@red-codes/core 1.0.0

package/dist/data/escalation.json

@@ -0,0 +1,13 @@
+{
+    "levels": {
+        "NORMAL": 0,
+        "ELEVATED": 1,
+        "HIGH": 2,
+        "LOCKDOWN": 3
+    },
+    "defaults": {
+        "denialThreshold": 5,
+        "violationThreshold": 3,
+        "windowSize": 10
+    }
+}

package/dist/data/git-action-patterns.json

@@ -0,0 +1,7 @@
+[
+    { "patterns": ["\\bgit\\s+push\\s+--force\\b", "\\bgit\\s+push\\s+-f\\b"], "actionType": "git.force-push" },
+    { "patterns": ["\\bgit\\s+push\\b"], "actionType": "git.push" },
+    { "patterns": ["\\bgit\\s+branch\\s+-[dD]\\b"], "actionType": "git.branch.delete" },
+    { "patterns": ["\\bgit\\s+merge\\b"], "actionType": "git.merge" },
+    { "patterns": ["\\bgit\\s+commit\\b"], "actionType": "git.commit" }
+]

package/dist/data/invariant-patterns.json

@@ -0,0 +1,48 @@
+{
+    "sensitiveFilePatterns": [
+        ".env", "credentials", ".pem", ".key", "secret", "token",
+        ".npmrc", ".netrc", ".pgpass", ".htpasswd",
+        "id_rsa", "id_ed25519", "id_ecdsa", "id_dsa",
+        ".p12", ".pfx", ".jks", "keystore",
+        "secrets.yaml", "secrets.yml", "vault.json"
+    ],
+    "credentialPathPatterns": [
+        "/.ssh/", "\\.ssh\\",
+        "/.aws/credentials", "/.aws/config", "\\.aws\\credentials", "\\.aws\\config",
+        "/.config/gcloud/", "\\.config\\gcloud\\",
+        "/.azure/", "\\.azure\\",
+        "/.docker/config.json", "\\.docker\\config.json"
+    ],
+    "credentialBasenamePatterns": [".npmrc", ".pypirc", ".netrc", ".curlrc"],
+    "containerConfigBasenames": [
+        "dockerfile", "docker-compose.yml", "docker-compose.yaml",
+        "compose.yml", "compose.yaml", ".dockerignore", "containerfile"
+    ],
+    "lifecycleScripts": [
+        "preinstall", "postinstall", "prepare", "prepublishOnly",
+        "prepack", "postpack", "install"
+    ],
+    "envFileRegex": "(?:^|[\\\\/])\\.env(?:\\.\\w+)?$",
+    "dockerfileSuffixRegex": "\\.dockerfile$",
+    "invariants": [
+        { "id": "no-secret-exposure", "name": "No Secret Exposure", "description": "Sensitive files (.env, credentials, keys) must not be committed or exposed", "severity": 5 },
+        { "id": "protected-branch", "name": "Protected Branch Safety", "description": "Direct pushes to main/master are forbidden", "severity": 4 },
+        { "id": "blast-radius-limit", "name": "Blast Radius Limit", "description": "A single operation must not modify too many files at once", "severity": 3 },
+        { "id": "test-before-push", "name": "Tests Before Push", "description": "Tests must pass before pushing code", "severity": 3 },
+        { "id": "no-force-push", "name": "No Force Push", "description": "Force pushes are forbidden unless explicitly authorized", "severity": 4 },
+        { "id": "no-skill-modification", "name": "No Skill Modification", "description": "Agent skill files (.claude/skills/) must not be modified by governed actions", "severity": 4 },
+        { "id": "no-scheduled-task-modification", "name": "No Scheduled Task Modification", "description": "Agents must not modify scheduled task definitions (.claude/scheduled-tasks/) directly", "severity": 5 },
+        { "id": "no-credential-file-creation", "name": "No Credential File Creation", "description": "Agents must not create or overwrite well-known credential files (SSH keys, cloud configs, auth tokens)", "severity": 5 },
+        { "id": "no-package-script-injection", "name": "No Package Script Injection", "description": "Modifications to package.json scripts are flagged as potential supply chain attack vectors", "severity": 4 },
+        { "id": "recursive-operation-guard", "name": "Recursive Operation Guard", "description": "Flags recursive operations (find -exec, xargs) combined with write/delete operations that could cause widespread damage", "severity": 2 },
+        { "id": "large-file-write", "name": "Large File Write Limit", "description": "Single file writes must not exceed a size threshold to prevent data dumps or runaway generation", "severity": 3 },
+        { "id": "no-cicd-config-modification", "name": "No CI/CD Config Modification", "description": "CI/CD pipeline configurations must not be modified by governed actions — prevents supply chain attacks via malicious build steps", "severity": 5 },
+        { "id": "no-permission-escalation", "name": "No Permission Escalation", "description": "Agents must not escalate filesystem permissions (world-writable, setuid/setgid, ownership changes, sudoers)", "severity": 4 },
+        { "id": "no-governance-self-modification", "name": "No Governance Self-Modification", "description": "Agents must not modify governance configuration (policy files, governance data, policy packs)", "severity": 5 },
+        { "id": "lockfile-integrity", "name": "Lockfile Integrity", "description": "Package lockfiles must stay in sync with manifests", "severity": 2 },
+        { "id": "no-container-config-modification", "name": "No Container Config Modification", "description": "Container configuration files (Dockerfile, docker-compose, .dockerignore, Containerfile) must not be modified without authorization", "severity": 3 },
+        { "id": "no-env-var-modification", "name": "No Environment Variable Modification", "description": "Detects attempts to modify environment variables or shell profile files — environment variables often contain secrets and profile modifications can establish persistent backdoors", "severity": 3 },
+        { "id": "no-destructive-migration", "name": "No Destructive Migration", "description": "Detects potentially destructive database migration files — flags writes to migration directories containing DROP, TRUNCATE, or other destructive DDL", "severity": 3 },
+        { "id": "transitive-effect-analysis", "name": "Transitive Effect Analysis", "description": "Detects when an agent writes a script or config file whose contents would produce effects that would be denied if executed directly — closes the creative circumvention gap", "severity": 4 }
+    ]
+}

