avorelo 0.1.0

package/scripts/lib/agent-security/permission-minimizer.js

@@ -0,0 +1,403 @@
+"use strict";
+
+const { isSafeTestCommand } = require("./action-evaluator");
+const { classifyFilesystemWriteTarget } = require("./file-write-rules");
+const { classifyPackageAction } = require("./package-action-rules");
+const { classifyMcpAction } = require("./mcp-action-rules");
+
+function normalizePath(value) {
+  return String(value || "").replace(/\\/g, "/");
+}
+
+function isSafeLimitedShellCommand(command) {
+  const normalized = String(command || "").trim().toLowerCase();
+  if (!normalized) return false;
+  if (/[|;&><]/.test(normalized)) return false;
+  if (isSafeTestCommand(normalized)) return true;
+  return /^(npm run lint\b|pnpm run lint\b|yarn lint\b|node (?:scripts|tools|tests)[\\/][a-z0-9._/-]+)\s*$/i.test(normalized);
+}
+
+function buildPermissionLimitPlan(input, options = {}) {
+  const evaluation = input?.evaluation || {};
+  const action = input?.action || {};
+  const componentCard = options.componentCard || null;
+  const target = normalizePath(action?.target || evaluation?.target || "");
+  const command = String(action?.command || evaluation?.command || "");
+
+  const plan = {
+    recommendedMode: "limited",
+    wouldAllow: [],
+    wouldLimit: [],
+    wouldDeny: [],
+    ttlRecommendation: "once",
+    scope: {
+      componentId: evaluation.componentId || componentCard?.id || null,
+      actionType: evaluation.actionType || action?.actionType || null,
+      target: target || null,
+      command: command || null,
+    },
+    reason: "Wuz will allow only the minimum needed for this task.",
+  };
+
+  if (/\b(curl|wget)\b[^\n]*\|\s*(bash|sh|pwsh|powershell)\b|\b(invoke-webrequest|invoke-restmethod|downloadstring)\b/i.test(command)) {
+    plan.recommendedMode = "deny";
+    plan.wouldDeny.push("remote script execution");
+    plan.ttlRecommendation = "none";
+    plan.reason = "Remote script execution should be denied.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType).startsWith("mcp.")) {
+    const mcpProfile = classifyMcpAction({
+      ...action,
+      actionType: evaluation.actionType || action?.actionType || "mcp.unknown",
+      target,
+      mcpServer: action?.mcpServer || evaluation?.mcpServer || null,
+      toolName: action?.toolName || evaluation?.toolName || null,
+      args: action?.args,
+      resource: action?.resource,
+    });
+
+    plan.scope.mcpServer = mcpProfile.mcpServer;
+    plan.scope.toolName = mcpProfile.toolName;
+    plan.scope.repo = mcpProfile.repoScope || "current";
+    plan.scope.branchPrefix = mcpProfile.safeBranchPrefix ? "wuz/" : null;
+    plan.scope.allowedTargets = [mcpProfile.target || "requested-mcp-action"];
+
+    if (mcpProfile.deleteLike || mcpProfile.adminLike) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("delete actions");
+      plan.wouldDeny.push("admin actions");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Destructive external actions should be denied.";
+      return plan;
+    }
+
+    if (mcpProfile.secretLike) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("secrets modification");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Secrets modification should be denied.";
+      return plan;
+    }
+
+    if (mcpProfile.workflowLike) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("workflow modification");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Workflow changes should not be auto-limited through MCP.";
+      return plan;
+    }
+
+    if (mcpProfile.deployLike || mcpProfile.pushMainLike) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("push to main or publish/deploy actions");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Push-to-main, deploy, or publish actions should be denied by default.";
+      return plan;
+    }
+
+    if (mcpProfile.createPullRequest) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push("create pull request");
+      plan.wouldLimit.push("current repo only");
+      plan.wouldLimit.push("safe branch scope only");
+      plan.wouldDeny.push("delete actions");
+      plan.wouldDeny.push("push to main");
+      plan.wouldDeny.push("workflow or secrets modification");
+      plan.wouldDeny.push("workflow modification");
+      plan.wouldDeny.push("secrets modification");
+      plan.wouldDeny.push("admin actions");
+      plan.ttlRecommendation = "30 minutes";
+      plan.reason = "Wuz limited this MCP action to the current task.";
+      return plan;
+    }
+
+    if (mcpProfile.createIssue) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push("create or update issue");
