@tuent/sentinel 0.1.0

package/dist/chunk-6MHWJATS.js

@@ -0,0 +1,1221 @@
+// src/repoSensitivityMap.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+import * as os from "os";
+var DEFAULT_MAP_PATH = path.join(os.homedir(), ".dahlia", "repo-sensitivity.json");
+async function saveMap(map, customPath) {
+  const target = customPath ?? DEFAULT_MAP_PATH;
+  const parent = path.dirname(target);
+  const tempPath = target + ".tmp";
+  try {
+    await fs.mkdir(parent, { recursive: true });
+    await fs.writeFile(tempPath, JSON.stringify(map, null, 2), "utf-8");
+    await fs.rename(tempPath, target);
+  } catch (err) {
+    try {
+      await fs.unlink(tempPath);
+    } catch {
+    }
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(`RepoSensitivityMap.saveMap: failed to save to ${target}: ${message}`, {
+      cause: err
+    });
+  }
+}
+async function loadMap(customPath) {
+  const target = customPath ?? DEFAULT_MAP_PATH;
+  let raw;
+  try {
+    raw = await fs.readFile(target, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return null;
+    }
+    throw err;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is malformed: ${message}`, {
+      cause: err
+    });
+  }
+  const scannedAt = typeof parsed.scannedAt === "string" ? parsed.scannedAt : "unknown";
+  const repoRoot = typeof parsed.repoRoot === "string" ? parsed.repoRoot : "";
+  const entries = Array.isArray(parsed.entries) ? parsed.entries : [];
+  const summary = parsed.summary && typeof parsed.summary === "object" && !Array.isArray(parsed.summary) ? parsed.summary : computeSummaryFromEntries(entries);
+  return { scannedAt, repoRoot, entries, summary };
+}
+function lookupEntry(map, target, repoRoot) {
+  if (!target || typeof target !== "string" || target.trim() === "") {
+    return null;
+  }
+  const lookupRoot = repoRoot ?? map.repoRoot;
+  let canonical;
+  if (path.isAbsolute(target)) {
+    if (!lookupRoot) return null;
+    const rel = path.relative(lookupRoot, target);
+    if (rel.startsWith("..")) return null;
+    canonical = rel;
+  } else {
+    canonical = target;
+  }
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  for (const entry of map.entries) {
+    if (entry.path === canonical) return entry;
+  }
+  return null;
+}
+function computeSummaryFromEntries(entries) {
+  const byCategory = {};
+  const byConfidence = {
+    low: 0,
+    medium: 0,
+    high: 0
+  };
+  for (const entry of entries) {
+    byCategory[entry.category] = (byCategory[entry.category] ?? 0) + 1;
+    if (entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high") {
+      byConfidence[entry.confidence]++;
+    }
+  }
+  return {
+    totalFiles: entries.length,
+    sensitiveFiles: entries.length,
+    byCategory,
+    byConfidence
+  };
+}
+
+// src/repoSensitivityOverlay.ts
+import * as fs2 from "fs/promises";
+import * as path2 from "path";
+import * as os2 from "os";
+var DEFAULT_OVERLAY_PATH = path2.join(
+  os2.homedir(),
+  ".dahlia",
+  "repo-sensitivity.review.json"
+);
+async function saveOverlay(overlay, customPath) {
+  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+  const parent = path2.dirname(target);
+  const tempPath = target + ".tmp";
+  try {
+    await fs2.mkdir(parent, { recursive: true });
+    await fs2.writeFile(tempPath, JSON.stringify(overlay, null, 2), "utf-8");
+    await fs2.rename(tempPath, target);
+  } catch (err) {
+    try {
+      await fs2.unlink(tempPath);
+    } catch {
+    }
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(`SensitivityOverlay.saveOverlay: failed to save to ${target}: ${message}`, {
+      cause: err
+    });
+  }
+}
+async function loadOverlay(customPath) {
+  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+  let raw;
+  try {
+    raw = await fs2.readFile(target, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return null;
+    }
+    throw err;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is malformed: ${message}`, {
+      cause: err
+    });
+  }
+  const version = typeof parsed.version === "string" ? parsed.version : "1.0";
+  const repoRoot = typeof parsed.repoRoot === "string" ? parsed.repoRoot : "";
+  const decisions = Array.isArray(parsed.decisions) ? parsed.decisions : [];
+  const updatedAt = typeof parsed.updatedAt === "string" ? parsed.updatedAt : "unknown";
+  return { version, repoRoot, decisions, updatedAt };
+}
+function lookupOverlayDecision(overlay, target, repoRoot) {
+  if (!target || typeof target !== "string" || target.trim() === "") {
+    return null;
+  }
+  const lookupRoot = repoRoot ?? overlay.repoRoot;
+  let canonical;
+  if (path2.isAbsolute(target)) {
+    if (!lookupRoot) return null;
+    const rel = path2.relative(lookupRoot, target);
+    if (rel.startsWith("..")) return null;
+    canonical = rel;
+  } else {
+    canonical = target;
+  }
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  for (const decision of overlay.decisions) {
+    if (decision.path === canonical) return decision;
+  }
+  return null;
+}
+function applyOverlay(overlay, decisionPath, decisionType, options) {
+  let canonical = decisionPath;
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  const newDecision = {
+    path: canonical,
+    decision: decisionType,
+    decidedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  if (options?.reason !== void 0) newDecision.reason = options.reason;
+  if (options?.sensitivity !== void 0) newDecision.sensitivity = options.sensitivity;
+  if (options?.category !== void 0) newDecision.category = options.category;
+  const existing = overlay.decisions.findIndex((d) => d.path === canonical);
+  const decisions = existing >= 0 ? [
+    ...overlay.decisions.slice(0, existing),
+    newDecision,
+    ...overlay.decisions.slice(existing + 1)
+  ] : [...overlay.decisions, newDecision];
+  return {
+    ...overlay,
+    decisions,
+    updatedAt: newDecision.decidedAt
+  };
+}
+function removeOverlayDecision(overlay, decisionPath) {
+  let canonical = decisionPath;
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  const filtered = overlay.decisions.filter((d) => d.path !== canonical);
+  if (filtered.length === overlay.decisions.length) {
+    return overlay;
+  }
+  return {
+    ...overlay,
