@zenalexa/unicli 0.217.0 → 0.218.0

package/dist/engine/browser/session-runtime.d.ts

@@ -0,0 +1,10 @@
+import type { IPage } from "../../types.js";
+import { type BrowserSessionLease, type BrowserSessionLeaseAuthPosture, type BrowserSessionLeaseTarget } from "./session-lease.js";
+export declare function enrichBrowserSessionLease(lease: BrowserSessionLease, page: IPage, options?: {
+    now?: () => Date;
+}): Promise<BrowserSessionLease>;
+export declare function assertBrowserSessionLeaseTargetCurrent(lease: BrowserSessionLease, page: IPage): Promise<void>;
+export declare function captureBrowserSessionTarget(page: IPage, now?: () => Date): Promise<BrowserSessionLeaseTarget | undefined>;
+export declare function captureBrowserSessionAuthPosture(page: IPage, now?: () => Date): Promise<BrowserSessionLeaseAuthPosture>;
+export declare function browserSessionTargetKey(target?: BrowserSessionLeaseTarget | null): string | undefined;
+//# sourceMappingURL=session-runtime.d.ts.map

package/dist/engine/browser/session-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-runtime.d.ts","sourceRoot":"","sources":["../../../src/engine/browser/session-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC/B,MAAM,oBAAoB,CAAC;AAe5B,wBAAsB,yBAAyB,CAC7C,KAAK,EAAE,mBAAmB,EAC1B,IAAI,EAAE,KAAK,EACX,OAAO,GAAE;IAAE,GAAG,CAAC,EAAE,MAAM,IAAI,CAAA;CAAO,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAY9B;AAED,wBAAsB,sCAAsC,CAC1D,KAAK,EAAE,mBAAmB,EAC1B,IAAI,EAAE,KAAK,GACV,OAAO,CAAC,IAAI,CAAC,CAcf;AAED,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,KAAK,EACX,GAAG,GAAE,MAAM,IAAuB,GACjC,OAAO,CAAC,yBAAyB,GAAG,SAAS,CAAC,CAqBhD;AAED,wBAAsB,gCAAgC,CACpD,IAAI,EAAE,KAAK,EACX,GAAG,GAAE,MAAM,IAAuB,GACjC,OAAO,CAAC,8BAA8B,CAAC,CAezC;AAED,wBAAgB,uBAAuB,CACrC,MAAM,CAAC,EAAE,yBAAyB,GAAG,IAAI,GACxC,MAAM,GAAG,SAAS,CASpB"}

package/dist/engine/browser/session-runtime.js

@@ -0,0 +1,87 @@
+import { BrowserSessionLeaseGuardError, } from "./session-lease.js";
+export async function enrichBrowserSessionLease(lease, page, options = {}) {
+    const now = options.now ?? (() => new Date());
+    const [target, auth] = await Promise.all([
+        captureBrowserSessionTarget(page, now),
+        captureBrowserSessionAuthPosture(page, now),
+    ]);
+    return {
+        ...lease,
+        ...(target ? { target } : {}),
+        auth,
+    };
+}
+export async function assertBrowserSessionLeaseTargetCurrent(lease, page) {
+    const expected = browserSessionTargetKey(lease.target);
+    if (!expected)
+        return;
+    const current = await captureBrowserSessionTarget(page);
+    const actual = browserSessionTargetKey(current);
+    if (!actual || actual === expected)
+        return;
+    throw new BrowserSessionLeaseGuardError("browser_target_mismatch", lease, expected, actual);
+}
+export async function captureBrowserSessionTarget(page, now = () => new Date()) {
+    const provided = await captureProvidedBrowserTarget(page, now);
+    if (provided)
+        return provided;
+    try {
+        const raw = (await page.sendCDP("Target.getTargetInfo"));
+        const info = raw?.targetInfo;
+        if (!info)
+            return undefined;
+        return {
+            kind: "cdp-target",
+            captured_at: now().toISOString(),
+            ...(info.targetId ? { target_id: info.targetId } : {}),
+            ...(info.type ? { target_type: info.type } : {}),
+            ...(info.url ? { url: info.url } : {}),
+            ...(info.title ? { title: info.title } : {}),
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+export async function captureBrowserSessionAuthPosture(page, now = () => new Date()) {
+    try {
+        const cookies = await page.cookies();
+        const cookieCount = Object.keys(cookies).length;
+        return {
+            state: cookieCount > 0 ? "cookies_present" : "no_cookies",
+            cookie_count: cookieCount,
+            captured_at: now().toISOString(),
+        };
+    }
+    catch {
+        return {
+            state: "unavailable",
+            captured_at: now().toISOString(),
+        };
+    }
+}
+export function browserSessionTargetKey(target) {
+    if (!target)
+        return undefined;
+    if (typeof target.tab_id === "number") {
+        return typeof target.window_id === "number"
+            ? `window:${String(target.window_id)}:tab:${String(target.tab_id)}`
+            : `tab:${String(target.tab_id)}`;
+    }
+    if (target.target_id)
+        return `target:${target.target_id}`;
+    return undefined;
+}
+async function captureProvidedBrowserTarget(page, now) {
+    const provider = page;
+    if (typeof provider.browserTargetInfo !== "function")
+        return undefined;
+    const target = await provider.browserTargetInfo().catch(() => null);
+    if (!target)
+        return undefined;
+    return {
+        ...target,
+        captured_at: target.captured_at ?? now().toISOString(),
+    };
+}
+//# sourceMappingURL=session-runtime.js.map

