@integsec/agentic-pentest-proxy 0.1.0

package/dist/src/ip-matcher.js

@@ -0,0 +1,128 @@
+/**
+ * ip-matcher.ts
+ *
+ * IP / CIDR matching utilities for scope enforcement.
+ * Used to determine whether a target IP is in-scope, private, or a cloud
+ * metadata endpoint.  This is security-critical code: every edge case matters.
+ */
+import IPCIDR from "ip-cidr";
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Return true if `address` looks like an IPv6 string (contains a colon).
+ * This is intentionally lightweight — full validation is delegated to ip-cidr.
+ */
+function looksLikeIPv6(address) {
+    return address.includes(":");
+}
+/**
+ * Normalise a range string so it always contains a `/`.
+ *
+ * Rules:
+ *  - If it already contains a `/` it is returned as-is.
+ *  - If it looks like an IPv6 bare address, append `/128`.
+ *  - Otherwise append `/32` (treat as an IPv4 exact-host CIDR).
+ *
+ * We intentionally do NOT strip whitespace here — a range with leading or
+ * trailing whitespace is invalid and should propagate to ip-cidr which will
+ * throw and be caught.
+ */
+function normaliseCidr(range) {
+    if (range.includes("/")) {
+        return range;
+    }
+    return looksLikeIPv6(range) ? `${range}/128` : `${range}/32`;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Public API
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Check whether `ip` falls within the CIDR `cidr`.
+ *
+ * - Bare IPs (no slash) are treated as an exact-host match (/32 or /128).
+ * - Returns `false` for any invalid input rather than throwing.
+ * - An IPv4 address will never match an IPv6 range and vice-versa.
+ */
+export function isIpInCidr(ip, cidr) {
+    if (!ip || !cidr) {
+        return false;
+    }
+    try {
+        const normalisedCidr = normaliseCidr(cidr);
+        if (!IPCIDR.isValidCIDR(normalisedCidr)) {
+            return false;
+        }
+        const range = new IPCIDR(normalisedCidr);
+        return range.contains(ip);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check whether `ip` falls within any of the provided CIDR/IP `ranges`.
+ *
+ * - An empty `ranges` array always returns `false`.
+ * - Invalid individual ranges are silently skipped.
+ * - Returns `false` for any invalid `ip`.
+ */
+export function isIpInAnyRange(ip, ranges) {
+    for (const range of ranges) {
+        if (isIpInCidr(ip, range)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * RFC 1918 / link-local private address ranges:
+ *   10.0.0.0/8       — Class A private
+ *   172.16.0.0/12    — Class B private
+ *   192.168.0.0/16   — Class C private
+ *   169.254.0.0/16   — Link-local (APIPA)
+ */
+const RFC1918_RANGES = [
+    "10.0.0.0/8",
+    "172.16.0.0/12",
+    "192.168.0.0/16",
+    "169.254.0.0/16",
+];
+/**
+ * Return true if `ip` is a private/link-local IPv4 address as defined by
+ * RFC 1918 and RFC 3927 (169.254.0.0/16).
+ *
+ * Returns `false` for invalid inputs and for IPv6 addresses.
+ */
+export function isRfc1918(ip) {
+    if (!ip) {
+        return false;
+    }
+    // Quick guard: IPv6 addresses are never RFC 1918
+    if (looksLikeIPv6(ip)) {
+        return false;
+    }
+    return isIpInAnyRange(ip, RFC1918_RANGES);
+}
+/**
+ * Well-known cloud instance metadata endpoints.
+ *   169.254.169.254   — AWS, Azure, GCP (IPv4)
+ *   fd00:ec2::254     — AWS (IPv6)
+ */
+const CLOUD_METADATA_IPS = [
+    "169.254.169.254",
+    "fd00:ec2::254",
+];
+/**
+ * Return true if `ip` is a known cloud metadata endpoint.
+ *
+ * Performs exact-host matching only — no subnet expansion.
+ * Returns `false` for invalid inputs.
+ */
+export function isCloudMetadata(ip) {
+    if (!ip) {
+        return false;
+    }
+    return isIpInAnyRange(ip, CLOUD_METADATA_IPS);
+}
+//# sourceMappingURL=ip-matcher.js.map

