@riotprompt/riotprompt 0.0.20 → 1.0.0

package/dist/security/cli-security.js

@@ -0,0 +1,302 @@
+import { z } from 'zod';
+import { PathGuard } from './path-guard.js';
+import { getAuditLogger } from './audit-logger.js';
+
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+/**
+ * Default CLI security configuration
+ */ const DEFAULT_CLI_SECURITY = {
+    enabled: true,
+    paths: {
+        enabled: true,
+        allowAbsolute: false,
+        allowSymlinks: false,
+        denyPatterns: [
+            '\\.\\.',
+            '~',
+            '\\$\\{',
+            '\\$\\('
+        ]
+    },
+    allowedExtensions: [
+        '.md',
+        '.json',
+        '.xml',
+        '.yaml',
+        '.yml',
+        '.txt'
+    ],
+    maxStringLength: 10000,
+    allowNullBytes: false,
+    allowControlChars: false
+};
+/**
+ * CLIValidator provides security validation for CLI inputs.
+ *
+ * Features:
+ * - Path validation with traversal prevention
+ * - String sanitization
+ * - Extension filtering
+ * - Audit logging
+ *
+ * @example
+ * ```typescript
+ * const validator = new CLIValidator();
+ *
+ * // Validate a path argument
+ * const pathResult = validator.validatePath('../../../etc/passwd');
+ * if (!pathResult.valid) {
+ *   console.error(pathResult.error);
+ *   process.exit(1);
+ * }
+ *
+ * // Validate a string argument
+ * const stringResult = validator.validateString(userInput);
+ * ```
+ */ class CLIValidator {
+    /**
+     * Validate a path argument
+     *
+     * @param inputPath - The path to validate
+     * @param options - Additional validation options
+     * @returns Validation result
+     */ validatePath(inputPath, options = {}) {
+        if (!this.config.enabled) {
+            return {
+                valid: true,
+                normalizedPath: inputPath
+            };
+        }
+        // First, validate with PathGuard
+        const pathResult = this.pathGuard.validate(inputPath, options.operation || 'cli');
+        if (!pathResult.valid) {
+            return pathResult;
+        }
+        // Check extension if requested
+        if (options.checkExtension && this.config.allowedExtensions.length > 0) {
+            const ext = inputPath.toLowerCase().split('.').pop();
+            const hasAllowedExt = this.config.allowedExtensions.some((allowed)=>inputPath.toLowerCase().endsWith(allowed));
+            if (!hasAllowedExt) {
+                this.auditLogger.log({
+                    type: 'path_traversal_blocked',
+                    severity: 'warning',
+                    message: `Invalid file extension: .${ext}`,
+                    context: {
+                        attemptedPath: inputPath
+                    }
+                });
+                return {
+                    valid: false,
+                    error: `Invalid file extension. Allowed: ${this.config.allowedExtensions.join(', ')}`
+                };
+            }
+        }
+        return pathResult;
+    }
+    /**
+     * Validate a string argument
+     *
+     * @param input - The string to validate
+     * @returns Validation result with sanitized string
+     */ validateString(input) {
+        if (!this.config.enabled) {
+            return {
+                valid: true,
+                sanitized: input
+            };
+        }
+        // Check length
+        if (input.length > this.config.maxStringLength) {
+            return {
+                valid: false,
+                error: `String too long (max ${this.config.maxStringLength} characters)`,
+                violation: 'length'
+            };
+        }
+        // Check for null bytes
+        if (!this.config.allowNullBytes && input.includes('\0')) {
+            this.auditLogger.log({
+                type: 'path_validation_failed',
+                severity: 'warning',
+                message: 'Null byte detected in input'
+            });
+            return {
+                valid: false,
+                error: 'Input contains invalid characters (null byte)',
+                violation: 'null_byte'
+            };
+        }
+        // Check for control characters (except common whitespace)
+        // Note: null bytes are handled separately above
+        if (!this.config.allowControlChars) {
+            // eslint-disable-next-line no-control-regex
+            const controlCharRegex = /[\x01-\x08\x0B\x0C\x0E-\x1F\x7F]/;
+            if (controlCharRegex.test(input)) {
+                this.auditLogger.log({
+                    type: 'path_validation_failed',
+                    severity: 'warning',
+                    message: 'Control character detected in input'
+                });
+                return {
+                    valid: false,
+                    error: 'Input contains invalid control characters',
+                    violation: 'control_char'
+                };
+            }
+        }
+        return {
+            valid: true,
+            sanitized: input
+        };
+    }
+    /**
+     * Validate a numeric argument
+     *
+     * @param input - The number to validate
+     * @param options - Validation options
+     * @returns Validation result
+     */ validateNumber(input, options = {}) {
+        if (!this.config.enabled) {
+            return {
+                valid: true
