agentmb 0.1.0

package/dist/daemon/session.d.ts

@@ -0,0 +1,52 @@
+import { BrowserContext, Page } from 'playwright-core';
+/** Resolve raw env-var string to a 32-byte Buffer, or throw on bad length. */
+export declare function resolveEncryptionKey(raw: string): Buffer;
+export interface SessionInfo {
+    id: string;
+    profile: string;
+    headless: boolean;
+    createdAt: string;
+    agentId?: string;
+    /** 'live' = browser running; 'zombie' = metadata only (browser not started) */
+    state: 'live' | 'zombie';
+}
+export interface LiveSession extends SessionInfo {
+    context: BrowserContext | null;
+    page: Page | null;
+}
+export declare class SessionRegistry {
+    private sessions;
+    private stateFile;
+    private encryptionKey?;
+    constructor(dataDir: string, encryptionKeyStr?: string);
+    /** Load persisted session metadata from previous daemon run. */
+    loadPersistedSessions(): void;
+    private persist;
+    create(opts: {
+        profile?: string;
+        headless?: boolean;
+        agentId?: string;
+    }): string;
+    attach(id: string, context: BrowserContext, page: Page): void;
+    get(id: string): LiveSession | undefined;
+    getOrThrow(id: string): LiveSession;
+    /** Get a live (browser-running) session or return an error discriminant. */
+    getLive(id: string): (LiveSession & {
+        context: BrowserContext;
+        page: Page;
+    }) | {
+        notFound: true;
+    } | {
+        zombie: true;
+        info: SessionInfo;
+    };
+    list(): SessionInfo[];
+    count(): number;
+    /** Update the headless flag in memory and persist to disk (called after mode switch). */
+    updateHeadless(id: string, headless: boolean): void;
+    close(id: string): Promise<void>;
+    /** On daemon shutdown: persist zombie metadata to disk, then close all contexts. */
+    shutdownAll(): Promise<void>;
+    closeAll(): Promise<void>;
+}
+//# sourceMappingURL=session.d.ts.map

package/dist/daemon/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/daemon/session.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AActD,8EAA8E;AAC9E,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CASxD;AAgCD,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,OAAO,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,+EAA+E;IAC/E,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAA;CACzB;AAED,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,OAAO,EAAE,cAAc,GAAG,IAAI,CAAA;IAC9B,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;CAClB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,SAAS,CAAQ;IACzB,OAAO,CAAC,aAAa,CAAC,CAAQ;gBAElB,OAAO,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM;IAQtD,gEAAgE;IAChE,qBAAqB,IAAI,IAAI;IAgC7B,OAAO,CAAC,OAAO;IAcf,MAAM,CAAC,IAAI,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,MAAM;IAehF,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,GAAG,IAAI;IAO7D,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAIxC,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,WAAW;IAMnC,4EAA4E;IAC5E,OAAO,CAAC,EAAE,EAAE,MAAM,GACd,CAAC,WAAW,GAAG;QAAE,OAAO,EAAE,cAAc,CAAC;QAAC,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,GACvD;QAAE,QAAQ,EAAE,IAAI,CAAA;KAAE,GAClB;QAAE,MAAM,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE;IAOvC,IAAI,IAAI,WAAW,EAAE;IAIrB,KAAK,IAAI,MAAM;IAIf,yFAAyF;IACzF,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,IAAI;IAO7C,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUtC,oFAAoF;IAC9E,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAiB5B,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAGhC"}

