@panguard-ai/panguard 1.5.4 → 1.5.5

package/dist/cli/workspace-sync.d.ts

@@ -0,0 +1,108 @@
+/**
+ * workspace-sync.ts — push scan events to app.panguard.ai when authenticated
+ *
+ * Flow:
+ *   1. `pga audit` / `pga scan` finish a scan locally (offline-first)
+ *   2. If ~/.panguard/auth.json exists (user has run `pga login`), this module
+ *      POSTs the findings to app.panguard.ai/api/v2/events so they appear in
+ *      the customer dashboard timeline.
+ *   3. Anonymous / Community users are unaffected — they continue to use the
+ *      existing TC telemetry path (tc.panguard.ai) via panguard-guard's
+ *      ThreatCloudClient.
+ *
+ * Privacy:
+ *   - Raw adversarial payloads are NEVER uploaded. Only: rule_id, severity,
+ *     target (path/URL), target_hash (sha256 of content), and a 1-line summary
+ *     produced by the CLI.
+ *   - Endpoint identification: a stable hash of machine-id + logged-in user.
+ *     Not the hostname itself, not the user's email.
+ *
+ * Failure mode:
+ *   - Network / HTTP failure is logged via `log.debug` and swallowed.
+ *   - 401 (token revoked/expired) prints ONE warning then deletes auth.json
+ *     so subsequent commands don't keep hitting the broken path.
+ *   - The main scan result printed to stdout is never altered by sync result.
+ */
+interface AuthInfo {
+    api_key: string;
+    workspace_id: string;
+    workspace_slug: string;
+    workspace_name: string;
+    tier: string;
+    user_email: string;
+    /**
+     * UUID of the matching TC org. Optional — only set if the workspace was
+     * provisioned with a linked TC org (see Supabase migration
+     * 20260422000006_tc_org_link.sql). Used by getTcCorrelationHeaders() so
+     * existing anonymous TC telemetry can be post-hoc correlated back to this
+     * workspace without breaking Community-tier anonymous behaviour.
+     */
+    tc_org_id?: string;
+}
+export declare function authJsonPath(): string;
+export declare function tryLoadAuth(): AuthInfo | null;
+/**
+ * Headers to pass on any CLI → tc.panguard.ai request when the user is
+ * authenticated to a paid workspace. Harmless when TC doesn't know about
+ * workspaces yet (TC ignores unknown headers); enables retroactive
+ * correlation once TC gains workspace-aware endpoints.
+ *
+ * Returns an empty object if the user is anonymous (Community tier) so
+ * Community behaviour is byte-identical to pre-Phase-2 code.
+ */
+export declare function getTcCorrelationHeaders(): Record<string, string>;
+export type EventType = 'scan.rule_match' | 'scan.completed' | 'guard.blocked' | 'guard.flagged' | 'trap.triggered' | 'respond.action';
+export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+export interface WorkspaceEvent {
+    event_type: EventType;
+    severity: Severity;
+    rule_id?: string;
+    target: string;
+    target_hash?: string;
+    payload_summary: string;
+    occurred_at?: string;
+    metadata?: Record<string, unknown>;
+}
+export interface EndpointInfo {
+    machine_id: string;
+    hostname?: string;
+    os_type?: string;
+    panguard_version?: string;
+}
+export declare function getEndpointInfo(panguardVersion: string | undefined, userEmail: string): EndpointInfo;
+interface SyncResult {
+    ingested: number;
+    skipped: string;
+}
+/**
+ * Push a batch of events to app.panguard.ai under the current workspace.
+ * Returns the number ingested. Non-throwing: any error is logged and the
+ * function returns `{ ingested: 0, skipped: <reason> }`.
