@oscharko-dev/keiko-security 0.2.0

package/dist/errors/secretbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretbox.d.ts","sourceRoot":"","sources":["../../src/errors/secretbox.ts"],"names":[],"mappings":"AAOA,qBAAa,cAAe,SAAQ,KAAK;IACvC,SAAgB,IAAI,EAAG,uBAAuB,CAAU;gBAErC,OAAO,EAAE,MAAM;CAInC"}

package/dist/errors/secretbox.js

@@ -0,0 +1,13 @@
+// Typed error for the secretbox authenticated-encryption primitive. A single stable `code`
+// discriminant so callers can branch on the failure class without parsing the message. The
+// message is intentionally generic — it never echoes key material, plaintext, or ciphertext, so
+// it is always safe to log across a trust boundary. An auth-tag mismatch (tampered ciphertext OR
+// wrong key) and a malformed envelope both surface here; we do NOT distinguish "wrong key" from
+// "tampered" by design, because telling an attacker which one failed is an oracle.
+export class SecretboxError extends Error {
+    code = "SECRETBOX_OPEN_FAILED";
+    constructor(message) {
+        super(message);
+        this.name = "SecretboxError";
+    }
+}

package/dist/errors/tools.d.ts

@@ -0,0 +1,60 @@
+import type { PatchConflict, PatchRejection } from "@oscharko-dev/keiko-contracts";
+export declare const TOOL_CODES: {
+    readonly ARGUMENT: "TOOL_ARGUMENT";
+    readonly UNKNOWN: "TOOL_UNKNOWN";
+    readonly COMMAND_DENIED: "TOOL_COMMAND_DENIED";
+    readonly COMMAND_TIMEOUT: "TOOL_COMMAND_TIMEOUT";
+    readonly COMMAND_CANCELLED: "TOOL_COMMAND_CANCELLED";
+    readonly OUTPUT_LIMIT: "TOOL_OUTPUT_LIMIT";
+    readonly PATCH_INVALID: "TOOL_PATCH_INVALID";
+    readonly PATCH_APPLY_DISABLED: "TOOL_PATCH_APPLY_DISABLED";
+    readonly PATCH_APPLY_FAILED: "TOOL_PATCH_APPLY_FAILED";
+};
+export type ToolCode = (typeof TOOL_CODES)[keyof typeof TOOL_CODES];
+export declare abstract class ToolError extends Error {
+    abstract readonly code: ToolCode;
+    constructor(message: string, secrets?: readonly string[]);
+}
+export declare class ToolArgumentError extends ToolError {
+    readonly code: "TOOL_ARGUMENT";
+    readonly toolName: string;
+    constructor(message: string, toolName: string, secrets?: readonly string[]);
+}
+export declare class UnknownToolError extends ToolError {
+    readonly code: "TOOL_UNKNOWN";
+    readonly toolName: string;
+    constructor(message: string, toolName: string, secrets?: readonly string[]);
+}
+export declare class CommandDeniedError extends ToolError {
+    readonly code: "TOOL_COMMAND_DENIED";
+    readonly executable: string;
+    constructor(message: string, executable: string, secrets?: readonly string[]);
+}
+export declare class CommandTimeoutError extends ToolError {
+    readonly code: "TOOL_COMMAND_TIMEOUT";
+    readonly timeoutMs: number;
+    constructor(message: string, timeoutMs: number, secrets?: readonly string[]);
+}
+export declare class CommandCancelledError extends ToolError {
+    readonly code: "TOOL_COMMAND_CANCELLED";
+}
+export declare class OutputLimitError extends ToolError {
+    readonly code: "TOOL_OUTPUT_LIMIT";
+    readonly limitBytes: number;
+    constructor(message: string, limitBytes: number, secrets?: readonly string[]);
+}
+export declare class PatchValidationError extends ToolError {
+    readonly code: "TOOL_PATCH_INVALID";
+    readonly reasons: readonly PatchRejection[];
+    readonly conflicts: readonly PatchConflict[];
+    constructor(message: string, reasons: readonly PatchRejection[], conflicts: readonly PatchConflict[], secrets?: readonly string[]);
+}
+export declare class PatchApplyDisabledError extends ToolError {
+    readonly code: "TOOL_PATCH_APPLY_DISABLED";
+}
+export declare class PatchApplyError extends ToolError {
+    readonly code: "TOOL_PATCH_APPLY_FAILED";
+    readonly path: string;
+    constructor(message: string, path: string, secrets?: readonly string[]);
+}
+//# sourceMappingURL=tools.d.ts.map

