npm - @mondaydotcomorg/atp-provenance - Versions diffs - 0.17.14 - Mend

@mondaydotcomorg/atp-provenance 0.17.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/README.md +417 -0
package/dist/ast/instrumentor.d.ts +37 -0
package/dist/ast/instrumentor.d.ts.map +1 -0
package/dist/ast/instrumentor.js +299 -0
package/dist/ast/instrumentor.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +7 -0
package/dist/index.js.map +1 -0
package/dist/policies/engine.d.ts +71 -0
package/dist/policies/engine.d.ts.map +1 -0
package/dist/policies/engine.js +433 -0
package/dist/policies/engine.js.map +1 -0
package/dist/registry.d.ts +94 -0
package/dist/registry.d.ts.map +1 -0
package/dist/registry.js +445 -0
package/dist/registry.js.map +1 -0
package/dist/tokens.d.ts +49 -0
package/dist/tokens.d.ts.map +1 -0
package/dist/tokens.js +239 -0
package/dist/tokens.js.map +1 -0
package/dist/types.d.ts +150 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +47 -0
package/dist/types.js.map +1 -0
package/package.json +51 -0

package/dist/ast/instrumentor.js ADDED Viewed

@@ -0,0 +1,299 @@
+import * as acorn from 'acorn';
+import * as walk from 'acorn-walk';
+import * as escodegen from 'escodegen';
+import { nanoid } from 'nanoid';
+import { ProvenanceSource } from '../types.js';
+import { getProvenance, getProvenanceForPrimitive, markPrimitiveTainted, } from '../registry.js';
+export { getProvenance, getProvenanceForPrimitive };
+/**
+ * Instrument code to track provenance at AST level
+ */
+export function instrumentCode(code) {
+    // Wrap code in async function for parsing (to allow await and return)
+    const wrappedCode = `(async function() {\n${code}\n})`;
+    const ast = acorn.parse(wrappedCode, {
+        ecmaVersion: 2022,
+        sourceType: 'script',
+    });
+    const context = {
+        nextId: 0,
+        trackingCalls: 0,
+    };
+    walk.simple(ast, {
+        BinaryExpression(node) {
+            wrapBinaryExpression(node, context);
+        },
+        AssignmentExpression(node) {
+            wrapAssignment(node, context);
+        },
+        CallExpression(node) {
+            if (node.callee.type === 'MemberExpression') {
+                wrapMethodCall(node, context);
+            }
+        },
+        TemplateLiteral(node) {
+            wrapTemplateLiteral(node, context);
+        },
+    });
+    let instrumentedCode = escodegen.generate(ast);
+    // escodegen adds a trailing semicolon to expression statements
+    // Remove it so the result is a pure function expression that executor can call with ()
+    if (instrumentedCode.endsWith(');')) {
+        instrumentedCode = instrumentedCode.slice(0, -1); // Remove trailing semicolon
+    }
+    return {
+        code: instrumentedCode,
+        metadata: {
+            trackingCalls: context.trackingCalls,
+        },
+    };
+}
+function wrapBinaryExpression(node, context) {
+    context.trackingCalls++;
+    const originalNode = { ...node };
+    node.type = 'CallExpression';
+    node.callee = {
+        type: 'Identifier',
+        name: '__track_binary',
+    };
+    node.arguments = [
+        originalNode.left,
+        originalNode.right,
+        {
+            type: 'Literal',
+            value: originalNode.operator,
+        },
+    ];
+}
+function wrapAssignment(node, context) {
+    context.trackingCalls++;
+    const originalRight = node.right;
+    node.right = {
+        type: 'CallExpression',
+        callee: {
+            type: 'Identifier',
+            name: '__track_assign',
+        },
+        arguments: [
+            {
+                type: 'Literal',
+                value: node.left.type === 'Identifier' ? node.left.name : 'unknown',
+            },
+            originalRight,
+        ],
+    };
+}
+function wrapMethodCall(node, context) {
+    const obj = node.callee.object;
+    const isAPICall = (obj.type === 'Identifier' && (obj.name === 'api' || obj.name === 'atp')) ||
+        (obj.type === 'MemberExpression' && isAPIObject(obj));
+    if (!isAPICall) {
