@dewtech/dare-cli 3.8.2 → 3.10.0

package/dist/guard/config.d.ts

@@ -0,0 +1,60 @@
+import { z } from 'zod';
+export declare const GUARD_DEFAULTS: {
+    enabled: boolean;
+    onExecute: boolean;
+    unicode: "strip";
+    trustedPaths: string[];
+    signing: {
+        enabled: false;
+        publicKey: string | undefined;
+    };
+};
+export declare const guardConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    onExecute: z.ZodDefault<z.ZodBoolean>;
+    unicode: z.ZodDefault<z.ZodEnum<["strip", "block"]>>;
+    trustedPaths: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    signing: z.ZodDefault<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        publicKey: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        publicKey?: string | undefined;
+    }, {
+        enabled?: boolean | undefined;
+        publicKey?: string | undefined;
+    }>>;
+}, "strict", z.ZodTypeAny, {
+    enabled: boolean;
+    onExecute: boolean;
+    unicode: "strip" | "block";
+    trustedPaths: string[];
+    signing: {
+        enabled: boolean;
+        publicKey?: string | undefined;
+    };
+}, {
+    enabled?: boolean | undefined;
+    onExecute?: boolean | undefined;
+    unicode?: "strip" | "block" | undefined;
+    trustedPaths?: string[] | undefined;
+    signing?: {
+        enabled?: boolean | undefined;
+        publicKey?: string | undefined;
+    } | undefined;
+}>;
+export type GuardConfig = z.infer<typeof guardConfigSchema>;
+export declare class GuardConfigError extends Error {
+    readonly issues: ReadonlyArray<{
+        path: string;
+        message: string;
+    }>;
+    constructor(issues: ReadonlyArray<{
+        path: string;
+        message: string;
+    }>);
+}
+export declare function parseGuardConfig(raw: unknown): GuardConfig;
+export declare function defaultGuardConfigForProject(): GuardConfig;
+export declare function seedGuardDefaultsIfAbsent(cfg: Record<string, unknown>): boolean;
+//# sourceMappingURL=config.d.ts.map

package/dist/guard/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/guard/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,cAAc;;;;;;;mBAKmC,MAAM,GAAG,SAAS;;CAC/E,CAAC;AAEF,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAanB,CAAC;AAEZ,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;gBAEtD,MAAM,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAOrE;AAkBD,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,OAAO,GAAG,WAAW,CAW1D;AAED,wBAAgB,4BAA4B,IAAI,WAAW,CAE1D;AAED,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,OAAO,CAIT"}

package/dist/guard/config.js

@@ -0,0 +1,64 @@
+import { z } from 'zod';
+export const GUARD_DEFAULTS = {
+    enabled: false,
+    onExecute: true,
+    unicode: 'strip',
+    trustedPaths: ['.dare/steering/**', 'DARE/TASKS.md'],
+    signing: { enabled: false, publicKey: undefined },
+};
+export const guardConfigSchema = z
+    .object({
+    enabled: z.boolean().default(GUARD_DEFAULTS.enabled),
+    onExecute: z.boolean().default(GUARD_DEFAULTS.onExecute),
+    unicode: z.enum(['strip', 'block']).default(GUARD_DEFAULTS.unicode),
+    trustedPaths: z.array(z.string()).default([...GUARD_DEFAULTS.trustedPaths]),
+    signing: z
+        .object({
+        enabled: z.boolean().default(false),
+        publicKey: z.string().optional(),
+    })
+        .default({ enabled: false }),
+})
+    .strict();
+export class GuardConfigError extends Error {
+    constructor(issues) {
+        super(`Invalid guard config: ${issues.map((i) => `${i.path}: ${i.message}`).join('; ')}`);
+        this.name = 'GuardConfigError';
+        this.issues = issues;
+    }
+}
+function isGuardBlockAbsent(raw) {
+    if (raw === undefined || raw === null)
+        return true;
+    if (typeof raw !== 'object')
+        return false;
+    const rec = raw;
+    return !('guard' in rec) || rec.guard === undefined;
+}
+function zodIssues(error) {
+    return error.issues.map((issue) => ({
+        path: issue.path.length > 0 ? issue.path.join('.') : '(root)',
+        message: issue.message,
+    }));
+}
+export function parseGuardConfig(raw) {
+    if (isGuardBlockAbsent(raw)) {
+        return guardConfigSchema.parse({});
+    }
+    const block = raw.guard;
+    const result = guardConfigSchema.safeParse(block);
+    if (!result.success) {
+        throw new GuardConfigError(zodIssues(result.error));
+    }
+    return result.data;
+}
+export function defaultGuardConfigForProject() {
+    return guardConfigSchema.parse({});
+}
+export function seedGuardDefaultsIfAbsent(cfg) {
+    if (cfg.guard !== undefined)
+        return false;
+    cfg.guard = defaultGuardConfigForProject();
+    return true;
+}
+//# sourceMappingURL=config.js.map

