@runcore-sh/runcore 0.1.8 → 0.1.10

package/dist/lib/locked.js

@@ -0,0 +1,130 @@
+/**
+ * Centralized .locked file enforcement for brain paths.
+ *
+ * Shared by both MCP server (stdio) and direct file access (brain-io).
+ * Ensures locked paths are consistently protected regardless of access channel.
+ *
+ * Lock rules:
+ * - Exact path match (e.g. "identity/human.json")
+ * - Filename-only match (e.g. ".session-key" matches "identity/.session-key")
+ * - Directory prefix match (e.g. "identity/" matches "identity/foo.md")
+ */
+import { readFile } from "node:fs/promises";
+import { readFileSync, existsSync } from "node:fs";
+import { join, relative, resolve } from "node:path";
+const BRAIN_DIR = resolve(process.cwd(), "brain");
+const LOCKED_FILE = join(BRAIN_DIR, ".locked");
+/** Hardcoded minimum locked paths (always locked even without .locked file). */
+const HARDCODED_LOCKED = [".session-key", "human.json"];
+/** Cached locked paths (relative to brain/, forward slashes). */
+let lockedPaths = [];
+let loaded = false;
+/**
+ * Read brain/.locked and merge with hardcoded minimums. Caches result.
+ * Safe to call multiple times — returns cached paths after first load.
+ */
+export async function loadLockedPaths() {
+    const paths = new Set(HARDCODED_LOCKED);
+    try {
+        const raw = await readFile(LOCKED_FILE, "utf-8");
+        for (const line of raw.split("\n")) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith("#"))
+                continue;
+            paths.add(trimmed.replace(/\\/g, "/"));
+        }
+    }
+    catch {
+        // .locked file doesn't exist — use hardcoded only
+    }
+    lockedPaths = Array.from(paths);
+    loaded = true;
+    return lockedPaths;
+}
+/**
+ * Synchronous variant — reads .locked file on first call, caches after.
+ */
+export function loadLockedPathsSync() {
+    if (loaded)
+        return lockedPaths;
+    const paths = new Set(HARDCODED_LOCKED);
+    try {
+        if (existsSync(LOCKED_FILE)) {
+            const raw = readFileSync(LOCKED_FILE, "utf-8");
+            for (const line of raw.split("\n")) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith("#"))
+                    continue;
+                paths.add(trimmed.replace(/\\/g, "/"));
+            }
+        }
+    }
+    catch {
+        // .locked file doesn't exist — use hardcoded only
+    }
+    lockedPaths = Array.from(paths);
+    loaded = true;
+    return lockedPaths;
+}
+/** Force reload of locked paths (e.g. when listing current locks). */
+export async function reloadLockedPaths() {
+    loaded = false;
+    return loadLockedPaths();
+}
+/** Get the currently cached locked paths. Loads synchronously if not yet cached. */
+export function getLockedPaths() {
+    if (!loaded)
+        loadLockedPathsSync();
+    return lockedPaths;
+}
+/**
+ * Check if a brain-relative path (forward slashes) is locked.
+ * Matches exact paths, filename-only, and directory prefixes.
+ */
+export function isLocked(relPath) {
+    if (!loaded)
+        loadLockedPathsSync();
+    const normalized = relPath.replace(/\\/g, "/");
+    for (const locked of lockedPaths) {
+        // Exact match
+        if (normalized === locked)
+            return true;
+        // Filename-only match (e.g. ".session-key" matches "identity/.session-key")
+        const filename = normalized.split("/").pop() ?? "";
+        if (filename === locked)
+            return true;
+        // Directory prefix match (e.g. locked="identity/" matches "identity/foo.md")
+        if (locked.endsWith("/") && normalized.startsWith(locked))
+            return true;
+    }
+    return false;
+}
+/**
+ * Convert an absolute file path to a brain-relative path.
+ * Returns null if the path is not under brain/.
+ */
+export function toBrainRelativePath(absolutePath) {
+    try {
+        const rel = relative(BRAIN_DIR, absolutePath);
+        // Escapes brain/ — not a brain path
+        if (rel.startsWith("..") || rel.startsWith("/"))
+            return null;
+        return rel.replace(/\\/g, "/");
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Assert that an absolute path is not locked. Throws if locked.
+ * No-op for paths outside brain/.
+ */
+export function assertNotLocked(absolutePath) {
+    const rel = toBrainRelativePath(absolutePath);
+    if (rel === null)
+        return; // Not a brain path — no lock applies
+    if (isLocked(rel)) {
+        throw new Error(`🔒 Locked: ${rel} — access denied`);
+    }
+}
+//# sourceMappingURL=locked.js.map

