@two7722/sentinel-guard 1.1.0

package/dist/lib/modes.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ALL_MODES = exports.MODE_DESCRIPTIONS = void 0;
+exports.getMode = getMode;
+exports.setMode = setMode;
+exports.getModeInfo = getModeInfo;
+exports.shouldAutoAllow = shouldAutoAllow;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const keys_1 = require("../crypto/keys");
+const MODES_PATH = (0, path_1.join)((0, keys_1.getSentinelDir)(), 'mode.json');
+function loadMode() {
+    if (!(0, fs_1.existsSync)(MODES_PATH))
+        return { mode: 'strict', changedAt: new Date().toISOString() };
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(MODES_PATH, 'utf-8'));
+    }
+    catch {
+        return { mode: 'strict', changedAt: new Date().toISOString() };
+    }
+}
+function getMode() {
+    return loadMode().mode;
+}
+function setMode(mode) {
+    (0, fs_1.writeFileSync)(MODES_PATH, JSON.stringify({ mode, changedAt: new Date().toISOString() }, null, 2), { mode: 0o600 });
+}
+function getModeInfo() {
+    return loadMode();
+}
+/** Check if a tool should be auto-allowed based on current mode */
+function shouldAutoAllow(toolName) {
+    const mode = getMode();
+    switch (mode) {
+        case 'lockdown':
+            return 'block';
+        case 'yolo':
+            return 'auto_allow';
+        case 'relaxed':
+            // Only Bash and destructive ops need approval
+            if (['Bash', 'Delete'].includes(toolName))
+                return 'require';
+            return 'auto_allow';
+        case 'plan':
+        case 'strict':
+        default:
+            return 'require'; // Let the rule engine decide
+    }
+}
+exports.MODE_DESCRIPTIONS = {
+    strict: 'Every write/bash needs approval (default)',
+    relaxed: 'Only bash & destructive ops need approval',
+    yolo: 'Auto-approve everything (logged)',
+    plan: 'Strict + group related operations',
+    lockdown: 'Block all operations',
+};
+exports.ALL_MODES = ['strict', 'relaxed', 'yolo', 'plan', 'lockdown'];
+//# sourceMappingURL=modes.js.map

package/dist/lib/modes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"modes.js","sourceRoot":"","sources":["../../src/lib/modes.ts"],"names":[],"mappings":";;;AAgCA,0BAEC;AAED,0BAEC;AAED,kCAEC;AAGD,0CAoBC;AAjED,2BAA6D;AAC7D,+BAA4B;AAC5B,yCAAgD;AAchD,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,IAAA,qBAAc,GAAE,EAAE,WAAW,CAAC,CAAC;AAOvD,SAAS,QAAQ;IACf,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IAC5F,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IACjE,CAAC;AACH,CAAC;AAED,SAAgB,OAAO;IACrB,OAAO,QAAQ,EAAE,CAAC,IAAI,CAAC;AACzB,CAAC;AAED,SAAgB,OAAO,CAAC,IAAoB;IAC1C,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACrH,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,QAAQ,EAAE,CAAC;AACpB,CAAC;AAED,mEAAmE;AACnE,SAAgB,eAAe,CAAC,QAAgB;IAC9C,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;IAEvB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,UAAU;YACb,OAAO,OAAO,CAAC;QAEjB,KAAK,MAAM;YACT,OAAO,YAAY,CAAC;QAEtB,KAAK,SAAS;YACZ,8CAA8C;YAC9C,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC5D,OAAO,YAAY,CAAC;QAEtB,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd;YACE,OAAO,SAAS,CAAC,CAAC,6BAA6B;IACnD,CAAC;AACH,CAAC;AAEY,QAAA,iBAAiB,GAAmC;IAC/D,MAAM,EAAE,2CAA2C;IACnD,OAAO,EAAE,2CAA2C;IACpD,IAAI,EAAE,kCAAkC;IACxC,IAAI,EAAE,mCAAmC;IACzC,QAAQ,EAAE,sBAAsB;CACjC,CAAC;AAEW,QAAA,SAAS,GAAqB,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC"}

