@flowdot.ai/guardian-agent 0.1.0

package/dist/audit/chain.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Audit-log hash chain. SPEC §2.5.
+ *
+ * Stateless helpers; no I/O.
+ */
+import type { AuditRecord } from '../types.js';
+/** The genesis hash that the first record's prev_hash points to. */
+export declare const GENESIS_HASH = "sha256:0";
+/**
+ * Compute the canonical hash of a record. The record's own `prev_hash` is
+ * included; the `signature` is NOT, because signatures are computed over the
+ * record with `signature: null` (so the signature itself doesn't change the
+ * record's identity in the chain).
+ *
+ * Canonical-form JSON: keys sorted lexicographically; no extra whitespace;
+ * Unicode normalized to NFC.
+ */
+export declare function computeRecordHash(record: AuditRecord): string;
+/**
+ * Produce the canonical UTF-8 bytes of a record for hashing. Strips
+ * `signature` (signatures are over the unsigned record). Keys sorted.
+ */
+export declare function canonicalizeForHash(record: AuditRecord): Buffer;
+/**
+ * Stable JSON.stringify: sort keys recursively. Matches Python's
+ * `json.dumps(..., sort_keys=True, separators=(',', ':'))` byte-for-byte for
+ * the field types we use (strings, numbers, booleans, null, arrays, objects).
+ */
+export declare function canonicalJsonStringify(value: unknown): string;
+//# sourceMappingURL=chain.d.ts.map

package/dist/audit/chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.d.ts","sourceRoot":"","sources":["../../src/audit/chain.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,oEAAoE;AACpE,eAAO,MAAM,YAAY,aAAa,CAAC;AAEvC;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAG7D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAG/D;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAyB7D"}

package/dist/audit/chain.js

@@ -0,0 +1,65 @@
+/**
+ * Audit-log hash chain. SPEC §2.5.
+ *
+ * Stateless helpers; no I/O.
+ */
+import { createHash } from 'node:crypto';
+/** The genesis hash that the first record's prev_hash points to. */
+export const GENESIS_HASH = 'sha256:0';
+/**
+ * Compute the canonical hash of a record. The record's own `prev_hash` is
+ * included; the `signature` is NOT, because signatures are computed over the
+ * record with `signature: null` (so the signature itself doesn't change the
+ * record's identity in the chain).
+ *
+ * Canonical-form JSON: keys sorted lexicographically; no extra whitespace;
+ * Unicode normalized to NFC.
+ */
+export function computeRecordHash(record) {
+    const canonical = canonicalizeForHash(record);
+    return 'sha256:' + createHash('sha256').update(canonical).digest('hex');
+}
+/**
+ * Produce the canonical UTF-8 bytes of a record for hashing. Strips
+ * `signature` (signatures are over the unsigned record). Keys sorted.
+ */
+export function canonicalizeForHash(record) {
+    const { signature: _signature, ...rest } = record;
+    return Buffer.from(canonicalJsonStringify(rest), 'utf-8');
+}
+/**
+ * Stable JSON.stringify: sort keys recursively. Matches Python's
+ * `json.dumps(..., sort_keys=True, separators=(',', ':'))` byte-for-byte for
+ * the field types we use (strings, numbers, booleans, null, arrays, objects).
+ */
+export function canonicalJsonStringify(value) {
+    if (value === null)
+        return 'null';
+    if (typeof value === 'number') {
+        if (!Number.isFinite(value)) {
+            throw new TypeError('non-finite numbers cannot be canonicalized');
+        }
+        return JSON.stringify(value);
+    }
+    if (typeof value === 'string')
+        return JSON.stringify(value);
+    if (typeof value === 'boolean')
+        return value ? 'true' : 'false';
+    if (Array.isArray(value)) {
+        return '[' + value.map(canonicalJsonStringify).join(',') + ']';
+    }
+    if (typeof value === 'object') {
+        const obj = value;
+        const keys = Object.keys(obj).sort();
+        const parts = [];
+        for (const k of keys) {
+            const v = obj[k];
+            if (v === undefined)
+                continue;
+            parts.push(JSON.stringify(k) + ':' + canonicalJsonStringify(v));
+        }
+        return '{' + parts.join(',') + '}';
+    }
+    throw new TypeError(`cannot canonicalize value of type ${typeof value}`);
+}
+//# sourceMappingURL=chain.js.map

