npm - @eddacraft/anvil-runtime - Versions diffs - 0.1.0 - Mend

@eddacraft/anvil-runtime 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/LICENSE +14 -0
package/dist/cache/cache-key.d.ts +45 -0
package/dist/cache/cache-key.d.ts.map +1 -0
package/dist/cache/cache-key.js +135 -0
package/dist/cache/index.d.ts +27 -0
package/dist/cache/index.d.ts.map +1 -0
package/dist/cache/index.js +38 -0
package/dist/cache/providers/file-cache.d.ts +63 -0
package/dist/cache/providers/file-cache.d.ts.map +1 -0
package/dist/cache/providers/file-cache.js +369 -0
package/dist/cache/providers/memory-cache.d.ts +52 -0
package/dist/cache/providers/memory-cache.d.ts.map +1 -0
package/dist/cache/providers/memory-cache.js +197 -0
package/dist/cache/providers/null-cache.d.ts +26 -0
package/dist/cache/providers/null-cache.d.ts.map +1 -0
package/dist/cache/providers/null-cache.js +50 -0
package/dist/cache/types.d.ts +114 -0
package/dist/cache/types.d.ts.map +1 -0
package/dist/cache/types.js +4 -0
package/dist/concurrency/agent.d.ts +137 -0
package/dist/concurrency/agent.d.ts.map +1 -0
package/dist/concurrency/agent.js +440 -0
package/dist/concurrency/atomic.d.ts +93 -0
package/dist/concurrency/atomic.d.ts.map +1 -0
package/dist/concurrency/atomic.js +281 -0
package/dist/concurrency/git-agent.d.ts +114 -0
package/dist/concurrency/git-agent.d.ts.map +1 -0
package/dist/concurrency/git-agent.js +313 -0
package/dist/concurrency/index.d.ts +95 -0
package/dist/concurrency/index.d.ts.map +1 -0
package/dist/concurrency/index.js +127 -0
package/dist/concurrency/lock-manager.d.ts +170 -0
package/dist/concurrency/lock-manager.d.ts.map +1 -0
package/dist/concurrency/lock-manager.js +525 -0
package/dist/concurrency/queue-manager.d.ts +166 -0
package/dist/concurrency/queue-manager.d.ts.map +1 -0
package/dist/concurrency/queue-manager.js +442 -0
package/dist/concurrency/types.d.ts +382 -0
package/dist/concurrency/types.d.ts.map +1 -0
package/dist/concurrency/types.js +204 -0
package/dist/export/constraint-collector.d.ts +175 -0
package/dist/export/constraint-collector.d.ts.map +1 -0
package/dist/export/constraint-collector.js +203 -0
package/dist/export/formatters/llms-txt-formatter.d.ts +89 -0
package/dist/export/formatters/llms-txt-formatter.d.ts.map +1 -0
package/dist/export/formatters/llms-txt-formatter.js +249 -0
package/dist/export/formatters/mcp-resource-formatter.d.ts +186 -0
package/dist/export/formatters/mcp-resource-formatter.d.ts.map +1 -0
package/dist/export/formatters/mcp-resource-formatter.js +139 -0
package/dist/export/formatters/prompt-formatter.d.ts +83 -0
package/dist/export/formatters/prompt-formatter.d.ts.map +1 -0
package/dist/export/formatters/prompt-formatter.js +256 -0
package/dist/export/index.d.ts +10 -0
package/dist/export/index.d.ts.map +1 -0
package/dist/export/index.js +9 -0
package/dist/gate/check.interface.d.ts +15 -0
package/dist/gate/check.interface.d.ts.map +1 -0
package/dist/gate/check.interface.js +18 -0
package/dist/gate/checks/antipattern.check.d.ts +27 -0
package/dist/gate/checks/antipattern.check.d.ts.map +1 -0
package/dist/gate/checks/antipattern.check.js +140 -0
package/dist/gate/checks/architecture/circular-detector.d.ts +33 -0
package/dist/gate/checks/architecture/circular-detector.d.ts.map +1 -0
package/dist/gate/checks/architecture/circular-detector.js +71 -0
package/dist/gate/checks/architecture/dependency-analyzer.d.ts +81 -0
package/dist/gate/checks/architecture/dependency-analyzer.d.ts.map +1 -0
package/dist/gate/checks/architecture/dependency-analyzer.js +136 -0
package/dist/gate/checks/architecture/layer-validator.d.ts +75 -0
package/dist/gate/checks/architecture/layer-validator.d.ts.map +1 -0
package/dist/gate/checks/architecture/layer-validator.js +193 -0
package/dist/gate/checks/architecture.check.d.ts +56 -0
