airlock-bot 0.0.1 → 0.2.1

package/dist/hitl/providers/types.d.ts

@@ -0,0 +1,18 @@
+export interface HitlNotification {
+    id: string;
+    code: string;
+    agentId: string;
+    tool: string;
+    args: Record<string, unknown>;
+    timeoutMs: number;
+}
+export interface HitlProvider {
+    init(): Promise<void>;
+    notify(requests: HitlNotification[]): Promise<void>;
+    stop(): Promise<void>;
+}
+export interface ApprovalApi {
+    approve(id: string): void;
+    deny(id: string, reason?: string): void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/hitl/providers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/hitl/providers/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzC"}

package/dist/hitl/providers/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/hitl/providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/hitl/providers/types.ts"],"names":[],"mappings":""}

package/dist/hitl/providers/webhook.d.ts

@@ -0,0 +1,13 @@
+import type { HitlProvider, HitlNotification } from './types.js';
+export interface WebhookHitlConfig {
+    url: string;
+    headers: Record<string, string>;
+}
+export declare class WebhookHitlProvider implements HitlProvider {
+    private cfg;
+    constructor(cfg: WebhookHitlConfig);
+    init(): Promise<void>;
+    stop(): Promise<void>;
+    notify(requests: HitlNotification[]): Promise<void>;
+}
+//# sourceMappingURL=webhook.d.ts.map

package/dist/hitl/providers/webhook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../../src/hitl/providers/webhook.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAIjE,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,qBAAa,mBAAoB,YAAW,YAAY;IAC1C,OAAO,CAAC,GAAG;gBAAH,GAAG,EAAE,iBAAiB;IAEpC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAErB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAErB,MAAM,CAAC,QAAQ,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;CAiB1D"}

package/dist/hitl/providers/webhook.js

@@ -0,0 +1,27 @@
+import { formatBatch } from '../formatter.js';
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('hitl-webhook');
+export class WebhookHitlProvider {
+    cfg;
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    async init() { }
+    async stop() { }
+    async notify(requests) {
+        const text = formatBatch(requests);
+        const body = JSON.stringify({ requests, text });
+        const res = await fetch(this.cfg.url, {
+            method: 'POST',
+            headers: {
+                ...this.cfg.headers,
+                'Content-Type': 'application/json',
+            },
+            body,
+        });
+        if (!res.ok) {
+            log.warn({ status: res.status }, 'Webhook returned non-2xx');
+        }
+    }
+}
+//# sourceMappingURL=webhook.js.map