package/dist/src/ip-matcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-matcher.js","sourceRoot":"","sources":["../../src/ip-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,MAAM,MAAM,SAAS,CAAC;AAE7B,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,CAAC;AAC/D,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,EAAU,EAAE,IAAY;IACjD,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QAE3C,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,cAAc,CAAC,CAAC;QACzC,OAAO,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,EAAU,EAAE,MAAgB;IACzD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,cAAc,GAAa;IAC/B,YAAY;IACZ,eAAe;IACf,gBAAgB;IAChB,gBAAgB;CACjB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,EAAU;IAClC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,KAAK,CAAC;IACf,CAAC;IACD,iDAAiD;IACjD,IAAI,aAAa,CAAC,EAAE,CAAC,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,cAAc,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,kBAAkB,GAAa;IACnC,iBAAiB;IACjB,eAAe;CAChB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,EAAU;IACxC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,cAAc,CAAC,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAChD,CAAC"}

package/dist/src/manifest-schema.d.ts

@@ -0,0 +1,77 @@
+import { z } from "zod";
+export declare const ScopeManifestSchema: z.ZodObject<{
+    engagement_id: z.ZodString;
+    client: z.ZodString;
+    operator: z.ZodString;
+    authorized_targets: z.ZodObject<{
+        ip_ranges: z.ZodArray<z.ZodString, "many">;
+        domains: z.ZodArray<z.ZodString, "many">;
+        urls: z.ZodArray<z.ZodString, "many">;
+        cloud_accounts: z.ZodArray<z.ZodString, "many">;
+    }, "strip", z.ZodTypeAny, {
+        ip_ranges: string[];
+        domains: string[];
+        urls: string[];
+        cloud_accounts: string[];
+    }, {
+        ip_ranges: string[];
+        domains: string[];
+        urls: string[];
+        cloud_accounts: string[];
+    }>;
+    excluded_targets: z.ZodArray<z.ZodString, "many">;
+    authorized_techniques: z.ZodArray<z.ZodString, "many">;
+    excluded_techniques: z.ZodArray<z.ZodString, "many">;
+    engagement_window: z.ZodObject<{
+        start: z.ZodEffects<z.ZodString, string, string>;
+        end: z.ZodEffects<z.ZodString, string, string>;
+    }, "strip", z.ZodTypeAny, {
+        start: string;
+        end: string;
+    }, {
+        start: string;
+        end: string;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    engagement_id: string;
+    client: string;
+    operator: string;
+    authorized_targets: {
+        ip_ranges: string[];
+        domains: string[];
+        urls: string[];
+        cloud_accounts: string[];
+    };
+    excluded_targets: string[];
+    authorized_techniques: string[];
+    excluded_techniques: string[];
+    engagement_window: {
+        start: string;
+        end: string;
+    };
+}, {
+    engagement_id: string;
+    client: string;
+    operator: string;
+    authorized_targets: {
+        ip_ranges: string[];
+        domains: string[];
+        urls: string[];
+        cloud_accounts: string[];
+    };
+    excluded_targets: string[];
+    authorized_techniques: string[];
+    excluded_techniques: string[];
+    engagement_window: {
+        start: string;
+        end: string;
+    };
+}>;
+/**
+ * Inferred TypeScript type from the Zod schema.
+ * Use this instead of the hand-written `ScopeManifest` interface from
+ * types.ts wherever you want the compiler to track schema changes
+ * automatically.
+ */
+export type ScopeManifest = z.infer<typeof ScopeManifestSchema>;
+//# sourceMappingURL=manifest-schema.d.ts.map

package/dist/src/manifest-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-schema.d.ts","sourceRoot":"","sources":["../../src/manifest-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAiBxB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiB9B,CAAC;AAEH;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC"}

