@upx-us/shield 0.2.16-beta → 0.3.5

package/dist/src/config.d.ts

@@ -15,24 +15,10 @@ export interface Config {
     redactionEnabled: boolean;
     credentials: ShieldCredentials;
 }
-/** Canonical config location — shared by setup, bridge, and plugin entry. */
 export declare const SHIELD_CONFIG_PATH: string;
-/**
- * Inject config file values into process.env so the standalone bridge
- * (sender, fetcher, etc.) can read credentials via env vars.
- * Values already set in the environment take precedence (allows override).
- */
 export declare function injectConfigEnv(): void;
-/**
- * Load credentials from config.env file and environment variables.
- * Supports new env var names with backward compat for the old names.
- */
 export declare function loadCredentials(): ShieldCredentials;
-/**
- * Build credentials from a plugin config object (openclaw.json).
- * Falls back to config.env / env vars for any missing values.
- */
-export declare function loadCredentialsFromPluginConfig(pluginConfig: Record<string, unknown>): ShieldCredentials;
+export declare function loadCredentialsFromPluginConfig(_pluginConfig: Record<string, unknown>): ShieldCredentials;
 export interface ConfigOverrides {
     credentials?: ShieldCredentials;
     dryRun?: boolean;

package/dist/src/config.js

@@ -42,7 +42,6 @@ const os_1 = require("os");
 const path_1 = require("path");
 const fs_1 = require("fs");
 const log = __importStar(require("./log"));
-/** Default OpenClaw agents directory */
 const OPENCLAW_AGENTS_DIR = (0, path_1.join)((0, os_1.homedir)(), '.openclaw/agents');
 function safeParseInt(value, fallback) {
     if (!value)
@@ -50,13 +49,6 @@ function safeParseInt(value, fallback) {
     const parsed = parseInt(value, 10);
     return isNaN(parsed) ? fallback : parsed;
 }
-function optString(val) {
-    return val != null ? String(val) : '';
-}
-/**
- * Auto-discover all agent session directories.
- * Scans ~/.openclaw/agents/{agent}/sessions for directories that exist.
- */
 function discoverSessionDirs() {
     const dirs = [];
     if (!(0, fs_1.existsSync)(OPENCLAW_AGENTS_DIR))
@@ -74,15 +66,7 @@ function discoverSessionDirs() {
     }
     return dirs;
 }
-/** Canonical config location — shared by setup, bridge, and plugin entry. */
 exports.SHIELD_CONFIG_PATH = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'config.env');
-/**
- * Load config file if it exists (~/.openclaw/shield/config.env).
- * Parses KEY=VALUE lines into a flat record. Lines starting with # are ignored.
- *
- * The path can be overridden by SHIELD_CONFIG_PATH env var — used in tests
- * to isolate from real credentials on the developer machine.
- */
 function loadConfigFile() {
     const configPath = process.env.SHIELD_CONFIG_PATH || exports.SHIELD_CONFIG_PATH;
     if (!(0, fs_1.existsSync)(configPath))
@@ -103,14 +87,9 @@ function loadConfigFile() {
         }
         return result;
     }
-    catch { /* corrupt config — use defaults */ }
+    catch { }
     return {};
 }
-/**
- * Inject config file values into process.env so the standalone bridge
- * (sender, fetcher, etc.) can read credentials via env vars.
- * Values already set in the environment take precedence (allows override).
- */
 function injectConfigEnv() {
     const file = loadConfigFile();
     for (const [key, val] of Object.entries(file)) {
@@ -118,10 +97,6 @@ function injectConfigEnv() {
             process.env[key] = val;
     }
 }
-/**
- * Load credentials from config.env file and environment variables.
- * Supports new env var names with backward compat for the old names.
- */
 function loadCredentials() {
     const file = loadConfigFile();
     function resolve(newName, oldName) {
@@ -138,19 +113,8 @@ function loadCredentials() {
         shieldEnv: process.env.SHIELD_ENV || file.SHIELD_ENV || '',
     };
 }
-/**
- * Build credentials from a plugin config object (openclaw.json).
- * Falls back to config.env / env vars for any missing values.
- */
-function loadCredentialsFromPluginConfig(pluginConfig) {
-    const fileCreds = loadCredentials();
-    return {
-        apiUrl: optString(pluginConfig.apiUrl) || fileCreds.apiUrl,
-        hmacSecret: optString(pluginConfig.registrationKey) || fileCreds.hmacSecret,
-        instanceId: optString(pluginConfig.instanceId) || fileCreds.instanceId,
-        // shieldEnv is internal — not exposed in plugin config (customers only see PROD)
-        shieldEnv: fileCreds.shieldEnv,
-    };
+function loadCredentialsFromPluginConfig(_pluginConfig) {
+    return loadCredentials();
 }
 function loadConfig(overrides) {
     if (!overrides?.credentials) {

