@goplus/agentguard 1.0.0

package/dist/registry/storage.js

@@ -0,0 +1,208 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RegistryStorage = void 0;
+const fs = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+/**
+ * Default registry data
+ */
+const DEFAULT_REGISTRY = {
+    version: 1,
+    updated_at: new Date().toISOString(),
+    records: [],
+};
+/**
+ * JSON-based storage for registry
+ */
+class RegistryStorage {
+    filePath;
+    data = null;
+    constructor(options = {}) {
+        this.filePath =
+            options.filePath ||
+                path.join(process.cwd(), 'data', 'registry.json');
+    }
+    /**
+     * Ensure data directory exists
+     */
+    async ensureDirectory() {
+        const dir = path.dirname(this.filePath);
+        await fs.mkdir(dir, { recursive: true });
+    }
+    /**
+     * Load registry data from file
+     */
+    async load() {
+        if (this.data) {
+            return this.data;
+        }
+        try {
+            const content = await fs.readFile(this.filePath, 'utf-8');
+            this.data = JSON.parse(content);
+            // Validate version
+            if (this.data.version !== 1) {
+                console.warn(`Unknown registry version: ${this.data.version}`);
+            }
+            return this.data;
+        }
+        catch (err) {
+            if (err.code === 'ENOENT') {
+                // File doesn't exist, create default
+                this.data = { ...DEFAULT_REGISTRY };
+                await this.save();
+                return this.data;
+            }
+            throw err;
+        }
+    }
+    /**
+     * Save registry data to file
+     */
+    async save() {
+        if (!this.data) {
+            throw new Error('No data to save');
+        }
+        await this.ensureDirectory();
+        this.data.updated_at = new Date().toISOString();
+        await fs.writeFile(this.filePath, JSON.stringify(this.data, null, 2), 'utf-8');
+    }
+    /**
+     * Get all records
+     */
+    async getRecords() {
+        const data = await this.load();
+        return data.records;
+    }
+    /**
+     * Find record by key
+     */
+    async findByKey(recordKey) {
+        const data = await this.load();
+        return data.records.find((r) => r.record_key === recordKey) || null;
+    }
+    /**
+     * Find records by source
+     */
+    async findBySource(source) {
+        const data = await this.load();
+        return data.records.filter((r) => r.skill.source === source);
+    }
+    /**
+     * Add or update a record
+     */
+    async upsert(record) {
+        const data = await this.load();
+        const existingIndex = data.records.findIndex((r) => r.record_key === record.record_key);
+        if (existingIndex >= 0) {
+            data.records[existingIndex] = record;
+        }
+        else {
+            data.records.push(record);
+        }
+        await this.save();
+    }
+    /**
+     * Remove a record by key
+     */
+    async remove(recordKey) {
+        const data = await this.load();
+        const initialLength = data.records.length;
+        data.records = data.records.filter((r) => r.record_key !== recordKey);
+        if (data.records.length < initialLength) {
+            await this.save();
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Update record status
+     */
+    async updateStatus(recordKey, status) {
+        const record = await this.findByKey(recordKey);
+        if (!record) {
+            return false;
+        }
+        record.status = status;
+        record.updated_at = new Date().toISOString();
+        await this.upsert(record);
+        return true;
+    }
+    /**
+     * Export registry to JSON string
+     */
+    async export() {
+        const data = await this.load();
+        return JSON.stringify(data, null, 2);
+    }
+    /**
+     * Import registry from JSON string
+     */
+    async import(jsonData, merge = false) {
+        const importData = JSON.parse(jsonData);
+        if (merge) {
+            const data = await this.load();
+            // Merge records, preferring imported records for conflicts
+            const recordMap = new Map();
+            for (const record of data.records) {
+                recordMap.set(record.record_key, record);
+            }
+            for (const record of importData.records) {
+                recordMap.set(record.record_key, record);
+            }
+            data.records = Array.from(recordMap.values());
+            await this.save();
+        }
+        else {
+            this.data = importData;
+            await this.save();
+        }
+    }
+    /**
+     * Clear all records
+     */
+    async clear() {
+        this.data = { ...DEFAULT_REGISTRY };
+        await this.save();
+    }
+    /**
+     * Get registry file path
+     */
+    getFilePath() {
+        return this.filePath;
+    }
+}
+exports.RegistryStorage = RegistryStorage;
+//# sourceMappingURL=storage.js.map

