@gsep/core 0.8.0 → 1.0.0

package/dist/security/CapabilityBroker.js

@@ -0,0 +1,125 @@
+export class CapabilityBroker {
+    eventBus;
+    config;
+    manifests = new Map();
+    activeGrants = new Map();
+    grantTTLMs = 60_000;
+    stats = { totalChecks: 0, granted: 0, denied: 0 };
+    constructor(eventBus, config) {
+        this.eventBus = eventBus;
+        this.config = config;
+    }
+    registerSkill(skillId, manifest) {
+        this.manifests.set(skillId, manifest);
+    }
+    checkCapability(skillId, capability) {
+        this.stats.totalChecks++;
+        if (!this.config.enableCapabilityBroker) {
+            this.stats.granted++;
+            return { allowed: true, reason: 'Capability broker disabled' };
+        }
+        const manifest = this.manifests.get(skillId);
+        if (!manifest) {
+            if (this.config.skillVerification !== 'none') {
+                this.stats.denied++;
+                this.emitDeny(skillId, capability, 'No manifest registered');
+                return { allowed: false, reason: `Skill "${skillId}" has no registered manifest.` };
+            }
+            this.stats.granted++;
+            return { allowed: true, reason: 'No manifest required in current profile' };
+        }
+        const isRequired = manifest.permissions.required.includes(capability);
+        const isOptional = manifest.permissions.optional.includes(capability);
+        if (!isRequired && !isOptional) {
+            this.stats.denied++;
+            this.emitDeny(skillId, capability, 'Capability not declared in manifest');
+            return {
+                allowed: false,
+                reason: `Skill "${skillId}" did not declare capability "${capability}" in its manifest.`,
+            };
+        }
+        const hasGrant = this.hasActiveGrant(skillId, capability);
+        if (!hasGrant) {
+            const grant = this.grantCapability(skillId, capability);
+            this.stats.granted++;
+            this.emitGrant(skillId, capability);
+            return { allowed: true, grantId: `${grant.skillId}:${grant.capability}` };
+        }
+        this.stats.granted++;
+        return { allowed: true };
+    }
+    grantCapability(skillId, capability) {
+        const grant = {
+            skillId,
+            capability,
+            grantedAt: Date.now(),
+            expiresAt: Date.now() + this.grantTTLMs,
+        };
+        const existing = this.activeGrants.get(skillId) || [];
+        existing.push(grant);
+        this.activeGrants.set(skillId, existing);
+        return grant;
+    }
+    revokeAll(skillId) {
+        const grants = this.activeGrants.get(skillId) || [];
+        this.activeGrants.delete(skillId);
+        return grants.length;
+    }
+    revoke(skillId, capability) {
+        const grants = this.activeGrants.get(skillId);
+        if (!grants)
+            return false;
+        const idx = grants.findIndex(g => g.capability === capability);
+        if (idx === -1)
+            return false;
+        grants.splice(idx, 1);
+        if (grants.length === 0)
+            this.activeGrants.delete(skillId);
+        return true;
+    }
+    checkDataAccess(skillId, classification) {
+        const manifest = this.manifests.get(skillId);
+        if (!manifest)
+            return !this.config.enableCapabilityBroker;
+        return manifest.dataAccess.includes(classification);
+    }
+    getRegisteredSkills() {
+        return [...this.manifests.keys()];
+    }
+    getActiveGrants(skillId) {
+        this.cleanupExpiredGrants(skillId);
+        return [...(this.activeGrants.get(skillId) || [])];
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    hasActiveGrant(skillId, capability) {
+        this.cleanupExpiredGrants(skillId);
+        const grants = this.activeGrants.get(skillId) || [];
+        return grants.some(g => g.capability === capability);
+    }
+    cleanupExpiredGrants(skillId) {
+        const grants = this.activeGrants.get(skillId);
+        if (!grants)
+            return;
+        const now = Date.now();
+        const active = grants.filter(g => g.expiresAt > now);
+        if (active.length === 0) {
+            this.activeGrants.delete(skillId);
+        }
+        else {
+            this.activeGrants.set(skillId, active);
+        }
+    }
+    emitGrant(skillId, capability) {
+        this.eventBus.emitAllow('security:capability-granted', 4, {
+            type: 'capability',
+            id: capability,
+            detail: `Granted to ${skillId}`,
+        }, { skillId });
+    }
+    emitDeny(skillId, capability, reason) {
+        this.eventBus.emitDeny('security:capability-denied', 4, { type: 'capability', id: capability, detail: reason }, 'warning', { skillId });
+    }
+}
+//# sourceMappingURL=CapabilityBroker.js.map

