@vigil-guard/vge-cc-guard 0.9.0-beta.1

package/dist/shared/private-file.js

@@ -0,0 +1,144 @@
+import fs from 'fs';
+import * as childProcess from 'child_process';
+import * as os from 'os';
+import * as path from 'path';
+function supportsPosixModes(platform) {
+    return platform !== 'win32';
+}
+function currentWindowsUser() {
+    const username = os.userInfo().username || process.env['USERNAME'];
+    if (!username)
+        throw new Error('cannot determine current Windows user for private file ACL');
+    return username;
+}
+function resolveIcaclsCommand() {
+    const systemRoot = process.env['SystemRoot'] || process.env['WINDIR'];
+    return systemRoot ? path.win32.join(systemRoot, 'System32', 'icacls.exe') : 'icacls';
+}
+function hardenWindowsAcl(filePath) {
+    const currentUser = currentWindowsUser();
+    const options = { stdio: 'pipe' };
+    const icacls = resolveIcaclsCommand();
+    // Protects against other local user accounts, not local Administrators, SYSTEM, or kernel-level malware.
+    childProcess.execFileSync(icacls, [filePath, '/inheritance:r'], options);
+    childProcess.execFileSync(icacls, [
+        filePath,
+        '/remove:g',
+        '*S-1-1-0',
+        '*S-1-5-11',
+        '*S-1-5-32-545',
+    ], options);
+    childProcess.execFileSync(icacls, [
+        filePath,
+        '/grant:r',
+        `${currentUser}:(F)`,
+        '*S-1-5-18:(F)',
+        '*S-1-5-32-544:(F)',
+    ], options);
+}
+export function chmodPrivateSync(filePath, opts = {}) {
+    const platform = opts.platform ?? process.platform;
+    if (!supportsPosixModes(platform)) {
+        hardenWindowsAcl(filePath);
+        return;
+    }
+    fs.chmodSync(filePath, 0o600);
+}
+export function chmodPrivateDirectorySync(directoryPath, opts = {}) {
+    const platform = opts.platform ?? process.platform;
+    if (!supportsPosixModes(platform)) {
+        hardenWindowsAcl(directoryPath);
+        return;
+    }
+    fs.chmodSync(directoryPath, 0o700);
+}
+function removeFailedPrivateFile(filePath) {
+    fs.rmSync(filePath, { force: true });
+}
+function fsyncDirectoryBestEffort(dir) {
+    try {
+        const fd = fs.openSync(dir, 'r');
+        try {
+            fs.fsyncSync(fd);
+        }
+        finally {
+            fs.closeSync(fd);
+        }
+    }
+    catch {
+        // Some platforms and filesystems do not support fsync on directories.
+    }
+}
+export function writePrivateFileSync(filePath, content, opts = {}) {
+    const platform = opts.platform ?? process.platform;
+    const fd = fs.openSync(filePath, 'w', supportsPosixModes(platform) ? 0o600 : undefined);
+    try {
+        if (typeof content === 'string')
+            fs.writeSync(fd, content);
+        else
+            fs.writeSync(fd, content, 0, content.length);
+        fs.fsyncSync(fd);
+    }
+    finally {
+        fs.closeSync(fd);
+    }
+    try {
+        chmodPrivateSync(filePath, { platform });
+    }
+    catch (err) {
+        removeFailedPrivateFile(filePath);
+        throw err;
+    }
+}
+export function writePrivateFileAtomicSync(filePath, content, opts = {}) {
+    const platform = opts.platform ?? process.platform;
+    const dir = path.dirname(filePath);
+    const tmp = path.join(dir, `.${path.basename(filePath)}.${process.pid}.${Date.now()}.tmp-${Math.random().toString(36).slice(2)}`);
+    let fd = null;
+    try {
+        fd = fs.openSync(tmp, 'w', supportsPosixModes(platform) ? 0o600 : undefined);
+        if (typeof content === 'string')
+            fs.writeSync(fd, content);
+        else
+            fs.writeSync(fd, content, 0, content.length);
+        fs.fsyncSync(fd);
+        fs.closeSync(fd);
+        fd = null;
+        chmodPrivateSync(tmp, { platform });
+        fs.renameSync(tmp, filePath);
+        chmodPrivateSync(filePath, { platform });
+        fsyncDirectoryBestEffort(dir);
+    }
+    catch (err) {
+        if (fd !== null) {
+            try {
+                fs.closeSync(fd);
+            }
+            catch { /* already closed */ }
+        }
+        removeFailedPrivateFile(tmp);
+        throw err;
+    }
+}
+export function appendPrivateFileSync(filePath, content, opts = {}) {
+    const platform = opts.platform ?? process.platform;
+    const fd = fs.openSync(filePath, 'a', supportsPosixModes(platform) ? 0o600 : undefined);
+    try {
+        if (typeof content === 'string')
+            fs.writeSync(fd, content);
+        else
+            fs.writeSync(fd, content, 0, content.length);
+        fs.fsyncSync(fd);
+    }
+    finally {
+        fs.closeSync(fd);
+    }
+    try {
+        chmodPrivateSync(filePath, { platform });
+    }
+    catch (err) {
+        removeFailedPrivateFile(filePath);
+        throw err;
+    }
+}
+//# sourceMappingURL=private-file.js.map

