@nano-rs/dac-core 0.1.0

package/dist/index.js

@@ -0,0 +1,930 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/parser/index.ts
+import { parse as parseYaml } from "yaml";
+var FRONTMATTER_REGEX = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
+function parseDetectionFile(content, filePath) {
+  const errors = [];
+  const match = content.match(FRONTMATTER_REGEX);
+  if (!match) {
+    if (!content.startsWith("---")) {
+      return {
+        success: false,
+        errors: [
+          {
+            type: "frontmatter_missing",
+            message: "Detection file must start with YAML frontmatter delimited by ---",
+            line: 1
+          }
+        ]
+      };
+    }
+    const closingIndex = content.indexOf("\n---", 4);
+    if (closingIndex === -1) {
+      return {
+        success: false,
+        errors: [
+          {
+            type: "frontmatter_malformed",
+            message: "Missing closing --- delimiter for frontmatter",
+            line: 1
+          }
+        ]
+      };
+    }
+    return {
+      success: false,
+      errors: [
+        {
+          type: "frontmatter_malformed",
+          message: "Invalid frontmatter format. Expected: ---\\n<yaml>\\n---\\n<query>"
+        }
+      ]
+    };
+  }
+  const [, yamlContent, queryContent] = match;
+  let metadata;
+  try {
+    const parsed = parseYaml(yamlContent);
+    if (typeof parsed !== "object" || parsed === null) {
+      return {
+        success: false,
+        errors: [
+          {
+            type: "yaml_invalid",
+            message: "Frontmatter must be a YAML object"
+          }
+        ]
+      };
+    }
+    metadata = parsed;
+  } catch (e) {
+    const yamlError = e;
+    const line = yamlError.linePos?.[0]?.line;
+    const col = yamlError.linePos?.[0]?.col;
+    return {
+      success: false,
+      errors: [
+        {
+          type: "yaml_invalid",
+          message: `Invalid YAML: ${yamlError.message}`,
+          line: line ? line + 1 : void 0,
+          // +1 for the opening ---
+          column: col
+        }
+      ]
+    };
+  }
+  if (typeof metadata.mitre_tactics === "string") {
+    metadata.mitre_tactics = [metadata.mitre_tactics];
+  }
+  if (typeof metadata.mitre_techniques === "string") {
+    metadata.mitre_techniques = [metadata.mitre_techniques];
+  }
+  if (typeof metadata.tags === "string") {
+    metadata.tags = [metadata.tags];
+  }
+  const query = queryContent.trim();
+  if (!query) {
+    return {
+      success: false,
+      errors: [
+        {
+          type: "query_missing",
+          message: "Detection file must include a query after the frontmatter"
+        }
+      ]
+    };
+  }
+  return {
+    success: true,
+    detection: {
+      filePath,
+      metadata,
+      query,
+      raw: content
+    },
+    errors
+  };
+}
+function parseMultipleFiles(files) {
+  const results = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    results.set(file.path, parseDetectionFile(file.content, file.path));
+  }
+  return results;
+}
+function serializeDetection(detection) {
+  const { stringify } = __require("yaml");
+  const yaml = stringify(detection.metadata);
+  return `---
+${yaml}---
+${detection.query}
+`;
+}
+
+// src/validator/index.ts
+var VALID_SEVERITIES = [
+  "critical",
+  "high",
+  "medium",
+  "low",
+  "informational"
+];
+var VALID_MODES = ["staging", "live", "alerting", "paused"];
+var VALID_DETECTION_MODES = ["real-time", "scheduled"];