package/dist/hitl/providers/webhook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../../src/hitl/providers/webhook.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,MAAM,GAAG,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;AAOxC,MAAM,OAAO,mBAAmB;IACV;IAApB,YAAoB,GAAsB;QAAtB,QAAG,GAAH,GAAG,CAAmB;IAAG,CAAC;IAE9C,KAAK,CAAC,IAAI,KAAmB,CAAC;IAE9B,KAAK,CAAC,IAAI,KAAmB,CAAC;IAE9B,KAAK,CAAC,MAAM,CAAC,QAA4B;QACvC,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO;gBACnB,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI;SACL,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+import { parseArgs } from 'util';
+import { loadConfig } from './config/loader.js';
+import { ConfigWatcher } from './config/watcher.js';
+import { Gateway } from './gateway.js';
+import { runStdioMode } from './stdio-mode.js';
+import { runDiscover } from './discover/cli.js';
+import { logger } from './util/logger.js';
+// Handle `airlock discover ...` subcommand before parseArgs
+const subcommand = process.argv[2];
+if (subcommand === 'discover') {
+    runDiscover(process.argv.slice(3)).catch((err) => {
+        console.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    });
+}
+else {
+    runGateway();
+}
+function runGateway() {
+    const { values } = parseArgs({
+        options: {
+            config: { type: 'string', short: 'c', default: './airlock.yaml' },
+            agent: { type: 'string', short: 'a' },
+            help: { type: 'boolean', short: 'h', default: false },
+        },
+        allowPositionals: false,
+    });
+    if (values.help) {
+        console.log(`
+airlock — permissions-aware MCP gateway
+
+Usage:
+  airlock [options]
+  airlock discover <cli|api> [options]
+
+Options:
+  -c, --config <path>    Config file path (default: ./airlock.yaml)
+  -a, --agent <name>     Run in stdio mode for the given agent
+  -h, --help             Show this help message
+
+Subcommands:
+  discover cli <tool>    Auto-discover CLI commands from --help or Fig specs
+  discover api <spec>    Auto-discover API endpoints from an OpenAPI spec
+
+Examples:
+  # Start full gateway server
+  airlock --config /etc/airlock/gateway.yaml
+
+  # Connect as a specific agent via stdio (for Claude Code, Cursor, etc.)
+  airlock --agent helena
+
+  # Discover CLI tool commands
+  airlock discover cli git --output git-commands.yaml
+
+  # Discover API endpoints
+  airlock discover api ./petstore.json --output petstore-api.yaml
+`);
+        process.exit(0);
+    }
+    async function main() {
+        const configPath = values.config ?? './airlock.yaml';
+        const config = loadConfig(configPath);
+        if (values.agent) {
+            await runStdioMode(config, values.agent, configPath).catch((err) => {
+                logger.error({ err }, 'Fatal error in stdio mode');
+                process.exit(1);
+            });
+            return;
+        }
+        // Full gateway mode
+        const gateway = new Gateway(config);
+        const watcher = new ConfigWatcher(configPath);
+        watcher.on('reload', (newConfig) => {
+            gateway.reload(newConfig).catch((err) => {
+                logger.error({ err }, 'Failed to apply reloaded config');
+            });
+        });
+        watcher.start();
+        const shutdown = async (signal) => {
+            logger.info({ signal }, 'Shutdown signal received');
+            try {
+                watcher.stop();
+                await gateway.stop();
+            }
+            catch (err) {
+                logger.error({ err }, 'Error during shutdown');
+            }
+            process.exit(0);
+        };
+        process.on('SIGTERM', () => void shutdown('SIGTERM'));
+        process.on('SIGINT', () => void shutdown('SIGINT'));
+        process.on('unhandledRejection', (err) => {
+            logger.error({ err }, 'Unhandled promise rejection');
+        });
+        await gateway.start();
+    }
+    main().catch((err) => {
+        logger.error({ err }, 'Fatal error');
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE1C,4DAA4D;AAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACnC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;IAC9B,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC/C,OAAO,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,UAAU,EAAE,CAAC;AACf,CAAC;AAED,SAAS,UAAU;IACjB,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;QAC3B,OAAO,EAAE;YACP,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,gBAAgB,EAAE;YACjE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE;YACrC,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE;SACtD;QACD,gBAAgB,EAAE,KAAK;KACxB,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4Bf,CAAC,CAAC;QACC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,KAAK,UAAU,IAAI;QACjB,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACrD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;QAEtC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACjE,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,2BAA2B,CAAC,CAAC;gBACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oBAAoB;QACpB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QAEpC,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC;QAC9C,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,EAAE;YACjC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACtC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,iCAAiC,CAAC,CAAC;YAC3D,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,CAAC,KAAK,EAAE,CAAC;QAEhB,MAAM,QAAQ,GAAG,KAAK,EAAE,MAAc,EAAE,EAAE;YACxC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC;YACpD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,EAAE,CAAC;gBACf,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;YACvB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,uBAAuB,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpD,OAAO,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE;YACvC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,6BAA6B,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,aAAa,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/chain-builder.d.ts

@@ -0,0 +1,16 @@
+import type { AgentConfig } from '../config/schema.js';
+import type { Middleware, MiddlewareDeps } from './types.js';
+/**
+ * Builds the complete middleware chain for an agent.
+ *
+ * Core zone (fixed order, always present):
+ *   allowlist → exec-policy → schema-validator → [detectors from config] → hitl-gate → execute
+ *
+ * Post zone (user-configurable, wraps around core):
+ *   Applied in config order, each wraps the downstream response
+ *
+ * Default middlewares (schema-validator, untrusted-envelope, output-injection-detector)
+ * are included unless explicitly disabled via `enabled: false`.
+ */
+export declare function buildMiddlewareChain(agentConfig: AgentConfig, _deps: MiddlewareDeps): Middleware;
+//# sourceMappingURL=chain-builder.d.ts.map

package/dist/middleware/chain-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-builder.d.ts","sourceRoot":"","sources":["../../src/middleware/chain-builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAwF7D;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,GAAG,UAAU,CAmDhG"}