package/dist/daemon/session.js

@@ -0,0 +1,191 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionRegistry = void 0;
+exports.resolveEncryptionKey = resolveEncryptionKey;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const crypto_1 = __importDefault(require("crypto"));
+/** Resolve raw env-var string to a 32-byte Buffer, or throw on bad length. */
+function resolveEncryptionKey(raw) {
+    // Prefer base64 (44 chars for 32 bytes); fall back to hex (64 chars)
+    const b64 = Buffer.from(raw, 'base64');
+    if (b64.length === 32)
+        return b64;
+    const hex = Buffer.from(raw, 'hex');
+    if (hex.length === 32)
+        return hex;
+    throw new Error('AGENTMB_ENCRYPTION_KEY must be exactly 32 bytes — provide as base64 (44 chars) or hex (64 chars)');
+}
+function encryptSessions(data, key) {
+    const iv = crypto_1.default.randomBytes(12);
+    const cipher = crypto_1.default.createCipheriv('aes-256-gcm', key, iv);
+    const plaintext = JSON.stringify(data);
+    const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const envelope = {
+        v: 1,
+        alg: 'aes-256-gcm',
+        iv: iv.toString('hex'),
+        tag: cipher.getAuthTag().toString('hex'),
+        ct: ct.toString('hex'),
+    };
+    return JSON.stringify(envelope);
+}
+function decryptSessions(raw, key) {
+    const env = JSON.parse(raw);
+    const decipher = crypto_1.default.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'hex'));
+    decipher.setAuthTag(Buffer.from(env.tag, 'hex'));
+    const pt = Buffer.concat([
+        decipher.update(Buffer.from(env.ct, 'hex')),
+        decipher.final(),
+    ]).toString('utf8');
+    return JSON.parse(pt);
+}
+class SessionRegistry {
+    sessions = new Map();
+    stateFile;
+    encryptionKey;
+    constructor(dataDir, encryptionKeyStr) {
+        this.stateFile = path_1.default.join(dataDir, 'sessions.json');
+        fs_1.default.mkdirSync(dataDir, { recursive: true });
+        if (encryptionKeyStr) {
+            this.encryptionKey = resolveEncryptionKey(encryptionKeyStr);
+        }
+    }
+    /** Load persisted session metadata from previous daemon run. */
+    loadPersistedSessions() {
+        if (!fs_1.default.existsSync(this.stateFile))
+            return;
+        try {
+            const raw = fs_1.default.readFileSync(this.stateFile, 'utf8');
+            let data;
+            const parsed = JSON.parse(raw);
+            if (Array.isArray(parsed)) {
+                // Plain JSON (no encryption configured, or pre-encryption file)
+                data = parsed;
+            }
+            else if (parsed.v === 1 && parsed.ct) {
+                // Encrypted envelope
+                if (!this.encryptionKey) {
+                    process.stderr.write('[agentmb] sessions.json is encrypted but AGENTMB_ENCRYPTION_KEY is not set — skipping session load\n');
+                    return;
+                }
+                data = decryptSessions(raw, this.encryptionKey);
+            }
+            else {
+                return; // unknown format, start fresh
+            }
+            for (const info of data) {
+                // Register as zombie — profile is on disk, browser not running
+                this.sessions.set(info.id, { ...info, state: 'zombie', context: null, page: null });
+            }
+        }
+        catch {
+            // Corrupt or tampered state file — ignore, start fresh
+        }
+    }
+    persist() {
+        const infos = Array.from(this.sessions.values()).map(({ context: _c, page: _p, ...info }) => info);
+        try {
+            const content = this.encryptionKey
+                ? encryptSessions(infos, this.encryptionKey)
+                : JSON.stringify(infos, null, 2);
+            fs_1.default.writeFileSync(this.stateFile, content);
+        }
+        catch {
+            // non-critical
+        }
+    }
+    create(opts) {
+        const id = 'sess_' + crypto_1.default.randomBytes(6).toString('hex');
+        const info = {
+            id,
+            profile: opts.profile ?? 'default',
+            headless: opts.headless ?? true,
+            createdAt: new Date().toISOString(),
+            agentId: opts.agentId,
+            state: 'zombie', // becomes 'live' after attach()
+        };
+        this.sessions.set(id, { ...info, context: null, page: null });
+        this.persist();
+        return id;
+    }
+    attach(id, context, page) {
+        const existing = this.sessions.get(id);
+        if (!existing)
+            throw new Error(`Session ${id} not found`);
+        this.sessions.set(id, { ...existing, state: 'live', context, page });
+        this.persist();
+    }
+    get(id) {
+        return this.sessions.get(id);
+    }
+    getOrThrow(id) {
+        const s = this.sessions.get(id);
+        if (!s)
+            throw new Error(`Session not found: ${id}`);
+        return s;
+    }
+    /** Get a live (browser-running) session or return an error discriminant. */
+    getLive(id) {
+        const s = this.sessions.get(id);
+        if (!s)
+            return { notFound: true };
+        if (s.state !== 'live' || !s.page || !s.context)
+            return { zombie: true, info: s };
+        return s;
+    }
+    list() {
+        return Array.from(this.sessions.values()).map(({ context: _c, page: _p, ...info }) => info);
+    }
+    count() {
+        return Array.from(this.sessions.values()).filter((s) => s.state === 'live').length;
+    }
+    /** Update the headless flag in memory and persist to disk (called after mode switch). */
+    updateHeadless(id, headless) {
+        const s = this.sessions.get(id);
+        if (!s)
+            return;
+        s.headless = headless;
+        this.persist();
+    }
+    async close(id) {
+        const s = this.sessions.get(id);
+        if (!s)
+            return;
+        if (s.context) {
+            try {
+                await s.context.close();
+            }
+            catch { /* ignore */ }
+        }
+        this.sessions.delete(id);
+        this.persist();
+    }
+    /** On daemon shutdown: persist zombie metadata to disk, then close all contexts. */
+    async shutdownAll() {
+        // 1. Mark all live sessions as zombie and persist to disk (so they survive restart)
+        for (const [, s] of this.sessions) {
+            if (s.state === 'live')
+                s.state = 'zombie';
+        }
+        this.persist();
+        // 2. Close all browser contexts
+        await Promise.all(Array.from(this.sessions.values()).map(async (s) => {
+            if (s.context) {
+                try {
+                    await s.context.close();
+                }
+                catch { /* ignore */ }
+            }
+        }));
+        this.sessions.clear();
+    }
+    async closeAll() {
+        await Promise.all(Array.from(this.sessions.keys()).map((id) => this.close(id)));
+    }
+}
+exports.SessionRegistry = SessionRegistry;
+//# sourceMappingURL=session.js.map

