@m1a0rz/agent-identity 0.1.2

package/dist/src/hooks/before-agent-start.js

@@ -0,0 +1,93 @@
+/**
+ * before_agent_start hook: fetch TIP token and inject credentials into process.env.
+ * 1. Inject credentials into process.env per credential-env-bindings (per-session)
+ * 2. Look up userToken from session store by sessionKey
+ * 3. Call CIS GetWorkloadAccessTokenForJWT
+ * 4. On "token has expired", refresh userToken via refresh_token grant and retry
+ * 5. Store TIP token in tip-store for use by before_tool_call (AuthZ) and downstream
+ */
+import { refreshSessionUserToken } from "../services/session-refresh.js";
+import { loadCredentialEnvBindings } from "../store/credential-env-bindings.js";
+import { getCredential, resolveCredentialValue } from "../store/credential-store.js";
+import { getSession } from "../store/session-store.js";
+import { getTIPToken, setTIPToken } from "../store/tip-store.js";
+import { resolveAgentId } from "../utils/derive-session-key.js";
+function isTokenExpiredError(err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return /token has expired|Invalid token/i.test(msg);
+}
+export function createBeforeAgentStartHandler(deps) {
+    const { storeDir, identityService, getOidcConfigForRefresh, logger } = deps;
+    return async (_event, ctx) => {
+        const sessionKey = ctx.sessionKey;
+        if (!sessionKey)
+            return;
+        try {
+            // 0. Inject credentials into process.env per bindings (clear if no cred to avoid cross-session leak)
+            const bindings = await loadCredentialEnvBindings(storeDir, sessionKey);
+            for (const [provider, envVar] of Object.entries(bindings)) {
+                const cred = await getCredential(storeDir, sessionKey, provider);
+                const value = cred ? resolveCredentialValue(cred) : undefined;
+                logger?.warn?.(`agent-identity: injecting ${envVar}=${value}`);
+                if (value) {
+                    process.env[envVar] = value;
+                }
+                else {
+                    delete process.env[envVar];
+                }
+            }
+        }
+        catch {
+            // Best-effort; do not block agent start
+        }
+        try {
+            // 1. Check if we already have a valid TIP token cached
+            const cached = await getTIPToken(storeDir, sessionKey);
+            if (cached)
+                return;
+            // 2. Look up userToken from session store
+            let session = await getSession(storeDir, sessionKey);
+            if (!session)
+                return;
+            let userToken = session.userToken;
+            try {
+                const agentId = resolveAgentId({
+                    agentId: ctx.agentId,
+                    sessionKey,
+                });
+                const tipEntry = await identityService.getWorkloadAccessToken({
+                    agentId,
+                    userToken,
+                    sub: session.sub,
+                });
+                // 4. Store TIP token
+                await setTIPToken(storeDir, sessionKey, tipEntry);
+                logger.info?.(`agent-identity: TIP token acquired for session ${sessionKey.slice(0, 24)}...`);
+            }
+            catch (err) {
+                if (isTokenExpiredError(err) && getOidcConfigForRefresh && session.refreshToken) {
+                    const refreshed = await refreshSessionUserToken(storeDir, sessionKey, getOidcConfigForRefresh);
+                    if (refreshed) {
+                        session = (await getSession(storeDir, sessionKey)) ?? session;
+                        const agentId = resolveAgentId({
+                            agentId: ctx.agentId,
+                            sessionKey,
+                        });
+                        const tipEntry = await identityService.getWorkloadAccessToken({
+                            agentId,
+                            userToken: refreshed,
+                            sub: session.sub,
+                        });
+                        await setTIPToken(storeDir, sessionKey, tipEntry);
+                        logger.info?.(`agent-identity: TIP token acquired after user token refresh for ${sessionKey.slice(0, 24)}...`);
+                        return;
+                    }
+                }
+                throw err;
+            }
+        }
+        catch (err) {
+            logger.warn?.(`agent-identity: failed to get TIP token for ${sessionKey}: ${String(err)}`);
+        }
+    };
+}

