bashbros 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. package/dist/{chunk-VVSCAH2B.js → chunk-2RPTM6EQ.js} +211 -8
  2. package/dist/chunk-2RPTM6EQ.js.map +1 -0
  3. package/dist/chunk-EYO44OMN.js +181 -0
  4. package/dist/chunk-EYO44OMN.js.map +1 -0
  5. package/dist/chunk-FRMAIRQ2.js +89 -0
  6. package/dist/chunk-FRMAIRQ2.js.map +1 -0
  7. package/dist/chunk-JYWQT2B4.js +866 -0
  8. package/dist/chunk-JYWQT2B4.js.map +1 -0
  9. package/dist/{chunk-GD5VNHIN.js → chunk-QWZGB4V3.js} +4 -85
  10. package/dist/chunk-QWZGB4V3.js.map +1 -0
  11. package/dist/cli.js +520 -23
  12. package/dist/cli.js.map +1 -1
  13. package/dist/{db-EHQDB5OL.js → db-SWJUUSFX.js} +2 -2
  14. package/dist/engine-EGPAS2EX.js +10 -0
  15. package/dist/index.d.ts +19 -0
  16. package/dist/index.js +5 -3
  17. package/dist/index.js.map +1 -1
  18. package/dist/session-Y4MICATZ.js +15 -0
  19. package/dist/session-Y4MICATZ.js.map +1 -0
  20. package/dist/static/index.html +1873 -276
  21. package/dist/writer-4ZEAKUFD.js +12 -0
  22. package/dist/writer-4ZEAKUFD.js.map +1 -0
  23. package/package.json +1 -1
  24. package/dist/chunk-CSRPOGHY.js +0 -354
  25. package/dist/chunk-CSRPOGHY.js.map +0 -1
  26. package/dist/chunk-GD5VNHIN.js.map +0 -1
  27. package/dist/chunk-VVSCAH2B.js.map +0 -1
  28. package/dist/engine-PKLXW6OF.js +0 -9
  29. /package/dist/{db-EHQDB5OL.js.map → db-SWJUUSFX.js.map} +0 -0
  30. /package/dist/{engine-PKLXW6OF.js.map → engine-EGPAS2EX.js.map} +0 -0
package/dist/chunk-JYWQT2B4.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/dashboard/db.ts"],"sourcesContent":["/**\r\n * Dashboard Database Module\r\n * SQLite-based storage for security events, connector activity, and egress blocks\r\n */\r\n\r\nimport Database from 'better-sqlite3'\r\nimport { randomUUID } from 'crypto'\r\nimport type {\r\n EventSource,\r\n EventLevel,\r\n UnifiedEvent,\r\n ConnectorEvent,\r\n EgressMatch,\r\n EgressPattern,\r\n RedactedPayload,\r\n ExposureResult\r\n} from '../policy/ward/types.js'\r\n\r\n// ─────────────────────────────────────────────────────────────\r\n// Types\r\n// ─────────────────────────────────────────────────────────────\r\n\r\nexport interface EventFilter {\r\n source?: EventSource\r\n level?: EventLevel\r\n category?: string\r\n since?: Date\r\n limit?: number\r\n offset?: number\r\n}\r\n\r\nexport interface InsertEventInput {\r\n source: EventSource\r\n level: EventLevel\r\n category: string\r\n message: string\r\n data?: Record<string, unknown>\r\n}\r\n\r\nexport interface InsertConnectorEventInput {\r\n connector: string\r\n method: string\r\n direction: 'inbound' | 'outbound'\r\n payload: RedactedPayload\r\n resourcesAccessed: string[]\r\n}\r\n\r\nexport interface InsertEgressBlockInput {\r\n pattern: EgressPattern\r\n matchedText: string\r\n redactedText: string\r\n connector?: string\r\n destination?: string\r\n}\r\n\r\nexport interface DashboardStats {\r\n totalEvents: number\r\n eventsBySource: Record<string, number>\r\n eventsByLevel: Record<string, number>\r\n pendingBlocks: number\r\n connectorCount: number\r\n recentExposures: number\r\n // Enhanced stats\r\n activeSessions: number\r\n todayCommands: number\r\n todayViolations: number\r\n avgRiskScore24h: number\r\n ollamaStatus: 'connected' | 'disconnected' | 'unknown'\r\n}\r\n\r\n// ─────────────────────────────────────────────────────────────\r\n// Session & Command Types\r\n// ─────────────────────────────────────────────────────────────\r\n\r\nexport interface SessionRecord {\r\n id: string\r\n agent: string\r\n pid: number\r\n startTime: Date\r\n endTime?: Date\r\n status: 'active' | 'completed' | 'crashed'\r\n commandCount: number\r\n blockedCount: number\r\n avgRiskScore: number\r\n workingDir: string\r\n}\r\n\r\nexport interface CommandRecord {\r\n id: string\r\n sessionId: string\r\n timestamp: Date\r\n command: string\r\n allowed: boolean\r\n riskScore: number\r\n riskLevel: 'safe' | 'caution' | 'dangerous' | 'critical'\r\n riskFactors: string[]\r\n durationMs: number\r\n violations: string[]\r\n}\r\n\r\nexport interface BroEventRecord {\r\n id: string\r\n sessionId: string | null\r\n timestamp: Date\r\n eventType: string\r\n inputContext: string\r\n outputSummary: string\r\n modelUsed: string\r\n latencyMs: number\r\n success: boolean\r\n}\r\n\r\nexport interface BroStatusRecord {\r\n id: string\r\n timestamp: Date\r\n ollamaAvailable: boolean\r\n ollamaModel: string\r\n platform: string\r\n shell: string\r\n projectType: string | null\r\n}\r\n\r\nexport interface ToolUseRecord {\r\n id: string\r\n timestamp: Date\r\n toolName: string\r\n toolInput: string\r\n toolOutput: string\r\n exitCode: number | null\r\n success: boolean | null\r\n cwd: string\r\n repoName: string | null\r\n repoPath: string | null\r\n}\r\n\r\nexport interface InsertSessionInput {\r\n agent: string\r\n pid: number\r\n workingDir: string\r\n}\r\n\r\nexport interface InsertCommandInput {\r\n sessionId: string\r\n command: string\r\n allowed: boolean\r\n riskScore: number\r\n riskLevel: 'safe' | 'caution' | 'dangerous' | 'critical'\r\n riskFactors: string[]\r\n durationMs: number\r\n violations: string[]\r\n}\r\n\r\nexport interface InsertBroEventInput {\r\n sessionId?: string\r\n eventType: string\r\n inputContext: string\r\n outputSummary: string\r\n modelUsed: string\r\n latencyMs: number\r\n success: boolean\r\n}\r\n\r\nexport interface InsertBroStatusInput {\r\n ollamaAvailable: boolean\r\n ollamaModel: string\r\n platform: string\r\n shell: string\r\n projectType?: string\r\n}\r\n\r\nexport interface InsertToolUseInput {\r\n toolName: string\r\n toolInput: string\r\n toolOutput: string\r\n exitCode?: number | null\r\n success?: boolean | null\r\n cwd: string\r\n repoName?: string | null\r\n repoPath?: string | null\r\n}\r\n\r\nexport interface ToolUseFilter {\r\n toolName?: string\r\n since?: Date\r\n limit?: number\r\n offset?: number\r\n}\r\n\r\nexport interface SessionFilter {\r\n status?: 'active' | 'completed' | 'crashed'\r\n since?: Date\r\n until?: Date\r\n agent?: string\r\n limit?: number\r\n offset?: number\r\n}\r\n\r\nexport interface CommandFilter {\r\n sessionId?: string\r\n allowed?: boolean\r\n riskLevel?: string\r\n since?: Date\r\n afterId?: string\r\n limit?: number\r\n offset?: number\r\n}\r\n\r\n// ─────────────────────────────────────────────────────────────\r\n// Database Class\r\n// ─────────────────────────────────────────────────────────────\r\n\r\nexport class DashboardDB {\r\n private db: Database.Database\r\n\r\n constructor(dbPath: string = '.bashbros.db') {\r\n this.db = new Database(dbPath)\r\n this.db.pragma('journal_mode = WAL')\r\n this.initTables()\r\n }\r\n\r\n private initTables(): void {\r\n // Events table - unified security events\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS events (\r\n id TEXT PRIMARY KEY,\r\n timestamp TEXT NOT NULL,\r\n source TEXT NOT NULL,\r\n level TEXT NOT NULL,\r\n category TEXT NOT NULL,\r\n message TEXT NOT NULL,\r\n data TEXT\r\n )\r\n `)\r\n\r\n // Connector events table - MCP connector activity\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS connector_events (\r\n id TEXT PRIMARY KEY,\r\n timestamp TEXT NOT NULL,\r\n connector TEXT NOT NULL,\r\n method TEXT NOT NULL,\r\n direction TEXT NOT NULL,\r\n payload TEXT NOT NULL,\r\n resources_accessed TEXT NOT NULL\r\n )\r\n `)\r\n\r\n // Egress blocks table - blocked sensitive data\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS egress_blocks (\r\n id TEXT PRIMARY KEY,\r\n timestamp TEXT NOT NULL,\r\n pattern TEXT NOT NULL,\r\n matched_text TEXT NOT NULL,\r\n redacted_text TEXT NOT NULL,\r\n connector TEXT,\r\n destination TEXT,\r\n status TEXT NOT NULL DEFAULT 'pending',\r\n approved_by TEXT,\r\n approved_at TEXT\r\n )\r\n `)\r\n\r\n // Exposure scans table - network exposure scan results\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS exposure_scans (\r\n id TEXT PRIMARY KEY,\r\n timestamp TEXT NOT NULL,\r\n agent TEXT NOT NULL,\r\n pid INTEGER,\r\n port INTEGER NOT NULL,\r\n bind_address TEXT NOT NULL,\r\n has_auth TEXT NOT NULL,\r\n severity TEXT NOT NULL,\r\n action TEXT NOT NULL,\r\n message TEXT NOT NULL\r\n )\r\n `)\r\n\r\n // Create indexes for common queries\r\n this.db.exec(`\r\n CREATE INDEX IF NOT EXISTS idx_events_source ON events(source);\r\n CREATE INDEX IF NOT EXISTS idx_events_level ON events(level);\r\n CREATE INDEX IF NOT EXISTS idx_events_timestamp ON events(timestamp);\r\n CREATE INDEX IF NOT EXISTS idx_connector_events_connector ON connector_events(connector);\r\n CREATE INDEX IF NOT EXISTS idx_egress_blocks_status ON egress_blocks(status);\r\n `)\r\n\r\n // Sessions table - track watch sessions\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS sessions (\r\n id TEXT PRIMARY KEY,\r\n agent TEXT NOT NULL,\r\n pid INTEGER NOT NULL,\r\n start_time TEXT NOT NULL,\r\n end_time TEXT,\r\n status TEXT NOT NULL DEFAULT 'active',\r\n command_count INTEGER NOT NULL DEFAULT 0,\r\n blocked_count INTEGER NOT NULL DEFAULT 0,\r\n avg_risk_score REAL NOT NULL DEFAULT 0,\r\n working_dir TEXT NOT NULL\r\n )\r\n `)\r\n\r\n // Commands table - detailed command history\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS commands (\r\n id TEXT PRIMARY KEY,\r\n session_id TEXT NOT NULL,\r\n timestamp TEXT NOT NULL,\r\n command TEXT NOT NULL,\r\n allowed INTEGER NOT NULL,\r\n risk_score INTEGER NOT NULL,\r\n risk_level TEXT NOT NULL,\r\n risk_factors TEXT NOT NULL,\r\n duration_ms INTEGER NOT NULL,\r\n violations TEXT NOT NULL,\r\n FOREIGN KEY (session_id) REFERENCES sessions(id)\r\n )\r\n `)\r\n\r\n // Bash Bro events table - AI activity log\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS bro_events (\r\n id TEXT PRIMARY KEY,\r\n session_id TEXT,\r\n timestamp TEXT NOT NULL,\r\n event_type TEXT NOT NULL,\r\n input_context TEXT NOT NULL,\r\n output_summary TEXT NOT NULL,\r\n model_used TEXT NOT NULL,\r\n latency_ms INTEGER NOT NULL,\r\n success INTEGER NOT NULL,\r\n FOREIGN KEY (session_id) REFERENCES sessions(id)\r\n )\r\n `)\r\n\r\n // Bash Bro status snapshots table\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS bro_status (\r\n id TEXT PRIMARY KEY,\r\n timestamp TEXT NOT NULL,\r\n ollama_available INTEGER NOT NULL,\r\n ollama_model TEXT NOT NULL,\r\n platform TEXT NOT NULL,\r\n shell TEXT NOT NULL,\r\n project_type TEXT\r\n )\r\n `)\r\n\r\n // Tool uses table - generic Claude Code tool tracking\r\n this.db.exec(`\r\n CREATE TABLE IF NOT EXISTS tool_uses (\r\n id TEXT PRIMARY KEY,\r\n timestamp TEXT NOT NULL,\r\n tool_name TEXT NOT NULL,\r\n tool_input TEXT NOT NULL,\r\n tool_output TEXT NOT NULL,\r\n exit_code INTEGER,\r\n success INTEGER,\r\n cwd TEXT NOT NULL,\r\n repo_name TEXT,\r\n repo_path TEXT\r\n )\r\n `)\r\n\r\n // Create indexes for new tables\r\n this.db.exec(`\r\n CREATE INDEX IF NOT EXISTS idx_sessions_status ON sessions(status);\r\n CREATE INDEX IF NOT EXISTS idx_sessions_start_time ON sessions(start_time);\r\n CREATE INDEX IF NOT EXISTS idx_commands_session_id ON commands(session_id);\r\n CREATE INDEX IF NOT EXISTS idx_commands_timestamp ON commands(timestamp);\r\n CREATE INDEX IF NOT EXISTS idx_commands_allowed ON commands(allowed);\r\n CREATE INDEX IF NOT EXISTS idx_bro_events_session_id ON bro_events(session_id);\r\n CREATE INDEX IF NOT EXISTS idx_bro_events_timestamp ON bro_events(timestamp);\r\n CREATE INDEX IF NOT EXISTS idx_bro_status_timestamp ON bro_status(timestamp);\r\n CREATE INDEX IF NOT EXISTS idx_tool_uses_timestamp ON tool_uses(timestamp);\r\n CREATE INDEX IF NOT EXISTS idx_tool_uses_tool_name ON tool_uses(tool_name);\r\n `)\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Events\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertEvent(input: InsertEventInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n const data = input.data ? JSON.stringify(input.data) : null\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO events (id, timestamp, source, level, category, message, data)\r\n VALUES (?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(id, timestamp, input.source, input.level, input.category, input.message, data)\r\n return id\r\n }\r\n\r\n getEvents(filter: EventFilter = {}): UnifiedEvent[] {\r\n const conditions: string[] = []\r\n const params: unknown[] = []\r\n\r\n if (filter.source) {\r\n conditions.push('source = ?')\r\n params.push(filter.source)\r\n }\r\n\r\n if (filter.level) {\r\n conditions.push('level = ?')\r\n params.push(filter.level)\r\n }\r\n\r\n if (filter.category) {\r\n conditions.push('category = ?')\r\n params.push(filter.category)\r\n }\r\n\r\n if (filter.since) {\r\n conditions.push('timestamp >= ?')\r\n params.push(filter.since.toISOString())\r\n }\r\n\r\n const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''\r\n const limit = filter.limit ?? 100\r\n const offset = filter.offset ?? 0\r\n\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM events\r\n ${whereClause}\r\n ORDER BY timestamp DESC\r\n LIMIT ? OFFSET ?\r\n `)\r\n\r\n params.push(limit, offset)\r\n const rows = stmt.all(...params) as Array<{\r\n id: string\r\n timestamp: string\r\n source: EventSource\r\n level: EventLevel\r\n category: string\r\n message: string\r\n data: string | null\r\n }>\r\n\r\n return rows.map(row => ({\r\n id: row.id,\r\n timestamp: new Date(row.timestamp),\r\n source: row.source,\r\n level: row.level,\r\n category: row.category,\r\n message: row.message,\r\n data: row.data ? JSON.parse(row.data) : undefined\r\n }))\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Connector Events\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertConnectorEvent(input: InsertConnectorEventInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO connector_events (id, timestamp, connector, method, direction, payload, resources_accessed)\r\n VALUES (?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n timestamp,\r\n input.connector,\r\n input.method,\r\n input.direction,\r\n JSON.stringify(input.payload),\r\n JSON.stringify(input.resourcesAccessed)\r\n )\r\n\r\n return id\r\n }\r\n\r\n getConnectorEvents(connector: string, limit: number = 100): ConnectorEvent[] {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM connector_events\r\n WHERE connector = ?\r\n ORDER BY timestamp DESC\r\n LIMIT ?\r\n `)\r\n\r\n const rows = stmt.all(connector, limit) as Array<{\r\n id: string\r\n timestamp: string\r\n connector: string\r\n method: string\r\n direction: 'inbound' | 'outbound'\r\n payload: string\r\n resources_accessed: string\r\n }>\r\n\r\n return rows.map(row => ({\r\n id: row.id,\r\n timestamp: new Date(row.timestamp),\r\n connector: row.connector,\r\n method: row.method,\r\n direction: row.direction,\r\n payload: JSON.parse(row.payload),\r\n resourcesAccessed: JSON.parse(row.resources_accessed)\r\n }))\r\n }\r\n\r\n getAllConnectorEvents(limit: number = 100): ConnectorEvent[] {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM connector_events\r\n ORDER BY timestamp DESC\r\n LIMIT ?\r\n `)\r\n\r\n const rows = stmt.all(limit) as Array<{\r\n id: string\r\n timestamp: string\r\n connector: string\r\n method: string\r\n direction: 'inbound' | 'outbound'\r\n payload: string\r\n resources_accessed: string\r\n }>\r\n\r\n return rows.map(row => ({\r\n id: row.id,\r\n timestamp: new Date(row.timestamp),\r\n connector: row.connector,\r\n method: row.method,\r\n direction: row.direction,\r\n payload: JSON.parse(row.payload),\r\n resourcesAccessed: JSON.parse(row.resources_accessed)\r\n }))\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Egress Blocks\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertEgressBlock(input: InsertEgressBlockInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO egress_blocks (id, timestamp, pattern, matched_text, redacted_text, connector, destination, status)\r\n VALUES (?, ?, ?, ?, ?, ?, ?, 'pending')\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n timestamp,\r\n JSON.stringify(input.pattern),\r\n input.matchedText,\r\n input.redactedText,\r\n input.connector ?? null,\r\n input.destination ?? null\r\n )\r\n\r\n return id\r\n }\r\n\r\n getPendingBlocks(): EgressMatch[] {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM egress_blocks\r\n WHERE status = 'pending'\r\n ORDER BY timestamp DESC\r\n `)\r\n\r\n const rows = stmt.all() as Array<{\r\n id: string\r\n timestamp: string\r\n pattern: string\r\n matched_text: string\r\n redacted_text: string\r\n connector: string | null\r\n destination: string | null\r\n status: 'pending' | 'approved' | 'denied'\r\n approved_by: string | null\r\n approved_at: string | null\r\n }>\r\n\r\n return rows.map(row => this.rowToEgressMatch(row))\r\n }\r\n\r\n getBlock(id: string): EgressMatch | null {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM egress_blocks WHERE id = ?\r\n `)\r\n\r\n const row = stmt.get(id) as {\r\n id: string\r\n timestamp: string\r\n pattern: string\r\n matched_text: string\r\n redacted_text: string\r\n connector: string | null\r\n destination: string | null\r\n status: 'pending' | 'approved' | 'denied'\r\n approved_by: string | null\r\n approved_at: string | null\r\n } | undefined\r\n\r\n if (!row) return null\r\n return this.rowToEgressMatch(row)\r\n }\r\n\r\n approveBlock(id: string, approvedBy: string): void {\r\n const stmt = this.db.prepare(`\r\n UPDATE egress_blocks\r\n SET status = 'approved', approved_by = ?, approved_at = ?\r\n WHERE id = ?