+            };
+        }
+        // Check NaN
+        if (Number.isNaN(input)) {
+            if (!options.allowNaN) {
+                return {
+                    valid: false,
+                    error: 'Value cannot be NaN'
+                };
+            }
+            // If NaN is allowed, skip other checks since they don't apply
+            return {
+                valid: true
+            };
+        }
+        // Check Infinity (only for non-NaN values)
+        if (!options.allowInfinity && !Number.isFinite(input)) {
+            return {
+                valid: false,
+                error: 'Value cannot be infinite'
+            };
+        }
+        // Check integer
+        if (options.integer && !Number.isInteger(input)) {
+            return {
+                valid: false,
+                error: 'Value must be an integer'
+            };
+        }
+        // Check min
+        if (options.min !== undefined && input < options.min) {
+            return {
+                valid: false,
+                error: `Value must be at least ${options.min}`
+            };
+        }
+        // Check max
+        if (options.max !== undefined && input > options.max) {
+            return {
+                valid: false,
+                error: `Value must be at most ${options.max}`
+            };
+        }
+        return {
+            valid: true
+        };
+    }
+    /**
+     * Create a Zod schema for secure path validation
+     */ securePathSchema(options = {}) {
+        return z.string().refine((val)=>this.validatePath(val, options).valid, {
+            message: 'Invalid path'
+        });
+    }
+    /**
+     * Create a Zod schema for secure string validation
+     */ secureStringSchema() {
+        return z.string().refine((val)=>this.validateString(val).valid, {
+            message: 'Invalid string'
+        });
+    }
+    /**
+     * Create a Zod schema for secure number validation
+     */ secureNumberSchema(options = {}) {
+        return z.number().refine((val)=>this.validateNumber(val, options).valid, {
+            message: 'Invalid number'
+        });
+    }
+    /**
+     * Get the underlying PathGuard
+     */ getPathGuard() {
+        return this.pathGuard;
+    }
+    /**
+     * Add a base path for path validation
+     */ addBasePath(basePath) {
+        this.pathGuard.addBasePath(basePath);
+    }
+    constructor(config = {}){
+        _define_property(this, "config", void 0);
+        _define_property(this, "pathGuard", void 0);
+        _define_property(this, "auditLogger", void 0);
+        this.config = {
+            ...DEFAULT_CLI_SECURITY,
+            ...config,
+            paths: {
+                ...DEFAULT_CLI_SECURITY.paths,
+                ...config.paths
+            }
+        };
+        this.pathGuard = new PathGuard(this.config.paths);
+        this.auditLogger = getAuditLogger();
+    }
+}
+/**
+ * Create a CLI validator with RiotPrompt defaults
+ */ function createRiotPromptValidator(basePaths) {
+    const validator = new CLIValidator({
+        paths: {
+            basePaths: basePaths || [
+                process.cwd()
+            ]
+        }
+    });
+    return validator;
+}
+// Global instance
+let globalCLIValidator = null;
+/**
+ * Get the global CLI validator
+ */ function getCLIValidator() {
+    if (!globalCLIValidator) {
+        globalCLIValidator = new CLIValidator();
+    }
+    return globalCLIValidator;
+}
+/**
+ * Configure the global CLI validator
+ */ function configureCLIValidator(config) {
+    globalCLIValidator = new CLIValidator(config);
+}
+/**
+ * Reset the global CLI validator
+ */ function resetCLIValidator() {
+    globalCLIValidator = null;
+}
+
+export { CLIValidator, DEFAULT_CLI_SECURITY, configureCLIValidator, createRiotPromptValidator, getCLIValidator, resetCLIValidator };
+//# sourceMappingURL=cli-security.js.map

package/dist/security/cli-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-security.js","sources":["../../src/security/cli-security.ts"],"sourcesContent":["/**\n * RiotPrompt - CLI Security\n *\n * Provides security validation for CLI inputs using the existing\n * security infrastructure.\n */\n\nimport { z } from 'zod';\nimport { PathGuard, type PathSecurityConfig } from './path-guard';\nimport { getAuditLogger, SecurityAuditLogger } from './audit-logger';\n\n/**\n * CLI Security configuration\n */\nexport interface CLISecurityConfig {\n    /** Enable CLI security validation */\n    enabled: boolean;\n    /** Path security configuration */\n    paths: Partial<PathSecurityConfig>;\n    /** Allowed file extensions for input files */\n    allowedExtensions: string[];\n    /** Maximum string length for inputs */\n    maxStringLength: number;\n    /** Allow null bytes in strings */\n    allowNullBytes: boolean;\n    /** Allow control characters in strings */\n    allowControlChars: boolean;\n}\n\n/**\n * Default CLI security configuration\n */\nexport const DEFAULT_CLI_SECURITY: CLISecurityConfig = {\n    enabled: true,\n    paths: {\n        enabled: true,\n        allowAbsolute: false,\n        allowSymlinks: false,\n        denyPatterns: [\n            '\\\\.