@shuyhere/takotako 0.0.1

package/dist/core/sanitizer.js

@@ -0,0 +1,181 @@
+/**
+ * Input Sanitizer — detects and strips prompt injection patterns.
+ *
+ * Modes:
+ * - 'strip': remove dangerous tokens, continue processing
+ * - 'warn': log but don't modify
+ * - 'block': reject the message entirely
+ */
+const SANITIZE_PATTERNS = [
+    // Prompt injection attempts
+    {
+        regex: /ignore\s+(all\s+)?previous\s+(instructions|rules|prompts)/gi,
+        category: 'injection',
+        severity: 'high',
+        description: 'Ignore previous instructions',
+    },
+    {
+        regex: /disregard\s+(all\s+)?(previous\s+)?(rules|instructions|prompts|context)/gi,
+        category: 'injection',
+        severity: 'high',
+        description: 'Disregard rules',
+    },
+    {
+        regex: /forget\s+(all\s+)?(your\s+)?(previous\s+)?(instructions|rules|training)/gi,
+        category: 'injection',
+        severity: 'high',
+        description: 'Forget instructions',
+    },
+    {
+        regex: /you\s+are\s+now\s+(a|an|the)\s+/gi,
+        category: 'injection',
+        severity: 'medium',
+        description: 'Role override attempt',
+    },
+    {
+        regex: /new\s+instructions?:?\s/gi,
+        category: 'injection',
+        severity: 'medium',
+        description: 'New instructions injection',
+    },
+    {
+        regex: /override\s+(system|safety|security)\s/gi,
+        category: 'injection',
+        severity: 'high',
+        description: 'Override system prompt',
+    },
+    // System prompt extraction
+    {
+        regex: /repeat\s+(your\s+)?(system\s+)?(prompt|instructions)/gi,
+        category: 'extraction',
+        severity: 'medium',
+        description: 'System prompt extraction',
+    },
+    {
+        regex: /what\s+are\s+your\s+(system\s+)?(instructions|rules|constraints)/gi,
+        category: 'extraction',
+        severity: 'low',
+        description: 'Instruction probing',
+    },
+    {
+        regex: /show\s+(me\s+)?(your\s+)?(system\s+)?(prompt|instructions|configuration)/gi,
+        category: 'extraction',
+        severity: 'medium',
+        description: 'Show system prompt',
+    },
+    {
+        regex: /output\s+(your\s+)?(entire\s+)?(system\s+)?(prompt|message|instructions)/gi,
+        category: 'extraction',
+        severity: 'medium',
+        description: 'Output system prompt',
+    },
+    // Role confusion tokens
+    {
+        regex: /<\|system\|>/gi,
+        category: 'role_confusion',
+        severity: 'high',
+        description: 'System token injection',
+    },
+    {
+        regex: /<\|(?:user|assistant|endoftext|im_start|im_end)\|>/gi,
+        category: 'role_confusion',
+        severity: 'high',
+        description: 'Chat role token injection',
+    },
+    {
+        regex: /\[INST\]/gi,
+        category: 'role_confusion',
+        severity: 'high',
+        description: 'Llama instruction token',
+    },
+    {
+        regex: /<<SYS>>/gi,
+        category: 'role_confusion',
+        severity: 'high',
+        description: 'Llama system token',
+    },
+    {
+        regex: /\[\/INST\]/gi,
+        category: 'role_confusion',
+        severity: 'high',
+        description: 'Llama end instruction token',
+    },
+    {
+        regex: /<\/?(?:system|human|assistant)>/gi,
+        category: 'role_confusion',
+        severity: 'high',
+        description: 'XML role tag injection',
+    },
+    // Encoded payloads
+    {
+        regex: /base64[:\s]+[A-Za-z0-9+/]{50,}={0,2}/gi,
+        category: 'encoding',
+        severity: 'medium',
+        description: 'Base64 encoded payload',
+    },
+];
+// ─── Sanitizer ──────────────────────────────────────────────────────
+export class InputSanitizer {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Sanitize user input.
+     */
+    sanitize(text) {
+        if (!this.config.enabled) {
+            return { text, flagged: false, blocked: false, detections: [] };
+        }
+        const detections = [];
+        for (const pattern of SANITIZE_PATTERNS) {
+            pattern.regex.lastIndex = 0;
+            if (pattern.regex.test(text)) {
+                detections.push({
+                    pattern: pattern.description,
+                    category: pattern.category,
+                    severity: pattern.severity,
+                });
+            }
+        }
+        if (detections.length === 0) {
+            return { text, flagged: false, blocked: false, detections: [] };
+        }
+        // Block mode
+        if (this.config.mode === 'block') {
+            const hasHigh = detections.some((d) => d.severity === 'high');
+            if (hasHigh) {
+                return {
+                    text: '',
+                    flagged: true,
+                    blocked: true,
+                    detections,
+                };
+            }
+        }
+        // Strip mode
+        if (this.config.mode === 'strip') {
+            let cleaned = text;
+            for (const pattern of SANITIZE_PATTERNS) {
+                pattern.regex.lastIndex = 0;
+                cleaned = cleaned.replace(pattern.regex, '');
+            }
+            // Clean up extra whitespace from stripping
+            cleaned = cleaned.replace(/\s{3,}/g, ' ').trim();
+            return {
+                text: cleaned,
+                flagged: true,
+                blocked: false,
+                detections,
+            };
+        }
+        // Warn mode — pass through unchanged
+        return {
+            text,
+            flagged: true,
+            blocked: false,
+            detections,
+        };
+    }
+}
+//# sourceMappingURL=sanitizer.js.map

