@dotsetlabs/tollgate 0.1.0

package/dist/analyzers/sql.js

@@ -0,0 +1,455 @@
+import NodeSqlParser from 'node-sql-parser';
+const { Parser } = NodeSqlParser;
+/**
+ * SQL Statement Analyzer
+ *
+ * Classifies SQL statements by risk level:
+ * - read: SELECT statements
+ * - write: INSERT statements
+ * - write/destructive: UPDATE/DELETE with WHERE clause
+ * - dangerous: UPDATE/DELETE without WHERE, DROP, TRUNCATE, ALTER
+ */
+export class SqlAnalyzer {
+    name = 'sql';
+    parser;
+    constructor() {
+        this.parser = new Parser();
+    }
+    analyze(sql, _context) {
+        // First, check for obviously dangerous patterns via regex
+        // (catches cases parser might miss or malformed SQL)
+        const dangerousPatterns = this.checkDangerousPatterns(sql);
+        if (dangerousPatterns) {
+            return dangerousPatterns;
+        }
+        try {
+            const ast = this.parser.astify(sql, { database: 'PostgreSQL' });
+            const statements = Array.isArray(ast) ? ast : [ast];
+            // Analyze all statements and return the highest risk
+            let highestRisk = {
+                risk: 'safe',
+                reason: 'Empty or no-op statement',
+            };
+            for (const stmt of statements) {
+                const result = this.analyzeStatement(stmt);
+                if (this.isHigherRisk(result.risk, highestRisk.risk)) {
+                    highestRisk = result;
+                }
+            }
+            return highestRisk;
+        }
+        catch (error) {
+            // If we can't parse it, be conservative
+            // Sanitize error messages to avoid leaking schema information
+            const sanitizedReason = error instanceof Error
+                ? 'SQL parse error (details hidden for security)'
+                : 'unknown error';
+            return {
+                risk: 'dangerous',
+                reason: `Unable to parse SQL: ${sanitizedReason}`,
+                metadata: { parseError: true },
+            };
+        }
+    }
+    analyzeStatement(stmt) {
+        const statement = stmt;
+        const type = statement.type?.toLowerCase();
+        switch (type) {
+            case 'select':
+                return this.analyzeSelect(statement);
+            case 'insert':
+                return {
+                    risk: 'write',
+                    reason: 'INSERT statement adds new data',
+                    metadata: { statementType: 'insert' },
+                };
+            case 'update':
+                return this.analyzeUpdate(statement);
+            case 'delete':
+                return this.analyzeDelete(statement);
+            case 'drop':
+                return {
+                    risk: 'dangerous',
+                    reason: `DROP statement permanently removes database objects`,
+                    triggers: ['DROP'],
+                    metadata: { statementType: 'drop' },
+                };
+            case 'truncate':
+                return {
+                    risk: 'dangerous',
+                    reason: 'TRUNCATE removes all data from table',
+                    triggers: ['TRUNCATE'],
+                    metadata: { statementType: 'truncate' },
+                };
+            case 'alter':
+                return {
+                    risk: 'destructive',
+                    reason: 'ALTER modifies table structure',
+                    triggers: ['ALTER'],
+                    metadata: { statementType: 'alter' },
+                };
+            case 'create':
+                return {
+                    risk: 'write',
+                    reason: 'CREATE adds new database objects',
+                    metadata: { statementType: 'create' },
+                };
+            case 'grant':
+            case 'revoke':
+                return {
+                    risk: 'dangerous',
+                    reason: `${type.toUpperCase()} modifies database permissions`,
+                    triggers: [type.toUpperCase()],
+                    metadata: { statementType: type },
+                };
+            default:
+                return {
+                    risk: 'write',
+                    reason: `Unknown statement type: ${type}`,
+                    metadata: { statementType: type },
+                };
+        }
+    }
+    analyzeSelect(stmt) {
+        // Check for SELECT INTO (creates new table)
+        const into = stmt.into;
+        if (into && into.expr) {
+            return {
+                risk: 'write',
+                reason: 'SELECT INTO creates a new table',