+    decisions: filtered,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createEmptyOverlay(repoRoot) {
+  return {
+    version: "1.0",
+    repoRoot,
+    decisions: [],
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+
+// src/defaults.ts
+var DEFAULT_FORBIDDEN_PATTERNS = [
+  "**/.env",
+  "**/.env.*",
+  "**/.ssh/**",
+  "**/.aws/**",
+  "**/secrets/**",
+  "**/credentials/**",
+  "**/id_rsa*",
+  "**/id_dsa*",
+  "**/id_ecdsa*",
+  "**/id_ed25519*",
+  "**/*.pem",
+  "**/*.key",
+  "/etc/**"
+];
+var DEFAULT_MEDIUM_DISPOSITION = {
+  network_request: "deny"
+};
+var DEFAULT_NETWORK_DENYLIST_CIDRS = [
+  "10.0.0.0/8",
+  // RFC1918 private (Class A)
+  "172.16.0.0/12",
+  // RFC1918 private (Class B)
+  "192.168.0.0/16",
+  // RFC1918 private (Class C)
+  "127.0.0.0/8",
+  // loopback v4
+  "169.254.0.0/16",
+  // link-local v4 (cloud metadata endpoints)
+  "fe80::/10",
+  // link-local v6
+  "::1/128"
+  // loopback v6
+];
+var DEFAULT_DANGEROUS_SCHEMES = ["file:", "data:", "javascript:", "vbscript:"];
+
+// src/roleValidator.ts
+import { normalize, basename, dirname as dirname3, join as join3 } from "path";
+import { lstatSync, readdirSync, realpathSync } from "fs";
+import { homedir as homedir3 } from "os";
+var SUSPICIOUS_BASENAME_RE = /^\.|(\.env|secret|credential|key|config|token)/i;
+function resolveSymlinks(normalizedPath) {
+  if (!normalizedPath || normalizedPath.includes("://")) return normalizedPath;
+  if (normalizedPath.includes("node_modules/") || normalizedPath.includes("node_modules\\")) {
+    return normalizedPath;
+  }
+  const base = basename(normalizedPath);
+  const needsRealpath = SUSPICIOUS_BASENAME_RE.test(base);
+  if (!needsRealpath) {
+    try {
+      const stat = lstatSync(normalizedPath);
+      if (!stat.isSymbolicLink()) {
+        try {
+          const resolved = realpathSync(normalizedPath);
+          return resolved === normalizedPath ? normalizedPath : resolved;
+        } catch {
+          return normalizedPath;
+        }
+      }
+    } catch (err) {
+      const code = err.code;
+      if (code === "ENOENT") {
+        return normalizedPath;
+      }
+      return normalizedPath;
+    }
+  }
+  try {
+    return realpathSync(normalizedPath);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT") {
+      return resolveNonexistentPath(normalizedPath);
+    }
+    return normalizedPath;
+  }
+}
+function resolveNonexistentPath(normalizedPath) {
+  let current = normalizedPath;
+  let suffix = "";
+  for (let i = 0; i < 50; i++) {
+    const parent = dirname3(current);
+    if (parent === current) {
+      return normalizedPath;
+    }
+    if (parent === ".") {
+      return normalizedPath;
+    }
+    suffix = suffix ? join3(basename(current), suffix) : basename(current);
+    current = parent;
+    try {
+      const resolved = realpathSync(current);
+      if (resolved !== current) {
+        return join3(resolved, suffix);
+      }
+      return normalizedPath;
+    } catch {
+    }
+  }
+  return normalizedPath;
+}
+function matchGlob(pattern, path3) {
+  let regex = "";
+  let i = 0;
+  while (i < pattern.length) {
+    if (pattern[i] === "*" && pattern[i + 1] === "*") {
+      regex += ".*";
+      i += 2;
+      if (pattern[i] === "/") i++;
+    } else if (pattern[i] === "*") {
+      regex += "[^/]*";
+      i++;
+    } else if (".+?^${}()|[]\\".includes(pattern[i])) {
+      regex += "\\" + pattern[i];
+      i++;
+    } else {
+      regex += pattern[i];
+      i++;
+    }
+  }
+  return new RegExp("^" + regex + "$").test(path3);
+}
+function normalizeForbiddenPattern(pattern) {
+  if (pattern.startsWith("**/") || pattern.startsWith("/")) return pattern;
+  return "**/" + pattern;
+}
+function isPathShaped(value) {
+  if (value.length === 0 || value.length > 4096) return false;
+  if (/\s/.test(value)) return false;
+  if (value.includes("/") || value.includes("\\")) return true;
+  if (value.startsWith(".") || value.startsWith("~")) return true;
+  if (/\.[A-Za-z0-9]{1,8}$/.test(value)) return true;
+  return false;
+}
+var PATH_TARGET_ACTIONS = /* @__PURE__ */ new Set([
+  "file_read",
+  "file_write",
+  "network_request"
+]);
+function anchorAllowedPattern(pattern, workspaceRoot) {
+  if (!workspaceRoot) return pattern;
+  if (pattern.startsWith("**") || pattern.startsWith("/")) return pattern;
+  const root = workspaceRoot.endsWith("/") ? workspaceRoot.slice(0, -1) : workspaceRoot;
+  return `${root}/${pattern}`;
+}
+function matchGlobInsensitive(pattern, path3) {
+  return matchGlob(pattern.toLowerCase(), path3.toLowerCase());
+}
+var DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"];
+function actionVerb(action) {
+  switch (action) {
+    case "api_call":
+      return "called API";
+    case "tool_invocation":
+      return "invoked tool";
+    case "file_read":
+      return "read";
+    case "file_write":
+      return "wrote to";
+    case "command_exec":
+      return "executed command";
+    default:
+      return "accessed";
+  }
+}
+function formatPatterns(patterns, max = 3) {
+  if (patterns.length === 0) return "none defined";
+  if (patterns.length <= max) return patterns.join(", ");
+  return patterns.slice(0, max).join(", ") + ` +${patterns.length - max} more`;
+}
+function getTargetRecommendation(findingType, target, action) {
+  const t = target.toLowerCase();
+  if (findingType === "role_violation") {
+    if (action === "command_exec") {
+      if (t.includes("http") || t.startsWith("curl") || t.startsWith("wget")) {
+        return "Agent attempted unauthorized command execution targeting an external URL. Treat this as a potential data exfiltration attempt. Restrict the agent's action types and review prompt history for injection.";
+      }
+      return "Agent attempted unauthorized command execution. Review the specific command for data exfiltration or system modification intent. Restrict the agent's action types and review prompt history for injection.";
+    }
+    if (action === "database_query") {
+      return `Agent attempted unauthorized database query on '${target}'. Database access is not in this agent's allowed actions. If database access is required, add 'database_query' to allowedActions. If unexpected, investigate for data harvesting or SQL injection attempts.`;
