@gencode/agents 0.0.9 → 0.0.10

package/dist/security/command-path-guard.js

@@ -1,126 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-import { unwrapExecutable } from "./command-trusted-executables.js";
-function isWithinRoot(targetPath, root) {
-    return targetPath === root || targetPath.startsWith(`${root}${path.sep}`);
-}
-function realOrResolved(targetPath) {
-    try {
-        return fs.realpathSync(targetPath);
-    }
-    catch {
-        return path.resolve(targetPath);
-    }
-}
-function validatePath(targetPath, allowedRoot, policy) {
-    const normalizedAllowedRoot = path.resolve(allowedRoot);
-    const resolved = realOrResolved(targetPath);
-    if (!isWithinRoot(resolved, normalizedAllowedRoot)) {
-        return `path escapes allowed root: ${targetPath}`;
-    }
-    for (const blockedRoot of policy.blockedRoots) {
-        const normalizedBlockedRoot = path.resolve(blockedRoot);
-        if (resolved === normalizedBlockedRoot || resolved.startsWith(`${normalizedBlockedRoot}${path.sep}`)) {
-            return `path hits blocked root: ${targetPath}`;
-        }
-    }
-    return null;
-}
-function looksLikePathToken(token) {
-    return (token === "." ||
-        token === ".." ||
-        token.startsWith("./") ||
-        token.startsWith("../") ||
-        token.startsWith("/") ||
-        token.includes("/"));
-}
-function basename(value) {
-    if (!value) {
-        return "";
-    }
-    return path.posix.basename(value).toLowerCase();
-}
-function candidatePathFromToken(token, cwd) {
-    if (path.isAbsolute(token)) {
-        return path.resolve(token);
-    }
-    return path.resolve(cwd, token);
-}
-function collectPositionalPathTokens(segment, allowlist) {
-    const executable = unwrapExecutable(segment, allowlist)?.split(/[\\/]/).pop()?.toLowerCase() ?? "";
-    const argv = [...segment.argv];
-    if (basename(segment.executable) === "env") {
-        let index = 1;
-        while (index < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(argv[index])) {
-            index += 1;
-        }
-        return collectPathTokensForExecutable(executable, argv.slice(index + 1));
-    }
-    return collectPathTokensForExecutable(executable, argv.slice(1));
-}
-function collectPathTokensForExecutable(executable, args) {
-    const paths = [];
-    if (executable === "node" || executable === "python" || executable === "python3" || executable === "bash" || executable === "sh" || executable === "zsh") {
-        for (let index = 0; index < args.length; index += 1) {
-            const arg = args[index];
-            if (arg === "-e" || arg === "--eval" || arg === "-c" || arg === "--command") {
-                paths.push("__INLINE_EVAL__");
-                return paths;
-            }
-            if (!arg.startsWith("-")) {
-                paths.push(arg);
-                return paths;
-            }
-        }
-        return paths;
-    }
-    if (executable === "npm" || executable === "npx" || executable === "pnpm" || executable === "pip" || executable === "pip3") {
-        return paths;
-    }
-    for (const arg of args) {
-        if (arg.startsWith("-")) {
-            continue;
-        }
-        if (looksLikePathToken(arg) || ["cat", "find", "grep", "sort", "sed", "awk", "git"].includes(executable)) {
-            paths.push(arg);
-        }
-    }
-    return paths;
-}
-export function validateCommandPaths(params) {
-    const unwrappedExecutable = basename(unwrapExecutable(params.segment, params.allowlist));
-    if ((unwrappedExecutable === "bash" || unwrappedExecutable === "sh" || unwrappedExecutable === "zsh") &&
-        params.segment.argv.some((arg) => arg === "-c" || arg === "--command")) {
-        return "inline shell command execution is not allowed";
-    }
-    if ((unwrappedExecutable === "node" ||
-        unwrappedExecutable === "python" ||
-        unwrappedExecutable === "python3") &&
-        params.segment.argv.some((arg) => arg === "-e" || arg === "--eval" || arg === "-c" || arg === "--command")) {
-        return "inline interpreter evaluation is not allowed";
-    }
-    const cwdError = validatePath(params.cwd, params.allowedRoot, params.pathPolicy);
-    if (cwdError) {
-        return cwdError;
-    }
-    for (const redirection of params.segment.redirections) {
-        const redirectionPath = candidatePathFromToken(redirection.target, params.cwd);
-        const redirectionError = validatePath(redirectionPath, params.allowedRoot, params.pathPolicy);
-        if (redirectionError) {
-            return redirectionError;
-        }
-    }
-    const tokens = collectPositionalPathTokens(params.segment, params.allowlist);
-    for (const token of tokens) {
-        if (token === "__INLINE_EVAL__") {
-            return "inline interpreter evaluation is not allowed";
-        }
-        const candidate = candidatePathFromToken(token, params.cwd);
-        const tokenError = validatePath(candidate, params.allowedRoot, params.pathPolicy);
-        if (tokenError) {
-            return tokenError;
-        }
-    }
-    return null;
-}
-//# sourceMappingURL=command-path-guard.js.map