\r\n `)\r\n\r\n stmt.run(approvedBy, new Date().toISOString(), id)\r\n }\r\n\r\n denyBlock(id: string, deniedBy: string): void {\r\n const stmt = this.db.prepare(`\r\n UPDATE egress_blocks\r\n SET status = 'denied', approved_by = ?, approved_at = ?\r\n WHERE id = ?\r\n `)\r\n\r\n stmt.run(deniedBy, new Date().toISOString(), id)\r\n }\r\n\r\n private rowToEgressMatch(row: {\r\n id: string\r\n timestamp: string\r\n pattern: string\r\n matched_text: string\r\n redacted_text: string\r\n connector: string | null\r\n destination: string | null\r\n status: 'pending' | 'approved' | 'denied'\r\n approved_by: string | null\r\n approved_at: string | null\r\n }): EgressMatch {\r\n return {\r\n id: row.id,\r\n timestamp: new Date(row.timestamp),\r\n pattern: JSON.parse(row.pattern),\r\n matchedText: row.matched_text,\r\n redactedText: row.redacted_text,\r\n connector: row.connector ?? undefined,\r\n destination: row.destination ?? undefined,\r\n status: row.status,\r\n approvedBy: row.approved_by ?? undefined,\r\n approvedAt: row.approved_at ? new Date(row.approved_at) : undefined\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Exposure Scans\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertExposureScan(result: ExposureResult): string {\r\n const id = randomUUID()\r\n const timestamp = result.timestamp.toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO exposure_scans (id, timestamp, agent, pid, port, bind_address, has_auth, severity, action, message)\r\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n timestamp,\r\n result.agent,\r\n result.pid ?? null,\r\n result.port,\r\n result.bindAddress,\r\n String(result.hasAuth),\r\n result.severity,\r\n result.action,\r\n result.message\r\n )\r\n\r\n return id\r\n }\r\n\r\n getRecentExposures(limit: number = 100): ExposureResult[] {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM exposure_scans\r\n ORDER BY timestamp DESC\r\n LIMIT ?\r\n `)\r\n\r\n const rows = stmt.all(limit) as Array<{\r\n id: string\r\n timestamp: string\r\n agent: string\r\n pid: number | null\r\n port: number\r\n bind_address: string\r\n has_auth: string\r\n severity: string\r\n action: string\r\n message: string\r\n }>\r\n\r\n return rows.map(row => ({\r\n agent: row.agent,\r\n pid: row.pid ?? undefined,\r\n port: row.port,\r\n bindAddress: row.bind_address,\r\n hasAuth: row.has_auth === 'true' ? true : row.has_auth === 'false' ? false : 'unknown' as const,\r\n severity: row.severity as ExposureResult['severity'],\r\n action: row.action as ExposureResult['action'],\r\n message: row.message,\r\n timestamp: new Date(row.timestamp)\r\n }))\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Sessions\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertSession(input: InsertSessionInput): string {\r\n const id = randomUUID()\r\n const startTime = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO sessions (id, agent, pid, start_time, status, command_count, blocked_count, avg_risk_score, working_dir)\r\n VALUES (?, ?, ?, ?, 'active', 0, 0, 0, ?)\r\n `)\r\n\r\n stmt.run(id, input.agent, input.pid, startTime, input.workingDir)\r\n return id\r\n }\r\n\r\n updateSession(id: string, updates: {\r\n endTime?: Date\r\n status?: 'active' | 'completed' | 'crashed'\r\n commandCount?: number\r\n blockedCount?: number\r\n avgRiskScore?: number\r\n }): void {\r\n const setClauses: string[] = []\r\n const params: unknown[] = []\r\n\r\n if (updates.endTime !== undefined) {\r\n setClauses.push('end_time = ?')\r\n params.push(updates.endTime.toISOString())\r\n }\r\n if (updates.status !== undefined) {\r\n setClauses.push('status = ?')\r\n params.push(updates.status)\r\n }\r\n if (updates.commandCount !== undefined) {\r\n setClauses.push('command_count = ?')\r\n params.push(updates.commandCount)\r\n }\r\n if (updates.blockedCount !== undefined) {\r\n setClauses.push('blocked_count = ?')\r\n params.push(updates.blockedCount)\r\n }\r\n if (updates.avgRiskScore !== undefined) {\r\n setClauses.push('avg_risk_score = ?')\r\n params.push(updates.avgRiskScore)\r\n }\r\n\r\n if (setClauses.length === 0) return\r\n\r\n params.push(id)\r\n const stmt = this.db.prepare(`\r\n UPDATE sessions SET ${setClauses.join(', ')} WHERE id = ?\r\n `)\r\n stmt.run(...params)\r\n }\r\n\r\n getSession(id: string): SessionRecord | null {\r\n const stmt = this.db.prepare('SELECT * FROM sessions WHERE id = ?')\r\n const row = stmt.get(id) as {\r\n id: string\r\n agent: string\r\n pid: number\r\n start_time: string\r\n end_time: string | null\r\n status: 'active' | 'completed' | 'crashed'\r\n command_count: number\r\n blocked_count: number\r\n avg_risk_score: number\r\n working_dir: string\r\n } | undefined\r\n\r\n if (!row) return null\r\n return this.rowToSession(row)\r\n }\r\n\r\n getSessions(filter: SessionFilter = {}): SessionRecord[] {\r\n const conditions: string[] = []\r\n const params: unknown[] = []\r\n\r\n if (filter.status) {\r\n conditions.push('status = ?')\r\n params.push(filter.status)\r\n }\r\n if (filter.since) {\r\n conditions.push('start_time >= ?')\r\n params.push(filter.since.toISOString())\r\n }\r\n if (filter.until) {\r\n conditions.push('start_time <= ?')\r\n params.push(filter.until.toISOString())\r\n }\r\n if (filter.agent) {\r\n conditions.push('agent = ?')\r\n params.push(filter.agent)\r\n }\r\n\r\n const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''\r\n const limit = filter.limit ?? 100\r\n const offset = filter.offset ?? 0\r\n\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM sessions\r\n ${whereClause}\r\n ORDER BY start_time DESC\r\n LIMIT ? OFFSET ?\r\n `)\r\n\r\n params.push(limit, offset)\r\n const rows = stmt.all(...params) as Array<{\r\n id: string\r\n agent: string\r\n pid: number\r\n start_time: string\r\n end_time: string | null\r\n status: 'active' | 'completed' | 'crashed'\r\n command_count: number\r\n blocked_count: number\r\n avg_risk_score: number\r\n working_dir: string\r\n }>\r\n\r\n return rows.map(row => this.rowToSession(row))\r\n }\r\n\r\n getActiveSession(): SessionRecord | null {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM sessions WHERE status = 'active' ORDER BY start_time DESC LIMIT 1\r\n `)\r\n const row = stmt.get() as {\r\n id: string\r\n agent: string\r\n pid: number\r\n start_time: string\r\n end_time: string | null\r\n status: 'active' | 'completed' | 'crashed'\r\n command_count: number\r\n blocked_count: number\r\n avg_risk_score: number\r\n working_dir: string\r\n } | undefined\r\n\r\n if (!row) return null\r\n return this.rowToSession(row)\r\n }\r\n\r\n private rowToSession(row: {\r\n id: string\r\n agent: string\r\n pid: number\r\n start_time: string\r\n end_time: string | null\r\n status: 'active' | 'completed' | 'crashed'\r\n command_count: number\r\n blocked_count: number\r\n avg_risk_score: number\r\n working_dir: string\r\n }): SessionRecord {\r\n return {\r\n id: row.id,\r\n agent: row.agent,\r\n pid: row.pid,\r\n startTime: new Date(row.start_time),\r\n endTime: row.end_time ? new Date(row.end_time) : undefined,\r\n status: row.status,\r\n commandCount: row.command_count,\r\n blockedCount: row.blocked_count,\r\n avgRiskScore: row.avg_risk_score,\r\n workingDir: row.working_dir\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Commands\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertCommand(input: InsertCommandInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO commands (id, session_id, timestamp, command, allowed, risk_score, risk_level, risk_factors, duration_ms, violations)\r\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n input.sessionId,\r\n timestamp,\r\n input.command,\r\n input.allowed ? 1 : 0,\r\n input.riskScore,\r\n input.riskLevel,\r\n JSON.stringify(input.riskFactors),\r\n input.durationMs,\r\n JSON.stringify(input.violations)\r\n )\r\n\r\n return id\r\n }\r\n\r\n getCommands(filter: CommandFilter = {}): CommandRecord[] {\r\n const conditions: string[] = []\r\n const params: unknown[] = []\r\n\r\n if (filter.sessionId) {\r\n conditions.push('session_id = ?')\r\n params.push(filter.sessionId)\r\n }\r\n if (filter.allowed !== undefined) {\r\n conditions.push('allowed = ?')\r\n params.push(filter.allowed ? 1 : 0)\r\n }\r\n if (filter.riskLevel) {\r\n conditions.push('risk_level = ?')\r\n params.push(filter.riskLevel)\r\n }\r\n if (filter.since) {\r\n conditions.push('timestamp >= ?')\r\n params.push(filter.since.toISOString())\r\n }\r\n if (filter.afterId) {\r\n conditions.push('id > ?')\r\n params.push(filter.afterId)\r\n }\r\n\r\n const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''\r\n const limit = filter.limit ?? 100\r\n const offset = filter.offset ?? 0\r\n\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM commands\r\n ${whereClause}\r\n ORDER BY timestamp DESC\r\n LIMIT ? OFFSET ?