@goplus/agentguard 1.0.1 → 1.0.4

package/dist/adapters/claude-code.js

@@ -0,0 +1,128 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClaudeCodeAdapter = void 0;
+const node_fs_1 = require("node:fs");
+/**
+ * Tool name → action type mapping for Claude Code
+ */
+const TOOL_ACTION_MAP = {
+    Bash: 'exec_command',
+    Write: 'write_file',
+    Edit: 'write_file',
+    WebFetch: 'network_request',
+    WebSearch: 'network_request',
+};
+/**
+ * Claude Code hook adapter
+ *
+ * Bridges Claude Code's PreToolUse/PostToolUse stdin/stdout protocol
+ * to the common AgentGuard decision engine.
+ */
+class ClaudeCodeAdapter {
+    name = 'claude-code';
+    parseInput(raw) {
+        const data = raw;
+        const hookEvent = data.hook_event_name || '';
+        return {
+            toolName: data.tool_name || '',
+            toolInput: data.tool_input || {},
+            eventType: hookEvent.startsWith('Post') ? 'post' : 'pre',
+            sessionId: data.session_id,
+            cwd: data.cwd,
+            raw: data,
+        };
+    }
+    mapToolToActionType(toolName) {
+        return TOOL_ACTION_MAP[toolName] || null;
+    }
+    buildEnvelope(input, initiatingSkill) {
+        const actionType = this.mapToolToActionType(input.toolName);
+        if (!actionType)
+            return null;
+        const actor = {
+            skill: {
+                id: initiatingSkill || 'claude-code-session',
+                source: initiatingSkill || 'claude-code',
+                version_ref: '0.0.0',
+                artifact_hash: '',
+            },
+        };
+        const context = {
+            session_id: input.sessionId || `hook-${Date.now()}`,
+            user_present: true,
+            env: 'prod',
+            time: new Date().toISOString(),
+            initiating_skill: initiatingSkill || undefined,
+        };
+        // Build action data based on type
+        let actionData;
+        switch (actionType) {
+            case 'exec_command':
+                actionData = {
+                    command: input.toolInput.command || '',
+                    args: [],
+                    cwd: input.cwd,
+                };
+                break;
+            case 'write_file':
+                actionData = {
+                    path: input.toolInput.file_path || '',
+                };
+                break;
+            case 'network_request':
+                actionData = {
+                    method: 'GET',
+                    url: input.toolInput.url || input.toolInput.query || '',
+                };
+                break;
+            default:
+                return null;
+        }
+        return {
+            actor,
+            action: { type: actionType, data: actionData },
+            context,
+        };
+    }
+    async inferInitiatingSkill(input) {
+        const data = input.raw;
+        const transcriptPath = data.transcript_path;
+        if (!transcriptPath)
+            return null;
+        try {
+            const fd = (0, node_fs_1.openSync)(transcriptPath, 'r');
+            const stat = (0, node_fs_1.fstatSync)(fd);
+            const TAIL_SIZE = 4096;
+            const start = Math.max(0, stat.size - TAIL_SIZE);
+            const buf = Buffer.alloc(Math.min(TAIL_SIZE, stat.size));
+            (0, node_fs_1.readSync)(fd, buf, 0, buf.length, start);
+            (0, node_fs_1.closeSync)(fd);
+            const tail = buf.toString('utf-8');
+            const lines = tail.split('\n').filter(Boolean);
+            for (let i = lines.length - 1; i >= 0; i--) {
+                try {
+                    const entry = JSON.parse(lines[i]);
+                    if (entry.type === 'tool_use' && entry.name === 'Skill' && entry.input?.skill) {
+                        return entry.input.skill;
+                    }
+                    if (entry.role === 'assistant' && Array.isArray(entry.content)) {
+                        for (const block of entry.content) {
+                            if (block.type === 'tool_use' && block.name === 'Skill' && block.input?.skill) {
+                                return block.input.skill;
+                            }
+                        }
+                    }
+                }
+                catch {
+                    // Not valid JSON
+                }
+            }
+        }
+        catch {
+            // Can't read transcript
+        }
+        return null;
+    }
+}
+exports.ClaudeCodeAdapter = ClaudeCodeAdapter;
+//# sourceMappingURL=claude-code.js.map