package/dist/registry/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../src/registry/storage.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,gDAAkC;AAClC,2CAA6B;AAG7B;;GAEG;AACH,MAAM,gBAAgB,GAAiB;IACrC,OAAO,EAAE,CAAC;IACV,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;IACpC,OAAO,EAAE,EAAE;CACZ,CAAC;AAUF;;GAEG;AACH,MAAa,eAAe;IAClB,QAAQ,CAAS;IACjB,IAAI,GAAwB,IAAI,CAAC;IAEzC,YAAY,UAA0B,EAAE;QACtC,IAAI,CAAC,QAAQ;YACX,OAAO,CAAC,QAAQ;gBAChB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,IAAI,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAiB,CAAC;YAEhD,mBAAmB;YACnB,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;gBAC5B,OAAO,CAAC,IAAI,CAAC,6BAA6B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACjE,CAAC;YAED,OAAO,IAAI,CAAC,IAAI,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,qCAAqC;gBACrC,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,gBAAgB,EAAE,CAAC;gBACpC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;gBAClB,OAAO,IAAI,CAAC,IAAI,CAAC;YACnB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAEhD,MAAM,EAAE,CAAC,SAAS,CAChB,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAClC,OAAO,CACR,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,SAAiB;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,IAAI,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,MAAc;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,MAAmB;QAC9B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAE/B,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU,CAC1C,CAAC;QAEF,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;YACvB,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAED,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAE/B,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QAC1C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC;QAEtE,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;YACxC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,SAAiB,EACjB,MAA4B;QAE5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAE/C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;QACvB,MAAM,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE7C,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,QAAiB,KAAK;QACnD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAiB,CAAC;QAExD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAE/B,2DAA2D;YAC3D,MAAM,SAAS,GAAG,IAAI,GAAG,EAAuB,CAAC;YAEjD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAC3C,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAC3C,CAAC;YAED,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9C,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;YACvB,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,gBAAgB,EAAE,CAAC;QACpC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AApMD,0CAoMC"}

package/dist/registry/trust.d.ts

@@ -0,0 +1,41 @@
+import type { TrustLevel, TrustRecord } from '../types/registry.js';
+import type { SkillIdentity, CapabilityModel } from '../types/skill.js';
+/**
+ * Trust level priorities (higher = more trusted)
+ */
+export declare const TRUST_PRIORITY: Record<TrustLevel, number>;
+/**
+ * Check if a trust level change is an upgrade
+ */
+export declare function isTrustUpgrade(from: TrustLevel, to: TrustLevel): boolean;
+/**
+ * Check if a trust level change is a downgrade
+ */
+export declare function isTrustDowngrade(from: TrustLevel, to: TrustLevel): boolean;
+/**
+ * Determine if a skill needs re-evaluation based on identity changes
+ */
+export declare function needsReevaluation(existingRecord: TrustRecord, newSkill: SkillIdentity): {
+    needsReevaluation: boolean;
+    reason?: string;
+};
+/**
+ * Check if capabilities are being escalated
+ */
+export declare function isCapabilityEscalation(existing: CapabilityModel, requested: CapabilityModel): {
+    isEscalation: boolean;
+    escalations: string[];
+};
+/**
+ * Create a new trust record
+ */
+export declare function createTrustRecord(skill: SkillIdentity, trustLevel: TrustLevel, capabilities: CapabilityModel, review: {
+    reviewed_by: string;
+    evidence_refs: string[];
+    notes: string;
+}, expiresAt?: string): TrustRecord;
+/**
+ * Merge capabilities (take the more restrictive option)
+ */
+export declare function mergeCapabilities(a: CapabilityModel, b: CapabilityModel): CapabilityModel;
+//# sourceMappingURL=trust.d.ts.map

