agent-threat-rules 0.2.1 → 0.3.0

package/dist/converters/elastic.js

@@ -0,0 +1,125 @@
+/**
+ * ATR-to-Elastic Query DSL Converter
+ *
+ * Converts ATR YAML rules into Elasticsearch Query DSL (JSON) that
+ * a SOC analyst can use in Kibana or the Elasticsearch API.
+ *
+ * @module agent-threat-rules/converters/elastic
+ */
+/**
+ * Convert a single ATR array condition to an Elastic Query DSL clause.
+ */
+function conditionToElastic(cond) {
+    const field = cond.field;
+    const value = cond.value;
+    switch (cond.operator) {
+        case 'regex':
+            return {
+                regexp: {
+                    [field]: {
+                        value: value,
+                        flags: 'ALL',
+                        case_insensitive: true,
+                    },
+                },
+            };
+        case 'contains':
+            return {
+                wildcard: {
+                    [field]: {
+                        value: `*${value}*`,
+                        case_insensitive: true,
+                    },
+                },
+            };
+        case 'exact':
+            return {
+                term: {
+                    [field]: value,
+                },
+            };
+        case 'starts_with':
+            return {
+                prefix: {
+                    [field]: {
+                        value: value,
+                        case_insensitive: true,
+                    },
+                },
+            };
+        case 'gt':
+            return { range: { [field]: { gt: Number(value) } } };
+        case 'lt':
+            return { range: { [field]: { lt: Number(value) } } };
+        case 'gte':
+            return { range: { [field]: { gte: Number(value) } } };
+        case 'lte':
+            return { range: { [field]: { lte: Number(value) } } };
+        case 'eq':
+            return { term: { [field]: Number(value) } };
+        default:
+            // Fallback: wildcard contains
+            return {
+                wildcard: {
+                    [field]: {
+                        value: `*${value}*`,
+                        case_insensitive: true,
+                    },
+                },
+            };
+    }
+}
+/**
+ * Convert an ATR rule to an Elasticsearch Query DSL object.
+ *
+ * Returns a JSON-serializable object with _meta and query fields.
+ * - "any" condition logic -> bool.should with minimum_should_match=1
+ * - "all" condition logic -> bool.must
+ */
+export function ruleToElastic(rule) {
+    const conditions = rule.detection.conditions;
+    const logic = rule.detection.condition;
+    const meta = {
+        rule_id: rule.id,
+        title: rule.title,
+        severity: rule.severity,
+        category: rule.tags.category,
+        source_type: rule.agent_source.type,
+        condition_logic: logic,
+    };
+    if (!Array.isArray(conditions)) {
+        // Named-map format: return empty query with warning
+        return {
+            _meta: meta,
+            query: {
+                bool: {
+                    should: [],
+                    minimum_should_match: 0,
+                },
+            },
+        };
+    }
+    const arrayConditions = conditions;
+    const clauses = arrayConditions.map(conditionToElastic);
+    if (logic === 'all') {
+        return {
+            _meta: meta,
+            query: {
+                bool: {
+                    must: clauses,
+                },
+            },
+        };
+    }
+    // Default: "any" -> should
+    return {
+        _meta: meta,
+        query: {
+            bool: {
+                should: clauses,
+                minimum_should_match: 1,
+            },
+        },
+    };
+}
+//# sourceMappingURL=elastic.js.map