package/dist/adapters/claude-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-code.js","sourceRoot":"","sources":["../../src/adapters/claude-code.ts"],"names":[],"mappings":";;;AAAA,qCAAmE;AAInE;;GAEG;AACH,MAAM,eAAe,GAA2B;IAC9C,IAAI,EAAE,cAAc;IACpB,KAAK,EAAE,YAAY;IACnB,IAAI,EAAE,YAAY;IAClB,QAAQ,EAAE,iBAAiB;IAC3B,SAAS,EAAE,iBAAiB;CAC7B,CAAC;AAEF;;;;;GAKG;AACH,MAAa,iBAAiB;IACnB,IAAI,GAAG,aAAa,CAAC;IAE9B,UAAU,CAAC,GAAY;QACrB,MAAM,IAAI,GAAG,GAA8B,CAAC;QAC5C,MAAM,SAAS,GAAI,IAAI,CAAC,eAA0B,IAAI,EAAE,CAAC;QACzD,OAAO;YACL,QAAQ,EAAG,IAAI,CAAC,SAAoB,IAAI,EAAE;YAC1C,SAAS,EAAG,IAAI,CAAC,UAAsC,IAAI,EAAE;YAC7D,SAAS,EAAE,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;YACxD,SAAS,EAAE,IAAI,CAAC,UAAgC;YAChD,GAAG,EAAE,IAAI,CAAC,GAAyB;YACnC,GAAG,EAAE,IAAI;SACV,CAAC;IACJ,CAAC;IAED,mBAAmB,CAAC,QAAgB;QAClC,OAAO,eAAe,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,aAAa,CAAC,KAAgB,EAAE,eAA+B;QAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAE7B,MAAM,KAAK,GAAG;YACZ,KAAK,EAAE;gBACL,EAAE,EAAE,eAAe,IAAI,qBAAqB;gBAC5C,MAAM,EAAE,eAAe,IAAI,aAAa;gBACxC,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,EAAE;aAClB;SACF,CAAC;QAEF,MAAM,OAAO,GAAG;YACd,UAAU,EAAE,KAAK,CAAC,SAAS,IAAI,QAAQ,IAAI,CAAC,GAAG,EAAE,EAAE;YACnD,YAAY,EAAE,IAAI;YAClB,GAAG,EAAE,MAAe;YACpB,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC9B,gBAAgB,EAAE,eAAe,IAAI,SAAS;SAC/C,CAAC;QAEF,kCAAkC;QAClC,IAAI,UAAmC,CAAC;QAExC,QAAQ,UAAU,EAAE,CAAC;YACnB,KAAK,cAAc;gBACjB,UAAU,GAAG;oBACX,OAAO,EAAG,KAAK,CAAC,SAAS,CAAC,OAAkB,IAAI,EAAE;oBAClD,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,KAAK,CAAC,GAAG;iBACf,CAAC;gBACF,MAAM;YAER,KAAK,YAAY;gBACf,UAAU,GAAG;oBACX,IAAI,EAAG,KAAK,CAAC,SAAS,CAAC,SAAoB,IAAI,EAAE;iBAClD,CAAC;gBACF,MAAM;YAER,KAAK,iBAAiB;gBACpB,UAAU,GAAG;oBACX,MAAM,EAAE,KAAK;oBACb,GAAG,EAAG,KAAK,CAAC,SAAS,CAAC,GAAc,IAAK,KAAK,CAAC,SAAS,CAAC,KAAgB,IAAI,EAAE;iBAChF,CAAC;gBACF,MAAM;YAER;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,OAAO;YACL,KAAK;YACL,MAAM,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE;YAC9C,OAAO;SACqB,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,KAAgB;QACzC,MAAM,IAAI,GAAG,KAAK,CAAC,GAA8B,CAAC;QAClD,MAAM,cAAc,GAAG,IAAI,CAAC,eAAqC,CAAC;QAClE,IAAI,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QAEjC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,IAAA,kBAAQ,EAAC,cAAc,EAAE,GAAG,CAAC,CAAC;YACzC,MAAM,IAAI,GAAG,IAAA,mBAAS,EAAC,EAAE,CAAC,CAAC;YAC3B,MAAM,SAAS,GAAG,IAAI,CAAC;YACvB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC,CAAC;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,IAAA,kBAAQ,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACxC,IAAA,mBAAS,EAAC,EAAE,CAAC,CAAC;YAEd,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAE/C,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3C,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnC,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,IAAI,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,CAAC;wBAC9E,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;oBAC3B,CAAC;oBACD,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC/D,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;4BAClC,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,IAAI,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,CAAC;gCAC9E,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;4BAC3B,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,iBAAiB;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AApHD,8CAoHC"}

package/dist/adapters/common.d.ts

@@ -0,0 +1,40 @@
+import type { HookInput } from './types.js';
+export declare function loadConfig(): {
+    level: string;
+};
+export declare function isSensitivePath(filePath: string): boolean;
+export declare function shouldDenyAtLevel(decision: {
+    decision: string;
+    risk_level?: string;
+}, config: {
+    level?: string;
+}): boolean;
+export declare function shouldAskAtLevel(decision: {
+    decision: string;
+    risk_level?: string;
+}, config: {
+    level?: string;
+}): boolean;
+export declare function writeAuditLog(input: HookInput, decision: {
+    decision?: string;
+    risk_level?: string;
+    risk_tags?: string[];
+} | null, initiatingSkill?: string | null): void;
+export declare function getSkillTrustPolicy(skillId: string, registry: {
+    lookup: (s: {
+        id: string;
+        source: string;
+        version_ref: string;
+        artifact_hash: string;
+    }) => Promise<{
+        effective_trust_level: string;
+        effective_capabilities: Record<string, unknown>;
+        record: unknown | null;
+    }>;
+}): Promise<{
+    trustLevel: string | null;
+    capabilities: Record<string, unknown> | null;
+    isKnown: boolean;
+}>;
+export declare function isActionAllowedByCapabilities(actionType: string, capabilities: Record<string, unknown>): boolean;
+//# sourceMappingURL=common.d.ts.map