package/dist/daemon/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/daemon/session.ts"],"names":[],"mappings":";;;;;;AAkBA,oDASC;AA3BD,4CAAmB;AACnB,gDAAuB;AACvB,oDAA2B;AAe3B,8EAA8E;AAC9E,SAAgB,oBAAoB,CAAC,GAAW;IAC9C,qEAAqE;IACrE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,GAAG,CAAA;IACjC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACnC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,GAAG,CAAA;IACjC,MAAM,IAAI,KAAK,CACb,kGAAkG,CACnG,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,IAAmB,EAAE,GAAW;IACvD,MAAM,EAAE,GAAG,gBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAA;IACjC,MAAM,MAAM,GAAG,gBAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;IACtC,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;IAC5E,MAAM,QAAQ,GAAsB;QAClC,CAAC,EAAE,CAAC;QACJ,GAAG,EAAE,aAAa;QAClB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACxC,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;KACvB,CAAA;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;AACjC,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,GAAW;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAA;IAChD,MAAM,QAAQ,GAAG,gBAAM,CAAC,gBAAgB,CACtC,aAAa,EACb,GAAG,EACH,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAC3B,CAAA;IACD,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;IAChD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC;QACvB,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC3C,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IACnB,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAkB,CAAA;AACxC,CAAC;AAiBD,MAAa,eAAe;IAClB,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAA;IACzC,SAAS,CAAQ;IACjB,aAAa,CAAS;IAE9B,YAAY,OAAe,EAAE,gBAAyB;QACpD,IAAI,CAAC,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;QACpD,YAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QAC1C,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,aAAa,GAAG,oBAAoB,CAAC,gBAAgB,CAAC,CAAA;QAC7D,CAAC;IACH,CAAC;IAED,gEAAgE;IAChE,qBAAqB;QACnB,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAM;QAC1C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAE,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;YACnD,IAAI,IAAmB,CAAA;YAEvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,gEAAgE;gBAChE,IAAI,GAAG,MAAM,CAAA;YACf,CAAC;iBAAM,IAAI,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;gBACvC,qBAAqB;gBACrB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;oBACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sGAAsG,CACvG,CAAA;oBACD,OAAM;gBACR,CAAC;gBACD,IAAI,GAAG,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,CAAA;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAM,CAAC,8BAA8B;YACvC,CAAC;YAED,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;gBACxB,+DAA+D;gBAC/D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;YACrF,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uDAAuD;QACzD,CAAC;IACH,CAAC;IAEO,OAAO;QACb,MAAM,KAAK,GAAkB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CACjE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAC7C,CAAA;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa;gBAChC,CAAC,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC;gBAC5C,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;YAClC,YAAE,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAgE;QACrE,MAAM,EAAE,GAAG,OAAO,GAAG,gBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QAC1D,MAAM,IAAI,GAAgB;YACxB,EAAE;YACF,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,SAAS;YAClC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,QAAQ,EAAE,gCAAgC;SAClD,CAAA;QACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;QAC7D,IAAI,CAAC,OAAO,EAAE,CAAA;QACd,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,CAAC,EAAU,EAAE,OAAuB,EAAE,IAAU;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACtC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;QACzD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,GAAG,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAA;QACpE,IAAI,CAAC,OAAO,EAAE,CAAA;IAChB,CAAC;IAED,GAAG,CAAC,EAAU;QACZ,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAC9B,CAAC;IAED,UAAU,CAAC,EAAU;QACnB,MAAM,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC/B,IAAI,CAAC,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,EAAE,EAAE,CAAC,CAAA;QACnD,OAAO,CAAC,CAAA;IACV,CAAC;IAED,4EAA4E;IAC5E,OAAO,CAAC,EAAU;QAIhB,MAAM,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC/B,IAAI,CAAC,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAA;QACjC,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO;YAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAA;QACjF,OAAO,CAA0D,CAAA;IACnE,CAAC;IAED,IAAI;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;IAC7F,CAAC;IAED,KAAK;QACH,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC,MAAM,CAAA;IACpF,CAAC;IAED,yFAAyF;IACzF,cAAc,CAAC,EAAU,EAAE,QAAiB;QAC1C,MAAM,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC/B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,CAAC,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACrB,IAAI,CAAC,OAAO,EAAE,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,EAAU;QACpB,MAAM,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC/B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACd,IAAI,CAAC;gBAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,CAAA;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QACxB,IAAI,CAAC,OAAO,EAAE,CAAA;IAChB,CAAC;IAED,oFAAoF;IACpF,KAAK,CAAC,WAAW;QACf,oFAAoF;QACpF,KAAK,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM;gBAAE,CAAC,CAAC,KAAK,GAAG,QAAQ,CAAA;QAC5C,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAA;QACd,gCAAgC;QAChC,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;YACjD,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBACd,IAAI,CAAC;oBAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,CAAA;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACxD,CAAC;QACH,CAAC,CAAC,CACH,CAAA;QACD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAA;IACvB,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,MAAM,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IACjF,CAAC;CACF;AAtJD,0CAsJC"}