package/dist/data/tool-action-map.json

@@ -0,0 +1,14 @@
+{
+    "Write": "file.write",
+    "Edit": "file.write",
+    "Read": "file.read",
+    "Bash": "shell.exec",
+    "Glob": "file.read",
+    "Grep": "file.read",
+    "NotebookEdit": "file.write",
+    "TodoWrite": "shell.exec",
+    "WebFetch": "http.request",
+    "WebSearch": "http.request",
+    "Agent": "shell.exec",
+    "Skill": "shell.exec"
+}

package/dist/execution-log/bridge.d.ts

@@ -0,0 +1,12 @@
+import type { DomainEvent, ExecutionEvent, ExecutionEventLog } from '../types.js';
+/**
+ * Convert a domain event into an execution event.
+ * Returns null if the domain event kind has no execution event mapping.
+ */
+export declare function domainEventToExecutionEvent(event: DomainEvent): ExecutionEvent | null;
+/**
+ * Create a bridge that automatically records domain events as execution events.
+ * Returns a subscriber function compatible with the domain event system.
+ */
+export declare function createEventBridge(log: ExecutionEventLog): (event: DomainEvent) => void;
+//# sourceMappingURL=bridge.d.ts.map

package/dist/execution-log/bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge.d.ts","sourceRoot":"","sources":["../../src/execution-log/bridge.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,iBAAiB,EAIlB,MAAM,aAAa,CAAC;AA+ErB;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,WAAW,GAAG,cAAc,GAAG,IAAI,CA0BrF;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,iBAAiB,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAOtF"}

