@gsep/core 0.8.0 → 1.0.0

package/dist/security/LLMProxyLayer.js

@@ -0,0 +1,148 @@
+import { PIIRedactionEngine } from './PIIRedactionEngine.js';
+import { DataClassifier } from './DataClassifier.js';
+export class LLMProxyLayer {
+    model;
+    name;
+    cloudAdapter;
+    localAdapter;
+    piiEngine;
+    classifier;
+    eventBus;
+    localRouteThreshold;
+    enableRedaction;
+    stats = {
+        totalRequests: 0,
+        redactedRequests: 0,
+        localRouted: 0,
+        cloudRouted: 0,
+        totalPIIRedacted: 0,
+        byCategory: {},
+    };
+    constructor(cloudAdapter, config = {}) {
+        this.cloudAdapter = cloudAdapter;
+        this.localAdapter = config.localAdapter;
+        this.enableRedaction = config.enableRedaction ?? true;
+        this.localRouteThreshold = config.localRouteThreshold ?? 'confidential';
+        this.eventBus = config.eventBus;
+        this.piiEngine = new PIIRedactionEngine({
+            categories: config.piiCategories,
+        });
+        this.classifier = new DataClassifier();
+        this.model = cloudAdapter.model ?? 'proxy';
+        this.name = `secure-proxy(${cloudAdapter.name ?? 'llm'})`;
+    }
+    async chat(messages, options) {
+        this.stats.totalRequests++;
+        const fullText = messages.map(m => m.content).join('\n');
+        const classification = this.classifier.classify(fullText);
+        const useLocal = this.shouldRouteLocal(classification.classification);
+        const adapter = useLocal ? (this.localAdapter ?? this.cloudAdapter) : this.cloudAdapter;
+        if (useLocal) {
+            this.stats.localRouted++;
+            this.eventBus?.emitAllow('security:local-model-routed', 2, {
+                type: 'llm-request',
+                id: classification.classification,
+                detail: `Routed to local: ${classification.categories.join(', ')}`,
+            });
+        }
+        else {
+            this.stats.cloudRouted++;
+        }
+        const gsepIdentity = [
+            '\n\n---\n## GSEP Shield (Active)',
+            'You are protected by GSEP (Genomic Self-Evolving Prompts) — the Agent Security Layer.',
+            'What is active right now:',
+            '- PII Redaction: Credit cards, SSN, emails, API keys are auto-redacted before reaching you. If you see [REDACTED:CC:xxxx] tokens, that means sensitive data was protected.',
+            '- Prompt Injection Firewall: 53 patterns block manipulation attempts.',
+            '- Output Immune System: 6 checks scan your responses for infections.',
+            '- Audit Trail: Every security event is logged immutably.',
+            '- Data Classification: Content is classified as public/internal/confidential/restricted.',
+            '',
+            'When users share sensitive data, tell them: "Your data was automatically protected by GSEP — it was redacted before I could see it."',
+            'When asked about GSEP, confirm: "Yes, I have GSEP active. It protects your data with 7 layers of security."',
+            '---\n',
+        ].join('\n');
+        const messagesWithIdentity = [...messages];
+        const systemIdx = messagesWithIdentity.findIndex(m => m.role === 'system');
+        if (systemIdx >= 0) {
+            messagesWithIdentity[systemIdx] = {
+                ...messagesWithIdentity[systemIdx],
+                content: messagesWithIdentity[systemIdx].content + gsepIdentity,
+            };
+        }
+        else {
+            messagesWithIdentity.unshift({ role: 'system', content: gsepIdentity });
+        }
+        let processedMessages = messagesWithIdentity;
+        let redactionResults = [];
+        if (this.enableRedaction && !useLocal) {
+            const redacted = messages.map(m => {
+                if (m.role === 'system')
+                    return { msg: m, result: null };
+                const result = this.piiEngine.redact(m.content);
+                return { msg: { ...m, content: result.redacted }, result };
+            });
+            processedMessages = redacted.map(r => r.msg);
+            redactionResults = redacted.map(r => r.result).filter((r) => r !== null);
+            const totalRedacted = redactionResults.reduce((sum, r) => sum + r.matches.length, 0);
+            if (totalRedacted > 0) {
+                this.stats.redactedRequests++;
+                this.stats.totalPIIRedacted += totalRedacted;
+                for (const result of redactionResults) {
+                    for (const match of result.matches) {
+                        this.stats.byCategory[match.category] = (this.stats.byCategory[match.category] || 0) + 1;
+                    }
+                }
+                this.eventBus?.emit({
+                    type: 'security:pii-redacted',
+                    timestamp: new Date(),
+                    layer: 2,
+                    decision: 'info',
+                    actor: {},
+                    resource: {
+                        type: 'pii',
+                        id: `${totalRedacted} items`,
+                        detail: redactionResults.flatMap(r => r.categories).join(', '),
+                    },
+                    severity: 'info',
+                });
+            }
+        }
+        this.eventBus?.emit({
+            type: 'security:llm-request-filtered',
+            timestamp: new Date(),
+            layer: 2,
+            decision: 'allow',
+            actor: {},
+            resource: {
+                type: 'llm-request',
+                id: adapter.name ?? adapter.model ?? 'unknown',
+                detail: `${processedMessages.length} messages, ${fullText.length} chars`,
+            },
+            severity: 'info',
+        });
+        const response = await adapter.chat(processedMessages, options);
+        if (this.enableRedaction && redactionResults.length > 0) {
+            response.content = this.piiEngine.rehydrate(response.content);
+        }
+        return response;
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    getPIIStats() {
+        return this.piiEngine.getStats();
+    }
+    clearVault() {
+        this.piiEngine.clearVault();
+    }
+    shouldRouteLocal(classification) {
+        if (!this.localAdapter)
+            return false;
+        const order = {
+            public: 0, internal: 1, confidential: 2, restricted: 3,
+        };
+        return order[classification] >= order[this.localRouteThreshold];
+    }
+}
+//# sourceMappingURL=LLMProxyLayer.js.map