package/dist/src/hooks/before-tool-call.d.ts

@@ -0,0 +1,38 @@
+/**
+ * before_tool_call hook: optional AuthZ check.
+ * When enabled, blocks tool calls for sessions without valid TIP or denied by policy.
+ * Integrates with CheckPermission when identityClient is provided (veadk-style).
+ * Supports low-risk bypass and high-risk pending approval (Channel: poll, Webchat/TUI: retry).
+ *
+ * @see https://github.com/volcengine/veadk-python/blob/main/veadk/tools/builtin_tools/agent_authorization.py
+ */
+import type { IdentityClientInterface } from "../services/identity-client.js";
+import type { PluginConfig } from "../types.js";
+export type BeforeToolCallDeps = {
+    storeDir: string;
+    /** When set, call CheckPermission with principal/originalCallers from TIP token, resource=toolName. */
+    identityClient?: IdentityClientInterface;
+    /** Namespace for CheckPermission. From authz.namespaceName, default "default". */
+    namespaceName?: string;
+    logger: {
+        debug?: (msg: string) => void;
+        warn?: (msg: string) => void;
+    };
+    /** Send message to session (Channel only). For sync approval flow. */
+    sendToSession?: (targetOrSessionKey: string, text: string) => Promise<void>;
+    /** Authz config for low-risk bypass and risk approval. */
+    authz?: PluginConfig["authz"];
+    approvalTtlMs: number;
+};
+export declare function createBeforeToolCallHandler(deps: BeforeToolCallDeps): (event: {
+    toolName: string;
+    params: Record<string, unknown>;
+}, ctx: {
+    agentId?: string;
+    sessionKey?: string;
+    toolName: string;
+}) => Promise<{
+    block?: boolean;
+    blockReason?: string;
+} | void>;
+//# sourceMappingURL=before-tool-call.d.ts.map

package/dist/src/hooks/before-tool-call.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"before-tool-call.d.ts","sourceRoot":"","sources":["../../../src/hooks/before-tool-call.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAC9E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQhD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,uGAAuG;IACvG,cAAc,CAAC,EAAE,uBAAuB,CAAC;IACzC,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACxE,sEAAsE;IACtE,aAAa,CAAC,EAAE,CAAC,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,0DAA0D;IAC1D,KAAK,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAoBF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,kBAAkB,IAgBhE,OAAO;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC5D,KAAK;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,KAC/D,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA4I7D"}

