@panguard-ai/atr 1.4.1 → 1.4.3

package/dist/engine.js

@@ -1,781 +0,0 @@
-/**
- * ATR Engine - Evaluates agent events against ATR rules
- *
- * Core detection engine that:
- * 1. Loads ATR YAML rules from disk
- * 2. Evaluates agent events (LLM I/O, tool calls, behaviors) against rules
- * 3. Returns matched rules with confidence scores
- * 4. Supports two condition formats:
- *    - Array format: conditions is an array of {field, operator, value} objects
- *    - Named format: conditions is an object map of named condition blocks
- *
- * @module agent-threat-rules/engine
- */
-import { loadRulesFromDirectory, loadRuleFile } from './loader.js';
-/**
- * Rules excluded from skill-context scanning due to high false-positive rate.
- * Threshold: >2% FP on 250 benign SKILL.md files.
- */
-const SKILL_CONTEXT_DENYLIST = new Set([
-    'ATR-2026-00111', // Shell Escape — 95.2% FP
-    'ATR-2026-00118', // Approval Fatigue — 84.8% FP
-    'ATR-2026-00051', // Resource Exhaustion — 1.6% FP
-    'ATR-2026-00030', // Cross-Agent Attack — 0.8% FP
-    'ATR-2026-00002', // Indirect Prompt Injection — 0.8% FP
-    'ATR-2026-00050', // Runaway Agent Loop — 0.4% FP
-    'ATR-2026-00117', // Agent Identity Spoofing — 0.4% FP
-    'ATR-2026-00116', // A2A Message Injection — 0.4% FP
-]);
-/**
- * Detect and decode base64-encoded blocks in content.
- * Max 1 level, max 5 blocks, min 32 chars, text-only.
- */
-const BASE64_BLOCK_RE = /(?:[A-Za-z0-9+/]{32,}={0,2})/g;
-const MAX_DECODE_BLOCKS = 5;
-function decodeBase64Blocks(content) {
-    const decoded = [];
-    let match;
-    let count = 0;
-    while ((match = BASE64_BLOCK_RE.exec(content)) !== null && count < MAX_DECODE_BLOCKS) {
-        try {
-            const raw = Buffer.from(match[0], 'base64');
-            const text = raw.toString('utf-8');
-            const printable = text.split('').filter(c => c.charCodeAt(0) >= 32 && c.charCodeAt(0) < 127).length;
-            if (printable / text.length > 0.7 && text.length >= 10) {
-                decoded.push(text.slice(0, 100_000));
-                count++;
-            }
-        }
-        catch { /* skip */ }
-    }
-    return decoded;
-}
-/** Map agent event types to ATR source types */
-const EVENT_TYPE_TO_SOURCE = {
-    llm_input: 'llm_io',
-    llm_output: 'llm_io',
-    tool_call: 'tool_call',
-    tool_response: 'mcp_exchange',
-    agent_behavior: 'agent_behavior',
-    multi_agent_message: 'multi_agent_comm',
-};
-/** Map agent event types to default field names */
-const EVENT_TYPE_TO_FIELD = {
-    llm_input: 'user_input',
-    llm_output: 'agent_output',
-    tool_call: 'tool_name',
-    tool_response: 'tool_response',
-    agent_behavior: 'metric',
-    multi_agent_message: 'agent_message',
-};
-export class ATREngine {
-    config;
-    rules = [];
-    compiledPatterns = new Map();
-    constructor(config = {}) {
-        this.config = config;
-    }
-    /**
-     * Load rules from configured directory and/or pre-loaded rules.
-     */
-    async loadRules() {
-        this.rules = [];
-        this.compiledPatterns.clear();
-        if (this.config.rules) {
-            this.rules.push(...this.config.rules);
-        }
-        if (this.config.rulesDir) {
-            try {
-                const fileRules = loadRulesFromDirectory(this.config.rulesDir);
-                this.rules.push(...fileRules);
-            }
-            catch {
-                // Directory may not exist yet
-            }
-        }
-        // Pre-compile regex patterns for performance
-        for (const rule of this.rules) {
-            this.compilePatterns(rule);
-        }
-        return this.rules.length;
-    }
-    /**
-     * Load a single rule file and add it to the engine.