package/dist/src/manifest-schema.js

@@ -0,0 +1,34 @@
+import { z } from "zod";
+/**
+ * Validates that a string is a parseable ISO 8601 date/datetime.
+ *
+ * Date.parse("") returns NaN in all major JS engines, so empty strings are
+ * rejected. Strings like "not-a-date" also produce NaN and are rejected.
+ * Valid variants such as "2026-03-26", "2026-03-26T08:00:00Z", and
+ * "2026-03-26T08:00:00+05:30" all parse to finite numbers and pass.
+ */
+const isoDateString = z
+    .string()
+    .min(1, { message: "Date string must not be empty" })
+    .refine((val) => !isNaN(Date.parse(val)), {
+    message: "Must be a valid ISO 8601 date string",
+});
+export const ScopeManifestSchema = z.object({
+    engagement_id: z.string().min(1, { message: "engagement_id must not be empty" }),
+    client: z.string().min(1, { message: "client must not be empty" }),
+    operator: z.string().min(1, { message: "operator must not be empty" }),
+    authorized_targets: z.object({
+        ip_ranges: z.array(z.string()),
+        domains: z.array(z.string()),
+        urls: z.array(z.string()),
+        cloud_accounts: z.array(z.string()),
+    }),
+    excluded_targets: z.array(z.string()),
+    authorized_techniques: z.array(z.string()),
+    excluded_techniques: z.array(z.string()),
+    engagement_window: z.object({
+        start: isoDateString,
+        end: isoDateString,
+    }),
+});
+//# sourceMappingURL=manifest-schema.js.map

package/dist/src/manifest-schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-schema.js","sourceRoot":"","sources":["../../src/manifest-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;GAOG;AACH,MAAM,aAAa,GAAG,CAAC;KACpB,MAAM,EAAE;KACR,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;KACpD,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE;IACxC,OAAO,EAAE,sCAAsC;CAChD,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC;IAChF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;IAClE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,4BAA4B,EAAE,CAAC;IACtE,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC;QAC3B,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC9B,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACzB,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACpC,CAAC;IACF,gBAAgB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACrC,qBAAqB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAC1C,mBAAmB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACxC,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC;QAC1B,KAAK,EAAE,aAAa;QACpB,GAAG,EAAE,aAAa;KACnB,CAAC;CACH,CAAC,CAAC"}

package/dist/src/manifest.d.ts

@@ -0,0 +1,3 @@
+import type { ScopeManifest } from "./manifest-schema.js";
+export declare function loadManifest(): Promise<ScopeManifest>;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/src/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/manifest.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAqB1D,wBAAsB,YAAY,IAAI,OAAO,CAAC,aAAa,CAAC,CA2G3D"}