+var VALID_CASE_VISIBILITIES = ["public", "group", "private"];
+var VALID_ALERT_MODES = ["grouped", "per_event"];
+var VALID_AUTO_TUNING_MODES = ["off", "proposals", "auto_approve"];
+var CRON_FIELD = "(\\*|\\*\\/\\d+|\\d+|\\d+-\\d+|[\\d,\\-\\/\\*]+)";
+var CRON_5_FIELD = new RegExp(
+  `^${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}$`
+);
+var CRON_6_FIELD = new RegExp(
+  `^${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}\\s+${CRON_FIELD}$`
+);
+var LOOKBACK_REGEX = /^(\d+)(s|m|h|d)$/;
+var MITRE_TACTIC_REGEX = /^TA\d{4}$/;
+var MITRE_TECHNIQUE_REGEX = /^T\d{4}(\.\d{3})?$/;
+function validateDetection(detection) {
+  const errors = [];
+  const warnings = [];
+  const { metadata, query } = detection;
+  validateRequired(metadata, errors);
+  validateEnums(metadata, errors, warnings);
+  validateSchedule(metadata, errors, warnings);
+  validateLookback(metadata, errors);
+  validateMitre(metadata, warnings);
+  validateAiTriageHints(metadata, warnings);
+  validateFolder(metadata, errors);
+  validateCaseVisibility(metadata, errors);
+  validateAutoTuning(metadata, errors);
+  validateRequires(metadata, warnings);
+  validateQuery(query, errors, warnings);
+  return {
+    valid: errors.length === 0,
+    errors,
+    warnings
+  };
+}
+function validateRequired(metadata, errors) {
+  if (!metadata.title || metadata.title.trim() === "") {
+    errors.push({
+      field: "title",
+      message: "Title is required",
+      code: "REQUIRED_FIELD"
+    });
+  }
+  if (!metadata.severity) {
+    errors.push({
+      field: "severity",
+      message: "Severity is required",
+      code: "REQUIRED_FIELD"
+    });
+  }
+  if (!metadata.mode) {
+    errors.push({
+      field: "mode",
+      message: "Mode is required",
+      code: "REQUIRED_FIELD"
+    });
+  }
+  if (!metadata.detection_mode) {
+    errors.push({
+      field: "detection_mode",
+      message: "Detection mode is required",
+      code: "REQUIRED_FIELD"
+    });
+  }
+}
+function validateEnums(metadata, errors, warnings) {
+  if (metadata.severity && !VALID_SEVERITIES.includes(metadata.severity)) {
+    errors.push({
+      field: "severity",
+      message: `Invalid severity: "${metadata.severity}". Must be one of: ${VALID_SEVERITIES.join(", ")}`,
+      code: "INVALID_ENUM"
+    });
+  }
+  if (metadata.mode && !VALID_MODES.includes(metadata.mode)) {
+    errors.push({
+      field: "mode",
+      message: `Invalid mode: "${metadata.mode}". Must be one of: ${VALID_MODES.join(", ")}`,
+      code: "INVALID_ENUM"
+    });
+  }
+  if (metadata.detection_mode && !VALID_DETECTION_MODES.includes(
+    metadata.detection_mode
+  )) {
+    errors.push({
+      field: "detection_mode",
+      message: `Invalid detection_mode: "${metadata.detection_mode}". Must be one of: ${VALID_DETECTION_MODES.join(", ")}`,
+      code: "INVALID_ENUM"
+    });
+  }
+  if (metadata.alert_mode && !VALID_ALERT_MODES.includes(
+    metadata.alert_mode
+  )) {
+    errors.push({
+      field: "alert_mode",
+      message: `Invalid alert_mode: "${metadata.alert_mode}". Must be one of: ${VALID_ALERT_MODES.join(", ")}`,
+      code: "INVALID_ENUM"
+    });
+  }
+  if (metadata.alert_mode === "per_event" && metadata.detection_mode === "real-time") {
+    warnings.push({
+      field: "alert_mode",
+      message: "per_event alert_mode with real-time detection_mode is redundant \u2014 real-time rules already process events individually",
+      code: "REDUNDANT_CONFIG"
+    });
+  }
+}
+function validateSchedule(metadata, errors, warnings) {
