@highflame/overwatch 1.0.0

package/dist/installer.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Hook Installer
+ * Installs IDE-specific hooks that integrate with Guardian daemon
+ */
+interface InstallResult {
+    ide: string;
+    hooksPath: string;
+    hooksInstalled: boolean;
+}
+/**
+ * Install hooks for an IDE
+ */
+export declare function installHooks(ide: string): Promise<void>;
+/**
+ * Uninstall hooks for an IDE
+ * @param ide IDE name
+ * @param silent If true, don't print messages (used by clear command)
+ */
+export declare function uninstallHooks(ide: string, silent?: boolean): Promise<void>;
+/**
+ * List installed hooks
+ */
+export declare function listInstalledHooks(): Promise<InstallResult[]>;
+export {};
+//# sourceMappingURL=installer.d.ts.map

package/dist/installer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../src/installer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH,UAAU,aAAa;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,OAAO,CAAC;CACzB;AAwbD;;GAEG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAgD7D;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,UAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAoE/E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC,CAsBnE"}

package/dist/javelin/admin-client.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Admin API client for Guardian
+ *
+ * Handles communication with highflame-admin for:
+ * - Recording installation events
+ * - Fetching code_agent applications (via existing application API)
+ * - Fetching Cedar policies for applications (via existing policy API)
+ */
+import { CodeAgentApplication, RemoteCedarPolicy, InstallationEvent } from "../types/remote-policy";
+/**
+ * Raw policy response from /v1/admin/policy/:uuid API
+ */
+interface RawPolicy {
+    uuid: string;
+    name: string;
+    description?: string;
+    policy?: {
+        code_agent_security?: {
+            enabled?: boolean;
+            policy_cedar?: string;
+        };
+        [key: string]: unknown;
+    };
+    modified_at?: string;
+}
+/**
+ * Admin API client for Guardian
+ * Uses existing application and policy APIs from highflame-admin
+ */
+export declare class AdminClient {
+    private baseUrl;
+    private token;
+    private timeout;
+    constructor(baseUrl: string, token: string, timeout?: number);
+    /**
+     * Record installation event
+     * Called on first event from a new user/IDE combination
+     */
+    recordInstallation(event: InstallationEvent): Promise<boolean>;
+    /**
+     * Fetch code_agent applications using existing application API
+     * GET /v1/admin/applications?type=code_agent
+     */
+    getCodeAgentApplications(): Promise<CodeAgentApplication[]>;
+    /**
+     * Fetch policy by UUID using existing policy API
+     * GET /v1/admin/policy/:uuid
+     */
+    getPolicyByUUID(policyUUID: string): Promise<RawPolicy | null>;
+    /**
+     * Get Cedar policy for a specific IDE type
+     *
+     * Flow:
+     * 1. Fetch all code_agent applications
+     * 2. Find app matching the IDE name (cursor, claudecode, etc.)
+     * 3. Get policy_template UUID from app config
+     * 4. Fetch policy by UUID
+     * 5. Extract policy_cedar from policy.code_agent_security
+     */
+    getCedarPolicyForIDE(ideType: string): Promise<RemoteCedarPolicy | null>;
+    /**
+     * Fetch Cedar policies for all configured IDEs in one efficient call
+     * Returns a map of IDE type to RemoteCedarPolicy
+     *
+     * This is more efficient than calling getCedarPolicyForIDE() multiple times
+     * since it fetches applications only once.
+     */
+    getAllIDEPolicies(): Promise<Map<string, RemoteCedarPolicy>>;
+    /**
+     * Health check - verify connection to admin API
+     */
+    healthCheck(): Promise<boolean>;
+}
+export {};
+//# sourceMappingURL=admin-client.d.ts.map

