@panguard-ai/security-hardening 0.1.0

package/dist/credentials/migration.js

@@ -0,0 +1,122 @@
+/**
+ * Migrate plaintext credentials to secure storage
+ * 將明文憑證遷移到安全儲存
+ *
+ * @module @panguard-ai/security-hardening/credentials/migration
+ */
+import { existsSync, readdirSync, readFileSync, renameSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('credentials:migration');
+/** Default Panguard credentials directory / 預設 Panguard 憑證目錄 */
+const DEFAULT_CREDENTIALS_DIR = join(homedir(), '.panguard', 'credentials');
+/**
+ * Known credential file patterns
+ * 已知的憑證檔案模式
+ */
+const CREDENTIAL_PATTERNS = [
+    { pattern: /^telegram[._-]?token$/i, service: 'telegram', account: 'bot' },
+    { pattern: /^slack[._-]?token$/i, service: 'slack', account: 'default' },
+    { pattern: /^discord[._-]?token$/i, service: 'discord', account: 'bot' },
+    { pattern: /^openai[._-]?(key|token)$/i, service: 'openai', account: 'default' },
+    { pattern: /^claude[._-]?(key|token)$/i, service: 'claude', account: 'default' },
+    { pattern: /^line[._-]?token$/i, service: 'line', account: 'default' },
+    { pattern: /^whatsapp[._-]?token$/i, service: 'whatsapp', account: 'default' },
+    { pattern: /^signal[._-]?token$/i, service: 'signal', account: 'default' },
+];
+/**
+ * Scan for plaintext credential files
+ * 掃描明文憑證檔案
+ *
+ * @param credentialsDir - Directory to scan / 要掃描的目錄
+ * @returns Array of found plaintext credentials / 找到的明文憑證陣列
+ */
+export function scanPlaintextCredentials(credentialsDir = DEFAULT_CREDENTIALS_DIR) {
+    if (!existsSync(credentialsDir)) {
+        logger.info('Credentials directory not found, no plaintext credentials', { credentialsDir });
+        return [];
+    }
+    const credentials = [];
+    let files;
+    try {
+        files = readdirSync(credentialsDir);
+    }
+    catch (error) {
+        logger.error('Failed to read credentials directory', { credentialsDir, error: String(error) });
+        return [];
+    }
+    for (const file of files) {
+        // Skip backup files and hidden files
+        if (file.startsWith('.') || file.endsWith('.backup') || file.endsWith('.enc')) {
+            continue;
+        }
+        const filePath = join(credentialsDir, file);
+        // Match against known patterns
+        for (const { pattern, service, account } of CREDENTIAL_PATTERNS) {
+            if (pattern.test(file)) {
+                try {
+                    const value = readFileSync(filePath, 'utf-8').trim();
+                    if (value.length > 0) {
+                        credentials.push({ service, account, value, filePath });
+                        logger.warn('Plaintext credential found', { service, account, filePath });
+                    }
+                }
+                catch (error) {
+                    logger.error('Failed to read credential file', { filePath, error: String(error) });
+                }
+                break;
+            }
+        }
+    }
+    return credentials;
+}
+/**
+ * Migrate plaintext credentials to secure storage
+ * 將明文憑證遷移到安全儲存
+ *
+ * @param store - Target credential store / 目標憑證儲存
+ * @param credentialsDir - Source directory / 來源目錄
+ * @param dryRun - If true, only report without migrating / 僅報告而不遷移
+ * @returns Migration report / 遷移報告
+ */
+export async function migrateCredentials(store, credentialsDir = DEFAULT_CREDENTIALS_DIR, dryRun = false) {
+    const credentials = scanPlaintextCredentials(credentialsDir);
+    const report = {
+        scanned: credentials.length,
+        migrated: 0,
+        failed: 0,
+        errors: [],
+    };
+    if (credentials.length === 0) {
+        logger.info('No plaintext credentials found to migrate');
+        return report;
+    }
+    logger.info(`Found ${credentials.length} plaintext credential(s)`, { dryRun });
+    for (const { service, account, value, filePath } of credentials) {
+        if (dryRun) {
+            logger.info('[DRY RUN] Would migrate credential', { service, account });
+            report.migrated++;
+            continue;
+        }
+        try {
+            await store.set(service, account, value);
+            renameSync(filePath, `${filePath}.backup`);
+            logger.info('Credential migrated successfully', { service, account });
+            report.migrated++;
+        }
+        catch (error) {
+            const msg = `Failed to migrate ${service}:${account}: ${String(error)}`;
+            logger.error(msg);
+            report.errors.push(msg);
+            report.failed++;
+        }
+    }
+    logger.info('Migration complete', {
+        scanned: report.scanned,
+        migrated: report.migrated,
+        failed: report.failed,
+    });
+    return report;
+}
+//# sourceMappingURL=migration.js.map