+    }
+    return `Agent performed unauthorized action '${action}'. This action type is not in the agent's role definition. Investigate why it was attempted \u2014 check the agent's prompt chain for injection or misconfiguration. If legitimate, add '${action}' to allowedActions.`;
+  }
+  if (findingType === "unauthorized_target") {
+    if (t.includes(".env")) {
+      return "URGENT: Rotate all API keys, database credentials, and secrets stored in .env files. Audit which services consumed these credentials. Review agent prompt history for injection attempts that directed the agent toward environment files.";
+    }
+    if (t.includes(".ssh/authorized_keys") && action === "file_write") {
+      return "CRITICAL: Inspect ~/.ssh/authorized_keys for unauthorized entries added by the agent. This pattern indicates a backdoor installation attempt. Remove any unrecognized keys. Rotate all SSH credentials. Escalate to your security team immediately.";
+    }
+    if (t.includes(".ssh/")) {
+      return "URGENT: Rotate SSH keys immediately. Audit all systems that accepted this key for unauthorized access. Check ~/.ssh/known_hosts for unfamiliar entries. Review agent prompt history for injection.";
+    }
+    if (t.includes(".aws/")) {
+      return "URGENT: Rotate all AWS access keys and secret keys. Check CloudTrail logs for unauthorized API calls made with these credentials. Review IAM policies for unauthorized changes.";
+    }
+    if (t.includes("/etc/passwd") || t.includes("/etc/shadow")) {
+      return "Agent attempted to read system authentication files. This indicates reconnaissance for privilege escalation. Review whether this agent should have any access to system paths. Restrict the agent's filesystem scope.";
+    }
+    if (t.includes("/etc/")) {
+      return "Agent accessed system configuration files. Review whether this access was intentional and restrict the agent's filesystem scope to prevent system-level reconnaissance.";
+    }
+    if (t.includes("secrets/") || t.includes("credentials/")) {
+      return "URGENT: Audit all files in the accessed secrets directory. Rotate any credentials that may have been exposed. Review access logs for the secrets store.";
+    }
+    if (t.includes("debug") && t.includes(".log")) {
+      return action === "file_write" ? `Agent is writing to debug log '${target}'. Debug logs can contain sensitive runtime data including credentials, tokens, and internal state. If debug logging is expected, remove the matching forbidden pattern. If unexpected, inspect the log contents for exfiltrated data and investigate what triggered verbose logging.` : `Agent accessed debug log '${target}'. Debug logs may contain sensitive runtime information including API keys, tokens, and stack traces. Review the log contents for leaked credentials and restrict the agent's access to log files.`;
+    }
+    if (t.endsWith(".log") || t.includes("/log/") || t.includes("/logs/")) {
+      return `Agent ${actionVerb(action)} log file '${target}' which is explicitly forbidden. Log files can contain credentials, session tokens, and PII. If this agent needs log access, update forbiddenTargetPatterns. Otherwise, investigate what prompted the log access.`;
+    }
+    return "Immediately review agent activity. This target is explicitly forbidden. Check for prompt injection or misconfiguration.";
+  }
+  if (findingType === "scope_violation") {
+    if (action === "tool_invocation") {
+      if (t === "agent_stop" || t === "agent_shutdown" || t.includes("stop") || t.includes("shutdown") || t.includes("kill")) {
+        return `Agent invoked lifecycle tool '${target}'. This may indicate the agent is attempting to control its own execution or evade monitoring. If self-management is expected, add '${target}' to allowedTargetPatterns. If unexpected, review the agent's prompt history for self-termination or detection evasion instructions.`;
+      }
+      return `Agent invoked tool '${target}' outside its defined scope. If this tool is expected behavior, add '${target}' to allowedTargetPatterns. If unexpected, investigate what triggered the tool call and review the agent's prompt chain for injection.`;
+    }
+    if (action === "api_call") {
+      if (t.includes("anthropic") || t.includes("openai") || t.includes("claude") || t.includes("gpt") || t.includes("gemini")) {
+        return `Agent made an API call to AI service '${target}' outside its allowed scope. This could indicate legitimate AI integration not yet configured, or the agent attempting to invoke another model to bypass its restrictions. If expected, add '${target}' to allowedTargetPatterns. If unexpected, review what prompted this external AI call.`;
+      }
+      return `Agent made an API call to '${target}' outside its allowed scope. If this API is expected, add the target pattern to allowedTargetPatterns. If unexpected, investigate whether the agent was directed to make unauthorized external requests \u2014 this could indicate data exfiltration or prompt injection.`;
+    }
+    if (action === "file_write") {
+      return `Agent wrote to '${target}' which is outside its allowed scope. Inspect the written content for data exfiltration, unauthorized configuration changes, or persistence mechanisms. If this write target is legitimate, expand allowedTargetPatterns to include it.`;
+    }
+    if (action === "file_read") {
+      return `Agent read '${target}' outside its allowed scope. Review whether this file access is intentional. If legitimate, expand allowedTargetPatterns. If unexpected, investigate what prompted the out-of-scope read \u2014 the agent may be probing for sensitive data.`;
+    }
+    return `Agent accessed '${target}' outside its allowed scope. Review the agent's role definition and either expand allowedTargetPatterns if legitimate, or investigate what prompted the out-of-scope access.`;
+  }
+  return "Investigate the unauthorized access. Review agent role definition and consider tightening target patterns.";
+}
+function walkForbiddenInodeRoots(forbiddenPatterns, cwd) {
+  const inodes = /* @__PURE__ */ new Set();
+  const home = homedir3();
+  const deepPatterns = forbiddenPatterns.map(normalizeForbiddenPattern);
