@panguard-ai/atr 1.5.0 → 1.5.5

package/dist/action-executor.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Action Executor - Executes ATR response actions via platform adapters.
+ *
+ * Deduplicates actions, sorts by priority, and delegates execution
+ * to a PlatformAdapter. Handles per-action errors so one failure
+ * does not block the rest.
+ *
+ * @module agent-threat-rules/action-executor
+ */
+import type { ActionResult, ExecutionContext, PlatformAdapter } from './types.js';
+export interface ActionExecutorConfig {
+    readonly adapter: PlatformAdapter;
+    readonly dryRun?: boolean;
+    readonly onActionComplete?: (result: ActionResult) => void;
+}
+export declare class ActionExecutor {
+    private readonly adapter;
+    private readonly dryRun;
+    private readonly onActionComplete?;
+    constructor(config: ActionExecutorConfig);
+    /**
+     * Execute all actions from the verdict context.
+     *
+     * Actions are deduplicated, sorted by priority, and executed
+     * sequentially. Each action is wrapped in try/catch so a single
+     * failure does not prevent subsequent actions from running.
+     *
+     * Returns a frozen array of ActionResult.
+     */
+    execute(context: ExecutionContext): Promise<readonly ActionResult[]>;
+    /**
+     * Deduplicate actions and sort by priority (highest priority first).
+     */
+    private deduplicateAndSort;
+    /**
+     * Execute a single action, returning a result even on failure.
+     */
+    private executeOne;
+    /** Get the adapter name for diagnostics */
+    getAdapterName(): string;
+    /** Check if dry-run mode is enabled */
+    isDryRun(): boolean;
+}
+//# sourceMappingURL=action-executor.d.ts.map

package/dist/action-executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-executor.d.ts","sourceRoot":"","sources":["../src/action-executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAEV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EAChB,MAAM,YAAY,CAAC;AA8BpB,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,YAAY,KAAK,IAAI,CAAC;CAC5D;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkB;IAC1C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAiC;gBAEvD,MAAM,EAAE,oBAAoB;IAMxC;;;;;;;;OAQG;IACG,OAAO,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,SAAS,YAAY,EAAE,CAAC;IAgB1E;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAW1B;;OAEG;YACW,UAAU;IAmDxB,2CAA2C;IAC3C,cAAc,IAAI,MAAM;IAIxB,uCAAuC;IACvC,QAAQ,IAAI,OAAO;CAGpB"}