+  if (metadata.detection_mode === "scheduled") {
+    if (!metadata.schedule) {
+      warnings.push({
+        field: "schedule",
+        message: "No schedule specified for scheduled detection. Will use default (every minute)",
+        code: "MISSING_OPTIONAL"
+      });
+    } else {
+      const isCron5 = CRON_5_FIELD.test(metadata.schedule);
+      const isCron6 = CRON_6_FIELD.test(metadata.schedule);
+      if (!isCron5 && !isCron6) {
+        errors.push({
+          field: "schedule",
+          message: `Invalid cron expression: "${metadata.schedule}". Expected 5 or 6 field cron format`,
+          code: "INVALID_CRON"
+        });
+      }
+    }
+  }
+}
+function validateLookback(metadata, errors) {
+  if (metadata.lookback && !LOOKBACK_REGEX.test(metadata.lookback)) {
+    errors.push({
+      field: "lookback",
+      message: `Invalid lookback format: "${metadata.lookback}". Expected format like "15m", "1h", "24h", "7d"`,
+      code: "INVALID_FORMAT"
+    });
+  }
+}
+function validateMitre(metadata, warnings) {
+  const tactics = Array.isArray(metadata.mitre_tactics) ? metadata.mitre_tactics : metadata.mitre_tactics ? [metadata.mitre_tactics] : [];
+  const techniques = Array.isArray(metadata.mitre_techniques) ? metadata.mitre_techniques : metadata.mitre_techniques ? [metadata.mitre_techniques] : [];
+  if (tactics.length === 0 && techniques.length === 0) {
+    warnings.push({
+      field: "mitre",
+      message: "No MITRE ATT&CK mappings specified",
+      code: "MISSING_MITRE"
+    });
+  }
+  for (const tactic of tactics) {
+    if (!MITRE_TACTIC_REGEX.test(tactic)) {
+      warnings.push({
+        field: "mitre_tactics",
+        message: `Non-standard tactic format: "${tactic}" (expected TAxxxx)`,
+        code: "INVALID_MITRE_FORMAT"
+      });
+    }
+  }
+  for (const technique of techniques) {
+    if (!MITRE_TECHNIQUE_REGEX.test(technique)) {
+      warnings.push({
+        field: "mitre_techniques",
+        message: `Non-standard technique format: "${technique}" (expected Txxxx or Txxxx.xxx)`,
+        code: "INVALID_MITRE_FORMAT"
+      });
+    }
+  }
+}
+function validateAiTriageHints(metadata, warnings) {
+  const hints = metadata.ai_triage_hints;
+  if (!hints) return;
+  if (hints.ignore_when && hints.ignore_when.length === 0) {
+    warnings.push({
+      field: "ai_triage_hints.ignore_when",
+      message: "ignore_when array is empty. Consider adding benign conditions or removing the field",
+      code: "EMPTY_ARRAY"
+    });
+  }
+  if (hints.suspicious_when && hints.suspicious_when.length === 0) {
+    warnings.push({
+      field: "ai_triage_hints.suspicious_when",
+      message: "suspicious_when array is empty. Consider adding suspicious conditions or removing the field",
+      code: "EMPTY_ARRAY"
+    });
+  }
+  const allHints = [...hints.ignore_when || [], ...hints.suspicious_when || []];
+  for (const hint of allHints) {
+    if (hint.length > 200) {
+      warnings.push({
+        field: "ai_triage_hints",
+        message: `Hint is very long (${hint.length} chars). Consider being more concise`,
+        code: "HINT_TOO_LONG"
+      });
+      break;
+    }
+  }
+}
+var FOLDER_REGEX = /^[a-z0-9][a-z0-9_-]{0,49}$/;
+function validateFolder(metadata, errors) {
+  if (metadata.folder === void 0) return;
+  if (!FOLDER_REGEX.test(metadata.folder)) {
+    errors.push({
+      field: "folder",
+      message: `Invalid folder: "${metadata.folder}". Must be lowercase alphanumeric with hyphens/underscores, max 50 chars`,