package/dist/lib/overrides.d.ts

@@ -0,0 +1,13 @@
+/** Check current override state (auto-clears expired) */
+export declare function getOverrideState(): {
+    blockAll: boolean;
+    allowAll: boolean;
+};
+export declare function setBlockAll(on: boolean, durationMinutes?: number): void;
+export declare function setAllowAll(on: boolean, durationMinutes?: number): void;
+export declare function getOverrideInfo(): {
+    blockAll: boolean;
+    allowAll: boolean;
+    blockUntil: string | null;
+    allowUntil: string | null;
+};

package/dist/lib/overrides.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOverrideState = getOverrideState;
+exports.setBlockAll = setBlockAll;
+exports.setAllowAll = setAllowAll;
+exports.getOverrideInfo = getOverrideInfo;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const keys_1 = require("../crypto/keys");
+const OVERRIDES_PATH = (0, path_1.join)((0, keys_1.getSentinelDir)(), 'overrides.json');
+function loadOverrides() {
+    if (!(0, fs_1.existsSync)(OVERRIDES_PATH))
+        return { blockAll: false, allowAll: false, blockUntil: null, allowUntil: null };
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(OVERRIDES_PATH, 'utf-8'));
+    }
+    catch {
+        return { blockAll: false, allowAll: false, blockUntil: null, allowUntil: null };
+    }
+}
+function saveOverrides(o) {
+    (0, fs_1.writeFileSync)(OVERRIDES_PATH, JSON.stringify(o, null, 2), { mode: 0o600 });
+}
+function isExpired(until) {
+    if (!until)
+        return false;
+    return new Date(until) <= new Date();
+}
+/** Check current override state (auto-clears expired) */
+function getOverrideState() {
+    const o = loadOverrides();
+    let changed = false;
+    if (o.blockAll && o.blockUntil && isExpired(o.blockUntil)) {
+        o.blockAll = false;
+        o.blockUntil = null;
+        changed = true;
+    }
+    if (o.allowAll && o.allowUntil && isExpired(o.allowUntil)) {
+        o.allowAll = false;
+        o.allowUntil = null;
+        changed = true;
+    }
+    if (changed)
+        saveOverrides(o);
+    return { blockAll: o.blockAll, allowAll: o.allowAll };
+}
+function setBlockAll(on, durationMinutes) {
+    const o = loadOverrides();
+    o.blockAll = on;
+    o.allowAll = false;
+    o.allowUntil = null;
+    o.blockUntil = on && durationMinutes
+        ? new Date(Date.now() + durationMinutes * 60_000).toISOString()
+        : null;
+    saveOverrides(o);
+}
+function setAllowAll(on, durationMinutes) {
+    const o = loadOverrides();
+    o.allowAll = on;
+    o.blockAll = false;
+    o.blockUntil = null;
+    o.allowUntil = on && durationMinutes
+        ? new Date(Date.now() + durationMinutes * 60_000).toISOString()
+        : null;
+    saveOverrides(o);
+}
+function getOverrideInfo() {
+    const o = loadOverrides();
+    // Check expiry
+    getOverrideState();
+    const fresh = loadOverrides();
+    return fresh;
+}
+//# sourceMappingURL=overrides.js.map