package/dist/converters/elastic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"elastic.js","sourceRoot":"","sources":["../../src/converters/elastic.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAsBH;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAuB;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAEzB,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtB,KAAK,OAAO;YACV,OAAO;gBACL,MAAM,EAAE;oBACN,CAAC,KAAK,CAAC,EAAE;wBACP,KAAK,EAAE,KAAK;wBACZ,KAAK,EAAE,KAAK;wBACZ,gBAAgB,EAAE,IAAI;qBACvB;iBACF;aACF,CAAC;QAEJ,KAAK,UAAU;YACb,OAAO;gBACL,QAAQ,EAAE;oBACR,CAAC,KAAK,CAAC,EAAE;wBACP,KAAK,EAAE,IAAI,KAAK,GAAG;wBACnB,gBAAgB,EAAE,IAAI;qBACvB;iBACF;aACF,CAAC;QAEJ,KAAK,OAAO;YACV,OAAO;gBACL,IAAI,EAAE;oBACJ,CAAC,KAAK,CAAC,EAAE,KAAK;iBACf;aACF,CAAC;QAEJ,KAAK,aAAa;YAChB,OAAO;gBACL,MAAM,EAAE;oBACN,CAAC,KAAK,CAAC,EAAE;wBACP,KAAK,EAAE,KAAK;wBACZ,gBAAgB,EAAE,IAAI;qBACvB;iBACF;aACF,CAAC;QAEJ,KAAK,IAAI;YACP,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QAEvD,KAAK,IAAI;YACP,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QAEvD,KAAK,KAAK;YACR,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QAExD,KAAK,KAAK;YACR,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QAExD,KAAK,IAAI;YACP,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QAE9C;YACE,8BAA8B;YAC9B,OAAO;gBACL,QAAQ,EAAE;oBACR,CAAC,KAAK,CAAC,EAAE;wBACP,KAAK,EAAE,IAAI,KAAK,GAAG;wBACnB,gBAAgB,EAAE,IAAI;qBACvB;iBACF;aACF,CAAC;IACN,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAAa;IACzC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;IAEvC,MAAM,IAAI,GAAG;QACX,OAAO,EAAE,IAAI,CAAC,EAAE;QAChB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;QAC5B,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI;QACnC,eAAe,EAAE,KAAK;KACvB,CAAC;IAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,oDAAoD;QACpD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,KAAK,EAAE;gBACL,IAAI,EAAE;oBACJ,MAAM,EAAE,EAAE;oBACV,oBAAoB,EAAE,CAAC;iBACxB;aACF;SACF,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,UAAiC,CAAC;IAC1D,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAExD,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,OAAO;YACL,KAAK,EAAE,IAAI;YACX,KAAK,EAAE;gBACL,IAAI,EAAE;oBACJ,IAAI,EAAE,OAAO;iBACd;aACF;SACF,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,KAAK,EAAE,IAAI;QACX,KAAK,EAAE;YACL,IAAI,EAAE;gBACJ,MAAM,EAAE,OAAO;gBACf,oBAAoB,EAAE,CAAC;aACxB;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/converters/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * ATR SIEM Query Converter
+ *
+ * Converts ATR YAML rules into SIEM-specific query formats
+ * (Splunk SPL and Elasticsearch Query DSL).
+ *
+ * @module agent-threat-rules/converters
+ */
+import type { ATRRule } from '../types.js';
+export type SIEMFormat = 'splunk' | 'elastic';
+export interface ConvertedQuery {
+    readonly ruleId: string;
+    readonly title: string;
+    readonly severity: string;
+    readonly format: SIEMFormat;
+    readonly query: string;
+}
+/**
+ * Convert a single ATR rule to a SIEM query.
+ */
+export declare function convertRule(rule: ATRRule, format: SIEMFormat): ConvertedQuery;
+/**
+ * Convert all ATR rules in a directory to SIEM queries.
+ */
+export declare function convertAllRules(rulesDir: string, format: SIEMFormat): readonly ConvertedQuery[];
+export { ruleToSPL } from './splunk.js';
+export { ruleToElastic } from './elastic.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/converters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/converters/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAK3C,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE9C,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,GAAG,cAAc,CAY7E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,SAAS,cAAc,EAAE,CAG/F;AAED,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}