package/dist/security/command-path-guard.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-path-guard.js","sourceRoot":"","sources":["../../src/security/command-path-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAGpE,SAAS,YAAY,CAAC,UAAkB,EAAE,IAAY;IACpD,OAAO,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,cAAc,CAAC,UAAkB;IACxC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,UAAkB,EAAE,WAAmB,EAAE,MAAyB;IACtF,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,qBAAqB,CAAC,EAAE,CAAC;QACnD,OAAO,8BAA8B,UAAU,EAAE,CAAC;IACpD,CAAC;IACD,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,QAAQ,KAAK,qBAAqB,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YACrG,OAAO,2BAA2B,UAAU,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,CACL,KAAK,KAAK,GAAG;QACb,KAAK,KAAK,IAAI;QACd,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QACtB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QACvB,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;QACrB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CACpB,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAoB;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa,EAAE,GAAW;IACxD,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,2BAA2B,CAAC,OAA6B,EAAE,SAAiC;IACnG,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACnG,MAAM,IAAI,GAAG,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,KAAK,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,OAAO,KAAK,GAAG,IAAI,CAAC,MAAM,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAE,CAAC,EAAE,CAAC;YAC5E,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;QACD,OAAO,8BAA8B,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,8BAA8B,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,8BAA8B,CAAC,UAAkB,EAAE,IAAc;IACxE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;QACzJ,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAE,CAAC;YACzB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;gBAC5E,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAC9B,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChB,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC3H,OAAO,KAAK,CAAC;IACf,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,SAAS;QACX,CAAC;QACD,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACzG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAMpC;IACC,MAAM,mBAAmB,GAAG,QAAQ,CAAC,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACzF,IACE,CAAC,mBAAmB,KAAK,MAAM,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,KAAK,CAAC;QACjG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,CAAC,EACtE,CAAC;QACD,OAAO,+CAA+C,CAAC;IACzD,CAAC;IACD,IACE,CAAC,mBAAmB,KAAK,MAAM;QAC7B,mBAAmB,KAAK,QAAQ;QAChC,mBAAmB,KAAK,SAAS,CAAC;QACpC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,CAAC,EAC1G,CAAC;QACD,OAAO,8CAA8C,CAAC;IACxD,CAAC;IAED,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IACjF,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,eAAe,GAAG,sBAAsB,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/E,MAAM,gBAAgB,GAAG,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9F,IAAI,gBAAgB,EAAE,CAAC;YACrB,OAAO,gBAAgB,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,2BAA2B,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7E,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,KAAK,iBAAiB,EAAE,CAAC;YAChC,OAAO,8CAA8C,CAAC;QACxD,CAAC;QACD,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAClF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/security/command-policy-config.d.ts

@@ -1,5 +0,0 @@
-import type { CommandPolicyConfig } from "./command-policy-types.js";
-export declare function getDefaultCommandPolicyPath(): string;
-export declare function getDefaultCommandPolicy(): CommandPolicyConfig;
-export declare function loadCommandPolicy(configPath?: string): CommandPolicyConfig;
-//# sourceMappingURL=command-policy-config.d.ts.map

package/dist/security/command-policy-config.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-policy-config.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAgJrE,wBAAgB,2BAA2B,IAAI,MAAM,CAEpD;AAED,wBAAgB,uBAAuB,IAAI,mBAAmB,CAE7D;AAED,wBAAgB,iBAAiB,CAAC,UAAU,SAAsB,GAAG,mBAAmB,CAqFvF"}