package/dist/credentials/migration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../src/credentials/migration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD,MAAM,MAAM,GAAG,YAAY,CAAC,uBAAuB,CAAC,CAAC;AAErD,gEAAgE;AAChE,MAAM,uBAAuB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;AAa5E;;;GAGG;AACH,MAAM,mBAAmB,GAAiE;IACxF,EAAE,OAAO,EAAE,wBAAwB,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE;IAC1E,EAAE,OAAO,EAAE,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE;IACxE,EAAE,OAAO,EAAE,uBAAuB,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;IACxE,EAAE,OAAO,EAAE,4BAA4B,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE;IAChF,EAAE,OAAO,EAAE,4BAA4B,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE;IAChF,EAAE,OAAO,EAAE,oBAAoB,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE;IACtE,EAAE,OAAO,EAAE,wBAAwB,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE;IAC9E,EAAE,OAAO,EAAE,sBAAsB,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE;CAC3E,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,iBAAyB,uBAAuB;IAEhD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,2DAA2D,EAAE,EAAE,cAAc,EAAE,CAAC,CAAC;QAC7F,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,WAAW,GAA0B,EAAE,CAAC;IAE9C,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,KAAK,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC/F,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,qCAAqC;QACrC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9E,SAAS;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;QAE5C,+BAA+B;QAC/B,KAAK,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAChE,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;oBACrD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACrB,WAAW,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;wBACxD,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC5E,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBACrF,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAsB,EACtB,iBAAyB,uBAAuB,EAChD,MAAM,GAAG,KAAK;IAEd,MAAM,WAAW,GAAG,wBAAwB,CAAC,cAAc,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,WAAW,CAAC,MAAM;QAC3B,QAAQ,EAAE,CAAC;QACX,MAAM,EAAE,CAAC;QACT,MAAM,EAAE,EAAE;KACX,CAAC;IAEF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,SAAS,WAAW,CAAC,MAAM,0BAA0B,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAE/E,KAAK,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,WAAW,EAAE,CAAC;QAChE,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YACxE,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,SAAS;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YACzC,UAAU,CAAC,QAAQ,EAAE,GAAG,QAAQ,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,qBAAqB,OAAO,IAAI,OAAO,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE;QAChC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Panguard AI Hardening Library
+ * Panguard 安全強化函式庫
+ *
+ * Provides security fixes and hardening for Panguard AI Agent framework.
+ * Addresses CVE-2026-25253, credential storage, skill sandboxing,
+ * permission minimization, and audit logging.
+ * 為 Panguard AI Agent 框架提供安全修復和強化。
+ * 處理 CVE-2026-25253、憑證儲存、技能沙盒、權限最小化和稽核日誌。
+ *
+ * @module @panguard-ai/security-hardening
+ */
+export type { SecurityPolicy, CsrfToken, OriginConfig, AuditAction, AuditEvent, CredentialStore, VulnerabilityFinding, SecurityAuditReport, MigrationReport, } from './types.js';
+export { validateOrigin, createOriginValidator } from './websocket/index.js';
+export { CsrfTokenManager } from './websocket/index.js';
+export { validateGatewayUrl, sanitizeWebSocketUrl } from './websocket/index.js';
+export { InMemoryCredentialStore, EncryptedFileCredentialStore } from './credentials/index.js';
