@sandrobuilds/tracerney 0.9.6

package/dist/application/ShieldApplicationService.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Shield Application Service
+ * Core orchestrator: wires domain services + infrastructure adapters
+ * Fixes all 5 integration gaps from the original design
+ */
+import { type ToolPolicy } from "../domain/guard/ToolPolicy";
+import { ILLMProvider, type LLMResponse } from "./ports/ILLMProvider";
+import { ISentinel } from "./ports/ISentinel";
+import { ITelemetrySink } from "./ports/ITelemetrySink";
+import { IPatternRepository } from "./ports/IPatternRepository";
+import { HttpShadowLogSink } from "../infrastructure/telemetry";
+export interface ShieldApplicationServiceConfig {
+    patternRepository: IPatternRepository;
+    telemetrySink?: ITelemetrySink;
+    toolPolicy: ToolPolicy;
+    sdkVersion?: string;
+    llmProvider?: ILLMProvider;
+    sentinel?: ISentinel;
+    shadowLogSink?: HttpShadowLogSink;
+}
+export interface WrapOptions {
+    prompt?: string;
+    requestId?: string;
+    modelName?: string;
+    provider?: string;
+}
+export interface ServiceStatus {
+    patternMatcher: {
+        ready: boolean;
+        stats?: unknown;
+    };
+    toolGuard: {
+        allowedTools: readonly string[];
+    };
+    telemetry: {
+        enabled: boolean;
+        status?: unknown;
+    };
+}
+export declare class ShieldApplicationService {
+    private readonly config;
+    private patternMatcher;
+    private toolGuard;
+    private telemetrySink?;
+    private llmProvider?;
+    private sentinel?;
+    private readonly sdkVersion;
+    constructor(config: ShieldApplicationServiceConfig);
+    /**
+     * Update patterns from remote repository in background.
+     * Non-blocking; fails gracefully, falling back to bundled patterns.
+     */
+    private updateRemotePatterns;
+    /**
+     * Main wrapper method for LLM calls.
+     * Fixes Gap 2 (latencyMs now stored) and Gap 3 (prompt parameter for pre-LLM scan)
+     *
+     * @param llmCall - The LLM function to execute
+     * @param options - Optional: prompt for pre-LLM scan, request context
+     */
+    wrap<T extends LLMResponse>(llmCall: () => Promise<T>, options?: WrapOptions): Promise<T>;
+    /**
+     * Scan a raw prompt pre-LLM for inline use.
+     * Throws if injection is detected.
+     *
+     * Hardened Middleware:
+     * - Normalize: Collapse homoglyphs and whitespace tricks
+     * - Layer 1 (Regex): Fast, pattern-based detection
+     * - Layer 2 (LLM Sentinel): If Layer 1 misses, use LLM to verify
+     * - Jitter: Add random delay to mask which layer blocked (if any)
+     */
+    scanPrompt(prompt: string, requestId?: string): Promise<void>;
+    /**
+     * Update tool policy at runtime
+     */
+    setAllowedTools(tools: readonly string[]): void;
+    /**
+     * Get service status for diagnostics
+     */
+    getStatus(): ServiceStatus;
+    /**
+     * Report a security event (non-blocking)
+     */
+    private report;
+    /**
+     * Graceful shutdown: flush telemetry, release resources
+     */
+    destroy(): void;
+    /**
+     * Generate a unique request ID
+     */
+    private generateRequestId;
+}
+//# sourceMappingURL=ShieldApplicationService.d.ts.map

package/dist/application/ShieldApplicationService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ShieldApplicationService.d.ts","sourceRoot":"","sources":["../../src/application/ShieldApplicationService.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAoB,KAAK,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAO/E,OAAO,EAAE,YAAY,EAAE,KAAK,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAGhE,OAAO,EAAE,iBAAiB,EAAyB,MAAM,6BAA6B,CAAC;AAIvF,MAAM,WAAW,8BAA8B;IAC7C,iBAAiB,EAAE,kBAAkB,CAAC;IACtC,aAAa,CAAC,EAAE,cAAc,CAAC;IAC/B,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,SAAS,CAAC;IACrB,aAAa,CAAC,EAAE,iBAAiB,CAAC;CACnC;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,cAAc,EAAE;QACd,KAAK,EAAE,OAAO,CAAC;QACf,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,CAAC;IACF,SAAS,EAAE;QACT,YAAY,EAAE,SAAS,MAAM,EAAE,CAAC;KACjC,CAAC;IACF,SAAS,EAAE;QACT,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;KAClB,CAAC;CACH;AAED,qBAAa,wBAAwB;IASvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IARnC,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,aAAa,CAAC,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAC,CAAe;IACnC,OAAO,CAAC,QAAQ,CAAC,CAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAEP,MAAM,EAAE,8BAA8B;IAgBnE;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAoB5B;;;;;;OAMG;IACG,IAAI,CAAC,CAAC,SAAS,WAAW,EAC9B,OAAO,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACzB,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC,CAAC,CAAC;IAuDb;;;;;;;;;OASG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuFnE;;OAEG;IACH,eAAe,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,IAAI;IAK/C;;OAEG;IACH,SAAS,IAAI,aAAa;IAgB1B;;OAEG;IACH,OAAO,CAAC,MAAM;IAMd;;OAEG;IACH,OAAO,IAAI,IAAI;IAIf;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAG1B"}

