attocode 0.2.4 → 0.2.5

package/dist/src/integrations/safety/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../../../src/integrations/safety/policy-engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,CAAC,MAAM,uBAAuB,GAAkC;IACpE,eAAe,EAAE;QACf,cAAc,EAAE,WAAW;QAC3B,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,CAAC;QACtH,WAAW,EAAE,CAAC,aAAa,CAAC;QAC5B,QAAQ,EAAE,WAAW;QACrB,mBAAmB,EAAE,qBAAqB;KAC3C;IACD,kBAAkB,EAAE;QAClB,cAAc,EAAE,WAAW;QAC3B,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,CAAC;QACjK,QAAQ,EAAE,MAAM;QAChB,mBAAmB,EAAE,qBAAqB;KAC3C;IACD,WAAW,EAAE;QACX,cAAc,EAAE,KAAK;QACrB,QAAQ,EAAE,MAAM;QAChB,mBAAmB,EAAE,KAAK;KAC3B;IACD,aAAa,EAAE;QACb,cAAc,EAAE,WAAW;QAC3B,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,CAAC;QAChG,WAAW,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,CAAC;QAC/D,QAAQ,EAAE,UAAU;QACpB,mBAAmB,EAAE,qBAAqB;KAC3C;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,4BAA4B,GAErC;IACF,OAAO,EAAE,IAAI;IACb,cAAc,EAAE,IAAI;IACpB,cAAc,EAAE,WAAW;IAC3B,mBAAmB,EAAE,kBAAkB;CACxC,CAAC;AA0BF,SAAS,aAAa,CAAC,GAAG,QAA0C;IAClE,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,CAAC,cAAc,GAAG,CAAC,CAAC,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC;QAClE,MAAM,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY,CAAC;QAC5D,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;QACzD,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;QAChD,MAAM,CAAC,mBAAmB,GAAG,CAAC,CAAC,mBAAmB,IAAI,MAAM,CAAC,mBAAmB,CAAC;QACjF,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,CAAC,QAAQ,GAAG;gBAChB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,WAAW;gBACnE,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,IAAI,MAAM,CAAC,QAAQ,EAAE,aAAa;gBACzE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,eAAe,IAAI,MAAM,CAAC,QAAQ,EAAE,eAAe;aAChF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,wBAAwB,CAAC,QAAiB,EAAE,WAAyB;IAC5E,IAAI,CAAC,QAAQ;QAAE,OAAO,kBAAkB,CAAC;IACzC,yDAAyD;IACzD,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAC5D,OAAO,UAAU,CAAC,aAAa,IAAI,kBAAkB,CAAC;AACxD,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAwB;IAC1D,IAAI,CAAC,MAAM,EAAE,YAAY,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAChF,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE1C,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACtF,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvB,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACzB,OAAO,eAAe,CAAC;IACzB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,mBAAmB,CAC1B,OAAsB,EACtB,OAAoC;IAKpC,MAAM,MAAM,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAsC;QAClD,eAAe,EAAE,SAAS;QAC1B,kBAAkB,EAAE,KAAK;QACzB,oBAAoB,EAAE,EAAE;QACxB,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC;IACjF,IAAI,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,CAAC,cAAc,GAAG,WAAW,CAAC;QACpC,MAAM,CAAC,YAAY,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC;QACzC,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC;QACnC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACzD,QAAQ,CAAC,QAAQ,CAAC,IAAI,CACpB,oFAAoF,CACrF,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,iBAAiB,IAAI,OAAO,CAAC,MAAM,EAAE,WAAW,IAAI,EAAE,CAAC;QACnE,GAAG,CAAC,OAAO,CAAC,iBAAiB,IAAI,OAAO,CAAC,WAAW,EAAE,iBAAiB,IAAI,EAAE,CAAC;KAC/E,CAAC;IACF,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1C,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC;QACnC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QAC1E,QAAQ,CAAC,QAAQ,CAAC,IAAI,CACpB,0EAA0E,CAC3E,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,EAAE,wBAAwB,EAAE,CAAC;QACpD,MAAM,CAAC,mBAAmB,GAAG,qBAAqB,CAAC;QACnD,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC;QACnC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACvE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CACpB,4GAA4G,CAC7G,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,aAAa,EAAE,QAAQ,EAAE,CAAC;QACpC,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC;QACjD,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC;QACnC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACvD,QAAQ,CAAC,QAAQ,CAAC,IAAI,CACpB,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,aAAa,EAAE,mBAAmB,EAAE,CAAC;QAC/C,MAAM,CAAC,mBAAmB,GAAG,OAAO,CAAC,aAAa,CAAC,mBAAmB,CAAC;QACvE,QAAQ,CAAC,kBAAkB,GAAG,IAAI,CAAC;QACnC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QAClE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CACpB,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,OAAoC;IACvE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,SAAS,CAAC;IACvD,MAAM,cAAc,GAAG,YAAY,EAAE,cAAc,IAAI,4BAA4B,CAAC,cAAc,CAAC;IACnG,MAAM,cAAc,GAAkC;QACpD,GAAG,uBAAuB;QAC1B,GAAG,CAAC,YAAY,EAAE,QAAQ,IAAI,EAAE,CAAC;QACjC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,cAAc,IAAI,EAAE,CAAC;KAC/C,CAAC;IAEF,uDAAuD;IACvD,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,EAAE,iBAAiB,CAAC;IAC1D,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5D,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM;gBAAE,SAAS;YACtB,IAAI,GAAG,CAAC,QAAQ,EAAE,MAAM,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBAChD,MAAM,CAAC,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBAC9E,gFAAgF;gBAChF,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;oBACvB,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClF,CAAC;YACH,CAAC;YACD,IAAI,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;gBAC5B,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;oBACxB,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,WAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvF,CAAC;gBACD,gEAAgE;gBAChE,MAAM,CAAC,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;YACzF,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,kBAAkB,GAAG,OAAO,CAAC,aAAa;QAC9C,CAAC,CAAC,CAAC,YAAY,EAAE,mBAAmB,IAAI,4BAA4B,CAAC,mBAAmB,CAAC;QACzF,CAAC,CAAC,CAAC,YAAY,EAAE,cAAc,IAAI,4BAA4B,CAAC,cAAc,CAAC,CAAC;IAElF,IAAI,eAAe,GAAyD,SAAS,CAAC;IACtF,IAAI,gBAAgB,GAAW,kBAAkB,CAAC;IAElD,IAAI,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,CAAC;QAC9D,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,MAAM,EAAE,aAAa,IAAI,kBAAkB,CAAC;QACnG,eAAe,GAAG,UAAU,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QACjC,MAAM,cAAc,GAAG,0BAA0B,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAClE,IAAI,cAAc,EAAE,CAAC;YACnB,gBAAgB,GAAG,cAAc,CAAC;YAClC,eAAe,GAAG,mBAAmB,CAAC;QACxC,CAAC;aAAM,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC5B,gBAAgB,GAAG,wBAAwB,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;YACnF,eAAe,GAAG,WAAW,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,gBAAgB,GAAG,kBAAkB,CAAC;YACtC,eAAe,GAAG,SAAS,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,cAAc,CAAC,kBAAkB,CAAC,IAAI,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACxF,MAAM,SAAS,GAAG,cAAc,CAAC,gBAAgB,CAAC,IAAI,IAAI,CAAC;IAE3D,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC9C,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,cAAc;QACrD,CAAC,CAAC,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC;QACtC,CAAC,CAAC;YACE,OAAO,EAAE,MAAM;YACf,QAAQ,EAAE;gBACR,eAAe,EAAE,SAAkB;gBACnC,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,EAAE;gBACxB,QAAQ,EAAE,EAAE;aACb;SACF,CAAC;IAEN,uFAAuF;IACvF,IAAI,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,IAAI,SAAS,CAAC,cAAc,KAAK,WAAW,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;QAC7G,SAAS,CAAC,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,CAAC,YAAY,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACjG,+FAA+F;QAC/F,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1B,SAAS,CAAC,WAAW,GAAG,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,MAAO,CAAC,UAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACtG,CAAC;IACH,CAAC;IAED,OAAO;QACL,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,SAAS;QAClB,QAAQ,EAAE;YACR,GAAG,QAAQ;YACX,eAAe;SAChB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,OAAsB;IAEtB,MAAM,IAAI,GAAG,OAAO,CAAC,cAAc,IAAI,KAAK,CAAC;IAE7C,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;QAC3C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,QAAQ,uCAAuC,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,QAAQ,gCAAgC,EAAE,CAAC;IACvF,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAAe,EACf,OAAsB,EACtB,QAAiB;IAEjB,IAAI,IAAI,GAAG,OAAO,CAAC,QAAQ,IAAI,MAAM,CAAC;IACtC,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,IAAI,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC;YAClG,CAAC,CAAC,WAAW;YACb,CAAC,CAAC,UAAU,CAAC;IACjB,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,CACjC,OAAO,EACP,IAAI,EACJ,OAAO,CAAC,mBAAmB,IAAI,KAAK,CACrC,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,KAIC,EACD,OAAsB;IAMtB,OAAO;QACL,WAAW,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACnG,aAAa,EAAE,EAAE,GAAG,CAAC,KAAK,CAAC,aAAa,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,aAAa,IAAI,EAAE,CAAC,EAAE;QAC7F,eAAe,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,eAAe,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;KAChH,CAAC;AACJ,CAAC"}

package/dist/src/integrations/safety/safety.d.ts

@@ -0,0 +1,174 @@
+/**
+ * Lesson 23: Safety Integration
+ *
+ * Integrates sandboxing (Lesson 20) and human-in-the-loop (Lesson 21)
+ * into the production agent. Provides execution safety and approval workflows.