package/dist/core/sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizer.js","sourceRoot":"","sources":["../../src/core/sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAqCH,MAAM,iBAAiB,GAAsB;IAC3C,4BAA4B;IAC5B;QACE,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,KAAK,EAAE,2EAA2E;QAClF,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,KAAK,EAAE,2EAA2E;QAClF,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,KAAK,EAAE,mCAAmC;QAC1C,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,KAAK,EAAE,yCAAyC;QAChD,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wBAAwB;KACtC;IAED,2BAA2B;IAC3B;QACE,KAAK,EAAE,wDAAwD;QAC/D,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,0BAA0B;KACxC;IACD;QACE,KAAK,EAAE,oEAAoE;QAC3E,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,KAAK,EAAE,4EAA4E;QACnF,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,KAAK,EAAE,4EAA4E;QACnF,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sBAAsB;KACpC;IAED,wBAAwB;IACxB;QACE,KAAK,EAAE,gBAAgB;QACvB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,KAAK,EAAE,sDAAsD;QAC7D,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,KAAK,EAAE,WAAW;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,KAAK,EAAE,cAAc;QACrB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6BAA6B;KAC3C;IACD;QACE,KAAK,EAAE,mCAAmC;QAC1C,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wBAAwB;KACtC;IAED,mBAAmB;IACnB;QACE,KAAK,EAAE,wCAAwC;QAC/C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wBAAwB;KACtC;CACF,CAAC;AAEF,uEAAuE;AAEvE,MAAM,OAAO,cAAc;IACjB,MAAM,CAAkB;IAEhC,YAAY,MAAuB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,IAAY;QACnB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAClE,CAAC;QAED,MAAM,UAAU,GAAwB,EAAE,CAAC;QAE3C,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,UAAU,CAAC,IAAI,CAAC;oBACd,OAAO,EAAE,OAAO,CAAC,WAAW;oBAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;iBAC3B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAClE,CAAC;QAED,aAAa;QACb,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;YAC9D,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO;oBACL,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE,IAAI;oBACb,UAAU;iBACX,CAAC;YACJ,CAAC;QACH,CAAC;QAED,aAAa;QACb,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,OAAO,GAAG,IAAI,CAAC;YACnB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC5B,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,2CAA2C;YAC3C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,KAAK;gBACd,UAAU;aACX,CAAC;QACJ,CAAC;QAED,qCAAqC;QACrC,OAAO;YACL,IAAI;YACJ,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,KAAK;YACd,UAAU;SACX,CAAC;IACJ,CAAC;CACF"}