package/dist/registry/trust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.d.ts","sourceRoot":"","sources":["../../src/registry/trust.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGxE;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAIrD,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAExE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,GAAG,OAAO,CAE1E;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,WAAW,EAC3B,QAAQ,EAAE,aAAa,GACtB;IACD,iBAAiB,EAAE,OAAO,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAkBA;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,eAAe,EACzB,SAAS,EAAE,eAAe,GACzB;IACD,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CA2DA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,aAAa,EACpB,UAAU,EAAE,UAAU,EACtB,YAAY,EAAE,eAAe,EAC7B,MAAM,EAAE;IACN,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;CACf,EACD,SAAS,CAAC,EAAE,MAAM,GACjB,WAAW,CAiBb;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,CAAC,EAAE,eAAe,EAClB,CAAC,EAAE,eAAe,GACjB,eAAe,CA+BjB"}

package/dist/registry/trust.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TRUST_PRIORITY = void 0;
+exports.isTrustUpgrade = isTrustUpgrade;
+exports.isTrustDowngrade = isTrustDowngrade;
+exports.needsReevaluation = needsReevaluation;
+exports.isCapabilityEscalation = isCapabilityEscalation;
+exports.createTrustRecord = createTrustRecord;
+exports.mergeCapabilities = mergeCapabilities;
+const skill_js_1 = require("../types/skill.js");
+/**
+ * Trust level priorities (higher = more trusted)
+ */
+exports.TRUST_PRIORITY = {
+    untrusted: 0,
+    restricted: 1,
+    trusted: 2,
+};
+/**
+ * Check if a trust level change is an upgrade
+ */
+function isTrustUpgrade(from, to) {
+    return exports.TRUST_PRIORITY[to] > exports.TRUST_PRIORITY[from];
+}
+/**
+ * Check if a trust level change is a downgrade
+ */
+function isTrustDowngrade(from, to) {
+    return exports.TRUST_PRIORITY[to] < exports.TRUST_PRIORITY[from];
+}
+/**
+ * Determine if a skill needs re-evaluation based on identity changes
+ */
+function needsReevaluation(existingRecord, newSkill) {
+    // Hash change = definitely needs re-evaluation
+    if (existingRecord.skill.artifact_hash !== newSkill.artifact_hash) {
+        return {
+            needsReevaluation: true,
+            reason: 'artifact_hash_changed',
+        };
+    }
+    // Version change (but same hash is fine, unlikely but possible)
+    if (existingRecord.skill.version_ref !== newSkill.version_ref) {
+        return {
+            needsReevaluation: true,
+            reason: 'version_changed',
+        };
+    }
+    return { needsReevaluation: false };
+}
+/**
+ * Check if capabilities are being escalated
+ */
+function isCapabilityEscalation(existing, requested) {
+    const escalations = [];
+    // Check exec permission
+    if (existing.exec === 'deny' && requested.exec === 'allow') {
+        escalations.push('exec: deny -> allow');
+    }
+    // Check network allowlist expansion
+    const newNetworkDomains = requested.network_allowlist.filter((d) => !existing.network_allowlist.includes(d));
+    if (newNetworkDomains.length > 0) {