+                metadata: { statementType: 'select_into' },
+            };
+        }
+        // Check for subqueries that might modify data (rare but possible)
+        // For now, treat SELECT as read-only
+        return {
+            risk: 'read',
+            reason: 'SELECT statement reads data',
+            metadata: { statementType: 'select' },
+        };
+    }
+    analyzeUpdate(stmt) {
+        const where = stmt.where;
+        if (!where) {
+            return {
+                risk: 'dangerous',
+                reason: 'UPDATE without WHERE clause affects ALL rows',
+                triggers: ['UPDATE without WHERE'],
+                metadata: { statementType: 'update', hasWhere: false },
+            };
+        }
+        // Check for always-true conditions like WHERE 1=1
+        if (this.isAlwaysTrueCondition(where)) {
+            return {
+                risk: 'dangerous',
+                reason: 'UPDATE with always-true condition affects ALL rows',
+                triggers: ['UPDATE WHERE 1=1'],
+                metadata: { statementType: 'update', hasWhere: true, alwaysTrue: true },
+            };
+        }
+        return {
+            risk: 'write',
+            reason: 'UPDATE statement modifies existing data',
+            metadata: { statementType: 'update', hasWhere: true },
+        };
+    }
+    analyzeDelete(stmt) {
+        const where = stmt.where;
+        if (!where) {
+            return {
+                risk: 'dangerous',
+                reason: 'DELETE without WHERE clause removes ALL rows',
+                triggers: ['DELETE without WHERE'],
+                metadata: { statementType: 'delete', hasWhere: false },
+            };
+        }
+        // Check for always-true conditions
+        if (this.isAlwaysTrueCondition(where)) {
+            return {
+                risk: 'dangerous',
+                reason: 'DELETE with always-true condition removes ALL rows',
+                triggers: ['DELETE WHERE 1=1'],
+                metadata: { statementType: 'delete', hasWhere: true, alwaysTrue: true },
+            };
+        }
+        return {
+            risk: 'destructive',
+            reason: 'DELETE statement removes data',
+            metadata: { statementType: 'delete', hasWhere: true },
+        };
+    }
+    isAlwaysTrueCondition(where) {
+        const condition = where;
+        // Check for 1=1, true, etc.
+        if (condition.type === 'binary_expr') {
+            const left = condition.left;
+            const right = condition.right;
+            const operator = condition.operator;
+            // 1=1, 'a'='a', etc.
+            if (operator === '=' && left.type === 'number' && right.type === 'number') {
+                if (left.value === right.value)
+                    return true;
+            }
+            // TRUE
+            if (left.type === 'bool' && left.value === true)
+                return true;
+        }
+        return false;
+    }
+    checkDangerousPatterns(sql) {
+        // Normalize SQL by removing comments for more accurate pattern detection
+        const normalizedSql = this.removeComments(sql);
+        // Recursive CTEs can cause infinite loops / DoS
+        if (/WITH\s+RECURSIVE/i.test(normalizedSql)) {
+            return {
+                risk: 'dangerous',
+                reason: 'Recursive CTE detected - can cause infinite loops or resource exhaustion',
+                triggers: ['WITH RECURSIVE'],
+                metadata: { dosRisk: 'recursive_cte' },
+            };
+        }
+        // DoS-prone functions that can cause resource exhaustion
+        const dosPatterns = this.checkDosFunctions(normalizedSql);
+        if (dosPatterns) {
+            return dosPatterns;
+        }
+        // Multiple statements (potential SQL injection)
+        // Count semicolons outside of string literals
+        const semicolonCount = this.countSemicolonsOutsideStrings(sql);
+        if (semicolonCount > 3) {
+            return {
+                risk: 'dangerous',
+                reason: 'Multiple SQL statements detected (potential injection)',
+                triggers: ['multiple statements'],
+            };
+        }
+        // Comment injection patterns
+        if (sql.includes('--') || sql.includes('/*')) {
+            // Check if it's suspicious (comment after quote)
+            // Use bounded character class to prevent ReDoS
+            if (/['"][^'"]{0,1000}--/.test(sql) || /['"][^'"]{0,1000}\/\*/.test(sql)) {
+                return {
+                    risk: 'dangerous',