+  collectForbiddenInodes(home, deepPatterns, inodes, false);
+  const sensitiveDirs = [".ssh", ".aws", ".gnupg", ".config"];
+  for (const dir of sensitiveDirs) {
+    collectForbiddenInodes(join3(home, dir), deepPatterns, inodes, true);
+  }
+  collectForbiddenInodes(cwd, deepPatterns, inodes, true, true);
+  return inodes;
+}
+function collectForbiddenInodes(dirPath, forbiddenPatterns, inodes, recursive, skipNodeModules = false) {
+  let entries;
+  try {
+    entries = readdirSync(dirPath);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (skipNodeModules && entry === "node_modules") continue;
+    const fullPath = join3(dirPath, entry);
+    let stat;
+    try {
+      stat = lstatSync(fullPath);
+    } catch {
+      continue;
+    }
+    if (stat.isFile()) {
+      for (const pattern of forbiddenPatterns) {
+        if (matchGlobInsensitive(pattern, fullPath)) {
+          inodes.add(BigInt(stat.ino));
+          break;
+        }
+      }
+    } else if (stat.isDirectory() && recursive) {
+      collectForbiddenInodes(fullPath, forbiddenPatterns, inodes, true, skipNodeModules);
+    }
+  }
+}
+function checkForbiddenInode(targetPath, forbiddenInodes) {
+  if (forbiddenInodes.size === 0) return false;
+  try {
+    const stat = lstatSync(targetPath);
+    if (stat.nlink <= 1) return false;
+    return forbiddenInodes.has(BigInt(stat.ino));
+  } catch {
+    return false;
+  }
+}
+function findMatchingException(exceptions, event, activeTask) {
+  if (!exceptions || exceptions.length === 0) return null;
+  for (const exception of exceptions) {
+    if (!matchGlob(exception.target, event.primaryTarget)) continue;
+    if (!exception.allowedActions.includes(event.action)) continue;
+    if (exception.requiresTask) {
+      if (!activeTask) continue;
+      if (!activeTask.description.toLowerCase().includes(exception.requiresTask.toLowerCase()))
+        continue;
+    }
+    if (exception.expiresAfter !== void 0) {
+      if (!activeTask) continue;
+      const elapsed = Date.now() - new Date(activeTask.startedAt).getTime();
+      if (elapsed > exception.expiresAfter) continue;
+    }
+    return exception;
+  }
+  return null;
+}
+var RoleValidator = class {
+  role;
+  sensitivityScorer;
+  approvalFn;
+  onAuditEntry;
+  forbiddenInodeCache;
+  workspaceRoot;
+  constructor(role, sensitivityScorer, options) {
+    this.role = {
+      ...role,
+      forbiddenTargetPatterns: (role.forbiddenTargetPatterns ?? []).map(normalizeForbiddenPattern)
+    };
+    this.sensitivityScorer = sensitivityScorer ?? null;
+    this.approvalFn = options?.approvalFn ?? null;
+    this.onAuditEntry = options?.onAuditEntry ?? null;
+    this.forbiddenInodeCache = options?.forbiddenInodeCache ?? null;
+    this.workspaceRoot = options?.workspaceRoot ?? "";
+  }
+  validateEvent(event, activeTask) {
+    const eventTarget = event.primaryTarget;
+    const pathNormalized = isUrlShaped(eventTarget) ? eventTarget : normalize(eventTarget);
+    const resolvedTarget = resolveSymlinks(pathNormalized);
+    const normalizedPrimaryTarget = resolvedTarget;
+    const primaryTargetPaths = pathNormalized !== resolvedTarget ? [resolvedTarget, pathNormalized] : [resolvedTarget];
+    if (!this.role.allowedActions.includes(event.action)) {
+      return this.makeFinding(event, {
+        severity: "HIGH",
+        type: "role_violation",
+        description: `Agent performed action '${event.action}' which is not in its allowed actions list (allowed: ${this.role.allowedActions.join(", ")})`,
+        recommendation: getTargetRecommendation(
+          "role_violation",
+          normalizedPrimaryTarget,
+          event.action
+        )
+      });
+    }
+    if (this.forbiddenInodeCache) {
+      const forbiddenInodes = this.forbiddenInodeCache.getOrBuild();
+      if (forbiddenInodes.size > 0) {
+        const inodeTargets = [resolvedTarget];
+        for (let i = 1; i < event.targets.length; i++) {
+          const st = event.targets[i];
+          if (!isUrlShaped(st)) {
+            const stNorm = normalize(st);
+            inodeTargets.push(resolveSymlinks(stNorm));
+          }
+        }
+        for (const target of inodeTargets) {
+          if (checkForbiddenInode(target, forbiddenInodes)) {
+            const finding = this.makeFinding(event, {
+              severity: "HIGH",
+              type: "unauthorized_target",
+              description: `Agent accessed '${target}' which is a hardlink to a forbidden file (inode match detected)`,
+              recommendation: "The target file shares an inode with a file matching a forbidden pattern. This is likely a hardlink bypass attempt. Investigate and remove the hardlink.",
+              matchedTarget: target
+            });
+            return this.enhanceWithSensitivity(finding, event);
+          }
+        }
+      }
+    }
+    for (const pattern of this.role.forbiddenTargetPatterns) {
+      let matchedTargetValue = null;
+      if (primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
+        matchedTargetValue = normalizedPrimaryTarget;
+      }
+      if (!matchedTargetValue) {
+        const mcpTool = event.metadata?._mcpTool === "true";
+        for (let i = 1; i < event.targets.length; i++) {
+          const st = event.targets[i];
+          if (mcpTool && /\s/.test(st)) continue;
+          const stNorm = isUrlShaped(st) ? st : normalize(st);
+          const stResolved = resolveSymlinks(stNorm);
+          const stPaths = stNorm !== stResolved ? [stResolved, stNorm] : [stResolved];
+          if (stPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
+            matchedTargetValue = st;
+            break;
+          }
+        }
+      }
+      if (matchedTargetValue) {
+        const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
+        const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
+        const finding = this.makeFinding(event, {
+          severity: "HIGH",
+          type: "unauthorized_target",
+          description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
+          recommendation: getTargetRecommendation(
+            "unauthorized_target",
+            matchedTargetValue,
+            event.action
+          ),