package/dist/security/LLMProxyLayer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LLMProxyLayer.js","sourceRoot":"","sources":["../../src/security/LLMProxyLayer.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,kBAAkB,EAAwB,MAAM,yBAAyB,CAAC;AACnF,OAAO,EAAE,cAAc,EAA2B,MAAM,qBAAqB,CAAC;AAuD9E,MAAM,OAAO,aAAa;IACb,KAAK,CAAS;IACd,IAAI,CAAS;IAEd,YAAY,CAAiB;IAC7B,YAAY,CAAkB;IAC9B,SAAS,CAAqB;IAC9B,UAAU,CAAiB;IAC3B,QAAQ,CAAoB;IAC5B,mBAAmB,CAAqB;IACxC,eAAe,CAAU;IAEzB,KAAK,GAAe;QACxB,aAAa,EAAE,CAAC;QAChB,gBAAgB,EAAE,CAAC;QACnB,WAAW,EAAE,CAAC;QACd,WAAW,EAAE,CAAC;QACd,gBAAgB,EAAE,CAAC;QACnB,UAAU,EAAE,EAAE;KACjB,CAAC;IAEF,YAAY,YAA4B,EAAE,SAAkC,EAAE;QAC1E,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QACxC,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC;QACtD,IAAI,CAAC,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,IAAI,cAAc,CAAC;QACxE,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAEhC,IAAI,CAAC,SAAS,GAAG,IAAI,kBAAkB,CAAC;YACpC,UAAU,EAAE,MAAM,CAAC,aAAsB;SAC5C,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,IAAI,cAAc,EAAE,CAAC;QAEvC,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC,KAAK,IAAI,OAAO,CAAC;QAC3C,IAAI,CAAC,IAAI,GAAG,gBAAgB,YAAY,CAAC,IAAI,IAAI,KAAK,GAAG,CAAC;IAC9D,CAAC;IAKD,KAAK,CAAC,IAAI,CACN,QAAkD,EAClD,OAAiB;QAEjB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;QAG3B,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAG1D,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;QACtE,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;QAExF,IAAI,QAAQ,EAAE,CAAC;YACX,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,6BAA6B,EAAE,CAAC,EAAE;gBACvD,IAAI,EAAE,aAAa;gBACnB,EAAE,EAAE,cAAc,CAAC,cAAc;gBACjC,MAAM,EAAE,oBAAoB,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACrE,CAAC,CAAC;QACP,CAAC;aAAM,CAAC;YACJ,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAC7B,CAAC;QAID,MAAM,YAAY,GAAG;YACjB,kCAAkC;YAClC,uFAAuF;YACvF,2BAA2B;YAC3B,4KAA4K;YAC5K,uEAAuE;YACvE,sEAAsE;YACtE,0DAA0D;YAC1D,0FAA0F;YAC1F,EAAE;YACF,sIAAsI;YACtI,6GAA6G;YAC7G,OAAO;SACV,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAGb,MAAM,oBAAoB,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;QAC3E,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACjB,oBAAoB,CAAC,SAAS,CAAC,GAAG;gBAC9B,GAAG,oBAAoB,CAAC,SAAS,CAAC;gBAClC,OAAO,EAAE,oBAAoB,CAAC,SAAS,CAAC,CAAC,OAAO,GAAG,YAAY;aAClE,CAAC;QACN,CAAC;aAAM,CAAC;YACJ,oBAAoB,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5E,CAAC;QAGD,IAAI,iBAAiB,GAAG,oBAAoB,CAAC;QAC7C,IAAI,gBAAgB,GAAsB,EAAE,CAAC;QAE7C,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;gBAC9B,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;oBAAE,OAAO,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;gBACzD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBAChD,OAAO,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC;YAC/D,CAAC,CAAC,CAAC;YAEH,iBAAiB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAC7C,gBAAgB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAwB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;YAE/F,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACrF,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;gBAC9B,IAAI,CAAC,KAAK,CAAC,gBAAgB,IAAI,aAAa,CAAC;gBAE7C,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;oBACpC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACjC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;oBAC7F,CAAC;gBACL,CAAC;gBAED,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC;oBAChB,IAAI,EAAE,uBAAuB;oBAC7B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,KAAK,EAAE,CAAC;oBACR,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,EAAE;oBACT,QAAQ,EAAE;wBACN,IAAI,EAAE,KAAK;wBACX,EAAE,EAAE,GAAG,aAAa,QAAQ;wBAC5B,MAAM,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;qBACjE;oBACD,QAAQ,EAAE,MAAM;iBACnB,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAGD,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC;YAChB,IAAI,EAAE,+BAA+B;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,EAAE;YACT,QAAQ,EAAE;gBACN,IAAI,EAAE,aAAa;gBACnB,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,IAAI,SAAS;gBAC9C,MAAM,EAAE,GAAG,iBAAiB,CAAC,MAAM,cAAc,QAAQ,CAAC,MAAM,QAAQ;aAC3E;YACD,QAAQ,EAAE,MAAM;SACnB,CAAC,CAAC;QAGH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QAGhE,IAAI,IAAI,CAAC,eAAe,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtD,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,QAAQ,CAAC;IACpB,CAAC;IAKD,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAKD,WAAW;QACP,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;IACrC,CAAC;IAKD,UAAU;QACN,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;IAChC,CAAC;IAIO,gBAAgB,CAAC,cAAkC;QACvD,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO,KAAK,CAAC;QAErC,MAAM,KAAK,GAAuC;YAC9C,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC;SACzD,CAAC;QAEF,OAAO,KAAK,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACpE,CAAC;CACJ"}