\r\n `)\r\n\r\n params.push(limit, offset)\r\n const rows = stmt.all(...params) as Array<{\r\n id: string\r\n session_id: string\r\n timestamp: string\r\n command: string\r\n allowed: number\r\n risk_score: number\r\n risk_level: 'safe' | 'caution' | 'dangerous' | 'critical'\r\n risk_factors: string\r\n duration_ms: number\r\n violations: string\r\n }>\r\n\r\n return rows.map(row => this.rowToCommand(row))\r\n }\r\n\r\n getCommandsBySession(sessionId: string, limit: number = 100): CommandRecord[] {\r\n return this.getCommands({ sessionId, limit })\r\n }\r\n\r\n getLiveCommands(limit: number = 20): CommandRecord[] {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM commands\r\n ORDER BY timestamp DESC\r\n LIMIT ?\r\n `)\r\n\r\n const rows = stmt.all(limit) as Array<{\r\n id: string\r\n session_id: string\r\n timestamp: string\r\n command: string\r\n allowed: number\r\n risk_score: number\r\n risk_level: 'safe' | 'caution' | 'dangerous' | 'critical'\r\n risk_factors: string\r\n duration_ms: number\r\n violations: string\r\n }>\r\n\r\n return rows.map(row => this.rowToCommand(row))\r\n }\r\n\r\n private rowToCommand(row: {\r\n id: string\r\n session_id: string\r\n timestamp: string\r\n command: string\r\n allowed: number\r\n risk_score: number\r\n risk_level: 'safe' | 'caution' | 'dangerous' | 'critical'\r\n risk_factors: string\r\n duration_ms: number\r\n violations: string\r\n }): CommandRecord {\r\n return {\r\n id: row.id,\r\n sessionId: row.session_id,\r\n timestamp: new Date(row.timestamp),\r\n command: row.command,\r\n allowed: row.allowed === 1,\r\n riskScore: row.risk_score,\r\n riskLevel: row.risk_level,\r\n riskFactors: JSON.parse(row.risk_factors),\r\n durationMs: row.duration_ms,\r\n violations: JSON.parse(row.violations)\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Bro Events\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertBroEvent(input: InsertBroEventInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO bro_events (id, session_id, timestamp, event_type, input_context, output_summary, model_used, latency_ms, success)\r\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n input.sessionId ?? null,\r\n timestamp,\r\n input.eventType,\r\n input.inputContext,\r\n input.outputSummary,\r\n input.modelUsed,\r\n input.latencyMs,\r\n input.success ? 1 : 0\r\n )\r\n\r\n return id\r\n }\r\n\r\n getBroEvents(limit: number = 100, sessionId?: string): BroEventRecord[] {\r\n let stmt\r\n let rows\r\n\r\n if (sessionId) {\r\n stmt = this.db.prepare(`\r\n SELECT * FROM bro_events\r\n WHERE session_id = ?\r\n ORDER BY timestamp DESC\r\n LIMIT ?\r\n `)\r\n rows = stmt.all(sessionId, limit)\r\n } else {\r\n stmt = this.db.prepare(`\r\n SELECT * FROM bro_events\r\n ORDER BY timestamp DESC\r\n LIMIT ?\r\n `)\r\n rows = stmt.all(limit)\r\n }\r\n\r\n return (rows as Array<{\r\n id: string\r\n session_id: string | null\r\n timestamp: string\r\n event_type: string\r\n input_context: string\r\n output_summary: string\r\n model_used: string\r\n latency_ms: number\r\n success: number\r\n }>).map(row => ({\r\n id: row.id,\r\n sessionId: row.session_id,\r\n timestamp: new Date(row.timestamp),\r\n eventType: row.event_type,\r\n inputContext: row.input_context,\r\n outputSummary: row.output_summary,\r\n modelUsed: row.model_used,\r\n latencyMs: row.latency_ms,\r\n success: row.success === 1\r\n }))\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Bro Status\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n updateBroStatus(input: InsertBroStatusInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO bro_status (id, timestamp, ollama_available, ollama_model, platform, shell, project_type)\r\n VALUES (?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n timestamp,\r\n input.ollamaAvailable ? 1 : 0,\r\n input.ollamaModel,\r\n input.platform,\r\n input.shell,\r\n input.projectType ?? null\r\n )\r\n\r\n return id\r\n }\r\n\r\n getLatestBroStatus(): BroStatusRecord | null {\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM bro_status\r\n ORDER BY timestamp DESC\r\n LIMIT 1\r\n `)\r\n\r\n const row = stmt.get() as {\r\n id: string\r\n timestamp: string\r\n ollama_available: number\r\n ollama_model: string\r\n platform: string\r\n shell: string\r\n project_type: string | null\r\n } | undefined\r\n\r\n if (!row) return null\r\n\r\n return {\r\n id: row.id,\r\n timestamp: new Date(row.timestamp),\r\n ollamaAvailable: row.ollama_available === 1,\r\n ollamaModel: row.ollama_model,\r\n platform: row.platform,\r\n shell: row.shell,\r\n projectType: row.project_type\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Tool Uses\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n insertToolUse(input: InsertToolUseInput): string {\r\n const id = randomUUID()\r\n const timestamp = new Date().toISOString()\r\n\r\n const stmt = this.db.prepare(`\r\n INSERT INTO tool_uses (id, timestamp, tool_name, tool_input, tool_output, exit_code, success, cwd, repo_name, repo_path)\r\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\r\n `)\r\n\r\n stmt.run(\r\n id,\r\n timestamp,\r\n input.toolName,\r\n input.toolInput.substring(0, 50000), // Truncate very long inputs\r\n input.toolOutput.substring(0, 50000), // Truncate very long outputs\r\n input.exitCode ?? null,\r\n input.success === undefined ? null : (input.success ? 1 : 0),\r\n input.cwd,\r\n input.repoName ?? null,\r\n input.repoPath ?? null\r\n )\r\n\r\n return id\r\n }\r\n\r\n getToolUses(filter: ToolUseFilter = {}): ToolUseRecord[] {\r\n const conditions: string[] = []\r\n const params: unknown[] = []\r\n\r\n if (filter.toolName) {\r\n conditions.push('tool_name = ?')\r\n params.push(filter.toolName)\r\n }\r\n if (filter.since) {\r\n conditions.push('timestamp >= ?')\r\n params.push(filter.since.toISOString())\r\n }\r\n\r\n const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''\r\n const limit = filter.limit ?? 100\r\n const offset = filter.offset ?? 0\r\n\r\n const stmt = this.db.prepare(`\r\n SELECT * FROM tool_uses\r\n ${whereClause}\r\n ORDER BY timestamp DESC\r\n LIMIT ? OFFSET ?\r\n `)\r\n\r\n params.push(limit, offset)\r\n const rows = stmt.all(...params) as Array<{\r\n id: string\r\n timestamp: string\r\n tool_name: string\r\n tool_input: string\r\n tool_output: string\r\n exit_code: number | null\r\n success: number | null\r\n cwd: string\r\n repo_name: string | null\r\n repo_path: string | null\r\n }>\r\n\r\n return rows.map(row => ({\r\n id: row.id,\r\n timestamp: new Date(row.timestamp),\r\n toolName: row.tool_name,\r\n toolInput: row.tool_input,\r\n toolOutput: row.tool_output,\r\n exitCode: row.exit_code,\r\n success: row.success === null ? null : row.success === 1,\r\n cwd: row.cwd,\r\n repoName: row.repo_name,\r\n repoPath: row.repo_path\r\n }))\r\n }\r\n\r\n getLiveToolUses(limit: number = 50): ToolUseRecord[] {\r\n return this.getToolUses({ limit })\r\n }\r\n\r\n getToolUseStats(): {\r\n totalUses: number\r\n byTool: Record<string, number>\r\n last24h: number\r\n } {\r\n const totalRow = this.db.prepare('SELECT COUNT(*) as count FROM tool_uses').get() as { count: number }\r\n\r\n const toolRows = this.db.prepare(`\r\n SELECT tool_name, COUNT(*) as count FROM tool_uses GROUP BY tool_name ORDER BY count DESC\r\n `).all() as Array<{ tool_name: string; count: number }>\r\n\r\n const byTool: Record<string, number> = {}\r\n for (const row of toolRows) {\r\n byTool[row.tool_name] = row.count\r\n }\r\n\r\n const oneDayAgo = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString()\r\n const last24hRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM tool_uses WHERE timestamp >= ?\r\n `).get(oneDayAgo) as { count: number }\r\n\r\n return {\r\n totalUses: totalRow.count,\r\n byTool,\r\n last24h: last24hRow.count\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Session Metrics\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n getSessionMetrics(sessionId: string): {\r\n totalCommands: number\r\n allowedCommands: number\r\n blockedCommands: number\r\n avgRiskScore: number\r\n riskDistribution: Record<string, number>\r\n topCommands: Array<{ command: string; count: number }>\r\n } {\r\n // Total commands\r\n const totalRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM commands WHERE session_id = ?\r\n `).get(sessionId) as { count: number }\r\n\r\n // Allowed/blocked counts\r\n const allowedRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM commands WHERE session_id = ? AND allowed = 1\r\n `).get(sessionId) as { count: number }\r\n\r\n const blockedRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM commands WHERE session_id = ? AND allowed = 0\r\n `).get(sessionId) as { count: number }\r\n\r\n // Average risk score\r\n const avgRow = this.db.prepare(`\r\n SELECT AVG(risk_score) as avg FROM commands WHERE session_id = ?