package/dist/action-executor.js

@@ -0,0 +1,130 @@
+/**
+ * Action Executor - Executes ATR response actions via platform adapters.
+ *
+ * Deduplicates actions, sorts by priority, and delegates execution
+ * to a PlatformAdapter. Handles per-action errors so one failure
+ * does not block the rest.
+ *
+ * @module agent-threat-rules/action-executor
+ */
+/** Priority order: lower number = higher priority (executed first) */
+const ACTION_PRIORITY = {
+    kill_agent: 0,
+    block_input: 1,
+    block_output: 2,
+    block_tool: 3,
+    quarantine_session: 4,
+    reduce_permissions: 5,
+    reset_context: 6,
+    alert: 7,
+    escalate: 8,
+    snapshot: 9,
+};
+/** Map action names to PlatformAdapter method names */
+const ACTION_METHOD_MAP = {
+    block_input: 'blockInput',
+    block_output: 'blockOutput',
+    block_tool: 'blockTool',
+    quarantine_session: 'quarantineSession',
+    reset_context: 'resetContext',
+    alert: 'alert',
+    snapshot: 'snapshot',
+    escalate: 'escalate',
+    reduce_permissions: 'reducePermissions',
+    kill_agent: 'killAgent',
+};
+export class ActionExecutor {
+    adapter;
+    dryRun;
+    onActionComplete;
+    constructor(config) {
+        this.adapter = config.adapter;
+        this.dryRun = config.dryRun ?? false;
+        this.onActionComplete = config.onActionComplete;
+    }
+    /**
+     * Execute all actions from the verdict context.
+     *
+     * Actions are deduplicated, sorted by priority, and executed
+     * sequentially. Each action is wrapped in try/catch so a single
+     * failure does not prevent subsequent actions from running.
+     *
+     * Returns a frozen array of ActionResult.
+     */
+    async execute(context) {
+        const actions = this.deduplicateAndSort(context.verdict.actions);
+        const results = [];
+        for (const action of actions) {
+            const result = await this.executeOne(action, context);
+            results.push(result);
+            if (this.onActionComplete) {
+                this.onActionComplete(result);
+            }
+        }
+        return Object.freeze(results);
+    }
+    /**
+     * Deduplicate actions and sort by priority (highest priority first).
+     */
+    deduplicateAndSort(actions) {
+        const unique = [...new Set(actions)];
+        return unique.sort((a, b) => {
+            const pa = ACTION_PRIORITY[a] ?? 99;
+            const pb = ACTION_PRIORITY[b] ?? 99;
+            return pa - pb;
+        });
+    }
+    /**
+     * Execute a single action, returning a result even on failure.
+     */
+    async executeOne(action, context) {
+        const timestamp = new Date().toISOString();
+        if (this.dryRun) {
+            return Object.freeze({
+                action,
+                success: true,
+                message: `[dry-run] Would execute: ${action}`,
+                timestamp,
+            });
+        }
+        try {
+            const methodName = ACTION_METHOD_MAP[action];
+            if (!methodName) {
+                return Object.freeze({
+                    action,
+                    success: false,
+                    message: `Unknown action: ${action}`,
+                    timestamp,
+                });
+            }
+            const method = this.adapter[methodName];
+            if (typeof method !== 'function') {
+                return Object.freeze({
+                    action,
+                    success: false,
+                    message: `Adapter "${this.adapter.name}" does not implement: ${methodName}`,
+                    timestamp,
+                });
+            }
+            return await method.call(this.adapter, context);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return Object.freeze({
+                action,
+                success: false,
+                message: `Action "${action}" failed: ${message}`,
+                timestamp,
+            });
+        }
+    }
+    /** Get the adapter name for diagnostics */
+    getAdapterName() {
+        return this.adapter.name;
+    }
+    /** Check if dry-run mode is enabled */
+    isDryRun() {
+        return this.dryRun;
+    }
+}
+//# sourceMappingURL=action-executor.js.map

package/dist/action-executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-executor.js","sourceRoot":"","sources":["../src/action-executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH,sEAAsE;AACtE,MAAM,eAAe,GAAwC;IAC3D,UAAU,EAAE,CAAC;IACb,WAAW,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;IACf,UAAU,EAAE,CAAC;IACb,kBAAkB,EAAE,CAAC;IACrB,kBAAkB,EAAE,CAAC;IACrB,aAAa,EAAE,CAAC;IAChB,KAAK,EAAE,CAAC;IACR,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,uDAAuD;AACvD,MAAM,iBAAiB,GAAuD;IAC5E,WAAW,EAAE,YAAY;IACzB,YAAY,EAAE,aAAa;IAC3B,UAAU,EAAE,WAAW;IACvB,kBAAkB,EAAE,mBAAmB;IACvC,aAAa,EAAE,cAAc;IAC7B,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IACpB,kBAAkB,EAAE,mBAAmB;IACvC,UAAU,EAAE,WAAW;CACxB,CAAC;AAQF,MAAM,OAAO,cAAc;IACR,OAAO,CAAkB;IACzB,MAAM,CAAU;IAChB,gBAAgB,CAAkC;IAEnE,YAAY,MAA4B;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,KAAK,CAAC;QACrC,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;IAClD,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAO,CAAC,OAAyB;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACjE,MAAM,OAAO,GAAmB,EAAE,CAAC;QAEnC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAErB,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,OAA6B;QAE7B,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAC1B,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACpC,OAAO,EAAE,GAAG,EAAE,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CACtB,MAAiB,EACjB,OAAyB;QAEzB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE3C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC,MAAM,CAAC;gBACnB,MAAM;gBACN,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,4BAA4B,MAAM,EAAE;gBAC7C,SAAS;aACV,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,MAAM,CAAC,MAAM,CAAC;oBACnB,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,OAAO,EAAE,mBAAmB,MAAM,EAAE;oBACpC,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAEzB,CAAC;YAEd,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,OAAO,MAAM,CAAC,MAAM,CAAC;oBACnB,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,OAAO,EAAE,YAAY,IAAI,CAAC,OAAO,CAAC,IAAI,yBAAyB,UAAU,EAAE;oBAC3E,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;YAED,OAAO,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,MAAM,CAAC,MAAM,CAAC;gBACnB,MAAM;gBACN,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,WAAW,MAAM,aAAa,OAAO,EAAE;gBAChD,SAAS;aACV,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,cAAc;QACZ,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED,uCAAuC;IACvC,QAAQ;QACN,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF"}