package/dist/engine/browser/session-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-runtime.js","sourceRoot":"","sources":["../../../src/engine/browser/session-runtime.ts"],"names":[],"mappings":"AACA,OAAO,EACL,6BAA6B,GAI9B,MAAM,oBAAoB,CAAC;AAe5B,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,KAA0B,EAC1B,IAAW,EACX,UAAgC,EAAE;IAElC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAC9C,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACvC,2BAA2B,CAAC,IAAI,EAAE,GAAG,CAAC;QACtC,gCAAgC,CAAC,IAAI,EAAE,GAAG,CAAC;KAC5C,CAAC,CAAC;IAEH,OAAO;QACL,GAAG,KAAK;QACR,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7B,IAAI;KACL,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,KAA0B,EAC1B,IAAW;IAEX,MAAM,QAAQ,GAAG,uBAAuB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO;IAEtB,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAAC,IAAI,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO;IAE3C,MAAM,IAAI,6BAA6B,CACrC,yBAAyB,EACzB,KAAK,EACL,QAAQ,EACR,MAAM,CACP,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,IAAW,EACX,MAAkB,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE;IAElC,MAAM,QAAQ,GAAG,MAAM,4BAA4B,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAE1C,CAAC;QACd,MAAM,IAAI,GAAG,GAAG,EAAE,UAAU,CAAC;QAC7B,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAC;QAC5B,OAAO;YACL,IAAI,EAAE,YAAY;YAClB,WAAW,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE;YAChC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,IAAW,EACX,MAAkB,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE;IAElC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;QAChD,OAAO;YACL,KAAK,EAAE,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,YAAY;YACzD,YAAY,EAAE,WAAW;YACzB,WAAW,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE;SACjC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,KAAK,EAAE,aAAa;YACpB,WAAW,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE;SACjC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAAyC;IAEzC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YACzC,CAAC,CAAC,UAAU,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;YACnE,CAAC,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;IACrC,CAAC;IACD,IAAI,MAAM,CAAC,SAAS;QAAE,OAAO,UAAU,MAAM,CAAC,SAAS,EAAE,CAAC;IAC1D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,IAAW,EACX,GAAe;IAEf,MAAM,QAAQ,GAAG,IAAyC,CAAC;IAC3D,IAAI,OAAO,QAAQ,CAAC,iBAAiB,KAAK,UAAU;QAAE,OAAO,SAAS,CAAC;IAEvE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO;QACL,GAAG,MAAM;QACT,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,GAAG,EAAE,CAAC,WAAW,EAAE;KACvD,CAAC;AACJ,CAAC"}

package/dist/engine/capability-policy.d.ts

@@ -12,19 +12,29 @@ export interface CapabilityDimension {
     reason?: string;
 }
 export type CapabilityDimensionMap = Record<CapabilityDimensionName, CapabilityDimension>;
+export interface CapabilityResourceScope {
+    domains: string[];
+    paths: string[];
+    executables: string[];
+    apps: string[];
+    accounts: string[];
+}
 export interface CapabilityScope {
     schema_version: "1";
     dimensions: CapabilityDimensionMap;
     summary: string[];
+    resources: CapabilityResourceScope;
+    resource_summary: string[];
 }
 export interface CapabilityApprovalMemory {
     schema_version: "1";
     key: string;
-    persistence: "not_persisted";
+    persistence: "not_persisted" | "persisted";
     profile: PermissionProfile;
-    decision: "not_approved" | "approved_for_invocation";
+    decision: "not_approved" | "approved_for_invocation" | "approved_by_memory";
     scope: {
         dimensions: Record<CapabilityDimensionName, CapabilityAccess>;
+        resources: CapabilityResourceScope;
     };
 }
 export declare function deriveCapabilityScope(input: OperationPolicyInput, effect: OperationEffect): CapabilityScope;
@@ -34,6 +44,7 @@ export declare function buildCapabilityApprovalMemory(input: {
     profile: PermissionProfile;
     effect: OperationEffect;
     approved: boolean;
+    approvalSource?: "none" | "invocation" | "env" | "memory";
     scope: CapabilityScope;
 }): CapabilityApprovalMemory;
 //# sourceMappingURL=capability-policy.d.ts.map

