@highflame/overwatch 1.0.0

package/dist/data/ingestor.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Callback to resolve application ID from a record
+ * Returns the application UUID for the x-javelin-application header
+ */
+export type ApplicationIdResolver<T> = (record: T) => string | null;
+/**
+ * Generic admin API ingestor with retry support
+ * Sends records to configurable admin API endpoints
+ */
+export declare class AdminIngestor<T> {
+    private baseUrl;
+    private token;
+    private endpoint;
+    private pendingFile;
+    private deadLetterFile;
+    private retryTimer;
+    private applicationIdResolver;
+    constructor(baseUrl: string, token: string, endpoint: string, applicationIdResolver?: ApplicationIdResolver<T>);
+    start(): void;
+    stop(): void;
+    /** Fire-and-forget record ingestion */
+    ingest(record: T): void;
+    private send;
+    private saveForRetry;
+    private processQueue;
+    private loadPending;
+    private savePending;
+    private moveToDeadLetter;
+    private ensureDir;
+}
+//# sourceMappingURL=ingestor.d.ts.map

package/dist/data/ingestor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ingestor.d.ts","sourceRoot":"","sources":["../../src/data/ingestor.ts"],"names":[],"mappings":"AAaA;;;GAGG;AACH,MAAM,MAAM,qBAAqB,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,MAAM,GAAG,IAAI,CAAC;AAEpE;;;GAGG;AACH,qBAAa,aAAa,CAAC,CAAC;IAC1B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,qBAAqB,CAAyC;gBAGpE,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,qBAAqB,CAAC,EAAE,qBAAqB,CAAC,CAAC,CAAC;IA2BlD,KAAK,IAAI,IAAI;IAYb,IAAI,IAAI,IAAI;IAQZ,uCAAuC;IACvC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI;YA2BT,IAAI;IA+DlB,OAAO,CAAC,YAAY;YAuBN,YAAY;IAiF1B,OAAO,CAAC,WAAW;IAmBnB,OAAO,CAAC,WAAW;IAiBnB,OAAO,CAAC,gBAAgB;IA8BxB,OAAO,CAAC,SAAS;CAIlB"}

package/dist/data/processor.d.ts

@@ -0,0 +1,96 @@
+import { EventRecord, ScanRecord } from "./reader";
+export interface DashboardData {
+    stats: {
+        totalEvents: number;
+        blockedCalls: number;
+        totalThreats: number;
+        serversScanned: number;
+        activeSessions: number;
+    };
+    installation: {
+        cursor: {
+            installed: boolean;
+            version?: string;
+            lastSeen?: string;
+        };
+        claudecode: {
+            installed: boolean;
+            version?: string;
+            lastSeen?: string;
+        };
+        github_copilot: {
+            installed: boolean;
+            version?: string;
+            lastSeen?: string;
+        };
+    };
+    activityTimeline: Array<{
+        date: string;
+        cursor: number;
+        claude: number;
+        github_copilot: number;
+    }>;
+    sessions: Array<{
+        id: string;
+        source: string;
+        startTime: string;
+        eventCount: number;
+        threatCount: number;
+        allowed: boolean;
+        events: EventRecord[];
+    }>;
+    threats: Array<{
+        id: string;
+        timestamp: string;
+        source: string;
+        rule: string;
+        severity: string;
+        category: string;
+        content?: string;
+        rawEvent: EventRecord;
+    }>;
+    commands: Array<{
+        id: string;
+        timestamp: string;
+        source: string;
+        command: string;
+        risk: "critical" | "high" | "medium" | "low";
+        reason: string;
+        allowed: boolean;
+        rawEvent: EventRecord;
+    }>;
+    topCursorHooks: Array<{
+        event: string;
+        count: number;
+    }>;
+    topClaudeTools: Array<{
+        tool: string;
+        count: number;
+    }>;
+    topGitHubCopilotHooks: Array<{
+        event: string;
+        count: number;
+    }>;
+    events: EventRecord[];
+    scans: Array<{
+        id: string;
+        timestamp: string;
+        source?: string;
+        total_servers: number;
+        total_issues: number;
+        max_severity?: string;
+        servers: Array<{
+            server_name: string;
+            url?: string;
+            issues: Array<{
+                severity: string;
+                rule_name?: string;
+                description?: string;
+                target_type?: string;
+                status?: string;
+            }>;
+        }>;
+    }>;
+}
+export declare function processDashboardData(events: EventRecord[], scans: ScanRecord[]): DashboardData;
+//# sourceMappingURL=processor.d.ts.map

