@panguard-ai/core 0.1.0

package/dist/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAE3E,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;AAE3C,oCAAoC;AACpC,MAAM,CAAC,MAAM,aAAa,GAAG,OAAO,CAAC;AAErC;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,UAAU;IACrB,yCAAyC;IACjC,KAAK,GAAgB,EAAE,CAAC;IAEhC,iEAAiE;IACzD,cAAc,CAAc;IAEpC,kCAAkC;IAC1B,MAAM,CAAmB;IAEjC;;;;;OAKG;IACH,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC;QAE3B,+CAA+C;QAC/C,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChF,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC5C,MAAM,CAAC,IAAI,CACT,oBAAoB,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,wBAAwB,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,QAAQ,CACjH,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,SAAS;QACb,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAEzD,sDAAsD;QACtD,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACvC,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC1E,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC9B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACtB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC3B,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,+BAA+B,IAAI,CAAC,EAAE,8CAA8C,IAAI,CAAC,EAAE,GAAG,CAC/F,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAChD,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;YACtF,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC9B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACtB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC3B,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,+BAA+B,IAAI,CAAC,EAAE,iDAAiD,IAAI,CAAC,EAAE,GAAG,CAClG,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACtF,MAAM,CAAC,IAAI,CACT,qFAAqF,CACtF,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,CAAC,KAAK,CAAC,MAAM,eAAe,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAExF,2DAA2D;QAC3D,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAChE,IAAI,IAAI,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;gBACtC,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,CAAC;YAED,IAAI,CAAC,cAAc,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,YAAY,EAAE,EAAE;gBAC/E,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;gBAClD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAExD,IAAI,CAAC,KAAK,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;gBAC9B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;gBAErC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;oBAChC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBAC5B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBACtB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACzB,CAAC;gBACH,CAAC;gBAED,0DAA0D;gBAC1D,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;oBAChD,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;oBACtF,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;wBAClC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;4BAC5B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4BACtB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wBACzB,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,MAAM,CAAC,IAAI,CACT,8BAA8B,IAAI,CAAC,KAAK,CAAC,MAAM,kBAAkB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CACrF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,OAAO,CAAC,IAAe;QACrB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC;QACpE,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;YACjC,MAAM,CAAC,IAAI,CACT,2BAA2B,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,EAAE,gBAAgB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,EAAE,GAAG,CAC7F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,MAAM,CAAC,IAAI,CACT,oBAAoB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,EAAE,cAAc,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,EAAE,GAAG,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,UAAU,CAAC,EAAU;QACnB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;QACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,aAAa,CAAC;QAElD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,+BAA+B,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,KAAoB;QACxB,OAAO,sBAAsB,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACH,QAAQ;QACN,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAE9C,yCAAyC;QACzC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAEzD,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACvC,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC1E,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC9B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACtB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAChD,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;YACtF,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC9B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACtB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CACT,iCAAiC,IAAI,CAAC,KAAK,CAAC,MAAM,mBAAmB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CACzF,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC,cAAc,EAAE,CAAC;YACtB,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;QAClC,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;CACF;AAWD,yCAAyC;AACzC,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnE,0CAA0C;AAC1C,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAExE,yCAAyC;AACzC,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEnG,yCAAyC;AACzC,OAAO,EAAE,WAAW,EAAuC,MAAM,mBAAmB,CAAC"}

