@neurosec/sentry 1.0.20 → 1.1.1

package/dist/enforcement/network-monitor.test.js

@@ -0,0 +1,52 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const dns_1 = __importDefault(require("dns"));
+const { mockExecFileSync } = vitest_1.vi.hoisted(() => ({
+    mockExecFileSync: vitest_1.vi.fn(),
+}));
+vitest_1.vi.mock('child_process', () => ({
+    execFileSync: mockExecFileSync,
+}));
+const network_monitor_1 = require("./network-monitor");
+(0, vitest_1.describe)('scanLLMConnections', () => {
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+    });
+    (0, vitest_1.it)('detects local LLM listeners on Windows via netstat', async () => {
+        const platformSpy = vitest_1.vi.spyOn(process, 'platform', 'get').mockReturnValue('win32');
+        const reverseSpy = vitest_1.vi.spyOn(dns_1.default, 'reverse').mockImplementation((_ip, cb) => cb(new Error('no reverse dns'), []));
+        mockExecFileSync.mockReturnValue([
+            'Active Connections',
+            '',
+            '  Proto  Local Address          Foreign Address        State           PID',
+            '  TCP    127.0.0.1:11434        0.0.0.0:0              LISTENING       4242',
+            '  TCP    127.0.0.1:55000        127.0.0.1:11434        ESTABLISHED     4242',
+        ].join('\r\n'));
+        const taggedProcesses = [{
+                pid: 4242,
+                ppid: 1,
+                frameworkId: 'ollama',
+                frameworkName: 'Ollama',
+                command: 'ollama serve',
+                exePath: 'C:\\ollama.exe',
+                confidence: 1,
+                envKeys: [],
+                discoveredAt: Date.now(),
+                sandboxed: false,
+                sandboxProfileName: null,
+                uid: 0,
+                gid: 0,
+            }];
+        const connections = await (0, network_monitor_1.scanLLMConnections)(taggedProcesses);
+        (0, vitest_1.expect)(connections).toHaveLength(2);
+        (0, vitest_1.expect)(connections.some(connection => connection.type === 'listening' && connection.providerId === 'ollama-local')).toBe(true);
+        (0, vitest_1.expect)(connections.some(connection => connection.type === 'established' && connection.hostname === 'localhost')).toBe(true);
+        reverseSpy.mockRestore();
+        platformSpy.mockRestore();
+    });
+});
+//# sourceMappingURL=network-monitor.test.js.map

package/dist/enforcement/network-monitor.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-monitor.test.js","sourceRoot":"","sources":["../../src/enforcement/network-monitor.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8D;AAC9D,8CAAsB;AAEtB,MAAM,EAAE,gBAAgB,EAAE,GAAG,WAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7C,gBAAgB,EAAE,WAAE,CAAC,EAAE,EAAE;CAC1B,CAAC,CAAC,CAAC;AAEJ,WAAE,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,CAAC;IAC9B,YAAY,EAAE,gBAAgB;CAC/B,CAAC,CAAC,CAAC;AAEJ,uDAAuD;AAGvD,IAAA,iBAAQ,EAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,WAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,WAAW,GAAG,WAAE,CAAC,KAAK,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAClF,MAAM,UAAU,GAAG,WAAE,CAAC,KAAK,CAAC,aAAG,EAAE,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QAEjH,gBAAgB,CAAC,eAAe,CAAC;YAC/B,oBAAoB;YACpB,EAAE;YACF,4EAA4E;YAC5E,6EAA6E;YAC7E,6EAA6E;SAC9E,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAEhB,MAAM,eAAe,GAAoB,CAAC;gBACxC,GAAG,EAAE,IAAI;gBACT,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,QAAQ;gBACrB,aAAa,EAAE,QAAQ;gBACvB,OAAO,EAAE,cAAc;gBACvB,OAAO,EAAE,gBAAgB;gBACzB,UAAU,EAAE,CAAC;gBACb,OAAO,EAAE,EAAE;gBACX,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;gBACxB,SAAS,EAAE,KAAK;gBAChB,kBAAkB,EAAE,IAAI;gBACxB,GAAG,EAAE,CAAC;gBACN,GAAG,EAAE,CAAC;aACP,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,MAAM,IAAA,oCAAkB,EAAC,eAAe,CAAC,CAAC;QAE9D,IAAA,eAAM,EAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACpC,IAAA,eAAM,EAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,KAAK,WAAW,IAAI,UAAU,CAAC,UAAU,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/H,IAAA,eAAM,EAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,KAAK,aAAa,IAAI,UAAU,CAAC,QAAQ,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE5H,UAAU,CAAC,WAAW,EAAE,CAAC;QACzB,WAAW,CAAC,WAAW,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/enforcement/policy-executor.d.ts

@@ -16,17 +16,40 @@ interface PolicyResult {
     applied: boolean;
     detail: string;
 }
+/**
+ * Executes cloud-supplied policies on the local host.
+ *
+ * SECURITY INVARIANTS:
+ *   - Every `target` from a policy is validated via {@link validateTarget}
+ *     before reaching any subprocess. Invalid targets are dropped, not
+ *     "best-effort" passed through.
+ *   - All subprocess invocations use {@link execFileSync} with separate args —
+ *     no shell metacharacter interpolation, ever.
+ *   - PID validation rejects values outside the kernel's PID range (1..4194304).
+ *   - Iptables / nft binaries are resolved once at construction; we never
+ *     accept a `bin` path from the cloud.
+ */
 export declare class PolicyExecutor {
     private config;
     private appliedRules;
     private lastPolicies;
+    private iptablesBin;
+    private nftBin;
     constructor(config: SentryConfig);
+    private resolveBin;
     apply(policies: SentryPolicy[], taggedProcesses: TaggedProcess[]): Promise<PolicyResult[]>;
     private applyKillProcess;
     private applyBlockProvider;
     private applyBlockDomain;
-    private addIptablesRule;
+    /**
+     * Add an OUTPUT DROP rule. Each piece of `target` was pre-validated; we still
+     * call execFileSync with separate args so even a future regression in the
+     * validator cannot escape to a shell.
+     */
+    private addNetworkBlockRule;
     private removeRule;
+    private removeIptablesRule;
+    private removeNftRules;
 }
 export {};
 //# sourceMappingURL=policy-executor.d.ts.map