package/dist/data/processor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"processor.d.ts","sourceRoot":"","sources":["../../src/data/processor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAEnD,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE;QACL,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;QACvB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,YAAY,EAAE;QACZ,MAAM,EAAE;YAAE,SAAS,EAAE,OAAO,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QACpE,UAAU,EAAE;YAAE,SAAS,EAAE,OAAO,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QACxE,cAAc,EAAE;YAAE,SAAS,EAAE,OAAO,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;KAC7E,CAAC;IACF,gBAAgB,EAAE,KAAK,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC,CAAC;IACH,QAAQ,EAAE,KAAK,CAAC;QACd,EAAE,EAAE,MAAM,CAAC;QACX,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,EAAE,WAAW,EAAE,CAAC;KACvB,CAAC,CAAC;IACH,OAAO,EAAE,KAAK,CAAC;QACb,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,WAAW,CAAC;KACvB,CAAC,CAAC;IACH,QAAQ,EAAE,KAAK,CAAC;QACd,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;QAC7C,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,EAAE,WAAW,CAAC;KACvB,CAAC,CAAC;IACH,cAAc,EAAE,KAAK,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;IACH,cAAc,EAAE,KAAK,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;IACH,qBAAqB,EAAE,KAAK,CAAC;QAC3B,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;IACH,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,KAAK,EAAE,KAAK,CAAC;QACX,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,OAAO,EAAE,KAAK,CAAC;YACb,WAAW,EAAE,MAAM,CAAC;YACpB,GAAG,CAAC,EAAE,MAAM,CAAC;YACb,MAAM,EAAE,KAAK,CAAC;gBACZ,QAAQ,EAAE,MAAM,CAAC;gBACjB,SAAS,CAAC,EAAE,MAAM,CAAC;gBACnB,WAAW,CAAC,EAAE,MAAM,CAAC;gBACrB,WAAW,CAAC,EAAE,MAAM,CAAC;gBACrB,MAAM,CAAC,EAAE,MAAM,CAAC;aACjB,CAAC,CAAC;SACJ,CAAC,CAAC;KACJ,CAAC,CAAC;CACJ;AAgDD,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,WAAW,EAAE,EACrB,KAAK,EAAE,UAAU,EAAE,GAClB,aAAa,CAmQf"}

package/dist/data/reader.d.ts

@@ -0,0 +1,24 @@
+import { HookEventRecord } from "../types";
+export type EventRecord = HookEventRecord & {
+    blocked_reason?: string;
+    guardrail?: {
+        called: boolean;
+        engine?: string;
+        duration_ms?: number;
+        response?: any;
+        threats?: string[];
+        error?: string;
+    };
+};
+export interface ScanRecord {
+    id: string;
+    timestamp: string;
+    source?: string;
+    total_servers: number;
+    total_issues: number;
+    max_severity?: string;
+    raw?: any;
+}
+export declare function readEvents(): EventRecord[];
+export declare function readScans(): ScanRecord[];
+//# sourceMappingURL=reader.d.ts.map

package/dist/data/reader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reader.d.ts","sourceRoot":"","sources":["../../src/data/reader.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAO3C,MAAM,MAAM,WAAW,GAAG,eAAe,GAAG;IAC1C,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,SAAS,CAAC,EAAE;QACV,MAAM,EAAE,OAAO,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,GAAG,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH,CAAC;AAEF,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AAED,wBAAgB,UAAU,IAAI,WAAW,EAAE,CA4B1C;AAED,wBAAgB,SAAS,IAAI,UAAU,EAAE,CA4BxC"}

package/dist/data/recorder.d.ts

@@ -0,0 +1,12 @@
+import { HookEventRecord, IDESource, DetectionResult, ThreatSummary, PolicyDecision, HookEvent, OverwatchEvent } from "../types";
+/**
+ * Record a hook event with the new evaluation structure
+ * - evaluations: Detection engine results (YARA, Javelin)
+ * - threat_summary: Aggregated threat data
+ * - decision: Cedar policy decision (separate from evaluations)
+ *
+ * Requires overwatchEvent - all recorded events must go through extractors.
+ * Returns the recorded event for ingestion to admin API.
+ */
+export declare function recordEvent(source: IDESource, event: HookEvent, response: Record<string, unknown>, evaluations: DetectionResult[], threatSummary: ThreatSummary, decision: PolicyDecision, finalAllowed: boolean, totalDuration: number, overwatchEvent: OverwatchEvent, contentLength?: number): HookEventRecord;
+//# sourceMappingURL=recorder.d.ts.map