package/dist/gate/checks/architecture.check.d.ts.map +1 -0
package/dist/gate/checks/architecture.check.js +394 -0
package/dist/gate/checks/command-safety.check.d.ts +12 -0
package/dist/gate/checks/command-safety.check.d.ts.map +1 -0
package/dist/gate/checks/command-safety.check.js +230 -0
package/dist/gate/checks/coverage.check.d.ts +9 -0
package/dist/gate/checks/coverage.check.d.ts.map +1 -0
package/dist/gate/checks/coverage.check.js +81 -0
package/dist/gate/checks/dependency.check.d.ts +17 -0
package/dist/gate/checks/dependency.check.d.ts.map +1 -0
package/dist/gate/checks/dependency.check.js +342 -0
package/dist/gate/checks/eslint.check.d.ts +14 -0
package/dist/gate/checks/eslint.check.d.ts.map +1 -0
package/dist/gate/checks/eslint.check.js +79 -0
package/dist/gate/checks/policy.check.d.ts +78 -0
package/dist/gate/checks/policy.check.d.ts.map +1 -0
package/dist/gate/checks/policy.check.js +457 -0
package/dist/gate/checks/secret/entropy-detector.d.ts +44 -0
package/dist/gate/checks/secret/entropy-detector.d.ts.map +1 -0
package/dist/gate/checks/secret/entropy-detector.js +76 -0
package/dist/gate/checks/secret/git-scanner.d.ts +36 -0
package/dist/gate/checks/secret/git-scanner.d.ts.map +1 -0
package/dist/gate/checks/secret/git-scanner.js +90 -0
package/dist/gate/checks/secret/secret-patterns.d.ts +42 -0
package/dist/gate/checks/secret/secret-patterns.d.ts.map +1 -0
package/dist/gate/checks/secret/secret-patterns.js +137 -0
package/dist/gate/checks/secret.check.d.ts +56 -0
package/dist/gate/checks/secret.check.d.ts.map +1 -0
package/dist/gate/checks/secret.check.js +245 -0
package/dist/gate/config/command-safety-config.d.ts +5 -0
package/dist/gate/config/command-safety-config.d.ts.map +1 -0
package/dist/gate/config/command-safety-config.js +69 -0
package/dist/gate/config/index.d.ts +2 -0
package/dist/gate/config/index.d.ts.map +1 -0
package/dist/gate/config/index.js +1 -0
package/dist/gate/formatters/command-safety-formatter.d.ts +10 -0
package/dist/gate/formatters/command-safety-formatter.d.ts.map +1 -0
package/dist/gate/formatters/command-safety-formatter.js +64 -0
package/dist/gate/formatters/index.d.ts +2 -0
package/dist/gate/formatters/index.d.ts.map +1 -0
package/dist/gate/formatters/index.js +1 -0
package/dist/gate/gate-config.d.ts +44 -0
package/dist/gate/gate-config.d.ts.map +1 -0
package/dist/gate/gate-config.js +334 -0
package/dist/gate/gate-runner.d.ts +160 -0
package/dist/gate/gate-runner.d.ts.map +1 -0
package/dist/gate/gate-runner.js +531 -0
package/dist/gate/index.d.ts +20 -0
package/dist/gate/index.d.ts.map +1 -0
package/dist/gate/index.js +14 -0
package/dist/gate/parsers/command-parser.d.ts +18 -0
package/dist/gate/parsers/command-parser.d.ts.map +1 -0
package/dist/gate/parsers/command-parser.js +363 -0
package/dist/gate/parsers/index.d.ts +2 -0
package/dist/gate/parsers/index.d.ts.map +1 -0
package/dist/gate/parsers/index.js +1 -0
package/dist/gate/policy/index.d.ts +12 -0
package/dist/gate/policy/index.d.ts.map +1 -0
package/dist/gate/policy/index.js +10 -0
package/dist/gate/rules/default-filesystem-rules.d.ts +3 -0
package/dist/gate/rules/default-filesystem-rules.d.ts.map +1 -0
package/dist/gate/rules/default-filesystem-rules.js +201 -0
package/dist/gate/rules/default-git-rules.d.ts +3 -0
package/dist/gate/rules/default-git-rules.d.ts.map +1 -0
package/dist/gate/rules/default-git-rules.js +192 -0
package/dist/gate/rules/index.d.ts +5 -0
package/dist/gate/rules/index.d.ts.map +1 -0
package/dist/gate/rules/index.js +3 -0
package/dist/gate/rules/rule-matcher.d.ts +27 -0
package/dist/gate/rules/rule-matcher.d.ts.map +1 -0
package/dist/gate/rules/rule-matcher.js +228 -0
package/dist/gate/rules/types.d.ts +250 -0
package/dist/gate/rules/types.d.ts.map +1 -0
package/dist/gate/rules/types.js +1 -0
package/dist/index.d.ts +19 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +35 -0