\\\\.',        // Parent directory\n            '~',             // Home directory expansion\n            '\\\\$\\\\{',        // Variable expansion\n            '\\\\$\\\\(',        // Command substitution\n        ],\n    },\n    allowedExtensions: ['.md', '.json', '.xml', '.yaml', '.yml', '.txt'],\n    maxStringLength: 10000,\n    allowNullBytes: false,\n    allowControlChars: false,\n};\n\n/**\n * String validation result\n */\nexport interface StringValidationResult {\n    valid: boolean;\n    sanitized?: string;\n    error?: string;\n    violation?: string;\n}\n\n/**\n * CLIValidator provides security validation for CLI inputs.\n *\n * Features:\n * - Path validation with traversal prevention\n * - String sanitization\n * - Extension filtering\n * - Audit logging\n *\n * @example\n * ```typescript\n * const validator = new CLIValidator();\n *\n * // Validate a path argument\n * const pathResult = validator.validatePath('../../../etc/passwd');\n * if (!pathResult.valid) {\n *   console.error(pathResult.error);\n *   process.exit(1);\n * }\n *\n * // Validate a string argument\n * const stringResult = validator.validateString(userInput);\n * ```\n */\nexport class CLIValidator {\n    private config: CLISecurityConfig;\n    private pathGuard: PathGuard;\n    private auditLogger: SecurityAuditLogger;\n\n    constructor(config: Partial<CLISecurityConfig> = {}) {\n        this.config = {\n            ...DEFAULT_CLI_SECURITY,\n            ...config,\n            paths: { ...DEFAULT_CLI_SECURITY.paths, ...config.paths },\n        };\n        this.pathGuard = new PathGuard(this.config.paths);\n        this.auditLogger = getAuditLogger();\n    }\n\n    /**\n     * Validate a path argument\n     *\n     * @param inputPath - The path to validate\n     * @param options - Additional validation options\n     * @returns Validation result\n     */\n    validatePath(inputPath: string, options: {\n        checkExtension?: boolean;\n        operation?: string;\n    } = {}): { valid: boolean; normalizedPath?: string; error?: string } {\n        if (!this.config.enabled) {\n            return { valid: true, normalizedPath: inputPath };\n        }\n\n        // First, validate with PathGuard\n        const pathResult = this.pathGuard.validate(inputPath, options.operation || 'cli');\n        if (!pathResult.valid) {\n            return pathResult;\n        }\n\n        // Check extension if requested\n        if (options.checkExtension && this.config.allowedExtensions.length > 0) {\n            const ext = inputPath.toLowerCase().split('.').pop();\n            const hasAllowedExt = this.config.allowedExtensions.some(\n                allowed => inputPath.toLowerCase().endsWith(allowed)\n            );\n\n            if (!hasAllowedExt) {\n                this.auditLogger.log({\n                    type: 'path_traversal_blocked',\n                    severity: 'warning',\n                    message: `Invalid file extension: .${ext}`,\n                    context: { attemptedPath: inputPath },\n                });\n                return {\n                    valid: false,\n                    error: `Invalid file extension. Allowed: ${this.config.allowedExtensions.join(', ')}`,\n                };\n            }\n        }\n\n        return pathResult;\n    }\n\n    /**\n     * Validate a string argument\n     *\n     * @param input - The string to validate\n     * @returns Validation result with sanitized string\n     */\n    validateString(input: string): StringValidationResult {\n        if (!this.config.enabled) {\n            return { valid: true, sanitized: input };\n        }\n\n        // Check length\n        if (input.length > this.config.maxStringLength) {\n            return {\n                valid: false,\n                error: `String too long (max ${this.config.maxStringLength} characters)`,\n                violation: 'length',\n            };\n        }\n\n        // Check for null bytes\n        if (!this.config.allowNullBytes && input.includes('\\0')) {\n            this.auditLogger.log({\n                type: 'path_validation_failed',\n                severity: 'warning',\n                message: 'Null byte detected in input',\n            });\n            return {\n                valid: false,\n                error: 'Input contains invalid characters (null byte)',\n                violation: 'null_byte',\n            };\n        }\n\n        // Check for control characters (except common whitespace)\n        // Note: null bytes are handled separately above\n        if (!this.config.allowControlChars) {\n            // eslint-disable-next-line no-control-regex\n            const controlCharRegex = /[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]/;\n            if (controlCharRegex.test(input)) {\n                this.auditLogger.log({\n                    type: 'path_validation_failed',\n                    severity: 'warning',\n                    message: 'Control character detected in input',\n                });\n                return {\n                    valid: false,\n                    error: 'Input contains invalid control characters',\n                    violation: 'control_char',\n                };\n            }\n        }\n\n        return { valid: true, sanitized: input };\n    }\n\n    /**\n     * Validate a numeric argument\n     *\n     * @param input - The number to validate\n     * @param options - Validation options\n     * @returns Validation result\n     */\n    validateNumber(input: number, options: {\n        min?: number;\n        max?: number;\n        integer?: boolean;\n        allowNaN?: boolean;\n        allowInfinity?: boolean;\n    } = {}): { valid: boolean; error?: string } {\n        if (!this.config.enabled) {\n            return { valid: true };\n        }\n\n        // Check NaN\n        if (Number.isNaN(input)) {\n            if (!options.allowNaN) {\n                return { valid: false, error: 'Value cannot be NaN' };\n            }\n            // If NaN is allowed, skip other checks since they don't apply\n            return { valid: true };\n        }\n\n        // Check Infinity (only for non-NaN values)\n        if (!options.allowInfinity && !Number.isFinite(input)) {\n            return { valid: false, error: 'Value cannot be infinite' };\n        }\n\n        // Check integer\n        if (options.integer && !Number.isInteger(input)) {\n            return { valid: false, error: 'Value must be an integer' };\n        }\n\n        // Check min\n        if (options.min !== undefined && input < options.min) {\n            return { valid: false, error: `Value must be at least ${options.min}` };\n        }\n\n        // Check max\n        if (options.max !== undefined && input > options.max) {\n            return { valid: false, error: `Value must be at most ${options.max}` };\n        }\n\n        return { valid: true };\n    }\n\n    /**\n     * Create a Zod schema for secure path validation\n     */\n    securePathSchema(options: {\n        checkExtension?: boolean;\n    } = {}) {\n        return z.string().refine(\n            (val: string) => this.validatePath(val, options).valid,\n            { message: 'Invalid path' }\n        );\n    }\n\n    /**\n     * Create a Zod schema for secure string validation\n     */\n    secureStringSchema() {\n        return z.string().refine(\n            (val: string) => this.validateString(val).valid,\n            { message: 'Invalid string' }\n        );\n    }\n\n    /**\n     * Create a Zod schema for secure number validation\n     */\n    secureNumberSchema(options: {\n        min?: number;\n        max?: number;\n        integer?: boolean;\n    } = {}) {\n        return z.number().refine(\n            (val: number) => this.validateNumber(val, options).valid,\n            { message: 'Invalid number' }\n        );\n    }\n\n    /**\n     * Get the underlying PathGuard\n     */\n    getPathGuard(): PathGuard {\n        return this.pathGuard;\n    }\n\n    /**\n     * Add a base path for path validation\n     */\n    addBasePath(basePath: string): void {\n        this.pathGuard.addBasePath(basePath);\n    }\n}\n\n/**\n * Create a CLI validator with RiotPrompt defaults\n */\nexport function createRiotPromptValidator(basePaths?: string[]): CLIValidator {\n    const validator = new CLIValidator({\n        paths: {\n            basePaths: basePaths || [process.cwd()],\n        },\n    });\n    return validator;\n}\n\n// Global instance\nlet globalCLIValidator: CLIValidator | null = null;\n\n/**\n * Get the global CLI validator\n */\nexport function getCLIValidator(): CLIValidator {\n    if (!globalCLIValidator) {\n        globalCLIValidator = new CLIValidator();\n    }\n    return globalCLIValidator;\n}\n\n/**\n * Configure the global CLI validator\n */\nexport function configureCLIValidator(config: Partial<CLISecurityConfig>): void {\n    globalCLIValidator = new CLIValidator(config);\n}\n\n/**\n * Reset the global CLI validator\n */\nexport function resetCLIValidator(): void {\n    globalCLIValidator = null;\n}\n\n"],"names":["DEFAULT_CLI_SECURITY","enabled","paths","allowAbsolute","allowSymlinks","denyPatterns","allowedExtensions","maxStringLength","allowNullBytes","allowControlChars","CLIValidator","validatePath","inputPath","options","config","valid","normalizedPath","pathResult","pathGuard","validate","operation","checkExtension","length","ext","toLowerCase","split","pop","hasAllowedExt","some","allowed","endsWith","auditLogger","log","type","severity","message","context","attemptedPath","error","join","validateString","input","sanitized","violation","includes","controlCharRegex","test","validateNumber","Number","isNaN","allowNaN","allowInfinity","isFinite","integer","isInteger","min","undefined","max","securePathSchema","z","string","refine","val","secureStringSchema","secureNumberSchema","number","getPathGuard","addBasePath","basePath","PathGuard","getAuditLogger","createRiotPromptValidator","basePaths","validator","process","cwd","globalCLIValidator","getCLIValidator","configureCLIValidator","resetCLIValidator"],"mappings":";;;;;;;;;;;;;;;;;AA6BA;;UAGaA,oBAAAA,GAA0C;IACnDC,OAAAA,EAAS,IAAA;IACTC,KAAAA,EAAO;QACHD,OAAAA,EAAS,IAAA;QACTE,aAAAA,EAAe,KAAA;QACfC,aAAAA,EAAe,KAAA;QACfC,YAAAA,EAAc;AACV,YAAA,QAAA;AACA,YAAA,GAAA;AACA,YAAA,QAAA;AACA,YAAA;AACH;AACL,KAAA;IACAC,iBAAAA,EAAmB;AAAC,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,MAAA;AAAQ,QAAA,OAAA;AAAS,QAAA,MAAA;AAAQ,QAAA;AAAO,KAAA;IACpEC,eAAAA,EAAiB,KAAA;IACjBC,cAAAA,EAAgB,KAAA;IAChBC,iBAAAA,EAAmB;AACvB;AAYA;;;;;;;;;;;;;;;;;;;;;;;AAuBC,IACM,MAAMC,YAAAA,CAAAA;AAeT;;;;;;AAMC,QACDC,aAAaC,SAAiB,EAAEC,OAAAA,GAG5B,EAAE,EAA+D;AACjE,QAAA,IAAI,CAAC,IAAI,CAACC,MAAM,CAACb,OAAO,EAAE;YACtB,OAAO;gBAAEc,KAAAA,EAAO,IAAA;gBAAMC,cAAAA,EAAgBJ;AAAU,aAAA;AACpD,QAAA;;QAGA,MAAMK,UAAAA,GAAa,IAAI,CAACC,SAAS,CAACC,QAAQ,CAACP,SAAAA,EAAWC,OAAAA,CAAQO,SAAS,IAAI,KAAA,CAAA;QAC3E,IAAI,CAACH,UAAAA,CAAWF,KAAK,EAAE;YACnB,OAAOE,UAAAA;AACX,QAAA;;QAGA,IAAIJ,OAAAA,CAAQQ,cAAc,IAAI,IAAI,CAACP,MAAM,CAACR,iBAAiB,CAACgB,MAAM,GAAG,CAAA,EAAG;AACpE,YAAA,MAAMC,MAAMX,SAAAA,CAAUY,WAAW,GAAGC,KAAK,CAAC,KAAKC,GAAG,EAAA;AAClD,YAAA,MAAMC,aAAAA,GAAgB,IAAI,CAACb,MAAM,CAACR,iBAAiB,CAACsB,IAAI,CACpDC,CAAAA,OAAAA,GAAWjB,SAAAA,CAAUY,WAAW,EAAA,CAAGM,QAAQ,CAACD,OAAAA,CAAAA,CAAAA;AAGhD,YAAA,IAAI,CAACF,aAAAA,EAAe;AAChB,gBAAA,IAAI,CAACI,WAAW,CAACC,GAAG,CAAC;oBACjBC,IAAAA,EAAM,wBAAA;oBACNC,QAAAA,EAAU,SAAA;oBACVC,OAAAA,EAAS,CAAC,yBAAyB,EAAEZ,GAAAA,CAAAA,CAAK;oBAC1Ca,OAAAA,EAAS;wBAAEC,aAAAA,EAAezB;AAAU;AACxC,iBAAA,CAAA;gBACA,OAAO;oBACHG,KAAAA,EAAO,KAAA;oBACPuB,KAAAA,EAAO,CAAC,iCAAiC,EAAE,IAAI,CAACxB,MAAM,CAACR,iBAAiB,CAACiC,IAAI,CAAC,IAAA,CAAA,CAAA;AAClF,iBAAA;AACJ,YAAA;AACJ,QAAA;QAEA,OAAOtB,UAAAA;AACX,IAAA;AAEA;;;;;QAMAuB,cAAAA,CAAeC,KAAa,EAA0B;AAClD,QAAA,IAAI,CAAC,IAAI,CAAC3B,MAAM,CAACb,OAAO,EAAE;YACtB,OAAO;gBAAEc,KAAAA,EAAO,IAAA;gBAAM2B,SAAAA,EAAWD;AAAM,aAAA;AAC3C,QAAA;;QAGA,IAAIA,KAAAA,CAAMnB,MAAM,GAAG,IAAI,CAACR,MAAM,CAACP,eAAe,EAAE;YAC5C,OAAO;gBACHQ,KAAAA,EAAO,KAAA;gBACPuB,KAAAA,EAAO,CAAC,qBAAqB,EAAE,IAAI,CAACxB,MAAM,CAACP,eAAe,CAAC,YAAY,CAAC;gBACxEoC,SAAAA,EAAW;AACf,aAAA;AACJ,QAAA;;QAGA,IAAI,CAAC,IAAI,CAAC7B,MAAM,CAACN,cAAc,IAAIiC,KAAAA,CAAMG,QAAQ,CAAC,IAAA,CAAA,EAAO;AACrD,YAAA,IAAI,CAACb,WAAW,CAACC,GAAG,CAAC;gBACjBC,IAAAA,EAAM,wBAAA;gBACNC,QAAAA,EAAU,SAAA;gBACVC,OAAAA,EAAS;AACb,aAAA,CAAA;YACA,OAAO;gBACHpB,KAAAA,EAAO,KAAA;gBACPuB,KAAAA,EAAO,+CAAA;gBACPK,SAAAA,EAAW;AACf,aAAA;AACJ,QAAA;;;AAIA,QAAA,IAAI,CAAC,IAAI,CAAC7B,MAAM,CAACL,iBAAiB,EAAE;;AAEhC,YAAA,MAAMoC,gBAAAA,GAAmB,kCAAA;YACzB,IAAIA,gBAAAA,CAAiBC,IAAI,CAACL,KAAAA,CAAAA,EAAQ;AAC9B,gBAAA,IAAI,CAACV,WAAW,CAACC,GAAG,CAAC;oBACjBC,IAAAA,EAAM,wBAAA;oBACNC,QAAAA,EAAU,SAAA;oBACVC,OAAAA,EAAS;AACb,iBAAA,CAAA;gBACA,OAAO;oBACHpB,KAAAA,EAAO,KAAA;oBACPuB,KAAAA,EAAO,2CAAA;oBACPK,SAAAA,EAAW;AACf,iBAAA;AACJ,YAAA;AACJ,QAAA;QAEA,OAAO;YAAE5B,KAAAA,EAAO,IAAA;YAAM2B,SAAAA,EAAWD;AAAM,SAAA;AAC3C,IAAA;AAEA;;;;;;AAMC,QACDM,eAAeN,KAAa,EAAE5B,OAAAA,GAM1B,EAAE,EAAsC;AACxC,QAAA,IAAI,CAAC,IAAI,CAACC,MAAM,CAACb,OAAO,EAAE;YACtB,OAAO;gBAAEc,KAAAA,EAAO;AAAK,aAAA;AACzB,QAAA;;QAGA,IAAIiC,MAAAA,CAAOC,KAAK,CAACR,KAAAA,CAAAA,EAAQ;YACrB,IAAI,CAAC5B,OAAAA,CAAQqC,QAAQ,EAAE;gBACnB,OAAO;oBAAEnC,KAAAA,EAAO,KAAA;oBAAOuB,KAAAA,EAAO;AAAsB,iBAAA;AACxD,YAAA;;YAEA,OAAO;gBAAEvB,KAAAA,EAAO;AAAK,aAAA;AACzB,QAAA;;QAGA,IAAI,CAACF,QAAQsC,aAAa,IAAI,CAACH,MAAAA,CAAOI,QAAQ,CAACX,KAAAA,CAAAA,EAAQ;YACnD,OAAO;gBAAE1B,KAAAA,EAAO,KAAA;gBAAOuB,KAAAA,EAAO;AAA2B,aAAA;AAC7D,QAAA;;AAGA,QAAA,IAAIzB,QAAQwC,OAAO,IAAI,CAACL,MAAAA,CAAOM,SAAS,CAACb,KAAAA,CAAAA,EAAQ;YAC7C,OAAO;gBAAE1B,KAAAA,EAAO,KAAA;gBAAOuB,KAAAA,EAAO;AAA2B,aAAA;AAC7D,QAAA;;AAGA,QAAA,IAAIzB,QAAQ0C,GAAG,KAAKC,aAAaf,KAAAA,GAAQ5B,OAAAA,CAAQ0C,GAAG,EAAE;YAClD,OAAO;gBAAExC,KAAAA,EAAO,KAAA;AAAOuB,gBAAAA,KAAAA,EAAO,CAAC,uBAAuB,EAAEzB,OAAAA,CAAQ0C,GAAG,CAAA;AAAG,aAAA;AAC1E,QAAA;;AAGA,QAAA,IAAI1C,QAAQ4C,GAAG,KAAKD,aAAaf,KAAAA,GAAQ5B,OAAAA,CAAQ4C,GAAG,EAAE;YAClD,OAAO;gBAAE1C,KAAAA,EAAO,KAAA;AAAOuB,gBAAAA,KAAAA,EAAO,CAAC,sBAAsB,EAAEzB,OAAAA,CAAQ4C,GAAG,CAAA;AAAG,aAAA;AACzE,QAAA;QAEA,OAAO;YAAE1C,KAAAA,EAAO;AAAK,SAAA;AACzB,IAAA;AAEA;;AAEC,QACD2C,gBAAAA,CAAiB7C,OAAAA,GAEb,EAAE,EAAE;AACJ,QAAA,OAAO8C,CAAAA,CAAEC,MAAM,EAAA,CAAGC,MAAM,CACpB,CAACC,GAAAA,GAAgB,IAAI,CAACnD,YAAY,CAACmD,GAAAA,EAAKjD,OAAAA,CAAAA,CAASE,KAAK,EACtD;YAAEoB,OAAAA,EAAS;AAAe,SAAA,CAAA;AAElC,IAAA;AAEA;;AAEC,QACD4B,kBAAAA,GAAqB;AACjB,QAAA,OAAOJ,CAAAA,CAAEC,MAAM,EAAA,CAAGC,MAAM,CACpB,CAACC,GAAAA,GAAgB,IAAI,CAACtB,cAAc,CAACsB,GAAAA,CAAAA,CAAK/C,KAAK,EAC/C;YAAEoB,OAAAA,EAAS;AAAiB,SAAA,CAAA;AAEpC,IAAA;AAEA;;AAEC,QACD6B,kBAAAA,CAAmBnD,OAAAA,GAIf,EAAE,EAAE;AACJ,QAAA,OAAO8C,CAAAA,CAAEM,MAAM,EAAA,CAAGJ,MAAM,CACpB,CAACC,GAAAA,GAAgB,IAAI,CAACf,cAAc,CAACe,GAAAA,EAAKjD,OAAAA,CAAAA,CAASE,KAAK,EACxD;YAAEoB,OAAAA,EAAS;AAAiB,SAAA,CAAA;AAEpC,IAAA;AAEA;;AAEC,QACD+B,YAAAA,GAA0B;QACtB,OAAO,IAAI,CAAChD,SAAS;AACzB,IAAA;AAEA;;QAGAiD,WAAAA,CAAYC,QAAgB,EAAQ;AAChC,QAAA,IAAI,CAAClD,SAAS,CAACiD,WAAW,CAACC,QAAAA,CAAAA;AAC/B,IAAA;IAjNA,WAAA,CAAYtD,MAAAA,GAAqC,EAAE,CAAE;AAJrD,QAAA,gBAAA,CAAA,IAAA,EAAQA,UAAR,MAAA,CAAA;AACA,QAAA,gBAAA,CAAA,IAAA,EAAQI,aAAR,MAAA,CAAA;AACA,QAAA,gBAAA,CAAA,IAAA,EAAQa,eAAR,MAAA,CAAA;QAGI,IAAI,CAACjB,MAAM,GAAG;AACV,YAAA,GAAGd,oBAAoB;AACvB,YAAA,GAAGc,MAAM;YACTZ,KAAAA,EAAO;AAAE,gBAAA,GAAGF,qBAAqBE,KAAK;AAAE,gBAAA,GAAGY,OAAOZ;AAAM;AAC5D,SAAA;QACA,IAAI,CAACgB,SAAS,GAAG,IAAImD,UAAU,IAAI,CAACvD,MAAM,CAACZ,KAAK,CAAA;QAChD,IAAI,CAAC6B,WAAW,GAAGuC,cAAAA,EAAAA;AACvB,IAAA;AA0MJ;AAEA;;IAGO,SAASC,yBAAAA,CAA0BC,SAAoB,EAAA;IAC1D,MAAMC,SAAAA,GAAY,IAAI/D,YAAAA,CAAa;QAC/BR,KAAAA,EAAO;AACHsE,YAAAA,SAAAA,EAAWA,SAAAA,IAAa;AAACE,gBAAAA,OAAAA,CAAQC,GAAG;AAAG;AAC3C;AACJ,KAAA,CAAA;IACA,OAAOF,SAAAA;AACX;AAEA;AACA,IAAIG,kBAAAA,GAA0C,IAAA;AAE9C;;AAEC,IACM,SAASC,eAAAA,GAAAA;AACZ,IAAA,IAAI,CAACD,kBAAAA,EAAoB;AACrBA,QAAAA,kBAAAA,GAAqB,IAAIlE,YAAAA,EAAAA;AAC7B,IAAA;IACA,OAAOkE,kBAAAA;AACX;AAEA;;IAGO,SAASE,qBAAAA,CAAsBhE,MAAkC,EAAA;AACpE8D,IAAAA,kBAAAA,GAAqB,IAAIlE,YAAAA,CAAaI,MAAAA,CAAAA;AAC1C;AAEA;;AAEC,IACM,SAASiE,iBAAAA,GAAAA;IACZH,kBAAAA,GAAqB,IAAA;AACzB;;;;"}

package/dist/security/defaults.d.ts

@@ -0,0 +1,31 @@
+import { SecurityConfig, PathSecurityConfig, ToolSecurityConfig, SecretSecurityConfig, LogSecurityConfig, TimeoutConfig } from './types';