package/dist/errors/tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../../src/errors/tools.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAGnF,eAAO,MAAM,UAAU;;;;;;;;;;CAUb,CAAC;AAEX,MAAM,MAAM,QAAQ,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEpE,8BAAsB,SAAU,SAAQ,KAAK;IAC3C,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;gBAErB,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI7D;AAGD,qBAAa,iBAAkB,SAAQ,SAAS;IAC9C,QAAQ,CAAC,IAAI,kBAAuB;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;gBAEd,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI/E;AAGD,qBAAa,gBAAiB,SAAQ,SAAS;IAC7C,QAAQ,CAAC,IAAI,iBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;gBAEd,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI/E;AAGD,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,IAAI,wBAA6B;IAC1C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAIjF;AAGD,qBAAa,mBAAoB,SAAQ,SAAS;IAChD,QAAQ,CAAC,IAAI,yBAA8B;IAC3C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;gBAEf,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAIhF;AAGD,qBAAa,qBAAsB,SAAQ,SAAS;IAClD,QAAQ,CAAC,IAAI,2BAAgC;CAC9C;AAGD,qBAAa,gBAAiB,SAAQ,SAAS;IAC7C,QAAQ,CAAC,IAAI,sBAA2B;IACxC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAIjF;AAGD,qBAAa,oBAAqB,SAAQ,SAAS;IACjD,QAAQ,CAAC,IAAI,uBAA4B;IACzC,QAAQ,CAAC,OAAO,EAAE,SAAS,cAAc,EAAE,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,SAAS,aAAa,EAAE,CAAC;gBAG3C,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,SAAS,cAAc,EAAE,EAClC,SAAS,EAAE,SAAS,aAAa,EAAE,EACnC,OAAO,GAAE,SAAS,MAAM,EAAO;CAMlC;AAGD,qBAAa,uBAAwB,SAAQ,SAAS;IACpD,QAAQ,CAAC,IAAI,8BAAmC;CACjD;AAGD,qBAAa,eAAgB,SAAQ,SAAS;IAC5C,QAAQ,CAAC,IAAI,4BAAiC;IAC9C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAEV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI3E"}