+ */
+import type { SandboxConfig, PolicyEngineConfig, HumanInLoopConfig, ToolCall } from '../../types.js';
+/**
+ * Manages sandboxed execution of tools.
+ */
+export declare class SandboxManager {
+    private config;
+    private policyEngineConfig?;
+    constructor(config: SandboxConfig, policyEngineConfig?: PolicyEngineConfig | false);
+    /**
+     * Check if a command is allowed.
+     */
+    isCommandAllowed(command: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Check if a path is allowed.
+     * Resolves relative paths against cwd before comparison.
+     * Uses realpath to resolve symlinks and prevent symlink escape attacks.
+     */
+    isPathAllowed(path: string): boolean;
+    /**
+     * Get resource limits.
+     */
+    getResourceLimits(): NonNullable<SandboxConfig['resourceLimits']>;
+    /**
+     * Wrap execution with resource limits.
+     */
+    executeWithLimits<T>(fn: () => Promise<T>, timeout?: number): Promise<T>;
+    /**
+     * Validate tool call against sandbox rules.
+     */
+    validateToolCall(toolCall: ToolCall): {
+        valid: boolean;
+        reason?: string;
+    };
+}
+/**
+ * Manages human approval workflows.
+ */
+export declare class HumanInLoopManager {
+    private config;
+    private auditLog;
+    private pendingApprovals;
+    private approvalScope;
+    private readonly maxAuditEntries;
+    private readonly auditTrimSize;
+    constructor(config: HumanInLoopConfig);
+    /**
+     * Set an approval scope for pre-approved operations.
+     * Used by subagents to reduce approval interruptions.
+     */
+    setApprovalScope(scope: ApprovalScope): void;
+    /**
+     * Check if a tool call is pre-approved by the current scope.
+     */
+    private isPreApproved;
+    /**
+     * Determine risk level of an action.
+     */
+    assessRisk(toolCall: ToolCall): RiskLevel;
+    /**
+     * Check if action needs approval.
+     */
+    needsApproval(toolCall: ToolCall): boolean;
+    /**
+     * Request approval for an action.
+     */
+    requestApproval(toolCall: ToolCall, context: string): Promise<ApprovalResult>;
+    /**
+     * Console-based approval (for demos).
+     */
+    private consoleApproval;
+    /**
+     * Execute with timeout.
+     */
+    private executeWithTimeout;
+    /**
+     * Log an action to audit trail.
+     * Trims the log when it exceeds maxAuditEntries to prevent unbounded growth.
+     */
+    private logAction;
+    /**
+     * Get audit log.
+     */
+    getAuditLog(): AuditEntry[];
+    /**
+     * Get audit summary.
+     */
+    getAuditSummary(): AuditSummary;
+    /**
+     * Clear audit log.
+     */
+    clearAuditLog(): void;
+}
+/**
+ * Combined safety manager for the production agent.
+ */
+export declare class SafetyManager {
+    sandbox: SandboxManager | null;
+    humanInLoop: HumanInLoopManager | null;
+    constructor(sandboxConfig: SandboxConfig | false, hilConfig: HumanInLoopConfig | false, policyEngineConfig?: PolicyEngineConfig | false);
+    /**
+     * Validate a tool call against all safety rules.