package/dist/engine/capability-policy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capability-policy.d.ts","sourceRoot":"","sources":["../../src/engine/capability-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EACV,eAAe,EACf,oBAAoB,EACpB,iBAAiB,EAClB,MAAM,uBAAuB,CAAC;AAE/B,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AACzD,MAAM,MAAM,uBAAuB,GAC/B,SAAS,GACT,SAAS,GACT,SAAS,GACT,MAAM,GACN,SAAS,GACT,SAAS,CAAC;AAEd,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,gBAAgB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,sBAAsB,GAAG,MAAM,CACzC,uBAAuB,EACvB,mBAAmB,CACpB,CAAC;AAEF,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,GAAG,CAAC;IACpB,UAAU,EAAE,sBAAsB,CAAC;IACnC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,cAAc,EAAE,GAAG,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,eAAe,CAAC;IAC7B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,QAAQ,EAAE,cAAc,GAAG,yBAAyB,CAAC;IACrD,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;KAC/D,CAAC;CACH;AAsID,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,oBAAoB,EAC3B,MAAM,EAAE,eAAe,GACtB,eAAe,CAgLjB;AAED,wBAAgB,6BAA6B,CAAC,KAAK,EAAE;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,MAAM,EAAE,eAAe,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,eAAe,CAAC;CACxB,GAAG,wBAAwB,CAgB3B"}
+{"version":3,"file":"capability-policy.d.ts","sourceRoot":"","sources":["../../src/engine/capability-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,eAAe,EACf,oBAAoB,EACpB,iBAAiB,EAClB,MAAM,uBAAuB,CAAC;AAE/B,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AACzD,MAAM,MAAM,uBAAuB,GAC/B,SAAS,GACT,SAAS,GACT,SAAS,GACT,MAAM,GACN,SAAS,GACT,SAAS,CAAC;AAEd,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,gBAAgB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,sBAAsB,GAAG,MAAM,CACzC,uBAAuB,EACvB,mBAAmB,CACpB,CAAC;AAEF,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,GAAG,CAAC;IACpB,UAAU,EAAE,sBAAsB,CAAC;IACnC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,uBAAuB,CAAC;IACnC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,wBAAwB;IACvC,cAAc,EAAE,GAAG,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,eAAe,GAAG,WAAW,CAAC;IAC3C,OAAO,EAAE,iBAAiB,CAAC;IAC3B,QAAQ,EAAE,cAAc,GAAG,yBAAyB,GAAG,oBAAoB,CAAC;IAC5E,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,CAAC,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;QAC9D,SAAS,EAAE,uBAAuB,CAAC;KACpC,CAAC;CACH;AAmPD,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,oBAAoB,EAC3B,MAAM,EAAE,eAAe,GACtB,eAAe,CAoLjB;AAiBD,wBAAgB,6BAA6B,CAAC,KAAK,EAAE;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,MAAM,EAAE,eAAe,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,KAAK,GAAG,QAAQ,CAAC;IAC1D,KAAK,EAAE,eAAe,CAAC;CACxB,GAAG,wBAAwB,CAyB3B"}