package/dist/src/counters.d.ts

@@ -0,0 +1,14 @@
+export declare function recordEventType(eventType: string): void;
+export declare function getEventTypeCounts(): Array<{
+    type: string;
+    count: number;
+}>;
+export declare function getTotalEventCount(): number;
+export declare function recordRedaction(category: string): void;
+export declare function getRedactionCounts(): Array<{
+    category: string;
+    count: number;
+}>;
+export declare function getTotalRedactionCount(): number;
+export declare function formatStats(): string;
+export declare function _resetCountersForTesting(): void;

package/dist/src/counters.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.recordEventType = recordEventType;
+exports.getEventTypeCounts = getEventTypeCounts;
+exports.getTotalEventCount = getTotalEventCount;
+exports.recordRedaction = recordRedaction;
+exports.getRedactionCounts = getRedactionCounts;
+exports.getTotalRedactionCount = getTotalRedactionCount;
+exports.formatStats = formatStats;
+exports._resetCountersForTesting = _resetCountersForTesting;
+const eventTypeCounts = new Map();
+let sessionStartedAt = Date.now();
+function recordEventType(eventType) {
+    if (!eventType)
+        return;
+    eventTypeCounts.set(eventType, (eventTypeCounts.get(eventType) ?? 0) + 1);
+}
+function getEventTypeCounts() {
+    return Array.from(eventTypeCounts.entries())
+        .map(([type, count]) => ({ type, count }))
+        .sort((a, b) => b.count - a.count);
+}
+function getTotalEventCount() {
+    let total = 0;
+    for (const v of eventTypeCounts.values())
+        total += v;
+    return total;
+}
+const redactionCounts = new Map();
+function recordRedaction(category) {
+    if (!category)
+        return;
+    redactionCounts.set(category, (redactionCounts.get(category) ?? 0) + 1);
+}
+function getRedactionCounts() {
+    return Array.from(redactionCounts.entries())
+        .map(([category, count]) => ({ category, count }))
+        .sort((a, b) => b.count - a.count);
+}
+function getTotalRedactionCount() {
+    let total = 0;
+    for (const v of redactionCounts.values())
+        total += v;
+    return total;
+}
+const BAR_CHARS = '████████████████████';
+const BAR_MAX_WIDTH = 8;
+function bar(count, max) {
+    if (max === 0)
+        return '';
+    const filled = Math.max(1, Math.round((count / max) * BAR_MAX_WIDTH));
+    return BAR_CHARS.slice(0, filled);
+}
+function formatStats() {
+    const totalEvents = getTotalEventCount();
+    const eventRows = getEventTypeCounts();
+    const maxEventCount = eventRows[0]?.count ?? 0;
+    const totalRedactions = getTotalRedactionCount();
+    const redactionRows = getRedactionCounts();
+    const uptimeSec = Math.round((Date.now() - sessionStartedAt) / 1000);
+    const uptimeLabel = uptimeSec < 60
+        ? `${uptimeSec}s`
+        : uptimeSec < 3600
+            ? `${Math.floor(uptimeSec / 60)}m`
+            : `${(uptimeSec / 3600).toFixed(1)}h`;
+    const lines = [];
+    lines.push(`🛡️  Shield Stats (session uptime: ${uptimeLabel})`);
+    lines.push('');
+    lines.push(`📊 Events transmitted: ${totalEvents}`);
+    if (eventRows.length === 0) {
+        lines.push('  (no events yet)');
+    }
+    else {
+        for (const { type, count } of eventRows) {
+            const b = bar(count, maxEventCount);
+            lines.push(`  ${type.padEnd(20)} ${b.padEnd(BAR_MAX_WIDTH + 1)} ${count}`);
+        }
+    }
+    lines.push('');
+    lines.push(`🔒 Redactions applied: ${totalRedactions}`);
+    if (redactionRows.length === 0) {
+        lines.push('  (none)');
+    }
+    else {
+        for (const { category, count } of redactionRows) {
+            lines.push(`  ${category.padEnd(20)} ${count}`);
+        }
+        lines.push('  (values never stored or transmitted)');
+    }
+    return lines.join('\n');
+}
+function _resetCountersForTesting() {
+    eventTypeCounts.clear();
+    redactionCounts.clear();
+    sessionStartedAt = Date.now();
+}