-     */
-    addRuleFile(filePath) {
-        const rule = loadRuleFile(filePath);
-        this.rules.push(rule);
-        this.compilePatterns(rule);
-    }
-    /**
-     * Add a pre-parsed rule to the engine.
-     */
-    addRule(rule) {
-        this.rules.push(rule);
-        this.compilePatterns(rule);
-    }
-    /**
-     * Evaluate an agent event against all loaded ATR rules.
-     * Returns all matching rules with details.
-     */
-    evaluate(event) {
-        const matches = [];
-        const eventSourceType = EVENT_TYPE_TO_SOURCE[event.type];
-        const allMatchedPatterns = [];
-        const isSkillContext = event.scanContext === 'skill';
-        for (const rule of this.rules) {
-            // Skip deprecated and draft rules
-            if (rule.status === 'deprecated' || rule.status === 'draft')
-                continue;
-            // Skill context denylist: skip rules known to cause high FP on SKILL.md
-            if (isSkillContext && SKILL_CONTEXT_DENYLIST.has(rule.id))
-                continue;
-            // Source type filtering: skip rules that don't apply to this event type
-            // When scanContext is 'skill', all rules fire (cross-context)
-            if (!isSkillContext && eventSourceType && rule.agent_source.type !== eventSourceType) {
-                // Allow mcp_exchange rules to also match tool_call events
-                if (!(rule.agent_source.type === 'mcp_exchange' && eventSourceType === 'tool_call')) {
-                    continue;
-                }
-            }
-            const matchResult = this.evaluateRule(rule, event);
-            if (matchResult) {
-                // Cross-context: MCP-only rules on SKILL.md get confidence downweight
-                if (isSkillContext && rule.tags.scan_target !== 'skill' && rule.tags.scan_target !== 'both') {
-                    matches.push({
-                        ...matchResult,
-                        confidence: matchResult.confidence * 0.6,
-                        scan_context: 'cross-context',
-                    });
-                }
-                else {
-                    matches.push(matchResult);
-                }
-                allMatchedPatterns.push(...matchResult.matchedPatterns);
-            }
-        }
-        // Record the event in the session tracker if available
-        const sessionId = event.sessionId;
-        if (this.config.sessionTracker && sessionId) {
-            this.config.sessionTracker.recordEvent(sessionId, event, allMatchedPatterns);
-        }
-        // Sort by severity (critical first) then confidence
-        return matches.sort((a, b) => {
-            const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, informational: 4 };
-            const aSev = severityOrder[a.rule.severity] ?? 4;
-            const bSev = severityOrder[b.rule.severity] ?? 4;
-            if (aSev !== bSev)
-                return aSev - bSev;
-            return b.confidence - a.confidence;
-        });
-    }
-    /**
-     * Evaluate a single rule against an event.
-     * Supports both array-format and named-map-format conditions.
-     */
-    evaluateRule(rule, event) {
-        const { detection } = rule;
-        const conditions = detection.conditions;
-        const allMatchedPatterns = [];
-        // Detect format: array or named map
-        if (Array.isArray(conditions)) {
-            return this.evaluateArrayConditions(rule, conditions, detection.condition, event, allMatchedPatterns);
-        }
-        return this.evaluateNamedConditions(rule, conditions, detection.condition, event, allMatchedPatterns);
-    }
-    /**
-     * Evaluate array-format conditions: [{field, operator, value}, ...]
-     * with condition: "any" | "all"
-     */
-    evaluateArrayConditions(rule, conditions, conditionExpr, event, allMatchedPatterns) {
-        const matchedConditionIndices = [];
-        const isAny = conditionExpr === 'any' || conditionExpr === 'or';
-        for (let i = 0; i < conditions.length; i++) {
-            const cond = conditions[i];
-            const result = this.evaluateArrayCondition(cond, event, rule.id, i, allMatchedPatterns);
-            if (result) {
-                matchedConditionIndices.push(i);
-                if (isAny)
-                    break; // Short-circuit on first match for "any"
-            }
-        }
-        const matched = isAny
-            ? matchedConditionIndices.length > 0
-            : matchedConditionIndices.length === conditions.length;
-        if (!matched)
-            return null;
-        const baseConfidence = rule.tags.confidence === 'high' ? 0.9 : rule.tags.confidence === 'medium' ? 0.7 : 0.5;
-        const matchRatio = matchedConditionIndices.length / Math.max(conditions.length, 1);
-        const confidence = Math.min(baseConfidence + matchRatio * 0.1, 1.0);
-        return {
-            rule,
-            matchedConditions: matchedConditionIndices.map(String),
-            matchedPatterns: allMatchedPatterns,
-            confidence,
-            timestamp: new Date().toISOString(),
-            scan_context: 'native',
-        };
-    }
-    /**
-     * Evaluate a single array-format condition {field, operator, value}.