package/dist/engine/capability-policy.js

@@ -4,6 +4,7 @@
  * This is deliberately deterministic and metadata-only: it classifies the
  * command contract, not user-provided runtime values.
  */
+import { createHash } from "node:crypto";
 import { AdapterType } from "../types.js";
 const DIMENSION_ORDER = [
     "network",
@@ -20,6 +21,19 @@ const WEB_STRATEGIES = new Set([
     "intercept",
     "ui",
 ]);
+const PATH_ARG_NAMES = new Set([
+    "dir",
+    "directory",
+    "file",
+    "filename",
+    "folder",
+    "input",
+    "out",
+    "output",
+    "path",
+    "source",
+    "destination",
+]);
 function emptyDimensions() {
     return {
         network: { access: "none" },
@@ -30,6 +44,15 @@ function emptyDimensions() {
         account: { access: "none" },
     };
 }
+function emptyResources() {
+    return {
+        domains: [],
+        paths: [],
+        executables: [],
+        apps: [],
+        accounts: [],
+    };
+}
 function accessRank(access) {
     switch (access) {
         case "write":
@@ -46,6 +69,62 @@ function promoteAccess(dimensions, name, access, reason) {
         dimensions[name] = { access, reason };
     }
 }
+function normalizedUnique(values) {
+    return Array.from(new Set(values
+        .map((value) => value.trim().toLowerCase())
+        .filter((value) => value.length > 0))).sort();
+}
+function normalizeDomain(value) {
+    if (!value)
+        return undefined;
+    const raw = value.trim();
+    if (raw.length === 0)
+        return undefined;
+    try {
+        const url = new URL(raw.includes("://") ? raw : `https://${raw}`);
+        return url.host.toLowerCase();
+    }
+    catch {
+        return raw
+            .replace(/^https?:\/\//i, "")
+            .split("/")[0]
+            ?.trim()
+            .toLowerCase();
+    }
+}
+function pathArgSlots(input) {
+    return normalizedUnique((input.args ?? []).flatMap((arg) => {
+        const name = arg.name.trim().toLowerCase();
+        return PATH_ARG_NAMES.has(name) ? [`arg:${name}`] : [];
+    }));
+}
+function deriveResourceScope(input, dimensions) {
+    const resources = emptyResources();
+    if (dimensions.network.access !== "none" ||
+        dimensions.browser.access !== "none") {
+        const domain = normalizeDomain(input.domain ?? input.base);
+        resources.domains = domain ? [domain] : [];
+    }
+    if (dimensions.account.access !== "none") {
+        resources.accounts = [input.site];
+    }
+    if (dimensions.desktop.access !== "none") {
+        resources.apps = [input.site];
+    }
+    if (dimensions.process.access !== "none") {
+        resources.executables = [input.site];
+    }
+    if (dimensions.file.access !== "none") {
+        resources.paths = pathArgSlots(input);
+    }
+    return {
+        domains: normalizedUnique(resources.domains),
+        paths: normalizedUnique(resources.paths),
+        executables: normalizedUnique(resources.executables),
+        apps: normalizedUnique(resources.apps),
+        accounts: normalizedUnique(resources.accounts),
+    };
+}
 function effectAccess(effect) {
     return effect === "read" ? "read" : "write";
 }
@@ -97,6 +176,15 @@ function summaryFor(dimensions) {
         return access === "none" ? [] : [`${name}:${access}`];
     });
 }
+function resourceSummaryFor(resources) {
+    return [
+        ...resources.domains.map((value) => `domain:${value}`),
+        ...resources.accounts.map((value) => `account:${value}`),
+        ...resources.apps.map((value) => `app:${value}`),
+        ...resources.executables.map((value) => `process:${value}`),
+        ...resources.paths.map((value) => `path:${value}`),
+    ];
+}
 function accessMapFor(dimensions) {
     return {
         network: dimensions.network.access,
@@ -172,23 +260,45 @@ export function deriveCapabilityScope(input, effect) {
             ? "reads through an external CLI"
             : "may write through an external CLI");
     }
+    const resources = deriveResourceScope(input, dimensions);
     return {
         schema_version: "1",
         dimensions,
         summary: summaryFor(dimensions),
+        resources,
+        resource_summary: resourceSummaryFor(resources),
     };
 }
+function resourceFingerprintFor(resources) {
+    return createHash("sha256")
+        .update(JSON.stringify({
+        accounts: normalizedUnique(resources.accounts),
+        apps: normalizedUnique(resources.apps),
+        domains: normalizedUnique(resources.domains),
+        executables: normalizedUnique(resources.executables),
+        paths: normalizedUnique(resources.paths),
+    }))
+        .digest("hex")
+        .slice(0, 16);
+}
 export function buildCapabilityApprovalMemory(input) {
     const dimensionAccess = accessMapFor(input.scope.dimensions);
     const dimensionKey = DIMENSION_ORDER.map((name) => `${name}:${dimensionAccess[name]}`).join(",");
+    const resourceKey = resourceFingerprintFor(input.scope.resources);
+    const approvalSource = input.approvalSource ?? (input.approved ? "invocation" : "none");
     return {
         schema_version: "1",
-        key: `cap:1:${input.site}.${input.command}:${input.profile}:${input.effect}:${dimensionKey}`,
-        persistence: "not_persisted",
+        key: `cap:1:${input.site}.${input.command}:${input.profile}:${input.effect}:${dimensionKey}:res:${resourceKey}`,
+        persistence: approvalSource === "memory" ? "persisted" : "not_persisted",
         profile: input.profile,
-        decision: input.approved ? "approved_for_invocation" : "not_approved",
+        decision: approvalSource === "memory"
+            ? "approved_by_memory"
+            : input.approved
+                ? "approved_for_invocation"
+                : "not_approved",
         scope: {
             dimensions: dimensionAccess,
+            resources: input.scope.resources,
         },
     };
 }