package/dist/security/command-policy-config.js

@@ -1,212 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-const DEFAULT_POLICY_PATH = process.env.PINGCLAW_COMMAND_POLICY_PATH?.trim() || "/pingclaw/command-policy.json";
-const DEFAULT_POLICY = {
-    version: 1,
-    dataRoot: "/data",
-    security: {
-        defaultMode: "allowlist",
-        approvalMode: "off",
-    },
-    exec: {
-        allowShell: true,
-        allowPty: true,
-        maxCommandLength: 8192,
-        defaultTimeoutSec: 1800,
-    },
-    pathPolicy: {
-        allowedRoots: ["/data"],
-        blockedRoots: [
-            "/",
-            "/etc",
-            "/usr",
-            "/var",
-            "/bin",
-            "/sbin",
-            "/lib",
-            "/lib64",
-            "/boot",
-            "/root",
-            "/home",
-            "/proc",
-            "/sys",
-            "/dev",
-            "/run",
-            "/mnt",
-            "/media",
-            "/tmp",
-        ],
-        followSymlink: true,
-        denyPathEscape: true,
-    },
-    safeBins: {
-        enabled: true,
-        trustedDirs: ["/bin", "/usr/bin"],
-        bins: ["jq", "cut", "uniq", "head", "tail", "tr", "wc", "grep", "sort"],
-        profiles: {
-            jq: {},
-            cut: {},
-            uniq: {},
-            head: {},
-            tail: {},
-            tr: {},
-            wc: {},
-            grep: {},
-            sort: {},
-        },
-    },
-    trustedExecutables: {
-        enabled: true,
-        executables: [
-            "/usr/bin/node",
-            "/usr/bin/npm",
-            "/usr/bin/npx",
-            "/usr/bin/pnpm",
-            "/usr/bin/python",
-            "/usr/bin/python3",
-            "/usr/bin/pip",
-            "/usr/bin/pip3",
-            "/usr/bin/bash",
-            "/usr/bin/sh",
-            "/usr/bin/zsh",
-            "/usr/bin/git",
-            "/usr/bin/grep",
-            "/usr/bin/sort",
-            "/usr/bin/find",
-            "/usr/bin/cat",
-            "/usr/bin/sed",
-            "/usr/bin/awk",
-            "/usr/bin/ls",
-            "/usr/bin/env",
-        ],
-    },
-    allowlist: {
-        executables: [
-            "/usr/bin/ls",
-            "/usr/bin/find",
-            "/usr/bin/cat",
-            "/usr/bin/grep",
-            "/usr/bin/sort",
-            "/usr/bin/git",
-            "/usr/bin/env",
-        ],
-        wrappers: ["env", "timeout", "stdbuf", "nohup"],
-    },
-    dangerousRules: {
-        denyExecutables: [
-            "mount",
-            "umount",
-            "losetup",
-            "mkfs",
-            "fdisk",
-            "parted",
-            "fsck",
-            "swapon",
-            "swapoff",
-            "sudo",
-            "su",
-            "passwd",
-            "useradd",
-            "usermod",
-            "groupadd",
-            "shutdown",
-            "reboot",
-            "poweroff",
-            "systemctl",
-            "service",
-            "iptables",
-            "nft",
-            "ufw",
-            "route",
-            "ip",
-            "docker",
-            "podman",
-            "nsenter",
-            "unshare",
-            "chroot",
-        ],
-        denyShellPatterns: ["curl|sh", "wget|sh", "curl|bash", "wget|bash", "nc -e", "bash -i", "/dev/tcp/"],
-        requireApprovalExecutables: [],
-        requireApprovalShellPatterns: [],
-    },
-};
-function normalizeStringArray(value, fallback) {
-    if (!Array.isArray(value)) {
-        return [...fallback];
-    }
-    const normalized = value
-        .map((entry) => (typeof entry === "string" ? entry.trim() : ""))
-        .filter((entry) => entry.length > 0);
-    return normalized.length > 0 ? normalized : [...fallback];
-}
-export function getDefaultCommandPolicyPath() {
-    return DEFAULT_POLICY_PATH;
-}