package/dist/lib/overrides.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"overrides.js","sourceRoot":"","sources":["../../src/lib/overrides.ts"],"names":[],"mappings":";;AAgCA,4CAiBC;AAED,kCASC;AAED,kCASC;AAED,0CAMC;AA/ED,2BAA6D;AAC7D,+BAA4B;AAC5B,yCAAgD;AAEhD,MAAM,cAAc,GAAG,IAAA,WAAI,EAAC,IAAA,qBAAc,GAAE,EAAE,gBAAgB,CAAC,CAAC;AAShE,SAAS,aAAa;IACpB,IAAI,CAAC,IAAA,eAAU,EAAC,cAAc,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IACjH,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,CAAY;IACjC,IAAA,kBAAa,EAAC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,SAAS,CAAC,KAAoB;IACrC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;AACvC,CAAC;AAED,yDAAyD;AACzD,SAAgB,gBAAgB;IAC9B,MAAM,CAAC,GAAG,aAAa,EAAE,CAAC;IAC1B,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,UAAU,IAAI,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1D,CAAC,CAAC,QAAQ,GAAG,KAAK,CAAC;QACnB,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC;QACpB,OAAO,GAAG,IAAI,CAAC;IACjB,CAAC;IACD,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,UAAU,IAAI,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1D,CAAC,CAAC,QAAQ,GAAG,KAAK,CAAC;QACnB,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC;QACpB,OAAO,GAAG,IAAI,CAAC;IACjB,CAAC;IACD,IAAI,OAAO;QAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAE9B,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;AACxD,CAAC;AAED,SAAgB,WAAW,CAAC,EAAW,EAAE,eAAwB;IAC/D,MAAM,CAAC,GAAG,aAAa,EAAE,CAAC;IAC1B,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC;IAChB,CAAC,CAAC,QAAQ,GAAG,KAAK,CAAC;IACnB,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC;IACpB,CAAC,CAAC,UAAU,GAAG,EAAE,IAAI,eAAe;QAClC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,GAAG,MAAM,CAAC,CAAC,WAAW,EAAE;QAC/D,CAAC,CAAC,IAAI,CAAC;IACT,aAAa,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAED,SAAgB,WAAW,CAAC,EAAW,EAAE,eAAwB;IAC/D,MAAM,CAAC,GAAG,aAAa,EAAE,CAAC;IAC1B,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC;IAChB,CAAC,CAAC,QAAQ,GAAG,KAAK,CAAC;IACnB,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC;IACpB,CAAC,CAAC,UAAU,GAAG,EAAE,IAAI,eAAe;QAClC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,GAAG,MAAM,CAAC,CAAC,WAAW,EAAE;QAC/D,CAAC,CAAC,IAAI,CAAC;IACT,aAAa,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAED,SAAgB,eAAe;IAC7B,MAAM,CAAC,GAAG,aAAa,EAAE,CAAC;IAC1B,eAAe;IACf,gBAAgB,EAAE,CAAC;IACnB,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/lib/session.d.ts

@@ -0,0 +1,32 @@
+export interface SessionEvent {
+    type: 'tool_use' | 'tool_result' | 'notification' | 'stop' | 'user_message' | 'claude_response';
+    toolName?: string;
+    filePath?: string;
+    summary?: string;
+    decision?: string;
+    message?: string;
+    stopReason?: string;
+    timestamp: string;
+}
+export interface Session {
+    id: string;
+    startedAt: string;
+    endedAt?: string;
+    events: SessionEvent[];
+    stats: {
+        tools: number;
+        approved: number;
+        blocked: number;
+    };
+}
+export declare function startSession(): Session;
+export declare function addSessionEvent(event: SessionEvent): void;
+export declare function endSession(): void;
+export declare function getCurrentSession(): Session | null;
+/** List recent sessions (newest first) */
+export declare function listSessions(limit?: number): {
+    id: string;
+    startedAt: string;
+    events: number;
+    stats: Session['stats'];
+}[];

package/dist/lib/session.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startSession = startSession;
+exports.addSessionEvent = addSessionEvent;
+exports.endSession = endSession;
+exports.getCurrentSession = getCurrentSession;
+exports.listSessions = listSessions;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const keys_1 = require("../crypto/keys");
+const SESSIONS_DIR = (0, path_1.join)((0, keys_1.getSentinelDir)(), 'sessions');
+let currentSession = null;
+function startSession() {
+    if (!(0, fs_1.existsSync)(SESSIONS_DIR))
+        (0, fs_1.mkdirSync)(SESSIONS_DIR, { recursive: true });
+    currentSession = {
+        id: new Date().toISOString().replace(/[:.]/g, '-'),
+        startedAt: new Date().toISOString(),
+        events: [],
+        stats: { tools: 0, approved: 0, blocked: 0 },
+    };
+    return currentSession;
+}
+function addSessionEvent(event) {
+    if (!currentSession)
+        return;
+    currentSession.events.push(event);
+    if (event.type === 'tool_use')
+        currentSession.stats.tools++;
+    if (event.decision === 'allowed' || event.decision === 'auto_allow')
+        currentSession.stats.approved++;
+    if (event.decision === 'blocked')
+        currentSession.stats.blocked++;
+}
+function endSession() {
+    if (!currentSession)
+        return;
+    currentSession.endedAt = new Date().toISOString();
+    // Save to file
+    const path = (0, path_1.join)(SESSIONS_DIR, `${currentSession.id}.json`);
+    (0, fs_1.writeFileSync)(path, JSON.stringify(currentSession, null, 2), { mode: 0o600 });
+    currentSession = null;
+}
+function getCurrentSession() {
+    return currentSession;
+}
+/** List recent sessions (newest first) */
+function listSessions(limit = 10) {
+    if (!(0, fs_1.existsSync)(SESSIONS_DIR))
+        return [];
+    const files = require('fs').readdirSync(SESSIONS_DIR);
+    return files
+        .filter((f) => f.endsWith('.json'))
+        .sort()
+        .reverse()
+        .slice(0, limit)
+        .map((f) => {
+        try {
+            const s = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(SESSIONS_DIR, f), 'utf-8'));
+            return { id: s.id, startedAt: s.startedAt, events: s.events.length, stats: s.stats };
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter(Boolean);
+}
+//# sourceMappingURL=session.js.map