+      code: "INVALID_FORMAT"
+    });
+  }
+}
+function validateCaseVisibility(metadata, errors) {
+  if (metadata.case_visibility) {
+    if (!VALID_CASE_VISIBILITIES.includes(
+      metadata.case_visibility
+    )) {
+      errors.push({
+        field: "case_visibility",
+        message: `Invalid case_visibility: "${metadata.case_visibility}". Must be one of: ${VALID_CASE_VISIBILITIES.join(", ")}`,
+        code: "INVALID_ENUM"
+      });
+    }
+    if (metadata.case_visibility === "group") {
+      if (!metadata.case_groups || metadata.case_groups.length === 0) {
+        errors.push({
+          field: "case_groups",
+          message: 'case_groups is required when case_visibility is "group"',
+          code: "REQUIRED_FIELD"
+        });
+      }
+    }
+  }
+  if (metadata.case_groups) {
+    const SLUG_REGEX = /^[a-z0-9-]+$/;
+    const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    for (const group of metadata.case_groups) {
+      if (!SLUG_REGEX.test(group) && !UUID_REGEX.test(group)) {
+        errors.push({
+          field: "case_groups",
+          message: `Invalid group identifier: "${group}". Must be lowercase slug or UUID`,
+          code: "INVALID_FORMAT"
+        });
+      }
+    }
+  }
+}
+function validateAutoTuning(metadata, errors) {
+  const autoTuning = metadata.auto_tuning;
+  if (!autoTuning) return;
+  if (autoTuning.mode && !VALID_AUTO_TUNING_MODES.includes(
+    autoTuning.mode
+  )) {
+    errors.push({
+      field: "auto_tuning.mode",
+      message: `Invalid auto_tuning mode: "${autoTuning.mode}". Must be one of: ${VALID_AUTO_TUNING_MODES.join(", ")}`,
+      code: "INVALID_ENUM"
+    });
+  }
+  if (autoTuning.min_confidence !== void 0) {
+    if (typeof autoTuning.min_confidence !== "number" || autoTuning.min_confidence < 0 || autoTuning.min_confidence > 1) {
+      errors.push({
+        field: "auto_tuning.min_confidence",
+        message: `min_confidence must be a number between 0.0 and 1.0. Got: ${autoTuning.min_confidence}`,
+        code: "OUT_OF_RANGE"
+      });
+    }
+  }
+  if (autoTuning.enabled !== void 0 && typeof autoTuning.enabled !== "boolean") {
+    errors.push({
+      field: "auto_tuning.enabled",
+      message: "auto_tuning.enabled must be a boolean",
+      code: "INVALID_TYPE"
+    });
+  }
+  if (autoTuning.critical !== void 0 && typeof autoTuning.critical !== "boolean") {
+    errors.push({
+      field: "auto_tuning.critical",
+      message: "auto_tuning.critical must be a boolean",
+      code: "INVALID_TYPE"
+    });
+  }
+}
+function validateRequires(metadata, warnings) {
+  const requires = metadata.requires;
+  if (!requires) return;
+  if (!requires.fields || requires.fields.length === 0) {
+    warnings.push({
+      field: "requires.fields",
+      message: "requires.fields is empty. Consider specifying required UDM fields",
+      code: "EMPTY_ARRAY"
+    });
+  }
+  const FIELD_REGEX = /^[a-z][a-z0-9_]*$/;
+  if (requires.fields) {
+    for (const field of requires.fields) {
+      if (!FIELD_REGEX.test(field)) {
+        warnings.push({
+          field: "requires.fields",
+          message: `Potentially invalid UDM field name: "${field}". Expected lowercase with underscores`,
+          code: "INVALID_FORMAT"
+        });
+      }
+    }
+  }
+  if (requires.source_types) {
+    for (const sourceType of requires.source_types) {
+      if (!FIELD_REGEX.test(sourceType.toLowerCase())) {
+        warnings.push({
