@gsep/core 0.8.0 → 1.0.0

package/dist/security/OutboundAllowlist.js

@@ -0,0 +1,112 @@
+const PRIVATE_IP_PATTERNS = [
+    /^10\./,
+    /^172\.(1[6-9]|2\d|3[01])\./,
+    /^192\.168\./,
+    /^127\./,
+    /^169\.254\./,
+    /^0\./,
+    /^::1$/,
+    /^fc00:/i,
+    /^fe80:/i,
+];
+const PRIVATE_HOSTNAMES = [
+    'localhost',
+    'localhost.localdomain',
+    'metadata.google.internal',
+    'instance-data.ec2.internal',
+];
+export class OutboundAllowlist {
+    eventBus;
+    allowedDomains;
+    blockPrivateNetworks;
+    mode;
+    stats = { totalChecks: 0, allowed: 0, blocked: 0 };
+    constructor(eventBus, config) {
+        this.eventBus = eventBus;
+        this.allowedDomains = config.allowedDomains;
+        this.blockPrivateNetworks = config.blockPrivateNetworks;
+        this.mode = config.mode;
+    }
+    check(hostname, skillId) {
+        this.stats.totalChecks++;
+        if (this.mode === 'unrestricted') {
+            this.stats.allowed++;
+            return { allowed: true, hostname };
+        }
+        if (this.blockPrivateNetworks && this.isPrivateNetwork(hostname)) {
+            this.stats.blocked++;
+            this.eventBus.emitDeny('security:net-blocked', 6, { type: 'outbound', id: hostname, detail: 'Private network blocked (SSRF prevention)' }, 'high', { skillId });
+            return { allowed: false, reason: 'Private network access blocked', hostname };
+        }
+        if (this.mode === 'strict' && !this.isDomainAllowed(hostname)) {
+            this.stats.blocked++;
+            this.eventBus.emitDeny('security:net-blocked', 6, { type: 'outbound', id: hostname, detail: 'Domain not in allowlist' }, 'warning', { skillId });
+            return { allowed: false, reason: `Domain "${hostname}" not in allowlist`, hostname };
+        }
+        if (this.mode === 'broad' && this.isSuspiciousDomain(hostname)) {
+            this.stats.blocked++;
+            this.eventBus.emitDeny('security:net-blocked', 6, { type: 'outbound', id: hostname, detail: 'Suspicious domain blocked' }, 'warning', { skillId });
+            return { allowed: false, reason: `Suspicious domain blocked: ${hostname}`, hostname };
+        }
+        this.stats.allowed++;
+        this.eventBus.emitAllow('security:net-allowed', 6, {
+            type: 'outbound',
+            id: hostname,
+        }, { skillId });
+        return { allowed: true, hostname };
+    }
+    checkURL(url, skillId) {
+        try {
+            const parsed = new URL(url);
+            return this.check(parsed.hostname, skillId);
+        }
+        catch {
+            return { allowed: false, reason: 'Invalid URL', hostname: url };
+        }
+    }
+    addDomain(domain) {
+        if (!this.allowedDomains.includes(domain)) {
+            this.allowedDomains.push(domain);
+        }
+    }
+    removeDomain(domain) {
+        const idx = this.allowedDomains.indexOf(domain);
+        if (idx === -1)
+            return false;
+        this.allowedDomains.splice(idx, 1);
+        return true;
+    }
+    getDomains() {
+        return [...this.allowedDomains];
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    isPrivateNetwork(hostname) {
+        if (PRIVATE_HOSTNAMES.includes(hostname.toLowerCase()))
+            return true;
+        return PRIVATE_IP_PATTERNS.some(p => p.test(hostname));
+    }
+    isDomainAllowed(hostname) {
+        const lower = hostname.toLowerCase();
+        return this.allowedDomains.some(pattern => {
+            const lowerPattern = pattern.toLowerCase();
+            if (lowerPattern.startsWith('*.')) {
+                const suffix = lowerPattern.slice(1);
+                return lower.endsWith(suffix) || lower === lowerPattern.slice(2);
+            }
+            return lower === lowerPattern;
+        });
+    }
+    isSuspiciousDomain(hostname) {
+        const suspicious = [
+            /\.onion$/i,
+            /\.i2p$/i,
+            /\.bit$/i,
+            /^(\d{1,3}\.){3}\d{1,3}$/,
+            /webhook|hook|exfil|collect|log|beacon/i,
+        ];
+        return suspicious.some(p => p.test(hostname));
+    }
+}
+//# sourceMappingURL=OutboundAllowlist.js.map