package/dist/security/MFAProvider.d.ts

@@ -0,0 +1,35 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export interface MFASetup {
+    secret: string;
+    uri: string;
+    recoveryCodes: string[];
+}
+export interface MFAVerifyResult {
+    valid: boolean;
+    method: 'totp' | 'recovery';
+    reason?: string;
+}
+export interface MFAUserState {
+    userId: string;
+    enabled: boolean;
+    secret: string;
+    recoveryCodes: string[];
+    usedRecoveryCodes: string[];
+    failedAttempts: number;
+    lockedUntil?: Date;
+    lastVerifiedAt?: Date;
+}
+export declare class MFAProvider {
+    private eventBus;
+    private users;
+    constructor(eventBus: SecurityEventBus);
+    setup(userId: string, issuer?: string): MFASetup;
+    verify(userId: string, code: string): MFAVerifyResult;
+    disable(userId: string): boolean;
+    isEnabled(userId: string): boolean;
+    getRemainingRecoveryCodes(userId: string): number;
+    regenerateRecoveryCodes(userId: string): string[];
+    private generateRecoveryCodes;
+    private timingSafeEqual;
+}
+//# sourceMappingURL=MFAProvider.d.ts.map

package/dist/security/MFAProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MFAProvider.d.ts","sourceRoot":"","sources":["../../src/security/MFAProvider.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,WAAW,QAAQ;IAErB,MAAM,EAAE,MAAM,CAAC;IAEf,GAAG,EAAE,MAAM,CAAC;IAEZ,aAAa,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,eAAe;IAC5B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,cAAc,CAAC,EAAE,IAAI,CAAC;CACzB;AAiFD,qBAAa,WAAW;IACpB,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,KAAK,CAAwC;gBAEzC,QAAQ,EAAE,gBAAgB;IAOtC,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,SAAW,GAAG,QAAQ;IAkClD,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe;IA2ErD,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAUhC,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAOlC,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAOjD,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAUjD,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,eAAe;CAQ1B"}