+/**
+ * Deep partial type for recursive partial objects
+ */
+export type DeepPartial<T> = {
+    [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P];
+};
+/**
+ * User configuration with all fields optional (including nested)
+ */
+export type UserSecurityConfig = {
+    paths?: Partial<PathSecurityConfig>;
+    tools?: Partial<ToolSecurityConfig>;
+    secrets?: Partial<SecretSecurityConfig>;
+    logging?: Partial<LogSecurityConfig>;
+    timeouts?: Partial<TimeoutConfig>;
+};
+/**
+ * Secure default configuration
+ * All security features enabled by default
+ */
+export declare const SECURE_DEFAULTS: SecurityConfig;
+/**
+ * Permissive configuration for development/testing
+ * Security features disabled for convenience
+ */
+export declare const PERMISSIVE_DEFAULTS: SecurityConfig;
+/**
+ * Merge user configuration with defaults
+ */
+export declare function mergeSecurityConfig(userConfig: UserSecurityConfig | undefined, defaults?: SecurityConfig): SecurityConfig;

package/dist/security/defaults.js

@@ -0,0 +1,72 @@
+import { SecurityConfigSchema } from './types.js';
+
+/**
+ * Secure default configuration
+ * All security features enabled by default
+ */ const SECURE_DEFAULTS = SecurityConfigSchema.parse({});
+/**
+ * Permissive configuration for development/testing
+ * Security features disabled for convenience
+ */ const PERMISSIVE_DEFAULTS = {
+    paths: {
+        enabled: false,
+        basePaths: [],
+        allowAbsolute: true,
+        allowSymlinks: true,
+        denyPatterns: []
+    },
+    tools: {
+        enabled: false,
+        validateParams: false,
+        sandboxExecution: false,
+        maxExecutionTime: 0,
+        maxConcurrentCalls: 0,
+        deniedTools: []
+    },
+    secrets: {
+        enabled: false,
+        redactInLogs: false,
+        redactInErrors: false,
+        patterns: [],
+        customPatterns: []
+    },
+    logging: {
+        enabled: false,
+        auditSecurityEvents: false,
+        sanitizeStackTraces: false,
+        maxContentLength: Number.MAX_SAFE_INTEGER
+    },
+    timeouts: {
+        enabled: false,
+        defaultTimeout: 0,
+        llmTimeout: 0,
+        toolTimeout: 0,
+        fileTimeout: 0
+    }
+};
+/**
+ * Merge user configuration with defaults
+ */ function mergeSecurityConfig(userConfig, defaults = SECURE_DEFAULTS) {
+    if (!userConfig) return defaults;
+    // Deep merge each section
+    const merged = {
+        paths: mergeSection(defaults.paths, userConfig.paths),
+        tools: mergeSection(defaults.tools, userConfig.tools),
+        secrets: mergeSection(defaults.secrets, userConfig.secrets),
+        logging: mergeSection(defaults.logging, userConfig.logging),
+        timeouts: mergeSection(defaults.timeouts, userConfig.timeouts)
+    };
+    return merged;
+}
+/**
+ * Helper to merge a single section
+ */ function mergeSection(defaultSection, userSection) {
+    if (!userSection) return defaultSection;
+    return {
+        ...defaultSection,
+        ...userSection
+    };
+}
+
+export { PERMISSIVE_DEFAULTS, SECURE_DEFAULTS, mergeSecurityConfig };
+//# sourceMappingURL=defaults.js.map

package/dist/security/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","sources":["../../src/security/defaults.ts"],"sourcesContent":["import { \n    SecurityConfig, \n    SecurityConfigSchema,\n    PathSecurityConfig,\n    ToolSecurityConfig,\n    SecretSecurityConfig,\n    LogSecurityConfig,\n    TimeoutConfig,\n} from './types';\n\n/**\n * Deep partial type for recursive partial objects\n */\nexport type DeepPartial<T> = {\n    [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P];\n};\n\n/**\n * User configuration with all fields optional (including nested)\n */\nexport type UserSecurityConfig = {\n    paths?: Partial<PathSecurityConfig>;\n    tools?: Partial<ToolSecurityConfig>;\n    secrets?: Partial<SecretSecurityConfig>;\n    logging?: Partial<LogSecurityConfig>;\n    timeouts?: Partial<TimeoutConfig>;\n};\n\n/**\n * Secure default configuration\n * All security features enabled by default\n */\nexport const SECURE_DEFAULTS: SecurityConfig = SecurityConfigSchema.parse({});\n\n/**\n * Permissive configuration for development/testing\n * Security features disabled for convenience\n */\nexport const PERMISSIVE_DEFAULTS: SecurityConfig = {\n    paths: { \n        enabled: false, \n        basePaths: [], \n        allowAbsolute: true, \n        allowSymlinks: true, \n        denyPatterns: [] \n    },\n    tools: { \n        enabled: false, \n        validateParams: false, \n        sandboxExecution: false, \n        maxExecutionTime: 0, \n        maxConcurrentCalls: 0, \n        deniedTools: [] \n    },\n    secrets: { \n        enabled: false, \n        redactInLogs: false, \n        redactInErrors: false, \n        patterns: [], \n        customPatterns: [] \n    },\n    logging: { \n        enabled: false, \n        auditSecurityEvents: false, \n        sanitizeStackTraces: false, \n        maxContentLength: Number.MAX_SAFE_INTEGER \n    },\n    timeouts: { \n        enabled: false, \n        defaultTimeout: 0, \n        llmTimeout: 0, \n        toolTimeout: 0, \n        fileTimeout: 0 \n    },\n};\n\n/**\n * Merge user configuration with defaults\n */\nexport