package/dist/security/OutboundAllowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OutboundAllowlist.js","sourceRoot":"","sources":["../../src/security/OutboundAllowlist.ts"],"names":[],"mappings":"AAgCA,MAAM,mBAAmB,GAAG;IACxB,OAAO;IACP,4BAA4B;IAC5B,aAAa;IACb,QAAQ;IACR,aAAa;IACb,MAAM;IACN,OAAO;IACP,SAAS;IACT,SAAS;CACZ,CAAC;AAEF,MAAM,iBAAiB,GAAG;IACtB,WAAW;IACX,uBAAuB;IACvB,0BAA0B;IAC1B,4BAA4B;CAC/B,CAAC;AAmBF,MAAM,OAAO,iBAAiB;IAClB,QAAQ,CAAmB;IAC3B,cAAc,CAAW;IACzB,oBAAoB,CAAU;IAC9B,IAAI,CAAkC;IACtC,KAAK,GAAG,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAE3D,YAAY,QAA0B,EAAE,MAA+B;QACnE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QAC5C,IAAI,CAAC,oBAAoB,GAAG,MAAM,CAAC,oBAAoB,CAAC;QACxD,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IAC5B,CAAC;IAKD,KAAK,CAAC,QAAgB,EAAE,OAAgB;QACpC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAGzB,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QACvC,CAAC;QAGD,IAAI,IAAI,CAAC,oBAAoB,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,sBAAsB,EACtB,CAAC,EACD,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,2CAA2C,EAAE,EACvF,MAAM,EACN,EAAE,OAAO,EAAE,CACd,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,QAAQ,EAAE,CAAC;QAClF,CAAC;QAGD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,sBAAsB,EACtB,CAAC,EACD,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,yBAAyB,EAAE,EACrE,SAAS,EACT,EAAE,OAAO,EAAE,CACd,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,QAAQ,oBAAoB,EAAE,QAAQ,EAAE,CAAC;QACzF,CAAC;QAGD,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,sBAAsB,EACtB,CAAC,EACD,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,2BAA2B,EAAE,EACvE,SAAS,EACT,EAAE,OAAO,EAAE,CACd,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC;QAC1F,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,sBAAsB,EAAE,CAAC,EAAE;YAC/C,IAAI,EAAE,UAAU;YAChB,EAAE,EAAE,QAAQ;SACf,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAEhB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACvC,CAAC;IAKD,QAAQ,CAAC,GAAW,EAAE,OAAgB;QAClC,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC;QACpE,CAAC;IACL,CAAC;IAKD,SAAS,CAAC,MAAc;QACpB,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAKD,YAAY,CAAC,MAAc;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IAChB,CAAC;IAKD,UAAU;QACN,OAAO,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC;IACpC,CAAC;IAKD,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAIO,gBAAgB,CAAC,QAAgB;QACrC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;QACpE,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3D,CAAC;IAEO,eAAe,CAAC,QAAgB;QACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YACtC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;YAC3C,IAAI,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEhC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACrC,OAAO,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACrE,CAAC;YACD,OAAO,KAAK,KAAK,YAAY,CAAC;QAClC,CAAC,CAAC,CAAC;IACP,CAAC;IAEO,kBAAkB,CAAC,QAAgB;QACvC,MAAM,UAAU,GAAG;YACf,WAAW;YACX,SAAS;YACT,SAAS;YACT,yBAAyB;YACzB,wCAAwC;SAC3C,CAAC;QACF,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;CACJ"}

package/dist/security/PIIRedactionEngine.d.ts

@@ -0,0 +1,40 @@
+export type PIICategory = 'credit-card' | 'ssn' | 'email' | 'phone' | 'iban' | 'api-key' | 'ip-address' | 'passport' | 'national-id';
+export interface PIIMatch {
+    category: PIICategory;
+    original: string;
+    token: string;
+    startIndex: number;
+    endIndex: number;
+}
+export interface RedactionResult {
+    redacted: string;
+    matches: PIIMatch[];
+    categories: PIICategory[];
+}
+export declare class PIIRedactionEngine {
+    private vault;
+    private enabledCategories;
+    private vaultMaxSize;
+    private vaultTTLMs;
+    private stats;
+    constructor(options?: {
+        categories?: PIICategory[];
+        vaultMaxSize?: number;
+        vaultTTLMs?: number;
+    });
+    redact(text: string): RedactionResult;
+    rehydrate(text: string): string;
+    scan(text: string): {
+        hasPII: boolean;
+        categories: PIICategory[];
+        count: number;
+    };
+    getStats(): typeof this.stats;
+    clearVault(): void;
+    getVaultSize(): number;
+    private generateToken;
+    private categoryShort;
+    private removeOverlaps;
+    private cleanupVault;
+}
+//# sourceMappingURL=PIIRedactionEngine.d.ts.map