package/dist/guard/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/guard/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,OAAO,EAAE,KAAK;IACd,SAAS,EAAE,IAAI;IACf,OAAO,EAAE,OAAgB;IACzB,YAAY,EAAE,CAAC,mBAAmB,EAAE,eAAe,CAAC;IACpD,OAAO,EAAE,EAAE,OAAO,EAAE,KAAc,EAAE,SAAS,EAAE,SAA+B,EAAE;CACjF,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC;IACpD,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC;IACxD,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC;IACnE,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IAC3E,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QACnC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACjC,CAAC;SACD,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;CAC/B,CAAC;KACD,MAAM,EAAE,CAAC;AAIZ,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGzC,YAAY,MAAwD;QAClE,KAAK,CACH,yBAAyB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED,SAAS,kBAAkB,CAAC,GAAY;IACtC,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,OAAO,CAAC,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC;AACtD,CAAC;AAED,SAAS,SAAS,CAChB,KAAiB;IAEjB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAClC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ;QAC7D,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC,CAAC,CAAC;AACN,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAY;IAC3C,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,MAAM,KAAK,GAAI,GAA+B,CAAC,KAAK,CAAC;IACrD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,4BAA4B;IAC1C,OAAO,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,GAA4B;IAE5B,IAAI,GAAG,CAAC,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1C,GAAG,CAAC,KAAK,GAAG,4BAA4B,EAAE,CAAC;IAC3C,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/guard/pipeline.d.ts

@@ -0,0 +1,13 @@
+import { type BoundaryIntent } from './boundary.js';
+import type { GuardConfig } from './config.js';
+import type { GuardResult, GuardedArtifact } from './types.js';
+export interface GuardPipelineOptions {
+    readonly cwd?: string;
+    readonly boundaryIntent?: BoundaryIntent;
+}
+export interface GuardPipelineOutput {
+    readonly result: GuardResult;
+    readonly artifact: GuardedArtifact;
+}
+export declare function runGuardPipeline(artifactPath: string, content: Buffer, cfg: GuardConfig, options?: GuardPipelineOptions): GuardPipelineOutput;
+//# sourceMappingURL=pipeline.d.ts.map

package/dist/guard/pipeline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/guard/pipeline.ts"],"names":[],"mappings":"AAEA,OAAO,EAGL,KAAK,cAAc,EACpB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C,OAAO,KAAK,EAEV,WAAW,EAEX,eAAe,EAChB,MAAM,YAAY,CAAC;AAGpB,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAC;CAC1C;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;CACpC;AAkGD,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,WAAW,EAChB,OAAO,GAAE,oBAAyB,GACjC,mBAAmB,CAwDrB"}