package/dist/adapters/common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../src/adapters/common.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAc,MAAM,YAAY,CAAC;AAoBxD,wBAAgB,UAAU,IAAI;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAM9C;AAeD,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMzD;AAMD,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,EACnD,MAAM,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAgBT;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,EACnD,MAAM,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACzB,OAAO,CAoBT;AAMD,wBAAgB,aAAa,CAC3B,KAAK,EAAE,SAAS,EAChB,QAAQ,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,IAAI,EACjF,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,GAC9B,IAAI,CAkBN;AAqBD,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE;IAAE,MAAM,EAAE,CAAC,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC;QAAE,qBAAqB,EAAE,MAAM,CAAC;QAAC,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAAA;KAAE,CAAC,CAAA;CAAE,GAC3N,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAAC,CAmBxG;AAED,wBAAgB,6BAA6B,CAC3C,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACpC,OAAO,CAiBT"}

package/dist/adapters/common.js

@@ -0,0 +1,166 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+exports.isSensitivePath = isSensitivePath;
+exports.shouldDenyAtLevel = shouldDenyAtLevel;
+exports.shouldAskAtLevel = shouldAskAtLevel;
+exports.writeAuditLog = writeAuditLog;
+exports.getSkillTrustPolicy = getSkillTrustPolicy;
+exports.isActionAllowedByCapabilities = isActionAllowedByCapabilities;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+// ---------------------------------------------------------------------------
+// Paths
+// ---------------------------------------------------------------------------
+const AGENTGUARD_DIR = process.env.AGENTGUARD_HOME || (0, node_path_1.join)((0, node_os_1.homedir)(), '.agentguard');
+const CONFIG_PATH = (0, node_path_1.join)(AGENTGUARD_DIR, 'config.json');
+const AUDIT_PATH = (0, node_path_1.join)(AGENTGUARD_DIR, 'audit.jsonl');
+function ensureDir() {
+    if (!(0, node_fs_1.existsSync)(AGENTGUARD_DIR)) {
+        (0, node_fs_1.mkdirSync)(AGENTGUARD_DIR, { recursive: true });
+    }
+}
+// ---------------------------------------------------------------------------
+// Config
+// ---------------------------------------------------------------------------
+function loadConfig() {
+    try {
+        return JSON.parse((0, node_fs_1.readFileSync)(CONFIG_PATH, 'utf-8'));
+    }
+    catch {
+        return { level: 'balanced' };
+    }
+}
+// ---------------------------------------------------------------------------
+// Sensitive path detection
+// ---------------------------------------------------------------------------
+const SENSITIVE_PATHS = [
+    '.env', '.env.local', '.env.production',
+    '.ssh/', 'id_rsa', 'id_ed25519',
+    '.aws/credentials', '.aws/config',
+    '.npmrc', '.netrc',
+    'credentials.json', 'serviceAccountKey.json',
+    '.kube/config',
+];
+function isSensitivePath(filePath) {
+    if (!filePath)
+        return false;
+    const normalized = filePath.replace(/\\/g, '/');
+    return SENSITIVE_PATHS.some((p) => normalized.includes(`/${p}`) || normalized.endsWith(p));
+}
+// ---------------------------------------------------------------------------
+// Protection level thresholds
+// ---------------------------------------------------------------------------
+function shouldDenyAtLevel(decision, config) {
+    const level = config.level || 'balanced';
+    if (level === 'strict') {
+        return decision.decision === 'deny' || decision.decision === 'confirm';
+    }
+    if (level === 'balanced') {
+        return decision.decision === 'deny';
+    }
+    if (level === 'permissive') {
+        return decision.decision === 'deny' && decision.risk_level === 'critical';
+    }
+    return decision.decision === 'deny';
+}
+function shouldAskAtLevel(decision, config) {
+    const level = config.level || 'balanced';
+    if (level === 'strict') {
+        return false;
+    }
+    if (level === 'balanced') {
+        return decision.decision === 'confirm';
+    }
+    if (level === 'permissive') {
+        return ((decision.decision === 'deny' && decision.risk_level !== 'critical') ||
+            (decision.decision === 'confirm' &&
+                (decision.risk_level === 'high' || decision.risk_level === 'critical')));
+    }
+    return decision.decision === 'confirm';
+}
+// ---------------------------------------------------------------------------
+// Audit logging
+// ---------------------------------------------------------------------------
+function writeAuditLog(input, decision, initiatingSkill) {
+    try {
+        ensureDir();
+        const entry = {
+            timestamp: new Date().toISOString(),
+            tool_name: input.toolName,
+            tool_input_summary: summarizeToolInput(input),
+            decision: decision?.decision || 'allow',
+            risk_level: decision?.risk_level || 'low',
+            risk_tags: decision?.risk_tags || [],
+        };
+        if (initiatingSkill) {
+            entry.initiating_skill = initiatingSkill;
+        }
+        (0, node_fs_1.appendFileSync)(AUDIT_PATH, JSON.stringify(entry) + '\n');
+    }
+    catch {
+        // Non-critical
+    }
+}
+function summarizeToolInput(input) {
+    const toolInput = input.toolInput;
+    if (typeof toolInput === 'object' && toolInput !== null) {
+        const cmd = toolInput.command;
+        if (typeof cmd === 'string')
+            return cmd.slice(0, 200);
+        const fp = toolInput.file_path ||
+            toolInput.path;
+        if (typeof fp === 'string')
+            return fp;
+        const url = toolInput.url ||
+            toolInput.query;
+        if (typeof url === 'string')
+            return url;
+    }
+    return JSON.stringify(toolInput).slice(0, 200);
+}
+// ---------------------------------------------------------------------------
+// Skill trust policy helpers
+// ---------------------------------------------------------------------------
+async function getSkillTrustPolicy(skillId, registry) {
+    if (!skillId) {
+        return { trustLevel: null, capabilities: null, isKnown: false };
+    }
+    try {
+        const result = await registry.lookup({
+            id: skillId,
+            source: skillId,
+            version_ref: '0.0.0',
+            artifact_hash: '',
+        });
+        return {
+            trustLevel: result.effective_trust_level,
+            capabilities: result.effective_capabilities,
+            isKnown: result.record !== null,
+        };
+    }
+    catch {
+        return { trustLevel: null, capabilities: null, isKnown: false };
+    }
+}
+function isActionAllowedByCapabilities(actionType, capabilities) {
+    if (!capabilities)
+        return true;
+    switch (actionType) {
+        case 'exec_command':
+            return capabilities.can_exec !== false;
+        case 'network_request':
+            return capabilities.can_network !== false;
+        case 'write_file':
+            return capabilities.can_write !== false;
+        case 'read_file':
+            return capabilities.can_read !== false;
+        case 'web3_tx':
+        case 'web3_sign':
+            return capabilities.can_web3 !== false;
+        default:
+            return true;
+    }
+}
+//# sourceMappingURL=common.js.map