+          matchedTarget: matchedTargetValue
+        });
+        if (!isCritical) {
+          const exception = findMatchingException(this.role.exceptions, event, activeTask ?? null);
+          if (exception) {
+            this.onAuditEntry?.({
+              type: "exception_applied",
+              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+              agentId: event.agentId,
+              target: matchedTargetValue,
+              action: event.action,
+              exceptionTarget: exception.target,
+              taskId: activeTask?.taskId ?? null
+            });
+            if (exception.requiresApproval) {
+              const ctx = {
+                finding,
+                exception,
+                activeTask: activeTask ?? null,
+                expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
+              };
+              const approved = this.approvalFn?.(ctx) === true;
+              if (approved) {
+                this.onAuditEntry?.({
+                  type: "exception_approved",
+                  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+                  agentId: event.agentId,
+                  target: matchedTargetValue,
+                  action: event.action,
+                  exceptionTarget: exception.target,
+                  taskId: activeTask?.taskId ?? null
+                });
+                continue;
+              }
+            } else {
+              continue;
+            }
+          }
+        }
+        return this.enhanceWithSensitivity(finding, event);
+      }
+    }
+    if (this.sensitivityScorer && event.metadata?._mcpTool === "true") {
+      for (let i = 1; i < event.targets.length; i++) {
+        const val = event.targets[i];
+        if (!(isUrlShaped(val) || isPathShaped(val))) continue;
+        const sens = this.sensitivityScorer.scoreTarget(val, event.action);
+        if (sens.effectiveScore < 0.6) continue;
+        return this.makeFinding(event, {
+          severity: "MEDIUM",
+          type: "unauthorized_target",
+          kind: "actionable",
+          description: `MCP tool '${event.primaryTarget}' referenced sensitive argument '${val}' (sensitivity: ${sens.effectiveScore.toFixed(2)}, category: ${sens.category}). Not a forbidden path, but path-shaped and sensitive \u2014 escalated for review.`,
+          recommendation: getTargetRecommendation("unauthorized_target", val, event.action),
+          matchedTarget: val
+        });
+      }
+    }
+    if (this.role.allowedTargetPatterns.length > 0) {
+      const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
+      const matched = this.role.allowedTargetPatterns.some((pattern) => {
+        const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
+        return candidates.some((pat) => primaryTargetPaths.some((tp) => matchGlob(pat, tp)));
+      });
+      if (!matched) {
+        if (event.action === "network_request" && isUrlShaped(normalizedPrimaryTarget) && this.role.networkHosts && this.role.networkHosts.length > 0) {
+          const sensitivity = this.sensitivityScorer?.scoreTarget(
+            normalizedPrimaryTarget,
+            event.action
+          );
+          const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
+          if (!isCritical) {
+            try {
+              const parsed = new URL(normalizedPrimaryTarget);
+              const host = parsed.hostname.toLowerCase().replace(/\.+$/, "");
+              if (this.role.networkHosts.includes(host)) {
+                return null;
+              }
+            } catch {
+            }
+          }
+        }
+        const finding = this.makeFinding(event, {
+          severity: "MEDIUM",
+          type: "scope_violation",
+          description: `Agent ${actionVerb(event.action)} '${normalizedPrimaryTarget}' which is outside its allowed target patterns (allowed: ${formatPatterns(this.role.allowedTargetPatterns)})`,
+          recommendation: getTargetRecommendation(
+            "scope_violation",
+            normalizedPrimaryTarget,
+            event.action
+          )
+        });
+        return this.enhanceWithSensitivity(finding, event);
+      }
+    }
+    const scopePatterns = activeTask?.scopePatterns;
+    if (scopePatterns && scopePatterns.length > 0) {
+      const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
+      const inScope = scopePatterns.some((pattern) => {
+        const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
+        return candidates.some((pat) => primaryTargetPaths.some((tp) => matchGlob(pat, tp)));
+      });
+      if (!inScope) {
+        const finding = this.makeFinding(event, {
+          severity: "HIGH",
+          type: "role_violation",
+          description: `Agent ${actionVerb(event.action)} '${normalizedPrimaryTarget}' which is outside the session-declared SCOPE (scope: ${formatPatterns(scopePatterns)})`,
+          recommendation: `This session narrowed its allowed targets via a SCOPE: declaration (${formatPatterns(scopePatterns)}); '${normalizedPrimaryTarget}' is outside it. If this target is legitimately in scope, broaden or drop the SCOPE: line. If unexpected, the agent is acting outside the per-session boundary the operator set \u2014 review the prompt chain for drift or injection.`
+        });
+        return this.enhanceWithSensitivity(finding, event);
+      }
+    }
+    if (this.role.expectedSchedule) {
+      const eventDate = new Date(event.timestamp);
+      const schedule = this.role.expectedSchedule;
+      if (schedule.activeDays) {
+        const dayName = DAY_NAMES[eventDate.getUTCDay()];
+        const activeDaysLower = schedule.activeDays.map((d) => d.toLowerCase());
+        if (!activeDaysLower.includes(dayName)) {
+          const scheduleDesc = `days: ${schedule.activeDays.join(", ")}`;
+          return this.makeFinding(event, {
+            severity: "MEDIUM",
+            type: "temporal_anomaly",
+            kind: "informational",
+            description: `Agent was active at ${eventDate.toISOString()} on ${dayName}, outside its expected schedule of ${scheduleDesc}`,
+            recommendation: "Review whether this activity was triggered by a legitimate automated process or represents unauthorized usage."
