@terminals-tech/agent-zero 1.0.1 → 2.0.0

package/dist/security/capabilities.js

@@ -14,6 +14,7 @@
  */
 import { z } from 'zod';
 import { BoundaryViolation, } from './sandbox.js';
+import { read, write, network, execute, spawn, memory, combine, } from './combinators.js';
 // ============================================================================
 // SKILL CAPABILITY SCHEMAS
 // ============================================================================
@@ -240,6 +241,181 @@ export class SkillCapabilityManager {
         // Validate and return
         return SkillCapabilityDeclaration.parse(parsed);
     }
+    // ==========================================================================
+    // DSL PARSER
+    // ==========================================================================
+    /**
+     * Parse a declarative security DSL string into a CapabilityExpression.
+     *
+     * Syntax:
+     *   read(filesystem:./data/**) & network(api.example.com) | write(filesystem:./output/**)
+     *
+     * Operators:
+     *   & = combine (both granted, higher precedence)
+     *   | = union (either granted, lower precedence)
+     *
+     * NOTE: In the current capability model, both & and | resolve to `combine()`
+     * because capabilities are additive scope sets — "grant A and B" and "grant
+     * A or B" both result in the union of scopes. A future `intersect()` combinator
+     * would make & restrict to the overlap, but this is not yet implemented.
+     * The two operators are preserved for DSL readability and forward compatibility.
+     *
+     * Functions:
+     *   read(pattern), write(pattern), network(domain),
+     *   execute(binary), spawn(N), memory(bytes)
+     *
+     * Parentheses are used for function arguments, not grouping of expressions.
+     *
+     * Precedence: & binds tighter than |
+     *   "A | B & C" = "A | (B & C)"
+     */
+    parseDSL(dsl) {
+        const tokens = this.tokenizeDSL(dsl);
+        if (tokens.length === 0) {
+            throw new Error('DSL parse error: empty expression');
+        }
+        const result = this.parseDSLUnion(tokens, { pos: 0 });
+        return result;
+    }
+    /**
+     * Tokenize DSL string into an array of tokens.
+     * Token types: 'func' (e.g. read), 'lparen', 'rparen', 'and', 'or', 'arg' (argument text)
+     */
+    tokenizeDSL(dsl) {
+        const tokens = [];
+        let i = 0;
+        const s = dsl.trim();
+        while (i < s.length) {
+            // Skip whitespace
+            if (/\s/.test(s[i])) {
+                i++;
+                continue;
+            }
+            // Operators
+            if (s[i] === '&') {
+                tokens.push({ type: 'and', value: '&' });
+                i++;
+                continue;
+            }
+            if (s[i] === '|') {
+                tokens.push({ type: 'or', value: '|' });
+                i++;
+                continue;
+            }
+            if (s[i] === '(') {
+                tokens.push({ type: 'lparen', value: '(' });
+                i++;
+                continue;
+            }
+            if (s[i] === ')') {
+                tokens.push({ type: 'rparen', value: ')' });
+                i++;
+                continue;
+            }
+            // Identifiers / arguments: everything that's not an operator or paren
+            let start = i;
+            while (i < s.length && !/[&|()]/.test(s[i]) && !/^\s$/.test(s[i])) {
+                i++;
+            }
+            const word = s.slice(start, i).trim();
+            if (word.length > 0) {
+                // Check if it's a known function name
+                const funcNames = ['read', 'write', 'network', 'execute', 'spawn', 'memory'];
+                if (funcNames.includes(word)) {
+                    tokens.push({ type: 'func', value: word });
+                }
+                else {
+                    tokens.push({ type: 'arg', value: word });
+                }
+            }
+        }
+        return tokens;
+    }
+    /**
+     * Parse union (|) level — lowest precedence.
+     * union = intersection (| intersection)*
+     */
+    parseDSLUnion(tokens, cursor) {
+        let left = this.parseDSLIntersection(tokens, cursor);
+        while (cursor.pos < tokens.length && tokens[cursor.pos].type === 'or') {
+            cursor.pos++; // consume |
+            const right = this.parseDSLIntersection(tokens, cursor);
+            left = combine(left, right);
+        }
+        return left;
+    }
+    /**
+     * Parse intersection (&) level — higher precedence than |.