-     */
-    evaluateArrayCondition(cond, event, ruleId, index, matchedPatterns) {
-        const field = cond['field'];
-        const operator = cond['operator'];
-        const value = cond['value'];
-        if (!field || !operator || value === undefined)
-            return false;
-        const rawFieldValue = this.resolveField(field, event);
-        if (!rawFieldValue)
-            return false;
-        const fieldValue = normalizeUnicode(rawFieldValue);
-        switch (operator) {
-            case 'regex': {
-                // Try pre-compiled pattern first
-                const compiled = this.compiledPatterns.get(ruleId)?.get(String(index));
-                if (compiled && compiled.length > 0) {
-                    // Test against both normalized and raw values so that patterns
-                    // detecting zero-width/bidi characters can match before stripping
-                    if (safeRegexTest(compiled[0], fieldValue) ||
-                        safeRegexTest(compiled[0], rawFieldValue)) {
-                        matchedPatterns.push(value);
-                        return true;
-                    }
-                    return false;
-                }
-                // Fallback: compile on the fly
-                try {
-                    const normalized = normalizeRegex(value);
-                    const rFlags = normalized.includes('\\u{') || normalized.includes('\\p{') ? 'iu' : 'i';
-                    const regex = new RegExp(normalized, rFlags);
-                    if (safeRegexTest(regex, fieldValue) || safeRegexTest(regex, rawFieldValue)) {
-                        matchedPatterns.push(value);
-                        return true;
-                    }
-                }
-                catch {
-                    // Invalid regex
-                }
-                return false;
-            }
-            case 'contains': {
-                if (fieldValue.toLowerCase().includes(value.toLowerCase())) {
-                    matchedPatterns.push(value);
-                    return true;
-                }
-                return false;
-            }
-            case 'exact': {
-                if (fieldValue === value) {
-                    matchedPatterns.push(value);
-                    return true;
-                }
-                return false;
-            }
-            case 'starts_with': {
-                if (fieldValue.toLowerCase().startsWith(value.toLowerCase())) {
-                    matchedPatterns.push(value);
-                    return true;
-                }
-                return false;
-            }
-            default:
-                return false;
-        }
-    }
-    /**
-     * Evaluate named-map-format conditions: {name: {field, patterns, match_type}, ...}
-     * with condition: "name1 AND name2" | "name1 OR name2" | "name1"
-     */
-    evaluateNamedConditions(rule, conditions, conditionExpr, event, allMatchedPatterns) {
-        const conditionResults = new Map();
-        const matchedConditionNames = [];
-        for (const [condName, condDef] of Object.entries(conditions)) {
-            const result = this.evaluateNamedCondition(condName, condDef, event, rule, allMatchedPatterns);
-            conditionResults.set(condName, result);
-            if (result) {
-                matchedConditionNames.push(condName);
-            }
-        }
-        // Evaluate the boolean expression
-        const finalResult = this.evaluateExpression(conditionExpr, conditionResults);
-        if (!finalResult)
-            return null;
-        const baseConfidence = rule.tags.confidence === 'high' ? 0.9 : rule.tags.confidence === 'medium' ? 0.7 : 0.5;
-        const matchRatio = matchedConditionNames.length / Math.max(Object.keys(conditions).length, 1);
-        const confidence = Math.min(baseConfidence + matchRatio * 0.1, 1.0);
-        return {
-            rule,
-            matchedConditions: matchedConditionNames,
-            matchedPatterns: allMatchedPatterns,
-            confidence,
-            timestamp: new Date().toISOString(),
-            scan_context: 'native',
-        };
-    }
-    /**
-     * Evaluate a single named condition against an event.