package/dist/enforcement/policy-executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"policy-executor.d.ts","sourceRoot":"","sources":["../../src/enforcement/policy-executor.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAA2B,MAAM,UAAU,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAGzC,UAAU,YAAY;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,cAAc,GAAG,gBAAgB,GAAG,cAAc,CAAC;IACzD,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,YAAY;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,cAAc,GAAG,gBAAgB,GAAG,cAAc,CAAC;IAC3D,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,cAAc;IAIb,OAAO,CAAC,MAAM;IAH1B,OAAO,CAAC,YAAY,CAAqB;IACzC,OAAO,CAAC,YAAY,CAAsB;gBAEtB,MAAM,EAAE,YAAY;IAGlC,KAAK,CACT,QAAQ,EAAE,YAAY,EAAE,EACxB,eAAe,EAAE,aAAa,EAAE,GAC/B,OAAO,CAAC,YAAY,EAAE,CAAC;YAyCZ,gBAAgB;IA8D9B,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,gBAAgB;IAYxB,OAAO,CAAC,eAAe;IASvB,OAAO,CAAC,UAAU;CAInB"}
+{"version":3,"file":"policy-executor.d.ts","sourceRoot":"","sources":["../../src/enforcement/policy-executor.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAA2B,MAAM,UAAU,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAIzC,UAAU,YAAY;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,EAAE,cAAc,GAAG,gBAAgB,GAAG,cAAc,CAAC;IACzD,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,YAAY;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,cAAc,GAAG,gBAAgB,GAAG,cAAc,CAAC;IAC3D,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAOD;;;;;;;;;;;;GAYG;AACH,qBAAa,cAAc;IAMb,OAAO,CAAC,MAAM;IAL1B,OAAO,CAAC,YAAY,CAA2C;IAC/D,OAAO,CAAC,YAAY,CAAsB;IAC1C,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,MAAM,CAAgB;gBAEV,MAAM,EAAE,YAAY;IAKxC,OAAO,CAAC,UAAU;IAcZ,KAAK,CACT,QAAQ,EAAE,YAAY,EAAE,EACxB,eAAe,EAAE,aAAa,EAAE,GAC/B,OAAO,CAAC,YAAY,EAAE,CAAC;IAiF1B,OAAO,CAAC,gBAAgB;IAoDxB,OAAO,CAAC,kBAAkB;IAqC1B,OAAO,CAAC,gBAAgB;IAaxB;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IA8B3B,OAAO,CAAC,UAAU;IAqBlB,OAAO,CAAC,kBAAkB;IAqB1B,OAAO,CAAC,cAAc;CAiCvB"}