package/dist/core/secret-scanner.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Secret Scanner — detects and redacts secrets in agent output before delivery.
+ *
+ * Scans for: API keys, private keys, tokens, passwords.
+ * Actions: 'redact' (default), 'block', 'warn'.
+ */
+export interface SecretScannerConfig {
+    /** Enable secret scanning (default: true). */
+    enabled: boolean;
+    /** Action on detection: 'redact' replaces, 'block' stops delivery, 'warn' logs only. */
+    action: 'redact' | 'block' | 'warn';
+}
+export interface ScanResult {
+    /** The (possibly redacted) text. */
+    text: string;
+    /** Whether any secrets were found. */
+    hasSecrets: boolean;
+    /** List of detected secret types. */
+    detections: SecretDetection[];
+}
+export interface SecretDetection {
+    type: string;
+    offset: number;
+    length: number;
+    redacted: string;
+}
+export declare class SecretScanner {
+    private config;
+    constructor(config: SecretScannerConfig);
+    /**
+     * Scan text for secrets and optionally redact them.
+     */
+    scan(text: string): ScanResult;
+    /**
+     * Quick check — does this text contain any secrets?
+     */
+    hasSecrets(text: string): boolean;
+}
+//# sourceMappingURL=secret-scanner.d.ts.map

package/dist/core/secret-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-scanner.d.ts","sourceRoot":"","sources":["../../src/core/secret-scanner.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IACjB,wFAAwF;IACxF,MAAM,EAAE,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;CACrC;AAED,MAAM,WAAW,UAAU;IACzB,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,UAAU,EAAE,OAAO,CAAC;IACpB,qCAAqC;IACrC,UAAU,EAAE,eAAe,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAiDD,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIvC;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU;IA6C9B;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;CASlC"}

package/dist/core/secret-scanner.js

@@ -0,0 +1,96 @@
+/**
+ * Secret Scanner — detects and redacts secrets in agent output before delivery.
+ *
+ * Scans for: API keys, private keys, tokens, passwords.
+ * Actions: 'redact' (default), 'block', 'warn'.
+ */
+const SECRET_PATTERNS = [
+    // API keys
+    { type: 'anthropic_key', regex: /sk-ant-[a-zA-Z0-9_-]{20,}/g, label: 'REDACTED:anthropic_key' },
+    { type: 'openai_key', regex: /sk-[a-zA-Z0-9]{20,}/g, label: 'REDACTED:openai_key' },
+    { type: 'aws_key', regex: /AKIA[0-9A-Z]{16}/g, label: 'REDACTED:aws_key' },
+    { type: 'github_token', regex: /gh[pousr]_[a-zA-Z0-9]{36,}/g, label: 'REDACTED:github_token' },
+    { type: 'github_classic', regex: /ghp_[a-zA-Z0-9]{36}/g, label: 'REDACTED:github_token' },
+    // Bearer tokens (JWT-like)
+    { type: 'bearer_token', regex: /Bearer\s+ey[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}/g, label: 'REDACTED:bearer_token' },
+    // JWT standalone
+    { type: 'jwt', regex: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g, label: 'REDACTED:jwt' },
+    // Private keys
+    { type: 'rsa_key', regex: /-----BEGIN RSA PRIVATE KEY-----[\s\S]*?-----END RSA PRIVATE KEY-----/g, label: 'REDACTED:rsa_private_key' },
+    { type: 'openssh_key', regex: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/g, label: 'REDACTED:openssh_key' },
+    { type: 'ec_key', regex: /-----BEGIN EC PRIVATE KEY-----[\s\S]*?-----END EC PRIVATE KEY-----/g, label: 'REDACTED:ec_private_key' },
+    { type: 'generic_key', regex: /-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----/g, label: 'REDACTED:private_key' },
+    // Discord / Telegram tokens
+    { type: 'discord_token', regex: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g, label: 'REDACTED:discord_token' },
+    { type: 'telegram_token', regex: /\d{8,10}:[a-zA-Z0-9_-]{35}/g, label: 'REDACTED:telegram_token' },
+    // Slack tokens
+    { type: 'slack_token', regex: /xox[bpors]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/g, label: 'REDACTED:slack_token' },
+    // Password patterns in assignments
+    { type: 'password_assign', regex: /(?:password|passwd|pwd|secret|api_key|apikey|auth_token)\s*[=:]\s*['"][^'"]{8,}['"]/gi, label: 'REDACTED:credential' },
+    // AWS secret key
+    { type: 'aws_secret', regex: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/g, label: 'REDACTED:aws_secret' },
+    // Generic long hex strings that look like API keys (40+ chars)
+    { type: 'hex_secret', regex: /(?:token|secret|key|api_key)\s*[=:]\s*['"]?[a-f0-9]{40,}['"]?/gi, label: 'REDACTED:hex_token' },
+];
+// ─── Scanner ────────────────────────────────────────────────────────
+export class SecretScanner {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Scan text for secrets and optionally redact them.
+     */
+    scan(text) {
+        if (!this.config.enabled) {
+            return { text, hasSecrets: false, detections: [] };
+        }
+        const detections = [];
+        let redacted = text;
+        for (const pattern of SECRET_PATTERNS) {
+            // Reset regex state
+            pattern.regex.lastIndex = 0;
+            let match;
+            while ((match = pattern.regex.exec(text)) !== null) {
+                detections.push({
+                    type: pattern.type,
+                    offset: match.index,
+                    length: match[0].length,
+                    redacted: `[${pattern.label}]`,
+                });
+            }
+        }
+        if (detections.length === 0) {
+            return { text, hasSecrets: false, detections: [] };
+        }
+        // Sort detections by offset descending for safe replacement
+        if (this.config.action === 'redact') {
+            const sorted = [...detections].sort((a, b) => b.offset - a.offset);
+            for (const det of sorted) {
+                redacted =
+                    redacted.slice(0, det.offset) +
+                        det.redacted +
+                        redacted.slice(det.offset + det.length);
+            }
+        }
+        return {
+            text: this.config.action === 'redact' ? redacted : text,
+            hasSecrets: true,
+            detections,
+        };
+    }
+    /**
+     * Quick check — does this text contain any secrets?
+     */
+    hasSecrets(text) {
+        if (!this.config.enabled)
+            return false;
+        for (const pattern of SECRET_PATTERNS) {
+            pattern.regex.lastIndex = 0;
+            if (pattern.regex.test(text))
+                return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=secret-scanner.js.map