package/dist/application/ShieldApplicationService.js

@@ -0,0 +1,223 @@
+/**
+ * Shield Application Service
+ * Core orchestrator: wires domain services + infrastructure adapters
+ * Fixes all 5 integration gaps from the original design
+ */
+import { PatternMatcher } from '../domain/detection/PatternMatcher.js';
+import { ToolGuard } from '../domain/guard/ToolGuard.js';
+import { createToolPolicy } from '../domain/guard/ToolPolicy.js';
+import { createSecurityEvent, SecurityEventType, ThreatSeverity, } from '../domain/events/index.js';
+import { ShieldBlockError } from './ShieldBlockError.js';
+import { normalizePrompt, jitter } from './utils/index.js';
+import { BUNDLED_PATTERNS } from '../infrastructure/patterns/bundled-patterns.js';
+import { BundledPatternRepository } from '../infrastructure/patterns/BundledPatternRepository.js';
+export class ShieldApplicationService {
+    constructor(config) {
+        this.config = config;
+        this.toolGuard = new ToolGuard(config.toolPolicy);
+        this.telemetrySink = config.telemetrySink;
+        this.llmProvider = config.llmProvider;
+        this.sentinel = config.sentinel; // Layer 2
+        // this.shadowLogSink = config.shadowLogSink; // Disabled for now
+        this.sdkVersion = config.sdkVersion ?? "0.2.0";
+        // Initialize patterns synchronously (bundled patterns always available)
+        this.patternMatcher = new PatternMatcher(BUNDLED_PATTERNS);
+        console.log(`[Tracerny] Layer 1 ready immediately with ${BUNDLED_PATTERNS.length} bundled patterns`);
+        // Load remote patterns in background if configured (zero-day updates)
+        this.updateRemotePatterns();
+    }
+    /**
+     * Update patterns from remote repository in background.
+     * Non-blocking; fails gracefully, falling back to bundled patterns.
+     */
+    updateRemotePatterns() {
+        // Only load remote if not using bundled repository
+        if (this.config.patternRepository instanceof BundledPatternRepository === false) {
+            this.config.patternRepository
+                .getPatterns()
+                .then((patterns) => {
+                if (patterns && patterns.length > 0) {
+                    this.patternMatcher = new PatternMatcher(patterns);
+                    console.log(`[Tracerny] Layer 1 updated with ${patterns.length} remote patterns`);
+                }
+            })
+                .catch((err) => {
+                console.warn("[Tracerny] Remote pattern load failed, using bundled patterns:", err);
+            });
+        }
+    }
+    /**
+     * Main wrapper method for LLM calls.
+     * Fixes Gap 2 (latencyMs now stored) and Gap 3 (prompt parameter for pre-LLM scan)
+     *
+     * @param llmCall - The LLM function to execute
+     * @param options - Optional: prompt for pre-LLM scan, request context
+     */
+    async wrap(llmCall, options) {
+        const requestId = options?.requestId ?? this.generateRequestId();
+        const startTime = Date.now();
+        try {
+            // FIX GAP 3: Pre-LLM scan if prompt is provided
+            // Uses both Layer 1 (Regex) and Layer 2 (LLM) to make decision
+            if (options?.prompt) {
+                await this.scanPrompt(options.prompt, requestId);
+                // scanPrompt throws ShieldBlockError if blocked by Layer 2
+                // Layer 1 just flags suspicious, doesn't block
+            }
+            // Execute the LLM call
+            const response = await llmCall();
+            // FIX GAP 2: Compute and store latencyMs in event metadata
+            const latencyMs = Date.now() - startTime;
+            // Validate tool calls against policy
+            const toolCalls = response.choices?.[0]?.message?.tool_calls;
+            const violation = this.toolGuard.validate(toolCalls, requestId);
+            if (violation) {
+                const event = createSecurityEvent(requestId, SecurityEventType.UNAUTHORIZED_TOOL, ThreatSeverity.CRITICAL, `Tool '${violation.toolName}' is not in allow list`, {
+                    toolName: violation.toolName,
+                    blockLatencyMs: latencyMs, // FIX GAP 2: now included
+                    modelName: options?.modelName,
+                    provider: options?.provider,
+                }, startTime);
+                this.report(event);
+                throw new ShieldBlockError(`Tracerny Block: Unauthorized tool '${violation.toolName}'`, event);
+            }
+            return response;
+        }
+        catch (error) {
+            // Re-throw our blocks as-is
+            if (error instanceof ShieldBlockError) {
+                throw error;
+            }
+            // Let other errors (LLM failures, network issues) propagate
+            throw error;
+        }
+    }
+    /**
+     * Scan a raw prompt pre-LLM for inline use.
+     * Throws if injection is detected.
+     *
+     * Hardened Middleware:
+     * - Normalize: Collapse homoglyphs and whitespace tricks
+     * - Layer 1 (Regex): Fast, pattern-based detection
+     * - Layer 2 (LLM Sentinel): If Layer 1 misses, use LLM to verify
+     * - Jitter: Add random delay to mask which layer blocked (if any)
+     */
+    async scanPrompt(prompt, requestId) {
+        if (!prompt) {
+            return; // No-op for empty prompt
