@panguard-ai/atr 1.4.3 → 1.5.1

package/dist/tier0-invariant.js

@@ -0,0 +1,185 @@
+/**
+ * Tier 0: Invariant Enforcement
+ *
+ * Hard boundaries that enforce what a skill is ALLOWED to do,
+ * regardless of what its description says or how it phrases requests.
+ *
+ * This is NOT pattern matching. It is permission checking.
+ * A skill declares capabilities in its manifest. Any action outside
+ * the manifest is immediately denied with severity=critical.
+ *
+ * Inspired by Tesla's AEB (Automatic Emergency Braking):
+ * it doesn't care what the neural network thinks -- it enforces physics.
+ *
+ * @module agent-threat-rules/tier0-invariant
+ */
+import { extractCapabilities } from './capability-extractor.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Simple glob match: supports * (any chars) and ** (any path segments) */
+function simpleGlobMatch(value, pattern) {
+    if (pattern === '*' || pattern === '**')
+        return true;
+    if (pattern === value)
+        return true;
+    // Convert glob to regex: * → [^/]*, ** → .*, escape rest
+    const regexStr = pattern
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+        .replace(/\*\*/g, '<<GLOBSTAR>>')
+        .replace(/\*/g, '[^/]*')
+        .replace(/<<GLOBSTAR>>/g, '.*');
+    try {
+        return new RegExp(`^${regexStr}$`).test(value);
+    }
+    catch {
+        return value.startsWith(pattern.replace(/\*/g, ''));
+    }
+}
+// ---------------------------------------------------------------------------
+// Invariant Checker
+// ---------------------------------------------------------------------------
+export class InvariantChecker {
+    manifests;
+    constructor(manifests) {
+        const map = new Map();
+        if (Array.isArray(manifests)) {
+            for (const m of manifests) {
+                map.set(m.skillId, m);
+            }
+        }
+        else {
+            manifests.forEach((v, k) => map.set(k, v));
+        }
+        this.manifests = map;
+    }
+    /**
+     * Check an event against the skill's manifest.
+     * Returns empty array if no violations (or no manifest for the skill).
+     */
+    check(event) {
+        const skillId = this.resolveSkillId(event);
+        if (!skillId)
+            return [];
+        const manifest = this.manifests.get(skillId);
+        if (!manifest)
+            return []; // No manifest = fail-open (unmanifested skills are not checked)
+        const allText = [
+            event.content ?? '',
+            event.fields?.tool_args ?? '',
+            event.fields?.tool_response ?? '',
+        ].join(' ');
+        const caps = extractCapabilities(allText);
+        const violations = [];
+        // Check filesystem paths
+        if (manifest.allowedPaths && caps.filesystemPaths.length > 0) {
+            for (const path of caps.filesystemPaths) {
+                const allowed = manifest.allowedPaths.some((pattern) => simpleGlobMatch(path, pattern));
+                if (!allowed) {
+                    violations.push({
+                        skillId,
+                        violationType: 'path_scope',
+                        description: `Skill "${skillId}" accessed path "${path}" outside allowed scope`,
+                        observedValue: path,
+                        allowedValues: manifest.allowedPaths,
+                    });
+                }
+            }
+        }
+        // Check network hosts
+        if (manifest.allowedHosts && caps.networkTargets.length > 0) {
+            for (const host of caps.networkTargets) {
+                const allowed = manifest.allowedHosts.some((pattern) => host === pattern || host.endsWith('.' + pattern) || pattern === '*');
+                if (!allowed) {
+                    violations.push({
+                        skillId,
+                        violationType: 'host_scope',
+                        description: `Skill "${skillId}" contacted host "${host}" outside allowed scope`,
+                        observedValue: host,
+                        allowedValues: manifest.allowedHosts,
+                    });
+                }
+            }
+        }
+        // Check environment variables
+        if (manifest.allowedEnvVars && caps.envAccesses.length > 0) {
+            for (const envVar of caps.envAccesses) {
+                const allowed = manifest.allowedEnvVars.some((pattern) => envVar === pattern || (pattern.endsWith('*') && envVar.startsWith(pattern.slice(0, -1))));
+                if (!allowed) {
+                    violations.push({
+                        skillId,
+                        violationType: 'env_scope',
+                        description: `Skill "${skillId}" accessed env var "${envVar}" outside allowed scope`,