package/dist/security/PIIRedactionEngine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PIIRedactionEngine.d.ts","sourceRoot":"","sources":["../../src/security/PIIRedactionEngine.ts"],"names":[],"mappings":"AAmBA,MAAM,MAAM,WAAW,GACjB,aAAa,GACb,KAAK,GACL,OAAO,GACP,OAAO,GACP,MAAM,GACN,SAAS,GACT,YAAY,GACZ,UAAU,GACV,aAAa,CAAC;AAEpB,MAAM,WAAW,QAAQ;IACrB,QAAQ,EAAE,WAAW,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,QAAQ,EAAE,CAAC;IACpB,UAAU,EAAE,WAAW,EAAE,CAAC;CAC7B;AAsID,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,KAAK,CAA0F;IACvG,OAAO,CAAC,iBAAiB,CAAmB;IAC5C,OAAO,CAAC,YAAY,CAAU;IAC9B,OAAO,CAAC,UAAU,CAAa;IAG/B,OAAO,CAAC,KAAK,CAIX;gBAEU,OAAO,CAAC,EAAE;QAClB,UAAU,CAAC,EAAE,WAAW,EAAE,CAAC;QAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,UAAU,CAAC,EAAE,MAAM,CAAC;KACvB;IAYD,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;IA4ErC,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAa/B,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,MAAM,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,WAAW,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IAgBjF,QAAQ,IAAI,OAAO,IAAI,CAAC,KAAK;IAO7B,UAAU,IAAI,IAAI;IAOlB,YAAY,IAAI,MAAM;IAMtB,OAAO,CAAC,aAAa;IAMrB,OAAO,CAAC,aAAa;IAerB,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,YAAY;CAmBvB"}

package/dist/security/PIIRedactionEngine.js

@@ -0,0 +1,232 @@
+import { randomBytes } from 'node:crypto';
+function luhnCheck(num) {
+    const digits = num.replace(/\D/g, '');
+    if (digits.length < 13 || digits.length > 19)
+        return false;
+    let sum = 0;
+    let alternate = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let n = parseInt(digits[i], 10);
+        if (alternate) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alternate = !alternate;
+    }
+    return sum % 10 === 0;
+}
+function isValidIBAN(iban) {
+    const cleaned = iban.replace(/\s/g, '').toUpperCase();
+    if (cleaned.length < 15 || cleaned.length > 34)
+        return false;
+    if (!/^[A-Z]{2}\d{2}[A-Z0-9]+$/.test(cleaned))
+        return false;
+    const rearranged = cleaned.slice(4) + cleaned.slice(0, 4);
+    const numeric = rearranged.replace(/[A-Z]/g, ch => String(ch.charCodeAt(0) - 55));
+    let remainder = '';
+    for (const digit of numeric) {
+        remainder += digit;
+        const num = parseInt(remainder, 10);
+        remainder = String(num % 97);
+    }
+    return parseInt(remainder, 10) === 1;
+}
+const PII_PATTERNS = [
+    {
+        category: 'api-key',
+        regex: /\b(?:sk-ant-[A-Za-z0-9\-]{20,}|sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{36,}|ghs_[A-Za-z0-9]{36,}|glpat-[A-Za-z0-9\-_]{20,}|xox[bpsr]-[A-Za-z0-9\-]{10,}|AKIA[A-Z0-9]{16}|ntn_[A-Za-z0-9]{40,}|whsec_[A-Za-z0-9]{20,})\b/g,
+    },
+    {
+        category: 'iban',
+        regex: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b|\b[A-Z]{2}\d{2}\s?[A-Z0-9]{4}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b/g,
+        validate: isValidIBAN,
+    },
+    {
+        category: 'credit-card',
+        regex: /\b(?:\d{4}[-\s]?){3}\d{1,4}\b/g,
+        validate: (match) => luhnCheck(match.replace(/[-\s]/g, '')),
+    },
+    {
+        category: 'ssn',
+        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+        validate: (match) => {
+            const parts = match.split('-');
+            const area = parseInt(parts[0], 10);
+            return area > 0 && area !== 666 && area < 900;
+        },
+    },
+    {
+        category: 'email',
+        regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+    },
+    {
+        category: 'phone',
+        regex: /\+\d{1,3}[-.\s]?\(?\d{2,4}\)?[-.\s]?\d{3,4}[-.\s]?\d{3,4}\b|\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g,
+        validate: (match) => {
+            const digits = match.replace(/\D/g, '');
+            return digits.length >= 7 && digits.length <= 15;
+        },
+    },
+    {
+        category: 'ip-address',
+        regex: /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g,
+        validate: (match) => {
+            return match !== '0.0.0.0' && match !== '127.0.0.1' && match !== '255.255.255.255';
+        },
+    },
+    {
+        category: 'national-id',
+        regex: /\b[CFGHJKLMNPRTVWXYZ0-9]{10}\b/g,
+    },
+    {
+        category: 'passport',
+        regex: /\b[A-Z]{1,2}\d{6,9}\b/g,
+    },
+];
+export class PIIRedactionEngine {
+    vault = new Map();
+    enabledCategories;
+    vaultMaxSize = 10_000;
+    vaultTTLMs = 3_600_000;
+    stats = {
+        totalScanned: 0,
+        totalRedacted: 0,
+        byCategory: {},
+    };
+    constructor(options) {
+        this.enabledCategories = options?.categories
+            ? new Set(options.categories)
+            : new Set(PII_PATTERNS.map(p => p.category));
+        if (options?.vaultMaxSize)
+            this.vaultMaxSize = options.vaultMaxSize;
+        if (options?.vaultTTLMs)
+            this.vaultTTLMs = options.vaultTTLMs;
+    }
+    redact(text) {
+        this.stats.totalScanned++;