package/dist/guard/pipeline.js

@@ -0,0 +1,120 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { BoundaryViolationError, enforceBoundary, } from './boundary.js';
+import { classify, computeDigest, verifyArtifact } from './provenance.js';
+import { scanHeuristics } from './scan.js';
+import { auditUnicode } from './unicode.js';
+function normalizeProjectPath(rawPath) {
+    return rawPath
+        .replace(/\\/g, '/')
+        .replace(/^[A-Za-z]:\//, '')
+        .replace(/^\.\/+/, '')
+        .replace(/^\/+/, '')
+        .replace(/\/{2,}/g, '/');
+}
+function worstVerdict(findings) {
+    if (findings.some((finding) => finding.severity === 'FAIL'))
+        return 'FAIL';
+    if (findings.some((finding) => finding.severity === 'WARN'))
+        return 'WARN';
+    return 'PASS';
+}
+function provenanceFinding(rule, evidence, severity = 'FAIL') {
+    return {
+        layer: 'provenance',
+        severity,
+        rule,
+        evidence,
+    };
+}
+function resolveKeyMaterial(cwd, configuredKey) {
+    const trimmed = configuredKey?.trim();
+    if (!trimmed)
+        return undefined;
+    if (trimmed.includes('BEGIN PUBLIC KEY'))
+        return trimmed;
+    const absPath = path.resolve(cwd, trimmed);
+    if (fs.existsSync(absPath) && fs.statSync(absPath).isFile()) {
+        return fs.readFileSync(absPath, 'utf8');
+    }
+    return trimmed;
+}
+function loadSignature(artifactAbsPath) {
+    const signaturePath = `${artifactAbsPath}.minisig`;
+    if (!fs.existsSync(signaturePath))
+        return undefined;
+    const signature = fs.readFileSync(signaturePath, 'utf8').trim();
+    return signature.length > 0 ? signature : undefined;
+}
+function runProvenanceChecks(args) {
+    const findings = [];
+    if (args.artifact.channel !== 'control' || !args.cfg.signing.enabled) {
+        return findings;
+    }
+    const publicKey = resolveKeyMaterial(args.cwd, args.cfg.signing.publicKey);
+    if (!publicKey) {
+        findings.push(provenanceFinding('signing-key-missing', 'guard.signing.publicKey is required when signing is enabled'));
+        return findings;
+    }
+    const signature = loadSignature(args.artifactAbsPath);
+    if (!signature) {
+        findings.push(provenanceFinding('signature-missing', `${args.artifact.path}.minisig is required for trusted artifacts`));
+        return findings;
+    }
+    if (!verifyArtifact(args.content, signature, publicKey)) {
+        findings.push(provenanceFinding('signature-invalid', `${args.artifact.path}.minisig does not match artifact digest`));
+    }
+    return findings;
+}
+export function runGuardPipeline(artifactPath, content, cfg, options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const artifactAbsPath = path.isAbsolute(artifactPath)
+        ? artifactPath
+        : path.resolve(cwd, artifactPath);
+    const artifactRelPath = normalizeProjectPath(path.isAbsolute(artifactPath)
+        ? path.relative(cwd, artifactPath)
+        : artifactPath);
+    const utf8 = content.toString('utf8');
+    const cls = classify(artifactRelPath, cfg);
+    const unicode = auditUnicode(utf8, cfg.unicode);
+    const scan = scanHeuristics(unicode.sanitized);
+    const artifact = {
+        path: artifactRelPath,
+        origin: cls.origin,
+        channel: cls.channel,
+        trust: cls.trust,
+        digest: computeDigest(content),
+    };
+    const findings = [
+        ...unicode.findings,
+        ...scan,
+        ...runProvenanceChecks({
+            cwd,
+            artifactAbsPath,
+            content,
+            cfg,
+            artifact,
+        }),
+    ];
+    try {
+        enforceBoundary(artifact, options.boundaryIntent ?? 'read');
+    }
+    catch (err) {
+        if (err instanceof BoundaryViolationError) {
+            findings.push(provenanceFinding('boundary-violation', err.message));
+        }
+        else {
+            throw err;
+        }
+    }
+    const verdict = worstVerdict(findings);
+    const includeSanitized = cfg.unicode === 'strip' && unicode.sanitized !== utf8;
+    const result = {
+        artifact: artifactRelPath,
+        verdict,
+        findings,
+        ...(includeSanitized ? { sanitized: unicode.sanitized } : {}),
+    };
+    return { result, artifact };
+}
+//# sourceMappingURL=pipeline.js.map