package/dist/engine/capability-policy.js.map

@@ -1 +1 @@
-{"version":3,"file":"capability-policy.js","sourceRoot":"","sources":["../../src/engine/capability-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAsB,MAAM,aAAa,CAAC;AA2C9D,MAAM,eAAe,GAA8B;IACjD,SAAS;IACT,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,SAAS;CACV,CAAC;AAEF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,IAAI;CACL,CAAC,CAAC;AAEH,SAAS,eAAe;IACtB,OAAO;QACL,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QACxB,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,MAAwB;IAC1C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,OAAO;YACV,OAAO,CAAC,CAAC;QACX,KAAK,MAAM;YACT,OAAO,CAAC,CAAC;QACX,KAAK,MAAM;YACT,OAAO,CAAC,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,UAAkC,EAClC,IAA6B,EAC7B,MAAyC,EACzC,MAAc;IAEd,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACrD,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACxC,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,MAAuB;IAEvB,OAAO,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;AAC9C,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAuB;IACrD,OAAO,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,QAAQ,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,IAAI,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC3D,IAAI,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9D,OAAO,CACL,CAAC,KAAK,CAAC,aAAa,KAAK,SAAS,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,aAAa,KAAK,KAAK;QAC7B,KAAK,CAAC,aAAa,KAAK,QAAQ;QAChC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CACrE,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,OAAO,CACL,KAAK,CAAC,OAAO,KAAK,IAAI;QACtB,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,QAAQ,KAAK,WAAW;QAC9B,KAAK,CAAC,QAAQ,KAAK,IAAI,CACxB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,OAAO,CACL,KAAK,CAAC,aAAa,KAAK,SAAS;QACjC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO,CAC1C,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,IAAI,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC5D,OAAO,CACL,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM;QACxC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,aAAa,KAAK,SAAS;QACjC,KAAK,CAAC,aAAa,KAAK,QAAQ,CACjC,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAA2B;IACzD,IACE,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM;QACxC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC,EAC3C,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,gBAAgB,CAAC,KAAK,CAAC,IAAI,gBAAgB,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU,CAAC,UAAkC;IACpD,OAAO,eAAe,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACvC,OAAO,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CACnB,UAAkC;IAElC,OAAO;QACL,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM;QAC5B,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;KACnC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,KAA2B,EAC3B,MAAuB;IAEvB,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAE/C,IAAI,cAAc,EAAE,CAAC;QACnB,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,KAAK,MAAM;YACf,CAAC,CAAC,8BAA8B;YAChC,CAAC,CAAC,+CAA+C,CACpD,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,KAAK,MAAM;YACf,CAAC,CAAC,kCAAkC;YACpC,CAAC,CAAC,sCAAsC,CAC3C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,cAAc,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC9D,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,6BAA6B,CAC9B,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,gDAAgD,CACjD,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,eAAe,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC/D,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,MAAM,KAAK,eAAe;YACxB,CAAC,CAAC,+BAA+B;YACjC,CAAC,CAAC,qCAAqC,CAC1C,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,MAAM,KAAK,eAAe;YACxB,CAAC,CAAC,2CAA2C;YAC7C,CAAC,CAAC,oCAAoC,CACzC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,eAAe,EAAE,CAAC;QAC/B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,8CAA8C,CAC/C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,aAAa,IAAI,sBAAsB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9D,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,0CAA0C,CAC3C,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,aAAa,IAAI,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QAC5E,aAAa,CACX,UAAU,EACV,MAAM,EACN,OAAO,EACP,iCAAiC,CAClC,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,qCAAqC,CACtC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAC3B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,qCAAqC,CACtC,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,oCAAoC,CACrC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QAC5B,aAAa,CACX,UAAU,EACV,MAAM,EACN,OAAO,EACP,kCAAkC,CACnC,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,4CAA4C,CAC7C,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACxC,aAAa,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,2BAA2B,CAAC,CAAC;IAC5E,CAAC;SAAM,IAAI,cAAc,EAAE,CAAC;QAC1B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,uCAAuC,CACxC,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACxC,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,+BAA+B,CAChC,CAAC;IACJ,CAAC;SAAM,IAAI,cAAc,EAAE,CAAC;QAC1B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,8BAA8B,CAC/B,