package/dist/lib/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/lib/session.ts"],"names":[],"mappings":";;AA2BA,oCAUC;AAED,0CAOC;AAED,gCAQC;AAED,8CAEC;AAGD,oCAkBC;AAjFD,2BAAwE;AACxE,+BAA4B;AAC5B,yCAAgD;AAEhD,MAAM,YAAY,GAAG,IAAA,WAAI,EAAC,IAAA,qBAAc,GAAE,EAAE,UAAU,CAAC,CAAC;AAqBxD,IAAI,cAAc,GAAmB,IAAI,CAAC;AAE1C,SAAgB,YAAY;IAC1B,IAAI,CAAC,IAAA,eAAU,EAAC,YAAY,CAAC;QAAE,IAAA,cAAS,EAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE5E,cAAc,GAAG;QACf,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC;QAClD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,EAAE;QACV,KAAK,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;KAC7C,CAAC;IACF,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAgB,eAAe,CAAC,KAAmB;IACjD,IAAI,CAAC,cAAc;QAAE,OAAO;IAC5B,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAElC,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU;QAAE,cAAc,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IAC5D,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,QAAQ,KAAK,YAAY;QAAE,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;IACrG,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS;QAAE,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;AACnE,CAAC;AAED,SAAgB,UAAU;IACxB,IAAI,CAAC,cAAc;QAAE,OAAO;IAC5B,cAAc,CAAC,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAElD,eAAe;IACf,MAAM,IAAI,GAAG,IAAA,WAAI,EAAC,YAAY,EAAE,GAAG,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;IAC7D,IAAA,kBAAa,EAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9E,cAAc,GAAG,IAAI,CAAC;AACxB,CAAC;AAED,SAAgB,iBAAiB;IAC/B,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,0CAA0C;AAC1C,SAAgB,YAAY,CAAC,KAAK,GAAG,EAAE;IACrC,IAAI,CAAC,IAAA,eAAU,EAAC,YAAY,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,YAAY,CAAa,CAAC;IAClE,OAAO,KAAK;SACT,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;SAC1C,IAAI,EAAE;SACN,OAAO,EAAE;SACT,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC;SACf,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE;QACjB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,IAAA,WAAI,EAAC,YAAY,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAY,CAAC;YAC9E,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;QACvF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC,CAAC;SACD,MAAM,CAAC,OAAO,CAAU,CAAC;AAC9B,CAAC"}

package/dist/lib/summarizer.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Convert tool call results into human-readable one-line summaries.
+ */
+export declare function summarize(toolName: string, toolInput: Record<string, unknown>, toolResponse?: string): string;
+export declare function summarizeStop(reason: string): string;