package/dist/enforcement/policy-executor.js

@@ -4,36 +4,101 @@ exports.PolicyExecutor = void 0;
 const child_process_1 = require("child_process");
 const types_1 = require("../types");
 const logger_1 = require("../logger");
+const target_validator_1 = require("./target-validator");
+/**
+ * Executes cloud-supplied policies on the local host.
+ *
+ * SECURITY INVARIANTS:
+ *   - Every `target` from a policy is validated via {@link validateTarget}
+ *     before reaching any subprocess. Invalid targets are dropped, not
+ *     "best-effort" passed through.
+ *   - All subprocess invocations use {@link execFileSync} with separate args —
+ *     no shell metacharacter interpolation, ever.
+ *   - PID validation rejects values outside the kernel's PID range (1..4194304).
+ *   - Iptables / nft binaries are resolved once at construction; we never
+ *     accept a `bin` path from the cloud.
+ */
 class PolicyExecutor {
     constructor(config) {
         this.config = config;
-        this.appliedRules = new Set();
+        this.appliedRules = new Map();
         this.lastPolicies = [];
+        this.iptablesBin = this.resolveBin('iptables');
+        this.nftBin = this.resolveBin('nft');
+    }
+    resolveBin(name) {
+        // Prefer absolute paths to avoid PATH-injection via a shell PATH manipulation.
+        for (const dir of ['/usr/sbin', '/sbin', '/usr/local/sbin', '/usr/bin', '/bin']) {
+            const candidate = `${dir}/${name}`;
+            try {
+                (0, child_process_1.execFileSync)(candidate, ['--version'], { timeout: 2000, stdio: 'ignore' });
+                return candidate;
+            }
+            catch {
+                continue;
+            }
+        }
+        return null;
     }
-    // Apply policies to the current host — returns list of actions taken
     async apply(policies, taggedProcesses) {
         const results = [];
         const hostId = this.config.sentry.hostId;
-        // Only process enabled policies for this host (or global)
+        const previousPolicies = new Map(this.lastPolicies.map(policy => [policy.id, policy]));
         const active = policies.filter(p => p.enabled && (!p.hostId || p.hostId === hostId));
         for (const policy of active) {
+            const previous = previousPolicies.get(policy.id);
+            const unchanged = previous
+                && previous.type === policy.type
+                && previous.target === policy.target
+                && previous.action === policy.action
+                && previous.enabled === policy.enabled
+                && previous.hostId === policy.hostId;
+            if (policy.type !== 'kill_process' && unchanged && this.appliedRules.has(policy.id)) {
+                results.push({
+                    policyId: policy.id,
+                    action: policy.type,
+                    target: policy.target,
+                    applied: true,
+                    detail: 'Rule already active',
+                });
+                continue;
+            }
+            if (policy.type !== 'kill_process' && this.appliedRules.has(policy.id)) {
+                this.removeRule(policy.id);
+            }
+            const validated = (0, target_validator_1.validateTarget)(policy.target);
+            if (validated.kind === 'invalid') {
+                logger_1.logger.warn('Rejected policy with invalid target (possible injection attempt)', {
+                    policyId: policy.id,
+                    policyType: policy.type,
+                    // Truncate to avoid log injection via huge target strings
+                    target: String(policy.target).slice(0, 64),
+                });
+                results.push({
+                    policyId: policy.id,
+                    action: policy.type,
+                    target: '',
+                    applied: false,
+                    detail: 'Rejected: invalid target',
+                });
+                continue;
+            }
             switch (policy.type) {
                 case 'kill_process':
-                    results.push(await this.applyKillProcess(policy, taggedProcesses));
+                    results.push(this.applyKillProcess(policy, validated, taggedProcesses));
                     break;
                 case 'block_provider':
-                    results.push(this.applyBlockProvider(policy));
+                    results.push(this.applyBlockProvider(policy, validated));
                     break;
                 case 'block_domain':
-                    results.push(this.applyBlockDomain(policy));
+                    results.push(this.applyBlockDomain(policy, validated));
                     break;
             }
         }
         // Remove rules for policies that no longer exist
-        for (const ruleId of this.appliedRules) {
+        for (const ruleId of Array.from(this.appliedRules.keys())) {
             if (!active.some(p => p.id === ruleId)) {
                 this.removeRule(ruleId);
-                this.appliedRules.delete(ruleId);
             }
         }
         this.lastPolicies = active;
@@ -43,80 +108,73 @@ class PolicyExecutor {
         }
         return results;
     }
-    async applyKillProcess(policy, processes) {
-        const target = policy.target.toLowerCase();
-        // Support PID-specific kill: target is "pid:12345"
-        const pidMatch = target.match(/^pid:(\d+)$/);
-        if (pidMatch) {
-            const targetPid = parseInt(pidMatch[1], 10);
-            const proc = processes.find(p => p.pid === targetPid);
+    applyKillProcess(policy, target, processes) {
+        const signal = policy.action === 'sigkill' ? 'SIGKILL' : 'SIGTERM';
+        if (target.kind === 'pid' && target.pid !== undefined) {
+            const proc = processes.find(p => p.pid === target.pid);
             if (!proc) {
-                return { policyId: policy.id, action: 'kill_process', target: policy.target, applied: false, detail: 'No matching process found' };
+                return { policyId: policy.id, action: 'kill_process', target: target.value, applied: false, detail: 'No matching process found' };
             }