package/dist/adapters/common.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.js","sourceRoot":"","sources":["../../src/adapters/common.ts"],"names":[],"mappings":";;AAuBA,gCAMC;AAeD,0CAMC;AAMD,8CAmBC;AAED,4CAuBC;AAMD,sCAsBC;AAqBD,kDAsBC;AAED,sEAoBC;AAjMD,qCAA8E;AAC9E,yCAAiC;AACjC,qCAAkC;AAGlC,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,aAAa,CAAC,CAAC;AACrF,MAAM,WAAW,GAAG,IAAA,gBAAI,EAAC,cAAc,EAAE,aAAa,CAAC,CAAC;AACxD,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,cAAc,EAAE,aAAa,CAAC,CAAC;AAEvD,SAAS,SAAS;IAChB,IAAI,CAAC,IAAA,oBAAU,EAAC,cAAc,CAAC,EAAE,CAAC;QAChC,IAAA,mBAAS,EAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,SAAgB,UAAU;IACxB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,MAAM,eAAe,GAAG;IACtB,MAAM,EAAE,YAAY,EAAE,iBAAiB;IACvC,OAAO,EAAE,QAAQ,EAAE,YAAY;IAC/B,kBAAkB,EAAE,aAAa;IACjC,QAAQ,EAAE,QAAQ;IAClB,kBAAkB,EAAE,wBAAwB;IAC5C,cAAc;CACf,CAAC;AAEF,SAAgB,eAAe,CAAC,QAAgB;IAC9C,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,OAAO,eAAe,CAAC,IAAI,CACzB,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC9D,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,SAAgB,iBAAiB,CAC/B,QAAmD,EACnD,MAA0B;IAE1B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,UAAU,CAAC;IAEzC,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,KAAK,SAAS,CAAC;IACzE,CAAC;IAED,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC;IACtC,CAAC;IAED,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;QAC3B,OAAO,QAAQ,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,CAAC;IAC5E,CAAC;IAED,OAAO,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC;AACtC,CAAC;AAED,SAAgB,gBAAgB,CAC9B,QAAmD,EACnD,MAA0B;IAE1B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,UAAU,CAAC;IAEzC,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC,QAAQ,KAAK,SAAS,CAAC;IACzC,CAAC;IAED,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;QAC3B,OAAO,CACL,CAAC,QAAQ,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,CAAC;YACpE,CAAC,QAAQ,CAAC,QAAQ,KAAK,SAAS;gBAC9B,CAAC,QAAQ,CAAC,UAAU,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,CAAC,CAAC,CAC1E,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,QAAQ,KAAK,SAAS,CAAC;AACzC,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,SAAgB,aAAa,CAC3B,KAAgB,EAChB,QAAiF,EACjF,eAA+B;IAE/B,IAAI,CAAC;QACH,SAAS,EAAE,CAAC;QACZ,MAAM,KAAK,GAA4B;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,KAAK,CAAC,QAAQ;YACzB,kBAAkB,EAAE,kBAAkB,CAAC,KAAK,CAAC;YAC7C,QAAQ,EAAE,QAAQ,EAAE,QAAQ,IAAI,OAAO;YACvC,UAAU,EAAE,QAAQ,EAAE,UAAU,IAAI,KAAK;YACzC,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,EAAE;SACrC,CAAC;QACF,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,gBAAgB,GAAG,eAAe,CAAC;QAC3C,CAAC;QACD,IAAA,wBAAc,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,eAAe;IACjB,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAgB;IAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;IAClC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACxD,MAAM,GAAG,GAAI,SAAqC,CAAC,OAAO,CAAC;QAC3D,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACtD,MAAM,EAAE,GAAI,SAAqC,CAAC,SAAS;YAC/C,SAAqC,CAAC,IAAI,CAAC;QACvD,IAAI,OAAO,EAAE,KAAK,QAAQ;YAAE,OAAO,EAAE,CAAC;QACtC,MAAM,GAAG,GAAI,SAAqC,CAAC,GAAG;YACzC,SAAqC,CAAC,KAAK,CAAC;QACzD,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAAG,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAEvE,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,QAA4N;IAE5N,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAClE,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACnC,EAAE,EAAE,OAAO;YACX,MAAM,EAAE,OAAO;YACf,WAAW,EAAE,OAAO;YACpB,aAAa,EAAE,EAAE;SAClB,CAAC,CAAC;QACH,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,qBAAqB;YACxC,YAAY,EAAE,MAAM,CAAC,sBAAsB;YAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,KAAK,IAAI;SAChC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAClE,CAAC;AACH,CAAC;AAED,SAAgB,6BAA6B,CAC3C,UAAkB,EAClB,YAAqC;IAErC,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAC/B,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,cAAc;YACjB,OAAO,YAAY,CAAC,QAAQ,KAAK,KAAK,CAAC;QACzC,KAAK,iBAAiB;YACpB,OAAO,YAAY,CAAC,WAAW,KAAK,KAAK,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,YAAY,CAAC,SAAS,KAAK,KAAK,CAAC;QAC1C,KAAK,WAAW;YACd,OAAO,YAAY,CAAC,QAAQ,KAAK,KAAK,CAAC;QACzC,KAAK,SAAS,CAAC;QACf,KAAK,WAAW;YACd,OAAO,YAAY,CAAC,QAAQ,KAAK,KAAK,CAAC;QACzC;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/adapters/engine.d.ts