package/dist/shared/private-file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"private-file.js","sourceRoot":"","sources":["../../src/shared/private-file.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,KAAK,YAAY,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAI7B,SAAS,kBAAkB,CAAC,QAA6B;IACvD,OAAO,QAAQ,KAAK,OAAO,CAAC;AAC9B,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnE,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAC7F,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB;IAC3B,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtE,OAAO,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;AACvF,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,MAAe,EAAE,CAAC;IAC3C,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAC;IAEtC,yGAAyG;IACzG,YAAY,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,OAAO,CAAC,CAAC;IACzE,YAAY,CAAC,YAAY,CAAC,MAAM,EAAE;QAChC,QAAQ;QACR,WAAW;QACX,UAAU;QACV,WAAW;QACX,eAAe;KAChB,EAAE,OAAO,CAAC,CAAC;IACZ,YAAY,CAAC,YAAY,CAAC,MAAM,EAAE;QAChC,QAAQ;QACR,UAAU;QACV,GAAG,WAAW,MAAM;QACpB,eAAe;QACf,mBAAmB;KACpB,EAAE,OAAO,CAAC,CAAC;AACd,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,OAA2C,EAAE;IAE7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,aAAqB,EACrB,OAA2C,EAAE;IAE7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,gBAAgB,CAAC,aAAa,CAAC,CAAC;QAChC,OAAO;IACT,CAAC;IACD,EAAE,CAAC,SAAS,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,wBAAwB,CAAC,GAAW;IAC3C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC;YACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;IACxE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,QAAgB,EAChB,OAAwB,EACxB,OAA2C,EAAE;IAE7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACxF,IAAI,CAAC;QACH,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;;YACtD,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAClD,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC;QACH,gBAAgB,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAClC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,QAAgB,EAChB,OAAwB,EACxB,OAA2C,EAAE;IAE7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClI,IAAI,EAAE,GAAkB,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC7E,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;;YACtD,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAClD,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACjB,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACjB,EAAE,GAAG,IAAI,CAAC;QACV,gBAAgB,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QACpC,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7B,gBAAgB,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzC,wBAAwB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,IAAI,CAAC;gBAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;QAC1D,CAAC;QACD,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,QAAgB,EAChB,OAAwB,EACxB,OAA2C,EAAE;IAE7C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACxF,IAAI,CAAC;QACH,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;;YACtD,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAClD,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC;QACH,gBAAgB,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAClC,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/shared/runtime-lock.d.ts

@@ -0,0 +1,30 @@
+export interface RuntimeLockOwner {
+    schemaVersion: 1;
+    pid: number;
+    createdAt: string;
+    purpose: 'daemon-instance' | 'daemon-start';
+}
+export type RuntimeLockAcquireResult<T> = {
+    ok: true;
+    handle: RuntimeLockHandle<T>;
+    recovered?: {
+        reason: 'dead_pid' | 'invalid_owner' | 'stale_timeout';
+        previousOwner?: T;
+    };
+} | {
+    ok: false;
+    reason: 'held' | 'owner_alive' | 'io_error';
+    owner?: T;
+    message?: string;
+};
+export interface RuntimeLockHandle<T> {
+    lockDir: string;
+    owner: T;
+    release: () => void;
+}
+export declare function isPidAlive(pid: number): boolean;
+export declare function readRuntimeLockOwner<T>(lockDir: string): T | null;
+export declare function acquireRuntimeLock<T extends RuntimeLockOwner>(lockDir: string, owner: T, opts?: {
+    staleAfterMs?: number;
+}): RuntimeLockAcquireResult<T>;
+//# sourceMappingURL=runtime-lock.d.ts.map

