@vigil-guard/vge-cc-guard 0.9.0-beta.1

package/dist/daemon/tool-output-redactor.js

@@ -0,0 +1,82 @@
+const REDACTED_TOOL_OUTPUT_CAP = 4096;
+function sanitizeMessage(message) {
+    const clean = message.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, '');
+    if (clean.length <= REDACTED_TOOL_OUTPUT_CAP)
+        return clean;
+    return clean.slice(0, REDACTED_TOOL_OUTPUT_CAP - 15) + '\n[truncated]\n';
+}
+function asObject(value) {
+    return value !== null && typeof value === 'object' && !Array.isArray(value)
+        ? value
+        : null;
+}
+export function canRedactTool(toolName, opts) {
+    return opts.ccContractHealthy && (toolName === 'Read' || toolName === 'Bash');
+}
+function redactReadOutput(message, original) {
+    const root = asObject(original);
+    const file = asObject(root?.['file']);
+    if (!root || !file) {
+        return { ok: false, reason: 'Read output is not the verified object shape' };
+    }
+    if (root['type'] !== 'text' ||
+        typeof file['filePath'] !== 'string' ||
+        typeof file['content'] !== 'string' ||
+        typeof file['numLines'] !== 'number' ||
+        typeof file['startLine'] !== 'number' ||
+        typeof file['totalLines'] !== 'number') {
+        return { ok: false, reason: 'Read output is missing verified schema fields' };
+    }
+    return {
+        ok: true,
+        output: {
+            ...root,
+            type: 'text',
+            file: {
+                ...file,
+                filePath: file['filePath'],
+                content: message,
+                numLines: file['numLines'],
+                startLine: file['startLine'],
+                totalLines: file['totalLines'],
+            },
+        },
+    };
+}
+function redactBashOutput(message, original) {
+    const root = asObject(original);
+    if (!root) {
+        return { ok: false, reason: 'Bash output is not the verified object shape' };
+    }
+    if (typeof root['stdout'] !== 'string' ||
+        typeof root['stderr'] !== 'string' ||
+        typeof root['interrupted'] !== 'boolean' ||
+        typeof root['isImage'] !== 'boolean') {
+        return { ok: false, reason: 'Bash output is missing verified schema fields' };
+    }
+    const safeRoot = { ...root };
+    delete safeRoot['persistedOutputPath'];
+    delete safeRoot['persistedOutputSize'];
+    return {
+        ok: true,
+        output: {
+            ...safeRoot,
+            stdout: message,
+            stderr: '',
+            interrupted: root['interrupted'],
+            isImage: root['isImage'],
+        },
+    };
+}
+export function redactForTool(toolName, message, original) {
+    const sanitized = sanitizeMessage(message);
+    if (toolName === 'Read')
+        return redactReadOutput(sanitized, original);
+    if (toolName === 'Bash')
+        return redactBashOutput(sanitized, original);
+    return { ok: false, reason: `${toolName} output shape is not supported for PostTool quarantine` };
+}
+export function serializedContainsOriginalString(redacted, originalString) {
+    return originalString.length > 0 && JSON.stringify(redacted).includes(originalString);
+}
+//# sourceMappingURL=tool-output-redactor.js.map

package/dist/daemon/tool-output-redactor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-output-redactor.js","sourceRoot":"","sources":["../../src/daemon/tool-output-redactor.ts"],"names":[],"mappings":"AAAA,MAAM,wBAAwB,GAAG,IAAI,CAAC;AAMtC,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;IACvE,IAAI,KAAK,CAAC,MAAM,IAAI,wBAAwB;QAAE,OAAO,KAAK,CAAC;IAC3D,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,wBAAwB,GAAG,EAAE,CAAC,GAAG,iBAAiB,CAAC;AAC3E,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACzE,CAAC,CAAC,KAAgC;QAClC,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,IAAoC;IAEpC,OAAO,IAAI,CAAC,iBAAiB,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAiB;IAC1D,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACnB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8CAA8C,EAAE,CAAC;IAC/E,CAAC;IACD,IACE,IAAI,CAAC,MAAM,CAAC,KAAK,MAAM;QACvB,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,QAAQ;QACpC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,QAAQ;QACnC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,QAAQ;QACpC,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ;QACrC,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,QAAQ,EACtC,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+CAA+C,EAAE,CAAC;IAChF,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE;YACN,GAAG,IAAI;YACP,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE;gBACJ,GAAG,IAAI;gBACP,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;gBAC1B,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;gBAC1B,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC;gBAC5B,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC;aAC/B;SACF;KACF,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAiB;IAC1D,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8CAA8C,EAAE,CAAC;IAC/E,CAAC;IACD,IACE,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAClC,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAClC,OAAO,IAAI,CAAC,aAAa,CAAC,KAAK,SAAS;QACxC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,SAAS,EACpC,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+CAA+C,EAAE,CAAC;IAChF,CAAC;IAED,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;IAC7B,OAAO,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IACvC,OAAO,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IACvC,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE;YACN,GAAG,QAAQ;YACX,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,EAAE;YACV,WAAW,EAAE,IAAI,CAAC,aAAa,CAAC;YAChC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC;SACzB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,QAAgB,EAAE,OAAe,EAAE,QAAiB;IAChF,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,gBAAgB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACtE,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,gBAAgB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACtE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,wDAAwD,EAAE,CAAC;AACpG,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,QAAiB,EAAE,cAAsB;IACxF,OAAO,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;AACxF,CAAC"}