+     * intersection = primary (& primary)*
+     */
+    parseDSLIntersection(tokens, cursor) {
+        let left = this.parseDSLPrimary(tokens, cursor);
+        while (cursor.pos < tokens.length && tokens[cursor.pos].type === 'and') {
+            cursor.pos++; // consume &
+            const right = this.parseDSLPrimary(tokens, cursor);
+            left = combine(left, right);
+        }
+        return left;
+    }
+    /**
+     * Parse primary: func(arg)
+     */
+    parseDSLPrimary(tokens, cursor) {
+        if (cursor.pos >= tokens.length) {
+            throw new Error('DSL parse error: unexpected end of expression');
+        }
+        const token = tokens[cursor.pos];
+        if (token.type !== 'func') {
+            throw new Error(`DSL parse error: expected function name, got '${token.value}'`);
+        }
+        const funcName = token.value;
+        cursor.pos++; // consume func name
+        // Expect '('
+        if (cursor.pos >= tokens.length || tokens[cursor.pos].type !== 'lparen') {
+            throw new Error(`DSL parse error: expected '(' after '${funcName}'`);
+        }
+        cursor.pos++; // consume (
+        // Collect argument tokens until ')'
+        const argParts = [];
+        while (cursor.pos < tokens.length && tokens[cursor.pos].type !== 'rparen') {
+            argParts.push(tokens[cursor.pos].value);
+            cursor.pos++;
+        }
+        if (cursor.pos >= tokens.length || tokens[cursor.pos].type !== 'rparen') {
+            throw new Error(`DSL parse error: expected ')' to close '${funcName}('`);
+        }
+        cursor.pos++; // consume )
+        const arg = argParts.join('');
+        // Strip optional type prefix (e.g., "filesystem:" or "api.example.com")
+        const colonIdx = arg.indexOf(':');
+        const cleanArg = colonIdx >= 0 ? arg.slice(colonIdx + 1) : arg;
+        switch (funcName) {
+            case 'read':
+                return read(cleanArg);
+            case 'write':
+                return write(cleanArg);
+            case 'network':
+                return network(arg); // network uses the full domain, no prefix stripping
+            case 'execute':
+                return execute(cleanArg);
+            case 'spawn': {
+                const n = parseInt(arg, 10);
+                if (isNaN(n) || n < 0) {
+                    throw new Error(`DSL parse error: spawn requires a non-negative integer, got '${arg}'`);
+                }
+                return spawn(n);
+            }
+            case 'memory': {
+                const bytes = parseInt(arg, 10);
+                if (isNaN(bytes) || bytes <= 0) {
+                    throw new Error(`DSL parse error: memory requires a positive integer, got '${arg}'`);
+                }
+                return memory(bytes);
+            }
+            default:
+                throw new Error(`DSL parse error: unknown function '${funcName}'`);
+        }
+    }
     /**
      * Infer scopes from declaration
      */

package/dist/security/capabilities.js.map

@@ -1 +1 @@
-{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../src/security/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAGL,iBAAiB,GAElB,MAAM,cAAc,CAAC;AAEtB,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,wCAAwC;IACxC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,uCAAuC;IACvC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,gCAAgC;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAChD,4BAA4B;IAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,EAAE,gBAAgB;IAChF,yBAAyB;IACzB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACpC,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,iBAAiB;IACjB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,WAAW,EAAE,0BAA0B;IACvC,oCAAoC;IACpC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;IAC3B,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,gCAAgC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,6BAA6B;IAC7B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC;CACvC,CAAC,CAAC;AAGH,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,sBAAsB;IACzB,OAAO,CAAoB;IAC3B,QAAQ,GAAuC,IAAI,GAAG,EAAE,CAAC;IAEjE,YAAY,OAA0B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,IAAY,EAAE,WAAuC;QACjE,0CAA0C;QAC1C,MAAM,MAAM,GAAsB,EAAE,CAAC;QACrC,MAAM,SAAS,GAAsB,EAAE,CAAC;QAExC,oBAAoB;QACpB,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC7C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;gBAC1C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACpE,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,WAAW,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,gBAAgB;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gBAAgB,WAAW,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEjF,qBAAqB;QACrB,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,2CAA2C;QAC3C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEzD,+BAA+B;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;YACnD,MAAM;YACN,SAAS;YACT,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAA0B;YACrC,SAAS,EAAE,IAAI;YACf,WAAW;YACX,eAAe,EAAE,UAAU,CAAC,KAAK;YACjC,GAAG,EAAE,IAAI;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,UAAU,EAAE,EAAE;SACf,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,gBAAgB,CACd,IAAY,EACZ,KAAsB,EACtB,QAAgB;QAEhB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,SAAS,GAAsB;gBACnC,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,UAAU,IAAI,kBAAkB;gBACzC,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QACvC,CAAC;QAED,yCAAyC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAE5E,mBAAmB;QACnB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,IAAY,EAAE,cAA+B;QAClE,MAAM,SAAS,GAAsB;YACnC,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,UAAU,IAAI,oCAAoC,cAAc,GAAG;YAC5E,