+     */
+    validateAndApprove(toolCall: ToolCall, context: string, options?: {
+        skipHumanApproval?: boolean;
+    }): Promise<{
+        allowed: boolean;
+        reason?: string;
+    }>;
+    /**
+     * Execute a tool call with safety wrapping.
+     */
+    executeWithSafety<T>(fn: () => Promise<T>, toolCall: ToolCall, context: string): Promise<T>;
+}
+/**
+ * Approval scope for subagent pre-approval.
+ * Allows specifying which tools and paths are pre-approved,
+ * reducing interruptions during multi-agent workflows.
+ */
+export interface ApprovalScope {
+    /** Tools that are always auto-approved (e.g., read_file, glob, grep) */
+    autoApprove?: string[];
+    /** Tools approved within specific path scopes */
+    scopedApprove?: Record<string, {
+        paths: string[];
+    }>;
+    /** Tools that always require approval regardless of scope */
+    requireApproval?: string[];
+}
+/**
+ * Risk levels for safety assessment.
+ * Matches the risk property in ApprovalRequest from types.ts.
+ */
+type RiskLevel = 'low' | 'moderate' | 'high' | 'critical';
+/**
+ * Result of an approval request.
+ * Extends ApprovalResponse with additional tracking info.
+ */
+interface ApprovalResult {
+    approved: boolean;
+    reason?: string;
+    modifiedArgs?: Record<string, unknown>;
+    /** Who approved the action (for audit trail) */
+    approver?: string;
+}
+interface AuditEntry {
+    timestamp: Date;
+    action: string;
+    args: unknown;
+    approved: boolean;
+    approver: string;
+    risk: RiskLevel;
+}
+interface AuditSummary {
+    total: number;
+    approved: number;
+    denied: number;
+    byRisk: {
+        low: number;
+        medium: number;
+        high: number;
+    };
+}
+export declare function createSafetyManager(sandboxConfig: SandboxConfig | false, hilConfig: HumanInLoopConfig | false, policyEngineConfig?: PolicyEngineConfig | false): SafetyManager;
+export {};
+//# sourceMappingURL=safety.d.ts.map

package/dist/src/integrations/safety/safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../../../../src/integrations/safety/safety.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,aAAa,EACb,kBAAkB,EAClB,iBAAiB,EACjB,QAAQ,EAGT,MAAM,gBAAgB,CAAC;AAaxB;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,kBAAkB,CAAC,CAAqB;gBAEpC,MAAM,EAAE,aAAa,EAAE,kBAAkB,CAAC,EAAE,kBAAkB,GAAG,KAAK;IAKlF;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAkCxE;;;;OAIG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAyDpC;;OAEG;IACH,iBAAiB,IAAI,WAAW,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;IASjE;;OAEG;IACG,iBAAiB,CAAC,CAAC,EACvB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,CAAC,CAAC;IAqBb;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;CA6B1E;AAMD;;GAEG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,QAAQ,CAAoB;IACpC,OAAO,CAAC,gBAAgB,CAA2C;IACnE,OAAO,CAAC,aAAa,CAA8B;IAGnD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAQ;gBAE1B,MAAM,EAAE,iBAAiB;IAIrC;;;OAGG;IACH,gBAAgB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI5C;;OAEG;IACH,OAAO,CAAC,aAAa;IAsCrB;;OAEG;IACH,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,SAAS;IAgDzC;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO;IAgB1C;;OAEG;IACG,eAAe,CACnB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,cAAc,CAAC;IAyC1B;;OAEG;YACW,eAAe;IAkB7B;;OAEG;YACW,kBAAkB;IAqBhC;;;OAGG;IACH,OAAO,CAAC,SAAS;IAyBjB;;OAEG;IACH,WAAW,IAAI,UAAU,EAAE;IAI3B;;OAEG;IACH,eAAe,IAAI,YAAY;IAa/B;;OAEG;IACH,aAAa,IAAI,IAAI;CAGtB;AAMD;;GAEG;AACH,qBAAa,aAAa;IACjB,OAAO,EAAE,cAAc,GAAG,IAAI,CAAQ;IACtC,WAAW,EAAE,kBAAkB,GAAG,IAAI,CAAQ;gBAGnD,aAAa,EAAE,aAAa,GAAG,KAAK,EACpC,SAAS,EAAE,iBAAiB,GAAG,KAAK,EACpC,kBAAkB,CAAC,EAAE,kBAAkB,GAAG,KAAK;IAWjD;;OAEG;IACG,kBAAkB,CACtB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,iBAAiB,CAAC,EAAE,OAAO,CAAA;KAAE,GACxC,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAsBjD;;OAEG;IACG,iBAAiB,CAAC,CAAC,EACvB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,CAAC,CAAC;CAcd;AAMD;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,iDAAiD;IACjD,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACpD,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;;GAGG;AACH,KAAK,SAAS,GAAG,KAAK,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,CAAC;AAE1D;;;GAGG;AACH,UAAU,cAAc;IACtB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAWD,UAAU,UAAU;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,SAAS,CAAC;CACjB;AAED,UAAU,YAAY;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAMD,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,aAAa,GAAG,KAAK,EACpC,SAAS,EAAE,iBAAiB,GAAG,KAAK,EACpC,kBAAkB,CAAC,EAAE,kBAAkB,GAAG,KAAK,GAC9C,aAAa,CAEf"}

package/dist/src/integrations/safety/safety.js

@@ -0,0 +1,470 @@
+/**
+ * Lesson 23: Safety Integration
+ *
+ * Integrates sandboxing (Lesson 20) and human-in-the-loop (Lesson 21)
+ * into the production agent. Provides execution safety and approval workflows.
