@upx-us/shield 0.2.12-beta

package/dist/src/host-collector.js

@@ -0,0 +1,200 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectHostMetrics = collectHostMetrics;
+const child_process_1 = require("child_process");
+const os = __importStar(require("os"));
+function run(cmd) {
+    try {
+        return (0, child_process_1.execSync)(cmd, { timeout: 10000, encoding: 'utf-8' }).trim();
+    }
+    catch {
+        return '';
+    }
+}
+async function collectCpu() {
+    try {
+        const top = run('top -l 1 -n 0');
+        const m = top.match(/CPU usage:\s+([\d.]+)%\s+user,\s+([\d.]+)%\s+sys,\s+([\d.]+)%\s+idle/);
+        const idle = m ? parseFloat(m[3]) : null;
+        const usage = idle !== null ? Math.round((100 - idle) * 100) / 100 : null;
+        const loads = os.loadavg();
+        return {
+            usage,
+            load1: Math.round(loads[0] * 100) / 100,
+            load5: Math.round(loads[1] * 100) / 100,
+            load15: Math.round(loads[2] * 100) / 100,
+        };
+    }
+    catch {
+        return { usage: null, load1: null, load5: null, load15: null };
+    }
+}
+async function collectMemory() {
+    try {
+        const totalBytes = os.totalmem();
+        const freeBytes = os.freemem();
+        const totalMb = Math.round(totalBytes / 1024 / 1024);
+        const usedMb = Math.round((totalBytes - freeBytes) / 1024 / 1024);
+        const usagePercent = Math.round((usedMb / totalMb) * 10000) / 100;
+        return { totalMb, usedMb, usagePercent };
+    }
+    catch {
+        return { totalMb: null, usedMb: null, usagePercent: null };
+    }
+}
+async function collectDisk() {
+    try {
+        const df = run('df -g /');
+        const lines = df.split('\n');
+        if (lines.length < 2)
+            return { totalGb: null, usedGb: null, usagePercent: null };
+        const parts = lines[1].split(/\s+/);
+        const totalGb = parseInt(parts[1]);
+        const usedGb = parseInt(parts[2]);
+        const usagePercent = Math.round((usedGb / totalGb) * 10000) / 100;
+        return { totalGb, usedGb, usagePercent };
+    }
+    catch {
+        return { totalGb: null, usedGb: null, usagePercent: null };
+    }
+}
+async function collectUptime() {
+    try {
+        return Math.round(os.uptime());
+    }
+    catch {
+        return null;
+    }
+}
+async function collectNetwork() {
+    try {
+        const connCount = parseInt(run("netstat -an | grep ESTABLISHED | wc -l").trim()) || 0;
+        const lsof = run("lsof -iTCP -sTCP:LISTEN -P -n 2>/dev/null");
+        const ports = new Set();
+        for (const line of lsof.split('\n').slice(1)) {
+            const m = line.match(/:(\d+)\s/);
+            if (m)
+                ports.add(m[1]);
+        }
+        return {
+            connections: connCount,
+            listeningPorts: ports.size > 0 ? Array.from(ports).sort((a, b) => parseInt(a) - parseInt(b)).join(',') : null,
+        };
+    }
+    catch {
+        return { connections: null, listeningPorts: null };
+    }
+}
+async function collectTopProcesses() {
+    try {
+        const ps = run("ps aux -r | head -6");
+        const lines = ps.split('\n').slice(1); // skip header
+        const procs = lines.map(l => {
+            const parts = l.split(/\s+/);
+            return `${parts[10] || parts[parts.length - 1]}(${parts[2]}%)`;
+        });
+        return procs.join(', ') || null;
+    }
+    catch {
+        return null;
+    }
+}
+async function collectOpenClawStatus() {
+    try {
+        const out = run("pgrep -f 'openclaw' | wc -l");
+        const count = parseInt(out.trim()) || 0;
+        return {
+            status: count > 0 ? 'running' : 'stopped',
+            sessions: null, // would need API access
+        };
+    }
+    catch {
+        return { status: null, sessions: null };
+    }
+}
+async function collectHostMetrics() {
+    const cpu = await collectCpu();
+    const mem = await collectMemory();
+    const disk = await collectDisk();
+    const uptimeSec = await collectUptime();
+    const net = await collectNetwork();
+    const procs = await collectTopProcesses();
+    const oc = await collectOpenClawStatus();
+    const anomalies = [];
+    if (cpu.usage !== null && cpu.usage > 90)
+        anomalies.push(`CPU=${cpu.usage}%`);
+    if (mem.usagePercent !== null && mem.usagePercent > 90)
+        anomalies.push(`Memory=${mem.usagePercent}%`);
+    if (disk.usagePercent !== null && disk.usagePercent > 90)
+        anomalies.push(`Disk=${disk.usagePercent}%`);
+    const event = {
+        timestamp: new Date().toISOString(),
+        event_type: 'TOOL_CALL',
+        tool_name: 'host_telemetry',
+        session_id: 'host-monitor',
+        model: '',
+        hostname: os.hostname(),
+        product_name: 'OpenClaw',
+        vendor_name: 'UPX',
+        event_category: 'HOST_METRIC',
+        metric_type: 'system_snapshot',
+        cpu_usage_percent: cpu.usage,
+        cpu_load_1m: cpu.load1,
+        cpu_load_5m: cpu.load5,
+        cpu_load_15m: cpu.load15,
+        memory_total_mb: mem.totalMb,
+        memory_used_mb: mem.usedMb,
+        memory_usage_percent: mem.usagePercent,
+        disk_total_gb: disk.totalGb,
+        disk_used_gb: disk.usedGb,
+        disk_usage_percent: disk.usagePercent,
+        uptime_seconds: uptimeSec,
+        network_connections_count: net.connections,
+        network_listening_ports: net.listeningPorts,
+        top_processes: procs,
+        openclaw_gateway_status: oc.status,
+        openclaw_active_sessions: oc.sessions,
+        os_name: os.platform(),
+        os_version: os.release(),
+        arch: os.arch(),
+        tool_metadata: {
+            collection_method: 'shell_exec',
+            is_anomaly: anomalies.length > 0,
+            anomaly_details: anomalies.length > 0 ? anomalies.join('; ') : null,
+        },
+    };
+    return [event];
+}