+ */
+export declare function syncEvents(events: WorkspaceEvent[], opts?: {
+    appUrl?: string;
+    panguardVersion?: string;
+    /** Print a one-line success/failure summary to stdout. Default false. */
+    verbose?: boolean;
+}): Promise<SyncResult>;
+export interface AuditFindingLike {
+    ruleId?: string;
+    severity?: string;
+    title?: string;
+    description?: string;
+    [key: string]: unknown;
+}
+/**
+ * Build a WorkspaceEvent[] from an audit report's findings + a scan summary row.
+ * This is the shared shape emitted by both `pga audit` and `pga scan`.
+ */
+export declare function buildEventsFromAuditReport(args: {
+    target: string;
+    targetHash?: string;
+    riskLevel: string;
+    riskScore: number;
+    findings: AuditFindingLike[];
+    skillName?: string;
+}): WorkspaceEvent[];
+export {};
+//# sourceMappingURL=workspace-sync.d.ts.map

package/dist/cli/workspace-sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-sync.d.ts","sourceRoot":"","sources":["../../src/cli/workspace-sync.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAcH,UAAU,QAAQ;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wBAAgB,WAAW,IAAI,QAAQ,GAAG,IAAI,CAS7C;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAUhE;AAID,MAAM,MAAM,SAAS,GACjB,iBAAiB,GACjB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,gBAAgB,GAChB,gBAAgB,CAAC;AAErB,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvE,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD,wBAAgB,eAAe,CAC7B,eAAe,EAAE,MAAM,GAAG,SAAS,EACnC,SAAS,EAAE,MAAM,GAChB,YAAY,CAed;AAID,UAAU,UAAU;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,cAAc,EAAE,EACxB,IAAI,CAAC,EAAE;IACL,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yEAAyE;IACzE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,UAAU,CAAC,CA2ErB;AAID,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAWD;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE;IAC/C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,GAAG,cAAc,EAAE,CAoCnB"}

package/dist/cli/workspace-sync.js

@@ -0,0 +1,199 @@
+/**
+ * workspace-sync.ts — push scan events to app.panguard.ai when authenticated
+ *
+ * Flow:
+ *   1. `pga audit` / `pga scan` finish a scan locally (offline-first)
+ *   2. If ~/.panguard/auth.json exists (user has run `pga login`), this module
+ *      POSTs the findings to app.panguard.ai/api/v2/events so they appear in
+ *      the customer dashboard timeline.
+ *   3. Anonymous / Community users are unaffected — they continue to use the
+ *      existing TC telemetry path (tc.panguard.ai) via panguard-guard's
+ *      ThreatCloudClient.
+ *
+ * Privacy:
+ *   - Raw adversarial payloads are NEVER uploaded. Only: rule_id, severity,
+ *     target (path/URL), target_hash (sha256 of content), and a 1-line summary
+ *     produced by the CLI.
+ *   - Endpoint identification: a stable hash of machine-id + logged-in user.
+ *     Not the hostname itself, not the user's email.
+ *
+ * Failure mode:
+ *   - Network / HTTP failure is logged via `log.debug` and swallowed.
+ *   - 401 (token revoked/expired) prints ONE warning then deletes auth.json
+ *     so subsequent commands don't keep hitting the broken path.
+ *   - The main scan result printed to stdout is never altered by sync result.
+ */
+import { createHash } from 'node:crypto';
+import { readFileSync, unlinkSync } from 'node:fs';
+import { homedir, hostname, platform } from 'node:os';
+import { join } from 'node:path';
+import { c, symbols } from '@panguard-ai/core';
+const DEFAULT_APP_URL = 'https://app.panguard.ai';
+const AUTH_JSON_RELATIVE = '.panguard/auth.json';
+const TIMEOUT_MS = 5000;
+export function authJsonPath() {
+    return join(homedir(), AUTH_JSON_RELATIVE);
+}
+export function tryLoadAuth() {
+    try {
+        const raw = readFileSync(authJsonPath(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (!parsed.api_key || !parsed.workspace_id)
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Headers to pass on any CLI → tc.panguard.ai request when the user is
+ * authenticated to a paid workspace. Harmless when TC doesn't know about
+ * workspaces yet (TC ignores unknown headers); enables retroactive
+ * correlation once TC gains workspace-aware endpoints.
