@det-acp/core 0.2.0 → 0.3.0

package/dist/tools/git-status.js

@@ -0,0 +1,159 @@
+/**
+ * git:status — Read-only git status tool adapter.
+ *
+ * Reports the working tree status of a git repository.
+ * Read-only operation — no rollback needed.
+ */
+import { execSync } from 'node:child_process';
+import { z } from 'zod';
+import { ToolAdapter } from './base.js';
+import { evaluateAction } from '../policy/evaluator.js';
+export const GitStatusInputSchema = z.object({
+    repo: z.string().min(1, 'Repository path is required'),
+    /** Show short format output */
+    short: z.boolean().default(false),
+    /** Show branch tracking info */
+    branch: z.boolean().default(true),
+});
+export class GitStatusAdapter extends ToolAdapter {
+    name = 'git:status';
+    description = 'Get git working tree status for a repository';
+    inputSchema = GitStatusInputSchema;
+    validate(input, policy) {
+        const parsed = GitStatusInputSchema.safeParse(input);
+        if (!parsed.success) {
+            return {
+                verdict: 'deny',
+                tool: this.name,
+                reasons: parsed.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`),
+            };
+        }
+        return evaluateAction({ tool: this.name, input: parsed.data }, policy);
+    }
+    async dryRun(input, _ctx) {
+        const { repo } = input;
+        return {
+            tool: this.name,
+            wouldDo: `Get git status of ${repo}`,
+            estimatedChanges: [],
+            warnings: [],
+        };
+    }
+    async execute(input, _ctx) {
+        const start = Date.now();
+        const { repo, short, branch } = input;
+        try {
+            // Get porcelain status for parsing
+            const porcelainOutput = execSync('git status --porcelain=v1', {
+                cwd: repo,
+                encoding: 'utf-8',
+                timeout: 10000,
+            });
+            // Parse porcelain output into structured entries
+            const entries = [];
+            for (const line of porcelainOutput.split('\n').filter(Boolean)) {
+                const indexStatus = line[0];
+                const workingStatus = line[1];
+                const filePath = line.slice(3);
+                let status = 'unknown';
+                const staged = indexStatus !== ' ' && indexStatus !== '?';
+                if (indexStatus === '?' && workingStatus === '?') {
+                    status = 'untracked';
+                }
+                else if (indexStatus === 'A') {
+                    status = 'added';
+                }
+                else if (indexStatus === 'M' || workingStatus === 'M') {
+                    status = 'modified';
+                }
+                else if (indexStatus === 'D' || workingStatus === 'D') {
+                    status = 'deleted';
+                }
+                else if (indexStatus === 'R') {
+                    status = 'renamed';
+                }
+                else if (indexStatus === 'C') {
+                    status = 'copied';
+                }
+                entries.push({ path: filePath, status, staged });
+            }
+            // Get branch info
+            let branchInfo = {};
+            if (branch) {
+                try {
+                    const branchOutput = execSync('git branch --show-current', {
+                        cwd: repo,
+                        encoding: 'utf-8',
+                        timeout: 5000,
+                    }).trim();
+                    branchInfo = { currentBranch: branchOutput || '(detached HEAD)' };
+                    // Get upstream tracking info
+                    try {
+                        const upstream = execSync('git rev-parse --abbrev-ref @{upstream}', {
+                            cwd: repo,
+                            encoding: 'utf-8',
+                            timeout: 5000,
+                        }).trim();
+                        branchInfo.upstream = upstream;
+                        const aheadBehind = execSync('git rev-list --left-right --count HEAD...@{upstream}', {
+                            cwd: repo,
+                            encoding: 'utf-8',
+                            timeout: 5000,
+                        }).trim();
+                        const [ahead, behind] = aheadBehind.split('\t');
+                        branchInfo.ahead = ahead;
+                        branchInfo.behind = behind;
+                    }
+                    catch {
+                        // No upstream configured
+                    }
+                }
+                catch {
+                    branchInfo = { currentBranch: '(unknown)' };
+                }
+            }
+            // Get readable output too
+            let readableOutput = '';
+            if (short) {
+                readableOutput = porcelainOutput;
+            }
+            else {
+                readableOutput = execSync('git status', {
+                    cwd: repo,
+                    encoding: 'utf-8',
+                    timeout: 10000,
+                });
+            }
+            return this.success({
+                repo,
+                branch: branchInfo,
+                entries,
+                clean: entries.length === 0,
+                summary: {
+                    total: entries.length,
+                    staged: entries.filter((e) => e.staged).length,
+                    unstaged: entries.filter((e) => !e.staged).length,
+                    untracked: entries.filter((e) => e.status === 'untracked').length,
+                },
+                raw: readableOutput.trim(),
+            }, Date.now() - start, [
+                {
+                    type: 'log',
+                    value: readableOutput.trim().slice(0, 4096),
+                    description: 'Git status output',
+                },
+            ]);
+        }
+        catch (err) {
+            return this.failure(err.message, Date.now() - start);
+        }
+    }
+    async rollback(_input, _ctx) {
+        return {
+            tool: this.name,
+            success: true,
+            description: 'No rollback needed for read-only git status',
+        };
+    }
+}
+//# sourceMappingURL=git-status.js.map