-export function getDefaultCommandPolicy() {
-    return JSON.parse(JSON.stringify(DEFAULT_POLICY));
-}
-export function loadCommandPolicy(configPath = DEFAULT_POLICY_PATH) {
-    if (!fs.existsSync(configPath)) {
-        return getDefaultCommandPolicy();
-    }
-    const raw = JSON.parse(fs.readFileSync(configPath, "utf8"));
-    const defaults = getDefaultCommandPolicy();
-    const dataRoot = typeof raw.dataRoot === "string" && raw.dataRoot.trim().length > 0
-        ? path.posix.normalize(raw.dataRoot.trim())
-        : defaults.dataRoot;
-    return {
-        version: typeof raw.version === "number" ? raw.version : defaults.version,
-        dataRoot,
-        security: {
-            defaultMode: raw.security?.defaultMode === "deny" ||
-                raw.security?.defaultMode === "allowlist" ||
-                raw.security?.defaultMode === "full"
-                ? raw.security.defaultMode
-                : defaults.security.defaultMode,
-            approvalMode: raw.security?.approvalMode === "off" ||
-                raw.security?.approvalMode === "on-miss" ||
-                raw.security?.approvalMode === "always"
-                ? raw.security.approvalMode
-                : defaults.security.approvalMode,
-        },
-        exec: {
-            allowShell: raw.exec?.allowShell ?? defaults.exec.allowShell,
-            allowPty: raw.exec?.allowPty ?? defaults.exec.allowPty,
-            maxCommandLength: typeof raw.exec?.maxCommandLength === "number"
-                ? raw.exec.maxCommandLength
-                : defaults.exec.maxCommandLength,
-            defaultTimeoutSec: typeof raw.exec?.defaultTimeoutSec === "number"
-                ? raw.exec.defaultTimeoutSec
-                : defaults.exec.defaultTimeoutSec,
-        },
-        pathPolicy: {
-            allowedRoots: normalizeStringArray(raw.pathPolicy?.allowedRoots, [dataRoot]),
-            blockedRoots: normalizeStringArray(raw.pathPolicy?.blockedRoots, defaults.pathPolicy.blockedRoots),
-            followSymlink: raw.pathPolicy?.followSymlink ?? defaults.pathPolicy.followSymlink,
-            denyPathEscape: raw.pathPolicy?.denyPathEscape ?? defaults.pathPolicy.denyPathEscape,
-        },
-        safeBins: {
-            enabled: raw.safeBins?.enabled ?? defaults.safeBins.enabled,
-            trustedDirs: normalizeStringArray(raw.safeBins?.trustedDirs, defaults.safeBins.trustedDirs),
-            bins: normalizeStringArray(raw.safeBins?.bins, defaults.safeBins.bins),
-            profiles: raw.safeBins?.profiles && typeof raw.safeBins.profiles === "object"
-                ? raw.safeBins.profiles
-                : defaults.safeBins.profiles,
-        },
-        trustedExecutables: {
-            enabled: raw.trustedExecutables?.enabled ?? defaults.trustedExecutables.enabled,
-            executables: normalizeStringArray(raw.trustedExecutables?.executables, defaults.trustedExecutables.executables),
-        },
-        allowlist: {
-            executables: normalizeStringArray(raw.allowlist?.executables, defaults.allowlist.executables),
-            wrappers: normalizeStringArray(raw.allowlist?.wrappers, defaults.allowlist.wrappers),
-        },
-        dangerousRules: {
-            denyExecutables: normalizeStringArray(raw.dangerousRules?.denyExecutables, defaults.dangerousRules.denyExecutables),
-            denyShellPatterns: normalizeStringArray(raw.dangerousRules?.denyShellPatterns, defaults.dangerousRules.denyShellPatterns),
-            requireApprovalExecutables: normalizeStringArray(raw.dangerousRules?.requireApprovalExecutables, defaults.dangerousRules.requireApprovalExecutables),
-            requireApprovalShellPatterns: normalizeStringArray(raw.dangerousRules?.requireApprovalShellPatterns, defaults.dangerousRules.requireApprovalShellPatterns),
-        },
-    };
-}
-//# sourceMappingURL=command-policy-config.js.map