+        }
+        const rid = requestId ?? this.generateRequestId();
+        const startTime = Date.now();
+        try {
+            // Normalize prompt to prevent Unicode/whitespace evasion
+            const normalizedPrompt = normalizePrompt(prompt);
+            console.log(`[Tracerny] Scanning prompt (${normalizedPrompt.length} chars), sentinel=${!!this.sentinel}`);
+            // Layer 1: Regex patterns (detection, NOT blocking)
+            // Flags suspicious content but doesn't block - Layer 2 makes the final decision
+            const threat = this.patternMatcher.match(normalizedPrompt);
+            const isSuspicious = !!threat;
+            console.log(`[Tracerny] Layer 1 result: ${isSuspicious ? 'SUSPICIOUS' : 'CLEAN'}`);
+            if (isSuspicious && threat) {
+                console.log(`[Tracerny] Layer 1 flagged: ${threat.patternName}`);
+            }
+            // Layer 2: LLM Sentinel ALWAYS called (makes final decision)
+            // Even if Layer 1 is clean, Layer 2 can catch subtle attacks
+            // If Layer 1 is suspicious, Layer 2 verifies context (allows educational content)
+            console.log(`[Tracerny] Layer 2 check: sentinel=${!!this.sentinel}`);
+            if (this.sentinel) {
+                console.log('[Tracerny] Layer 2: Calling Sentinel...');
+                try {
+                    const result = await this.sentinel.check(normalizedPrompt, rid);
+                    console.log(`[Tracerny] Layer 2 result: blocked=${result.blocked}`);
+                    if (result.blocked) {
+                        // Log to shadow_log for analysis
+                        // Disabled for now - will re-enable after fixing endpoint
+                        // if (this.shadowLogSink) {
+                        //   const shadowPayload: ShadowLogPayload = {
+                        //     id: rid,
+                        //     prompt: prompt.substring(0, 500),
+                        //     keywords: result.keywords,
+                        //     verdict: 'YES', // Detected as attack by LLM
+                        //     latencyMs: result.latencyMs || 0,
+                        //     model: result.llmModel || 'unknown',
+                        //     timestamp: new Date().toISOString(),
+                        //   };
+                        //   this.shadowLogSink.log(shadowPayload).catch(err => {
+                        //     console.warn("[Tracerny] Shadow log send failed:", err);
+                        //   });
+                        // }
+                        const event = createSecurityEvent(rid, SecurityEventType.PROMPT_INJECTION, ThreatSeverity.HIGH, `LLM Sentinel detected: ${result.keywords.join(", ")} (confidence: ${result.confidence})`, {
+                            patternName: "LLM Sentinel",
+                            requestSnippet: prompt.substring(0, 100),
+                            blockLatencyMs: (result.latencyMs || 0) + (Date.now() - startTime),
+                            modelName: result.llmModel,
+                        });
+                        this.report(event);
+                        throw new ShieldBlockError("Tracerny Block: LLM Sentinel", event);
+                    }
+                    // Layer 2 passed - no shadow log entry
+                }
+                catch (error) {
+                    // If sentinel throws (network error, etc), check if it's our block or a system error
+                    if (error instanceof ShieldBlockError) {
+                        throw error;
+                    }
+                    // Other errors are silently caught - Layer 2 is non-blocking fallback
+                    console.warn("[Tracerny] Layer 2 sentinel error:", error);
+                }
+            }
+            // Both layers passed - prompt is safe
+            return;
+        }
+        finally {
+            // Jitter: Add random delay to obfuscate timing (always runs, masked from caller)
+            await jitter();
+        }
+    }
+    /**
+     * Update tool policy at runtime
+     */
+    setAllowedTools(tools) {
+        const policy = createToolPolicy(tools);
+        this.toolGuard.updatePolicy(policy);
+    }
+    /**
+     * Get service status for diagnostics
+     */
+    getStatus() {
+        return {
+            patternMatcher: {
+                ready: this.patternMatcher !== null,
+                stats: this.patternMatcher?.stats(),
+            },
+            toolGuard: {
+                allowedTools: this.toolGuard.getAllowedTools(),
+            },
+            telemetry: {
+                enabled: this.telemetrySink !== undefined,
+                status: this.telemetrySink?.getStatus(),
+            },
+        };
+    }
+    /**
+     * Report a security event (non-blocking)
+     */
+    report(event) {
+        if (this.telemetrySink) {
+            this.telemetrySink.queue(event);
+        }
+    }
+    /**
+     * Graceful shutdown: flush telemetry, release resources
+     */
+    destroy() {
+        this.telemetrySink?.destroy();
+    }
+    /**
+     * Generate a unique request ID
+     */
+    generateRequestId() {
+        return `req_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+    }
+}
+//# sourceMappingURL=ShieldApplicationService.js.map

