@red-codes/agentguard 1.0.0

package/dist/kernel/kernel.d.ts

@@ -0,0 +1,47 @@
+import type { DomainEvent, CanonicalAction } from '../core/types.js';
+import type { MonitorConfig, MonitorDecision } from './monitor.js';
+import type { RawAgentAction } from './aab.js';
+import type { AdapterRegistry, ExecutionResult } from '../core/types.js';
+import type { GovernanceDecisionRecord, DecisionSink } from './decisions/types.js';
+import type { SimulatorRegistry } from './simulation/types.js';
+import type { SeededRng } from '../core/rng.js';
+export interface KernelResult {
+    allowed: boolean;
+    executed: boolean;
+    decision: MonitorDecision;
+    execution: ExecutionResult | null;
+    action: CanonicalAction | null;
+    events: DomainEvent[];
+    runId: string;
+    /** Governance decision record (additive — not present in older results) */
+    decisionRecord?: GovernanceDecisionRecord;
+}
+export interface EventSink {
+    write(event: DomainEvent): void;
+    flush?(): void;
+}
+export interface KernelConfig extends MonitorConfig {
+    runId?: string;
+    sinks?: EventSink[];
+    adapters?: AdapterRegistry;
+    dryRun?: boolean;
+    /** Optional decision sinks for persisting GovernanceDecisionRecords */
+    decisionSinks?: DecisionSink[];
+    /** Optional simulator registry for pre-execution impact simulation */
+    simulators?: SimulatorRegistry;
+    /** Blast radius threshold — simulation above this triggers invariant re-check */
+    simulationBlastRadiusThreshold?: number;
+    /** Optional seeded RNG for deterministic replay. If omitted, a random seed is generated. */
+    rng?: SeededRng;
+}
+export interface Kernel {
+    propose(rawAction: RawAgentAction, systemContext?: Record<string, unknown>): Promise<KernelResult>;
+    getRunId(): string;
+    /** Returns the seed used by this kernel's RNG (for session recording / replay) */
+    getSeed(): number;
+    getActionLog(): KernelResult[];
+    getEventCount(): number;
+    shutdown(): void;
+}
+export declare function createKernel(config?: KernelConfig): Kernel;
+//# sourceMappingURL=kernel.d.ts.map

package/dist/kernel/kernel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kernel.d.ts","sourceRoot":"","sources":["../../src/kernel/kernel.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAErE,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AACnE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAG/C,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAkB,MAAM,kBAAkB,CAAC;AAYzF,OAAO,KAAK,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEnF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAGhD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,eAAe,CAAC;IAC1B,SAAS,EAAE,eAAe,GAAG,IAAI,CAAC;IAClC,MAAM,EAAE,eAAe,GAAG,IAAI,CAAC;IAC/B,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,2EAA2E;IAC3E,cAAc,CAAC,EAAE,wBAAwB,CAAC;CAC3C;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAC;IAChC,KAAK,CAAC,IAAI,IAAI,CAAC;CAChB;AAED,MAAM,WAAW,YAAa,SAAQ,aAAa;IACjD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;IACpB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,uEAAuE;IACvE,aAAa,CAAC,EAAE,YAAY,EAAE,CAAC;IAC/B,sEAAsE;IACtE,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAC/B,iFAAiF;IACjF,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC,4FAA4F;IAC5F,GAAG,CAAC,EAAE,SAAS,CAAC;CACjB;AAED,MAAM,WAAW,MAAM;IACrB,OAAO,CACL,SAAS,EAAE,cAAc,EACzB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACtC,OAAO,CAAC,YAAY,CAAC,CAAC;IACzB,QAAQ,IAAI,MAAM,CAAC;IACnB,kFAAkF;IAClF,OAAO,IAAI,MAAM,CAAC;IAClB,YAAY,IAAI,YAAY,EAAE,CAAC;IAC/B,aAAa,IAAI,MAAM,CAAC;IACxB,QAAQ,IAAI,IAAI,CAAC;CAClB;AAMD,wBAAgB,YAAY,CAAC,MAAM,GAAE,YAAiB,GAAG,MAAM,CAiZ9D"}

package/dist/kernel/kernel.js

@@ -0,0 +1,377 @@
+// Governed Action Kernel — the core orchestrator.
+// Connects monitor (AAB + policy + invariants) with execution adapters.
+// Emits full action lifecycle events: REQUESTED → ALLOWED/DENIED → EXECUTED/FAILED.
+// Builds GovernanceDecisionRecords and sinks them for audit.