function mergeSecurityConfig(\n    userConfig: UserSecurityConfig | undefined,\n    defaults: SecurityConfig = SECURE_DEFAULTS\n): SecurityConfig {\n    if (!userConfig) return defaults;\n  \n    // Deep merge each section\n    const merged: SecurityConfig = {\n        paths: mergeSection(defaults.paths, userConfig.paths),\n        tools: mergeSection(defaults.tools, userConfig.tools),\n        secrets: mergeSection(defaults.secrets, userConfig.secrets),\n        logging: mergeSection(defaults.logging, userConfig.logging),\n        timeouts: mergeSection(defaults.timeouts, userConfig.timeouts),\n    };\n  \n    return merged;\n}\n\n/**\n * Helper to merge a single section\n */\nfunction mergeSection<T extends Record<string, unknown>>(\n    defaultSection: T,\n    userSection: Partial<T> | undefined\n): T {\n    if (!userSection) return defaultSection;\n    return { ...defaultSection, ...userSection };\n}\n"],"names":["SECURE_DEFAULTS","SecurityConfigSchema","parse","PERMISSIVE_DEFAULTS","paths","enabled","basePaths","allowAbsolute","allowSymlinks","denyPatterns","tools","validateParams","sandboxExecution","maxExecutionTime","maxConcurrentCalls","deniedTools","secrets","redactInLogs","redactInErrors","patterns","customPatterns","logging","auditSecurityEvents","sanitizeStackTraces","maxContentLength","Number","MAX_SAFE_INTEGER","timeouts","defaultTimeout","llmTimeout","toolTimeout","fileTimeout","mergeSecurityConfig","userConfig","defaults","merged","mergeSection","defaultSection","userSection"],"mappings":";;AA4BA;;;AAGC,IACM,MAAMA,eAAAA,GAAkCC,qBAAqBC,KAAK,CAAC,EAAC;AAE3E;;;UAIaC,mBAAAA,GAAsC;IAC/CC,KAAAA,EAAO;QACHC,OAAAA,EAAS,KAAA;AACTC,QAAAA,SAAAA,EAAW,EAAE;QACbC,aAAAA,EAAe,IAAA;QACfC,aAAAA,EAAe,IAAA;AACfC,QAAAA,YAAAA,EAAc;AAClB,KAAA;IACAC,KAAAA,EAAO;QACHL,OAAAA,EAAS,KAAA;QACTM,cAAAA,EAAgB,KAAA;QAChBC,gBAAAA,EAAkB,KAAA;QAClBC,gBAAAA,EAAkB,CAAA;QAClBC,kBAAAA,EAAoB,CAAA;AACpBC,QAAAA,WAAAA,EAAa;AACjB,KAAA;IACAC,OAAAA,EAAS;QACLX,OAAAA,EAAS,KAAA;QACTY,YAAAA,EAAc,KAAA;QACdC,cAAAA,EAAgB,KAAA;AAChBC,QAAAA,QAAAA,EAAU,EAAE;AACZC,QAAAA,cAAAA,EAAgB;AACpB,KAAA;IACAC,OAAAA,EAAS;QACLhB,OAAAA,EAAS,KAAA;QACTiB,mBAAAA,EAAqB,KAAA;QACrBC,mBAAAA,EAAqB,KAAA;AACrBC,QAAAA,gBAAAA,EAAkBC,OAAOC;AAC7B,KAAA;IACAC,QAAAA,EAAU;QACNtB,OAAAA,EAAS,KAAA;QACTuB,cAAAA,EAAgB,CAAA;QAChBC,UAAAA,EAAY,CAAA;QACZC,WAAAA,EAAa,CAAA;QACbC,WAAAA,EAAa;AACjB;AACJ;AAEA;;AAEC,IACM,SAASC,mBAAAA,CACZC,UAA0C,EAC1CC,WAA2BlC,eAAe,EAAA;IAE1C,IAAI,CAACiC,YAAY,OAAOC,QAAAA;;AAGxB,IAAA,MAAMC,MAAAA,GAAyB;AAC3B/B,QAAAA,KAAAA,EAAOgC,YAAAA,CAAaF,QAAAA,CAAS9B,KAAK,EAAE6B,WAAW7B,KAAK,CAAA;AACpDM,QAAAA,KAAAA,EAAO0B,YAAAA,CAAaF,QAAAA,CAASxB,KAAK,EAAEuB,WAAWvB,KAAK,CAAA;AACpDM,QAAAA,OAAAA,EAASoB,YAAAA,CAAaF,QAAAA,CAASlB,OAAO,EAAEiB,WAAWjB,OAAO,CAAA;AAC1DK,QAAAA,OAAAA,EAASe,YAAAA,CAAaF,QAAAA,CAASb,OAAO,EAAEY,WAAWZ,OAAO,CAAA;AAC1DM,QAAAA,QAAAA,EAAUS,YAAAA,CAAaF,QAAAA,CAASP,QAAQ,EAAEM,WAAWN,QAAQ;AACjE,KAAA;IAEA,OAAOQ,MAAAA;AACX;AAEA;;AAEC,IACD,SAASC,YAAAA,CACLC,cAAiB,EACjBC,WAAmC,EAAA;IAEnC,IAAI,CAACA,aAAa,OAAOD,cAAAA;IACzB,OAAO;AAAE,QAAA,GAAGA,cAAc;AAAE,QAAA,GAAGC;AAAY,KAAA;AAC/C;;;;"}

package/dist/security/events.d.ts

@@ -0,0 +1,8 @@
+export type SecurityEventType = 'path_validation_failed' | 'path_traversal_blocked' | 'tool_validation_failed' | 'tool_execution_blocked' | 'tool_timeout' | 'secret_redacted' | 'api_key_used' | 'deserialization_failed' | 'regex_timeout' | 'regex_blocked' | 'input_validation_failed' | 'request_timeout' | 'rate_limit_exceeded';
+export interface SecurityEvent {
+    type: SecurityEventType;
+    timestamp: Date;
+    severity: 'info' | 'warning' | 'error' | 'critical';
+    message: string;
+    context?: Record<string, unknown>;
+}

package/dist/security/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Security module for RiotPrompt
+ *
+ * Provides security configuration, types, and utilities for:
+ * - Path validation and traversal prevention
+ * - Tool execution sandboxing
+ * - Secret redaction
+ * - Secure logging
+ * - Request timeouts
+ *
+ * @packageDocumentation
+ */
+export { PathSecurityConfigSchema, ToolSecurityConfigSchema, SecretSecurityConfigSchema, LogSecurityConfigSchema, TimeoutConfigSchema, SecurityConfigSchema, } from './types';
+export type { PathSecurityConfig, ToolSecurityConfig, SecretSecurityConfig, LogSecurityConfig, TimeoutConfig, SecurityConfig, } from './types';
+export { SECURE_DEFAULTS, PERMISSIVE_DEFAULTS, mergeSecurityConfig, } from './defaults';
+export type { SecurityEventType, SecurityEvent, } from './events';
+export { SecurityAuditLogger, getAuditLogger, configureAuditLogger, resetAuditLogger, } from './audit-logger';
+export type { AuditLoggerConfig, } from './audit-logger';
+export { PathGuard, getPathGuard, configurePathGuard, resetPathGuard, sanitizeGlobPattern, isGlobSafe, validateGlobPattern, } from './path-guard';
+export type { PathValidationResult, GlobValidationResult, } from './path-guard';
+export { CLIValidator, getCLIValidator, configureCLIValidator, resetCLIValidator, createRiotPromptValidator, DEFAULT_CLI_SECURITY, } from './cli-security';
+export type { CLISecurityConfig, StringValidationResult, } from './cli-security';
+export { TimeoutGuard, TimeoutError, isTimeoutError, getTimeoutGuard, configureTimeoutGuard, resetTimeoutGuard, } from './timeout-guard';