package/dist/src/manifest.js

@@ -0,0 +1,115 @@
+import { readFileSync } from "node:fs";
+import { ScopeManifestSchema } from "./manifest-schema.js";
+function parseAndValidate(json, source) {
+    let parsed;
+    try {
+        parsed = JSON.parse(json);
+    }
+    catch (err) {
+        throw new Error(`Failed to parse manifest JSON from ${source}: ${err.message}`);
+    }
+    const result = ScopeManifestSchema.safeParse(parsed);
+    if (!result.success) {
+        const issues = result.error.issues
+            .map((i) => `${i.path.join(".")}: ${i.message}`)
+            .join("; ");
+        throw new Error(`Manifest from ${source} failed schema validation: ${issues}`);
+    }
+    return result.data;
+}
+export async function loadManifest() {
+    // 1. Inline JSON env var — highest priority
+    const inlineJson = process.env.SCOPE_MANIFEST_JSON;
+    if (inlineJson) {
+        return parseAndValidate(inlineJson, "SCOPE_MANIFEST_JSON");
+    }
+    // 2. File path env var
+    const filePath = process.env.SCOPE_MANIFEST_PATH;
+    if (filePath) {
+        let fileContents;
+        try {
+            fileContents = readFileSync(filePath, "utf-8");
+        }
+        catch (err) {
+            throw new Error(`Failed to read manifest file at "${filePath}": ${err.message}`);
+        }
+        return parseAndValidate(fileContents, `file:${filePath}`);
+    }
+    // 3. AWS Secrets Manager
+    const secretArn = process.env.SCOPE_MANIFEST_SECRET_ARN;
+    if (secretArn) {
+        try {
+            const awsMod = "@aws-sdk/client-secrets-manager";
+            const { SecretsManagerClient, GetSecretValueCommand } = await import(
+            /* @vite-ignore */ awsMod);
+            const client = new SecretsManagerClient({});
+            const response = await client.send(new GetSecretValueCommand({ SecretId: secretArn }));
+            const secretString = response.SecretString;
+            if (!secretString) {
+                throw new Error("Secret value is empty or binary (binary secrets are not supported)");
+            }
+            return parseAndValidate(secretString, `AWS Secrets Manager ARN: ${secretArn}`);
+        }
+        catch (err) {
+            if (err.code === "ERR_MODULE_NOT_FOUND") {
+                throw new Error("SCOPE_MANIFEST_SECRET_ARN is set but @aws-sdk/client-secrets-manager is not installed. " +
+                    "Install it with: npm install @aws-sdk/client-secrets-manager");
+            }
+            throw err;
+        }
+    }
+    // 4. Azure Key Vault
+    const keyvaultUri = process.env.SCOPE_MANIFEST_KEYVAULT_URI;
+    if (keyvaultUri) {
+        try {
+            const kvMod = "@azure/keyvault-secrets";
+            const idMod = "@azure/identity";
+            const { SecretClient } = await import(/* @vite-ignore */ kvMod);
+            const { DefaultAzureCredential } = await import(/* @vite-ignore */ idMod);
+            const credential = new DefaultAzureCredential();
+            const client = new SecretClient(keyvaultUri, credential);
+            // The URI may be in the form https://vault.azure.net/secrets/secretName
+            // or we use a convention: treat the env var as the vault base URI
+            // and look for secret named "scope-manifest"
+            const secretName = process.env.SCOPE_MANIFEST_KEYVAULT_SECRET_NAME || "scope-manifest";
+            const secret = await client.getSecret(secretName);
+            if (!secret.value) {
+                throw new Error(`Secret "${secretName}" in Key Vault has no value`);
+            }
+            return parseAndValidate(secret.value, `Azure Key Vault: ${keyvaultUri}/${secretName}`);
+        }
+        catch (err) {
+            if (err.code === "ERR_MODULE_NOT_FOUND") {
+                throw new Error("SCOPE_MANIFEST_KEYVAULT_URI is set but @azure/keyvault-secrets or @azure/identity is not installed. " +
+                    "Install them with: npm install @azure/keyvault-secrets @azure/identity");
+            }
+            throw err;
+        }
+    }
+    // 5. GCP Secret Manager
+    const gcpSecret = process.env.SCOPE_MANIFEST_GCP_SECRET;
+    if (gcpSecret) {
+        try {
+            const gcpMod = "@google-cloud/secret-manager";
+            const { SecretManagerServiceClient } = await import(/* @vite-ignore */ gcpMod);
+            const client = new SecretManagerServiceClient();
+            const [version] = await client.accessSecretVersion({ name: gcpSecret });
+            const payload = version.payload?.data;
+            if (!payload) {
+                throw new Error(`GCP secret "${gcpSecret}" has no payload data`);
+            }
+            const secretString = typeof payload === "string" ? payload : Buffer.from(payload).toString("utf-8");
+            return parseAndValidate(secretString, `GCP Secret Manager: ${gcpSecret}`);
+        }
+        catch (err) {
+            if (err.code === "ERR_MODULE_NOT_FOUND") {
+                throw new Error("SCOPE_MANIFEST_GCP_SECRET is set but @google-cloud/secret-manager is not installed. " +
+                    "Install it with: npm install @google-cloud/secret-manager");
+            }
+            throw err;
+        }
+    }
+    throw new Error("No scope manifest source configured. Set one of: SCOPE_MANIFEST_JSON, SCOPE_MANIFEST_PATH, " +
+        "SCOPE_MANIFEST_SECRET_ARN, SCOPE_MANIFEST_KEYVAULT_URI, or SCOPE_MANIFEST_GCP_SECRET");
+}
+//# sourceMappingURL=manifest.js.map