package/dist/audit/chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain.js","sourceRoot":"","sources":["../../src/audit/chain.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAIzC,oEAAoE;AACpE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC;AAEvC;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAmB;IACnD,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC9C,OAAO,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAmB;IACrD,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAC;IAClD,OAAO,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AAC5D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAc;IACnD,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;IAChE,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACjE,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;YACjB,IAAI,CAAC,KAAK,SAAS;gBAAE,SAAS;YAC9B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACrC,CAAC;IACD,MAAM,IAAI,SAAS,CAAC,qCAAqC,OAAO,KAAK,EAAE,CAAC,CAAC;AAC3E,CAAC"}

package/dist/audit/correlation.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Cross-surface correlation. SPEC §14 (v0.5.0+).
+ *
+ * Reads audit records from multiple sources (typically one per surface —
+ * `cli.jsonl`, `mcp.jsonl`, etc.) and looks for patterns that span
+ * surfaces under the same `agent_id`:
+ *
+ *   - Overlapping sessions: same agent_id running concurrent sessions on
+ *     two different surfaces.
+ *   - Identical args: canonical-JSON-SHA256 of `tool.args` collides
+ *     across surfaces within a configurable time window.
+ *   - Sequence similarity: cosine similarity of per-session tool-frequency
+ *     vectors above a configurable threshold.
+ *
+ * All three patterns are deterministic predicates on input. The library
+ * produces match records; the operator decides what to do with them.
+ *
+ * Read-only on source audit files. Output is written to a separate
+ * `correlations.jsonl` log so source-log integrity (hash chain,
+ * signatures) is never touched.
+ */
+import type { AuditRecord } from '../types.js';
+export interface AuditSource {
+    /** Stable surface id, used in match records. Typical: `'cli'`, `'mcp'`, `'native'`. */
+    surface: string;
+    /** Records from this surface. Caller is responsible for loading. */
+    records: AuditRecord[];
+}
+export interface SessionSummary {
+    surface: string;
+    agent_id: string;
+    session_id: string;
+    /** Earliest record `ts` (ISO-8601). */
+    start: string;
+    /** Latest record `ts` (ISO-8601). */
+    end: string;
+    /** Wall-clock duration in ms. */
+    duration_ms: number;
+    /** Per-tool call counts. */
+    tool_frequency: Record<string, number>;
+    /** SHA-256(canonical-JSON(args)) for each tool_call record in this session, in order. */
+    args_hashes: {
+        event_id: string;
+        ts: string;
+        tool_name: string;
+        args_hash: string;
+    }[];
+}
+/**
+ * Summarize a source's records into one entry per (agent_id, session_id).
+ */
+export declare function summarizeSessions(source: AuditSource): SessionSummary[];
+/**
+ * One correlation finding. Written as a JSONL row with `kind:
+ * 'x_cross_surface_match'` to the operator's correlations log.
+ */
+export interface CorrelationMatch {
+    kind: 'x_cross_surface_match';
+    agent_id: string;
+    match_type: 'overlapping_sessions' | 'args_hash_collision' | 'sequence_similarity';
+    /** Always 2 surfaces (pairwise). */
+    surfaces: [string, string];
+    /** Session ids on each side, in surfaces order. */
+    session_ids: [string, string];
+    detail: Record<string, unknown>;
+}
+export interface CorrelationOptions {
+    /**
+     * For args-hash collisions: max ms between the two collisions to count as
+     * a match. Default 60_000 (1 min) — collisions further apart aren't
+     * load-bearing for "running in parallel."
+     */
+    argsHashWindowMs?: number;
+    /**
+     * For sequence similarity: cosine threshold in [0,1]. Default 0.9 —
+     * very similar tool-frequency vectors across surfaces in close time.
+     */
+    similarityThreshold?: number;
+    /**
+     * For sequence similarity: only compare sessions whose time windows are
+     * within this many ms of each other (start-to-start). Default 600_000
+     * (10 min).
+     */
+    similarityWindowMs?: number;
+    /**
+     * For sequence similarity: minimum tool_call count per session to be
+     * considered. Vectors that are too sparse trivially correlate.
+     * Default 5.
+     */
+    similarityMinCalls?: number;
+}
+/**
+ * Run all three correlators across the given sources. Returns matches in
+ * insertion order (overlap → hash → similarity).
+ */
+export declare function correlate(sources: readonly AuditSource[], options?: CorrelationOptions): CorrelationMatch[];
+/**
+ * Detect pairs of sessions on different surfaces (same agent_id) whose
+ * time windows overlap. "Overlap" = [start1,end1] ∩ [start2,end2] ≠ ∅.
+ */
+export declare function findOverlappingSessions(sessions: SessionSummary[]): CorrelationMatch[];
+/**
+ * Detect args-hash collisions across surfaces within a time window for the
+ * same agent_id. A collision means: identical canonical-JSON-SHA256(args)
+ * for the same `tool_name`, in two different surfaces, within `windowMs`.
+ */
+export declare function findArgsHashCollisions(sessions: SessionSummary[], windowMs: number): CorrelationMatch[];
+/**
+ * Detect pairs of sessions on different surfaces (same agent_id) whose
+ * tool-frequency vectors have cosine similarity above the threshold AND
+ * whose start times are within `similarityWindowMs`.
+ */
+export declare function findSequenceSimilarity(sessions: SessionSummary[], options: Required<CorrelationOptions>): CorrelationMatch[];
+//# sourceMappingURL=correlation.d.ts.map