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO;YAAE,OAAO;QAErB,+BAA+B;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE7C,iCAAiC;QACjC,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,gBAAgB;QAMd,MAAM,MAAM,GAKP,EAAE,CAAC;QAER,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9C,MAAM,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;YAEjD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,+BAA+B,CAAC,WAAmB;QACjD,gCAAgC;QAChC,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE1E,8BAA8B;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,MAAM,GAA4B,EAAE,CAAC;QAE3C,IAAI,UAAU,GAAkB,IAAI,CAAC;QACrC,IAAI,YAAY,GAAa,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAElD,aAAa;YACb,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,IAAI,UAAU,EAAE,CAAC;oBACf,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,SAAS;YACX,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;gBAClC,YAAY,GAAG,EAAE,CAAC;YACpB,CAAC;YAED,iBAAiB;YACjB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YACrE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;gBAC7B,UAAU,GAAG,GAAG,CAAC;gBAEjB,UAAU;gBACV,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;oBAC1C,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,KAAK,MAAM,CAAC;oBAC/B,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,SAAS;gBACT,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxB,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBAClC,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,2CAA2C;gBAC3C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBACpB,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;QACpC,CAAC;QAED,sBAAsB;QACtB,OAAO,0BAA0B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACK,0BAA0B,CAAC,WAAuC;QACxE,MAAM,MAAM,GAAsB,EAAE,CAAC;QAErC,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,iBAAiB;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,MAAM,UAAU,4BAA4B,CAAC,OAA0B;IACrE,OAAO,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}
+{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../src/security/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAGL,iBAAiB,GAElB,MAAM,cAAc,CAAC;AACtB,OAAO,EAEL,IAAI,EACJ,KAAK,EACL,OAAO,EACP,OAAO,EACP,KAAK,EACL,MAAM,EACN,OAAO,GACR,MAAM,kBAAkB,CAAC;AAE1B,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,wCAAwC;IACxC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,uCAAuC;IACvC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,gCAAgC;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAChD,4BAA4B;IAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,EAAE,gBAAgB;IAChF,yBAAyB;IACzB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACpC,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,iBAAiB;IACjB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,WAAW,EAAE,0BAA0B;IACvC,oCAAoC;IACpC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;IAC3B,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,gCAAgC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,6BAA6B;IAC7B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC;CACvC,CAAC,CAAC;AAGH,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,sBAAsB;IACzB,OAAO,CAAoB;IAC3B,QAAQ,GAAuC,IAAI,GAAG,EAAE,CAAC;IAEjE,YAAY,OAA0B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,IAAY,EAAE,WAAuC;QACjE,0CAA0C;QAC1C,MAAM,MAAM,GAAsB,EAAE,CAAC;QACrC,MAAM,SAAS,GAAsB,EAAE,CAAC;QAExC,oBAAoB;QACpB,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC7C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;gBAC1C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACpE,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,WAAW,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,gBAAgB;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gBAAgB,WAAW,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEjF,qBAAqB;QACrB,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,2CAA2C;QAC3C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEzD,+BAA+B;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;YACnD,MAAM;YACN,SAAS;YACT,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAA0B;YACrC,SAAS,EAAE,IAAI;YACf,WAAW;YACX,eAAe,EAAE,UAAU,CAAC,KAAK;YACjC,GAAG,EAAE,IAAI;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,UAAU,EAAE,EAAE;SACf,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,gBAAgB,CACd,IAAY,EACZ,KAAsB,EACtB,QAAgB;QAEhB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,SAAS,GAAsB;gBACnC,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,UAAU,IAAI,kBAAkB;gBACzC,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QACvC,CAAC;QAED,yCAAyC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAE5E,mBAAmB;QACnB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,IAAY,EAAE,cAA+B;QAClE,MAAM,SAAS,GAAsB;YACnC,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,UAAU,IAAI,oCAAoC,cAAc,GAAG;YAC5E,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO;YAAE,OAAO;QAErB,+BAA+B;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE7C,iCAAiC;QACjC,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,gBAAgB;QAMd,MAAM,MAAM,GAKP,EAAE,CAAC;QAER,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9C,MAAM,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;YAEjD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,+BAA+B,CAAC,WAAmB;QACjD,gCAAgC;QAChC,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE1E,8BAA8B;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,MAAM,GAA4B,EAAE,CAAC;QAE3C,IAAI,UAAU,GAAkB,IAAI,CAAC;QACrC,IAAI,YAAY,GAAa,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAElD,aAAa;YACb,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,IAAI,UAAU,EAAE,CAAC;oBACf,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,SAAS;YACX,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;gBAClC,YAAY,GAAG,EAAE,CAAC;YACpB,CAAC;YAED,iBAAiB;YACjB