+          field: "requires.source_types",
+          message: `Potentially invalid source_type: "${sourceType}"`,
+          code: "INVALID_FORMAT"
+        });
+      }
+    }
+  }
+}
+function validateQuery(query, errors, warnings) {
+  if (!query || query.trim() === "") {
+    errors.push({
+      field: "query",
+      message: "Query body is required",
+      code: "REQUIRED_FIELD"
+    });
+    return;
+  }
+  const trimmed = query.trim();
+  if (!trimmed.startsWith("source_type=") && !trimmed.startsWith("*")) {
+    warnings.push({
+      field: "query",
+      message: "Query should typically start with source_type= filter or *",
+      code: "QUERY_NO_SOURCE"
+    });
+  }
+  const singleQuotes = (trimmed.match(/'/g) || []).length;
+  const doubleQuotes = (trimmed.match(/"/g) || []).length;
+  if (singleQuotes % 2 !== 0) {
+    errors.push({
+      field: "query",
+      message: "Unclosed single quote in query",
+      code: "UNCLOSED_QUOTE"
+    });
+  }
+  if (doubleQuotes % 2 !== 0) {
+    errors.push({
+      field: "query",
+      message: "Unclosed double quote in query",
+      code: "UNCLOSED_QUOTE"
+    });
+  }
+}
+function parseLookbackToMinutes(lookback) {
+  const match = lookback.match(LOOKBACK_REGEX);
+  if (!match) return void 0;
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+  switch (unit) {
+    case "s":
+      return Math.ceil(value / 60);
+    case "m":
+      return value;
+    case "h":
+      return value * 60;
+    case "d":
+      return value * 60 * 24;
+    default:
+      return void 0;
+  }
+}
+
+// src/client/index.ts
+var NanosiemClient = class {
+  apiUrl;
+  searchUrl;
+  apiKey;
+  timeout;
+  constructor(config) {
+    this.apiUrl = config.apiUrl.replace(/\/$/, "");
+    this.searchUrl = config.searchUrl?.replace(/\/$/, "") || this.apiUrl;
+    this.apiKey = config.apiKey;
+    this.timeout = config.timeout ?? 3e4;
+  }
+  /**
+   * Make an API request
+   */
+  async request(method, path, body, useSearchUrl = false) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    const baseUrl = useSearchUrl ? this.searchUrl : this.apiUrl;
+    try {
+      const response = await fetch(`${baseUrl}${path}`, {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": this.apiKey
+        },
+        body: body ? JSON.stringify(body) : void 0,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        return {
+          success: false,
+          error: {
+            code: `HTTP_${response.status}`,
+            message: errorBody.error?.message || errorBody.message || response.statusText,
+            details: errorBody
+          }
+        };
+      }
+      const data = await response.json();
+      return { success: true, data };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          success: false,
+          error: {
+            code: "TIMEOUT",
+            message: `Request timed out after ${this.timeout}ms`
+          }
+        };
+      }
+      return {
+        success: false,
+        error: {
+          code: "NETWORK_ERROR",
+          message: error instanceof Error ? error.message : "Unknown error"
+        }
+      };
+    }
+  }
+  // ==================== Detection Endpoints ====================
+  /**
+   * List all detection rules
+   */
+  async listDetections() {
+    return this.request("GET", "/api/rules");
+  }
+  /**
+   * Get a single detection rule by ID
+   */
+  async getDetection(id) {
+    return this.request("GET", `/api/rules/${id}`);
+  }
+  /**
+   * Create a new detection rule