+      plan.wouldLimit.push("current repo only");
+      plan.wouldDeny.push("delete actions");
+      plan.wouldDeny.push("workflow or secrets modification");
+      plan.wouldDeny.push("workflow modification");
+      plan.wouldDeny.push("secrets modification");
+      plan.wouldDeny.push("admin actions");
+      plan.ttlRecommendation = "30 minutes";
+      plan.reason = "Wuz limited this MCP action to the current task.";
+      return plan;
+    }
+
+    if (mcpProfile.readOnly) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push("read requested metadata");
+      plan.wouldLimit.push("current repo only");
+      plan.wouldDeny.push("external mutation");
+      plan.ttlRecommendation = "30 minutes";
+      plan.reason = "The action can stay within a small read-only MCP scope.";
+      return plan;
+    }
+
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("run the exact requested MCP action if explicitly approved");
+    plan.wouldLimit.push("current repo only");
+    plan.wouldDeny.push("delete actions");
+    plan.wouldDeny.push("workflow modification");
+    plan.wouldDeny.push("secrets modification");
+    plan.ttlRecommendation = "once";
+    plan.reason = "Unknown external mutation should be reviewed before it is allowed.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType) === "workflow.modify" || /(?:^|[\\/])\.github[\\/]workflows[\\/].+/i.test(target)) {
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("modify only the requested workflow file if explicitly approved");
+    plan.wouldLimit.push("no broad .github write");
+    plan.wouldDeny.push("secrets changes");
+    plan.ttlRecommendation = "this session";
+    plan.scope.allowedPaths = [target || ".github/workflows/*"];
+    plan.reason = "Workflow changes should stay tightly scoped and session-bound.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType) === "filesystem.write") {
+    const writeProfile = classifyFilesystemWriteTarget(action?.context?.cwd || process.cwd(), target);
+
+    if (!writeProfile.insideProject || writeProfile.pathTraversal) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("path traversal or outside project root");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Path outside project root is not allowed.";
+      return plan;
+    }
+
+    if (writeProfile.broadWrite) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("broad or wildcard file writes");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Broad project-wide writes are not allowed.";
+      return plan;
+    }
+
+    if (writeProfile.sensitive) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("sensitive file access");
+      plan.ttlRecommendation = "none";
+      plan.reason = "Sensitive environment or credential files should not be modified through a limited plan.";
+      return plan;
+    }
+
+    if (writeProfile.workflow) {
+      plan.recommendedMode = "approval-required";
+      plan.wouldAllow.push("modify only the requested workflow file if explicitly approved");
+      plan.wouldLimit.push("no broad .github write");
+      plan.wouldDeny.push("workflow secrets changes");
+      plan.ttlRecommendation = "this session";
+      plan.scope.allowedPaths = [writeProfile.normalizedTarget || ".github/workflows/*"];
+      plan.reason = "Workflow files can execute code in CI and should require explicit approval.";
+      return plan;
+    }
+
+    if (writeProfile.packageFile || writeProfile.dockerFile || writeProfile.configFile || writeProfile.scriptFile) {
+      plan.recommendedMode = "approval-required";
+      plan.wouldAllow.push("write only the requested project file if explicitly approved");
+      plan.wouldLimit.push("no broad config or script changes");
+      plan.wouldDeny.push("sensitive file access");
+      plan.ttlRecommendation = "once";
+      plan.scope.allowedPaths = [writeProfile.normalizedTarget || "requested-path"];
+      plan.reason = "Config, package, Docker, and script writes need explicit review.";
+      return plan;
+    }
+
+    if (writeProfile.safeLimited) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push("write the exact requested file once");
+      plan.wouldLimit.push("current project only");
+      plan.wouldDeny.push("sensitive file access");
+      plan.wouldDeny.push("workflow modification");
+      plan.wouldDeny.push("path traversal");
+      plan.wouldDeny.push("outside project root");
+      plan.ttlRecommendation = writeProfile.testFile ? "this session" : "30 minutes";
+      plan.scope.allowedPaths = [writeProfile.normalizedTarget];
+      plan.reason = writeProfile.testFile
+        ? "Wuz limited this action to the current task."