package/dist/shared/runtime-lock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-lock.d.ts","sourceRoot":"","sources":["../../src/shared/runtime-lock.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,gBAAgB;IAC/B,aAAa,EAAE,CAAC,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,iBAAiB,GAAG,cAAc,CAAC;CAC7C;AAED,MAAM,MAAM,wBAAwB,CAAC,CAAC,IAClC;IACE,EAAE,EAAE,IAAI,CAAC;IACT,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC;IAC7B,SAAS,CAAC,EAAE;QAAE,MAAM,EAAE,UAAU,GAAG,eAAe,GAAG,eAAe,CAAC;QAAC,aAAa,CAAC,EAAE,CAAC,CAAA;KAAE,CAAC;CAC3F,GACD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAE5F,MAAM,WAAW,iBAAiB,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,CAAC,CAAC;IACT,OAAO,EAAE,MAAM,IAAI,CAAC;CACrB;AAID,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAU/C;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAMjE;AAED,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,gBAAgB,EAC3D,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,CAAC,EACR,IAAI,GAAE;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAO,GACnC,wBAAwB,CAAC,CAAC,CAAC,CAkC7B"}

package/dist/shared/runtime-lock.js

@@ -0,0 +1,142 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { writePrivateFileSync } from './private-file.js';
+const OWNER_FILE = 'owner.json';
+export function isPidAlive(pid) {
+    if (!Number.isInteger(pid) || pid <= 0)
+        return false;
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (err) {
+        const code = err instanceof Error && 'code' in err ? err.code : undefined;
+        if (code === 'ESRCH')
+            return false;
+        return true;
+    }
+}
+export function readRuntimeLockOwner(lockDir) {
+    try {
+        return JSON.parse(fs.readFileSync(ownerPath(lockDir), 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+export function acquireRuntimeLock(lockDir, owner, opts = {}) {
+    if (lockDir.trim() === '') {
+        return { ok: false, reason: 'io_error', message: 'lock directory is empty' };
+    }
+    try {
+        return acquireFreshLock(lockDir, owner);
+    }
+    catch (err) {
+        if (!isFileExistsError(err)) {
+            return { ok: false, reason: 'io_error', message: errorMessage(err) };
+        }
+    }
+    const currentOwner = readRuntimeLockOwner(lockDir);
+    if (currentOwner && isPidAlive(currentOwner.pid)) {
+        return { ok: false, reason: 'owner_alive', owner: currentOwner };
+    }
+    const recovered = recoveryReason(currentOwner, opts.staleAfterMs);
+    const removed = removeRuntimeLockDir(lockDir);
+    if (!removed.ok) {
+        return { ok: false, reason: 'io_error', owner: currentOwner ?? undefined, message: removed.message };
+    }
+    try {
+        const acquired = acquireFreshLock(lockDir, owner);
+        return {
+            ...acquired,
+            recovered: { reason: recovered, previousOwner: currentOwner ?? undefined },
+        };
+    }
+    catch (err) {
+        if (isFileExistsError(err))
+            return { ok: false, reason: 'held', owner: readRuntimeLockOwner(lockDir) ?? undefined };
+        return { ok: false, reason: 'io_error', message: errorMessage(err) };
+    }
+}
+function acquireFreshLock(lockDir, owner) {
+    fs.mkdirSync(lockDir);
+    writePrivateFileSync(ownerPath(lockDir), `${JSON.stringify(owner, null, 2)}\n`);
+    return {
+        ok: true,
+        handle: {
+            lockDir,
+            owner,
+            release: () => releaseRuntimeLock(lockDir, owner),
+        },
+    };
+}
+function releaseRuntimeLock(lockDir, owner) {
+    const currentOwner = readRuntimeLockOwner(lockDir);
+    if (!sameRuntimeLockOwner(currentOwner, owner))
+        return;
+    removeRuntimeLockDir(lockDir);
+}
+function sameRuntimeLockOwner(currentOwner, owner) {
+    return currentOwner !== null
+        && JSON.stringify(canonicalLockOwner(currentOwner)) === JSON.stringify(canonicalLockOwner(owner));
+}
+function canonicalLockOwner(value) {
+    if (Array.isArray(value))
+        return value.map(canonicalLockOwner);
+    if (!value || typeof value !== 'object')
+        return value;
+    return Object.fromEntries(Object.entries(value)
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([key, entry]) => [key, canonicalLockOwner(entry)]));
+}
+function recoveryReason(currentOwner, staleAfterMs) {
+    if (!currentOwner)
+        return 'invalid_owner';
+    if (!isPidAlive(currentOwner.pid))
+        return 'dead_pid';
+    if (staleAfterMs !== undefined && lockAgeMs(currentOwner.createdAt) > staleAfterMs)
+        return 'stale_timeout';
+    return 'invalid_owner';
+}
+function lockAgeMs(createdAt) {
+    const parsed = Date.parse(createdAt);
+    if (Number.isNaN(parsed))
+        return 0;
+    return Date.now() - parsed;
+}
+function ownerPath(lockDir) {
+    return path.join(lockDir, OWNER_FILE);
+}
+function removeRuntimeLockDir(lockDir) {
+    const resolved = path.resolve(lockDir);
+    if (!canRemoveLockDir(resolved)) {
+        return { ok: false, message: `refusing to remove unsafe lock directory: ${lockDir}` };
+    }
+    try {
+        fs.rmSync(resolved, { recursive: true, force: true });
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, message: errorMessage(err) };
+    }
+}
+function canRemoveLockDir(lockDir) {
+    if (lockDir === path.parse(lockDir).root)
+        return false;
+    if (lockDir === os.homedir())
+        return false;
+    if (!path.basename(lockDir).endsWith('.lock'))
+        return false;
+    const configDir = process.env['VGE_CC_GUARD_CONFIG_DIR'];
+    if (configDir && lockDir === path.resolve(configDir))
+        return false;
+    return true;
+}
+function isFileExistsError(err) {
+    return err instanceof Error && 'code' in err && err.code === 'EEXIST';
+}
+function errorMessage(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+//# sourceMappingURL=runtime-lock.js.map