package/dist/src/index.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/index.js

@@ -0,0 +1,210 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_1 = require("./config");
+const log = __importStar(require("./log"));
+const fetcher_1 = require("./fetcher");
+const transformer_1 = require("./transformer");
+const sender_1 = require("./sender");
+const redactor_1 = require("./redactor");
+const validator_1 = require("./validator");
+const fs_1 = require("fs");
+const version_1 = require("./version");
+let running = true;
+let lastTelemetryAt = 0;
+let consecutiveFailures = 0;
+const TELEMETRY_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
+const MAX_BACKOFF_MS = 5 * 60 * 1000; // 5 minutes
+function getBackoffInterval(baseMs) {
+    if (consecutiveFailures === 0)
+        return baseMs;
+    const backoff = baseMs * Math.pow(2, Math.min(consecutiveFailures, 10));
+    return Math.min(backoff, MAX_BACKOFF_MS);
+}
+async function poll() {
+    const config = (0, config_1.loadConfig)();
+    if (config.redactionEnabled) {
+        (0, redactor_1.init)();
+    }
+    log.info('bridge', `Starting — dryRun=${config.dryRun} poll=${config.pollIntervalMs}ms maxEvents=${config.maxEvents || 'unlimited'} redaction=${config.redactionEnabled} logLevel=${process.env.LOG_LEVEL || 'info'}`);
+    while (running) {
+        try {
+            let entries = await (0, fetcher_1.fetchNewEntries)(config);
+            const now = Date.now();
+            if (now - lastTelemetryAt >= TELEMETRY_INTERVAL_MS) {
+                // Host telemetry is no longer forwarded to Chronicle/SIEM.
+                // It is summarised server-side via the instance report sent to the
+                // platform backend (Cloud Run → uss.upx.com). This avoids noisy
+                // GENERIC_EVENT floods that trigger false-positive YARA-L rules.
+                (0, transformer_1.generateHostTelemetry)(); // still collect locally (for score / future use)
+                const instancePayload = {
+                    machine: {
+                        hostname: config.hostname,
+                        os: process.platform,
+                        arch: process.arch,
+                        node_version: process.version,
+                    },
+                    software: {
+                        plugin_version: version_1.VERSION,
+                        openclaw_version: (0, transformer_1.resolveOpenClawVersion)(),
+                        agent_label: (0, transformer_1.resolveAgentLabel)('main'),
+                    },
+                };
+                const platformOk = await (0, sender_1.reportInstance)(instancePayload, config.credentials);
+                log.info('bridge', `Instance report → Platform: success=${platformOk}`);
+                if (platformOk)
+                    lastTelemetryAt = now;
+            }
+            if (entries.length > 0) {
+                let envelopes = (0, transformer_1.transformEntries)(entries);
+                const { valid: validEnvelopes, quarantined } = (0, validator_1.validate)(envelopes.map(e => e.event));
+                if (quarantined > 0) {
+                    log.warn('bridge', `${quarantined} events quarantined (see ~/.openclaw/shield/data/quarantine.jsonl)`);
+                }
+                envelopes = envelopes.filter(e => validEnvelopes.includes(e.event));
+                if (config.maxEvents > 0 && envelopes.length > config.maxEvents) {
+                    log.info('bridge', `Limiting to ${config.maxEvents} of ${envelopes.length} events (maxEvents cap)`);
+                    envelopes = envelopes.slice(0, config.maxEvents);
+                }
+                if (config.redactionEnabled) {
+                    envelopes = envelopes.map(env => {
+                        const redacted = (0, redactor_1.redactEvent)(env);
+                        log.debug('redactor', `tool=${env.event.tool_name} session=${env.event.session_id}`, { event: redacted.event });
+                        return redacted;
+                    });
+                }
+                log.info('bridge', `${entries.length} entries → ${envelopes.length} envelopes`);
+                const results = await (0, sender_1.sendEvents)(envelopes, config);
+                for (const r of results) {
+                    if (r.success) {