+        const matches = [];
+        let redacted = text;
+        const allMatches = [];
+        for (const pattern of PII_PATTERNS) {
+            if (!this.enabledCategories.has(pattern.category))
+                continue;
+            pattern.regex.lastIndex = 0;
+            let match;
+            while ((match = pattern.regex.exec(text)) !== null) {
+                const value = match[0];
+                if (pattern.validate && !pattern.validate(value))
+                    continue;
+                const token = this.generateToken(pattern.category);
+                allMatches.push({
+                    category: pattern.category,
+                    original: value,
+                    token,
+                    startIndex: match.index,
+                    endIndex: match.index + value.length,
+                    pattern,
+                });
+            }
+        }
+        allMatches.sort((a, b) => b.startIndex - a.startIndex);
+        const filtered = this.removeOverlaps(allMatches);
+        for (const m of filtered) {
+            redacted = redacted.slice(0, m.startIndex) + m.token + redacted.slice(m.endIndex);
+            this.vault.set(m.token, {
+                original: m.original,
+                category: m.category,
+                timestamp: Date.now(),
+            });
+            this.stats.totalRedacted++;
+            this.stats.byCategory[m.category] = (this.stats.byCategory[m.category] || 0) + 1;
+            matches.push({
+                category: m.category,
+                original: m.original,
+                token: m.token,
+                startIndex: m.startIndex,
+                endIndex: m.endIndex,
+            });
+        }
+        this.cleanupVault();
+        const categories = [...new Set(matches.map(m => m.category))];
+        return { redacted, matches: matches.reverse(), categories };
+    }
+    rehydrate(text) {
+        let result = text;
+        for (const [token, entry] of this.vault) {
+            if (result.includes(token)) {
+                result = result.replaceAll(token, entry.original);
+            }
+        }
+        return result;
+    }
+    scan(text) {
+        const result = this.redact(text);
+        for (const match of result.matches) {
+            this.vault.delete(match.token);
+        }
+        return {
+            hasPII: result.matches.length > 0,
+            categories: result.categories,
+            count: result.matches.length,
+        };
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    clearVault() {
+        this.vault.clear();
+    }
+    getVaultSize() {
+        return this.vault.size;
+    }
+    generateToken(category) {
+        const id = randomBytes(2).toString('hex');
+        const short = this.categoryShort(category);
+        return `[REDACTED:${short}:${id}]`;
+    }
+    categoryShort(category) {
+        const map = {
+            'credit-card': 'CC',
+            'ssn': 'SSN',
+            'email': 'EMAIL',
+            'phone': 'PHONE',
+            'iban': 'IBAN',
+            'api-key': 'KEY',
+            'ip-address': 'IP',
+            'passport': 'PASS',
+            'national-id': 'NID',
+        };
+        return map[category] || 'PII';
+    }
+    removeOverlaps(matches) {
+        const result = [];
+        let lastEnd = Infinity;
+        for (const m of matches) {
+            if (m.endIndex <= lastEnd) {
+                result.push(m);
+                lastEnd = m.startIndex;
+            }
+        }
+        return result;
+    }
+    cleanupVault() {
+        if (this.vault.size <= this.vaultMaxSize)
+            return;
+        const now = Date.now();
+        for (const [token, entry] of this.vault) {
+            if (now - entry.timestamp > this.vaultTTLMs) {
+                this.vault.delete(token);
+            }
+        }
+        if (this.vault.size > this.vaultMaxSize) {
+            const entries = [...this.vault.entries()].sort((a, b) => a[1].timestamp - b[1].timestamp);
+            const toRemove = entries.slice(0, this.vault.size - this.vaultMaxSize);
+            for (const [token] of toRemove) {
+                this.vault.delete(token);
+            }
+        }
+    }
+}
+//# sourceMappingURL=PIIRedactionEngine.js.map