package/dist/errors/tools.js

@@ -0,0 +1,94 @@
+// Tool error taxonomy, mirroring gateway/harness/workspace (ADR-0003/0004/0005/0006).
+// Errors carry a stable `code` discriminant; callers switch on `code`, never parse `message`.
+// Every message is redacted at construction so errors are always safe to log or surface.
+import { redact } from "../redaction.js";
+export const TOOL_CODES = {
+    ARGUMENT: "TOOL_ARGUMENT",
+    UNKNOWN: "TOOL_UNKNOWN",
+    COMMAND_DENIED: "TOOL_COMMAND_DENIED",
+    COMMAND_TIMEOUT: "TOOL_COMMAND_TIMEOUT",
+    COMMAND_CANCELLED: "TOOL_COMMAND_CANCELLED",
+    OUTPUT_LIMIT: "TOOL_OUTPUT_LIMIT",
+    PATCH_INVALID: "TOOL_PATCH_INVALID",
+    PATCH_APPLY_DISABLED: "TOOL_PATCH_APPLY_DISABLED",
+    PATCH_APPLY_FAILED: "TOOL_PATCH_APPLY_FAILED",
+};
+export class ToolError extends Error {
+    constructor(message, secrets = []) {
+        super(redact(message, secrets));
+        this.name = new.target.name;
+    }
+}
+// Malformed tool arguments (a required field missing or of the wrong type).
+export class ToolArgumentError extends ToolError {
+    code = TOOL_CODES.ARGUMENT;
+    toolName;
+    constructor(message, toolName, secrets = []) {
+        super(message, secrets);
+        this.toolName = toolName;
+    }
+}
+// No such tool in the host's dispatch map.
+export class UnknownToolError extends ToolError {
+    code = TOOL_CODES.UNKNOWN;
+    toolName;
+    constructor(message, toolName, secrets = []) {
+        super(message, secrets);
+        this.toolName = toolName;
+    }
+}
+// Executable or subcommand not on the allowlist (deny-by-default). Raised BEFORE any spawn.
+export class CommandDeniedError extends ToolError {
+    code = TOOL_CODES.COMMAND_DENIED;
+    executable;
+    constructor(message, executable, secrets = []) {
+        super(message, secrets);
+        this.executable = executable;
+    }
+}
+// The command exceeded its wall-time budget and was terminated.
+export class CommandTimeoutError extends ToolError {
+    code = TOOL_CODES.COMMAND_TIMEOUT;
+    timeoutMs;
+    constructor(message, timeoutMs, secrets = []) {
+        super(message, secrets);
+        this.timeoutMs = timeoutMs;
+    }
+}
+// Abort-driven cancellation of a command or a patch apply.
+export class CommandCancelledError extends ToolError {
+    code = TOOL_CODES.COMMAND_CANCELLED;
+}
+// A hard output-limit breach (used where truncate-and-flag is not acceptable, e.g. patch input).
+export class OutputLimitError extends ToolError {
+    code = TOOL_CODES.OUTPUT_LIMIT;
+    limitBytes;
+    constructor(message, limitBytes, secrets = []) {
+        super(message, secrets);
+        this.limitBytes = limitBytes;
+    }
+}
+// Patch validation failed; carries the structured rejection reasons. Nothing was written.
+export class PatchValidationError extends ToolError {
+    code = TOOL_CODES.PATCH_INVALID;
+    reasons;
+    conflicts;
+    constructor(message, reasons, conflicts, secrets = []) {
+        super(message, secrets);
+        this.reasons = reasons;
+        this.conflicts = conflicts;
+    }
+}
+// Fail-closed: apply requested while applyEnabled is false. Nothing was written.
+export class PatchApplyDisabledError extends ToolError {
+    code = TOOL_CODES.PATCH_APPLY_DISABLED;
+}
+// A write (or rollback) failed during the apply phase at the filesystem boundary.
+export class PatchApplyError extends ToolError {
+    code = TOOL_CODES.PATCH_APPLY_FAILED;
+    path;
+    constructor(message, path, secrets = []) {
+        super(message, secrets);
+        this.path = path;
+    }
+}

package/dist/errors/verification.d.ts

@@ -0,0 +1,12 @@
+export declare const VERIFICATION_CODES: {
+    readonly PLAN_EMPTY: "VERIFICATION_PLAN_EMPTY";
+};
+export type VerificationCode = (typeof VERIFICATION_CODES)[keyof typeof VERIFICATION_CODES];
+export declare abstract class VerificationError extends Error {
+    abstract readonly code: VerificationCode;
+    constructor(message: string, secrets?: readonly string[]);
+}
+export declare class EmptyPlanError extends VerificationError {
+    readonly code: "VERIFICATION_PLAN_EMPTY";
+}
+//# sourceMappingURL=verification.d.ts.map