package/dist/src/events/base.d.ts

@@ -1,14 +1,7 @@
-/**
- * base.ts — Core types, composable blocks, and generic engine for the Shield event model.
- *
- * All event types extend BaseEvent. The engine composes base rules with type-specific rules.
- * Individual event types never redeclare base-level concerns.
- */
 export interface BaseEvent {
     timestamp: string;
     event_type: 'TOOL_CALL' | 'TOOL_RESULT';
     tool_name: string;
-    /** Discriminator — lets the parser know the shape of each event */
     tool_category: string;
     session_id: string;
     model?: string;
@@ -22,7 +15,6 @@ export interface BaseEvent {
     };
     tool_metadata?: Record<string, string | null>;
 }
-/** Attach to any event type when network context is relevant (SSH, HTTP, etc.) */
 export interface NetworkBlock {
     network: {
         session_id: string;
@@ -30,11 +22,6 @@ export interface NetworkBlock {
         direction: string;
     };
 }
-/**
- * Attach to any event type when a security-relevant finding is detected.
- * NOTE: `target` is NOT a composable block — each event type owns its `target` shape
- * to avoid property collisions across types.
- */
 export interface SecurityResultBlock {
     security_result: {
         severity: string;
@@ -42,10 +29,8 @@ export interface SecurityResultBlock {
         category: string;
     };
 }
-/** Dot-notation path to a field in an event, plus the redaction strategy to apply */
 export interface FieldRedaction {
     path: string;
-    /** Strategy key — must match a registered RedactionStrategy in src/redactor/strategies/ */
     strategy: string;
 }
 export interface ValidationResult {
@@ -53,13 +38,11 @@ export interface ValidationResult {
     field?: string;
     error?: string;
 }
-/** Raw tool call from the JSONL session file */
 export interface RawToolCall {
     name: string;
     id?: string;
     arguments: Record<string, any>;
 }
-/** Context passed to every enrich() function */
 export interface EnrichmentContext {
     sessionId: string;
     agentId: string;
@@ -86,10 +69,8 @@ export interface SourceInfo {
         transport: string;
     };
 }
-/** Schema descriptor — one per event type */
 export interface EventSchema<T extends BaseEvent = BaseEvent> {
     category: string;
-    /** Pure, fast matcher. First match wins. GenericSchema must be last. */
     match: (tool: RawToolCall) => boolean;
     enrich: (tool: RawToolCall, context: EnrichmentContext) => T;
     redactions: FieldRedaction[];
@@ -98,13 +79,7 @@ export interface EventSchema<T extends BaseEvent = BaseEvent> {
 export declare const baseValidations: {
     validate(event: BaseEvent): ValidationResult;
 };
-/** Applied to every event, regardless of type */
 export declare const baseRedactions: FieldRedaction[];
-/**
- * Run base validations first, then type-specific validations.
- * Returns the first failure encountered.
- */
 export declare function validateEvent(event: BaseEvent, schema: EventSchema): ValidationResult;
-/** Convert all values in a metadata object to strings (Chronicle CBN can't extract booleans/integers) */
 export declare function stringifyMetadata(meta: Record<string, any>): Record<string, string | null>;
 export declare function truncate(s: string, max?: number): string;