+        return;
+    }
+    context.trackingCalls++;
+    const originalNode = { ...node };
+    node.type = 'CallExpression';
+    node.callee = {
+        type: 'Identifier',
+        name: '__track_method',
+    };
+    node.arguments = [
+        originalNode.callee.object,
+        {
+            type: 'Literal',
+            value: originalNode.callee.property.name || originalNode.callee.property.value,
+        },
+        {
+            type: 'ArrayExpression',
+            elements: originalNode.arguments,
+        },
+    ];
+}
+function isAPIObject(node) {
+    if (node.type === 'Identifier') {
+        return node.name === 'api' || node.name === 'atp';
+    }
+    if (node.type === 'MemberExpression') {
+        return isAPIObject(node.object);
+    }
+    return false;
+}
+function wrapTemplateLiteral(node, context) {
+    context.trackingCalls++;
+    const originalNode = { ...node };
+    node.type = 'CallExpression';
+    node.callee = {
+        type: 'Identifier',
+        name: '__track_template',
+    };
+    node.arguments = [
+        {
+            type: 'ArrayExpression',
+            elements: originalNode.expressions || [],
+        },
+        {
+            type: 'ArrayExpression',
+            elements: (originalNode.quasis || []).map((quasi) => ({
+                type: 'Literal',
+                value: quasi.value.cooked || quasi.value.raw,
+            })),
+        },
+    ];
+}
+/**
+ * Runtime tracking functions injected into sandbox
+ */
+export class ASTProvenanceTracker {
+    metadata = new Map();
+    valueToId = new WeakMap();
+    nextId = 0;
+    getId(value) {
+        if (typeof value === 'object' && value !== null) {
+            const existing = this.valueToId.get(value);
+            if (existing)
+                return existing;
+            const id = `tracked_${this.nextId++}`;
+            this.valueToId.set(value, id);
+            return id;
+        }
+        return `primitive_${nanoid()}`;
+    }
+    track(value, source, dependencies = []) {
+        if (value === null || value === undefined) {
+            return value;
+        }
+        const id = this.getId(value);
+        if (!this.metadata.has(id)) {
+            this.metadata.set(id, {
+                id,
+                source,
+                readers: { type: 'public' },
+                dependencies,
+            });
+        }
+        return value;
+    }
+    trackBinary(left, right, operator) {
+        const leftId = this.getId(left);
+        const rightId = this.getId(right);
+        const leftProv = getProvenance(left) || getProvenanceForPrimitive(left);
+        const rightProv = getProvenance(right) || getProvenanceForPrimitive(right);
+        const toolMetadata = leftProv?.source.type === ProvenanceSource.TOOL
+            ? leftProv
+            : rightProv?.source.type === ProvenanceSource.TOOL
+                ? rightProv
+                : null;
+        let result;
+        switch (operator) {
+            case '+':
+                result = left + right;
+                if (typeof result === 'string' && toolMetadata) {
+                    markPrimitiveTainted(result, toolMetadata);
+                }
+                break;
+            case '-':
+                result = left - right;
+                break;
+            case '*':
+                result = left * right;
+                break;
+            case '/':
+                result = left / right;
+                break;
+            case '%':
+                result = left % right;
+                break;
+            case '===':
+            case '==':
+                result = left === right;
+                break;
+            case '!==':
+            case '!=':
+                result = left !== right;
+                break;
+            case '<':
+                result = left < right;
+                break;
+            case '>':
+                result = left > right;
+                break;
+            case '<=':
+                result = left <= right;