package/dist/security/MFAProvider.js

@@ -0,0 +1,174 @@
+import { randomBytes, createHmac } from 'node:crypto';
+const TOTP_PERIOD = 30;
+const TOTP_DIGITS = 6;
+const TOTP_WINDOW = 1;
+const SECRET_BYTES = 20;
+const RECOVERY_CODE_COUNT = 10;
+const MAX_FAILED_ATTEMPTS = 5;
+const LOCKOUT_DURATION_MS = 15 * 60 * 1000;
+const BASE32_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+function toBase32(buffer) {
+    let bits = '';
+    for (const byte of buffer) {
+        bits += byte.toString(2).padStart(8, '0');
+    }
+    let result = '';
+    for (let i = 0; i < bits.length; i += 5) {
+        const chunk = bits.slice(i, i + 5).padEnd(5, '0');
+        result += BASE32_CHARS[parseInt(chunk, 2)];
+    }
+    return result;
+}
+function fromBase32(encoded) {
+    let bits = '';
+    for (const char of encoded.toUpperCase()) {
+        const idx = BASE32_CHARS.indexOf(char);
+        if (idx === -1)
+            continue;
+        bits += idx.toString(2).padStart(5, '0');
+    }
+    const bytes = [];
+    for (let i = 0; i + 8 <= bits.length; i += 8) {
+        bytes.push(parseInt(bits.slice(i, i + 8), 2));
+    }
+    return Buffer.from(bytes);
+}
+function generateTOTP(secret, time) {
+    const counter = Math.floor(time / TOTP_PERIOD);
+    const counterBuffer = Buffer.alloc(8);
+    counterBuffer.writeUInt32BE(0, 0);
+    counterBuffer.writeUInt32BE(counter, 4);
+    const hmac = createHmac('sha1', secret).update(counterBuffer).digest();
+    const offset = hmac[hmac.length - 1] & 0x0f;
+    const code = (((hmac[offset] & 0x7f) << 24) |
+        ((hmac[offset + 1] & 0xff) << 16) |
+        ((hmac[offset + 2] & 0xff) << 8) |
+        (hmac[offset + 3] & 0xff)) % Math.pow(10, TOTP_DIGITS);
+    return code.toString().padStart(TOTP_DIGITS, '0');
+}
+export class MFAProvider {
+    eventBus;
+    users = new Map();
+    constructor(eventBus) {
+        this.eventBus = eventBus;
+    }
+    setup(userId, issuer = 'Genome') {
+        const secretBuffer = randomBytes(SECRET_BYTES);
+        const secret = toBase32(secretBuffer);
+        const recoveryCodes = this.generateRecoveryCodes();
+        const state = {
+            userId,
+            enabled: true,
+            secret,
+            recoveryCodes,
+            usedRecoveryCodes: [],
+            failedAttempts: 0,
+        };
+        this.users.set(userId, state);
+        const uri = `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(userId)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=${TOTP_DIGITS}&period=${TOTP_PERIOD}`;
+        this.eventBus.emit({
+            type: 'security:audit-entry',
+            timestamp: new Date(),
+            layer: 3,
+            decision: 'info',
+            actor: { userId },
+            resource: { type: 'mfa', id: 'setup', detail: 'MFA enabled' },
+            severity: 'info',
+        });
+        return { secret, uri, recoveryCodes };
+    }
+    verify(userId, code) {
+        const state = this.users.get(userId);
+        if (!state || !state.enabled) {
+            return { valid: false, method: 'totp', reason: 'MFA not enabled for this user' };
+        }
+        if (state.lockedUntil && new Date() < state.lockedUntil) {
+            const remaining = Math.ceil((state.lockedUntil.getTime() - Date.now()) / 60000);
+            return { valid: false, method: 'totp', reason: `Account locked. Try again in ${remaining} minutes.` };
+        }
+        if (code.length === TOTP_DIGITS && /^\d+$/.test(code)) {
+            const secretBuffer = fromBase32(state.secret);
+            const now = Math.floor(Date.now() / 1000);
+            for (let i = -TOTP_WINDOW; i <= TOTP_WINDOW; i++) {
+                const expected = generateTOTP(secretBuffer, now + i * TOTP_PERIOD);
+                if (this.timingSafeEqual(code, expected)) {
+                    state.failedAttempts = 0;
+                    state.lockedUntil = undefined;
+                    state.lastVerifiedAt = new Date();
+                    this.eventBus.emitAllow('security:audit-entry', 3, {
+                        type: 'mfa', id: 'totp-verify', detail: 'Success',
+                    }, { userId });
+                    return { valid: true, method: 'totp' };
+                }
+            }
+        }
+        if (code.length >= 8) {
+            const normalizedCode = code.replace(/-/g, '').toUpperCase();
+            const idx = state.recoveryCodes.indexOf(normalizedCode);
+            if (idx !== -1) {
+                state.recoveryCodes.splice(idx, 1);
+                state.usedRecoveryCodes.push(normalizedCode);
+                state.failedAttempts = 0;
+                state.lockedUntil = undefined;
+                state.lastVerifiedAt = new Date();
+                this.eventBus.emit({
+                    type: 'security:audit-entry',
+                    timestamp: new Date(),
+                    layer: 3,
+                    decision: 'info',
+                    actor: { userId },
+                    resource: { type: 'mfa', id: 'recovery-code', detail: `Used. ${state.recoveryCodes.length} remaining.` },
+                    severity: 'warning',
+                });
+                return { valid: true, method: 'recovery' };
+            }
+        }
+        state.failedAttempts++;
+        if (state.failedAttempts >= MAX_FAILED_ATTEMPTS) {
+            state.lockedUntil = new Date(Date.now() + LOCKOUT_DURATION_MS);
+            this.eventBus.emitDeny('security:audit-entry', 3, {
+                type: 'mfa', id: 'lockout', detail: `${MAX_FAILED_ATTEMPTS} failed attempts — locked for 15 minutes`,
+            }, 'high', { userId });
+        }
+        return { valid: false, method: 'totp', reason: 'Invalid code' };
+    }
+    disable(userId) {
+        const state = this.users.get(userId);
+        if (!state)
+            return false;
+        state.enabled = false;
+        return true;
+    }
+    isEnabled(userId) {
+        return this.users.get(userId)?.enabled ?? false;
+    }
+    getRemainingRecoveryCodes(userId) {
+        return this.users.get(userId)?.recoveryCodes.length ?? 0;
+    }
+    regenerateRecoveryCodes(userId) {
+        const state = this.users.get(userId);
+        if (!state)
+            throw new Error('[MFA] User not found');
+        state.recoveryCodes = this.generateRecoveryCodes();
+        state.usedRecoveryCodes = [];
+        return state.recoveryCodes;
+    }
+    generateRecoveryCodes() {
+        const codes = [];
+        for (let i = 0; i < RECOVERY_CODE_COUNT; i++) {
+            const code = randomBytes(5).toString('hex').toUpperCase();
+            codes.push(code);
+        }
+        return codes;
+    }
+    timingSafeEqual(a, b) {
+        if (a.length !== b.length)
+            return false;
+        let result = 0;
+        for (let i = 0; i < a.length; i++) {
+            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+        }
+        return result === 0;
+    }
+}
+//# sourceMappingURL=MFAProvider.js.map