package/dist/src/events/base.js

@@ -1,16 +1,9 @@
 "use strict";
-/**
- * base.ts — Core types, composable blocks, and generic engine for the Shield event model.
- *
- * All event types extend BaseEvent. The engine composes base rules with type-specific rules.
- * Individual event types never redeclare base-level concerns.
- */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.baseRedactions = exports.baseValidations = void 0;
 exports.validateEvent = validateEvent;
 exports.stringifyMetadata = stringifyMetadata;
 exports.truncate = truncate;
-// ─── Base Validations ─────────────────────────────────────────────────────────
 exports.baseValidations = {
     validate(event) {
         if (!event.timestamp)
@@ -26,24 +19,16 @@ exports.baseValidations = {
         return { valid: true };
     },
 };
-// ─── Base Redactions ──────────────────────────────────────────────────────────
-/** Applied to every event, regardless of type */
 exports.baseRedactions = [
     { path: 'principal.hostname', strategy: 'hostname' },
     { path: 'principal.user', strategy: 'username' },
 ];
-// ─── Generic Engine ───────────────────────────────────────────────────────────
-/**
- * Run base validations first, then type-specific validations.
- * Returns the first failure encountered.
- */
 function validateEvent(event, schema) {
     const baseResult = exports.baseValidations.validate(event);
     if (!baseResult.valid)
         return baseResult;
     return schema.validate(event);
 }
-/** Convert all values in a metadata object to strings (Chronicle CBN can't extract booleans/integers) */
 function stringifyMetadata(meta) {
     const result = {};
     for (const [k, v] of Object.entries(meta)) {

package/dist/src/events/browser/enrich.js

@@ -41,6 +41,6 @@ function enrich(tool, ctx) {
         event.network = { session_id: ctx.sessionId, protocol: 'HTTPS', direction: 'OUTBOUND' };
         event.tool_metadata = (0, base_1.stringifyMetadata)(meta);
     }
-    catch { /* no valid URL */ }
+    catch { }
     return event;
 }

package/dist/src/events/exec/enrich.js

@@ -14,7 +14,6 @@ function enrich(tool, ctx) {
         cmd_has_sudo: /\bsudo\b/.test(cmd),
         cmd_has_pipe: /\|/.test(cmd),
     };
-    // Process scope escape detection (kill/pkill/killall)
     if (/^(kill|pkill|killall)$/.test(rootCmd)) {
         const pidMatch = cmd.match(/\bkill\s+(?:-\d+\s+)?(\d+)/);
         if (pidMatch) {
@@ -42,7 +41,6 @@ function enrich(tool, ctx) {
         target: { command_line: (0, base_1.truncate)(cmd) },
         tool_metadata: (0, base_1.stringifyMetadata)(meta),
     };
-    // SSH / SCP / rsync detection
     if (/^(ssh|scp|rsync)\b/.test(rootCmd)) {
         const stripped = cmd.replace(/\s-[ipoFlJWbDeLRw]\s+\S+/g, ' ').replace(/\s-[^\s]+/g, ' ');
         const parts = stripped.trim().split(/\s+/).slice(1);

package/dist/src/events/exec/redactions.d.ts

@@ -1,3 +1,2 @@
 import { FieldRedaction } from '../base';
-/** Exec-specific redaction rules. Base redactions (principal.hostname, principal.user) are applied automatically. */
 export declare const redactions: FieldRedaction[];

package/dist/src/events/exec/redactions.js

@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.redactions = void 0;
-/** Exec-specific redaction rules. Base redactions (principal.hostname, principal.user) are applied automatically. */
 exports.redactions = [
     { path: 'command', strategy: 'command' },
     { path: 'command', strategy: 'secret-key' },

package/dist/src/events/file/enrich.js

@@ -9,9 +9,6 @@ function enrich(tool, ctx) {
     const ext = (0, path_1.extname)(fp) || null;
     const isSystem = /^\/(etc|usr|var|sys|proc)(\/|$)/.test(fp);
     const configExts = ['.json', '.yaml', '.yml', '.toml', '.env', '.conf', '.cfg', '.ini'];
-    // Note: extname('.env') returns '' in Node (dotfiles treated as no extension).
-    // file_is_config uses extension-based detection only. Dotfile detection is a known
-    // limitation (issue #6) — tracked for a future dedicated dotfile enrichment rule.
     const isMemoryFile = /\/(MEMORY\.md|memory\/.*\.md)$/.test(fp);
     const toolName = tool.name;
     const meta = {

package/dist/src/events/generic/index.d.ts

@@ -1,5 +1,4 @@
 import { EventSchema } from '../base';
 import { GenericEvent } from './event';
 export type { GenericEvent };
-/** Fallback schema — always matches. MUST be last in the registry. */
 export declare const GenericSchema: EventSchema<GenericEvent>;