-            const signal = policy.action === 'sigkill' ? 'SIGKILL' : 'SIGTERM';
             try {
-                process.kill(targetPid, signal);
-                logger_1.logger.info('Policy: kill_process (pid)', { target: policy.target, pid: targetPid, signal });
-                return { policyId: policy.id, action: 'kill_process', target: policy.target, applied: true, detail: `Killed pid ${targetPid} with ${signal}` };
+                process.kill(target.pid, signal);
+                logger_1.logger.info('Policy: kill_process (pid)', { target: target.value, pid: target.pid, signal });
+                return { policyId: policy.id, action: 'kill_process', target: target.value, applied: true, detail: `Killed pid ${target.pid} with ${signal}` };
             }
             catch {
-                try {
-                    (0, child_process_1.execSync)(`kill -${signal === 'SIGKILL' ? 9 : 15} ${targetPid}`, { timeout: 3000 });
-                    logger_1.logger.info('Policy: kill_process (pid, fallback)', { target: policy.target, pid: targetPid, signal });
-                    return { policyId: policy.id, action: 'kill_process', target: policy.target, applied: true, detail: `Killed pid ${targetPid} with ${signal}` };
-                }
-                catch {
-                    return { policyId: policy.id, action: 'kill_process', target: policy.target, applied: false, detail: 'Process may already be gone' };
-                }
+                return { policyId: policy.id, action: 'kill_process', target: target.value, applied: false, detail: 'Process may already be gone' };
             }
         }
-        // Framework-level kill: match by frameworkId, name, or command
+        if (target.kind !== 'framework' && target.kind !== 'hostname') {
+            return { policyId: policy.id, action: 'kill_process', target: target.value, applied: false, detail: 'Target must be pid:N, framework id, or hostname for kill_process' };
+        }
+        const lowered = target.value.toLowerCase();
         const matched = processes.filter(p => {
-            if (p.frameworkId === target)
+            if (p.frameworkId === lowered)
                 return true;
-            if (p.frameworkName?.toLowerCase() === target)
+            if (p.frameworkName?.toLowerCase() === lowered)
                 return true;
-            if (p.command?.toLowerCase().includes(target))
+            // command match restricted to a substring of the framework token to
+            // avoid greedy matches on free-form text.
+            if (target.kind === 'framework' && p.command?.toLowerCase().includes(lowered))
                 return true;
             return false;
         });
         if (matched.length === 0) {
-            return { policyId: policy.id, action: 'kill_process', target: policy.target, applied: false, detail: 'No matching process found' };
+            return { policyId: policy.id, action: 'kill_process', target: target.value, applied: false, detail: 'No matching process found' };
         }
-        const signal = policy.action === 'sigkill' ? 'SIGKILL' : 'SIGTERM';
         let killed = 0;
         for (const proc of matched) {
             try {
                 process.kill(proc.pid, signal);
                 killed++;
             }
-            catch {
-                try {
-                    (0, child_process_1.execSync)(`kill -${signal === 'SIGKILL' ? 9 : 15} ${proc.pid}`, { timeout: 3000 });
-                    killed++;
-                }
-                catch { /* process may already be gone */ }
-            }
+            catch { /* process may already be gone */ }
         }
         const detail = killed > 0 ? `Killed ${killed} process(es) with ${signal}` : 'Failed to kill processes';
-        logger_1.logger.info('Policy: kill_process', { target: policy.target, killed, signal });
-        return { policyId: policy.id, action: 'kill_process', target: policy.target, applied: killed > 0, detail };
+        logger_1.logger.info('Policy: kill_process', { target: target.value, killed, signal });
+        return { policyId: policy.id, action: 'kill_process', target: target.value, applied: killed > 0, detail };
     }
-    applyBlockProvider(policy) {
-        const provider = types_1.LLM_PROVIDER_SIGNATURES.find(p => p.id === policy.target || p.name === policy.target);
+    applyBlockProvider(policy, target) {
+        // Provider matching is by id or name only — both already constrained by FRAMEWORK_RE / HOSTNAME_RE.
+        const provider = types_1.LLM_PROVIDER_SIGNATURES.find(p => p.id === target.value || p.name === target.value);
         if (!provider) {
-            return { policyId: policy.id, action: 'block_provider', target: policy.target, applied: false, detail: `Unknown provider: ${policy.target}` };
+            return { policyId: policy.id, action: 'block_provider', target: target.value, applied: false, detail: `Unknown provider: ${target.value}` };
         }
-        const ruleId = `sentry-block-${provider.id}`;
         let success = 0;
+        const appliedRules = [];
         for (const domain of provider.domains) {
-            try {
-                this.addIptablesRule(ruleId, domain);
+            const domainTarget = (0, target_validator_1.validateTarget)(domain);
+            if (!(0, target_validator_1.isNetworkTarget)(domainTarget))
+                continue; // defense in depth
+            const appliedRule = this.addNetworkBlockRule(policy.id, domainTarget);
+            if (appliedRule) {
+                appliedRules.push(appliedRule);
                 success++;
             }
-            catch { /* best-effort */ }
         }
-        this.appliedRules.add(ruleId);
+        if (appliedRules.length > 0) {
+            this.appliedRules.set(policy.id, appliedRules);
+        }
         if (success > 0) {
             logger_1.logger.info('Policy: block_provider', { provider: provider.name, domains: success });
         }
@@ -125,33 +183,119 @@ class PolicyExecutor {
             action: 'block_provider',
             target: provider.name,
             applied: success > 0,