package/dist/security/PIIRedactionEngine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PIIRedactionEngine.js","sourceRoot":"","sources":["../../src/security/PIIRedactionEngine.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAqC1C,SAAS,SAAS,CAAC,GAAW;IAC1B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtC,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3D,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,IAAI,SAAS,EAAE,CAAC;YACZ,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,GAAG,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;QACD,GAAG,IAAI,CAAC,CAAC;QACT,SAAS,GAAG,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACtD,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC7D,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE5D,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAClF,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC1B,SAAS,IAAI,KAAK,CAAC;QACnB,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACpC,SAAS,GAAG,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAID,MAAM,YAAY,GAAiB;IAI/B;QACI,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,sNAAsN;KAChO;IAGD;QACI,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+GAA+G;QACtH,QAAQ,EAAE,WAAW;KACxB;IAGD;QACI,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;KAC9D;IAGD;QACI,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAChB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,OAAO,IAAI,GAAG,CAAC,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,GAAG,GAAG,CAAC;QAClD,CAAC;KACJ;IAGD;QACI,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,qDAAqD;KAC/D;IAGD;QACI,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,oGAAoG;QAC3G,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,OAAO,MAAM,CAAC,MAAM,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACrD,CAAC;KACJ;IAGD;QACI,QAAQ,EAAE,YAAY;QACtB,KAAK,EAAE,8EAA8E;QACrF,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAChB,OAAO,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,KAAK,iBAAiB,CAAC;QACvF,CAAC;KACJ;IAGD;QACI,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE,iCAAiC;KAC3C;IAGD;QACI,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;KAClC;CACJ,CAAC;AAmBF,MAAM,OAAO,kBAAkB;IACnB,KAAK,GAAgF,IAAI,GAAG,EAAE,CAAC;IAC/F,iBAAiB,CAAmB;IACpC,YAAY,GAAG,MAAM,CAAC;IACtB,UAAU,GAAG,SAAS,CAAC;IAGvB,KAAK,GAAG;QACZ,YAAY,EAAE,CAAC;QACf,aAAa,EAAE,CAAC;QAChB,UAAU,EAAE,EAAiC;KAChD,CAAC;IAEF,YAAY,OAIX;QACG,IAAI,CAAC,iBAAiB,GAAG,OAAO,EAAE,UAAU;YACxC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC;YAC7B,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAEjD,IAAI,OAAO,EAAE,YAAY;YAAE,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACpE,IAAI,OAAO,EAAE,UAAU;YAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAClE,CAAC;IAKD,MAAM,CAAC,IAAY;QACf,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAe,EAAE,CAAC;QAC/B,IAAI,QAAQ,GAAG,IAAI,CAAC;QAGpB,MAAM,UAAU,GAA8C,EAAE,CAAC;QAEjE,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAG5D,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YAE5B,IAAI,KAAK,CAAC;YACV,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACjD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAGvB,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAAE,SAAS;gBAE3D,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBAEnD,UAAU,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,KAAK;oBACf,KAAK;oBACL,UAAU,EAAE,KAAK,CAAC,KAAK;oBACvB,QAAQ,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM;oBACpC,OAAO;iBACV,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAGD,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;QAGvD,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAGjD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACvB,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YAGlF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE;gBACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACxB,CAAC,CAAC;YAGH,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAEjF,OAAO,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACvB,CAAC,CAAC;QACP,CAAC;QAGD,IAAI,CAAC,YAAY,EAAE,CAAC;QAEpB,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAE9D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,CAAC;IAChE,CAAC;IAMD,SAAS,CAAC,IAAY;QAClB,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAC;IAClB,CAAC;IAKD,IAAI,CAAC,IAAY;QACb,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAEjC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;QACD,OAAO;YACH,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;SAC/B,CAAC;IACN,CAAC;IAKD,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAKD,UAAU;QACN,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAKD,YAAY;QACR,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