package/dist/src/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/manifest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG3D,SAAS,gBAAgB,CAAC,IAAY,EAAE,MAAc;IACpD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC/C,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,iBAAiB,MAAM,8BAA8B,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,4CAA4C;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACnD,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,gBAAgB,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;IAC7D,CAAC;IAED,uBAAuB;IACvB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,YAAoB,CAAC;QACzB,IAAI,CAAC;YACH,YAAY,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,oCAAoC,QAAQ,MAAO,GAAa,CAAC,OAAO,EAAE,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,gBAAgB,CAAC,YAAY,EAAE,QAAQ,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,yBAAyB;IACzB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IACxD,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,iCAAiC,CAAC;YACjD,MAAM,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM;YAClE,kBAAkB,CAAC,MAAM,CAC1B,CAAC;YACF,MAAM,MAAM,GAAG,IAAI,oBAAoB,CAAC,EAAE,CAAC,CAAC;YAC5C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;YACvF,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;YAC3C,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YACxF,CAAC;YACD,OAAO,gBAAgB,CAAC,YAAY,EAAE,4BAA4B,SAAS,EAAE,CAAC,CAAC;QACjF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBACnE,MAAM,IAAI,KAAK,CACb,yFAAyF;oBACvF,8DAA8D,CACjE,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;IAC5D,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,yBAAyB,CAAC;YACxC,MAAM,KAAK,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;YAChE,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;YAC1E,MAAM,UAAU,GAAG,IAAI,sBAAsB,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;YACzD,wEAAwE;YACxE,kEAAkE;YAClE,6CAA6C;YAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,mCAAmC,IAAI,gBAAgB,CAAC;YACvF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,WAAW,UAAU,6BAA6B,CAAC,CAAC;YACtE,CAAC;YACD,OAAO,gBAAgB,CAAC,MAAM,CAAC,KAAK,EAAE,oBAAoB,WAAW,IAAI,UAAU,EAAE,CAAC,CAAC;QACzF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBACnE,MAAM,IAAI,KAAK,CACb,sGAAsG;oBACpG,wEAAwE,CAC3E,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IACxD,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,8BAA8B,CAAC;YAC9C,MAAM,EAAE,0BAA0B,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC/E,MAAM,MAAM,GAAG,IAAI,0BAA0B,EAAE,CAAC;YAChD,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;YACxE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC;YACtC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,eAAe,SAAS,uBAAuB,CAAC,CAAC;YACnE,CAAC;YACD,MAAM,YAAY,GAChB,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAqB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC/F,OAAO,gBAAgB,CAAC,YAAY,EAAE,uBAAuB,SAAS,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBACnE,MAAM,IAAI,KAAK,CACb,sFAAsF;oBACpF,2DAA2D,CAC9D,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CACb,6FAA6F;QAC3F,sFAAsF,CACzF,CAAC;AACJ,CAAC"}

package/dist/src/proxy.d.ts

@@ -0,0 +1,16 @@
+import type { ScopeManifest } from "./types.js";
+import { AuditLogger } from "./audit/index.js";
+import type { ProxyConfig } from "./config.js";
+export declare class ScopeEnforcementProxy {
+    private validator;
+    private auditLogger;
+    private manifest;
+    private config;
+    constructor(manifest: ScopeManifest, config: ProxyConfig);
+    getAuditLogger(): AuditLogger;
+    handleMessage(message: unknown): Promise<{
+        forward: boolean;
+        response?: unknown;
+    }>;
+}
+//# sourceMappingURL=proxy.d.ts.map

package/dist/src/proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../src/proxy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAc,MAAM,YAAY,CAAC;AAE5D,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAI/C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,qBAAa,qBAAqB;IAChC,OAAO,CAAC,SAAS,CAAiB;IAClC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,QAAQ,CAAgB;IAChC,OAAO,CAAC,MAAM,CAAc;gBAEhB,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW;IASxD,cAAc,IAAI,WAAW;IAEvB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CAmDzF"}