package/dist/converters/index.js

@@ -0,0 +1,36 @@
+/**
+ * ATR SIEM Query Converter
+ *
+ * Converts ATR YAML rules into SIEM-specific query formats
+ * (Splunk SPL and Elasticsearch Query DSL).
+ *
+ * @module agent-threat-rules/converters
+ */
+import { loadRulesFromDirectory } from '../loader.js';
+import { ruleToSPL } from './splunk.js';
+import { ruleToElastic } from './elastic.js';
+/**
+ * Convert a single ATR rule to a SIEM query.
+ */
+export function convertRule(rule, format) {
+    const query = format === 'splunk'
+        ? ruleToSPL(rule)
+        : JSON.stringify(ruleToElastic(rule), null, 2);
+    return {
+        ruleId: rule.id,
+        title: rule.title,
+        severity: rule.severity,
+        format,
+        query,
+    };
+}
+/**
+ * Convert all ATR rules in a directory to SIEM queries.
+ */
+export function convertAllRules(rulesDir, format) {
+    const rules = loadRulesFromDirectory(rulesDir);
+    return rules.map(rule => convertRule(rule, format));
+}
+export { ruleToSPL } from './splunk.js';
+export { ruleToElastic } from './elastic.js';
+//# sourceMappingURL=index.js.map

package/dist/converters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/converters/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAY7C;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAa,EAAE,MAAkB;IAC3D,MAAM,KAAK,GAAG,MAAM,KAAK,QAAQ;QAC/B,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC;QACjB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEjD,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,MAAM;QACN,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,MAAkB;IAClE,MAAM,KAAK,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAC/C,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}

package/dist/converters/splunk.d.ts

@@ -0,0 +1,19 @@
+/**
+ * ATR-to-Splunk SPL Converter
+ *
+ * Converts ATR YAML rules into Splunk Search Processing Language (SPL) queries
+ * that a SOC analyst can use as a starting point for threat hunting.
+ *
+ * @module agent-threat-rules/converters/splunk
+ */
+import type { ATRRule } from '../types.js';
+/**
+ * Convert an ATR rule to a Splunk SPL query string.
+ *
+ * The generated query includes:
+ * - Comment header with rule metadata
+ * - Index/sourcetype base search (generic, analyst should customize)
+ * - Condition clauses joined with appropriate logic
+ */
+export declare function ruleToSPL(rule: ATRRule): string;
+//# sourceMappingURL=splunk.d.ts.map

package/dist/converters/splunk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"splunk.d.ts","sourceRoot":"","sources":["../../src/converters/splunk.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAqB,MAAM,aAAa,CAAC;AAoD9D;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAqG/C"}