package/dist/audit/correlation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlation.d.ts","sourceRoot":"","sources":["../../src/audit/correlation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAO/C,MAAM,WAAW,WAAW;IAC1B,uFAAuF;IACvF,OAAO,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAMD,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,yFAAyF;IACzF,WAAW,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACvF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,WAAW,GAAG,cAAc,EAAE,CAmCvE;AAUD;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,uBAAuB,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,sBAAsB,GAAG,qBAAqB,GAAG,qBAAqB,CAAC;IACnF,oCAAoC;IACpC,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3B,mDAAmD;IACnD,WAAW,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AASD;;;GAGG;AACH,wBAAgB,SAAS,CACvB,OAAO,EAAE,SAAS,WAAW,EAAE,EAC/B,OAAO,GAAE,kBAAuB,GAC/B,gBAAgB,EAAE,CAoBpB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,gBAAgB,EAAE,CAgCtF;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,cAAc,EAAE,EAC1B,QAAQ,EAAE,MAAM,GACf,gBAAgB,EAAE,CA8CpB;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,cAAc,EAAE,EAC1B,OAAO,EAAE,QAAQ,CAAC,kBAAkB,CAAC,GACpC,gBAAgB,EAAE,CAqCpB"}

package/dist/audit/correlation.js

@@ -0,0 +1,259 @@
+/**
+ * Cross-surface correlation. SPEC §14 (v0.5.0+).
+ *
+ * Reads audit records from multiple sources (typically one per surface —
+ * `cli.jsonl`, `mcp.jsonl`, etc.) and looks for patterns that span
+ * surfaces under the same `agent_id`:
+ *
+ *   - Overlapping sessions: same agent_id running concurrent sessions on
+ *     two different surfaces.
+ *   - Identical args: canonical-JSON-SHA256 of `tool.args` collides
+ *     across surfaces within a configurable time window.
+ *   - Sequence similarity: cosine similarity of per-session tool-frequency
+ *     vectors above a configurable threshold.
+ *
+ * All three patterns are deterministic predicates on input. The library
+ * produces match records; the operator decides what to do with them.
+ *
+ * Read-only on source audit files. Output is written to a separate
+ * `correlations.jsonl` log so source-log integrity (hash chain,
+ * signatures) is never touched.
+ */
+import { createHash } from 'node:crypto';
+import { canonicalJsonStringify } from './chain.js';
+/**
+ * Summarize a source's records into one entry per (agent_id, session_id).
+ */
+export function summarizeSessions(source) {
+    const map = new Map();
+    for (const r of source.records) {
+        const key = `${r.agent_id}::${r.session_id}`;
+        let s = map.get(key);
+        if (!s) {
+            s = {
+                surface: source.surface,
+                agent_id: r.agent_id,
+                session_id: r.session_id,
+                start: r.ts,
+                end: r.ts,
+                duration_ms: 0,
+                tool_frequency: {},
+                args_hashes: [],
+            };
+            map.set(key, s);
+        }
+        if (r.ts < s.start)
+            s.start = r.ts;
+        if (r.ts > s.end)
+            s.end = r.ts;
+        if (r.kind === 'tool_call' && r.tool) {
+            s.tool_frequency[r.tool.name] = (s.tool_frequency[r.tool.name] ?? 0) + 1;
+            s.args_hashes.push({
+                event_id: r.event_id,
+                ts: r.ts,
+                tool_name: r.tool.name,
+                args_hash: hashArgs(r.tool.args),
+            });
+        }
+    }
+    // Compute duration once.
+    for (const s of map.values()) {
+        s.duration_ms = new Date(s.end).getTime() - new Date(s.start).getTime();
+    }
+    return Array.from(map.values());
+}
+function hashArgs(args) {
+    return 'sha256:' + createHash('sha256').update(canonicalJsonStringify(args)).digest('hex');
+}
+const DEFAULT_OPTS = {
+    argsHashWindowMs: 60_000,
+    similarityThreshold: 0.9,
+    similarityWindowMs: 600_000,
+    similarityMinCalls: 5,
+};
+/**
+ * Run all three correlators across the given sources. Returns matches in
+ * insertion order (overlap → hash → similarity).
+ */
+export function correlate(sources, options = {}) {
+    const opts = { ...DEFAULT_OPTS, ...options };
+    const summaries = sources.flatMap((s) => summarizeSessions(s));
+    // Index by agent_id.
+    const byAgent = new Map();
+    for (const s of summaries) {
+        let list = byAgent.get(s.agent_id);
+        if (!list) {
+            list = [];
+            byAgent.set(s.agent_id, list);
+        }
+        list.push(s);
+    }
+    const out = [];
+    for (const sessions of byAgent.values()) {
+        out.push(...findOverlappingSessions(sessions));
+        out.push(...findArgsHashCollisions(sessions, opts.argsHashWindowMs));
+        out.push(...findSequenceSimilarity(sessions, opts));
+    }
+    return out;
+}
+/**
+ * Detect pairs of sessions on different surfaces (same agent_id) whose
+ * time windows overlap. "Overlap" = [start1,end1] ∩ [start2,end2] ≠ ∅.
+ */
+export function findOverlappingSessions(sessions) {
+    const out = [];
+    for (let i = 0; i < sessions.length; i++) {
+        for (let j = i + 1; j < sessions.length; j++) {
+            const a = sessions[i];
+            const b = sessions[j];
+            if (a.surface === b.surface)
+                continue;
+            const aStart = new Date(a.start).getTime();
+            const aEnd = new Date(a.end).getTime();
+            const bStart = new Date(b.start).getTime();
+            const bEnd = new Date(b.end).getTime();
+            if (aStart <= bEnd && bStart <= aEnd) {