package/dist/daemon/tool-policy.d.ts

@@ -0,0 +1,16 @@
+import type { Config, ToolPolicy } from '../shared/config-schema.js';
+export declare function getConfigPath(): string;
+export declare function loadConfig(): void;
+export declare function reloadConfig(): {
+    ok: true;
+    revision: number;
+} | {
+    ok: false;
+    message: string;
+};
+export declare function getCurrentConfig(): Config | undefined;
+export declare function getConfigRevision(): number;
+export declare function resolveToolPolicy(toolName: string): ToolPolicy;
+export declare function startWatcher(): void;
+export declare function stopWatcher(): void;
+//# sourceMappingURL=tool-policy.d.ts.map

package/dist/daemon/tool-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-policy.d.ts","sourceRoot":"","sources":["../../src/daemon/tool-policy.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAGrE,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAOD,wBAAgB,UAAU,IAAI,IAAI,CAGjC;AAED,wBAAgB,YAAY,IAAI;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAS9F;AAED,wBAAgB,gBAAgB,IAAI,MAAM,GAAG,SAAS,CAErD;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAG9D;AAED,wBAAgB,YAAY,IAAI,IAAI,CAiBnC;AAED,wBAAgB,WAAW,IAAI,IAAI,CAIlC"}

package/dist/daemon/tool-policy.js

@@ -0,0 +1,60 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { loadActiveConfigFromString, resolveConfigPath } from '../shared/config-io.js';
+export function getConfigPath() {
+    return resolveConfigPath();
+}
+let currentConfig;
+let configRevision = 0;
+let debounceTimer;
+let watcher;
+export function loadConfig() {
+    const outcome = reloadConfig();
+    if (!outcome.ok)
+        throw new Error(outcome.message);
+}
+export function reloadConfig() {
+    try {
+        const raw = fs.readFileSync(getConfigPath(), 'utf-8');
+        currentConfig = loadActiveConfigFromString(raw);
+        configRevision += 1;
+        return { ok: true, revision: configRevision };
+    }
+    catch (err) {
+        return { ok: false, message: err instanceof Error ? err.message : String(err) };
+    }
+}
+export function getCurrentConfig() {
+    return currentConfig;
+}
+export function getConfigRevision() {
+    return configRevision;
+}
+export function resolveToolPolicy(toolName) {
+    const tools = currentConfig?.tools ?? {};
+    return tools[toolName] ?? tools['*'] ?? { gate: 'ask', analyze_output: false };
+}
+export function startWatcher() {
+    const configPath = getConfigPath();
+    const configDir = path.dirname(configPath);
+    const configFile = path.basename(configPath);
+    // Watch the directory — more reliable than watching the file directly on macOS
+    // (writeFileSync may replace the inode, causing a file watcher to go silent)
+    watcher = fs.watch(configDir, { persistent: false }, (_event, filename) => {
+        if (filename !== configFile)
+            return;
+        clearTimeout(debounceTimer);
+        debounceTimer = setTimeout(() => {
+            const outcome = reloadConfig();
+            if (!outcome.ok) {
+                console.warn(`[tool-policy] Config reload failed — keeping last valid config: ${outcome.message}`);
+            }
+        }, 100);
+    });
+}
+export function stopWatcher() {
+    clearTimeout(debounceTimer);
+    watcher?.close();
+    watcher = undefined;
+}
+//# sourceMappingURL=tool-policy.js.map