+ */
+import { resolve, isAbsolute, dirname } from 'node:path';
+import { realpathSync, existsSync, lstatSync } from 'node:fs';
+import { evaluateBashCommandByProfile, isToolAllowedByProfile, resolvePolicyProfile, } from './policy-engine.js';
+import { stripCdPrefix } from './bash-policy.js';
+import { logger } from '../utilities/logger.js';
+// =============================================================================
+// SANDBOX MANAGER
+// =============================================================================
+/**
+ * Manages sandboxed execution of tools.
+ */
+export class SandboxManager {
+    config;
+    policyEngineConfig;
+    constructor(config, policyEngineConfig) {
+        this.config = config;
+        this.policyEngineConfig = policyEngineConfig || undefined;
+    }
+    /**
+     * Check if a command is allowed.
+     */
+    isCommandAllowed(command) {
+        const { profile } = resolvePolicyProfile({
+            policyEngine: this.policyEngineConfig,
+            sandboxConfig: this.config,
+        });
+        const policyDecision = evaluateBashCommandByProfile(command, profile);
+        if (!policyDecision.allowed) {
+            return { allowed: false, reason: policyDecision.reason };
+        }
+        // Check blocked patterns first
+        for (const blocked of this.config.blockedCommands || []) {
+            if (command.includes(blocked)) {
+                return { allowed: false, reason: `Blocked pattern: ${blocked}` };
+            }
+        }
+        // Check allowed commands
+        const allowedCommands = this.config.allowedCommands || [];
+        const effective = stripCdPrefix(command);
+        const commandBase = effective.split(' ')[0];
+        if (allowedCommands.length > 0 && !allowedCommands.includes(commandBase)) {
+            const suggestions = allowedCommands.slice(0, 10).join(', ');
+            return {
+                allowed: false,
+                reason: `Command '${commandBase}' is not in the sandbox allowlist. Use built-in tools (read_file, write_file, edit_file, glob, grep) instead, or use bash with an allowed command: ${suggestions}...`,
+            };
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check if a path is allowed.
+     * Resolves relative paths against cwd before comparison.
+     * Uses realpath to resolve symlinks and prevent symlink escape attacks.
+     */
+    isPathAllowed(path) {
+        const allowedPaths = this.config.allowedPaths || ['.'];
+        // Resolve the path, handling symlinks for security
+        let resolvedPath;
+        try {
+            const absolutePath = isAbsolute(path) ? path : resolve(process.cwd(), path);
+            // If path exists, use realpath to resolve symlinks
+            if (existsSync(absolutePath)) {
+                resolvedPath = realpathSync(absolutePath);
+            }
+            else {
+                // Special case: broken symlink exists as a link entry but target is missing.
+                // Deny to fail closed and avoid symlink-escape bypasses.
+                try {
+                    const stat = lstatSync(absolutePath);
+                    if (stat.isSymbolicLink()) {
+                        return false;
+                    }
+                }
+                catch {
+                    // No direct entry - continue with parent-directory check.