+ *
+ * Returns an empty object if the user is anonymous (Community tier) so
+ * Community behaviour is byte-identical to pre-Phase-2 code.
+ */
+export function getTcCorrelationHeaders() {
+    const auth = tryLoadAuth();
+    if (!auth)
+        return {};
+    const headers = {
+        'X-Panguard-Workspace-Id': auth.workspace_id,
+    };
+    if (auth.tc_org_id) {
+        headers['X-Panguard-Tc-Org-Id'] = auth.tc_org_id;
+    }
+    return headers;
+}
+// ─── Stable endpoint id (not PII) ──────────────────────────────────────────
+let cachedMachineId = null;
+export function getEndpointInfo(panguardVersion, userEmail) {
+    if (!cachedMachineId) {
+        // Combine OS hostname + userEmail (from auth) + node arch → sha256.
+        // Server never sees the raw values, and the hash is stable across runs of
+        // the same user on the same machine, giving the dashboard a useful
+        // "endpoint" without leaking hostname or email to the database.
+        const seed = `${hostname()}::${userEmail}::${process.arch}`;
+        cachedMachineId = 'm_' + createHash('sha256').update(seed).digest('hex').slice(0, 48);
+    }
+    return {
+        machine_id: cachedMachineId,
+        hostname: hostname(),
+        os_type: platform(),
+        ...(panguardVersion ? { panguard_version: panguardVersion } : {}),
+    };
+}
+/**
+ * Push a batch of events to app.panguard.ai under the current workspace.
+ * Returns the number ingested. Non-throwing: any error is logged and the
+ * function returns `{ ingested: 0, skipped: <reason> }`.
+ */
+export async function syncEvents(events, opts) {
+    if (events.length === 0) {
+        return { ingested: 0, skipped: 'empty' };
+    }
+    const auth = tryLoadAuth();
+    if (!auth) {
+        // Not authenticated — not an error, just means Community mode.
+        return { ingested: 0, skipped: 'anonymous' };
+    }
+    const appUrl = (opts?.appUrl ?? process.env['PANGUARD_APP_URL'] ?? DEFAULT_APP_URL).replace(/\/$/, '');
+    const endpoint = getEndpointInfo(opts?.panguardVersion, auth.user_email);
+    const body = { events, endpoint };
+    try {
+        const res = await fetch(`${appUrl}/api/v2/events`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${auth.api_key}`,
+                'User-Agent': `panguard-cli/${opts?.panguardVersion ?? 'unknown'}`,
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(TIMEOUT_MS),
+        });
+        if (res.status === 401) {
+            // Token revoked or expired — clear auth.json so future commands go
+            // anonymous instead of repeatedly failing.
+            try {
+                unlinkSync(authJsonPath());
+            }
+            catch {
+                // fine
+            }
+            if (opts?.verbose) {
+                console.log(`  ${c.caution(symbols.warn)} ${c.dim('Session expired. Run')} ${c.sage('pga login')} ${c.dim('to reconnect.')}`);
+            }
+            return { ingested: 0, skipped: 'auth_revoked' };
+        }
+        if (!res.ok) {
+            if (opts?.verbose) {
+                console.log(`  ${c.caution(symbols.warn)} ${c.dim(`Dashboard sync failed (HTTP ${res.status}) — results are local only.`)}`);
+            }
+            return { ingested: 0, skipped: `http_${res.status}` };
+        }
+        const parsed = (await res.json().catch(() => ({})));
+        const ingested = typeof parsed.ingested === 'number' ? parsed.ingested : events.length;
+        if (opts?.verbose) {
+            console.log(`  ${c.safe(symbols.pass)} ${c.dim(`${ingested} event${ingested === 1 ? '' : 's'} synced to`)} ${c.sage(auth.workspace_name)}`);
+        }
+        return { ingested, skipped: '' };
+    }
+    catch (err) {
+        // Network / timeout / malformed response. Swallow — offline-first principle.