package/dist/security/MFAProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"MFAProvider.js","sourceRoot":"","sources":["../../src/security/MFAProvider.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiCtD,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,YAAY,GAAG,EAAE,CAAC;AACxB,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAI3C,MAAM,YAAY,GAAG,kCAAkC,CAAC;AAExD,SAAS,QAAQ,CAAC,MAAc;IAC5B,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QACxB,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAClD,MAAM,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IAC/B,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,SAAS;QACzB,IAAI,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAID,SAAS,YAAY,CAAC,MAAc,EAAE,IAAY;IAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,WAAW,CAAC,CAAC;IAC/C,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtC,aAAa,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAExC,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,EAAE,CAAC;IACvE,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;IAC5C,MAAM,IAAI,GAAG,CACT,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAC5B,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IAE9B,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;AACtD,CAAC;AAoBD,MAAM,OAAO,WAAW;IACZ,QAAQ,CAAmB;IAC3B,KAAK,GAA8B,IAAI,GAAG,EAAE,CAAC;IAErD,YAAY,QAA0B;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC7B,CAAC;IAKD,KAAK,CAAC,MAAc,EAAE,MAAM,GAAG,QAAQ;QACnC,MAAM,YAAY,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC;QACtC,MAAM,aAAa,GAAG,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAEnD,MAAM,KAAK,GAAiB;YACxB,MAAM;YACN,OAAO,EAAE,IAAI;YACb,MAAM;YACN,aAAa;YACb,iBAAiB,EAAE,EAAE;YACrB,cAAc,EAAE,CAAC;SACpB,CAAC;QAEF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAE9B,MAAM,GAAG,GAAG,kBAAkB,kBAAkB,CAAC,MAAM,CAAC,IAAI,kBAAkB,CAAC,MAAM,CAAC,WAAW,MAAM,WAAW,kBAAkB,CAAC,MAAM,CAAC,0BAA0B,WAAW,WAAW,WAAW,EAAE,CAAC;QAE1M,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,sBAAsB;YAC5B,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE;YAC7D,QAAQ,EAAE,MAAM;SACnB,CAAC,CAAC;QAEH,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC;IAC1C,CAAC;IAKD,MAAM,CAAC,MAAc,EAAE,IAAY;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAErC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACrF,CAAC;QAGD,IAAI,KAAK,CAAC,WAAW,IAAI,IAAI,IAAI,EAAE,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YACtD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;YAChF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gCAAgC,SAAS,WAAW,EAAE,CAAC;QAC1G,CAAC;QAGD,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC/C,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;gBACnE,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACvC,KAAK,CAAC,cAAc,GAAG,CAAC,CAAC;oBACzB,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC;oBAC9B,KAAK,CAAC,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC;oBAElC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,sBAA+B,EAAE,CAAC,EAAE;wBACxD,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS;qBACpD,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;oBAEf,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;gBAC3C,CAAC;YACL,CAAC;QACL,CAAC;QAGD,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC5D,MAAM,GAAG,GAAG,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;YAExD,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;gBACb,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBACnC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;gBAC7C,KAAK,CAAC,cAAc,GAAG,CAAC,CAAC;gBACzB,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC;gBAC9B,KAAK,CAAC,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC;gBAElC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACf,IAAI,EAAE,sBAAsB;oBAC5B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,KAAK,EAAE,CAAC;oBACR,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,EAAE,MAAM,EAAE;oBACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,KAAK,CAAC,aAAa,CAAC,MAAM,aAAa,EAAE;oBACxG,QAAQ,EAAE,SAAS;iBACtB,CAAC,CAAC;gBAEH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;YAC/C,CAAC;QACL,CAAC;QAGD,KAAK,CAAC,cAAc,EAAE,CAAC;QACvB,IAAI,KAAK,CAAC,cAAc,IAAI,mBAAmB,EAAE,CAAC;YAC9C,KAAK,CAAC,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,mBAAmB,CAAC,CAAC;YAC/D,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,sBAA+B,EAAE,CAAC,EAAE;gBACvD,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,mBAAmB,0CAA0C;aACvG,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IACpE,CAAC;IAKD,OAAO,CAAC,MAAc;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC;QACtB,OAAO,IAAI,CAAC;IAChB,CAAC;IAKD,SAAS,CAAC,MAAc;QACpB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,OAAO,IAAI,KAAK,CAAC;IACpD,CAAC;IAKD,yBAAyB,CAAC,MAAc;QACpC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC,MAAM,IAAI,CAAC,CAAC;IAC7D,CAAC;IAKD,uBAAuB,CAAC,MAAc;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACpD,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACnD,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC,aAAa,CAAC;IAC/B,CAAC;IAIO,qBAAqB;QACzB,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,mBAAmB,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3C,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAEO,eAAe,CAAC,CAAS,EAAE,CAAS;QACxC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACxC,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAM,KAAK,CAAC,CAAC;IACxB,CAAC;CACJ"}