package/dist/guard/pipeline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../../src/guard/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,eAAe,GAEhB,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAO3C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAY5C,SAAS,oBAAoB,CAAC,OAAe;IAC3C,OAAO,OAAO;SACX,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;SAC3B,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;SACrB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,YAAY,CAAC,QAAqC;IACzD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAC3E,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAC3E,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CACxB,IAAY,EACZ,QAAgB,EAChB,WAAyB,MAAM;IAE/B,OAAO;QACL,KAAK,EAAE,YAAY;QACnB,QAAQ;QACR,IAAI;QACJ,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,GAAW,EACX,aAAiC;IAEjC,MAAM,OAAO,GAAG,aAAa,EAAE,IAAI,EAAE,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QAAE,OAAO,OAAO,CAAC;IAEzD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;QAC5D,OAAO,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,aAAa,CAAC,eAAuB;IAC5C,MAAM,aAAa,GAAG,GAAG,eAAe,UAAU,CAAC;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC;QAAE,OAAO,SAAS,CAAC;IACpD,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAChE,OAAO,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;AACtD,CAAC;AAED,SAAS,mBAAmB,CAAC,IAM5B;IACC,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC3E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CACX,iBAAiB,CACf,qBAAqB,EACrB,6DAA6D,CAC9D,CACF,CAAC;QACF,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACtD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CACX,iBAAiB,CACf,mBAAmB,EACnB,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,4CAA4C,CAClE,CACF,CAAC;QACF,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CACX,iBAAiB,CACf,mBAAmB,EACnB,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,yCAAyC,CAC/D,CACF,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,YAAoB,EACpB,OAAe,EACf,GAAgB,EAChB,UAAgC,EAAE;IAElC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QACnD,CAAC,CAAC,YAAY;QACd,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IACpC,MAAM,eAAe,GAAG,oBAAoB,CAC1C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAC3B,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC;QAClC,CAAC,CAAC,YAAY,CACjB,CAAC;IACF,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEtC,MAAM,GAAG,GAAG,QAAQ,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAE/C,MAAM,QAAQ,GAAoB;QAChC,IAAI,EAAE,eAAe;QACrB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC;KAC/B,CAAC;IAEF,MAAM,QAAQ,GAAmB;QAC/B,GAAG,OAAO,CAAC,QAAQ;QACnB,GAAG,IAAI;QACP,GAAG,mBAAmB,CAAC;YACrB,GAAG;YACH,eAAe;YACf,OAAO;YACP,GAAG;YACH,QAAQ;SACT,CAAC;KACH,CAAC;IAEF,IAAI,CAAC;QACH,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,IAAI,MAAM,CAAC,CAAC;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,sBAAsB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,oBAAoB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QACtE,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,gBAAgB,GAAG,GAAG,CAAC,OAAO,KAAK,OAAO,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,CAAC;IAC/E,MAAM,MAAM,GAAgB;QAC1B,QAAQ,EAAE,eAAe;QACzB,OAAO;QACP,QAAQ;QACR,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9D,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9B,CAAC"}

package/dist/guard/provenance.d.ts

@@ -0,0 +1,18 @@
+import type { GuardConfig } from './config.js';
+import type { ArtifactOrigin, TrustChannel } from './types.js';
+type ArtifactTrust = 'signed' | 'unsigned';
+export declare function computeDigest(content: Buffer): string;
+/**
+ * Layout minisign-compat:
+ * - Linha 1: "untrusted comment: ..."
+ * - Linha 2: assinatura Ed25519 em base64 (raw)
+ */
+export declare function signArtifact(content: Buffer, privKeyPem: string): string;
+export declare function verifyArtifact(content: Buffer, sig: string, pubKeyPem: string): boolean;
+export declare function classify(path: string, cfg: GuardConfig): {
+    origin: ArtifactOrigin;
+    channel: TrustChannel;
+    trust: ArtifactTrust;
+};
+export {};
+//# sourceMappingURL=provenance.d.ts.map

package/dist/guard/provenance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provenance.d.ts","sourceRoot":"","sources":["../../src/guard/provenance.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/D,KAAK,aAAa,GAAG,QAAQ,GAAG,UAAU,CAAC;AAiF3C,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAErD;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAIxE;AAED,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,GAChB,OAAO,CAST;AAED,wBAAgB,QAAQ,CACtB,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,WAAW,GACf;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,OAAO,EAAE,YAAY,CAAC;IAAC,KAAK,EAAE,aAAa,CAAA;CAAE,CAezE"}