+                    reason: 'Potential SQL injection pattern detected (comment after string)',
+                    triggers: ['comment injection pattern'],
+                };
+            }
+        }
+        // UNION-based injection (check normalized SQL without comments)
+        if (/UNION\s+(ALL\s+)?SELECT/i.test(normalizedSql)) {
+            return {
+                risk: 'dangerous',
+                reason: 'UNION SELECT pattern detected (potential injection)',
+                triggers: ['UNION SELECT'],
+            };
+        }
+        // System commands
+        if (/xp_cmdshell|exec\s+master|LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE/i.test(normalizedSql)) {
+            return {
+                risk: 'dangerous',
+                reason: 'System command execution pattern detected',
+                triggers: ['system command'],
+            };
+        }
+        // Unbounded CROSS JOIN without LIMIT (cartesian product DoS)
+        // Use normalized SQL to catch comment-based bypass attempts like CROSS/**/JOIN
+        if (/CROSS\s+JOIN/i.test(normalizedSql) && !/LIMIT\s+\d+/i.test(normalizedSql)) {
+            return {
+                risk: 'destructive',
+                reason: 'CROSS JOIN without LIMIT can cause cartesian product explosion',
+                triggers: ['CROSS JOIN without LIMIT'],
+                metadata: { dosRisk: 'unbounded_cross_join' },
+            };
+        }
+        return null;
+    }
+    /**
+     * Remove SQL comments for pattern matching
+     * Handles both -- line comments and /* block comments
+     */
+    removeComments(sql) {
+        let result = '';
+        let i = 0;
+        let inString = false;
+        let stringChar = '';
+        while (i < sql.length) {
+            // Track string literals to avoid removing content inside strings
+            if (!inString && (sql[i] === "'" || sql[i] === '"')) {
+                inString = true;
+                stringChar = sql[i];
+                result += sql[i];
+                i++;
+                continue;
+            }
+            if (inString) {
+                // Check for escape sequence or end of string
+                if (sql[i] === stringChar) {
+                    // Check for escaped quote ('' or "")
+                    if (i + 1 < sql.length && sql[i + 1] === stringChar) {
+                        result += sql[i] + sql[i + 1];
+                        i += 2;
+                        continue;
+                    }
+                    inString = false;
+                }
+                result += sql[i];
+                i++;
+                continue;
+            }
+            // Block comment
+            if (sql[i] === '/' && i + 1 < sql.length && sql[i + 1] === '*') {
+                // Skip until */
+                i += 2;
+                while (i < sql.length - 1 && !(sql[i] === '*' && sql[i + 1] === '/')) {
+                    i++;
+                }
+                i += 2; // Skip */
+                result += ' '; // Replace comment with space to preserve token separation
+                continue;
+            }
+            // Line comment
+            if (sql[i] === '-' && i + 1 < sql.length && sql[i + 1] === '-') {
+                // Skip until end of line
+                while (i < sql.length && sql[i] !== '\n') {
+                    i++;
+                }
+                result += ' '; // Replace comment with space
+                continue;
+            }
+            result += sql[i];
+            i++;
+        }
+        return result;
+    }
+    /**
+     * Count semicolons that are outside of string literals
+     */
+    countSemicolonsOutsideStrings(sql) {
+        let count = 0;
+        let inString = false;
+        let stringChar = '';
+        for (let i = 0; i < sql.length; i++) {
+            const char = sql[i];
+            // Track string literals
+            if (!inString && (char === "'" || char === '"')) {
+                inString = true;
+                stringChar = char;
+                continue;
+            }
+            if (inString) {
+                if (char === stringChar) {
+                    // Check for escaped quote ('' or "")
+                    if (i + 1 < sql.length && sql[i + 1] === stringChar) {
+                        i++; // Skip the escaped quote
+                        continue;
+                    }
+                    inString = false;
+                }
+                continue;
+            }
+            // Count semicolons outside strings
+            if (char === ';') {