+        escalations.push(`network_allowlist: added ${newNetworkDomains.join(', ')}`);
+    }
+    // Check filesystem allowlist expansion
+    const newFilePaths = requested.filesystem_allowlist.filter((p) => !existing.filesystem_allowlist.includes(p));
+    if (newFilePaths.length > 0) {
+        escalations.push(`filesystem_allowlist: added ${newFilePaths.join(', ')}`);
+    }
+    // Check secrets allowlist expansion
+    const newSecrets = requested.secrets_allowlist.filter((s) => !existing.secrets_allowlist.includes(s));
+    if (newSecrets.length > 0) {
+        escalations.push(`secrets_allowlist: added ${newSecrets.join(', ')}`);
+    }
+    // Check Web3 capabilities
+    if (requested.web3 && existing.web3) {
+        const newChains = requested.web3.chains_allowlist.filter((c) => !existing.web3.chains_allowlist.includes(c));
+        if (newChains.length > 0) {
+            escalations.push(`web3.chains_allowlist: added ${newChains.join(', ')}`);
+        }
+        // Check tx_policy
+        const txPolicyPriority = { deny: 0, confirm_high_risk: 1, allow: 2 };
+        if (txPolicyPriority[requested.web3.tx_policy] >
+            txPolicyPriority[existing.web3.tx_policy]) {
+            escalations.push(`web3.tx_policy: ${existing.web3.tx_policy} -> ${requested.web3.tx_policy}`);
+        }
+    }
+    else if (requested.web3 && !existing.web3) {
+        escalations.push('web3: added');
+    }
+    return {
+        isEscalation: escalations.length > 0,
+        escalations,
+    };
+}
+/**
+ * Create a new trust record
+ */
+function createTrustRecord(skill, trustLevel, capabilities, review, expiresAt) {
+    const now = new Date().toISOString();
+    return {
+        record_key: (0, skill_js_1.generateRecordKey)(skill),
+        skill,
+        trust_level: trustLevel,
+        capabilities,
+        expires_at: expiresAt,
+        review: {
+            ...review,
+            reviewed_at: now,
+        },
+        status: 'active',
+        created_at: now,
+        updated_at: now,
+    };
+}
+/**
+ * Merge capabilities (take the more restrictive option)
+ */
+function mergeCapabilities(a, b) {
+    return {
+        network_allowlist: a.network_allowlist.filter((d) => b.network_allowlist.includes(d)),
+        filesystem_allowlist: a.filesystem_allowlist.filter((p) => b.filesystem_allowlist.includes(p)),
+        exec: a.exec === 'deny' || b.exec === 'deny' ? 'deny' : 'allow',
+        secrets_allowlist: a.secrets_allowlist.filter((s) => b.secrets_allowlist.includes(s)),
+        web3: a.web3 && b.web3
+            ? {
+                chains_allowlist: a.web3.chains_allowlist.filter((c) => b.web3.chains_allowlist.includes(c)),
+                rpc_allowlist: a.web3.rpc_allowlist.filter((r) => b.web3.rpc_allowlist.includes(r)),
+                tx_policy: a.web3.tx_policy === 'deny' || b.web3.tx_policy === 'deny'
+                    ? 'deny'
+                    : a.web3.tx_policy === 'confirm_high_risk' ||
+                        b.web3.tx_policy === 'confirm_high_risk'
+                        ? 'confirm_high_risk'
+                        : 'allow',
+            }
+            : undefined,
+    };
+}
+//# sourceMappingURL=trust.js.map