package/dist/daemon/types.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Fastify instance type augmentation (T11: auditLogger type safety)
+ *
+ * Adds typed `auditLogger` and `browserManager` properties to FastifyInstance
+ * so route handlers can access them without `(server as any)` casts.
+ */
+import type { AuditLogger } from '../audit/logger';
+import type { BrowserManager } from '../browser/manager';
+import type { PolicyEngine } from '../policy/engine';
+declare module 'fastify' {
+    interface FastifyInstance {
+        auditLogger: AuditLogger | undefined;
+        browserManager: BrowserManager | undefined;
+        policyEngine: PolicyEngine | undefined;
+    }
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/daemon/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/daemon/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAEpD,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;QACpC,cAAc,EAAE,cAAc,GAAG,SAAS,CAAA;QAC1C,YAAY,EAAE,YAAY,GAAG,SAAS,CAAA;KACvC;CACF"}

package/dist/daemon/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/daemon/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/daemon/types.ts"],"names":[],"mappings":""}

package/dist/policy/engine.d.ts

@@ -0,0 +1,43 @@
+import type { AuditLogger } from '../audit/logger';
+import { PolicyConfig, PolicyProfileName, PolicyCheckResult } from './types';
+export declare function extractDomain(url: string): string;
+export declare class PolicyEngine {
+    /** Base policy config (from daemon startup profile) */
+    private baseConfig;
+    /** Per-session policy overrides (set by POST /sessions/:id/policy) */
+    private sessionOverrides;
+    /** Timestamp of last completed action per domain-session */
+    private lastActionTs;
+    /** Rolling window of action timestamps (60s) per domain-session */
+    private actionWindow;
+    /** Retry count per domain-session */
+    private retryCount;
+    /** Cooldown-ends-at timestamp per domain-session */
+    private cooldownUntil;
+    /** TTL for idle domain state entries (30 minutes) */
+    private static readonly DOMAIN_TTL_MS;
+    /** Minimum interval between cleanup passes (5 minutes) */
+    private static readonly CLEANUP_INTERVAL_MS;
+    /** Timestamp of last domain-state cleanup pass */
+    private lastCleanupTs;
+    constructor(profileName?: PolicyProfileName);
+    /**
+     * Lazily prune per-domain state entries that have been idle longer than
+     * DOMAIN_TTL_MS. Called from checkAndWait() at most once per
+     * CLEANUP_INTERVAL_MS to avoid O(n) work on every action.
+     */
+    private maybeCleanupStaleDomains;
+    setSessionPolicy(sessionId: string, profileName: PolicyProfileName, overrides?: Partial<PolicyConfig>): void;
+    getSessionPolicy(sessionId: string): PolicyConfig;
+    clearSession(sessionId: string): void;
+    checkAndWait(params: {
+        sessionId: string;
+        domain: string;
+        action: string;
+        sensitive?: boolean;
+        retry?: boolean;
+        auditLogger?: AuditLogger;
+    }): Promise<PolicyCheckResult>;
+    recordError(sessionId: string, domain: string, auditLogger?: AuditLogger): void;
+}
+//# sourceMappingURL=engine.d.ts.map

package/dist/policy/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/policy/engine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAClD,OAAO,EACL,YAAY,EACZ,iBAAiB,EAEjB,iBAAiB,EAElB,MAAM,SAAS,CAAA;AAahB,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAOjD;AAED,qBAAa,YAAY;IACvB,uDAAuD;IACvD,OAAO,CAAC,UAAU,CAAc;IAEhC,sEAAsE;IACtE,OAAO,CAAC,gBAAgB,CAAkC;IAI1D,4DAA4D;IAC5D,OAAO,CAAC,YAAY,CAA+B;IAEnD,mEAAmE;IACnE,OAAO,CAAC,YAAY,CAAiC;IAErD,qCAAqC;IACrC,OAAO,CAAC,UAAU,CAA+B;IAEjD,oDAAoD;IACpD,OAAO,CAAC,aAAa,CAA+B;IAEpD,qDAAqD;IACrD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAc;IAEnD,0DAA0D;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAa;IAExD,kDAAkD;IAClD,OAAO,CAAC,aAAa,CAAI;gBAEb,WAAW,GAAE,iBAA0B;IAInD;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IAkBhC,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,iBAAiB,EAAE,SAAS,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,GAAG,IAAI;IAK5G,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,YAAY;IAIjD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAgB/B,YAAY,CAAC,MAAM,EAAE;QACzB,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,CAAC,EAAE,OAAO,CAAA;QACnB,KAAK,CAAC,EAAE,OAAO,CAAA;QACf,WAAW,CAAC,EAAE,WAAW,CAAA;KAC1B,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA0I9B,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,WAAW,GAAG,IAAI;CAehF"}