package/dist/security/NetworkAuditLogger.d.ts

@@ -0,0 +1,35 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export interface NetworkLogEntry {
+    timestamp: Date;
+    method: string;
+    hostname: string;
+    port: number;
+    path: string;
+    requestSize: number;
+    responseStatus?: number;
+    responseSize?: number;
+    durationMs?: number;
+    skillId?: string;
+    blocked: boolean;
+}
+export interface TrafficSummary {
+    totalRequests: number;
+    blockedRequests: number;
+    byHostname: Record<string, number>;
+    byMethod: Record<string, number>;
+    avgDurationMs: number;
+    totalBytesOut: number;
+    totalBytesIn: number;
+}
+export declare class NetworkAuditLogger {
+    private entries;
+    private maxEntries;
+    constructor(eventBus: SecurityEventBus);
+    logRequest(entry: Omit<NetworkLogEntry, 'timestamp' | 'blocked'>): void;
+    getSummary(since?: Date): TrafficSummary;
+    getRecent(limit?: number): NetworkLogEntry[];
+    detectAnomalies(windowMs?: number): string[];
+    getEntryCount(): number;
+    private trimEntries;
+}
+//# sourceMappingURL=NetworkAuditLogger.d.ts.map

package/dist/security/NetworkAuditLogger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"NetworkAuditLogger.d.ts","sourceRoot":"","sources":["../../src/security/NetworkAuditLogger.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,WAAW,eAAe;IAC5B,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACxB;AA0BD,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,OAAO,CAAyB;IACxC,OAAO,CAAC,UAAU,CAAQ;gBAEd,QAAQ,EAAE,gBAAgB;IAmCtC,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,eAAe,EAAE,WAAW,GAAG,SAAS,CAAC,GAAG,IAAI;IAcvE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,cAAc;IAsCxC,SAAS,CAAC,KAAK,SAAK,GAAG,eAAe,EAAE;IAOxC,eAAe,CAAC,QAAQ,SAAU,GAAG,MAAM,EAAE;IA2B7C,aAAa,IAAI,MAAM;IAMvB,OAAO,CAAC,WAAW;CAKtB"}