\r\n `).get(sessionId) as { avg: number | null }\r\n\r\n // Risk distribution\r\n const riskRows = this.db.prepare(`\r\n SELECT risk_level, COUNT(*) as count FROM commands WHERE session_id = ? GROUP BY risk_level\r\n `).all(sessionId) as Array<{ risk_level: string; count: number }>\r\n\r\n const riskDistribution: Record<string, number> = {}\r\n for (const row of riskRows) {\r\n riskDistribution[row.risk_level] = row.count\r\n }\r\n\r\n // Top commands (by base command, first word)\r\n const cmdRows = this.db.prepare(`\r\n SELECT command, COUNT(*) as count FROM commands WHERE session_id = ?\r\n GROUP BY command ORDER BY count DESC LIMIT 10\r\n `).all(sessionId) as Array<{ command: string; count: number }>\r\n\r\n return {\r\n totalCommands: totalRow.count,\r\n allowedCommands: allowedRow.count,\r\n blockedCommands: blockedRow.count,\r\n avgRiskScore: avgRow.avg ?? 0,\r\n riskDistribution,\r\n topCommands: cmdRows\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Stats\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n getStats(): DashboardStats {\r\n // Total events\r\n const totalEventsRow = this.db.prepare('SELECT COUNT(*) as count FROM events').get() as { count: number }\r\n\r\n // Events by source\r\n const sourceRows = this.db.prepare(`\r\n SELECT source, COUNT(*) as count FROM events GROUP BY source\r\n `).all() as Array<{ source: string; count: number }>\r\n\r\n const eventsBySource: Record<string, number> = {}\r\n for (const row of sourceRows) {\r\n eventsBySource[row.source] = row.count\r\n }\r\n\r\n // Events by level\r\n const levelRows = this.db.prepare(`\r\n SELECT level, COUNT(*) as count FROM events GROUP BY level\r\n `).all() as Array<{ level: string; count: number }>\r\n\r\n const eventsByLevel: Record<string, number> = {}\r\n for (const row of levelRows) {\r\n eventsByLevel[row.level] = row.count\r\n }\r\n\r\n // Pending blocks\r\n const pendingBlocksRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM egress_blocks WHERE status = 'pending'\r\n `).get() as { count: number }\r\n\r\n // Unique connectors\r\n const connectorCountRow = this.db.prepare(`\r\n SELECT COUNT(DISTINCT connector) as count FROM connector_events\r\n `).get() as { count: number }\r\n\r\n // Recent exposures (last 24 hours)\r\n const oneDayAgo = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString()\r\n const recentExposuresRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM exposure_scans WHERE timestamp >= ?\r\n `).get(oneDayAgo) as { count: number }\r\n\r\n // Active sessions\r\n const activeSessionsRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM sessions WHERE status = 'active'\r\n `).get() as { count: number }\r\n\r\n // Today's commands\r\n const todayStart = new Date()\r\n todayStart.setHours(0, 0, 0, 0)\r\n const todayCommandsRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM commands WHERE timestamp >= ?\r\n `).get(todayStart.toISOString()) as { count: number }\r\n\r\n // Today's violations (blocked commands)\r\n const todayViolationsRow = this.db.prepare(`\r\n SELECT COUNT(*) as count FROM commands WHERE timestamp >= ? AND allowed = 0\r\n `).get(todayStart.toISOString()) as { count: number }\r\n\r\n // Average risk score in last 24 hours\r\n const avgRiskRow = this.db.prepare(`\r\n SELECT AVG(risk_score) as avg FROM commands WHERE timestamp >= ?\r\n `).get(oneDayAgo) as { avg: number | null }\r\n\r\n // Ollama status from latest bro_status\r\n const latestStatus = this.getLatestBroStatus()\r\n let ollamaStatus: 'connected' | 'disconnected' | 'unknown' = 'unknown'\r\n if (latestStatus) {\r\n ollamaStatus = latestStatus.ollamaAvailable ? 'connected' : 'disconnected'\r\n }\r\n\r\n return {\r\n totalEvents: totalEventsRow.count,\r\n eventsBySource,\r\n eventsByLevel,\r\n pendingBlocks: pendingBlocksRow.count,\r\n connectorCount: connectorCountRow.count,\r\n recentExposures: recentExposuresRow.count,\r\n activeSessions: activeSessionsRow.count,\r\n todayCommands: todayCommandsRow.count,\r\n todayViolations: todayViolationsRow.count,\r\n avgRiskScore24h: avgRiskRow.avg ?? 0,\r\n ollamaStatus\r\n }\r\n }\r\n\r\n // ─────────────────────────────────────────────────────────────\r\n // Maintenance\r\n // ─────────────────────────────────────────────────────────────\r\n\r\n cleanup(olderThanDays: number = 30): number {\r\n const cutoff = new Date(Date.now() - olderThanDays * 24 * 60 * 60 * 1000).toISOString()\r\n\r\n const eventsDeleted = this.db.prepare('DELETE FROM events WHERE timestamp < ?').run(cutoff).changes\r\n const connectorDeleted = this.db.prepare('DELETE FROM connector_events WHERE timestamp < ?').run(cutoff).changes\r\n const blocksDeleted = this.db.prepare(`\r\n DELETE FROM egress_blocks WHERE timestamp < ? AND status != 'pending'\r\n `).run(cutoff).changes\r\n const exposuresDeleted = this.db.prepare('DELETE FROM exposure_scans WHERE timestamp < ?').run(cutoff).changes\r\n\r\n // Cleanup new tables - commands first (due to foreign key), then sessions\r\n const commandsDeleted = this.db.prepare('DELETE FROM commands WHERE timestamp < ?').run(cutoff).changes\r\n const sessionsDeleted = this.db.prepare(`\r\n DELETE FROM sessions WHERE start_time < ? AND status != 'active'\r\n `).run(cutoff).changes\r\n const broEventsDeleted = this.db.prepare('DELETE FROM bro_events WHERE timestamp < ?').run(cutoff).changes\r\n const broStatusDeleted = this.db.prepare('DELETE FROM bro_status WHERE timestamp < ?').run(cutoff).changes\r\n const toolUsesDeleted = this.db.prepare('DELETE FROM tool_uses WHERE timestamp < ?').run(cutoff).changes\r\n\r\n return eventsDeleted + connectorDeleted + blocksDeleted + exposuresDeleted +\r\n commandsDeleted + sessionsDeleted + broEventsDeleted + broStatusDeleted + toolUsesDeleted\r\n }\r\n\r\n close(): void {\r\n this.db.close()\r\n }\r\n}\r\n\r\nexport default DashboardDB\r\n"],"mappings":";;;AAKA,OAAO,cAAc;AACrB,SAAS,kBAAkB;AA6MpB,IAAM,cAAN,MAAkB;AAAA,EACf;AAAA,EAER,YAAY,SAAiB,gBAAgB;AAC3C,SAAK,KAAK,IAAI,SAAS,MAAM;AAC7B,SAAK,GAAG,OAAO,oBAAoB;AACnC,SAAK,WAAW;AAAA,EAClB;AAAA,EAEQ,aAAmB;AAEzB,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAUZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAUZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAaZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAaZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAMZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAaZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAcZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAaZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAUZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAaZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAWZ;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,OAAiC;AAC3C,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,UAAM,OAAO,MAAM,OAAO,KAAK,UAAU,MAAM,IAAI,IAAI;AAEvD,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK,IAAI,IAAI,WAAW,MAAM,QAAQ,MAAM,OAAO,MAAM,UAAU,MAAM,SAAS,IAAI;AACtF,WAAO;AAAA,EACT;AAAA,EAEA,UAAU,SAAsB,CAAC,GAAmB;AAClD,UAAM,aAAuB,CAAC;AAC9B,UAAM,SAAoB,CAAC;AAE3B,QAAI,OAAO,QAAQ;AACjB,iBAAW,KAAK,YAAY;AAC5B,aAAO,KAAK,OAAO,MAAM;AAAA,IAC3B;AAEA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,WAAW;AAC3B,aAAO,KAAK,OAAO,KAAK;AAAA,IAC1B;AAEA,QAAI,OAAO,UAAU;AACnB,iBAAW,KAAK,cAAc;AAC9B,aAAO,KAAK,OAAO,QAAQ;AAAA,IAC7B;AAEA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,gBAAgB;AAChC,aAAO,KAAK,OAAO,MAAM,YAAY,CAAC;AAAA,IACxC;AAEA,UAAM,cAAc,WAAW,SAAS,IAAI,SAAS,WAAW,KAAK,OAAO,CAAC,KAAK;AAClF,UAAM,QAAQ,OAAO,SAAS;AAC9B,UAAM,SAAS,OAAO,UAAU;AAEhC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA,QAEzB,WAAW;AAAA;AAAA;AAAA,KAGd;AAED,WAAO,KAAK,OAAO,MAAM;AACzB,UAAM,OAAO,KAAK,IAAI,GAAG,MAAM;AAU/B,WAAO,KAAK,IAAI,UAAQ;AAAA,MACtB,IAAI,IAAI;AAAA,MACR,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,QAAQ,IAAI;AAAA,MACZ,OAAO,IAAI;AAAA,MACX,UAAU,IAAI;AAAA,MACd,SAAS,IAAI;AAAA,MACb,MAAM,IAAI,OAAO,KAAK,MAAM,IAAI,IAAI,IAAI;AAAA,IAC1C,EAAE;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA,EAMA,qBAAqB,OAA0C;AAC7D,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,KAAK,UAAU,MAAM,OAAO;AAAA,MAC5B,KAAK,UAAU,MAAM,iBAAiB;AAAA,IACxC;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,mBAAmB,WAAmB,QAAgB,KAAuB;AAC3E,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAK5B;AAED,UAAM,OAAO,KAAK,IAAI,WAAW,KAAK;AAUtC,WAAO,KAAK,IAAI,UAAQ;AAAA,MACtB,IAAI,IAAI;AAAA,MACR,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,WAAW,IAAI;AAAA,MACf,QAAQ,IAAI;AAAA,MACZ,WAAW,IAAI;AAAA,MACf,SAAS,KAAK,MAAM,IAAI,OAAO;AAAA,MAC/B,mBAAmB,KAAK,MAAM,IAAI,kBAAkB;AAAA,IACtD,EAAE;AAAA,EACJ;AAAA,EAEA,sBAAsB,QAAgB,KAAuB;AAC3D,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