+   */
+  async createDetection(payload) {
+    return this.request("POST", "/api/rules", payload);
+  }
+  /**
+   * Update an existing detection rule
+   */
+  async updateDetection(id, payload) {
+    return this.request(
+      "PUT",
+      `/api/rules/${id}`,
+      payload
+    );
+  }
+  /**
+   * Delete a detection rule
+   */
+  async deleteDetection(id) {
+    return this.request(
+      "DELETE",
+      `/api/rules/${id}`
+    );
+  }
+  /**
+   * Pause a detection rule (set mode to paused)
+   */
+  async pauseDetection(id) {
+    return this.request("POST", `/api/rules/${id}/pause`);
+  }
+  /**
+   * Resume a paused detection rule (set mode back to alerting)
+   */
+  async resumeDetection(id) {
+    return this.request("POST", `/api/rules/${id}/resume`);
+  }
+  /**
+   * Test a detection rule against historical data
+   */
+  async testDetection(id, days) {
+    return this.request(
+      "POST",
+      `/api/rules/${id}/test`,
+      { days: days ?? 7 }
+    );
+  }
+  /**
+   * Test a query without creating a detection
+   */
+  async testQuery(query, days) {
+    return this.request(
+      "POST",
+      "/api/rules/test",
+      { query, days: days ?? 7 }
+    );
+  }
+  // ==================== Search Endpoints ====================
+  /**
+   * Execute a search query
+   */
+  async search(query, timeRange, options) {
+    return this.request(
+      "POST",
+      "/api/search",
+      {
+        query,
+        time_range: timeRange,
+        limit: options?.limit,
+        include_sql: options?.includeSQL
+      },
+      true
+      // Use search URL
+    );
+  }
+  // ==================== Health Check ====================
+  /**
+   * Check API health
+   */
+  async healthCheck() {
+    return this.request("GET", "/health");
+  }
+  // ==================== Rule Lifecycle ====================
+  /**
+   * Promote a rule (staging -> live -> alerting)
+   */
+  async promoteDetection(id) {
+    return this.request("POST", `/api/rules/${id}/promote`);
+  }
+  /**
+   * Demote a rule (alerting -> live)
+   */
+  async demoteDetection(id) {
+    return this.request("POST", `/api/rules/${id}/demote`);
+  }
+  /**
+   * Manually trigger a rule to execute now
+   */
+  async triggerDetection(id) {
+    return this.request(
+      "POST",
+      `/api/rules/${id}/trigger`
+    );
+  }
+  // ==================== Query Tools ====================
+  /**
+   * Validate a query using server-side validation
+   */
+  async validateQuery(query, detectionMode) {
+    return this.request("POST", "/api/rules/validate", {
+      query,
+      detection_mode: detectionMode
+    });
+  }
+  /**
+   * Format a query with pretty-printing
+   */
+  async formatQuery(query) {
+    return this.request("POST", "/api/rules/format", {
+      query
+    });
+  }
+  // ==================== Matches & Stats ====================
+  /**
+   * Get detection matches for a rule
+   */
+  async getMatches(id, params) {
+    const query = new URLSearchParams();
+    if (params?.limit) query.set("limit", String(params.limit));
+    if (params?.offset) query.set("offset", String(params.offset));
+    if (params?.start_time) query.set("start_time", params.start_time);
+    if (params?.end_time) query.set("end_time", params.end_time);
+    const qs = query.toString();
+    return this.request(
+      "GET",
+      `/api/rules/${id}/matches${qs ? `?${qs}` : ""}`
+    );
+  }
+  /**
+   * Get detection stats (match counts by day)
+   */
+  async getStats(days) {