package/dist/tools/git-status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-status.js","sourceRoot":"","sources":["../../src/tools/git-status.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAUxD,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,6BAA6B,CAAC;IACtD,+BAA+B;IAC/B,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IACjC,gCAAgC;IAChC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CAClC,CAAC,CAAC;AAUH,MAAM,OAAO,gBAAiB,SAAQ,WAAW;IACtC,IAAI,GAAG,YAAY,CAAC;IACpB,WAAW,GAAG,8CAA8C,CAAC;IAC7D,WAAW,GAAG,oBAAoB,CAAC;IAE5C,QAAQ,CAAC,KAAc,EAAE,MAAc;QACrC,MAAM,MAAM,GAAG,oBAAoB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7E,CAAC;QACJ,CAAC;QAED,OAAO,cAAc,CACnB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EACvC,MAAM,CACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAA8B,EAAE,IAAsB;QACjE,MAAM,EAAE,IAAI,EAAE,GAAG,KAAuB,CAAC;QACzC,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,qBAAqB,IAAI,EAAE;YACpC,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,EAAE;SACb,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAAsB;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,KAAuB,CAAC;QAExD,IAAI,CAAC;YACH,mCAAmC;YACnC,MAAM,eAAe,GAAG,QAAQ,CAAC,2BAA2B,EAAE;gBAC5D,GAAG,EAAE,IAAI;gBACT,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YAEH,iDAAiD;YACjD,MAAM,OAAO,GAAkB,EAAE,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBAC5B,MAAM,aAAa,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAE/B,IAAI,MAAM,GAAG,SAAS,CAAC;gBACvB,MAAM,MAAM,GAAG,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,GAAG,CAAC;gBAE1D,IAAI,WAAW,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;oBACjD,MAAM,GAAG,WAAW,CAAC;gBACvB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;oBAC/B,MAAM,GAAG,OAAO,CAAC;gBACnB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;oBACxD,MAAM,GAAG,UAAU,CAAC;gBACtB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;oBACxD,MAAM,GAAG,SAAS,CAAC;gBACrB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;oBAC/B,MAAM,GAAG,SAAS,CAAC;gBACrB,CAAC;qBAAM,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;oBAC/B,MAAM,GAAG,QAAQ,CAAC;gBACpB,CAAC;gBAED,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACnD,CAAC;YAED,kBAAkB;YAClB,IAAI,UAAU,GAA2B,EAAE,CAAC;YAC5C,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,QAAQ,CAAC,2BAA2B,EAAE;wBACzD,GAAG,EAAE,IAAI;wBACT,QAAQ,EAAE,OAAO;wBACjB,OAAO,EAAE,IAAI;qBACd,CAAC,CAAC,IAAI,EAAE,CAAC;oBAEV,UAAU,GAAG,EAAE,aAAa,EAAE,YAAY,IAAI,iBAAiB,EAAE,CAAC;oBAElE,6BAA6B;oBAC7B,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,wCAAwC,EAAE;4BAClE,GAAG,EAAE,IAAI;4BACT,QAAQ,EAAE,OAAO;4BACjB,OAAO,EAAE,IAAI;yBACd,CAAC,CAAC,IAAI,EAAE,CAAC;wBACV,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC;wBAE/B,MAAM,WAAW,GAAG,QAAQ,CAAC,sDAAsD,EAAE;4BACnF,GAAG,EAAE,IAAI;4BACT,QAAQ,EAAE,OAAO;4BACjB,OAAO,EAAE,IAAI;yBACd,CAAC,CAAC,IAAI,EAAE,CAAC;wBACV,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBAChD,UAAU,CAAC,KAAK,GAAG,KAAK,CAAC;wBACzB,UAAU,CAAC,MAAM,GAAG,MAAM,CAAC;oBAC7B,CAAC;oBAAC,MAAM,CAAC;wBACP,yBAAyB;oBAC3B,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,UAAU,GAAG,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC;gBAC9C,CAAC;YACH,CAAC;YAED,0BAA0B;YAC1B,IAAI,cAAc,GAAG,EAAE,CAAC;YACxB,IAAI,KAAK,EAAE,CAAC;gBACV,cAAc,GAAG,eAAe,CAAC;YACnC,CAAC;iBAAM,CAAC;gBACN,cAAc,GAAG,QAAQ,CAAC,YAAY,EAAE;oBACtC,GAAG,EAAE,IAAI;oBACT,QAAQ,EAAE,OAAO;oBACjB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;YACL,CAAC;YAED,OAAO,IAAI,CAAC,OAAO,CACjB;gBACE,IAAI;gBACJ,MAAM,EAAE,UAAU;gBAClB,OAAO;gBACP,KAAK,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;gBAC3B,OAAO,EAAE;oBACP,KAAK,EAAE,OAAO,CAAC,MAAM;oBACrB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;oBAC9C,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;oBACjD,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,MAAM;iBAClE;gBACD,GAAG,EAAE,cAAc,CAAC,IAAI,EAAE;aAC3B,EACD,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAClB;gBACE;oBACE,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,cAAc,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC;oBAC3C,WAAW,EAAE,mBAAmB;iBACjC;aACF,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,OAAO,CAAE,GAAa,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAA+B,EAAE,IAAsB;QACpE,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,6CAA6C;SAC3D,CAAC;IACJ,CAAC;CACF"}