package/dist/lib/locked.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"locked.js","sourceRoot":"","sources":["../../src/lib/locked.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAiB,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,CAAC;AAClD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;AAE/C,gFAAgF;AAChF,MAAM,gBAAgB,GAAG,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;AAExD,iEAAiE;AACjE,IAAI,WAAW,GAAa,EAAE,CAAC;AAC/B,IAAI,MAAM,GAAG,KAAK,CAAC;AAEnB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACjD,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAClD,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kDAAkD;IACpD,CAAC;IACD,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,GAAG,IAAI,CAAC;IACd,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,MAAM;QAAE,OAAO,WAAW,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YAC/C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAClD,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kDAAkD;IACpD,CAAC;IACD,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,GAAG,IAAI,CAAC;IACd,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,sEAAsE;AACtE,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,GAAG,KAAK,CAAC;IACf,OAAO,eAAe,EAAE,CAAC;AAC3B,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,MAAM;QAAE,mBAAmB,EAAE,CAAC;IACnC,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAe;IACtC,IAAI,CAAC,MAAM;QAAE,mBAAmB,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC/C,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;QACjC,cAAc;QACd,IAAI,UAAU,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACvC,4EAA4E;QAC5E,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;QACnD,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACrC,6EAA6E;QAC7E,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IACzE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAC9C,oCAAoC;QACpC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAC7D,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,GAAG,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,CAAC,qCAAqC;IAC/D,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,kBAAkB,CAAC,CAAC;IACvD,CAAC;AACH,CAAC"}

package/dist/llm/complete.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"complete.d.ts","sourceRoot":"","sources":["../../src/llm/complete.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AASzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,YAAY,CAAC;IACvB,mCAAmC;IACnC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAGhF"}
+{"version":3,"file":"complete.d.ts","sourceRoot":"","sources":["../../src/llm/complete.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAUzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,YAAY,CAAC;IACvB,mCAAmC;IACnC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAGhF"}

package/dist/llm/complete.js

@@ -8,6 +8,7 @@ import { getProvider } from "./providers/index.js";
 import { completeChatCached } from "./cache.js";
 import { LLMError } from "./errors.js";
 import { withRetry } from "./retry.js";
+import { rehydrateResponse } from "./redact.js";
 import { createLogger } from "../utils/logger.js";
 const log = createLogger("llm");
 /**
@@ -29,10 +30,11 @@ async function completeChatUncached(options) {
         messageCount: options.messages.length,
     });
     try {
-        return await withRetry(() => {
+        const raw = await withRetry(() => {
             const timeout = AbortSignal.timeout(60_000);
             return provider.completeChat(options.messages, options.model, timeout);
         }, { maxRetries: 3, baseDelayMs: 1_000, maxDelayMs: 30_000 });
+        return rehydrateResponse(raw);
     }
     catch (err) {
         // On credit/billing errors from cloud providers, try Ollama as a fallback
@@ -44,10 +46,11 @@ async function completeChatUncached(options) {
                     provider: options.provider,
                     status: err.statusCode,
                 });
-                return withRetry(() => {
+                const fallbackRaw = await withRetry(() => {
                     const fallbackTimeout = AbortSignal.timeout(120_000);
                     return ollama.completeChat(options.messages, undefined, fallbackTimeout);
                 }, { maxRetries: 3, baseDelayMs: 1_000, maxDelayMs: 30_000 });
+                return rehydrateResponse(fallbackRaw);
             }
         }
         throw err;