+                        observedValue: envVar,
+                        allowedValues: manifest.allowedEnvVars,
+                    });
+                }
+            }
+        }
+        // Check command execution
+        if (manifest.allowedCommands && caps.processExecs.length > 0) {
+            for (const cmd of caps.processExecs) {
+                const allowed = manifest.allowedCommands.some((pattern) => cmd === pattern || cmd.startsWith(pattern + ' '));
+                if (!allowed) {
+                    violations.push({
+                        skillId,
+                        violationType: 'command_scope',
+                        description: `Skill "${skillId}" executed command "${cmd}" outside allowed scope`,
+                        observedValue: cmd,
+                        allowedValues: manifest.allowedCommands,
+                    });
+                }
+            }
+        }
+        // Check config modification
+        if (manifest.allowConfigModification === false && caps.configModifications) {
+            violations.push({
+                skillId,
+                violationType: 'config_modification',
+                description: `Skill "${skillId}" attempted to modify agent configuration files`,
+                observedValue: 'config file access detected',
+                allowedValues: ['none'],
+            });
+        }
+        return violations;
+    }
+    /** Build a synthetic ATRMatch from an invariant violation */
+    buildDenyMatch(violation) {
+        const syntheticRule = {
+            title: `Invariant Violation: ${violation.violationType}`,
+            id: `tier0-invariant-${violation.violationType}`,
+            status: 'stable',
+            description: violation.description,
+            author: 'atr-engine/tier0',
+            date: new Date().toISOString().slice(0, 10),
+            severity: 'critical',
+            tags: {
+                category: 'privilege-escalation',
+                subcategory: violation.violationType,
+                confidence: 'high',
+            },
+            agent_source: { type: 'skill_permission' },
+            detection: { conditions: [], condition: 'tier0-invariant' },
+            response: {
+                actions: ['block_input', 'alert', 'snapshot'],
+                message_template: violation.description,
+            },
+        };
+        return {
+            rule: syntheticRule,
+            matchedConditions: [violation.violationType],
+            matchedPatterns: [`${violation.observedValue} not in [${violation.allowedValues.join(', ')}]`],
+            confidence: 1.0,
+            timestamp: new Date().toISOString(),
+            scan_context: 'native',
+        };
+    }
+    /** Resolve skill ID from event metadata */
+    resolveSkillId(event) {
+        const fromMetadata = event.metadata?.skillId;
+        if (typeof fromMetadata === 'string')
+            return fromMetadata;
+        return event.fields?.skill_id ?? event.fields?.tool_name ?? undefined;
+    }
+}
+//# sourceMappingURL=tier0-invariant.js.map

package/dist/tier0-invariant.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tier0-invariant.js","sourceRoot":"","sources":["../src/tier0-invariant.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAGhE,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,2EAA2E;AAC3E,SAAS,eAAe,CAAC,KAAa,EAAE,OAAe;IACrD,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAEnC,yDAAyD;IACzD,MAAM,QAAQ,GAAG,OAAO;SACrB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;IAElC,IAAI,CAAC;QACH,OAAO,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAkCD,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IACV,SAAS,CAAqC;IAE/D,YAAY,SAA+D;QACzE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAyB,CAAC;QAC7C,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;gBAC1B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAiB;QACrB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAExB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,CAAC,CAAC,gEAAgE;QAE1F,MAAM,OAAO,GAAG;YACd,KAAK,CAAC,OAAO,IAAI,EAAE;YACnB,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI,EAAE;YAC7B,KAAK,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE;SAClC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,MAAM,IAAI,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,UAAU,GAAyB,EAAE,CAAC;QAE5C,yBAAyB;QACzB,IAAI,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACrD,eAAe,CAAC,IAAI,EAAE,OAAO,CAAC,CAC/B,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,UAAU,CAAC,IAAI,CAAC;wBACd,OAAO;wBACP,aAAa,EAAE,YAAY;wBAC3B,WAAW,EAAE,UAAU,OAAO,oBAAoB,IAAI,yBAAyB;wBAC/E,aAAa,EAAE,IAAI;wBACnB,aAAa,EAAE,QAAQ,