package/dist/registry/trust.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.js","sourceRoot":"","sources":["../../src/registry/trust.ts"],"names":[],"mappings":";;;AAgBA,wCAEC;AAKD,4CAEC;AAKD,8CAwBC;AAKD,wDAiEC;AAKD,8CA2BC;AAKD,8CAkCC;AAjMD,gDAAsD;AAEtD;;GAEG;AACU,QAAA,cAAc,GAA+B;IACxD,SAAS,EAAE,CAAC;IACZ,UAAU,EAAE,CAAC;IACb,OAAO,EAAE,CAAC;CACX,CAAC;AAEF;;GAEG;AACH,SAAgB,cAAc,CAAC,IAAgB,EAAE,EAAc;IAC7D,OAAO,sBAAc,CAAC,EAAE,CAAC,GAAG,sBAAc,CAAC,IAAI,CAAC,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,IAAgB,EAAE,EAAc;IAC/D,OAAO,sBAAc,CAAC,EAAE,CAAC,GAAG,sBAAc,CAAC,IAAI,CAAC,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,cAA2B,EAC3B,QAAuB;IAKvB,+CAA+C;IAC/C,IAAI,cAAc,CAAC,KAAK,CAAC,aAAa,KAAK,QAAQ,CAAC,aAAa,EAAE,CAAC;QAClE,OAAO;YACL,iBAAiB,EAAE,IAAI;YACvB,MAAM,EAAE,uBAAuB;SAChC,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,IAAI,cAAc,CAAC,KAAK,CAAC,WAAW,KAAK,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC9D,OAAO;YACL,iBAAiB,EAAE,IAAI;YACvB,MAAM,EAAE,iBAAiB;SAC1B,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CACpC,QAAyB,EACzB,SAA0B;IAK1B,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,wBAAwB;IACxB,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC3D,WAAW,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IAC1C,CAAC;IAED,oCAAoC;IACpC,MAAM,iBAAiB,GAAG,SAAS,CAAC,iBAAiB,CAAC,MAAM,CAC1D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC/C,CAAC;IACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,WAAW,CAAC,IAAI,CAAC,4BAA4B,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,uCAAuC;IACvC,MAAM,YAAY,GAAG,SAAS,CAAC,oBAAoB,CAAC,MAAM,CACxD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAClD,CAAC;IACF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,WAAW,CAAC,IAAI,CAAC,+BAA+B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,oCAAoC;IACpC,MAAM,UAAU,GAAG,SAAS,CAAC,iBAAiB,CAAC,MAAM,CACnD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC/C,CAAC;IACF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,WAAW,CAAC,IAAI,CAAC,4BAA4B,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,0BAA0B;IAC1B,IAAI,SAAS,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CACtD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,CACpD,CAAC;QACF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,WAAW,CAAC,IAAI,CAAC,gCAAgC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,kBAAkB;QAClB,MAAM,gBAAgB,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,iBAAiB,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QACrE,IACE,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;YAC1C,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EACzC,CAAC;YACD,WAAW,CAAC,IAAI,CACd,mBAAmB,QAAQ,CAAC,IAAI,CAAC,SAAS,OAAO,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,CAC5E,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,IAAI,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC5C,WAAW,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAClC,CAAC;IAED,OAAO;QACL,YAAY,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC;QACpC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,KAAoB,EACpB,UAAsB,EACtB,YAA6B,EAC7B,MAIC,EACD,SAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,OAAO;QACL,UAAU,EAAE,IAAA,4BAAiB,EAAC,KAAK,CAAC;QACpC,KAAK;QACL,WAAW,EAAE,UAAU;QACvB,YAAY;QACZ,UAAU,EAAE,SAAS;QACrB,MAAM,EAAE;YACN,GAAG,MAAM;YACT,WAAW,EAAE,GAAG;SACjB;QACD,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE,GAAG;QACf,UAAU,EAAE,GAAG;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,CAAkB,EAClB,CAAkB;IAElB,OAAO;QACL,iBAAiB,EAAE,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAClD,CAAC,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAChC;QACD,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACxD,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC,CAAC,CACnC;QACD,IAAI,EAAE,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;QAC/D,iBAAiB,EAAE,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAClD,CAAC,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAChC;QACD,IAAI,EACF,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI;YACd,CAAC,CAAC;gBACE,gBAAgB,EAAE,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,CAAC,CAAC,IAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,CACrC;gBACD,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/C,CAAC,CAAC,IAAK,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAClC;gBACD,SAAS,EACP,CAAC,CAAC,IAAI,CAAC,SAAS,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,KAAK,MAAM;oBACxD,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,KAAK,mBAAmB;wBACxC,CAAC,CAAC,IAAI,CAAC,SAAS,KAAK,mBAAmB;wBAC1C,CAAC,CAAC,mBAAmB;wBACrB,CAAC,CAAC,OAAO;aACd;YACH,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC"}