+                count++;
+            }
+        }
+        return count;
+    }
+    /**
+     * Check for functions that can cause DoS / resource exhaustion
+     */
+    checkDosFunctions(sql) {
+        // PostgreSQL sleep function - obvious DoS
+        if (/pg_sleep\s*\(/i.test(sql)) {
+            return {
+                risk: 'dangerous',
+                reason: 'pg_sleep() can cause denial of service',
+                triggers: ['pg_sleep()'],
+                metadata: { dosRisk: 'sleep_function' },
+            };
+        }
+        // MySQL sleep
+        if (/\bsleep\s*\(/i.test(sql) && !/pg_sleep/i.test(sql)) {
+            return {
+                risk: 'dangerous',
+                reason: 'SLEEP() can cause denial of service',
+                triggers: ['SLEEP()'],
+                metadata: { dosRisk: 'sleep_function' },
+            };
+        }
+        // PostgreSQL benchmark/waitfor functions
+        if (/waitfor\s+delay/i.test(sql)) {
+            return {
+                risk: 'dangerous',
+                reason: 'WAITFOR DELAY can cause denial of service',
+                triggers: ['WAITFOR DELAY'],
+                metadata: { dosRisk: 'delay_function' },
+            };
+        }
+        // generate_series with large ranges can exhaust memory
+        // Use bounded whitespace to prevent ReDoS
+        const genSeriesMatch = sql.match(/generate_series\s{0,10}\(\s{0,10}(\d+)\s{0,10},\s{0,10}(\d+)/i);
+        if (genSeriesMatch && genSeriesMatch[1] && genSeriesMatch[2]) {
+            const start = parseInt(genSeriesMatch[1], 10);
+            const end = parseInt(genSeriesMatch[2], 10);
+            const range = Math.abs(end - start);
+            // Flag if generating more than 1 million rows
+            if (range > 1000000) {
+                return {
+                    risk: 'dangerous',
+                    reason: `generate_series() with ${range.toLocaleString()} rows can exhaust memory`,
+                    triggers: ['generate_series(large range)'],
+                    metadata: { dosRisk: 'large_generate_series', rowCount: range },
+                };
+            }
+            else if (range > 100000) {
+                return {
+                    risk: 'destructive',
+                    reason: `generate_series() with ${range.toLocaleString()} rows may impact performance`,
+                    triggers: ['generate_series(medium range)'],
+                    metadata: { dosRisk: 'medium_generate_series', rowCount: range },
+                };
+            }
+        }
+        // repeat() with large counts
+        const repeatMatch = sql.match(/repeat\s*\([^,]+,\s*(\d+)\s*\)/i);
+        if (repeatMatch && repeatMatch[1]) {
+            const count = parseInt(repeatMatch[1], 10);
+            if (count > 1000000) {
+                return {
+                    risk: 'dangerous',
+                    reason: `repeat() with count ${count.toLocaleString()} can exhaust memory`,
+                    triggers: ['repeat(large count)'],
+                    metadata: { dosRisk: 'large_repeat', count },
+                };
+            }
+        }
+        // MD5/SHA hash loops (common DoS pattern)
+        if (/md5\s*\(\s*md5\s*\(/i.test(sql) || /sha\d*\s*\(\s*sha\d*\s*\(/i.test(sql)) {
+            return {
+                risk: 'destructive',
+                reason: 'Nested hash functions may indicate DoS attempt',
+                triggers: ['nested hash functions'],
+                metadata: { dosRisk: 'nested_hash' },
+            };
+        }
+        // Large LIMIT values that could fetch too much data
+        const limitMatch = sql.match(/LIMIT\s+(\d+)/i);
+        if (limitMatch && limitMatch[1]) {
+            const limit = parseInt(limitMatch[1], 10);
+            if (limit > 10000000) {
+                return {
+                    risk: 'destructive',
+                    reason: `LIMIT ${limit.toLocaleString()} may transfer excessive data`,
+                    triggers: ['LIMIT(excessive)'],
+                    metadata: { dosRisk: 'large_limit', limit },
+                };
+            }
+        }
+        return null;
+    }
+    isHigherRisk(a, b) {
+        const riskOrder = ['safe', 'read', 'write', 'destructive', 'dangerous'];
+        return riskOrder.indexOf(a) > riskOrder.indexOf(b);
+    }
+}
+//# sourceMappingURL=sql.js.map