+                        log.info('bridge', `Result: success=${r.success} status=${r.statusCode} events=${r.eventCount}`);
+                    }
+                    else {
+                        log.error('bridge', `Result: FAILED status=${r.statusCode} events=${r.eventCount} body=${r.body?.slice(0, 200)}`);
+                    }
+                }
+                const allSuccess = results.every(r => r.success);
+                if (allSuccess) {
+                    (0, fetcher_1.commitCursors)(config, entries);
+                    if (config.redactionEnabled)
+                        (0, redactor_1.flush)();
+                    log.info('bridge', 'Cursors committed');
+                    consecutiveFailures = 0;
+                }
+                else {
+                    consecutiveFailures++;
+                    log.warn('bridge', 'Some batches failed — cursors NOT updated (will retry next poll)');
+                }
+                if (config.maxEvents > 0) {
+                    log.info('bridge', 'Test mode complete, exiting');
+                    running = false;
+                    break;
+                }
+            }
+            else {
+                consecutiveFailures = 0;
+            }
+        }
+        catch (err) {
+            consecutiveFailures++;
+            log.error('bridge', 'Poll error', err);
+        }
+        if (!running)
+            break;
+        const interval = getBackoffInterval(config.pollIntervalMs);
+        if (interval !== config.pollIntervalMs) {
+            log.warn('bridge', `Backing off: next poll in ${Math.round(interval / 1000)}s (${consecutiveFailures} consecutive failures)`);
+        }
+        await new Promise(r => setTimeout(r, interval));
+    }
+    if (config.redactionEnabled)
+        (0, redactor_1.flush)();
+    console.log('[Shield Bridge] Stopped');
+}
+function checkConfiguration() {
+    if (!(0, fs_1.existsSync)(config_1.SHIELD_CONFIG_PATH)) {
+        const { SHIELD_API_URL, SHIELD_INSTANCE_ID, SHIELD_HMAC_SECRET, SHIELD_FINGERPRINT, SHIELD_SECRET } = process.env;
+        // Support both new and legacy env var names
+        if (SHIELD_API_URL && (SHIELD_INSTANCE_ID || SHIELD_FINGERPRINT) && (SHIELD_HMAC_SECRET || SHIELD_SECRET))
+            return true;
+        console.log('🛡️  OpenClaw Shield — First Time Setup Required');
+        console.log('=================================================\n');
+        console.log(`No config found at ${config_1.SHIELD_CONFIG_PATH}`);
+        console.log('Run the setup wizard to connect to your Shield API:\n');
+        console.log('  npx shield-setup\n');
+        return false;
+    }
+    (0, config_1.injectConfigEnv)();
+    const creds = (0, config_1.loadCredentials)();
+    if (!creds.apiUrl || !creds.instanceId || !creds.hmacSecret) {
+        console.error('❌ Shield config is incomplete. Missing apiUrl, instanceId, or hmacSecret.');
+        console.error(`   Config file: ${config_1.SHIELD_CONFIG_PATH}`);
+        console.error('   Run: npx shield-setup');
+        return false;
+    }
+    return true;
+}
+if (!checkConfiguration()) {
+    process.exit(1);
+}
+const config = (0, config_1.loadConfig)();
+process.on('SIGINT', () => {
+    console.log('\n[Shield Bridge] Shutting down...');
+    if (config.redactionEnabled)
+        (0, redactor_1.flush)();
+    running = false;
+});
+process.on('SIGTERM', () => {
+    console.log('\n[Shield Bridge] Received SIGTERM, shutting down gracefully...');
+    if (config.redactionEnabled)
+        (0, redactor_1.flush)();
+    running = false;
+});
+poll().catch((err) => {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error('[Shield Bridge] Fatal error:', msg);
+    if (msg.includes('ENOTFOUND') || msg.includes('ECONNREFUSED')) {
+        console.error('\n💡 This looks like a network connectivity issue.');
+        console.error('   - Check your Shield API URL in the configuration');
+        console.error('   - Verify your internet connection');
+        console.error('   - Run: npm run setup -- --verify');
+    }
+    else if (msg.includes('401') || msg.includes('403')) {
+        console.error('\n💡 This looks like an authentication issue.');
+        console.error('   - Verify your Shield API credentials');
+        console.error('   - Run: npm run setup');
+    }
+    process.exit(1);
+});