package/dist/execution-log/bridge.js

@@ -0,0 +1,112 @@
+// Execution Event Log Bridge — connects execution events to the domain event system.
+// Maps domain events to execution events and vice versa.
+// No DOM, no Node.js APIs — pure domain logic.
+import { createExecutionEvent } from './event-schema.js';
+import { AGENT_EDIT_FILE, RUNTIME_EXCEPTION, TEST_SUITE_FAILED, TEST_SUITE_PASSED, BUILD_FAILED, BUILD_SUCCEEDED, DEPLOYMENT_FAILED, DEPLOYMENT_SUCCEEDED, POLICY_VIOLATION_DETECTED, INVARIANT_CHECK_FAILED, } from './event-schema.js';
+// --- Domain Event → Execution Event Kind Mapping ---
+const DOMAIN_TO_EXECUTION_KIND = {
+    ActionExecuted: AGENT_EDIT_FILE,
+    ActionFailed: RUNTIME_EXCEPTION,
+    ErrorObserved: RUNTIME_EXCEPTION,
+    TestCompleted: TEST_SUITE_PASSED,
+    BuildCompleted: BUILD_SUCCEEDED,
+    DeployCompleted: DEPLOYMENT_SUCCEEDED,
+    PolicyDenied: POLICY_VIOLATION_DETECTED,
+    InvariantViolation: INVARIANT_CHECK_FAILED,
+};
+// Override with failure kinds when the domain event indicates failure
+const FAILURE_OVERRIDES = {
+    TestCompleted: (event) => (event.result === 'fail' ? TEST_SUITE_FAILED : null),
+    BuildCompleted: (event) => (event.result === 'fail' ? BUILD_FAILED : null),
+    DeployCompleted: (event) => (event.result === 'fail' ? DEPLOYMENT_FAILED : null),
+};
+/**
+ * Infer actor from a domain event.
+ */
+function inferActor(event) {
+    if (event.agentId || event.kind === 'ActionExecuted' || event.kind === 'ActionFailed') {
+        return 'agent';
+    }
+    if (event.kind === 'PolicyDenied' ||
+        event.kind === 'InvariantViolation' ||
+        event.kind === 'BlastRadiusExceeded') {
+        return 'system';
+    }
+    return 'human';
+}
+/**
+ * Infer event source from a domain event kind.
+ */
+function inferSource(event) {
+    const kind = event.kind;
+    if (kind === 'TestCompleted' || kind === 'BuildCompleted')
+        return 'ci';
+    if (kind === 'CommitCreated' || kind === 'FileSaved')
+        return 'git';
+    if (kind === 'DeployCompleted')
+        return 'runtime';
+    if (kind === 'PolicyDenied' || kind === 'InvariantViolation' || kind === 'BlastRadiusExceeded') {
+        return 'governance';
+    }
+    if (kind === 'ErrorObserved')
+        return 'runtime';
+    return 'cli';
+}
+/**
+ * Build execution context from a domain event.
+ */
+function buildContext(event) {
+    const context = {};
+    if (typeof event.file === 'string')
+        context.file = event.file;
+    if (typeof event.branch === 'string')
+        context.branch = event.branch;
+    if (typeof event.hash === 'string')
+        context.commit = event.hash;
+    if (typeof event.agentId === 'string')
+        context.agentRunId = event.agentId;
+    return context;
+}
+/**
+ * Convert a domain event into an execution event.
+ * Returns null if the domain event kind has no execution event mapping.
+ */
+export function domainEventToExecutionEvent(event) {
+    let executionKind = DOMAIN_TO_EXECUTION_KIND[event.kind];
+    if (!executionKind)
+        return null;
+    // Check for failure overrides
+    const override = FAILURE_OVERRIDES[event.kind];
+    if (override) {
+        const overrideKind = override(event);
+        if (overrideKind)
+            executionKind = overrideKind;
+    }
+    // Build payload from domain event data (exclude standard fields)
+    const payload = {};
+    const standardFields = new Set(['id', 'kind', 'timestamp', 'fingerprint']);
+    for (const [key, value] of Object.entries(event)) {
+        if (!standardFields.has(key)) {
+            payload[key] = value;
+        }
+    }
+    return createExecutionEvent(executionKind, {
+        actor: inferActor(event),
+        source: inferSource(event),
+        context: buildContext(event),
+        payload,
+    });
+}
+/**
+ * Create a bridge that automatically records domain events as execution events.
+ * Returns a subscriber function compatible with the domain event system.
+ */
+export function createEventBridge(log) {
+    return (event) => {
+        const executionEvent = domainEventToExecutionEvent(event);
+        if (executionEvent) {
+            log.append(executionEvent);
+        }
+    };
+}
+//# sourceMappingURL=bridge.js.map