package/dist/daemon/tool-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-policy.js","sourceRoot":"","sources":["../../src/daemon/tool-policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,OAAO,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAEvF,MAAM,UAAU,aAAa;IAC3B,OAAO,iBAAiB,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,aAAiC,CAAC;AACtC,IAAI,cAAc,GAAG,CAAC,CAAC;AACvB,IAAI,aAAwD,CAAC;AAC7D,IAAI,OAAiC,CAAC;AAEtC,MAAM,UAAU,UAAU;IACxB,MAAM,OAAO,GAAG,YAAY,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,EAAE,OAAO,CAAC,CAAC;QACtD,aAAa,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;QAChD,cAAc,IAAI,CAAC,CAAC;QACpB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,MAAM,KAAK,GAAG,aAAa,EAAE,KAAK,IAAI,EAAE,CAAC;IACzC,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAE7C,+EAA+E;IAC/E,6EAA6E;IAC7E,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE;QACxE,IAAI,QAAQ,KAAK,UAAU;YAAE,OAAO;QACpC,YAAY,CAAC,aAAa,CAAC,CAAC;QAC5B,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,MAAM,OAAO,GAAG,YAAY,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,CAAC,IAAI,CAAC,mEAAmE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YACrG,CAAC;QACH,CAAC,EAAE,GAAG,CAAC,CAAC;IACV,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,YAAY,CAAC,aAAa,CAAC,CAAC;IAC5B,OAAO,EAAE,KAAK,EAAE,CAAC;IACjB,OAAO,GAAG,SAAS,CAAC;AACtB,CAAC"}

package/dist/daemon/tool-response-normalizer.d.ts

@@ -0,0 +1,11 @@
+export interface NormalizedToolResponse {
+    textToAnalyze: string;
+    toolResultContent: unknown;
+    contentHash: string;
+    contentBytes: number;
+    isBinary: boolean;
+    isError: boolean;
+}
+export declare function capSerializedValue(value: unknown): unknown;
+export declare function normalizeToolResponse(toolResponse: unknown, toolError: unknown): NormalizedToolResponse;
+//# sourceMappingURL=tool-response-normalizer.d.ts.map

package/dist/daemon/tool-response-normalizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-response-normalizer.d.ts","sourceRoot":"","sources":["../../src/daemon/tool-response-normalizer.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,sBAAsB;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;CAClB;AAuBD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAU1D;AAYD,wBAAgB,qBAAqB,CACnC,YAAY,EAAE,OAAO,EACrB,SAAS,EAAE,OAAO,GACjB,sBAAsB,CAgBxB"}

package/dist/daemon/tool-response-normalizer.js

@@ -0,0 +1,67 @@
+import * as crypto from 'crypto';
+import { isBinaryBuffer, truncateText } from './truncate.js';
+const MAX_TOOL_RESULT_BYTES = 64 * 1024;
+const TOOL_RESULT_PREVIEW_BYTES = 60 * 1024;
+function safeStringify(value) {
+    if (typeof value === 'string')
+        return value;
+    if (value === undefined)
+        return '';
+    try {
+        return JSON.stringify(value);
+    }
+    catch {
+        return String(value);
+    }
+}
+function truncateUtf8Bytes(value, maxBytes) {
+    if (Buffer.byteLength(value, 'utf-8') <= maxBytes)
+        return value;
+    let end = Math.min(value.length, maxBytes);
+    let candidate = value.slice(0, end);
+    while (Buffer.byteLength(candidate, 'utf-8') > maxBytes) {
+        end = Math.floor(end * 0.9);
+        candidate = value.slice(0, end);
+    }
+    return candidate;
+}
+export function capSerializedValue(value) {
+    const serialized = safeStringify(value);
+    const bytes = Buffer.byteLength(serialized, 'utf-8');
+    if (bytes <= MAX_TOOL_RESULT_BYTES)
+        return value;
+    return {
+        truncated: true,
+        originalSerializedBytes: bytes,
+        preview: truncateUtf8Bytes(serialized, TOOL_RESULT_PREVIEW_BYTES),
+    };
+}
+function bufferFromUnknown(value) {
+    if (Buffer.isBuffer(value))
+        return value;
+    if (value instanceof ArrayBuffer)
+        return Buffer.from(value);
+    if (ArrayBuffer.isView(value)) {
+        return Buffer.from(value.buffer, value.byteOffset, value.byteLength);
+    }
+    if (typeof value === 'string')
+        return Buffer.from(value);
+    return null;
+}
+export function normalizeToolResponse(toolResponse, toolError) {
+    const source = toolResponse ?? '';
+    const candidateBuffer = bufferFromUnknown(source);
+    const isBinary = candidateBuffer !== null && isBinaryBuffer(candidateBuffer.subarray(0, 8));
+    const fullText = isBinary
+        ? `[binary content, sha256=${crypto.createHash('sha256').update(candidateBuffer).digest('hex')}, len=${candidateBuffer.length}]`
+        : safeStringify(source);
+    return {
+        textToAnalyze: truncateText(fullText),
+        toolResultContent: isBinary ? fullText : capSerializedValue(source),
+        contentHash: crypto.createHash('sha256').update(fullText).digest('hex'),
+        contentBytes: Buffer.byteLength(fullText, 'utf-8'),
+        isBinary,
+        isError: toolError !== null && toolError !== undefined && toolError !== '',
+    };
+}
+//# sourceMappingURL=tool-response-normalizer.js.map