package/dist/rules/rule-loader.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Sigma rule filesystem loader
+ * Sigma 規則檔案系統載入器
+ *
+ * Loads Sigma rules from directories and supports watching for changes.
+ * 從目錄載入 Sigma 規則並支援監視變更。
+ *
+ * @module @panguard-ai/core/rules/rule-loader
+ */
+import type { SigmaRule } from './types.js';
+/**
+ * Load all Sigma rules from a directory
+ * 從目錄載入所有 Sigma 規則
+ *
+ * Reads all .yml and .yaml files in the given directory (non-recursive),
+ * parses each one, and returns the successfully parsed rules.
+ * 讀取指定目錄中所有 .yml 和 .yaml 檔案（非遞迴），
+ * 解析每一個，並回傳成功解析的規則。
+ *
+ * @param dir - Directory path containing Sigma rule files / 包含 Sigma 規則檔案的目錄路徑
+ * @returns Array of successfully parsed Sigma rules / 成功解析的 Sigma 規則陣列
+ */
+export declare function loadRulesFromDirectory(dir: string): SigmaRule[];
+/**
+ * Recursively load Sigma rules from a directory tree
+ * 從目錄樹遞迴載入 Sigma 規則
+ *
+ * Walks subdirectories to find all .yml/.yaml files.
+ * Optionally tags each rule with a source label.
+ * 遍歷子目錄尋找所有 .yml/.yaml 檔案。
+ * 可選擇性地為每條規則標記來源標籤。
+ *
+ * @param dir - Root directory to scan recursively / 要遞迴掃描的根目錄
+ * @param source - Optional source tag for loaded rules / 可選的規則來源標記
+ * @returns Array of successfully parsed Sigma rules / 成功解析的 Sigma 規則陣列
+ */
+export declare function loadRulesRecursive(dir: string, source?: SigmaRule['source']): SigmaRule[];
+/**
+ * Watch a directory for Sigma rule file changes
+ * 監視目錄中的 Sigma 規則檔案變更
+ *
+ * Uses fs.watch to monitor the directory. When any .yml/.yaml file changes,
+ * reloads all rules from the directory and invokes the callback.
+ * Returns a cleanup function that stops the watcher.
+ * 使用 fs.watch 監視目錄。當任何 .yml/.yaml 檔案變更時，
+ * 從目錄重新載入所有規則並呼叫回調。
+ * 回傳停止監視的清理函式。
+ *
+ * @param dir - Directory path to watch / 要監視的目錄路徑
+ * @param callback - Called with reloaded rules on file changes / 檔案變更時以重新載入的規則呼叫
+ * @returns Cleanup function to stop the watcher / 停止監視的清理函式
+ */
+export declare function watchRulesDirectory(dir: string, callback: (rules: SigmaRule[]) => void): () => void;
+//# sourceMappingURL=rule-loader.d.ts.map

package/dist/rules/rule-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-loader.d.ts","sourceRoot":"","sources":["../../src/rules/rule-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAO5C;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,EAAE,CA0C/D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,CAAC,QAAQ,CAAC,GAAG,SAAS,EAAE,CAyCzF;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,IAAI,GACrC,MAAM,IAAI,CA2CZ"}