+                break;
+            case '>=':
+                result = left >= right;
+                break;
+            case '&&':
+                result = left && right;
+                break;
+            case '||':
+                result = left || right;
+                break;
+            default:
+                result = undefined;
+        }
+        return this.track(result, { type: 'system', operation: `binary_${operator}`, timestamp: Date.now() }, [leftId, rightId]);
+    }
+    trackAssign(name, value) {
+        return this.track(value, { type: 'system', operation: 'assignment', timestamp: Date.now() }, [this.getId(value)]);
+    }
+    trackMethod(object, method, args) {
+        if (typeof object === 'object' && object !== null && method in object) {
+            const result = object[method](...args);
+            return this.track(result, { type: 'system', operation: `method_${method}`, timestamp: Date.now() }, [this.getId(object), ...args.map((a) => this.getId(a))]);
+        }
+        return undefined;
+    }
+    trackTemplate(expressions, quasis) {
+        let result = '';
+        let toolMetadata = null;
+        for (let i = 0; i < quasis.length; i++) {
+            result += quasis[i] || '';
+            if (i < expressions.length) {
+                const expr = expressions[i];
+                result += String(expr);
+                const prov = getProvenance(expr) || getProvenanceForPrimitive(expr);
+                if (prov && prov.source.type === ProvenanceSource.TOOL && !toolMetadata) {
+                    toolMetadata = prov;
+                }
+            }
+        }
+        if (toolMetadata) {
+            markPrimitiveTainted(result, toolMetadata);
+        }
+        return result;
+    }
+    getMetadata(value) {
+        if (typeof value === 'object' && value !== null) {
+            const id = this.valueToId.get(value);
+            if (id) {
+                return this.metadata.get(id) || null;
+            }
+        }
+        return null;
+    }
+    getAllMetadata() {
+        return new Map(this.metadata);
+    }
+    restoreMetadata(metadata) {
+        this.metadata = new Map(metadata);
+    }
+}
+/**
+ * Create tracking runtime for sandbox injection
+ */
+export function createTrackingRuntime() {
+    const tracker = new ASTProvenanceTracker();
+    return {
+        tracker,
+        runtime: {
+            __track: (value, source, deps) => tracker.track(value, source, deps),
+            __track_binary: (left, right, operator) => tracker.trackBinary(left, right, operator),
+            __track_assign: (name, value) => tracker.trackAssign(name, value),
+            __track_method: (object, method, args) => tracker.trackMethod(object, method, args),
+            __track_template: (expressions, quasis) => tracker.trackTemplate(expressions, quasis),
+            __get_provenance: (value) => tracker.getMetadata(value),
+        },
+    };
+}
+//# sourceMappingURL=instrumentor.js.map

package/dist/ast/instrumentor.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"instrumentor.js","sourceRoot":"","sources":["../../src/ast/instrumentor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,KAAK,IAAI,MAAM,YAAY,CAAC;AACnC,OAAO,KAAK,SAAS,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAEN,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACpB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,CAAC;AAOpD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IAI1C,sEAAsE;IACtE,MAAM,WAAW,GAAG,wBAAwB,IAAI,MAAM,CAAC;IAEvD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE;QACpC,WAAW,EAAE,IAAI;QACjB,UAAU,EAAE,QAAQ;KACpB,CAAQ,CAAC;IAEV,MAAM,OAAO,GAA2B;QACvC,MAAM,EAAE,CAAC;QACT,aAAa,EAAE,CAAC;KAChB,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;QAChB,gBAAgB,CAAC,IAAS;YACzB,oBAAoB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACrC,CAAC;QACD,oBAAoB,CAAC,IAAS;YAC7B,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;QACD,cAAc,CAAC,IAAS;YACvB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAC7C,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC/B,CAAC;QACF,CAAC;QACD,eAAe,CAAC,IAAS;YACxB,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;KACD,CAAC,CAAC;IAEH,IAAI,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAE/C,+DAA+D;IAC/D,uFAAuF;IACvF,IAAI,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrC,gBAAgB,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,4BAA4B;IAC/E,CAAC;IAED,OAAO;QACN,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE;YACT,aAAa,EAAE,OAAO,CAAC,aAAa;SACpC;KACD,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAS,EAAE,OAA+B;IACvE,OAAO,CAAC,aAAa,EAAE,CAAC;IAExB,MAAM,YAAY,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;IAEjC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC7B,IAAI,CAAC,MAAM,GAAG;QACb,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,gBAAgB;KACtB,CAAC;IACF,IAAI,CAAC,SAAS,GAAG;QAChB,YAAY,CAAC,IAAI;QACjB,YAAY,CAAC,KAAK;QAClB;YACC,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,YAAY,CAAC,QAAQ;SAC5B;KACD,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAS,EAAE,OAA+B;IACjE,OAAO,CAAC,aAAa,EAAE,CAAC;IAExB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC;IACjC,IAAI,CAAC,KAAK,GAAG;QACZ,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE;YACP,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,gBAAgB;SACtB;QACD,SAAS,EAAE;YACV;gBACC,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;aACnE;YACD,aAAa;SACb;KACD,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAS,EAAE,OAA+B;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAE/B,MAAM,SAAS,GACd,CAAC,GAAG,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC;QACzE,CAAC,GAAG,CAAC,IAAI,KAAK,kBAAkB,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;IAEvD,IAAI,CAAC,SAAS,EAAE,CAAC;QAChB,OAAO;IACR,CAAC;IAED,OAAO,CAAC,aAAa,EAAE,CAAC;IAExB,MAAM,YAAY,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;IAEjC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC7B,IAAI,CAAC,MAAM,GAAG;QACb,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,gBAAgB;KACtB,CAAC;IACF,IAAI,CAAC,SAAS,GAAG;QAChB,YAAY,CAAC,MAAM,CAAC,MAAM;QAC1B;YACC,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK;SAC9E;QACD;YACC,IAAI,EAAE,iBAAiB;YACvB,QAAQ,EAAE,YAAY,CAAC,SAAS;SAChC;KACD,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,IAAS;IAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC;IACnD,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACtC,OAAO,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAS,EAAE,OAA+B;IACtE,OAAO,CAAC,aAAa,EAAE,CAAC;IAExB,MAAM,YAAY,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;IAEjC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC7B,IAAI,CAAC,MAAM,GAAG;QACb,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,kBAAkB;KACxB,CAAC;IACF,IAAI,CAAC,SAAS,GAAG;QAChB;YACC,IAAI,EAAE,iBAAiB;YACvB,QAAQ,EAAE,YAAY,CAAC,WAAW,IAAI,EAAE;SACxC;QACD;YACC,IAAI,EAAE,iBAAiB;YACvB,QAAQ,EAAE,CAAC,YAAY,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,KAAU,EAAE,EAAE,CAAC,CAAC;gBAC1D,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG;aAC5C,CAAC,CAAC;SACH;KACD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,oBAAoB;IACxB,QAAQ,GAAoC,IAAI,GAAG,EAAE,CAAC;IACtD,SAAS,GAA4B,IAAI,OAAO,EAAE,CAAC;IACnD,MAAM,GAAG,CAAC,CAAC;IAEX,KAAK,CAAC,KAAc;QAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAe,CAAC,CAAC;YACrD,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC;YAE9B,MAAM,EAAE,GAAG,WAAW,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAe,EAAE,EAAE,CAAC,CAAC;YACxC,OAAO,EAAE,CAAC;QACX,CAAC;QACD,OAAO,aAAa,MAAM,EAAE,EAAE,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,KAAc,EAAE,MAAsB,EAAE,eAAyB,EAAE;QACxE,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO,KAAK,CAAC;QACd,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE7B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE;gBACrB,EAAE;gBACF,MAAM;gBACN,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBAC3B,YAAY;aACZ,CAAC,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC;IACd,CAAC;IAED,WAAW,CAAC,IAAa,EAAE,KAAc,EAAE,QAAgB;QAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAElC,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,yBAAyB,CAAC,KAAK,CAAC,CAAC;QAC3E,MAAM,YAAY,GACjB,QAAQ,EAAE,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI;YAC9C,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI;gBACjD,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,CAAC;QAEV,IAAI,MAAe,CAAC;QACpB,QAAQ,QAAQ,EAAE,CAAC;YAClB,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,YAAY,EAAE,CAAC;oBAChD,oBAAoB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;gBAC5C,CAAC;gBACD,MAAM;YACP,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,MAAM;YACP,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,MAAM;YACP,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,MAAM;YACP,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,MAAM;YACP,KAAK,KAAK,CAAC;YACX,KAAK,IAAI;gBACR,MAAM,GAAG,IAAI,KAAK,KAAK,CAAC;gBACxB,MAAM;YACP,KAAK,KAAK,CAAC;YACX,KAAK,IAAI;gBACR,MAAM,GAAG,IAAI,KAAK,KAAK,CAAC;gBACxB,MAAM;YACP,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,MAAM;YACP,KAAK,GAAG;gBACP,MAAM,GAAI,IAAY,GAAI,KAAa,CAAC;gBACxC,MAAM;YACP,KAAK,IAAI;gBACR,MAAM,GAAI,IAAY,IAAK,KAAa,CAAC;gBACzC,MAAM;YACP,KAAK,IAAI;gBACR,MAAM,GAAI,IAAY,IAAK,KAAa,CAAC;gBACzC,MAAM;YACP,KAAK,IAAI;gBACR,MAAM,GAAG,IAAI,IAAI,KAAK,CAAC;gBACvB,MAAM;YACP,KAAK,IAAI;gBACR,MAAM,GAAG,IAAI,IAAI,KAAK,CAAC;gBACvB,MAAM;YACP;gBACC,MAAM,GAAG,SAAS,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,CAChB,MAAM,EACN,EAAE,IAAI,EAAE,QAAe,EAAE,SAAS,EAAE,UAAU,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EACjF,CAAC,MAAM,EAAE,OAAO,CAAC,CACjB,CAAC;IACH,CAAC;IAED,WAAW,CAAC,IAAY,EAAE,KAAc;QACvC,OAAO,IAAI,CAAC,KAAK,CAChB,KAAK,EACL,EAAE,IAAI,EAAE,QAAe,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EACzE,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CACnB,CAAC;IACH,CAAC;IAED,WAAW,CAAC,MAAe,EAAE,MAAc,EAAE,IAAe;QAC3D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,IAAK,MAAc,EAAE,CAAC;YAChF,MAAM,MAAM,GAAI,MAAc,CAAC,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAEhD,OAAO,IAAI,CAAC,KAAK,CAChB,MAAM,EACN,EAAE,IAAI,EAAE,QAAe,EAAE,SAAS,EAAE,UAAU,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EAC/E,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CACvD,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,aAAa,CAAC,WAAsB,EAAE,MAAgB;QACrD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,YAAY,GAA8B,IAAI,CAAC;QAEnD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;gBAC5B,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEvB,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC;gBACpE,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;oBACzE,YAAY,GAAG,IAAI,CAAC;gBACrB,CAAC;YACF,CAAC;QACF,CAAC;QAED,IAAI,YAAY,EAAE,CAAC;YAClB,oBAAoB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,MAAM,CAAC;IACf,CAAC;IAED,WAAW,CAAC,KAAc;QACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACjD,MAAM,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAe,CAAC,CAAC;YAC/C,IAAI,EAAE,EAAE,CAAC;gBACR,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;YACtC,CAAC;QACF,CAAC;QACD,OAAO,IAAI,CAAC;IACb,CAAC;IAED,cAAc;QACb,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAED,eAAe,CAAC,QAAyC;QACxD,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;CACD;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB;IAIpC,MAAM,OAAO,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAE3C,OAAO;QACN,OAAO;QACP,OAAO,EAAE;YACR,OAAO,EAAE,CAAC,KAAc,EAAE,MAAsB,EAAE,IAAe,EAAE,EAAE,CACpE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC;YACnC,cAAc,EAAE,CAAC,IAAa,EAAE,KAAc,EAAE,QAAgB,EAAE,EAAE,CACnE,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC;YAC3C,cAAc,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC;YAClF,cAAc,EAAE,CAAC,MAAe,EAAE,MAAc,EAAE,IAAe,EAAE,EAAE,CACpE,OAAO,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC;YAC1C,gBAAgB,EAAE,CAAC,WAAsB,EAAE,MAAgB,EAAE,EAAE,CAC9D,OAAO,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC;YAC3C,gBAAgB,EAAE,CAAC,KAAc,EAAE,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC;SAChE;KACD,CAAC;AACH,CAAC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export * from './types.js';