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;QAC7C,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,KAAK,MAAM;YACf,CAAC,CAAC,+BAA+B;YACjC,CAAC,CAAC,mCAAmC,CACxC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,UAAU;QACV,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,KAO7C;IACC,MAAM,eAAe,GAAG,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7D,MAAM,YAAY,GAAG,eAAe,CAAC,GAAG,CACtC,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAC7C,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEZ,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,GAAG,EAAE,SAAS,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,MAAM,IAAI,YAAY,EAAE;QAC5F,WAAW,EAAE,eAAe;QAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,cAAc;QACrE,KAAK,EAAE;YACL,UAAU,EAAE,eAAe;SAC5B;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"capability-policy.js","sourceRoot":"","sources":["../../src/engine/capability-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAsB,MAAM,aAAa,CAAC;AAsD9D,MAAM,eAAe,GAA8B;IACjD,SAAS;IACT,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,SAAS;CACV,CAAC;AAEF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,IAAI;CACL,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,KAAK;IACL,WAAW;IACX,MAAM;IACN,UAAU;IACV,QAAQ;IACR,OAAO;IACP,KAAK;IACL,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,aAAa;CACd,CAAC,CAAC;AAEH,SAAS,eAAe;IACtB,OAAO;QACL,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QACxB,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;QAC3B,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,cAAc;IACrB,OAAO;QACL,OAAO,EAAE,EAAE;QACX,KAAK,EAAE,EAAE;QACT,WAAW,EAAE,EAAE;QACf,IAAI,EAAE,EAAE;QACR,QAAQ,EAAE,EAAE;KACb,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,MAAwB;IAC1C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,OAAO;YACV,OAAO,CAAC,CAAC;QACX,KAAK,MAAM;YACT,OAAO,CAAC,CAAC;QACX,KAAK,MAAM;YACT,OAAO,CAAC,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,UAAkC,EAClC,IAA6B,EAC7B,MAAyC,EACzC,MAAc;IAEd,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACrD,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACxC,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAgB;IACxC,OAAO,KAAK,CAAC,IAAI,CACf,IAAI,GAAG,CACL,MAAM;SACH,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;SAC1C,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CACvC,CACF,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAEvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE,CAAC,CAAC;QAClE,OAAO,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG;aACP,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;aAC5B,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACd,EAAE,IAAI,EAAE;aACP,WAAW,EAAE,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAA2B;IAC/C,OAAO,gBAAgB,CACrB,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,OAAO,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACzD,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAA2B,EAC3B,UAAkC;IAElC,MAAM,SAAS,GAAG,cAAc,EAAE,CAAC;IAEnC,IACE,UAAU,CAAC,OAAO,CAAC,MAAM,KAAK,MAAM;QACpC,UAAU,CAAC,OAAO,CAAC,MAAM,KAAK,MAAM,EACpC,CAAC;QACD,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3D,SAAS,CAAC,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7C,CAAC;IAED,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACzC,SAAS,CAAC,QAAQ,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACzC,SAAS,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACzC,SAAS,CAAC,WAAW,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACtC,SAAS,CAAC,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IAED,OAAO;QACL,OAAO,EAAE,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC;QAC5C,KAAK,EAAE,gBAAgB,CAAC,SAAS,CAAC,KAAK,CAAC;QACxC,WAAW,EAAE,gBAAgB,CAAC,SAAS,CAAC,WAAW,CAAC;QACpD,IAAI,EAAE,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC;QACtC,QAAQ,EAAE,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,MAAuB;IAEvB,OAAO,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;AAC9C,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAuB;IACrD,OAAO,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,QAAQ,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,IAAI,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC3D,IAAI,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9D,OAAO,CACL,CAAC,KAAK,CAAC,aAAa,KAAK,SAAS,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC;QACtE,KAAK,CAAC,aAAa,KAAK,KAAK;QAC7B,KAAK,CAAC,aAAa,KAAK,QAAQ;QAChC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CACrE,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,OAAO,CACL,KAAK,CAAC,OAAO,KAAK,IAAI;QACtB,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,QAAQ,KAAK,WAAW;QAC9B,KAAK,CAAC,QAAQ,KAAK,IAAI,CACxB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,OAAO,CACL,KAAK,CAAC,aAAa,KAAK,SAAS;QACjC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO,CAC1C,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA2B;IACnD,IAAI,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC5D,OAAO,CACL,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM;QACxC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,aAAa,KAAK,SAAS;QACjC,KAAK,CAAC,aAAa,KAAK,QAAQ,CACjC,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAA2B;IACzD,IACE,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM;QACxC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