package/dist/errors/verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification.d.ts","sourceRoot":"","sources":["../../src/errors/verification.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,kBAAkB;;CAErB,CAAC;AAEX,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,OAAO,kBAAkB,CAAC,CAAC;AAE5F,8BAAsB,iBAAkB,SAAQ,KAAK;IACnD,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,gBAAgB,CAAC;gBAE7B,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI7D;AAID,qBAAa,cAAe,SAAQ,iBAAiB;IACnD,QAAQ,CAAC,IAAI,4BAAiC;CAC/C"}

package/dist/errors/verification.js

@@ -0,0 +1,21 @@
+// Verification error taxonomy, mirroring the workspace/tools pattern (ADR-0005/0006). Errors
+// carry a stable `code` discriminant; callers switch on `code`, never parse `message`. Every
+// message is redacted at construction so errors are always safe to log. The only verification
+// error surfaced today is at the CLI/IO boundary (workspace detection failures are surfaced by
+// the workspace layer's own WorkspaceError); this base exists so later boundary failures have a
+// typed home without re-deriving the pattern.
+import { redact } from "../redaction.js";
+export const VERIFICATION_CODES = {
+    PLAN_EMPTY: "VERIFICATION_PLAN_EMPTY",
+};
+export class VerificationError extends Error {
+    constructor(message, secrets = []) {
+        super(redact(message, secrets));
+        this.name = new.target.name;
+    }
+}
+// Raised when a verification run is requested but the plan contains no steps (e.g. --only with an
+// empty selection). Surfaced as a non-green verification error at the CLI boundary.
+export class EmptyPlanError extends VerificationError {
+    code = VERIFICATION_CODES.PLAN_EMPTY;
+}

package/dist/errors/workspace.d.ts

@@ -0,0 +1,56 @@
+export declare const WORKSPACE_CODES: {
+    readonly PATH_ESCAPE: "WORKSPACE_PATH_ESCAPE";
+    readonly PATH_DENIED: "WORKSPACE_PATH_DENIED";
+    readonly NOT_FOUND: "WORKSPACE_NOT_FOUND";
+    readonly FILE_TOO_LARGE: "WORKSPACE_FILE_TOO_LARGE";
+    readonly READ_FAILED: "WORKSPACE_READ_FAILED";
+    readonly REPO_SEARCH_INVALID_QUERY: "WORKSPACE_REPO_SEARCH_INVALID_QUERY";
+    readonly REPO_SEARCH_INVALID_RANGE: "WORKSPACE_REPO_SEARCH_INVALID_RANGE";
+    readonly REPO_SEARCH_UNSUPPORTED_FILE: "WORKSPACE_REPO_SEARCH_UNSUPPORTED_FILE";
+};
+export type WorkspaceCode = (typeof WORKSPACE_CODES)[keyof typeof WORKSPACE_CODES];
+export declare abstract class WorkspaceError extends Error {
+    abstract readonly code: WorkspaceCode;
+    constructor(message: string, secrets?: readonly string[]);
+}
+export declare class PathEscapeError extends WorkspaceError {
+    readonly code: "WORKSPACE_PATH_ESCAPE";
+    readonly requestedPath: string;
+    constructor(message: string, requestedPath: string, secrets?: readonly string[]);
+}
+export declare class PathDeniedError extends WorkspaceError {
+    readonly code: "WORKSPACE_PATH_DENIED";
+    readonly requestedPath: string;
+    constructor(message: string, requestedPath: string, secrets?: readonly string[]);
+}
+export declare class WorkspaceNotFoundError extends WorkspaceError {
+    readonly code: "WORKSPACE_NOT_FOUND";
+    readonly startDir: string;
+    constructor(message: string, startDir: string, secrets?: readonly string[]);
+}
+export declare class FileTooLargeError extends WorkspaceError {
+    readonly code: "WORKSPACE_FILE_TOO_LARGE";
+    readonly requestedPath: string;
+    readonly sizeBytes: number;
+    readonly limitBytes: number;
+    constructor(message: string, requestedPath: string, sizeBytes: number, limitBytes: number, secrets?: readonly string[]);
+}
+export declare class WorkspaceReadError extends WorkspaceError {
+    readonly code: "WORKSPACE_READ_FAILED";
+    readonly requestedPath: string;
+    constructor(message: string, requestedPath: string, secrets?: readonly string[]);
+}
+export declare class RepoSearchInvalidQueryError extends WorkspaceError {
+    readonly code: "WORKSPACE_REPO_SEARCH_INVALID_QUERY";
+    constructor(message: string, secrets?: readonly string[]);
+}
+export declare class RepoSearchInvalidRangeError extends WorkspaceError {
+    readonly code: "WORKSPACE_REPO_SEARCH_INVALID_RANGE";
+    constructor(message: string, secrets?: readonly string[]);
+}
+export declare class RepoSearchUnsupportedFileError extends WorkspaceError {
+    readonly code: "WORKSPACE_REPO_SEARCH_UNSUPPORTED_FILE";
+    readonly reason: string;
+    constructor(message: string, reason: string, secrets?: readonly string[]);
+}
+//# sourceMappingURL=workspace.d.ts.map