package/dist/guard/provenance.js

@@ -0,0 +1,108 @@
+import { createHash, createPrivateKey, createPublicKey, sign, verify } from 'node:crypto';
+function normalizePath(rawPath) {
+    return rawPath
+        .replace(/\\/g, '/')
+        .replace(/^[A-Za-z]:\//, '')
+        .replace(/^\.\/+/, '')
+        .replace(/^\/+/, '')
+        .replace(/\/{2,}/g, '/');
+}
+function isTrustedPath(path, pattern) {
+    const normalizedPath = normalizePath(path);
+    const normalizedPattern = normalizePath(pattern);
+    const hasWildcard = normalizedPattern.includes('*');
+    if (!hasWildcard) {
+        return (normalizedPath === normalizedPattern ||
+            normalizedPath.endsWith(`/${normalizedPattern}`));
+    }
+    const source = normalizedPattern
+        .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
+        .replace(/\*\*/g, '::DOUBLE_STAR::')
+        .replace(/\*/g, '[^/]*')
+        .replace(/::DOUBLE_STAR::/g, '.*');
+    const regex = new RegExp(`^(?:.*/)?${source}$`);
+    return regex.test(normalizedPath);
+}
+function inferOrigin(path) {
+    const normalized = normalizePath(path).toLowerCase();
+    if (normalized.startsWith('.dare/')) {
+        return 'agent';
+    }
+    return 'external';
+}
+function decodeBase64Signature(line) {
+    const compact = line.replace(/\s+/g, '');
+    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(compact)) {
+        return null;
+    }
+    try {
+        const decoded = Buffer.from(compact, 'base64');
+        if (decoded.length === 0)
+            return null;
+        const normalizedInput = compact.replace(/=+$/g, '');
+        const normalizedDecoded = decoded.toString('base64').replace(/=+$/g, '');
+        return normalizedInput === normalizedDecoded ? decoded : null;
+    }
+    catch {
+        return null;
+    }
+}
+function signaturePayload(signature) {
+    const lines = signature
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter((line) => line.length > 0);
+    if (lines.length === 0)
+        return null;
+    const candidateLines = lines.length === 1
+        ? lines
+        : lines.filter((line) => !line.toLowerCase().startsWith('untrusted comment:') &&
+            !line.toLowerCase().startsWith('trusted comment:'));
+    for (const candidate of candidateLines) {
+        const decoded = decodeBase64Signature(candidate);
+        if (decoded)
+            return decoded;
+    }
+    return null;
+}
+export function computeDigest(content) {
+    return createHash('sha256').update(content).digest('hex');
+}
+/**
+ * Layout minisign-compat:
+ * - Linha 1: "untrusted comment: ..."
+ * - Linha 2: assinatura Ed25519 em base64 (raw)
+ */
+export function signArtifact(content, privKeyPem) {
+    const privateKey = createPrivateKey(privKeyPem);
+    const signature = sign(null, content, privateKey).toString('base64');
+    return `untrusted comment: signature from dare guard\n${signature}`;
+}
+export function verifyArtifact(content, sig, pubKeyPem) {
+    const payload = signaturePayload(sig);
+    if (!payload)
+        return false;
+    try {
+        const publicKey = createPublicKey(pubKeyPem);
+        return verify(null, content, publicKey, payload);
+    }
+    catch {
+        return false;
+    }
+}
+export function classify(path, cfg) {
+    const trusted = cfg.trustedPaths.some((pattern) => isTrustedPath(path, pattern));
+    if (trusted) {
+        return {
+            origin: 'human',
+            channel: 'control',
+            trust: cfg.signing.enabled ? 'signed' : 'unsigned',
+        };
+    }
+    return {
+        origin: inferOrigin(path),
+        channel: 'data',
+        trust: 'unsigned',
+    };
+}
+//# sourceMappingURL=provenance.js.map