package/dist/src/hooks/before-tool-call.js

@@ -0,0 +1,138 @@
+/**
+ * before_tool_call hook: optional AuthZ check.
+ * When enabled, blocks tool calls for sessions without valid TIP or denied by policy.
+ * Integrates with CheckPermission when identityClient is provided (veadk-style).
+ * Supports low-risk bypass and high-risk pending approval (Channel: poll, Webchat/TUI: retry).
+ *
+ * @see https://github.com/volcengine/veadk-python/blob/main/veadk/tools/builtin_tools/agent_authorization.py
+ */
+import { diagnoseRisk } from "../risk/diagnose-risk.js";
+import { isLowRiskTool } from "../risk/low-risk-tools.js";
+import { getTIPToken } from "../store/tip-store.js";
+import * as toolApprovalStore from "../store/tool-approval-store.js";
+import { supportsSyncApproval } from "../utils/approval-channel.js";
+import { extractDelegationChainFromJwt } from "../utils/auth.js";
+function buildApprovalMessage(toolName, params, approvalId, ttlSeconds, riskReason) {
+    const preview = toolName === "exec" || toolName === "process"
+        ? String(params.command ?? params.cmd ?? params.script ?? "").slice(0, 80)
+        : String(params.path ?? params.target ?? "").slice(0, 80);
+    const reasonLine = riskReason && riskReason.trim()
+        ? `\nRisk: ${riskReason.trim()}`
+        : "";
+    return `Tool "${toolName}"${preview ? ` (${preview}...)` : ""} requires your approval.${reasonLine}\nReply "approve" or /identity approve ${approvalId}. Expires in ${ttlSeconds}s.`;
+}
+export function createBeforeToolCallHandler(deps) {
+    const { storeDir, identityClient, namespaceName = "default", logger, sendToSession, authz, approvalTtlMs, } = deps;
+    const lowRiskBypass = authz?.lowRiskBypass !== false;
+    const requireRiskApproval = authz?.requireRiskApproval !== false;
+    const extraLowRisk = authz?.lowRiskTools;
+    return async (event, ctx) => {
+        const { toolName, params } = event;
+        const sessionKey = ctx.sessionKey;
+        logger?.debug?.(`agent-identity: before_tool_call: toolName=${toolName}`);
+        if (!sessionKey)
+            return;
+        if (lowRiskBypass && isLowRiskTool(toolName, extraLowRisk)) {
+            logger?.debug?.(`agent-identity: low-risk bypass for ${toolName}`);
+            return;
+        }
+        const tip = await getTIPToken(storeDir, sessionKey);
+        if (!tip) {
+            return {
+                block: true,
+                blockReason: "AuthZ: session has no valid identity (TIP token required)",
+            };
+        }
+        if (identityClient) {
+            const chain = extractDelegationChainFromJwt(tip.token);
+            if (!chain) {
+                return {
+                    block: true,
+                    blockReason: "AuthZ: failed to parse delegation chain from TIP token",
+                };
+            }
+            const principal = { Type: "user", Id: chain.principalId };
+            const action = { Type: "Action", Id: "invoke" };
+            const resource = { Type: "tool", Id: toolName };
+            const originalCallers = chain.actors.map((id) => ({
+                Type: "agent",
+                Id: id,
+            }));
+            logger?.debug?.(`agent-identity: before_tool_call: checking permission for ${toolName} (sub: ${tip.sub}), originalCallers: ${originalCallers.map((c) => c.Id).join(", ")}`);
+            try {
+                const result = await identityClient.checkPermission({
+                    namespaceName,
+                    principal,
+                    action,
+                    resource,
+                    originalCallers,
+                });
+                if (!result.allowed) {
+                    return {
+                        block: true,
+                        blockReason: result.message || `AuthZ: CheckPermission denied for tool ${toolName}`,
+                    };
+                }
+            }
+            catch (err) {
+                logger?.debug?.(`agent-identity: CheckPermission error: ${String(err)}`);
+                return {
+                    block: true,
+                    blockReason: `AuthZ: Failed to verify permission: ${String(err)}`,
+                };
+            }
+        }
+        if (!requireRiskApproval) {
+            logger?.debug?.(`agent-identity: AuthZ ok for ${toolName} (sub: ${tip.sub})`);
+            return;
+        }
+        const paramsRecord = params && typeof params === "object" ? params : {};
+        const llmConfig = authz?.enableLlmRiskCheck && authz?.llmRiskCheck ? authz.llmRiskCheck : undefined;
+        const { risk, reason: riskReason } = await diagnoseRisk(toolName, paramsRecord, llmConfig, logger);
+        if (risk !== "high") {
+            logger?.debug?.(`agent-identity: AuthZ ok for ${toolName} (risk=${risk})`);
+            return;
+        }
+        if (toolApprovalStore.hasRecentApproval(sessionKey, toolName, paramsRecord)) {
+            toolApprovalStore.consumeApproval(sessionKey, toolName, paramsRecord);
+            logger?.debug?.(`agent-identity: AuthZ ok for ${toolName} (recent approval)`);
+            return;
+        }
+        const fullHash = toolApprovalStore.hashToolParams(toolName, paramsRecord);
+        const approvalId = toolApprovalStore.shortApprovalId(fullHash + sessionKey + Date.now());
+        const ttlSeconds = Math.floor(approvalTtlMs / 1000);
+        if (supportsSyncApproval(sessionKey) && sendToSession) {
+            toolApprovalStore.createPending({
+                approvalId,
+                sessionKey,
+                toolName,
+                params: paramsRecord,
+                ttlMs: approvalTtlMs,
+            });
+            await sendToSession(sessionKey, buildApprovalMessage(toolName, paramsRecord, approvalId, ttlSeconds, riskReason));
+            const approved = await toolApprovalStore.pollForApproval(approvalId, approvalTtlMs);
+            if (approved) {
+                logger?.debug?.(`agent-identity: AuthZ ok for ${toolName} (approved via poll)`);
+                return;
+            }
+            return {
+                block: true,
+                blockReason: riskReason
+                    ? `AuthZ: High-risk tool requires approval. ${riskReason} Approval timed out or rejected.`
+                    : "AuthZ: High-risk tool requires approval. Approval timed out or rejected.",
+            };
+        }
+        toolApprovalStore.createPending({
+            approvalId,
+            sessionKey,
+            toolName,
+            params: paramsRecord,
+            ttlMs: approvalTtlMs,
+        });
+        const reasonSuffix = riskReason ? ` Reason: ${riskReason}.` : "";
+        return {
+            block: true,
+            blockReason: `AuthZ: High-risk tool requires approval. Run /identity approve ${approvalId}, then retry.${reasonSuffix}`,
+        };
+    };
+}