+import { createMonitor } from './monitor.js';
+import { createAction, getActionClass } from '../core/actions.js';
+import { createAdapterRegistry } from '../core/adapters.js';
+import { createEvent, ACTION_REQUESTED, ACTION_ALLOWED, ACTION_DENIED, ACTION_EXECUTED, ACTION_FAILED, DECISION_RECORDED, SIMULATION_COMPLETED, } from '../events/schema.js';
+import { simpleHash } from '../core/hash.js';
+import { buildDecisionRecord } from './decisions/factory.js';
+import { generateSeed, createSeededRng } from '../core/rng.js';
+function generateRunId(rng) {
+    return `run_${Date.now()}_${simpleHash(rng.random().toString())}`;
+}
+export function createKernel(config = {}) {
+    const rng = config.rng || createSeededRng(generateSeed());
+    const runId = config.runId || generateRunId(rng);
+    const sinks = config.sinks || [];
+    const decisionSinks = config.decisionSinks || [];
+    const adapters = config.adapters || createAdapterRegistry();
+    const dryRun = config.dryRun ?? false;
+    const simulators = config.simulators || null;
+    const blastRadiusThreshold = config.simulationBlastRadiusThreshold ?? 50;
+    const actionLog = [];
+    let eventCount = 0;
+    const monitor = createMonitor({
+        policyDefs: config.policyDefs,
+        invariants: config.invariants,
+        denialThreshold: config.denialThreshold,
+        violationThreshold: config.violationThreshold,
+        windowSize: config.windowSize,
+    });
+    function sinkEvent(event) {
+        eventCount++;
+        for (const sink of sinks) {
+            sink.write(event);
+        }
+    }
+    function sinkEvents(events) {
+        for (const event of events) {
+            sinkEvent(event);
+        }
+    }
+    function sinkDecision(record) {
+        for (const sink of decisionSinks) {
+            sink.write(record);
+        }
+    }
+    return {
+        propose: async (rawAction, systemContext = {}) => {
+            const allEvents = [];
+            // 1. Emit ACTION_REQUESTED
+            const requestedEvent = createEvent(ACTION_REQUESTED, {
+                actionType: rawAction.tool || 'unknown',
+                target: rawAction.file || rawAction.target || '',
+                justification: rawAction.metadata?.justification || 'agent action',
+                actionId: undefined,
+                agentId: rawAction.agent || 'unknown',
+                metadata: { runId, command: rawAction.command },
+            });
+            allEvents.push(requestedEvent);
+            // 2. Evaluate via monitor (AAB → policy → invariants → evidence)
+            const decision = monitor.process(rawAction, systemContext);
+            // 3. Create canonical action object for execution
+            let action = null;
+            try {
+                const actionType = decision.intent.action;
+                const target = decision.intent.target;
+                if (actionType !== 'unknown') {
+                    action = createAction(actionType, target, 'kernel-proposed', {
+                        command: rawAction.command,
+                        agent: rawAction.agent,
+                        runId,
+                    });
+                }
+            }
+            catch {
+                // Action creation may fail for unknown types — continue with null
+            }
+            // 4. Emit decision events from monitor
+            sinkEvents(decision.events);
+            if (!decision.allowed) {
+                // 5a. DENIED — emit denial event, build decision record
+                const deniedEvent = createEvent(ACTION_DENIED, {
+                    actionType: decision.intent.action,
+                    target: decision.intent.target,
+                    reason: decision.decision.reason,
+                    actionId: action?.id,
+                    policyHash: decision.decision.matchedPolicy?.id,
+                    metadata: {
+                        runId,
+                        intervention: decision.intervention,
+                        violations: decision.violations,
+                    },
+                });
+                allEvents.push(deniedEvent);
+                sinkEvents(allEvents);
+                const decisionRecord = buildDecisionRecord({
+                    runId,
+                    decision,
+                    execution: null,
+                    executionDurationMs: null,
+                    simulation: null,
+                });
+                sinkDecision(decisionRecord);
+                // Emit DECISION_RECORDED event
+                const decisionEvent = createEvent(DECISION_RECORDED, {
+                    recordId: decisionRecord.recordId,
+                    outcome: decisionRecord.outcome,
+                    actionType: decisionRecord.action.type,
+                    target: decisionRecord.action.target,
+                    reason: decisionRecord.reason,
+                });
+                sinkEvent(decisionEvent);
+                const result = {
+                    allowed: false,
+                    executed: false,
+                    decision,
+                    execution: null,
+                    action,
+                    events: allEvents,
+                    runId,
+                    decisionRecord,
+                };
+                actionLog.push(result);
+                return result;
+            }
+            // 5b. ALLOWED — run simulation if available, then re-check
+            let simulationResult = null;
+            if (simulators && simulators.find(decision.intent)) {
+                const simulator = simulators.find(decision.intent);
+                try {
+                    simulationResult = await simulator.simulate(decision.intent, systemContext);
+                    // Emit simulation event
+                    const simEvent = createEvent(SIMULATION_COMPLETED, {
+                        simulatorId: simulationResult.simulatorId,
+                        riskLevel: simulationResult.riskLevel,
+                        blastRadius: simulationResult.blastRadius,
+                        predictedChanges: simulationResult.predictedChanges,
+                        durationMs: simulationResult.durationMs,
+                    });
+                    allEvents.push(simEvent);
+                    sinkEvent(simEvent);
+                    // Re-check invariants if simulation reveals elevated risk
+                    if (simulationResult.blastRadius > blastRadiusThreshold ||
+                        simulationResult.riskLevel === 'high') {
