@planu/cli 0.30.1 → 0.31.0

package/dist/engine/plugins/sandbox.d.ts

@@ -0,0 +1,20 @@
+import type { PluginContext, PluginPermission, PluginStorageAPI, PluginLogger } from '../../types/index.js';
+/**
+ * Creates a restricted storage API for a plugin.
+ * Plugins can only access their own data directory.
+ */
+export declare function createPluginStorage(pluginId: string, dataDir: string): PluginStorageAPI;
+/**
+ * Creates a scoped logger for a plugin.
+ */
+export declare function createPluginLogger(pluginId: string): PluginLogger;
+/**
+ * Creates a restricted PluginContext for a plugin.
+ */
+export declare function createPluginContext(pluginId: string, permissions: readonly PluginPermission[], dataDir: string): PluginContext;
+/**
+ * Wraps a plugin handler with timeout and error isolation.
+ * Returns the result or throws with a descriptive error.
+ */
+export declare function withPluginTimeout<T>(pluginId: string, operation: string, fn: () => Promise<T>, timeoutMs?: number): Promise<T>;
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/engine/plugins/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../../../src/engine/plugins/sandbox.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACb,MAAM,sBAAsB,CAAC;AAI9B;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,gBAAgB,CA2BvF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY,CAajE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,SAAS,gBAAgB,EAAE,EACxC,OAAO,EAAE,MAAM,GACd,aAAa,CAkCf;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,CAAC,EACvC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,SAAS,GAAE,MAA2B,GACrC,OAAO,CAAC,CAAC,CAAC,CAqBZ"}