package/dist/javelin/admin-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-client.d.ts","sourceRoot":"","sources":["../../src/javelin/admin-client.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EAClB,MAAM,wBAAwB,CAAC;AAoBhC;;GAEG;AACH,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE;QACP,mBAAmB,CAAC,EAAE;YACpB,OAAO,CAAC,EAAE,OAAO,CAAC;YAClB,YAAY,CAAC,EAAE,MAAM,CAAC;SACvB,CAAC;QACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,OAAO,CAAS;gBAGtB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,MAAwB;IAanC;;;OAGG;IACG,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC;IAsCpE;;;OAGG;IACG,wBAAwB,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAmDjE;;;OAGG;IACG,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAgDpE;;;;;;;;;OASG;IACG,oBAAoB,CACxB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAiFpC;;;;;;OAMG;IACG,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAuElE;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAwBtC"}

package/dist/javelin/client.d.ts

@@ -0,0 +1,30 @@
+import { JavelinConfig, JavelinValidationResponse } from "./types";
+/**
+ * Highflame HTTP client for guardrails validation
+ */
+export declare class JavelinClient {
+    private config;
+    private requestCount;
+    constructor(config: JavelinConfig);
+    /**
+     * Get current config
+     */
+    getConfig(): JavelinConfig;
+    /**
+     * Validate content using Highflame guardrails API
+     * @param engine - Guardrail engine type (guardrails, yara)
+     * @param payload - Content to validate
+     * @param metadata - Optional metadata to include in request
+     * @param applicationId - Optional application ID for x-javelin-application header
+     */
+    validateWithGuardrails(engine: string, payload: string, metadata?: Record<string, unknown>, applicationId?: string): Promise<JavelinValidationResponse>;
+    /**
+     * Test connection to Highflame API
+     */
+    testConnection(): Promise<boolean>;
+    /**
+     * Update configuration
+     */
+    updateConfig(config: JavelinConfig): void;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/javelin/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/javelin/client.ts"],"names":[],"mappings":"AACA,OAAO,EACL,aAAa,EACb,yBAAyB,EAG1B,MAAM,SAAS,CAAC;AAoBjB;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,YAAY,CAAK;gBAEb,MAAM,EAAE,aAAa;IAOjC;;OAEG;IACH,SAAS,IAAI,aAAa;IAI1B;;;;;;OAMG;IACG,sBAAsB,CAC1B,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClC,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC;IA4LrC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IASxC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;CAO1C"}

package/dist/javelin/config-reader.d.ts

@@ -0,0 +1,70 @@
+import { JavelinConfig } from "./types";
+import { IDEType, OperatingMode, OverwatchConfig, AdminConfig } from "../types";
+/**
+ * Configuration reader for ~/.overwatch/config.json
+ * Uses JWT token from session.json for API authentication
+ */
+export declare class ConfigReader {
+    private configPath;
+    private cachedConfig;
+    private rawConfig;
+    constructor(configPath?: string);
+    /**
+     * JWT token from session.json
+     */
+    readHighflameConfig(ide: IDEType): Promise<JavelinConfig | null>;
+    /**
+     * Get operating mode for an IDE (inspect or enforce)
+     */
+    getMode(ide: IDEType): OperatingMode;
+    /**
+     * Get the full overwatch config
+     */
+    getOverwatchConfig(): OverwatchConfig | null;
+    /**
+     * Get Highflame API configuration
+     */
+    getHighflameConfig(): {
+        baseUrl: string;
+        enabled: boolean;
+    };
+    /**
+     * Get JWT token from session.json for API authentication
+     */
+    getJwtToken(): string | null;
+    /**
+     * Get LLM API key from config or environment
+     */
+    getLLMApiKey(): string | null;
+    /**
+     * Load raw config from file
+     */
+    private loadRawConfig;
+    /**
+     * Get default configuration
+     */
+    private getDefaultConfig;
+    /**
+     * Get cached configuration for an IDE
+     */
+    getCachedConfig(ide: IDEType): JavelinConfig | null;
+    /**
+     * Check if configuration is valid
+     */
+    isValid(config: JavelinConfig | null): boolean;
+    /**
+     * Get admin API configuration (derived from Highflame config)
+     * Used by PolicyManager and AdminClient for remote policy fetching
+     */
+    getAdminConfig(): AdminConfig;
+    /**
+     * Get admin token for API authentication
+     * Alias for getJwtToken for backwards compatibility
+     */
+    getAdminToken(): string | null;
+    /**
+     * Clear cache (useful for config reload)
+     */
+    clearCache(): void;
+}
+//# sourceMappingURL=config-reader.d.ts.map