package/dist/security/CapabilityBroker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CapabilityBroker.js","sourceRoot":"","sources":["../../src/security/CapabilityBroker.ts"],"names":[],"mappings":"AAiDA,MAAM,OAAO,gBAAgB;IACjB,QAAQ,CAAmB;IAC3B,MAAM,CAAiB;IACvB,SAAS,GAAmC,IAAI,GAAG,EAAE,CAAC;IACtD,YAAY,GAAmC,IAAI,GAAG,EAAE,CAAC;IACzD,UAAU,GAAG,MAAM,CAAC;IACpB,KAAK,GAAG,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAE1D,YAAY,QAA0B,EAAE,MAAsB;QAC1D,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC;IAKD,aAAa,CAAC,OAAe,EAAE,QAA2B;QACtD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAKD,eAAe,CAAC,OAAe,EAAE,UAA0B;QACvD,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAGzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QACnE,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAG7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACZ,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,MAAM,EAAE,CAAC;gBAC3C,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,UAAU,EAAE,wBAAwB,CAAC,CAAC;gBAC7D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,OAAO,+BAA+B,EAAE,CAAC;YACxF,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yCAAyC,EAAE,CAAC;QAChF,CAAC;QAGD,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAEtE,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC7B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,UAAU,EAAE,qCAAqC,CAAC,CAAC;YAC1E,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,UAAU,OAAO,iCAAiC,UAAU,oBAAoB;aAC3F,CAAC;QACN,CAAC;QAGD,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAE1D,IAAI,CAAC,QAAQ,EAAE,CAAC;YAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACxD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,UAAU,EAAE,EAAE,CAAC;QAC9E,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC7B,CAAC;IAKD,eAAe,CAAC,OAAe,EAAE,UAA0B;QACvD,MAAM,KAAK,GAAoB;YAC3B,OAAO;YACP,UAAU;YACV,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU;SAC1C,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEzC,OAAO,KAAK,CAAC;IACjB,CAAC;IAKD,SAAS,CAAC,OAAe;QACrB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC;IACzB,CAAC;IAKD,MAAM,CAAC,OAAe,EAAE,UAA0B;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CAAC,CAAC;QAC/D,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC;IAChB,CAAC;IAKD,eAAe,CAAC,OAAe,EAAE,cAAsB;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC;QAC1D,OAAO,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IACxD,CAAC;IAKD,mBAAmB;QACf,OAAO,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAKD,eAAe,CAAC,OAAe;QAC3B,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACvD,CAAC;IAKD,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAIO,cAAc,CAAC,OAAe,EAAE,UAA0B;QAC9D,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACpD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CAAC,CAAC;IACzD,CAAC;IAEO,oBAAoB,CAAC,OAAe;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC;QACrD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACJ,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;IACL,CAAC;IAEO,SAAS,CAAC,OAAe,EAAE,UAA0B;QACzD,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,6BAA6B,EAAE,CAAC,EAAE;YACtD,IAAI,EAAE,YAAY;YAClB,EAAE,EAAE,UAAU;YACd,MAAM,EAAE,cAAc,OAAO,EAAE;SAClC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACpB,CAAC;IAEO,QAAQ,CAAC,OAAe,EAAE,UAA0B,EAAE,MAAc;QACxE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,4BAA4B,EAC5B,CAAC,EACD,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,EACtD,SAAS,EACT,EAAE,OAAO,EAAE,CACd,CAAC;IACN,CAAC;CACJ"}

package/dist/security/CommandExecutionGuard.d.ts

@@ -0,0 +1,47 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export type ExecDecision = 'allow' | 'deny' | 'ask';
+export interface ExecRequest {
+    command: string;
+    args: string[];
+    cwd?: string;
+    userId?: string;
+    skillId?: string;
+}
+export interface ExecResult {
+    decision: ExecDecision;
+    stdout?: string;
+    stderr?: string;
+    exitCode?: number;
+    denyReason?: string;
+    durationMs?: number;
+}
+export interface ExecGuardConfig {
+    allowlist: string[];
+    blocklist: Array<{
+        command: string;
+        argsPattern?: RegExp;
+    }>;
+    destructivePatterns: RegExp[];
+    onApprovalRequired?: (req: ExecRequest) => Promise<boolean>;
+}
+export declare class CommandExecutionGuard {
+    private eventBus;
+    private config;
+    private stats;
+    constructor(eventBus: SecurityEventBus, config?: Partial<ExecGuardConfig>);
+    evaluate(request: ExecRequest): ExecDecision;
+    execute(request: ExecRequest): Promise<ExecResult>;
+    static parseCommand(commandStr: string): {
+        command: string;
+        args: string[];
+    };
+    getStats(): {
+        totalRequests: number;
+        allowed: number;
+        denied: number;
+        asked: number;
+    };
+    getAllowlist(): string[];
+    addToAllowlist(command: string): void;
+}
+//# sourceMappingURL=CommandExecutionGuard.d.ts.map