package/dist/application/ShieldApplicationService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ShieldApplicationService.js","sourceRoot":"","sources":["../../src/application/ShieldApplicationService.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,SAAS,EAAiB,MAAM,2BAA2B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAmB,MAAM,4BAA4B,CAAC;AAC/E,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,cAAc,GAEf,MAAM,kBAAkB,CAAC;AAK1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAElD,OAAO,EAAE,gBAAgB,EAAE,MAAM,6CAA6C,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,qDAAqD,CAAC;AAiC/F,MAAM,OAAO,wBAAwB;IASnC,YAA6B,MAAsC;QAAtC,WAAM,GAAN,MAAM,CAAgC;QACjE,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAClD,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QAC1C,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACtC,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,UAAU;QAC3C,iEAAiE;QACjE,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC;QAE/C,wEAAwE;QACxE,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,gBAAgB,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,6CAA6C,gBAAgB,CAAC,MAAM,mBAAmB,CAAC,CAAC;QAErG,sEAAsE;QACtE,IAAI,CAAC,oBAAoB,EAAE,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACK,oBAAoB;QAC1B,mDAAmD;QACnD,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,YAAY,wBAAwB,KAAK,KAAK,EAAE,CAAC;YAChF,IAAI,CAAC,MAAM,CAAC,iBAAiB;iBAC1B,WAAW,EAAE;iBACb,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE;gBACjB,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpC,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;oBACnD,OAAO,CAAC,GAAG,CAAC,mCAAmC,QAAQ,CAAC,MAAM,kBAAkB,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC,CAAC;iBACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACb,OAAO,CAAC,IAAI,CACV,gEAAgE,EAChE,GAAG,CACJ,CAAC;YACJ,CAAC,CAAC,CAAC;QACP,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,IAAI,CACR,OAAyB,EACzB,OAAqB;QAErB,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,gDAAgD;YAChD,+DAA+D;YAC/D,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;gBACpB,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;gBACjD,2DAA2D;gBAC3D,+CAA+C;YACjD,CAAC;YAED,uBAAuB;YACvB,MAAM,QAAQ,GAAG,MAAM,OAAO,EAAE,CAAC;YAEjC,2DAA2D;YAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAEzC,qCAAqC;YACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC;YAC7D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEhE,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,mBAAmB,CAC/B,SAAS,EACT,iBAAiB,CAAC,iBAAiB,EACnC,cAAc,CAAC,QAAQ,EACvB,SAAS,SAAS,CAAC,QAAQ,wBAAwB,EACnD;oBACE,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,cAAc,EAAE,SAAS,EAAE,0BAA0B;oBACrD,SAAS,EAAE,OAAO,EAAE,SAAS;oBAC7B,QAAQ,EAAE,OAAO,EAAE,QAAQ;iBAC5B,EACD,SAAS,CACV,CAAC;gBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACnB,MAAM,IAAI,gBAAgB,CACxB,sCAAsC,SAAS,CAAC,QAAQ,GAAG,EAC3D,KAAK,CACN,CAAC;YACJ,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,4BAA