package/dist/javelin/config-reader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-reader.d.ts","sourceRoot":"","sources":["../../src/javelin/config-reader.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAKhF;;;GAGG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,YAAY,CAA0C;IAC9D,OAAO,CAAC,SAAS,CAAgC;gBAErC,UAAU,CAAC,EAAE,MAAM;IAM/B;;OAEG;IACG,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IA0CtE;;OAEG;IACH,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,aAAa;IASpC;;OAEG;IACH,kBAAkB,IAAI,eAAe,GAAG,IAAI;IAI5C;;OAEG;IACH,kBAAkB,IAAI;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE;IAS3D;;OAEG;IACH,WAAW,IAAI,MAAM,GAAG,IAAI;IAY5B;;OAEG;IACH,YAAY,IAAI,MAAM,GAAG,IAAI;IAK7B;;OAEG;YACW,aAAa;IA6B3B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAiBxB;;OAEG;IACH,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,aAAa,GAAG,IAAI;IASnD;;OAEG;IACH,OAAO,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,GAAG,OAAO;IAW9C;;;OAGG;IACH,cAAc,IAAI,WAAW;IAQ7B;;;OAGG;IACH,aAAa,IAAI,MAAM,GAAG,IAAI;IAI9B;;OAEG;IACH,UAAU,IAAI,IAAI;CAQnB"}

package/dist/javelin/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./types";
+export * from "./config-reader";
+export * from "./client";
+export * from "./admin-client";
+//# sourceMappingURL=index.d.ts.map

package/dist/javelin/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/javelin/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,iBAAiB,CAAC;AAChC,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC"}

package/dist/javelin/types.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Javelin API configuration
+ */
+export interface JavelinConfig {
+    /** Highflame API base URL */
+    baseUrl: string;
+    /** Highflame API Token (JWT) */
+    token: string;
+    /** Request timeout in milliseconds */
+    timeout: number;
+}
+/**
+ * Highflame Guardrails API request format
+ */
+export interface HighflameGuardrailsRequest {
+    input: {
+        text: string;
+    };
+    guardrails: Array<{
+        name: string;
+        config: Record<string, unknown>;
+    }>;
+    metadata: {
+        direction: "request";
+        request_source: string;
+        session_id: string;
+        [key: string]: unknown;
+    };
+}
+/**
+ * Individual guardrail assessment result
+ */
+export interface HighflameGuardrailAssessment {
+    request_reject: boolean;
+    results: Record<string, unknown>;
+}
+/**
+ * Highflame Guardrails API response format
+ */
+export interface HighflameGuardrailsResponse {
+    assessments: Array<Record<string, HighflameGuardrailAssessment>>;
+}
+/**
+ * Javelin validation request
+ * (matches Javelin API format)
+ */
+export interface JavelinValidationRequest {
+    /** Engine/guardrail to use */
+    engine: string;
+    /** Content to validate */
+    content: string;
+    /** Additional parameters */
+    parameters?: Record<string, unknown>;
+}
+/**
+ * Javelin validation response
+ * (matches Javelin API response format)
+ */
+export interface JavelinValidationResponse {
+    /** Whether validation passed */
+    success: boolean;
+    /** Response message */
+    message?: string;
+    /** Detailed results */
+    results?: {
+        findings?: Array<{
+            severity: string;
+            type: string;
+            message: string;
+            location?: Record<string, unknown>;
+        }>;
+        metadata?: Record<string, unknown>;
+    };
+    /** Error details if request failed */
+    error?: {
+        code: string;
+        message: string;
+        details?: unknown;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/javelin/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/javelin/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAEhB,gCAAgC;IAChC,KAAK,EAAE,MAAM,CAAC;IAEd,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACxB,UAAU,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC,CAAC;IACrE,QAAQ,EAAE;QACR,SAAS,EAAE,SAAS,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;QACvB,UAAU,EAAE,MAAM,CAAC;QACnB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,cAAc,EAAE,OAAO,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,4BAA4B,CAAC,CAAC,CAAC;CAClE;AAED;;;GAGG;AACH,MAAM,WAAW,wBAAwB;IACvC,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IAEf,0BAA0B;IAC1B,OAAO,EAAE,MAAM,CAAC;IAEhB,4BAA4B;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IAEjB,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uBAAuB;IACvB,OAAO,CAAC,EAAE;QACR,QAAQ,CAAC,EAAE,KAAK,CAAC;YACf,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SACpC,CAAC,CAAC;QACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,CAAC;IAEF,sCAAsC;IACtC,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;CACH"}