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YACrE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;gBAC7B,UAAU,GAAG,GAAG,CAAC;gBAEjB,UAAU;gBACV,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;oBAC1C,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,KAAK,MAAM,CAAC;oBAC/B,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,SAAS;gBACT,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxB,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBAClC,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,2CAA2C;gBAC3C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBACpB,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;QACpC,CAAC;QAED,sBAAsB;QACtB,OAAO,0BAA0B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED,6EAA6E;IAC7E,aAAa;IACb,6EAA6E;IAE7E;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,QAAQ,CAAC,GAAW;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACtD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACK,WAAW,CAAC,GAAW;QAC7B,MAAM,MAAM,GAA2C,EAAE,CAAC;QAC1D,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAErB,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;YACpB,kBAAkB;YAClB,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,YAAY;YACZ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACzC,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACxC,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC5C,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC5C,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,sEAAsE;YACtE,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClE,CAAC,EAAE,CAAC;YACN,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACtC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,sCAAsC;gBACtC,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBAC7E,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACK,aAAa,CACnB,MAA8C,EAC9C,MAAuB;QAEvB,IAAI,IAAI,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAErD,OAAO,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;YAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACK,oBAAoB,CAC1B,MAA8C,EAC9C,MAAuB;QAEvB,IAAI,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEhD,OAAO,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACvE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;YAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACnD,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,eAAe,CACrB,MAA8C,EAC9C,MAAuB;QAEvB,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,iDAAiD,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC;QAC7B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,oBAAoB;QAElC,aAAa;QACb,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,GAAG,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;QAE1B,oCAAoC;QACpC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC1E,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,2CAA2C,QAAQ,IAAI,CAAC,CAAC;QAC3E,CAAC;QACD,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;QAE1B,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAE9B,wEAAwE;QACxE,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAE/D,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,MAAM;gBACT,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC;YACxB,KAAK,OAAO;gBACV,OAAO,KAAK,CAAC,QAAQ,CAAC,CAAC;YACzB,KAAK,SAAS;gBACZ,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,oDAAoD;YAC3E,KAAK,SAAS;gBACZ,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC3B,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC5B,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,GAAG,GAAG,CAAC,CAAC;gBAC1F,CAAC;gBACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAChC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,6DAA6D,GAAG,GAAG,CAAC,CAAC;gBACvF,CAAC;gBACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YACD;gBACE,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,GAAG,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,0BAA0B,CAAC,WAAuC;QACxE,MAAM,MAAM,GAAsB,EAAE,CAAC;QAErC,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,iBAAiB;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,MAAM,UAAU,4BAA4B,CAAC,OAA0B;IACrE,OAAO,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}

package/dist/security/combinators.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Capability Combinators
+ *
+ * Nix-inspired combinator system for composing capability profiles.
+ * Combinators are pure functions that produce CapabilityExpression objects,
+ * which can be materialized into sandbox capabilities via attenuate().
+ *
+ * Composition model:
+ * - combine(): union of scopes and resources (grant both)
+ * - restrict(): adds deny patterns to block specific access
+ * - withTTL(): sets expiration on the expression
+ * - materialize(): converts expression into a live sandbox capability
+ */
+import { IsomorphicSandbox, type CapabilityScope, type ResourcePattern, type Capability } from './sandbox.js';
+export interface CapabilityExpression {
+    /** Scopes granted by this expression */
+    scopes: CapabilityScope[];
+    /** Resource patterns (allow/deny) */
+    resources: ResourcePattern[];
+    /** Time-to-live in milliseconds (undefined = never expires) */
+    ttl?: number;
+}
+/**
+ * Grant read access to the given glob patterns.
+ */
+export declare function read(...patterns: string[]): CapabilityExpression;
+/**
+ * Grant write access to the given glob patterns.
+ */
+export declare function write(...patterns: string[]): CapabilityExpression;
+/**
+ * Grant network access to the given domain patterns.
+ */
+export declare function network(...domains: string[]): CapabilityExpression;
+/**
+ * Grant execute access to the given binary patterns.
+ */
+export declare function execute(...binaries: string[]): CapabilityExpression;
+/**
+ * Grant memory access with a byte limit.