package/dist/security/NetworkAuditLogger.js

@@ -0,0 +1,99 @@
+export class NetworkAuditLogger {
+    entries = [];
+    maxEntries = 5000;
+    constructor(eventBus) {
+        eventBus.on('security:net-blocked', (event) => {
+            this.entries.push({
+                timestamp: event.timestamp,
+                method: 'BLOCKED',
+                hostname: event.resource.id,
+                port: 0,
+                path: '',
+                requestSize: 0,
+                blocked: true,
+                skillId: event.actor.skillId,
+            });
+            this.trimEntries();
+        });
+        eventBus.on('security:net-allowed', (event) => {
+            this.entries.push({
+                timestamp: event.timestamp,
+                method: 'ALLOWED',
+                hostname: event.resource.id,
+                port: 0,
+                path: '',
+                requestSize: 0,
+                blocked: false,
+                skillId: event.actor.skillId,
+            });
+            this.trimEntries();
+        });
+    }
+    logRequest(entry) {
+        const full = {
+            ...entry,
+            timestamp: new Date(),
+            blocked: false,
+        };
+        this.entries.push(full);
+        this.trimEntries();
+    }
+    getSummary(since) {
+        let entries = this.entries;
+        if (since) {
+            entries = entries.filter(e => e.timestamp >= since);
+        }
+        const summary = {
+            totalRequests: entries.length,
+            blockedRequests: entries.filter(e => e.blocked).length,
+            byHostname: {},
+            byMethod: {},
+            avgDurationMs: 0,
+            totalBytesOut: 0,
+            totalBytesIn: 0,
+        };
+        let totalDuration = 0;
+        let durationCount = 0;
+        for (const entry of entries) {
+            summary.byHostname[entry.hostname] = (summary.byHostname[entry.hostname] || 0) + 1;
+            summary.byMethod[entry.method] = (summary.byMethod[entry.method] || 0) + 1;
+            summary.totalBytesOut += entry.requestSize;
+            summary.totalBytesIn += entry.responseSize ?? 0;
+            if (entry.durationMs) {
+                totalDuration += entry.durationMs;
+                durationCount++;
+            }
+        }
+        summary.avgDurationMs = durationCount > 0 ? totalDuration / durationCount : 0;
+        return summary;
+    }
+    getRecent(limit = 50) {
+        return this.entries.slice(-limit);
+    }
+    detectAnomalies(windowMs = 300_000) {
+        const anomalies = [];
+        const now = Date.now();
+        const recent = this.entries.filter(e => now - e.timestamp.getTime() < windowMs);
+        const hostCounts = {};
+        for (const entry of recent) {
+            hostCounts[entry.hostname] = (hostCounts[entry.hostname] || 0) + 1;
+        }
+        const older = this.entries.filter(e => now - e.timestamp.getTime() >= windowMs);
+        const oldHosts = new Set(older.map(e => e.hostname));
+        for (const [host, count] of Object.entries(hostCounts)) {
+            if (!oldHosts.has(host) && count > 5) {
+                anomalies.push(`New domain "${host}" with ${count} requests in last ${windowMs / 60000}m`);
+            }
+        }
+        return anomalies;
+    }
+    getEntryCount() {
+        return this.entries.length;
+    }
+    trimEntries() {
+        if (this.entries.length > this.maxEntries) {
+            this.entries = this.entries.slice(-this.maxEntries);
+        }
+    }
+}
+//# sourceMappingURL=NetworkAuditLogger.js.map