+    const qs = days ? `?days=${days}` : "";
+    return this.request("GET", `/api/rules/stats${qs}`);
+  }
+  // ==================== Bulk Operations ====================
+  /**
+   * Bulk update rule modes
+   */
+  async bulkUpdate(ruleIds, mode) {
+    return this.request("POST", "/api/rules/bulk-update", {
+      rule_ids: ruleIds,
+      mode
+    });
+  }
+  /**
+   * Import rules in bulk
+   */
+  async importRules(rules) {
+    return this.request("POST", "/api/rules/import", {
+      rules
+    });
+  }
+  /**
+   * Export all rules
+   */
+  async exportRules() {
+    return this.request("GET", "/api/rules/export");
+  }
+};
+function detectionToApiPayload(detection) {
+  const { metadata, query } = detection;
+  let lookbackMinutes;
+  if (metadata.lookback) {
+    lookbackMinutes = parseLookbackToMinutes(metadata.lookback);
+  }
+  const mitreTactics = Array.isArray(metadata.mitre_tactics) ? metadata.mitre_tactics : metadata.mitre_tactics ? [metadata.mitre_tactics] : [];
+  const mitreTechniques = Array.isArray(metadata.mitre_techniques) ? metadata.mitre_techniques : metadata.mitre_techniques ? [metadata.mitre_techniques] : [];
+  return {
+    name: metadata.title,
+    description: metadata.description,
+    query,
+    severity: metadata.severity,
+    mode: metadata.mode,
+    detection_mode: metadata.detection_mode,
+    schedule_cron: metadata.schedule,
+    lookback_minutes: lookbackMinutes,
+    mitre_tactics: mitreTactics,
+    mitre_techniques: mitreTechniques,
+    tags: metadata.tags ?? [],
+    reference_url: metadata.reference_url,
+    author: metadata.author,
+    realtime_enabled: metadata.realtime_enabled,
+    ai_triage_hints: metadata.ai_triage_hints,
+    alert_mode: metadata.alert_mode,
+    folder: metadata.folder,
+    case_visibility: metadata.case_visibility,
+    case_group_ids: metadata.case_groups,
+    // Flatten auto_tuning for API (server expects flat fields)
+    auto_tuning_enabled: metadata.auto_tuning?.enabled,
+    auto_tuning_min_confidence: metadata.auto_tuning?.min_confidence,
+    auto_tuning_critical: metadata.auto_tuning?.critical,
+    // Playbook auto-attach at firing time. Server enforces that
+    // playbook_id is set iff selector_mode is 'specific'. Accepts either
+    // the two-field form (`playbook_selector_mode` + `playbook_id`) or the
+    // NAN-453 shorthand (`playbook:`). Shorthand wins when both are set.
+    ...decodePlaybook(metadata)
+  };
+}
+function decodePlaybook(metadata) {
+  const shorthand = metadata.playbook?.trim();
+  if (shorthand !== void 0) {
+    if (shorthand === "" || shorthand === "none") {
+      return { playbook_selector_mode: "none", playbook_id: null };
+    }
+    if (shorthand === "adaptive") {
+      return { playbook_selector_mode: "adaptive", playbook_id: null };
+    }
+    if (/^pb_[0-9a-z]+$/i.test(shorthand)) {
+      return { playbook_selector_mode: "specific", playbook_id: shorthand };
+    }
+  }
+  return {
+    playbook_selector_mode: metadata.playbook_selector_mode,
+    playbook_id: metadata.playbook_selector_mode === "specific" ? metadata.playbook_id ?? null : null
+  };
+}
+function detectionRuleToDetection(rule, filePath) {
+  let lookback;
+  if (rule.lookback_minutes) {
+    if (rule.lookback_minutes >= 1440 && rule.lookback_minutes % 1440 === 0) {
+      lookback = `${rule.lookback_minutes / 1440}d`;
+    } else if (rule.lookback_minutes >= 60 && rule.lookback_minutes % 60 === 0) {
+      lookback = `${rule.lookback_minutes / 60}h`;