package/dist/converters/splunk.js

@@ -0,0 +1,148 @@
+/**
+ * ATR-to-Splunk SPL Converter
+ *
+ * Converts ATR YAML rules into Splunk Search Processing Language (SPL) queries
+ * that a SOC analyst can use as a starting point for threat hunting.
+ *
+ * @module agent-threat-rules/converters/splunk
+ */
+/**
+ * Escape a string for use in Splunk SPL double-quoted values.
+ */
+function escapeForSPL(value) {
+    return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+/**
+ * Convert a single ATR array condition to an SPL clause.
+ *
+ * Supports operators: regex, contains, exact, starts_with, gt, lt, gte, lte, eq
+ */
+function conditionToSPL(cond) {
+    const field = cond.field;
+    const value = cond.value;
+    switch (cond.operator) {
+        case 'regex':
+            return `| regex ${field}="${escapeForSPL(value)}"`;
+        case 'contains':
+            return `${field}="*${escapeForSPL(value)}*"`;
+        case 'exact':
+            return `${field}="${escapeForSPL(value)}"`;
+        case 'starts_with':
+            return `${field}="${escapeForSPL(value)}*"`;
+        case 'gt':
+            return `| where ${field} > ${Number(value)}`;
+        case 'lt':
+            return `| where ${field} < ${Number(value)}`;
+        case 'gte':
+            return `| where ${field} >= ${Number(value)}`;
+        case 'lte':
+            return `| where ${field} <= ${Number(value)}`;
+        case 'eq':
+            return `| where ${field} == ${Number(value)}`;
+        default:
+            // Fallback: treat unknown operators as a contains search
+            return `${field}="*${escapeForSPL(value)}*"`;
+    }
+}
+/**
+ * Convert an ATR rule to a Splunk SPL query string.
+ *
+ * The generated query includes:
+ * - Comment header with rule metadata
+ * - Index/sourcetype base search (generic, analyst should customize)
+ * - Condition clauses joined with appropriate logic
+ */
+export function ruleToSPL(rule) {
+    const conditions = rule.detection.conditions;
+    const logic = rule.detection.condition; // "any" or "all"
+    const lines = [];
+    // Comment header with rule metadata
+    lines.push(`\`\`\` ATR Rule: ${rule.id} \`\`\``);
+    lines.push(`\`\`\` Title: ${rule.title} \`\`\``);
+    lines.push(`\`\`\` Severity: ${rule.severity} | Category: ${rule.tags.category} \`\`\``);
+    lines.push(`\`\`\` Source: ${rule.agent_source.type} | Condition logic: ${logic} \`\`\``);
+    lines.push('');
+    // Base search -- analyst should adjust index and sourcetype
+    lines.push('index=ai_agent_logs sourcetype=agent_events');
+    if (!Array.isArray(conditions)) {
+        // Named-map format: not common in current rules, emit a placeholder
+        lines.push('```` Warning: Named-map conditions not fully supported. Review manually. ````');
+        return lines.join('\n');
+    }
+    const arrayConditions = conditions;
+    if (arrayConditions.length === 0) {
+        return lines.join('\n');
+    }
+    // For "any" logic with regex conditions, we can combine them using
+    // a single regex with OR (|) alternation where possible, or use
+    // multiple search branches.
+    // For clarity and analyst usability, we emit each condition separately.
+    if (logic === 'all') {
+        // AND logic: chain all conditions sequentially
+        for (const cond of arrayConditions) {
+            lines.push(conditionToSPL(cond));
+        }
+    }
+    else {
+        // OR logic ("any"): use Splunk's multisearch or OR-joined search
+        // For regex conditions, wrap in a single eval+match approach
+        // For simplicity and readability, use OR-joined subsearches
+        const regexConditions = arrayConditions.filter(c => c.operator === 'regex');
+        const otherConditions = arrayConditions.filter(c => c.operator !== 'regex');
+        if (regexConditions.length > 0 && otherConditions.length === 0) {
+            // All regex: combine with OR in eval/match
+            lines.push('| where (');
+            const regexClauses = regexConditions.map((cond, i) => {
+                const prefix = i === 0 ? '    ' : '    OR ';
+                return `${prefix}match(${cond.field}, "${escapeForSPL(cond.value)}")`;
+            });
+            lines.push(...regexClauses);
+            lines.push(')');
+        }
+        else {
+            // Mixed operators: emit each as separate OR clause
+            lines.push('| where (');
+            const clauses = [];
+            for (const cond of arrayConditions) {
+                switch (cond.operator) {
+                    case 'regex':
+                        clauses.push(`match(${cond.field}, "${escapeForSPL(cond.value)}")`);
+                        break;
+                    case 'contains':
+                        clauses.push(`like(${cond.field}, "%${escapeForSPL(cond.value)}%")`);
+                        break;
+                    case 'exact':
+                        clauses.push(`${cond.field}="${escapeForSPL(cond.value)}"`);
+                        break;
+                    case 'starts_with':
+                        clauses.push(`like(${cond.field}, "${escapeForSPL(cond.value)}%")`);
+                        break;
+                    case 'gt':
+                        clauses.push(`${cond.field} > ${Number(cond.value)}`);
+                        break;
+                    case 'lt':
+                        clauses.push(`${cond.field} < ${Number(cond.value)}`);
+                        break;
+                    case 'gte':
+                        clauses.push(`${cond.field} >= ${Number(cond.value)}`);
+                        break;
+                    case 'lte':
+                        clauses.push(`${cond.field} <= ${Number(cond.value)}`);
+                        break;
+                    case 'eq':
+                        clauses.push(`${cond.field} == ${Number(cond.value)}`);
+                        break;
+                    default:
+                        clauses.push(`like(${cond.field}, "%${escapeForSPL(cond.value)}%")`);
+                }
+            }
+            lines.push(clauses.map((c, i) => (i === 0 ? `    ${c}` : `    OR ${c}`)).join('\n'));
+            lines.push(')');
+        }
+    }
+    // Add a table output for the analyst
+    const fields = [...new Set(arrayConditions.map(c => c.field))];
+    lines.push(`| table _time ${fields.join(' ')} source`);
+    return lines.join('\n');
+}
+//# sourceMappingURL=splunk.js.map