package/dist/policy/engine.js

@@ -0,0 +1,234 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyEngine = void 0;
+exports.extractDomain = extractDomain;
+const crypto_1 = __importDefault(require("crypto"));
+const types_1 = require("./types");
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function actionId() {
+    return 'act_' + crypto_1.default.randomBytes(6).toString('hex');
+}
+function extractDomain(url) {
+    try {
+        return new URL(url).hostname || url;
+    }
+    catch {
+        // data: URIs or relative paths — use as-is, truncated
+        return url.slice(0, 64);
+    }
+}
+class PolicyEngine {
+    /** Base policy config (from daemon startup profile) */
+    baseConfig;
+    /** Per-session policy overrides (set by POST /sessions/:id/policy) */
+    sessionOverrides = new Map();
+    // -- Per-domain, per-session tracking --
+    /** Timestamp of last completed action per domain-session */
+    lastActionTs = new Map();
+    /** Rolling window of action timestamps (60s) per domain-session */
+    actionWindow = new Map();
+    /** Retry count per domain-session */
+    retryCount = new Map();
+    /** Cooldown-ends-at timestamp per domain-session */
+    cooldownUntil = new Map();
+    /** TTL for idle domain state entries (30 minutes) */
+    static DOMAIN_TTL_MS = 30 * 60_000;
+    /** Minimum interval between cleanup passes (5 minutes) */
+    static CLEANUP_INTERVAL_MS = 5 * 60_000;
+    /** Timestamp of last domain-state cleanup pass */
+    lastCleanupTs = 0;
+    constructor(profileName = 'safe') {
+        this.baseConfig = types_1.POLICY_PROFILES[profileName] ?? types_1.POLICY_PROFILES.safe;
+    }
+    /**
+     * Lazily prune per-domain state entries that have been idle longer than
+     * DOMAIN_TTL_MS. Called from checkAndWait() at most once per
+     * CLEANUP_INTERVAL_MS to avoid O(n) work on every action.
+     */
+    maybeCleanupStaleDomains() {
+        const now = Date.now();
+        if (now - this.lastCleanupTs < PolicyEngine.CLEANUP_INTERVAL_MS)
+            return;
+        this.lastCleanupTs = now;
+        for (const [key, ts] of this.lastActionTs) {
+            if (now - ts > PolicyEngine.DOMAIN_TTL_MS) {
+                this.lastActionTs.delete(key);
+                this.actionWindow.delete(key);
+                this.retryCount.delete(key);
+                this.cooldownUntil.delete(key);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Per-session policy management
+    // ---------------------------------------------------------------------------
+    setSessionPolicy(sessionId, profileName, overrides) {
+        const base = types_1.POLICY_PROFILES[profileName] ?? types_1.POLICY_PROFILES.safe;
+        this.sessionOverrides.set(sessionId, { ...base, ...overrides });
+    }
+    getSessionPolicy(sessionId) {
+        return this.sessionOverrides.get(sessionId) ?? this.baseConfig;
+    }
+    clearSession(sessionId) {
+        this.sessionOverrides.delete(sessionId);
+        for (const key of [...this.lastActionTs.keys()]) {
+            if (key.startsWith(`${sessionId}|`)) {
+                this.lastActionTs.delete(key);
+                this.actionWindow.delete(key);
+                this.retryCount.delete(key);
+                this.cooldownUntil.delete(key);
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Core check: throttle + cooldown + bulk rate-limit + jitter + guardrails
+    // ---------------------------------------------------------------------------
+    async checkAndWait(params) {
+        const { sessionId, domain, action, sensitive = false, retry = false, auditLogger } = params;
+        const cfg = this.getSessionPolicy(sessionId);
+        const key = `${sessionId}|${domain}`;
+        let waitedMs = 0;
+        // Profile 'disabled' — fast path, no checks
+        if (cfg.profile === 'disabled') {
+            return { allowed: true, waitedMs: 0 };
+        }
+        // Lazy domain-state TTL cleanup (runs at most every 5 min)
+        this.maybeCleanupStaleDomains();
+        const aId = actionId();
+        // -- Sensitive action guardrail --
+        if (sensitive && !cfg.allowSensitiveActions) {
+            auditLogger?.write({
+                session_id: sessionId,
+                action_id: aId,
+                type: 'policy',
+                action: 'deny',
+                params: { domain, action, reason: 'sensitive_action_blocked' },
+                result: { policy_event: 'deny', profile: cfg.profile },
+            });
+            return {
+                allowed: false,
+                reason: `Sensitive action blocked by '${cfg.profile}' policy. Enable via POST /api/v1/sessions/:id/policy with {"allow_sensitive_actions":true}.`,
+                policyEvent: 'deny',
+                waitedMs: 0,
+            };
+        }
+        // -- Retry budget check --
+        if (retry) {
+            const used = this.retryCount.get(key) ?? 0;
+            if (used >= cfg.maxRetriesPerDomain) {