package/dist/lib/summarizer.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.summarize = summarize;
+exports.summarizeStop = summarizeStop;
+const path_1 = require("path");
+/**
+ * Convert tool call results into human-readable one-line summaries.
+ */
+function summarize(toolName, toolInput, toolResponse) {
+    const filePath = (toolInput.file_path ?? toolInput.path ?? '');
+    const fileName = filePath ? (0, path_1.basename)(filePath) : '';
+    const command = (toolInput.command ?? '');
+    switch (toolName) {
+        case 'Write':
+            return `${fileName || 'file'} written`;
+        case 'Edit':
+            return `${fileName || 'file'} edited`;
+        case 'Read':
+            return `${fileName || 'file'} read`;
+        case 'Bash': {
+            const cmd = command.length > 40 ? command.slice(0, 37) + '...' : command;
+            const ok = !toolResponse?.includes('error') && !toolResponse?.includes('Error');
+            return `${cmd || 'command'}${ok ? '' : ' (error)'}`;
+        }
+        case 'Glob':
+            return `search: ${(toolInput.pattern ?? '*')}`;
+        case 'Grep':
+            return `grep: ${(toolInput.pattern ?? '')}`;
+        case 'WebSearch':
+            return `search: ${(toolInput.query ?? '')}`;
+        case 'WebFetch':
+            return `fetch: ${(toolInput.url ?? '')}`;
+        default:
+            return `${toolName} completed`;
+    }
+}
+function summarizeStop(reason) {
+    switch (reason) {
+        case 'completed':
+        case 'end_turn': return 'Task completed';
+        case 'error': return 'Task failed';
+        case 'interrupted': return 'Task interrupted';
+        default: return `Stopped: ${reason}`;
+    }
+}
+//# sourceMappingURL=summarizer.js.map

package/dist/lib/summarizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"summarizer.js","sourceRoot":"","sources":["../../src/lib/summarizer.ts"],"names":[],"mappings":";;AAKA,8BA4BC;AAED,sCAOC;AA1CD,+BAAgC;AAEhC;;GAEG;AACH,SAAgB,SAAS,CAAC,QAAgB,EAAE,SAAkC,EAAE,YAAqB;IACnG,MAAM,QAAQ,GAAG,CAAC,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,IAAI,EAAE,CAAW,CAAC;IACzE,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAA,eAAQ,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACpD,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAW,CAAC;IAEpD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,GAAG,QAAQ,IAAI,MAAM,UAAU,CAAC;QACzC,KAAK,MAAM;YACT,OAAO,GAAG,QAAQ,IAAI,MAAM,SAAS,CAAC;QACxC,KAAK,MAAM;YACT,OAAO,GAAG,QAAQ,IAAI,MAAM,OAAO,CAAC;QACtC,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;YACzE,MAAM,EAAE,GAAG,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;YAChF,OAAO,GAAG,GAAG,IAAI,SAAS,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC;QACtD,CAAC;QACD,KAAK,MAAM;YACT,OAAO,WAAW,CAAC,SAAS,CAAC,OAAO,IAAI,GAAG,CAAW,EAAE,CAAC;QAC3D,KAAK,MAAM;YACT,OAAO,SAAS,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAW,EAAE,CAAC;QACxD,KAAK,WAAW;YACd,OAAO,WAAW,CAAC,SAAS,CAAC,KAAK,IAAI,EAAE,CAAW,EAAE,CAAC;QACxD,KAAK,UAAU;YACb,OAAO,UAAU,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,CAAW,EAAE,CAAC;QACrD;YACE,OAAO,GAAG,QAAQ,YAAY,CAAC;IACnC,CAAC;AACH,CAAC;AAED,SAAgB,aAAa,CAAC,MAAc;IAC1C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,WAAW,CAAC;QAAC,KAAK,UAAU,CAAC,CAAC,OAAO,gBAAgB,CAAC;QAC3D,KAAK,OAAO,CAAC,CAAC,OAAO,aAAa,CAAC;QACnC,KAAK,aAAa,CAAC,CAAC,OAAO,kBAAkB,CAAC;QAC9C,OAAO,CAAC,CAAC,OAAO,YAAY,MAAM,EAAE,CAAC;IACvC,CAAC;AACH,CAAC"}

package/dist/lib/tunnel.d.ts

@@ -0,0 +1,2 @@
+export declare function startTunnel(port: number): Promise<string>;
+export declare function stopTunnel(): void;