package/dist/adapters/default-adapter.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Default Platform Adapter - No-op implementation for CLI and testing.
+ *
+ * Every method logs the action and returns a success result.
+ * This adapter is safe to use in any environment as it performs
+ * no actual enforcement.
+ *
+ * @module agent-threat-rules/adapters/default-adapter
+ */
+import type { ActionResult, ExecutionContext, PlatformAdapter } from '../types.js';
+export declare class DefaultAdapter implements PlatformAdapter {
+    readonly name = "default";
+    blockInput(ctx: ExecutionContext): Promise<ActionResult>;
+    blockOutput(ctx: ExecutionContext): Promise<ActionResult>;
+    blockTool(ctx: ExecutionContext): Promise<ActionResult>;
+    quarantineSession(ctx: ExecutionContext): Promise<ActionResult>;
+    resetContext(ctx: ExecutionContext): Promise<ActionResult>;
+    alert(ctx: ExecutionContext): Promise<ActionResult>;
+    snapshot(ctx: ExecutionContext): Promise<ActionResult>;
+    escalate(ctx: ExecutionContext): Promise<ActionResult>;
+    reducePermissions(ctx: ExecutionContext): Promise<ActionResult>;
+    killAgent(ctx: ExecutionContext): Promise<ActionResult>;
+}
+//# sourceMappingURL=default-adapter.d.ts.map

package/dist/adapters/default-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-adapter.d.ts","sourceRoot":"","sources":["../../src/adapters/default-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EAChB,MAAM,aAAa,CAAC;AAcrB,qBAAa,cAAe,YAAW,eAAe;IACpD,QAAQ,CAAC,IAAI,aAAa;IAEpB,UAAU,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAIxD,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAIzD,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAIvD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAI/D,YAAY,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAI1D,KAAK,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAInD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAItD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAItD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAI/D,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;CAG9D"}

package/dist/adapters/default-adapter.js

@@ -0,0 +1,51 @@
+/**
+ * Default Platform Adapter - No-op implementation for CLI and testing.
+ *
+ * Every method logs the action and returns a success result.
+ * This adapter is safe to use in any environment as it performs
+ * no actual enforcement.
+ *
+ * @module agent-threat-rules/adapters/default-adapter
+ */
+function createResult(action, ctx) {
+    return Object.freeze({
+        action,
+        success: true,
+        message: `[${action}] logged (no-op) for verdict: ${ctx.verdict.outcome}`,
+        timestamp: new Date().toISOString(),
+    });
+}
+export class DefaultAdapter {
+    name = 'default';
+    async blockInput(ctx) {
+        return createResult('block_input', ctx);
+    }
+    async blockOutput(ctx) {
+        return createResult('block_output', ctx);
+    }
+    async blockTool(ctx) {
+        return createResult('block_tool', ctx);
+    }
+    async quarantineSession(ctx) {
+        return createResult('quarantine_session', ctx);
+    }
+    async resetContext(ctx) {
+        return createResult('reset_context', ctx);
+    }
+    async alert(ctx) {
+        return createResult('alert', ctx);
+    }
+    async snapshot(ctx) {
+        return createResult('snapshot', ctx);
+    }
+    async escalate(ctx) {
+        return createResult('escalate', ctx);
+    }
+    async reducePermissions(ctx) {
+        return createResult('reduce_permissions', ctx);
+    }
+    async killAgent(ctx) {
+        return createResult('kill_agent', ctx);
+    }
+}
+//# sourceMappingURL=default-adapter.js.map

package/dist/adapters/default-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-adapter.js","sourceRoot":"","sources":["../../src/adapters/default-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,SAAS,YAAY,CACnB,MAA8B,EAC9B,GAAqB;IAErB,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM;QACN,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,IAAI,MAAM,iCAAiC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE;QACzE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,SAAS,CAAC;IAE1B,KAAK,CAAC,UAAU,CAAC,GAAqB;QACpC,OAAO,YAAY,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,OAAO,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,OAAO,YAAY,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,OAAO,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAqB;QACtC,OAAO,YAAY,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAqB;QAC/B,OAAO,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,OAAO,YAAY,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,OAAO,YAAY,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,OAAO,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,OAAO,YAAY,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;CACF"}