package/dist/core/secret-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-scanner.js","sourceRoot":"","sources":["../../src/core/secret-scanner.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAmCH,MAAM,eAAe,GAAoB;IACvC,WAAW;IACX,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,4BAA4B,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAC/F,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,sBAAsB,EAAE,KAAK,EAAE,qBAAqB,EAAE;IACnF,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IAC1E,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,6BAA6B,EAAE,KAAK,EAAE,uBAAuB,EAAE;IAC9F,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,sBAAsB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IAEzF,2BAA2B;IAC3B,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,wEAAwE,EAAE,KAAK,EAAE,uBAAuB,EAAE;IAEzI,iBAAiB;IACjB,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,mEAAmE,EAAE,KAAK,EAAE,cAAc,EAAE;IAElH,eAAe;IACf,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,uEAAuE,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACtI,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,+EAA+E,EAAE,KAAK,EAAE,sBAAsB,EAAE;IAC9I,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,qEAAqE,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAClI,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,+DAA+D,EAAE,KAAK,EAAE,sBAAsB,EAAE;IAE9H,4BAA4B;IAC5B,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,4CAA4C,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAC/G,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,6BAA6B,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAElG,eAAe;IACf,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,wDAAwD,EAAE,KAAK,EAAE,sBAAsB,EAAE;IAEvH,mCAAmC;IACnC,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,uFAAuF,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAEzJ,iBAAiB;IACjB,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,wFAAwF,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAErJ,+DAA+D;IAC/D,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,iEAAiE,EAAE,KAAK,EAAE,oBAAoB,EAAE;CAC9H,CAAC;AAEF,uEAAuE;AAEvE,MAAM,OAAO,aAAa;IAChB,MAAM,CAAsB;IAEpC,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,IAAY;QACf,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,UAAU,GAAsB,EAAE,CAAC;QACzC,IAAI,QAAQ,GAAG,IAAI,CAAC;QAEpB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,oBAAoB;YACpB,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YAC5B,IAAI,KAA6B,CAAC;YAElC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,MAAM,EAAE,KAAK,CAAC,KAAK;oBACnB,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBACvB,QAAQ,EAAE,IAAI,OAAO,CAAC,KAAK,GAAG;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACrD,CAAC;QAED,4DAA4D;QAC5D,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;YACnE,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;gBACzB,QAAQ;oBACN,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;wBAC7B,GAAG,CAAC,QAAQ;wBACZ,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI;YACvD,UAAU,EAAE,IAAI;YAChB,UAAU;SACX,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAY;QACrB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAEvC,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC5C,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/core/secrets.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Secrets manager — secure storage for API keys and tokens.
+ *
+ * Stores secrets encrypted at rest (using a derived key from the machine ID),
+ * provides env-var injection, and masks secrets in logs/output.
+ */
+export interface SecretsConfig {
+    /** Storage backend: 'file' | 'env' | 'keychain' */
+    backend: 'file' | 'env' | 'keychain';
+    /** Path for file-based storage. */
+    path?: string;
+}
+export declare class SecretsManager {
+    private config;
+    private storePath;
+    private cache;
+    private encryptionKey;
+    constructor(config?: Partial<SecretsConfig>);
+    /** Get a secret by key. */
+    get(key: string): Promise<string | undefined>;
+    /** Set a secret. */
+    set(key: string, value: string): Promise<void>;
+    /** Delete a secret. */
+    delete(key: string): Promise<void>;
+    /** List secret keys (not values). */
+    list(): Promise<string[]>;
+    /** Mask secrets in a string (for log safety). */
+    mask(text: string): string;
+    /** Inject secrets as environment variables for child processes. */
+    toEnv(): Record<string, string>;
+    /** Preload all secrets into in-memory cache (for masking and env injection). */
+    preload(): Promise<void>;
+    private encrypt;
+    private decrypt;
+    private loadStore;
+    private saveStore;
+}
+//# sourceMappingURL=secrets.d.ts.map