package/dist/data/recorder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recorder.d.ts","sourceRoot":"","sources":["../../src/data/recorder.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,eAAe,EACf,SAAS,EACT,eAAe,EACf,aAAa,EACb,cAAc,EAEd,SAAS,EACT,cAAc,EACf,MAAM,UAAU,CAAC;AAgBlB;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,SAAS,EACjB,KAAK,EAAE,SAAS,EAChB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,WAAW,EAAE,eAAe,EAAE,EAC9B,aAAa,EAAE,aAAa,EAC5B,QAAQ,EAAE,cAAc,EACxB,YAAY,EAAE,OAAO,EACrB,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,cAAc,EAC9B,aAAa,CAAC,EAAE,MAAM,GACrB,eAAe,CA0DjB"}

package/dist/engines/cedar.d.ts

@@ -0,0 +1,41 @@
+import { PolicyEngine } from "../lib/policy-engine";
+import { PolicyDecision, PolicyMetadata } from "../types";
+export interface CedarContext {
+    principalType: string;
+    principalId: string;
+    action: string;
+    resourceType: string;
+    resourceId: string;
+    contextData: Record<string, unknown>;
+}
+/**
+ * Threat context passed to Cedar for decision making
+ */
+export interface ThreatContext {
+    threats_detected: number;
+    highest_severity: string;
+    categories: string[];
+}
+/**
+ * Parse Cedar policy content to extract policy metadata from comments.
+ * Cedar uses @compliance_id, @description, @severity, @category, @frameworks annotations.
+ *
+ * Returns a mapping from policy index (policy0, policy1, etc.) to PolicyMetadata.
+ */
+export declare function parsePolicyContent(policyContent: string): Record<string, PolicyMetadata>;
+export declare class CedarExecutor {
+    private engine;
+    private policyMetadata;
+    constructor(engine: PolicyEngine | undefined, policyContent?: string);
+    /**
+     * Update policy metadata (e.g., when policy content changes)
+     */
+    updatePolicyContent(policyContent: string): void;
+    isAvailable(): boolean;
+    /**
+     * Run Cedar policy evaluation
+     * Returns PolicyDecision (separate from detection results)
+     */
+    run(ctx: CedarContext, threatContext: ThreatContext): Promise<PolicyDecision>;
+}
+//# sourceMappingURL=cedar.d.ts.map

package/dist/engines/cedar.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cedar.d.ts","sourceRoot":"","sources":["../../src/engines/cedar.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAuB,MAAM,UAAU,CAAC;AAG/E,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,aAAa,EAAE,MAAM,GACpB,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CA2HhC;AAwDD,qBAAa,aAAa;IAItB,OAAO,CAAC,MAAM;IAHhB,OAAO,CAAC,cAAc,CAAsC;gBAGlD,MAAM,EAAE,YAAY,GAAG,SAAS,EACxC,aAAa,CAAC,EAAE,MAAM;IAWxB;;OAEG;IACH,mBAAmB,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI;IAOhD,WAAW,IAAI,OAAO;IAItB;;;OAGG;IACG,GAAG,CACP,GAAG,EAAE,YAAY,EACjB,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC,cAAc,CAAC;CA+E3B"}

package/dist/engines/remote.d.ts

@@ -0,0 +1,21 @@
+import { JavelinClient } from "../javelin";
+import { DetectionResult, IDESource } from "../types";
+/**
+ * Callback to resolve application ID from IDE source
+ */
+export type ApplicationIdResolver = (source: IDESource) => string | null;
+export declare class RemoteExecutor {
+    private clients;
+    private applicationIdResolver;
+    constructor(clients: Map<IDESource, JavelinClient>, applicationIdResolver?: ApplicationIdResolver);
+    /**
+     * Update the application ID resolver
+     */
+    setApplicationIdResolver(resolver: ApplicationIdResolver): void;
+    /**
+     * Run remote guardrails validation
+     * Returns DetectionResult (no decision field - that's for Cedar)
+     */
+    run(source: IDESource, content: string, event: string, guardrailConfig: string, metadata: Record<string, unknown>): Promise<DetectionResult>;
+}
+//# sourceMappingURL=remote.d.ts.map