+export { SCHEMA_VERSION, SERIALIZATION_LIMITS, ToolCallSchema, ConversationMessageSchema, ConversationMetadataSchema, SerializedConversationSchema, SerializedPromptSchema, LoggedConversationSchema, validateConversation, validateLoggedConversation, safeJsonParse, } from './serialization-schemas';
+export type { SerializedConversation, SerializedPrompt, LoggedConversation as SerializedLoggedConversation, } from './serialization-schemas';
+export { NoOpRateLimiter, MemoryRateLimiter, createRateLimiter, createNoOpRateLimiter, getRateLimiter, configureRateLimiter, resetRateLimiter, } from './rate-limiter';
+export type { RateLimiter, RateLimiterConfig, } from './rate-limiter';

package/dist/security/index.js

@@ -0,0 +1,22 @@
+export { LogSecurityConfigSchema, PathSecurityConfigSchema, SecretSecurityConfigSchema, SecurityConfigSchema, TimeoutConfigSchema, ToolSecurityConfigSchema } from './types.js';
+export { PERMISSIVE_DEFAULTS, SECURE_DEFAULTS, mergeSecurityConfig } from './defaults.js';
+export { SecurityAuditLogger, configureAuditLogger, getAuditLogger, resetAuditLogger } from './audit-logger.js';
+export { PathGuard, configurePathGuard, getPathGuard, isGlobSafe, resetPathGuard, sanitizeGlobPattern, validateGlobPattern } from './path-guard.js';
+export { CLIValidator, DEFAULT_CLI_SECURITY, configureCLIValidator, createRiotPromptValidator, getCLIValidator, resetCLIValidator } from './cli-security.js';
+export { TimeoutError, TimeoutGuard, configureTimeoutGuard, getTimeoutGuard, isTimeoutError, resetTimeoutGuard } from './timeout-guard.js';
+export { ConversationMessageSchema, ConversationMetadataSchema, LoggedConversationSchema, SCHEMA_VERSION, SERIALIZATION_LIMITS, SerializedConversationSchema, SerializedPromptSchema, ToolCallSchema, safeJsonParse, validateConversation, validateLoggedConversation } from './serialization-schemas.js';
+export { MemoryRateLimiter, NoOpRateLimiter, configureRateLimiter, createNoOpRateLimiter, createRateLimiter, getRateLimiter, resetRateLimiter } from './rate-limiter.js';
+
+/**
+ * Security module for RiotPrompt
+ * 
+ * Provides security configuration, types, and utilities for:
+ * - Path validation and traversal prevention
+ * - Tool execution sandboxing
+ * - Secret redaction
+ * - Secure logging
+ * - Request timeouts
+ * 
+ * @packageDocumentation
+ */ // Types and schemas
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sources":["../../src/security/index.ts"],"sourcesContent":["/**\n * Security module for RiotPrompt\n * \n * Provides security configuration, types, and utilities for:\n * - Path validation and traversal prevention\n * - Tool execution sandboxing\n * - Secret redaction\n * - Secure logging\n * - Request timeouts\n * \n * @packageDocumentation\n */\n\n// Types and schemas\nexport {\n    PathSecurityConfigSchema,\n    ToolSecurityConfigSchema,\n    SecretSecurityConfigSchema,\n    LogSecurityConfigSchema,\n    TimeoutConfigSchema,\n    SecurityConfigSchema,\n} from './types';\n\nexport type {\n    PathSecurityConfig,\n    ToolSecurityConfig,\n    SecretSecurityConfig,\n    LogSecurityConfig,\n    TimeoutConfig,\n    SecurityConfig,\n} from './types';\n\n// Default configurations\nexport {\n    SECURE_DEFAULTS,\n    PERMISSIVE_DEFAULTS,\n    mergeSecurityConfig,\n} from './defaults';\n\n// Security events\nexport type {\n    SecurityEventType,\n    SecurityEvent,\n} from './events';\n\n// Audit logging\nexport {\n    SecurityAuditLogger,\n    getAuditLogger,\n    configureAuditLogger,\n    resetAuditLogger,\n} from './audit-logger';\n\nexport type {\n    AuditLoggerConfig,\n} from './audit-logger';\n\n// Path security\nexport {\n    PathGuard,\n    getPathGuard,\n    configurePathGuard,\n    resetPathGuard,\n    // Glob pattern utilities\n    sanitizeGlobPattern,\n    isGlobSafe,\n    validateGlobPattern,\n} from './path-guard';\n\nexport type {\n    PathValidationResult,\n    GlobValidationResult,\n} from './path-guard';\n\n// CLI security\nexport {\n    CLIValidator,\n    getCLIValidator,\n    configureCLIValidator,\n    resetCLIValidator,\n    createRiotPromptValidator,\n    DEFAULT_CLI_SECURITY,\n} from './cli-security';\n\nexport type {\n    CLISecurityConfig,\n    StringValidationResult,\n} from './cli-security';\n\n// Timeout protection\nexport {\n    TimeoutGuard,\n    TimeoutError,\n    isTimeoutError,\n    getTimeoutGuard,\n    configureTimeoutGuard,\n    resetTimeoutGuard,\n} from './timeout-guard';\n\n// Serialization security\nexport {\n    SCHEMA_VERSION,\n    SERIALIZATION_LIMITS,\n    ToolCallSchema,\n    ConversationMessageSchema,\n    ConversationMetadataSchema,\n    SerializedConversationSchema,\n    SerializedPromptSchema,\n    LoggedConversationSchema,\n    validateConversation,\n    validateLoggedConversation,\n    safeJsonParse,\n} from './serialization-schemas';\n\nexport type {\n    SerializedConversation,\n    SerializedPrompt,\n    LoggedConversation as SerializedLoggedConversation,\n} from './serialization-schemas';\n\n// Rate limiting\nexport {\n    NoOpRateLimiter,\n    MemoryRateLimiter,\n    createRateLimiter,\n    createNoOpRateLimiter,\n    getRateLimiter,\n    configureRateLimiter,\n    resetRateLimiter,\n} from './rate-limiter';\n\nexport type {\n    RateLimiter,\n    RateLimiterConfig,\n} from './rate-limiter';\n"],"names":[],"mappings":";;;;;;;;;AAAA;;;;;;;;;;;AAWC"}