package/dist/rules/rule-loader.js

@@ -0,0 +1,167 @@
+/**
+ * Sigma rule filesystem loader
+ * Sigma 規則檔案系統載入器
+ *
+ * Loads Sigma rules from directories and supports watching for changes.
+ * 從目錄載入 Sigma 規則並支援監視變更。
+ *
+ * @module @panguard-ai/core/rules/rule-loader
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { createLogger } from '../utils/logger.js';
+import { parseSigmaFile } from './sigma-parser.js';
+const logger = createLogger('rule-loader');
+/** Supported Sigma rule file extensions / 支援的 Sigma 規則檔案副檔名 */
+const SIGMA_EXTENSIONS = new Set(['.yml', '.yaml']);
+/**
+ * Load all Sigma rules from a directory
+ * 從目錄載入所有 Sigma 規則
+ *
+ * Reads all .yml and .yaml files in the given directory (non-recursive),
+ * parses each one, and returns the successfully parsed rules.
+ * 讀取指定目錄中所有 .yml 和 .yaml 檔案（非遞迴），
+ * 解析每一個，並回傳成功解析的規則。
+ *
+ * @param dir - Directory path containing Sigma rule files / 包含 Sigma 規則檔案的目錄路徑
+ * @returns Array of successfully parsed Sigma rules / 成功解析的 Sigma 規則陣列
+ */
+export function loadRulesFromDirectory(dir) {
+    const rules = [];
+    if (!fs.existsSync(dir)) {
+        logger.error(`Rules directory does not exist: ${dir} / 規則目錄不存在: ${dir}`);
+        return rules;
+    }
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to read rules directory: ${dir} / 讀取規則目錄失敗: ${dir}`, {
+            error: message,
+        });
+        return rules;
+    }
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const ext = path.extname(entry.name).toLowerCase();
+        if (!SIGMA_EXTENSIONS.has(ext))
+            continue;
+        const filePath = path.join(dir, entry.name);
+        const rule = parseSigmaFile(filePath);
+        if (rule !== null) {
+            rules.push(rule);
+            logger.debug(`Loaded rule from file: ${entry.name} / 從檔案載入規則: ${entry.name}`, {
+                ruleId: rule.id,
+                title: rule.title,
+            });
+        }
+    }
+    logger.info(`Loaded ${rules.length} rules from directory: ${dir} / 從目錄載入 ${rules.length} 條規則: ${dir}`);
+    return rules;
+}
+/**
+ * Recursively load Sigma rules from a directory tree
+ * 從目錄樹遞迴載入 Sigma 規則
+ *
+ * Walks subdirectories to find all .yml/.yaml files.
+ * Optionally tags each rule with a source label.
+ * 遍歷子目錄尋找所有 .yml/.yaml 檔案。
+ * 可選擇性地為每條規則標記來源標籤。
+ *
+ * @param dir - Root directory to scan recursively / 要遞迴掃描的根目錄
+ * @param source - Optional source tag for loaded rules / 可選的規則來源標記
+ * @returns Array of successfully parsed Sigma rules / 成功解析的 Sigma 規則陣列
+ */
+export function loadRulesRecursive(dir, source) {
+    if (!fs.existsSync(dir)) {
+        logger.warn(`Rules directory does not exist, skipping: ${dir} / 規則目錄不存在，跳過: ${dir}`);
+        return [];
+    }
+    const rules = [];
+    function walk(currentDir) {
+        let entries;
+        try {
+            entries = fs.readdirSync(currentDir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const fullPath = path.join(currentDir, entry.name);
+            if (entry.isDirectory()) {
+                walk(fullPath);
+            }
+            else if (entry.isFile()) {
+                const ext = path.extname(entry.name).toLowerCase();
+                if (!SIGMA_EXTENSIONS.has(ext))
+                    continue;
+                const rule = parseSigmaFile(fullPath);
+                if (rule !== null) {
+                    if (source !== undefined) {
+                        rule.source = source;
+                    }
+                    rules.push(rule);
+                }
+            }
+        }
+    }
+    walk(dir);
+    logger.info(`Loaded ${rules.length} rules recursively from: ${dir} (source: ${source ?? 'unset'}) / 從 ${dir} 遞迴載入 ${rules.length} 條規則`);
+    return rules;
+}
+/**
+ * Watch a directory for Sigma rule file changes
+ * 監視目錄中的 Sigma 規則檔案變更
+ *
+ * Uses fs.watch to monitor the directory. When any .yml/.yaml file changes,
+ * reloads all rules from the directory and invokes the callback.
+ * Returns a cleanup function that stops the watcher.
+ * 使用 fs.watch 監視目錄。當任何 .yml/.yaml 檔案變更時，
+ * 從目錄重新載入所有規則並呼叫回調。
+ * 回傳停止監視的清理函式。
+ *
+ * @param dir - Directory path to watch / 要監視的目錄路徑
+ * @param callback - Called with reloaded rules on file changes / 檔案變更時以重新載入的規則呼叫
+ * @returns Cleanup function to stop the watcher / 停止監視的清理函式
+ */
+export function watchRulesDirectory(dir, callback) {
+    if (!fs.existsSync(dir)) {
+        logger.error(`Cannot watch non-existent directory: ${dir} / 無法監視不存在的目錄: ${dir}`);
+        return () => {
+            /* noop */
+        };
+    }
+    let debounceTimer = null;
+    const DEBOUNCE_MS = 300;
+    const watcher = fs.watch(dir, (eventType, filename) => {
+        // Filter for Sigma rule files only / 僅篩選 Sigma 規則檔案
+        if (filename !== null && filename !== undefined) {
+            const ext = path.extname(filename).toLowerCase();
+            if (!SIGMA_EXTENSIONS.has(ext))
+                return;
+        }
+        // Debounce rapid changes / 防止快速連續變更
+        if (debounceTimer !== null) {
+            clearTimeout(debounceTimer);
+        }
+        debounceTimer = setTimeout(() => {
+            logger.info(`Detected rule file change (${eventType}${filename ? `: ${filename}` : ''}), reloading rules / 偵測到規則檔案變更，重新載入規則`);
+            const rules = loadRulesFromDirectory(dir);
+            callback(rules);
+            debounceTimer = null;
+        }, DEBOUNCE_MS);
+    });
+    logger.info(`Watching rules directory for changes: ${dir} / 正在監視規則目錄的變更: ${dir}`);
+    // Return cleanup function / 回傳清理函式
+    return () => {
+        if (debounceTimer !== null) {
+            clearTimeout(debounceTimer);
+        }
+        watcher.close();
+        logger.info(`Stopped watching rules directory: ${dir} / 停止監視規則目錄: ${dir}`);
+    };
+}
+//# sourceMappingURL=rule-loader.js.map