package/dist/middleware/chain-builder.js

@@ -0,0 +1,139 @@
+import { compose } from './compose.js';
+import { allowlistMiddleware } from './core/allowlist.js';
+import { execPolicyMiddleware } from './core/exec-policy.js';
+import { hitlGateMiddleware } from './core/hitl-gate.js';
+import { executeMiddleware } from './core/execute.js';
+import { schemaValidatorMiddleware } from './core/schema-validator.js';
+import { rateLimiterMiddleware } from './core/rate-limiter.js';
+import { untrustedEnvelopeMiddleware } from './post/untrusted-envelope.js';
+import { stripQueryParamsMiddleware } from './post/strip-query-params.js';
+import { outputInjectionDetectorMiddleware } from './post/output-injection-detector.js';
+import { canaryTokenInjectorMiddleware } from './post/canary-token-injector.js';
+import { outputSizeLimiterMiddleware } from './post/output-size-limiter.js';
+import { outputSummarizerMiddleware } from './post/output-summarizer.js';
+import { injectionDetectorMiddleware } from './detectors/injection-detector.js';
+import { sensitivityClassifierMiddleware } from './detectors/sensitivity-classifier.js';
+import { matches } from '../allowlist/pattern.js';
+function shouldRunForTool(toolName, tools, exclude) {
+    if (exclude?.some((p) => matches(p, toolName)))
+        return false;
+    if (tools && !tools.some((p) => matches(p, toolName)))
+        return false;
+    return true;
+}
+function withToolFilter(mw, item) {
+    if (!item.tools && !item.exclude)
+        return mw;
+    return (ctx, next) => {
+        if (!shouldRunForTool(ctx.toolName, item.tools, item.exclude))
+            return next();
+        return mw(ctx, next);
+    };
+}
+function resolveMiddleware(item) {
+    switch (item.name) {
+        case 'schema-validator':
+            return schemaValidatorMiddleware();
+        case 'rate-limiter':
+            return rateLimiterMiddleware({
+                max_requests: item.max_requests ?? 60,
+                window_ms: item.window_ms ?? 60_000,
+                per: item.per,
+            });
+        case 'untrusted-envelope':
+            return untrustedEnvelopeMiddleware();
+        case 'strip-query-params':
+            return stripQueryParamsMiddleware();
+        case 'output-injection-detector':
+            return outputInjectionDetectorMiddleware({
+                mode: item.mode, // schema includes 'escalate' which is not valid for output-injection-detector
+            });
+        case 'canary-token-injector':
+            return canaryTokenInjectorMiddleware();
+        case 'output-size-limiter':
+            return outputSizeLimiterMiddleware({
+                max_lines: item.max_lines,
+                max_chars: item.max_chars,
+            });
+        case 'output-summarizer':
+            return outputSummarizerMiddleware({
+                model: item.model ?? 'claude-haiku-4-5-20251001',
+                threshold_chars: item.threshold_chars,
+            });
+        case 'injection-detector':
+            return injectionDetectorMiddleware({
+                backend: item.backend,
+                mode: item.mode,
+                inference_url: item.inference_url,
+                threshold: item.threshold,
+            });
+        case 'sensitivity-classifier':
+            return sensitivityClassifierMiddleware({
+                mode: item.mode,
+                threshold: item.threshold,
+                backend: item.backend,
+                model: item.model,
+            });
+        default:
+            throw new Error(`Unknown middleware: ${item.name}`);
+    }
+}
+const DEFAULT_MIDDLEWARE = [
+    { name: 'schema-validator', enabled: true },
+    { name: 'untrusted-envelope', enabled: true },
+    { name: 'output-injection-detector', mode: 'detect', enabled: true },
+];
+/**
+ * Builds the complete middleware chain for an agent.
+ *
+ * Core zone (fixed order, always present):
+ *   allowlist → exec-policy → schema-validator → [detectors from config] → hitl-gate → execute
+ *
+ * Post zone (user-configurable, wraps around core):
+ *   Applied in config order, each wraps the downstream response
+ *
+ * Default middlewares (schema-validator, untrusted-envelope, output-injection-detector)
+ * are included unless explicitly disabled via `enabled: false`.
+ */
+export function buildMiddlewareChain(agentConfig, _deps) {
+    const userMiddleware = agentConfig.middleware;
+    // undefined  → defaults (schema-validator, untrusted-envelope, output-injection-detector)
+    // []         → bare pipeline, no middlewares at all
+    // [items...] → defaults + user items; use `enabled: false` to disable a default
+    let enabledMiddleware;
+    if (userMiddleware === undefined) {
+        enabledMiddleware = DEFAULT_MIDDLEWARE;
+    }
+    else if (userMiddleware.length === 0) {
+        enabledMiddleware = [];
+    }
+    else {
+        const disabledNames = new Set(userMiddleware.filter((m) => m.enabled === false).map((m) => m.name));
+        const userNames = new Set(userMiddleware.map((m) => m.name));
+        const defaults = DEFAULT_MIDDLEWARE.filter((m) => !disabledNames.has(m.name) && !userNames.has(m.name));
+        enabledMiddleware = [...defaults, ...userMiddleware.filter((m) => m.enabled !== false)];
+    }
+    // Separate core-zone middleware (detectors + schema-validator) from post middlewares
+    const coreNames = new Set(['injection-detector', 'sensitivity-classifier', 'schema-validator']);
+    const coreUserMiddleware = enabledMiddleware.filter((m) => coreNames.has(m.name));
+    const postUserMiddleware = enabledMiddleware.filter((m) => !coreNames.has(m.name));
+    // Extract schema-validator separately — it runs before detectors
+    const schemaValidators = coreUserMiddleware.filter((m) => m.name === 'schema-validator');
+    const detectors = coreUserMiddleware.filter((m) => m.name !== 'schema-validator');
+    // Core zone: fixed security-critical order
+    //   allowlist → exec-policy → schema-validator → [detectors] → hitl-gate → execute
+    const coreMiddlewares = [
+        allowlistMiddleware(),
+        execPolicyMiddleware(),
+        ...schemaValidators.map((m) => withToolFilter(resolveMiddleware(m), m)),
+        ...detectors.map((m) => withToolFilter(resolveMiddleware(m), m)),
+        hitlGateMiddleware(),
+        executeMiddleware(),
+    ];
+    // Post zone: user-configurable
+    const postMiddlewares = postUserMiddleware.map((m) => withToolFilter(resolveMiddleware(m), m));
+    // Post middlewares wrap the core chain
+    // They run after execution (or wrap around it), so they go before core in compose order
+    return compose([...postMiddlewares, ...coreMiddlewares]);
+}
+//# sourceMappingURL=chain-builder.js.map