package/dist/engine/plugins/sandbox.js

@@ -0,0 +1,111 @@
+// engine/plugins/sandbox.ts — Plugin isolation and context (SPEC-085 AC-08)
+import { readFile, writeFile, mkdir, readdir } from 'node:fs/promises';
+import { join } from 'node:path';
+const DEFAULT_TIMEOUT_MS = 30_000;
+/**
+ * Creates a restricted storage API for a plugin.
+ * Plugins can only access their own data directory.
+ */
+export function createPluginStorage(pluginId, dataDir) {
+    const pluginDataDir = join(dataDir, 'plugins', pluginId);
+    return {
+        read: async (key) => {
+            const filePath = join(pluginDataDir, `${key}.json`);
+            try {
+                const raw = await readFile(filePath, 'utf8');
+                return JSON.parse(raw);
+            }
+            catch {
+                return undefined;
+            }
+        },
+        write: async (key, value) => {
+            await mkdir(pluginDataDir, { recursive: true });
+            const filePath = join(pluginDataDir, `${key}.json`);
+            await writeFile(filePath, JSON.stringify(value, null, 2), 'utf8');
+        },
+        list: async () => {
+            try {
+                const files = await readdir(pluginDataDir);
+                return files.filter((f) => f.endsWith('.json')).map((f) => f.replace(/\.json$/, ''));
+            }
+            catch {
+                return [];
+            }
+        },
+    };
+}
+/**
+ * Creates a scoped logger for a plugin.
+ */
+export function createPluginLogger(pluginId) {
+    const prefix = `[plugin:${pluginId}]`;
+    return {
+        info: (message) => {
+            console.warn(`${prefix} [info] ${message}`);
+        },
+        warn: (message) => {
+            console.warn(`${prefix} ${message}`);
+        },
+        error: (message) => {
+            console.error(`${prefix} ${message}`);
+        },
+    };
+}
+/**
+ * Creates a restricted PluginContext for a plugin.
+ */
+export function createPluginContext(pluginId, permissions, dataDir) {
+    const hasStorageRead = permissions.includes('storage:read');
+    const hasStorageWrite = permissions.includes('storage:write');
+    const storage = createPluginStorage(pluginId, dataDir);
+    // Wrap storage to enforce permissions
+    const restrictedStorage = {
+        read: async (key) => {
+            if (!hasStorageRead && !hasStorageWrite) {
+                throw new Error(`Plugin "${pluginId}" does not have storage:read permission`);
+            }
+            return storage.read(key);
+        },
+        write: async (key, value) => {
+            if (!hasStorageWrite) {
+                throw new Error(`Plugin "${pluginId}" does not have storage:write permission`);
+            }
+            return storage.write(key, value);
+        },
+        list: async () => {
+            if (!hasStorageRead && !hasStorageWrite) {
+                throw new Error(`Plugin "${pluginId}" does not have storage:read permission`);
+            }
+            return storage.list();
+        },
+    };
+    return {
+        pluginId,
+        permissions,
+        storage: restrictedStorage,
+        logger: createPluginLogger(pluginId),
+    };
+}
+/**
+ * Wraps a plugin handler with timeout and error isolation.
+ * Returns the result or throws with a descriptive error.
+ */
+export async function withPluginTimeout(pluginId, operation, fn, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            reject(new Error(`Plugin "${pluginId}" operation "${operation}" timed out after ${String(timeoutMs)}ms`));
+        }, timeoutMs);
+        fn()
+            .then((result) => {
+            clearTimeout(timer);
+            resolve(result);
+        })
+            .catch((error) => {
+            clearTimeout(timer);
+            const message = error instanceof Error ? error.message : String(error);
+            reject(new Error(`Plugin "${pluginId}" operation "${operation}" failed: ${message}`));
+        });
+    });
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/engine/plugins/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../../../src/engine/plugins/sandbox.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAE5E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQjC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,OAAe;IACnE,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEzD,OAAO;QACL,IAAI,EAAE,KAAK,EAAE,GAAW,EAAoB,EAAE;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;YACpD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QACD,KAAK,EAAE,KAAK,EAAE,GAAW,EAAE,KAAc,EAAiB,EAAE;YAC1D,MAAM,KAAK,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;YACpD,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,EAAE,KAAK,IAAuB,EAAE;YAClC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;gBAC3C,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;YACvF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,MAAM,MAAM,GAAG,WAAW,QAAQ,GAAG,CAAC;IACtC,OAAO;QACL,IAAI,EAAE,CAAC,OAAe,EAAQ,EAAE;YAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,WAAW,OAAO,EAAE,CAAC,CAAC;QAC9C,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAQ,EAAE;YAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;QACvC,CAAC;QACD,KAAK,EAAE,CAAC,OAAe,EAAQ,EAAE;YAC/B,OAAO,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;QACxC,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,WAAwC,EACxC,OAAe;IAEf,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAC5D,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IAE9D,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAEvD,sCAAsC;IACtC,MAAM,iBAAiB,GAAqB;QAC1C,IAAI,EAAE,KAAK,EAAE,GAAW,EAAoB,EAAE;YAC5C,IAAI,CAAC,cAAc,IAAI,CAAC,eAAe,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,WAAW,QAAQ,yCAAyC,CAAC,CAAC;YAChF,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QACD,KAAK,EAAE,KAAK,EAAE,GAAW,EAAE,KAAc,EAAiB,EAAE;YAC1D,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CAAC,WAAW,QAAQ,0CAA0C,CAAC,CAAC;YACjF,CAAC;YACD,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,EAAE,KAAK,IAAuB,EAAE;YAClC,IAAI,CAAC,cAAc,IAAI,CAAC,eAAe,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,WAAW,QAAQ,yCAAyC,CAAC,CAAC;YAChF,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;QACxB,CAAC;KACF,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,WAAW;QACX,OAAO,EAAE,iBAAiB;QAC1B,MAAM,EAAE,kBAAkB,CAAC,QAAQ,CAAC;KACrC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,SAAiB,EACjB,EAAoB,EACpB,YAAoB,kBAAkB;IAEtC,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CACJ,IAAI,KAAK,CACP,WAAW,QAAQ,gBAAgB,SAAS,qBAAqB,MAAM,CAAC,SAAS,CAAC,IAAI,CACvF,CACF,CAAC;QACJ,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,EAAE,EAAE;aACD,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;YACf,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC;aACD,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW,QAAQ,gBAAgB,SAAS,aAAa,OAAO,EAAE,CAAC,CAAC,CAAC;QACxF,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/engine/plugins/validator.d.ts