package/dist/llm/complete.js.map

@@ -1 +1 @@
-{"version":3,"file":"complete.js","sourceRoot":"","sources":["../../src/llm/complete.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;AAYhC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAA4B;IAC7D,IAAI,OAAO,CAAC,OAAO;QAAE,OAAO,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC1D,OAAO,kBAAkB,CAAC,OAAO,EAAE,oBAAoB,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;AAC/E,CAAC;AAED,2EAA2E;AAC3E,KAAK,UAAU,oBAAoB,CAAC,OAA4B;IAC9D,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE/C,GAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,SAAS;QACjC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;KACtC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,OAAO,MAAM,SAAS,CACpB,GAAG,EAAE;YACH,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC5C,OAAO,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACzE,CAAC,EACD,EAAE,UAAU,EAAE,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAC1D,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,0EAA0E;QAC1E,IAAI,GAAG,YAAY,QAAQ,IAAI,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACnF,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;YACrC,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YACnD,IAAI,eAAe,EAAE,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC,0DAA0D,EAAE;oBACnE,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,MAAM,EAAE,GAAG,CAAC,UAAU;iBACvB,CAAC,CAAC;gBACH,OAAO,SAAS,CACd,GAAG,EAAE;oBACH,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;oBACrD,OAAO,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBAC3E,CAAC,EACD,EAAE,UAAU,EAAE,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}
+{"version":3,"file":"complete.js","sourceRoot":"","sources":["../../src/llm/complete.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;AAYhC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAA4B;IAC7D,IAAI,OAAO,CAAC,OAAO;QAAE,OAAO,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC1D,OAAO,kBAAkB,CAAC,OAAO,EAAE,oBAAoB,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;AAC/E,CAAC;AAED,2EAA2E;AAC3E,KAAK,UAAU,oBAAoB,CAAC,OAA4B;IAC9D,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE/C,GAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,SAAS;QACjC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,MAAM;KACtC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,SAAS,CACzB,GAAG,EAAE;YACH,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC5C,OAAO,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACzE,CAAC,EACD,EAAE,UAAU,EAAE,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAC1D,CAAC;QACF,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,0EAA0E;QAC1E,IAAI,GAAG,YAAY,QAAQ,IAAI,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACnF,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;YACrC,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YACnD,IAAI,eAAe,EAAE,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC,0DAA0D,EAAE;oBACnE,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,MAAM,EAAE,GAAG,CAAC,UAAU;iBACvB,CAAC,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,SAAS,CACjC,GAAG,EAAE;oBACH,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;oBACrD,OAAO,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBAC3E,CAAC,EACD,EAAE,UAAU,EAAE,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAC1D,CAAC;gBACF,OAAO,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/llm/fetch-guard.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Global fetch interceptor — defense-in-depth for privateMode + sensitive data redaction.
+ *
+ * Two layers:
+ * 1. privateMode enforcement — blocks outbound requests to known cloud LLM API hosts.
+ * 2. Sensitive data redaction — strips secrets/PII from LLM request bodies before network egress.
+ *
+ * The function-level guard in guard.ts → assertProviderAllowed() remains the
+ * primary enforcement. This is the safety net.
+ */
+/**
+ * Monkey-patch globalThis.fetch to block cloud LLM hosts in privateMode.
+ * Safe to call multiple times — only installs once.
+ */
+export declare function installFetchGuard(): void;
+//# sourceMappingURL=fetch-guard.d.ts.map

package/dist/llm/fetch-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-guard.d.ts","sourceRoot":"","sources":["../../src/llm/fetch-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAuBH;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAiCxC"}