+        if (opts?.verbose) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.log(`  ${c.dim(`Dashboard sync skipped (${msg.slice(0, 60)}) — results are local only.`)}`);
+        }
+        return { ingested: 0, skipped: 'network_error' };
+    }
+}
+/** Convert a normalized severity string (from audit/scan reports) to the allowed enum. */
+function normalizeSeverity(s) {
+    const lower = (s ?? '').toLowerCase();
+    if (lower === 'critical' || lower === 'high' || lower === 'medium' || lower === 'low') {
+        return lower;
+    }
+    return 'info';
+}
+/**
+ * Build a WorkspaceEvent[] from an audit report's findings + a scan summary row.
+ * This is the shared shape emitted by both `pga audit` and `pga scan`.
+ */
+export function buildEventsFromAuditReport(args) {
+    const out = [];
+    // One event per rule match — this is the unit of compliance evidence.
+    for (const f of args.findings) {
+        if (!f.ruleId)
+            continue;
+        out.push({
+            event_type: 'scan.rule_match',
+            severity: normalizeSeverity(typeof f.severity === 'string' ? f.severity : undefined),
+            rule_id: f.ruleId,
+            target: args.target,
+            ...(args.targetHash ? { target_hash: args.targetHash } : {}),
+            payload_summary: (typeof f.title === 'string' ? f.title : `${f.ruleId} match`).slice(0, 200),
+            metadata: {
+                skill_name: args.skillName ?? undefined,
+            },
+        });
+    }
+    // One summary event per scan run (lets the dashboard show "scans/day" even
+    // when findings are zero).
+    out.push({
+        event_type: 'scan.completed',
+        severity: 'info',
+        target: args.target,
+        ...(args.targetHash ? { target_hash: args.targetHash } : {}),
+        payload_summary: `Scan completed — risk=${args.riskLevel}, score=${args.riskScore}, findings=${args.findings.length}`,
+        metadata: {
+            risk_level: args.riskLevel,
+            risk_score: args.riskScore,
+            findings_count: args.findings.length,
+            skill_name: args.skillName ?? undefined,
+        },
+    });
+    return out;
+}
+//# sourceMappingURL=workspace-sync.js.map

package/dist/cli/workspace-sync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-sync.js","sourceRoot":"","sources":["../../src/cli/workspace-sync.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACtD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,eAAe,GAAG,yBAAyB,CAAC;AAClD,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AACjD,MAAM,UAAU,GAAG,IAAI,CAAC;AAqBxB,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,EAAE,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QACzD,OAAO,MAAkB,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,MAAM,OAAO,GAA2B;QACtC,yBAAyB,EAAE,IAAI,CAAC,YAAY;KAC7C,CAAC;IACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAgCD,8EAA8E;AAE9E,IAAI,eAAe,GAAkB,IAAI,CAAC;AAE1C,MAAM,UAAU,eAAe,CAC7B,eAAmC,EACnC,SAAiB;IAEjB,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,oEAAoE;QACpE,0EAA0E;QAC1E,mEAAmE;QACnE,gEAAgE;QAChE,MAAM,IAAI,GAAG,GAAG,QAAQ,EAAE,KAAK,SAAS,KAAK,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5D,eAAe,GAAG,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,OAAO;QACL,UAAU,EAAE,eAAe;QAC3B,QAAQ,EAAE,QAAQ,EAAE;QACpB,OAAO,EAAE,QAAQ,EAAE;QACnB,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AASD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAwB,EACxB,IAKC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,+DAA+D;QAC/D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,eAAe,CAAC,CAAC,OAAO,CACzF,KAAK,EACL,EAAE,CACH,CAAC;IACF,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAEzE,MAAM,IAAI,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