-            detail: success > 0 ? `Blocked ${success} domain(s) via iptables` : 'No domains blocked (try running as root)',
+            detail: success > 0 ? `Blocked ${success} domain(s)` : 'No domains blocked (try running as root)',
         };
     }
-    applyBlockDomain(policy) {
-        const ruleId = `sentry-block-domain-${policy.id.slice(0, 8)}`;
-        try {
-            this.addIptablesRule(ruleId, policy.target);
-            this.appliedRules.add(ruleId);
-            logger_1.logger.info('Policy: block_domain', { target: policy.target });
-            return { policyId: policy.id, action: 'block_domain', target: policy.target, applied: true, detail: `Blocked ${policy.target} via iptables` };
+    applyBlockDomain(policy, target) {
+        if (!(0, target_validator_1.isNetworkTarget)(target)) {
+            return { policyId: policy.id, action: 'block_domain', target: target.value, applied: false, detail: 'Target must be a hostname, IP, or CIDR' };
         }
-        catch (err) {
-            return { policyId: policy.id, action: 'block_domain', target: policy.target, applied: false, detail: `Failed: ${err.message}` };
+        const appliedRule = this.addNetworkBlockRule(policy.id, target);
+        if (appliedRule) {
+            this.appliedRules.set(policy.id, [appliedRule]);
+            logger_1.logger.info('Policy: block_domain', { target: target.value });
+            return { policyId: policy.id, action: 'block_domain', target: target.value, applied: true, detail: `Blocked ${target.value}` };
         }
+        return { policyId: policy.id, action: 'block_domain', target: target.value, applied: false, detail: 'iptables/nft unavailable or rejected the rule' };
     }
-    addIptablesRule(ruleId, target) {
-        // Try nftables first, fall back to iptables
-        try {
-            (0, child_process_1.execSync)(`nft add rule inet filter output ${ruleId} ip daddr ${target} drop 2>/dev/null || iptables -C OUTPUT -d ${target} -j DROP 2>/dev/null || iptables -A OUTPUT -d ${target} -j DROP`, { timeout: 5000 });
+    /**
+     * Add an OUTPUT DROP rule. Each piece of `target` was pre-validated; we still
+     * call execFileSync with separate args so even a future regression in the
+     * validator cannot escape to a shell.
+     */
+    addNetworkBlockRule(ruleId, target) {
+        // nft first (modern kernels)
+        if (this.nftBin) {
+            try {
+                (0, child_process_1.execFileSync)(this.nftBin, ['add', 'rule', 'inet', 'filter', 'output', 'ip', 'daddr', target.value, 'drop', 'comment', ruleId], { timeout: 5000, stdio: 'ignore' });
+                return { backend: 'nft', target: target.value };
+            }
+            catch {
+                // fall through to iptables
+            }
         }
-        catch {
-            (0, child_process_1.execSync)(`iptables -C OUTPUT -d ${target} -j DROP 2>/dev/null || iptables -A OUTPUT -d ${target} -j DROP`, { timeout: 5000 });
+        if (this.iptablesBin) {
+            try {
+                // -C first to dedupe; ignore exit code, then -A
+                try {
+                    (0, child_process_1.execFileSync)(this.iptablesBin, ['-C', 'OUTPUT', '-d', target.value, '-j', 'DROP'], { timeout: 5000, stdio: 'ignore' });
+                    return { backend: 'iptables', target: target.value };
+                }
+                catch { /* not present, add */ }
+                (0, child_process_1.execFileSync)(this.iptablesBin, ['-A', 'OUTPUT', '-d', target.value, '-j', 'DROP'], { timeout: 5000, stdio: 'ignore' });
+                return { backend: 'iptables', target: target.value };
+            }
+            catch {
+                return null;
+            }
         }
+        return null;
     }
     removeRule(ruleId) {
-        // Cleanup is deferred — rules persist until explicitly removed or reboot
-        logger_1.logger.debug('Policy rule removed from tracking', { ruleId });
+        const rules = this.appliedRules.get(ruleId);
+        if (!rules || rules.length === 0) {
+            return;
+        }
+        let removed = 0;
+        if (rules.some(rule => rule.backend === 'nft')) {
+            removed += this.removeNftRules(ruleId);
+        }
+        for (const rule of rules) {
+            if (rule.backend === 'iptables' && this.removeIptablesRule(rule.target)) {
+                removed++;
+            }
+        }
+        this.appliedRules.delete(ruleId);
+        logger_1.logger.debug('Policy rules removed', { ruleId, removed });
+    }
+    removeIptablesRule(target) {
+        if (!this.iptablesBin) {
+            return false;
+        }
+        let removed = false;
+        while (true) {
+            try {
+                (0, child_process_1.execFileSync)(this.iptablesBin, ['-D', 'OUTPUT', '-d', target, '-j', 'DROP'], {
+                    timeout: 5000,
+                    stdio: 'ignore',
+                });
+                removed = true;
+            }
+            catch {
+                break;
+            }
+        }
+        return removed;
+    }
+    removeNftRules(ruleId) {
+        if (!this.nftBin) {
+            return 0;
+        }
+        try {
+            const output = (0, child_process_1.execFileSync)(this.nftBin, ['-a', 'list', 'chain', 'inet', 'filter', 'output'], {
+                encoding: 'utf8',
+                timeout: 5000,
+            });
+            const handles = output
+                .split('\n')
+                .map((line) => {
+                if (!line.includes(`comment "${ruleId}"`)) {
+                    return null;
+                }
+                return line.match(/# handle (\d+)/)?.[1] ?? null;
+            })
+                .filter((handle) => Boolean(handle));
+            for (const handle of handles) {
+                (0, child_process_1.execFileSync)(this.nftBin, ['delete', 'rule', 'inet', 'filter', 'output', 'handle', handle], {
+                    timeout: 5000,
+                    stdio: 'ignore',
+                });
+            }
+            return handles.length;
+        }
+        catch {
+            return 0;
+        }
     }
 }
 exports.PolicyExecutor = PolicyExecutor;