package/dist/types/gate.types.d.ts +42 -0
package/dist/types/gate.types.d.ts.map +1 -0
package/dist/types/gate.types.js +94 -0
package/dist/watch/debouncer.d.ts +90 -0
package/dist/watch/debouncer.d.ts.map +1 -0
package/dist/watch/debouncer.js +135 -0
package/dist/watch/file-watcher.d.ts +73 -0
package/dist/watch/file-watcher.d.ts.map +1 -0
package/dist/watch/file-watcher.js +121 -0
package/dist/watch/git-status.d.ts +98 -0
package/dist/watch/git-status.d.ts.map +1 -0
package/dist/watch/git-status.js +266 -0
package/dist/watch/index.d.ts +16 -0
package/dist/watch/index.d.ts.map +1 -0
package/dist/watch/index.js +15 -0
package/dist/watch/orchestrator.d.ts +113 -0
package/dist/watch/orchestrator.d.ts.map +1 -0
package/dist/watch/orchestrator.js +409 -0
package/dist/watch/types.d.ts +190 -0
package/dist/watch/types.d.ts.map +1 -0
package/dist/watch/types.js +76 -0
package/package.json +60 -0

package/dist/gate/rules/default-git-rules.js ADDED Viewed

@@ -0,0 +1,192 @@
+export const DEFAULT_GIT_RULES = [
+    {
+        id: 'git-reset-hard',
+        category: 'git',
+        command: 'git',
+        subcommand: 'reset',
+        flags: { dangerous: ['--hard'] },
+        action: 'block',
+        severity: 'error',
+        reason: 'git reset --hard permanently destroys uncommitted changes',
+        suggestion: 'Use "git stash" first to preserve your work, or "git reset --soft" for a safer alternative',
+        references: [
+            'https://git-scm.com/docs/git-reset',
+            'https://ohshitgit.com/#accidental-commit-wrong-branch',
+        ],
+    },
+    {
+        id: 'git-reset-merge',
+        category: 'git',
+        command: 'git',
+        subcommand: 'reset',
+        flags: { dangerous: ['--merge'] },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git reset --merge can lose uncommitted changes during conflict resolution',
+        suggestion: 'Ensure all changes are committed or stashed before using --merge',
+    },
+    {
+        id: 'git-checkout-discard',
+        category: 'git',
+        command: 'git',
+        subcommand: 'checkout',
+        flags: { dangerous: ['--'] },
+        action: 'block',
+        severity: 'error',
+        reason: 'git checkout -- discards uncommitted changes permanently',
+        suggestion: 'Use "git stash" to preserve changes, or "git diff" to review first',
+        references: ['https://git-scm.com/docs/git-checkout'],
+    },
+    {
+        id: 'git-checkout-all',
+        category: 'git',
+        command: 'git',
+        subcommand: 'checkout',
+        args: { pattern: /^\.$/ },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git checkout . discards all uncommitted changes in the working tree',
+        suggestion: 'Use "git stash" to preserve changes, or "git diff" to review first',
+    },
+    {
+        id: 'git-restore-worktree',
+        category: 'git',
+        command: 'git',
+        subcommand: 'restore',
+        flags: { forbidden: ['--staged'] },
+        action: 'block',
+        severity: 'error',
+        reason: 'git restore discards uncommitted changes permanently',
+        suggestion: 'Use "git stash" first, or "git restore --staged" to only unstage',
+    },
+    {
+        id: 'git-clean-force',
+        category: 'git',
+        command: 'git',
+        subcommand: 'clean',
+        flags: { dangerous: ['-f', '--force'], forbidden: ['-n', '--dry-run'] },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git clean -f permanently removes untracked files',
+        suggestion: 'Preview with "git clean -n" (dry-run) first',
+    },
+    {
+        id: 'git-push-force',
+        category: 'git',
+        command: 'git',
+        subcommand: 'push',
+        flags: { dangerous: ['-f', '--force'], forbidden: ['--force-with-lease'] },