@@ -0,0 +1,18 @@
+import type { PluginManifest, PluginValidationResult } from '../../types/index.js';
+/**
+ * Validates that a value looks like a PluginManifest structurally.
+ */
+export declare function validateManifestStructure(manifest: unknown): PluginValidationResult;
+/**
+ * Validates a manifest against built-in tool names and other active plugins.
+ */
+export declare function validateToolConflicts(manifest: PluginManifest, pluginTools: readonly string[], builtInTools: ReadonlySet<string>, activePluginTools: ReadonlyMap<string, string>): PluginValidationResult;
+/**
+ * Validates version compatibility of a plugin against current Planu version.
+ */
+export declare function validateVersionCompatibility(manifest: PluginManifest, currentVersion: string): PluginValidationResult;
+/**
+ * Runs full validation suite on a manifest.
+ */
+export declare function validatePlugin(manifest: unknown, currentVersion: string, builtInTools: ReadonlySet<string>, activePluginTools: ReadonlyMap<string, string>, pluginToolNames?: readonly string[]): PluginValidationResult;
+//# sourceMappingURL=validator.d.ts.map

package/dist/engine/plugins/validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../../src/engine/plugins/validator.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAoFnF;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,OAAO,GAAG,sBAAsB,CAenF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,cAAc,EACxB,WAAW,EAAE,SAAS,MAAM,EAAE,EAC9B,YAAY,EAAE,WAAW,CAAC,MAAM,CAAC,EACjC,iBAAiB,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,GAC7C,sBAAsB,CAkBxB;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,cAAc,EACxB,cAAc,EAAE,MAAM,GACrB,sBAAsB,CAWxB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,OAAO,EACjB,cAAc,EAAE,MAAM,EACtB,YAAY,EAAE,WAAW,CAAC,MAAM,CAAC,EACjC,iBAAiB,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,EAC9C,eAAe,GAAE,SAAS,MAAM,EAAO,GACtC,sBAAsB,CAcxB"}

package/dist/engine/plugins/validator.js

@@ -0,0 +1,125 @@
+// engine/plugins/validator.ts — Plugin manifest validation (SPEC-085 AC-11)
+import { parseSemver, isPluginCompatible } from './compatibility.js';
+const VALID_PERMISSIONS = new Set([
+    'tools:register',
+    'workers:register',
+    'analyzers:register',
+    'templates:register',
+    'storage:read',
+    'storage:write',
+]);
+const REQUIRED_STRING_FIELDS = [
+    'id',
+    'name',
+    'version',
+    'author',
+    'description',
+    'license',
+    'planuVersion',
+    'entryPoint',
+];
+const PLUGIN_ID_PATTERN = /^[a-z][a-z0-9-]*$/;
+/** Validates required string fields are present and non-empty. */
+function validateRequiredFields(m, errors) {
+    for (const field of REQUIRED_STRING_FIELDS) {
+        const val = m[field];
+        if (typeof val !== 'string' || !val.trim()) {
+            errors.push(`Missing or empty required field: ${field}`);
+        }
+    }
+}
+/** Validates field formats: id pattern, semver version, entryPoint safety, planuVersion range. */
+function validateFieldFormats(m, errors) {
+    if (typeof m.id === 'string' && !PLUGIN_ID_PATTERN.test(m.id)) {
+        errors.push(`Invalid plugin id "${m.id}": must be lowercase alphanumeric with hyphens, starting with a letter`);
+    }
+    if (typeof m.version === 'string' && !parseSemver(m.version)) {
+        errors.push(`Invalid version "${m.version}": must be valid semver (e.g., 1.0.0)`);
+    }
+    if (typeof m.entryPoint === 'string') {
+        if (m.entryPoint.includes('..') || m.entryPoint.startsWith('/')) {
+            errors.push('entryPoint must be a relative path within the plugin directory');