+    } else {
+      lookback = `${rule.lookback_minutes}m`;
+    }
+  }
+  const metadata = {
+    title: rule.name,
+    description: rule.description,
+    author: rule.author,
+    severity: rule.severity,
+    mode: rule.mode,
+    detection_mode: rule.detection_mode,
+    schedule: rule.schedule_cron,
+    lookback,
+    mitre_tactics: rule.mitre_tactics,
+    mitre_techniques: rule.mitre_techniques,
+    tags: rule.tags,
+    reference_url: rule.reference_url,
+    realtime_enabled: rule.realtime_enabled,
+    ai_triage_hints: rule.ai_triage_hints,
+    alert_mode: rule.alert_mode,
+    folder: rule.folder,
+    case_visibility: rule.case_visibility,
+    case_groups: rule.case_group_ids,
+    // Reconstruct nested auto_tuning from flat API fields
+    auto_tuning: rule.auto_tuning_enabled !== void 0 || rule.auto_tuning_min_confidence !== void 0 || rule.auto_tuning_critical !== void 0 ? {
+      enabled: rule.auto_tuning_enabled,
+      min_confidence: rule.auto_tuning_min_confidence,
+      critical: rule.auto_tuning_critical
+    } : void 0
+  };
+  return {
+    filePath,
+    metadata,
+    query: rule.query,
+    raw: ""
+    // Not available from API
+  };
+}
+
+// src/grouping/index.ts
+var ENTITY_FIELDS_PRIORITY = [
+  "src_ip",
+  "dest_ip",
+  "user",
+  "src_user",
+  "dest_user",
+  "src_host",
+  "dest_host",
+  "host",
+  "hostname",
+  "process_name",
+  "file_hash",
+  "process_hash"
+];
+function getDominantEntity(events) {
+  for (const field of ENTITY_FIELDS_PRIORITY) {
+    const counts = /* @__PURE__ */ new Map();
+    for (const event of events) {
+      const val = event[field];
+      if (val !== void 0 && val !== null && val !== "") {
+        const key = String(val);
+        counts.set(key, (counts.get(key) || 0) + 1);
+      }
+    }
+    if (counts.size > 0) {
+      let maxVal = "";
+      let maxCount = 0;
+      for (const [val, count] of counts) {
+        if (count > maxCount) {
+          maxVal = val;
+          maxCount = count;
+        }
+      }
+      return {
+        field,
+        value: maxVal,
+        others_count: counts.size - 1
+      };
+    }
+  }
+  return null;
+}
+function bucketEventsByLookback(events, lookbackMinutes) {
+  if (events.length === 0 || lookbackMinutes <= 0) return [];
+  const windowMs = lookbackMinutes * 60 * 1e3;
+  const bucketMap = /* @__PURE__ */ new Map();
+  for (const event of events) {
+    const ts = event.timestamp || event.ingest_time || event._nano_detected_at;
+    if (!ts) continue;
+    const epochMs = new Date(String(ts)).getTime();
+    if (isNaN(epochMs)) continue;
+    const windowStart = Math.floor(epochMs / windowMs) * windowMs;
+    if (!bucketMap.has(windowStart)) bucketMap.set(windowStart, []);
+    bucketMap.get(windowStart).push(event);
+  }
+  const sorted = [...bucketMap.entries()].sort((a, b) => b[0] - a[0]);
+  return sorted.map(([windowStartMs, bucketEvents]) => ({
+    window_start: new Date(windowStartMs).toISOString(),
+    window_end: new Date(windowStartMs + windowMs).toISOString(),
+    event_count: bucketEvents.length,
+    dominant_entity: getDominantEntity(bucketEvents),
+    sample_events: bucketEvents.slice(0, 3)
+  }));
+}
+export {
+  ENTITY_FIELDS_PRIORITY,
+  NanosiemClient,
+  bucketEventsByLookback,
+  detectionRuleToDetection,
+  detectionToApiPayload,
+  getDominantEntity,
+  parseDetectionFile,
+  parseLookbackToMinutes,
+  parseMultipleFiles,
+  serializeDetection,
+  validateDetection
+};
+//# sourceMappingURL=index.js.map