package/dist/middleware/chain-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-builder.js","sourceRoot":"","sources":["../../src/middleware/chain-builder.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,EAAE,iCAAiC,EAAE,MAAM,qCAAqC,CAAC;AACxF,OAAO,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAE,2BAA2B,EAAE,MAAM,mCAAmC,CAAC;AAChF,OAAO,EAAE,+BAA+B,EAAE,MAAM,uCAAuC,CAAC;AACxF,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAGlD,SAAS,gBAAgB,CAAC,QAAgB,EAAE,KAAgB,EAAE,OAAkB;IAC9E,IAAI,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7D,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACpE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,EAAc,EAAE,IAA0B;IAChE,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAC5C,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACnB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,EAAE,CAAC;QAC7E,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAA0B;IACnD,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,kBAAkB;YACrB,OAAO,yBAAyB,EAAE,CAAC;QACrC,KAAK,cAAc;YACjB,OAAO,qBAAqB,CAAC;gBAC3B,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,EAAE;gBACrC,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,MAAM;gBACnC,GAAG,EAAE,IAAI,CAAC,GAAG;aACd,CAAC,CAAC;QACL,KAAK,oBAAoB;YACvB,OAAO,2BAA2B,EAAE,CAAC;QACvC,KAAK,oBAAoB;YACvB,OAAO,0BAA0B,EAAE,CAAC;QACtC,KAAK,2BAA2B;YAC9B,OAAO,iCAAiC,CAAC;gBACvC,IAAI,EAAE,IAAI,CAAC,IAAuC,EAAE,8EAA8E;aACnI,CAAC,CAAC;QACL,KAAK,uBAAuB;YAC1B,OAAO,6BAA6B,EAAE,CAAC;QACzC,KAAK,qBAAqB;YACxB,OAAO,2BAA2B,CAAC;gBACjC,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,KAAK,mBAAmB;YACtB,OAAO,0BAA0B,CAAC;gBAChC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,2BAA2B;gBAChD,eAAe,EAAE,IAAI,CAAC,eAAe;aACtC,CAAC,CAAC;QACL,KAAK,oBAAoB;YACvB,OAAO,2BAA2B,CAAC;gBACjC,OAAO,EAAE,IAAI,CAAC,OAA0C;gBACxD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,KAAK,wBAAwB;YAC3B,OAAO,+BAA+B,CAAC;gBACrC,IAAI,EAAE,IAAI,CAAC,IAAyC;gBACpD,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,OAAO,EAAE,IAAI,CAAC,OAA0C;gBACxD,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;QACL;YACE,MAAM,IAAI,KAAK,CAAC,uBAAwB,IAAyB,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9E,CAAC;AACH,CAAC;AAED,MAAM,kBAAkB,GAA2B;IACjD,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,IAAI,EAAE;IAC3C,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE;IAC7C,EAAE,IAAI,EAAE,2BAA2B,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE;CACrE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAwB,EAAE,KAAqB;IAClF,MAAM,cAAc,GAAG,WAAW,CAAC,UAAU,CAAC;IAE9C,0FAA0F;IAC1F,oDAAoD;IACpD,gFAAgF;IAChF,IAAI,iBAAyC,CAAC;IAE9C,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,iBAAiB,GAAG,kBAAkB,CAAC;IACzC,CAAC;SAAM,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,iBAAiB,GAAG,EAAE,CAAC;IACzB,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CACrE,CAAC;QACF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CACxC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAC5D,CAAC;QACF,iBAAiB,GAAG,CAAC,GAAG,QAAQ,EAAE,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,CAAC,CAAC;IAC1F,CAAC;IAED,qFAAqF;IACrF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,oBAAoB,EAAE,wBAAwB,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAChG,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAClF,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEnF,iEAAiE;IACjE,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;IACzF,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;IAElF,2CAA2C;IAC3C,mFAAmF;IACnF,MAAM,eAAe,GAAiB;QACpC,mBAAmB,EAAE;QACrB,oBAAoB,EAAE;QACtB,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACvE,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAChE,kBAAkB,EAAE;QACpB,iBAAiB,EAAE;KACpB,CAAC;IAEF,+BAA+B;IAC/B,MAAM,eAAe,GAAiB,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACjE,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CACxC,CAAC;IAEF,uCAAuC;IACvC,wFAAwF;IACxF,OAAO,OAAO,CAAC,CAAC,GAAG,eAAe,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/middleware/compose.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from './types.js';
+export declare function compose(middlewares: Middleware[]): Middleware;
+//# sourceMappingURL=compose.d.ts.map