package/dist/src/events/generic/index.js

@@ -4,7 +4,6 @@ exports.GenericSchema = void 0;
 const enrich_1 = require("./enrich");
 const redactions_1 = require("./redactions");
 const validations_1 = require("./validations");
-/** Fallback schema — always matches. MUST be last in the registry. */
 exports.GenericSchema = {
     category: 'generic',
     match: (_tool) => true,

package/dist/src/events/index.d.ts

@@ -1,10 +1,3 @@
-/**
- * src/events/index.ts — Shield Event Registry
- *
- * Imports all schemas and builds the ordered lookup array.
- * GenericSchema is always last — it matches everything and acts as the fallback.
- * First match wins; schemas are evaluated in order.
- */
 import { EventSchema } from './base';
 export type { ExecEvent } from './exec';
 export type { FileEvent } from './file';
@@ -30,11 +23,5 @@ import type { GatewayEvent } from './gateway';
 import type { HostTelemetryEvent } from './host-telemetry';
 import type { ToolResultEvent } from './tool-result';
 import type { GenericEvent } from './generic';
-/** Discriminated union of all Shield event types */
 export type ShieldEvent = ExecEvent | FileEvent | WebEvent | BrowserEvent | MessageEvent | SessionsSpawnEvent | CronEvent | GatewayEvent | HostTelemetryEvent | ToolResultEvent | GenericEvent;
-/**
- * Ordered registry of all event schemas.
- * GenericSchema MUST remain last.
- * eslint-disable-next-line @typescript-eslint/no-explicit-any
- */
 export declare const schemas: EventSchema<any>[];

package/dist/src/events/index.js

@@ -1,11 +1,4 @@
 "use strict";
-/**
- * src/events/index.ts — Shield Event Registry
- *
- * Imports all schemas and builds the ordered lookup array.
- * GenericSchema is always last — it matches everything and acts as the fallback.
- * First match wins; schemas are evaluated in order.
- */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.schemas = exports.buildToolResult = void 0;
 const exec_1 = require("./exec");
@@ -20,11 +13,6 @@ const host_telemetry_1 = require("./host-telemetry");
 const generic_1 = require("./generic");
 var tool_result_1 = require("./tool-result");
 Object.defineProperty(exports, "buildToolResult", { enumerable: true, get: function () { return tool_result_1.buildToolResult; } });
-/**
- * Ordered registry of all event schemas.
- * GenericSchema MUST remain last.
- * eslint-disable-next-line @typescript-eslint/no-explicit-any
- */
 exports.schemas = [
     exec_1.ExecSchema,
     file_1.FileSchema,
@@ -35,5 +23,5 @@ exports.schemas = [
     cron_1.CronSchema,
     gateway_1.GatewaySchema,
     host_telemetry_1.HostTelemetrySchema,
-    generic_1.GenericSchema, // always last
+    generic_1.GenericSchema,
 ];

package/dist/src/events/message/validations.js

@@ -1,7 +1,4 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validate = validate;
-// MessageEvent has no required type-specific fields beyond BaseEvent.
-// Base validations (timestamp, session_id, tool_name, principal.hostname) run
-// automatically before this function — no additional checks needed here.
 function validate(_event) { return { valid: true }; }

package/dist/src/events/sessions-spawn/enrich.js

@@ -33,7 +33,6 @@ function enrich(tool, ctx) {
             user: ctx.agentId,
         },
         arguments_summary: (0, base_1.truncate)(task),
-        // target.command_line required by parser for PROCESS_LAUNCH mapping
         target: { command_line: (0, base_1.truncate)(task) },
         tool_metadata: (0, base_1.stringifyMetadata)(meta),
     };

package/dist/src/events/sessions-spawn/event.d.ts

@@ -2,7 +2,6 @@ import { BaseEvent } from '../base';
 export interface SessionsSpawnEvent extends BaseEvent {
     tool_category: 'sessions_spawn';
     arguments_summary?: string;
-    /** target.command_line = task description — required by parser for PROCESS_LAUNCH mapping */
     target?: {
         command_line?: string;
     };