+ * The limit is encoded as a resource pattern: `memory:bytes:<limit>`.
+ */
+export declare function memory(limitBytes: number): CapabilityExpression;
+/**
+ * Grant spawn access with a max children limit.
+ * The limit is encoded as a resource pattern: `spawn:*:<max>`.
+ */
+export declare function spawn(maxChildren: number): CapabilityExpression;
+/**
+ * Combine multiple expressions by merging their scopes (deduped) and resources.
+ * If any expression has a TTL, the minimum TTL is used.
+ */
+export declare function combine(...exprs: CapabilityExpression[]): CapabilityExpression;
+/**
+ * Restrict an expression by adding deny patterns from the deny expression.
+ * The deny expression's resource patterns are converted to deny type.
+ * Scopes from the deny expression are NOT removed from the base expression --
+ * denial is at the resource level, not the scope level.
+ */
+export declare function restrict(expr: CapabilityExpression, deny: CapabilityExpression): CapabilityExpression;
+/**
+ * Set a TTL on an expression. If the expression already has a TTL,
+ * the minimum of the two is used.
+ */
+export declare function withTTL(expr: CapabilityExpression, ttlMs: number): CapabilityExpression;
+/**
+ * Materialize a CapabilityExpression into a live sandbox Capability.
+ *
+ * Attenuates from the given parent token, mapping the expression's scopes
+ * and resources into the sandbox's capability model.
+ *
+ * Returns null if the parent token is invalid or the attenuation fails
+ * (e.g., requested scopes not available in parent).
+ */
+export declare function materialize(sandbox: IsomorphicSandbox, parentToken: string, expr: CapabilityExpression, reason: string): Capability | null;
+/**
+ * Pre-built capability profiles for common agent roles.
+ */
+export declare const PROFILES: {
+    /** Read-only access to all resources */
+    readonly readOnly: CapabilityExpression;
+    /** Network-only access to all domains */
+    readonly networkOnly: CapabilityExpression;
+    /** Researcher: read all, network all, 256MB memory */
+    readonly researcher: CapabilityExpression;
+    /** Worker: read all, write to output, execute, spawn up to 3 children */
+    readonly worker: CapabilityExpression;
+};
+//# sourceMappingURL=combinators.d.ts.map

package/dist/security/combinators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"combinators.d.ts","sourceRoot":"","sources":["../../src/security/combinators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,cAAc,CAAC;AAMtB,MAAM,WAAW,oBAAoB;IACnC,wCAAwC;IACxC,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,qCAAqC;IACrC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,+DAA+D;IAC/D,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAMD;;GAEG;AACH,wBAAgB,IAAI,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKhE;AAED;;GAEG;AACH,wBAAgB,KAAK,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKjE;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKlE;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKnE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,oBAAoB,CAK/D;AAED;;;GAGG;AACH,wBAAgB,KAAK,CAAC,WAAW,EAAE,MAAM,GAAG,oBAAoB,CAK/D;AAMD;;;GAGG;AACH,wBAAgB,OAAO,CAAC,GAAG,KAAK,EAAE,oBAAoB,EAAE,GAAG,oBAAoB,CAyB9E;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CACtB,IAAI,EAAE,oBAAoB,EAC1B,IAAI,EAAE,oBAAoB,GACzB,oBAAoB,CAWtB;AAED;;;GAGG;AACH,wBAAgB,OAAO,CACrB,IAAI,EAAE,oBAAoB,EAC1B,KAAK,EAAE,MAAM,GACZ,oBAAoB,CAOtB;AAMD;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,iBAAiB,EAC1B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,MAAM,GACb,UAAU,GAAG,IAAI,CASnB;AAMD;;GAEG;AACH,eAAO,MAAM,QAAQ;IACnB,wCAAwC;;IAExC,yCAAyC;;IAEzC,sDAAsD;;IAEtD,yEAAyE;;CAEjE,CAAC"}

package/dist/security/combinators.js

@@ -0,0 +1,168 @@
+/**
+ * Capability Combinators
+ *
+ * Nix-inspired combinator system for composing capability profiles.
+ * Combinators are pure functions that produce CapabilityExpression objects,
+ * which can be materialized into sandbox capabilities via attenuate().
+ *
+ * Composition model:
+ * - combine(): union of scopes and resources (grant both)
+ * - restrict(): adds deny patterns to block specific access
+ * - withTTL(): sets expiration on the expression
+ * - materialize(): converts expression into a live sandbox capability
+ */
+// ============================================================================
+// PRIMITIVE COMBINATORS
+// ============================================================================
+/**
+ * Grant read access to the given glob patterns.