package/dist/errors/workspace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace.d.ts","sourceRoot":"","sources":["../../src/errors/workspace.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,eAAe;;;;;;;;;CASlB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,OAAO,eAAe,CAAC,CAAC;AAEnF,8BAAsB,cAAe,SAAQ,KAAK;IAChD,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;gBAE1B,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI7D;AAGD,qBAAa,eAAgB,SAAQ,cAAc;IACjD,QAAQ,CAAC,IAAI,0BAA+B;IAC5C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAIpF;AAGD,qBAAa,eAAgB,SAAQ,cAAc;IACjD,QAAQ,CAAC,IAAI,0BAA+B;IAC5C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAIpF;AAGD,qBAAa,sBAAuB,SAAQ,cAAc;IACxD,QAAQ,CAAC,IAAI,wBAA6B;IAC1C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;gBAEd,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI/E;AAGD,qBAAa,iBAAkB,SAAQ,cAAc;IACnD,QAAQ,CAAC,IAAI,6BAAkC;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAG1B,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,SAAS,MAAM,EAAO;CAOlC;AAGD,qBAAa,kBAAmB,SAAQ,cAAc;IACpD,QAAQ,CAAC,IAAI,0BAA+B;IAC5C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;gBAEnB,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAIpF;AAID,qBAAa,2BAA4B,SAAQ,cAAc;IAC7D,QAAQ,CAAC,IAAI,wCAA6C;gBAE9C,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAG7D;AAID,qBAAa,2BAA4B,SAAQ,cAAc;IAC7D,QAAQ,CAAC,IAAI,wCAA6C;gBAE9C,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAG7D;AAID,qBAAa,8BAA+B,SAAQ,cAAc;IAChE,QAAQ,CAAC,IAAI,2CAAgD;IAC7D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEZ,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,SAAS,MAAM,EAAO;CAI7E"}