package/dist/src/events/tool-result/enrich.js

@@ -15,7 +15,6 @@ function buildToolResult(raw, ctx) {
         result_size_bytes: String(resultText.length),
         result_is_large: resultText.length > 50000,
     };
-    // ANSI injection detection
     const ansiMatches = resultText.match(/\x1b\[[0-9;]*[a-zA-Z]|\x1b\]|\x07|\x1b\(B/g);
     if (ansiMatches && ansiMatches.length > 0) {
         meta['ansi_content_detected'] = 'true';

package/dist/src/events/tool-result/redactions.js

@@ -2,6 +2,5 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.redactions = void 0;
 exports.redactions = [
-    // result_summary may contain API keys or tokens in command output — scrub them
     { path: 'result_summary', strategy: 'secret-key' },
 ];

package/dist/src/events/web/enrich.d.ts

@@ -1,8 +1,4 @@
 import { RawToolCall, EnrichmentContext } from '../base';
 import { WebEvent } from './event';
-/**
- * Returns true for loopback, RFC 1918, link-local, and cloud metadata endpoints.
- * 169.254.169.254 is the AWS/GCP/Azure instance metadata endpoint — a critical IoC.
- */
 export declare function isInternalUrl(u: URL): boolean;
 export declare function enrich(tool: RawToolCall, ctx: EnrichmentContext): WebEvent;

package/dist/src/events/web/enrich.js

@@ -3,32 +3,25 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.isInternalUrl = isInternalUrl;
 exports.enrich = enrich;
 const base_1 = require("../base");
-/**
- * Returns true for loopback, RFC 1918, link-local, and cloud metadata endpoints.
- * 169.254.169.254 is the AWS/GCP/Azure instance metadata endpoint — a critical IoC.
- */
 function isInternalUrl(u) {
-    // Node.js URL parser wraps IPv6 in brackets: [::1] — strip them for comparison
     const h = u.hostname;
     const bare = h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h;
     if (bare === 'localhost' || bare === '127.0.0.1' || bare === '::1')
         return true;
     if (/^169\.254\./.test(bare))
-        return true; // link-local / cloud metadata
+        return true;
     if (/^10\./.test(bare))
-        return true; // RFC 1918 Class A
+        return true;
     if (/^192\.168\./.test(bare))
-        return true; // RFC 1918 Class C
+        return true;
     if (/^172\.(1[6-9]|2\d|3[01])\./.test(bare))
-        return true; // RFC 1918 Class B
+        return true;
     if (/\.(local|internal|localhost)$/.test(bare))
-        return true; // internal hostnames
+        return true;
     return false;
 }
 function enrich(tool, ctx) {
     const args = tool.arguments;
-    // web_search args have `query` but no `url` — synthesise a canonical search URL
-    // so the parser gets a valid target hostname for NETWORK_HTTP mapping
     const rawUrl = args.url || args.targetUrl || '';
     const url = rawUrl || (tool.name === 'web_search' && args.query
         ? `https://search.brave.com/search?q=${encodeURIComponent(String(args.query).slice(0, 200))}`
@@ -61,7 +54,6 @@ function enrich(tool, ctx) {
         const u = new URL(url);
         event.target.hostname = u.hostname;
         event.target.url_domain = u.hostname;
-        // Reflect actual protocol (HTTP vs HTTPS) in the network block
         if (event.network) {
             event.network.protocol = u.protocol === 'http:' ? 'HTTP' : 'HTTPS';
         }
@@ -73,6 +65,6 @@ function enrich(tool, ctx) {
             url_is_internal: isInternalUrl(u),
         });
     }
-    catch { /* malformed URL — keep defaults */ }
+    catch { }
     return event;
 }

package/dist/src/events/web/redactions.js

@@ -1,6 +1,4 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.redactions = void 0;
-exports.redactions = [
-// URLs are kept as-is for detection value; no PII expected in URLs at this layer
-];
+exports.redactions = [];

package/dist/src/fetcher.d.ts

@@ -8,5 +8,6 @@ export interface RawEntry {
     _sessionId: string;
     _agentId: string;
 }
+export declare const MAX_ENTRIES_PER_POLL = 5000;
 export declare function fetchNewEntries(config: Config): Promise<RawEntry[]>;
 export declare function commitCursors(config: Config, _entries: RawEntry[]): void;