-     */
-    evaluateNamedCondition(condName, condDef, event, rule, matchedPatterns) {
-        const cond = condDef;
-        // Pattern matching condition (named format with patterns array)
-        if (cond['patterns'] && cond['field']) {
-            return this.evaluatePatternCondition(cond, event, rule.id, condName, matchedPatterns);
-        }
-        // Behavioral condition
-        if (cond['metric'] && cond['operator'] && cond['threshold'] !== undefined) {
-            return this.evaluateBehavioralCondition(cond, event);
-        }
-        // Sequence condition
-        if (cond['steps'] && Array.isArray(cond['steps'])) {
-            return this.evaluateSequenceCondition(cond, event);
-        }
-        return false;
-    }
-    /**
-     * Evaluate a pattern matching condition (named format with patterns array).
-     */
-    evaluatePatternCondition(cond, event, ruleId, condName, matchedPatterns) {
-        const rawFieldValue = this.resolveField(cond.field, event);
-        if (!rawFieldValue)
-            return false;
-        const fieldValue = normalizeUnicode(rawFieldValue);
-        // Code block suppression: skip matches inside markdown code blocks
-        // for rules that commonly false-positive on documentation content.
-        // Prompt injection rules are NOT suppressed.
-        const suppressInCodeBlocks = this.shouldSuppressInCodeBlocks(ruleId);
-        const codeRanges = suppressInCodeBlocks ? buildCodeBlockRanges(fieldValue) : [];
-        // Get pre-compiled patterns
-        const compiled = this.compiledPatterns.get(ruleId)?.get(condName);
-        if (compiled) {
-            for (let i = 0; i < compiled.length; i++) {
-                if (safeRegexTest(compiled[i], fieldValue)) {
-                    if (suppressInCodeBlocks &&
-                        codeRanges.length > 0 &&
-                        isInsideCodeBlock(fieldValue, compiled[i], codeRanges)) {
-                        continue;
-                    }
-                    matchedPatterns.push(cond.patterns[i] ?? 'unknown');
-                    return true;
-                }
-            }
-            return false;
-        }
-        // Fallback: direct string matching
-        const checkValue = cond.case_sensitive ? fieldValue : fieldValue.toLowerCase();
-        for (const pattern of cond.patterns) {
-            const checkPattern = cond.case_sensitive ? pattern : pattern.toLowerCase();
-            switch (cond.match_type) {
-                case 'contains':
-                    if (checkValue.includes(checkPattern)) {
-                        matchedPatterns.push(pattern);
-                        return true;
-                    }
-                    break;
-                case 'exact':
-                    if (checkValue === checkPattern) {
-                        matchedPatterns.push(pattern);
-                        return true;
-                    }
-                    break;
-                case 'starts_with':
-                    if (checkValue.startsWith(checkPattern)) {
-                        matchedPatterns.push(pattern);
-                        return true;
-                    }
-                    break;
-                case 'regex':
-                default: {
-                    try {
-                        const flags = cond.case_sensitive ? '' : 'i';
-                        const regex = new RegExp(pattern, flags);
-                        if (safeRegexTest(regex, fieldValue)) {
-                            matchedPatterns.push(pattern);
-                            return true;
-                        }
-                    }
-                    catch {
-                        // Invalid regex, skip
-                    }
-                    break;
-                }
-            }
-        }
-        return false;
-    }
-    shouldSuppressInCodeBlocks(ruleId) {
-        const rule = this.rules.find((r) => r.id === ruleId);
-        if (!rule)
-            return false;
-        const category = rule.tags?.category ?? '';
-        const suppressCategories = ['privilege-escalation', 'context-exfiltration', 'skill-compromise'];
-        return suppressCategories.includes(category);
-    }
-    /**
-     * Evaluate a behavioral threshold condition.
-     * When a session tracker is available and the event has a sessionId,
-     * supports session-derived metrics: call_frequency, pattern_frequency, event_count.