+export { createProvenanceProxy, getProvenance, hasProvenance, getAllProvenance, canRead, getProvenanceForPrimitive, markPrimitiveTainted, isPrimitiveTainted, setProvenanceExecutionId, clearProvenanceExecutionId, registerProvenanceMetadata, cleanupProvenanceForExecution, captureProvenanceState, restoreProvenanceState, captureProvenanceSnapshot, restoreProvenanceSnapshot, } from './registry.js';
+export { issueProvenanceToken, verifyProvenanceToken, verifyProvenanceHints, computeDigest, stableStringify, getClientSecret, type TokenPayload, } from './tokens.js';
+export { SecurityPolicyEngine, type Logger } from './policies/engine.js';
+export { preventDataExfiltration, preventDataExfiltrationWithApproval, requireUserOrigin, requireUserOriginWithApproval, blockLLMRecipients, blockLLMRecipientsWithApproval, auditSensitiveAccess, getBuiltInPolicies, getBuiltInPoliciesWithApproval, createCustomPolicy, } from './policies/engine.js';
+export { instrumentCode, createTrackingRuntime } from './ast/instrumentor.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAE3B,OAAO,EACN,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,OAAO,EACP,yBAAyB,EACzB,oBAAoB,EACpB,kBAAkB,EAClB,wBAAwB,EACxB,0BAA0B,EAC1B,0BAA0B,EAC1B,6BAA6B,EAC7B,sBAAsB,EACtB,sBAAsB,EACtB,yBAAyB,EACzB,yBAAyB,GACzB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACN,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,aAAa,EACb,eAAe,EACf,eAAe,EACf,KAAK,YAAY,GACjB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,oBAAoB,EAAE,KAAK,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAEzE,OAAO,EACN,uBAAuB,EACvB,mCAAmC,EACnC,iBAAiB,EACjB,6BAA6B,EAC7B,kBAAkB,EAClB,8BAA8B,EAC9B,oBAAoB,EACpB,kBAAkB,EAClB,8BAA8B,EAC9B,kBAAkB,GAClB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+export * from './types.js';
+export { createProvenanceProxy, getProvenance, hasProvenance, getAllProvenance, canRead, getProvenanceForPrimitive, markPrimitiveTainted, isPrimitiveTainted, setProvenanceExecutionId, clearProvenanceExecutionId, registerProvenanceMetadata, cleanupProvenanceForExecution, captureProvenanceState, restoreProvenanceState, captureProvenanceSnapshot, restoreProvenanceSnapshot, } from './registry.js';
+export { issueProvenanceToken, verifyProvenanceToken, verifyProvenanceHints, computeDigest, stableStringify, getClientSecret, } from './tokens.js';
+export { SecurityPolicyEngine } from './policies/engine.js';
+export { preventDataExfiltration, preventDataExfiltrationWithApproval, requireUserOrigin, requireUserOriginWithApproval, blockLLMRecipients, blockLLMRecipientsWithApproval, auditSensitiveAccess, getBuiltInPolicies, getBuiltInPoliciesWithApproval, createCustomPolicy, } from './policies/engine.js';
+export { instrumentCode, createTrackingRuntime } from './ast/instrumentor.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAE3B,OAAO,EACN,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,OAAO,EACP,yBAAyB,EACzB,oBAAoB,EACpB,kBAAkB,EAClB,wBAAwB,EACxB,0BAA0B,EAC1B,0BAA0B,EAC1B,6BAA6B,EAC7B,sBAAsB,EACtB,sBAAsB,EACtB,yBAAyB,EACzB,yBAAyB,GACzB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACN,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,aAAa,EACb,eAAe,EACf,eAAe,GAEf,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,oBAAoB,EAAe,MAAM,sBAAsB,CAAC;AAEzE,OAAO,EACN,uBAAuB,EACvB,mCAAmC,EACnC,iBAAiB,EACjB,6BAA6B,EAC7B,kBAAkB,EAClB,8BAA8B,EAC9B,oBAAoB,EACpB,kBAAkB,EAClB,8BAA8B,EAC9B,kBAAkB,GAClB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/policies/engine.d.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * Security Policy Engine
+ *
+ */
+import type { SecurityPolicy } from '../types.js';
+export interface Logger {
+    debug: (msg: string, obj?: any) => void;
+    info: (msg: string, obj?: any) => void;
+    warn: (msg: string, obj?: any) => void;
+    error: (msg: string, obj?: any) => void;
+}
+export declare class SecurityPolicyEngine {
+    private policies;