package/dist/src/proxy.js

@@ -0,0 +1,72 @@
+import { ScopeValidator } from "./validator.js";
+import { AuditLogger } from "./audit/index.js";
+import { sanitizeParams } from "./sanitizer.js";
+import { DnsResolver } from "./dns-resolver.js";
+import { TechniqueChecker } from "./technique-checker.js";
+export class ScopeEnforcementProxy {
+    validator;
+    auditLogger;
+    manifest;
+    config;
+    constructor(manifest, config) {
+        this.manifest = manifest;
+        this.config = config;
+        const dnsResolver = new DnsResolver(config.dnsCacheTtl);
+        const techniqueChecker = new TechniqueChecker();
+        this.validator = new ScopeValidator(manifest, dnsResolver, techniqueChecker);
+        this.auditLogger = new AuditLogger(config.auditLogPath);
+    }
+    getAuditLogger() { return this.auditLogger; }
+    async handleMessage(message) {
+        // Only intercept tools/call JSON-RPC requests
+        if (!isToolCallRequest(message)) {
+            return { forward: true };
+        }
+        const { id, params } = message;
+        const toolName = params?.name ?? "unknown";
+        const toolParams = params?.arguments ?? {};
+        const result = await this.validator.validate(toolName, toolParams);
+        // Build audit entry
+        const entry = {
+            timestamp: new Date().toISOString(),
+            engagement_id: this.manifest.engagement_id,
+            client: this.manifest.client,
+            operator: this.manifest.operator,
+            tool_name: toolName,
+            tool_parameters: sanitizeParams(toolParams),
+            extracted_target: result.extractedTarget ?? null,
+            resolved_ips: result.resolvedIps ?? [],
+            decision: result.decision,
+            decision_reason: result.reason,
+            matched_scope_item: result.matchedScopeItem ?? null,
+            duration_ms: result.durationMs,
+            proxy_version: this.config.proxyVersion,
+        };
+        // Log asynchronously — never block on logging failure
+        this.auditLogger.log(entry).catch((err) => {
+            console.error(`[integsec-agentic-pentest-proxy] Failed to log audit entry: ${err.message}`);
+        });
+        // If blocked, return error response
+        if (result.decision.startsWith("BLOCKED")) {
+            return {
+                forward: false,
+                response: {
+                    jsonrpc: "2.0",
+                    id,
+                    error: {
+                        code: -32001,
+                        message: `SCOPE_VIOLATION: ${result.reason}. Decision: ${result.decision}.`,
+                    },
+                },
+            };
+        }
+        return { forward: true };
+    }
+}
+function isToolCallRequest(msg) {
+    if (typeof msg !== "object" || msg === null)
+        return false;
+    const obj = msg;
+    return obj.method === "tools/call" && obj.jsonrpc === "2.0";
+}
+//# sourceMappingURL=proxy.js.map