package/dist/security/NetworkAuditLogger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"NetworkAuditLogger.js","sourceRoot":"","sources":["../../src/security/NetworkAuditLogger.ts"],"names":[],"mappings":"AA+DA,MAAM,OAAO,kBAAkB;IACnB,OAAO,GAAsB,EAAE,CAAC;IAChC,UAAU,GAAG,IAAI,CAAC;IAE1B,YAAY,QAA0B;QAGlC,QAAQ,CAAC,EAAE,CAAC,sBAAsB,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1C,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,EAAE;gBAC3B,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,EAAE;gBACR,WAAW,EAAE,CAAC;gBACd,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO;aAC/B,CAAC,CAAC;YACH,IAAI,CAAC,WAAW,EAAE,CAAC;QACvB,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,EAAE,CAAC,sBAAsB,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1C,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,EAAE;gBAC3B,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,EAAE;gBACR,WAAW,EAAE,CAAC;gBACd,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO;aAC/B,CAAC,CAAC;YACH,IAAI,CAAC,WAAW,EAAE,CAAC;QACvB,CAAC,CAAC,CAAC;IACP,CAAC;IAKD,UAAU,CAAC,KAAqD;QAC5D,MAAM,IAAI,GAAoB;YAC1B,GAAG,KAAK;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO,EAAE,KAAK;SACjB,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,IAAI,CAAC,WAAW,EAAE,CAAC;IACvB,CAAC;IAKD,UAAU,CAAC,KAAY;QACnB,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC3B,IAAI,KAAK,EAAE,CAAC;YACR,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,OAAO,GAAmB;YAC5B,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM;YACtD,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,EAAE;YACZ,aAAa,EAAE,CAAC;YAChB,aAAa,EAAE,CAAC;YAChB,YAAY,EAAE,CAAC;SAClB,CAAC;QAEF,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,aAAa,GAAG,CAAC,CAAC;QAEtB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC1B,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACnF,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3E,OAAO,CAAC,aAAa,IAAI,KAAK,CAAC,WAAW,CAAC;YAC3C,OAAO,CAAC,YAAY,IAAI,KAAK,CAAC,YAAY,IAAI,CAAC,CAAC;YAChD,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;gBACnB,aAAa,IAAI,KAAK,CAAC,UAAU,CAAC;gBAClC,aAAa,EAAE,CAAC;YACpB,CAAC;QACL,CAAC;QAED,OAAO,CAAC,aAAa,GAAG,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;QAE9E,OAAO,OAAO,CAAC;IACnB,CAAC;IAKD,SAAS,CAAC,KAAK,GAAG,EAAE;QAChB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IAKD,eAAe,CAAC,QAAQ,GAAG,OAAO;QAC9B,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,QAAQ,CAAC,CAAC;QAGhF,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YACzB,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACvE,CAAC;QAGD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,QAAQ,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAErD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;gBACnC,SAAS,CAAC,IAAI,CAAC,eAAe,IAAI,UAAU,KAAK,qBAAqB,QAAQ,GAAG,KAAK,GAAG,CAAC,CAAC;YAC/F,CAAC;QACL,CAAC;QAED,OAAO,SAAS,CAAC;IACrB,CAAC;IAKD,aAAa;QACT,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAIO,WAAW;QACf,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxD,CAAC;IACL,CAAC;CACJ"}

package/dist/security/OutboundAllowlist.d.ts

@@ -0,0 +1,33 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export interface OutboundCheckResult {
+    allowed: boolean;
+    reason?: string;
+    hostname: string;
+}
+export interface OutboundAllowlistConfig {
+    allowedDomains: string[];
+    blockPrivateNetworks: boolean;
+    mode: 'strict' | 'broad' | 'unrestricted';
+}
+export declare class OutboundAllowlist {
+    private eventBus;
+    private allowedDomains;
+    private blockPrivateNetworks;
+    private mode;
+    private stats;
+    constructor(eventBus: SecurityEventBus, config: OutboundAllowlistConfig);
+    check(hostname: string, skillId?: string): OutboundCheckResult;
+    checkURL(url: string, skillId?: string): OutboundCheckResult;
+    addDomain(domain: string): void;
+    removeDomain(domain: string): boolean;
+    getDomains(): string[];
+    getStats(): {
+        totalChecks: number;
+        allowed: number;
+        blocked: number;
+    };
+    private isPrivateNetwork;
+    private isDomainAllowed;
+    private isSuspiciousDomain;
+}
+//# sourceMappingURL=OutboundAllowlist.d.ts.map

package/dist/security/OutboundAllowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OutboundAllowlist.d.ts","sourceRoot":"","sources":["../../src/security/OutboundAllowlist.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,WAAW,mBAAmB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,uBAAuB;IAEpC,cAAc,EAAE,MAAM,EAAE,CAAC;IAEzB,oBAAoB,EAAE,OAAO,CAAC;IAE9B,IAAI,EAAE,QAAQ,GAAG,OAAO,GAAG,cAAc,CAAC;CAC7C;AAwCD,qBAAa,iBAAiB;IAC1B,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,cAAc,CAAW;IACjC,OAAO,CAAC,oBAAoB,CAAU;IACtC,OAAO,CAAC,IAAI,CAAkC;IAC9C,OAAO,CAAC,KAAK,CAA8C;gBAE/C,QAAQ,EAAE,gBAAgB,EAAE,MAAM,EAAE,uBAAuB;IAUvE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,mBAAmB;IA4D9D,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,mBAAmB;IAY5D,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAS/B,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAUrC,UAAU,IAAI,MAAM,EAAE;IAOtB,QAAQ;;;;;IAMR,OAAO,CAAC,gBAAgB;IAKxB,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,kBAAkB;CAU7B"}