package/dist/tools/network-dns.d.ts

@@ -0,0 +1,50 @@
+/**
+ * network:dns — DNS lookup tool adapter.
+ *
+ * Performs DNS resolution for hostnames within allowed domains.
+ * Read-only operation — no rollback needed.
+ * Domain allow-listing enforced by policy.
+ */
+import { z } from 'zod';
+import { ToolAdapter } from './base.js';
+import type { DryRunResult, ExecutionContext, ExecutionResult, Policy, RollbackResult, ValidationResult } from '../types.js';
+export declare const NetworkDnsInputSchema: z.ZodObject<{
+    hostname: z.ZodString;
+    type: z.ZodDefault<z.ZodEnum<{
+        A: "A";
+        AAAA: "AAAA";
+        CNAME: "CNAME";
+        MX: "MX";
+        TXT: "TXT";
+        NS: "NS";
+        SOA: "SOA";
+        SRV: "SRV";
+        PTR: "PTR";
+    }>>;
+    timeout: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, z.core.$strip>;
+export type NetworkDnsInput = z.infer<typeof NetworkDnsInputSchema>;
+export declare class NetworkDnsAdapter extends ToolAdapter {
+    readonly name = "network:dns";
+    readonly description = "Perform DNS lookups for allow-listed domains";
+    readonly inputSchema: z.ZodObject<{
+        hostname: z.ZodString;
+        type: z.ZodDefault<z.ZodEnum<{
+            A: "A";
+            AAAA: "AAAA";
+            CNAME: "CNAME";
+            MX: "MX";
+            TXT: "TXT";
+            NS: "NS";
+            SOA: "SOA";
+            SRV: "SRV";
+            PTR: "PTR";
+        }>>;
+        timeout: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    }, z.core.$strip>;
+    validate(input: unknown, policy: Policy): ValidationResult;
+    dryRun(input: Record<string, unknown>, _ctx: ExecutionContext): Promise<DryRunResult>;
+    execute(input: Record<string, unknown>, _ctx: ExecutionContext): Promise<ExecutionResult>;
+    rollback(_input: Record<string, unknown>, _ctx: ExecutionContext): Promise<RollbackResult>;
+}
+//# sourceMappingURL=network-dns.d.ts.map