+export { scanPlaintextCredentials, migrateCredentials } from './credentials/index.js';
+export { isPathAllowed, createFilesystemGuard } from './sandbox/index.js';
+export { isCommandAllowed, createCommandValidator, DEFAULT_ALLOWED_COMMANDS, } from './sandbox/index.js';
+export { loadSecurityPolicy, isOperationAllowed, DEFAULT_SECURITY_POLICY, } from './permissions/index.js';
+export type { OperationType } from './permissions/index.js';
+export { logAuditEvent, logWebSocketConnect, logCredentialAccess, logFileAccess, logCommandExecution, logPolicyCheck, } from './audit/index.js';
+export { SyslogAdapter, formatSyslogMessage } from './audit/index.js';
+export { runSecurityAudit } from './scanner/index.js';
+/** Security hardening library version / 安全強化函式庫版本 */
+export declare const HARDENING_VERSION = "0.1.0";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,YAAY,EACV,cAAc,EACd,SAAS,EACT,YAAY,EACZ,WAAW,EACX,UAAU,EACV,eAAe,EACf,oBAAoB,EACpB,mBAAmB,EACnB,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGhF,OAAO,EAAE,uBAAuB,EAAE,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAC/F,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAG5D,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,mBAAmB,EACnB,cAAc,GACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAGtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,qDAAqD;AACrD,eAAO,MAAM,iBAAiB,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,32 @@
+/**
+ * Panguard AI Hardening Library
+ * Panguard 安全強化函式庫
+ *
+ * Provides security fixes and hardening for Panguard AI Agent framework.
+ * Addresses CVE-2026-25253, credential storage, skill sandboxing,
+ * permission minimization, and audit logging.
+ * 為 Panguard AI Agent 框架提供安全修復和強化。
+ * 處理 CVE-2026-25253、憑證儲存、技能沙盒、權限最小化和稽核日誌。
+ *
+ * @module @panguard-ai/security-hardening
+ */
+// WebSocket Security (CVE-2026-25253)
+export { validateOrigin, createOriginValidator } from './websocket/index.js';
+export { CsrfTokenManager } from './websocket/index.js';
+export { validateGatewayUrl, sanitizeWebSocketUrl } from './websocket/index.js';
+// Credential Security
+export { InMemoryCredentialStore, EncryptedFileCredentialStore } from './credentials/index.js';
+export { scanPlaintextCredentials, migrateCredentials } from './credentials/index.js';
+// Skill Sandbox
+export { isPathAllowed, createFilesystemGuard } from './sandbox/index.js';
+export { isCommandAllowed, createCommandValidator, DEFAULT_ALLOWED_COMMANDS, } from './sandbox/index.js';
+// Permissions
+export { loadSecurityPolicy, isOperationAllowed, DEFAULT_SECURITY_POLICY, } from './permissions/index.js';
+// Audit Logging
+export { logAuditEvent, logWebSocketConnect, logCredentialAccess, logFileAccess, logCommandExecution, logPolicyCheck, } from './audit/index.js';
+export { SyslogAdapter, formatSyslogMessage } from './audit/index.js';
+// Security Scanner
+export { runSecurityAudit } from './scanner/index.js';
+/** Security hardening library version / 安全強化函式庫版本 */
+export const HARDENING_VERSION = '0.1.0';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAeH,sCAAsC;AACtC,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEhF,sBAAsB;AACtB,OAAO,EAAE,uBAAuB,EAAE,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAC/F,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,gBAAgB;AAChB,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,cAAc;AACd,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,wBAAwB,CAAC;AAGhC,gBAAgB;AAChB,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,mBAAmB,EACnB,cAAc,GACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEtE,mBAAmB;AACnB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,qDAAqD;AACrD,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC"}