package/dist/shared/runtime-lock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-lock.js","sourceRoot":"","sources":["../../src/shared/runtime-lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAuBzD,MAAM,UAAU,GAAG,YAAY,CAAC;AAEhC,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACrD,IAAI,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,CAAC,CAAC,CAAE,GAA6B,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QACrG,IAAI,IAAI,KAAK,OAAO;YAAE,OAAO,KAAK,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAI,OAAe;IACrD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAM,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,KAAQ,EACR,OAAkC,EAAE;IAEpC,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC1B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,CAAC;QACH,OAAO,gBAAgB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;QACvE,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,oBAAoB,CAAI,OAAO,CAAC,CAAC;IACtD,IAAI,YAAY,IAAI,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IACnE,CAAC;IAED,MAAM,SAAS,GAAG,cAAc,CAAC,YAAY,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,YAAY,IAAI,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;IACvG,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAClD,OAAO;YACL,GAAG,QAAQ;YACX,SAAS,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,IAAI,SAAS,EAAE;SAC3E,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,oBAAoB,CAAI,OAAO,CAAC,IAAI,SAAS,EAAE,CAAC;QACvH,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;IACvE,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,OAAe,EACf,KAAQ;IAER,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACtB,oBAAoB,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAEhF,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE;YACN,OAAO;YACP,KAAK;YACL,OAAO,EAAE,GAAG,EAAE,CAAC,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC;SAClD;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAA6B,OAAe,EAAE,KAAQ;IAC/E,MAAM,YAAY,GAAG,oBAAoB,CAA6C,OAAO,CAAC,CAAC;IAC/F,IAAI,CAAC,oBAAoB,CAAC,YAAY,EAAE,KAAK,CAAC;QAAE,OAAO;IACvD,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,oBAAoB,CAC3B,YAAiE,EACjE,KAAuB;IAEvB,OAAO,YAAY,KAAK,IAAI;WACvB,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC;AACtG,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAc;IACxC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC/D,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEtD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;SAC7C,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SACpD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAC3D,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,YAAsB,EACtB,YAAgC;IAEhC,IAAI,CAAC,YAAY;QAAE,OAAO,eAAe,CAAC;IAC1C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IACrD,IAAI,YAAY,KAAK,SAAS,IAAI,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,GAAG,YAAY;QAAE,OAAO,eAAe,CAAC;IAC3G,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACrC,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;AAC7B,CAAC;AAED,SAAS,SAAS,CAAC,OAAe;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,6CAA6C,OAAO,EAAE,EAAE,CAAC;IACxF,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;IACnD,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,IAAI,OAAO,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,OAAO,KAAK,EAAE,CAAC,OAAO,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE5D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;IACzD,IAAI,SAAS,IAAI,OAAO,KAAK,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAY;IACrC,OAAO,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,CAAC;AACnG,CAAC;AAED,SAAS,YAAY,CAAC,GAAY;IAChC,OAAO,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC"}