+                auditLogger?.write({
+                    session_id: sessionId,
+                    action_id: aId,
+                    type: 'policy',
+                    action: 'deny',
+                    params: { domain, action, reason: 'retry_budget_exhausted', used, max: cfg.maxRetriesPerDomain },
+                    result: { policy_event: 'deny', profile: cfg.profile },
+                });
+                return {
+                    allowed: false,
+                    reason: `Retry budget exhausted for domain '${domain}' (${used}/${cfg.maxRetriesPerDomain} retries used).`,
+                    policyEvent: 'deny',
+                    waitedMs: 0,
+                };
+            }
+            this.retryCount.set(key, used + 1);
+            auditLogger?.write({
+                session_id: sessionId,
+                action_id: aId,
+                type: 'policy',
+                action: 'retry',
+                params: { domain, action, retry_count: used + 1, max: cfg.maxRetriesPerDomain },
+                result: { policy_event: 'retry', profile: cfg.profile },
+            });
+        }
+        // -- Cooldown check --
+        const cooldownEnd = this.cooldownUntil.get(key) ?? 0;
+        const now = Date.now();
+        if (now < cooldownEnd) {
+            const waitMs = cooldownEnd - now;
+            auditLogger?.write({
+                session_id: sessionId,
+                action_id: aId,
+                type: 'policy',
+                action: 'cooldown',
+                params: { domain, action, wait_ms: waitMs },
+                result: { policy_event: 'cooldown', profile: cfg.profile },
+            });
+            await sleep(waitMs);
+            waitedMs += waitMs;
+        }
+        // -- Bulk rate-limit (rolling 60s window) --
+        const now2 = Date.now();
+        const recent = (this.actionWindow.get(key) ?? []).filter((t) => now2 - t < 60_000);
+        if (recent.length >= cfg.maxActionsPerMinute) {
+            const oldestInWindow = recent[0];
+            const waitMs = 60_000 - (now2 - oldestInWindow) + 100;
+            auditLogger?.write({
+                session_id: sessionId,
+                action_id: aId,
+                type: 'policy',
+                action: 'throttle',
+                params: { domain, action, reason: 'bulk_rate_limit', wait_ms: waitMs, actions_in_window: recent.length },
+                result: { policy_event: 'throttle', profile: cfg.profile },
+            });
+            await sleep(waitMs);
+            waitedMs += waitMs;
+        }
+        // -- Domain min-interval throttle --
+        const now3 = Date.now();
+        const lastT = this.lastActionTs.get(key) ?? 0;
+        const elapsed = now3 - lastT;
+        if (elapsed < cfg.domainMinIntervalMs) {
+            const waitMs = cfg.domainMinIntervalMs - elapsed;
+            auditLogger?.write({
+                session_id: sessionId,
+                action_id: aId,
+                type: 'policy',
+                action: 'throttle',
+                params: { domain, action, reason: 'min_interval', wait_ms: waitMs, elapsed_ms: elapsed },
+                result: { policy_event: 'throttle', profile: cfg.profile },
+            });
+            await sleep(waitMs);
+            waitedMs += waitMs;
+        }
+        // -- Jitter --
+        const [jMin, jMax] = cfg.jitterMs;
+        const jitter = jMax > jMin ? Math.round(jMin + Math.random() * (jMax - jMin)) : jMin;
+        if (jitter > 0) {
+            await sleep(jitter);
+            waitedMs += jitter;
+        }
+        // -- Update tracking state --
+        const now4 = Date.now();
+        this.lastActionTs.set(key, now4);
+        const updatedWindow = [...recent.filter((t) => now4 - t < 60_000), now4];
+        this.actionWindow.set(key, updatedWindow);
+        return { allowed: true, waitedMs, policyEvent: waitedMs > 0 ? 'throttle' : undefined };
+    }
+    // ---------------------------------------------------------------------------
+    // Error / cooldown recording (call after an action receives a rate-limit error)
+    // ---------------------------------------------------------------------------
+    recordError(sessionId, domain, auditLogger) {
+        const cfg = this.getSessionPolicy(sessionId);
+        if (cfg.cooldownAfterErrorMs <= 0)
+            return;
+        const key = `${sessionId}|${domain}`;
+        const until = Date.now() + cfg.cooldownAfterErrorMs;
+        this.cooldownUntil.set(key, until);
+        auditLogger?.write({
+            session_id: sessionId,
+            action_id: actionId(),
+            type: 'policy',
+            action: 'cooldown',
+            params: { domain, reason: 'error_recorded', cooldown_until: new Date(until).toISOString() },
+            result: { policy_event: 'cooldown', profile: cfg.profile },
+        });
+    }
+}
+exports.PolicyEngine = PolicyEngine;
+//# sourceMappingURL=engine.js.map