package/dist/middleware/compose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../../src/middleware/compose.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAqC,MAAM,YAAY,CAAC;AAEhF,wBAAgB,OAAO,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,UAAU,CAgB7D"}

package/dist/middleware/compose.js

@@ -0,0 +1,15 @@
+export function compose(middlewares) {
+    return function composed(ctx, finalNext) {
+        let index = -1;
+        function dispatch(i) {
+            if (i <= index) {
+                return Promise.reject(new Error('next() called multiple times'));
+            }
+            index = i;
+            const fn = i < middlewares.length ? middlewares[i] : finalNext;
+            return fn(ctx, () => dispatch(i + 1));
+        }
+        return dispatch(0);
+    };
+}
+//# sourceMappingURL=compose.js.map

package/dist/middleware/compose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.js","sourceRoot":"","sources":["../../src/middleware/compose.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,OAAO,CAAC,WAAyB;IAC/C,OAAO,SAAS,QAAQ,CAAC,GAAoB,EAAE,SAA0C;QACvF,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;QAEf,SAAS,QAAQ,CAAC,CAAS;YACzB,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;gBACf,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAC;YACnE,CAAC;YACD,KAAK,GAAG,CAAC,CAAC;YAEV,MAAM,EAAE,GAAG,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC/D,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/core/allowlist.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from '../types.js';
+export declare function allowlistMiddleware(): Middleware;
+//# sourceMappingURL=allowlist.d.ts.map

package/dist/middleware/core/allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.d.ts","sourceRoot":"","sources":["../../../src/middleware/core/allowlist.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK9C,wBAAgB,mBAAmB,IAAI,UAAU,CAoBhD"}