+ */
+export function read(...patterns) {
+    return {
+        scopes: ['read'],
+        resources: patterns.map(p => ({ pattern: p, type: 'allow' })),
+    };
+}
+/**
+ * Grant write access to the given glob patterns.
+ */
+export function write(...patterns) {
+    return {
+        scopes: ['write'],
+        resources: patterns.map(p => ({ pattern: p, type: 'allow' })),
+    };
+}
+/**
+ * Grant network access to the given domain patterns.
+ */
+export function network(...domains) {
+    return {
+        scopes: ['network'],
+        resources: domains.map(d => ({ pattern: d, type: 'allow' })),
+    };
+}
+/**
+ * Grant execute access to the given binary patterns.
+ */
+export function execute(...binaries) {
+    return {
+        scopes: ['execute'],
+        resources: binaries.map(b => ({ pattern: b, type: 'allow' })),
+    };
+}
+/**
+ * Grant memory access with a byte limit.
+ * The limit is encoded as a resource pattern: `memory:bytes:<limit>`.
+ */
+export function memory(limitBytes) {
+    return {
+        scopes: ['memory'],
+        resources: [{ pattern: `memory:bytes:${limitBytes}`, type: 'allow' }],
+    };
+}
+/**
+ * Grant spawn access with a max children limit.
+ * The limit is encoded as a resource pattern: `spawn:*:<max>`.
+ */
+export function spawn(maxChildren) {
+    return {
+        scopes: ['spawn'],
+        resources: [{ pattern: `spawn:*:${maxChildren}`, type: 'allow' }],
+    };
+}
+// ============================================================================
+// COMPOSITION OPERATORS
+// ============================================================================
+/**
+ * Combine multiple expressions by merging their scopes (deduped) and resources.
+ * If any expression has a TTL, the minimum TTL is used.
+ */
+export function combine(...exprs) {
+    const scopeSet = new Set();
+    const resources = [];
+    let minTTL;
+    for (const expr of exprs) {
+        for (const scope of expr.scopes) {
+            scopeSet.add(scope);
+        }
+        resources.push(...expr.resources);
+        if (expr.ttl !== undefined) {
+            minTTL = minTTL === undefined ? expr.ttl : Math.min(minTTL, expr.ttl);
+        }
+    }
+    const result = {
+        scopes: Array.from(scopeSet),
+        resources,
+    };
+    if (minTTL !== undefined) {
+        result.ttl = minTTL;
+    }
+    return result;
+}
+/**
+ * Restrict an expression by adding deny patterns from the deny expression.
+ * The deny expression's resource patterns are converted to deny type.
+ * Scopes from the deny expression are NOT removed from the base expression --
+ * denial is at the resource level, not the scope level.
+ */
+export function restrict(expr, deny) {
+    const denyPatterns = deny.resources.map(r => ({
+        pattern: r.pattern,
+        type: 'deny',
+    }));
+    return {
+        scopes: [...expr.scopes],
+        resources: [...expr.resources, ...denyPatterns],
+        ...(expr.ttl !== undefined ? { ttl: expr.ttl } : {}),
+    };
+}
+/**
+ * Set a TTL on an expression. If the expression already has a TTL,
+ * the minimum of the two is used.
+ */
+export function withTTL(expr, ttlMs) {
+    const effectiveTTL = expr.ttl !== undefined ? Math.min(expr.ttl, ttlMs) : ttlMs;
+    return {
+        scopes: [...expr.scopes],
+        resources: [...expr.resources],
+        ttl: effectiveTTL,
+    };
+}
+// ============================================================================
+// MATERIALIZATION
+// ============================================================================
+/**
+ * Materialize a CapabilityExpression into a live sandbox Capability.
+ *
+ * Attenuates from the given parent token, mapping the expression's scopes
+ * and resources into the sandbox's capability model.
+ *
+ * Returns null if the parent token is invalid or the attenuation fails
+ * (e.g., requested scopes not available in parent).
+ */
+export function materialize(sandbox, parentToken, expr, reason) {
+    const expiresAt = expr.ttl !== undefined ? Date.now() + expr.ttl : undefined;
+    return sandbox.attenuate(parentToken, {
+        scopes: expr.scopes,
+        resources: expr.resources,
+        expiresAt,
+        reason,
+    });
+}
+// ============================================================================
+// PRESET PROFILES
+// ============================================================================
+/**
+ * Pre-built capability profiles for common agent roles.