+        : "Wuz limited this action to the current task.";
+      return plan;
+    }
+
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("write only the requested project path if explicitly approved");
+    plan.wouldDeny.push("sensitive file access");
+    plan.wouldDeny.push("workflow modification");
+    plan.ttlRecommendation = "once";
+    plan.scope.allowedPaths = [writeProfile.normalizedTarget || "requested-path"];
+    plan.reason = "This file write should be reviewed before it is allowed.";
+    return plan;
+  }
+
+  if (
+    (evaluation.actionType || action?.actionType) === "package.install" ||
+    (evaluation.actionType || action?.actionType) === "package.run" ||
+    (evaluation.actionType || action?.actionType) === "package.script"
+  ) {
+    const packageProfile = classifyPackageAction({
+      ...action,
+      actionType: evaluation.actionType || action?.actionType || null,
+      command,
+      target,
+    });
+
+    plan.scope.packageManager = packageProfile.packageManager;
+    plan.scope.scriptName = packageProfile.scriptName !== "unknown" ? packageProfile.scriptName : null;
+    plan.scope.packageName = packageProfile.packageName || null;
+
+    if (
+      packageProfile.remoteScript ||
+      packageProfile.destructiveChain ||
+      packageProfile.globalInstall ||
+      packageProfile.unsafeFlags ||
+      packageProfile.installFromUrlOrPath ||
+      packageProfile.sensitiveTarget ||
+      packageProfile.workflowTarget
+    ) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push(packageProfile.reasons[0] || "unsafe package action");
+      plan.ttlRecommendation = "none";
+      plan.scope.allowedCommands = [];
+      plan.reason = packageProfile.reasons[0] || "No safe limited version found. Recommended: deny.";
+      return plan;
+    }
+
+    if (packageProfile.lifecycleRisk) {
+      plan.recommendedMode = "deny";
+      plan.wouldDeny.push("lifecycle script execution");
+      plan.ttlRecommendation = "none";
+      plan.scope.allowedCommands = [];
+      plan.reason = "Lifecycle scripts like preinstall, postinstall, or prepare require explicit approval.";
+      return plan;
+    }
+
+    if (packageProfile.safeTestOrLint) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push(
+        packageProfile.scriptName === "lint"
+          ? "run the exact lint command once"
+          : "run the exact test command once",
+      );
+      plan.wouldLimit.push("current project only");
+      plan.wouldDeny.push("remote script execution");
+      plan.wouldDeny.push("global install");
+      plan.wouldDeny.push("lifecycle script execution");
+      plan.wouldDeny.push("sensitive file access");
+      plan.ttlRecommendation = packageProfile.scriptName === "test" ? "this session" : "30 minutes";
+      plan.scope.allowedCommands = [command];
+      plan.reason = "Wuz limited this action to the current task.";
+      return plan;
+    }
+
+    if (packageProfile.specificPackageInstall && packageProfile.ignoreScripts) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push("install the exact requested package once");
+      plan.wouldLimit.push("current project only");
+      plan.wouldDeny.push("remote script execution");
+      plan.wouldDeny.push("global install");
+      plan.wouldDeny.push("lifecycle script execution");
+      plan.wouldDeny.push("sensitive file access");
+      plan.ttlRecommendation = "30 minutes";
+      plan.scope.allowedCommands = [command];
+      plan.reason = "Wuz limited this package install to the current project and exact requested dependency.";
+      return plan;
+    }
+
+    if (packageProfile.specificPackageInstall) {
+      plan.recommendedMode = "approval-required";
+      plan.wouldAllow.push("install the exact requested package if explicitly approved");
+      plan.wouldLimit.push("current project only");