package/dist/guard/provenance.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../../src/guard/provenance.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAM1F,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,OAAO;SACX,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;SAC3B,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;SACrB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,OAAe;IAClD,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,iBAAiB,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAEpD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CACL,cAAc,KAAK,iBAAiB;YACpC,cAAc,CAAC,QAAQ,CAAC,IAAI,iBAAiB,EAAE,CAAC,CACjD,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,iBAAiB;SAC7B,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC;SACrC,OAAO,CAAC,OAAO,EAAE,iBAAiB,CAAC;SACnC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,YAAY,MAAM,GAAG,CAAC,CAAC;IAChD,OAAO,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IACrD,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACtC,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACzE,OAAO,eAAe,KAAK,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB;IACzC,MAAM,KAAK,GAAG,SAAS;SACpB,KAAK,CAAC,OAAO,CAAC;SACd,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAErC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,cAAc,GAClB,KAAK,CAAC,MAAM,KAAK,CAAC;QAChB,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,KAAK,CAAC,MAAM,CACV,CAAC,IAAI,EAAE,EAAE,CACP,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,oBAAoB,CAAC;YACpD,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC,CACrD,CAAC;IAER,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;IAC9B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,UAAkB;IAC9D,MAAM,UAAU,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrE,OAAO,iDAAiD,SAAS,EAAE,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,OAAe,EACf,GAAW,EACX,SAAiB;IAEjB,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,QAAQ,CACtB,IAAY,EACZ,GAAgB;IAEhB,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACjF,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO;YACL,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,SAAS;YAClB,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU;SACnD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,WAAW,CAAC,IAAI,CAAC;QACzB,OAAO,EAAE,MAAM;QACf,KAAK,EAAE,UAAU;KAClB,CAAC;AACJ,CAAC"}

package/dist/guard/scan.d.ts

@@ -0,0 +1,6 @@
+import type { GuardFinding } from './types.js';
+/**
+ * Heurística best-effort (camada 2): um achado isolado é sempre WARN.
+ */
+export declare function scanHeuristics(content: string): GuardFinding[];
+//# sourceMappingURL=scan.d.ts.map

package/dist/guard/scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../src/guard/scan.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAoF/C;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,EAAE,CAuB9D"}

package/dist/guard/scan.js

@@ -0,0 +1,84 @@
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const RULES_FILENAME = 'scan-rules.json';
+const DEFAULT_RULES_PATH = fileURLToPath(new URL(`./rules/${RULES_FILENAME}`, import.meta.url));
+const MAX_EVIDENCE_LENGTH = 160;
+function parseRegexLiteral(literal) {
+    const trimmed = literal.trim();
+    const match = /^\/([\s\S]*)\/([a-z]*)$/i.exec(trimmed);
+    if (!match) {
+        throw new Error(`Invalid regex literal "${literal}"`);
+    }
+    const [, source, flags] = match;
+    return new RegExp(source, flags);
+}
+function resolveRulesPath() {
+    const overridePath = process.env.DARE_GUARD_SCAN_RULES_PATH?.trim();
+    if (!overridePath)
+        return DEFAULT_RULES_PATH;
+    return resolve(overridePath);
+}
+function loadRulesFile() {
+    const rulesPath = resolveRulesPath();
+    const raw = readFileSync(rulesPath, 'utf8');
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== 'object' || parsed === null) {
+        throw new Error(`Invalid scan rules at "${rulesPath}"`);
+    }
+    const rec = parsed;
+    if (!Array.isArray(rec.rules)) {
+        throw new Error(`Invalid scan rules at "${rulesPath}"`);
+    }
+    return {
+        version: typeof rec.version === 'number' ? rec.version : 0,
+        rules: rec.rules,
+    };
+}
+function compileRules(file) {
+    return file.rules.map((rule) => {
+        if (typeof rule.id !== 'string' ||
+            typeof rule.description !== 'string' ||
+            !Array.isArray(rule.regex)) {
+            throw new Error('Invalid scan rule definition');
+        }
+        return {
+            id: rule.id,
+            description: rule.description,
+            patterns: rule.regex.map((literal) => parseRegexLiteral(literal)),
+        };
+    });
+}
+function sanitizeEvidence(evidence) {
+    const collapsed = evidence.replace(/\s+/g, ' ').trim();
+    const redacted = collapsed.replace(/\b[A-Za-z0-9_=-]{16,}\b/g, '[REDACTED]');
+    if (redacted.length <= MAX_EVIDENCE_LENGTH)
+        return redacted;
+    return `${redacted.slice(0, MAX_EVIDENCE_LENGTH)}...`;
+}
+/**
+ * Heurística best-effort (camada 2): um achado isolado é sempre WARN.
+ */
+export function scanHeuristics(content) {
+    if (!content)
+        return [];
+    const rules = compileRules(loadRulesFile());
+    const findings = [];
+    for (const rule of rules) {
+        for (const pattern of rule.patterns) {
+            pattern.lastIndex = 0;
+            const match = pattern.exec(content);
+            if (!match)
+                continue;
+            findings.push({
+                layer: 'scan',
+                severity: 'WARN',
+                rule: rule.id,
+                evidence: sanitizeEvidence(match[0]),
+            });
+            break;
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=scan.js.map