package/dist/llm/fetch-guard.js

@@ -0,0 +1,61 @@
+/**
+ * Global fetch interceptor — defense-in-depth for privateMode + sensitive data redaction.
+ *
+ * Two layers:
+ * 1. privateMode enforcement — blocks outbound requests to known cloud LLM API hosts.
+ * 2. Sensitive data redaction — strips secrets/PII from LLM request bodies before network egress.
+ *
+ * The function-level guard in guard.ts → assertProviderAllowed() remains the
+ * primary enforcement. This is the safety net.
+ */
+import { isPrivateMode, PrivateModeError } from "./guard.js";
+import { redactRequestBody } from "./redact.js";
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("llm.fetch-guard");
+const BLOCKED_HOSTS = new Set([
+    "api.openai.com",
+    "api.anthropic.com",
+    "openrouter.ai",
+    "api.perplexity.ai",
+]);
+/** Hosts where outbound request bodies should be redacted (LLM API endpoints). */
+const LLM_HOSTS = new Set([
+    ...BLOCKED_HOSTS,
+    "generativelanguage.googleapis.com",
+]);
+let installed = false;
+/**
+ * Monkey-patch globalThis.fetch to block cloud LLM hosts in privateMode.
+ * Safe to call multiple times — only installs once.
+ */
+export function installFetchGuard() {
+    if (installed)
+        return;
+    installed = true;
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = function guardedFetch(input, init) {
+        let hostname;
+        try {
+            const raw = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+            hostname = new URL(raw).hostname;
+        }
+        catch {
+            // URL parse failure — skip host-based logic
+        }
+        // Layer 1: privateMode enforcement
+        if (isPrivateMode() && hostname && BLOCKED_HOSTS.has(hostname)) {
+            log.error("Fetch guard blocked outbound request", { host: hostname });
+            throw new PrivateModeError("cloud-api");
+        }
+        // Layer 2: redact sensitive data from LLM request bodies
+        if (hostname && LLM_HOSTS.has(hostname) && init?.body && typeof init.body === "string") {
+            const redacted = redactRequestBody(init.body);
+            if (redacted !== init.body) {
+                init = { ...init, body: redacted };
+            }
+        }
+        return originalFetch.call(globalThis, input, init);
+    };
+    log.info("Fetch guard installed — privateMode enforcement + sensitive data redaction");
+}
+//# sourceMappingURL=fetch-guard.js.map

package/dist/llm/fetch-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-guard.js","sourceRoot":"","sources":["../../src/llm/fetch-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,iBAAiB,CAAC,CAAC;AAE5C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,gBAAgB;IAChB,mBAAmB;IACnB,eAAe;IACf,mBAAmB;CACpB,CAAC,CAAC;AAEH,kFAAkF;AAClF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,GAAG,aAAa;IAChB,mCAAmC;CACpC,CAAC,CAAC;AAEH,IAAI,SAAS,GAAG,KAAK,CAAC;AAEtB;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,SAAS;QAAE,OAAO;IACtB,SAAS,GAAG,IAAI,CAAC;IAEjB,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;IAEvC,UAAU,CAAC,KAAK,GAAG,SAAS,YAAY,CAAC,KAA6B,EAAE,IAAkB;QACxF,IAAI,QAA4B,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAE,KAAiB,CAAC,GAAG,CAAC;YAC3G,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,4CAA4C;QAC9C,CAAC;QAED,mCAAmC;QACnC,IAAI,aAAa,EAAE,IAAI,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/D,GAAG,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;YACtE,MAAM,IAAI,gBAAgB,CAAC,WAAkB,CAAC,CAAC;QACjD,CAAC;QAED,yDAAyD;QACzD,IAAI,QAAQ,IAAI,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvF,MAAM,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,QAAQ,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC3B,IAAI,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;QAED,OAAO,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACrD,CAAC,CAAC;IAEF,GAAG,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;AACzF,CAAC"}