package/dist/converters/splunk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"splunk.js","sourceRoot":"","sources":["../../src/converters/splunk.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,IAAuB;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAEzB,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtB,KAAK,OAAO;YACV,OAAO,WAAW,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC;QAErD,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;QAE/C,KAAK,OAAO;YACV,OAAO,GAAG,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC;QAE7C,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,KAAK,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;QAE9C,KAAK,IAAI;YACP,OAAO,WAAW,KAAK,MAAM,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAE/C,KAAK,IAAI;YACP,OAAO,WAAW,KAAK,MAAM,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAE/C,KAAK,KAAK;YACR,OAAO,WAAW,KAAK,OAAO,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAEhD,KAAK,KAAK;YACR,OAAO,WAAW,KAAK,OAAO,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAEhD,KAAK,IAAI;YACP,OAAO,WAAW,KAAK,OAAO,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAEhD;YACE,yDAAyD;YACzD,OAAO,GAAG,KAAK,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,IAAa;IACrC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,iBAAiB;IAEzD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,oCAAoC;IACpC,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,EAAE,SAAS,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,QAAQ,gBAAgB,IAAI,CAAC,IAAI,CAAC,QAAQ,SAAS,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,YAAY,CAAC,IAAI,uBAAuB,KAAK,SAAS,CAAC,CAAC;IAC1F,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,4DAA4D;IAC5D,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAE1D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,oEAAoE;QACpE,KAAK,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;QAC5F,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,eAAe,GAAG,UAAiC,CAAC;IAE1D,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,mEAAmE;IACnE,gEAAgE;IAChE,4BAA4B;IAC5B,wEAAwE;IAExE,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,+CAA+C;QAC/C,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,6DAA6D;QAC7D,4DAA4D;QAC5D,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;QAC5E,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;QAE5E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/D,2CAA2C;YAC3C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxB,MAAM,YAAY,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;gBACnD,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC5C,OAAO,GAAG,MAAM,SAAS,IAAI,CAAC,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YACxE,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxB,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;gBACnC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACtB,KAAK,OAAO;wBACV,OAAO,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBACpE,MAAM;oBACR,KAAK,UAAU;wBACb,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;wBACrE,MAAM;oBACR,KAAK,OAAO;wBACV,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,KAAK,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;wBAC5D,MAAM;oBACR,KAAK,aAAa;wBAChB,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;wBACpE,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,MAAM,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACtD,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,MAAM,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACtD,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACvD,MAAM;oBACR,KAAK,KAAK;wBACR,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACvD,MAAM;oBACR,KAAK,IAAI;wBACP,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;wBACvD,MAAM;oBACR;wBACE,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACrF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEvD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/embedding/build-corpus.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env npx tsx
+/**
+ * Build attack embedding corpus from ATR rule test cases.
+ *
+ * Reads all stable ATR rules, extracts true_positive test cases,
+ * encodes them through all-MiniLM-L6-v2, and saves as JSON.
+ *
+ * Usage:
+ *   npx tsx src/embedding/build-corpus.ts
+ *
+ * Output:
+ *   data/attack-embeddings.json
+ */
+export {};
+//# sourceMappingURL=build-corpus.d.ts.map

package/dist/embedding/build-corpus.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-corpus.d.ts","sourceRoot":"","sources":["../../src/embedding/build-corpus.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG"}