package/dist/shared/system-ca.d.ts

@@ -0,0 +1,2 @@
+export declare function installSystemCAs(): void;
+//# sourceMappingURL=system-ca.d.ts.map

package/dist/shared/system-ca.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"system-ca.d.ts","sourceRoot":"","sources":["../../src/shared/system-ca.ts"],"names":[],"mappings":"AAeA,wBAAgB,gBAAgB,IAAI,IAAI,CAavC"}

package/dist/shared/system-ca.js

@@ -0,0 +1,31 @@
+import * as tls from 'node:tls';
+let installed = false;
+// Merge OS keychain (`system`) and `NODE_EXTRA_CA_CERTS` (`extra`) into Node's
+// default CA set so that fetch / undici trust corporate or self-signed roots
+// installed by the user. Equivalent to launching Node with --use-system-ca,
+// done at runtime so we don't need to re-exec or pollute NODE_OPTIONS.
+//
+// Available on Node 22.10+; we silently no-op on older runtimes.
+export function installSystemCAs() {
+    if (installed)
+        return;
+    installed = true;
+    const t = tls;
+    if (!t.getCACertificates || !t.setDefaultCACertificates)
+        return;
+    const system = safeGet(t, 'system');
+    const extra = safeGet(t, 'extra');
+    if (system.length === 0 && extra.length === 0)
+        return;
+    const merged = [...tls.rootCertificates, ...system, ...extra];
+    t.setDefaultCACertificates(merged);
+}
+function safeGet(t, source) {
+    try {
+        return t.getCACertificates ? t.getCACertificates(source) : [];
+    }
+    catch {
+        return [];
+    }
+}
+//# sourceMappingURL=system-ca.js.map

package/dist/shared/system-ca.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"system-ca.js","sourceRoot":"","sources":["../../src/shared/system-ca.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAEhC,IAAI,SAAS,GAAG,KAAK,CAAC;AAOtB,+EAA+E;AAC/E,6EAA6E;AAC7E,4EAA4E;AAC5E,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,MAAM,UAAU,gBAAgB;IAC9B,IAAI,SAAS;QAAE,OAAO;IACtB,SAAS,GAAG,IAAI,CAAC;IAEjB,MAAM,CAAC,GAAG,GAA2B,CAAC;IACtC,IAAI,CAAC,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,CAAC,wBAAwB;QAAE,OAAO;IAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAEtD,MAAM,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,gBAAgB,EAAE,GAAG,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC;IAC9D,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,OAAO,CAAC,CAAY,EAAE,MAA0B;IACvD,IAAI,CAAC;QACH,OAAO,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/shared/types.d.ts