CAAC,YAAY;qBACrC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,IAAI,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACvC,MAAM,OAAO,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CACxC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,OAAO,CAAC,IAAI,OAAO,KAAK,GAAG,CACjF,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,UAAU,CAAC,IAAI,CAAC;wBACd,OAAO;wBACP,aAAa,EAAE,YAAY;wBAC3B,WAAW,EAAE,UAAU,OAAO,qBAAqB,IAAI,yBAAyB;wBAChF,aAAa,EAAE,IAAI;wBACnB,aAAa,EAAE,QAAQ,CAAC,YAAY;qBACrC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,cAAc,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3D,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACtC,MAAM,OAAO,GAAG,QAAQ,CAAC,cAAc,CAAC,IAAI,CAC1C,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,KAAK,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CACtG,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,UAAU,CAAC,IAAI,CAAC;wBACd,OAAO;wBACP,aAAa,EAAE,WAAW;wBAC1B,WAAW,EAAE,UAAU,OAAO,uBAAuB,MAAM,yBAAyB;wBACpF,aAAa,EAAE,MAAM;wBACrB,aAAa,EAAE,QAAQ,CAAC,cAAc;qBACvC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,QAAQ,CAAC,eAAe,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7D,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,QAAQ,CAAC,eAAe,CAAC,IAAI,CAC3C,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,GAAG,GAAG,CAAC,CAC9D,CAAC;gBACF,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,UAAU,CAAC,IAAI,CAAC;wBACd,OAAO;wBACP,aAAa,EAAE,eAAe;wBAC9B,WAAW,EAAE,UAAU,OAAO,uBAAuB,GAAG,yBAAyB;wBACjF,aAAa,EAAE,GAAG;wBAClB,aAAa,EAAE,QAAQ,CAAC,eAAe;qBACxC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,IAAI,QAAQ,CAAC,uBAAuB,KAAK,KAAK,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC3E,UAAU,CAAC,IAAI,CAAC;gBACd,OAAO;gBACP,aAAa,EAAE,qBAAqB;gBACpC,WAAW,EAAE,UAAU,OAAO,iDAAiD;gBAC/E,aAAa,EAAE,6BAA6B;gBAC5C,aAAa,EAAE,CAAC,MAAM,CAAC;aACxB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,6DAA6D;IAC7D,cAAc,CAAC,SAA6B;QAC1C,MAAM,aAAa,GAAY;YAC7B,KAAK,EAAE,wBAAwB,SAAS,CAAC,aAAa,EAAE;YACxD,EAAE,EAAE,mBAAmB,SAAS,CAAC,aAAa,EAAE;YAChD,MAAM,EAAE,QAAiB;YACzB,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAC3C,QAAQ,EAAE,UAAyB;YACnC,IAAI,EAAE;gBACJ,QAAQ,EAAE,sBAAsB;gBAChC,WAAW,EAAE,SAAS,CAAC,aAAa;gBACpC,UAAU,EAAE,MAAe;aAC5B;YACD,YAAY,EAAE,EAAE,IAAI,EAAE,kBAA2B,EAAE;YACnD,SAAS,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,iBAAiB,EAAE;YAC3D,QAAQ,EAAE;gBACR,OAAO,EAAE,CAAC,aAAsB,EAAE,OAAgB,EAAE,UAAmB,CAAC;gBACxE,gBAAgB,EAAE,SAAS,CAAC,WAAW;aACxC;SACF,CAAC;QAEF,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,iBAAiB,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC;YAC5C,eAAe,EAAE,CAAC,GAAG,SAAS,CAAC,aAAa,YAAY,SAAS,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YAC9F,UAAU,EAAE,GAAG;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,YAAY,EAAE,QAAiB;SAChC,CAAC;IACJ,CAAC;IAED,2CAA2C;IACnC,cAAc,CAAC,KAAiB;QACtC,MAAM,YAAY,GAAG,KAAK,CAAC,QAAQ,EAAE,OAAO,CAAC;QAC7C,IAAI,OAAO,YAAY,KAAK,QAAQ;YAAE,OAAO,YAAY,CAAC;QAC1D,OAAO,KAAK,CAAC,MAAM,EAAE,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI,SAAS,CAAC;IACxE,CAAC;CACF"}

package/dist/tier1-blacklist.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Tier 1: Blacklist Provider
+ *
+ * Hash/name-based lookup for known-bad skills.
+ * O(1) lookup, zero false positives, zero latency.
+ *
+ * Sources: Threat Cloud skill_blacklist, CVE advisories, community reports.
+ *
+ * @module agent-threat-rules/tier1-blacklist
+ */
+import type { ATRMatch, ATRSeverity } from './types.js';
+export interface BlacklistEntry {
+    readonly skillHash: string;
+    readonly skillName: string;
+    readonly reason: string;
+    readonly reportCount: number;
+    readonly severity: ATRSeverity;
+}
+export interface BlacklistProvider {
+    /** Check if a skill is blacklisted. Returns entry if found. */
+    lookup(skillId: string): BlacklistEntry | undefined;
+    /** Refresh the blacklist from source */
+    refresh(): Promise<void>;
+    /** Total blacklist size */
+    size(): number;
+}
+export declare class InMemoryBlacklist implements BlacklistProvider {
+    private byHash;
+    private byName;
+    constructor(entries?: readonly BlacklistEntry[]);
+    lookup(skillId: string): BlacklistEntry | undefined;
+    refresh(): Promise<void>;
+    size(): number;
+    /** Replace all entries (immutable update) */
+    withEntries(entries: readonly BlacklistEntry[]): InMemoryBlacklist;
+}
+/** Build a synthetic ATRMatch from a blacklist hit */
+export declare function buildBlacklistMatch(entry: BlacklistEntry): ATRMatch;
+/**
+ * Resolve skill identifier from event for blacklist lookup.
+ * Prioritizes package-level identifiers (hash, package name) over
+ * tool function names, since blacklists store package names.