package/dist/lib/policy-engine.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Policy Engine Loader
+ *
+ * Uses @highflame/policy npm package for Cedar policy evaluation.
+ * The package uses @cedar-policy/cedar-wasm (WebAssembly) for cross-platform support.
+ */
+/**
+ * PolicyEngine interface matching the expected API
+ */
+export interface PolicyEngine {
+    loadPoliciesFromFile(path: string): void;
+    evaluate(principalType: string, principalId: string, action: string, resourceType: string, resourceId: string, context?: Record<string, unknown> | null): {
+        effect: "Allow" | "Deny";
+        determining_policies: string[];
+    };
+}
+/**
+ * Create a new PolicyEngine instance
+ * Returns undefined if the module is not available
+ *
+ * Note: This function is async internally but returns synchronously for compatibility.
+ * Call initPolicyEngine() first to ensure the module is loaded.
+ */
+export declare function createPolicyEngine(): PolicyEngine | undefined;
+/**
+ * Initialize the policy engine module (async)
+ * Must be called before createPolicyEngine()
+ */
+export declare function initPolicyEngine(): Promise<boolean>;
+/**
+ * Check if the policy engine module is available
+ */
+export declare function isPolicyEngineAvailable(): boolean;
+//# sourceMappingURL=policy-engine.d.ts.map

package/dist/lib/policy-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.d.ts","sourceRoot":"","sources":["../../src/lib/policy-engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,QAAQ,CACN,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GACvC;QAAE,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;QAAC,oBAAoB,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CACjE;AAsED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,YAAY,GAAG,SAAS,CAuB7D;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAGzD;AAED;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,OAAO,CAEjD"}

package/dist/lib/policy-manager.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Policy Manager for Guardian
+ *
+ * Manages Cedar policies with support for:
+ * - Remote policy fetching from highflame-admin
+ * - IDE-specific policy mapping (cursor, claudecode, github_copilot)
+ * - Configurable polling for policy updates
+ * - Local policy fallback when remote is unavailable
+ */
+import { PolicyEngine } from "./policy-engine";
+import { IDESource, PolicyMapping } from "../types";
+/**
+ * PolicyManager handles remote policy fetching and local fallback
+ * Maintains policy mapping per IDE source
+ */
+export declare class PolicyManager {
+    private adminClient;
+    private policyEngines;
+    private localPolicyEngine;
+    private policyMapping;
+    private pollTimer;
+    private pollIntervalMs;
+    private _localPolicyPath;
+    private initialized;
+    private lastFetchTime;
+    constructor(pollIntervalMs?: number);
+    /**
+     * Initialize with admin client and local fallback
+     */
+    init(baseUrl: string | null, token: string | null, localPolicyPath: string | null): Promise<void>;
+    /**
+     * Start polling for policy updates
+     */
+    startPolling(): void;
+    /**
+     * Stop polling
+     */
+    stopPolling(): void;
+    /**
+     * Fetch remote policies and update engines
+     */
+    fetchRemotePolicies(): Promise<void>;
+    /**
+     * Update policy engine for specific IDE
+     */
+    private updatePolicyForIDE;
+    /**
+     * Get policy engine for IDE source
+     * Falls back to local policy if no remote policy available
+     */
+    getEngineForIDE(ide: IDESource): PolicyEngine | undefined;
+    /**
+     * Get policy content for IDE source
+     * Returns the Cedar policy string for parsing metadata
+     */
+    getPolicyContentForIDE(ide: IDESource): string | undefined;
+    /**
+     * Check if a specific IDE has remote policy
+     */
+    hasRemotePolicyForIDE(ide: IDESource): boolean;
+    /**
+     * Get policy mapping info
+     */
+    getPolicyMapping(): PolicyMapping;
+    /**
+     * Get last fetch time
+     */
+    getLastFetchTime(): number;
+    /**
+     * Get status information
+     */
+    getStatus(): {
+        initialized: boolean;
+        hasAdminClient: boolean;
+        hasLocalPolicy: boolean;
+        localPolicyPath: string | null;
+        remotePolicies: string[];
+        isPolling: boolean;
+        lastFetchTime: number;
+    };
+    /**
+     * Force refresh policies
+     */
+    refreshPolicies(): Promise<void>;
+}
+//# sourceMappingURL=policy-manager.d.ts.map