package/dist/src/proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy.js","sourceRoot":"","sources":["../../src/proxy.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D,MAAM,OAAO,qBAAqB;IACxB,SAAS,CAAiB;IAC1B,WAAW,CAAc;IACzB,QAAQ,CAAgB;IACxB,MAAM,CAAc;IAE5B,YAAY,QAAuB,EAAE,MAAmB;QACtD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,gBAAgB,GAAG,IAAI,gBAAgB,EAAE,CAAC;QAChD,IAAI,CAAC,SAAS,GAAG,IAAI,cAAc,CAAC,QAAQ,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAC;QAC7E,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1D,CAAC;IAED,cAAc,KAAkB,OAAO,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAE1D,KAAK,CAAC,aAAa,CAAC,OAAgB;QAClC,8CAA8C;QAC9C,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,OAAc,CAAC;QACtC,MAAM,QAAQ,GAAW,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;QACnD,MAAM,UAAU,GAA4B,MAAM,EAAE,SAAS,IAAI,EAAE,CAAC;QAEpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAEnE,oBAAoB;QACpB,MAAM,KAAK,GAAe;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,aAAa;YAC1C,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ;YAChC,SAAS,EAAE,QAAQ;YACnB,eAAe,EAAE,cAAc,CAAC,UAAU,CAAC;YAC3C,gBAAgB,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI;YAChD,YAAY,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE;YACtC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,eAAe,EAAE,MAAM,CAAC,MAAM;YAC9B,kBAAkB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;YACnD,WAAW,EAAE,MAAM,CAAC,UAAU;YAC9B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;SACxC,CAAC;QAEF,sDAAsD;QACtD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACxC,OAAO,CAAC,KAAK,CAAC,+DAA+D,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC9F,CAAC,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE;oBACR,OAAO,EAAE,KAAK;oBACd,EAAE;oBACF,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,oBAAoB,MAAM,CAAC,MAAM,eAAe,MAAM,CAAC,QAAQ,GAAG;qBAC5E;iBACF;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,OAAO,GAAG,CAAC,MAAM,KAAK,YAAY,IAAI,GAAG,CAAC,OAAO,KAAK,KAAK,CAAC;AAC9D,CAAC"}

package/dist/src/sanitizer.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Parameter sanitizer — redacts sensitive values from tool parameter objects
+ * before they are logged or forwarded.
+ *
+ * Sensitive key names are matched case-insensitively against an exact list.
+ * Nested objects and arrays are recursed into so that deeply nested credentials
+ * are also redacted.  The original object is never mutated; a new copy is
+ * always returned.
+ */
+/**
+ * Return a deep copy of `params` with any values whose key matches the
+ * sensitive-key list replaced by `"[REDACTED]"`.
+ *
+ * Matching is case-insensitive and exact (no prefix/suffix matching).
+ * Nested objects and arrays of objects are recursed into.
+ * The original `params` object is never mutated.
+ */
+export declare function sanitizeParams(params: Record<string, unknown>): Record<string, unknown>;
+//# sourceMappingURL=sanitizer.d.ts.map

package/dist/src/sanitizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizer.d.ts","sourceRoot":"","sources":["../../src/sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA0DH;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzB"}

package/dist/src/sanitizer.js

@@ -0,0 +1,68 @@
+/**
+ * Parameter sanitizer — redacts sensitive values from tool parameter objects
+ * before they are logged or forwarded.
+ *
+ * Sensitive key names are matched case-insensitively against an exact list.
+ * Nested objects and arrays are recursed into so that deeply nested credentials
+ * are also redacted.  The original object is never mutated; a new copy is
+ * always returned.
+ */
+const REDACTED = "[REDACTED]";
+/**
+ * Regex that matches a key name that is *exactly* one of the sensitive words
+ * (case-insensitive, full-string match).
+ */
+const SENSITIVE_KEY_RE = /^(password|passwd|token|secret|key|credential|auth|apikey|api_key|authorization)$/i;
+/** Returns true if the given key should have its value redacted. */
+function isSensitive(key) {
+    return SENSITIVE_KEY_RE.test(key);
+}
+/**
+ * Recursively sanitize an unknown value that may be a plain object, an array,
+ * or a primitive.  When called from the top-level sanitizeParams the `key`
+ * parameter is always provided so we can decide whether to redact.
+ *
+ * @param value - the value to sanitize
+ * @param key   - the object key under which this value sits (undefined for the
+ *                top-level call where there is no parent key)
+ */
+function sanitizeValue(value, key) {
+    // If this value sits under a sensitive key, redact it immediately —
+    // regardless of the value's own type (string, number, null, object, …).
+    if (key !== undefined && isSensitive(key)) {
+        return REDACTED;
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => {
+            // Array items do not inherit a key name, so we only recurse into objects.
+            if (item !== null && typeof item === "object" && !Array.isArray(item)) {
+                return sanitizeObject(item);
+            }
+            return item;
+        });
+    }
+    if (value !== null && typeof value === "object") {
+        return sanitizeObject(value);
+    }
+    return value;
+}
+/** Shallow-copy an object and recursively sanitize every property. */
+function sanitizeObject(obj) {
+    const result = {};
+    for (const [k, v] of Object.entries(obj)) {
+        result[k] = sanitizeValue(v, k);
+    }
+    return result;
+}
+/**
+ * Return a deep copy of `params` with any values whose key matches the
+ * sensitive-key list replaced by `"[REDACTED]"`.
+ *
+ * Matching is case-insensitive and exact (no prefix/suffix matching).
+ * Nested objects and arrays of objects are recursed into.
+ * The original `params` object is never mutated.
+ */
+export function sanitizeParams(params) {
+    return sanitizeObject(params);
+}
+//# sourceMappingURL=sanitizer.js.map