package/dist/security/CommandExecutionGuard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CommandExecutionGuard.d.ts","sourceRoot":"","sources":["../../src/security/CommandExecutionGuard.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;AAEpD,MAAM,WAAW,WAAW;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAE5B,SAAS,EAAE,MAAM,EAAE,CAAC;IAEpB,SAAS,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAE5D,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAE9B,kBAAkB,CAAC,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CAC/D;AAkED,qBAAa,qBAAqB;IAC9B,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,KAAK,CAKX;gBAEU,QAAQ,EAAE,gBAAgB,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC;IAazE,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,YAAY;IAkCtC,OAAO,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAuExD,MAAM,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;IA6C5E,QAAQ;;;;;;IAOR,YAAY,IAAI,MAAM,EAAE;IAOxB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;CAKxC"}

package/dist/security/CommandExecutionGuard.js

@@ -0,0 +1,175 @@
+import { execFile } from 'node:child_process';
+const DEFAULT_ALLOWLIST = [
+    'ls', 'cat', 'head', 'tail', 'grep', 'find', 'wc', 'sort', 'uniq',
+    'echo', 'printf', 'date', 'whoami', 'hostname', 'uname', 'pwd',
+    'git', 'node', 'python', 'python3', 'pip', 'npm', 'npx', 'pnpm',
+    'jq', 'yq', 'curl', 'wget', 'dig', 'nslookup', 'ping',
+    'docker', 'brew', 'which', 'file', 'stat', 'du', 'df',
+    'tar', 'zip', 'unzip', 'gzip', 'gunzip',
+    'sed', 'awk', 'cut', 'tr', 'tee', 'diff', 'patch',
+    'rm', 'mkdir', 'touch', 'cp', 'mv', 'ln',
+    'sudo', 'chmod', 'chown',
+    'open', 'pbcopy', 'pbpaste',
+    'code', 'vim', 'nano',
+];
+const DEFAULT_BLOCKLIST = [
+    { command: 'rm', argsPattern: /-[A-Za-z]*r[A-Za-z]*f|--force.*--recursive|--recursive.*--force/ },
+    { command: 'chmod', argsPattern: /777/ },
+    { command: 'sudo', argsPattern: /rm|dd|mkfs|fdisk/ },
+    { command: 'dd' },
+    { command: 'mkfs' },
+    { command: 'fdisk' },
+    { command: 'diskutil', argsPattern: /erase|partition/ },
+    { command: 'launchctl', argsPattern: /unload|remove/ },
+    { command: 'defaults', argsPattern: /delete|write/ },
+    { command: 'killall' },
+    { command: 'pkill', argsPattern: /-9/ },
+    { command: 'eval' },
+    { command: 'sh', argsPattern: /-c/ },
+    { command: 'bash', argsPattern: /-c/ },
+    { command: 'zsh', argsPattern: /-c/ },
+];
+const DEFAULT_DESTRUCTIVE_PATTERNS = [
+    /\brm\b/,
+    /\bsudo\b/,
+    /\bchmod\b/,
+    /\bchown\b/,
+    /\bmv\s+\//,
+    />\s*\/dev\/null/,
+    /\|\s*sh\b/,
+    /\|\s*bash\b/,
+    /--force/,
+    /--hard/,
+];
+export class CommandExecutionGuard {
+    eventBus;
+    config;
+    stats = {
+        totalRequests: 0,
+        allowed: 0,
+        denied: 0,
+        asked: 0,
+    };
+    constructor(eventBus, config) {
+        this.eventBus = eventBus;
+        this.config = {
+            allowlist: config?.allowlist ?? DEFAULT_ALLOWLIST,
+            blocklist: config?.blocklist ?? DEFAULT_BLOCKLIST,
+            destructivePatterns: config?.destructivePatterns ?? DEFAULT_DESTRUCTIVE_PATTERNS,
+            onApprovalRequired: config?.onApprovalRequired,
+        };
+    }
+    evaluate(request) {
+        const { command, args } = request;
+        const fullCommand = [command, ...args].join(' ');
+        for (const blocked of this.config.blocklist) {
+            if (command === blocked.command || command.endsWith(`/${blocked.command}`)) {
+                if (!blocked.argsPattern || blocked.argsPattern.test(fullCommand)) {
+                    return 'deny';
+                }
+            }
+        }
+        const basename = command.split('/').pop() ?? command;
+        const isAllowed = this.config.allowlist.includes(basename);
+        if (!isAllowed) {
+            return 'deny';
+        }
+        for (const pattern of this.config.destructivePatterns) {
+            if (pattern.test(fullCommand)) {
+                return 'ask';
+            }
+        }
+        return 'allow';
+    }
+    async execute(request) {
+        this.stats.totalRequests++;
+        const decision = this.evaluate(request);
+        if (decision === 'deny') {
+            this.stats.denied++;
+            this.eventBus.emitDeny('security:exec-blocked', 5, { type: 'command', id: request.command, detail: request.args.join(' ') }, 'warning', { userId: request.userId, skillId: request.skillId });
+            return { decision: 'deny', denyReason: `Command "${request.command}" is not allowed by security policy.` };
+        }
+        if (decision === 'ask') {
+            this.stats.asked++;
+            if (this.config.onApprovalRequired) {
+                const approved = await this.config.onApprovalRequired(request);
+                if (!approved) {
+                    this.stats.denied++;
+                    this.eventBus.emitDeny('security:exec-blocked', 5, { type: 'command', id: request.command, detail: 'User denied destructive command' }, 'warning', { userId: request.userId, skillId: request.skillId });
+                    return { decision: 'deny', denyReason: 'User denied the command.' };
+                }
+            }
+            else {
+                this.stats.denied++;
+                return { decision: 'deny', denyReason: 'Destructive command requires approval but no handler configured.' };
+            }
+        }
+        this.stats.allowed++;
+        const startTime = Date.now();
+        return new Promise((resolve) => {
+            execFile(request.command, request.args, { cwd: request.cwd, timeout: 30_000, maxBuffer: 10 * 1024 * 1024 }, (error, stdout, stderr) => {
+                const durationMs = Date.now() - startTime;
+                const exitCode = error?.code ? Number(error.code) : 0;
+                this.eventBus.emitAllow('security:exec-allowed', 5, {
+                    type: 'command',
+                    id: request.command,
+                    detail: `args=${request.args.length} exit=${exitCode} ${durationMs}ms`,
+                }, { userId: request.userId, skillId: request.skillId });
+                resolve({ decision: 'allow', stdout, stderr, exitCode, durationMs });
+            });
+        });
+    }
+    static parseCommand(commandStr) {
+        const tokens = [];
+        let current = '';
+        let inQuote = null;
+        let escaped = false;
+        for (const char of commandStr) {
+            if (escaped) {
+                current += char;
+                escaped = false;
+                continue;
+            }
+            if (char === '\\') {
+                escaped = true;
+                continue;
+            }
+            if (inQuote) {
+                if (char === inQuote) {
+                    inQuote = null;
+                }
+                else {
+                    current += char;
+                }
+                continue;
+            }
+            if (char === '"' || char === "'") {
+                inQuote = char;
+                continue;
+            }
+            if (char === ' ' || char === '\t') {
+                if (current) {
+                    tokens.push(current);
+                    current = '';
+                }
+                continue;
+            }
+            current += char;
+        }
+        if (current)
+            tokens.push(current);
+        return { command: tokens[0] ?? '', args: tokens.slice(1) };
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    getAllowlist() {
+        return [...this.config.allowlist];
+    }
+    addToAllowlist(command) {
+        if (!this.config.allowlist.includes(command)) {
+            this.config.allowlist.push(command);
+        }
+    }
+}
+//# sourceMappingURL=CommandExecutionGuard.js.map