package/dist/security/command-policy-config.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-policy-config.js","sourceRoot":"","sources":["../../src/security/command-policy-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,IAAI,EAAE,IAAI,+BAA+B,CAAC;AAEhH,MAAM,cAAc,GAAwB;IAC1C,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,OAAO;IACjB,QAAQ,EAAE;QACR,WAAW,EAAE,WAAW;QACxB,YAAY,EAAE,KAAK;KACpB;IACD,IAAI,EAAE;QACJ,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;KACxB;IACD,UAAU,EAAE;QACV,YAAY,EAAE,CAAC,OAAO,CAAC;QACvB,YAAY,EAAE;YACZ,GAAG;YACH,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,OAAO;YACP,MAAM;YACN,QAAQ;YACR,OAAO;YACP,OAAO;YACP,OAAO;YACP,OAAO;YACP,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM;SACP;QACD,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,IAAI;KACrB;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;QACjC,IAAI,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC;QACvE,QAAQ,EAAE;YACR,EAAE,EAAE,EAAE;YACN,GAAG,EAAE,EAAE;YACP,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;YACR,EAAE,EAAE,EAAE;YACN,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;SACT;KACF;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,IAAI;QACb,WAAW,EAAE;YACX,eAAe;YACf,cAAc;YACd,cAAc;YACd,eAAe;YACf,iBAAiB;YACjB,kBAAkB;YAClB,cAAc;YACd,eAAe;YACf,eAAe;YACf,aAAa;YACb,cAAc;YACd,cAAc;YACd,eAAe;YACf,eAAe;YACf,eAAe;YACf,cAAc;YACd,cAAc;YACd,cAAc;YACd,aAAa;YACb,cAAc;SACf;KACF;IACD,SAAS,EAAE;QACT,WAAW,EAAE;YACX,aAAa;YACb,eAAe;YACf,cAAc;YACd,eAAe;YACf,eAAe;YACf,cAAc;YACd,cAAc;SACf;QACD,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC;KAChD;IACD,cAAc,EAAE;QACd,eAAe,EAAE;YACf,OAAO;YACP,QAAQ;YACR,SAAS;YACT,MAAM;YACN,OAAO;YACP,QAAQ;YACR,MAAM;YACN,QAAQ;YACR,SAAS;YACT,MAAM;YACN,IAAI;YACJ,QAAQ;YACR,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU;YACV,QAAQ;YACR,UAAU;YACV,WAAW;YACX,SAAS;YACT,UAAU;YACV,KAAK;YACL,KAAK;YACL,OAAO;YACP,IAAI;YACJ,QAAQ;YACR,QAAQ;YACR,SAAS;YACT,SAAS;YACT,QAAQ;SACT;QACD,iBAAiB,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC;QACpG,0BAA0B,EAAE,EAAE;QAC9B,4BAA4B,EAAE,EAAE;KACjC;CACF,CAAC;AAEF,SAAS,oBAAoB,CAAC,KAAc,EAAE,QAAkB;IAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IACvB,CAAC;IACD,MAAM,UAAU,GAAG,KAAK;SACrB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SAC/D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACvC,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,UAAU,GAAG,mBAAmB;IAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAiC,CAAC;IAC5F,MAAM,QAAQ,GAAG,uBAAuB,EAAE,CAAC;IAC3C,MAAM,QAAQ,GACZ,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAExB,OAAO;QACL,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO;QACzE,QAAQ;QACR,QAAQ,EAAE;YACR,WAAW,EACT,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,MAAM;gBACpC,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,WAAW;gBACzC,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,MAAM;gBAClC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW;YACnC,YAAY,EACV,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,KAAK;gBACpC,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,SAAS;gBACxC,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,QAAQ;gBACrC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY;gBAC3B,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY;SACrC;QACD,IAAI,EAAE;YACJ,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,UAAU;YAC5D,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ;YACtD,gBAAgB,EACd,OAAO,GAAG,CAAC,IAAI,EAAE,gBAAgB,KAAK,QAAQ;gBAC5C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB;gBAC3B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,gBAAgB;YACpC,iBAAiB,EACf,OAAO,GAAG,CAAC,IAAI,EAAE,iBAAiB,KAAK,QAAQ;gBAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB;gBAC5B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB;SACtC;QACD,UAAU,EAAE;YACV,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,CAAC;YAC5E,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YAClG,aAAa,EAAE,GAAG,CAAC,UAAU,EAAE,aAAa,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa;YACjF,cAAc,EAAE,GAAG,CAAC,UAAU,EAAE,cAAc,IAAI,QAAQ,CAAC,UAAU,CAAC,cAAc;SACrF;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO;YAC3D,WAAW,EAAE,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC3F,IAAI,EAAE,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;YACtE,QAAQ,EACN,GAAG,CAAC,QAAQ,EAAE,QAAQ,IAAI,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,KAAK,QAAQ;gBACjE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ;gBACvB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ;SACjC;QACD,kBAAkB,EAAE;YAClB,OAAO,EAAE,GAAG,CAAC,kBAAkB,EAAE,OAAO,IAAI,QAAQ,CAAC,kBAAkB,CAAC,OAAO;YAC/E,WAAW,EAAE,oBAAoB,CAC/B,GAAG,CAAC,kBAAkB,EAAE,WAAW,EACnC,QAAQ,CAAC,kBAAkB,CAAC,WAAW,CACxC;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,SAAS,CAAC,WAAW,CAAC;YAC7F,QAAQ,EAAE,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC;SACrF;QACD,cAAc,EAAE;YACd,eAAe,EAAE,oBAAoB,CACnC,GAAG,CAAC,cAAc,EAAE,eAAe,EACnC,QAAQ,CAAC,cAAc,CAAC,eAAe,CACxC;YACD,iBAAiB,EAAE,oBAAoB,CACrC,GAAG,CAAC,cAAc,EAAE,iBAAiB,EACrC,QAAQ,CAAC,cAAc,CAAC,iBAAiB,CAC1C;YACD,0BAA0B,EAAE,oBAAoB,CAC9C,GAAG,CAAC,cAAc,EAAE,0BAA0B,EAC9C,QAAQ,CAAC,cAAc,CAAC,0BAA0B,CACnD;YACD,4BAA4B,EAAE,oBAAoB,CAChD,GAAG,CAAC,cAAc,EAAE,4BAA4B,EAChD,QAAQ,CAAC,cAAc,CAAC,4BAA4B,CACrD;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/security/command-policy-engine.d.ts