package/dist/permissions/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Permission and security policy module
+ * 權限與安全政策模組
+ *
+ * @module @panguard-ai/security-hardening/permissions
+ */
+export { loadSecurityPolicy, isOperationAllowed, DEFAULT_SECURITY_POLICY, SecurityPolicySchema, } from './security-policy.js';
+export type { OperationType } from './security-policy.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/permissions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/permissions/index.js

@@ -0,0 +1,8 @@
+/**
+ * Permission and security policy module
+ * 權限與安全政策模組
+ *
+ * @module @panguard-ai/security-hardening/permissions
+ */
+export { loadSecurityPolicy, isOperationAllowed, DEFAULT_SECURITY_POLICY, SecurityPolicySchema, } from './security-policy.js';
+//# sourceMappingURL=index.js.map

package/dist/permissions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,sBAAsB,CAAC"}

package/dist/permissions/security-policy.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Security policy configuration and enforcement
+ * 安全政策配置與執行
+ *
+ * @module @panguard-ai/security-hardening/permissions/security-policy
+ */
+import { z } from 'zod';
+import type { SecurityPolicy } from '../types.js';
+/**
+ * Zod schema for security policy validation
+ * 安全政策驗證的 Zod schema
+ */
+export declare const SecurityPolicySchema: z.ZodObject<{
+    allowShellAccess: z.ZodDefault<z.ZodBoolean>;
+    allowedDirectories: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    allowedCommands: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    requireCsrfToken: z.ZodDefault<z.ZodBoolean>;
+    allowedOrigins: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    enableAuditLog: z.ZodDefault<z.ZodBoolean>;
+    syslogServer: z.ZodOptional<z.ZodString>;
+    syslogPort: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    allowShellAccess: boolean;
+    allowedDirectories: string[];
+    allowedCommands: string[];
+    requireCsrfToken: boolean;
+    allowedOrigins: string[];
+    enableAuditLog: boolean;
+    syslogServer?: string | undefined;
+    syslogPort?: number | undefined;
+}, {
+    allowShellAccess?: boolean | undefined;
+    allowedDirectories?: string[] | undefined;
+    allowedCommands?: string[] | undefined;
+    requireCsrfToken?: boolean | undefined;
+    allowedOrigins?: string[] | undefined;
+    enableAuditLog?: boolean | undefined;
+    syslogServer?: string | undefined;
+    syslogPort?: number | undefined;
+}>;
+/**
+ * Default security policy (restricted mode)
+ * 預設安全政策（受限模式）
+ *
+ * Shell access disabled, CSRF required, audit logging enabled.
+ * Shell 存取停用、CSRF 必要、稽核日誌啟用。
+ */
+export declare const DEFAULT_SECURITY_POLICY: SecurityPolicy;
+/**
+ * Operation types that can be checked against policy
+ * 可以根據政策檢查的操作類型
+ */
+export type OperationType = 'shell' | 'file_read' | 'file_write' | 'command' | 'network';
+/**
+ * Load and validate a security policy from configuration
+ * 從配置載入並驗證安全政策
+ *
+ * Falls back to default restricted policy on validation failure.
+ * 驗證失敗時回退到預設的受限政策。
+ *
+ * @param config - Raw configuration object / 原始配置物件
+ * @returns Validated security policy / 驗證後的安全政策
+ */
+export declare function loadSecurityPolicy(config: unknown): SecurityPolicy;
+/**
+ * Check if an operation is allowed by the current policy
+ * 檢查操作是否被目前的政策允許
+ *
+ * @param operation - Operation type / 操作類型
+ * @param policy - Security policy / 安全政策
+ * @returns true if operation is allowed / 操作被允許則回傳 true
+ */
+export declare function isOperationAllowed(operation: OperationType, policy: SecurityPolicy): boolean;
+//# sourceMappingURL=security-policy.d.ts.map

package/dist/permissions/security-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-policy.d.ts","sourceRoot":"","sources":["../../src/permissions/security-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAIlD;;;GAGG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAS/B,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAOrC,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,WAAW,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS,CAAC;AAEzF;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG,cAAc,CA0BlE;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CA0B5F"}