package/dist/daemon/tool-response-normalizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-response-normalizer.js","sourceRoot":"","sources":["../../src/daemon/tool-response-normalizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7D,MAAM,qBAAqB,GAAG,EAAE,GAAG,IAAI,CAAC;AACxC,MAAM,yBAAyB,GAAG,EAAE,GAAG,IAAI,CAAC;AAW5C,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa,EAAE,QAAgB;IACxD,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChE,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAI,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,UAAU,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,QAAQ,EAAE,CAAC;QACxD,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;QAC5B,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,KAAK,IAAI,qBAAqB;QAAE,OAAO,KAAK,CAAC;IAEjD,OAAO;QACL,SAAS,EAAE,IAAI;QACf,uBAAuB,EAAE,KAAK;QAC9B,OAAO,EAAE,iBAAiB,CAAC,UAAU,EAAE,yBAAyB,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,KAAK,YAAY,WAAW;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,YAAqB,EACrB,SAAkB;IAElB,MAAM,MAAM,GAAG,YAAY,IAAI,EAAE,CAAC;IAClC,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,eAAe,KAAK,IAAI,IAAI,cAAc,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5F,MAAM,QAAQ,GAAG,QAAQ;QACvB,CAAC,CAAC,2BAA2B,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,eAAe,CAAC,MAAM,GAAG;QAChI,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAE1B,OAAO;QACL,aAAa,EAAE,YAAY,CAAC,QAAQ,CAAC;QACrC,iBAAiB,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC;QACnE,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACvE,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC;QAClD,QAAQ;QACR,OAAO,EAAE,SAAS,KAAK,IAAI,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,EAAE;KAC3E,CAAC;AACJ,CAAC"}

package/dist/daemon/truncate.d.ts

@@ -0,0 +1,3 @@
+export declare function truncateText(text: string): string;
+export declare function isBinaryBuffer(buf: Buffer): boolean;
+//# sourceMappingURL=truncate.d.ts.map

package/dist/daemon/truncate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"truncate.d.ts","sourceRoot":"","sources":["../../src/daemon/truncate.ts"],"names":[],"mappings":"AAYA,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAMjD;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAEnD"}

package/dist/daemon/truncate.js

@@ -0,0 +1,22 @@
+const MAX_CHARS = 100_000;
+// HALF * 2 + marker (~45 chars) < MAX_CHARS: 49_975*2 + 45 = 99_995
+const HALF = 49_975;
+const BINARY_MAGIC_BYTES = [
+    [0x89, 0x50, 0x4e, 0x47], // PNG
+    [0x25, 0x50, 0x44, 0x46], // PDF
+    [0x50, 0x4b, 0x03, 0x04], // ZIP
+    [0xff, 0xd8, 0xff], // JPEG
+    [0x47, 0x49, 0x46], // GIF
+];
+export function truncateText(text) {
+    if (text.length <= MAX_CHARS)
+        return text;
+    const head = text.slice(0, HALF);
+    const tail = text.slice(text.length - HALF);
+    const marker = `\n[truncated middle, original was ${text.length} chars]\n`;
+    return head + marker + tail;
+}
+export function isBinaryBuffer(buf) {
+    return BINARY_MAGIC_BYTES.some((magic) => magic.every((byte, i) => buf[i] === byte));
+}
+//# sourceMappingURL=truncate.js.map

package/dist/daemon/truncate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"truncate.js","sourceRoot":"","sources":["../../src/daemon/truncate.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,OAAO,CAAC;AAC1B,oEAAoE;AACpE,MAAM,IAAI,GAAG,MAAM,CAAC;AAEpB,MAAM,kBAAkB,GAAwB;IAC9C,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,MAAM;IAChC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,MAAM;IAChC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,MAAM;IAChC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAQ,OAAO;IACjC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAQ,MAAM;CACjC,CAAC;AAEF,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,IAAI,CAAC,MAAM,IAAI,SAAS;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,qCAAqC,IAAI,CAAC,MAAM,WAAW,CAAC;IAC3E,OAAO,IAAI,GAAG,MAAM,GAAG,IAAI,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;AACvF,CAAC"}