package/dist/engines/remote.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote.d.ts","sourceRoot":"","sources":["../../src/engines/remote.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAmB,SAAS,EAAE,MAAM,UAAU,CAAC;AAGvE;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,SAAS,KAAK,MAAM,GAAG,IAAI,CAAC;AAEzE,qBAAa,cAAc;IAIvB,OAAO,CAAC,OAAO;IAHjB,OAAO,CAAC,qBAAqB,CAAsC;gBAGzD,OAAO,EAAE,GAAG,CAAC,SAAS,EAAE,aAAa,CAAC,EAC9C,qBAAqB,CAAC,EAAE,qBAAqB;IAK/C;;OAEG;IACH,wBAAwB,CAAC,QAAQ,EAAE,qBAAqB,GAAG,IAAI;IAI/D;;;OAGG;IACG,GAAG,CACP,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,MAAM,EACvB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,OAAO,CAAC,eAAe,CAAC;CA6D5B"}

package/dist/engines/yara.d.ts

@@ -0,0 +1,12 @@
+import { YaraEngine as CoreYaraEngine } from "../yara";
+import { DetectionResult } from "../types";
+export declare class YaraExecutor {
+    private engine;
+    constructor(engine: CoreYaraEngine);
+    /**
+     * Run YARA scan on content
+     * Returns DetectionResult (no decision field - that's for Cedar)
+     */
+    run(content: string): Promise<DetectionResult>;
+}
+//# sourceMappingURL=yara.d.ts.map

package/dist/engines/yara.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"yara.d.ts","sourceRoot":"","sources":["../../src/engines/yara.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,IAAI,cAAc,EAAiB,MAAM,SAAS,CAAC;AACtE,OAAO,EAAE,eAAe,EAAmB,MAAM,UAAU,CAAC;AA8D5D,qBAAa,YAAY;IACX,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,cAAc;IAE1C;;;OAGG;IACG,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;CAkErD"}

package/dist/handlers/dashboard-handler.d.ts

@@ -0,0 +1,7 @@
+import * as http from "http";
+export declare class DashboardHandler {
+    handle(_req: http.IncomingMessage, res: http.ServerResponse): void;
+    handleJs(_req: http.IncomingMessage, res: http.ServerResponse): void;
+    handleImage(req: http.IncomingMessage, res: http.ServerResponse): void;
+}
+//# sourceMappingURL=dashboard-handler.d.ts.map

package/dist/handlers/dashboard-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/dashboard-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAQ7B,qBAAa,gBAAgB;IAC3B,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,IAAI,CAAC,cAAc,GAAG,IAAI;IAgGlE,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,IAAI,CAAC,cAAc,GAAG,IAAI;IA4CpE,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,IAAI,CAAC,cAAc,GAAG,IAAI;CAiFvE"}

package/dist/handlers/hook-handler.d.ts

@@ -0,0 +1,23 @@
+import * as http from "http";
+import { HookEventRecord } from "../types";
+import { HookPipeline } from "../pipeline/hook-pipeline";
+import { AdminIngestor } from "../data/ingestor";
+export declare class HookHandler {
+    private pipeline;
+    private ingestor;
+    private eventCount;
+    private onProjectSkillsScan?;
+    constructor(pipeline: HookPipeline, ingestor: AdminIngestor<HookEventRecord> | null);
+    /**
+     * Set callback for project skills scanning
+     */
+    setProjectSkillsScanCallback(callback: (workspace: string) => void): void;
+    getEventCount(): number;
+    handle(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
+    /**
+     * Extract workspace path from event body
+     * Checks workspace_roots array first, then common fields: cwd, workingDirectory, workspace
+     */
+    private extractWorkspace;
+}
+//# sourceMappingURL=hook-handler.d.ts.map

package/dist/handlers/hook-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/hook-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAwB,eAAe,EAAE,MAAM,UAAU,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAKjD,qBAAa,WAAW;IAKpB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,QAAQ;IALlB,OAAO,CAAC,UAAU,CAAK;IACvB,OAAO,CAAC,mBAAmB,CAAC,CAA8B;gBAGhD,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,aAAa,CAAC,eAAe,CAAC,GAAG,IAAI;IAGzD;;OAEG;IACH,4BAA4B,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI;IAIzE,aAAa,IAAI,MAAM;IAIjB,MAAM,CACV,GAAG,EAAE,IAAI,CAAC,eAAe,EACzB,GAAG,EAAE,IAAI,CAAC,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC;IAsEhB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;CAkCzB"}