package/dist/execution-log/bridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge.js","sourceRoot":"","sources":["../../src/execution-log/bridge.ts"],"names":[],"mappings":"AAAA,qFAAqF;AACrF,yDAAyD;AACzD,+CAA+C;AAU/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,EACZ,eAAe,EACf,iBAAiB,EACjB,oBAAoB,EACpB,yBAAyB,EACzB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAE3B,sDAAsD;AAEtD,MAAM,wBAAwB,GAA2B;IACvD,cAAc,EAAE,eAAe;IAC/B,YAAY,EAAE,iBAAiB;IAC/B,aAAa,EAAE,iBAAiB;IAChC,aAAa,EAAE,iBAAiB;IAChC,cAAc,EAAE,eAAe;IAC/B,eAAe,EAAE,oBAAoB;IACrC,YAAY,EAAE,yBAAyB;IACvC,kBAAkB,EAAE,sBAAsB;CAC3C,CAAC;AAEF,sEAAsE;AACtE,MAAM,iBAAiB,GAA0D;IAC/E,aAAa,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,cAAc,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1E,eAAe,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC;CACjF,CAAC;AAEF;;GAEG;AACH,SAAS,UAAU,CAAC,KAAkB;IACpC,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QACtF,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IACE,KAAK,CAAC,IAAI,KAAK,cAAc;QAC7B,KAAK,CAAC,IAAI,KAAK,oBAAoB;QACnC,KAAK,CAAC,IAAI,KAAK,qBAAqB,EACpC,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,KAAkB;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACxB,IAAI,IAAI,KAAK,eAAe,IAAI,IAAI,KAAK,gBAAgB;QAAE,OAAO,IAAI,CAAC;IACvE,IAAI,IAAI,KAAK,eAAe,IAAI,IAAI,KAAK,WAAW;QAAE,OAAO,KAAK,CAAC;IACnE,IAAI,IAAI,KAAK,iBAAiB;QAAE,OAAO,SAAS,CAAC;IACjD,IAAI,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,oBAAoB,IAAI,IAAI,KAAK,qBAAqB,EAAE,CAAC;QAC/F,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,IAAI,KAAK,eAAe;QAAE,OAAO,SAAS,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAkB;IACtC,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC9D,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IACpE,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC;IAChE,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;QAAE,OAAO,CAAC,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC;IAC1E,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CAAC,KAAkB;IAC5D,IAAI,aAAa,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEhC,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,YAAY;YAAE,aAAa,GAAG,YAAY,CAAC;IACjD,CAAC;IAED,iEAAiE;IACjE,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC;IAC3E,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,oBAAoB,CAAC,aAAa,EAAE;QACzC,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;QACxB,MAAM,EAAE,WAAW,CAAC,KAAK,CAAC;QAC1B,OAAO,EAAE,YAAY,CAAC,KAAK,CAAC;QAC5B,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAsB;IACtD,OAAO,CAAC,KAAkB,EAAE,EAAE;QAC5B,MAAM,cAAc,GAAG,2BAA2B,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,cAAc,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/execution-log/event-log.d.ts

@@ -0,0 +1,7 @@
+import type { ExecutionEventLog } from '../types.js';
+/**
+ * Create an in-memory execution event log.
+ * Append-only with support for causal chain tracing and NDJSON persistence.
+ */
+export declare function createExecutionEventLog(): ExecutionEventLog;
+//# sourceMappingURL=event-log.d.ts.map

package/dist/execution-log/event-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"event-log.d.ts","sourceRoot":"","sources":["../../src/execution-log/event-log.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAwC,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAG3F;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,iBAAiB,CAqG3D"}