package/dist/analyzers/sql.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql.js","sourceRoot":"","sources":["../../src/analyzers/sql.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,MAAM,iBAAiB,CAAC;AAC5C,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC;AAGjC;;;;;;;;GAQG;AACH,MAAM,OAAO,WAAW;IACb,IAAI,GAAG,KAAK,CAAC;IACd,MAAM,CAA8B;IAE5C;QACE,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,CAAC,GAAW,EAAE,QAA0B;QAC7C,0DAA0D;QAC1D,qDAAqD;QACrD,MAAM,iBAAiB,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC;QAC3D,IAAI,iBAAiB,EAAE,CAAC;YACtB,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC;YAChE,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAEpD,qDAAqD;YACrD,IAAI,WAAW,GAAmB;gBAChC,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,0BAA0B;aACnC,CAAC;YAEF,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;gBAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,WAAW,GAAG,MAAM,CAAC;gBACvB,CAAC;YACH,CAAC;YAED,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wCAAwC;YACxC,8DAA8D;YAC9D,MAAM,eAAe,GAAG,KAAK,YAAY,KAAK;gBAC5C,CAAC,CAAC,+CAA+C;gBACjD,CAAC,CAAC,eAAe,CAAC;YACpB,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,wBAAwB,eAAe,EAAE;gBACjD,QAAQ,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aAC/B,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,IAAa;QACpC,MAAM,SAAS,GAAG,IAA+B,CAAC;QAClD,MAAM,IAAI,GAAI,SAAS,CAAC,IAAe,EAAE,WAAW,EAAE,CAAC;QAEvD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YAEvC,KAAK,QAAQ;gBACX,OAAO;oBACL,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,gCAAgC;oBACxC,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE;iBACtC,CAAC;YAEJ,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YAEvC,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YAEvC,KAAK,MAAM;gBACT,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,qDAAqD;oBAC7D,QAAQ,EAAE,CAAC,MAAM,CAAC;oBAClB,QAAQ,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE;iBACpC,CAAC;YAEJ,KAAK,UAAU;gBACb,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,sCAAsC;oBAC9C,QAAQ,EAAE,CAAC,UAAU,CAAC;oBACtB,QAAQ,EAAE,EAAE,aAAa,EAAE,UAAU,EAAE;iBACxC,CAAC;YAEJ,KAAK,OAAO;gBACV,OAAO;oBACL,IAAI,EAAE,aAAa;oBACnB,MAAM,EAAE,gCAAgC;oBACxC,QAAQ,EAAE,CAAC,OAAO,CAAC;oBACnB,QAAQ,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE;iBACrC,CAAC;YAEJ,KAAK,QAAQ;gBACX,OAAO;oBACL,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,kCAAkC;oBAC1C,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE;iBACtC,CAAC;YAEJ,KAAK,OAAO,CAAC;YACb,KAAK,QAAQ;gBACX,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,EAAE,gCAAgC;oBAC7D,QAAQ,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC9B,QAAQ,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;iBAClC,CAAC;YAEJ;gBACE,OAAO;oBACL,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,2BAA2B,IAAI,EAAE;oBACzC,QAAQ,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;iBAClC,CAAC;QACN,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,IAA6B;QACjD,4CAA4C;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,IAA2C,CAAC;QAC9D,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACtB,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,iCAAiC;gBACzC,QAAQ,EAAE,EAAE,aAAa,EAAE,aAAa,EAAE;aAC3C,CAAC;QACJ,CAAC;QAED,kEAAkE;QAClE,qCAAqC;QACrC,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,6BAA6B;YACrC,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE;SACtC,CAAC;IACJ,CAAC;IAEO,aAAa,CAAC,IAA6B;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAEzB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,8CAA8C;gBACtD,QAAQ,EAAE,CAAC,sBAAsB,CAAC;gBAClC,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE;aACvD,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,oDAAoD;gBAC5D,QAAQ,EAAE,CAAC,kBAAkB,CAAC;gBAC9B,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;aACxE,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,yCAAyC;YACjD,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;SACtD,CAAC;IACJ,CAAC;IAEO,aAAa,CAAC,IAA6B;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAEzB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,8CAA8C;gBACtD,QAAQ,EAAE,CAAC,sBAAsB,CAAC;gBAClC,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE;aACvD,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,oDAAoD;gBAC5D,QAAQ,EAAE,CAAC,kBAAkB,CAAC;gBAC9B,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;aACxE,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,+BAA+B;YACvC,QAAQ,EAAE,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE;SACtD,CAAC;IACJ,CAAC;IAEO,qBAAqB,CAAC,KAAc;QAC1C,MAAM,SAAS,GAAG,KAAgC,CAAC;QAEnD,4BAA4B;QAC5B,IAAI,SAAS,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,SAAS,CAAC,IAA+B,CAAC;YACvD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAgC,CAAC;YACzD,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAkB,CAAC;YAE9C,qBAAqB;YACrB,IAAI,QAAQ,