package/dist/handlers/oauth-handler.d.ts

@@ -0,0 +1,12 @@
+import * as http from "http";
+import { OAuthState } from "../auth";
+export declare class OAuthHandler {
+    private port;
+    private pendingOAuthStates;
+    private oauthStateTimeout;
+    constructor(port: number, pendingOAuthStates: Map<string, OAuthState>, oauthStateTimeout: number);
+    handleStart(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
+    handleCallback(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
+    handleStatus(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
+}
+//# sourceMappingURL=oauth-handler.d.ts.map

package/dist/handlers/oauth-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/oauth-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,OAAO,EAML,UAAU,EACX,MAAM,SAAS,CAAC;AAGjB,qBAAa,YAAY;IAErB,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,kBAAkB;IAC1B,OAAO,CAAC,iBAAiB;gBAFjB,IAAI,EAAE,MAAM,EACZ,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,EAC3C,iBAAiB,EAAE,MAAM;IAG7B,WAAW,CACf,GAAG,EAAE,IAAI,CAAC,eAAe,EACzB,GAAG,EAAE,IAAI,CAAC,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC;IAmCV,cAAc,CAClB,GAAG,EAAE,IAAI,CAAC,eAAe,EACzB,GAAG,EAAE,IAAI,CAAC,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC;IAmEV,YAAY,CAChB,GAAG,EAAE,IAAI,CAAC,eAAe,EACzB,GAAG,EAAE,IAAI,CAAC,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC;CA8BjB"}

package/dist/handlers/scan-handler.d.ts

@@ -0,0 +1,13 @@
+import * as http from "http";
+import { ScanRecord } from "../types";
+import { MCPScanner } from "../scanner";
+import { AdminIngestor } from "../data/ingestor";
+export declare class ScanHandler {
+    private scanner;
+    private ingestor;
+    constructor(scanner: MCPScanner, ingestor: AdminIngestor<ScanRecord> | null);
+    handle(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
+    runInitialScan(): Promise<void>;
+    private recordScan;
+}
+//# sourceMappingURL=scan-handler.d.ts.map

package/dist/handlers/scan-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-handler.d.ts","sourceRoot":"","sources":["../../src/handlers/scan-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAK7B,OAAO,EAAa,UAAU,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAMjD,qBAAa,WAAW;IAEpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,QAAQ;gBADR,OAAO,EAAE,UAAU,EACnB,QAAQ,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,IAAI;IAG9C,MAAM,CACV,GAAG,EAAE,IAAI,CAAC,eAAe,EACzB,GAAG,EAAE,IAAI,CAAC,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC;IAgCV,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBrC,OAAO,CAAC,UAAU;CA6EnB"}

package/dist/handlers/utils.d.ts

@@ -0,0 +1,11 @@
+import * as http from "http";
+/**
+ * Parse JSON body from HTTP request
+ */
+export declare function parseBody(req: http.IncomingMessage): Promise<Record<string, unknown>>;
+/**
+ * Get guardrail config name based on hook type
+ */
+export declare function getGuardrailConfig(event: string): string;
+export declare function getDefaultResponse(event: string): Record<string, unknown>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/handlers/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/handlers/utils.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B;;GAEG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,IAAI,CAAC,eAAe,GACxB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAelC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAmCxD;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAqCzE"}

package/dist/hooks/claudecode/hooks.json.template

@@ -0,0 +1,20 @@
+{
+  "UserPromptSubmit": [
+    {
+      "command": "~/.overwatch/universal-hook.sh claudecode UserPromptSubmit",
+      "timeout": 10000
+    }
+  ],
+  "PreToolUse": [
+    {
+      "command": "~/.overwatch/universal-hook.sh claudecode PreToolUse",
+      "timeout": 10000
+    }
+  ],
+  "PostToolUse": [
+    {
+      "command": "~/.overwatch/universal-hook.sh claudecode PostToolUse",
+      "timeout": 5000
+    }
+  ]
+}