package/dist/scanner/file-walker.d.ts

@@ -0,0 +1,34 @@
+/**
+ * File info for scanning
+ */
+export interface FileInfo {
+    /** Absolute path */
+    path: string;
+    /** Relative path from root */
+    relativePath: string;
+    /** File content */
+    content: string;
+    /** File extension */
+    extension: string;
+}
+/**
+ * Supported file extensions for scanning
+ */
+export declare const SCANNABLE_EXTENSIONS: string[];
+/**
+ * Files to skip
+ */
+export declare const SKIP_PATTERNS: string[];
+/**
+ * Walk directory and collect scannable files
+ */
+export declare function walkDirectory(rootDir: string): Promise<FileInfo[]>;
+/**
+ * Check if a path is a directory
+ */
+export declare function isDirectory(dirPath: string): Promise<boolean>;
+/**
+ * Check if a path exists
+ */
+export declare function pathExists(p: string): Promise<boolean>;
+//# sourceMappingURL=file-walker.d.ts.map

package/dist/scanner/file-walker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-walker.d.ts","sourceRoot":"","sources":["../../src/scanner/file-walker.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,8BAA8B;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,eAAO,MAAM,oBAAoB,UAahC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,UAWzB,CAAC;AAEF;;GAEG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAmCxE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOnE;AAED;;GAEG;AACH,wBAAsB,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAO5D"}

package/dist/scanner/file-walker.js

@@ -0,0 +1,134 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SKIP_PATTERNS = exports.SCANNABLE_EXTENSIONS = void 0;
+exports.walkDirectory = walkDirectory;
+exports.isDirectory = isDirectory;
+exports.pathExists = pathExists;
+const glob_1 = require("glob");
+const fs = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+/**
+ * Supported file extensions for scanning
+ */
+exports.SCANNABLE_EXTENSIONS = [
+    // JavaScript/TypeScript
+    '.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs',
+    // Python
+    '.py',
+    // Configuration
+    '.json', '.yaml', '.yml', '.toml',
+    // Solidity
+    '.sol',
+    // Shell
+    '.sh', '.bash',
+    // Markdown (for prompt injection)
+    '.md',
+];
+/**
+ * Files to skip
+ */
+exports.SKIP_PATTERNS = [
+    '**/node_modules/**',
+    '**/dist/**',
+    '**/build/**',
+    '**/.git/**',
+    '**/coverage/**',
+    '**/__pycache__/**',
+    '**/*.min.js',
+    '**/package-lock.json',
+    '**/yarn.lock',
+    '**/pnpm-lock.yaml',
+];
+/**
+ * Walk directory and collect scannable files
+ */
+async function walkDirectory(rootDir) {
+    const files = [];
+    // Build glob pattern for all scannable extensions
+    const extensions = exports.SCANNABLE_EXTENSIONS.map(e => e.slice(1)).join(',');
+    const pattern = `**/*.{${extensions}}`;
+    // Find all matching files
+    const matches = await (0, glob_1.glob)(pattern, {
+        cwd: rootDir,
+        ignore: exports.SKIP_PATTERNS,
+        nodir: true,
+        absolute: true,
+    });
+    // Read file contents
+    for (const filePath of matches) {
+        try {
+            const content = await fs.readFile(filePath, 'utf-8');
+            const relativePath = path.relative(rootDir, filePath);
+            const extension = path.extname(filePath);
+            files.push({
+                path: filePath,
+                relativePath,
+                content,
+                extension,
+            });
+        }
+        catch (err) {
+            // Skip unreadable files
+            console.warn(`Failed to read file: ${filePath}`);
+        }
+    }
+    return files;
+}
+/**
+ * Check if a path is a directory
+ */
+async function isDirectory(dirPath) {
+    try {
+        const stat = await fs.stat(dirPath);
+        return stat.isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if a path exists
+ */
+async function pathExists(p) {
+    try {
+        await fs.access(p);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=file-walker.js.map

package/dist/scanner/file-walker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-walker.js","sourceRoot":"","sources":["../../src/scanner/file-walker.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuDA,sCAmCC;AAKD,kCAOC;AAKD,gCAOC;AAlHD,+BAA4B;AAC5B,gDAAkC;AAClC,2CAA6B;AAgB7B;;GAEG;AACU,QAAA,oBAAoB,GAAG;IAClC,wBAAwB;IACxB,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC5C,SAAS;IACT,KAAK;IACL,gBAAgB;IAChB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO;IACjC,WAAW;IACX,MAAM;IACN,QAAQ;IACR,KAAK,EAAE,OAAO;IACd,kCAAkC;IAClC,KAAK;CACN,CAAC;AAEF;;GAEG;AACU,QAAA,aAAa,GAAG;IAC3B,oBAAoB;IACpB,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,mBAAmB;IACnB,aAAa;IACb,sBAAsB;IACtB,cAAc;IACd,mBAAmB;CACpB,CAAC;AAEF;;GAEG;AACI,KAAK,UAAU,aAAa,CAAC,OAAe;IACjD,MAAM,KAAK,GAAe,EAAE,CAAC;IAE7B,kDAAkD;IAClD,MAAM,UAAU,GAAG,4BAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvE,MAAM,OAAO,GAAG,SAAS,UAAU,GAAG,CAAC;IAEvC,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,IAAA,WAAI,EAAC,OAAO,EAAE;QAClC,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,qBAAa;QACrB,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,qBAAqB;IACrB,KAAK,MAAM,QAAQ,IAAI,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACtD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAEzC,KAAK,CAAC,IAAI,CAAC;gBACT,IAAI,EAAE,QAAQ;gBACd,YAAY;gBACZ,OAAO;gBACP,SAAS;aACV,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,wBAAwB;YACxB,OAAO,CAAC,IAAI,CAAC,wBAAwB,QAAQ,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,WAAW,CAAC,OAAe;IAC/C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,UAAU,CAAC,CAAS;IACxC,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/scanner/index.d.ts