4B;YAC5B,IAAI,KAAK,YAAY,gBAAgB,EAAE,CAAC;gBACtC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,4DAA4D;YAC5D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,SAAkB;QACjD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,yBAAyB;QACnC,CAAC;QAED,MAAM,GAAG,GAAG,SAAS,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,yDAAyD;YACzD,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,+BAA+B,gBAAgB,CAAC,MAAM,qBAAqB,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAE1G,oDAAoD;YACpD,gFAAgF;YAChF,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAC3D,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,8BAA8B,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAEnF,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,+BAA+B,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;YACnE,CAAC;YAED,6DAA6D;YAC7D,6DAA6D;YAC7D,kFAAkF;YAClF,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACrE,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;gBACvD,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;oBAChE,OAAO,CAAC,GAAG,CAAC,sCAAsC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;oBAEpE,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,iCAAiC;wBACjC,0DAA0D;wBAC1D,4BAA4B;wBAC5B,8CAA8C;wBAC9C,eAAe;wBACf,wCAAwC;wBACxC,iCAAiC;wBACjC,mDAAmD;wBACnD,wCAAwC;wBACxC,2CAA2C;wBAC3C,2CAA2C;wBAC3C,OAAO;wBACP,yDAAyD;wBACzD,+DAA+D;wBAC/D,QAAQ;wBACR,IAAI;wBAEJ,MAAM,KAAK,GAAG,mBAAmB,CAC/B,GAAG,EACH,iBAAiB,CAAC,gBAAgB,EAClC,cAAc,CAAC,IAAI,EACnB,0BAA0B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,UAAU,GAAG,EACzF;4BACE,WAAW,EAAE,cAAc;4BAC3B,cAAc,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;4BACxC,cAAc,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;4BAClE,SAAS,EAAE,MAAM,CAAC,QAAQ;yBAC3B,CACF,CAAC;wBAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;wBACnB,MAAM,IAAI,gBAAgB,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;oBACpE,CAAC;oBAED,uCAAuC;gBACzC,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,qFAAqF;oBACrF,IAAI,KAAK,YAAY,gBAAgB,EAAE,CAAC;wBACtC,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,sEAAsE;oBACtE,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;gBAC5D,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,OAAO;QACT,CAAC;gBAAS,CAAC;YACT,iFAAiF;YACjF,MAAM,MAAM,EAAE,CAAC;QACjB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,KAAwB;QACtC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO;YACL,cAAc,EAAE;gBACd,KAAK,EAAE,IAAI,CAAC,cAAc,KAAK,IAAI;gBACnC,KAAK,EAAE,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE;aACpC;YACD,SAAS,EAAE;gBACT,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,EAAE;aAC/C;YACD,SAAS,EAAE;gBACT,OAAO,EAAE,IAAI,CAAC,aAAa,KAAK,SAAS;gBACzC,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,SAAS,EAAE;aACxC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAoB;QACjC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,iBAAiB;QACvB,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;IAC3E,CAAC;CACF"}