package/dist/embedding/build-corpus.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env npx tsx
+/**
+ * Build attack embedding corpus from ATR rule test cases.
+ *
+ * Reads all stable ATR rules, extracts true_positive test cases,
+ * encodes them through all-MiniLM-L6-v2, and saves as JSON.
+ *
+ * Usage:
+ *   npx tsx src/embedding/build-corpus.ts
+ *
+ * Output:
+ *   data/attack-embeddings.json
+ */
+import { readFileSync, writeFileSync, mkdirSync, readdirSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import * as yaml from 'js-yaml';
+const RULES_DIR = resolve(join(import.meta.dirname ?? '.', '..', '..', 'rules'));
+const OUTPUT_PATH = resolve(join(import.meta.dirname ?? '.', '..', '..', 'data', 'attack-embeddings.json'));
+async function main() {
+    console.log('Building attack embedding corpus...');
+    console.log(`Rules dir: ${RULES_DIR}`);
+    // Load model
+    console.log('Loading embedding model (first run downloads ~22MB)...');
+    const { TransformersJSModel } = await import('./model-loader.js');
+    const model = new TransformersJSModel();
+    await model.initialize();
+    console.log('Model loaded.');
+    // Collect all true_positive texts from rules
+    const attacks = [];
+    function walkDir(dir) {
+        const files = [];
+        for (const entry of readdirSync(dir, { withFileTypes: true })) {
+            const fullPath = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                files.push(...walkDir(fullPath));
+            }
+            else if (entry.name.endsWith('.yaml') || entry.name.endsWith('.yml')) {
+                files.push(fullPath);
+            }
+        }
+        return files;
+    }
+    const ruleFiles = walkDir(RULES_DIR);
+    console.log(`Found ${ruleFiles.length} rule files.`);
+    for (const file of ruleFiles) {
+        try {
+            const content = readFileSync(file, 'utf-8');
+            const rule = yaml.load(content);
+            if (!rule?.id || !rule?.test_cases?.true_positives)
+                continue;
+            for (const tp of rule.test_cases.true_positives) {
+                const text = tp.input ?? tp.content ?? tp.user_input ?? tp.tool_response ?? tp.tool_description ?? tp.tool_args;
+                if (!text || text.length < 10)
+                    continue;
+                attacks.push({
+                    id: rule.id,
+                    text: text.slice(0, 512),
+                    category: rule.tags?.category ?? 'unknown',
+                    severity: rule.severity ?? 'medium',
+                    ruleTitle: rule.title ?? rule.id,
+                });
+            }
+        }
+        catch {
+            // Skip unparseable rules
+        }
+    }
+    console.log(`Extracted ${attacks.length} attack payloads from ${ruleFiles.length} rules.`);
+    // Deduplicate by text
+    const seen = new Set();
+    const unique = attacks.filter((a) => {
+        if (seen.has(a.text))
+            return false;
+        seen.add(a.text);
+        return true;
+    });
+    console.log(`Unique payloads: ${unique.length}`);
+    // Encode all payloads
+    console.log('Encoding payloads...');
+    const output = [];
+    for (let i = 0; i < unique.length; i++) {
+        const a = unique[i];
+        process.stdout.write(`\r  [${i + 1}/${unique.length}] ${a.id}`);
+        const vec = await model.encode(a.text);
+        output.push({
+            id: `${a.id}-tp${i}`,
+            text: a.text,
+            vector: Array.from(vec),
+            label: `${a.ruleTitle}: ${a.text.slice(0, 80)}`,
+            category: a.category,
+            severity: a.severity,
+        });
+    }
+    console.log('\n');
+    // Save
+    mkdirSync(join(OUTPUT_PATH, '..'), { recursive: true });
+    writeFileSync(OUTPUT_PATH, JSON.stringify(output, null, 2));
+    console.log(`Saved ${output.length} embeddings to ${OUTPUT_PATH}`);
+    console.log(`File size: ${(readFileSync(OUTPUT_PATH).length / 1024).toFixed(0)} KB`);
+}
+main().catch((err) => {
+    console.error('Fatal:', err);
+    process.exit(1);
+});
+//# sourceMappingURL=build-corpus.js.map