package/dist/src/risk/classify-risk.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Rule-based risk classification for tool calls.
+ * Used after CheckPermission to determine if user approval is required.
+ */
+export type RiskLevel = "low" | "medium" | "high";
+export type RuleRiskResult = {
+    risk: RiskLevel;
+    reason?: string;
+};
+/**
+ * Classify risk based on built-in rules only.
+ */
+export declare function classifyRiskRules(toolName: string, params: Record<string, unknown>): RuleRiskResult;
+/**
+ * Return built-in risk patterns for display (e.g. identity_list_risk_patterns).
+ */
+export declare function getRiskPatterns(): {
+    commandPatterns: Array<{
+        example: string;
+        reason: string;
+    }>;
+    sensitivePaths: string[];
+};
+//# sourceMappingURL=classify-risk.d.ts.map

package/dist/src/risk/classify-risk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"classify-risk.d.ts","sourceRoot":"","sources":["../../../src/risk/classify-risk.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAElD,MAAM,MAAM,cAAc,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AA+BlE;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,cAAc,CAkBhB;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI;IACjC,eAAe,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5D,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B,CAQA"}

package/dist/src/risk/classify-risk.js

@@ -0,0 +1,61 @@
+/**
+ * Rule-based risk classification for tool calls.
+ * Used after CheckPermission to determine if user approval is required.
+ */
+const DANGEROUS_COMMAND_PATTERNS = [
+    { pattern: /\brm\s+-rf\b/i, reason: "Destructive recursive delete", example: "rm -rf /" },
+    { pattern: /\bsudo\b/i, reason: "Privilege escalation", example: "sudo apt install" },
+    { pattern: /\bchmod\s+[0-7]{3,4}\b/i, reason: "Permission change on filesystem", example: "chmod 777 file" },
+    { pattern: />\s*\/dev\/(sd|nvme|vd)/i, reason: "Direct block device access", example: ">/dev/sda" },
+    { pattern: /\bdd\s+if=/i, reason: "Raw disk write", example: "dd if=/dev/zero of=..." },
+    { pattern: /\bcurl\s+.*\|\s*(bash|sh)\b/i, reason: "Pipe-to-shell from network", example: "curl x | bash" },
+    { pattern: /\bwget\s+.*\|\s*(bash|sh)\b/i, reason: "Pipe-to-shell from network", example: "wget x | sh" },
+];
+const SENSITIVE_PATH_PREFIXES = ["/etc/", "/usr/", "/var/", "/bin/", "/sbin/", "/root/", "/boot/"];
+function containsSensitivePath(path) {
+    if (typeof path !== "string")
+        return false;
+    const normalized = path.replace(/^~\/?/, "").replace(/^\.\//, "");
+    const full = normalized.startsWith("/") ? normalized : `/${normalized}`;
+    return SENSITIVE_PATH_PREFIXES.some((p) => full.startsWith(p) || full.includes("/.ssh/"));
+}
+function getDangerousCommandReason(cmd) {
+    if (typeof cmd !== "string")
+        return undefined;
+    const entry = DANGEROUS_COMMAND_PATTERNS.find((e) => e.pattern.test(cmd));
+    return entry?.reason;
+}
+function isDangerousCommand(cmd) {
+    return getDangerousCommandReason(cmd) !== undefined;
+}
+/**
+ * Classify risk based on built-in rules only.
+ */
+export function classifyRiskRules(toolName, params) {
+    const normalized = toolName.trim().toLowerCase();
+    if (normalized === "exec" || normalized === "process") {
+        const cmd = params.command ?? params.cmd ?? params.script ?? "";
+        if (isDangerousCommand(cmd)) {
+            return { risk: "high", reason: getDangerousCommandReason(cmd) };
+        }
+    }
+    if (normalized === "write" || normalized === "edit" || normalized === "apply_patch") {
+        const path = params.path ?? params.target ?? params.filePath ?? "";
+        if (containsSensitivePath(path)) {
+            return { risk: "high", reason: "Writes to system or sensitive path" };
+        }
+    }
+    return { risk: "medium" };
+}
+/**
+ * Return built-in risk patterns for display (e.g. identity_list_risk_patterns).
+ */
+export function getRiskPatterns() {
+    return {
+        commandPatterns: DANGEROUS_COMMAND_PATTERNS.map((p) => ({
+            example: p.example,
+            reason: p.reason,
+        })),
+        sensitivePaths: [...SENSITIVE_PATH_PREFIXES, "~/.ssh/"],
+    };
+}