package/dist/execution-log/event-log.js

@@ -0,0 +1,103 @@
+// Execution Event Log — append-only event log with causal chain support.
+// Stores execution events and supports query, replay, trace, and NDJSON serialization.
+// No DOM, no Node.js APIs — pure domain logic.
+import { validateExecutionEvent } from './event-schema.js';
+/**
+ * Create an in-memory execution event log.
+ * Append-only with support for causal chain tracing and NDJSON persistence.
+ */
+export function createExecutionEventLog() {
+    let events = [];
+    const indexById = new Map();
+    function rebuildIndex() {
+        indexById.clear();
+        for (let i = 0; i < events.length; i++) {
+            indexById.set(events[i].id, i);
+        }
+    }
+    return {
+        append(event) {
+            const { valid, errors } = validateExecutionEvent(event);
+            if (!valid) {
+                throw new Error(`Cannot append invalid execution event: ${errors.join('; ')}`);
+            }
+            if (event.causedBy && !indexById.has(event.causedBy)) {
+                // causedBy references must point to events already in the log,
+                // or to events from a previous session (allow unknown references)
+            }
+            indexById.set(event.id, events.length);
+            events.push(event);
+        },
+        query(filter = {}) {
+            let result = events;
+            if (filter.kind) {
+                result = result.filter((e) => e.kind === filter.kind);
+            }
+            if (filter.actor) {
+                result = result.filter((e) => e.actor === filter.actor);
+            }
+            if (filter.source) {
+                result = result.filter((e) => e.source === filter.source);
+            }
+            if (filter.since !== undefined) {
+                result = result.filter((e) => e.timestamp >= filter.since);
+            }
+            if (filter.until !== undefined) {
+                result = result.filter((e) => e.timestamp <= filter.until);
+            }
+            if (filter.agentRunId) {
+                result = result.filter((e) => e.context.agentRunId === filter.agentRunId);
+            }
+            if (filter.file) {
+                result = result.filter((e) => e.context.file === filter.file);
+            }
+            return result;
+        },
+        replay(fromId) {
+            if (!fromId)
+                return [...events];
+            const idx = indexById.get(fromId);
+            if (idx === undefined)
+                return [];
+            return events.slice(idx);
+        },
+        trace(eventId) {
+            const chain = [];
+            const visited = new Set();
+            let currentId = eventId;
+            while (currentId && !visited.has(currentId)) {
+                visited.add(currentId);
+                const idx = indexById.get(currentId);
+                if (idx === undefined)
+                    break;
+                const event = events[idx];
+                chain.unshift(event);
+                currentId = event.causedBy;
+            }
+            return chain;
+        },
+        count() {
+            return events.length;
+        },
+        clear() {
+            events = [];
+            indexById.clear();
+        },
+        toNDJSON() {
+            return events.map((e) => JSON.stringify(e)).join('\n');
+        },
+        fromNDJSON(ndjson) {
+            const lines = ndjson.split('\n').filter((line) => line.trim().length > 0);
+            let loaded = 0;
+            for (const line of lines) {
+                const parsed = JSON.parse(line);
+                indexById.set(parsed.id, events.length);
+                events.push(parsed);
+                loaded++;
+            }
+            rebuildIndex();
+            return loaded;
+        },
+    };
+}
+//# sourceMappingURL=event-log.js.map

package/dist/execution-log/event-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"event-log.js","sourceRoot":"","sources":["../../src/execution-log/event-log.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,uFAAuF;AACvF,+CAA+C;AAG/C,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAE3D;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,MAAM,GAAqB,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE5C,SAAS,YAAY;QACnB,SAAS,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,CAAC,KAAqB;YAC1B,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,sBAAsB,CAAC,KAA2C,CAAC,CAAC;YAC9F,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CAAC,0CAA0C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjF,CAAC;YACD,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrD,+DAA+D;gBAC/D,kEAAkE;YACpE,CAAC;YACD,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QAED,KAAK,CAAC,SAA+B,EAAE;YACrC,IAAI,MAAM,GAAG,MAAM,CAAC;YACpB,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAChB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC;YACxD,CAAC;YACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,CAAC;YAC5D,CAAC;YACD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC/B,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,KAAM,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC/B,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,MAAM,CAAC,KAAM,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAChB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC;YAChE,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,CAAC,MAAe;YACpB,IAAI,CAAC,MAAM;gBAAE,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;YAChC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,GAAG,KAAK,SAAS;gBAAE,OAAO,EAAE,CAAC;YACjC,OAAO,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAED,KAAK,CAAC,OAAe;YACnB,MAAM,KAAK,GAAqB,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,IAAI,SAAS,GAAuB,OAAO,CAAC;YAE5C,OAAO,SAAS,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACvB,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACrC,IAAI,GAAG,KAAK,SAAS;oBAAE,MAAM;gBAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC1B,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;gBACrB,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC;YAC7B,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED,KAAK;YACH,OAAO,MAAM,CAAC,MAAM,CAAC;QACvB,CAAC;QAED,KAAK;YACH,MAAM,GAAG,EAAE,CAAC;YACZ,SAAS,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;QAED,QAAQ;YACN,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC;QAED,UAAU,CAAC,MAAc;YACvB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC1E,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;gBAClD,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpB,MAAM,EAAE,CAAC;YACX,CAAC;YACD,YAAY,EAAE,CAAC;YACf,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/execution-log/event-projections.d.ts