package/dist/enforcement/policy-executor.js.map

@@ -1 +1 @@
-{"version":3,"file":"policy-executor.js","sourceRoot":"","sources":["../../src/enforcement/policy-executor.ts"],"names":[],"mappings":";;;AACA,iDAAyC;AACzC,oCAAkE;AAElE,sCAAmC;AAoBnC,MAAa,cAAc;IAIzB,YAAoB,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;QAHhC,iBAAY,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,iBAAY,GAAmB,EAAE,CAAC;IAEC,CAAC;IAE5C,qEAAqE;IACrE,KAAK,CAAC,KAAK,CACT,QAAwB,EACxB,eAAgC;QAEhC,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;QAEzC,0DAA0D;QAC1D,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACjC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAChD,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;gBACpB,KAAK,cAAc;oBACjB,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;oBACnE,MAAM;gBACR,KAAK,gBAAgB;oBACnB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;oBAC9C,MAAM;gBACR,KAAK,cAAc;oBACjB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,MAAM;YACV,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC;gBACvC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;gBACxB,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC;QAE3B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YACtD,eAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,MAAoB,EACpB,SAA0B;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAE3C,mDAAmD;QACnD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAC7C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC5C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC;YACtD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;YACrI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YACnE,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;gBAChC,eAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7F,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,SAAS,SAAS,MAAM,EAAE,EAAE,CAAC;YACjJ,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC;oBACH,IAAA,wBAAQ,EAAC,SAAS,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;oBACnF,eAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;oBACvG,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,SAAS,SAAS,MAAM,EAAE,EAAE,CAAC;gBACjJ,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;gBACvI,CAAC;YACH,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;YACnC,IAAI,CAAC,CAAC,WAAW,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAC;YAC1C,IAAI,CAAC,CAAC,aAAa,EAAE,WAAW,EAAE,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAC;YAC3D,IAAI,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC3D,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;QACrI,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC/B,MAAM,EAAE,CAAC;YACX,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC;oBACH,IAAA,wBAAQ,EAAC,SAAS,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;oBAClF,MAAM,EAAE,CAAC;gBACX,CAAC;gBAAC,MAAM,CAAC,CAAC,iCAAiC,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,MAAM,qBAAqB,MAAM,EAAE,CAAC,CAAC,CAAC,0BAA0B,CAAC;QACvG,eAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/E,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7G,CAAC;IAEO,kBAAkB,CAAC,MAAoB;QAC7C,MAAM,QAAQ,GAAG,+BAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,MAAM,CAAC,CAAC;QACvG,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;QAChJ,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,QAAQ,CAAC,EAAE,EAAE,CAAC;QAC7C,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACrC,OAAO,EAAE,CAAC;YACZ,CAAC;YAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE9B,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YAChB,eAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,QAAQ,CAAC,IAAI;YACrB,OAAO,EAAE,OAAO,GAAG,CAAC;YACpB,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,OAAO,yBAAyB,CAAC,CAAC,CAAC,0CAA0C;SAC/G,CAAC;IACJ,CAAC;IAEO,gBAAgB,CAAC,MAAoB;QAC3C,MAAM,MAAM,GAAG,uBAAuB,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAC9D,IAAI,CAAC;YACH,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC9B,eAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,MAAM,CAAC,MAAM,eAAe,EAAE,CAAC;QAChJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,WAAY,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7I,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,MAAc,EAAE,MAAc;QACpD,4CAA4C;QAC5C,IAAI,CAAC;YACH,IAAA,wBAAQ,EAAC,mCAAmC,MAAM,aAAa,MAAM,8CAA8C,MAAM,iDAAiD,MAAM,UAAU,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACjN,CAAC;QAAC,MAAM,CAAC;YACP,IAAA,wBAAQ,EAAC,yBAAyB,MAAM,iDAAiD,MAAM,UAAU,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAChI,CAAC;IACH,CAAC;IAEO,UAAU,CAAC,MAAc;QAC/B,yEAAyE;QACzE,eAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;CACF;AAzKD,wCAyKC"}
+{"version":3,"file":"policy-executor.js","sourceRoot":"","sources":["../../src/enforcement/policy-executor.ts"],"names":[],"mappings":";;;AAAA,iDAA6C;AAC7C,oCAAkE;AAElE,sCAAmC;AACnC,yDAAsF;AAyBtF;;;;;;;;;;;;GAYG;AACH,MAAa,cAAc;IAMzB,YAAoB,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;QALhC,iBAAY,GAAG,IAAI,GAAG,EAAgC,CAAC;QACvD,iBAAY,GAAmB,EAAE,CAAC;QAKxC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAEO,UAAU,CAAC,IAAY;QAC7B,+EAA+E;QAC/E,KAAK,MAAM,GAAG,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YAChF,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACnC,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC3E,OAAO,SAAS,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,KAAK,CACT,QAAwB,EACxB,eAAgC;QAEhC,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;QACzC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QAEvF,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACjC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAChD,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACjD,MAAM,SAAS,GAAG,QAAQ;mBACrB,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI;mBAC7B,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;mBACjC,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;mBACjC,QAAQ,CAAC,OAAO,KAAK,MAAM,CAAC,OAAO;mBACnC,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC;YAEvC,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,IAAI,SAAS,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gBACpF,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,MAAM,CAAC,EAAE;oBACnB,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,qBAAqB;iBAC9B,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gBACvE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC7B,CAAC;YAED,MAAM,SAAS,GAAG,IAAA,iCAAc,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChD,IAAI,SAAS,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACjC,eAAM,CAAC,IAAI,CAAC,kEAAkE,EAAE;oBAC9E,QAAQ,EAAE,MAAM,CAAC,EAAE;oBACnB,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,0DAA0D;oBAC1D,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBAC3C,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,MAAM,CAAC,EAAE;oBACnB,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,MAAM,EAAE,EAAE;oBACV,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,0BAA0B;iBACnC,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;gBACpB,KAAK,cAAc;oBACjB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC;oBACxE,MAAM;gBACR,KAAK,gBAAgB;oBACnB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;oBACzD,MAAM;gBACR,KAAK,cAAc;oBACjB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;oBACvD,MAAM;YACV,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC;gBACvC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC;QAE3B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YACtD,eAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,gBAAgB,CACtB,MAAoB,EACpB,MAAuB,EACvB,SAA0B;QAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YACtD,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;YACpI,CAAC;YACD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBACjC,eAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7F,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,MAAM,CAAC,GAAG,SAAS,MAAM,EAAE,EAAE,CAAC;YACjJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;YACtI,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,kEAAkE,EAAE,CAAC;QAC3K,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;YACnC,IAAI,CAAC,CAAC,WAAW,KAAK,OAAO;gBAAE,OAAO,IAAI,CAAC;YAC3C,IAAI,CAAC,CAAC,aAAa,EAAE,WAAW,EAAE,KAAK,OAAO;gBAAE,OAAO,IAAI,CAAC;YAC5D,oEAAoE;YACpE,0CAA0C;YAC1C,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC3F,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;QACpI,CAAC;QAED,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC/B,MAAM,EAAE,CAAC;YACX,CAAC;YAAC,MAAM,CAAC,CAAC,iCAAiC,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,MAAM,qBAAqB,MAAM,EAAE,CAAC,CAAC,CAAC,0BAA0B,CAAC;QACvG,eAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9E,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5G,CAAC;IAEO,kBAAkB,CAAC,MAAoB,EAAE,MAAuB;QACtE,oGAAoG;QACpG,MAAM,QAAQ,GAAG,+BAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC;QACrG,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;QAC9I,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,YAAY,GAAyB,EAAE,CAAC;QAE9C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,YAAY,GAAG,IAAA,iCAAc,EAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAA,kCAAe,EAAC,YAAY,CAAC;gBAAE,SAAS,CAAC,mBAAmB;YACjE,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;YACtE,IAAI,WAAW,EAAE,CAAC;gBAChB,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC/B,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YAChB,eAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,QAAQ,CAAC,IAAI;YACrB,OAAO,EAAE,OAAO,GAAG,CAAC;YACpB,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,OAAO,YAAY,CAAC,CAAC,CAAC,0CAA0C;SAClG,CAAC;IACJ,CAAC;IAEO,gBAAgB,CAAC,MAAoB,EAAE,MAAuB;QACpE,IAAI,CAAC,IAAA,kCAAe,EAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;QACjJ,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAChE,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;YAChD,eAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;QACjI,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,+CAA+C,EAAE,CAAC;IACxJ,CAAC;IAED;;;;OAIG;IACK,mBAAmB,CAAC,MAAc,EAAE,MAAuB;QACjE,6BAA6B;QAC7B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,IAAA,4BAAY,EACV,IAAI,CAAC,MAAM,EACX,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,EACnG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CACnC,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,2BAA2B;YAC7B,CAAC;QACH,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,gDAAgD;gBAChD,IAAI,CAAC;oBACH,IAAA,4BAAY,EAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;oBACvH,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;gBACvD,CAAC;gBAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC;gBAClC,IAAA,4BAAY,EAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACvH,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,UAAU,CAAC,MAAc;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,KAAK,KAAK,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,OAAO,KAAK,UAAU,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACxE,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,eAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;IAEO,kBAAkB,CAAC,MAAc;QACvC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,OAAO,IAAI,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE;oBAC3E,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,QAAQ;iBAChB,CAAC,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM;YACR,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,cAAc,CAAC,MAAc;QACnC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,4BAAY,EAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE;gBAC5F,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,MAAM;iBACnB,KAAK,CAAC,IAAI,CAAC;iBACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;gBACZ,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC1C,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,OAAO,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YACnD,CAAC,CAAC;iBACD,MAAM,CAAC,CAAC,MAAM,EAAoB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YAEzD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAA,4BAAY,EAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE;oBAC1F,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,QAAQ;iBAChB,CAAC,CAAC;YACL,CAAC;YAED,OAAO,OAAO,CAAC,MAAM,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;CACF;AAjUD,wCAiUC"}