+      plan.wouldDeny.push("global install");
+      plan.wouldDeny.push("lifecycle script execution");
+      plan.ttlRecommendation = "once";
+      plan.scope.allowedCommands = [command];
+      plan.reason = "Specific dependency installs should be reviewed before they are allowed.";
+      return plan;
+    }
+
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("run the exact requested package command if explicitly approved");
+    plan.wouldLimit.push("current project only");
+    plan.wouldDeny.push("remote script execution");
+    plan.wouldDeny.push("global install");
+    plan.wouldDeny.push("lifecycle script execution");
+    plan.ttlRecommendation = "once";
+    plan.scope.allowedCommands = [command];
+    plan.reason = "This package action should be reviewed before it is allowed.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType) === "shell.run") {
+    if (isSafeLimitedShellCommand(command)) {
+      plan.recommendedMode = "limited";
+      plan.wouldAllow.push(command.startsWith("npm run lint") || command.startsWith("pnpm run lint") || command.startsWith("yarn lint")
+        ? "run the requested lint command once"
+        : "run the requested command once");
+      plan.wouldLimit.push("current project only");
+      plan.wouldLimit.push("no network assumption");
+      plan.wouldDeny.push("remote script execution");
+      plan.wouldDeny.push("workflow modification");
+      plan.wouldDeny.push("sensitive file access");
+      plan.ttlRecommendation = "30 minutes";
+      plan.scope.allowedCommands = [command];
+      plan.scope.allowedPaths = ["current-project"];
+      plan.reason = "Wuz will limit this command to the current project and current task.";
+      return plan;
+    }
+    plan.recommendedMode = "deny";
+    plan.wouldDeny.push("no safe limited version for this shell command");
+    plan.ttlRecommendation = "none";
+    plan.scope.allowedCommands = [];
+    plan.reason = "No safe limited version found. Recommended: deny.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType) === "network.call") {
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("call only the requested remote target");
+    plan.wouldLimit.push("no credential export");
+    plan.wouldLimit.push("no follow-up write actions");
+    plan.ttlRecommendation = "once";
+    plan.scope.allowedTargets = [target || "requested-network-target"];
+    plan.reason = "Remote network access should be reviewed and narrowed to the requested target.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType) === "package.install") {
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("run the requested package install once if approved");
+    plan.wouldLimit.push("no remote script execution");
+    plan.wouldDeny.push("postinstall or preinstall expansion");
+    plan.ttlRecommendation = "once";
+    plan.scope.allowedCommands = [command || "requested-package-install"];
+    plan.reason = "Package install actions can execute code and should stay bounded.";
+    return plan;
+  }
+
+  if ((evaluation.actionType || action?.actionType) === "filesystem.read" && Array.isArray(evaluation.sensitiveTargets) && evaluation.sensitiveTargets.length > 0) {
+    plan.recommendedMode = "approval-required";
+    plan.wouldAllow.push("inspect only the requested sensitive target");
+    plan.wouldDeny.push("secret value reads");
+    plan.wouldDeny.push("credential export or copying");
+    plan.ttlRecommendation = "once";
+    plan.scope.allowedPaths = evaluation.sensitiveTargets.slice(0, 3);
+    plan.reason = "Sensitive reads should be explicit, narrow, and temporary.";
+    return plan;
+  }
+
+  plan.wouldAllow.push("read local project state");
+  plan.wouldLimit.push("no write or destructive actions");
+  plan.ttlRecommendation = "once";
+  plan.reason = "The action can stay within a small read-oriented scope.";
+  return plan;
+}
+