package/dist/security/CommandExecutionGuard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CommandExecutionGuard.js","sourceRoot":"","sources":["../../src/security/CommandExecutionGuard.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,QAAQ,EAA0B,MAAM,oBAAoB,CAAC;AAqCtE,MAAM,iBAAiB,GAAG;IACtB,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM;IACjE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK;IAC9D,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;IAC/D,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM;IACrD,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;IACrD,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ;IACvC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO;IACjD,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IACxC,MAAM,EAAE,OAAO,EAAE,OAAO;IACxB,MAAM,EAAE,QAAQ,EAAE,SAAS;IAC3B,MAAM,EAAE,KAAK,EAAE,MAAM;CACxB,CAAC;AAEF,MAAM,iBAAiB,GAAiC;IACpD,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,iEAAiE,EAAE;IACjG,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE;IACxC,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,kBAAkB,EAAE;IACpD,EAAE,OAAO,EAAE,IAAI,EAAE;IACjB,EAAE,OAAO,EAAE,MAAM,EAAE;IACnB,EAAE,OAAO,EAAE,OAAO,EAAE;IACpB,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,iBAAiB,EAAE;IACvD,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE;IACtD,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE;IACpD,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE;IACvC,EAAE,OAAO,EAAE,MAAM,EAAE;IACnB,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;IACpC,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE;IACtC,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE;CACxC,CAAC;AAEF,MAAM,4BAA4B,GAAG;IACjC,QAAQ;IACR,UAAU;IACV,WAAW;IACX,WAAW;IACX,WAAW;IACX,iBAAiB;IACjB,WAAW;IACX,aAAa;IACb,SAAS;IACT,QAAQ;CACX,CAAC;AAmBF,MAAM,OAAO,qBAAqB;IACtB,QAAQ,CAAmB;IAC3B,MAAM,CAAkB;IACxB,KAAK,GAAG;QACZ,aAAa,EAAE,CAAC;QAChB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,CAAC;QACT,KAAK,EAAE,CAAC;KACX,CAAC;IAEF,YAAY,QAA0B,EAAE,MAAiC;QACrE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG;YACV,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,iBAAiB;YACjD,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,iBAAiB;YACjD,mBAAmB,EAAE,MAAM,EAAE,mBAAmB,IAAI,4BAA4B;YAChF,kBAAkB,EAAE,MAAM,EAAE,kBAAkB;SACjD,CAAC;IACN,CAAC;IAKD,QAAQ,CAAC,OAAoB;QACzB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QAClC,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAGjD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1C,IAAI,OAAO,KAAK,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBACzE,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBAChE,OAAO,MAAM,CAAC;gBAClB,CAAC;YACL,CAAC;QACL,CAAC;QAGD,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE3D,IAAI,CAAC,SAAS,EAAE,CAAC;YACb,OAAO,MAAM,CAAC;QAClB,CAAC;QAGD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACpD,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACjB,CAAC;QACL,CAAC;QAED,OAAO,OAAO,CAAC;IACnB,CAAC;IAKD,KAAK,CAAC,OAAO,CAAC,OAAoB;QAC9B,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAExC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,uBAAuB,EACvB,CAAC,EACD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EACxE,SAAS,EACT,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CACvD,CAAC;YACF,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,OAAO,CAAC,OAAO,sCAAsC,EAAE,CAAC;QAC/G,CAAC;QAED,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACnB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;gBAC/D,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACZ,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;oBACpB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,uBAAuB,EACvB,CAAC,EACD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,iCAAiC,EAAE,EACnF,SAAS,EACT,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CACvD,CAAC;oBACF,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,0BAA0B,EAAE,CAAC;gBACxE,CAAC;YACL,CAAC;iBAAM,CAAC;gBAEJ,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,kEAAkE,EAAE,CAAC;YAChH,CAAC;QACL,CAAC;QAGD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,OAAO,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,EAAE;YACvC,QAAQ,CACJ,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,IAAI,EACZ,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,EAClE,CAAC,KAA+B,EAAE,MAAc,EAAE,MAAc,EAAE,EAAE;gBAChE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAC1C,MAAM,QAAQ,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAEtD,IAAI,CAAC,QAAQ,CAAC,SAAS,CACnB,uBAAuB,EACvB,CAAC,EACD;oBACI,IAAI,EAAE,SAAS;oBACf,EAAE,EAAE,OAAO,CAAC,OAAO;oBACnB,MAAM,EAAE,QAAQ,OAAO,CAAC,IAAI,CAAC,MAAM,SAAS,QAAQ,IAAI,UAAU,IAAI;iBACzE,EACD,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CACvD,CAAC;gBAEF,OAAO,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;YACzE,CAAC,CACJ,CAAC;QACN,CAAC,CAAC,CAAC;IACP,CAAC;IAKD,MAAM,CAAC,YAAY,CAAC,UAAkB;QAClC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,OAAO,GAAkB,IAAI,CAAC;QAClC,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC5B,IAAI,OAAO,EAAE,CAAC;gBACV,OAAO,IAAI,IAAI,CAAC;gBAChB,OAAO,GAAG,KAAK,CAAC;gBAChB,SAAS;YACb,CAAC;YACD,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAChB,OAAO,GAAG,IAAI,CAAC;gBACf,SAAS;YACb,CAAC;YACD,IAAI,OAAO,EAAE,CAAC;gBACV,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;oBACnB,OAAO,GAAG,IAAI,CAAC;gBACnB,CAAC;qBAAM,CAAC;oBACJ,OAAO,IAAI,IAAI,CAAC;gBACpB,CAAC;gBACD,SAAS;YACb,CAAC;YACD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBAC/B,OAAO,GAAG,IAAI,CAAC;gBACf,SAAS;YACb,CAAC;YACD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAChC,IAAI,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACrB,OAAO,GAAG,EAAE,CAAC;gBACjB,CAAC;gBACD,SAAS;YACb,CAAC;YACD,OAAO,IAAI,IAAI,CAAC;QACpB,CAAC;QACD,IAAI,OAAO;YAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/D,CAAC;IAKD,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAKD,YAAY;QACR,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAKD,cAAc,CAAC,OAAe;QAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;IACL,CAAC;CACJ"}