package/dist/guard/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/guard/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAoBzC,MAAM,cAAc,GAAG,iBAAiB,CAAC;AACzC,MAAM,kBAAkB,GAAG,aAAa,CACtC,IAAI,GAAG,CAAC,WAAW,cAAc,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CACtD,CAAC;AACF,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEhC,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,0BAA0B,OAAO,GAAG,CAAC,CAAC;IACxD,CAAC;IACD,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;IAChC,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,CAAC,YAAY;QAAE,OAAO,kBAAkB,CAAC;IAC7C,OAAO,OAAO,CAAC,YAAY,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;IAE1C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,GAAG,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,GAAG,GAAG,MAAiC,CAAC;IAC9C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAC1D,KAAK,EAAE,GAAG,CAAC,KAA0C;KACtD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAmB;IACvC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QAC7B,IACE,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ;YAC3B,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;YACpC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAC1B,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;SAClE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,0BAA0B,EAAE,YAAY,CAAC,CAAC;IAC7E,IAAI,QAAQ,CAAC,MAAM,IAAI,mBAAmB;QAAE,OAAO,QAAQ,CAAC;IAC5D,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,MAAM,KAAK,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,QAAQ,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,MAAM;gBACb,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,IAAI,CAAC,EAAE;gBACb,QAAQ,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;aACrC,CAAC,CAAC;YACH,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/guard/types.d.ts

@@ -0,0 +1,28 @@
+export type GuardVerdict = 'PASS' | 'WARN' | 'FAIL';
+export type ArtifactOrigin = 'human' | 'agent' | 'external';
+export type TrustChannel = 'control' | 'data';
+export interface GuardedArtifact {
+    readonly path: string;
+    readonly origin: ArtifactOrigin;
+    readonly channel: TrustChannel;
+    readonly trust: 'signed' | 'unsigned';
+    readonly taskId?: string;
+    /** sha256 hex */
+    readonly digest: string;
+}
+export interface GuardFinding {
+    readonly layer: 'unicode' | 'scan' | 'provenance';
+    readonly severity: GuardVerdict;
+    readonly rule: string;
+    /** sanitizado (sem vazar segredo) */
+    readonly evidence: string;
+}
+export interface GuardResult {
+    readonly artifact: string;
+    /** pior severidade entre findings */
+    readonly verdict: GuardVerdict;
+    readonly findings: ReadonlyArray<GuardFinding>;
+    /** conteúdo após strip (unicode=strip) */
+    readonly sanitized?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/guard/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/guard/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AACpD,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,OAAO,GAAG,UAAU,CAAC;AAC5D,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,MAAM,CAAC;AAE9C,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,UAAU,CAAC;IACtC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,iBAAiB;IACjB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,GAAG,YAAY,CAAC;IAClD,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,qCAAqC;IACrC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IAC/C,0CAA0C;IAC1C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B"}

package/dist/guard/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/guard/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/guard/types.ts"],"names":[],"mappings":""}

package/dist/guard/unicode.d.ts

@@ -0,0 +1,8 @@
+import type { GuardFinding } from './types.js';
+type UnicodeMode = 'strip' | 'block';
+export declare function auditUnicode(content: string, mode: UnicodeMode): {
+    findings: GuardFinding[];
+    sanitized: string;
+};
+export {};
+//# sourceMappingURL=unicode.d.ts.map

package/dist/guard/unicode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unicode.d.ts","sourceRoot":"","sources":["../../src/guard/unicode.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,KAAK,WAAW,GAAG,OAAO,GAAG,OAAO,CAAC;AAsHrC,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,WAAW,GAChB;IAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAgCjD"}