+                        // Import checker for re-check
+                        const { checkAllInvariants, buildSystemState } = await import('../invariants/checker.js');
+                        const { DEFAULT_INVARIANTS } = await import('../invariants/definitions.js');
+                        const reCheckState = buildSystemState({
+                            ...systemContext,
+                            filesAffected: simulationResult.blastRadius,
+                            simulatedBlastRadius: simulationResult.blastRadius,
+                            simulatedRiskLevel: simulationResult.riskLevel,
+                            targetBranch: decision.intent.branch || systemContext.targetBranch,
+                            forcePush: decision.intent.action === 'git.force-push',
+                            directPush: decision.intent.action === 'git.push',
+                            isPush: decision.intent.action === 'git.push' ||
+                                decision.intent.action === 'git.force-push',
+                        });
+                        const reCheck = checkAllInvariants(config.invariants || DEFAULT_INVARIANTS, reCheckState);
+                        if (!reCheck.allHold) {
+                            // Simulation-triggered denial
+                            sinkEvents(reCheck.events);
+                            const deniedEvent = createEvent(ACTION_DENIED, {
+                                actionType: decision.intent.action,
+                                target: decision.intent.target,
+                                reason: `Simulation revealed elevated risk: ${simulationResult.riskLevel} (blast radius: ${simulationResult.blastRadius})`,
+                                actionId: action?.id,
+                                metadata: {
+                                    runId,
+                                    simulationTriggered: true,
+                                    simulatorId: simulationResult.simulatorId,
+                                    violations: reCheck.violations.map((v) => ({
+                                        invariantId: v.invariant.id,
+                                        name: v.invariant.name,
+                                        severity: v.invariant.severity,
+                                        expected: v.result.expected,
+                                        actual: v.result.actual,
+                                    })),
+                                },
+                            });
+                            allEvents.push(deniedEvent);
+                            sinkEvents(allEvents);
+                            const simSummary = {
+                                predictedChanges: simulationResult.predictedChanges,
+                                blastRadius: simulationResult.blastRadius,
+                                riskLevel: simulationResult.riskLevel,
+                                simulatorId: simulationResult.simulatorId,
+                                durationMs: simulationResult.durationMs,
+                            };
+                            const decisionRecord = buildDecisionRecord({
+                                runId,
+                                decision: {
+                                    ...decision,
+                                    allowed: false,
+                                    violations: reCheck.violations.map((v) => ({
+                                        invariantId: v.invariant.id,
+                                        name: v.invariant.name,
+                                        severity: v.invariant.severity,
+                                        expected: v.result.expected,
+                                        actual: v.result.actual,
+                                    })),
+                                },
+                                execution: null,
+                                executionDurationMs: null,
+                                simulation: simSummary,
+                            });
+                            sinkDecision(decisionRecord);
+                            const decisionEvent = createEvent(DECISION_RECORDED, {
+                                recordId: decisionRecord.recordId,
+                                outcome: 'deny',
+                                actionType: decisionRecord.action.type,
+                                target: decisionRecord.action.target,
+                                reason: `Simulation-triggered denial`,
+                            });
+                            sinkEvent(decisionEvent);
+                            const result = {
+                                allowed: false,
+                                executed: false,
+                                decision: {
+                                    ...decision,
+                                    allowed: false,
+                                    violations: reCheck.violations.map((v) => ({
+                                        invariantId: v.invariant.id,
+                                        name: v.invariant.name,
+                                        severity: v.invariant.severity,
+                                        expected: v.result.expected,
+                                        actual: v.result.actual,
+                                    })),
+                                },
+                                execution: null,
+                                action,
+                                events: allEvents,
+                                runId,
+                                decisionRecord,
+                            };
+                            actionLog.push(result);
+                            return result;
+                        }
+                    }
+                }
+                catch {
+                    // Simulation failure is non-fatal — continue with execution
+                }
+            }
+            // Emit allowed event
+            const allowedEvent = createEvent(ACTION_ALLOWED, {
+                actionType: decision.intent.action,
+                target: decision.intent.target,
+                capability: decision.decision.matchedPolicy?.id || 'default-allow',
+                actionId: action?.id,
+                reason: decision.decision.reason,
+                metadata: { runId },
+            });
+            allEvents.push(allowedEvent);
+            // 6. Execute via adapter (unless dry-run)
+            let execution = null;
+            let executionDurationMs = null;