+ */
+export declare function resolveSkillId(event: {
+    fields?: Record<string, string>;
+    metadata?: Record<string, unknown>;
+}): string | undefined;
+//# sourceMappingURL=tier1-blacklist.d.ts.map

package/dist/tier1-blacklist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tier1-blacklist.d.ts","sourceRoot":"","sources":["../src/tier1-blacklist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAW,WAAW,EAAE,MAAM,YAAY,CAAC;AAMjE,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;CAChC;AAED,MAAM,WAAW,iBAAiB;IAChC,+DAA+D;IAC/D,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAAC;IACpD,wCAAwC;IACxC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,2BAA2B;IAC3B,IAAI,IAAI,MAAM,CAAC;CAChB;AAMD,qBAAa,iBAAkB,YAAW,iBAAiB;IACzD,OAAO,CAAC,MAAM,CAA8B;IAC5C,OAAO,CAAC,MAAM,CAA8B;gBAEhC,OAAO,CAAC,EAAE,SAAS,cAAc,EAAE;IAW/C,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAK7C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAI9B,IAAI,IAAI,MAAM;IAId,6CAA6C;IAC7C,WAAW,CAAC,OAAO,EAAE,SAAS,cAAc,EAAE,GAAG,iBAAiB;CAGnE;AAMD,sDAAsD;AACtD,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,cAAc,GAAG,QAAQ,CA8BnE;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAAG,MAAM,GAAG,SAAS,CAYjI"}

package/dist/tier1-blacklist.js

@@ -0,0 +1,92 @@
+/**
+ * Tier 1: Blacklist Provider
+ *
+ * Hash/name-based lookup for known-bad skills.
+ * O(1) lookup, zero false positives, zero latency.
+ *
+ * Sources: Threat Cloud skill_blacklist, CVE advisories, community reports.
+ *
+ * @module agent-threat-rules/tier1-blacklist
+ */
+// ---------------------------------------------------------------------------
+// In-Memory Implementation
+// ---------------------------------------------------------------------------
+export class InMemoryBlacklist {
+    byHash;
+    byName;
+    constructor(entries) {
+        this.byHash = new Map();
+        this.byName = new Map();
+        if (entries) {
+            for (const entry of entries) {
+                this.byHash.set(entry.skillHash, entry);
+                this.byName.set(entry.skillName.toLowerCase(), entry);
+            }
+        }
+    }
+    lookup(skillId) {
+        // Try hash lookup first, then name lookup
+        return this.byHash.get(skillId) ?? this.byName.get(skillId.toLowerCase());
+    }
+    async refresh() {
+        // No-op for static blacklist. Override for TC-backed implementations.
+    }
+    size() {
+        return this.byHash.size;
+    }
+    /** Replace all entries (immutable update) */
+    withEntries(entries) {
+        return new InMemoryBlacklist(entries);
+    }
+}
+// ---------------------------------------------------------------------------
+// Match Builder
+// ---------------------------------------------------------------------------
+/** Build a synthetic ATRMatch from a blacklist hit */
+export function buildBlacklistMatch(entry) {
+    const syntheticRule = {
+        title: `Blacklisted Skill: ${entry.skillName}`,
+        id: `tier1-blacklist-${entry.skillHash.slice(0, 8)}`,
+        status: 'stable',
+        description: `Skill "${entry.skillName}" is on the community blacklist. ${entry.reason}. Reported by ${entry.reportCount} users.`,
+        author: 'atr-engine/tier1-blacklist',
+        date: new Date().toISOString().slice(0, 10),
+        severity: entry.severity,
+        tags: {
+            category: 'skill-compromise',
+            subcategory: 'blacklisted',
+            confidence: 'high',
+        },
+        agent_source: { type: 'skill_lifecycle' },
+        detection: { conditions: [], condition: 'tier1-blacklist-match' },
+        response: {
+            actions: ['block_tool', 'alert'],
+            message_template: `Blocked: "${entry.skillName}" is a known malicious skill (${entry.reportCount} community reports)`,
+        },
+    };
+    return {
+        rule: syntheticRule,
+        matchedConditions: ['blacklist_hash', 'blacklist_name'],
+        matchedPatterns: [`hash:${entry.skillHash}`, `name:${entry.skillName}`],
+        confidence: 1.0,
+        timestamp: new Date().toISOString(),
+        scan_context: 'native',
+    };
+}
+/**
+ * Resolve skill identifier from event for blacklist lookup.
+ * Prioritizes package-level identifiers (hash, package name) over
+ * tool function names, since blacklists store package names.
+ */
+export function resolveSkillId(event) {
+    return (event.metadata?.skillHash ??
+        event.metadata?.packageName ??
+        event.metadata?.skillId ??
+        event.fields?.skill_hash ??