package/dist/adapters/stdio-adapter.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Stdio Platform Adapter - Adapter for Claude Code hook integration.
+ *
+ * Block actions write JSON responses to an internal buffer that can
+ * be flushed to stdout. Alert and snapshot actions log to stderr
+ * to avoid interfering with the JSON protocol on stdout.
+ *
+ * @module agent-threat-rules/adapters/stdio-adapter
+ */
+import type { ActionResult, ExecutionContext, PlatformAdapter } from '../types.js';
+export declare class StdioAdapter implements PlatformAdapter {
+    readonly name = "stdio";
+    private readonly responseBuffer;
+    /**
+     * Get buffered responses and clear the buffer.
+     * Returns a frozen copy.
+     */
+    flushResponses(): readonly unknown[];
+    blockInput(ctx: ExecutionContext): Promise<ActionResult>;
+    blockOutput(ctx: ExecutionContext): Promise<ActionResult>;
+    blockTool(ctx: ExecutionContext): Promise<ActionResult>;
+    quarantineSession(ctx: ExecutionContext): Promise<ActionResult>;
+    resetContext(ctx: ExecutionContext): Promise<ActionResult>;
+    alert(ctx: ExecutionContext): Promise<ActionResult>;
+    snapshot(ctx: ExecutionContext): Promise<ActionResult>;
+    escalate(ctx: ExecutionContext): Promise<ActionResult>;
+    reducePermissions(ctx: ExecutionContext): Promise<ActionResult>;
+    killAgent(ctx: ExecutionContext): Promise<ActionResult>;
+}
+//# sourceMappingURL=stdio-adapter.d.ts.map

package/dist/adapters/stdio-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio-adapter.d.ts","sourceRoot":"","sources":["../../src/adapters/stdio-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EAChB,MAAM,aAAa,CAAC;AAcrB,qBAAa,YAAa,YAAW,eAAe;IAClD,QAAQ,CAAC,IAAI,WAAW;IACxB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAEhD;;;OAGG;IACH,cAAc,IAAI,SAAS,OAAO,EAAE;IAM9B,UAAU,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAUxD,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAUzD,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWvD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAU/D,YAAY,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAS1D,KAAK,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWnD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAetD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWtD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAU/D,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;CAS9D"}