package/dist/policy/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/policy/engine.ts"],"names":[],"mappings":";;;;;;AAqBA,sCAOC;AA5BD,oDAA2B;AAE3B,mCAMgB;AAKhB,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;AAC1D,CAAC;AAED,SAAS,QAAQ;IACf,OAAO,MAAM,GAAG,gBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACvD,CAAC;AAED,SAAgB,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAA;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,MAAa,YAAY;IACvB,uDAAuD;IAC/C,UAAU,CAAc;IAEhC,sEAAsE;IAC9D,gBAAgB,GAAG,IAAI,GAAG,EAAwB,CAAA;IAE1D,yCAAyC;IAEzC,4DAA4D;IACpD,YAAY,GAAG,IAAI,GAAG,EAAqB,CAAA;IAEnD,mEAAmE;IAC3D,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAA;IAErD,qCAAqC;IAC7B,UAAU,GAAG,IAAI,GAAG,EAAqB,CAAA;IAEjD,oDAAoD;IAC5C,aAAa,GAAG,IAAI,GAAG,EAAqB,CAAA;IAEpD,qDAAqD;IAC7C,MAAM,CAAU,aAAa,GAAG,EAAE,GAAG,MAAM,CAAA;IAEnD,0DAA0D;IAClD,MAAM,CAAU,mBAAmB,GAAG,CAAC,GAAG,MAAM,CAAA;IAExD,kDAAkD;IAC1C,aAAa,GAAG,CAAC,CAAA;IAEzB,YAAY,cAAiC,MAAM;QACjD,IAAI,CAAC,UAAU,GAAG,uBAAe,CAAC,WAAW,CAAC,IAAI,uBAAe,CAAC,IAAI,CAAA;IACxE,CAAC;IAED;;;;OAIG;IACK,wBAAwB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,IAAI,GAAG,GAAG,IAAI,CAAC,aAAa,GAAG,YAAY,CAAC,mBAAmB;YAAE,OAAM;QACvE,IAAI,CAAC,aAAa,GAAG,GAAG,CAAA;QACxB,KAAK,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAC1C,IAAI,GAAG,GAAG,EAAE,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;gBAC1C,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC7B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC7B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC3B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,gCAAgC;IAChC,8EAA8E;IAE9E,gBAAgB,CAAC,SAAiB,EAAE,WAA8B,EAAE,SAAiC;QACnG,MAAM,IAAI,GAAG,uBAAe,CAAC,WAAW,CAAC,IAAI,uBAAe,CAAC,IAAI,CAAA;QACjE,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;IACjE,CAAC;IAED,gBAAgB,CAAC,SAAiB;QAChC,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAA;IAChE,CAAC;IAED,YAAY,CAAC,SAAiB;QAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QACvC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAChD,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC7B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC7B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC3B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,0EAA0E;IAC1E,8EAA8E;IAE9E,KAAK,CAAC,YAAY,CAAC,MAOlB;QACC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,KAAK,EAAE,KAAK,GAAG,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,CAAA;QAC3F,MAAM,GAAG,GAAG,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAA;QAC5C,MAAM,GAAG,GAAc,GAAG,SAAS,IAAI,MAAM,EAAE,CAAA;QAC/C,IAAI,QAAQ,GAAG,CAAC,CAAA;QAEhB,4CAA4C;QAC5C,IAAI,GAAG,CAAC,OAAO,KAAK,UAAU,EAAE,CAAC;YAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAA;QACvC,CAAC;QAED,2DAA2D;QAC3D,IAAI,CAAC,wBAAwB,EAAE,CAAA;QAE/B,MAAM,GAAG,GAAG,QAAQ,EAAE,CAAA;QAEtB,mCAAmC;QACnC,IAAI,SAAS,IAAI,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;YAC5C,WAAW,EAAE,KAAK,CAAC;gBACjB,UAAU,EAAE,SAAS;gBACrB,SAAS,EAAE,GAAG;gBACd,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,0BAA0B,EAAE;gBAC9D,MAAM,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;aACvD,CAAC,CAAA;YACF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,gCAAgC,GAAG,CAAC,OAAO,8FAA8F;gBACjJ,WAAW,EAAE,MAAM;gBACnB,QAAQ,EAAE,CAAC;aACZ,CAAA;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YAC1C,IAAI,IAAI,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC;gBACpC,WAAW,EAAE,KAAK,CAAC;oBACjB,UAAU,EAAE,SAAS;oBACrB,SAAS,EAAE,GAAG;oBACd,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,wBAAwB,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,mBAAmB,EAAE;oBAChG,MAAM,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;iBACvD,CAAC,CAAA;gBACF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,sCAAsC,MAAM,MAAM,IAAI,IAAI,GAAG,CAAC,mBAAmB,iBAAiB;oBAC1G,WAAW,EAAE,MAAM;oBACnB,QAAQ,EAAE,CAAC;iBACZ,CAAA;YACH,CAAC;YACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAA;YAClC,WAAW,EAAE,KAAK,CAAC;gBACjB,UAAU,EAAE,SAAS;gBACrB,SAAS,EAAE,GAAG;gBACd,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,mBAAmB,EAAE;gBAC/E,MAAM,EAAE,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;aACxD,CAAC,CAAA;QACJ,CAAC;QAED,uBAAuB;QACvB,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,IAAI,GAAG,GAAG,WAAW,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,WAAW,GAAG,GAAG,CAAA;YAChC,WAAW,EAAE,KAAK,CAAC;gBACjB,UAAU,EAAE,SAAS;gBACrB,SAAS,EAAE,GAAG;gBACd,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE;gBAC3C,MAAM,EAAE,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;aAC3D,CAAC,CAAA;YACF,MAAM,KAAK,CAAC,MAAM,CAAC,CAAA;YACnB,QAAQ,IAAI,MAAM,CAAA;QACpB,CAAC;QAED,6CAA6C;QAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACvB,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,CAAA;QAClF,IAAI,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC;YAC7C,MAAM,cAAc,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YAChC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,GAAG,cAAc,CAAC,GAAG,GAAG,CAAA;YACrD,WAAW,EAAE,KAAK,CAAC;gBACjB,UAAU,EAAE,SAAS;gBACrB,SAAS,EAAE,GAAG;gBACd,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE;gBACxG,MAAM,EAAE,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;aAC3D,CAAC,CAAA;YACF,MAAM,KAAK,CAAC,MAAM,CAAC,CAAA;YACnB,QAAQ,IAAI,MAAM,CAAA;QACpB,CAAC;QAED,qCAAqC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAC7C,MAAM,OAAO,GAAG,IAAI,GAAG,KAAK,CAAA;QAC5B,IAAI,OAAO,GAAG,GAAG,CAAC,mBAAmB,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,GAAG,CAAC,mBAAmB,GAAG,OAAO,CAAA;YAChD,WAAW,EAAE,KAAK,CAAC;gBACjB,UAAU,EAAE,SAAS;gBACrB,SAAS,EAAE,GAAG;gBACd,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;gBACxF,MAAM,EAAE,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;aAC3D,CAAC,CAAA;YACF,MAAM,KAAK,CAAC,MAAM,CAAC,CAAA;YACnB,QAAQ,IAAI,MAAM,CAAA;QACpB,CAAC;QAED,eAAe;QACf,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAA;QACjC,MAAM,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACpF,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,MAAM,KAAK,CAAC,MAAM,CAAC,CAAA;YACnB,QAAQ,IAAI,MAAM,CAAA;QACpB,CAAC;QAED,8BAA8B;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACvB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QAChC,MAAM,aAAa,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,EAAE,IAAI,CAAC,CAAA;QACxE,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;QAEzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,EAAE,CAAA;IACxF,CAAC;IAED,8EAA8E;IAC9E,gFAAgF;IAChF,8EAA8E;IAE9E,WAAW,CAAC,SAAiB,EAAE,MAAc,EAAE,WAAyB;QACtE,MAAM,GAAG,GAAG,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAA;QAC5C,IAAI,GAAG,CAAC,oBAAoB,IAAI,CAAC;YAAE,OAAM;QACzC,MAAM,GAAG,GAAc,GAAG,SAAS,IAAI,MAAM,EAAE,CAAA;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,oBAAoB,CAAA;QACnD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAClC,WAAW,EAAE,KAAK,CAAC;YACjB,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,QAAQ,EAAE;YACrB,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,cAAc,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,EAAE;YAC3F,MAAM,EAAE,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;SAC3D,CAAC,CAAA;IACJ,CAAC;;AAjPH,oCAkPC"}