package/dist/core/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/core/secrets.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,GAAG,KAAK,GAAG,UAAU,CAAC;IACrC,mCAAmC;IACnC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AASD,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,KAAK,CAAoC;IACjD,OAAO,CAAC,aAAa,CAAS;gBAElB,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM;IAW/C,2BAA2B;IACrB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAYnD,oBAAoB;IACd,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAcpD,uBAAuB;IACjB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYxC,qCAAqC;IAC/B,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAU/B,iDAAiD;IACjD,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAW1B,mEAAmE;IACnE,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAU/B,gFAAgF;IAC1E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB9B,OAAO,CAAC,OAAO;IAOf,OAAO,CAAC,OAAO;YAUD,SAAS;YAST,SAAS;CAIxB"}

package/dist/core/secrets.js

@@ -0,0 +1,137 @@
+/**
+ * Secrets manager — secure storage for API keys and tokens.
+ *
+ * Stores secrets encrypted at rest (using a derived key from the machine ID),
+ * provides env-var injection, and masks secrets in logs/output.
+ */
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
+// ─── Implementation ─────────────────────────────────────────────────
+export class SecretsManager {
+    config;
+    storePath;
+    cache = null;
+    encryptionKey;
+    constructor(config = {}) {
+        this.config = {
+            backend: config.backend ?? 'file',
+            path: config.path,
+        };
+        this.storePath = this.config.path ?? join(process.env.HOME ?? '/tmp', '.tako', 'secrets.enc');
+        // Derive encryption key from hostname + username (machine-bound)
+        const salt = `tako-secrets-${process.env.USER ?? 'default'}`;
+        this.encryptionKey = scryptSync(salt, 'tako', 32);
+    }
+    /** Get a secret by key. */
+    async get(key) {
+        if (this.config.backend === 'env') {
+            return process.env[key];
+        }
+        const store = await this.loadStore();
+        const entry = store.secrets[key];
+        if (!entry)
+            return undefined;
+        return this.decrypt(entry.iv, entry.data);
+    }
+    /** Set a secret. */
+    async set(key, value) {
+        if (this.config.backend === 'env') {
+            process.env[key] = value;
+            return;
+        }
+        const store = await this.loadStore();
+        const iv = randomBytes(16);
+        const encrypted = this.encrypt(iv, value);
+        store.secrets[key] = { iv: iv.toString('hex'), data: encrypted };
+        await this.saveStore(store);
+        this.cache = null; // Invalidate cache
+    }
+    /** Delete a secret. */
+    async delete(key) {
+        if (this.config.backend === 'env') {
+            delete process.env[key];
+            return;
+        }
+        const store = await this.loadStore();
+        delete store.secrets[key];
+        await this.saveStore(store);
+        this.cache = null;
+    }
+    /** List secret keys (not values). */
+    async list() {
+        if (this.config.backend === 'env') {
+            // Return known Tako-related env vars
+            return Object.keys(process.env).filter((k) => k.startsWith('TAKO_'));
+        }
+        const store = await this.loadStore();
+        return Object.keys(store.secrets);
+    }
+    /** Mask secrets in a string (for log safety). */
+    mask(text) {
+        if (!this.cache)
+            return text;
+        let masked = text;
+        for (const [, value] of this.cache) {
+            if (value.length >= 4) {
+                masked = masked.replaceAll(value, value.slice(0, 2) + '***' + value.slice(-2));
+            }
+        }
+        return masked;
+    }
+    /** Inject secrets as environment variables for child processes. */
+    toEnv() {
+        const env = {};
+        if (this.cache) {
+            for (const [key, value] of this.cache) {
+                env[key] = value;
+            }
+        }
+        return env;
+    }
+    /** Preload all secrets into in-memory cache (for masking and env injection). */
+    async preload() {
+        if (this.config.backend === 'env')