+            if (!dryRun && action) {
+                const actionClass = getActionClass(action.type);
+                if (actionClass && adapters.has(actionClass)) {
+                    const adapterDecisionRecord = {
+                        actionId: action.id,
+                        decision: 'allow',
+                        reason: decision.decision.reason,
+                        timestamp: Date.now(),
+                        policyHash: decision.decision.matchedPolicy?.id || 'none',
+                    };
+                    const startTime = Date.now();
+                    try {
+                        execution = await adapters.execute(action, adapterDecisionRecord);
+                        executionDurationMs = Date.now() - startTime;
+                        if (execution.success) {
+                            const executedEvent = createEvent(ACTION_EXECUTED, {
+                                actionType: action.type,
+                                target: action.target,
+                                result: 'success',
+                                actionId: action.id,
+                                duration: executionDurationMs,
+                                metadata: { runId },
+                            });
+                            allEvents.push(executedEvent);
+                        }
+                        else {
+                            const failedEvent = createEvent(ACTION_FAILED, {
+                                actionType: action.type,
+                                target: action.target,
+                                error: execution.error || 'Unknown execution error',
+                                actionId: action.id,
+                                duration: executionDurationMs,
+                                metadata: { runId },
+                            });
+                            allEvents.push(failedEvent);
+                        }
+                    }
+                    catch (err) {
+                        executionDurationMs = Date.now() - startTime;
+                        execution = { success: false, error: err.message };
+                        const failedEvent = createEvent(ACTION_FAILED, {
+                            actionType: action.type,
+                            target: action.target,
+                            error: err.message,
+                            actionId: action.id,
+                            duration: executionDurationMs,
+                            metadata: { runId },
+                        });
+                        allEvents.push(failedEvent);
+                    }
+                }
+            }
+            sinkEvents(allEvents);
+            // Build and sink governance decision record
+            const simSummary = simulationResult
+                ? {
+                    predictedChanges: simulationResult.predictedChanges,
+                    blastRadius: simulationResult.blastRadius,
+                    riskLevel: simulationResult.riskLevel,
+                    simulatorId: simulationResult.simulatorId,
+                    durationMs: simulationResult.durationMs,
+                }
+                : null;
+            const decisionRecord = buildDecisionRecord({
+                runId,
+                decision,
+                execution,
+                executionDurationMs,
+                simulation: simSummary,
+            });
+            sinkDecision(decisionRecord);
+            // Emit DECISION_RECORDED event
+            const decisionEvent = createEvent(DECISION_RECORDED, {
+                recordId: decisionRecord.recordId,
+                outcome: decisionRecord.outcome,
+                actionType: decisionRecord.action.type,
+                target: decisionRecord.action.target,
+                reason: decisionRecord.reason,
+            });
+            sinkEvent(decisionEvent);
+            const result = {
+                allowed: true,
+                executed: execution !== null,
+                decision,
+                execution,
+                action,
+                events: allEvents,
+                runId,
+                decisionRecord,
+            };
+            actionLog.push(result);
+            return result;
+        },
+        getRunId() {
+            return runId;
+        },
+        getSeed() {
+            return rng.seed;
+        },
+        getActionLog() {
+            return [...actionLog];
+        },
+        getEventCount() {
+            return eventCount;
+        },
+        shutdown() {
+            for (const sink of sinks) {
+                if (sink.flush)
+                    sink.flush();
+            }
+            for (const sink of decisionSinks) {
+                if (sink.flush)
+                    sink.flush();
+            }
+        },
+    };
+}
+//# sourceMappingURL=kernel.js.map

package/dist/kernel/kernel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kernel.js","sourceRoot":"","sources":["../../src/kernel/kernel.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,wEAAwE;AACxE,oFAAoF;AACpF,6DAA6D;AAG7D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAE7C,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAG7D,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AA+C/D,SAAS,aAAa,CAAC,GAAc;IACnC,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAuB,EAAE;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,eAAe,CAAC,YAAY,EAAE,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,aAAa,CAAC,GAAG,CAAC,CAAC;IACjD,MAAM,KAAK,GAAgB,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAmB,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;IACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,qBAAqB,EAAE,CAAC;IAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,KAAK,CAAC;IACtC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC;IAC7C,MAAM,oBAAoB,GAAG,MAAM,CAAC,8BAA8B,IAAI,EAAE,CAAC;IACzE,MAAM,SAAS,GAAmB,EAAE,CAAC;IACrC,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,MAAM,OAAO,GAAG,aAAa,CAAC;QAC5B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;QAC7C,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC,CAAC;IAEH,SAAS,SAAS,CAAC,KAAkB;QACnC,UAAU,EAAE,CAAC;QACb,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,SAAS,UAAU,CAAC,MAAqB;QACvC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,SAAS,CAAC,KAAK,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,SAAS,YAAY,CAAC,MAAgC;QACpD,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,aAAa,GAAG,EAAE,EAAE,EAAE;YAC/C,MAAM,SAAS,GAAkB,EAAE,CAAC;YAEpC,2BAA2B;YAC3B,MAAM,cAAc,GAAG,WAAW,CAAC,gBAAgB,EAAE;gBACnD,UAAU,EAAE,SAAS,CAAC,IAAI,IAAI,SAAS;gBACvC,MAAM,EAAE,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,EAAE;gBAChD,aAAa,EAAG,SAAS,CAAC,QAAQ,EAAE,aAAwB,IAAI,cAAc;gBAC9E,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,SAAS,CAAC,KAAK,IAAI,SAAS;gBACrC,QAAQ,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE;aAChD,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAE/B,iEAAiE;YACjE,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YAE3D,kDAAkD;YAClD,IAAI,MAAM,GAA2B,IAAI,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC;gBAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC;gBACtC,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;oBAC7B,MAAM,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAE;wBAC3D,OAAO,EAAE,SAAS,CAAC,OAAO;wBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;wBACtB,KAAK;qBACN,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;YACpE,CAAC;YAED,uCAAuC;YACvC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAE5B,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACtB,wDAAwD;gBACxD,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,EAAE;oBAC7C,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;oBAClC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;oBAC9B,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM;oBAChC,QAAQ,EAAE,MAAM,EAAE,EAAE;oBACpB,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE;oBAC/C,QAAQ,EAAE;wBACR,KAAK;wBACL,YAAY,EAAE,QAAQ,CAAC,YAAY;wBACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;qBAChC;iBACF,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC5B,UAAU,CAAC,SAAS,CAAC,CAAC;gBAEtB,MAAM,cAAc,GAAG,mBAAmB,CAAC;oBACzC,KAAK;oBACL,QAAQ;oBACR,SAAS,EAAE,IAAI;oBACf,mBAAmB,EAAE,IAAI;oBACzB,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAC;gBACH,YAAY,CAAC,cAAc,CAAC,CAAC;gBAE7B,+BAA+B;gBAC/B,MAAM,aAAa,GAAG,WAAW,CAAC,iBAAiB,EAAE;oBACnD,QAAQ,EAAE,cAAc,CAAC,QAAQ;oBACjC,OAAO,EAAE,cAAc,CAAC,OAAO;oBAC/B,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC,IAAI;oBACtC,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC,MAAM;oBACpC,MAAM,EAAE,cAAc,CAAC,MAAM;iBAC9B,CAAC,CAAC;gBACH,SAAS,CAAC,aAAa,CAAC,CAAC;gBAEzB,MAAM,MAAM,GAAiB;oBAC3B,OAAO,EAAE,KAAK;oBACd,QAAQ,EAAE,KAAK;oBACf,QAAQ;oBACR,SAAS,EAAE,IAAI;oBACf,MAAM;oBACN,MAAM,EAAE,SAAS;oBACjB,KAAK;oBACL,cAAc;iBACf,CAAC;gBACF,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACvB,OAAO,MAAM,CAAC;YAChB,CAAC;YAED,2DAA2D;YAC3D,IAAI,gBAAgB,GAAG,IAAI,CAAC;YAE5B,IAAI,UAAU,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnD,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAE,CAAC;gBACpD,IAAI,CAAC;oBACH,gBAAgB,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;oBAE5E,wBAAwB;oBACxB,MAAM,QAAQ,GAAG,WAAW,CAAC,oBAAoB,EAAE;wBACjD,WAAW,EAAE,gBAAgB,CAAC,WAAW;wBACzC,SAAS,EAAE,gBAAgB,CAAC,SAAS;wBACrC,WAAW,EAAE,gBAAgB,CAAC,WAAW;wBACzC,gBAAgB,EAAE,gBAAgB,CAAC,gBAAgB;wBACnD,UAAU,EAAE,gBAAgB,CAAC,UAAU;qBACxC,CAAC,CAAC;oBACH,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBACzB,SAAS,CAAC,QAAQ,CAAC,CAAC;oBAEpB,0DAA0D;oBAC1D,IACE,gBAAgB,CAAC,WAAW,GAAG,oBAAoB;wBACnD,gBAAgB,CAAC,SAAS,KAAK,MAAM,EACrC,CAAC;wBACD,8BAA8B;wBAC9B,MAAM,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,GAC5C,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;wBAC3C,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;wBAE5E,MAAM,YAAY,GAAG,gBAAgB,CAAC;4BACpC,GAAG,aAAa;4BAChB,aAAa,EAAE,gBAAgB,CAAC,WAAW;4BAC3C,oBAAoB,EAAE,gBAAgB,CAAC,WAAW;4BAClD,kBAAkB,EAAE,gBAAgB,CAAC,SAAS;4BAC9C,YAAY,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,IAAK,aAAa,CAAC,YAAuB;4BAC9E,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,KAAK,gBAAgB;4BACtD,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,KAAK,UAAU;4BACjD,MAAM,EACJ,QAAQ,CAAC,MAAM,CAAC,MAAM,KAAK,UAAU;gCACrC,QAAQ,CAAC,MAAM,CAAC,MAAM,KAAK,gBAAgB;yBAC9C,CAAC,CAAC;wBAEH,MAAM,OAAO,GAAG,kBAAkB,CAChC,MAAM,CAAC,UAAU,IAAI,kBAAkB,EACvC,YAAY,CACb,CAAC;wBAEF,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;4BACrB,8BAA8B;4BAC9B,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;4BAE3B,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,EAAE;gCAC7C,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;gCAClC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;gCAC9B,MAAM,EAAE,sCAAsC,gBAAgB,CAAC,SAAS,mBAAmB,gBAAgB,CAAC,WAAW,GAAG;gCAC1H,QAAQ,EAAE,MAAM,EAAE,EAAE;gCACpB,QAAQ,EAAE;oCACR,KAAK;oCACL,mBAAmB,EAAE,IAAI;oCACzB,WAAW,EAAE,gBAAgB,CAAC,WAAW;oCACzC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wCACzC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE;wCAC3B,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI;wCACtB,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,QAAQ;wCAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;wCAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM;qCACxB,CAAC,CAAC;iCACJ;6BACF,CAAC,CAAC;4BACH,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;4BAC5B,UAAU,CAAC,SAAS,CAAC,CAAC;4BAEtB,MAAM,UAAU,GAAG;gCACjB,gBAAgB,EAAE,gBAAgB,CAAC,gBAAgB;gCACnD,WAAW,EAAE,gBAAgB,CAAC,WAAW;gCACzC,SAAS,EAAE,gBAAgB,CAAC,SAAS;gCACrC,WAAW,EAAE,gBAAgB,CAAC,WAAW;gCACzC,UAAU,EAAE,gBAAgB,CAAC,UAAU;6BACxC,CAAC;4BAEF,MAAM,cAAc,GAAG,mBAAmB,CAAC;gCACzC,KAAK;gCACL,QAAQ,EAAE;oCACR,GAAG,QAAQ;oCACX,OAAO,EAAE,KAAK;oCACd,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wCACzC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE;wCAC3B,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI;wCACtB,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,QAAQ;wCAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;wCAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM;qCACxB,CAAC,CAAC;iCACJ;gCACD,SAAS,EAAE,IAAI;gCACf,mBAAmB,EAAE,IAAI;gCACzB,UAAU,EAAE,UAAU;6BACvB,CAAC,CAAC;4BACH,YAAY,CAAC,cAAc,CAAC,CAAC;4BAE7B,MAAM,aAAa,GAAG,WAAW,CAAC,iBAAiB,EAAE;gCACnD,QAAQ,EAAE,cAAc,CAAC,QAAQ;gCACjC,OAAO,EAAE,MAAM;gCACf,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC,IAAI;gCACtC,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC,MAAM;gCACpC,MAAM,EAAE,6BAA6B;6BACtC,CAAC,CAAC;4BACH,SAAS,CAAC,aAAa,CAAC,CAAC;4BAEzB,MAAM,MAAM,GAAiB;gCAC3B,OAAO,EAAE,KAAK;gCACd,QAAQ,EAAE,KAAK;gCACf,QAAQ,EAAE;oCACR,GAAG,QAAQ;oCACX,OAAO,EAAE,KAAK;oCACd,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wCACzC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE;wCAC3B,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI;wCACtB,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,QAAQ;wCAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;wCAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM;qCACxB,CAAC,CAAC;iCACJ;gCACD,SAAS,EAAE,IAAI;gCACf,MAAM;gCACN,MAAM,EAAE,SAAS;gCACjB,KAAK;gCACL,cAAc;6BACf,CAAC;