package/dist/daemon/url-access-baseline.d.ts

@@ -0,0 +1,46 @@
+import type { Config } from '../shared/config-schema.js';
+type UrlPresetName = keyof Config['policy']['url_access_baseline']['presets'];
+export type UrlDenyReason = 'cloud_metadata' | 'unsafe_scheme' | 'credentials_in_url' | 'oob_callback_collector' | 'strict_internal_network' | 'public_paste_or_file_drop' | 'custom_host' | 'custom_cidr' | 'custom_scheme' | 'custom_url_pattern';
+export interface UrlAccessBaselineMatch {
+    reason: UrlDenyReason;
+    matchedRule: string;
+    preset?: UrlPresetName;
+    host: string | null;
+    scheme: string | null;
+}
+export declare const URL_ACCESS_PRESETS: {
+    readonly cloud_metadata: {
+        readonly label: "Cloud metadata endpoints";
+        readonly defaultEnabled: true;
+        readonly action: "block";
+        readonly hosts: readonly ["169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "169.254.170.2", "169.254.170.23", "fd00:ec2::23", "100.100.100.200"];
+    };
+    readonly unsafe_url_shapes: {
+        readonly label: "Unsafe URL shapes";
+        readonly defaultEnabled: true;
+        readonly action: "block";
+        readonly schemes: readonly ["file", "gopher", "ftp", "smb", "nfs", "ldap", "ldaps", "dict"];
+    };
+    readonly oob_callback_collectors: {
+        readonly label: "OOB callback collectors";
+        readonly defaultEnabled: false;
+        readonly action: "block";
+        readonly hosts: readonly ["webhook.site", "*.webhook.site", "interact.sh", "*.interact.sh", "oast.pro", "*.oast.pro", "oast.me", "*.oast.me", "burpcollaborator.net", "*.burpcollaborator.net"];
+    };
+    readonly strict_internal_network: {
+        readonly label: "Strict internal network";
+        readonly defaultEnabled: false;
+        readonly action: "block";
+        readonly hosts: readonly ["localhost", "*.internal", "*.corp", "*.local"];
+        readonly cidrs: readonly ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/32", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"];
+    };
+    readonly public_paste_and_file_drops: {
+        readonly label: "Public paste and file drops";
+        readonly defaultEnabled: false;
+        readonly action: "block";
+        readonly hosts: readonly ["pastebin.com", "*.pastebin.com", "transfer.sh", "*.transfer.sh", "file.io", "*.file.io", "temp.sh", "*.temp.sh"];
+    };
+};
+export declare function evaluateUrlAccessBaseline(rawUrl: string, config: Config): UrlAccessBaselineMatch | null;
+export {};
+//# sourceMappingURL=url-access-baseline.d.ts.map

package/dist/daemon/url-access-baseline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-access-baseline.d.ts","sourceRoot":"","sources":["../../src/daemon/url-access-baseline.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AASzD,KAAK,aAAa,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC,qBAAqB,CAAC,CAAC,SAAS,CAAC,CAAC;AAE9E,MAAM,MAAM,aAAa,GACrB,gBAAgB,GAChB,eAAe,GACf,oBAAoB,GACpB,wBAAwB,GACxB,yBAAyB,GACzB,2BAA2B,GAC3B,aAAa,GACb,aAAa,GACb,eAAe,GACf,oBAAoB,CAAC;AAEzB,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,aAAa,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsErB,CAAC;AAEX,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,sBAAsB,GAAG,IAAI,CA0CvG"}