+        event.fields?.package_name ??
+        event.fields?.skill_name ??
+        event.fields?.skill_id ??
+        event.fields?.tool_name ??
+        undefined);
+}
+//# sourceMappingURL=tier1-blacklist.js.map

package/dist/tier1-blacklist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tier1-blacklist.js","sourceRoot":"","sources":["../src/tier1-blacklist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAyBH,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,MAAM,OAAO,iBAAiB;IACpB,MAAM,CAA8B;IACpC,MAAM,CAA8B;IAE5C,YAAY,OAAmC;QAC7C,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;QACxB,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;gBACxC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,CAAC,OAAe;QACpB,0CAA0C;QAC1C,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,KAAK,CAAC,OAAO;QACX,sEAAsE;IACxE,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IAED,6CAA6C;IAC7C,WAAW,CAAC,OAAkC;QAC5C,OAAO,IAAI,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;CACF;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,sDAAsD;AACtD,MAAM,UAAU,mBAAmB,CAAC,KAAqB;IACvD,MAAM,aAAa,GAAY;QAC7B,KAAK,EAAE,sBAAsB,KAAK,CAAC,SAAS,EAAE;QAC9C,EAAE,EAAE,mBAAmB,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QACpD,MAAM,EAAE,QAAiB;QACzB,WAAW,EAAE,UAAU,KAAK,CAAC,SAAS,oCAAoC,KAAK,CAAC,MAAM,iBAAiB,KAAK,CAAC,WAAW,SAAS;QACjI,MAAM,EAAE,4BAA4B;QACpC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QAC3C,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,IAAI,EAAE;YACJ,QAAQ,EAAE,kBAAkB;YAC5B,WAAW,EAAE,aAAa;YAC1B,UAAU,EAAE,MAAe;SAC5B;QACD,YAAY,EAAE,EAAE,IAAI,EAAE,iBAA0B,EAAE;QAClD,SAAS,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,uBAAuB,EAAE;QACjE,QAAQ,EAAE;YACR,OAAO,EAAE,CAAC,YAAqB,EAAE,OAAgB,CAAC;YAClD,gBAAgB,EAAE,aAAa,KAAK,CAAC,SAAS,iCAAiC,KAAK,CAAC,WAAW,qBAAqB;SACtH;KACF,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;QACvD,eAAe,EAAE,CAAC,QAAQ,KAAK,CAAC,SAAS,EAAE,EAAE,QAAQ,KAAK,CAAC,SAAS,EAAE,CAAC;QACvE,UAAU,EAAE,GAAG;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,YAAY,EAAE,QAAiB;KAChC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAA8E;IAC3G,OAAO,CACJ,KAAK,CAAC,QAAQ,EAAE,SAAoB;QACpC,KAAK,CAAC,QAAQ,EAAE,WAAsB;QACtC,KAAK,CAAC,QAAQ,EAAE,OAAkB;QACnC,KAAK,CAAC,MAAM,EAAE,UAAU;QACxB,KAAK,CAAC,MAAM,EAAE,YAAY;QAC1B,KAAK,CAAC,MAAM,EAAE,UAAU;QACxB,KAAK,CAAC,MAAM,EAAE,QAAQ;QACtB,KAAK,CAAC,MAAM,EAAE,SAAS;QACvB,SAAS,CACV,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,232 @@
+/**
+ * ATR (Agent Threat Rules) type definitions
+ * @module agent-threat-rules/types
+ */
+export type ATRStatus = 'draft' | 'experimental' | 'stable' | 'deprecated';
+export type ATRSeverity = 'critical' | 'high' | 'medium' | 'low' | 'informational';
+export type ATRCategory = 'prompt-injection' | 'tool-poisoning' | 'context-exfiltration' | 'agent-manipulation' | 'privilege-escalation' | 'excessive-autonomy' | 'data-poisoning' | 'model-abuse' | 'skill-compromise';
+export type ATRConfidence = 'high' | 'medium' | 'low';
+export type ATRSourceType = 'llm_io' | 'tool_call' | 'mcp_exchange' | 'agent_behavior' | 'multi_agent_comm' | 'context_window' | 'memory_access' | 'skill_lifecycle' | 'skill_permission' | 'skill_chain';
+export type ATRMatchType = 'contains' | 'regex' | 'exact' | 'starts_with';
+export type ATROperator = 'gt' | 'lt' | 'eq' | 'gte' | 'lte' | 'deviation_from_baseline';
+export type ATRAction = 'block_input' | 'block_output' | 'block_tool' | 'quarantine_session' | 'reset_context' | 'alert' | 'snapshot' | 'escalate' | 'reduce_permissions' | 'kill_agent';
+export interface ATRReferences {
+    owasp_llm?: string[];
+    owasp_agentic?: string[];
+    mitre_atlas?: string[];
+    mitre_attack?: string[];
+    cve?: string[];
+}
+export type ATRScanTarget = 'mcp' | 'skill' | 'both' | 'runtime';
+export interface ATRTags {
+    category: ATRCategory;
+    subcategory?: string;
+    confidence?: ATRConfidence;
+    scan_target?: ATRScanTarget;
+}
+export interface ATRAgentSource {
+    type: ATRSourceType;
+    framework?: string[];
+    provider?: string[];
+}
+export interface ATRPatternCondition {
+    field: string;
+    patterns: string[];
+    match_type: ATRMatchType;
+    case_sensitive?: boolean;
+}
+export interface ATRBehavioralCondition {
+    metric: string;
+    operator: ATROperator;
+    threshold: number;
+    window?: string;
+}
+export interface ATRSequenceStep {
+    field?: string;
+    patterns?: string[];
+    match_type?: ATRMatchType;
+    metric?: string;