@@ -0,0 +1,172 @@
+export type SessionState = 'clean' | 'caution' | 'tainted';
+export type RouterOutcome = 'HARD_TAINT' | 'SOFT_TAINT' | 'ESCALATE' | 'ALLOW';
+export type GateDecision = 'allow' | 'deny' | 'ask';
+export type EscalationDecision = 'once' | 'session' | 'block' | 'quarantine';
+export type UrlBlockDecision = 'block' | 'allow_once' | 'allow_persist';
+export interface Escalation {
+    kind?: 'tool-output' | 'url-block';
+    escalationId: string;
+    sessionId: string;
+    toolName: string;
+    resourceId: string;
+    analysisId: string | null;
+    branches: {
+        heuristics: number;
+        semantic: number;
+        llmGuard: number;
+    };
+    routerOutcome: RouterOutcome;
+    enqueuedAt: number;
+    url?: string;
+    host?: string;
+    vgeDecision?: string;
+    vgeArbiterSignal?: string;
+    vgeRuleAction?: string;
+    vgeScore?: number;
+    vgeCategories?: string[];
+    blockMessage?: string;
+}
+export interface SessionData {
+    sessionId: string;
+    parentSessionId: string | null;
+    createdAt: number;
+    lastActivity: number;
+    state: SessionState;
+    allowlist: Set<string>;
+    allowlistEscalationIds: Map<string, string>;
+    blocklist: Set<string>;
+    blocklistEscalationIds: Map<string, string>;
+    pendingEscalations: Escalation[];
+    escalationCount: number;
+    urlAllowOnce: Set<string>;
+    attachmentCursors: Map<string, AttachmentCursor>;
+    attachmentSeenFingerprints: string[];
+    attachmentAllowOnce: Set<string>;
+    promptAllowOnce: Set<string>;
+}
+export type AttachmentScanTerminalStatus = 'allowed' | 'pending_decision' | 'blocked_by_user' | 'allowed_by_user' | 'scan_failed_to_hitl' | 'skipped_by_policy';
+export interface AttachmentCursor {
+    offset: number;
+}
+export interface GuardBranches {
+    heuristics?: {
+        score: number;
+    } | null;
+    semantic?: {
+        score: number;
+    } | null;
+    llmGuard?: {
+        score: number;
+    } | null;
+}
+export interface GuardResponseSubset {
+    decision: 'ALLOWED' | 'BLOCKED' | 'SANITIZED';
+    score: number;
+    branches: GuardBranches;
+    arbiterSignal?: 'ALLOW' | 'BLOCK';
+    ruleAction?: 'ALLOW' | 'BLOCK' | 'LOG' | 'SANITIZE';
+    decisionFlags?: string[];
+    failOpen?: boolean;
+    id?: string;
+    blockMessage?: string;
+    threatLevel?: string;
+    confidence?: number;
+    categories?: string[];
+    localFallbackReason?: string;
+}
+export type BlockingDecisionKind = 'pretool_url' | 'posttool_output' | 'attachment_input' | 'prompt_input';
+export type BlockingDecisionChoice = 'allow_once' | 'allow_session' | 'block';
+export type BlockingDecisionStatus = 'pending' | 'resolved_allow_once' | 'resolved_allow_session' | 'resolved_block' | 'resolver_missing_fail_closed' | 'session_locked_fail_closed' | 'capacity_evicted' | 'dropped_on_restart';
+export type DecisionOwnerKind = 'session' | 'subagent';
+export type DecisionOwner = {
+    kind: 'session';
+    sessionId: string;
+} | {
+    kind: 'subagent';
+    sessionId: string;
+    agentId: string;
+    agentType?: string;
+};
+export interface BlockingDecisionVge {
+    id: string | null;
+    decision: GuardResponseSubset['decision'] | null;
+    arbiterSignal?: GuardResponseSubset['arbiterSignal'];
+    ruleAction?: GuardResponseSubset['ruleAction'];
+    score: number;
+    categories?: string[];
+    blockMessage?: string;
+    branches: {
+        heuristics: number;
+        semantic: number;
+        llmGuard: number;
+    };
+    origin?: 'vge' | 'local_fallback';
+}
+export interface BlockingDecision {
+    decisionId: string;
+    dedupKey: string;
+    sessionId: string;
+    owner?: DecisionOwner;
+    kind: BlockingDecisionKind;
+    toolName: string;
+    resourceId: string;
+    resourceLabel: string;
+    reason: string;
+    createdAt: number;
+    creationSequence?: number;
+    expiresAt: number;
+    status: BlockingDecisionStatus;
+    vge: BlockingDecisionVge;
+}
+export interface CCBasePayload {
+    session_id: string;
+    hook_event_name: string;
+    agent_id?: string;
+    agent_type?: string;
+    cwd?: string;
+    transcript_path?: string;
+    parent_session_id?: string;
+}
+export interface ConversationMessage {
+    role: 'system' | 'user' | 'assistant' | 'tool';
+    content: string;
+    toolName?: string;
+    toolId?: string;
+}
+export interface CCSessionStartPayload extends CCBasePayload {
+    hook_event_name: 'SessionStart';
+}
+export interface CCSessionEndPayload extends CCBasePayload {
+    hook_event_name: 'SessionEnd';
+}
+export interface CCUserPromptPayload extends CCBasePayload {
+    hook_event_name: 'UserPromptSubmit';
+    prompt: string;
+}
+export interface CCPreToolPayload extends CCBasePayload {
+    hook_event_name: 'PreToolUse';
+    tool_name: string;
+    tool_input: Record<string, unknown>;
+}
+export interface CCPostToolPayload extends CCBasePayload {
+    hook_event_name: 'PostToolUse';
+    tool_name: string;
+    tool_input: Record<string, unknown>;
+    tool_response?: unknown;
+    tool_error?: unknown;
+}
+export interface CCSubagentStartPayload extends CCBasePayload {
+    hook_event_name: 'SubagentStart';
+    agent_id: string;
+    agent_type?: string;
+}
+export interface CCSubagentStopPayload extends CCBasePayload {
+    hook_event_name: 'SubagentStop';
+    agent_id: string;
+    agent_type?: string;
+    agent_transcript_path?: string;
+    last_assistant_message?: string;
+    stop_hook_active?: boolean;
+}
+export type CCHookPayload = CCSessionStartPayload | CCSessionEndPayload | CCUserPromptPayload | CCPreToolPayload | CCPostToolPayload | CCSubagentStartPayload | CCSubagentStopPayload;
+//# sourceMappingURL=types.d.ts.map