package/dist/src/log.d.ts

@@ -0,0 +1,39 @@
+/**
+ * log.ts — Structured logger for the Shield plugin
+ *
+ * Supports two backends via the LogAdapter interface:
+ *   1. ConsoleLogAdapter (default) — used in standalone/docker bridge mode
+ *   2. Gateway adapter — injected by the plugin entry via setAdapter()
+ *
+ * All internal modules use `import * as log from './log'` unchanged.
+ * Standalone mode never calls setAdapter(), so console logging works
+ * identically to a direct console.log/warn/error setup.
+ *
+ * Log level is controlled by LOG_LEVEL env var: debug | info | warn | error
+ * (default: info). In debug mode, pipeline stages emit detailed per-event
+ * output (transformer, validator, redactor, sender).
+ */
+export interface LogAdapter {
+    debug(tag: string, msg: string, data?: unknown): void;
+    info(tag: string, msg: string): void;
+    warn(tag: string, msg: string): void;
+    error(tag: string, msg: string, err?: unknown): void;
+}
+/**
+ * Swap the log backend. Plugin mode calls this with a Gateway-backed adapter.
+ * Standalone/docker mode never calls this — console logging remains the default.
+ * Also invalidates the cached log level so it is re-resolved on next call.
+ */
+export declare function setAdapter(adapter: LogAdapter): void;
+/** Reset to the default console adapter (useful for tests). */
+export declare function resetAdapter(): void;
+/**
+ * isDebug — dynamic property check.
+ * Accessed as `log.isDebug` (property, not function call) throughout the codebase.
+ * Using Object.defineProperty to make it a live getter on the module exports.
+ */
+export declare let isDebug: boolean;
+export declare function debug(tag: string, msg: string, data?: unknown): void;
+export declare function info(tag: string, msg: string): void;
+export declare function warn(tag: string, msg: string): void;
+export declare function error(tag: string, msg: string, err?: unknown): void;

package/dist/src/log.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * log.ts — Structured logger for the Shield plugin
+ *
+ * Supports two backends via the LogAdapter interface:
+ *   1. ConsoleLogAdapter (default) — used in standalone/docker bridge mode
+ *   2. Gateway adapter — injected by the plugin entry via setAdapter()
+ *
+ * All internal modules use `import * as log from './log'` unchanged.
+ * Standalone mode never calls setAdapter(), so console logging works
+ * identically to a direct console.log/warn/error setup.
+ *
+ * Log level is controlled by LOG_LEVEL env var: debug | info | warn | error
+ * (default: info). In debug mode, pipeline stages emit detailed per-event
+ * output (transformer, validator, redactor, sender).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isDebug = void 0;
+exports.setAdapter = setAdapter;
+exports.resetAdapter = resetAdapter;
+exports.debug = debug;
+exports.info = info;
+exports.warn = warn;
+exports.error = error;
+const LEVEL_RANK = { debug: 0, info: 1, warn: 2, error: 3 };
+function resolveLevel() {
+    const raw = (process.env.LOG_LEVEL || 'info').toLowerCase();
+    if (raw in LEVEL_RANK)
+        return raw;
+    return 'info';
+}
+let cachedLevel = null;
+function getLevel() {
+    if (cachedLevel === null)
+        cachedLevel = resolveLevel();
+    return cachedLevel;
+}
+function fmt(level, tag, msg) {
+    const ts = new Date().toISOString().slice(11, 23); // HH:MM:SS.mmm
+    return `[${ts}] [${level.toUpperCase().padEnd(5)}] [${tag}] ${msg}`;
+}
+const consoleAdapter = {
+    debug(tag, msg, data) {
+        if (LEVEL_RANK[getLevel()] > LEVEL_RANK.debug)
+            return;
+        console.debug(fmt('debug', tag, msg));
+        if (data !== undefined)
+            console.debug(JSON.stringify(data, null, 2));
+    },
+    info(tag, msg) {
+        if (LEVEL_RANK[getLevel()] > LEVEL_RANK.info)
+            return;
+        console.log(fmt('info', tag, msg));
+    },
+    warn(tag, msg) {
+        if (LEVEL_RANK[getLevel()] > LEVEL_RANK.warn)
+            return;
+        console.warn(fmt('warn', tag, msg));
+    },
+    error(tag, msg, err) {
+        console.error(fmt('error', tag, msg));
+        if (err)
+            console.error(err);
+    },
+};
+let activeAdapter = consoleAdapter;
+/**
+ * Swap the log backend. Plugin mode calls this with a Gateway-backed adapter.
+ * Standalone/docker mode never calls this — console logging remains the default.
+ * Also invalidates the cached log level so it is re-resolved on next call.
+ */
+function setAdapter(adapter) {
+    activeAdapter = adapter;
+    cachedLevel = null;
+}
+/** Reset to the default console adapter (useful for tests). */
+function resetAdapter() {
+    activeAdapter = consoleAdapter;
+    cachedLevel = null;
+}
+/**
+ * isDebug — dynamic property check.
+ * Accessed as `log.isDebug` (property, not function call) throughout the codebase.
+ * Using Object.defineProperty to make it a live getter on the module exports.
+ */
+exports.isDebug = LEVEL_RANK[getLevel()] <= LEVEL_RANK.debug;
+Object.defineProperty(exports, 'isDebug', {
+    get: () => LEVEL_RANK[getLevel()] <= LEVEL_RANK.debug,
+    enumerable: true,
+});
+function debug(tag, msg, data) {
+    activeAdapter.debug(tag, msg, data);
+}
+function info(tag, msg) {
+    activeAdapter.info(tag, msg);
+}
+function warn(tag, msg) {
+    activeAdapter.warn(tag, msg);
+}
+function error(tag, msg, err) {
+    activeAdapter.error(tag, msg, err);
+}