@@ -1,8 +0,0 @@
-import type { CommandPolicyConfig, CommandPolicyResult } from "./command-policy-types.js";
-export declare function evaluateCommandPolicy(params: {
-    command: string;
-    cwd: string;
-    allowedRoot: string;
-    policy: CommandPolicyConfig;
-}): CommandPolicyResult;
-//# sourceMappingURL=command-policy-engine.d.ts.map

package/dist/security/command-policy-engine.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-policy-engine.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAO1F,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,mBAAmB,CAAC;CAC7B,GAAG,mBAAmB,CAgItB"}

package/dist/security/command-policy-engine.js

@@ -1,122 +0,0 @@
-import { parseCommand } from "./command-parser.js";
-import { matchDangerousExecutable, matchDangerousShellPattern } from "./command-dangerous-rules.js";
-import { matchAllowlistExecutable, matchTrustedExecutable } from "./command-trusted-executables.js";
-import { validateCommandPaths } from "./command-path-guard.js";
-import { matchSafeBin } from "./command-safe-bins.js";
-export function evaluateCommandPolicy(params) {
-    const normalizedCommand = params.command.trim();
-    if (!normalizedCommand) {
-        return {
-            decision: "deny",
-            reason: "empty_command",
-            normalizedCommand,
-            parsedSegments: [],
-        };
-    }
-    if (normalizedCommand.length > params.policy.exec.maxCommandLength) {
-        return {
-            decision: "deny",
-            reason: "parse_error",
-            normalizedCommand,
-            parsedSegments: [],
-        };
-    }
-    const dangerousPattern = matchDangerousShellPattern(normalizedCommand, params.policy.dangerousRules);
-    if (dangerousPattern) {
-        return {
-            decision: "deny",
-            reason: "dangerous_shell_pattern",
-            matchedRuleId: dangerousPattern,
-            normalizedCommand,
-            parsedSegments: [],
-        };
-    }
-    const parsed = parseCommand(normalizedCommand);
-    if (!parsed) {
-        return {
-            decision: "deny",
-            reason: "parse_error",
-            normalizedCommand,
-            parsedSegments: [],
-        };
-    }
-    let matchedTrusted = null;
-    let matchedAllowlist = null;
-    let matchedSafeBin = null;
-    for (const segment of parsed.segments) {
-        const dangerousExecutable = matchDangerousExecutable(segment, params.policy.dangerousRules);
-        if (dangerousExecutable) {
-            return {
-                decision: "deny",
-                reason: "dangerous_executable",
-                matchedRuleId: dangerousExecutable,
-                normalizedCommand,
-                parsedSegments: parsed.segments,
-            };
-        }
-        const pathError = validateCommandPaths({
-            cwd: params.cwd,
-            allowedRoot: params.allowedRoot,
-            pathPolicy: params.policy.pathPolicy,
-            segment,
-            allowlist: params.policy.allowlist,
-        });
-        if (pathError) {
-            return {
-                decision: "deny",
-                reason: "path_escape",
-                matchedRuleId: pathError,
-                normalizedCommand,
-                parsedSegments: parsed.segments,
-            };
-        }
-        const trusted = matchTrustedExecutable(segment, params.policy.trustedExecutables, params.policy.allowlist);
-        const safeBin = matchSafeBin(segment, params.policy.safeBins, params.policy.allowlist);
-        const allowed = matchAllowlistExecutable(segment, params.policy.allowlist);
-        matchedSafeBin ||= safeBin;
-        matchedTrusted ||= trusted;
-        matchedAllowlist ||= allowed;
-        if (!safeBin && !trusted && !allowed) {
-            return {
-                decision: "deny",
-                reason: "allowlist_miss",
-                normalizedCommand,
-                parsedSegments: parsed.segments,
-            };
-        }
-    }
-    if (matchedSafeBin) {
-        return {
-            decision: "allow",
-            reason: "safe_bin_match",
-            matchedRuleId: matchedSafeBin,
-            normalizedCommand,
-            parsedSegments: parsed.segments,
-        };
-    }
-    if (matchedTrusted) {
-        return {
-            decision: "allow",
-            reason: "trusted_executable_match",
-            matchedRuleId: matchedTrusted,
-            normalizedCommand,
-            parsedSegments: parsed.segments,
-        };
-    }
-    if (matchedAllowlist) {
-        return {
-            decision: "allow",
-            reason: "allowlist_match",
-            matchedRuleId: matchedAllowlist,
-            normalizedCommand,
-            parsedSegments: parsed.segments,
-        };
-    }
-    return {
-        decision: "deny",
-        reason: "allowlist_miss",
-        normalizedCommand,
-        parsedSegments: parsed.segments,
-    };
-}
-//# sourceMappingURL=command-policy-engine.js.map