package/dist/tools/network-dns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-dns.d.ts","sourceRoot":"","sources":["../../src/tools/network-dns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,MAAM,EACN,cAAc,EACd,gBAAgB,EACjB,MAAM,aAAa,CAAC;AAErB,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;iBAMhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE,qBAAa,iBAAkB,SAAQ,WAAW;IAChD,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,WAAW,kDAAkD;IACtE,QAAQ,CAAC,WAAW;;;;;;;;;;;;;;sBAAyB;IAE7C,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,gBAAgB;IAgBpD,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWrF,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IA+EzF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,cAAc,CAAC;CAOjG"}

package/dist/tools/network-dns.js

@@ -0,0 +1,122 @@
+/**
+ * network:dns — DNS lookup tool adapter.
+ *
+ * Performs DNS resolution for hostnames within allowed domains.
+ * Read-only operation — no rollback needed.
+ * Domain allow-listing enforced by policy.
+ */
+import dns from 'node:dns/promises';
+import crypto from 'node:crypto';
+import { z } from 'zod';
+import { ToolAdapter } from './base.js';
+import { evaluateAction } from '../policy/evaluator.js';
+export const NetworkDnsInputSchema = z.object({
+    hostname: z.string().min(1, 'Hostname is required'),
+    /** DNS record type */
+    type: z.enum(['A', 'AAAA', 'CNAME', 'MX', 'TXT', 'NS', 'SOA', 'SRV', 'PTR']).default('A'),
+    /** Timeout in milliseconds */
+    timeout: z.number().positive().optional().default(10000),
+});
+export class NetworkDnsAdapter extends ToolAdapter {
+    name = 'network:dns';
+    description = 'Perform DNS lookups for allow-listed domains';
+    inputSchema = NetworkDnsInputSchema;
+    validate(input, policy) {
+        const parsed = NetworkDnsInputSchema.safeParse(input);
+        if (!parsed.success) {
+            return {
+                verdict: 'deny',
+                tool: this.name,
+                reasons: parsed.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`),
+            };
+        }
+        return evaluateAction({ tool: this.name, input: parsed.data }, policy);
+    }
+    async dryRun(input, _ctx) {
+        const { hostname, type } = input;
+        return {
+            tool: this.name,
+            wouldDo: `DNS ${type} lookup for ${hostname}`,
+            estimatedChanges: [],
+            warnings: [],
+        };
+    }
+    async execute(input, _ctx) {
+        const start = Date.now();
+        const { hostname, type, timeout } = input;
+        try {
+            // Set up timeout
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            let records;
+            try {
+                const resolver = new dns.Resolver();
+                // Apply timeout via AbortController on the resolver
+                resolver.setServers(dns.getServers());
+                switch (type) {
+                    case 'A':
+                        records = await resolver.resolve4(hostname);
+                        break;
+                    case 'AAAA':
+                        records = await resolver.resolve6(hostname);
+                        break;
+                    case 'CNAME':
+                        records = await resolver.resolveCname(hostname);
+                        break;
+                    case 'MX':
+                        records = await resolver.resolveMx(hostname);
+                        break;
+                    case 'TXT':
+                        records = await resolver.resolveTxt(hostname);
+                        break;
+                    case 'NS':
+                        records = await resolver.resolveNs(hostname);
+                        break;
+                    case 'SOA':
+                        records = await resolver.resolveSoa(hostname);
+                        break;
+                    case 'SRV':
+                        records = await resolver.resolveSrv(hostname);
+                        break;
+                    case 'PTR':
+                        records = await resolver.resolvePtr(hostname);
+                        break;
+                    default:
+                        return this.failure(`Unsupported record type: ${type}`, Date.now() - start);
+                }
+            }
+            finally {
+                clearTimeout(timeoutId);
+            }
+            const resultStr = JSON.stringify(records);
+            const resultHash = crypto.createHash('sha256').update(resultStr).digest('hex');
+            return this.success({
+                hostname,
+                type,
+                records,
+            }, Date.now() - start, [
+                {
+                    type: 'log',
+                    value: `DNS ${type} ${hostname}: ${resultStr.slice(0, 2048)}`,
+                    description: 'DNS lookup result',
+                },
+                {
+                    type: 'checksum',
+                    value: `sha256:${resultHash}`,
+                    description: 'DNS result hash',
+                },
+            ]);
+        }
+        catch (err) {
+            return this.failure(err.message, Date.now() - start);
+        }
+    }
+    async rollback(_input, _ctx) {
+        return {
+            tool: this.name,
+            success: true,
+            description: 'No rollback needed for read-only DNS lookup',
+        };
+    }
+}
+//# sourceMappingURL=network-dns.js.map