+    operator?: ATROperator;
+    threshold?: number;
+}
+export interface ATRSequenceCondition {
+    ordered: boolean;
+    within: string;
+    steps: ATRSequenceStep[];
+}
+/** Array-format condition: {field, operator, value} used by most rules */
+export interface ATRArrayCondition {
+    field: string;
+    operator: string;
+    value: string;
+    description?: string;
+}
+/** Named-map conditions or array conditions */
+export type ATRConditions = ATRArrayCondition[] | Record<string, ATRPatternCondition | ATRBehavioralCondition | ATRSequenceCondition>;
+export interface ATRDetection {
+    conditions: ATRConditions;
+    /** "any" = OR across all conditions, "all" = AND. For named format: boolean expression string. */
+    condition: string;
+    false_positives?: string[];
+}
+export interface ATRResponse {
+    actions: ATRAction[];
+    auto_response_threshold?: string;
+    message_template?: string;
+}
+export interface ATRTestCase {
+    input?: string;
+    tool_response?: string;
+    agent_output?: string;
+    tool_name?: string;
+    tool_args?: string;
+    expected: 'trigger' | 'no_trigger' | 'triggered' | 'not_triggered';
+}
+export interface ATRTestCases {
+    true_positives: ATRTestCase[];
+    true_negatives: ATRTestCase[];
+}
+export interface ATRRule {
+    title: string;
+    id: string;
+    rule_version?: number;
+    status: ATRStatus;
+    description: string;
+    author: string;
+    date: string;
+    modified?: string;
+    schema_version?: string;
+    detection_tier?: string;
+    maturity?: string;
+    severity: ATRSeverity;
+    references?: ATRReferences;
+    tags: ATRTags;
+    agent_source: ATRAgentSource;
+    detection: ATRDetection;
+    response: ATRResponse;
+    test_cases?: ATRTestCases;
+    /** Evasion tests documenting known bypass techniques */
+    evasion_tests?: ATREvasionTest[];
+    /** Numeric confidence score (0-100), computed from precision + wild validation + evasion docs */
+    confidence?: number;
+    /** Date of last wild scan validation (YYYY/MM/DD format) */
+    wild_validated?: string;
+    /** Number of real-world samples tested in wild scan */
+    wild_samples?: number;
+    /** False positive rate measured on wild scan data (0.0 - 100.0) */
+    wild_fp_rate?: number;
+    /** Reason for deprecation (required when status is 'deprecated') */
+    deprecated_reason?: string;
+    /** ID of replacement rule (when status is 'deprecated') */
+    replaced_by?: string;
+}
+export interface ATREvasionTest {
+    input: string;
+    expected: 'triggered' | 'not_triggered';
+    bypass_technique: string;
+    notes?: string;
+}
+/** Event types that the ATR engine can evaluate */
+export type AgentEventType = 'llm_input' | 'llm_output' | 'tool_call' | 'tool_response' | 'agent_behavior' | 'multi_agent_message' | 'mcp_exchange';
+/** An agent event to evaluate against ATR rules */
+export interface AgentEvent {
+    type: AgentEventType;
+    timestamp: string;
+    /** The text content to analyze */
+    content: string;
+    /** Specific field values for pattern matching */
+    fields?: Record<string, string>;
+    /** Behavioral metrics for threshold-based detection */
+    metrics?: Record<string, number>;
+    /** Session identifier for correlation */
+    sessionId?: string;
+    /** Source agent identifier */
+    agentId?: string;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+    /** Scan context: when 'skill', all rules fire regardless of agent_source.type,
+     *  with cross-context confidence downweighting for MCP-only rules. */
+    scanContext?: 'mcp' | 'skill';
+}
+/** Result when an ATR rule matches an event */
+export type ScanContextType = 'native' | 'cross-context';
+export interface ATRMatch {
+    rule: ATRRule;
+    matchedConditions: string[];
+    matchedPatterns: string[];
+    confidence: number;
+    timestamp: string;
+    /** Whether this match is native (rule designed for this scan path) or cross-context
+     *  (e.g., MCP rule firing on SKILL.md content with confidence downweight). */
+    scan_context: ScanContextType;
+}
+/** Verdict outcome from evaluating matched rules */
+export type VerdictOutcome = 'allow' | 'ask' | 'deny';
+/** Verdict returned after evaluating an event against all rules */
+export interface ATRVerdict {
+    readonly outcome: VerdictOutcome;
+    readonly reason: string;
+    readonly matchCount: number;
+    readonly highestSeverity: ATRSeverity | null;