+                }
+                // Path doesn't exist yet - recursively check that parent is allowed
+                const parentDir = dirname(absolutePath);
+                if (parentDir === absolutePath) {
+                    return false; // Root reached without match
+                }
+                return this.isPathAllowed(parentDir);
+            }
+        }
+        catch {
+            // realpath failed (broken symlink, permission denied, etc.)
+            // Fail closed - deny access
+            return false;
+        }
+        for (const allowed of allowedPaths) {
+            let resolvedAllowed;
+            try {
+                const absoluteAllowed = isAbsolute(allowed) ? allowed : resolve(process.cwd(), allowed);
+                // Use realpath if allowed path exists, otherwise just the absolute path
+                resolvedAllowed = existsSync(absoluteAllowed)
+                    ? realpathSync(absoluteAllowed)
+                    : absoluteAllowed;
+            }
+            catch {
+                continue; // Skip invalid allowed paths
+            }
+            // Check if resolved target is within resolved allowed path
+            if (resolvedPath === resolvedAllowed || resolvedPath.startsWith(resolvedAllowed + '/')) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Get resource limits.
+     */
+    getResourceLimits() {
+        return this.config.resourceLimits || {
+            maxCpuSeconds: 30,
+            maxMemoryMB: 512,
+            maxOutputBytes: 1024 * 1024,
+            timeout: 60000,
+        };
+    }
+    /**
+     * Wrap execution with resource limits.
+     */
+    async executeWithLimits(fn, timeout) {
+        const limits = this.getResourceLimits();
+        const timeoutMs = timeout || limits.timeout;
+        return new Promise((resolve, reject) => {
+            const timer = setTimeout(() => {
+                reject(new Error(`Execution timeout: ${timeoutMs}ms`));
+            }, timeoutMs);
+            fn()
+                .then((result) => {
+                clearTimeout(timer);
+                resolve(result);
+            })
+                .catch((err) => {
+                clearTimeout(timer);
+                reject(err);
+            });
+        });
+    }
+    /**
+     * Validate tool call against sandbox rules.
+     */
+    validateToolCall(toolCall) {
+        const args = toolCall.arguments;
+        const { profile } = resolvePolicyProfile({
+            policyEngine: this.policyEngineConfig,
+            sandboxConfig: this.config,
+        });
+        const toolDecision = isToolAllowedByProfile(toolCall.name, profile);
+        if (!toolDecision.allowed) {
+            return { valid: false, reason: toolDecision.reason };
+        }
+        // Check for command execution tools
+        if (toolCall.name === 'bash' || toolCall.name === 'shell' || toolCall.name === 'execute') {
+            const command = String(args.command || args.cmd || '');
+            const result = this.isCommandAllowed(command);
+            return { valid: result.allowed, reason: result.reason };
+        }
+        // Check for file operation tools
+        if (toolCall.name === 'read_file' || toolCall.name === 'write_file' || toolCall.name === 'edit_file') {
+            const path = String(args.path || args.file || args.file_path || '');
+            if (!this.isPathAllowed(path)) {
+                return { valid: false, reason: `Path not allowed: ${path}` };
+            }
+        }
+        return { valid: true };
+    }
+}
+// =============================================================================
+// HUMAN-IN-LOOP MANAGER
+// =============================================================================
+/**
+ * Manages human approval workflows.
+ */
+export class HumanInLoopManager {
+    config;
+    auditLog = [];
+    pendingApprovals = new Map();
+    approvalScope = null;
+    // Audit log limits to prevent unbounded memory growth
+    maxAuditEntries = 10000;
+    auditTrimSize = 5000; // Keep this many when trimming
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Set an approval scope for pre-approved operations.
+     * Used by subagents to reduce approval interruptions.
+     */
+    setApprovalScope(scope) {
+        this.approvalScope = scope;
+    }
+    /**
+     * Check if a tool call is pre-approved by the current scope.