,UAAM,OAAO,KAAK,IAAI,KAAK;AAU3B,WAAO,KAAK,IAAI,UAAQ;AAAA,MACtB,IAAI,IAAI;AAAA,MACR,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,WAAW,IAAI;AAAA,MACf,QAAQ,IAAI;AAAA,MACZ,WAAW,IAAI;AAAA,MACf,SAAS,KAAK,MAAM,IAAI,OAAO;AAAA,MAC/B,mBAAmB,KAAK,MAAM,IAAI,kBAAkB;AAAA,IACtD,EAAE;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,OAAuC;AACvD,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA,KAAK,UAAU,MAAM,OAAO;AAAA,MAC5B,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,aAAa;AAAA,MACnB,MAAM,eAAe;AAAA,IACvB;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,mBAAkC;AAChC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,UAAM,OAAO,KAAK,IAAI;AAatB,WAAO,KAAK,IAAI,SAAO,KAAK,iBAAiB,GAAG,CAAC;AAAA,EACnD;AAAA,EAEA,SAAS,IAAgC;AACvC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA,KAE5B;AAED,UAAM,MAAM,KAAK,IAAI,EAAE;AAavB,QAAI,CAAC,IAAK,QAAO;AACjB,WAAO,KAAK,iBAAiB,GAAG;AAAA,EAClC;AAAA,EAEA,aAAa,IAAY,YAA0B;AACjD,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,SAAK,IAAI,aAAY,oBAAI,KAAK,GAAE,YAAY,GAAG,EAAE;AAAA,EACnD;AAAA,EAEA,UAAU,IAAY,UAAwB;AAC5C,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,SAAK,IAAI,WAAU,oBAAI,KAAK,GAAE,YAAY,GAAG,EAAE;AAAA,EACjD;AAAA,EAEQ,iBAAiB,KAWT;AACd,WAAO;AAAA,MACL,IAAI,IAAI;AAAA,MACR,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,SAAS,KAAK,MAAM,IAAI,OAAO;AAAA,MAC/B,aAAa,IAAI;AAAA,MACjB,cAAc,IAAI;AAAA,MAClB,WAAW,IAAI,aAAa;AAAA,MAC5B,aAAa,IAAI,eAAe;AAAA,MAChC,QAAQ,IAAI;AAAA,MACZ,YAAY,IAAI,eAAe;AAAA,MAC/B,YAAY,IAAI,cAAc,IAAI,KAAK,IAAI,WAAW,IAAI;AAAA,IAC5D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,mBAAmB,QAAgC;AACjD,UAAM,KAAK,WAAW;AACtB,UAAM,YAAY,OAAO,UAAU,YAAY;AAE/C,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA,OAAO;AAAA,MACP,OAAO,OAAO;AAAA,MACd,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO,OAAO,OAAO;AAAA,MACrB,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,mBAAmB,QAAgB,KAAuB;AACxD,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,UAAM,OAAO,KAAK,IAAI,KAAK;AAa3B,WAAO,KAAK,IAAI,UAAQ;AAAA,MACtB,OAAO,IAAI;AAAA,MACX,KAAK,IAAI,OAAO;AAAA,MAChB,MAAM,IAAI;AAAA,MACV,aAAa,IAAI;AAAA,MACjB,SAAS,IAAI,aAAa,SAAS,OAAO,IAAI,aAAa,UAAU,QAAQ;AAAA,MAC7E,UAAU,IAAI;AAAA,MACd,QAAQ,IAAI;AAAA,MACZ,SAAS,IAAI;AAAA,MACb,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,IACnC,EAAE;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc,OAAmC;AAC/C,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK,IAAI,IAAI,MAAM,OAAO,MAAM,KAAK,WAAW,MAAM,UAAU;AAChE,WAAO;AAAA,EACT;AAAA,EAEA,cAAc,IAAY,SAMjB;AACP,UAAM,aAAuB,CAAC;AAC9B,UAAM,SAAoB,CAAC;AAE3B,QAAI,QAAQ,YAAY,QAAW;AACjC,iBAAW,KAAK,cAAc;AAC9B,aAAO,KAAK,QAAQ,QAAQ,YAAY,CAAC;AAAA,IAC3C;AACA,QAAI,QAAQ,WAAW,QAAW;AAChC,iBAAW,KAAK,YAAY;AAC5B,aAAO,KAAK,QAAQ,MAAM;AAAA,IAC5B;AACA,QAAI,QAAQ,iBAAiB,QAAW;AACtC,iBAAW,KAAK,mBAAmB;AACnC,aAAO,KAAK,QAAQ,YAAY;AAAA,IAClC;AACA,QAAI,QAAQ,iBAAiB,QAAW;AACtC,iBAAW,KAAK,mBAAmB;AACnC,aAAO,KAAK,QAAQ,YAAY;AAAA,IAClC;AACA,QAAI,QAAQ,iBAAiB,QAAW;AACtC,iBAAW,KAAK,oBAAoB;AACpC,aAAO,KAAK,QAAQ,YAAY;AAAA,IAClC;AAEA,QAAI,WAAW,WAAW,EAAG;AAE7B,WAAO,KAAK,EAAE;AACd,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA,4BACL,WAAW,KAAK,IAAI,CAAC;AAAA,KAC5C;AACD,SAAK,IAAI,GAAG,MAAM;AAAA,EACpB;AAAA,EAEA,WAAW,IAAkC;AAC3C,UAAM,OAAO,KAAK,GAAG,QAAQ,qCAAqC;AAClE,UAAM,MAAM,KAAK,IAAI,EAAE;AAavB,QAAI,CAAC,IAAK,QAAO;AACjB,WAAO,KAAK,aAAa,GAAG;AAAA,EAC9B;AAAA,EAEA,YAAY,SAAwB,CAAC,GAAoB;AACvD,UAAM,aAAuB,CAAC;AAC9B,UAAM,SAAoB,CAAC;AAE3B,QAAI,OAAO,QAAQ;AACjB,iBAAW,KAAK,YAAY;AAC5B,aAAO,KAAK,OAAO,MAAM;AAAA,IAC3B;AACA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,iBAAiB;AACjC,aAAO,KAAK,OAAO,MAAM,YAAY,CAAC;AAAA,IACxC;AACA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,iBAAiB;AACjC,aAAO,KAAK,OAAO,MAAM,YAAY,CAAC;AAAA,IACxC;AACA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,WAAW;AAC3B,aAAO,KAAK,OAAO,KAAK;AAAA,IAC1B;AAEA,UAAM,cAAc,WAAW,SAAS,IAAI,SAAS,WAAW,KAAK,OAAO,CAAC,KAAK;AAClF,UAAM,QAAQ,OAAO,SAAS;AAC9B,UAAM,SAAS,OAAO,UAAU;AAEhC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA,QAEzB,WAAW;AAAA;AAAA;AAAA,KAGd;AAED,WAAO,KAAK,OAAO,MAAM;AACzB,UAAM,OAAO,KAAK,IAAI,GAAG,MAAM;AAa/B,WAAO,KAAK,IAAI,SAAO,KAAK,aAAa,GAAG,CAAC;AAAA,EAC/C;AAAA,EAEA,mBAAyC;AACvC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA,KAE5B;AACD,UAAM,MAAM,KAAK,IAAI;AAarB,QAAI,CAAC,IAAK,QAAO;AACjB,WAAO,KAAK,aAAa,GAAG;AAAA,EAC9B;AAAA,EAEQ,aAAa,KAWH;AAChB,WAAO;AAAA,MACL,IAAI,IAAI;AAAA,MACR,OAAO,IAAI;AAAA,MACX,KAAK,IAAI;AAAA,MACT,WAAW,IAAI,KAAK,IAAI,UAAU;AAAA,MAClC,SAAS,IAAI,WAAW,IAAI,KAAK,IAAI,QAAQ,IAAI;AAAA,MACjD,QAAQ,IAAI;AAAA,MACZ,cAAc,IAAI;AAAA,MAClB,cAAc,IAAI;AAAA,MAClB,cAAc,IAAI;AAAA,MAClB,YAAY,IAAI;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc,OAAmC;AAC/C,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA,MAAM;AAAA,MACN;AAAA,MACA,MAAM;AAAA,MACN,MAAM,UAAU,IAAI;AAAA,MACpB,MAAM;AAAA,MACN,MAAM;AAAA,MACN,KAAK,UAAU,MAAM,WAAW;AAAA,MAChC,MAAM;AAAA,MACN,KAAK,UAAU,MAAM,UAAU;AAAA,IACjC;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,YAAY,SAAwB,CAAC,GAAoB;AACvD,UAAM,aAAuB,CAAC;AAC9B,UAAM,SAAoB,CAAC;AAE3B,QAAI,OAAO,WAAW;AACpB,iBAAW,KAAK,gBAAgB;AAChC,aAAO,KAAK,OAAO,SAAS;AAAA,IAC9B;AACA,QAAI,OAAO,YAAY,QAAW;AAChC,iBAAW,KAAK,aAAa;AAC7B,aAAO,KAAK,OAAO,UAAU,IAAI,CAAC;AAAA,IACpC;AACA,QAAI,OAAO,WAAW;AACpB,iBAAW,KAAK,gBAAgB;AAChC,aAAO,KAAK,OAAO,SAAS;AAAA,IAC9B;AACA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,gBAAgB;AAChC,aAAO,KAAK,OAAO,MAAM,YAAY,CAAC;AAAA,IACxC;AACA,QAAI,OAAO,SAAS;AAClB,iBAAW,KAAK,QAAQ;AACxB,aAAO,KAAK,OAAO,OAAO;AAAA,IAC5B;AAEA,UAAM,cAAc,WAAW,SAAS,IAAI,SAAS,WAAW,KAAK,OAAO,CAAC,KAAK;AAClF,UAAM,QAAQ,OAAO,SAAS;AAC9B,UAAM,SAAS,OAAO,UAAU;AAEhC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA,QAEzB,WAAW;AAAA;AAAA;AAAA,KAGd;AAED,WAAO,KAAK,OAAO,MAAM;AACzB,UAAM,OAAO,KAAK,IAAI,GAAG,MAAM;AAa/B,WAAO,KAAK,IAAI,SAAO,KAAK,aAAa,GAAG,CAAC;AAAA,EAC/C;AAAA,EAEA,qBAAqB,WAAmB,QAAgB,KAAsB;AAC5E,WAAO,KAAK,YAAY,EAAE,WAAW,MAAM,CAAC;AAAA,EAC9C;AAAA,EAEA,gBAAgB,QAAgB,IAAqB;AACnD,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,UAAM,OAAO,KAAK,IAAI,KAAK;AAa3B,WAAO,KAAK,IAAI,SAAO,KAAK,aAAa,GAAG,CAAC;AAAA,EAC/C;AAAA,EAEQ,aAAa,KAWH;AAChB,WAAO;AAAA,MACL,IAAI,IAAI;AAAA,MACR,WAAW,IAAI;AAAA,MACf,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,SAAS,IAAI;AAAA,MACb,SAAS,IAAI,YAAY;AAAA,MACzB,WAAW,IAAI;AAAA,MACf,WAAW,IAAI;AAAA,MACf,aAAa,KAAK,MAAM,IAAI,YAAY;AAAA,MACxC,YAAY,IAAI;AAAA,MAChB,YAAY,KAAK,MAAM,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,OAAoC;AACjD,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA,MAAM,aAAa;AAAA,MACnB;AAAA,MACA,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,UAAU,IAAI;AAAA,IACtB;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,aAAa,QAAgB,KAAK,WAAsC;AACtE,QAAI;AACJ,QAAI;AAEJ,QAAI,WAAW;AACb,aAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,OAKtB;AACD,aAAO,KAAK,IAAI,WAAW,KAAK;AAAA,IAClC,OAAO;AACL,aAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,OAItB;AACD,aAAO,KAAK,IAAI,KAAK;AAAA,IACvB;AAEA,WAAQ,KAUJ,IAAI,UAAQ;AAAA,MACd,IAAI,IAAI;AAAA,MACR,WAAW,IAAI;AAAA,MACf,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,WAAW,IAAI;AAAA,MACf,cAAc,IAAI;AAAA,MAClB,eAAe,IAAI;AAAA,MACnB,WAAW,IAAI;AAAA,MACf,WAAW,IAAI;AAAA,MACf,SAAS,IAAI,YAAY;AAAA,IAC3B,EAAE;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAgB,OAAqC;AACnD,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA,MAAM,kBAAkB,IAAI;AAAA,MAC5B,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM,eAAe;AAAA,IACvB;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,qBAA6C;AAC3C,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAI5B;AAED,UAAM,MAAM,KAAK,IAAI;AAUrB,QAAI,CAAC,IAAK,QAAO;AAEjB,WAAO;AAAA,MACL,IAAI,IAAI;AAAA,MACR,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,iBAAiB,IAAI,qBAAqB;AAAA,MAC1C,aAAa,IAAI;AAAA,MACjB,UAAU,IAAI;AAAA,MACd,OAAO,IAAI;AAAA,MACX,aAAa,IAAI;AAAA,IACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,cAAc,OAAmC;AAC/C,UAAM,KAAK,WAAW;AACtB,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAEzC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN,MAAM,UAAU,UAAU,GAAG,GAAK;AAAA;AAAA,MAClC,MAAM,WAAW,UAAU,GAAG,GAAK;AAAA;AAAA,MACnC,MAAM,YAAY;AAAA,MAClB,MAAM,YAAY,SAAY,OAAQ,MAAM,UAAU,IAAI;AAAA,MAC1D,MAAM;AAAA,MACN,MAAM,YAAY;AAAA,MAClB,MAAM,YAAY;AAAA,IACpB;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,YAAY,SAAwB,CAAC,GAAoB;AACvD,UAAM,aAAuB,CAAC;AAC9B,UAAM,SAAoB,CAAC;AAE3B,QAAI,OAAO,UAAU;AACnB,iBAAW,KAAK,eAAe;AAC/B,aAAO,KAAK,OAAO,QAAQ;AAAA,IAC7B;AACA,QAAI,OAAO,OAAO;AAChB,iBAAW,KAAK,gBAAgB;AAChC,aAAO,KAAK,OAAO,MAAM,YAAY,CAAC;AAAA,IACxC;AAEA,UAAM,cAAc,WAAW,SAAS,IAAI,SAAS,WAAW,KAAK,OAAO,CAAC,KAAK;AAClF,UAAM,QAAQ,OAAO,SAAS;AAC9B,UAAM,SAAS,OAAO,UAAU;AAEhC,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA,QAEzB,WAAW;AAAA;AAAA;AAAA,KAGd;AAED,WAAO,KAAK,OAAO,MAAM;AACzB,UAAM,OAAO,KAAK,IAAI,GAAG,MAAM;AAa/B,WAAO,KAAK