+        }
+    }
+    if (typeof m.planuVersion === 'string') {
+        const hasVersion = /\d+\.\d+\.\d+/.test(m.planuVersion);
+        if (!hasVersion) {
+            errors.push(`Invalid planuVersion range "${m.planuVersion}": must contain at least one semver version`);
+        }
+    }
+}
+/** Validates the permissions array. */
+function validatePermissions(m, errors, warnings) {
+    if (!Array.isArray(m.permissions)) {
+        errors.push('permissions must be an array');
+        return;
+    }
+    for (const perm of m.permissions) {
+        if (typeof perm !== 'string' || !VALID_PERMISSIONS.has(perm)) {
+            errors.push(`Invalid permission: "${String(perm)}"`);
+        }
+    }
+    if (m.permissions.length === 0) {
+        warnings.push('Plugin declares no permissions — it will have no capabilities');
+    }
+}
+/**
+ * Validates that a value looks like a PluginManifest structurally.
+ */
+export function validateManifestStructure(manifest) {
+    const errors = [];
+    const warnings = [];
+    if (!manifest || typeof manifest !== 'object') {
+        return { valid: false, errors: ['Manifest must be a JSON object'], warnings };
+    }
+    const m = manifest;
+    validateRequiredFields(m, errors);
+    validateFieldFormats(m, errors);
+    validatePermissions(m, errors, warnings);
+    return { valid: errors.length === 0, errors, warnings };
+}
+/**
+ * Validates a manifest against built-in tool names and other active plugins.
+ */
+export function validateToolConflicts(manifest, pluginTools, builtInTools, activePluginTools) {
+    const errors = [];
+    const warnings = [];
+    for (const toolName of pluginTools) {
+        const prefixedName = `plugin:${manifest.id}:${toolName}`;
+        if (builtInTools.has(toolName) || builtInTools.has(prefixedName)) {
+            errors.push(`Tool "${toolName}" conflicts with built-in tool`);
+        }
+        const existingPlugin = activePluginTools.get(prefixedName);
+        if (existingPlugin && existingPlugin !== manifest.id) {
+            errors.push(`Tool "${toolName}" conflicts with plugin "${existingPlugin}"`);
+        }
+    }
+    return { valid: errors.length === 0, errors, warnings };
+}
+/**
+ * Validates version compatibility of a plugin against current Planu version.
+ */
+export function validateVersionCompatibility(manifest, currentVersion) {
+    const errors = [];
+    const warnings = [];
+    if (!isPluginCompatible(manifest.planuVersion, currentVersion)) {
+        errors.push(`Plugin "${manifest.name}" requires Planu ${manifest.planuVersion}, current version is ${currentVersion}`);
+    }
+    return { valid: errors.length === 0, errors, warnings };
+}
+/**
+ * Runs full validation suite on a manifest.
+ */
+export function validatePlugin(manifest, currentVersion, builtInTools, activePluginTools, pluginToolNames = []) {
+    const structResult = validateManifestStructure(manifest);
+    if (!structResult.valid) {
+        return structResult;
+    }
+    const m = manifest;
+    const versionResult = validateVersionCompatibility(m, currentVersion);
+    const toolResult = validateToolConflicts(m, pluginToolNames, builtInTools, activePluginTools);
+    const allErrors = [...structResult.errors, ...versionResult.errors, ...toolResult.errors];
+    const allWarnings = [...structResult.warnings, ...versionResult.warnings, ...toolResult.warnings];
+    return { valid: allErrors.length === 0, errors: allErrors, warnings: allWarnings };
+}
+//# sourceMappingURL=validator.js.map