package/dist/src/sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizer.js","sourceRoot":"","sources":["../../src/sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,QAAQ,GAAG,YAAY,CAAC;AAE9B;;;GAGG;AACH,MAAM,gBAAgB,GACpB,oFAAoF,CAAC;AAEvF,oEAAoE;AACpE,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa,CAAC,KAAc,EAAE,GAAY;IACjD,oEAAoE;IACpE,wEAAwE;IACxE,IAAI,GAAG,KAAK,SAAS,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACxB,0EAA0E;YAC1E,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtE,OAAO,cAAc,CAAC,IAA+B,CAAC,CAAC;YACzD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,cAAc,CAAC,KAAgC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,sEAAsE;AACtE,SAAS,cAAc,CAAC,GAA4B;IAClD,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,MAA+B;IAE/B,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC"}

package/dist/src/technique-checker.d.ts

@@ -0,0 +1,50 @@
+/**
+ * TechniqueChecker
+ *
+ * Maps tool names to technique categories using exact-match lists and
+ * substring patterns. All comparisons are case-insensitive.
+ *
+ * Default categories:
+ *   dos              — denial-of-service flooding tools
+ *   destructive      — data-wiping / destructive tools
+ *   social_engineering — phishing / credential-harvesting frameworks
+ *
+ * Custom mappings passed to the constructor are merged with the defaults
+ * (they do not replace them). Both exact lists and patterns are extended
+ * per-category.
+ */
+export interface TechniqueMapping {
+    /** Tool names that must match exactly (case-insensitive). */
+    exact: string[];
+    /** Substrings; tool name is matched if it contains any of these (case-insensitive). */
+    patterns: string[];
+}
+export type TechniqueMappings = Record<string, TechniqueMapping>;
+export declare class TechniqueChecker {
+    private readonly mappings;
+    /**
+     * @param customMappings  Optional extra mappings to merge on top of the
+     *                        defaults. Keys that already exist in the defaults
+     *                        have their `exact` and `patterns` arrays extended;
+     *                        new keys add entirely new categories.
+     */
+    constructor(customMappings?: TechniqueMappings);
+    /**
+     * Returns the technique category that `toolName` belongs to, or `null` if
+     * no category matches.
+     */
+    getCategory(toolName: string): string | null;
+    /**
+     * Returns `true` when `toolName` belongs to a category that appears in
+     * `excludedTechniques`, `false` otherwise (including when the tool is not
+     * categorised).
+     */
+    isBlocked(toolName: string, excludedTechniques: string[]): boolean;
+    /**
+     * Merges `custom` mappings into `base`, extending per-category arrays rather
+     * than replacing them. Returns a deep-copied result so the originals are
+     * never mutated.
+     */
+    private static mergeMappings;
+}
+//# sourceMappingURL=technique-checker.d.ts.map

package/dist/src/technique-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"technique-checker.d.ts","sourceRoot":"","sources":["../../src/technique-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,6DAA6D;IAC7D,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,uFAAuF;IACvF,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;AAyBjE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoB;IAE7C;;;;;OAKG;gBACS,cAAc,CAAC,EAAE,iBAAiB;IAQ9C;;;OAGG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAoB5C;;;;OAIG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,OAAO;IAalE;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;CAsB7B"}