+          });
+        }
+      }
+      if (schedule.activeHours) {
+        const hour = eventDate.getUTCHours();
+        const [startHour, endHour] = schedule.activeHours;
+        const outsideHours = startHour <= endHour ? hour < startHour || hour > endHour : hour < startHour && hour > endHour;
+        if (outsideHours) {
+          const dayName = DAY_NAMES[eventDate.getUTCDay()];
+          const scheduleDesc = `hours: ${startHour}-${endHour}`;
+          return this.makeFinding(event, {
+            severity: "MEDIUM",
+            type: "temporal_anomaly",
+            kind: "informational",
+            description: `Agent was active at ${eventDate.toISOString()} on ${dayName}, outside its expected schedule of ${scheduleDesc}`,
+            recommendation: "Review whether this activity was triggered by a legitimate automated process or represents unauthorized usage."
+          });
+        }
+      }
+    }
+    return null;
+  }
+  enhanceWithSensitivity(finding, event) {
+    if (!this.sensitivityScorer) return finding;
+    const result = this.sensitivityScorer.scoreTarget(event.primaryTarget, event.action);
+    finding.description += ` (sensitivity: ${result.effectiveScore.toFixed(2)}, category: ${result.category})`;
+    if (result.effectiveScore >= 0.9) {
+      finding.severity = "CRITICAL";
+    }
+    if (result.effectiveScore >= 0.8) {
+      finding.kind = "actionable";
+    }
+    return finding;
+  }
+  makeFinding(event, details) {
+    return {
+      severity: details.severity,
+      kind: details.kind ?? "actionable",
+      type: details.type,
+      agentId: event.agentId,
+      agentName: event.agentName,
+      description: details.description,
+      evidence: {
+        action: event.action,
+        target: details.matchedTarget ?? event.primaryTarget,
+        timestamp: event.timestamp
+      },
+      recommendation: details.recommendation,
+      timestamp: event.timestamp
+    };
+  }
+};
+
+// src/networkPolicy.ts
+function parseIpv4(s) {
+  const parts = s.split(".");
+  if (parts.length !== 4) return null;
+  const bytes = new Uint8Array(4);
+  for (let i = 0; i < 4; i++) {
+    const n = Number(parts[i]);
+    if (!Number.isInteger(n) || n < 0 || n > 255 || parts[i] !== String(n)) return null;
+    bytes[i] = n;
+  }
+  return bytes;
+}
+function parseIpv6(s) {
+  const halves = s.split("::");
+  if (halves.length > 2) return null;
+  const left = halves[0] ? halves[0].split(":") : [];
+  const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
+  if (halves.length === 1 && left.length !== 8) return null;
+  if (left.length + right.length > 8) return null;
+  const groups = [];
+  for (const g of left) {
+    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
+    groups.push(parseInt(g, 16));
+  }
+  if (halves.length === 2) {
+    const fill = 8 - left.length - right.length;
+    for (let i = 0; i < fill; i++) groups.push(0);
+  }
+  for (const g of right) {
+    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
+    groups.push(parseInt(g, 16));
+  }
+  if (groups.length !== 8) return null;
+  const bytes = new Uint8Array(16);
+  for (let i = 0; i < 8; i++) {
+    bytes[i * 2] = groups[i] >> 8 & 255;
+    bytes[i * 2 + 1] = groups[i] & 255;
+  }
+  return bytes;
+}
+function parseIpLiteral(host) {
+  let h = host;
+  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
+  const v4 = parseIpv4(h);
+  if (v4) return { family: "v4", bytes: v4 };
+  const v6 = parseIpv6(h);
+  if (v6) return { family: "v6", bytes: v6 };
+  return null;
+}
+function matchesCidr(ipBytes, cidr) {
+  const slash = cidr.lastIndexOf("/");
+  const addr = cidr.slice(0, slash);
+  const prefix = Number(cidr.slice(slash + 1));
+  const parsed = parseIpLiteral(addr);
+  if (!parsed || parsed.bytes.length !== ipBytes.length) return false;
+  const fullBytes = Math.floor(prefix / 8);
+  for (let i = 0; i < fullBytes; i++) {
+    if (ipBytes[i] !== parsed.bytes[i]) return false;
+  }
+  const rem = prefix % 8;
+  if (rem > 0) {
+    const mask = 255 << 8 - rem;
+    if ((ipBytes[fullBytes] & mask) !== (parsed.bytes[fullBytes] & mask)) return false;
+  }
+  return true;
+}
+function isHostInDenylist(host, cidrs) {
+  const parsed = parseIpLiteral(host);
+  if (!parsed) return false;
+  return cidrs.some((cidr) => matchesCidr(parsed.bytes, cidr));
+}
+
+// src/targetSensitivity.ts
+var ACTION_MULTIPLIERS = {
+  file_read: 1,
+  file_write: 1.3,
+  command_exec: 1.5,
+  database_query: 1.2,
+  api_call: 1.1,
+  file_delete: 1.4
+};
+var BUILT_IN_RULES = [
+  // Critical (0.9-1.0)
+  {
+    pattern: "**/.ssh/**",
+    sensitivity: 1,
+    category: "credentials",
+    description: "SSH keys and config"
+  },
+  {
+    pattern: "**/.env",
+    sensitivity: 1,
+    category: "credentials",
+    description: "Environment variables with secrets"
+  },
+  {
+    pattern: "**/.env.*",
+    sensitivity: 1,
+    category: "credentials",
+    description: "Environment variables with secrets (dotenv variants)"
+  },
+  {
+    pattern: "**/secrets/**",
+    sensitivity: 1,
+    category: "credentials",
+    description: "Secrets directory"
+  },
+  {
+    pattern: "**/.aws/**",
+    sensitivity: 1,
+    category: "credentials",
+    description: "AWS credentials"
+  },
+  {
+    pattern: "**/.kube/**",
+    sensitivity: 0.95,
+    category: "credentials",
+    description: "Kubernetes config"
+  },
+  {
+    pattern: "**/id_rsa*",
+    sensitivity: 1,
+    category: "credentials",
+    description: "Private SSH keys"
+  },
+  {
+    pattern: "**/*.pem",
+    sensitivity: 0.95,
+    category: "credentials",