package/dist/engine/plugins/validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../../src/engine/plugins/validator.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAG5E,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAErE,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,gBAAgB;IAChB,kBAAkB;IAClB,oBAAoB;IACpB,oBAAoB;IACpB,cAAc;IACd,eAAe;CAChB,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAsC;IAChE,IAAI;IACJ,MAAM;IACN,SAAS;IACT,QAAQ;IACR,aAAa;IACb,SAAS;IACT,cAAc;IACd,YAAY;CACb,CAAC;AAEF,MAAM,iBAAiB,GAAG,mBAAmB,CAAC;AAE9C,kEAAkE;AAClE,SAAS,sBAAsB,CAAC,CAA0B,EAAE,MAAgB;IAC1E,KAAK,MAAM,KAAK,IAAI,sBAAsB,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACrB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,oCAAoC,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;AACH,CAAC;AAED,kGAAkG;AAClG,SAAS,oBAAoB,CAAC,CAA0B,EAAE,MAAgB;IACxE,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9D,MAAM,CAAC,IAAI,CACT,sBAAsB,CAAC,CAAC,EAAE,wEAAwE,CACnG,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7D,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,OAAO,uCAAuC,CAAC,CAAC;IACpF,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACrC,IAAI,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,MAAM,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,CAAC,IAAI,CACT,+BAA+B,CAAC,CAAC,YAAY,6CAA6C,CAC3F,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,uCAAuC;AACvC,SAAS,mBAAmB,CAC1B,CAA0B,EAC1B,MAAgB,EAChB,QAAkB;IAElB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO;IACT,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7D,MAAM,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IACD,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IACjF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAAiB;IACzD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,gCAAgC,CAAC,EAAE,QAAQ,EAAE,CAAC;IAChF,CAAC;IAED,MAAM,CAAC,GAAG,QAAmC,CAAC;IAE9C,sBAAsB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAClC,oBAAoB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAChC,mBAAmB,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAEzC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAwB,EACxB,WAA8B,EAC9B,YAAiC,EACjC,iBAA8C;IAE9C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,QAAQ,IAAI,WAAW,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,UAAU,QAAQ,CAAC,EAAE,IAAI,QAAQ,EAAE,CAAC;QAEzD,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,SAAS,QAAQ,gCAAgC,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC3D,IAAI,cAAc,IAAI,cAAc,KAAK,QAAQ,CAAC,EAAE,EAAE,CAAC;YACrD,MAAM,CAAC,IAAI,CAAC,SAAS,QAAQ,4BAA4B,cAAc,GAAG,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAC1C,QAAwB,EACxB,cAAsB;IAEtB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,YAAY,EAAE,cAAc,CAAC,EAAE,CAAC;QAC/D,MAAM,CAAC,IAAI,CACT,WAAW,QAAQ,CAAC,IAAI,oBAAoB,QAAQ,CAAC,YAAY,wBAAwB,cAAc,EAAE,CAC1G,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAiB,EACjB,cAAsB,EACtB,YAAiC,EACjC,iBAA8C,EAC9C,kBAAqC,EAAE;IAEvC,MAAM,YAAY,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IACzD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,GAAG,QAA0B,CAAC;IACrC,MAAM,aAAa,GAAG,4BAA4B,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;IACtE,MAAM,UAAU,GAAG,qBAAqB,CAAC,CAAC,EAAE,eAAe,EAAE,YAAY,EAAE,iBAAiB,CAAC,CAAC;IAE9F,MAAM,SAAS,GAAG,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAC1F,MAAM,WAAW,GAAG,CAAC,GAAG,YAAY,CAAC,QAAQ,EAAE,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAElG,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AACrF,CAAC"}