+            return;
+        const store = await this.loadStore();
+        this.cache = new Map();
+        for (const [key, entry] of Object.entries(store.secrets)) {
+            try {
+                const value = this.decrypt(entry.iv, entry.data);
+                this.cache.set(key, value);
+            }
+            catch {
+                // Skip corrupted entries
+            }
+        }
+    }
+    // ─── Encryption helpers ─────────────────────────────────────────
+    encrypt(iv, plaintext) {
+        const cipher = createCipheriv('aes-256-cbc', this.encryptionKey, iv);
+        let encrypted = cipher.update(plaintext, 'utf-8', 'hex');
+        encrypted += cipher.final('hex');
+        return encrypted;
+    }
+    decrypt(ivHex, ciphertext) {
+        const iv = Buffer.from(ivHex, 'hex');
+        const decipher = createDecipheriv('aes-256-cbc', this.encryptionKey, iv);
+        let decrypted = decipher.update(ciphertext, 'hex', 'utf-8');
+        decrypted += decipher.final('utf-8');
+        return decrypted;
+    }
+    // ─── Store I/O ──────────────────────────────────────────────────
+    async loadStore() {
+        try {
+            const raw = await readFile(this.storePath, 'utf-8');
+            return JSON.parse(raw);
+        }
+        catch {
+            return { version: 1, secrets: {} };
+        }
+    }
+    async saveStore(store) {
+        await mkdir(dirname(this.storePath), { recursive: true });
+        await writeFile(this.storePath, JSON.stringify(store, null, 2), 'utf-8');
+    }
+}
+//# sourceMappingURL=secrets.js.map

package/dist/core/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/core/secrets.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAgBxF,uEAAuE;AAEvE,MAAM,OAAO,cAAc;IACjB,MAAM,CAAgB;IACtB,SAAS,CAAS;IAClB,KAAK,GAA+B,IAAI,CAAC;IACzC,aAAa,CAAS;IAE9B,YAAY,SAAiC,EAAE;QAC7C,IAAI,CAAC,MAAM,GAAG;YACZ,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM;YACjC,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC;QACF,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;QAC9F,iEAAiE;QACjE,MAAM,IAAI,GAAG,gBAAgB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7D,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,2BAA2B;IAC3B,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAE7B,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,oBAAoB;IACpB,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC1C,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QACjE,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC5B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,mBAAmB;IACxC,CAAC;IAED,uBAAuB;IACvB,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACxB,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC1B,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC5B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAED,qCAAqC;IACrC,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAClC,qCAAqC;YACrC,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC,IAAY;QACf,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACtB,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACjF,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mEAAmE;IACnE,KAAK;QACH,MAAM,GAAG,GAA2B,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACtC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACnB,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,KAAK;YAAE,OAAO;QAC1C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACzD,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBACjD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,mEAAmE;IAE3D,OAAO,CAAC,EAAU,EAAE,SAAiB;QAC3C,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACrE,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;QACzD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,OAAO,CAAC,KAAa,EAAE,UAAkB;QAC/C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACzE,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAC5D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,mEAAmE;IAE3D,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACpD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACrC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,KAAmB;QACzC,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC;CACF"}