package/dist/security/command-policy-engine.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-policy-engine.js","sourceRoot":"","sources":["../../src/security/command-policy-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AACpG,OAAO,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AACpG,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAEtD,MAAM,UAAU,qBAAqB,CAAC,MAKrC;IACC,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,eAAe;YACvB,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,IAAI,iBAAiB,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACnE,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,aAAa;YACrB,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,0BAA0B,CAAC,iBAAiB,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACrG,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,yBAAyB;YACjC,aAAa,EAAE,gBAAgB;YAC/B,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,aAAa;YACrB,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;IAC3C,IAAI,cAAc,GAAkB,IAAI,CAAC;IAEzC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,MAAM,mBAAmB,GAAG,wBAAwB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC5F,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,sBAAsB;gBAC9B,aAAa,EAAE,mBAAmB;gBAClC,iBAAiB;gBACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,oBAAoB,CAAC;YACrC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;YACpC,OAAO;YACP,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS;SACnC,CAAC,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,aAAa;gBACrB,aAAa,EAAE,SAAS;gBACxB,iBAAiB;gBACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,sBAAsB,CACpC,OAAO,EACP,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAChC,MAAM,CAAC,MAAM,CAAC,SAAS,CACxB,CAAC;QACF,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvF,MAAM,OAAO,GAAG,wBAAwB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC3E,cAAc,KAAK,OAAO,CAAC;QAC3B,cAAc,KAAK,OAAO,CAAC;QAC3B,gBAAgB,KAAK,OAAO,CAAC;QAE7B,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACrC,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,gBAAgB;gBACxB,iBAAiB;gBACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;aAChC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,gBAAgB;YACxB,aAAa,EAAE,cAAc;YAC7B,iBAAiB;YACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;SAChC,CAAC;IACJ,CAAC;IACD,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,0BAA0B;YAClC,aAAa,EAAE,cAAc;YAC7B,iBAAiB;YACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;SAChC,CAAC;IACJ,CAAC;IACD,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,iBAAiB;YACzB,aAAa,EAAE,gBAAgB;YAC/B,iBAAiB;YACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;SAChC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,gBAAgB;QACxB,iBAAiB;QACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;KAChC,CAAC;AACJ,CAAC"}