package/dist/lib/policy-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-manager.d.ts","sourceRoot":"","sources":["../../src/lib/policy-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,EACL,YAAY,EAGb,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,SAAS,EAET,aAAa,EAGd,MAAM,UAAU,CAAC;AAElB;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,aAAa,CAA2C;IAChE,OAAO,CAAC,iBAAiB,CAA2B;IACpD,OAAO,CAAC,aAAa,CAAqB;IAC1C,OAAO,CAAC,SAAS,CAA+B;IAChD,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,gBAAgB,CAAuB;IAC/C,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,aAAa,CAAa;gBAGhC,cAAc,GAAE,MAAoD;IAQtE;;OAEG;IACG,IAAI,CACR,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,eAAe,EAAE,MAAM,GAAG,IAAI,GAC7B,OAAO,CAAC,IAAI,CAAC;IAiDhB;;OAEG;IACH,YAAY,IAAI,IAAI;IAyBpB;;OAEG;IACH,WAAW,IAAI,IAAI;IAQnB;;OAEG;IACG,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC;IAmC1C;;OAEG;YACW,kBAAkB;IA4DhC;;;OAGG;IACH,eAAe,CAAC,GAAG,EAAE,SAAS,GAAG,YAAY,GAAG,SAAS;IAoBzD;;;OAGG;IACH,sBAAsB,CAAC,GAAG,EAAE,SAAS,GAAG,MAAM,GAAG,SAAS;IAsB1D;;OAEG;IACH,qBAAqB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO;IAI9C;;OAEG;IACH,gBAAgB,IAAI,aAAa;IAIjC;;OAEG;IACH,gBAAgB,IAAI,MAAM;IAI1B;;OAEG;IACH,SAAS,IAAI;QACX,WAAW,EAAE,OAAO,CAAC;QACrB,cAAc,EAAE,OAAO,CAAC;QACxB,cAAc,EAAE,OAAO,CAAC;QACxB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,SAAS,EAAE,OAAO,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;KACvB;IAYD;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;CAIvC"}

package/dist/module.d.ts

@@ -0,0 +1,52 @@
+export declare class GuardianModule {
+    private javelinClients;
+    private configReader;
+    private httpServer;
+    private scanner;
+    private yaraEngine;
+    private cedarEngine;
+    private yaraExecutor;
+    private remoteExecutor;
+    private hookPipeline;
+    private hookHandler;
+    private scanHandler;
+    private dashboardHandler;
+    private oauthHandler;
+    private skillsScanner;
+    private projectSkillsCache;
+    private static readonly PROJECT_SKILLS_CACHE_TTL;
+    private eventIngestor;
+    private scanIngestor;
+    private skillsIngestor;
+    private policyManager;
+    private adminClient;
+    private seenInstallations;
+    private pendingOAuthStates;
+    private readonly oauthStateTimeout;
+    private initialized;
+    private debug;
+    constructor(config?: {
+        httpPort?: number;
+        debug?: boolean;
+    });
+    init(): Promise<void>;
+    private loadHighflameConfig;
+    private loadYaraRules;
+    private findRulesDir;
+    private initCedarEngine;
+    private findPolicyFile;
+    private initPolicyManager;
+    private checkInstallation;
+    private recordInstallation;
+    startServer(): Promise<void>;
+    private runStartupSkillsScan;
+    private handleShutdown;
+    stopServer(): Promise<void>;
+    getPort(): number;
+    /**
+     * Scan project-level skills if not recently cached
+     * Called from hook handler when workspace is present in event
+     */
+    scanProjectSkillsIfNeeded(workspace: string): Promise<void>;
+}
+//# sourceMappingURL=module.d.ts.map