package/dist/middleware/core/allowlist.js

@@ -0,0 +1,23 @@
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:allowlist');
+export function allowlistMiddleware() {
+    return async (ctx, next) => {
+        const decision = ctx.deps.allowlist.evaluate(ctx.agentId, ctx.toolName);
+        if (decision === 'deny') {
+            log.info({ agentId: ctx.agentId, toolName: ctx.toolName }, 'Tool call denied by allowlist');
+            ctx.deps.auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'denied',
+            });
+            throw new McpError(ErrorCode.InvalidRequest, `Tool not available: ${ctx.toolName}`);
+        }
+        if (decision === 'ask') {
+            ctx.meta.needsApproval = true;
+        }
+        return next();
+    };
+}
+//# sourceMappingURL=allowlist.js.map

package/dist/middleware/core/allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.js","sourceRoot":"","sources":["../../../src/middleware/core/allowlist.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAEzE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;AAExC,MAAM,UAAU,mBAAmB;IACjC,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxE,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,+BAA+B,CAAC,CAAC;YAC5F,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,QAAQ;aACjB,CAAC,CAAC;YACH,MAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,cAAc,EAAE,uBAAuB,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QACtF,CAAC;QAED,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YACvB,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAChC,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/core/exec-policy.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from '../types.js';
+export declare function execPolicyMiddleware(): Middleware;
+//# sourceMappingURL=exec-policy.d.ts.map

package/dist/middleware/core/exec-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec-policy.d.ts","sourceRoot":"","sources":["../../../src/middleware/core/exec-policy.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK9C,wBAAgB,oBAAoB,IAAI,UAAU,CA0BjD"}

package/dist/middleware/core/exec-policy.js

@@ -0,0 +1,30 @@
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+import { evaluateExecCommand } from '../../tools/exec.js';
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:exec-policy');
+export function execPolicyMiddleware() {
+    return async (ctx, next) => {
+        if (ctx.toolName !== 'exec/run')
+            return next();
+        const command = ctx.args['command'];
+        if (typeof command !== 'string' || !command) {
+            throw new McpError(ErrorCode.InvalidParams, 'exec/run requires a string command');
+        }
+        const cmdDecision = evaluateExecCommand(command, ctx.agentConfig);
+        if (cmdDecision === 'deny') {
+            log.info({ agentId: ctx.agentId, command }, 'exec command denied by policy');
+            ctx.deps.auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'denied',
+            });
+            throw new McpError(ErrorCode.InvalidRequest, 'Command denied by policy');
+        }
+        if (cmdDecision === 'ask') {
+            ctx.meta.needsApproval = true;
+        }
+        return next();
+    };
+}
+//# sourceMappingURL=exec-policy.js.map

package/dist/middleware/core/exec-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec-policy.js","sourceRoot":"","sources":["../../../src/middleware/core/exec-policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;AAE1C,MAAM,UAAU,oBAAoB;IAClC,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,IAAI,GAAG,CAAC,QAAQ,KAAK,UAAU;YAAE,OAAO,IAAI,EAAE,CAAC;QAE/C,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5C,MAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,oCAAoC,CAAC,CAAC;QACpF,CAAC;QAED,MAAM,WAAW,GAAG,mBAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAClE,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;YAC3B,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,+BAA+B,CAAC,CAAC;YAC7E,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,QAAQ;aACjB,CAAC,CAAC;YACH,MAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,WAAW,KAAK,KAAK,EAAE,CAAC;YAC1B,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAChC,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/core/execute.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from '../types.js';
+export declare function executeMiddleware(): Middleware;
+//# sourceMappingURL=execute.d.ts.map

package/dist/middleware/core/execute.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"execute.d.ts","sourceRoot":"","sources":["../../../src/middleware/core/execute.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAoB,MAAM,aAAa,CAAC;AAEhE,wBAAgB,iBAAiB,IAAI,UAAU,CAkC9C"}

package/dist/middleware/core/execute.js

@@ -0,0 +1,35 @@
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+export function executeMiddleware() {
+    return async (ctx, _next) => {
+        const { registry, auditLogger } = ctx.deps;
+        try {
+            const callResult = await registry.call(ctx.toolName, ctx.args, ctx.agentId);
+            const duration = Date.now() - ctx.startedAt;
+            auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'success',
+                duration_ms: duration,
+            });
+            return {
+                result: callResult,
+                text: JSON.stringify(callResult),
+            };
+        }
+        catch (err) {
+            const duration = Date.now() - ctx.startedAt;
+            const error = err instanceof Error ? err.message : String(err);
+            auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'error',
+                error,
+                duration_ms: duration,
+            });
+            throw new McpError(ErrorCode.InternalError, error);
+        }
+    };
+}
+//# sourceMappingURL=execute.js.map