package/dist/llm/guard.d.ts

@@ -0,0 +1,40 @@
+/**
+ * LLM request guard — enforces privateMode at the request layer.
+ *
+ * When privateMode is enabled, ALL outbound LLM API calls to cloud providers
+ * are blocked. Only local providers (Ollama) are allowed through.
+ * This is network-level isolation, not just provider swapping.
+ */
+import type { ProviderName } from "./providers/types.js";
+/**
+ * Error thrown when a cloud LLM call is attempted in private mode.
+ * Intentionally loud — this should never be silently swallowed.
+ */
+export declare class PrivateModeError extends Error {
+    constructor(provider: ProviderName);
+}
+/**
+ * Check whether the current settings enforce private mode.
+ * privateMode takes precedence over airplaneMode — it's the hard enforcement layer.
+ */
+export declare function isPrivateMode(): boolean;
+/**
+ * Assert that a provider is allowed under current mode.
+ * Throws PrivateModeError if a cloud provider is requested while privateMode is on.
+ * Call this at the request boundary, before any fetch() is made.
+ */
+export declare function assertProviderAllowed(provider: ProviderName): void;
+/**
+ * Lightweight Ollama health probe. Returns a result object instead of throwing,
+ * useful for non-critical paths (SSE error hints, status endpoints).
+ */
+export declare function checkOllamaHealth(): Promise<{
+    ok: boolean;
+    message: string;
+}>;
+/**
+ * Check if Ollama is reachable. Used to fail loudly at startup when
+ * privateMode is on but Ollama isn't available.
+ */
+export declare function assertOllamaAvailable(): Promise<void>;
+//# sourceMappingURL=guard.d.ts.map

package/dist/llm/guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/llm/guard.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAOzD;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;gBAC7B,QAAQ,EAAE,YAAY;CAQnC;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAGvC;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,YAAY,GAAG,IAAI,CAOlE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAenF;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC,CAkB3D"}

package/dist/llm/guard.js

@@ -0,0 +1,88 @@
+/**
+ * LLM request guard — enforces privateMode at the request layer.
+ *
+ * When privateMode is enabled, ALL outbound LLM API calls to cloud providers
+ * are blocked. Only local providers (Ollama) are allowed through.
+ * This is network-level isolation, not just provider swapping.
+ */
+import { getSettings } from "../settings.js";
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("llm.guard");
+/** Providers that are allowed in private mode (local-only, no outbound network). */
+const LOCAL_PROVIDERS = new Set(["ollama"]);
+/**
+ * Error thrown when a cloud LLM call is attempted in private mode.
+ * Intentionally loud — this should never be silently swallowed.
+ */
+export class PrivateModeError extends Error {
+    constructor(provider) {
+        super(`[PRIVATE MODE] Blocked outbound LLM request to "${provider}". ` +
+            `privateMode is enabled — only local providers (Ollama) are allowed. ` +
+            `Disable privateMode in brain/settings.json to use cloud providers.`);
+        this.name = "PrivateModeError";
+    }
+}
+/**
+ * Check whether the current settings enforce private mode.
+ * privateMode takes precedence over airplaneMode — it's the hard enforcement layer.
+ */
+export function isPrivateMode() {
+    const settings = getSettings();
+    return settings.privateMode === true;
+}
+/**
+ * Assert that a provider is allowed under current mode.
+ * Throws PrivateModeError if a cloud provider is requested while privateMode is on.
+ * Call this at the request boundary, before any fetch() is made.
+ */
+export function assertProviderAllowed(provider) {
+    if (!isPrivateMode())
+        return;
+    if (!LOCAL_PROVIDERS.has(provider)) {
+        log.error("Blocked cloud LLM request in private mode", { provider });
+        throw new PrivateModeError(provider);
+    }
+}
+/**
+ * Lightweight Ollama health probe. Returns a result object instead of throwing,
+ * useful for non-critical paths (SSE error hints, status endpoints).
+ */
+export async function checkOllamaHealth() {
+    const baseUrl = process.env.OLLAMA_URL ?? "http://localhost:11434";
+    try {
+        const res = await fetch(`${baseUrl}/api/tags`, {
+            method: "HEAD",
+            signal: AbortSignal.timeout(3_000),
+        });
+        if (!res.ok) {
+            return { ok: false, message: `Ollama responded with status ${res.status}` };
+        }
+        return { ok: true, message: "Ollama is reachable" };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { ok: false, message: `Ollama not available at ${baseUrl}: ${msg}` };
+    }
+}
+/**
+ * Check if Ollama is reachable. Used to fail loudly at startup when
+ * privateMode is on but Ollama isn't available.
+ */
+export async function assertOllamaAvailable() {
+    const baseUrl = process.env.OLLAMA_URL ?? "http://localhost:11434";
+    try {
+        const res = await fetch(`${baseUrl}/api/tags`, {
+            signal: AbortSignal.timeout(5_000),
+        });
+        if (!res.ok) {
+            throw new Error(`Ollama responded with status ${res.status}`);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`[PRIVATE MODE] Ollama is required but not available at ${baseUrl}. ` +
+            `privateMode blocks all cloud providers — Ollama must be running. ` +
+            `Error: ${msg}`);
+    }
+}
+//# sourceMappingURL=guard.js.map