package/dist/permissions/security-policy.js

@@ -0,0 +1,109 @@
+/**
+ * Security policy configuration and enforcement
+ * 安全政策配置與執行
+ *
+ * @module @panguard-ai/security-hardening/permissions/security-policy
+ */
+import { z } from 'zod';
+import { createLogger, validateInput } from '@panguard-ai/core';
+const logger = createLogger('permissions:security-policy');
+/**
+ * Zod schema for security policy validation
+ * 安全政策驗證的 Zod schema
+ */
+export const SecurityPolicySchema = z.object({
+    allowShellAccess: z.boolean().default(false),
+    allowedDirectories: z.array(z.string()).default([]),
+    allowedCommands: z.array(z.string()).default([]),
+    requireCsrfToken: z.boolean().default(true),
+    allowedOrigins: z.array(z.string()).default(['http://localhost:18789', 'http://127.0.0.1:18789']),
+    enableAuditLog: z.boolean().default(true),
+    syslogServer: z.string().optional(),
+    syslogPort: z.number().int().min(1).max(65535).optional(),
+});
+/**
+ * Default security policy (restricted mode)
+ * 預設安全政策（受限模式）
+ *
+ * Shell access disabled, CSRF required, audit logging enabled.
+ * Shell 存取停用、CSRF 必要、稽核日誌啟用。
+ */
+export const DEFAULT_SECURITY_POLICY = {
+    allowShellAccess: false,
+    allowedDirectories: [],
+    allowedCommands: [],
+    requireCsrfToken: true,
+    allowedOrigins: ['http://localhost:18789', 'http://127.0.0.1:18789'],
+    enableAuditLog: true,
+};
+/**
+ * Load and validate a security policy from configuration
+ * 從配置載入並驗證安全政策
+ *
+ * Falls back to default restricted policy on validation failure.
+ * 驗證失敗時回退到預設的受限政策。
+ *
+ * @param config - Raw configuration object / 原始配置物件
+ * @returns Validated security policy / 驗證後的安全政策
+ */
+export function loadSecurityPolicy(config) {
+    try {
+        const parsed = validateInput(SecurityPolicySchema, config);
+        // Zod .default() guarantees all required fields after parsing
+        const policy = {
+            allowShellAccess: parsed.allowShellAccess ?? false,
+            allowedDirectories: parsed.allowedDirectories ?? [],
+            allowedCommands: parsed.allowedCommands ?? [],
+            requireCsrfToken: parsed.requireCsrfToken ?? true,
+            allowedOrigins: parsed.allowedOrigins ?? ['http://localhost:18789', 'http://127.0.0.1:18789'],
+            enableAuditLog: parsed.enableAuditLog ?? true,
+            syslogServer: parsed.syslogServer,
+            syslogPort: parsed.syslogPort,
+        };
+        logger.info('Security policy loaded', {
+            allowShellAccess: policy.allowShellAccess,
+            requireCsrfToken: policy.requireCsrfToken,
+            enableAuditLog: policy.enableAuditLog,
+        });
+        return policy;
+    }
+    catch (error) {
+        logger.error('Failed to load security policy, using restricted defaults', {
+            error: String(error),
+        });
+        return DEFAULT_SECURITY_POLICY;
+    }
+}
+/**
+ * Check if an operation is allowed by the current policy
+ * 檢查操作是否被目前的政策允許
+ *
+ * @param operation - Operation type / 操作類型
+ * @param policy - Security policy / 安全政策
+ * @returns true if operation is allowed / 操作被允許則回傳 true
+ */
+export function isOperationAllowed(operation, policy) {
+    let allowed;
+    switch (operation) {
+        case 'shell':
+            allowed = policy.allowShellAccess;
+            break;
+        case 'file_read':
+        case 'file_write':
+            allowed = policy.allowedDirectories.length > 0;
+            break;
+        case 'command':
+            allowed = policy.allowedCommands.length > 0 || policy.allowShellAccess;
+            break;
+        case 'network':
+            allowed = true; // Network is allowed by default, controlled separately
+            break;
+        default:
+            allowed = false;
+    }
+    if (!allowed) {
+        logger.warn('Operation blocked by security policy', { operation });
+    }
+    return allowed;
+}
+//# sourceMappingURL=security-policy.js.map