+    readonly highestConfidence: number;
+    readonly actions: readonly ATRAction[];
+    readonly matches: readonly ATRMatch[];
+    readonly timestamp: string;
+}
+/** Result of executing a single action */
+export interface ActionResult {
+    readonly action: ATRAction;
+    readonly success: boolean;
+    readonly message: string;
+    readonly timestamp: string;
+}
+/** Context provided to platform adapters when executing actions */
+export interface ExecutionContext {
+    readonly event: AgentEvent;
+    readonly matches: readonly ATRMatch[];
+    readonly verdict: ATRVerdict;
+    readonly sessionId?: string;
+    readonly metadata?: Readonly<Record<string, unknown>>;
+}
+/** Platform-specific adapter for executing ATR actions */
+export interface PlatformAdapter {
+    readonly name: string;
+    blockInput(ctx: ExecutionContext): Promise<ActionResult>;
+    blockOutput(ctx: ExecutionContext): Promise<ActionResult>;
+    blockTool(ctx: ExecutionContext): Promise<ActionResult>;
+    quarantineSession(ctx: ExecutionContext): Promise<ActionResult>;
+    resetContext(ctx: ExecutionContext): Promise<ActionResult>;
+    alert(ctx: ExecutionContext): Promise<ActionResult>;
+    snapshot(ctx: ExecutionContext): Promise<ActionResult>;
+    escalate(ctx: ExecutionContext): Promise<ActionResult>;
+    reducePermissions(ctx: ExecutionContext): Promise<ActionResult>;
+    killAgent(ctx: ExecutionContext): Promise<ActionResult>;
+}
+/** Hook input from Claude Code / agent host */
+export interface HookInput {
+    readonly hook: 'PreToolUse' | 'PostToolUse';
+    readonly tool_name: string;
+    readonly tool_input: Readonly<Record<string, unknown>>;
+    readonly session_id?: string;
+    readonly timestamp?: string;
+}
+/** Hook output to Claude Code / agent host */
+export interface HookOutput {
+    readonly decision: VerdictOutcome;
+    readonly reason?: string;
+    readonly message?: string;
+    readonly matched_rules?: readonly string[];
+}
+/** Scan type: MCP runtime event scan vs SKILL.md static file scan */
+export type ScanType = 'mcp' | 'skill';
+/** Unified scan result produced by both evaluate() and scanSkill() paths */
+export interface ScanResult {
+    readonly scan_type: ScanType;
+    readonly content_hash: string;
+    readonly input_file?: string;
+    readonly timestamp: string;
+    readonly rules_loaded: number;
+    readonly matches: readonly ATRMatch[];
+    readonly threat_count: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,cAAc,GAAG,QAAQ,GAAG,YAAY,CAAC;AAE3E,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,eAAe,CAAC;AAEnF,MAAM,MAAM,WAAW,GACnB,kBAAkB,GAClB,gBAAgB,GAChB,sBAAsB,GACtB,oBAAoB,GACpB,sBAAsB,GACtB,oBAAoB,GACpB,gBAAgB,GAChB,aAAa,GACb,kBAAkB,CAAC;AAEvB,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEtD,MAAM,MAAM,aAAa,GACrB,QAAQ,GACR,WAAW,GACX,cAAc,GACd,gBAAgB,GAChB,kBAAkB,GAClB,gBAAgB,GAChB,eAAe,GACf,iBAAiB,GACjB,kBAAkB,GAClB,aAAa,CAAC;AAElB,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,OAAO,GAAG,OAAO,GAAG,aAAa,CAAC;AAE1E,MAAM,MAAM,WAAW,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,KAAK,GAAG,yBAAyB,CAAC;AAEzF,MAAM,MAAM,SAAS,GACjB,aAAa,GACb,cAAc,GACd,YAAY,GACZ,oBAAoB,GACpB,eAAe,GACf,OAAO,GACP,UAAU,GACV,UAAU,GACV,oBAAoB,GACpB,YAAY,CAAC;AAEjB,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;AAEjE,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,WAAW,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,aAAa,CAAC;IAC3B,WAAW,CAAC,EAAE,aAAa,CAAC;CAC7B;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,aAAa,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,UAAU,EAAE,YAAY,CAAC;IACzB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,WAAW,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,WAAW,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,eAAe,EAAE,CAAC;CAC1B;AAED,0EAA0E;AAC1E,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,+CAA+C;AAC/C,MAAM,MAAM,aAAa,GACrB,iBAAiB,EAAE,GACnB,MAAM,CAAC,MAAM,EAAE,mBAAmB,GAAG,sBAAsB,GAAG,oBAAoB,CAAC,CAAC;AAExF,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,aAAa,CAAC;IAC1B,kGAAkG;IAClG,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,SAAS,EAAE,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,eAAe,CAAC;CACpE;AAED,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE,WAAW,EAAE,CAAC;IAC9B,cAAc,EAAE,WAAW,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,SAAS,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,aAAa,CAAC;IAC3B,IAAI,EAAE,OAAO,CAAC;IACd,YAAY,EAAE,cAAc,CAAC;IAC7B,SAAS,EAAE,YAAY,CAAC;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,wDAAwD;IACxD,aAAa,CAAC,EAAE,cAAc,EAAE,CAAC;IACjC,iGAAiG;IACjG,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uDAAuD;IACvD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,2DAA2D;IAC3D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,WAAW,GAAG,eAAe,CAAC;IACxC,gBAAgB,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,mDAAmD;AACnD,MAAM,MAAM,cAAc,GACtB,WAAW,GACX,YAAY,GACZ,WAAW,GACX,eAAe,GACf,gBAAgB,GAChB,qBAAqB,GACrB,cAAc,CAAC;AAEnB,mDAAmD;AACnD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,uDAAuD;IACvD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC;0EACsE;IACtE,WAAW,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC;CAC/B;AAED,+CAA+C;AAC/C,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,eAAe,CAAC;AAEzD,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,OAAO,CAAC;IACd,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB;kFAC8E;IAC9E,YAAY,EAAE,eAAe,CAAC;CAC/B;AAED,oDAAoD;AACpD,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAC;AAEtD,mEAAmE;AACnE,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IAC7C,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,OAAO,EAAE,SAAS,SAAS,EAAE,CAAC;IACvC,QAAQ,CAAC,OAAO,EAAE,SAAS,QAAQ,EAAE,CAAC;IACtC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,0CAA0C;AAC1C,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,mEAAmE;AACnE,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,SAAS,QAAQ,EAAE,CAAC;IACtC,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACvD;AAED,0DAA0D;AAC1D,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACzD,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAC1D,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACxD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,YAAY,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAC3D,KAAK,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACpD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACvD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACvD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;CACzD;AAED,+CAA+C;AAC/C,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,IAAI,EAAE,YAAY,GAAG,aAAa,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACvD,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,8CAA8C;AAC9C,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5C;AAED,qEAAqE;AACrE,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,OAAO,CAAC;AAEvC,4EAA4E;AAC5E,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC;IAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,SAAS,QAAQ,EAAE,CAAC;IACtC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B"}

package/dist/types.js

@@ -0,0 +1,6 @@
+/**
+ * ATR (Agent Threat Rules) type definitions
+ * @module agent-threat-rules/types
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/verdict.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Verdict computation from ATR rule matches.
+ *
+ * Pure functions that determine the outcome (allow/ask/deny)
+ * based on severity, confidence, and auto-response thresholds.
+ *
+ * @module agent-threat-rules/verdict
+ */
+import type { ATRMatch, ATRSeverity, ATRVerdict } from './types.js';
+/** Severity rank from most severe (0) to least severe (4) */
+export declare const SEVERITY_RANK: Readonly<Record<ATRSeverity, number>>;
+/**
+ * Check whether auto-response is enabled for a matched rule.
+ * The auto_response_threshold field on ATRResponse indicates the
+ * minimum confidence level at which the action should be taken
+ * automatically (without human approval).
+ */
+export declare function isAutoResponseEnabled(match: ATRMatch): boolean;
+/**
+ * Compute a verdict from an array of ATR matches.
+ *
+ * This is a pure function -- no side effects, no mutation.
+ * Returns a frozen ATRVerdict object.
+ */
+export declare function computeVerdict(matches: readonly ATRMatch[]): ATRVerdict;
+//# sourceMappingURL=verdict.d.ts.map

package/dist/verdict.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verdict.d.ts","sourceRoot":"","sources":["../src/verdict.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,QAAQ,EACR,WAAW,EAEX,UAAU,EAEX,MAAM,YAAY,CAAC;AAEpB,6DAA6D;AAC7D,eAAO,MAAM,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAM/D,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,QAAQ,GACd,OAAO,CAcT;AAwED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,SAAS,QAAQ,EAAE,GAC3B,UAAU,CAkCZ"}