IAC3B,CAAC;IAIO,aAAa,CAAC,QAAqB;QACvC,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC3C,OAAO,aAAa,KAAK,IAAI,EAAE,GAAG,CAAC;IACvC,CAAC;IAEO,aAAa,CAAC,QAAqB;QACvC,MAAM,GAAG,GAAgC;YACrC,aAAa,EAAE,IAAI;YACnB,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,OAAO;YAChB,OAAO,EAAE,OAAO;YAChB,MAAM,EAAE,MAAM;YACd,SAAS,EAAE,KAAK;YAChB,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,MAAM;YAClB,aAAa,EAAE,KAAK;SACvB,CAAC;QACF,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC;IAClC,CAAC;IAEO,cAAc,CAAC,OAAmB;QACtC,MAAM,MAAM,GAAe,EAAE,CAAC;QAC9B,IAAI,OAAO,GAAG,QAAQ,CAAC;QAEvB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YAEtB,IAAI,CAAC,CAAC,QAAQ,IAAI,OAAO,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACf,OAAO,GAAG,CAAC,CAAC,UAAU,CAAC;YAC3B,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAEO,YAAY;QAChB,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,YAAY;YAAE,OAAO;QAEjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACtC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC1C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7B,CAAC;QACL,CAAC;QAGD,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YAC1F,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;YACvE,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;gBAC7B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7B,CAAC;QACL,CAAC;IACL,CAAC;CACJ"}

package/dist/security/RBACEngine.d.ts

@@ -0,0 +1,44 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export type RoleName = 'admin' | 'manager' | 'standard' | 'restricted' | 'auditor';
+export type Permission = 'genome:read' | 'genome:write' | 'genome:evolve' | 'genome:delete' | 'skill:invoke:bundled' | 'skill:invoke:installed' | 'skill:invoke:custom' | 'skill:install' | 'skill:uninstall' | 'exec:safe-bin' | 'exec:allowlist' | 'exec:arbitrary' | 'fs:read:workspace' | 'fs:read:home' | 'fs:read:system' | 'fs:write:workspace' | 'fs:write:home' | 'fs:delete' | 'net:outbound:allowlist' | 'net:outbound:any' | 'net:localhost' | 'cred:read' | 'cred:write' | 'cred:rotate' | 'cred:delete' | 'data:public' | 'data:internal' | 'data:confidential' | 'data:restricted' | 'data:pii' | 'data:financial' | 'data:health' | 'admin:users' | 'admin:roles' | 'admin:policies' | 'admin:audit:read' | 'admin:audit:export' | 'admin:security:configure';
+export interface Role {
+    name: RoleName | string;
+    description: string;
+    permissions: Permission[];
+    inherits?: RoleName | string;
+    rateLimit: number;
+    sessionTimeoutMinutes: number;
+}
+export interface UserAssignment {
+    userId: string;
+    role: RoleName | string;
+    assignedAt: Date;
+    assignedBy: string;
+    expiresAt?: Date;
+}
+export interface AccessCheckResult {
+    allowed: boolean;
+    role: string;
+    permission: Permission;
+    reason?: string;
+}
+export declare class RBACEngine {
+    private eventBus;
+    private roles;
+    private assignments;
+    private operationCounts;
+    constructor(eventBus: SecurityEventBus);
+    assignRole(userId: string, roleName: RoleName | string, assignedBy: string, expiresAt?: Date): void;
+    revokeRole(userId: string): boolean;
+    checkAccess(userId: string, permission: Permission): AccessCheckResult;
+    getUserRole(userId: string): Role | null;
+    getUserPermissions(userId: string): Permission[];
+    registerRole(role: Role): void;
+    getRoles(): Role[];
+    getAssignments(): UserAssignment[];
+    hasRole(userId: string, roleName: string): boolean;
+    private resolvePermissions;
+    private checkRateLimit;
+    private incrementOps;
+}
+//# sourceMappingURL=RBACEngine.d.ts.map

package/dist/security/RBACEngine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RBACEngine.d.ts","sourceRoot":"","sources":["../../src/security/RBACEngine.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,SAAS,GAAG,UAAU,GAAG,YAAY,GAAG,SAAS,CAAC;AAEnF,MAAM,MAAM,UAAU,GAEhB,aAAa,GACb,cAAc,GACd,eAAe,GACf,eAAe,GAEf,sBAAsB,GACtB,wBAAwB,GACxB,qBAAqB,GACrB,eAAe,GACf,iBAAiB,GAEjB,eAAe,GACf,gBAAgB,GAChB,gBAAgB,GAEhB,mBAAmB,GACnB,cAAc,GACd,gBAAgB,GAChB,oBAAoB,GACpB,eAAe,GACf,WAAW,GAEX,wBAAwB,GACxB,kBAAkB,GAClB,eAAe,GAEf,WAAW,GACX,YAAY,GACZ,aAAa,GACb,aAAa,GAEb,aAAa,GACb,eAAe,GACf,mBAAmB,GACnB,iBAAiB,GACjB,UAAU,GACV,gBAAgB,GAChB,aAAa,GAEb,aAAa,GACb,aAAa,GACb,gBAAgB,GAChB,kBAAkB,GAClB,oBAAoB,GACpB,0BAA0B,CAAC;AAEjC,MAAM,WAAW,IAAI;IACjB,IAAI,EAAE,QAAQ,GAAG,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,UAAU,EAAE,CAAC;IAE1B,QAAQ,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