+                const overlapStart = Math.max(aStart, bStart);
+                const overlapEnd = Math.min(aEnd, bEnd);
+                out.push({
+                    kind: 'x_cross_surface_match',
+                    agent_id: a.agent_id,
+                    match_type: 'overlapping_sessions',
+                    surfaces: [a.surface, b.surface],
+                    session_ids: [a.session_id, b.session_id],
+                    detail: {
+                        overlap_start: new Date(overlapStart).toISOString(),
+                        overlap_end: new Date(overlapEnd).toISOString(),
+                        overlap_ms: overlapEnd - overlapStart,
+                        session_a_window: [a.start, a.end],
+                        session_b_window: [b.start, b.end],
+                    },
+                });
+            }
+        }
+    }
+    return out;
+}
+/**
+ * Detect args-hash collisions across surfaces within a time window for the
+ * same agent_id. A collision means: identical canonical-JSON-SHA256(args)
+ * for the same `tool_name`, in two different surfaces, within `windowMs`.
+ */
+export function findArgsHashCollisions(sessions, windowMs) {
+    const out = [];
+    const byKey = new Map();
+    for (const session of sessions) {
+        for (const h of session.args_hashes) {
+            const key = `${h.tool_name}::${h.args_hash}`;
+            let list = byKey.get(key);
+            if (!list) {
+                list = [];
+                byKey.set(key, list);
+            }
+            list.push({ ...h, session });
+        }
+    }
+    for (const [key, entries] of byKey) {
+        if (entries.length < 2)
+            continue;
+        // Pairwise: find pairs in different surfaces within windowMs.
+        for (let i = 0; i < entries.length; i++) {
+            for (let j = i + 1; j < entries.length; j++) {
+                const a = entries[i];
+                const b = entries[j];
+                if (a.session.surface === b.session.surface)
+                    continue;
+                const aT = new Date(a.ts).getTime();
+                const bT = new Date(b.ts).getTime();
+                if (Math.abs(aT - bT) > windowMs)
+                    continue;
+                const [tool_name, args_hash] = key.split('::');
+                out.push({
+                    kind: 'x_cross_surface_match',
+                    agent_id: a.session.agent_id,
+                    match_type: 'args_hash_collision',
+                    surfaces: [a.session.surface, b.session.surface],
+                    session_ids: [a.session.session_id, b.session.session_id],
+                    detail: {
+                        tool_name,
+                        args_hash,
+                        event_id_a: a.event_id,
+                        event_id_b: b.event_id,
+                        delta_ms: Math.abs(aT - bT),
+                    },
+                });
+            }
+        }
+    }
+    return out;
+}
+/**
+ * Detect pairs of sessions on different surfaces (same agent_id) whose
+ * tool-frequency vectors have cosine similarity above the threshold AND
+ * whose start times are within `similarityWindowMs`.
+ */
+export function findSequenceSimilarity(sessions, options) {
+    const out = [];
+    // Build vocabulary.
+    const vocab = new Set();
+    for (const s of sessions) {
+        for (const name of Object.keys(s.tool_frequency))
+            vocab.add(name);
+    }
+    const vocabList = Array.from(vocab);
+    for (let i = 0; i < sessions.length; i++) {
+        for (let j = i + 1; j < sessions.length; j++) {
+            const a = sessions[i];
+            const b = sessions[j];
+            if (a.surface === b.surface)
+                continue;
+            const aCalls = sumValues(a.tool_frequency);
+            const bCalls = sumValues(b.tool_frequency);
+            if (aCalls < options.similarityMinCalls || bCalls < options.similarityMinCalls)
+                continue;
+            const dt = Math.abs(new Date(a.start).getTime() - new Date(b.start).getTime());
+            if (dt > options.similarityWindowMs)
+                continue;
+            const sim = cosineSimilarity(a.tool_frequency, b.tool_frequency, vocabList);
+            if (sim >= options.similarityThreshold) {
+                out.push({
+                    kind: 'x_cross_surface_match',
+                    agent_id: a.agent_id,
+                    match_type: 'sequence_similarity',
+                    surfaces: [a.surface, b.surface],
+                    session_ids: [a.session_id, b.session_id],
+                    detail: {
+                        cosine_similarity: sim,
+                        window_dt_ms: dt,
+                        session_a_calls: aCalls,
+                        session_b_calls: bCalls,
+                    },
+                });
+            }
+        }
+    }
+    return out;
+}
+function sumValues(m) {
+    let s = 0;
+    for (const v of Object.values(m))
+        s += v;
+    return s;
+}
+function cosineSimilarity(a, b, vocab) {
+    let dot = 0;
+    let magA = 0;
+    let magB = 0;
+    for (const term of vocab) {
+        const va = a[term] ?? 0;
+        const vb = b[term] ?? 0;
+        dot += va * vb;
+        magA += va * va;
+        magB += vb * vb;
+    }
+    /* c8 ignore next */
+    if (magA === 0 || magB === 0)
+        return 0;
+    return dot / (Math.sqrt(magA) * Math.sqrt(magB));
+}
+//# sourceMappingURL=correlation.js.map