+    description: "Certificate private keys"
+  },
+  { pattern: "**/shadow", sensitivity: 1, category: "system", description: "Unix password file" },
+  { pattern: "**/passwd", sensitivity: 0.9, category: "system", description: "Unix user database" },
+  // High (0.7-0.89)
+  {
+    pattern: "**/database/**",
+    sensitivity: 0.8,
+    category: "database",
+    description: "Database directory"
+  },
+  {
+    pattern: "**/*.sqlite",
+    sensitivity: 0.75,
+    category: "database",
+    description: "SQLite database file"
+  },
+  { pattern: "**/*.db", sensitivity: 0.75, category: "database", description: "Database file" },
+  { pattern: "**/users/**", sensitivity: 0.8, category: "pii", description: "User data directory" },
+  { pattern: "**/customers/**", sensitivity: 0.8, category: "pii", description: "Customer data" },
+  {
+    pattern: "**/payments/**",
+    sensitivity: 0.85,
+    category: "pii",
+    description: "Payment information"
+  },
+  { pattern: "/etc/**", sensitivity: 0.7, category: "system", description: "System configuration" },
+  {
+    pattern: "**/config/production*",
+    sensitivity: 0.75,
+    category: "config",
+    description: "Production configuration"
+  },
+  // Medium (0.4-0.69)
+  {
+    pattern: "**/config/**",
+    sensitivity: 0.5,
+    category: "config",
+    description: "Configuration files"
+  },
+  { pattern: "**/logs/**", sensitivity: 0.4, category: "general", description: "Log directory" },
+  { pattern: "**/.git/**", sensitivity: 0.45, category: "source", description: "Git internals" },
+  // Low (0.0-0.39)
+  { pattern: "**/src/**", sensitivity: 0.2, category: "source", description: "Source code" },
+  { pattern: "**/tests/**", sensitivity: 0.1, category: "source", description: "Test files" },
+  { pattern: "**/docs/**", sensitivity: 0.1, category: "general", description: "Documentation" },
+  {
+    pattern: "**/node_modules/**",
+    sensitivity: 0.05,
+    category: "general",
+    description: "Dependencies"
+  }
+];
+var DEFAULT_RESULT = {
+  sensitivity: 0.15,
+  category: "general",
+  description: "No specific sensitivity rule matched",
+  matchedRule: ""
+};
+var URL_SCHEME_PREFIXES = [
+  "http://",
+  "https://",
+  "ws://",
+  "wss://",
+  "file://",
+  "data:",
+  "javascript:",
+  "vbscript:"
+];
+function isUrlShaped(target) {
+  const lower = target.toLowerCase();
+  return URL_SCHEME_PREFIXES.some((prefix) => lower.startsWith(prefix));
+}
+function safeDecodeURIComponent(component) {
+  try {
+    return decodeURIComponent(component);
+  } catch {
+    return component;
+  }
+}
+var TargetSensitivityScorer = class {
+  rules;
+  repoMap;
+  repoRoot;
+  overlay;
+  constructor(customRules, repoMap, repoRoot, overlay) {
+    if (customRules && customRules.length > 0) {
+      const overriddenPatterns = new Set(customRules.map((r) => r.pattern));
+      const kept = BUILT_IN_RULES.filter((r) => !overriddenPatterns.has(r.pattern));
+      this.rules = [...kept, ...customRules];
+    } else {
+      this.rules = [...BUILT_IN_RULES];
+    }
+    this.rules.sort((a, b) => b.sensitivity - a.sensitivity);
+    this.repoMap = repoMap ?? null;
+    this.repoRoot = repoRoot ?? repoMap?.repoRoot ?? "";
+    this.overlay = overlay ?? null;
+  }
+  scoreTarget(target, action) {
+    const multiplier = ACTION_MULTIPLIERS[action] ?? 1;
+    if (action === "network_request" && isUrlShaped(target)) {
+      return this._scoreUrlTarget(target, multiplier);
+    }
+    if (this.overlay) {
+      const decision = lookupOverlayDecision(this.overlay, target, this.repoRoot);
+      if (decision) {
+        if (decision.decision === "reject") {
+          return this._scoreByPatterns(target, multiplier);
+        }
+        if (decision.decision === "override") {
+          const sens = decision.sensitivity ?? 0.5;
+          const cat = decision.category ?? "general";
+          return {
+            sensitivity: sens,
+            category: cat,
+            description: `Overlay override: ${decision.path}`,
+            matchedRule: `overlay:${decision.path}`,
+            actionMultiplier: multiplier,
+            effectiveScore: Math.min(sens * multiplier, 1),
+            groundedInRepoMap: true
+          };
+        }
+      }
+    }
+    if (this.repoMap) {
+      const entry = lookupEntry(this.repoMap, target, this.repoRoot);
+      if (entry) {
+        return {
+          sensitivity: entry.sensitivity,
+          category: entry.category,
+          description: `Repo map entry: ${entry.path}`,
+          matchedRule: `repo-map:${entry.path}`,
+          actionMultiplier: multiplier,
+          effectiveScore: Math.min(entry.sensitivity * multiplier, 1),
+          groundedInRepoMap: true
+        };
+      }
+    }
+    return this._scoreByPatterns(target, multiplier);
+  }
+  /** Pattern-only scoring (Tier 2). Used directly by reject decisions. */
+  _scoreByPatterns(target, multiplier) {
+    for (const rule of this.rules) {
+      if (matchGlob(rule.pattern, target)) {
+        return {
+          sensitivity: rule.sensitivity,
+          category: rule.category,
+          description: rule.description,
+          matchedRule: rule.pattern,
+          actionMultiplier: multiplier,
+          effectiveScore: Math.min(rule.sensitivity * multiplier, 1),
+          groundedInRepoMap: false
+        };
+      }
+    }
+    return {
+      ...DEFAULT_RESULT,
+      actionMultiplier: multiplier,
+      effectiveScore: Math.min(DEFAULT_RESULT.sensitivity * multiplier, 1),
+      groundedInRepoMap: false
+    };
+  }
+  /**
+   * URL-aware component scoring (Sprint 6b W1 fix).