package/dist/middleware/core/execute.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"execute.js","sourceRoot":"","sources":["../../../src/middleware/core/execute.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAGzE,MAAM,UAAU,iBAAiB;IAC/B,OAAO,KAAK,EAAE,GAAG,EAAE,KAAK,EAA6B,EAAE;QACrD,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAE5E,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;YAC5C,WAAW,CAAC,GAAG,CAAC;gBACd,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,SAAS;gBACjB,WAAW,EAAE,QAAQ;aACtB,CAAC,CAAC;YAEH,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;aACjC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;YAC5C,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC/D,WAAW,CAAC,GAAG,CAAC;gBACd,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,OAAO;gBACf,KAAK;gBACL,WAAW,EAAE,QAAQ;aACtB,CAAC,CAAC;YACH,MAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/core/hitl-gate.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from '../types.js';
+export declare function hitlGateMiddleware(): Middleware;
+//# sourceMappingURL=hitl-gate.d.ts.map

package/dist/middleware/core/hitl-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hitl-gate.d.ts","sourceRoot":"","sources":["../../../src/middleware/core/hitl-gate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,wBAAgB,kBAAkB,IAAI,UAAU,CA0C/C"}

package/dist/middleware/core/hitl-gate.js

@@ -0,0 +1,38 @@
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+export function hitlGateMiddleware() {
+    return async (ctx, next) => {
+        if (!ctx.meta.needsApproval)
+            return next();
+        const { hitlEngine, hitlBatcher, auditLogger } = ctx.deps;
+        const ticket = hitlEngine.create({ agentId: ctx.agentId, tool: ctx.toolName, args: ctx.args });
+        hitlBatcher.add({
+            id: ticket.id,
+            code: ticket.code,
+            agentId: ctx.agentId,
+            tool: ctx.toolName,
+            args: ctx.args,
+            timeoutMs: hitlEngine.timeoutMs,
+        });
+        const result = await ticket.result;
+        if (result === 'denied') {
+            auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'hitl_denied',
+            });
+            throw new McpError(ErrorCode.InvalidRequest, 'Request denied by operator');
+        }
+        if (result === 'timeout') {
+            auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'hitl_timeout',
+            });
+            throw new McpError(ErrorCode.InvalidRequest, 'Approval timed out. Re-request when operator is available.');
+        }
+        return next();
+    };
+}
+//# sourceMappingURL=hitl-gate.js.map

package/dist/middleware/core/hitl-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hitl-gate.js","sourceRoot":"","sources":["../../../src/middleware/core/hitl-gate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAGzE,MAAM,UAAU,kBAAkB;IAChC,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,EAAE,CAAC;QAE3C,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAC1D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAE/F,WAAW,CAAC,GAAG,CAAC;YACd,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,SAAS,EAAE,UAAU,CAAC,SAAS;SAChC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC;QAEnC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,WAAW,CAAC,GAAG,CAAC;gBACd,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,aAAa;aACtB,CAAC,CAAC;YACH,MAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,cAAc,EAAE,4BAA4B,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,WAAW,CAAC,GAAG,CAAC;gBACd,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,cAAc;aACvB,CAAC,CAAC;YACH,MAAM,IAAI,QAAQ,CAChB,SAAS,CAAC,cAAc,EACxB,4DAA4D,CAC7D,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/core/rate-limiter.d.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from '../types.js';
+export interface RateLimiterOptions {
+    max_requests: number;
+    window_ms: number;
+    per?: 'agent' | 'tool';
+}
+export declare function rateLimiterMiddleware(opts: RateLimiterOptions): Middleware;
+/** For testing */
+export declare function resetRateLimiterState(): void;
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/middleware/core/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../../src/middleware/core/rate-limiter.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;CACxB;AAcD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,kBAAkB,GAAG,UAAU,CAsB1E;AAED,kBAAkB;AAClB,wBAAgB,qBAAqB,IAAI,IAAI,CAE5C"}