package/dist/application/ShieldBlockError.d.ts

@@ -0,0 +1,10 @@
+/**
+ * ShieldBlockError
+ * Application exception: thrown when a security block occurs
+ */
+import { SecurityEvent } from "../domain/events/SecurityEvent";
+export declare class ShieldBlockError extends Error {
+    readonly event: SecurityEvent;
+    constructor(message: string, event: SecurityEvent);
+}
+//# sourceMappingURL=ShieldBlockError.d.ts.map

package/dist/application/ShieldBlockError.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ShieldBlockError.d.ts","sourceRoot":"","sources":["../../src/application/ShieldBlockError.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAE/D,qBAAa,gBAAiB,SAAQ,KAAK;aAGvB,KAAK,EAAE,aAAa;gBADpC,OAAO,EAAE,MAAM,EACC,KAAK,EAAE,aAAa;CAMvC"}

package/dist/application/ShieldBlockError.js

@@ -0,0 +1,13 @@
+/**
+ * ShieldBlockError
+ * Application exception: thrown when a security block occurs
+ */
+export class ShieldBlockError extends Error {
+    constructor(message, event) {
+        super(message);
+        this.event = event;
+        this.name = "ShieldBlockError";
+        Object.setPrototypeOf(this, ShieldBlockError.prototype);
+    }
+}
+//# sourceMappingURL=ShieldBlockError.js.map

package/dist/application/ShieldBlockError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ShieldBlockError.js","sourceRoot":"","sources":["../../src/application/ShieldBlockError.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC,YACE,OAAe,EACC,KAAoB;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,UAAK,GAAL,KAAK,CAAe;QAGpC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC1D,CAAC;CACF"}

package/dist/application/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Application Layer
+ * Barrel export
+ */
+export { ShieldApplicationService } from "./ShieldApplicationService";
+export type { ShieldApplicationServiceConfig, WrapOptions, ServiceStatus } from "./ShieldApplicationService";
+export { ShieldBlockError } from "./ShieldBlockError";
+export * from "./ports";
+//# sourceMappingURL=index.d.ts.map

package/dist/application/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/application/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AACtE,YAAY,EAAE,8BAA8B,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE7G,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,cAAc,SAAS,CAAC"}

package/dist/application/index.js

@@ -0,0 +1,8 @@
+/**
+ * Application Layer
+ * Barrel export
+ */
+export { ShieldApplicationService } from './ShieldApplicationService.js';
+export { ShieldBlockError } from './ShieldBlockError.js';
+export * from './ports/index.js';
+//# sourceMappingURL=index.js.map

package/dist/application/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/application/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAGtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,cAAc,SAAS,CAAC"}

package/dist/application/ports/ILLMProvider.d.ts

@@ -0,0 +1,71 @@
+/**
+ * ILLMProvider
+ * Outbound port: defines the contract for LLM calls
+ * Implemented by: OpenRouterProvider, OpenAI, Anthropic adapters, etc.
+ */
+export interface LLMMessage {
+    readonly role: "user" | "assistant" | "system";
+    readonly content: string;
+}
+export interface LLMTool {
+    readonly type: "function";
+    readonly function: {
+        readonly name: string;
+        readonly description?: string;
+        readonly parameters?: Record<string, unknown>;
+    };
+}
+export interface ToolCall {
+    readonly id: string;
+    readonly function: {
+        readonly name: string;
+        readonly arguments?: string | Record<string, unknown>;
+    };
+    readonly type?: "function";
+}
+export interface LLMChoice {
+    readonly message: {
+        readonly content: string | null;
+        readonly role: "assistant";
+        readonly tool_calls?: readonly ToolCall[];
+    };
+    readonly finish_reason: "stop" | "tool_calls" | "length" | "content_filter" | null;
+    readonly index: number;
+}
+export interface TokenUsage {
+    readonly prompt_tokens: number;
+    readonly completion_tokens: number;
+    readonly total_tokens: number;
+}
+export interface LLMResponse {
+    readonly id?: string;
+    readonly choices: readonly LLMChoice[];
+    readonly usage?: TokenUsage;
+    readonly model?: string;
+}
+export interface LLMRequest {
+    readonly messages: readonly LLMMessage[];
+    readonly model: string;
+    readonly tools?: readonly LLMTool[];
+    readonly temperature?: number;
+    readonly maxTokens?: number;
+    readonly [key: string]: unknown;
+}
+export declare class ProviderError extends Error {
+    readonly providerName: string;
+    readonly statusCode?: number | undefined;
+    readonly cause?: unknown | undefined;
+    constructor(message: string, providerName: string, statusCode?: number | undefined, cause?: unknown | undefined);
+}
+export interface ILLMProvider {
+    /**
+     * The name of this provider (for telemetry)
+     */
+    readonly providerName: string;
+    /**
+     * Execute an LLM call
+     * Throws ProviderError on failure
+     */
+    complete(request: LLMRequest): Promise<LLMResponse>;
+}
+//# sourceMappingURL=ILLMProvider.d.ts.map