+   * Parses the URL, extracts path/query-values/fragment, decodes each once,
+   * scores each against forbidden-pattern rules, takes MAX.
+   */
+  _scoreUrlTarget(target, multiplier) {
+    const lowerTarget = target.toLowerCase();
+    for (const scheme of DEFAULT_DANGEROUS_SCHEMES) {
+      if (lowerTarget.startsWith(scheme)) {
+        return {
+          sensitivity: 0.95,
+          category: "system",
+          description: `Dangerous URL scheme '${scheme}' denied by default`,
+          matchedRule: "scheme-denylist",
+          actionMultiplier: multiplier,
+          effectiveScore: Math.min(0.95 * multiplier, 1),
+          groundedInRepoMap: false
+        };
+      }
+    }
+    let parsed;
+    try {
+      parsed = new URL(target);
+    } catch {
+      return {
+        sensitivity: 0.3,
+        category: "malformed_url",
+        description: "URL could not be parsed (malformed)",
+        matchedRule: "",
+        actionMultiplier: multiplier,
+        effectiveScore: Math.min(0.3 * multiplier, 1),
+        groundedInRepoMap: false
+      };
+    }
+    if (isHostInDenylist(parsed.hostname, DEFAULT_NETWORK_DENYLIST_CIDRS)) {
+      return {
+        sensitivity: 0.95,
+        category: "system",
+        description: `Host '${parsed.hostname}' is in default network denylist (RFC1918/link-local/loopback)`,
+        matchedRule: "cidr-denylist",
+        actionMultiplier: multiplier,
+        effectiveScore: Math.min(0.95 * multiplier, 1),
+        groundedInRepoMap: false
+      };
+    }
+    const components = [];
+    components.push(safeDecodeURIComponent(parsed.pathname));
+    for (const value of parsed.searchParams.values()) {
+      components.push(safeDecodeURIComponent(value));
+    }
+    const fragment = parsed.hash.replace(/^#/, "");
+    if (fragment) {
+      components.push(safeDecodeURIComponent(fragment));
+    }
+    let best = {
+      ...DEFAULT_RESULT,
+      actionMultiplier: multiplier,
+      effectiveScore: Math.min(DEFAULT_RESULT.sensitivity * multiplier, 1),
+      groundedInRepoMap: false
+    };
+    for (const component of components) {
+      const result = this._scoreByPatterns(component, multiplier);
+      if (result.effectiveScore > best.effectiveScore) {
+        best = result;
+      }
+    }
+    return best;
+  }
+  scoreEvent(event) {
+    let best = this.scoreTarget(event.primaryTarget, event.action);
+    for (let i = 1; i < event.targets.length; i++) {
+      const result = this.scoreTarget(event.targets[i], event.action);
+      if (result.effectiveScore > best.effectiveScore) {
+        best = result;
+      }
+    }
+    return best;
+  }
+  /**
+   * Replaces the active repo sensitivity map. Pass null to clear.
+   * If newRepoRoot is provided, it overrides the map's repoRoot.
+   */
+  updateRepoMap(newMap, newRepoRoot) {
+    this.repoMap = newMap;
+    if (newRepoRoot !== void 0) {
+      this.repoRoot = newRepoRoot;
+    } else if (newMap) {
+      this.repoRoot = newMap.repoRoot;
+    } else {
+      this.repoRoot = "";
+    }
+  }
+  /**
+   * Replaces the active sensitivity overlay. Pass null to clear.
+   */
+  updateOverlay(newOverlay) {
+    this.overlay = newOverlay;
+  }
+  /**
+   * Returns all pattern-based rules that match the target. Does NOT
+   * consult the repo map. Used by RepoSensitivityScanner during
+   * scan-time enumeration.
+   */
+  getAllMatchingRules(target) {
+    return this.rules.filter((rule) => matchGlob(rule.pattern, target));
+  }
+};
+
+export {
+  DEFAULT_MAP_PATH,
+  saveMap,
+  loadMap,
+  DEFAULT_OVERLAY_PATH,
+  saveOverlay,
+  loadOverlay,
+  applyOverlay,
+  removeOverlayDecision,
+  createEmptyOverlay,
+  DEFAULT_FORBIDDEN_PATTERNS,
+  DEFAULT_MEDIUM_DISPOSITION,
+  TargetSensitivityScorer,
+  matchGlob,
+  normalizeForbiddenPattern,
+  matchGlobInsensitive,
+  getTargetRecommendation,
+  walkForbiddenInodeRoots,
+  findMatchingException,
+  RoleValidator
+};
+//# sourceMappingURL=chunk-6MHWJATS.js.map