4BACF,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4BACvB,OAAO,MAAM,CAAC;wBAChB,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,4DAA4D;gBAC9D,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,MAAM,YAAY,GAAG,WAAW,CAAC,cAAc,EAAE;gBAC/C,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;gBAClC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;gBAC9B,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,IAAI,eAAe;gBAClE,QAAQ,EAAE,MAAM,EAAE,EAAE;gBACpB,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM;gBAChC,QAAQ,EAAE,EAAE,KAAK,EAAE;aACpB,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAE7B,0CAA0C;YAC1C,IAAI,SAAS,GAA2B,IAAI,CAAC;YAC7C,IAAI,mBAAmB,GAAkB,IAAI,CAAC;YAC9C,IAAI,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC;gBACtB,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAChD,IAAI,WAAW,IAAI,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC7C,MAAM,qBAAqB,GAAmB;wBAC5C,QAAQ,EAAE,MAAM,CAAC,EAAE;wBACnB,QAAQ,EAAE,OAAO;wBACjB,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM;wBAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;wBACrB,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,IAAI,MAAM;qBAC1D,CAAC;oBAEF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;oBAC7B,IAAI,CAAC;wBACH,SAAS,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;wBAClE,mBAAmB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;wBAE7C,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;4BACtB,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,EAAE;gCACjD,UAAU,EAAE,MAAM,CAAC,IAAI;gCACvB,MAAM,EAAE,MAAM,CAAC,MAAM;gCACrB,MAAM,EAAE,SAAS;gCACjB,QAAQ,EAAE,MAAM,CAAC,EAAE;gCACnB,QAAQ,EAAE,mBAAmB;gCAC7B,QAAQ,EAAE,EAAE,KAAK,EAAE;6BACpB,CAAC,CAAC;4BACH,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;wBAChC,CAAC;6BAAM,CAAC;4BACN,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,EAAE;gCAC7C,UAAU,EAAE,MAAM,CAAC,IAAI;gCACvB,MAAM,EAAE,MAAM,CAAC,MAAM;gCACrB,KAAK,EAAE,SAAS,CAAC,KAAK,IAAI,yBAAyB;gCACnD,QAAQ,EAAE,MAAM,CAAC,EAAE;gCACnB,QAAQ,EAAE,mBAAmB;gCAC7B,QAAQ,EAAE,EAAE,KAAK,EAAE;6BACpB,CAAC,CAAC;4BACH,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;wBAC9B,CAAC;oBACH,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,mBAAmB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;wBAC7C,SAAS,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;wBAC9D,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,EAAE;4BAC7C,UAAU,EAAE,MAAM,CAAC,IAAI;4BACvB,MAAM,EAAE,MAAM,CAAC,MAAM;4BACrB,KAAK,EAAG,GAAa,CAAC,OAAO;4BAC7B,QAAQ,EAAE,MAAM,CAAC,EAAE;4BACnB,QAAQ,EAAE,mBAAmB;4BAC7B,QAAQ,EAAE,EAAE,KAAK,EAAE;yBACpB,CAAC,CAAC;wBACH,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;oBAC9B,CAAC;gBACH,CAAC;YACH,CAAC;YAED,UAAU,CAAC,SAAS,CAAC,CAAC;YAEtB,4CAA4C;YAC5C,MAAM,UAAU,GAAG,gBAAgB;gBACjC,CAAC,CAAC;oBACE,gBAAgB,EAAE,gBAAgB,CAAC,gBAAgB;oBACnD,WAAW,EAAE,gBAAgB,CAAC,WAAW;oBACzC,SAAS,EAAE,gBAAgB,CAAC,SAAS;oBACrC,WAAW,EAAE,gBAAgB,CAAC,WAAW;oBACzC,UAAU,EAAE,gBAAgB,CAAC,UAAU;iBACxC;gBACH,CAAC,CAAC,IAAI,CAAC;YAET,MAAM,cAAc,GAAG,mBAAmB,CAAC;gBACzC,KAAK;gBACL,QAAQ;gBACR,SAAS;gBACT,mBAAmB;gBACnB,UAAU,EAAE,UAAU;aACvB,CAAC,CAAC;YACH,YAAY,CAAC,cAAc,CAAC,CAAC;YAE7B,+BAA+B;YAC/B,MAAM,aAAa,GAAG,WAAW,CAAC,iBAAiB,EAAE;gBACnD,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,OAAO,EAAE,cAAc,CAAC,OAAO;gBAC/B,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC,IAAI;gBACtC,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC,MAAM;gBACpC,MAAM,EAAE,cAAc,CAAC,MAAM;aAC9B,CAAC,CAAC;YACH,SAAS,CAAC,aAAa,CAAC,CAAC;YAEzB,MAAM,MAAM,GAAiB;gBAC3B,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,SAAS,KAAK,IAAI;gBAC5B,QAAQ;gBACR,SAAS;gBACT,MAAM;gBACN,MAAM,EAAE,SAAS;gBACjB,KAAK;gBACL,cAAc;aACf,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvB,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,QAAQ;YACN,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO;YACL,OAAO,GAAG,CAAC,IAAI,CAAC;QAClB,CAAC;QAED,YAAY;YACV,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC;QACxB,CAAC;QAED,aAAa;YACX,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,QAAQ;YACN,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,KAAK;oBAAE,IAAI,CAAC,KAAK,EAAE,CAAC;YAC/B,CAAC;YACD,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,KAAK;oBAAE,IAAI,CAAC,KAAK,EAAE,CAAC;YAC/B,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/kernel/monitor.d.ts

@@ -0,0 +1,35 @@
+import type { EngineConfig, EngineDecision } from './decision.js';
+import type { RawAgentAction } from './aab.js';
+import { EventBus } from '../events/bus.js';
+import type { EventStore } from '../core/types.js';
+export declare const ESCALATION: {
+    readonly NORMAL: 0;
+    readonly ELEVATED: 1;
+    readonly HIGH: 2;
+    readonly LOCKDOWN: 3;
+};
+export type EscalationLevel = (typeof ESCALATION)[keyof typeof ESCALATION];
+interface MonitorState {
+    escalationLevel: EscalationLevel;
+    totalEvaluations: number;
+    totalDenials: number;
+    totalViolations: number;
+}
+export interface MonitorDecision extends EngineDecision {
+    monitor: MonitorState;
+}
+export interface MonitorConfig extends EngineConfig {
+    denialThreshold?: number;
+    violationThreshold?: number;
+    windowSize?: number;
+}
+export interface Monitor {
+    bus: EventBus<Record<string, unknown>>;
+    store: EventStore;
+    process(rawAction: RawAgentAction | null, systemContext?: Record<string, unknown>): MonitorDecision;
+    getStatus(): Record<string, unknown>;
+    resetEscalation(): void;
+}
+export declare function createMonitor(config?: MonitorConfig): Monitor;
+export {};
+//# sourceMappingURL=monitor.d.ts.map

package/dist/kernel/monitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"monitor.d.ts","sourceRoot":"","sources":["../../src/kernel/monitor.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAClE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,eAAO,MAAM,UAAU;;;;;CAKb,CAAC;AAEX,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAE3E,UAAU,YAAY;IACpB,eAAe,EAAE,eAAe,CAAC;IACjC,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,eAAgB,SAAQ,cAAc;IACrD,OAAO,EAAE,YAAY,CAAC;CACvB;AAED,MAAM,WAAW,aAAc,SAAQ,YAAY;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAQD,MAAM,WAAW,OAAO;IACtB,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACvC,KAAK,EAAE,UAAU,CAAC;IAClB,OAAO,CACL,SAAS,EAAE,cAAc,GAAG,IAAI,EAChC,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACtC,eAAe,CAAC;IACnB,SAAS,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,eAAe,IAAI,IAAI,CAAC;CACzB;AAED,wBAAgB,aAAa,CAAC,MAAM,GAAE,aAAkB,GAAG,OAAO,CAgJjE"}

package/dist/kernel/monitor.js

@@ -0,0 +1,144 @@
+// Runtime Monitor — closed-loop feedback system.