@@ -0,0 +1,28 @@
+import type { ExecutionEvent, ExecutionEventLog, FailureCluster, EncounterMapping, RiskScore } from '../types.js';
+/**
+ * Build the full causal chain leading to an event.
+ * Walks `causedBy` references back to the root cause.
+ * Returns events in chronological order (root first).
+ */
+export declare function buildCausalChain(log: ExecutionEventLog, eventId: string): ExecutionEvent[];
+/**
+ * Score an agent run by its risk profile.
+ * Higher score = more risk. Based on failures, violations,
+ * skipped tests, sensitive file edits, and action velocity.
+ */
+export declare function scoreAgentRun(log: ExecutionEventLog, agentRunId: string): RiskScore;
+export interface ClusterOptions {
+    readonly windowMs?: number;
+}
+/**
+ * Cluster related failures by file and time proximity.
+ * Groups failures that share a common file or occur within a time window.
+ */
+export declare function clusterFailures(log: ExecutionEventLog, options?: ClusterOptions): FailureCluster[];
+/**
+ * Map an execution event to a game encounter.
+ * Only failure events produce encounters.
+ * Returns null for non-failure events.
+ */
+export declare function mapToEncounter(event: ExecutionEvent): EncounterMapping | null;
+//# sourceMappingURL=event-projections.d.ts.map

package/dist/execution-log/event-projections.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"event-projections.d.ts","sourceRoot":"","sources":["../../src/execution-log/event-projections.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,SAAS,EAGV,MAAM,aAAa,CAAC;AAerB;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,cAAc,EAAE,CAE1F;AA6BD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,GAAG,SAAS,CAsFnF;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,iBAAiB,EACtB,OAAO,GAAE,cAAmB,GAC3B,cAAc,EAAE,CA0FlB;AA8CD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,gBAAgB,GAAG,IAAI,CAe7E"}