package/dist/application/ports/ILLMProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ILLMProvider.d.ts","sourceRoot":"","sources":["../../../src/application/ports/ILLMProvider.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,GAAG,QAAQ,CAAC;IAC/C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE;QACjB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAC/C,CAAC;CACH;AAED,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,EAAE;QACjB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACvD,CAAC;IACF,QAAQ,CAAC,IAAI,CAAC,EAAE,UAAU,CAAC;CAC5B;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;QAChC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;QAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,QAAQ,EAAE,CAAC;KAC3C,CAAC;IACF,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,YAAY,GAAG,QAAQ,GAAG,gBAAgB,GAAG,IAAI,CAAC;IACnF,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,EAAE,SAAS,SAAS,EAAE,CAAC;IACvC,QAAQ,CAAC,KAAK,CAAC,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,QAAQ,EAAE,SAAS,UAAU,EAAE,CAAC;IACzC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,OAAO,EAAE,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACjC;AAED,qBAAa,aAAc,SAAQ,KAAK;aAGpB,YAAY,EAAE,MAAM;aACpB,UAAU,CAAC,EAAE,MAAM;aACnB,KAAK,CAAC,EAAE,OAAO;gBAH/B,OAAO,EAAE,MAAM,EACC,YAAY,EAAE,MAAM,EACpB,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,KAAK,CAAC,EAAE,OAAO,YAAA;CAKlC;AAED,MAAM,WAAW,YAAY;IAC3B;;OAEG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAE9B;;;OAGG;IACH,QAAQ,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CACrD"}

package/dist/application/ports/ILLMProvider.js

@@ -0,0 +1,15 @@
+/**
+ * ILLMProvider
+ * Outbound port: defines the contract for LLM calls
+ * Implemented by: OpenRouterProvider, OpenAI, Anthropic adapters, etc.
+ */
+export class ProviderError extends Error {
+    constructor(message, providerName, statusCode, cause) {
+        super(message);
+        this.providerName = providerName;
+        this.statusCode = statusCode;
+        this.cause = cause;
+        this.name = "ProviderError";
+    }
+}
+//# sourceMappingURL=ILLMProvider.js.map

package/dist/application/ports/ILLMProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ILLMProvider.js","sourceRoot":"","sources":["../../../src/application/ports/ILLMProvider.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAyDH,MAAM,OAAO,aAAc,SAAQ,KAAK;IACtC,YACE,OAAe,EACC,YAAoB,EACpB,UAAmB,EACnB,KAAe;QAE/B,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,iBAAY,GAAZ,YAAY,CAAQ;QACpB,eAAU,GAAV,UAAU,CAAS;QACnB,UAAK,GAAL,KAAK,CAAU;QAG/B,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF"}

package/dist/application/ports/IPatternRepository.d.ts

@@ -0,0 +1,20 @@
+/**
+ * IPatternRepository
+ * Outbound port: defines the contract for loading detection patterns
+ * Implemented by: BundledPatternRepository, RemotePatternRepository
+ */
+import { VanguardPattern } from "../../domain/detection/VanguardPattern";
+export interface IPatternRepository {
+    /**
+     * Load patterns.
+     * May be synchronous (bundled) or asynchronous (remote).
+     * Returns readonly array for immutability.
+     */
+    getPatterns(): Promise<readonly VanguardPattern[]>;
+    /**
+     * Source identifier for diagnostics.
+     * Examples: "bundled@0.1.0", "remote:https://api.tracerney.dev/manifest.json"
+     */
+    readonly sourceIdentifier: string;
+}
+//# sourceMappingURL=IPatternRepository.d.ts.map

package/dist/application/ports/IPatternRepository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"IPatternRepository.d.ts","sourceRoot":"","sources":["../../../src/application/ports/IPatternRepository.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,wCAAwC,CAAC;AAEzE,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,WAAW,IAAI,OAAO,CAAC,SAAS,eAAe,EAAE,CAAC,CAAC;IAEnD;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC"}

package/dist/application/ports/IPatternRepository.js

@@ -0,0 +1,7 @@
+/**
+ * IPatternRepository
+ * Outbound port: defines the contract for loading detection patterns
+ * Implemented by: BundledPatternRepository, RemotePatternRepository
+ */
+export {};
+//# sourceMappingURL=IPatternRepository.js.map

package/dist/application/ports/IPatternRepository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IPatternRepository.js","sourceRoot":"","sources":["../../../src/application/ports/IPatternRepository.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/application/ports/ISentinel.d.ts