package/dist/shared/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/shared/types.ts"],"names":[],"mappings":"AACA,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,SAAS,GAAG,SAAS,CAAC;AAG3D,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,YAAY,GAAG,UAAU,GAAG,OAAO,CAAC;AAG/E,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;AAGpD,MAAM,MAAM,kBAAkB,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,GAAG,YAAY,CAAC;AAE7E,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,YAAY,GAAG,eAAe,CAAC;AAGxE,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,aAAa,GAAG,WAAW,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAGD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,YAAY,CAAC;IAEpB,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACvB,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACvB,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,kBAAkB,EAAE,UAAU,EAAE,CAAC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1B,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACjD,0BAA0B,EAAE,MAAM,EAAE,CAAC;IACrC,mBAAmB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,MAAM,MAAM,4BAA4B,GACpC,SAAS,GACT,kBAAkB,GAClB,iBAAiB,GACjB,iBAAiB,GACjB,qBAAqB,GACrB,mBAAmB,CAAC;AAExB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;CAChB;AAID,MAAM,WAAW,aAAa;IAC5B,UAAU,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACpC,QAAQ,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACrC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,aAAa,CAAC;IACxB,aAAa,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IAClC,UAAU,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,KAAK,GAAG,UAAU,CAAC;IACpD,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAGD,MAAM,MAAM,oBAAoB,GAAG,aAAa,GAAG,iBAAiB,GAAG,kBAAkB,GAAG,cAAc,CAAC;AAE3G,MAAM,MAAM,sBAAsB,GAAG,YAAY,GAAG,eAAe,GAAG,OAAO,CAAC;AAE9E,MAAM,MAAM,sBAAsB,GAC9B,SAAS,GACT,qBAAqB,GACrB,wBAAwB,GACxB,gBAAgB,GAChB,8BAA8B,GAC9B,4BAA4B,GAC5B,kBAAkB,GAClB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,iBAAiB,GAAG,SAAS,GAAG,UAAU,CAAC;AAEvD,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACtC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjF,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,QAAQ,EAAE,mBAAmB,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;IACjD,aAAa,CAAC,EAAE,mBAAmB,CAAC,eAAe,CAAC,CAAC;IACrD,UAAU,CAAC,EAAE,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAC/C,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,MAAM,CAAC,EAAE,KAAK,GAAG,gBAAgB,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,IAAI,EAAE,oBAAoB,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,sBAAsB,CAAC;IAC/B,GAAG,EAAE,mBAAmB,CAAC;CAC1B;AAGD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,WAAW,GAAG,MAAM,CAAC;IAC/C,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAsB,SAAQ,aAAa;IAC1D,eAAe,EAAE,cAAc,CAAC;CACjC;AAED,MAAM,WAAW,mBAAoB,SAAQ,aAAa;IACxD,eAAe,EAAE,YAAY,CAAC;CAC/B;AAED,MAAM,WAAW,mBAAoB,SAAQ,aAAa;IACxD,eAAe,EAAE,kBAAkB,CAAC;IACpC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAiB,SAAQ,aAAa;IACrD,eAAe,EAAE,YAAY,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,iBAAkB,SAAQ,aAAa;IACtD,eAAe,EAAE,aAAa,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,sBAAuB,SAAQ,aAAa;IAC3D,eAAe,EAAE,eAAe,CAAC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,qBAAsB,SAAQ,aAAa;IAC1D,eAAe,EAAE,cAAc,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,mBAAmB,GACnB,mBAAmB,GACnB,gBAAgB,GAChB,iBAAiB,GACjB,sBAAsB,GACtB,qBAAqB,CAAC"}