@@ -0,0 +1,9 @@
+import type { HookAdapter, HookOutput, EngineOptions } from './types.js';
+/**
+ * Evaluate a hook event using the common AgentGuard decision engine.
+ *
+ * This is the platform-agnostic core — adapters handle I/O protocol,
+ * this function handles security logic.
+ */
+export declare function evaluateHook(adapter: HookAdapter, rawInput: unknown, options: EngineOptions): Promise<HookOutput>;
+//# sourceMappingURL=engine.d.ts.map

package/dist/adapters/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/adapters/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAa,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAUpF;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,UAAU,CAAC,CAiGrB"}

package/dist/adapters/engine.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateHook = evaluateHook;
+const common_js_1 = require("./common.js");
+/**
+ * Evaluate a hook event using the common AgentGuard decision engine.
+ *
+ * This is the platform-agnostic core — adapters handle I/O protocol,
+ * this function handles security logic.
+ */
+async function evaluateHook(adapter, rawInput, options) {
+    const input = adapter.parseInput(rawInput);
+    // Post-tool events → audit only
+    if (input.eventType === 'post') {
+        const skill = await adapter.inferInitiatingSkill(input);
+        (0, common_js_1.writeAuditLog)(input, null, skill);
+        return { decision: 'allow' };
+    }
+    // Build envelope
+    const initiatingSkill = await adapter.inferInitiatingSkill(input);
+    const envelope = adapter.buildEnvelope(input, initiatingSkill);
+    if (!envelope) {
+        return { decision: 'allow' };
+    }
+    // Fast check: sensitive file paths (Write/Edit)
+    const actionType = adapter.mapToolToActionType(input.toolName);
+    if (actionType === 'write_file') {
+        const filePath = input.toolInput.file_path ||
+            input.toolInput.path || '';
+        if ((0, common_js_1.isSensitivePath)(filePath)) {
+            const skillTag = initiatingSkill ? ` (via skill: ${initiatingSkill})` : '';
+            const reason = `GoPlus AgentGuard: blocked write to sensitive path "${filePath}"${skillTag}`;
+            (0, common_js_1.writeAuditLog)(input, { decision: 'deny', risk_level: 'critical', risk_tags: ['SENSITIVE_PATH'] }, initiatingSkill);
+            // In permissive mode, ask for user-initiated writes
+            if (options.config.level === 'permissive' && !initiatingSkill) {
+                return { decision: 'ask', reason, riskLevel: 'critical', riskTags: ['SENSITIVE_PATH'], initiatingSkill };
+            }
+            return { decision: 'deny', reason, riskLevel: 'critical', riskTags: ['SENSITIVE_PATH'], initiatingSkill };
+        }
+    }
+    // Full ActionScanner evaluation
+    try {
+        const decision = await options.agentguard.actionScanner.decide(envelope);
+        // Skill trust policy enforcement
+        if (initiatingSkill) {
+            const policy = await (0, common_js_1.getSkillTrustPolicy)(initiatingSkill, options.agentguard.registry);
+            if (!policy.isKnown || policy.trustLevel === 'untrusted') {
+                if (!(0, common_js_1.isActionAllowedByCapabilities)(envelope.action.type, { can_exec: false, can_network: false, can_write: false, can_read: true, can_web3: false })) {
+                    const reason = `GoPlus AgentGuard: untrusted skill "${initiatingSkill}" attempted ${envelope.action.type} — register it with /agentguard trust attest to allow`;
+                    (0, common_js_1.writeAuditLog)(input, { decision: 'deny', risk_level: 'high', risk_tags: ['UNTRUSTED_SKILL', ...(decision.risk_tags || [])] }, initiatingSkill);
+                    return { decision: 'ask', reason, riskLevel: 'high', riskTags: ['UNTRUSTED_SKILL'], initiatingSkill };
+                }
+            }
+            if (policy.isKnown && policy.capabilities) {
+                if (!(0, common_js_1.isActionAllowedByCapabilities)(envelope.action.type, policy.capabilities)) {
+                    const reason = `GoPlus AgentGuard: skill "${initiatingSkill}" is not allowed to ${envelope.action.type} per its trust policy`;
+                    (0, common_js_1.writeAuditLog)(input, { decision: 'deny', risk_level: 'high', risk_tags: ['CAPABILITY_EXCEEDED', ...(decision.risk_tags || [])] }, initiatingSkill);
+                    return { decision: 'deny', reason, riskLevel: 'high', riskTags: ['CAPABILITY_EXCEEDED'], initiatingSkill };
+                }
+            }
+        }
+        // Write audit log
+        (0, common_js_1.writeAuditLog)(input, decision, initiatingSkill);
+        // Apply protection level thresholds
+        const skillTag = initiatingSkill ? ` (via skill: ${initiatingSkill})` : '';
+        const tags = (decision.risk_tags || []).join(', ');
+        if ((0, common_js_1.shouldDenyAtLevel)(decision, options.config)) {
+            return {
+                decision: 'deny',
+                reason: `GoPlus AgentGuard: ${decision.explanation || 'Action blocked'}${skillTag} [${tags}]`,
+                riskLevel: decision.risk_level,
+                riskTags: decision.risk_tags,
+                initiatingSkill,
+            };
+        }
+        if ((0, common_js_1.shouldAskAtLevel)(decision, options.config)) {
+            return {
+                decision: 'ask',
+                reason: `GoPlus AgentGuard: ${decision.explanation || 'Action requires confirmation'}${skillTag} [${tags}]`,
+                riskLevel: decision.risk_level,
+                riskTags: decision.risk_tags,
+                initiatingSkill,
+            };
+        }
+        return { decision: 'allow', initiatingSkill };
+    }
+    catch {
+        // Engine error → fail open
+        (0, common_js_1.writeAuditLog)(input, { decision: 'error', risk_level: 'low', risk_tags: ['ENGINE_ERROR'] }, initiatingSkill);
+        return { decision: 'allow' };
+    }
+}
+//# sourceMappingURL=engine.js.map