package/dist/security/ComplianceExporter.d.ts

@@ -0,0 +1,32 @@
+import type { DataAccessTracker } from './DataAccessTracker.js';
+import type { SecurityEventBus } from './SecurityEventBus.js';
+export type ReportFormat = 'json' | 'csv';
+export type ReportType = 'data-access' | 'security-incidents' | 'credential-access' | 'full-audit';
+export interface ExportOptions {
+    format: ReportFormat;
+    type: ReportType;
+    from?: Date;
+    to?: Date;
+    skillFilter?: string;
+    userFilter?: string;
+}
+export interface ExportResult {
+    content: string;
+    format: ReportFormat;
+    type: ReportType;
+    generatedAt: string;
+    recordCount: number;
+}
+export declare class ComplianceExporter {
+    private dataTracker;
+    private eventBus;
+    constructor(dataTracker: DataAccessTracker, eventBus: SecurityEventBus);
+    export(options: ExportOptions): ExportResult;
+    private exportDataAccess;
+    private exportSecurityIncidents;
+    private exportCredentialAccess;
+    private exportFullAudit;
+    private toCSV;
+    private countBy;
+}
+//# sourceMappingURL=ComplianceExporter.d.ts.map

package/dist/security/ComplianceExporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ComplianceExporter.d.ts","sourceRoot":"","sources":["../../src/security/ComplianceExporter.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAI9D,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,KAAK,CAAC;AAE1C,MAAM,MAAM,UAAU,GAChB,aAAa,GACb,oBAAoB,GACpB,mBAAmB,GACnB,YAAY,CAAC;AAEnB,MAAM,WAAW,aAAa;IAC1B,MAAM,EAAE,YAAY,CAAC;IACrB,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,EAAE,CAAC,EAAE,IAAI,CAAC;IACV,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,YAAY,CAAC;IACrB,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACvB;AAoBD,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,QAAQ,CAAmB;gBAEvB,WAAW,EAAE,iBAAiB,EAAE,QAAQ,EAAE,gBAAgB;IAQtE,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,YAAY;IAoB5C,OAAO,CAAC,gBAAgB;IAkCxB,OAAO,CAAC,uBAAuB;IA2B/B,OAAO,CAAC,sBAAsB;IAwB9B,OAAO,CAAC,eAAe;IAoCvB,OAAO,CAAC,KAAK;IAeb,OAAO,CAAC,OAAO;CAQlB"}

package/dist/security/ComplianceExporter.js

@@ -0,0 +1,129 @@
+export class ComplianceExporter {
+    dataTracker;
+    eventBus;
+    constructor(dataTracker, eventBus) {
+        this.dataTracker = dataTracker;
+        this.eventBus = eventBus;
+    }
+    export(options) {
+        const from = options.from ?? new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
+        const to = options.to ?? new Date();
+        switch (options.type) {
+            case 'data-access':
+                return this.exportDataAccess(options.format, from, to, options.skillFilter);
+            case 'security-incidents':
+                return this.exportSecurityIncidents(options.format, from, to);
+            case 'credential-access':
+                return this.exportCredentialAccess(options.format, from, to);
+            case 'full-audit':
+                return this.exportFullAudit(options.format, from, to);
+            default:
+                throw new Error(`Unknown report type: ${options.type}`);
+        }
+    }
+    exportDataAccess(format, from, to, skillFilter) {
+        const report = this.dataTracker.getReport(from, to);
+        let records = report.records;
+        if (skillFilter) {
+            records = records.filter(r => r.skillId === skillFilter);
+        }
+        const content = format === 'csv'
+            ? this.toCSV(['Timestamp', 'Source', 'Category', 'Skill', 'Description', 'Sent to Cloud', 'Cloud Provider', 'Item Count'], records.map(r => [
+                r.timestamp.toISOString(),
+                r.source,
+                r.category,
+                r.skillId,
+                r.description,
+                String(r.sentToCloud),
+                r.cloudProvider ?? '',
+                String(r.itemCount),
+            ]))
+            : JSON.stringify({ report: 'data-access', period: { from, to }, summary: { total: records.length, sentToCloud: report.sentToCloud, bySource: report.bySource, byCategory: report.byCategory }, records }, null, 2);