package/dist/enforcement/policy-executor.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=policy-executor.test.d.ts.map

package/dist/enforcement/policy-executor.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-executor.test.d.ts","sourceRoot":"","sources":["../../src/enforcement/policy-executor.test.ts"],"names":[],"mappings":""}

package/dist/enforcement/policy-executor.test.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const { mockExecFileSync } = vitest_1.vi.hoisted(() => ({
+    mockExecFileSync: vitest_1.vi.fn(),
+}));
+vitest_1.vi.mock('child_process', () => ({
+    execFileSync: mockExecFileSync,
+}));
+const policy_executor_1 = require("./policy-executor");
+(0, vitest_1.describe)('PolicyExecutor', () => {
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+        mockExecFileSync.mockImplementation((_bin, args) => {
+            if (args[0] === '--version')
+                return '';
+            if (args[0] === 'add' && args[1] === 'rule')
+                return '';
+            if (args[0] === '-a' && args[1] === 'list') {
+                return 'table inet filter {\n  chain output {\n    ip daddr 203.0.113.10 drop comment "policy-1" # handle 17\n  }\n}\n';
+            }
+            if (args[0] === 'delete' && args[1] === 'rule')
+                return '';
+            if (args[0] === '-C' || args[0] === '-A' || args[0] === '-D')
+                return '';
+            return '';
+        });
+    });
+    (0, vitest_1.it)('removes nft rules when a synced policy is deleted', async () => {
+        const executor = new policy_executor_1.PolicyExecutor({ sentry: { hostId: 'host-1' } });
+        await executor.apply([
+            {
+                id: 'policy-1',
+                hostId: null,
+                type: 'block_domain',
+                target: '203.0.113.10',
+                enabled: true,
+                action: 'deny',
+                description: '',
+            },
+        ], []);
+        await executor.apply([], []);
+        (0, vitest_1.expect)(mockExecFileSync).toHaveBeenCalledWith(vitest_1.expect.stringContaining('/nft'), ['delete', 'rule', 'inet', 'filter', 'output', 'handle', '17'], vitest_1.expect.any(Object));
+    });
+});
+//# sourceMappingURL=policy-executor.test.js.map