-     */
-    evaluateBehavioralCondition(cond, event) {
-        const metricValue = this.resolveMetricValue(cond, event);
-        if (metricValue === undefined)
-            return false;
-        switch (cond.operator) {
-            case 'gt':
-                return metricValue > cond.threshold;
-            case 'lt':
-                return metricValue < cond.threshold;
-            case 'eq':
-                return metricValue === cond.threshold;
-            case 'gte':
-                return metricValue >= cond.threshold;
-            case 'lte':
-                return metricValue <= cond.threshold;
-            case 'deviation_from_baseline':
-                return Math.abs(metricValue) > cond.threshold;
-            default:
-                return false;
-        }
-    }
-    /**
-     * Resolve a metric value from event metrics or session tracker.
-     * Session-derived metrics use the format: "call_frequency:toolName" or "pattern_frequency:pattern".
-     */
-    resolveMetricValue(cond, event) {
-        // Check event-level metrics first
-        const directValue = event.metrics?.[cond.metric];
-        if (directValue !== undefined)
-            return directValue;
-        // Try session tracker for session-derived metrics
-        const tracker = this.config.sessionTracker;
-        const sessionId = event.sessionId;
-        if (!tracker || !sessionId)
-            return undefined;
-        const windowMs = this.parseWindowMs(cond.window);
-        if (cond.metric.startsWith('call_frequency:')) {
-            const toolName = cond.metric.slice('call_frequency:'.length);
-            return tracker.getCallFrequency(sessionId, toolName, windowMs);
-        }
-        if (cond.metric.startsWith('pattern_frequency:')) {
-            const pattern = cond.metric.slice('pattern_frequency:'.length);
-            return tracker.getPatternFrequency(sessionId, pattern, windowMs);
-        }
-        if (cond.metric === 'event_count') {
-            return tracker.getEventCount(sessionId, windowMs);
-        }
-        return undefined;
-    }
-    /**
-     * Parse a window string (e.g. "5m", "1h", "30s") to milliseconds.
-     * Defaults to 5 minutes if not specified or unparseable.
-     */
-    parseWindowMs(window) {
-        if (!window)
-            return 5 * 60 * 1000;
-        const match = window.match(/^(\d+)\s*(s|m|h)$/);
-        if (!match)
-            return 5 * 60 * 1000;
-        const value = parseInt(match[1], 10);
-        const unit = match[2];
-        switch (unit) {
-            case 's':
-                return value * 1000;
-            case 'm':
-                return value * 60 * 1000;
-            case 'h':
-                return value * 60 * 60 * 1000;
-            default:
-                return 5 * 60 * 1000;
-        }
-    }
-    /**
-     * Evaluate a sequence condition against the current event.
-     *
-     * Limitation (v0.1): This checks whether patterns from multiple steps
-     * co-occur in the current event's content. It does NOT track ordered
-     * execution across separate events or enforce time windows.
-     * Full session-aware sequence detection is planned for v0.2.
-     */
-    evaluateSequenceCondition(cond, event) {
-        const steps = cond['steps'];
-        if (!steps || steps.length === 0)
-            return false;
-        const content = normalizeUnicode(event.content);
-        let matchCount = 0;
-        for (const step of steps) {
-            const patterns = step['patterns'];
-            if (patterns) {
-                for (const pattern of patterns) {
-                    try {
-                        const regex = new RegExp(pattern, 'i');
-                        if (safeRegexTest(regex, content)) {
-                            matchCount++;
-                            break;
-                        }
-                    }
-                    catch {
-                        // Invalid regex
-                    }
-                }
-            }
-        }
-        return matchCount >= 2;
-    }
-    /**
-     * Resolve a field value from an agent event.
-     */
-    resolveField(fieldName, event) {
-        // Check explicit fields first
-        if (event.fields?.[fieldName]) {
-            return event.fields[fieldName];
-        }
-        // Map standard field names to event properties
-        const defaultField = EVENT_TYPE_TO_FIELD[event.type];
-        if (fieldName === defaultField || fieldName === 'content') {
-            return event.content;
-        }
-        // Common field aliases
-        switch (fieldName) {
-            case 'user_input':
-                return event.type === 'llm_input' ? event.content : event.fields?.['user_input'];
-            case 'agent_output':
-                return event.type === 'llm_output' ? event.content : event.fields?.['agent_output'];
-            case 'tool_response':
-                return event.type === 'tool_response' ? event.content : event.fields?.['tool_response'];
-            case 'tool_name':
-                return (event.fields?.['tool_name'] ?? (event.type === 'tool_call' ? event.content : undefined));
-            case 'tool_args':
-                return event.fields?.['tool_args'];
-            case 'agent_message':
-                return event.type === 'multi_agent_message'
-                    ? event.content
-                    : event.fields?.['agent_message'];
-            default:
-                // Try metadata
-                return event.metadata?.[fieldName];
-        }
-    }
-    /**
-     * Evaluate a boolean expression string against condition results.