package/dist/audit/correlation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlation.js","sourceRoot":"","sources":["../../src/audit/correlation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAiCpD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAmB;IACnD,MAAM,GAAG,GAAG,IAAI,GAAG,EAA0B,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,UAAU,EAAE,CAAC;QAC7C,IAAI,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC,CAAC,EAAE,CAAC;YACP,CAAC,GAAG;gBACF,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,KAAK,EAAE,CAAC,CAAC,EAAE;gBACX,GAAG,EAAE,CAAC,CAAC,EAAE;gBACT,WAAW,EAAE,CAAC;gBACd,cAAc,EAAE,EAAE;gBAClB,WAAW,EAAE,EAAE;aAChB,CAAC;YACF,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK;YAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG;YAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACzE,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC;gBACjB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI;gBACtB,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;aACjC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,yBAAyB;IACzB,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QAC7B,CAAC,CAAC,WAAW,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;IAC1E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,QAAQ,CAAC,IAAa;IAC7B,OAAO,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC7F,CAAC;AA+CD,MAAM,YAAY,GAAiC;IACjD,gBAAgB,EAAE,MAAM;IACxB,mBAAmB,EAAE,GAAG;IACxB,kBAAkB,EAAE,OAAO;IAC3B,kBAAkB,EAAE,CAAC;CACtB,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,SAAS,CACvB,OAA+B,EAC/B,UAA8B,EAAE;IAEhC,MAAM,IAAI,GAAiC,EAAE,GAAG,YAAY,EAAE,GAAG,OAAO,EAAE,CAAC;IAC3E,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,qBAAqB;IACrB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;IACpD,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,KAAK,MAAM,QAAQ,IAAI,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QACxC,GAAG,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC/C,GAAG,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACrE,GAAG,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAA0B;IAChE,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAmB,CAAC;YACxC,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAmB,CAAC;YACxC,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO;gBAAE,SAAS;YACtC,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;YACvC,IAAI,MAAM,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;gBACrC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBACxC,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,UAAU,EAAE,sBAAsB;oBAClC,QAAQ,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC;oBAChC,WAAW,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC;oBACzC,MAAM,EAAE;wBACN,aAAa,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE;wBACnD,WAAW,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;wBAC/C,UAAU,EAAE,UAAU,GAAG,YAAY;wBACrC,gBAAgB,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC;wBAClC,gBAAgB,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC;qBACnC;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAA0B,EAC1B,QAAgB;IAEhB,MAAM,GAAG,GAAuB,EAAE,CAAC;IAGnC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAmB,CAAC;IACzC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACpC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,SAAS,EAAE,CAAC;YAC7C,IAAI,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,IAAI,GAAG,EAAE,CAAC;gBACV,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACnC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QACjC,8DAA8D;QAC9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5C,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAU,CAAC;gBAC9B,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAU,CAAC;gBAC9B,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO;oBAAE,SAAS;gBACtD,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;gBACpC,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;gBACpC