+ */
+export const PROFILES = {
+    /** Read-only access to all resources */
+    readOnly: combine(read('**')),
+    /** Network-only access to all domains */
+    networkOnly: combine(network('*')),
+    /** Researcher: read all, network all, 256MB memory */
+    researcher: combine(read('**'), network('*'), memory(256 * 1024 * 1024)),
+    /** Worker: read all, write to output, execute, spawn up to 3 children */
+    worker: combine(read('**'), write('./output/**'), execute('*'), spawn(3)),
+};
+//# sourceMappingURL=combinators.js.map

package/dist/security/combinators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"combinators.js","sourceRoot":"","sources":["../../src/security/combinators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAsBH,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,IAAI,CAAC,GAAG,QAAkB;IACxC,OAAO;QACL,MAAM,EAAE,CAAC,MAAM,CAAC;QAChB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,KAAK,CAAC,GAAG,QAAkB;IACzC,OAAO;QACL,MAAM,EAAE,CAAC,OAAO,CAAC;QACjB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,GAAG,OAAiB;IAC1C,OAAO;QACL,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACtE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,GAAG,QAAkB;IAC3C,OAAO;QACL,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CAAC,UAAkB;IACvC,OAAO;QACL,MAAM,EAAE,CAAC,QAAQ,CAAC;QAClB,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,gBAAgB,UAAU,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KACtE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,KAAK,CAAC,WAAmB;IACvC,OAAO;QACL,MAAM,EAAE,CAAC,OAAO,CAAC;QACjB,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,WAAW,WAAW,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,GAAG,KAA6B;IACtD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC5C,MAAM,SAAS,GAAsB,EAAE,CAAC;IACxC,IAAI,MAA0B,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,GAAG,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAyB;QACnC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC5B,SAAS;KACV,CAAC;IAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CACtB,IAA0B,EAC1B,IAA0B;IAE1B,MAAM,YAAY,GAAsB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/D,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,IAAI,EAAE,MAAe;KACtB,CAAC,CAAC,CAAC;IAEJ,OAAO;QACL,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;QACxB,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,YAAY,CAAC;QAC/C,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACrD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CACrB,IAA0B,EAC1B,KAAa;IAEb,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAChF,OAAO;QACL,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;QACxB,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,GAAG,EAAE,YAAY;KAClB,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,MAAM,UAAU,WAAW,CACzB,OAA0B,EAC1B,WAAmB,EACnB,IAA0B,EAC1B,MAAc;IAEd,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAE7E,OAAO,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE;QACpC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS;QACT,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,wCAAwC;IACxC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,yCAAyC;IACzC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClC,sDAAsD;IACtD,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;IACxE,yEAAyE;IACzE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;CACjE,CAAC"}

package/dist/security/index.d.ts

@@ -1,11 +1,17 @@
 /**
  * @terminals-tech/agent-zero/security
  *
- * AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification.
+ * AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification,
+ * capability combinators, agent isolation boundaries.
  */
 export { Vault, createVault } from './vault.js';
 export { IsomorphicSandbox, CapabilityScope, detectInjection, generateCapabilityToken } from './sandbox.js';
+export type { AuditEntry } from './sandbox.js';
 export { SkillCapabilityManager, createSkillCapabilityManager } from './capabilities.js';
 export { InjectionFirewall, ParanoiaLevel, createFirewall } from './injectionFirewall.js';
 export { generateSigningKeyPair, signManifest, verifyManifest, verifySkillIntegrity, createManifest, hashFile, loadSignedManifest, } from './skillVerify.js';
+export { read, write, network, execute, memory, spawn, combine, restrict, withTTL, materialize, PROFILES, } from './combinators.js';
+export type { CapabilityExpression } from './combinators.js';
+export { AgentIsolationManager } from './isolation.js';
+export type { IsolationBoundary } from './isolation.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC5G,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC5G,YAAY,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,IAAI,EACJ,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,KAAK,EACL,OAAO,EACP,QAAQ,EACR,OAAO,EACP,WAAW,EACX,QAAQ,GACT,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/security/index.js

@@ -1,11 +1,14 @@
 /**
  * @terminals-tech/agent-zero/security
  *
- * AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification.
+ * AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification,
+ * capability combinators, agent isolation boundaries.