-     * Supports AND, OR, NOT operators.
-     */
-    evaluateExpression(expression, results) {
-        const expr = expression.trim();
-        // Simple single condition
-        if (results.has(expr)) {
-            return results.get(expr) ?? false;
-        }
-        // Handle NOT
-        if (expr.startsWith('NOT ') || expr.startsWith('not ')) {
-            const inner = expr.slice(4).trim();
-            return !this.evaluateExpression(inner, results);
-        }
-        // Handle OR (lower precedence — split first so AND binds tighter)
-        const orParts = this.splitByOperator(expr, 'OR');
-        if (orParts.length > 1) {
-            return orParts.some((part) => this.evaluateExpression(part, results));
-        }
-        // Handle AND (higher precedence — evaluated within each OR branch)
-        const andParts = this.splitByOperator(expr, 'AND');
-        if (andParts.length > 1) {
-            return andParts.every((part) => this.evaluateExpression(part, results));
-        }
-        // Handle parentheses
-        if (expr.startsWith('(') && expr.endsWith(')')) {
-            return this.evaluateExpression(expr.slice(1, -1), results);
-        }
-        // Default: treat as condition name
-        return results.get(expr) ?? false;
-    }
-    /**
-     * Split expression by operator, respecting parentheses.
-     */
-    splitByOperator(expr, operator) {
-        const parts = [];
-        let depth = 0;
-        let current = '';
-        const op = ` ${operator} `;
-        const opLower = ` ${operator.toLowerCase()} `;
-        for (let i = 0; i < expr.length; i++) {
-            const char = expr[i];
-            if (char === '(')
-                depth++;
-            if (char === ')')
-                depth--;
-            if (depth === 0) {
-                const remaining = expr.slice(i);
-                if (remaining.startsWith(op) || remaining.startsWith(opLower)) {
-                    parts.push(current.trim());
-                    current = '';
-                    i += op.length - 1;
-                    continue;
-                }
-            }
-            current += char;
-        }
-        if (current.trim()) {
-            parts.push(current.trim());
-        }
-        return parts;
-    }
-    /**
-     * Pre-compile regex patterns for a rule (performance optimization).
-     * Supports both array-format and named-map-format conditions.
-     */
-    compilePatterns(rule) {
-        const ruleMap = new Map();
-        const conditions = rule.detection.conditions;
-        if (Array.isArray(conditions)) {
-            // Array format: compile each {operator: regex, value: "pattern"} entry
-            for (let i = 0; i < conditions.length; i++) {
-                const cond = conditions[i];
-                if (cond['operator'] === 'regex' && typeof cond['value'] === 'string') {
-                    try {
-                        const pat = normalizeRegex(cond['value']);
-                        const fl = pat.includes('\\u{') || pat.includes('\\p{') ? 'iu' : 'i';
-                        ruleMap.set(String(i), [new RegExp(pat, fl)]);
-                    }
-                    catch {
-                        // Invalid regex, skip
-                    }
-                }
-            }
-        }
-        else {
-            // Named format: compile patterns arrays
-            for (const [condName, condDef] of Object.entries(conditions)) {
-                const cond = condDef;
-                if (cond['patterns'] && Array.isArray(cond['patterns'])) {
-                    const matchType = cond['match_type'] ?? 'regex';
-                    const caseSensitive = cond['case_sensitive'] ?? false;
-                    const flags = caseSensitive ? '' : 'i';
-                    const compiled = [];
-                    for (const pattern of cond['patterns']) {
-                        try {
-                            if (matchType === 'regex') {
-                                compiled.push(new RegExp(normalizeRegex(pattern), flags));
-                            }
-                            else if (matchType === 'contains') {
-                                compiled.push(new RegExp(escapeRegex(pattern), flags));
-                            }
-                            else if (matchType === 'exact') {
-                                compiled.push(new RegExp(`^${escapeRegex(pattern)}$`, flags));
-                            }
-                            else if (matchType === 'starts_with') {
-                                compiled.push(new RegExp(`^${escapeRegex(pattern)}`, flags));
-                            }
-                        }
-                        catch {
-                            // Invalid regex pattern, skip
-                        }
-                    }
-                    ruleMap.set(condName, compiled);
-                }
-            }
-        }
-        this.compiledPatterns.set(rule.id, ruleMap);
-    }
-    /** Get loaded rule count */
-    getRuleCount() {
-        return this.rules.length;
-    }
-    /** Get all loaded rules */
-    getRules() {
-        return this.rules;
-    }
-    /** Get a rule by ID */
-    getRuleById(id) {
-        return this.rules.find((r) => r.id === id);
-    }
-    /** Get rules by category */
-    getRulesByCategory(category) {
-        return this.rules.filter((r) => r.tags.category === category);
-    }
-    /**
-     * Scan SKILL.md content for threats.