+        return { content, format, type: 'data-access', generatedAt: new Date().toISOString(), recordCount: records.length };
+    }
+    exportSecurityIncidents(format, from, to) {
+        const events = this.eventBus.getHistory({
+            decision: 'deny',
+            since: from,
+        }).filter(e => e.timestamp <= to);
+        const content = format === 'csv'
+            ? this.toCSV(['Timestamp', 'Type', 'Layer', 'Severity', 'Resource Type', 'Resource ID', 'Detail', 'Evidence'], events.map(e => [
+                e.timestamp.toISOString(),
+                e.type,
+                String(e.layer),
+                e.severity,
+                e.resource.type,
+                e.resource.id,
+                e.resource.detail ?? '',
+                e.evidence ?? '',
+            ]))
+            : JSON.stringify({ report: 'security-incidents', period: { from, to }, totalIncidents: events.length, bySeverity: this.countBy(events, e => e.severity), byLayer: this.countBy(events, e => String(e.layer)), events }, null, 2);
+        return { content, format, type: 'security-incidents', generatedAt: new Date().toISOString(), recordCount: events.length };
+    }
+    exportCredentialAccess(format, from, to) {
+        const events = this.eventBus.getHistory({
+            type: 'security:keychain-access',
+            since: from,
+        }).filter(e => e.timestamp <= to);
+        const content = format === 'csv'
+            ? this.toCSV(['Timestamp', 'Decision', 'Resource', 'Skill', 'User'], events.map(e => [
+                e.timestamp.toISOString(),
+                e.decision,
+                e.resource.id,
+                e.actor.skillId ?? '',
+                e.actor.userId ?? '',
+            ]))
+            : JSON.stringify({ report: 'credential-access', period: { from, to }, totalAccesses: events.length, events }, null, 2);
+        return { content, format, type: 'credential-access', generatedAt: new Date().toISOString(), recordCount: events.length };
+    }
+    exportFullAudit(format, from, to) {
+        const allEvents = this.eventBus.getHistory({ since: from }).filter(e => e.timestamp <= to);
+        const dataReport = this.dataTracker.getReport(from, to);
+        const content = format === 'csv'
+            ? this.toCSV(['Timestamp', 'Type', 'Layer', 'Decision', 'Severity', 'Resource', 'Detail'], allEvents.map(e => [
+                e.timestamp.toISOString(),
+                e.type,
+                String(e.layer),
+                e.decision,
+                e.severity,
+                `${e.resource.type}:${e.resource.id}`,
+                e.resource.detail ?? '',
+            ]))
+            : JSON.stringify({
+                report: 'full-audit',
+                period: { from, to },
+                summary: {
+                    totalEvents: allEvents.length,
+                    allowed: allEvents.filter(e => e.decision === 'allow').length,
+                    denied: allEvents.filter(e => e.decision === 'deny').length,
+                    dataAccesses: dataReport.totalAccesses,
+                    dataSentToCloud: dataReport.sentToCloud,
+                },
+                securityEvents: allEvents,
+                dataAccess: dataReport,
+            }, null, 2);
+        return { content, format, type: 'full-audit', generatedAt: new Date().toISOString(), recordCount: allEvents.length };
+    }
+    toCSV(headers, rows) {
+        const escape = (val) => {
+            if (val.includes(',') || val.includes('"') || val.includes('\n')) {
+                return `"${val.replace(/"/g, '""')}"`;
+            }
+            return val;
+        };
+        const lines = [headers.map(escape).join(',')];
+        for (const row of rows) {
+            lines.push(row.map(escape).join(','));
+        }
+        return lines.join('\n');
+    }
+    countBy(items, key) {
+        const counts = {};
+        for (const item of items) {
+            const k = key(item);
+            counts[k] = (counts[k] || 0) + 1;
+        }
+        return counts;
+    }
+}
+//# sourceMappingURL=ComplianceExporter.js.map