@@ -0,0 +1,22 @@
+/**
+ * ISentinel - Port for Layer 2 LLM-based attack detection
+ *
+ * Called when Layer 1 (regex) finds no match.
+ * Provides a second opinion via fast LLM model.
+ */
+export interface ISentinel {
+    /**
+     * Check if a prompt contains a prompt injection attack
+     * @param prompt The user input to evaluate
+     * @param requestId Optional request ID for logging
+     * @returns Result with blocked flag, confidence score, and triggered keywords
+     */
+    check(prompt: string, requestId?: string): Promise<{
+        blocked: boolean;
+        confidence: number;
+        keywords: string[];
+        llmModel?: string;
+        latencyMs?: number;
+    }>;
+}
+//# sourceMappingURL=ISentinel.d.ts.map

package/dist/application/ports/ISentinel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ISentinel.d.ts","sourceRoot":"","sources":["../../../src/application/ports/ISentinel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,SAAS;IACxB;;;;;OAKG;IACH,KAAK,CACH,MAAM,EAAE,MAAM,EACd,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC;QACT,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;CACJ"}

package/dist/application/ports/ISentinel.js

@@ -0,0 +1,8 @@
+/**
+ * ISentinel - Port for Layer 2 LLM-based attack detection
+ *
+ * Called when Layer 1 (regex) finds no match.
+ * Provides a second opinion via fast LLM model.
+ */
+export {};
+//# sourceMappingURL=ISentinel.js.map

package/dist/application/ports/ISentinel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ISentinel.js","sourceRoot":"","sources":["../../../src/application/ports/ISentinel.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/application/ports/ITelemetrySink.d.ts

@@ -0,0 +1,35 @@
+/**
+ * ITelemetrySink
+ * Outbound port: defines the contract for reporting security events
+ * Implemented by: HttpSignalSink, NoOpSink, etc.
+ */
+import { SecurityEvent } from "../../domain/events/SecurityEvent";
+export interface TelemetrySinkStatus {
+    readonly enabled: boolean;
+    readonly queuedEvents: number;
+    readonly isPosting: boolean;
+}
+export interface ITelemetrySink {
+    /**
+     * Queue a security event for async delivery.
+     * Returns immediately — never throws.
+     * Fire-and-forget pattern.
+     */
+    queue(event: SecurityEvent): void;
+    /**
+     * Flush all queued events to the sink.
+     * Awaitable for graceful shutdown.
+     * Throws on persistent send failure (after retries).
+     */
+    flush(): Promise<void>;
+    /**
+     * Destroy the sink and release resources.
+     * Should attempt a final flush if possible.
+     */
+    destroy(): void;
+    /**
+     * Get sink status (for diagnostics).
+     */
+    getStatus(): TelemetrySinkStatus;
+}
+//# sourceMappingURL=ITelemetrySink.d.ts.map

package/dist/application/ports/ITelemetrySink.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ITelemetrySink.d.ts","sourceRoot":"","sources":["../../../src/application/ports/ITelemetrySink.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AAElE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,cAAc;IAC7B;;;;OAIG;IACH,KAAK,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAAC;IAElC;;;;OAIG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;;OAGG;IACH,OAAO,IAAI,IAAI,CAAC;IAEhB;;OAEG;IACH,SAAS,IAAI,mBAAmB,CAAC;CAClC"}

package/dist/application/ports/ITelemetrySink.js

@@ -0,0 +1,7 @@
+/**
+ * ITelemetrySink
+ * Outbound port: defines the contract for reporting security events
+ * Implemented by: HttpSignalSink, NoOpSink, etc.
+ */
+export {};
+//# sourceMappingURL=ITelemetrySink.js.map

package/dist/application/ports/ITelemetrySink.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ITelemetrySink.js","sourceRoot":"","sources":["../../../src/application/ports/ITelemetrySink.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/application/ports/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Application Ports
+ * Outbound port interfaces for dependency injection
+ * Barrel export
+ */
+export { ProviderError } from "./ILLMProvider";
+export type { ILLMProvider, LLMRequest, LLMResponse, LLMMessage, LLMChoice, ToolCall, LLMTool, TokenUsage, } from "./ILLMProvider";
+export type { ITelemetrySink, TelemetrySinkStatus } from "./ITelemetrySink";
+export type { IPatternRepository } from "./IPatternRepository";
+//# sourceMappingURL=index.d.ts.map

package/dist/application/ports/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/application/ports/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,YAAY,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,UAAU,EACV,SAAS,EACT,QAAQ,EACR,OAAO,EACP,UAAU,GACX,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAE5E,YAAY,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/application/ports/index.js

@@ -0,0 +1,7 @@
+/**
+ * Application Ports
+ * Outbound port interfaces for dependency injection
+ * Barrel export
+ */
+export { ProviderError } from './ILLMProvider.js';
+//# sourceMappingURL=index.js.map