+        action: 'block',
+        severity: 'error',
+        reason: 'git push --force rewrites remote history and can cause data loss for collaborators',
+        suggestion: 'Use "git push --force-with-lease" for safer force pushing, or coordinate with your team',
+        references: [
+            'https://git-scm.com/docs/git-push#Documentation/git-push.txt---force-with-leaseltrefnamegt',
+        ],
+    },
+    {
+        id: 'git-branch-force-delete',
+        category: 'git',
+        command: 'git',
+        subcommand: 'branch',
+        flags: { dangerous: ['-D'] },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git branch -D force-deletes branches without merge verification',
+        suggestion: 'Use "git branch -d" for safe deletion with merge checks',
+    },
+    {
+        id: 'git-stash-drop',
+        category: 'git',
+        command: 'git',
+        subcommand: 'stash',
+        args: { pattern: /^drop$/, position: 0 },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git stash drop permanently deletes stashed changes',
+        suggestion: 'Review stashed changes with "git stash show -p" before dropping',
+    },
+    {
+        id: 'git-stash-clear',
+        category: 'git',
+        command: 'git',
+        subcommand: 'stash',
+        args: { pattern: /^clear$/, position: 0 },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git stash clear permanently deletes all stashed changes',
+        suggestion: 'Review stashes with "git stash list" before clearing',
+    },
+    {
+        id: 'git-rebase-abort',
+        category: 'git',
+        command: 'git',
+        subcommand: 'rebase',
+        flags: { dangerous: ['--abort'] },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git rebase --abort discards rebase progress',
+        suggestion: 'Ensure you want to discard all rebase progress before aborting',
+    },
+    {
+        id: 'git-merge-abort',
+        category: 'git',
+        command: 'git',
+        subcommand: 'merge',
+        flags: { dangerous: ['--abort'] },
+        action: 'warn',
+        severity: 'warning',
+        reason: 'git merge --abort discards merge progress',
+        suggestion: 'Ensure you want to discard all merge progress before aborting',
+    },
+    {
+        id: 'git-checkout-branch',
+        category: 'git',
+        command: 'git',
+        subcommand: 'checkout',
+        flags: { required: ['-b', '-B', '--orphan'] },
+        action: 'allow',
+        severity: 'info',
+        reason: 'Branch creation is a safe operation',
+    },
+    {
+        id: 'git-restore-staged',
+        category: 'git',
+        command: 'git',
+        subcommand: 'restore',
+        flags: { required: ['--staged'] },
+        action: 'allow',
+        severity: 'info',
+        reason: 'Unstaging changes is a safe operation',
+    },
+    {
+        id: 'git-push-force-with-lease',
+        category: 'git',
+        command: 'git',
+        subcommand: 'push',
+        flags: { required: ['--force-with-lease'] },
+        action: 'allow',
+        severity: 'info',
+        reason: 'Force-with-lease is a safer alternative to --force',
+    },
+    {
+        id: 'git-branch-safe-delete',
+        category: 'git',
+        command: 'git',
+        subcommand: 'branch',
+        flags: { required: ['-d'], forbidden: ['-D'] },
+        action: 'allow',
+        severity: 'info',
+        reason: 'Safe branch deletion with merge verification',
+    },
+    {
+        id: 'git-clean-dry-run',
+        category: 'git',
+        command: 'git',
+        subcommand: 'clean',
+        flags: { required: ['-n', '--dry-run'] },
+        action: 'allow',
+        severity: 'info',
+        reason: 'Dry-run preview is safe',
+    },
+];