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,QAAQ;oBAAE,SAAS;gBAC3C,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAqB,CAAC;gBACnE,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ;oBAC5B,UAAU,EAAE,qBAAqB;oBACjC,QAAQ,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;oBAChD,WAAW,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;oBACzD,MAAM,EAAE;wBACN,SAAS;wBACT,SAAS;wBACT,UAAU,EAAE,CAAC,CAAC,QAAQ;wBACtB,UAAU,EAAE,CAAC,CAAC,QAAQ;wBACtB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAA0B,EAC1B,OAAqC;IAErC,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,oBAAoB;IACpB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC;YAAE,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAmB,CAAC;YACxC,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAmB,CAAC;YACxC,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO;gBAAE,SAAS;YACtC,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;YAC3C,IAAI,MAAM,GAAG,OAAO,CAAC,kBAAkB,IAAI,MAAM,GAAG,OAAO,CAAC,kBAAkB;gBAAE,SAAS;YACzF,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/E,IAAI,EAAE,GAAG,OAAO,CAAC,kBAAkB;gBAAE,SAAS;YAC9C,MAAM,GAAG,GAAG,gBAAgB,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;YAC5E,IAAI,GAAG,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;gBACvC,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,UAAU,EAAE,qBAAqB;oBACjC,QAAQ,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC;oBAChC,WAAW,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC;oBACzC,MAAM,EAAE;wBACN,iBAAiB,EAAE,GAAG;wBACtB,YAAY,EAAE,EAAE;wBAChB,eAAe,EAAE,MAAM;wBACvB,eAAe,EAAE,MAAM;qBACxB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAAC,CAAyB;IAC1C,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QAAE,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,gBAAgB,CACvB,CAAyB,EACzB,CAAyB,EACzB,KAAwB;IAExB,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,GAAG,IAAI,EAAE,GAAG,EAAE,CAAC;QACf,IAAI,IAAI,EAAE,GAAG,EAAE,CAAC;QAChB,IAAI,IAAI,EAAE,GAAG,EAAE,CAAC;IAClB,CAAC;IACD,oBAAoB;IACpB,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACvC,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACnD,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,13 @@
+export { AuditLogWriter } from './writer.js';
+export type { AuditLogWriterOptions } from './writer.js';
+export { AuditLogReader } from './reader.js';
+export { GENESIS_HASH, computeRecordHash, canonicalJsonStringify, canonicalizeForHash, } from './chain.js';
+export { generateEd25519KeyPair, loadPrivateKey, loadPublicKey, signRecord, verifyRecord, SIGNATURE_PREFIX, } from './signature.js';
+export type { Ed25519KeyPair } from './signature.js';
+export { httpAttestor, nullAttestor, payloadFromRecord, } from './attestor.js';
+export type { Attestor, AttestationPayload, AttestationReceipt, HttpAttestorOptions, } from './attestor.js';
+export { analyzeAgent, analyzeMultiAgent, compareToBaseline, mean, stddev, } from './stats.js';
+export type { AgentProfile, Deviation, DeviationReport, CompareOptions, } from './stats.js';
+export { correlate, summarizeSessions, findOverlappingSessions, findArgsHashCollisions, findSequenceSimilarity, } from './correlation.js';
+export type { AuditSource, SessionSummary, CorrelationMatch, CorrelationOptions, } from './correlation.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,YAAY,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,sBAAsB,EACtB,cAAc,EACd,aAAa,EACb,UAAU,EACV,YAAY,EACZ,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AACxB,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,GAClB,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,QAAQ,EACR,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,IAAI,EACJ,MAAM,GACP,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,YAAY,EACZ,SAAS,EACT,eAAe,EACf,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,uBAAuB,EACvB,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,WAAW,EACX,cAAc,EACd,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC"}