package/dist/engine/runtime-security/audit-logger.d.ts

@@ -0,0 +1,7 @@
+import type { RuntimeAuditSummary, RuntimeSecurityAction, RuntimeSecurityLevel, RuntimeSecurityThreat } from '../../types/index.js';
+export declare function logAuditEntry(projectPath: string, toolName: string, inputs: Record<string, unknown>, threats: RuntimeSecurityThreat[], action: RuntimeSecurityAction, userId?: string): void;
+export declare function getAuditSummary(projectPath: string, options: {
+    timeRange?: string;
+    securityLevel?: RuntimeSecurityLevel;
+}): RuntimeAuditSummary;
+//# sourceMappingURL=audit-logger.d.ts.map

package/dist/engine/runtime-security/audit-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.d.ts","sourceRoot":"","sources":["../../../src/engine/runtime-security/audit-logger.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAEV,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EAGtB,MAAM,sBAAsB,CAAC;AAqD9B,wBAAgB,aAAa,CAC3B,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,qBAAqB,EAAE,EAChC,MAAM,EAAE,qBAAqB,EAC7B,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CA0BN;AAsBD,wBAAgB,eAAe,CAC7B,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,oBAAoB,CAAA;CAAE,GACpE,mBAAmB,CAgCrB"}

package/dist/engine/runtime-security/audit-logger.js

@@ -0,0 +1,120 @@
+// engine/runtime-security/audit-logger.ts — SPEC-084 AC-07
+// Append-only JSON audit log with automatic rotation.
+import { createHash } from 'node:crypto';
+import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync, statSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+const MAX_AUDIT_SIZE = 5 * 1024 * 1024; // 5MB
+function hashInputs(inputs) {
+    const json = JSON.stringify(inputs, Object.keys(inputs).sort());
+    return createHash('sha256').update(json).digest('hex');
+}
+function getAuditPath(projectPath) {
+    return resolve(projectPath, 'audit.json');
+}
+function ensureDir(filePath) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+}
+function rotateIfNeeded(auditPath) {
+    if (!existsSync(auditPath)) {
+        return;
+    }
+    try {
+        const stats = statSync(auditPath);
+        if (stats.size >= MAX_AUDIT_SIZE) {
+            const dateStr = new Date().toISOString().slice(0, 10);
+            const rotatedPath = auditPath.replace('.json', `-${dateStr}.json`);
+            renameSync(auditPath, rotatedPath);
+        }
+    }
+    catch {
+        // Ignore rotation errors
+    }
+}
+function readAuditLog(auditPath) {
+    if (!existsSync(auditPath)) {
+        return [];
+    }
+    try {
+        const raw = readFileSync(auditPath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+}
+function writeAuditLog(auditPath, entries) {
+    ensureDir(auditPath);
+    writeFileSync(auditPath, JSON.stringify(entries, null, 2), 'utf-8');
+}
+export function logAuditEntry(projectPath, toolName, inputs, threats, action, userId) {
+    const auditPath = getAuditPath(projectPath);
+    rotateIfNeeded(auditPath);
+    const maxSeverity = threats.length > 0
+        ? threats.reduce((max, t) => {
+            const order = { critical: 3, warning: 2, info: 1 };
+            return order[t.severity] > order[max] ? t.severity : max;
+        }, 'info')
+        : null;
+    const entry = {
+        timestamp: new Date().toISOString(),
+        toolName,
+        inputsHash: hashInputs(inputs),
+        threatDetected: threats.length > 0,
+        severity: maxSeverity,
+        action,
+        threats: [...new Set(threats.map((t) => t.type))],
+        ...(userId ? { userId } : {}),
+    };
+    const entries = readAuditLog(auditPath);
+    entries.push(entry);
+    writeAuditLog(auditPath, entries);
+}
+function filterByTimeRange(entries, timeRange) {
+    if (timeRange === 'all') {
+        return entries;
+    }
+    const now = Date.now();
+    const ranges = {
+        last24h: 24 * 60 * 60 * 1000,
+        last7d: 7 * 24 * 60 * 60 * 1000,
+        last30d: 30 * 24 * 60 * 60 * 1000,
+    };
+    const cutoff = ranges[timeRange];
+    if (!cutoff) {
+        return entries;
+    }
+    return entries.filter((e) => now - new Date(e.timestamp).getTime() < cutoff);
+}
+export function getAuditSummary(projectPath, options) {
+    const auditPath = getAuditPath(projectPath);
+    const allEntries = readAuditLog(auditPath);
+    const timeRange = options.timeRange ?? 'all';
+    const entries = filterByTimeRange(allEntries, timeRange);
+    const threatsByType = {};
+    const toolThreats = new Map();
+    for (const entry of entries) {
+        if (entry.threatDetected) {
+            for (const t of entry.threats) {
+                threatsByType[t] = (threatsByType[t] ?? 0) + 1;
+            }
+            toolThreats.set(entry.toolName, (toolThreats.get(entry.toolName) ?? 0) + 1);
+        }
+    }
+    const topToolsByThreat = [...toolThreats.entries()]
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 5)
+        .map(([tool, count]) => ({ tool, count }));
+    return {
+        totalCalls: entries.length,
+        threatsDetected: entries.filter((e) => e.threatDetected).length,
+        blockedCalls: entries.filter((e) => e.action === 'blocked').length,
+        threatsByType,
+        topToolsByThreat,
+        securityLevel: options.securityLevel ?? 'standard',
+        timeRange,
+    };
+}
+//# sourceMappingURL=audit-logger.js.map