@@ -0,0 +1,67 @@
+import type { ScanPayload, ScanResult, RiskLevel, RiskTag, ScanRule } from '../types/scanner.js';
+/**
+ * Scanner options
+ */
+export interface ScannerOptions {
+    /** Use cisco-ai-defense/skill-scanner if available */
+    useExternalScanner?: boolean;
+    /** Enable deep analysis */
+    deep?: boolean;
+    /** Custom rules to add */
+    additionalRules?: ScanRule[];
+}
+/**
+ * Skill Scanner - Module A
+ * Scans skill code for security risks
+ */
+export declare class SkillScanner {
+    private options;
+    private externalScannerAvailable;
+    constructor(options?: ScannerOptions);
+    /**
+     * Check if cisco-ai-defense/skill-scanner is installed
+     */
+    private checkExternalScanner;
+    /**
+     * Run external skill-scanner CLI
+     */
+    private runExternalScanner;
+    /**
+     * Parse external skill-scanner JSON output
+     */
+    private parseExternalResult;
+    /**
+     * Map external finding type to our risk tags
+     */
+    private mapExternalFindingToTag;
+    /**
+     * Run built-in scanner
+     */
+    private runBuiltinScanner;
+    /**
+     * Calculate risk level from tags
+     */
+    private calculateRiskLevel;
+    /**
+     * Generate human-readable summary
+     */
+    private generateSummary;
+    /**
+     * Calculate artifact hash for a directory
+     */
+    calculateArtifactHash(dirPath: string): Promise<string>;
+    /**
+     * Main scan method
+     */
+    scan(payload: ScanPayload): Promise<ScanResult>;
+    /**
+     * Quick scan - scan and return basic info
+     */
+    quickScan(dirPath: string): Promise<{
+        risk_level: RiskLevel;
+        risk_tags: RiskTag[];
+        summary: string;
+    }>;
+}
+export declare const scanner: SkillScanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanner/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/scanner/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,UAAU,EAEV,SAAS,EACT,OAAO,EACP,QAAQ,EACT,MAAM,qBAAqB,CAAC;AAK7B;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sDAAsD;IACtD,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,2BAA2B;IAC3B,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,0BAA0B;IAC1B,eAAe,CAAC,EAAE,QAAQ,EAAE,CAAC;CAC9B;AAED;;;GAGG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAiB;IAChC,OAAO,CAAC,wBAAwB,CAAwB;gBAE5C,OAAO,GAAE,cAAmB;IAQxC;;OAEG;YACW,oBAAoB;IAuBlC;;OAEG;YACW,kBAAkB;IA+ChC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA8C3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAqB/B;;OAEG;YACW,iBAAiB;IAqD/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqB1B;;OAEG;IACH,OAAO,CAAC,eAAe;IA0BvB;;OAEG;IACG,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAe7D;;OAEG;IACG,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAqCrD;;OAEG;IACG,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;QACxC,UAAU,EAAE,SAAS,CAAC;QACtB,SAAS,EAAE,OAAO,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CAoBH;AAGD,eAAO,MAAM,OAAO,cAAqB,CAAC"}