package/dist/module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAkCA,qBAAa,cAAc;IACzB,OAAO,CAAC,cAAc,CAA4C;IAClE,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,OAAO,CAAa;IAG5B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,WAAW,CAA2B;IAG9C,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,cAAc,CAAiB;IAGvC,OAAO,CAAC,YAAY,CAA2B;IAG/C,OAAO,CAAC,WAAW,CAA0B;IAC7C,OAAO,CAAC,WAAW,CAA0B;IAC7C,OAAO,CAAC,gBAAgB,CAA4C;IACpE,OAAO,CAAC,YAAY,CAA2B;IAG/C,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,kBAAkB,CAA4C;IACtE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,CAAiB;IAGjE,OAAO,CAAC,aAAa,CAA+C;IACpE,OAAO,CAAC,YAAY,CAA0C;IAC9D,OAAO,CAAC,cAAc,CAA+C;IAGrE,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,WAAW,CAA4B;IAE/C,OAAO,CAAC,iBAAiB,CAA0B;IACnD,OAAO,CAAC,kBAAkB,CAAsC;IAChE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAiB;IAEnD,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,KAAK,CAAU;gBAEX,MAAM,GAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAA;KAAO;IAmBzD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAiFb,mBAAmB;YAUnB,aAAa;IAO3B,OAAO,CAAC,YAAY;YAYN,eAAe;IAmB7B,OAAO,CAAC,cAAc;YAaR,iBAAiB;IAwB/B,OAAO,CAAC,iBAAiB;YAkBX,kBAAkB;IAmB1B,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;YAyEpB,oBAAoB;IAkBlC,OAAO,CAAC,cAAc;IAoBhB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAQjC,OAAO,IAAI,MAAM;IAIjB;;;OAGG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAuBlE"}

package/dist/pipeline/context-mapper.d.ts

@@ -0,0 +1,16 @@
+import { OverwatchEvent, ThreatSummary, DetectionResult } from "../types";
+export interface CedarContext {
+    principalType: string;
+    principalId: string;
+    action: string;
+    resourceType: string;
+    resourceId: string;
+    contextData: Record<string, unknown>;
+}
+/**
+ * Map OverwatchEvent + threat/yara results to Cedar policy context.
+ */
+export declare class ContextMapper {
+    static mapToCedarContext(overwatchEvent: OverwatchEvent, threatSummary: ThreatSummary, yaraResult: DetectionResult): CedarContext;
+}
+//# sourceMappingURL=context-mapper.d.ts.map

package/dist/pipeline/context-mapper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-mapper.d.ts","sourceRoot":"","sources":["../../src/pipeline/context-mapper.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,aAAa,EACb,eAAe,EAChB,MAAM,UAAU,CAAC;AAGlB,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;GAEG;AACH,qBAAa,aAAa;IACxB,MAAM,CAAC,iBAAiB,CACtB,cAAc,EAAE,cAAc,EAC9B,aAAa,EAAE,aAAa,EAC5B,UAAU,EAAE,eAAe,GAC1B,YAAY;CAmFhB"}