package/dist/audit/index.js

@@ -0,0 +1,8 @@
+export { AuditLogWriter } from './writer.js';
+export { AuditLogReader } from './reader.js';
+export { GENESIS_HASH, computeRecordHash, canonicalJsonStringify, canonicalizeForHash, } from './chain.js';
+export { generateEd25519KeyPair, loadPrivateKey, loadPublicKey, signRecord, verifyRecord, SIGNATURE_PREFIX, } from './signature.js';
+export { httpAttestor, nullAttestor, payloadFromRecord, } from './attestor.js';
+export { analyzeAgent, analyzeMultiAgent, compareToBaseline, mean, stddev, } from './stats.js';
+export { correlate, summarizeSessions, findOverlappingSessions, findArgsHashCollisions, findSequenceSimilarity, } from './correlation.js';
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,sBAAsB,EACtB,cAAc,EACd,aAAa,EACb,UAAU,EACV,YAAY,EACZ,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAOvB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,IAAI,EACJ,MAAM,GACP,MAAM,YAAY,CAAC;AAOpB,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,uBAAuB,EACvB,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC"}

package/dist/audit/reader.d.ts

@@ -0,0 +1,30 @@
+/**
+ * AuditLogReader — iterate + verify hash chain. SPEC §2.
+ */
+import type { KeyObject } from 'node:crypto';
+import type { AuditRecord } from '../types.js';
+export declare class AuditLogReader {
+    readonly path: string;
+    private handle;
+    private constructor();
+    static open(path: string): Promise<AuditLogReader>;
+    /** Async-iterate over all records. Each call returns a fresh iterator. */
+    records(): AsyncGenerator<AuditRecord, void, void>;
+    /**
+     * Verify every record's ed25519 signature against the given public key.
+     * Throws GuardianIntegrityError on the first record with a missing or
+     * invalid signature. Returns the count of records verified.
+     *
+     * SPEC §2.6.
+     */
+    verifySignatures(publicKey: KeyObject): Promise<number>;
+    /**
+     * Verify the full hash chain. Throws GuardianIntegrityError on first break.
+     * Returns the count of records verified on success.
+     */
+    verifyChain(): Promise<number>;
+    /** Idempotent close. */
+    close(): Promise<void>;
+    private openLineStream;
+}
+//# sourceMappingURL=reader.d.ts.map

package/dist/audit/reader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reader.d.ts","sourceRoot":"","sources":["../../src/audit/reader.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK/C,qBAAa,cAAc;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,OAAO,CAAC,MAAM,CAA2B;IAEzC,OAAO;WAIM,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAMxD,0EAA0E;IACnE,OAAO,IAAI,cAAc,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,CAAC;IAYzD;;;;;;OAMG;IACG,gBAAgB,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB7D;;;OAGG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAgBpC,wBAAwB;IAClB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B,OAAO,CAAC,cAAc;CAKvB"}