package/dist/gate/rules/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export type { CommandCategory, CommandAction, CommandSeverity, CommandFlagConfig, CommandArgConfig, CommandConditions, CommandRule, CommandRuleset, ParsedCommand, CommandAnalysisResult, CommandAnalysisSummary, CommandRuleOverride, CommandRulesConfig, WorkingDirectoryConfig, CommandSafetyOutputConfig, CommandSafetyConfig, ResolvedCommandSafetyConfig, CommandSafetyFinding, CommandSafetyDetails, } from './types.js';
+export { findMatchingRule, analyseCommand, calculateSpecificity, RuleMatcher, } from './rule-matcher.js';
+export { DEFAULT_GIT_RULES } from './default-git-rules.js';
+export { DEFAULT_FILESYSTEM_RULES } from './default-filesystem-rules.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/gate/rules/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/gate/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,eAAe,EACf,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,WAAW,EACX,cAAc,EACd,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,mBAAmB,EACnB,2BAA2B,EAC3B,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/gate/rules/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+export { findMatchingRule, analyseCommand, calculateSpecificity, RuleMatcher, } from './rule-matcher.js';
+export { DEFAULT_GIT_RULES } from './default-git-rules.js';
+export { DEFAULT_FILESYSTEM_RULES } from './default-filesystem-rules.js';

package/dist/gate/rules/rule-matcher.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { CommandRule, ParsedCommand, CommandAnalysisResult, WorkingDirectoryConfig } from './types.js';
+export interface MatcherContext {
+    strict?: boolean;
+    workingDirectory?: WorkingDirectoryConfig;
+    cwd?: string;
+}
+declare function calculateSpecificity(rule: CommandRule): number;
+export declare function findMatchingRule(parsed: ParsedCommand, rules: CommandRule[], context?: MatcherContext): CommandRule | undefined;
+export declare function analyseCommand(command: string, parsed: ParsedCommand, rules: CommandRule[], context?: MatcherContext): CommandAnalysisResult;
+export declare class RuleMatcher {
+    private rules;
+    private context?;
+    constructor(rules?: CommandRule[], context?: MatcherContext);
+    setContext(context: MatcherContext): void;
+    addRule(rule: CommandRule): void;
+    addRules(rules: CommandRule[]): void;
+    setRules(rules: CommandRule[]): void;
+    getRules(): CommandRule[];
+    findMatchingRule(parsed: ParsedCommand, context?: MatcherContext): CommandRule | undefined;
+    analyse(command: string, parsed: ParsedCommand, context?: MatcherContext): CommandAnalysisResult;
+    analyseMultiple(commands: Array<{
+        command: string;
+        parsed: ParsedCommand;
+    }>, context?: MatcherContext): CommandAnalysisResult[];
+}
+export { calculateSpecificity };
+//# sourceMappingURL=rule-matcher.d.ts.map

package/dist/gate/rules/rule-matcher.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rule-matcher.d.ts","sourceRoot":"","sources":["../../../src/gate/rules/rule-matcher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,aAAa,EACb,qBAAqB,EACrB,sBAAsB,EACvB,MAAM,YAAY,CAAC;AAKpB,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAOD,iBAAS,oBAAoB,CAAC,IAAI,EAAE,WAAW,GAAG,MAAM,CAuBvD;AA0KD,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,CAAC,EAAE,cAAc,GACvB,WAAW,GAAG,SAAS,CAmBzB;AAED,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,WAAW,EAAE,EACpB,OAAO,CAAC,EAAE,cAAc,GACvB,qBAAqB,CA2BvB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,OAAO,CAAC,CAAiB;gBAErB,KAAK,GAAE,WAAW,EAAO,EAAE,OAAO,CAAC,EAAE,cAAc;IAK/D,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI;IAIzC,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,IAAI;IAIhC,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,IAAI;IAIpC,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,IAAI;IAIpC,QAAQ,IAAI,WAAW,EAAE;IAIzB,gBAAgB,CAAC,MAAM,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,WAAW,GAAG,SAAS;IAI1F,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,qBAAqB;IAIhG,eAAe,CACb,QAAQ,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,aAAa,CAAA;KAAE,CAAC,EAC3D,OAAO,CAAC,EAAE,cAAc,GACvB,qBAAqB,EAAE;CAI3B;AAED,OAAO,EAAE,oBAAoB,EAAE,CAAC"}