package/dist/daemon/url-access-baseline.js

@@ -0,0 +1,154 @@
+import { cidrContainsIp, hostnameMatchesUrlPattern, normalizeUrlHostPattern, normalizeUrlScheme, urlMatchesGlobPattern, } from '../shared/url-patterns.js';
+export const URL_ACCESS_PRESETS = {
+    cloud_metadata: {
+        label: 'Cloud metadata endpoints',
+        defaultEnabled: true,
+        action: 'block',
+        hosts: [
+            '169.254.169.254',
+            'fd00:ec2::254',
+            'metadata.google.internal',
+            '169.254.170.2',
+            '169.254.170.23',
+            'fd00:ec2::23',
+            '100.100.100.200',
+        ],
+    },
+    unsafe_url_shapes: {
+        label: 'Unsafe URL shapes',
+        defaultEnabled: true,
+        action: 'block',
+        schemes: ['file', 'gopher', 'ftp', 'smb', 'nfs', 'ldap', 'ldaps', 'dict'],
+    },
+    oob_callback_collectors: {
+        label: 'OOB callback collectors',
+        defaultEnabled: false,
+        action: 'block',
+        hosts: [
+            'webhook.site',
+            '*.webhook.site',
+            'interact.sh',
+            '*.interact.sh',
+            'oast.pro',
+            '*.oast.pro',
+            'oast.me',
+            '*.oast.me',
+            'burpcollaborator.net',
+            '*.burpcollaborator.net',
+        ],
+    },
+    strict_internal_network: {
+        label: 'Strict internal network',
+        defaultEnabled: false,
+        action: 'block',
+        hosts: ['localhost', '*.internal', '*.corp', '*.local'],
+        cidrs: [
+            '10.0.0.0/8',
+            '172.16.0.0/12',
+            '192.168.0.0/16',
+            '127.0.0.0/8',
+            '0.0.0.0/32',
+            '169.254.0.0/16',
+            '::1/128',
+            'fc00::/7',
+            'fe80::/10',
+        ],
+    },
+    public_paste_and_file_drops: {
+        label: 'Public paste and file drops',
+        defaultEnabled: false,
+        action: 'block',
+        hosts: [
+            'pastebin.com',
+            '*.pastebin.com',
+            'transfer.sh',
+            '*.transfer.sh',
+            'file.io',
+            '*.file.io',
+            'temp.sh',
+            '*.temp.sh',
+        ],
+    },
+};
+export function evaluateUrlAccessBaseline(rawUrl, config) {
+    const baseline = config.policy.url_access_baseline;
+    if (!baseline.enabled)
+        return null;
+    const parsed = parseUrl(rawUrl);
+    const scheme = parsed ? normalizeUrlScheme(parsed.protocol) : extractScheme(rawUrl);
+    const host = parsed?.hostname ? normalizeUrlHostPattern(parsed.hostname) : null;
+    const customScheme = findMatch(scheme, baseline.custom_deny.schemes);
+    if (customScheme)
+        return match('custom_scheme', customScheme, host, scheme);
+    if (baseline.presets.unsafe_url_shapes) {
+        const unsafeScheme = findMatch(scheme, URL_ACCESS_PRESETS.unsafe_url_shapes.schemes);
+        if (unsafeScheme)
+            return match('unsafe_scheme', unsafeScheme, host, scheme, 'unsafe_url_shapes');
+    }
+    if (parsed && baseline.presets.unsafe_url_shapes && (parsed.username || parsed.password)) {
+        return match('credentials_in_url', 'embedded credentials', host, scheme, 'unsafe_url_shapes');
+    }
+    if (host && baseline.presets.cloud_metadata) {
+        const metadataHost = URL_ACCESS_PRESETS.cloud_metadata.hosts.find((candidate) => hostnameMatchesUrlPattern(host, candidate));
+        if (metadataHost)
+            return match('cloud_metadata', metadataHost, host, scheme, 'cloud_metadata');
+    }
+    const presetMatch = evaluateOptionalPresets(host, scheme, baseline.presets);
+    if (presetMatch)
+        return presetMatch;
+    const customHost = host
+        ? baseline.custom_deny.hosts.find((candidate) => hostnameMatchesUrlPattern(host, candidate))
+        : undefined;
+    if (customHost)
+        return match('custom_host', customHost, host, scheme);
+    const customCidr = host ? baseline.custom_deny.cidrs.find((cidr) => cidrContainsIp(host, cidr)) : undefined;
+    if (customCidr)
+        return match('custom_cidr', customCidr, host, scheme);
+    const customPattern = baseline.custom_deny.url_patterns.find((pattern) => urlMatchesGlobPattern(rawUrl, pattern));
+    if (customPattern)
+        return match('custom_url_pattern', customPattern, host, scheme);
+    return null;
+}
+function evaluateOptionalPresets(host, scheme, presets) {
+    if (host && presets.oob_callback_collectors) {
+        const oobHost = URL_ACCESS_PRESETS.oob_callback_collectors.hosts.find((candidate) => hostnameMatchesUrlPattern(host, candidate));
+        if (oobHost)
+            return match('oob_callback_collector', oobHost, host, scheme, 'oob_callback_collectors');
+    }
+    if (host && presets.strict_internal_network) {
+        const internalHost = URL_ACCESS_PRESETS.strict_internal_network.hosts.find((candidate) => hostnameMatchesUrlPattern(host, candidate));
+        if (internalHost)
+            return match('strict_internal_network', internalHost, host, scheme, 'strict_internal_network');
+        const internalCidr = URL_ACCESS_PRESETS.strict_internal_network.cidrs.find((cidr) => cidrContainsIp(host, cidr));
+        if (internalCidr)
+            return match('strict_internal_network', internalCidr, host, scheme, 'strict_internal_network');
+    }
+    if (host && presets.public_paste_and_file_drops) {
+        const dropHost = URL_ACCESS_PRESETS.public_paste_and_file_drops.hosts.find((candidate) => hostnameMatchesUrlPattern(host, candidate));
+        if (dropHost) {
+            return match('public_paste_or_file_drop', dropHost, host, scheme, 'public_paste_and_file_drops');
+        }
+    }
+    return null;
+}
+function parseUrl(rawUrl) {
+    try {
+        return new URL(rawUrl);
+    }
+    catch {
+        return null;
+    }
+}
+function extractScheme(rawUrl) {
+    const match = rawUrl.match(/^([a-z][a-z0-9+.-]*):\/\//i);
+    return match ? normalizeUrlScheme(match[1]) : null;
+}
+function findMatch(value, candidates) {
+    if (!value)
+        return undefined;
+    return candidates.find((candidate) => normalizeUrlScheme(candidate) === value);
+}
+function match(reason, matchedRule, host, scheme, preset) {
+    return { reason, matchedRule, host, scheme, ...(preset ? { preset } : {}) };
+}
+//# sourceMappingURL=url-access-baseline.js.map