package/dist/src/risk/diagnose-risk.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Shared risk diagnosis: rules + optional LLM re-evaluation.
+ * Used by before-tool-call, identity_risk_check, and /identity risk.
+ */
+import type { RiskLevel } from "./classify-risk.js";
+import { type LlmRiskCheckConfig } from "./llm-risk-check.js";
+export type DiagnoseRiskResult = {
+    risk: RiskLevel;
+    reason?: string;
+    source: "rules" | "llm";
+};
+export type AuthzLlmConfig = LlmRiskCheckConfig | undefined;
+/**
+ * Diagnose risk for a tool call. Uses rules first; when rules return "medium"
+ * and LLM config is present, re-evaluates via LLM for context.
+ */
+export declare function diagnoseRisk(toolName: string, params: Record<string, unknown>, llmConfig: AuthzLlmConfig, logger?: {
+    debug?: (msg: string) => void;
+    warn?: (msg: string) => void;
+}): Promise<DiagnoseRiskResult>;
+//# sourceMappingURL=diagnose-risk.d.ts.map

package/dist/src/risk/diagnose-risk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnose-risk.d.ts","sourceRoot":"","sources":["../../../src/risk/diagnose-risk.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAEpD,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAE7B,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,GAAG,KAAK,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,kBAAkB,GAAG,SAAS,CAAC;AAE5D;;;GAGG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,SAAS,EAAE,cAAc,EACzB,MAAM,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvE,OAAO,CAAC,kBAAkB,CAAC,CAmC7B"}

package/dist/src/risk/diagnose-risk.js

@@ -0,0 +1,37 @@
+/**
+ * Shared risk diagnosis: rules + optional LLM re-evaluation.
+ * Used by before-tool-call, identity_risk_check, and /identity risk.
+ */
+import { classifyRiskRules } from "./classify-risk.js";
+import { evaluateRiskLlm, } from "./llm-risk-check.js";
+/**
+ * Diagnose risk for a tool call. Uses rules first; when rules return "medium"
+ * and LLM config is present, re-evaluates via LLM for context.
+ */
+export async function diagnoseRisk(toolName, params, llmConfig, logger) {
+    const ruleResult = classifyRiskRules(toolName, params);
+    if (ruleResult.risk === "medium" &&
+        llmConfig?.endpoint &&
+        llmConfig?.model) {
+        const llmResult = await evaluateRiskLlm(toolName, params, {
+            endpoint: llmConfig.endpoint,
+            api: llmConfig.api ?? "ollama",
+            model: llmConfig.model,
+            apiKey: llmConfig.apiKey,
+            timeoutMs: llmConfig.timeoutMs ?? 10_000,
+            cacheTtlMs: llmConfig.cacheTtlMs ?? 300_000,
+        }, logger);
+        if (llmResult) {
+            return {
+                risk: llmResult.risk,
+                reason: llmResult.reason,
+                source: "llm",
+            };
+        }
+    }
+    return {
+        risk: ruleResult.risk,
+        reason: ruleResult.reason,
+        source: "rules",
+    };
+}

package/dist/src/risk/llm-risk-check.d.ts

@@ -0,0 +1,27 @@
+/**
+ * LLM-based risk classification for tool calls.
+ * Supports Ollama and OpenAI-compatible providers. No core OpenClaw changes.
+ * Reference: GuardSpine plugin (ollamaGenerate, runCouncilReview).
+ */
+import type { RiskLevel } from "./classify-risk.js";
+export type LlmRiskCheckConfig = {
+    endpoint: string;
+    api?: "ollama" | "openai-completions";
+    model: string;
+    apiKey?: string;
+    timeoutMs?: number;
+    /** Cache TTL ms. 0 = disabled. Default 300000. */
+    cacheTtlMs?: number;
+};
+export type LlmRiskResult = {
+    risk: RiskLevel;
+    reason?: string;
+};
+/**
+ * Run LLM risk evaluation. Returns risk level and optional reason, or null on error.
+ */
+export declare function evaluateRiskLlm(toolName: string, params: Record<string, unknown>, config: LlmRiskCheckConfig, logger?: {
+    debug?: (msg: string) => void;
+    warn?: (msg: string) => void;
+}): Promise<LlmRiskResult | null>;
+//# sourceMappingURL=llm-risk-check.d.ts.map

package/dist/src/risk/llm-risk-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-risk-check.d.ts","sourceRoot":"","sources":["../../../src/risk/llm-risk-check.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAkDpD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,QAAQ,GAAG,oBAAoB,CAAC;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AA0CF,MAAM,MAAM,aAAa,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAyJjE;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,kBAAkB,EAC1B,MAAM,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvE,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmE/B"}