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC1E,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK;oBAAE,OAAO,IAAI,CAAC;YAC9C,CAAC;YAED,OAAO;YACP,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;QAC/D,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,sBAAsB,CAAC,GAAW;QACxC,yEAAyE;QACzE,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAE/C,gDAAgD;QAChD,IAAI,mBAAmB,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YAC5C,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,0EAA0E;gBAClF,QAAQ,EAAE,CAAC,gBAAgB,CAAC;gBAC5B,QAAQ,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE;aACvC,CAAC;QACJ,CAAC;QAED,yDAAyD;QACzD,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC;QAC1D,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,gDAAgD;QAChD,8CAA8C;QAC9C,MAAM,cAAc,GAAG,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;QAC/D,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,wDAAwD;gBAChE,QAAQ,EAAE,CAAC,qBAAqB,CAAC;aAClC,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7C,iDAAiD;YACjD,+CAA+C;YAC/C,IAAI,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzE,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,iEAAiE;oBACzE,QAAQ,EAAE,CAAC,2BAA2B,CAAC;iBACxC,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,0BAA0B,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,qDAAqD;gBAC7D,QAAQ,EAAE,CAAC,cAAc,CAAC;aAC3B,CAAC;QACJ,CAAC;QAED,kBAAkB;QAClB,IAAI,qEAAqE,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9F,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,2CAA2C;gBACnD,QAAQ,EAAE,CAAC,gBAAgB,CAAC;aAC7B,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,+EAA+E;QAC/E,IAAI,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YAC/E,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,gEAAgE;gBACxE,QAAQ,EAAE,CAAC,0BAA0B,CAAC;gBACtC,QAAQ,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE;aAC9C,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACK,cAAc,CAAC,GAAW;QAChC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,UAAU,GAAG,EAAE,CAAC;QAEpB,OAAO,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;YACtB,iEAAiE;YACjE,IAAI,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBACpD,QAAQ,GAAG,IAAI,CAAC;gBAChB,UAAU,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;gBACpB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjB,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,6CAA6C;gBAC7C,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;oBAC1B,qCAAqC;oBACrC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;wBACpD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBAC9B,CAAC,IAAI,CAAC,CAAC;wBACP,SAAS;oBACX,CAAC;oBACD,QAAQ,GAAG,KAAK,CAAC;gBACnB,CAAC;gBACD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjB,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,gBAAgB;YAChB,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC/D,gBAAgB;gBAChB,CAAC,IAAI,CAAC,CAAC;gBACP,OAAO,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;oBACrE,CAAC,EAAE,CAAC;gBACN,CAAC;gBACD,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU;gBAClB,MAAM,IAAI,GAAG,CAAC,CAAC,0DAA0D;gBACzE,SAAS;YACX,CAAC;YAED,eAAe;YACf,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC/D,yBAAyB;gBACzB,OAAO,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACzC,CAAC,EAAE,CAAC;gBACN,CAAC;gBACD,MAAM,IAAI,GAAG,CAAC,CAAC,6BAA6B;gBAC5C,SAAS;YACX,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC,EAAE,CAAC;QACN,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,6BAA6B,CAAC,GAAW;QAC/C,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,UAAU,GAAG,EAAE,CAAC;QAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;YAEpB,wBAAwB;YACxB,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;gBAChD,QAAQ,GAAG,IAAI,CAAC;gBAChB,UAAU,GAAG,IAAI,CAAC;gBAClB,SAAS;YACX,CAAC;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;oBACxB,qCAAqC;oBACrC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;wBACpD,CAAC,EAAE,CAAC,CAAC,yBAAyB;wBAC9B,SAAS;oBACX,CAAC;oBACD,QAAQ,GAAG,KAAK,CAAC;gBACnB,CAAC;gBACD,SAAS;YACX,CAAC;YAED,mCAAmC;YACnC,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBACjB,KAAK,EAAE,CAAC;YACV,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,GAAW;QACnC,0CAA0C;QAC1C,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,wCAAwC;gBAChD,QAAQ,EAAE,CAAC,YAAY,CAAC;gBACxB,QAAQ,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,cAAc;QACd,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACxD,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,qCAAqC;gBAC7C,QAAQ,EAAE,CAAC,SAAS,CAAC;gBACrB,QAAQ,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,2CAA2C;gBACnD,QAAQ,EAAE,CAAC,eAAe,CAAC;gBAC3B,QAAQ,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE;aACxC,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,0CAA0C;QAC1C,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,CAAC,+DAA+D,CAAC,CAAC;QAClG,IAAI,cAAc,IAAI,cAAc,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,MAAM,KAAK,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;YACpC,8CAA8C;YAC9C,IAAI,KAAK,GAAG,OAAO,EAAE,CAAC;gBACpB,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,0BAA0B,KAAK,CAAC,cAAc,EAAE,0BAA0B;oBAClF,QAAQ,EAAE,CAAC,8BAA8B,CAAC;oBAC1C,QAAQ,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,KAAK,EAAE;iBAChE,CAAC;YACJ,CAAC;iBAAM,IAAI,KAAK,GAAG,MAAM,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI,EAAE,aAAa;oBACnB,MAAM,EAAE,0BAA0B,KAAK,CAAC,cAAc,EAAE,8BAA8B;oBACtF,QAAQ,EAAE,CAAC,+BAA+B,CAAC;oBAC3C,QAAQ,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,KAAK,EAAE;iBACjE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjE,IAAI,WAAW,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC3C,IAAI,KAAK,GAAG,OAAO,EAAE,CAAC;gBACpB,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,uBAAuB,KAAK,CAAC,cAAc,EAAE,qBAAqB;oBAC1E,QAAQ,EAAE,CAAC,qBAAqB,CAAC;oBACjC,QAAQ,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE;iBAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,4BAA4B,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/E,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,gDAAgD;gBACxD,QAAQ,EAAE,CAAC,uBAAuB,CAAC;gBACnC,QAAQ,EAAE,EAAE,OAAO,EAAE,aAAa,EAAE;aACrC,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC/C,IAAI,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1C,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;gBACrB,OAAO;oBACL,IAAI,EAAE,aAAa;oBACnB,MAAM,EAAE,SAAS,KAAK,CAAC,cAAc,EAAE,8BAA8B;oBACrE,QAAQ,EAAE,CAAC,kBAAkB,CAAC;oBAC9B,QAAQ,EAAE,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE;iBAC5C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,YAAY,CAAC,CAAyB,EAAE,CAAyB;QACvE,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;QACxE,OAAO,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;CACF"}

package/dist/analyzers/types.d.ts

@@ -0,0 +1,117 @@
+/**
+ * Content Analyzer Type Definitions
+ *
+ * This module defines the types for Tollgate's smart content analysis system.
+ * Analyzers examine tool arguments to determine risk levels, enabling
+ * context-aware policy decisions.
+ *
+ * Built-in analyzers:
+ * - **SQL**: Parses SQL queries to detect reads, writes, and destructive operations
+ * - **Filesystem**: Analyzes file paths for sensitive or dangerous locations
+ * - **Shell**: Detects dangerous shell command patterns
+ * - **HTTP**: Prevents SSRF attacks by analyzing URLs, methods, and headers
+ *
+ * @example
+ * ```typescript
+ * import type { ContentAnalyzer, AnalysisResult, RiskLevel } from './types.js';
+ *
+ * class CustomAnalyzer implements ContentAnalyzer {
+ *   readonly name = 'custom';
+ *
+ *   analyze(content: string): AnalysisResult {
+ *     return {
+ *       risk: 'safe',
+ *       reason: 'Content passed custom validation'
+ *     };
+ *   }
+ * }
+ * ```
+ *
+ * @module analyzers/types
+ */
+/**
+ * Risk levels for analyzed content.
+ *
+ * Risk levels form a hierarchy from lowest to highest risk:
+ * 1. `safe` - No risk, proceed automatically
+ * 2. `read` - Read-only operation, typically safe
+ * 3. `write` - Modifies data, may need approval
+ * 4. `destructive` - Removes/deletes data, should prompt
+ * 5. `dangerous` - High risk, should deny or require explicit approval
+ */
+export type RiskLevel = 'safe' | 'read' | 'write' | 'destructive' | 'dangerous';
+/**
+ * Result of content analysis.
+ *
+ * Contains the risk assessment along with supporting information
+ * for audit logging and user display.
+ */
+export interface AnalysisResult {
+    /** The determined risk level */
+    risk: RiskLevel;
+    /** Human-readable reason for the classification */
+    reason: string;
+    /** Specific patterns or elements that triggered the classification */
+    triggers?: string[];
+    /** Additional metadata about the analysis */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Interface for content analyzers.
+ *
+ * All analyzers must implement this interface. Analyzers are stateless
+ * and should be safe to call concurrently.
+ */
+export interface ContentAnalyzer {
+    /** Unique identifier for this analyzer */
+    readonly name: string;
+    /** Analyze content and return risk assessment */
+    analyze(content: string, context?: AnalyzerContext): AnalysisResult;
+}
+/**
+ * Context provided to analyzers for more informed decisions.