,IAAI,UAAQ;AAAA,MACtB,IAAI,IAAI;AAAA,MACR,WAAW,IAAI,KAAK,IAAI,SAAS;AAAA,MACjC,UAAU,IAAI;AAAA,MACd,WAAW,IAAI;AAAA,MACf,YAAY,IAAI;AAAA,MAChB,UAAU,IAAI;AAAA,MACd,SAAS,IAAI,YAAY,OAAO,OAAO,IAAI,YAAY;AAAA,MACvD,KAAK,IAAI;AAAA,MACT,UAAU,IAAI;AAAA,MACd,UAAU,IAAI;AAAA,IAChB,EAAE;AAAA,EACJ;AAAA,EAEA,gBAAgB,QAAgB,IAAqB;AACnD,WAAO,KAAK,YAAY,EAAE,MAAM,CAAC;AAAA,EACnC;AAAA,EAEA,kBAIE;AACA,UAAM,WAAW,KAAK,GAAG,QAAQ,yCAAyC,EAAE,IAAI;AAEhF,UAAM,WAAW,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEhC,EAAE,IAAI;AAEP,UAAM,SAAiC,CAAC;AACxC,eAAW,OAAO,UAAU;AAC1B,aAAO,IAAI,SAAS,IAAI,IAAI;AAAA,IAC9B;AAEA,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,KAAK,GAAI,EAAE,YAAY;AACzE,UAAM,aAAa,KAAK,GAAG,QAAQ;AAAA;AAAA,KAElC,EAAE,IAAI,SAAS;AAEhB,WAAO;AAAA,MACL,WAAW,SAAS;AAAA,MACpB;AAAA,MACA,SAAS,WAAW;AAAA,IACtB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,WAOhB;AAEA,UAAM,WAAW,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEhC,EAAE,IAAI,SAAS;AAGhB,UAAM,aAAa,KAAK,GAAG,QAAQ;AAAA;AAAA,KAElC,EAAE,IAAI,SAAS;AAEhB,UAAM,aAAa,KAAK,GAAG,QAAQ;AAAA;AAAA,KAElC,EAAE,IAAI,SAAS;AAGhB,UAAM,SAAS,KAAK,GAAG,QAAQ;AAAA;AAAA,KAE9B,EAAE,IAAI,SAAS;AAGhB,UAAM,WAAW,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEhC,EAAE,IAAI,SAAS;AAEhB,UAAM,mBAA2C,CAAC;AAClD,eAAW,OAAO,UAAU;AAC1B,uBAAiB,IAAI,UAAU,IAAI,IAAI;AAAA,IACzC;AAGA,UAAM,UAAU,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG/B,EAAE,IAAI,SAAS;AAEhB,WAAO;AAAA,MACL,eAAe,SAAS;AAAA,MACxB,iBAAiB,WAAW;AAAA,MAC5B,iBAAiB,WAAW;AAAA,MAC5B,cAAc,OAAO,OAAO;AAAA,MAC5B;AAAA,MACA,aAAa;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,WAA2B;AAEzB,UAAM,iBAAiB,KAAK,GAAG,QAAQ,sCAAsC,EAAE,IAAI;AAGnF,UAAM,aAAa,KAAK,GAAG,QAAQ;AAAA;AAAA,KAElC,EAAE,IAAI;AAEP,UAAM,iBAAyC,CAAC;AAChD,eAAW,OAAO,YAAY;AAC5B,qBAAe,IAAI,MAAM,IAAI,IAAI;AAAA,IACnC;AAGA,UAAM,YAAY,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEjC,EAAE,IAAI;AAEP,UAAM,gBAAwC,CAAC;AAC/C,eAAW,OAAO,WAAW;AAC3B,oBAAc,IAAI,KAAK,IAAI,IAAI;AAAA,IACjC;AAGA,UAAM,mBAAmB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAExC,EAAE,IAAI;AAGP,UAAM,oBAAoB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEzC,EAAE,IAAI;AAGP,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,KAAK,GAAI,EAAE,YAAY;AACzE,UAAM,qBAAqB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAE1C,EAAE,IAAI,SAAS;AAGhB,UAAM,oBAAoB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEzC,EAAE,IAAI;AAGP,UAAM,aAAa,oBAAI,KAAK;AAC5B,eAAW,SAAS,GAAG,GAAG,GAAG,CAAC;AAC9B,UAAM,mBAAmB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAExC,EAAE,IAAI,WAAW,YAAY,CAAC;AAG/B,UAAM,qBAAqB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAE1C,EAAE,IAAI,WAAW,YAAY,CAAC;AAG/B,UAAM,aAAa,KAAK,GAAG,QAAQ;AAAA;AAAA,KAElC,EAAE,IAAI,SAAS;AAGhB,UAAM,eAAe,KAAK,mBAAmB;AAC7C,QAAI,eAAyD;AAC7D,QAAI,cAAc;AAChB,qBAAe,aAAa,kBAAkB,cAAc;AAAA,IAC9D;AAEA,WAAO;AAAA,MACL,aAAa,eAAe;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,eAAe,iBAAiB;AAAA,MAChC,gBAAgB,kBAAkB;AAAA,MAClC,iBAAiB,mBAAmB;AAAA,MACpC,gBAAgB,kBAAkB;AAAA,MAClC,eAAe,iBAAiB;AAAA,MAChC,iBAAiB,mBAAmB;AAAA,MACpC,iBAAiB,WAAW,OAAO;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,gBAAwB,IAAY;AAC1C,UAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,gBAAgB,KAAK,KAAK,KAAK,GAAI,EAAE,YAAY;AAEtF,UAAM,gBAAgB,KAAK,GAAG,QAAQ,wCAAwC,EAAE,IAAI,MAAM,EAAE;AAC5F,UAAM,mBAAmB,KAAK,GAAG,QAAQ,kDAAkD,EAAE,IAAI,MAAM,EAAE;AACzG,UAAM,gBAAgB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAErC,EAAE,IAAI,MAAM,EAAE;AACf,UAAM,mBAAmB,KAAK,GAAG,QAAQ,gDAAgD,EAAE,IAAI,MAAM,EAAE;AAGvG,UAAM,kBAAkB,KAAK,GAAG,QAAQ,0CAA0C,EAAE,IAAI,MAAM,EAAE;AAChG,UAAM,kBAAkB,KAAK,GAAG,QAAQ;AAAA;AAAA,KAEvC,EAAE,IAAI,MAAM,EAAE;AACf,UAAM,mBAAmB,KAAK,GAAG,QAAQ,4CAA4C,EAAE,IAAI,MAAM,EAAE;AACnG,UAAM,mBAAmB,KAAK,GAAG,QAAQ,4CAA4C,EAAE,IAAI,MAAM,EAAE;AACnG,UAAM,kBAAkB,KAAK,GAAG,QAAQ,2CAA2C,EAAE,IAAI,MAAM,EAAE;AAEjG,WAAO,gBAAgB,mBAAmB,gBAAgB,mBACnD,kBAAkB,kBAAkB,mBAAmB,mBAAmB;AAAA,EACnF;AAAA,EAEA,QAAc;AACZ,SAAK,GAAG,MAAM;AAAA,EAChB;AACF;AAEA,IAAO,aAAQ;","names":[]}
package/dist/{chunk-GD5VNHIN.js → chunk-QWZGB4V3.js} RENAMED
@@ -1,4 +1,7 @@
1
1
  #!/usr/bin/env node
2
+ import {
3
+ isAllowedForSession
4
+ } from "./chunk-FRMAIRQ2.js";
2
5
 
3
6
  // src/policy/command-filter.ts
4
7
  var CommandFilter = class {
@@ -356,86 +359,6 @@ var RateLimiter = class {
356
359
  }
357
360
  };
358
361
 
359
- // src/session.ts
360
- import { existsSync as existsSync2, readFileSync, writeFileSync, mkdirSync } from "fs";
361
- import { join } from "path";
362
- import { homedir as homedir2 } from "os";
363
- var SESSION_FILE = join(homedir2(), ".bashbros", "session-allow.json");
364
- function ensureDir() {
365
- const dir = join(homedir2(), ".bashbros");
366
- if (!existsSync2(dir)) {
367
- mkdirSync(dir, { recursive: true, mode: 448 });
368
- }
369
- }
370
- function loadSession() {
371
- try {
372
- if (!existsSync2(SESSION_FILE)) {
373
- return null;
374
- }
375
- const data = JSON.parse(readFileSync(SESSION_FILE, "utf-8"));
376
- if (data.pid !== process.pid) {
377
- const age = Date.now() - data.startTime;
378
- if (age > 24 * 60 * 60 * 1e3) {
379
- return null;
380
- }
381
- }
382
- return data;
383
- } catch {
384
- return null;
385
- }
386
- }
387
- function saveSession(data) {
388
- ensureDir();
389
- writeFileSync(SESSION_FILE, JSON.stringify(data, null, 2), { mode: 384 });
390
- }
391
- function getOrCreateSession() {
392
- const existing = loadSession();
393
- if (existing) {
394
- return existing;
395
- }
396
- const newSession = {
397
- pid: process.pid,
398
- startTime: Date.now(),
399
- allowedCommands: []
400
- };
401
- saveSession(newSession);
402
- return newSession;
403
- }
404
- function allowForSession(command) {
405
- const session = getOrCreateSession();
406
- if (!session.allowedCommands.includes(command)) {
407
- session.allowedCommands.push(command);
408
- saveSession(session);
409
- }
410
- }
411
- function isAllowedForSession(command) {
412
- const session = loadSession();
413
- if (!session) {
414
- return false;
415
- }
416
- if (session.allowedCommands.includes(command)) {
417
- return true;
418
- }
419
- for (const allowed of session.allowedCommands) {
420
- if (allowed.endsWith("*")) {
421
- const prefix = allowed.slice(0, -1);
422
- if (command.startsWith(prefix)) {
423
- return true;
424
- }
425
- }
426
- }
427
- return false;
428
- }
429
- function getSessionAllowlist() {
430
- const session = loadSession();
431
- return session?.allowedCommands || [];
432
- }
433
- function clearSessionAllowlist() {
434
- const session = getOrCreateSession();
435
- session.allowedCommands = [];
436
- saveSession(session);
437
- }
438
-
439
362
  // src/policy/engine.ts
440
363
  var PolicyEngine = class {
441
364
  constructor(config) {
@@ -510,10 +433,6 @@ export {
510
433
  PathSandbox,
511
434
  SecretsGuard,
512
435
  RateLimiter,
513
- allowForSession,
514
- isAllowedForSession,
515
- getSessionAllowlist,
516
- clearSessionAllowlist,
517
436
  PolicyEngine
518
437
  };
519
- //# sourceMappingURL=chunk-GD5VNHIN.js.map
438
+ //# sourceMappingURL=chunk-QWZGB4V3.js.map
package/dist/chunk-QWZGB4V3.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/policy/command-filter.ts","../src/policy/path-sandbox.ts","../src/policy/secrets-guard.ts","../src/policy/rate-limiter.ts","../src/policy/engine.ts"],"sourcesContent":["import type { CommandPolicy, PolicyViolation } from '../types.js'\r\n\r\nexport class CommandFilter {\r\n private allowPatterns: RegExp[]\r\n private blockPatterns: RegExp[]\r\n\r\n constructor(private policy: CommandPolicy) {\r\n this.allowPatterns = policy.allow.map(p => this.globToRegex(p))\r\n this.blockPatterns = policy.block.map(p => this.globToRegex(p))\r\n }\r\n\r\n check(command: string): PolicyViolation | null {\r\n // Check block list first (higher priority)\r\n for (let i = 0; i < this.blockPatterns.length; i++) {\r\n if (this.blockPatterns[i].test(command)) {\r\n return {\r\n type: 'command',\r\n rule: `block[${i}]: ${this.policy.block[i]}`,\r\n message: `Command matches blocked pattern: ${this.policy.block[i]}`\r\n }\r\n }\r\n }\r\n\r\n // If allow list is empty or contains '*', allow by default\r\n if (this.policy.allow.length === 0 || this.policy.allow.includes('*')) {\r\n return null\r\n }\r\n\r\n // Check if command matches any allow pattern\r\n const allowed = this.allowPatterns.some(pattern => pattern.test(command))\r\n\r\n if (!allowed) {\r\n return {\r\n type: 'command',\r\n rule: 'allow (no match)',\r\n message: 'Command not in allowlist'\r\n }\r\n }\r\n\r\n return null\r\n }\r\n\r\n private globToRegex(glob: string): RegExp {\r\n // Escape special regex chars except *\r\n const escaped = glob\r\n .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&')\r\n .replace(/\\*/g, '.