package/dist/policy/types.d.ts

@@ -0,0 +1,40 @@
+/**
+ * agentmb — social-media safety execution policy (r06-c02)
+ *
+ * Provides domain-level throttling, random jitter, cooldown windows, retry
+ * budgets, and sensitive-action guardrails to reduce platform risk-control
+ * triggering during automated browser workflows.
+ */
+export type PolicyProfileName = 'safe' | 'permissive' | 'disabled';
+export interface PolicyConfig {
+    /** Profile name used for identification and audit logs. */
+    profile: PolicyProfileName;
+    /** Minimum milliseconds between two successive actions on the same domain. */
+    domainMinIntervalMs: number;
+    /** [min, max] random jitter added before every action (ms). */
+    jitterMs: [number, number];
+    /** Milliseconds to wait after a rate-limit/error response before next action. */
+    cooldownAfterErrorMs: number;
+    /** Maximum number of retry attempts allowed per domain per session. */
+    maxRetriesPerDomain: number;
+    /** Maximum total actions per domain within a rolling 60-second window. */
+    maxActionsPerMinute: number;
+    /**
+     * When false (default in 'safe'), requests with sensitive=true are denied
+     * unless the session has explicitly enabled sensitive actions.
+     */
+    allowSensitiveActions: boolean;
+}
+/** Built-in policy profiles. */
+export declare const POLICY_PROFILES: Record<PolicyProfileName, PolicyConfig>;
+export type PolicyEvent = 'throttle' | 'cooldown' | 'deny' | 'retry' | 'jitter';
+export interface PolicyCheckResult {
+    allowed: boolean;
+    /** Present when allowed=false */
+    reason?: string;
+    /** Type of policy event that triggered a wait or denial */
+    policyEvent?: PolicyEvent;
+    /** Total milliseconds waited due to policy (jitter + throttle + cooldown) */
+    waitedMs: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/policy/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/policy/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,YAAY,GAAG,UAAU,CAAA;AAElE,MAAM,WAAW,YAAY;IAC3B,2DAA2D;IAC3D,OAAO,EAAE,iBAAiB,CAAA;IAK1B,8EAA8E;IAC9E,mBAAmB,EAAE,MAAM,CAAA;IAE3B,+DAA+D;IAC/D,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAK1B,iFAAiF;IACjF,oBAAoB,EAAE,MAAM,CAAA;IAK5B,uEAAuE;IACvE,mBAAmB,EAAE,MAAM,CAAA;IAK3B,0EAA0E;IAC1E,mBAAmB,EAAE,MAAM,CAAA;IAK3B;;;OAGG;IACH,qBAAqB,EAAE,OAAO,CAAA;CAC/B;AAED,gCAAgC;AAChC,eAAO,MAAM,eAAe,EAAE,MAAM,CAAC,iBAAiB,EAAE,YAAY,CA0CnE,CAAA;AAED,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAA;AAE/E,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAA;IAChB,iCAAiC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,2DAA2D;IAC3D,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAA;CACjB"}