package/dist/llm/guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.js","sourceRoot":"","sources":["../../src/llm/guard.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,MAAM,GAAG,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;AAEtC,oFAAoF;AACpF,MAAM,eAAe,GAA8B,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AAEvE;;;GAGG;AACH,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC,YAAY,QAAsB;QAChC,KAAK,CACH,mDAAmD,QAAQ,KAAK;YAChE,sEAAsE;YACtE,oEAAoE,CACrE,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa;IAC3B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,OAAO,QAAQ,CAAC,WAAW,KAAK,IAAI,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAsB;IAC1D,IAAI,CAAC,aAAa,EAAE;QAAE,OAAO;IAE7B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,GAAG,CAAC,KAAK,CAAC,2CAA2C,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QACrE,MAAM,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,wBAAwB,CAAC;IACnE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,WAAW,EAAE;YAC7C,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9E,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC;IACtD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B,OAAO,KAAK,GAAG,EAAE,EAAE,CAAC;IAC9E,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,wBAAwB,CAAC;IAEnE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,WAAW,EAAE;YAC7C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,0DAA0D,OAAO,IAAI;YACrE,mEAAmE;YACnE,UAAU,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/llm/membrane.d.ts

@@ -0,0 +1,46 @@
+/**
+ * PrivacyMembrane — reversible typed-placeholder redaction.
+ *
+ * Outbound: replaces sensitive spans with `<<CATEGORY_N>>` placeholders.
+ * Inbound: restores placeholders to original values.
+ *
+ * Same value always maps to the same placeholder across turns.
+ * Audit log tracks categories + counts (never raw values).
+ */
+import type { SensitiveRegistry } from "./sensitive-registry.js";
+interface AuditEntry {
+    timestamp: string;
+    direction: "apply" | "rehydrate";
+    categories: Record<string, number>;
+}
+export declare class PrivacyMembrane {
+    private readonly registry;
+    /** original value → placeholder */
+    private readonly forward;
+    /** placeholder → original value */
+    private readonly reverse;
+    /** category → next index counter */
+    private readonly counters;
+    /** audit log (categories + counts only, never values) */
+    private readonly audit;
+    constructor(registry: SensitiveRegistry);
+    /**
+     * Replace sensitive content with typed placeholders.
+     * Same value always gets the same placeholder.
+     */
+    apply(text: string): string;
+    /**
+     * Restore placeholders to original values.
+     */
+    rehydrate(text: string): string;
+    /** Get audit log (safe — no raw values). */
+    getAuditLog(): readonly AuditEntry[];
+    /** Number of unique sensitive values tracked. */
+    get size(): number;
+    /**
+     * Get existing placeholder or create a new one for a value+category pair.
+     */
+    private getOrCreatePlaceholder;
+}
+export {};
+//# sourceMappingURL=membrane.d.ts.map

package/dist/llm/membrane.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"membrane.d.ts","sourceRoot":"","sources":["../../src/llm/membrane.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAQjE,UAAU,UAAU;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,GAAG,WAAW,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAED,qBAAa,eAAe;IAUd,OAAO,CAAC,QAAQ,CAAC,QAAQ;IATrC,mCAAmC;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6B;IACrD,mCAAmC;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6B;IACrD,oCAAoC;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA6B;IACtD,yDAAyD;IACzD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoB;gBAEb,QAAQ,EAAE,iBAAiB;IAExD;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAgD3B;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAyB/B,4CAA4C;IAC5C,WAAW,IAAI,SAAS,UAAU,EAAE;IAIpC,iDAAiD;IACjD,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAY/B"}