+     */
+    isPreApproved(toolCall) {
+        if (!this.approvalScope)
+            return false;
+        const toolName = toolCall.name.toLowerCase();
+        // Check require-approval list first (highest priority) — exact match only
+        if (this.approvalScope.requireApproval?.some(t => toolName === t.toLowerCase())) {
+            return false;
+        }
+        // Check auto-approve list — exact match only
+        if (this.approvalScope.autoApprove?.some(t => toolName === t.toLowerCase())) {
+            return true;
+        }
+        // Check scoped approval (tool + path match)
+        if (this.approvalScope.scopedApprove?.[toolCall.name]) {
+            const scope = this.approvalScope.scopedApprove[toolCall.name];
+            const args = toolCall.arguments;
+            const filePath = String(args.path || args.file_path || '');
+            if (filePath && scope.paths.some(p => {
+                // Directory-aware path matching
+                const dir = p.endsWith('/**') ? p.slice(0, -3) : p;
+                // Ensure directory boundary: "src/" matches "src/foo.ts" but not "src-backup/foo.ts"
+                // If dir already ends with '/', use as-is; otherwise check exact match or '/' boundary
+                if (dir.endsWith('/')) {
+                    return filePath.startsWith(dir);
+                }
+                return filePath === dir || filePath.startsWith(dir + '/');
+            })) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Determine risk level of an action.
+     */
+    assessRisk(toolCall) {
+        const toolName = toolCall.name.toLowerCase();
+        const args = toolCall.arguments;
+        // Check always-approve list (high risk)
+        for (const pattern of this.config.alwaysApprove || []) {
+            if (toolName.includes(pattern.toLowerCase())) {
+                return 'high';
+            }
+        }
+        // Check never-approve list (low risk, auto-approve)
+        for (const pattern of this.config.neverApprove || []) {
+            if (toolName.includes(pattern.toLowerCase())) {
+                return 'low';
+            }
+        }
+        // Internal bookkeeping tools are always low risk regardless of name patterns
+        const internalTools = ['task_create', 'task_update', 'task_get', 'task_list'];
+        if (internalTools.includes(toolName)) {
+            return 'low';
+        }
+        // Heuristic risk assessment
+        const highRiskPatterns = ['delete', 'remove', 'drop', 'truncate', 'wipe', 'destroy'];
+        for (const pattern of highRiskPatterns) {
+            if (toolName.includes(pattern)) {
+                return 'high';
+            }
+        }
+        const moderateRiskPatterns = ['write', 'modify', 'update'];
+        for (const pattern of moderateRiskPatterns) {
+            if (toolName.includes(pattern)) {
+                return 'moderate';
+            }
+        }
+        // Check for destructive arguments
+        const argsStr = JSON.stringify(args).toLowerCase();
+        if (argsStr.includes('--force') || argsStr.includes('-rf') || argsStr.includes('--hard')) {
+            return 'moderate';
+        }
+        return 'low';
+    }
+    /**
+     * Check if action needs approval.
+     */
+    needsApproval(toolCall) {
+        // Check pre-approval scope first (for subagent batched approvals)
+        if (this.isPreApproved(toolCall)) {
+            return false;
+        }
+        const risk = this.assessRisk(toolCall);
+        const threshold = this.config.riskThreshold || 'high';
+        const riskLevels = ['low', 'moderate', 'high'];
+        const riskIndex = riskLevels.indexOf(risk);
+        const thresholdIndex = riskLevels.indexOf(threshold);
+        return riskIndex >= thresholdIndex;
+    }
+    /**
+     * Request approval for an action.
+     */
+    async requestApproval(toolCall, context) {
+        const risk = this.assessRisk(toolCall);
+        // Auto-approve low risk if below threshold
+        if (!this.needsApproval(toolCall)) {
+            this.logAction(toolCall, true, 'auto', risk);
+            return { approved: true, approver: 'auto' };
+        }
+        // Use custom handler if provided
+        if (this.config.approvalHandler) {
+            const approvalRequest = {
+                id: `approval-${Date.now()}`,
+                action: toolCall.name,
+                tool: toolCall.name,
+                args: toolCall.arguments,
+                risk,
+                context,
+            };
+            const response = await this.executeWithTimeout(() => this.config.approvalHandler(approvalRequest), this.config.approvalTimeout || 300000);
+            // Convert ApprovalResponse to ApprovalResult
+            const result = {
+                approved: response.approved,
+                reason: response.reason,
+                modifiedArgs: response.modifiedArgs,
+                approver: 'handler',
+            };
+            this.logAction(toolCall, result.approved, result.approver || 'handler', risk);
+            return result;
+        }
+        // Default: console-based approval
+        return this.consoleApproval(toolCall, context, risk);
+    }
+    /**
+     * Console-based approval (for demos).