package/dist/embedding/build-corpus.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-corpus.js","sourceRoot":"","sources":["../../src/embedding/build-corpus.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAc,MAAM,SAAS,CAAC;AAC1F,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAEhC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;AACjF,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC,CAAC;AAuB5G,KAAK,UAAU,IAAI;IACjB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;IAEvC,aAAa;IACb,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;IACtE,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAClE,MAAM,KAAK,GAAG,IAAI,mBAAmB,EAAE,CAAC;IACxC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAE7B,6CAA6C;IAC7C,MAAM,OAAO,GAA+F,EAAE,CAAC;IAE/G,SAAS,OAAO,CAAC,GAAW;QAC1B,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YACnC,CAAC;iBAAM,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,SAAS,SAAS,CAAC,MAAM,cAAc,CAAC,CAAC;IAErD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAgB,CAAC;YAC/C,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,cAAc;gBAAE,SAAS;YAE7D,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;gBAChD,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,gBAAgB,IAAI,EAAE,CAAC,SAAS,CAAC;gBAChH,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE;oBAAE,SAAS;gBAExC,OAAO,CAAC,IAAI,CAAC;oBACX,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACxB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,IAAI,SAAS;oBAC1C,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,QAAQ;oBACnC,SAAS,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,EAAE;iBACjC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yBAAyB;QAC3B,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,MAAM,yBAAyB,SAAS,CAAC,MAAM,SAAS,CAAC,CAAC;IAE3F,sBAAsB;IACtB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAEjD,sBAAsB;IACtB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,MAAM,MAAM,GAOP,EAAE,CAAC;IAER,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;QACrB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,KAAK,EAAE,GAAG,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;YAC/C,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAElB,OAAO;IACP,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,MAAM,kBAAkB,WAAW,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;AACvF,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/embedding/model-loader.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Embedding model loader.
+ *
+ * Lazy-loads all-MiniLM-L6-v2 via @xenova/transformers (optional dep).
+ * Model is ~22MB, cached to disk after first download.
+ * Runs in pure JS/WASM -- no native bindings needed.
+ *
+ * @module agent-threat-rules/embedding/model-loader
+ */
+export interface EmbeddingModel {
+    /** Encode text to embedding vector */
+    encode(text: string): Promise<Float32Array>;
+    /** Encode multiple texts (batched) */
+    encodeBatch(texts: readonly string[]): Promise<Float32Array[]>;
+    /** Initialize / load the model */
+    initialize(): Promise<void>;
+    /** Model output dimension */
+    readonly dimension: number;
+    /** Whether model is loaded */
+    readonly isLoaded: boolean;
+}
+export declare class TransformersJSModel implements EmbeddingModel {
+    readonly dimension = 384;
+    private pipeline;
+    get isLoaded(): boolean;
+    /** Lazy-load the model on first use */
+    initialize(): Promise<void>;
+    encode(text: string): Promise<Float32Array>;
+    encodeBatch(texts: readonly string[]): Promise<Float32Array[]>;
+}
+/** Create a no-op model for testing */
+export declare class MockEmbeddingModel implements EmbeddingModel {
+    readonly dimension = 384;
+    readonly isLoaded = true;
+    private readonly mockVectors;
+    constructor(mockVectors?: Map<string, Float32Array>);
+    initialize(): Promise<void>;
+    encode(text: string): Promise<Float32Array>;
+    encodeBatch(texts: readonly string[]): Promise<Float32Array[]>;
+}
+//# sourceMappingURL=model-loader.d.ts.map