package/dist/llm/membrane.js

@@ -0,0 +1,123 @@
+/**
+ * PrivacyMembrane — reversible typed-placeholder redaction.
+ *
+ * Outbound: replaces sensitive spans with `<<CATEGORY_N>>` placeholders.
+ * Inbound: restores placeholders to original values.
+ *
+ * Same value always maps to the same placeholder across turns.
+ * Audit log tracks categories + counts (never raw values).
+ */
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("llm.membrane");
+/** Matches our placeholder format: <<CATEGORY_N>> */
+const PLACEHOLDER_RE = /<<([A-Z_]+_\d+)>>/g;
+export class PrivacyMembrane {
+    registry;
+    /** original value → placeholder */
+    forward = new Map();
+    /** placeholder → original value */
+    reverse = new Map();
+    /** category → next index counter */
+    counters = new Map();
+    /** audit log (categories + counts only, never values) */
+    audit = [];
+    constructor(registry) {
+        this.registry = registry;
+    }
+    /**
+     * Replace sensitive content with typed placeholders.
+     * Same value always gets the same placeholder.
+     */
+    apply(text) {
+        let result = text;
+        const categoryCounts = {};
+        // 1. Explicit terms (longest-first, from registry)
+        for (const term of this.registry.sensitiveTerms) {
+            if (!result.includes(term.value))
+                continue;
+            const ph = this.getOrCreatePlaceholder(term.value, term.category);
+            // Use split+join for literal replacement (no regex escaping needed)
+            const before = result;
+            result = result.split(term.value).join(ph);
+            if (result !== before) {
+                const count = (before.length - result.length + ph.length * ((before.length - result.length) / (term.value.length - ph.length) || 1));
+                categoryCounts[term.category] = (categoryCounts[term.category] ?? 0) + 1;
+            }
+        }
+        // 2. Pattern-based detection (built-in + custom from registry)
+        for (const rule of this.registry.patterns) {
+            rule.pattern.lastIndex = 0;
+            const matches = result.match(rule.pattern);
+            rule.pattern.lastIndex = 0;
+            if (!matches)
+                continue;
+            for (const match of matches) {
+                // Skip false positives for CARD rule
+                if (rule.category === "CARD" && match.replace(/[\s-]/g, "").length < 13)
+                    continue;
+                // Don't re-redact something already replaced with a placeholder
+                if (match.startsWith("<<") && match.endsWith(">>"))
+                    continue;
+                const ph = this.getOrCreatePlaceholder(match, rule.category);
+                result = result.replace(match, ph);
+                categoryCounts[rule.category] = (categoryCounts[rule.category] ?? 0) + 1;
+            }
+        }
+        if (Object.keys(categoryCounts).length > 0) {
+            this.audit.push({
+                timestamp: new Date().toISOString(),
+                direction: "apply",
+                categories: categoryCounts,
+            });
+            log.info("Membrane applied", { categories: categoryCounts });
+        }
+        return result;
+    }
+    /**
+     * Restore placeholders to original values.
+     */
+    rehydrate(text) {
+        const categoryCounts = {};
+        const result = text.replace(PLACEHOLDER_RE, (match) => {
+            const original = this.reverse.get(match);
+            if (original) {
+                const cat = match.replace(/<<|_\d+>>/g, "");
+                categoryCounts[cat] = (categoryCounts[cat] ?? 0) + 1;
+                return original;
+            }
+            return match; // unknown placeholder — leave as-is
+        });
+        if (Object.keys(categoryCounts).length > 0) {
+            this.audit.push({
+                timestamp: new Date().toISOString(),
+                direction: "rehydrate",
+                categories: categoryCounts,
+            });
+            log.debug("Membrane rehydrated", { categories: categoryCounts });
+        }
+        return result;
+    }
+    /** Get audit log (safe — no raw values). */
+    getAuditLog() {
+        return this.audit;
+    }
+    /** Number of unique sensitive values tracked. */
+    get size() {
+        return this.forward.size;
+    }
+    /**
+     * Get existing placeholder or create a new one for a value+category pair.
+     */
+    getOrCreatePlaceholder(value, category) {
+        const existing = this.forward.get(value);
+        if (existing)
+            return existing;
+        const idx = this.counters.get(category) ?? 0;
+        this.counters.set(category, idx + 1);
+        const placeholder = `<<${category}_${idx}>>`;
+        this.forward.set(value, placeholder);
+        this.reverse.set(placeholder, value);
+        return placeholder;
+    }
+}
+//# sourceMappingURL=membrane.js.map