package/dist/errors/workspace.js

@@ -0,0 +1,95 @@
+// Workspace error taxonomy, mirroring the gateway/harness pattern (ADR-0003, ADR-0004).
+// Errors carry a stable `code` discriminant; callers switch on `code`, never parse
+// `message`. Every message is redacted at construction so errors are always safe to log.
+import { redact } from "../redaction.js";
+export const WORKSPACE_CODES = {
+    PATH_ESCAPE: "WORKSPACE_PATH_ESCAPE",
+    PATH_DENIED: "WORKSPACE_PATH_DENIED",
+    NOT_FOUND: "WORKSPACE_NOT_FOUND",
+    FILE_TOO_LARGE: "WORKSPACE_FILE_TOO_LARGE",
+    READ_FAILED: "WORKSPACE_READ_FAILED",
+    REPO_SEARCH_INVALID_QUERY: "WORKSPACE_REPO_SEARCH_INVALID_QUERY",
+    REPO_SEARCH_INVALID_RANGE: "WORKSPACE_REPO_SEARCH_INVALID_RANGE",
+    REPO_SEARCH_UNSUPPORTED_FILE: "WORKSPACE_REPO_SEARCH_UNSUPPORTED_FILE",
+};
+export class WorkspaceError extends Error {
+    constructor(message, secrets = []) {
+        super(redact(message, secrets));
+        this.name = new.target.name;
+    }
+}
+// Raised when a candidate path escapes the workspace root (NUL, `..`, or absolute escape).
+export class PathEscapeError extends WorkspaceError {
+    code = WORKSPACE_CODES.PATH_ESCAPE;
+    requestedPath;
+    constructor(message, requestedPath, secrets = []) {
+        super(message, secrets);
+        this.requestedPath = requestedPath;
+    }
+}
+// Raised when a path matches an always-on deny pattern (secrets, deps, build, vcs).
+export class PathDeniedError extends WorkspaceError {
+    code = WORKSPACE_CODES.PATH_DENIED;
+    requestedPath;
+    constructor(message, requestedPath, secrets = []) {
+        super(message, secrets);
+        this.requestedPath = requestedPath;
+    }
+}
+// Raised when no workspace root (`.git` or `package.json`) is found above startDir.
+export class WorkspaceNotFoundError extends WorkspaceError {
+    code = WORKSPACE_CODES.NOT_FOUND;
+    startDir;
+    constructor(message, startDir, secrets = []) {
+        super(message, secrets);
+        this.startDir = startDir;
+    }
+}
+// Raised when a file exceeds the configured read size cap.
+export class FileTooLargeError extends WorkspaceError {
+    code = WORKSPACE_CODES.FILE_TOO_LARGE;
+    requestedPath;
+    sizeBytes;
+    limitBytes;
+    constructor(message, requestedPath, sizeBytes, limitBytes, secrets = []) {
+        super(message, secrets);
+        this.requestedPath = requestedPath;
+        this.sizeBytes = sizeBytes;
+        this.limitBytes = limitBytes;
+    }
+}
+// Raised for an underlying filesystem read failure at the IO boundary.
+export class WorkspaceReadError extends WorkspaceError {
+    code = WORKSPACE_CODES.READ_FAILED;
+    requestedPath;
+    constructor(message, requestedPath, secrets = []) {
+        super(message, secrets);
+        this.requestedPath = requestedPath;
+    }
+}
+// Raised at the repo-search API boundary when the RetrievalQuery fails validation, has the
+// wrong `kind` for the entry point called, or carries a syntactically invalid regex.
+export class RepoSearchInvalidQueryError extends WorkspaceError {
+    code = WORKSPACE_CODES.REPO_SEARCH_INVALID_QUERY;
+    constructor(message, secrets = []) {
+        super(message, secrets);
+    }
+}
+// Raised when a readExcerpt request specifies a line range that is not a positive,
+// increasing pair of integers, or a scopePath that fails the contracts validator.
+export class RepoSearchInvalidRangeError extends WorkspaceError {
+    code = WORKSPACE_CODES.REPO_SEARCH_INVALID_RANGE;
+    constructor(message, secrets = []) {
+        super(message, secrets);
+    }
+}
+// Raised when readExcerpt is called on a file the facade refuses to read or interpret
+// (for example: outside the selected scope, denied/ignored by policy, or binary content).
+export class RepoSearchUnsupportedFileError extends WorkspaceError {
+    code = WORKSPACE_CODES.REPO_SEARCH_UNSUPPORTED_FILE;
+    reason;
+    constructor(message, reason, secrets = []) {
+        super(message, secrets);
+        this.reason = reason;
+    }
+}

package/dist/hashing.d.ts

@@ -0,0 +1,4 @@
+export declare function canonicalise(value: unknown): string;
+export declare function sha256Hex(input: string): string;
+export declare function sha256Base64(input: string): string;
+//# sourceMappingURL=hashing.d.ts.map