package/dist/daemon/url-access-baseline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-access-baseline.js","sourceRoot":"","sources":["../../src/daemon/url-access-baseline.ts"],"names":[],"mappings":"AACA,OAAO,EACL,cAAc,EACd,yBAAyB,EACzB,uBAAuB,EACvB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AAwBnC,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,cAAc,EAAE;QACd,KAAK,EAAE,0BAA0B;QACjC,cAAc,EAAE,IAAI;QACpB,MAAM,EAAE,OAAO;QACf,KAAK,EAAE;YACL,iBAAiB;YACjB,eAAe;YACf,0BAA0B;YAC1B,eAAe;YACf,gBAAgB;YAChB,cAAc;YACd,iBAAiB;SAClB;KACF;IACD,iBAAiB,EAAE;QACjB,KAAK,EAAE,mBAAmB;QAC1B,cAAc,EAAE,IAAI;QACpB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;KAC1E;IACD,uBAAuB,EAAE;QACvB,KAAK,EAAE,yBAAyB;QAChC,cAAc,EAAE,KAAK;QACrB,MAAM,EAAE,OAAO;QACf,KAAK,EAAE;YACL,cAAc;YACd,gBAAgB;YAChB,aAAa;YACb,eAAe;YACf,UAAU;YACV,YAAY;YACZ,SAAS;YACT,WAAW;YACX,sBAAsB;YACtB,wBAAwB;SACzB;KACF;IACD,uBAAuB,EAAE;QACvB,KAAK,EAAE,yBAAyB;QAChC,cAAc,EAAE,KAAK;QACrB,MAAM,EAAE,OAAO;QACf,KAAK,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,CAAC;QACvD,KAAK,EAAE;YACL,YAAY;YACZ,eAAe;YACf,gBAAgB;YAChB,aAAa;YACb,YAAY;YACZ,gBAAgB;YAChB,SAAS;YACT,UAAU;YACV,WAAW;SACZ;KACF;IACD,2BAA2B,EAAE;QAC3B,KAAK,EAAE,6BAA6B;QACpC,cAAc,EAAE,KAAK;QACrB,MAAM,EAAE,OAAO;QACf,KAAK,EAAE;YACL,cAAc;YACd,gBAAgB;YAChB,aAAa;YACb,eAAe;YACf,SAAS;YACT,WAAW;YACX,SAAS;YACT,WAAW;SACZ;KACF;CACO,CAAC;AAEX,MAAM,UAAU,yBAAyB,CAAC,MAAc,EAAE,MAAc;IACtE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,mBAAmB,CAAC;IACnD,IAAI,CAAC,QAAQ,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IACpF,MAAM,IAAI,GAAG,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,uBAAuB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEhF,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACrE,IAAI,YAAY;QAAE,OAAO,KAAK,CAAC,eAAe,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAE5E,IAAI,QAAQ,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC;QACvC,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,EAAE,kBAAkB,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACrF,IAAI,YAAY;YAAE,OAAO,KAAK,CAAC,eAAe,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,CAAC,CAAC;IACnG,CAAC;IAED,IAAI,MAAM,IAAI,QAAQ,CAAC,OAAO,CAAC,iBAAiB,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzF,OAAO,KAAK,CAAC,oBAAoB,EAAE,sBAAsB,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAChG,CAAC;IAED,IAAI,IAAI,IAAI,QAAQ,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,kBAAkB,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAC9E,yBAAyB,CAAC,IAAI,EAAE,SAAS,CAAC,CAC3C,CAAC;QACF,IAAI,YAAY;YAAE,OAAO,KAAK,CAAC,gBAAgB,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACjG,CAAC;IAED,MAAM,WAAW,GAAG,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC5E,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IAEpC,MAAM,UAAU,GAAG,IAAI;QACrB,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,yBAAyB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC5F,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,UAAU;QAAE,OAAO,KAAK,CAAC,aAAa,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAEtE,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5G,IAAI,UAAU;QAAE,OAAO,KAAK,CAAC,aAAa,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAEtE,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAClH,IAAI,aAAa;QAAE,OAAO,KAAK,CAAC,oBAAoB,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAEnF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,uBAAuB,CAC9B,IAAmB,EACnB,MAAqB,EACrB,OAA2D;IAE3D,IAAI,IAAI,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,kBAAkB,CAAC,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAClF,yBAAyB,CAAC,IAAI,EAAE,SAAS,CAAC,CAC3C,CAAC;QACF,IAAI,OAAO;YAAE,OAAO,KAAK,CAAC,wBAAwB,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,CAAC,CAAC;IACxG,CAAC;IAED,IAAI,IAAI,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,kBAAkB,CAAC,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CACvF,yBAAyB,CAAC,IAAI,EAAE,SAAS,CAAC,CAC3C,CAAC;QACF,IAAI,YAAY;YAAE,OAAO,KAAK,CAAC,yBAAyB,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,CAAC,CAAC;QAEjH,MAAM,YAAY,GAAG,kBAAkB,CAAC,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QACjH,IAAI,YAAY;YAAE,OAAO,KAAK,CAAC,yBAAyB,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,CAAC,CAAC;IACnH,CAAC;IAED,IAAI,IAAI,IAAI,OAAO,CAAC,2BAA2B,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,2BAA2B,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CACvF,yBAAyB,CAAC,IAAI,EAAE,SAAS,CAAC,CAC3C,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,2BAA2B,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,CAAC,CAAC;QACnG,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,QAAQ,CAAC,MAAc;IAC9B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;IACzD,OAAO,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACrD,CAAC;AAED,SAAS,SAAS,CAAC,KAAoB,EAAE,UAA6B;IACpE,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,kBAAkB,CAAC,SAAS,CAAC,KAAK,KAAK,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,KAAK,CACZ,MAAqB,EACrB,WAAmB,EACnB,IAAmB,EACnB,MAAqB,EACrB,MAAsB;IAEtB,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9E,CAAC"}