package/dist/execution-log/event-projections.js

@@ -0,0 +1,272 @@
+// Execution Event Projections — derived views from the execution event stream.
+// Causal chain construction, risk scoring, failure clustering, encounter mapping.
+// No DOM, no Node.js APIs — pure domain logic.
+import { simpleHash } from '../hash.js';
+import { FAILURE_KINDS, VIOLATION_KINDS, AGENT_ACTION_KINDS, TESTS_SKIPPED, RUNTIME_EXCEPTION, TEST_SUITE_FAILED, DEPLOYMENT_FAILED, BUILD_FAILED, } from './event-schema.js';
+// --- Causal Chain ---
+/**
+ * Build the full causal chain leading to an event.
+ * Walks `causedBy` references back to the root cause.
+ * Returns events in chronological order (root first).
+ */
+export function buildCausalChain(log, eventId) {
+    return log.trace(eventId);
+}
+// --- Risk Scoring ---
+const RISK_WEIGHTS = {
+    failure: 10,
+    violation: 25,
+    skippedTests: 15,
+    sensitiveFileEdit: 20,
+    highActionRate: 5,
+};
+const SENSITIVE_PATTERNS = [
+    /auth/i,
+    /security/i,
+    /password/i,
+    /secret/i,
+    /key/i,
+    /token/i,
+    /credential/i,
+    /\.env/i,
+    /migration/i,
+    /deploy/i,
+];
+function isSensitiveFile(file) {
+    return SENSITIVE_PATTERNS.some((p) => p.test(file));
+}
+/**
+ * Score an agent run by its risk profile.
+ * Higher score = more risk. Based on failures, violations,
+ * skipped tests, sensitive file edits, and action velocity.
+ */
+export function scoreAgentRun(log, agentRunId) {
+    const events = log.query({ agentRunId });
+    const factors = [];
+    let totalScore = 0;
+    let failureCount = 0;
+    let violationCount = 0;
+    // Count failures
+    const failures = events.filter((e) => FAILURE_KINDS.has(e.kind));
+    failureCount = failures.length;
+    if (failureCount > 0) {
+        const weight = failureCount * RISK_WEIGHTS.failure;
+        totalScore += weight;
+        factors.push({
+            name: 'failures',
+            weight,
+            detail: `${failureCount} failure(s) during agent run`,
+        });
+    }
+    // Count violations
+    const violations = events.filter((e) => VIOLATION_KINDS.has(e.kind));
+    violationCount = violations.length;
+    if (violationCount > 0) {
+        const weight = violationCount * RISK_WEIGHTS.violation;
+        totalScore += weight;
+        factors.push({
+            name: 'violations',
+            weight,
+            detail: `${violationCount} policy/invariant violation(s)`,
+        });
+    }
+    // Skipped tests
+    const skipped = events.filter((e) => e.kind === TESTS_SKIPPED);
+    if (skipped.length > 0) {
+        totalScore += RISK_WEIGHTS.skippedTests;
+        factors.push({
+            name: 'skipped_tests',
+            weight: RISK_WEIGHTS.skippedTests,
+            detail: `Tests were skipped ${skipped.length} time(s)`,
+        });
+    }
+    // Sensitive file edits
+    const agentActions = events.filter((e) => AGENT_ACTION_KINDS.has(e.kind));
+    const sensitiveEdits = agentActions.filter((e) => e.context.file && isSensitiveFile(e.context.file));
+    if (sensitiveEdits.length > 0) {
+        const weight = sensitiveEdits.length * RISK_WEIGHTS.sensitiveFileEdit;
+        totalScore += weight;
+        factors.push({
+            name: 'sensitive_file_edits',
+            weight,
+            detail: `${sensitiveEdits.length} edit(s) to sensitive files`,
+        });
+    }
+    // High action rate (>50 actions in a single run is suspicious)
+    if (agentActions.length > 50) {
+        totalScore += RISK_WEIGHTS.highActionRate;
+        factors.push({
+            name: 'high_action_rate',
+            weight: RISK_WEIGHTS.highActionRate,
+            detail: `${agentActions.length} agent actions in a single run`,
+        });
+    }
+    // Determine risk level
+    let level;
+    if (totalScore >= 75)
+        level = 'critical';
+    else if (totalScore >= 40)
+        level = 'high';
+    else if (totalScore >= 15)
+        level = 'medium';
+    else
+        level = 'low';
+    return {
+        agentRunId,
+        score: totalScore,
+        level,
+        factors,
+        eventCount: events.length,
+        failureCount,
+        violationCount,
+    };
+}
+/**
+ * Cluster related failures by file and time proximity.
+ * Groups failures that share a common file or occur within a time window.
+ */
+export function clusterFailures(log, options = {}) {
+    const windowMs = options.windowMs ?? 60_000; // 1 minute default
+    const failures = log.query({}).filter((e) => FAILURE_KINDS.has(e.kind));
+    if (failures.length === 0)
+        return [];
+    // Group by file, then by time proximity
+    const byFile = new Map();
+    const noFile = [];
+    for (const event of failures) {