package/dist/permissions/security-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-policy.js","sourceRoot":"","sources":["../../src/permissions/security-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGhE,MAAM,MAAM,GAAG,YAAY,CAAC,6BAA6B,CAAC,CAAC;AAE3D;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAC5C,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACnD,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAChD,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3C,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,wBAAwB,EAAE,wBAAwB,CAAC,CAAC;IACjG,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACzC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE;CAC1D,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAmB;IACrD,gBAAgB,EAAE,KAAK;IACvB,kBAAkB,EAAE,EAAE;IACtB,eAAe,EAAE,EAAE;IACnB,gBAAgB,EAAE,IAAI;IACtB,cAAc,EAAE,CAAC,wBAAwB,EAAE,wBAAwB,CAAC;IACpE,cAAc,EAAE,IAAI;CACrB,CAAC;AAQF;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAe;IAChD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,aAAa,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC3D,8DAA8D;QAC9D,MAAM,MAAM,GAAmB;YAC7B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,KAAK;YAClD,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,EAAE;YACnD,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,EAAE;YAC7C,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;YACjD,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,CAAC,wBAAwB,EAAE,wBAAwB,CAAC;YAC7F,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI;YAC7C,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE;YACpC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,2DAA2D,EAAE;YACxE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;QACH,OAAO,uBAAuB,CAAC;IACjC,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAwB,EAAE,MAAsB;IACjF,IAAI,OAAgB,CAAC;IAErB,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,OAAO;YACV,OAAO,GAAG,MAAM,CAAC,gBAAgB,CAAC;YAClC,MAAM;QACR,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY;YACf,OAAO,GAAG,MAAM,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC;YAC/C,MAAM;QACR,KAAK,SAAS;YACZ,OAAO,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC;YACvE,MAAM;QACR,KAAK,SAAS;YACZ,OAAO,GAAG,IAAI,CAAC,CAAC,uDAAuD;YACvE,MAAM;QACR;YACE,OAAO,GAAG,KAAK,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/sandbox/command-whitelist.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Command whitelist for safe execution
+ * 安全執行的命令白名單
+ *
+ * Prevents Skills from executing arbitrary commands.
+ * 防止 Skills 執行任意命令。
+ *
+ * @module @panguard-ai/security-hardening/sandbox/command-whitelist
+ */
+/**
+ * Default allowed commands (safe, read-only utilities)
+ * 預設允許的命令（安全、唯讀工具）
+ */
+export declare const DEFAULT_ALLOWED_COMMANDS: readonly string[];
+/**
+ * Extract base command name from a command string
+ * 從命令字串中提取基礎命令名稱
+ *
+ * @param command - Full command string / 完整命令字串
+ * @returns Base command name / 基礎命令名稱
+ */
+export declare function extractBaseCommand(command: string): string;
+/**
+ * Check if a command is in the whitelist
+ * 檢查命令是否在白名單中
+ *
+ * @param command - Command to check / 要檢查的命令
+ * @param whitelist - Allowed commands / 允許的命令
+ * @returns true if command is allowed / 命令被允許則回傳 true
+ */
+export declare function isCommandAllowed(command: string, whitelist?: readonly string[]): boolean;
+/**
+ * Create a command validator function
+ * 建立命令驗證器函式
+ *
+ * Returns a function that throws if a command is not whitelisted.
+ * 回傳一個在命令未列入白名單時拋出錯誤的函式。
+ *
+ * @param whitelist - Allowed commands / 允許的命令
+ * @returns Validator function / 驗證器函式
+ */
+export declare function createCommandValidator(whitelist?: readonly string[]): (command: string) => void;
+//# sourceMappingURL=command-whitelist.d.ts.map

package/dist/sandbox/command-whitelist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-whitelist.d.ts","sourceRoot":"","sources":["../../src/sandbox/command-whitelist.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EAe5C,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAO1D;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,SAAS,MAAM,EAA6B,GACtD,OAAO,CAWT;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,GAAE,SAAS,MAAM,EAA6B,aAC3E,MAAM,KAAG,IAAI,CAQ/B"}