package/dist/adapters/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/adapters/engine.ts"],"names":[],"mappings":";;AAgBA,oCAqGC;AApHD,2CAOqB;AAErB;;;;;GAKG;AACI,KAAK,UAAU,YAAY,CAChC,OAAoB,EACpB,QAAiB,EACjB,OAAsB;IAEtB,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAE3C,gCAAgC;IAChC,IAAI,KAAK,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;QACxD,IAAA,yBAAa,EAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAClC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC/B,CAAC;IAED,iBAAiB;IACjB,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAE/D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC/B,CAAC;IAED,gDAAgD;IAChD,MAAM,UAAU,GAAG,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAI,KAAK,CAAC,SAAS,CAAC,SAAoB;YACpC,KAAK,CAAC,SAAS,CAAC,IAAe,IAAI,EAAE,CAAC;QACxD,IAAI,IAAA,2BAAe,EAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,gBAAgB,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3E,MAAM,MAAM,GAAG,uDAAuD,QAAQ,IAAI,QAAQ,EAAE,CAAC;YAC7F,IAAA,yBAAa,EAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;YAEnH,oDAAoD;YACpD,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,KAAK,YAAY,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC9D,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;YAC3G,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;QAC5G,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEzE,iCAAiC;QACjC,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,IAAA,+BAAmB,EAAC,eAAe,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAEvF,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,KAAK,WAAW,EAAE,CAAC;gBACzD,IAAI,CAAC,IAAA,yCAA6B,EAChC,QAAQ,CAAC,MAAM,CAAC,IAAI,EACpB,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAC3F,EAAE,CAAC;oBACF,MAAM,MAAM,GAAG,uCAAuC,eAAe,eAAe,QAAQ,CAAC,MAAM,CAAC,IAAI,uDAAuD,CAAC;oBAChK,IAAA,yBAAa,EAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,iBAAiB,EAAE,GAAG,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;oBAC/I,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,iBAAiB,CAAC,EAAE,eAAe,EAAE,CAAC;gBACxG,CAAC;YACH,CAAC;YAED,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBAC1C,IAAI,CAAC,IAAA,yCAA6B,EAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC9E,MAAM,MAAM,GAAG,6BAA6B,eAAe,uBAAuB,QAAQ,CAAC,MAAM,CAAC,IAAI,uBAAuB,CAAC;oBAC9H,IAAA,yBAAa,EAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,qBAAqB,EAAE,GAAG,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;oBACnJ,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,qBAAqB,CAAC,EAAE,eAAe,EAAE,CAAC;gBAC7G,CAAC;YACH,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,IAAA,yBAAa,EAAC,KAAK,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;QAEhD,oCAAoC;QACpC,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,gBAAgB,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3E,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEnD,IAAI,IAAA,6BAAiB,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAChD,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,sBAAsB,QAAQ,CAAC,WAAW,IAAI,gBAAgB,GAAG,QAAQ,KAAK,IAAI,GAAG;gBAC7F,SAAS,EAAE,QAAQ,CAAC,UAAU;gBAC9B,QAAQ,EAAE,QAAQ,CAAC,SAAS;gBAC5B,eAAe;aAChB,CAAC;QACJ,CAAC;QAED,IAAI,IAAA,4BAAgB,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/C,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,sBAAsB,QAAQ,CAAC,WAAW,IAAI,8BAA8B,GAAG,QAAQ,KAAK,IAAI,GAAG;gBAC3G,SAAS,EAAE,QAAQ,CAAC,UAAU;gBAC9B,QAAQ,EAAE,QAAQ,CAAC,SAAS;gBAC5B,eAAe;aAChB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;QAC3B,IAAA,yBAAa,EAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;QAC7G,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC/B,CAAC;AACH,CAAC"}