,gBAAgB,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,OAAO,EAAE;gBACvC,YAAY,EAAE,gBAAgB,IAAI,EAAE,eAAe,IAAI,SAAS,EAAE;aACnE;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;YAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC;SACxC,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,mEAAmE;YACnE,2CAA2C;YAC3C,IAAI,CAAC;gBACH,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;YACT,CAAC;YACD,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CACjH,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;QAClD,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,+BAA+B,GAAG,CAAC,MAAM,6BAA6B,CAAC,EAAE,CAChH,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACxD,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA0B,CAAC;QAC7E,MAAM,QAAQ,GAAG,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;QAEvF,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,QAAQ,SAAS,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAC/H,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6EAA6E;QAC7E,IAAI,IAAI,EAAE,OAAO,EAAE,CAAC;YAClB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,GAAG,CAAC,2BAA2B,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,6BAA6B,CAAC,EAAE,CACvF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;IACnD,CAAC;AACH,CAAC;AAYD,0FAA0F;AAC1F,SAAS,iBAAiB,CAAC,CAAqB;IAC9C,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACtC,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACtF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,IAO1C;IACC,MAAM,GAAG,GAAqB,EAAE,CAAC;IAEjC,sEAAsE;IACtE,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,GAAG,CAAC,IAAI,CAAC;YACP,UAAU,EAAE,iBAAiB;YAC7B,QAAQ,EAAE,iBAAiB,CAAC,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,eAAe,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAC5F,QAAQ,EAAE;gBACR,UAAU,EAAE,IAAI,CAAC,SAAS,IAAI,SAAS;aACxC;SACF,CAAC,CAAC;IACL,CAAC;IAED,2EAA2E;IAC3E,2BAA2B;IAC3B,GAAG,CAAC,IAAI,CAAC;QACP,UAAU,EAAE,gBAAgB;QAC5B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,eAAe,EAAE,yBAAyB,IAAI,CAAC,SAAS,WAAW,IAAI,CAAC,SAAS,cAAc,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;QACrH,QAAQ,EAAE;YACR,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YACpC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAI,SAAS;SACxC;KACF,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@panguard-ai/panguard",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -37,23 +37,28 @@
   ],
   "dependencies": {
     "commander": "^12.0.0",
+    "js-yaml": "^4.1.0",
+    "pdfkit": "^0.15.0",
     "zod": "^3.24.0",
-    "@panguard-ai/atr": "1.5.1",
-    "@panguard-ai/security-hardening": "1.0.1",
-    "@panguard-ai/scan-core": "1.4.2",
-    "@panguard-ai/core": "1.3.3",
-    "@panguard-ai/panguard-scan": "1.3.2",
-    "@panguard-ai/panguard-guard": "2.0.3",
-    "@panguard-ai/panguard-chat": "1.3.1",
-    "@panguard-ai/panguard-skill-auditor": "1.4.5",
-    "@panguard-ai/panguard-mcp": "1.3.2"
+    "@panguard-ai/core": "1.5.5",
+    "@panguard-ai/panguard-scan": "1.5.5",
+    "@panguard-ai/atr": "1.5.5",
+    "@panguard-ai/panguard-guard": "1.5.5",
+    "@panguard-ai/security-hardening": "1.5.5",
+    "@panguard-ai/panguard-skill-auditor": "1.5.5",
+    "@panguard-ai/panguard-chat": "1.5.5",
+    "@panguard-ai/scan-core": "1.5.5",
+    "@panguard-ai/panguard-mcp": "1.5.5"
   },
   "optionalDependencies": {
-    "@panguard-ai/panguard-trap": "1.3.1",
-    "@panguard-ai/threat-cloud": "1.4.2"
+    "agent-threat-rules": "^2.1.1",
+    "@panguard-ai/threat-cloud": "1.5.5",
+    "@panguard-ai/panguard-trap": "1.5.5"
   },
   "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
     "@types/node": "^22.14.0",
+    "@types/pdfkit": "^0.13.0",
     "typescript": "~5.7.3"
   },
   "scripts": {