package/dist/sandbox/command-whitelist.js

@@ -0,0 +1,84 @@
+/**
+ * Command whitelist for safe execution
+ * 安全執行的命令白名單
+ *
+ * Prevents Skills from executing arbitrary commands.
+ * 防止 Skills 執行任意命令。
+ *
+ * @module @panguard-ai/security-hardening/sandbox/command-whitelist
+ */
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('sandbox:command-whitelist');
+/**
+ * Default allowed commands (safe, read-only utilities)
+ * 預設允許的命令（安全、唯讀工具）
+ */
+export const DEFAULT_ALLOWED_COMMANDS = [
+    'ls',
+    'cat',
+    'grep',
+    'find',
+    'head',
+    'tail',
+    'wc',
+    'echo',
+    'pwd',
+    'date',
+    'whoami',
+    'uname',
+    'node',
+    'git',
+];
+/**
+ * Extract base command name from a command string
+ * 從命令字串中提取基礎命令名稱
+ *
+ * @param command - Full command string / 完整命令字串
+ * @returns Base command name / 基礎命令名稱
+ */
+export function extractBaseCommand(command) {
+    const trimmed = command.trim();
+    // Get first token (before any spaces/args)
+    const firstToken = trimmed.split(/\s+/)[0] ?? trimmed;
+    // Get basename (after last /)
+    const basename = firstToken.split('/').pop() ?? firstToken;
+    return basename;
+}
+/**
+ * Check if a command is in the whitelist
+ * 檢查命令是否在白名單中
+ *
+ * @param command - Command to check / 要檢查的命令
+ * @param whitelist - Allowed commands / 允許的命令
+ * @returns true if command is allowed / 命令被允許則回傳 true
+ */
+export function isCommandAllowed(command, whitelist = DEFAULT_ALLOWED_COMMANDS) {
+    const base = extractBaseCommand(command);
+    const allowed = whitelist.includes(base);
+    if (!allowed) {
+        logger.warn('Command blocked: not in whitelist', { command, baseCommand: base });
+    }
+    else {
+        logger.info('Command allowed', { command, baseCommand: base });
+    }
+    return allowed;
+}
+/**
+ * Create a command validator function
+ * 建立命令驗證器函式
+ *
+ * Returns a function that throws if a command is not whitelisted.
+ * 回傳一個在命令未列入白名單時拋出錯誤的函式。
+ *
+ * @param whitelist - Allowed commands / 允許的命令
+ * @returns Validator function / 驗證器函式
+ */
+export function createCommandValidator(whitelist = DEFAULT_ALLOWED_COMMANDS) {
+    return (command) => {
+        if (!isCommandAllowed(command, whitelist)) {
+            throw new Error(`Command execution denied: '${extractBaseCommand(command)}' is not whitelisted / ` +
+                `命令執行拒絕：'${extractBaseCommand(command)}' 未列入白名單`);
+        }
+    };
+}
+//# sourceMappingURL=command-whitelist.js.map

package/dist/sandbox/command-whitelist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-whitelist.js","sourceRoot":"","sources":["../../src/sandbox/command-whitelist.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,MAAM,GAAG,YAAY,CAAC,2BAA2B,CAAC,CAAC;AAEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsB;IACzD,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,QAAQ;IACR,OAAO;IACP,MAAM;IACN,KAAK;CACG,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,2CAA2C;IAC3C,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;IACtD,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC;IAC3D,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,YAA+B,wBAAwB;IAEvD,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;IACnF,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,YAA+B,wBAAwB;IAC5F,OAAO,CAAC,OAAe,EAAQ,EAAE;QAC/B,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CACb,8BAA8B,kBAAkB,CAAC,OAAO,CAAC,yBAAyB;gBAChF,WAAW,kBAAkB,CAAC,OAAO,CAAC,UAAU,CACnD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/sandbox/filesystem-guard.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Filesystem access control for Skills
+ * Skills 的檔案系統存取控制
+ *
+ * Restricts file access to whitelisted directories only.
+ * 限制檔案存取僅限白名單目錄。
+ *
+ * @module @panguard-ai/security-hardening/sandbox/filesystem-guard
+ */
+/**
+ * Check if a file path is within allowed directories
+ * 檢查檔案路徑是否在允許的目錄內
+ *
+ * @param filePath - File path to check / 要檢查的檔案路徑
+ * @param allowedDirs - Allowed directories / 允許的目錄
+ * @returns true if path is allowed / 路徑被允許則回傳 true
+ */
+export declare function isPathAllowed(filePath: string, allowedDirs: string[]): boolean;
+/**
+ * Create a filesystem guard function
+ * 建立檔案系統守衛函式
+ *
+ * Returns a function that throws if a path is not allowed.
+ * 回傳一個在路徑不被允許時拋出錯誤的函式。
+ *
+ * @param allowedDirs - Allowed directories / 允許的目錄
+ * @returns Guard function / 守衛函式
+ */
+export declare function createFilesystemGuard(allowedDirs: string[]): (filePath: string) => void;
+//# sourceMappingURL=filesystem-guard.d.ts.map

package/dist/sandbox/filesystem-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"filesystem-guard.d.ts","sourceRoot":"","sources":["../../src/sandbox/filesystem-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAOH;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CA6B9E;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,EAAE,cACvC,MAAM,KAAG,IAAI,CAQhC"}