+     */
+    async consoleApproval(toolCall, context, risk) {
+        logger.info('Approval required', {
+            tool: toolCall.name,
+            risk: risk.toUpperCase(),
+            arguments: JSON.stringify(toolCall.arguments).slice(0, 47),
+            context: context.slice(0, 47),
+        });
+        // In non-interactive mode, auto-approve for demo
+        logger.debug('Demo mode: Auto-approving');
+        this.logAction(toolCall, true, 'demo', risk);
+        return { approved: true, approver: 'demo' };
+    }
+    /**
+     * Execute with timeout.
+     */
+    async executeWithTimeout(fn, timeout) {
+        return new Promise((resolve, reject) => {
+            const timer = setTimeout(() => {
+                reject(new Error('Approval timeout'));
+            }, timeout);
+            fn()
+                .then((result) => {
+                clearTimeout(timer);
+                resolve(result);
+            })
+                .catch((err) => {
+                clearTimeout(timer);
+                reject(err);
+            });
+        });
+    }
+    /**
+     * Log an action to audit trail.
+     * Trims the log when it exceeds maxAuditEntries to prevent unbounded growth.
+     */
+    logAction(toolCall, approved, approver, risk) {
+        if (!this.config.auditLog)
+            return;
+        const entry = {
+            timestamp: new Date(),
+            action: toolCall.name,
+            args: toolCall.arguments,
+            approved,
+            approver,
+            risk,
+        };
+        this.auditLog.push(entry);
+        // Trim if exceeded max size - keep most recent entries
+        if (this.auditLog.length > this.maxAuditEntries) {
+            this.auditLog = this.auditLog.slice(-this.auditTrimSize);
+        }
+    }
+    /**
+     * Get audit log.
+     */
+    getAuditLog() {
+        return [...this.auditLog];
+    }
+    /**
+     * Get audit summary.
+     */
+    getAuditSummary() {
+        const total = this.auditLog.length;
+        const approved = this.auditLog.filter((e) => e.approved).length;
+        const denied = total - approved;
+        const byRisk = {
+            low: this.auditLog.filter((e) => e.risk === 'low').length,
+            medium: this.auditLog.filter((e) => e.risk === 'moderate').length,
+            high: this.auditLog.filter((e) => e.risk === 'high').length,
+        };
+        return { total, approved, denied, byRisk };
+    }
+    /**
+     * Clear audit log.
+     */
+    clearAuditLog() {
+        this.auditLog = [];
+    }
+}
+// =============================================================================
+// COMBINED SAFETY MANAGER
+// =============================================================================
+/**
+ * Combined safety manager for the production agent.
+ */
+export class SafetyManager {
+    sandbox = null;
+    humanInLoop = null;
+    constructor(sandboxConfig, hilConfig, policyEngineConfig) {
+        if (sandboxConfig && sandboxConfig.enabled !== false) {
+            this.sandbox = new SandboxManager(sandboxConfig, policyEngineConfig);
+        }
+        if (hilConfig && hilConfig.enabled !== false) {
+            this.humanInLoop = new HumanInLoopManager(hilConfig);
+        }
+    }
+    /**
+     * Validate a tool call against all safety rules.
+     */
+    async validateAndApprove(toolCall, context, options) {
+        // Sandbox validation
+        if (this.sandbox) {
+            const validation = this.sandbox.validateToolCall(toolCall);
+            if (!validation.valid) {
+                return { allowed: false, reason: validation.reason };
+            }
+        }
+        // Human-in-loop approval
+        if (this.humanInLoop) {
+            if (!options?.skipHumanApproval && this.humanInLoop.needsApproval(toolCall)) {
+                const result = await this.humanInLoop.requestApproval(toolCall, context);
+                if (!result.approved) {
+                    return { allowed: false, reason: `Denied by ${result.approver}` };
+                }
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Execute a tool call with safety wrapping.
+     */
+    async executeWithSafety(fn, toolCall, context) {
+        // Validate first
+        const validation = await this.validateAndApprove(toolCall, context);
+        if (!validation.allowed) {
+            throw new Error(`Tool call blocked: ${validation.reason}`);
+        }
+        // Execute with sandbox limits if enabled
+        if (this.sandbox) {
+            return this.sandbox.executeWithLimits(fn);
+        }
+        return fn();
+    }
+}
+// =============================================================================
+// FACTORY
+// =============================================================================
+export function createSafetyManager(sandboxConfig, hilConfig, policyEngineConfig) {
+    return new SafetyManager(sandboxConfig, hilConfig, policyEngineConfig);
+}
+//# sourceMappingURL=safety.js.map