package/dist/gate/rules/rule-matcher.js ADDED Viewed

@@ -0,0 +1,228 @@
+import { createDebugger } from '@eddacraft/anvil-core';
+const debug = createDebugger('gate');
+const SPECIFICITY_COMMAND = 1;
+const SPECIFICITY_SUBCOMMAND = 2;
+const SPECIFICITY_FLAGS = 4;
+const SPECIFICITY_ARGS = 8;
+function calculateSpecificity(rule) {
+    let score = SPECIFICITY_COMMAND;
+    if (rule.subcommand) {
+        score += SPECIFICITY_SUBCOMMAND;
+    }
+    if (rule.flags) {
+        const hasFlags = (rule.flags.required && rule.flags.required.length > 0) ||
+            (rule.flags.requiredAll && rule.flags.requiredAll.length > 0) ||
+            (rule.flags.forbidden && rule.flags.forbidden.length > 0) ||
+            (rule.flags.dangerous && rule.flags.dangerous.length > 0);
+        if (hasFlags) {
+            score += SPECIFICITY_FLAGS;
+        }
+    }
+    if (rule.args?.pattern) {
+        score += SPECIFICITY_ARGS;
+    }
+    return score;
+}
+function normaliseFlag(flag) {
+    if (flag.startsWith('--')) {
+        return flag;
+    }
+    return flag.toLowerCase();
+}
+function hasFlag(parsedFlags, ruleFlag) {
+    const normalised = normaliseFlag(ruleFlag);
+    return parsedFlags.some((f) => normaliseFlag(f) === normalised);
+}
+function hasAnyFlag(parsedFlags, ruleFlags) {
+    return ruleFlags.some((f) => hasFlag(parsedFlags, f));
+}
+function hasAllFlags(parsedFlags, ruleFlags) {
+    return ruleFlags.every((f) => hasFlag(parsedFlags, f));
+}
+function matchFlags(parsed, rule) {
+    if (!rule.flags) {
+        return true;
+    }
+    const { required, requiredAll, forbidden, dangerous } = rule.flags;
+    if (required && required.length > 0) {
+        if (!hasAnyFlag(parsed.flags, required)) {
+            return false;
+        }
+    }
+    if (requiredAll && requiredAll.length > 0) {
+        if (!hasAllFlags(parsed.flags, requiredAll)) {
+            return false;
+        }
+    }
+    if (forbidden && forbidden.length > 0) {
+        if (hasAnyFlag(parsed.flags, forbidden)) {
+            return false;
+        }
+    }
+    if (dangerous && dangerous.length > 0) {
+        if (!hasAnyFlag(parsed.flags, dangerous)) {
+            return false;
+        }
+    }
+    return true;
+}
+function isPathInTempDir(path, context) {
+    const tempPatterns = context?.workingDirectory?.tempDirPatterns ?? ['/tmp', '/var/tmp'];
+    return isTempPath(path, tempPatterns);
+}
+function matchArgs(parsed, rule, context) {
+    if (!rule.args?.pattern) {
+        return true;
+    }
+    const allArgs = [...parsed.args];
+    if (parsed.subcommand) {
+        allArgs.unshift(parsed.subcommand);
+    }
+    if (rule.args.position !== undefined) {
+        const arg = allArgs[rule.args.position];
+        if (arg === undefined) {
+            return false;
+        }
+        if (context?.workingDirectory?.allowDeleteInCwd && isPathInTempDir(arg, context)) {
+            return false;
+        }
+        return rule.args.pattern.test(arg);
+    }
+    return allArgs.some((arg) => {
+        if (context?.workingDirectory?.allowDeleteInCwd && isPathInTempDir(arg, context)) {
+            return false;
+        }
+        return rule.args.pattern.test(arg);
+    });
+}
+function isHomePath(path) {
+    return (path.startsWith('/home/') || path.startsWith('/Users/') || path === '~' || path.startsWith('~/'));
+}
+function isRootPath(path) {
+    return path === '/' || path === '/root';