IAE7B,SAAS,EAAE,MAAM,CAAC;IAElB,qBAAqB,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,cAAc;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,QAAQ,GAAG,MAAM,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,UAAU,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACnB;AAoGD,qBAAa,UAAU;IACnB,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,KAAK,CAAgC;IAC7C,OAAO,CAAC,WAAW,CAA0C;IAC7D,OAAO,CAAC,eAAe,CAAkE;gBAE7E,QAAQ,EAAE,gBAAgB;IActC,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI;IA2BnG,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAOnC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,iBAAiB;IA6DtE,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IASxC,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,EAAE;IAShD,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI;IAO9B,QAAQ,IAAI,IAAI,EAAE;IAOlB,cAAc,IAAI,cAAc,EAAE;IAOlC,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IAOlD,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,cAAc;IAYtB,OAAO,CAAC,YAAY;CAMvB"}

package/dist/security/RBACEngine.js

@@ -0,0 +1,209 @@
+const ROLE_ADMIN = {
+    name: 'admin',
+    description: 'Full system control — can manage users, roles, policies, and all operations',
+    permissions: [
+        'genome:read', 'genome:write', 'genome:evolve', 'genome:delete',
+        'skill:invoke:bundled', 'skill:invoke:installed', 'skill:invoke:custom', 'skill:install', 'skill:uninstall',
+        'exec:safe-bin', 'exec:allowlist', 'exec:arbitrary',
+        'fs:read:workspace', 'fs:read:home', 'fs:read:system', 'fs:write:workspace', 'fs:write:home', 'fs:delete',
+        'net:outbound:allowlist', 'net:outbound:any', 'net:localhost',
+        'cred:read', 'cred:write', 'cred:rotate', 'cred:delete',
+        'data:public', 'data:internal', 'data:confidential', 'data:restricted', 'data:pii', 'data:financial', 'data:health',
+        'admin:users', 'admin:roles', 'admin:policies', 'admin:audit:read', 'admin:audit:export', 'admin:security:configure',
+    ],
+    rateLimit: 0,
+    sessionTimeoutMinutes: 480,
+};
+const ROLE_MANAGER = {
+    name: 'manager',
+    description: 'Team lead — can use all skills, access confidential data, view audit logs',
+    inherits: 'standard',
+    permissions: [
+        'genome:read', 'genome:write', 'genome:evolve',
+        'skill:invoke:bundled', 'skill:invoke:installed', 'skill:invoke:custom', 'skill:install',
+        'exec:safe-bin', 'exec:allowlist',
+        'fs:read:workspace', 'fs:read:home', 'fs:write:workspace', 'fs:write:home',
+        'net:outbound:allowlist', 'net:localhost',
+        'cred:read', 'cred:write',
+        'data:public', 'data:internal', 'data:confidential', 'data:pii',
+        'admin:audit:read',
+    ],
+    rateLimit: 500,
+    sessionTimeoutMinutes: 480,
+};
+const ROLE_STANDARD = {
+    name: 'standard',
+    description: 'Regular user — bundled skills, workspace access, no admin',
+    permissions: [
+        'genome:read',
+        'skill:invoke:bundled', 'skill:invoke:installed',
+        'exec:safe-bin',
+        'fs:read:workspace', 'fs:write:workspace',
+        'net:outbound:allowlist', 'net:localhost',
+        'cred:read',
+        'data:public', 'data:internal',
+    ],
+    rateLimit: 200,
+    sessionTimeoutMinutes: 480,
+};
+const ROLE_RESTRICTED = {
+    name: 'restricted',
+    description: 'Limited user — read-only access, basic skills only',
+    permissions: [
+        'genome:read',
+        'skill:invoke:bundled',
+        'fs:read:workspace',
+        'net:localhost',
+        'data:public',
+    ],
+    rateLimit: 50,
+    sessionTimeoutMinutes: 120,
+};
+const ROLE_AUDITOR = {
+    name: 'auditor',
+    description: 'Compliance auditor — read-only access to everything + audit logs + export',
+    permissions: [
+        'genome:read',
+        'fs:read:workspace', 'fs:read:home',
+        'data:public', 'data:internal', 'data:confidential', 'data:restricted',
+        'admin:audit:read', 'admin:audit:export',
+    ],
+    rateLimit: 100,
+    sessionTimeoutMinutes: 240,
+};
+export class RBACEngine {
+    eventBus;
+    roles = new Map();
+    assignments = new Map();
+    operationCounts = new Map();
+    constructor(eventBus) {
+        this.eventBus = eventBus;
+        this.roles.set('admin', ROLE_ADMIN);
+        this.roles.set('manager', ROLE_MANAGER);
+        this.roles.set('standard', ROLE_STANDARD);
+        this.roles.set('restricted', ROLE_RESTRICTED);
+        this.roles.set('auditor', ROLE_AUDITOR);