package/dist/security/ComplianceExporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ComplianceExporter.js","sourceRoot":"","sources":["../../src/security/ComplianceExporter.ts"],"names":[],"mappings":"AA4DA,MAAM,OAAO,kBAAkB;IACnB,WAAW,CAAoB;IAC/B,QAAQ,CAAmB;IAEnC,YAAY,WAA8B,EAAE,QAA0B;QAClE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC7B,CAAC;IAKD,MAAM,CAAC,OAAsB;QACzB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7E,MAAM,EAAE,GAAG,OAAO,CAAC,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC;QAEpC,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,aAAa;gBACd,OAAO,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;YAChF,KAAK,oBAAoB;gBACrB,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;YAClE,KAAK,mBAAmB;gBACpB,OAAO,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;YACjE,KAAK,YAAY;gBACb,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;YAC1D;gBACI,MAAM,IAAI,KAAK,CAAC,wBAAwB,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAChE,CAAC;IACL,CAAC;IAIO,gBAAgB,CACpB,MAAoB,EACpB,IAAU,EACV,EAAQ,EACR,WAAoB;QAEpB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACpD,IAAI,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAE7B,IAAI,WAAW,EAAE,CAAC;YACd,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,WAAW,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,CACR,CAAC,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,gBAAgB,EAAE,YAAY,CAAC,EAC5G,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACb,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;gBACzB,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,OAAO;gBACT,CAAC,CAAC,WAAW;gBACb,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;gBACrB,CAAC,CAAC,aAAa,IAAI,EAAE;gBACrB,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;aACtB,CAAC,CACL;YACD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEvN,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,WAAW,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;IACxH,CAAC;IAIO,uBAAuB,CAAC,MAAoB,EAAE,IAAU,EAAE,EAAQ;QACtE,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;YACpC,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,IAAI;SACd,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QAElC,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,CACR,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,CAAC,EAChG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACZ,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;gBACzB,CAAC,CAAC,IAAI;gBACN,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBACf,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,QAAQ,CAAC,IAAI;gBACf,CAAC,CAAC,QAAQ,CAAC,EAAE;gBACb,CAAC,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE;gBACvB,CAAC,CAAC,QAAQ,IAAI,EAAE;aACnB,CAAC,CACL;YACD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAErO,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;IAC9H,CAAC;IAIO,sBAAsB,CAAC,MAAoB,EAAE,IAAU,EAAE,EAAQ;QACrE,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;YACpC,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE,IAAI;SACd,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QAElC,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,CACR,CAAC,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,EACtD,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACZ,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;gBACzB,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,QAAQ,CAAC,EAAE;gBACb,CAAC,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE;gBACrB,CAAC,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE;aACvB,CAAC,CACL;YACD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,mBAAmB,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAE3H,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;IAC7H,CAAC;IAIO,eAAe,CAAC,MAAoB,EAAE,IAAU,EAAE,EAAQ;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QAC3F,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,CACR,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,EAC5E,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACf,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;gBACzB,CAAC,CAAC,IAAI;gBACN,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;gBACf,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,QAAQ;gBACV,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE;gBACrC,CAAC,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE;aAC1B,CAAC,CACL;YACD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;gBACpB,OAAO,EAAE;oBACL,WAAW,EAAE,SAAS,CAAC,MAAM;oBAC7B,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM;oBAC7D,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBAC3D,YAAY,EAAE,UAAU,CAAC,aAAa;oBACtC,eAAe,EAAE,UAAU,CAAC,WAAW;iBAC1C;gBACD,cAAc,EAAE,SAAS;gBACzB,UAAU,EAAE,UAAU;aACzB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEhB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,WAAW,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC;IACzH,CAAC;IAIO,KAAK,CAAC,OAAiB,EAAE,IAAgB;QAC7C,MAAM,MAAM,GAAG,CAAC,GAAW,EAAE,EAAE;YAC3B,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/D,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;YAC1C,CAAC;YACD,OAAO,GAAG,CAAC;QACf,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACrB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEO,OAAO,CAAI,KAAU,EAAE,GAAwB;QACnD,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;YACpB,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,MAAM,CAAC;IAClB,CAAC;CACJ"}