package/dist/lib/tunnel.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startTunnel = startTunnel;
+exports.stopTunnel = stopTunnel;
+const child_process_1 = require("child_process");
+const logger_1 = require("./logger");
+let tunnelProcess = null;
+async function startTunnel(port) {
+    return new Promise((resolve, reject) => {
+        const timeout = setTimeout(() => reject(new Error('Tunnel timed out (30s). Is cloudflared installed?')), 30000);
+        tunnelProcess = (0, child_process_1.spawn)('cloudflared', ['tunnel', '--url', `tcp://localhost:${port}`, '--no-tls-verify'], {
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        tunnelProcess.on('error', (err) => {
+            clearTimeout(timeout);
+            if (err.code === 'ENOENT') {
+                reject(new Error('cloudflared not found. Install: brew install cloudflared'));
+            }
+            else {
+                reject(err);
+            }
+        });
+        const handleOutput = (data) => {
+            const line = data.toString();
+            const match = line.match(/https?:\/\/[a-z0-9-]+\.trycloudflare\.com/);
+            if (match) {
+                clearTimeout(timeout);
+                resolve(match[0]);
+            }
+        };
+        tunnelProcess.stdout?.on('data', handleOutput);
+        tunnelProcess.stderr?.on('data', handleOutput);
+        tunnelProcess.on('exit', (code) => {
+            clearTimeout(timeout);
+            if (code !== 0 && code !== null) {
+                reject(new Error(`cloudflared exited with code ${code}`));
+            }
+        });
+    });
+}
+function stopTunnel() {
+    if (tunnelProcess) {
+        tunnelProcess.kill();
+        tunnelProcess = null;
+        logger_1.log.info('Tunnel stopped');
+    }
+}
+//# sourceMappingURL=tunnel.js.map

package/dist/lib/tunnel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tunnel.js","sourceRoot":"","sources":["../../src/lib/tunnel.ts"],"names":[],"mappings":";;AAKA,kCAoCC;AAED,gCAMC;AAjDD,iDAAoD;AACpD,qCAA+B;AAE/B,IAAI,aAAa,GAAwB,IAAI,CAAC;AAEvC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAEhH,aAAa,GAAG,IAAA,qBAAK,EAAC,aAAa,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,mBAAmB,IAAI,EAAE,EAAE,iBAAiB,CAAC,EAAE;YACtG,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAChC,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,IAAK,GAAW,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACnC,MAAM,CAAC,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC,CAAC;YAChF,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,CAAC,IAAY,EAAE,EAAE;YACpC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACtE,IAAI,KAAK,EAAE,CAAC;gBACV,YAAY,CAAC,OAAO,CAAC,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACpB,CAAC;QACH,CAAC,CAAC;QAEF,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAC/C,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAE/C,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAChC,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAChC,MAAM,CAAC,IAAI,KAAK,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,UAAU;IACxB,IAAI,aAAa,EAAE,CAAC;QAClB,aAAa,CAAC,IAAI,EAAE,CAAC;QACrB,aAAa,GAAG,IAAI,CAAC;QACrB,YAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC"}

package/dist/relay/pending.d.ts

@@ -0,0 +1,27 @@
+type DecisionAction = 'allowed' | 'blocked' | 'timeout';
+/**
+ * 管理等待决策的审批请求
+ * 每个请求对应一个 Promise — Socket 收到 decision 事件时 resolve
+ */
+declare class PendingStore {
+    private requests;
+    /**
+     * 注册一个等待中的请求，返回 Promise<action>
+     * 超时自动 resolve 为 'timeout'
+     */
+    waitForDecision(requestId: string, toolName: string): Promise<DecisionAction>;
+    /**
+     * 收到决策时调用 — 从 Socket decision 事件触发
+     */
+    resolve(requestId: string, action: DecisionAction): void;
+    /**
+     * 当前等待中的请求数量
+     */
+    get size(): number;
+    /**
+     * 清理所有请求（shutdown 时使用）
+     */
+    clear(): void;
+}
+export declare const pending: PendingStore;
+export {};