package/dist/adapters/stdio-adapter.js

@@ -0,0 +1,128 @@
+/**
+ * Stdio Platform Adapter - Adapter for Claude Code hook integration.
+ *
+ * Block actions write JSON responses to an internal buffer that can
+ * be flushed to stdout. Alert and snapshot actions log to stderr
+ * to avoid interfering with the JSON protocol on stdout.
+ *
+ * @module agent-threat-rules/adapters/stdio-adapter
+ */
+function makeResult(action, message) {
+    return Object.freeze({
+        action,
+        success: true,
+        message,
+        timestamp: new Date().toISOString(),
+    });
+}
+export class StdioAdapter {
+    name = 'stdio';
+    responseBuffer = [];
+    /**
+     * Get buffered responses and clear the buffer.
+     * Returns a frozen copy.
+     */
+    flushResponses() {
+        const copy = Object.freeze([...this.responseBuffer]);
+        this.responseBuffer.length = 0;
+        return copy;
+    }
+    async blockInput(ctx) {
+        const entry = {
+            action: 'block_input',
+            verdict: ctx.verdict.outcome,
+            reason: ctx.verdict.reason,
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('block_input', 'Input blocked via stdio protocol');
+    }
+    async blockOutput(ctx) {
+        const entry = {
+            action: 'block_output',
+            verdict: ctx.verdict.outcome,
+            reason: ctx.verdict.reason,
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('block_output', 'Output blocked via stdio protocol');
+    }
+    async blockTool(ctx) {
+        const entry = {
+            action: 'block_tool',
+            verdict: ctx.verdict.outcome,
+            reason: ctx.verdict.reason,
+            tool: ctx.event.fields?.['tool_name'] ?? 'unknown',
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('block_tool', 'Tool blocked via stdio protocol');
+    }
+    async quarantineSession(ctx) {
+        const entry = {
+            action: 'quarantine_session',
+            verdict: ctx.verdict.outcome,
+            sessionId: ctx.sessionId ?? 'unknown',
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('quarantine_session', 'Session quarantined via stdio protocol');
+    }
+    async resetContext(ctx) {
+        const entry = {
+            action: 'reset_context',
+            verdict: ctx.verdict.outcome,
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('reset_context', 'Context reset via stdio protocol');
+    }
+    async alert(ctx) {
+        const alertMsg = {
+            type: 'alert',
+            severity: ctx.verdict.highestSeverity,
+            reason: ctx.verdict.reason,
+            matchCount: ctx.verdict.matchCount,
+        };
+        process.stderr.write(JSON.stringify(alertMsg) + '\n');
+        return makeResult('alert', 'Alert written to stderr');
+    }
+    async snapshot(ctx) {
+        const snapshotData = {
+            type: 'snapshot',
+            event: {
+                type: ctx.event.type,
+                contentPreview: ctx.event.content.slice(0, 200),
+            },
+            verdict: ctx.verdict.outcome,
+            matchCount: ctx.verdict.matchCount,
+            timestamp: new Date().toISOString(),
+        };
+        process.stderr.write(JSON.stringify(snapshotData) + '\n');
+        return makeResult('snapshot', 'Snapshot written to stderr');
+    }
+    async escalate(ctx) {
+        const escalation = {
+            type: 'escalation',
+            severity: ctx.verdict.highestSeverity,
+            reason: ctx.verdict.reason,
+            matchCount: ctx.verdict.matchCount,
+        };
+        process.stderr.write(JSON.stringify(escalation) + '\n');
+        return makeResult('escalate', 'Escalation written to stderr');
+    }
+    async reducePermissions(ctx) {
+        const entry = {
+            action: 'reduce_permissions',
+            verdict: ctx.verdict.outcome,
+            reason: ctx.verdict.reason,
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('reduce_permissions', 'Permissions reduced via stdio protocol');
+    }
+    async killAgent(ctx) {
+        const entry = {
+            action: 'kill_agent',
+            verdict: ctx.verdict.outcome,
+            reason: ctx.verdict.reason,
+        };
+        this.responseBuffer.push(entry);
+        return makeResult('kill_agent', 'Agent kill requested via stdio protocol');
+    }
+}
+//# sourceMappingURL=stdio-adapter.js.map

package/dist/adapters/stdio-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio-adapter.js","sourceRoot":"","sources":["../../src/adapters/stdio-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,SAAS,UAAU,CACjB,MAA8B,EAC9B,OAAe;IAEf,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM;QACN,OAAO,EAAE,IAAI;QACb,OAAO;QACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,OAAO,CAAC;IACP,cAAc,GAAc,EAAE,CAAC;IAEhD;;;OAGG;IACH,cAAc;QACZ,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAqB;QACpC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,aAAa;YACrB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,aAAa,EAAE,kCAAkC,CAAC,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,cAAc,EAAE,mCAAmC,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;YAC1B,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,SAAS;SACnD,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,YAAY,EAAE,iCAAiC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;SACtC,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,oBAAoB,EAAE,wCAAwC,CAAC,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAqB;QACtC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,eAAe;YACvB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;SAC7B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,eAAe,EAAE,kCAAkC,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAqB;QAC/B,MAAM,QAAQ,GAAG;YACf,IAAI,EAAE,OAAO;YACb,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,eAAe;YACrC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;YAC1B,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU;SACnC,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;QACtD,OAAO,UAAU,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,UAAU;YAChB,KAAK,EAAE;gBACL,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI;gBACpB,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;aAChD;YACD,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU;YAClC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;QAC1D,OAAO,UAAU,CAAC,UAAU,EAAE,4BAA4B,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,YAAY;YAClB,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,eAAe;YACrC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;YAC1B,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU;SACnC,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;QACxD,OAAO,UAAU,CAAC,UAAU,EAAE,8BAA8B,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,oBAAoB,EAAE,wCAAwC,CAAC,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,YAAY,EAAE,yCAAyC,CAAC,CAAC;IAC7E,CAAC;CACF"}