package/dist/shared/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/shared/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/shared/types.ts"],"names":[],"mappings":""}

package/dist/shared/url-allowlist.d.ts

@@ -0,0 +1,4 @@
+export declare function normalizeUrlAllowlistPattern(pattern: string): string;
+export declare function isValidUrlAllowlistPattern(pattern: string): boolean;
+export declare function hostnameMatchesPattern(hostname: string, pattern: string): boolean;
+//# sourceMappingURL=url-allowlist.d.ts.map

package/dist/shared/url-allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-allowlist.d.ts","sourceRoot":"","sources":["../../src/shared/url-allowlist.ts"],"names":[],"mappings":"AAGA,wBAAgB,4BAA4B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAYnE;AAED,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CASjF"}

package/dist/shared/url-allowlist.js

@@ -0,0 +1,33 @@
+const HOST_LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
+const HOST_PATTERN_RE = new RegExp(`^(?:${HOST_LABEL}\\.)+${HOST_LABEL}$`);
+export function normalizeUrlAllowlistPattern(pattern) {
+    return pattern.trim().toLowerCase();
+}
+export function isValidUrlAllowlistPattern(pattern) {
+    const normalized = normalizeUrlAllowlistPattern(pattern);
+    if (!normalized)
+        return false;
+    if (normalized.includes('://') || normalized.includes('/') || normalized.includes('\\')) {
+        return false;
+    }
+    if (normalized.includes('*') && !normalized.startsWith('*.'))
+        return false;
+    if (normalized.startsWith('*.')) {
+        const suffix = normalized.slice(2);
+        return HOST_PATTERN_RE.test(suffix);
+    }
+    return HOST_PATTERN_RE.test(normalized);
+}
+export function hostnameMatchesPattern(hostname, pattern) {
+    const host = normalizeUrlAllowlistPattern(hostname);
+    const normalizedPattern = normalizeUrlAllowlistPattern(pattern);
+    if (!isValidUrlAllowlistPattern(normalizedPattern))
+        return false;
+    if (host === normalizedPattern)
+        return true;
+    if (!normalizedPattern.startsWith('*.'))
+        return host === normalizedPattern;
+    const suffix = normalizedPattern.slice(2);
+    return host.endsWith(`.${suffix}`);
+}
+//# sourceMappingURL=url-allowlist.js.map

package/dist/shared/url-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-allowlist.js","sourceRoot":"","sources":["../../src/shared/url-allowlist.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,GAAG,sCAAsC,CAAC;AAC1D,MAAM,eAAe,GAAG,IAAI,MAAM,CAAC,OAAO,UAAU,QAAQ,UAAU,GAAG,CAAC,CAAC;AAE3E,MAAM,UAAU,4BAA4B,CAAC,OAAe;IAC1D,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAe;IACxD,MAAM,UAAU,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IACzD,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACxF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,QAAgB,EAAE,OAAe;IACtE,MAAM,IAAI,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,iBAAiB,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IAChE,IAAI,CAAC,0BAA0B,CAAC,iBAAiB,CAAC;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,IAAI,KAAK,iBAAiB;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,KAAK,iBAAiB,CAAC;IAE3E,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1C,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;AACrC,CAAC"}

package/dist/shared/url-patterns.d.ts

@@ -0,0 +1,12 @@
+export declare function normalizeUrlHostPattern(pattern: string): string;
+export declare function isValidUrlHostPattern(pattern: string): boolean;
+export declare function hostnameMatchesUrlPattern(hostname: string, pattern: string): boolean;
+export declare function normalizeUrlScheme(scheme: string): string;
+export declare function isValidUrlScheme(scheme: string): boolean;
+export declare function normalizeCidr(cidr: string): string;
+export declare function isValidCidr(cidr: string): boolean;
+export declare function cidrContainsIp(ip: string, cidr: string): boolean;
+export declare function normalizeUrlGlobPattern(pattern: string): string;
+export declare function isValidUrlGlobPattern(pattern: string): boolean;
+export declare function urlMatchesGlobPattern(rawUrl: string, pattern: string): boolean;
+//# sourceMappingURL=url-patterns.d.ts.map

package/dist/shared/url-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-patterns.d.ts","sourceRoot":"","sources":["../../src/shared/url-patterns.ts"],"names":[],"mappings":"AASA,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAU9D;AAED,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CASpF;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGxD;AAED,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAYjD;AAED,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAuBhE;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAa9D;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAU9E"}