package/dist/tools/network-dns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-dns.js","sourceRoot":"","sources":["../../src/tools/network-dns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,GAAG,MAAM,mBAAmB,CAAC;AACpC,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAUxD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;IACnD,sBAAsB;IACtB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IACzF,8BAA8B;IAC9B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACzD,CAAC,CAAC;AAIH,MAAM,OAAO,iBAAkB,SAAQ,WAAW;IACvC,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,8CAA8C,CAAC;IAC7D,WAAW,GAAG,qBAAqB,CAAC;IAE7C,QAAQ,CAAC,KAAc,EAAE,MAAc;QACrC,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7E,CAAC;QACJ,CAAC;QAED,OAAO,cAAc,CACnB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EACvC,MAAM,CACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAA8B,EAAE,IAAsB;QACjE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,KAAwB,CAAC;QAEpD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,OAAO,IAAI,eAAe,QAAQ,EAAE;YAC7C,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,EAAE;SACb,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAAsB;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,KAAwB,CAAC;QAE7D,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,OAAgB,CAAC;YAErB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACpC,oDAAoD;gBACpD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;gBAEtC,QAAQ,IAAI,EAAE,CAAC;oBACb,KAAK,GAAG;wBACN,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;wBAC5C,MAAM;oBACR,KAAK,MAAM;wBACT,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;wBAC5C,MAAM;oBACR,KAAK,OAAO;wBACV,OAAO,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;wBAChD,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;wBAC7C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;wBAC7C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC9C,MAAM;oBACR;wBACE,OAAO,IAAI,CAAC,OAAO,CAAC,4BAA4B,IAAI,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;gBAChF,CAAC;YACH,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC1C,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE/E,OAAO,IAAI,CAAC,OAAO,CACjB;gBACE,QAAQ;gBACR,IAAI;gBACJ,OAAO;aACR,EACD,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAClB;gBACE;oBACE,IAAI,EAAE,KAAK;oBACX,KAAK,EAAE,OAAO,IAAI,IAAI,QAAQ,KAAK,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE;oBAC7D,WAAW,EAAE,mBAAmB;iBACjC;gBACD;oBACE,IAAI,EAAE,UAAU;oBAChB,KAAK,EAAE,UAAU,UAAU,EAAE;oBAC7B,WAAW,EAAE,iBAAiB;iBAC/B;aACF,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,OAAO,CAAE,GAAa,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAA+B,EAAE,IAAsB;QACpE,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,6CAA6C;SAC3D,CAAC;IACJ,CAAC;CACF"}

package/dist/types.d.ts

@@ -4,7 +4,7 @@
  * These types are the shared vocabulary used across the entire framework:
  * policy engine, tool adapters, session manager, ledger, and gateway runtime.
  */
-export type ToolName = 'file:read' | 'file:write' | 'file:delete' | 'command:run' | 'http:request' | 'git:diff' | 'git:apply' | (string & {});
+export type ToolName = 'file:read' | 'file:write' | 'file:delete' | 'file:move' | 'file:copy' | 'directory:list' | 'directory:create' | 'command:run' | 'http:request' | 'git:diff' | 'git:apply' | 'git:commit' | 'git:status' | 'env:read' | 'network:dns' | 'archive:extract' | (string & {});
 export type ApprovalMode = 'auto' | 'human' | 'webhook';
 export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
 export interface CapabilityScope {