+// Pure domain logic. No DOM, no Node.js-specific APIs.
+import { createEngine, INTERVENTION } from './decision.js';
+import { EventBus } from '../events/bus.js';
+import { createInMemoryStore } from '../events/store.js';
+export const ESCALATION = {
+    NORMAL: 0,
+    ELEVATED: 1,
+    HIGH: 2,
+    LOCKDOWN: 3,
+};
+export function createMonitor(config = {}) {
+    const bus = new EventBus();
+    const store = createInMemoryStore();
+    const engine = createEngine({
+        policyDefs: config.policyDefs || [],
+        invariants: config.invariants,
+        onEvent(event) {
+            store.append(event);
+            bus.emit(event.kind, event);
+            bus.emit('*', event);
+        },
+    });
+    const denialThreshold = config.denialThreshold ?? 5;
+    const violationThreshold = config.violationThreshold ?? 3;
+    const windowSize = config.windowSize ?? 10;
+    let totalEvaluations = 0;
+    let totalDenials = 0;
+    let totalViolations = 0;
+    const denialsByAgent = new Map();
+    const violationsByInvariant = new Map();
+    const recentDenials = [];
+    let escalationLevel = ESCALATION.NORMAL;
+    const sessionStartTime = Date.now();
+    function updateEscalation() {
+        if (totalDenials >= denialThreshold * 2 || totalViolations >= violationThreshold * 2) {
+            escalationLevel = ESCALATION.LOCKDOWN;
+        }
+        else if (totalDenials >= denialThreshold || totalViolations >= violationThreshold) {
+            escalationLevel = ESCALATION.HIGH;
+        }
+        else if (totalDenials >= Math.ceil(denialThreshold / 2)) {
+            escalationLevel = ESCALATION.ELEVATED;
+        }
+        else {
+            escalationLevel = ESCALATION.NORMAL;
+        }
+        bus.emit('escalation', { level: escalationLevel });
+    }
+    return {
+        bus,
+        store,
+        process(rawAction, systemContext = {}) {
+            if (escalationLevel === ESCALATION.LOCKDOWN) {
+                totalEvaluations++;
+                const lockedResult = {
+                    allowed: false,
+                    intent: {
+                        action: rawAction?.tool || 'unknown',
+                        target: '',
+                        agent: rawAction?.agent || 'unknown',
+                        destructive: false,
+                    },
+                    decision: {
+                        allowed: false,
+                        decision: 'deny',
+                        matchedRule: null,
+                        matchedPolicy: null,
+                        reason: 'Session in LOCKDOWN — human intervention required',
+                        severity: 5,
+                    },
+                    violations: [],
+                    events: [],
+                    evidencePack: null,
+                    intervention: INTERVENTION.DENY,
+                    monitor: {
+                        escalationLevel,
+                        totalEvaluations,
+                        totalDenials,
+                        totalViolations,
+                    },
+                };
+                bus.emit('lockdown-denial', lockedResult);
+                return lockedResult;
+            }
+            const result = engine.evaluate(rawAction, systemContext);
+            totalEvaluations++;
+            if (!result.allowed) {
+                totalDenials++;
+                const agent = result.intent.agent || 'unknown';
+                denialsByAgent.set(agent, (denialsByAgent.get(agent) || 0) + 1);
+                recentDenials.push({
+                    timestamp: Date.now(),
+                    action: result.intent.action,
+                    reason: result.decision.reason,
+                });
+                while (recentDenials.length > windowSize) {
+                    recentDenials.shift();
+                }
+            }
+            for (const v of result.violations) {
+                totalViolations++;
+                const id = v.invariantId;
+                violationsByInvariant.set(id, (violationsByInvariant.get(id) || 0) + 1);
+            }
+            updateEscalation();
+            return {
+                ...result,
+                monitor: {
+                    escalationLevel,
+                    totalEvaluations,
+                    totalDenials,
+                    totalViolations,
+                },
+            };
+        },
+        getStatus() {
+            return {
+                escalationLevel,
+                totalEvaluations,
+                totalDenials,
+                totalViolations,
+                denialsByAgent: Object.fromEntries(denialsByAgent),
+                violationsByInvariant: Object.fromEntries(violationsByInvariant),
+                recentDenials: [...recentDenials],
+                eventCount: store.count(),
+                uptime: Date.now() - sessionStartTime,