+ *
+ * Provides additional information about the request that may
+ * influence the risk assessment.
+ */
+export interface AnalyzerContext {
+    /** The tool being called */
+    tool?: string;
+    /** The server name */
+    server?: string;
+    /** Additional arguments that might inform analysis */
+    args?: Record<string, unknown>;
+}
+/**
+ * Mapping from risk levels to policy actions.
+ *
+ * Used in smart policies to define how each risk level should be handled.
+ * Unspecified levels fall back to DEFAULT_RISK_MAPPING.
+ *
+ * @example
+ * ```typescript
+ * const strictMapping: RiskMapping = {
+ *   safe: 'allow',
+ *   read: 'allow',
+ *   write: 'prompt',
+ *   destructive: 'deny',  // Stricter than default
+ *   dangerous: 'deny'
+ * };
+ * ```
+ */
+export interface RiskMapping {
+    safe?: 'allow' | 'prompt' | 'deny';
+    read?: 'allow' | 'prompt' | 'deny';
+    write?: 'allow' | 'prompt' | 'deny';
+    destructive?: 'allow' | 'prompt' | 'deny';
+    dangerous?: 'allow' | 'prompt' | 'deny';
+}
+/**
+ * Default risk mapping with sensible security defaults.
+ *
+ * - Safe and read operations are allowed automatically
+ * - Write and destructive operations require user approval
+ * - Dangerous operations are denied by default
+ */
+export declare const DEFAULT_RISK_MAPPING: Required<RiskMapping>;
+//# sourceMappingURL=types.d.ts.map

package/dist/analyzers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/analyzers/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAMH;;;;;;;;;GASG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,aAAa,GAAG,WAAW,CAAC;AAEhF;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,IAAI,EAAE,SAAS,CAAC;IAEhB,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC;IAEf,sEAAsE;IACtE,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IAEpB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAMD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,iDAAiD;IACjD,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,cAAc,CAAC;CACrE;AAED;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,sBAAsB;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,sDAAsD;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;IACnC,IAAI,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;IACnC,KAAK,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,WAAW,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC1C,SAAS,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;CACzC;AAED;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE,QAAQ,CAAC,WAAW,CAMtD,CAAC"}

package/dist/analyzers/types.js

@@ -0,0 +1,46 @@
+/**
+ * Content Analyzer Type Definitions
+ *
+ * This module defines the types for Tollgate's smart content analysis system.
+ * Analyzers examine tool arguments to determine risk levels, enabling
+ * context-aware policy decisions.
+ *
+ * Built-in analyzers:
+ * - **SQL**: Parses SQL queries to detect reads, writes, and destructive operations
+ * - **Filesystem**: Analyzes file paths for sensitive or dangerous locations
+ * - **Shell**: Detects dangerous shell command patterns
+ * - **HTTP**: Prevents SSRF attacks by analyzing URLs, methods, and headers
+ *
+ * @example
+ * ```typescript
+ * import type { ContentAnalyzer, AnalysisResult, RiskLevel } from './types.js';
+ *
+ * class CustomAnalyzer implements ContentAnalyzer {
+ *   readonly name = 'custom';
+ *
+ *   analyze(content: string): AnalysisResult {
+ *     return {
+ *       risk: 'safe',
+ *       reason: 'Content passed custom validation'
+ *     };
+ *   }
+ * }
+ * ```
+ *
+ * @module analyzers/types
+ */
+/**
+ * Default risk mapping with sensible security defaults.
+ *
+ * - Safe and read operations are allowed automatically
+ * - Write and destructive operations require user approval
+ * - Dangerous operations are denied by default
+ */
+export const DEFAULT_RISK_MAPPING = {
+    safe: 'allow',
+    read: 'allow',
+    write: 'prompt',
+    destructive: 'prompt',
+    dangerous: 'deny',
+};
+//# sourceMappingURL=types.js.map

package/dist/analyzers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/analyzers/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAsGH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAA0B;IACzD,IAAI,EAAE,OAAO;IACb,IAAI,EAAE,OAAO;IACb,KAAK,EAAE,QAAQ;IACf,WAAW,EAAE,QAAQ;IACrB,SAAS,EAAE,MAAM;CAClB,CAAC"}