package/dist/hashing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hashing.d.ts","sourceRoot":"","sources":["../src/hashing.ts"],"names":[],"mappings":"AAcA,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAenD;AAID,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAID,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAElD"}

package/dist/hashing.js

@@ -0,0 +1,38 @@
+// Pure, deterministic hashing primitives shared across the security trust boundary. Callers in
+// harness, audit, and UI compose these into higher-level fingerprints, evidence digests, and CSP
+// hashes without re-deriving the cryptographic boundary in each layer.
+//
+// Why these helpers live here, not in node:crypto callers: the security package is the leaf trust
+// boundary, so the canonical-JSON serialiser and the SHA-256 wrappers belong with redact() and the
+// safe-error taxonomy — any future regulated-delivery audit only needs to inspect one module to
+// confirm hashing semantics are stable.
+import { createHash } from "node:crypto";
+// Canonical JSON: object keys sorted recursively, array order preserved, undefined values omitted
+// (matching JSON.stringify semantics). Two structurally equal inputs serialise to byte-identical
+// strings regardless of key insertion order, so SHA-256 over the canonical form is order-stable.
+export function canonicalise(value) {
+    if (value === undefined) {
+        return "null";
+    }
+    if (value === null || typeof value !== "object") {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => canonicalise(item)).join(",")}]`;
+    }
+    const entries = Object.entries(value)
+        .filter(([, v]) => v !== undefined)
+        .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
+        .map(([key, v]) => `${JSON.stringify(key)}:${canonicalise(v)}`);
+    return `{${entries.join(",")}}`;
+}
+// SHA-256 of a UTF-8 string, hex-encoded. Used for run-fingerprints and any other identifier-style
+// digest where hex is the expected format.
+export function sha256Hex(input) {
+    return createHash("sha256").update(input, "utf8").digest("hex");
+}
+// SHA-256 of a UTF-8 string, base64-encoded. Used for CSP `'sha256-...'` source tokens (RFC 4648
+// standard base64, which is what browsers compare CSP hashes against).
+export function sha256Base64(input) {
+    return createHash("sha256").update(input, "utf8").digest("base64");
+}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export { KEIKO_SECURITY_VERSION } from "./version.js";
+export { redact, createAuditRedactor, deepRedactStrings } from "./redaction.js";
+export { assertValidRunId } from "./runid.js";
+export type { EnvSource } from "./secrets.js";
+export { isKeikoApiKeyEnvName, keikoApiKeySecretValues } from "./secrets.js";
+export { canonicalise, sha256Hex, sha256Base64 } from "./hashing.js";
+export { sealString, openString, sealBytes, openBytes, isSealed } from "./secretbox.js";
+export type { PromptInjectionSignalCode, PromptInjectionSeverity, PromptInjectionSignal, } from "./promptInjection.js";
+export { PROMPT_INJECTION_SIGNAL_CODES, isPromptInjectionSignalCode, detectPromptInjectionSignals, containsRedactableSecret, hasCriticalInjectionSignal, } from "./promptInjection.js";
+export * from "./errors/index.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAEtD,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAEhF,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE7E,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAErE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAGxF,YAAY,EACV,yBAAyB,EACzB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,EAC3B,4BAA4B,EAC5B,wBAAwB,EACxB,0BAA0B,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,cAAc,mBAAmB,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+// Public barrel for @oscharko-dev/keiko-security. Re-exports every shared primitive so callers
+// can `import { redact, GatewayError, assertValidRunId, sha256Hex } from "@oscharko-dev/keiko-security"`
+// without knowing which sub-module owns the symbol. Subpath imports (`./errors/gateway`, etc.) are
+// available for callers who want to pull in a narrower surface — both flat and subpath imports
+// resolve to the same module instance.
+export { KEIKO_SECURITY_VERSION } from "./version.js";
+export { redact, createAuditRedactor, deepRedactStrings } from "./redaction.js";
+export { assertValidRunId } from "./runid.js";
+export { isKeikoApiKeyEnvName, keikoApiKeySecretValues } from "./secrets.js";
+export { canonicalise, sha256Hex, sha256Base64 } from "./hashing.js";
+export { sealString, openString, sealBytes, openBytes, isSealed } from "./secretbox.js";
+export { PROMPT_INJECTION_SIGNAL_CODES, isPromptInjectionSignalCode, detectPromptInjectionSignals, containsRedactableSecret, hasCriticalInjectionSignal, } from "./promptInjection.js";
+export * from "./errors/index.js";