+                policyCount: engine.getPolicyCount(),
+                invariantCount: engine.getInvariantCount(),
+                policyErrors: engine.getPolicyErrors(),
+            };
+        },
+        resetEscalation() {
+            escalationLevel = ESCALATION.NORMAL;
+            totalDenials = 0;
+            totalViolations = 0;
+            denialsByAgent.clear();
+            violationsByInvariant.clear();
+            recentDenials.length = 0;
+            bus.emit('escalation-reset', { level: ESCALATION.NORMAL });
+        },
+    };
+}
+//# sourceMappingURL=monitor.js.map

package/dist/kernel/monitor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"monitor.js","sourceRoot":"","sources":["../../src/kernel/monitor.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,uDAAuD;AAGvD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG3D,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAGzD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,MAAM,EAAE,CAAC;IACT,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACH,CAAC;AAsCX,MAAM,UAAU,aAAa,CAAC,SAAwB,EAAE;IACtD,MAAM,GAAG,GAAG,IAAI,QAAQ,EAA2B,CAAC;IACpD,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IAEpC,MAAM,MAAM,GAAG,YAAY,CAAC;QAC1B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,EAAE;QACnC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,OAAO,CAAC,KAAkB;YACxB,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAA2C,CAAC,CAAC;YAClE,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,KAA2C,CAAC,CAAC;QAC7D,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,CAAC,CAAC;IACpD,MAAM,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,IAAI,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAE3C,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,MAAM,cAAc,GAAG,IAAI,GAAG,EAAkB,CAAC;IACjD,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxD,MAAM,aAAa,GAAmB,EAAE,CAAC;IACzC,IAAI,eAAe,GAAoB,UAAU,CAAC,MAAM,CAAC;IACzD,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEpC,SAAS,gBAAgB;QACvB,IAAI,YAAY,IAAI,eAAe,GAAG,CAAC,IAAI,eAAe,IAAI,kBAAkB,GAAG,CAAC,EAAE,CAAC;YACrF,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC;QACxC,CAAC;aAAM,IAAI,YAAY,IAAI,eAAe,IAAI,eAAe,IAAI,kBAAkB,EAAE,CAAC;YACpF,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC;QACpC,CAAC;aAAM,IAAI,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC,EAAE,CAAC;YAC1D,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,OAAO;QACL,GAAG;QACH,KAAK;QAEL,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,EAAE;YACnC,IAAI,eAAe,KAAK,UAAU,CAAC,QAAQ,EAAE,CAAC;gBAC5C,gBAAgB,EAAE,CAAC;gBACnB,MAAM,YAAY,GAAoB;oBACpC,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE;wBACN,MAAM,EAAE,SAAS,EAAE,IAAI,IAAI,SAAS;wBACpC,MAAM,EAAE,EAAE;wBACV,KAAK,EAAE,SAAS,EAAE,KAAK,IAAI,SAAS;wBACpC,WAAW,EAAE,KAAK;qBACnB;oBACD,QAAQ,EAAE;wBACR,OAAO,EAAE,KAAK;wBACd,QAAQ,EAAE,MAAM;wBAChB,WAAW,EAAE,IAAI;wBACjB,aAAa,EAAE,IAAI;wBACnB,MAAM,EAAE,mDAAmD;wBAC3D,QAAQ,EAAE,CAAC;qBACZ;oBACD,UAAU,EAAE,EAAE;oBACd,MAAM,EAAE,EAAE;oBACV,YAAY,EAAE,IAAI;oBAClB,YAAY,EAAE,YAAY,CAAC,IAAI;oBAC/B,OAAO,EAAE;wBACP,eAAe;wBACf,gBAAgB;wBAChB,YAAY;wBACZ,eAAe;qBAChB;iBACF,CAAC;gBACF,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,YAAkD,CAAC,CAAC;gBAChF,OAAO,YAAY,CAAC;YACtB,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YACzD,gBAAgB,EAAE,CAAC;YAEnB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,YAAY,EAAE,CAAC;gBACf,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,IAAI,SAAS,CAAC;gBAC/C,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAEhE,aAAa,CAAC,IAAI,CAAC;oBACjB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;oBAC5B,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;iBAC/B,CAAC,CAAC;gBAEH,OAAO,aAAa,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;oBACzC,aAAa,CAAC,KAAK,EAAE,CAAC;gBACxB,CAAC;YACH,CAAC;YAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBAClC,eAAe,EAAE,CAAC;gBAClB,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC;gBACzB,qBAAqB,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1E,CAAC;YAED,gBAAgB,EAAE,CAAC;YAEnB,OAAO;gBACL,GAAG,MAAM;gBACT,OAAO,EAAE;oBACP,eAAe;oBACf,gBAAgB;oBAChB,YAAY;oBACZ,eAAe;iBAChB;aACF,CAAC;QACJ,CAAC;QAED,SAAS;YACP,OAAO;gBACL,eAAe;gBACf,gBAAgB;gBAChB,YAAY;gBACZ,eAAe;gBACf,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC;gBAClD,qBAAqB,EAAE,MAAM,CAAC,WAAW,CAAC,qBAAqB,CAAC;gBAChE,aAAa,EAAE,CAAC,GAAG,aAAa,CAAC;gBACjC,UAAU,EAAE,KAAK,CAAC,KAAK,EAAE;gBACzB,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB;gBACrC,WAAW,EAAE,MAAM,CAAC,cAAc,EAAE;gBACpC,cAAc,EAAE,MAAM,CAAC,iBAAiB,EAAE;gBAC1C,YAAY,EAAE,MAAM,CAAC,eAAe,EAAE;aACvC,CAAC;QACJ,CAAC;QAED,eAAe;YACb,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC;YACpC,YAAY,GAAG,CAAC,CAAC;YACjB,eAAe,GAAG,CAAC,CAAC;YACpB,cAAc,CAAC,KAAK,EAAE,CAAC;YACvB,qBAAqB,CAAC,KAAK,EAAE,CAAC;YAC9B,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;YACzB,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;KACF,CAAC;AACJ,CAAC"}