package/dist/security/command-policy-types.d.ts

@@ -1,67 +0,0 @@
-export type CommandDecision = "allow" | "deny" | "require_approval";
-export type CommandDecisionReason = "empty_command" | "parse_error" | "dangerous_executable" | "dangerous_shell_pattern" | "path_escape" | "blocked_root" | "allowlist_match" | "trusted_executable_match" | "safe_bin_match" | "allowlist_miss" | "approval_required";
-export type CommandPathPolicy = {
-    allowedRoots: string[];
-    blockedRoots: string[];
-    followSymlink: boolean;
-    denyPathEscape: boolean;
-};
-export type CommandSafeBinsPolicy = {
-    enabled: boolean;
-    trustedDirs: string[];
-    bins: string[];
-    profiles: Record<string, Record<string, unknown>>;
-};
-export type CommandTrustedExecutablesPolicy = {
-    enabled: boolean;
-    executables: string[];
-};
-export type CommandAllowlistPolicy = {
-    executables: string[];
-    wrappers: string[];
-};
-export type CommandDangerousRulesPolicy = {
-    denyExecutables: string[];
-    denyShellPatterns: string[];
-    requireApprovalExecutables: string[];
-    requireApprovalShellPatterns: string[];
-};
-export type CommandPolicyConfig = {
-    version: number;
-    dataRoot: string;
-    security: {
-        defaultMode: "deny" | "allowlist" | "full";
-        approvalMode: "off" | "on-miss" | "always";
-    };
-    exec: {
-        allowShell: boolean;
-        allowPty: boolean;
-        maxCommandLength: number;
-        defaultTimeoutSec: number;
-    };
-    pathPolicy: CommandPathPolicy;
-    safeBins: CommandSafeBinsPolicy;
-    trustedExecutables: CommandTrustedExecutablesPolicy;
-    allowlist: CommandAllowlistPolicy;
-    dangerousRules: CommandDangerousRulesPolicy;
-};
-export type ParsedCommandSegment = {
-    raw: string;
-    argv: string[];
-    executable: string | null;
-    redirections: Array<{
-        operator: string;
-        target: string;
-    }>;
-};
-export type ParsedCommand = {
-    segments: ParsedCommandSegment[];
-};
-export type CommandPolicyResult = {
-    decision: CommandDecision;
-    reason: CommandDecisionReason;
-    matchedRuleId?: string;
-    normalizedCommand: string;
-    parsedSegments: ParsedCommandSegment[];
-};
-//# sourceMappingURL=command-policy-types.d.ts.map

package/dist/security/command-policy-types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-policy-types.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,MAAM,GAAG,kBAAkB,CAAC;AAEpE,MAAM,MAAM,qBAAqB,GAC7B,eAAe,GACf,aAAa,GACb,sBAAsB,GACtB,yBAAyB,GACzB,aAAa,GACb,cAAc,GACd,iBAAiB,GACjB,0BAA0B,GAC1B,gBAAgB,GAChB,gBAAgB,GAChB,mBAAmB,CAAC;AAExB,MAAM,MAAM,iBAAiB,GAAG;IAC9B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACnD,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,0BAA0B,EAAE,MAAM,EAAE,CAAC;IACrC,4BAA4B,EAAE,MAAM,EAAE,CAAC;CACxC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE;QACR,WAAW,EAAE,MAAM,GAAG,WAAW,GAAG,MAAM,CAAC;QAC3C,YAAY,EAAE,KAAK,GAAG,SAAS,GAAG,QAAQ,CAAC;KAC5C,CAAC;IACF,IAAI,EAAE;QACJ,UAAU,EAAE,OAAO,CAAC;QACpB,QAAQ,EAAE,OAAO,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;QACzB,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,UAAU,EAAE,iBAAiB,CAAC;IAC9B,QAAQ,EAAE,qBAAqB,CAAC;IAChC,kBAAkB,EAAE,+BAA+B,CAAC;IACpD,SAAS,EAAE,sBAAsB,CAAC;IAClC,cAAc,EAAE,2BAA2B,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3D,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,oBAAoB,EAAE,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,eAAe,CAAC;IAC1B,MAAM,EAAE,qBAAqB,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,oBAAoB,EAAE,CAAC;CACxC,CAAC"}

package/dist/security/command-policy-types.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=command-policy-types.js.map

package/dist/security/command-policy-types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-policy-types.js","sourceRoot":"","sources":["../../src/security/command-policy-types.ts"],"names":[],"mappings":""}

package/dist/security/command-safe-bins.d.ts

@@ -1,4 +0,0 @@
-import type { CommandSafeBinsPolicy, ParsedCommandSegment } from "./command-policy-types.js";
-import type { CommandAllowlistPolicy } from "./command-policy-types.js";
-export declare function matchSafeBin(segment: ParsedCommandSegment, safeBins: CommandSafeBinsPolicy, allowlist: CommandAllowlistPolicy): string | null;
-//# sourceMappingURL=command-safe-bins.d.ts.map

package/dist/security/command-safe-bins.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"command-safe-bins.d.ts","sourceRoot":"","sources":["../../src/security/command-safe-bins.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,qBAAqB,EACrB,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAyExE,wBAAgB,YAAY,CAC1B,OAAO,EAAE,oBAAoB,EAC7B,QAAQ,EAAE,qBAAqB,EAC/B,SAAS,EAAE,sBAAsB,GAChC,MAAM,GAAG,IAAI,CAgBf"}