+module.exports = {
+  buildPermissionLimitPlan,
+  isSafeLimitedShellCommand,
+};

package/scripts/lib/agent-security/scan-cache.js

@@ -0,0 +1,74 @@
+"use strict";
+
+const crypto = require("crypto");
+const { safeReadJson, safeWriteJson, nowIso } = require("../fsx");
+
+const SCAN_CACHE_REL_PATH = ".claude/cco/security/scan-cache.json";
+const SCAN_CACHE_VERSION = 1;
+
+function sha256(value) {
+  return crypto.createHash("sha256").update(String(value || "")).digest("hex");
+}
+
+function stableStringify(value) {
+  if (Array.isArray(value)) return `[${value.map((item) => stableStringify(item)).join(",")}]`;
+  if (value && typeof value === "object") {
+    return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function loadScanCache(cwd) {
+  const doc = safeReadJson(cwd, SCAN_CACHE_REL_PATH, null);
+  if (!doc || typeof doc !== "object" || !Array.isArray(doc.records)) {
+    return {
+      cacheVersion: SCAN_CACHE_VERSION,
+      scannerVersion: "unknown",
+      records: [],
+    };
+  }
+  return doc;
+}
+
+function cacheLookup(cwd, payload) {
+  const cache = loadScanCache(cwd);
+  const record = cache.records.find((item) =>
+    item &&
+    item.cacheKey === payload.cacheKey &&
+    item.path === payload.path &&
+    item.mtimeMs === payload.mtimeMs &&
+    item.size === payload.size &&
+    item.contentHash === payload.contentHash &&
+    item.scannerVersion === payload.scannerVersion
+  );
+  return record || null;
+}
+
+function writeScanCache(cwd, scannerVersion, records) {
+  safeWriteJson(cwd, SCAN_CACHE_REL_PATH, {
+    cacheVersion: SCAN_CACHE_VERSION,
+    scannerVersion,
+    updatedAt: nowIso(),
+    records: records.slice(-500),
+  });
+}
+
+function updateScanCache(cwd, scannerVersion, nextRecord) {
+  const current = loadScanCache(cwd);
+  const records = (Array.isArray(current.records) ? current.records : []).filter((item) => item.cacheKey !== nextRecord.cacheKey);
+  records.push(nextRecord);
+  writeScanCache(cwd, scannerVersion, records);
+}
+
+function buildCacheKey(parts) {
+  return sha256(stableStringify(parts)).slice(0, 24);
+}
+
+module.exports = {
+  SCAN_CACHE_REL_PATH,
+  SCAN_CACHE_VERSION,
+  loadScanCache,
+  cacheLookup,
+  updateScanCache,
+  buildCacheKey,
+};

package/scripts/lib/agent-security/source-trust.js

@@ -0,0 +1,146 @@
+"use strict";
+
+const crypto = require("crypto");
+
+const SOURCE_TYPE_TO_TRUST_LEVEL = {
+  trusted_system: "trusted",
+  user_prompt: "user_supplied",
+  local_project_file: "project_local",
+  skill_instruction: "project_local",
+  claude_command: "project_local",
+  cursor_rule: "project_local",
+  mcp_config: "project_local",
+  mcp_response: "tool_returned_untrusted",
+  rag_chunk: "external_untrusted",
+  web_content: "external_untrusted",
+  issue_ticket: "external_untrusted",
+  generated_file: "project_local",
+  unknown_external: "unknown",
+};
+
+function sha256(value) {
+  return crypto.createHash("sha256").update(String(value || "")).digest("hex");
+}
+
+function boundText(value, max = 4000) {
+  const text = String(value || "");
+  return text.length > max ? `${text.slice(0, max)}...` : text;
+}
+
+function redactInlineSecrets(text) {
+  return String(text || "")
+    .replace(/((?:secret|token|password|private[_ -]?key|api[_ -]?key)\s*[:=]\s*)([^\r\n]+)/ig, "$1[redacted]")
+    .replace(/(-----BEGIN [A-Z ]+-----)[\s\S]{0,800}?(-----END [A-Z ]+-----)/g, "$1 [redacted] $2");
+}
+
+function sanitizeStoredContent(text, max = 4000) {
+  return boundText(redactInlineSecrets(text), max);
+}
+
+function normalizeSourceType(sourceType) {
+  const value = String(sourceType || "").trim();
+  return Object.prototype.hasOwnProperty.call(SOURCE_TYPE_TO_TRUST_LEVEL, value) ? value : "unknown_external";
+}
+
+function deriveTrustLevel(sourceType) {
+  return SOURCE_TYPE_TO_TRUST_LEVEL[normalizeSourceType(sourceType)] || "unknown";
+}