package/dist/core/security.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Security middleware — unified access point for all security modules.
+ *
+ * Initializes and provides access to:
+ * - SecretScanner (output scanning)
+ * - RateLimiter (request throttling)
+ * - InputSanitizer (prompt injection detection)
+ * - ToolValidator (argument validation)
+ * - NetworkPolicy (URL/domain control)
+ *
+ * This module is the single integration point. Other modules import
+ * from here rather than from individual security modules.
+ */
+import { SecretScanner } from './secret-scanner.js';
+import { RateLimiter } from './rate-limiter.js';
+import { InputSanitizer } from './sanitizer.js';
+import { ToolValidator } from './tool-validator.js';
+import { NetworkPolicy } from './network-policy.js';
+import type { SecurityConfig } from '../config/schema.js';
+/**
+ * Initialize all security modules from config.
+ */
+export declare function initSecurity(config: SecurityConfig, workspaceRoot: string): void;
+/** Get the secret scanner instance. */
+export declare function getSecretScanner(): SecretScanner | null;
+/** Get the rate limiter instance. */
+export declare function getRateLimiter(): RateLimiter | null;
+/** Get the input sanitizer instance. */
+export declare function getInputSanitizer(): InputSanitizer | null;
+/** Get the tool validator instance. */
+export declare function getToolValidator(): ToolValidator | null;
+/** Get the network policy instance. */
+export declare function getNetworkPolicy(): NetworkPolicy | null;
+/**
+ * Scan and redact secrets from outgoing text.
+ * Returns the (possibly redacted) text.
+ */
+export declare function scanSecrets(text: string): string;
+/**
+ * Check rate limit for a user/channel pair.
+ * Returns null if allowed, or an error message if limited.
+ */
+export declare function checkRateLimit(userId: string, channelId: string): string | null;
+/**
+ * Sanitize user input for prompt injection.
+ * Returns the sanitized text, or null if blocked.
+ */
+export declare function sanitizeInput(text: string): {
+    text: string;
+    blocked: boolean;
+    warnings: string[];
+};
+/**
+ * Check if a URL is allowed by network policy.
+ * Returns null if allowed, or an error message if blocked.
+ */
+export declare function checkNetworkPolicy(url: string): string | null;
+//# sourceMappingURL=security.d.ts.map

package/dist/core/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/core/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,aAAa,EAA4B,MAAM,qBAAqB,CAAC;AAC9E,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAwB,MAAM,gBAAgB,CAAC;AACtE,OAAO,EAAE,aAAa,EAA4B,MAAM,qBAAqB,CAAC;AAC9E,OAAO,EAAE,aAAa,EAA4B,MAAM,qBAAqB,CAAC;AAC9E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAU1D;;GAEG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,GAAG,IAAI,CAyBhF;AAED,uCAAuC;AACvC,wBAAgB,gBAAgB,IAAI,aAAa,GAAG,IAAI,CAEvD;AAED,qCAAqC;AACrC,wBAAgB,cAAc,IAAI,WAAW,GAAG,IAAI,CAEnD;AAED,wCAAwC;AACxC,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,IAAI,CAEzD;AAED,uCAAuC;AACvC,wBAAgB,gBAAgB,IAAI,aAAa,GAAG,IAAI,CAEvD;AAED,uCAAuC;AACvC,wBAAgB,gBAAgB,IAAI,aAAa,GAAG,IAAI,CAEvD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOhD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAO/E;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAE,CAQlG;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAO7D"}