package/dist/adapters/index.d.ts

@@ -0,0 +1,7 @@
+export type { HookAdapter, HookInput, HookOutput, EngineOptions, AgentGuardInstance } from './types.js';
+export { ClaudeCodeAdapter } from './claude-code.js';
+export { OpenClawAdapter } from './openclaw.js';
+export { evaluateHook } from './engine.js';
+export { registerOpenClawPlugin, getPluginIdFromTool, getPluginScanResult, type OpenClawPluginOptions, } from './openclaw-plugin.js';
+export { loadConfig, isSensitivePath, shouldDenyAtLevel, shouldAskAtLevel, writeAuditLog, getSkillTrustPolicy, isActionAllowedByCapabilities, } from './common.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACxG,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,UAAU,EACV,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACb,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,aAAa,CAAC"}

package/dist/adapters/index.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isActionAllowedByCapabilities = exports.getSkillTrustPolicy = exports.writeAuditLog = exports.shouldAskAtLevel = exports.shouldDenyAtLevel = exports.isSensitivePath = exports.loadConfig = exports.getPluginScanResult = exports.getPluginIdFromTool = exports.registerOpenClawPlugin = exports.evaluateHook = exports.OpenClawAdapter = exports.ClaudeCodeAdapter = void 0;
+var claude_code_js_1 = require("./claude-code.js");
+Object.defineProperty(exports, "ClaudeCodeAdapter", { enumerable: true, get: function () { return claude_code_js_1.ClaudeCodeAdapter; } });
+var openclaw_js_1 = require("./openclaw.js");
+Object.defineProperty(exports, "OpenClawAdapter", { enumerable: true, get: function () { return openclaw_js_1.OpenClawAdapter; } });
+var engine_js_1 = require("./engine.js");
+Object.defineProperty(exports, "evaluateHook", { enumerable: true, get: function () { return engine_js_1.evaluateHook; } });
+var openclaw_plugin_js_1 = require("./openclaw-plugin.js");
+Object.defineProperty(exports, "registerOpenClawPlugin", { enumerable: true, get: function () { return openclaw_plugin_js_1.registerOpenClawPlugin; } });
+Object.defineProperty(exports, "getPluginIdFromTool", { enumerable: true, get: function () { return openclaw_plugin_js_1.getPluginIdFromTool; } });
+Object.defineProperty(exports, "getPluginScanResult", { enumerable: true, get: function () { return openclaw_plugin_js_1.getPluginScanResult; } });
+var common_js_1 = require("./common.js");
+Object.defineProperty(exports, "loadConfig", { enumerable: true, get: function () { return common_js_1.loadConfig; } });
+Object.defineProperty(exports, "isSensitivePath", { enumerable: true, get: function () { return common_js_1.isSensitivePath; } });
+Object.defineProperty(exports, "shouldDenyAtLevel", { enumerable: true, get: function () { return common_js_1.shouldDenyAtLevel; } });
+Object.defineProperty(exports, "shouldAskAtLevel", { enumerable: true, get: function () { return common_js_1.shouldAskAtLevel; } });
+Object.defineProperty(exports, "writeAuditLog", { enumerable: true, get: function () { return common_js_1.writeAuditLog; } });
+Object.defineProperty(exports, "getSkillTrustPolicy", { enumerable: true, get: function () { return common_js_1.getSkillTrustPolicy; } });
+Object.defineProperty(exports, "isActionAllowedByCapabilities", { enumerable: true, get: function () { return common_js_1.isActionAllowedByCapabilities; } });
+//# sourceMappingURL=index.js.map