package/dist/engine/runtime-security/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../../src/engine/runtime-security/audit-logger.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,sDAAsD;AAEtD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnG,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAW7C,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAE9C,SAAS,UAAU,CAAC,MAA+B;IACjD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAChE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,YAAY,CAAC,WAAmB;IACvC,OAAO,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB;IACvC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;QAClC,IAAI,KAAK,CAAC,IAAI,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACtD,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,OAAO,OAAO,CAAC,CAAC;YACnE,UAAU,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB;IACrC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAwB,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,SAAiB,EAAE,OAA4B;IACpE,SAAS,CAAC,SAAS,CAAC,CAAC;IACrB,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,WAAmB,EACnB,QAAgB,EAChB,MAA+B,EAC/B,OAAgC,EAChC,MAA6B,EAC7B,MAAe;IAEf,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;IAC5C,cAAc,CAAC,SAAS,CAAC,CAAC;IAE1B,MAAM,WAAW,GACf,OAAO,CAAC,MAAM,GAAG,CAAC;QAChB,CAAC,CAAC,OAAO,CAAC,MAAM,CAAwB,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;YAC/C,MAAM,KAAK,GAA0C,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YAC1F,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;QAC3D,CAAC,EAAE,MAAM,CAAC;QACZ,CAAC,CAAC,IAAI,CAAC;IAEX,MAAM,KAAK,GAAsB;QAC/B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;QACR,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC;QAC9B,cAAc,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;QAClC,QAAQ,EAAE,WAAW;QACrB,MAAM;QACN,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACjD,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9B,CAAC;IAEF,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACxC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpB,aAAa,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,iBAAiB,CAAC,OAA4B,EAAE,SAAiB;IACxE,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;QACxB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAA2B;QACrC,OAAO,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;QAC5B,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;QAC/B,OAAO,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KAClC,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,WAAmB,EACnB,OAAqE;IAErE,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;IAC5C,MAAM,UAAU,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;IAC7C,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAEzD,MAAM,aAAa,GAA+C,EAAE,CAAC;IACrE,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE9C,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC9B,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACjD,CAAC;YACD,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC;SAChD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;SAC3B,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAE7C,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,MAAM;QAC1B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,MAAM;QAC/D,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;QAClE,aAAa;QACb,gBAAgB;QAChB,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,UAAU;QAClD,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/engine/runtime-security/checkers/command-injection.d.ts

@@ -0,0 +1,3 @@
+import type { RuntimeSecurityChecker } from '../../../types/index.js';
+export declare const commandInjectionChecker: RuntimeSecurityChecker;
+//# sourceMappingURL=command-injection.d.ts.map

package/dist/engine/runtime-security/checkers/command-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-injection.d.ts","sourceRoot":"","sources":["../../../../src/engine/runtime-security/checkers/command-injection.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,sBAAsB,EAGvB,MAAM,yBAAyB,CAAC;AA+EjC,eAAO,MAAM,uBAAuB,EAAE,sBAwBrC,CAAC"}

package/dist/engine/runtime-security/checkers/command-injection.js

@@ -0,0 +1,91 @@
+// engine/runtime-security/checkers/command-injection.ts — SPEC-084 AC-04
+// Detects shell metacharacters and dangerous commands in user inputs.
+// Shell metacharacters that enable command chaining/redirection
+const SHELL_METACHAR_PATTERN = /[;|`]|\$\(|&&|\|\||>>|<<|>\s|<\s/;
+// Dangerous shell commands (Unix + Windows)
+const DANGEROUS_COMMANDS = [
+    /\brm\s+-rf\b/i,
+    /\bcurl\b.*\|\s*(?:sh|bash)\b/i,
+    /\bwget\b/i,
+    /\bchmod\b/i,
+    /\bchown\b/i,
+    /\bsudo\b/i,
+    /\beval\b/i,
+    /\bexec\b/i,
+    /\bpowershell\b/i,
+    /\bcmd\s*\/c\b/i,
+    /\bdel\s+\/[sfq]\b/i,
+    /\bformat\s+[a-z]:/i,
+    /\bnet\s+user\b/i,
+];
+// Multi-language dangerous patterns
+const CODE_INJECTION_PATTERNS = [
+    /\bos\.system\s*\(/, // Python
+    /\bsubprocess\.(?:call|run|Popen)\s*\(/, // Python
+    /\bsystem\s*\(/, // Ruby, PHP, C
+    /\bexec\s*\(/, // PHP, Node
+    /\bshell_exec\s*\(/, // PHP
+    /\bRuntime\.getRuntime\(\)\.exec\b/, // Java
+    /\bProcessBuilder\b/, // Java
+    /\bexec\.Command\s*\(/, // Go
+    /\bCommand::new\s*\(/, // Rust
+    /\bProcess\.Start\s*\(/, // C#
+];
+function checkStringForInjection(value, field) {
+    const threats = [];
+    // Check shell metacharacters
+    if (SHELL_METACHAR_PATTERN.test(value)) {
+        threats.push({
+            type: 'command-injection',
+            severity: 'critical',
+            message: 'Shell metacharacters detected in input',
+            field,
+            pattern: 'shell-metachar',
+        });
+    }
+    // Check dangerous commands
+    for (const pattern of DANGEROUS_COMMANDS) {
+        if (pattern.test(value)) {
+            threats.push({
+                type: 'command-injection',
+                severity: 'critical',
+                message: `Dangerous command detected: ${pattern.source}`,
+                field,
+                pattern: pattern.source,
+            });
+        }
+    }
+    // Check code injection patterns
+    for (const pattern of CODE_INJECTION_PATTERNS) {
+        if (pattern.test(value)) {
+            threats.push({
+                type: 'command-injection',
+                severity: 'warning',
+                message: `Code execution pattern detected: ${pattern.source}`,
+                field,
+                pattern: pattern.source,
+            });
+        }
+    }
+    return threats;
+}
+export const commandInjectionChecker = {
+    type: 'command-injection',
+    check(_toolName, inputs, _config) {
+        const threats = [];
+        for (const [key, value] of Object.entries(inputs)) {
+            if (typeof value === 'string') {
+                threats.push(...checkStringForInjection(value, key));
+            }
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (typeof item === 'string') {
+                        threats.push(...checkStringForInjection(item, key));
+                    }
+                }
+            }
+        }
+        return threats;
+    },
+};
+//# sourceMappingURL=command-injection.js.map