package/dist/audit/reader.js

@@ -0,0 +1,85 @@
+/**
+ * AuditLogReader — iterate + verify hash chain. SPEC §2.
+ */
+import { open } from 'node:fs/promises';
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { GuardianIntegrityError } from '../errors.js';
+import { GENESIS_HASH, computeRecordHash } from './chain.js';
+import { verifyRecord } from './signature.js';
+export class AuditLogReader {
+    path;
+    handle = null;
+    constructor(path) {
+        this.path = path;
+    }
+    static async open(path) {
+        const reader = new AuditLogReader(path);
+        reader.handle = await open(path, 'r');
+        return reader;
+    }
+    /** Async-iterate over all records. Each call returns a fresh iterator. */
+    async *records() {
+        const lines = this.openLineStream();
+        try {
+            for await (const line of lines) {
+                if (line.length === 0)
+                    continue;
+                yield JSON.parse(line);
+            }
+        }
+        finally {
+            lines.close();
+        }
+    }
+    /**
+     * Verify every record's ed25519 signature against the given public key.
+     * Throws GuardianIntegrityError on the first record with a missing or
+     * invalid signature. Returns the count of records verified.
+     *
+     * SPEC §2.6.
+     */
+    async verifySignatures(publicKey) {
+        let count = 0;
+        for await (const record of this.records()) {
+            if (record.signature == null) {
+                throw new GuardianIntegrityError(`audit log record ${count + 1} has no signature`);
+            }
+            if (!verifyRecord(record, publicKey)) {
+                throw new GuardianIntegrityError(`audit log signature verification failed at record ${count + 1}`, `event_id=${record.event_id}`);
+            }
+            count++;
+        }
+        return count;
+    }
+    /**
+     * Verify the full hash chain. Throws GuardianIntegrityError on first break.
+     * Returns the count of records verified on success.
+     */
+    async verifyChain() {
+        let expectedPrev = GENESIS_HASH;
+        let count = 0;
+        for await (const record of this.records()) {
+            if (record.prev_hash !== expectedPrev) {
+                throw new GuardianIntegrityError(`audit log hash chain broken at record ${count + 1}`, `expected prev_hash=${expectedPrev}, got ${record.prev_hash}`);
+            }
+            expectedPrev = computeRecordHash(record);
+            count++;
+        }
+        return count;
+    }
+    /** Idempotent close. */
+    async close() {
+        if (this.handle) {
+            await this.handle.close();
+            this.handle = null;
+        }
+    }
+    // ---- internal --------------------------------------------------------------
+    openLineStream() {
+        // We open a fresh read stream for each iteration so consumers can re-iterate.
+        const stream = createReadStream(this.path, { encoding: 'utf-8' });
+        return createInterface({ input: stream, crlfDelay: Infinity });
+    }
+}
+//# sourceMappingURL=reader.js.map

package/dist/audit/reader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reader.js","sourceRoot":"","sources":["../../src/audit/reader.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAc,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAa,MAAM,eAAe,CAAC;AAI3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,MAAM,OAAO,cAAc;IAChB,IAAI,CAAS;IAEd,MAAM,GAAsB,IAAI,CAAC;IAEzC,YAAoB,IAAY;QAC9B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAY;QAC5B,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACtC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0EAA0E;IAC1E,KAAK,CAAC,CAAC,OAAO;QACZ,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACpC,IAAI,CAAC;YACH,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBAC/B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAS;gBAChC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAgB,CAAC;YACxC,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,gBAAgB,CAAC,SAAoB;QACzC,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1C,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI,EAAE,CAAC;gBAC7B,MAAM,IAAI,sBAAsB,CAC9B,oBAAoB,KAAK,GAAG,CAAC,mBAAmB,CACjD,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,sBAAsB,CAC9B,qDAAqD,KAAK,GAAG,CAAC,EAAE,EAChE,YAAY,MAAM,CAAC,QAAQ,EAAE,CAC9B,CAAC;YACJ,CAAC;YACD,KAAK,EAAE,CAAC;QACV,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,YAAY,GAAG,YAAY,CAAC;QAChC,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1C,IAAI,MAAM,CAAC,SAAS,KAAK,YAAY,EAAE,CAAC;gBACtC,MAAM,IAAI,sBAAsB,CAC9B,yCAAyC,KAAK,GAAG,CAAC,EAAE,EACpD,sBAAsB,YAAY,SAAS,MAAM,CAAC,SAAS,EAAE,CAC9D,CAAC;YACJ,CAAC;YACD,YAAY,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YACzC,KAAK,EAAE,CAAC;QACV,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,wBAAwB;IACxB,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,+EAA+E;IAEvE,cAAc;QACpB,8EAA8E;QAC9E,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QAClE,OAAO,eAAe,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjE,CAAC;CACF"}