package/dist/promptInjection.d.ts

@@ -0,0 +1,29 @@
+export type PromptInjectionSignalCode = "instruction-override" | "system-prompt-disclosure" | "secret-exfiltration" | "tool-authority-request" | "egress-request" | "manipulative-framing" | "embedded-secret-material";
+export declare const PROMPT_INJECTION_SIGNAL_CODES: readonly PromptInjectionSignalCode[];
+export declare const isPromptInjectionSignalCode: (value: unknown) => value is PromptInjectionSignalCode;
+export type PromptInjectionSeverity = "elevated" | "critical";
+export interface PromptInjectionSignal {
+    readonly code: PromptInjectionSignalCode;
+    readonly severity: PromptInjectionSeverity;
+    readonly matchCount: number;
+}
+/**
+ * Detect unsafe-content signals in a piece of UNTRUSTED text (raw user draft, retrieved snippet, or
+ * tool output). Pure and content-free: returns a stable list of `{ code, severity, matchCount }`
+ * signals and never echoes the matched text. ReDoS-safe (substring containment + the bounded `redact`).
+ *
+ * `embedded-secret-material` fires when the text itself contains a redactable secret shape — relevant
+ * both to secret-exfiltration detection and to the redaction guarantee for persisted evidence.
+ */
+export declare function detectPromptInjectionSignals(untrustedText: string): readonly PromptInjectionSignal[];
+/**
+ * Whether the text contains redactable secret material (a known token/key/credential shape). Reuses
+ * the authoritative `redact` so the detector and the redactor agree by construction. Pure.
+ */
+export declare function containsRedactableSecret(text: string): boolean;
+/**
+ * Whether any detected signal is `critical` — an active attack attempt (override, disclosure,
+ * exfiltration, unsafe tool, or egress). Pure helper for callers gating on attack severity.
+ */
+export declare function hasCriticalInjectionSignal(signals: readonly PromptInjectionSignal[]): boolean;
+//# sourceMappingURL=promptInjection.d.ts.map

package/dist/promptInjection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"promptInjection.d.ts","sourceRoot":"","sources":["../src/promptInjection.ts"],"names":[],"mappings":"AAsBA,MAAM,MAAM,yBAAyB,GAEjC,sBAAsB,GAEtB,0BAA0B,GAE1B,qBAAqB,GAErB,wBAAwB,GAExB,gBAAgB,GAEhB,sBAAsB,GAEtB,0BAA0B,CAAC;AAE/B,eAAO,MAAM,6BAA6B,EAAE,SAAS,yBAAyB,EAQpE,CAAC;AAEX,eAAO,MAAM,2BAA2B,GAAI,OAAO,OAAO,KAAG,KAAK,IAAI,yBAC6B,CAAC;AAKpG,MAAM,MAAM,uBAAuB,GAAG,UAAU,GAAG,UAAU,CAAC;AAI9D,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,IAAI,EAAE,yBAAyB,CAAC;IACzC,QAAQ,CAAC,QAAQ,EAAE,uBAAuB,CAAC;IAC3C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAkLD;;;;;;;GAOG;AACH,wBAAgB,4BAA4B,CAC1C,aAAa,EAAE,MAAM,GACpB,SAAS,qBAAqB,EAAE,CAgBlC;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,SAAS,qBAAqB,EAAE,GAAG,OAAO,CAE7F"}