package/dist/embedding/model-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-loader.d.ts","sourceRoot":"","sources":["../../src/embedding/model-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,cAAc;IAC7B,sCAAsC;IACtC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAC5C,sCAAsC;IACtC,WAAW,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAC/D,kCAAkC;IAClC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5B,6BAA6B;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B;AAKD,qBAAa,mBAAoB,YAAW,cAAc;IACxD,QAAQ,CAAC,SAAS,OAAa;IAC/B,OAAO,CAAC,QAAQ,CAAiB;IAEjC,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED,uCAAuC;IACjC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB3B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAQ3C,WAAW,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;CAYrE;AAED,uCAAuC;AACvC,qBAAa,kBAAmB,YAAW,cAAc;IACvD,QAAQ,CAAC,SAAS,OAAa;IAC/B,QAAQ,CAAC,QAAQ,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;gBAE5C,WAAW,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC;IAI7C,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAI3B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgB3C,WAAW,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;CAGrE"}

package/dist/embedding/model-loader.js

@@ -0,0 +1,90 @@
+/**
+ * Embedding model loader.
+ *
+ * Lazy-loads all-MiniLM-L6-v2 via @xenova/transformers (optional dep).
+ * Model is ~22MB, cached to disk after first download.
+ * Runs in pure JS/WASM -- no native bindings needed.
+ *
+ * @module agent-threat-rules/embedding/model-loader
+ */
+const MODEL_NAME = 'Xenova/all-MiniLM-L6-v2';
+const DIMENSION = 384;
+export class TransformersJSModel {
+    dimension = DIMENSION;
+    pipeline = null;
+    get isLoaded() {
+        return this.pipeline !== null;
+    }
+    /** Lazy-load the model on first use */
+    async initialize() {
+        if (this.pipeline)
+            return;
+        try {
+            // Dynamic import to keep @xenova/transformers optional
+            const { pipeline } = await import('@xenova/transformers');
+            this.pipeline = (await pipeline('feature-extraction', MODEL_NAME, {
+                quantized: true,
+            }));
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('Cannot find module') || msg.includes('MODULE_NOT_FOUND')) {
+                throw new Error('Embedding model requires @xenova/transformers. Install: npm install @xenova/transformers');
+            }
+            throw new Error(`Failed to load embedding model: ${msg}`);
+        }
+    }
+    async encode(text) {
+        if (!this.pipeline)
+            await this.initialize();
+        const pipelineFn = this.pipeline;
+        const output = await pipelineFn([text], { pooling: 'mean', normalize: true });
+        return new Float32Array(output.data.slice(0, DIMENSION));
+    }
+    async encodeBatch(texts) {
+        if (!this.pipeline)
+            await this.initialize();
+        const pipelineFn = this.pipeline;
+        const results = [];
+        // Process one at a time to control memory
+        for (const text of texts) {
+            const output = await pipelineFn([text], { pooling: 'mean', normalize: true });
+            results.push(new Float32Array(output.data.slice(0, DIMENSION)));
+        }
+        return results;
+    }
+}
+/** Create a no-op model for testing */
+export class MockEmbeddingModel {
+    dimension = DIMENSION;
+    isLoaded = true;
+    mockVectors;
+    constructor(mockVectors) {
+        this.mockVectors = mockVectors ?? new Map();
+    }
+    async initialize() {
+        // No-op for mock
+    }
+    async encode(text) {
+        const existing = this.mockVectors.get(text);
+        if (existing)
+            return existing;
+        // Generate deterministic vector from text hash
+        const vec = new Float32Array(DIMENSION);
+        for (let i = 0; i < DIMENSION; i++) {
+            vec[i] = Math.sin(text.charCodeAt(i % text.length) * (i + 1) * 0.01);
+        }
+        // Normalize
+        let mag = 0;
+        for (let i = 0; i < DIMENSION; i++)
+            mag += vec[i] * vec[i];
+        mag = Math.sqrt(mag);
+        for (let i = 0; i < DIMENSION; i++)
+            vec[i] /= mag;
+        return vec;
+    }
+    async encodeBatch(texts) {
+        return Promise.all(texts.map((t) => this.encode(t)));
+    }
+}
+//# sourceMappingURL=model-loader.js.map