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,MAAM,QAAQ,GAAG,WAAW,GAAG,YAAY,GAAG,aAAa,GAAG,aAAa,GAAG,cAAc,GAAG,UAAU,GAAG,WAAW,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9I,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAExD,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,mCAAmC;IACnC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,eAAe,CAAC;CACxB;AAED,MAAM,WAAW,IAAI;IACnB,MAAM,EAAE,QAAQ,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;IACvB,UAAU,CAAC,EAAE,SAAS,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,MAAM;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAMD,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,OAAO,EAAE,eAAe,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,2CAA2C;IAC3C,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC;CAC/B;AAMD,MAAM,WAAW,MAAM;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,UAAU,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,cAAc,CAAC;IACzB,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,sDAAsD;IACtD,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAMD,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,IAAI,EAAE,QAAQ,CAAC;IACf,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;AAE1D,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,iDAAiD;IACjD,IAAI,CAAC,EAAE,IAAI,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,UAAU,GAAG,WAAW,CAAC;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,iFAAiF;IACjF,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,8BAA8B;IAC9B,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,gBAAgB,EAAE,MAAM,CAAC;IACzB,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;CACvB;AAMD,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,YAAY,CAAC;AAE9D,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;IACtB,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,aAAa,CAAC;IACvB,UAAU,EAAE,gBAAgB,CAAC;IAC7B,wCAAwC;IACxC,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,YAAY,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,aAAa,CAAC;IAC1B,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B;AAMD,MAAM,MAAM,eAAe,GACvB,eAAe,GACf,sBAAsB,GACtB,mBAAmB,GACnB,iBAAiB,GACjB,eAAe,GACf,iBAAiB,GACjB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,gBAAgB,GAChB,iBAAiB,GACjB,sBAAsB,CAAC;AAE3B,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/B;AAMD,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,CAAC;IACtB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAMD,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,MAAM,QAAQ,GAChB,WAAW,GACX,YAAY,GACZ,aAAa,GACb,WAAW,GACX,WAAW,GACX,gBAAgB,GAChB,kBAAkB,GAClB,aAAa,GACb,cAAc,GACd,UAAU,GACV,WAAW,GACX,YAAY,GACZ,YAAY,GACZ,UAAU,GACV,aAAa,GACb,iBAAiB,GACjB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAExD,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,mCAAmC;IACnC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,eAAe,CAAC;CACxB;AAED,MAAM,WAAW,IAAI;IACnB,MAAM,EAAE,QAAQ,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;IACvB,UAAU,CAAC,EAAE,SAAS,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,MAAM;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAMD,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,OAAO,EAAE,eAAe,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,2CAA2C;IAC3C,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC;CAC/B;AAMD,MAAM,WAAW,MAAM;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,UAAU,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,cAAc,CAAC;IACzB,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,sDAAsD;IACtD,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAMD,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,IAAI,EAAE,QAAQ,CAAC;IACf,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;AAE1D,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,iDAAiD;IACjD,IAAI,CAAC,EAAE,IAAI,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,UAAU,GAAG,WAAW,CAAC;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,iFAAiF;IACjF,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,8BAA8B;IAC9B,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,gBAAgB,EAAE,MAAM,CAAC;IACzB,+CAA+C;IAC/C,aAAa,EAAE,MAAM,CAAC;CACvB;AAMD,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,YAAY,CAAC;AAE9D,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;IACtB,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,aAAa,CAAC;IACvB,UAAU,EAAE,gBAAgB,CAAC;IAC7B,wCAAwC;IACxC,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,iBAAiB,EAAE,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,YAAY,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,aAAa,CAAC;IAC1B,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B;AAMD,MAAM,MAAM,eAAe,GACvB,eAAe,GACf,sBAAsB,GACtB,mBAAmB,GACnB,iBAAiB,GACjB,eAAe,GACf,iBAAiB,GACjB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,gBAAgB,GAChB,iBAAiB,GACjB,sBAAsB,CAAC;AAE3B,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/B;AAMD,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,CAAC;IACtB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAMD,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB"}

package/examples/coding-agent.policy.yaml

@@ -16,6 +16,30 @@ capabilities:
       paths:
         - "./src/**"
         - "./tests/**"
+  - tool: "file:delete"
+    scope:
+      paths:
+        - "./src/**"
+        - "./tests/**"
+  - tool: "file:move"
+    scope:
+      paths:
+        - "./src/**"
+        - "./tests/**"
+  - tool: "file:copy"
+    scope:
+      paths:
+        - "./src/**"
+        - "./tests/**"
+  - tool: "directory:list"
+    scope:
+      paths:
+        - "./**"
+  - tool: "directory:create"
+    scope:
+      paths:
+        - "./src/**"
+        - "./tests/**"
   - tool: "command:run"
     scope:
       binaries:
@@ -33,6 +57,14 @@ capabilities:
   - tool: "git:apply"
     scope:
       repos: ["."]
+  - tool: "git:status"
+    scope:
+      repos: ["."]
+  - tool: "git:commit"
+    scope:
+      repos: ["."]
+  - tool: "env:read"
+    scope: {}
 
 limits:
   max_runtime_ms: 1800000    # 30 minutes
@@ -41,6 +73,18 @@ limits:
   max_cost_usd: 5.0
 