+        const file = event.context.file ?? event.payload.file;
+        if (file) {
+            const existing = byFile.get(file) ?? [];
+            existing.push(event);
+            byFile.set(file, existing);
+        }
+        else {
+            noFile.push(event);
+        }
+    }
+    const clusters = [];
+    // File-based clusters
+    for (const [file, fileEvents] of byFile) {
+        const sorted = [...fileEvents].sort((a, b) => a.timestamp - b.timestamp);
+        let clusterEvents = [sorted[0]];
+        for (let i = 1; i < sorted.length; i++) {
+            if (sorted[i].timestamp - sorted[i - 1].timestamp <= windowMs) {
+                clusterEvents.push(sorted[i]);
+            }
+            else {
+                if (clusterEvents.length > 0) {
+                    clusters.push({
+                        id: simpleHash(`cluster:${file}:${clusterEvents[0].id}`),
+                        rootEvent: clusterEvents[0],
+                        events: clusterEvents,
+                        commonFile: file,
+                        commonKind: getMostCommonKind(clusterEvents),
+                        severity: Math.min(5, clusterEvents.length),
+                    });
+                }
+                clusterEvents = [sorted[i]];
+            }
+        }
+        if (clusterEvents.length > 0) {
+            clusters.push({
+                id: simpleHash(`cluster:${file}:${clusterEvents[0].id}`),
+                rootEvent: clusterEvents[0],
+                events: clusterEvents,
+                commonFile: file,
+                commonKind: getMostCommonKind(clusterEvents),
+                severity: Math.min(5, clusterEvents.length),
+            });
+        }
+    }
+    // Time-based clusters for events without files
+    if (noFile.length > 0) {
+        const sorted = [...noFile].sort((a, b) => a.timestamp - b.timestamp);
+        let clusterEvents = [sorted[0]];
+        for (let i = 1; i < sorted.length; i++) {
+            if (sorted[i].timestamp - sorted[i - 1].timestamp <= windowMs) {
+                clusterEvents.push(sorted[i]);
+            }
+            else {
+                if (clusterEvents.length > 0) {
+                    clusters.push({
+                        id: simpleHash(`cluster:time:${clusterEvents[0].id}`),
+                        rootEvent: clusterEvents[0],
+                        events: clusterEvents,
+                        commonKind: getMostCommonKind(clusterEvents),
+                        severity: Math.min(5, clusterEvents.length),
+                    });
+                }
+                clusterEvents = [sorted[i]];
+            }
+        }
+        if (clusterEvents.length > 0) {
+            clusters.push({
+                id: simpleHash(`cluster:time:${clusterEvents[0].id}`),
+                rootEvent: clusterEvents[0],
+                events: clusterEvents,
+                commonKind: getMostCommonKind(clusterEvents),
+                severity: Math.min(5, clusterEvents.length),
+            });
+        }
+    }
+    return clusters.sort((a, b) => b.severity - a.severity);
+}
+function getMostCommonKind(events) {
+    const counts = new Map();
+    for (const e of events) {
+        counts.set(e.kind, (counts.get(e.kind) ?? 0) + 1);
+    }
+    let maxKind = events[0].kind;
+    let maxCount = 0;
+    for (const [kind, count] of counts) {
+        if (count > maxCount) {
+            maxKind = kind;
+            maxCount = count;
+        }
+    }
+    return maxKind;
+}
+// --- Encounter Mapping ---
+const KIND_TO_ENCOUNTER = {
+    [RUNTIME_EXCEPTION]: {
+        encounterType: 'monster',
+        severity: 3,
+        name: 'Runtime Wraith',
+    },
+    [TEST_SUITE_FAILED]: {
+        encounterType: 'monster',
+        severity: 2,
+        name: 'Test Phantom',
+    },
+    [BUILD_FAILED]: {
+        encounterType: 'monster',
+        severity: 2,
+        name: 'Build Specter',
+    },
+    [DEPLOYMENT_FAILED]: {
+        encounterType: 'boss',
+        severity: 4,
+        name: 'Deploy Colossus',
+    },
+};
+/**
+ * Map an execution event to a game encounter.
+ * Only failure events produce encounters.
+ * Returns null for non-failure events.
+ */
+export function mapToEncounter(event) {
+    const mapping = KIND_TO_ENCOUNTER[event.kind];
+    if (!mapping)
+        return null;
+    const description = event.payload.message
+        ? String(event.payload.message)
+        : `${event.kind} in ${event.context.file ?? 'unknown'}`;
+    return {
+        eventId: event.id,
+        encounterType: mapping.encounterType,
+        severity: mapping.severity,
+        name: mapping.name,
+        description,
+    };
+}
+//# sourceMappingURL=event-projections.js.map