package/dist/enforcement/policy-executor.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-executor.test.js","sourceRoot":"","sources":["../../src/enforcement/policy-executor.test.ts"],"names":[],"mappings":";;AAAA,mCAA8D;AAE9D,MAAM,EAAE,gBAAgB,EAAE,GAAG,WAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7C,gBAAgB,EAAE,WAAE,CAAC,EAAE,EAAE;CAC1B,CAAC,CAAC,CAAC;AAEJ,WAAE,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,CAAC;IAC9B,YAAY,EAAE,gBAAgB;CAC/B,CAAC,CAAC,CAAC;AAEJ,uDAAmD;AAEnD,IAAA,iBAAQ,EAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,WAAE,CAAC,aAAa,EAAE,CAAC;QACnB,gBAAgB,CAAC,kBAAkB,CAAC,CAAC,IAAY,EAAE,IAAc,EAAE,EAAE;YACnE,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,WAAW;gBAAE,OAAO,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM;gBAAE,OAAO,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;gBAC3C,OAAO,gHAAgH,CAAC;YAC1H,CAAC;YACD,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM;gBAAE,OAAO,EAAE,CAAC;YAC1D,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,OAAO,EAAE,CAAC;YACxE,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,QAAQ,GAAG,IAAI,gCAAc,CAAC,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAW,CAAC,CAAC;QAE/E,MAAM,QAAQ,CAAC,KAAK,CAAC;YACnB;gBACE,EAAE,EAAE,UAAU;gBACd,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,cAAc;gBACtB,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,MAAM;gBACd,WAAW,EAAE,EAAE;aAChB;SACF,EAAE,EAAE,CAAC,CAAC;QAEP,MAAM,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAE7B,IAAA,eAAM,EAAC,gBAAgB,CAAC,CAAC,oBAAoB,CAC3C,eAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAC/B,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,EAC9D,eAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/enforcement/target-validator.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Strict validator for policy `target` strings that flow from the NeuroSec
+ * cloud into shell-executing code paths (iptables/nft/process.kill).
+ *
+ * Design intent: targets are NEVER interpolated into shell strings without
+ * passing this validator first. Any rejected target is logged and dropped —
+ * we fail closed rather than risk injection.
+ *
+ * Accepted forms:
+ *   - hostname:     foo.example.com (RFC 1123, max 253 chars, no whitespace)
+ *   - wildcard:     *.example.com
+ *   - IPv4:         203.0.113.42
+ *   - IPv4 CIDR:    10.0.0.0/8
+ *   - IPv6:         2001:db8::1
+ *   - IPv6 CIDR:    2001:db8::/32
+ *   - pid spec:     pid:12345
+ *   - framework id: lowercase + digits + dash, 1-64 chars (e.g. "claude-code")
+ *
+ * Rejected:
+ *   - shell metacharacters: ; | & $ ` < > ( ) " ' \ newline tab
+ *   - leading dashes (could be parsed as a flag by iptables)
+ *   - any value containing whitespace
+ */
+export type TargetKind = 'hostname' | 'wildcard' | 'ipv4' | 'ipv4-cidr' | 'ipv6' | 'ipv6-cidr' | 'pid' | 'framework' | 'invalid';
+export interface ValidatedTarget {
+    kind: TargetKind;
+    value: string;
+    pid?: number;
+}
+/**
+ * Classify and validate a target. Returns `invalid` for anything that should
+ * never be interpolated into a shell command.
+ */
+export declare function validateTarget(raw: unknown): ValidatedTarget;
+/** Returns true if the target is safe to use as an iptables/nft destination. */
+export declare function isNetworkTarget(t: ValidatedTarget): boolean;
+//# sourceMappingURL=target-validator.d.ts.map

package/dist/enforcement/target-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"target-validator.d.ts","sourceRoot":"","sources":["../../src/enforcement/target-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAaH,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,GAAG,WAAW,GAAG,MAAM,GAAG,WAAW,GAAG,KAAK,GAAG,WAAW,GAAG,SAAS,CAAC;AAEjI,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,UAAU,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAsBD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,eAAe,CAuC5D;AAED,gFAAgF;AAChF,wBAAgB,eAAe,CAAC,CAAC,EAAE,eAAe,GAAG,OAAO,CAO3D"}

package/dist/enforcement/target-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"target-validator.js","sourceRoot":"","sources":["../../src/enforcement/target-validator.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;AA6CH,wCAuCC;AAGD,0CAOC;AA5FD,MAAM,WAAW,GAAG,yHAAyH,CAAC;AAC9I,MAAM,OAAO,GAAG,kHAAkH,CAAC;AACnI,MAAM,YAAY,GAAG,oIAAoI,CAAC;AAC1J,MAAM,OAAO,GAAG,iBAAiB,CAAC;AAClC,MAAM,YAAY,GAAG,6CAA6C,CAAC;AACnE,MAAM,MAAM,GAAG,oBAAoB,CAAC;AACpC,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAE9C,yDAAyD;AACzD,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAU7C,SAAS,WAAW,CAAC,KAAa;IAChC,gFAAgF;IAChF,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,8EAA8E;IAC9E,IAAI,CAAC;QACH,8BAA8B;QAC9B,IAAI,GAAG,CAAC,WAAW,KAAK,GAAG,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACjC,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,GAAY;IACzC,MAAM,MAAM,GAAG,EAAE,IAAI,EAAE,SAAkB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACvD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,MAAM,CAAC;IAC5D,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC/C,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC,CAAC,gCAAgC;IAE1E,UAAU;IACV,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,GAAG,OAAS;YAAE,OAAO,MAAM,CAAC;QACxE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACrC,CAAC;IAED,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;IAClE,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACxD,IAAI,eAAe,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;IAChE,IAAI,WAAW,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAEvD,wEAAwE;IACxE,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IACxE,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,6DAA6D;QAC7D,6EAA6E;QAC7E,8EAA8E;QAC9E,6EAA6E;QAC7E,iEAAiE;QACjE,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;QACrC,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;IAElE,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAChF,SAAgB,eAAe,CAAC,CAAkB;IAChD,OAAO,CAAC,CAAC,IAAI,KAAK,UAAU;WACvB,CAAC,CAAC,IAAI,KAAK,UAAU;WACrB,CAAC,CAAC,IAAI,KAAK,MAAM;WACjB,CAAC,CAAC,IAAI,KAAK,WAAW;WACtB,CAAC,CAAC,IAAI,KAAK,MAAM;WACjB,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC;AAC9B,CAAC"}

package/dist/enforcement/target-validator.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=target-validator.test.d.ts.map