,OAAO;QACzC,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC,EAC3C,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,gBAAgB,CAAC,KAAK,CAAC,IAAI,gBAAgB,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU,CAAC,UAAkC;IACpD,OAAO,eAAe,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACvC,OAAO,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,SAAkC;IAC5D,OAAO;QACL,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,KAAK,EAAE,CAAC;QACtD,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,KAAK,EAAE,CAAC;QACxD,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,EAAE,CAAC;QAChD,GAAG,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,KAAK,EAAE,CAAC;QAC3D,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,QAAQ,KAAK,EAAE,CAAC;KACnD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,UAAkC;IAElC,OAAO;QACL,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,MAAM;QAC5B,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;QAClC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;KACnC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,KAA2B,EAC3B,MAAuB;IAEvB,MAAM,UAAU,GAAG,eAAe,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAE/C,IAAI,cAAc,EAAE,CAAC;QACnB,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,KAAK,MAAM;YACf,CAAC,CAAC,8BAA8B;YAChC,CAAC,CAAC,+CAA+C,CACpD,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,KAAK,MAAM;YACf,CAAC,CAAC,kCAAkC;YACpC,CAAC,CAAC,sCAAsC,CAC3C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,cAAc,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC9D,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,6BAA6B,CAC9B,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,gDAAgD,CACjD,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,eAAe,IAAI,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC/D,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,MAAM,KAAK,eAAe;YACxB,CAAC,CAAC,+BAA+B;YACjC,CAAC,CAAC,qCAAqC,CAC1C,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,MAAM,KAAK,eAAe;YACxB,CAAC,CAAC,2CAA2C;YAC7C,CAAC,CAAC,oCAAoC,CACzC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,eAAe,EAAE,CAAC;QAC/B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,8CAA8C,CAC/C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,aAAa,IAAI,sBAAsB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9D,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,0CAA0C,CAC3C,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,aAAa,IAAI,sBAAsB,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QAC5E,aAAa,CACX,UAAU,EACV,MAAM,EACN,OAAO,EACP,iCAAiC,CAClC,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,qCAAqC,CACtC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAC3B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,qCAAqC,CACtC,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,oCAAoC,CACrC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QAC5B,aAAa,CACX,UAAU,EACV,MAAM,EACN,OAAO,EACP,kCAAkC,CACnC,CAAC;QACF,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,4CAA4C,CAC7C,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACxC,aAAa,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,2BAA2B,CAAC,CAAC;IAC5E,CAAC;SAAM,IAAI,cAAc,EAAE,CAAC;QAC1B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,uCAAuC,CACxC,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACxC,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,+BAA+B,CAChC,CAAC;IACJ,CAAC;SAAM,IAAI,cAAc,EAAE,CAAC;QAC1B,aAAa,CACX,UAAU,EACV,SAAS,EACT,OAAO,EACP,8BAA8B,CAC/B,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;QAC7C,aAAa,CACX,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,KAAK,MAAM;YACf,CAAC,CAAC,+BAA+B;YACjC,CAAC,CAAC,mCAAmC,CACxC,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEzD,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,UAAU;QACV,OAAO,EAAE,UAAU,CAAC,UAAU,CAAC;QAC/B,SAAS;QACT,gBAAgB,EAAE,kBAAkB,CAAC,SAAS,CAAC;KAChD,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,SAAkC;IAChE,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CACL,IAAI,CAAC,SAAS,CAAC;QACb,QAAQ,EAAE,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC;QAC9C,IAAI,EAAE,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC;QACtC,OAAO,EAAE,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC;QAC5C,WAAW,EAAE,gBAAgB,CAAC,SAAS,CAAC,WAAW,CAAC;QACpD,KAAK,EAAE,gBAAgB,CAAC,SAAS,CAAC,KAAK,CAAC;KACzC,CAAC,CACH;SACA,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,KAQ7C;IACC,MAAM,eAAe,GAAG,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7D,MAAM,YAAY,GAAG,eAAe,CAAC,GAAG,CACtC,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAC7C,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,MAAM,WAAW,GAAG,sBAAsB,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAClE,MAAM,cAAc,GAClB,KAAK,CAAC,cAAc,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,cAAc,EAAE,GAAG;QACnB,GAAG,EAAE,SAAS,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,MAAM,IAAI,YAAY,QAAQ,WAAW,EAAE;QAC/G,WAAW,EAAE,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe;QACxE,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EACN,cAAc,KAAK,QAAQ;YACzB,CAAC,CAAC,oBAAoB;YACtB,CAAC,CAAC,KAAK,CAAC,QAAQ;gBACd,CAAC,CAAC,yBAAyB;gBAC3B,CAAC,CAAC,cAAc;QACtB,KAAK,EAAE;YACL,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,SAAS;SACjC;KACF,CAAC;AACJ,CAAC"}