package/dist/badge.d.ts

@@ -0,0 +1,42 @@
+/**
+ * ATR Badge Generator
+ *
+ * Generates shields.io-compatible SVG badges and JSON endpoints
+ * for ATR scan results.
+ *
+ * Badge states:
+ *   - Green:  "ATR Scanned - No Issues" (scan passed, no findings)
+ *   - Yellow: "ATR Scanned - Issues Found" (scan found potential threats)
+ *   - Red:    "ATR Scanned - Critical" (critical threats detected)
+ *   - Gray:   "Not Yet Scanned" (no scan data available)
+ *
+ * @module agent-threat-rules/badge
+ */
+export interface BadgeData {
+    readonly schemaVersion: 1;
+    readonly label: string;
+    readonly message: string;
+    readonly color: string;
+    readonly namedLogo?: string;
+    readonly logoSvg?: string;
+}
+export type BadgeStatus = 'clean' | 'issues' | 'critical' | 'unknown';
+export interface ScanSummary {
+    readonly packageName: string;
+    readonly version?: string;
+    readonly scannedAt?: string;
+    readonly riskLevel: string;
+    readonly riskScore: number;
+    readonly findings: {
+        readonly critical: number;
+        readonly high: number;
+        readonly medium: number;
+        readonly low: number;
+    };
+}
+export declare function determineBadgeStatus(summary: ScanSummary): BadgeStatus;
+export declare function generateBadgeEndpoint(summary: ScanSummary | null): BadgeData;
+export declare function generateBadgeSvg(summary: ScanSummary | null): string;
+export declare function lookupPackageScan(auditDataPath: string, packageName: string): ScanSummary | null;
+export declare function generateBadgeMarkdown(packageName: string, repoUrl?: string): string;
+//# sourceMappingURL=badge.d.ts.map

package/dist/badge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"badge.d.ts","sourceRoot":"","sources":["../src/badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAQH,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;AAEtE,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE;QACjB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAiBD,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,WAAW,GAAG,WAAW,CActE;AAMD,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI,GAAG,SAAS,CA+B5E;AAoBD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI,GAAG,MAAM,CA+BpE;AAMD,wBAAgB,iBAAiB,CAC/B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,WAAW,GAAG,IAAI,CA6BpB;AAMD,wBAAgB,qBAAqB,CACnC,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,MAAkE,GAC1E,MAAM,CAIR"}