+    private logger;
+    private approvalCallback?;
+    private customGetProvenance?;
+    constructor(policies: SecurityPolicy[], logger: Logger, customGetProvenance?: (value: unknown) => any);
+    /**
+     * Set a custom getProvenance function (e.g., for AST mode)
+     */
+    setGetProvenance(fn: (value: unknown) => any): void;
+    /**
+     * Set approval callback for policies that return action='approve'
+     */
+    setApprovalCallback(callback: (message: string, context: Record<string, unknown>) => Promise<boolean>): void;
+    checkTool(toolName: string, apiGroup: string, args: Record<string, unknown>): Promise<void>;
+    private normalizeAction;
+    private requestApproval;
+    private sanitizeArgs;
+}
+/**
+ * Prevent data exfiltration - blocks sending private data to unauthorized recipients
+ */
+export declare const preventDataExfiltration: SecurityPolicy;
+/**
+ * Prevent data exfiltration (approval mode) - requires approval for risky sends
+ */
+export declare const preventDataExfiltrationWithApproval: SecurityPolicy;
+/**
+ * Require user origin - ensures sensitive operations only use user-provided data
+ */
+export declare const requireUserOrigin: SecurityPolicy;
+/**
+ * Require user origin (approval mode) - requires approval for non-user-originated critical operations
+ */
+export declare const requireUserOriginWithApproval: SecurityPolicy;
+/**
+ * Block LLM-generated recipients - prevents sending to LLM-extracted emails
+ */
+export declare const blockLLMRecipients: SecurityPolicy;
+/**
+ * Block LLM-generated recipients (approval mode) - requires approval for LLM-extracted emails
+ */
+export declare const blockLLMRecipientsWithApproval: SecurityPolicy;
+/**
+ * Audit sensitive data access - logs access without blocking
+ */
+export declare const auditSensitiveAccess: SecurityPolicy;
+/**
+ * Helper: Create custom policy
+ */
+export declare function createCustomPolicy(name: string, description: string, checkFn: SecurityPolicy['check']): SecurityPolicy;
+/**
+ * Get all built-in policies
+ */
+export declare function getBuiltInPolicies(): SecurityPolicy[];
+/**
+ * Get all built-in policies with approval variants
+ */
+export declare function getBuiltInPoliciesWithApproval(): SecurityPolicy[];
+//# sourceMappingURL=engine.d.ts.map

package/dist/policies/engine.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/policies/engine.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,cAAc,EAAkD,MAAM,aAAa,CAAC;AASlG,MAAM,WAAW,MAAM;IACtB,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IACxC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IACvC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;IACvC,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC;CACxC;AAED,qBAAa,oBAAoB;IAChC,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,gBAAgB,CAAC,CAGH;IACtB,OAAO,CAAC,mBAAmB,CAAC,CAA0B;gBAGrD,QAAQ,EAAE,cAAc,EAAE,EAC1B,MAAM,EAAE,MAAM,EACd,mBAAmB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,GAAG;IAO9C;;OAEG;IACH,gBAAgB,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,GAAG,GAAG,IAAI;IAInD;;OAEG;IACH,mBAAmB,CAClB,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,GAC/E,IAAI;IAID,SAAS,CACd,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,OAAO,CAAC,IAAI,CAAC;IA8EhB,OAAO,CAAC,eAAe;YAYT,eAAe;IAmC7B,OAAO,CAAC,YAAY;CAapB;AA+DD;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cA0CrC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mCAAmC,EAAE,cA0CjD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,cAkC/B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B,EAAE,cAmC3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,cAyBhC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,EAAE,cA0B5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,cAyBlC,CAAC;AAEF;;GAEG;AACH,wBAAgB,kBAAkB,CACjC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,cAAc,CAAC,OAAO,CAAC,GAC9B,cAAc,CAEhB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,cAAc,EAAE,CAErD;AAED;;GAEG;AACH,wBAAgB,8BAA8B,IAAI,cAAc,EAAE,CAOjE"}