package/dist/llm/membrane.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"membrane.js","sourceRoot":"","sources":["../../src/llm/membrane.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;AAEzC,qDAAqD;AACrD,MAAM,cAAc,GAAG,oBAAoB,CAAC;AAQ5C,MAAM,OAAO,eAAe;IAUG;IAT7B,mCAAmC;IAClB,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IACrD,mCAAmC;IAClB,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IACrD,oCAAoC;IACnB,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtD,yDAAyD;IACxC,KAAK,GAAiB,EAAE,CAAC;IAE1C,YAA6B,QAA2B;QAA3B,aAAQ,GAAR,QAAQ,CAAmB;IAAG,CAAC;IAE5D;;;OAGG;IACH,KAAK,CAAC,IAAY;QAChB,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,MAAM,cAAc,GAA2B,EAAE,CAAC;QAElD,mDAAmD;QACnD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC3C,MAAM,EAAE,GAAG,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClE,oEAAoE;YACpE,MAAM,MAAM,GAAG,MAAM,CAAC;YACtB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC3C,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3C,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAC3B,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,qCAAqC;gBACrC,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,MAAM,GAAG,EAAE;oBAAE,SAAS;gBAClF,gEAAgE;gBAChE,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE7D,MAAM,EAAE,GAAG,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC7D,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACnC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,OAAO;gBAClB,UAAU,EAAE,cAAc;aAC3B,CAAC,CAAC;YACH,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY;QACpB,MAAM,cAAc,GAA2B,EAAE,CAAC;QAElD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,KAAK,EAAE,EAAE;YACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACzC,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;gBAC5C,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBACrD,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,OAAO,KAAK,CAAC,CAAC,oCAAoC;QACpD,CAAC,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,WAAW;gBACtB,UAAU,EAAE,cAAc;aAC3B,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,UAAU,EAAE,cAAc,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4CAA4C;IAC5C,WAAW;QACT,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,iDAAiD;IACjD,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,KAAa,EAAE,QAAgB;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;QAErC,MAAM,WAAW,GAAG,KAAK,QAAQ,IAAI,GAAG,IAAI,CAAC;QAC7C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;CACF"}

package/dist/llm/providers/index.d.ts

@@ -3,7 +3,10 @@
  * Manages provider instances and provides a single entry point for LLM operations.
  */
 import type { LLMProvider, ProviderName } from "./types.js";
-/** Get a provider by name. Throws if unknown. */
+/**
+ * Get a provider by name. Throws if unknown.
+ * Enforces privateMode — cloud providers are blocked when private mode is on.
+ */
 export declare function getProvider(name: ProviderName): LLMProvider;
 /** Register a custom provider (for plugins or testing). */
 export declare function registerProvider(provider: LLMProvider): void;
@@ -17,4 +20,5 @@ export { anthropicProvider } from "./anthropic.js";
 export { openAIProvider } from "./openai.js";
 export { ollamaProvider } from "./ollama.js";
 export { LLMError, classifyApiError } from "../errors.js";
+export { PrivateModeError, isPrivateMode } from "../guard.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/llm/providers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/llm/providers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAiB,MAAM,YAAY,CAAC;AAkB3E,iDAAiD;AACjD,wBAAgB,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,WAAW,CAI3D;AAED,2DAA2D;AAC3D,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI,CAG5D;AAED,0CAA0C;AAC1C,wBAAgB,aAAa,IAAI,YAAY,EAAE,CAE9C;AAED,qFAAqF;AACrF,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,CAQrE;AAID,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/llm/providers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAiB,MAAM,YAAY,CAAC;AAmB3E;;;GAGG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,WAAW,CAO3D;AAED,2DAA2D;AAC3D,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI,CAG5D;AAED,0CAA0C;AAC1C,wBAAgB,aAAa,IAAI,YAAY,EAAE,CAE9C;AAED,qFAAqF;AACrF,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,CAQrE;AAID,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC"}