  */
 export { Vault, createVault } from './vault.js';
 export { IsomorphicSandbox, CapabilityScope, detectInjection, generateCapabilityToken } from './sandbox.js';
 export { SkillCapabilityManager, createSkillCapabilityManager } from './capabilities.js';
 export { InjectionFirewall, ParanoiaLevel, createFirewall } from './injectionFirewall.js';
 export { generateSigningKeyPair, signManifest, verifyManifest, verifySkillIntegrity, createManifest, hashFile, loadSignedManifest, } from './skillVerify.js';
+export { read, write, network, execute, memory, spawn, combine, restrict, withTTL, materialize, PROFILES, } from './combinators.js';
+export { AgentIsolationManager } from './isolation.js';
 //# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC5G,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE5G,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,IAAI,EACJ,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,KAAK,EACL,OAAO,EACP,QAAQ,EACR,OAAO,EACP,WAAW,EACX,QAAQ,GACT,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/security/isolation.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Agent Isolation Boundaries
+ *
+ * Enforces security boundaries between parent and child agents.
+ * Controls what capabilities a child agent inherits from its parent,
+ * limits spawn depth to prevent unbounded agent trees, and optionally
+ * isolates semantic memory between agents.
+ *
+ * Security Model:
+ * - Each parent-child relationship has an explicit IsolationBoundary
+ * - sharedScopes defines the maximum capabilities a child can access
+ * - maxSpawnDepth prevents exponential agent proliferation
+ * - memoryIsolated prevents children from reading parent memories
+ */
+import type { CapabilityScope } from './sandbox.js';
+export interface IsolationBoundary {
+    /** Parent agent ID */
+    parentId: string;
+    /** Child agent ID */
+    childId: string;
+    /** Scopes the child can access from parent */
+    sharedScopes: CapabilityScope[];
+    /** Maximum spawn depth for this child and its descendants */
+    maxSpawnDepth: number;
+    /** Whether the child is memory-isolated from the parent */
+    memoryIsolated: boolean;
+}
+export declare class AgentIsolationManager {
+    /** Boundaries keyed by childId for O(1) lookup */
+    private boundaries;
+    /**
+     * Create an isolation boundary between a parent and child agent.
+     *
+     * Config fields override defaults:
+     * - sharedScopes defaults to ['read', 'write', 'execute', 'memory', 'broadcast']
+     * - maxSpawnDepth defaults to 3
+     * - memoryIsolated defaults to true
+     */
+    createBoundary(parentId: string, childId: string, config?: Partial<IsolationBoundary>): IsolationBoundary;
+    /**
+     * Check if a child agent has access to a given scope and resource.
+     *
+     * Returns false if:
+     * - No boundary exists for the child
+     * - The requested scope is not in the child's sharedScopes
+     * - The scope is 'memory' and the child is memory-isolated
+     */
+    checkAccess(childId: string, scope: CapabilityScope, resource: string): boolean;
+    /**
+     * Get the spawn depth of an agent by walking the parent chain.
+     * Root agents (no boundary) have depth 0.
+     */
+    getSpawnDepth(agentId: string): number;
+    /**
+     * Check if an agent can spawn children.
+     *
+     * An agent can spawn if its current depth is less than its maxSpawnDepth.
+     * If maxDepth is provided, it overrides the boundary's maxSpawnDepth.
+     * Root agents (no boundary) can always spawn.
+     */
+    canSpawn(agentId: string, maxDepth?: number): boolean;
+    /**
+     * Remove the boundary for a child agent.
+     */
+    removeBoundary(childId: string): void;
+    /**
+     * Get the boundary for a child agent, if it exists.
+     */
+    getBoundary(childId: string): IsolationBoundary | undefined;
+    /**
+     * Get the maximum spawn depth for an agent from its boundary.
+     * Returns DEFAULT_MAX_SPAWN_DEPTH if no boundary exists.
+     */
+    getMaxSpawnDepth(agentId: string): number;
+}
+//# sourceMappingURL=isolation.d.ts.map

package/dist/security/isolation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isolation.d.ts","sourceRoot":"","sources":["../../src/security/isolation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAMpD,MAAM,WAAW,iBAAiB;IAChC,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,YAAY,EAAE,eAAe,EAAE,CAAC;IAChC,6DAA6D;IAC7D,aAAa,EAAE,MAAM,CAAC;IACtB,2DAA2D;IAC3D,cAAc,EAAE,OAAO,CAAC;CACzB;AAcD,qBAAa,qBAAqB;IAChC,kDAAkD;IAClD,OAAO,CAAC,UAAU,CAA6C;IAE/D;;;;;;;OAOG;IACH,cAAc,CACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,MAAM,GAAE,OAAO,CAAC,iBAAiB,CAAM,GACtC,iBAAiB;IAapB;;;;;;;OAOG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IAa/E;;;OAGG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IActC;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO;IAYrD;;OAEG;IACH,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIrC;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;IAI3D;;;OAGG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;CAI1C"}