package/dist/security/DataAccessTracker.d.ts

@@ -0,0 +1,38 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export type DataSource = 'apple-notes' | 'imessage' | 'obsidian' | 'bear-notes' | '1password' | 'browser' | 'filesystem' | 'terminal' | 'clipboard' | 'calendar' | 'contacts' | 'email' | 'other';
+export type DataCategory = 'messages' | 'notes' | 'contacts' | 'financial' | 'credentials' | 'health' | 'files' | 'browsing-history' | 'location' | 'media' | 'other';
+export interface DataAccessRecord {
+    timestamp: Date;
+    source: DataSource;
+    category: DataCategory;
+    skillId: string;
+    description: string;
+    sentToCloud: boolean;
+    cloudProvider?: string;
+    itemCount: number;
+}
+export interface DataAccessReport {
+    period: {
+        from: Date;
+        to: Date;
+    };
+    totalAccesses: number;
+    sentToCloud: number;
+    bySource: Record<string, number>;
+    byCategory: Record<string, number>;
+    bySkill: Record<string, number>;
+    records: DataAccessRecord[];
+}
+export declare class DataAccessTracker {
+    private eventBus;
+    private records;
+    private maxRecords;
+    constructor(eventBus: SecurityEventBus);
+    record(access: Omit<DataAccessRecord, 'timestamp'>): void;
+    getReport(from?: Date, to?: Date): DataAccessReport;
+    getRecent(limit?: number): DataAccessRecord[];
+    getCount(): number;
+    wasAccessed(source: DataSource, since?: Date): boolean;
+    getCloudExposures(since?: Date): DataAccessRecord[];
+}
+//# sourceMappingURL=DataAccessTracker.d.ts.map

package/dist/security/DataAccessTracker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DataAccessTracker.d.ts","sourceRoot":"","sources":["../../src/security/DataAccessTracker.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,MAAM,UAAU,GAChB,aAAa,GACb,UAAU,GACV,UAAU,GACV,YAAY,GACZ,WAAW,GACX,SAAS,GACT,YAAY,GACZ,UAAU,GACV,WAAW,GACX,UAAU,GACV,UAAU,GACV,OAAO,GACP,OAAO,CAAC;AAEd,MAAM,MAAM,YAAY,GAClB,UAAU,GACV,OAAO,GACP,UAAU,GACV,WAAW,GACX,aAAa,GACb,QAAQ,GACR,OAAO,GACP,kBAAkB,GAClB,UAAU,GACV,OAAO,GACP,OAAO,CAAC;AAEd,MAAM,WAAW,gBAAgB;IAC7B,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,YAAY,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC7B,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,EAAE,EAAE,IAAI,CAAA;KAAE,CAAC;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC/B;AAwBD,qBAAa,iBAAiB;IAC1B,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,OAAO,CAA0B;IACzC,OAAO,CAAC,UAAU,CAAU;gBAEhB,QAAQ,EAAE,gBAAgB;IAOtC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,GAAG,IAAI;IA8BzD,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,IAAI,GAAG,gBAAgB;IAkCnD,SAAS,CAAC,KAAK,SAAK,GAAG,gBAAgB,EAAE;IAOzC,QAAQ,IAAI,MAAM;IAOlB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,EAAE,IAAI,GAAG,OAAO;IAQtD,iBAAiB,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,gBAAgB,EAAE;CAItD"}