package/dist/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":";;;AACA,mDAAqD;AAA5C,mHAAA,iBAAiB,OAAA;AAC1B,6CAAgD;AAAvC,8GAAA,eAAe,OAAA;AACxB,yCAA2C;AAAlC,yGAAA,YAAY,OAAA;AACrB,2DAK8B;AAJ5B,4HAAA,sBAAsB,OAAA;AACtB,yHAAA,mBAAmB,OAAA;AACnB,yHAAA,mBAAmB,OAAA;AAGrB,yCAQqB;AAPnB,uGAAA,UAAU,OAAA;AACV,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,6GAAA,gBAAgB,OAAA;AAChB,0GAAA,aAAa,OAAA;AACb,gHAAA,mBAAmB,OAAA;AACnB,0HAAA,6BAA6B,OAAA"}

package/dist/adapters/openclaw-plugin.d.ts

@@ -0,0 +1,72 @@
+/**
+ * GoPlus AgentGuard — OpenClaw Plugin
+ *
+ * Registers before_tool_call, after_tool_call, and session_start hooks
+ * with the OpenClaw plugin API to evaluate tool safety at runtime and
+ * auto-scan installed skills on session startup.
+ *
+ * Features:
+ * - Auto-scan all loaded plugins on registration
+ * - Auto-scan skill directories (~/.openclaw/skills/, ~/.claude/skills/) on session_start
+ * - Auto-register plugins to AgentGuard trust registry
+ * - Build toolName → pluginId mapping for initiating skill inference
+ *
+ * Usage in OpenClaw plugin config:
+ *   import agentguard from '@goplus/agentguard/openclaw';
+ *   export default agentguard;
+ *
+ * Or register manually:
+ *   import { registerOpenClawPlugin } from '@goplus/agentguard';
+ *   registerOpenClawPlugin(api);
+ */
+import type { AgentGuardInstance } from './types.js';
+import { SkillScanner } from '../scanner/index.js';
+import { SkillRegistry } from '../registry/index.js';
+/**
+ * OpenClaw plugin API interface (subset we use)
+ */
+interface OpenClawPluginApi {
+    id: string;
+    name: string;
+    source: string;
+    on(event: string, handler: (event: unknown, ctx?: unknown) => Promise<unknown>): void;
+    on(event: string, options: Record<string, unknown>, handler: (event: unknown, ctx?: unknown) => Promise<unknown>): void;
+}
+/**
+ * Plugin registration options
+ */
+export interface OpenClawPluginOptions {
+    /** Protection level (strict/balanced/permissive) */
+    level?: string;
+    /** Enable auto-scanning of plugins (default: false — opt-in) */
+    skipAutoScan?: boolean;
+    /** Custom AgentGuard instance factory */
+    agentguardFactory?: () => AgentGuardInstance;
+    /** Custom scanner instance */
+    scanner?: SkillScanner;
+    /** Custom registry instance */
+    registry?: SkillRegistry;
+}
+/**
+ * Get plugin ID from tool name
+ */
+export declare function getPluginIdFromTool(toolName: string): string | null;
+/**
+ * Get scan result for a plugin
+ */
+export declare function getPluginScanResult(pluginId: string): {
+    riskLevel: string;
+    riskTags: string[];
+} | null;
+/**
+ * Register AgentGuard hooks with OpenClaw plugin API
+ */
+export declare function registerOpenClawPlugin(api: OpenClawPluginApi, options?: OpenClawPluginOptions): void;
+/**
+ * Default export for OpenClaw plugin registration
+ *
+ * Usage: export default from '@goplus/agentguard/openclaw'
+ */
+export default function register(api: OpenClawPluginApi): void;
+export {};
+//# sourceMappingURL=openclaw-plugin.d.ts.map

package/dist/adapters/openclaw-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openclaw-plugin.d.ts","sourceRoot":"","sources":["../../src/adapters/openclaw-plugin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AASH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AA0BrD;;GAEG;AACH,UAAU,iBAAiB;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;IACtF,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;CACzH;AAkGD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,oDAAoD;IACpD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,yCAAyC;IACzC,iBAAiB,CAAC,EAAE,MAAM,kBAAkB,CAAC;IAC7C,8BAA8B;IAC9B,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,aAAa,CAAC;CAC1B;AA6HD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAEnE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,IAAI,CAEtG;AAMD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,iBAAiB,EACtB,OAAO,GAAE,qBAA0B,GAClC,IAAI,CA8GN;AAED;;;;GAIG;AACH,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAG,EAAE,iBAAiB,GAAG,IAAI,CAE7D"}