+    }
+    assignRole(userId, roleName, assignedBy, expiresAt) {
+        if (!this.roles.has(roleName)) {
+            throw new Error(`[RBAC] Unknown role: ${roleName}`);
+        }
+        this.assignments.set(userId, {
+            userId,
+            role: roleName,
+            assignedAt: new Date(),
+            assignedBy,
+            expiresAt,
+        });
+        this.eventBus.emit({
+            type: 'security:audit-entry',
+            timestamp: new Date(),
+            layer: 4,
+            decision: 'info',
+            actor: { userId: assignedBy },
+            resource: { type: 'role', id: roleName, detail: `Assigned to ${userId}` },
+            severity: 'info',
+        });
+    }
+    revokeRole(userId) {
+        return this.assignments.delete(userId);
+    }
+    checkAccess(userId, permission) {
+        const assignment = this.assignments.get(userId);
+        if (!assignment) {
+            return {
+                allowed: false,
+                role: 'none',
+                permission,
+                reason: 'No role assigned — defaulting to deny',
+            };
+        }
+        if (assignment.expiresAt && new Date() > assignment.expiresAt) {
+            this.assignments.delete(userId);
+            return {
+                allowed: false,
+                role: assignment.role,
+                permission,
+                reason: 'Role assignment expired',
+            };
+        }
+        const role = this.roles.get(assignment.role);
+        if (!role) {
+            return { allowed: false, role: assignment.role, permission, reason: 'Role not found' };
+        }
+        if (role.rateLimit > 0 && !this.checkRateLimit(userId, role.rateLimit)) {
+            this.eventBus.emitDeny('security:capability-denied', 4, {
+                type: 'rate-limit',
+                id: userId,
+                detail: `Exceeded ${role.rateLimit} ops/hour`,
+            }, 'warning', { userId });
+            return { allowed: false, role: role.name, permission, reason: `Rate limit exceeded (${role.rateLimit}/hour)` };
+        }
+        const allPermissions = this.resolvePermissions(role);
+        const allowed = allPermissions.includes(permission);
+        if (!allowed) {
+            this.eventBus.emitDeny('security:capability-denied', 4, {
+                type: 'rbac',
+                id: permission,
+                detail: `Role ${role.name} lacks ${permission}`,
+            }, 'warning', { userId });
+        }
+        this.incrementOps(userId);
+        return { allowed, role: role.name, permission, reason: allowed ? undefined : `Role "${role.name}" does not have permission "${permission}"` };
+    }
+    getUserRole(userId) {
+        const assignment = this.assignments.get(userId);
+        if (!assignment)
+            return null;
+        return this.roles.get(assignment.role) ?? null;
+    }
+    getUserPermissions(userId) {
+        const role = this.getUserRole(userId);
+        if (!role)
+            return [];
+        return this.resolvePermissions(role);
+    }
+    registerRole(role) {
+        this.roles.set(role.name, role);
+    }
+    getRoles() {
+        return [...this.roles.values()];
+    }
+    getAssignments() {
+        return [...this.assignments.values()];
+    }
+    hasRole(userId, roleName) {
+        const assignment = this.assignments.get(userId);
+        return assignment?.role === roleName;
+    }
+    resolvePermissions(role) {
+        const permissions = [...role.permissions];
+        if (role.inherits) {
+            const parent = this.roles.get(role.inherits);
+            if (parent) {
+                const parentPerms = this.resolvePermissions(parent);
+                for (const p of parentPerms) {
+                    if (!permissions.includes(p))
+                        permissions.push(p);
+                }
+            }
+        }
+        return permissions;
+    }
+    checkRateLimit(userId, limit) {
+        const now = Date.now();
+        const record = this.operationCounts.get(userId);
+        if (!record || now - record.windowStart > 3_600_000) {
+            this.operationCounts.set(userId, { count: 1, windowStart: now });
+            return true;
+        }
+        return record.count < limit;
+    }
+    incrementOps(userId) {
+        const record = this.operationCounts.get(userId);
+        if (record) {
+            record.count++;
+        }
+    }
+}
+//# sourceMappingURL=RBACEngine.js.map