package/dist/rules/rule-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-loader.js","sourceRoot":"","sources":["../../src/rules/rule-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;AAE3C,+DAA+D;AAC/D,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAEpD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CAAC,GAAW;IAChD,MAAM,KAAK,GAAgB,EAAE,CAAC;IAE9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,eAAe,GAAG,EAAE,CAAC,CAAC;QACzE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAoB,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,gBAAgB,GAAG,EAAE,EAAE;YACxE,KAAK,EAAE,OAAO;SACf,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACnD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAEzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAEtC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,MAAM,CAAC,KAAK,CAAC,0BAA0B,KAAK,CAAC,IAAI,eAAe,KAAK,CAAC,IAAI,EAAE,EAAE;gBAC5E,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CACT,UAAU,KAAK,CAAC,MAAM,0BAA0B,GAAG,YAAY,KAAK,CAAC,MAAM,SAAS,GAAG,EAAE,CAC1F,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW,EAAE,MAA4B;IAC1E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,6CAA6C,GAAG,kBAAkB,GAAG,EAAE,CAAC,CAAC;QACrF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAgB,EAAE,CAAC;IAE9B,SAAS,IAAI,CAAC,UAAkB;QAC9B,IAAI,OAAoB,CAAC;QACzB,IAAI,CAAC;YACH,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACnD,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,IAAI,CAAC,QAAQ,CAAC,CAAC;YACjB,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBACnD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACzC,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;gBACtC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;oBAClB,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;wBACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;oBACvB,CAAC;oBACD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,CAAC;IAEV,MAAM,CAAC,IAAI,CACT,UAAU,KAAK,CAAC,MAAM,4BAA4B,GAAG,aAAa,MAAM,IAAI,OAAO,SAAS,GAAG,SAAS,KAAK,CAAC,MAAM,MAAM,CAC3H,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,mBAAmB,CACjC,GAAW,EACX,QAAsC;IAEtC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,wCAAwC,GAAG,kBAAkB,GAAG,EAAE,CAAC,CAAC;QACjF,OAAO,GAAG,EAAE;YACV,UAAU;QACZ,CAAC,CAAC;IACJ,CAAC;IAED,IAAI,aAAa,GAAyC,IAAI,CAAC;IAC/D,MAAM,WAAW,GAAG,GAAG,CAAC;IAExB,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE;QACpD,oDAAoD;QACpD,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAChD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YACjD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,OAAO;QACzC,CAAC;QAED,oCAAoC;QACpC,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9B,CAAC;QAED,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,IAAI,CACT,8BAA8B,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,uCAAuC,CACjH,CAAC;YACF,MAAM,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAC1C,QAAQ,CAAC,KAAK,CAAC,CAAC;YAChB,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC,EAAE,WAAW,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,yCAAyC,GAAG,mBAAmB,GAAG,EAAE,CAAC,CAAC;IAElF,mCAAmC;IACnC,OAAO,GAAG,EAAE;QACV,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9B,CAAC;QACD,OAAO,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,qCAAqC,GAAG,gBAAgB,GAAG,EAAE,CAAC,CAAC;IAC7E,CAAC,CAAC;AACJ,CAAC"}

package/dist/rules/sigma-matcher.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Sigma rule event matcher
+ * Sigma 規則事件比對器
+ *
+ * Matches SecurityEvent instances against Sigma rules by evaluating
+ * detection selections and condition expressions.
+ * Supports wildcards (*), the |contains modifier, and simple AND/OR/NOT logic.
+ * 將 SecurityEvent 實例與 Sigma 規則比對，透過評估偵測選擇項和條件表達式。
+ * 支援萬用字元（*）、|contains 修飾符，以及簡單的 AND/OR/NOT 邏輯。
+ *
+ * @module @panguard-ai/core/rules/sigma-matcher
+ */
+import type { SecurityEvent } from '../types.js';
+import type { SigmaRule, RuleMatch } from './types.js';
+/**
+ * Match a single security event against a single Sigma rule
+ * 比對單一安全事件與單一 Sigma 規則
+ *
+ * Evaluates all selections in the rule's detection block, then checks
+ * whether the condition expression is satisfied.
+ * 評估規則偵測區塊中的所有選擇項，然後檢查條件表達式是否滿足。
+ *
+ * @param event - The security event to test / 要測試的安全事件
+ * @param rule - The Sigma rule to match against / 要比對的 Sigma 規則
+ * @returns A RuleMatch if the event matches, or null / 事件比對時回傳 RuleMatch，否則回傳 null
+ */
+export declare function matchEvent(event: SecurityEvent, rule: SigmaRule): RuleMatch | null;
+/**
+ * Match a single security event against multiple Sigma rules
+ * 比對單一安全事件與多個 Sigma 規則
+ *
+ * Tests the event against every rule and returns all matches.
+ * 將事件與每個規則測試並回傳所有比對結果。
+ *
+ * @param event - The security event to test / 要測試的安全事件
+ * @param rules - Array of Sigma rules to match against / 要比對的 Sigma 規則陣列
+ * @returns Array of RuleMatch for all matching rules / 所有比對規則的 RuleMatch 陣列
+ */
+export declare function matchEventAgainstRules(event: SecurityEvent, rules: SigmaRule[]): RuleMatch[];
+//# sourceMappingURL=sigma-matcher.d.ts.map

package/dist/rules/sigma-matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigma-matcher.d.ts","sourceRoot":"","sources":["../../src/rules/sigma-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAuYvD;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,IAAI,CAwClF;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,SAAS,EAAE,CAW5F"}