package/dist/badge.js

@@ -0,0 +1,163 @@
+/**
+ * ATR Badge Generator
+ *
+ * Generates shields.io-compatible SVG badges and JSON endpoints
+ * for ATR scan results.
+ *
+ * Badge states:
+ *   - Green:  "ATR Scanned - No Issues" (scan passed, no findings)
+ *   - Yellow: "ATR Scanned - Issues Found" (scan found potential threats)
+ *   - Red:    "ATR Scanned - Critical" (critical threats detected)
+ *   - Gray:   "Not Yet Scanned" (no scan data available)
+ *
+ * @module agent-threat-rules/badge
+ */
+import { readFileSync } from 'node:fs';
+// ---------------------------------------------------------------------------
+// Badge colors
+// ---------------------------------------------------------------------------
+const BADGE_COLORS = {
+    clean: '#2ea44f', // GitHub green
+    issues: '#dfb317', // Warning yellow
+    critical: '#e05d44', // Alert red
+    unknown: '#9f9f9f', // Gray
+};
+// ---------------------------------------------------------------------------
+// Determine badge status from scan data
+// ---------------------------------------------------------------------------
+export function determineBadgeStatus(summary) {
+    // Check ATR rule findings first
+    if (summary.findings.critical > 0)
+        return 'critical';
+    if (summary.findings.high > 0)
+        return 'critical';
+    if (summary.findings.medium > 0)
+        return 'issues';
+    if (summary.findings.low > 0)
+        return 'issues';
+    // Fall back to overall risk assessment (from code analysis, supply chain, etc.)
+    const level = summary.riskLevel.toUpperCase();
+    if (level === 'CRITICAL' || level === 'HIGH')
+        return 'critical';
+    if (level === 'MEDIUM')
+        return 'issues';
+    if (level === 'LOW')
+        return 'issues';
+    return 'clean';
+}
+// ---------------------------------------------------------------------------
+// Generate shields.io endpoint JSON
+// ---------------------------------------------------------------------------
+export function generateBadgeEndpoint(summary) {
+    if (!summary) {
+        return {
+            schemaVersion: 1,
+            label: 'ATR',
+            message: 'Not Yet Scanned',
+            color: BADGE_COLORS.unknown,
+        };
+    }
+    const status = determineBadgeStatus(summary);
+    const totalFindings = summary.findings.critical + summary.findings.high + summary.findings.medium + summary.findings.low;
+    const messages = {
+        clean: 'Scanned - No Issues',
+        issues: totalFindings > 0
+            ? `Scanned - ${totalFindings} Issue${totalFindings > 1 ? 's' : ''}`
+            : `Scanned - ${summary.riskLevel}`,
+        critical: totalFindings > 0
+            ? `Scanned - ${summary.findings.critical + summary.findings.high} Critical`
+            : `Scanned - ${summary.riskLevel}`,
+        unknown: 'Not Yet Scanned',
+    };
+    return {
+        schemaVersion: 1,
+        label: 'ATR',
+        message: messages[status],
+        color: BADGE_COLORS[status],
+    };
+}
+// ---------------------------------------------------------------------------
+// Generate standalone SVG badge
+// ---------------------------------------------------------------------------
+function escapeXml(str) {
+    return str
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;');
+}
+function measureText(text) {
+    // Approximate character width for Verdana 11px (shields.io standard)
+    return text.length * 6.8 + 10;
+}
+export function generateBadgeSvg(summary) {
+    const data = generateBadgeEndpoint(summary);
+    const label = escapeXml(data.label);
+    const message = escapeXml(data.message);
+    const color = data.color;
+    const labelWidth = measureText(label);
+    const messageWidth = measureText(message);
+    const totalWidth = labelWidth + messageWidth;
+    return `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="${totalWidth}" height="20" role="img" aria-label="${label}: ${message}">
+  <title>${label}: ${message}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r">
+    <rect width="${totalWidth}" height="20" rx="3" fill="#fff"/>
+  </clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${labelWidth}" height="20" fill="#555"/>
+    <rect x="${labelWidth}" width="${messageWidth}" height="20" fill="${color}"/>
+    <rect width="${totalWidth}" height="20" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110">
+    <text aria-hidden="true" x="${labelWidth * 5}" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)">${label}</text>
+    <text x="${labelWidth * 5}" y="140" transform="scale(.1)" fill="#fff">${label}</text>
+    <text aria-hidden="true" x="${(labelWidth + messageWidth / 2) * 10}" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)">${message}</text>
+    <text x="${(labelWidth + messageWidth / 2) * 10}" y="140" transform="scale(.1)" fill="#fff">${message}</text>
+  </g>
+</svg>`;
+}
+// ---------------------------------------------------------------------------
+// Load scan result from audit data file
+// ---------------------------------------------------------------------------
+export function lookupPackageScan(auditDataPath, packageName) {
+    try {
+        const data = JSON.parse(readFileSync(auditDataPath, 'utf-8'));
+        const results = data.results ?? [];
+        const entry = results.find((r) => r.package === packageName);
+        if (!entry)
+            return null;
+        const atrMatches = entry.atrMatches ?? [];
+        const findings = { critical: 0, high: 0, medium: 0, low: 0 };
+        for (const m of atrMatches) {
+            const sev = (m.severity ?? m.rule?.severity ?? 'low').toLowerCase();
+            if (sev in findings) {
+                findings[sev]++;
+            }
+        }
+        return {
+            packageName: entry.package,
+            version: entry.version,
+            scannedAt: entry.auditedAt ?? data.auditedAt,
+            riskLevel: entry.riskLevel ?? 'UNKNOWN',
+            riskScore: entry.riskScore ?? 0,
+            findings,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Generate markdown badge snippet
+// ---------------------------------------------------------------------------
+export function generateBadgeMarkdown(packageName, repoUrl = 'https://github.com/Agent-Threat-Rule/agent-threat-rules') {
+    // Static badge URL using shields.io
+    const encodedName = encodeURIComponent(packageName);
+    return `[![ATR Scanned](https://img.shields.io/badge/ATR-Scanned-2ea44f?style=flat-square)](${repoUrl})`;
+}
+//# sourceMappingURL=badge.js.map