-     * All rules fire with scanContext='skill':
-     *   - skill/both rules: native context, full confidence
-     *   - MCP-only rules: cross-context, confidence * 0.6
-     * Also decodes base64 blocks and scans decoded content.
-     */
-    scanSkill(content) {
-        const baseEvent = {
-            type: 'mcp_exchange',
-            timestamp: new Date().toISOString(),
-            sessionId: 'skill-scan',
-            fields: {},
-            scanContext: 'skill',
-        };
-        const matches = this.evaluate({ ...baseEvent, content });
-        // Scan base64-decoded blocks for hidden payloads
-        for (const block of decodeBase64Blocks(content)) {
-            for (const m of this.evaluate({ ...baseEvent, content: block })) {
-                matches.push({
-                    ...m,
-                    matchedPatterns: [...m.matchedPatterns, '[decoded:base64]'],
-                });
-            }
-        }
-        return matches;
-    }
-}
-function escapeRegex(str) {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-/**
- * Strip inline flags like (?i) from regex patterns.
- * JavaScript RegExp uses flags as a constructor parameter, not inline.
- */
-function normalizeRegex(pattern) {
-    return pattern.replace(/^\(\?[imsx]+\)/, '');
-}
-/**
- * Normalize Unicode text to NFC form and strip zero-width characters.
- * This prevents evasion via combining characters, zero-width joiners, etc.
- */
-function normalizeUnicode(text) {
-    return text
-        .normalize('NFC')
-        .replace(
-    // Zero-width and bidi control characters (listed individually to avoid misleading character class)
-    /[\u200B\u200C\uFEFF\u2060\u180E\u200E\u200F]/gu, '')
-        .replace(/[\u202A-\u202E\u2066-\u2069\u200D]/gu, '');
-}
-/** Maximum input length for regex evaluation to mitigate ReDoS */
-const MAX_EVAL_LENGTH = 100_000;
-/**
- * Safely test a regex pattern against input with length limits.
- * Returns false if input exceeds MAX_EVAL_LENGTH to prevent ReDoS.
- */
-function safeRegexTest(regex, input) {
-    if (input.length > MAX_EVAL_LENGTH)
-        return false;
-    return regex.test(input);
-}
-function buildCodeBlockRanges(text) {
-    const ranges = [];
-    const fenced = /```[\s\S]*?```/g;
-    let m;
-    while ((m = fenced.exec(text)) !== null) {
-        ranges.push([m.index, m.index + m[0].length]);
-    }
-    const inline = /`[^`\n]+`/g;
-    while ((m = inline.exec(text)) !== null) {
-        const pos = m.index;
-        const inFenced = ranges.some(([start, end]) => pos >= start && pos < end);
-        if (!inFenced) {
-            ranges.push([pos, pos + m[0].length]);
-        }
-    }
-    return ranges;
-}
-function isInsideCodeBlock(text, regex, codeRanges) {
-    if (codeRanges.length === 0)
-        return false;
-    const searchRegex = new RegExp(regex.source, regex.flags.includes('g') ? regex.flags : regex.flags + 'g');
-    const m = searchRegex.exec(text);
-    if (!m)
-        return false;
-    return codeRanges.some(([start, end]) => m.index >= start && m.index < end);
-}
-//# sourceMappingURL=engine.js.map