package/dist/src/redactor/base.d.ts

@@ -0,0 +1,29 @@
+/**
+ * src/redactor/base.ts — Core types for the strategy-based redaction system.
+ *
+ * Every redaction strategy implements RedactionStrategy. Strategies are pure
+ * data transforms: they receive a value and an injected hmac function, and
+ * return a redacted string. No I/O, no key management, no side effects.
+ */
+/**
+ * Produces a deterministic token (e.g. 'user:a3f9b2c1d4e5') and records the
+ * original-to-token mapping in the vault. Injected into strategies so they
+ * never own key management or storage.
+ */
+export type HmacFn = (category: string, value: string) => string;
+/**
+ * Contract every redaction strategy must satisfy.
+ * The `key` string is what event `FieldRedaction.strategy` references.
+ */
+export interface RedactionStrategy {
+    /** Unique identifier — must match the `strategy` field in FieldRedaction rules */
+    key: string;
+    /** Human-readable description for documentation and debugging */
+    description: string;
+    /**
+     * Apply redaction to a single string value.
+     * Must be pure: same inputs always produce same outputs.
+     * Must not throw on empty strings or unusual inputs.
+     */
+    redact: (value: string, hmac: HmacFn) => string;
+}

package/dist/src/redactor/base.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * src/redactor/base.ts — Core types for the strategy-based redaction system.
+ *
+ * Every redaction strategy implements RedactionStrategy. Strategies are pure
+ * data transforms: they receive a value and an injected hmac function, and
+ * return a redacted string. No I/O, no key management, no side effects.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/redactor/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * src/redactor/index.ts — Strategy engine, event redaction, and public API.
+ *
+ * This module wires vault + strategies into a single redaction engine.
+ * All imports of './redactor' resolve here (TypeScript: directory + index.ts).
+ */
+import type { FieldRedaction } from '../events/base';
+/**
+ * Apply a single FieldRedaction rule to an object via dot-notation path.
+ * Missing fields and null values are silently skipped.
+ * Unknown strategy keys throw a descriptive error.
+ */
+export declare function applyFieldRedaction(obj: any, rule: FieldRedaction): void;
+/**
+ * Deep-redact a Shield envelope. Returns a new object (does not mutate input).
+ * Applies base redactions + schema-specific redactions based on tool_category.
+ */
+export declare function redactEvent(envelope: any): any;
+export declare function redactUsername(value: string): string;
+export declare function redactHostname(value: string): string;
+export declare function redactPath(value: string): string;
+export declare function redactCommand(value: string): string;
+export declare function init(): void;
+export declare function flush(): void;
+export declare function reverseLookup(token: string): string | null;
+export declare function getAllMappings(): Record<string, string>;
+export declare function _initForTesting(secret: string): void;