package/dist/engine/chromium-cookies-platform.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Per-platform Chromium cookie key derivation, keystore lookup, and decrypt.
+ *
+ * The three platforms diverge meaningfully:
+ *
+ *   macOS  — Keychain `security` CLI → password (≤24 ASCII chars)
+ *            PBKDF2-SHA1(saltysalt, 1003, 16) → 16-byte AES key
+ *            v10/v11 prefix + AES-128-CBC + IV=16×0x20 + PKCS7
+ *            32-byte SHA256 integrity prefix on plaintext (M122+)
+ *
+ *   Linux  — libsecret/KWallet via `secret-tool` → password
+ *              fallback to literal "peanuts" if no keyring (Chromium HEAD)
+ *            PBKDF2-SHA1(saltysalt, **1**, 16) → 16-byte AES key   (CRITICAL)
+ *            v10/v11 prefix + AES-128-CBC + IV=16×0x20 + PKCS7
+ *            NO integrity prefix
+ *
+ *   Windows — `Local State` → os_crypt.encrypted_key (base64)
+ *             strip "DPAPI" 5-byte prefix
+ *             CryptUnprotectData(CurrentUser) via PowerShell → 32-byte master
+ *             v10 prefix + 12-byte nonce + AES-256-GCM(ct + 16-byte tag, master)
+ *             32-byte SHA256 integrity prefix on plaintext
+ *             v20 (Chrome 127+ App-Bound Encryption) is BLOCKED for external
+ *             processes by design; we surface encryption_unsupported and
+ *             suggest CDP fallback rather than ship a brittle bypass.
+ *
+ * All three platforms validate the prefix bytes to detect format drift early.
+ */
+import { type BrowserId } from "./chromium-cookies-types.js";
+export type Platform = "darwin" | "linux" | "win32";
+export declare function currentPlatform(): Platform;
+interface KeystoreSpec {
+    /** macOS: Keychain service labels to probe in order. */
+    macLabels?: readonly string[];
+    /** macOS: Keychain account candidates per label. */
+    macAccounts?: readonly string[];
+    /** Linux: secret-tool `application` attribute. */
+    linuxApp?: string;
+    /** Linux: secret-tool xdg:schema attribute. */
+    linuxSchema?: string;
+    /**
+     * Windows: Local State path relative to the user-data root. Each browser
+     * stores its master key here; we read it once and feed DPAPI.
+     */
+    winLocalStateRel?: string;
+}
+export declare function _resetSecretCache(): void;
+export declare function getEncryptionSecret(browser: BrowserId, platform: Platform, spec: KeystoreSpec, userDataRoot: string): Buffer | string;
+/**
+ * Derive the AES key from the platform secret. macOS uses 1003 PBKDF2
+ * iterations; Linux uses **1** iteration (Chromium's
+ * `kEncryptionIterations = 1` for `freedesktop_secret_key_provider.cc`).
+ * Windows passes through — DPAPI already returned a 32-byte master.
+ */
+export declare function deriveKey(secret: Buffer | string, platform: Platform): Buffer;
+/**
+ * Decrypt a single Chromium-encrypted cookie value.
+ *
+ *  • Empty buffer        → empty string
+ *  • No `vNN` prefix     → raw bytes (legacy unencrypted)
+ *  • `v10`/`v11` macOS   → AES-128-CBC, strip 32-byte SHA256 prefix when present
+ *  • `v10`/`v11` Linux   → AES-128-CBC, NO integrity prefix
+ *  • `v10`        Win    → AES-256-GCM with 12-byte nonce + 16-byte tag,
+ *                          strip 32-byte SHA256 prefix
+ *  • `v20`        Win    → encryption_unsupported (App-Bound Encryption)
+ */
+export declare function decryptValue(encrypted: Buffer, key: Buffer, platform: Platform): string;
+export declare const KEYSTORE_SPECS: Record<BrowserId, KeystoreSpec>;
+export {};
+//# sourceMappingURL=chromium-cookies-platform.d.ts.map

package/dist/engine/chromium-cookies-platform.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chromium-cookies-platform.d.ts","sourceRoot":"","sources":["../../src/engine/chromium-cookies-platform.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAMH,OAAO,EAEL,KAAK,SAAS,EACf,MAAM,6BAA6B,CAAC;AAErC,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,CAAC;AAEpD,wBAAgB,eAAe,IAAI,QAAQ,CAQ1C;AAMD,UAAU,YAAY;IACpB,wDAAwD;IACxD,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC9B,oDAAoD;IACpD,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAChC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+CAA+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAcD,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAED,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,SAAS,EAClB,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,YAAY,EAClB,YAAY,EAAE,MAAM,GACnB,MAAM,GAAG,MAAM,CAkBjB;AAgJD;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAsB7E;AASD;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAC1B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,QAAQ,GACjB,MAAM,CAmCR;AAkDD,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAwC1D,CAAC"}