package/dist/hooks/cursor/hooks.json.template

@@ -0,0 +1,74 @@
+{
+  "beforeSubmitPrompt": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor beforeSubmitPrompt",
+      "timeout": 10000
+    }
+  ],
+  "beforeShellExecution": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor beforeShellExecution",
+      "timeout": 10000
+    }
+  ],
+  "beforeMCPExecution": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor beforeMCPExecution",
+      "timeout": 10000
+    }
+  ],
+  "beforeTabFileRead": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor beforeTabFileRead",
+      "timeout": 10000
+    }
+  ],
+  "beforeReadFile": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor beforeReadFile",
+      "timeout": 10000
+    }
+  ],
+  "afterShellExecution": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor afterShellExecution",
+      "timeout": 5000
+    }
+  ],
+  "afterMCPExecution": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor afterMCPExecution",
+      "timeout": 5000
+    }
+  ],
+  "afterFileEdit": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor afterFileEdit",
+      "timeout": 5000
+    }
+  ],
+  "afterTabFileEdit": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor afterTabFileEdit",
+      "timeout": 5000
+    }
+  ],
+  "afterAgentResponse": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor afterAgentResponse",
+      "timeout": 5000
+    }
+  ],
+  "afterAgentThought": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor afterAgentThought",
+      "timeout": 5000
+    }
+  ],
+  "stop": [
+    {
+      "command": "~/.overwatch/universal-hook.sh cursor stop",
+      "timeout": 5000
+    }
+  ]
+}

package/dist/hooks/universal-hook.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Overwatch Universal Hook Adapter
+# This script handles communication between AI tools and the Guardian daemon.
+# Usage: ./universal-hook.sh <source> <event> <default_json>
+
+set -euo pipefail
+
+IDE_SOURCE=$1
+HOOK_EVENT=$2
+DEFAULT_RESPONSE=${3:-"{}"}
+
+# Read guardian port from discovery file
+GUARDIAN_PORT_FILE="$HOME/.overwatch/guardian_port"
+
+# 1. Port Discovery
+if [ ! -f "$GUARDIAN_PORT_FILE" ]; then
+    echo "$DEFAULT_RESPONSE"
+    exit 0
+fi
+
+GUARDIAN_PORT=$(cat "$GUARDIAN_PORT_FILE" 2>/dev/null || echo "17580")
+ENDPOINT="http://127.0.0.1:${GUARDIAN_PORT}/hook/${IDE_SOURCE}/${HOOK_EVENT}"
+
+# 2. Health Check & Forward Payload
+# We use a 1s timeout for the health check to avoid hanging if the daemon is dead.
+if curl -s -f -m 1 "http://127.0.0.1:${GUARDIAN_PORT}/health" >/dev/null 2>&1; then
+    # Forward stdin to daemon and capture response
+    # Use a 10s timeout for processing
+    RESPONSE=$(cat | curl -s -m 10 -X POST "$ENDPOINT" \
+        -H "Content-Type: application/json" \
+        -d @- 2>/dev/null || echo "$DEFAULT_RESPONSE")
+    echo "$RESPONSE"
+else
+    # Daemon is unreachable, return default "allow" response
+    echo "$DEFAULT_RESPONSE"
+fi

package/dist/http/server.d.ts

@@ -0,0 +1,38 @@
+import * as http from "http";
+type RequestListener = (req: http.IncomingMessage, res: http.ServerResponse) => void;
+/**
+ * Lightweight HTTP server for Guardian
+ */
+export declare class GuardianHttpServer {
+    private server;
+    private port;
+    private requestListeners;
+    private requestCount;
+    constructor(port: number);
+    /**
+     * Start the server
+     */
+    start(): Promise<void>;
+    /**
+     * Stop the server
+     */
+    stop(): Promise<void>;
+    /**
+     * Register a request handler for a specific path
+     */
+    on(path: string, listener: RequestListener): void;
+    /**
+     * Handle incoming requests
+     */
+    private handleRequest;
+    /**
+     * Get the port the server is listening on
+     */
+    getPort(): number;
+    /**
+     * Check if server is currently listening
+     */
+    isListening(): boolean;
+}
+export {};
+//# sourceMappingURL=server.d.ts.map

package/dist/http/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/http/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAG7B,KAAK,eAAe,GAAG,CACrB,GAAG,EAAE,IAAI,CAAC,eAAe,EACzB,GAAG,EAAE,IAAI,CAAC,cAAc,KACrB,IAAI,CAAC;AAEV;;GAEG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,gBAAgB,CAA2C;IACnE,OAAO,CAAC,YAAY,CAAK;gBAEb,IAAI,EAAE,MAAM;IASxB;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAyCtB;;OAEG;IACH,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAiBrB;;OAEG;IACH,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI;IAQjD;;OAEG;IACH,OAAO,CAAC,aAAa;IAwDrB;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACH,WAAW,IAAI,OAAO;CAGvB"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * @highflame/overwatch
+ *
+ * Security validation module for Overwatch extensions
+ */
+export { GuardianModule } from "./module";
+export * from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAG1C,cAAc,SAAS,CAAC"}