 gates:
+  - action: "file:delete"
+    approval: "human"
+    risk_level: "high"
+
+  - action: "file:move"
+    approval: "auto"
+    risk_level: "medium"
+
+  - action: "git:commit"
+    approval: "auto"
+    risk_level: "medium"
+
   - action: "command:run"
     approval: "human"
     risk_level: "high"

package/examples/data-analyst.policy.yaml

@@ -0,0 +1,160 @@
+# Data Analyst Agent Policy
+# Constrains a data analysis agent operating on datasets, generating reports,
+# and querying external APIs — while preventing data exfiltration and
+# unauthorized modifications to source data.
+
+version: "1.0"
+name: "data-analyst"
+description: "Policy for a data analysis agent that reads datasets, runs analysis scripts, generates reports, and queries external data APIs."
+
+capabilities:
+  - tool: "file:read"
+    scope:
+      paths:
+        - "./data/**"
+        - "./config/**"
+        - "./scripts/**"
+        - "./templates/**"
+
+  - tool: "file:write"
+    scope:
+      paths:
+        - "./output/**"
+        - "./reports/**"
+        - "./tmp/**"
+
+  - tool: "file:copy"
+    scope:
+      paths:
+        - "./data/**"
+        - "./output/**"
+
+  - tool: "file:delete"
+    scope:
+      paths:
+        - "./tmp/**"
+        - "./output/**"
+
+  - tool: "directory:list"
+    scope:
+      paths:
+        - "./data/**"
+        - "./output/**"
+        - "./reports/**"
+        - "./scripts/**"
+
+  - tool: "directory:create"
+    scope:
+      paths:
+        - "./output/**"
+        - "./reports/**"
+        - "./tmp/**"
+
+  - tool: "command:run"
+    scope:
+      binaries:
+        - "python"
+        - "python3"
+        - "pip"
+        - "Rscript"
+        - "node"
+        - "npx"
+        - "cat"
+        - "wc"
+        - "head"
+        - "tail"
+        - "sort"
+
+  - tool: "http:request"
+    scope:
+      domains:
+        - "api.census.gov"
+        - "api.worldbank.org"
+        - "data.gov"
+        - "api.data.yourcompany.com"
+      methods:
+        - "GET"
+
+  - tool: "env:read"
+    scope: {}
+
+  - tool: "archive:extract"
+    scope:
+      paths:
+        - "./data/**"
+        - "./tmp/**"
+
+  - tool: "network:dns"
+    scope:
+      domains:
+        - "api.census.gov"
+        - "api.worldbank.org"
+        - "data.gov"
+
+limits:
+  max_runtime_ms: 3600000       # 60 minutes (analysis can be long)
+  max_output_bytes: 536870912   # 512 MB
+  max_files_changed: 100
+  max_retries: 3
+  max_cost_usd: 10.0
+
+gates:
+  - action: "file:delete"
+    approval: "human"
+    risk_level: "medium"
+
+  - action: "http:request"
+    approval: "auto"
+    risk_level: "low"
+
+  - action: "command:run"
+    approval: "auto"
+    risk_level: "medium"
+    condition: "outside_scope"
+
+evidence:
+  require:
+    - "checksums"
+    - "diffs"
+    - "exit_codes"
+    - "logs"
+  format: "jsonl"
+
+forbidden:
+  - pattern: "**/.env"
+  - pattern: "**/.env.*"
+  - pattern: "**/credentials*"
+  - pattern: "**/secrets*"
+  - pattern: "**/passwords*"
+  - pattern: "curl | sh"
+  - pattern: "wget | sh"
+  - pattern: "rm -rf /"
+  - pattern: "pip install --user"
+  - pattern: "POST"
+  - pattern: "PUT"
+  - pattern: "DELETE"
+
+session:
+  max_actions: 500
+  max_denials: 30
+  rate_limit:
+    max_per_minute: 60
+  escalation:
+    - after_actions: 200
+      require: human_checkin
+    - after_minutes: 30
+      require: human_checkin
+
+remediation:
+  rules:
+    - match: "FileNotFoundError"
+      action: "retry"
+    - match: "MemoryError"
+      action: "abort"
+    - match: "ECONNREFUSED"
+      action: "retry"
+    - match: "disk full"
+      action: "abort"
+    - match: "permission denied"
+      action: "abort"
+  fallback_chain: ["retry", "skip", "abort"]