package/dist/daemon/url-block-decisions.d.ts

@@ -0,0 +1,27 @@
+import type { SessionData, UrlBlockDecision } from '../shared/types.js';
+import { applyUrlBlockDecision } from './ask-dialog.js';
+export declare function sha256Hex(value: string): string;
+export declare function urlResourceKey(url: string): string;
+export declare function urlHashFromResourceId(resourceId: string): string;
+export declare function findUrlAllowlistMatch(host: string, patterns: string[]): string | null;
+export declare function addHostToPersistentUrlAllowlist(host: string): boolean;
+export declare function auditUrlAllowlistBypass(params: {
+    sessionId: string;
+    toolName: string;
+    resourceId: string;
+    host: string;
+    pattern: string;
+}): void;
+export declare function auditResolvedUrlBlock(sessionId: string, resolved: {
+    escalation: {
+        toolName: string;
+        resourceId: string;
+        host?: string;
+        vgeDecision?: string;
+        vgeScore?: number;
+    };
+    decision: UrlBlockDecision;
+    blockReason?: 'user_block' | 'malformed_url' | 'persist_failed';
+}): void;
+export declare function applyAndAuditUrlBlockDecision(session: SessionData, decision: UrlBlockDecision, escalationId?: string): ReturnType<typeof applyUrlBlockDecision>;
+//# sourceMappingURL=url-block-decisions.d.ts.map

package/dist/daemon/url-block-decisions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-block-decisions.d.ts","sourceRoot":"","sources":["../../src/daemon/url-block-decisions.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAKxE,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAaxD,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAIhE;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAErF;AAED,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAmBrE;AAED,wBAAgB,uBAAuB,CAAC,MAAM,EAAE;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,IAAI,CAKP;AAED,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE;IACR,UAAU,EAAE;QACV,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,WAAW,CAAC,EAAE,YAAY,GAAG,eAAe,GAAG,gBAAgB,CAAC;CACjE,GACA,IAAI,CAkCN;AAED,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,gBAAgB,EAC1B,YAAY,CAAC,EAAE,MAAM,GACpB,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAa1C"}