package/dist/relay/pending.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pending = void 0;
+const logger_1 = require("../lib/logger");
+const TIMEOUT_MS = 120_000; // 120s
+/**
+ * 管理等待决策的审批请求
+ * 每个请求对应一个 Promise — Socket 收到 decision 事件时 resolve
+ */
+class PendingStore {
+    requests = new Map();
+    /**
+     * 注册一个等待中的请求，返回 Promise<action>
+     * 超时自动 resolve 为 'timeout'
+     */
+    waitForDecision(requestId, toolName) {
+        return new Promise((resolve) => {
+            const timer = setTimeout(() => {
+                if (this.requests.has(requestId)) {
+                    this.requests.delete(requestId);
+                    logger_1.log.warn(`Request ${requestId} timed out (${TIMEOUT_MS / 1000}s)`);
+                    resolve('timeout');
+                }
+            }, TIMEOUT_MS);
+            this.requests.set(requestId, {
+                requestId,
+                toolName,
+                createdAt: Date.now(),
+                resolve,
+                timer,
+            });
+        });
+    }
+    /**
+     * 收到决策时调用 — 从 Socket decision 事件触发
+     */
+    resolve(requestId, action) {
+        const entry = this.requests.get(requestId);
+        if (!entry) {
+            logger_1.log.debug(`Decision for unknown request: ${requestId}`);
+            return;
+        }
+        clearTimeout(entry.timer);
+        this.requests.delete(requestId);
+        entry.resolve(action);
+    }
+    /**
+     * 当前等待中的请求数量
+     */
+    get size() {
+        return this.requests.size;
+    }
+    /**
+     * 清理所有请求（shutdown 时使用）
+     */
+    clear() {
+        for (const [, entry] of this.requests) {
+            clearTimeout(entry.timer);
+            entry.resolve('timeout');
+        }
+        this.requests.clear();
+    }
+}
+exports.pending = new PendingStore();
+//# sourceMappingURL=pending.js.map

package/dist/relay/pending.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pending.js","sourceRoot":"","sources":["../../src/relay/pending.ts"],"names":[],"mappings":";;;AAAA,0CAAoC;AAYpC,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,OAAO;AAEnC;;;GAGG;AACH,MAAM,YAAY;IACR,QAAQ,GAAG,IAAI,GAAG,EAA0B,CAAC;IAErD;;;OAGG;IACH,eAAe,CAAC,SAAiB,EAAE,QAAgB;QACjD,OAAO,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,EAAE;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;oBACjC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;oBAChC,YAAG,CAAC,IAAI,CAAC,WAAW,SAAS,eAAe,UAAU,GAAG,IAAI,IAAI,CAAC,CAAC;oBACnE,OAAO,CAAC,SAAS,CAAC,CAAC;gBACrB,CAAC;YACH,CAAC,EAAE,UAAU,CAAC,CAAC;YAEf,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE;gBAC3B,SAAS;gBACT,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,OAAO;gBACP,KAAK;aACN,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAiB,EAAE,MAAsB;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,YAAG,CAAC,KAAK,CAAC,iCAAiC,SAAS,EAAE,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK;QACH,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACtC,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC1B,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;CACF;AAEY,QAAA,OAAO,GAAG,IAAI,YAAY,EAAE,CAAC"}

package/dist/rules/engine.d.ts

@@ -0,0 +1,31 @@
+export type RiskAction = 'auto_allow' | 'require_confirm' | 'require_faceid';
+export interface Rule {
+    id: string;
+    toolPattern: string | null;
+    pathPattern: string | null;
+    risk: RiskAction;
+    priority: number;
+    description: string;
+}
+export interface RuleMatchResult {
+    matched: boolean;
+    rule: Rule | null;
+    action: RiskAction;
+}
+export declare function getRules(): Rule[];
+/** Set custom rules received from iOS (merged with file rules) */
+export declare function setCustomRules(rules: Rule[]): void;
+/** Watch rules.json for changes and auto-reload */
+export declare function watchRules(): void;
+/**
+ * 匹配工具调用 against 规则列表
+ *
+ * @param toolName   - 工具名，e.g. "Bash", "Write", "Edit"
+ * @param filePath   - 文件路径（可选），e.g. "/tmp/foo.txt"
+ * @returns          - 匹配结果：{ matched, rule, action }
+ */
+export declare function matchRules(toolName: string, filePath: string | null): RuleMatchResult;
+/**
+ * 将工具调用的风险等级映射为 server riskLevel
+ */
+export declare function riskToLevel(action: RiskAction): string;