package/dist/pipeline/extractors/claude-extractor.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Claude Code Extractor
+ *
+ * Converts Claude Code hook payloads into canonical OverwatchEvent format.
+ * Claude Code events: UserPromptSubmit, PreToolUse, PostToolUse.
+ */
+import { IExtractor } from './index';
+import { OverwatchEvent, IDESource } from '../../types/events';
+export declare class ClaudeExtractor implements IExtractor {
+    /**
+     * Check if this extractor can handle the given event from Claude Code
+     */
+    canHandle(event: string, source: IDESource): boolean;
+    /**
+     * Convert Claude Code hook payload to canonical OverwatchEvent
+     * canHandle(event, source) is called before and must return true before calling this method
+     */
+    toCanonical(event: string, input: Record<string, any>, _source: IDESource): Promise<OverwatchEvent | null>;
+    /**
+     * Normalize Claude tool names to standard names
+     */
+    private normalizeToolName;
+    /**
+     * Extract content to be scanned by security engines
+     */
+    private extractContent;
+    /**
+     * Extract file path from tool input
+     */
+    private extractFilePath;
+    /**
+     * Extract command from tool input (for Bash tools)
+     */
+    private extractCommand;
+    /**
+     * Extract tool arguments
+     */
+    private extractArguments;
+    /**
+     * Resolve workspace root from Claude Code formats
+     */
+    private resolveWorkspaceRoot;
+    /**
+     * Generate default response format for Claude Code
+     */
+    getDefaultResponse(event: string, allowed: boolean, reason?: string): Record<string, any>;
+}
+//# sourceMappingURL=claude-extractor.d.ts.map

package/dist/pipeline/extractors/claude-extractor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-extractor.d.ts","sourceRoot":"","sources":["../../../src/pipeline/extractors/claude-extractor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAkB,MAAM,oBAAoB,CAAC;AAG/E,qBAAa,eAAgB,YAAW,UAAU;IAC9C;;OAEG;IACH,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO;IAepD;;;OAGG;IACG,WAAW,CACb,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC1B,OAAO,EAAE,SAAS,GACnB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAmFjC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAazB;;OAEG;YACW,cAAc;IAkD5B;;OAEG;IACH,OAAO,CAAC,eAAe;IAKvB;;OAEG;IACH,OAAO,CAAC,cAAc;IAQtB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAWxB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAe5B;;OAEG;IACH,kBAAkB,CACd,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;CAsBzB"}

package/dist/pipeline/extractors/cursor-extractor.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Cursor IDE Extractor
+ *
+ * Converts Cursor hook payloads into canonical OverwatchEvent format.
+ * Handles all Cursor hook events: prompt, shell, MCP, file operations.
+ */
+import { IExtractor } from './index';
+import { OverwatchEvent, IDESource } from '../../types/events';
+export declare class CursorExtractor implements IExtractor {
+    /**
+     * Check if the extractor can handle given event from Cursor
+     */
+    canHandle(event: string, source: IDESource): boolean;
+    /**
+     * Convert Cursor hook payload to canonical OverwatchEvent
+     * canHandle(event, source) is called before andmust return true before calling this method
+     */
+    toCanonical(event: string, input: Record<string, any>, _source: IDESource): Promise<OverwatchEvent | null>;
+    /**
+     * Extract content to be scanned by security engines
+     */
+    private extractContent;
+    /**
+     * Extract tool name and MCP information
+     */
+    private extractToolInfo;
+    /**
+     * Extract file path from input
+     */
+    private extractFilePath;
+    /**
+     * Extract tool arguments
+     */
+    private extractArguments;
+    /**
+     * Resolve workspace root from various Cursor formats
+     */
+    private resolveWorkspaceRoot;
+    /**
+     * Generate default response format for Cursor
+     */
+    getDefaultResponse(event: string, allowed: boolean, reason?: string): Record<string, any>;
+}
+//# sourceMappingURL=cursor-extractor.d.ts.map

package/dist/pipeline/extractors/cursor-extractor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cursor-extractor.d.ts","sourceRoot":"","sources":["../../../src/pipeline/extractors/cursor-extractor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAkB,MAAM,oBAAoB,CAAC;AAG/E,qBAAa,eAAgB,YAAW,UAAU;IAC9C;;OAEG;IACH,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO;IAwBpD;;;OAGG;IACG,WAAW,CACb,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC1B,OAAO,EAAE,SAAS,GACnB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IA2DjC;;OAEG;IACH,OAAO,CAAC,cAAc;IAiFtB;;OAEG;IACH,OAAO,CAAC,eAAe;IAwCvB;;OAEG;IACH,OAAO,CAAC,eAAe;IAUvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAOxB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAkB5B;;OAEG;IACH,kBAAkB,CACd,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,OAAO,EAChB,MAAM,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;CAuCzB"}