package/dist/engine/runtime-security/checkers/command-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-injection.js","sourceRoot":"","sources":["../../../../src/engine/runtime-security/checkers/command-injection.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,sEAAsE;AAQtE,gEAAgE;AAChE,MAAM,sBAAsB,GAAG,kCAAkC,CAAC;AAElE,4CAA4C;AAC5C,MAAM,kBAAkB,GAAG;IACzB,eAAe;IACf,+BAA+B;IAC/B,WAAW;IACX,YAAY;IACZ,YAAY;IACZ,WAAW;IACX,WAAW;IACX,WAAW;IACX,iBAAiB;IACjB,gBAAgB;IAChB,oBAAoB;IACpB,oBAAoB;IACpB,iBAAiB;CAClB,CAAC;AAEF,oCAAoC;AACpC,MAAM,uBAAuB,GAAG;IAC9B,mBAAmB,EAAE,SAAS;IAC9B,uCAAuC,EAAE,SAAS;IAClD,eAAe,EAAE,eAAe;IAChC,aAAa,EAAE,YAAY;IAC3B,mBAAmB,EAAE,MAAM;IAC3B,mCAAmC,EAAE,OAAO;IAC5C,oBAAoB,EAAE,OAAO;IAC7B,sBAAsB,EAAE,KAAK;IAC7B,qBAAqB,EAAE,OAAO;IAC9B,uBAAuB,EAAE,KAAK;CAC/B,CAAC;AAEF,SAAS,uBAAuB,CAAC,KAAa,EAAE,KAAa;IAC3D,MAAM,OAAO,GAA4B,EAAE,CAAC;IAE5C,6BAA6B;IAC7B,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,mBAAmB;YACzB,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,wCAAwC;YACjD,KAAK;YACL,OAAO,EAAE,gBAAgB;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,+BAA+B,OAAO,CAAC,MAAM,EAAE;gBACxD,KAAK;gBACL,OAAO,EAAE,OAAO,CAAC,MAAM;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,oCAAoC,OAAO,CAAC,MAAM,EAAE;gBAC7D,KAAK;gBACL,OAAO,EAAE,OAAO,CAAC,MAAM;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAA2B;IAC7D,IAAI,EAAE,mBAAmB;IACzB,KAAK,CACH,SAAiB,EACjB,MAA+B,EAC/B,OAA8B;QAE9B,MAAM,OAAO,GAA4B,EAAE,CAAC;QAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;YACvD,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;wBAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF,CAAC"}

package/dist/engine/runtime-security/checkers/content-security.d.ts

@@ -0,0 +1,3 @@
+import type { RuntimeSecurityChecker } from '../../../types/index.js';
+export declare const contentSecurityChecker: RuntimeSecurityChecker;
+//# sourceMappingURL=content-security.d.ts.map

package/dist/engine/runtime-security/checkers/content-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-security.d.ts","sourceRoot":"","sources":["../../../../src/engine/runtime-security/checkers/content-security.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAEV,sBAAsB,EAGvB,MAAM,yBAAyB,CAAC;AAgGjC,eAAO,MAAM,sBAAsB,EAAE,sBAmBpC,CAAC"}