+
+function deriveUsedAs(sourceType, intendedUse) {
+  const normalizedSourceType = normalizeSourceType(sourceType);
+  const normalizedIntendedUse = String(intendedUse || "").toLowerCase();
+  if (["mcp_response", "rag_chunk", "web_content", "issue_ticket", "unknown_external"].includes(normalizedSourceType)) {
+    return normalizedIntendedUse === "instruction" ? "data_only" : "evidence_only";
+  }
+  if (normalizedIntendedUse === "instruction") return "instruction";
+  if (normalizedIntendedUse === "evidence") return "evidence_only";
+  if (normalizedIntendedUse === "data") return "data_only";
+  return "unknown";
+}
+
+function deriveAllowedToInfluenceTools(trustLevel, usedAs, instructionRisk, remediations = []) {
+  if (["external_untrusted", "tool_returned_untrusted", "unknown"].includes(trustLevel)) return false;
+  if (usedAs === "data_only" || usedAs === "evidence_only") return false;
+  if (instructionRisk === "high") return false;
+  if (remediations.includes("treat_as_data_only") || remediations.includes("quarantine_source")) return false;
+  return true;
+}
+
+function deriveRecommendation(sourceType, trustLevel, instructionRisk, findings = []) {
+  const normalizedSourceType = normalizeSourceType(sourceType);
+  if (["external_untrusted", "tool_returned_untrusted", "unknown"].includes(trustLevel)) {
+    return instructionRisk === "low" ? "treat_as_data_only" : "quarantine_source";
+  }
+  if (instructionRisk === "high") {
+    return ["skill_instruction", "claude_command", "cursor_rule", "mcp_config"].includes(normalizedSourceType)
+      ? "require_approval"
+      : "quarantine_source";
+  }
+  if (instructionRisk === "medium" || findings.length > 0) return "require_approval";
+  return "trust_source";
+}
+
+function buildSourceId(input = {}) {
+  if (input.sourceId) return String(input.sourceId);
+  const seed = [
+    normalizeSourceType(input.sourceType),
+    input.origin || "",
+    input.path || "",
+    input.contentHash || sha256(input.content || ""),
+  ].join(":");
+  return `source-${sha256(seed).slice(0, 12)}`;
+}
+
+function buildSourceRecord(input = {}) {
+  const sourceType = normalizeSourceType(input.sourceType);
+  const trustLevel = deriveTrustLevel(sourceType);
+  const instructionRisk = input.instructionRisk || "low";
+  const findings = Array.isArray(input.findings) ? input.findings : [];
+  const usedAs = input.usedAs || deriveUsedAs(sourceType, input.intendedUse);
+  const remediationActions = Array.isArray(input.remediationActions) ? input.remediationActions : [];
+  return {
+    sourceId: buildSourceId(input),
+    sourceType,
+    trustLevel,
+    origin: input.origin || null,
+    path: input.path || null,
+    contentHash: input.contentHash || sha256(input.content || ""),
+    contentSample: sanitizeStoredContent(input.content || input.contentSample || ""),
+    instructionRisk,
+    usedAs,
+    allowedToInfluenceTools: deriveAllowedToInfluenceTools(trustLevel, usedAs, instructionRisk, remediationActions),
+    findings,
+    recommendation: input.recommendation || deriveRecommendation(sourceType, trustLevel, instructionRisk, findings),
+    remediationActions,
+    createdAt: input.createdAt || null,
+    updatedAt: input.updatedAt || null,
+  };
+}
+
+function sourceTypeForComponentType(componentType) {
+  switch (String(componentType || "")) {
+    case "skill":
+      return "skill_instruction";
+    case "command":
+      return "claude_command";
+    case "cursor-rule":
+      return "cursor_rule";
+    case "mcp":
+      return "mcp_config";
+    default:
+      return "local_project_file";
+  }
+}
+
+module.exports = {
+  boundText,
+  sanitizeStoredContent,
+  normalizeSourceType,
+  deriveTrustLevel,
+  deriveUsedAs,
+  deriveAllowedToInfluenceTools,
+  deriveRecommendation,
+  buildSourceId,
+  buildSourceRecord,
+  sourceTypeForComponentType,
+};