+}
+function isTempPath(path, tempPatterns) {
+    return tempPatterns.some((pattern) => path.startsWith(pattern));
+}
+function matchWorkingDirectory(ruleCondition, context) {
+    if (ruleCondition === 'any') {
+        return true;
+    }
+    const cwd = context?.cwd;
+    if (!cwd) {
+        return true;
+    }
+    if (ruleCondition === 'home') {
+        return isHomePath(cwd);
+    }
+    if (ruleCondition === 'root') {
+        return isRootPath(cwd);
+    }
+    return true;
+}
+function matchConditions(rule, context) {
+    if (!rule.conditions) {
+        return true;
+    }
+    if (rule.conditions.strictModeOnly && !context?.strict) {
+        return false;
+    }
+    if (rule.conditions.workingDirectory) {
+        if (!matchWorkingDirectory(rule.conditions.workingDirectory, context)) {
+            return false;
+        }
+    }
+    return true;
+}
+function matchRule(parsed, rule, context) {
+    if (!matchConditions(rule, context)) {
+        return false;
+    }
+    if (parsed.command !== rule.command) {
+        return false;
+    }
+    if (rule.subcommand && parsed.subcommand !== rule.subcommand) {
+        return false;
+    }
+    if (!matchFlags(parsed, rule)) {
+        return false;
+    }
+    if (!matchArgs(parsed, rule, context)) {
+        return false;
+    }
+    return true;
+}
+export function findMatchingRule(parsed, rules, context) {
+    debug(`findMatchingRule: command=${parsed.command} subcommand=${parsed.subcommand} rules=${rules.length}`);
+    const sorted = [...rules].sort((a, b) => {
+        const scoreA = calculateSpecificity(a);
+        const scoreB = calculateSpecificity(b);
+        return scoreB - scoreA;
+    });
+    for (const rule of sorted) {
+        if (matchRule(parsed, rule, context)) {
+            debug(`findMatchingRule: matched rule=${rule.id} action=${rule.action}`);
+            return rule;
+        }
+    }
+    debug('findMatchingRule: no rule matched');
+    return undefined;
+}
+export function analyseCommand(command, parsed, rules, context) {
+    debug(`analyseCommand: command=${command}`);
+    const matchedRule = findMatchingRule(parsed, rules, context);
+    if (!matchedRule) {
+        debug('analyseCommand: allowed (no matching rule)');
+        return {
+            command,
+            parsedCommand: parsed,
+            action: 'allow',
+            severity: 'info',
+        };
+    }
+    debug(`analyseCommand: result action=${matchedRule.action} severity=${matchedRule.severity} rule=${matchedRule.id}`);
+    return {
+        command,
+        parsedCommand: parsed,
+        matchedRule,
+        action: matchedRule.action,
+        severity: matchedRule.severity,
+        reason: matchedRule.reason,
+        suggestion: matchedRule.suggestion,
+        references: matchedRule.references,
+    };
+}
+export class RuleMatcher {
+    rules;
+    context;
+    constructor(rules = [], context) {
+        this.rules = rules;
+        this.context = context;
+    }
+    setContext(context) {
+        this.context = context;
+    }
+    addRule(rule) {
+        this.rules.push(rule);
+    }
+    addRules(rules) {
+        this.rules.push(...rules);
+    }
+    setRules(rules) {
+        this.rules = [...rules];
+    }
+    getRules() {
+        return [...this.rules];
+    }
+    findMatchingRule(parsed, context) {
+        return findMatchingRule(parsed, this.rules, context ?? this.context);
+    }
+    analyse(command, parsed, context) {
+        return analyseCommand(command, parsed, this.rules, context ?? this.context);
+    }
+    analyseMultiple(commands, context) {
+        const ctx = context ?? this.context;
+        return commands.map(({ command, parsed }) => analyseCommand(command, parsed, this.rules, ctx));
+    }
+}
+export { calculateSpecificity };