*')\r\n\r\n return new RegExp(`^${escaped}$`, 'i')\r\n }\r\n}\r\n","import { resolve } from 'path'\nimport { homedir } from 'os'\nimport { realpathSync, lstatSync, existsSync } from 'fs'\nimport type { PathPolicy, PolicyViolation } from '../types.js'\n\nexport class PathSandbox {\n private allowedPaths: string[]\n private blockedPaths: string[]\n\n constructor(private policy: PathPolicy) {\n this.allowedPaths = policy.allow.map(p => this.normalizePath(p))\n this.blockedPaths = policy.block.map(p => this.normalizePath(p))\n }\n\n check(path: string): PolicyViolation | null {\n // SECURITY: Resolve symlinks to get real path\n const { realPath, isSymlink } = this.resolvePath(path)\n\n // Check for symlink attacks\n if (isSymlink) {\n const originalNormalized = this.normalizePath(path)\n // If symlink points outside of where it appears to be, block it\n if (!realPath.startsWith(originalNormalized.split('/')[0])) {\n return {\n type: 'path',\n rule: 'symlink_escape',\n message: `Symlink escape detected: ${path} -> ${realPath}`\n }\n }\n }\n\n // Check block list first (use real path)\n for (const blocked of this.blockedPaths) {\n if (realPath.startsWith(blocked) || realPath === blocked) {\n return {\n type: 'path',\n rule: `block: ${blocked}`,\n message: `Access to path is blocked: ${path}`\n }\n }\n }\n\n // If allow list contains '*', allow anything not blocked\n if (this.policy.allow.includes('*')) {\n return null\n }\n\n // Check if real path is within allowed directories\n const allowed = this.allowedPaths.some(\n allowedPath =>\n realPath.startsWith(allowedPath) || realPath === allowedPath\n )\n\n if (!allowed) {\n return {\n type: 'path',\n rule: 'allow (outside sandbox)',\n message: `Path is outside allowed directories: ${path}`\n }\n }\n\n return null\n }\n\n /**\n * SECURITY FIX: Resolve symlinks to detect escape attempts\n */\n private resolvePath(path: string): { realPath: string; isSymlink: boolean } {\n const normalizedPath = this.normalizePath(path)\n\n try {\n // Check if path exists and is a symlink\n if (existsSync(normalizedPath)) {\n const stats = lstatSync(normalizedPath)\n const isSymlink = stats.isSymbolicLink()\n\n // Get real path (follows symlinks)\n const realPath = realpathSync(normalizedPath)\n\n return { realPath, isSymlink }\n }\n } catch {\n // Path doesn't exist yet or can't be accessed\n }\n\n return { realPath: normalizedPath, isSymlink: false }\n }\n\n private normalizePath(path: string): string {\n // Expand ~ to home directory\n if (path.startsWith('~')) {\n path = path.replace('~', homedir())\n }\n\n // Handle . as current directory\n if (path === '.') {\n return process.cwd()\n }\n\n return resolve(path)\n }\n\n /**\n * Check if a path would escape the sandbox via symlink\n */\n isSymlinkEscape(path: string): boolean {\n const { realPath, isSymlink } = this.resolvePath(path)\n\n if (!isSymlink) return false\n\n // Check if real path is in blocked list\n for (const blocked of this.blockedPaths) {\n if (realPath.startsWith(blocked)) {\n return true\n }\n }\n\n // Check if real path escapes allowed directories\n if (!this.policy.allow.includes('*')) {\n const inAllowed = this.allowedPaths.some(\n allowedPath => realPath.startsWith(allowedPath)\n )\n if (!inAllowed) {\n return true\n }\n }\n\n return false\n }\n}\n","import type { SecretsPolicy, PolicyViolation } from '../types.js'\n\nexport class SecretsGuard {\n private patterns: RegExp[]\n\n constructor(private policy: SecretsPolicy) {\n this.patterns = policy.patterns.map(p => this.globToRegex(p))\n }\n\n check(command: string, paths: string[]): PolicyViolation | null {\n if (!this.policy.enabled) {\n return null\n }\n\n // Check command for secret file access\n for (const path of paths) {\n if (this.isSecretPath(path)) {\n return {\n type: 'secrets',\n rule: `pattern match: ${path}`,\n message: `Attempted access to sensitive file: ${path}`\n }\n }\n }\n\n // Check for common secret-leaking patterns in commands\n // SECURITY FIX: Enhanced patterns to catch bypass attempts\n const dangerousPatterns = [\n // Direct file access (multiple readers)\n /(cat|head|tail|less|more|bat)\\s+.*\\.env/i,\n /(cat|head|tail|less|more|bat)\\s+.*\\.pem/i,\n /(cat|head|tail|less|more|bat)\\s+.*\\.key/i,\n /(cat|head|tail|less|more|bat)\\s+.*credentials/i,\n /(cat|head|tail|less|more|bat)\\s+.*secret/i,\n /(cat|head|tail|less|more|bat)\\s+.*password/i,\n /(cat|head|tail|less|more|bat)\\s+.*token/i,\n\n // Python/Perl/Ruby file readers\n /python.*open\\s*\\(.*\\.(env|pem|key)/i,\n /python.*-c.*open/i,\n /perl.*-[pne].*\\.(env|pem|key)/i,\n /ruby.*-e.*File\\.(read|open)/i,\n\n // Environment variable exposure\n /echo\\s+\\$\\w*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|API)/i,\n /printenv.*(KEY|SECRET|TOKEN|PASSWORD)/i,\n /env\\s*\\|\\s*grep.*(KEY|SECRET|TOKEN|PASSWORD)/i,\n\n // Curl/wget with secrets\n /curl.*-d.*\\$\\w*(KEY|SECRET|TOKEN)/i,\n /curl.*-H.*Authorization/i,\n /wget.*--header.*Authorization/i,\n\n // Base64 encoding (obfuscation attempt)\n /base64.*\\.env/i,\n /base64.*\\.pem/i,\n /base64.*\\.key/i,\n /base64\\s+-d/i, // Decoding could reveal secrets\n\n // SECURITY FIX: Command substitution bypass attempts\n /cat\\s+\\$\\(/i, // cat $(...)\n /cat\\s+`/i, // cat `...`\n /cat\\s+\\$\\{/i, // cat ${...}\n\n // SECURITY FIX: Variable indirection\n /\\w+=.*\\.env.*;\\s*cat\\s+\\$/i, // VAR=.env; cat $VAR\n /\\w+=.*secret.*;\\s*cat\\s+\\$/i,\n\n // SECURITY FIX: Glob expansion bypass\n /cat\\s+\\*env/i, // cat *env\n /cat\\s+\\.\\*env/i, // cat .*env\n /cat\\s+\\?\\?env/i, // cat ??env\n\n // SECURITY FIX: Printf/echo tricks\n /printf\\s+.*\\\\x/i, // Hex encoding\n /echo\\s+-e.*\\\\x/i, // Echo with hex\n /echo\\s+-e.*\\\\[0-7]/i, // Octal encoding\n\n // SECURITY FIX: Here-doc/here-string\n /cat\\s*<<.*\\.env/i,\n /cat\\s*<<<.*secret/i,\n\n // Process substitution\n /cat\\s+<\\(/i, // cat <(...)\n\n // History/log access\n /cat.*\\.bash_history/i,\n /cat.*\\.zsh_history/i,\n /cat.*history/i,\n\n // AWS/cloud credentials\n /cat.*\\.aws\\/credentials/i,\n /cat.*\\.aws\\/config/i,\n /cat.*\\.kube\\/config/i,\n /cat.*\\.docker\\/config/i,\n\n // SSH keys\n /cat.*id_rsa/i,\n /cat.*id_ed25519/i,\n /cat.*id_ecdsa/i,\n /cat.*known_hosts/i,\n /cat.*authorized_keys/i,\n\n // GPG\n /cat.*\\.gnupg/i,\n /gpg.*--export-secret/i,\n\n // Git credentials\n /cat.*\\.git-credentials/i,\n /cat.*\\.netrc/i,\n\n // Database files\n /cat.*\\.pgpass/i,\n /cat.*\\.my\\.cnf/i,\n ]\n\n for (const pattern of dangerousPatterns) {\n if (pattern.test(command)) {\n return {\n type: 'secrets',\n rule: 'dangerous pattern',\n message: 'Command may expose secrets'\n }\n }\n }\n\n // SECURITY FIX: Check for encoded commands\n if (this.containsEncodedSecretAccess(command)) {\n return {\n type: 'secrets',\n rule: 'encoded command',\n message: 'Command contains encoded secret access attempt'\n }\n }\n\n return null\n }\n\n /**\n * SECURITY FIX: Detect base64/hex encoded secret access\n */\n private containsEncodedSecretAccess(command: string): boolean {\n // Check for base64 encoded sensitive paths\n const sensitiveBase64 = [\n 'LmVudg==', // .env\n 'LnBlbQ==', // .pem\n 'LmtleQ==', // .key\n 'aWRfcnNh', // id_rsa\n 'Y3JlZGVudGlhbHM=', // credentials\n 'c2VjcmV0', // secret\n ]\n\n for (const encoded of sensitiveBase64) {\n if (command.includes(encoded)) {\n return true\n }\n }\n\n // Check for hex encoded paths\n const sensitiveHex = [\n '2e656e76', // .env\n '2e70656d', // .pem\n '2e6b6579', // .key\n '69645f727361', // id_rsa\n ]\n\n for (const hex of sensitiveHex) {\n if (command.toLowerCase().includes(hex)) {\n return true\n }\n }\n\n return false\n }\n\n private isSecretPath(path: string): boolean {\n const lowerPath = path.toLowerCase()\n\n return this.patterns.some(pattern => pattern.test(lowerPath))\n }\n\n private globToRegex(glob: string): RegExp {\n const escaped = glob\n .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&')\n .replace(/\\*/g, '.*')\n\n return new RegExp(escaped, 'i')\n }\n}\n","import type { RateLimitPolicy, PolicyViolation } from '../types.js'\r\n\r\nexport class RateLimiter {\r\n private minuteWindow: number[] = []\r\n private hourWindow: number[] = []\r\n\r\n constructor(private policy: RateLimitPolicy) {}\r\n\r\n check(): PolicyViolation | null {\r\n if (!this.policy.enabled) {\r\n return null\r\n }\r\n\r\n const now = Date.now()\r\n this.cleanup(now)\r\n\r\n // Check per-minute limit\r\n if (this.minuteWindow.length >= this.policy.maxPerMinute) {\r\n return {\r\n type: 'rate_limit',\r\n rule: `maxPerMinute: ${this.policy.maxPerMinute}`,\r\n message: `Rate limit exceeded: ${this.minuteWindow.length}/${this.policy.maxPerMinute} commands per minute`\r\n }\r\n }\r\n\r\n // Check per-hour limit\r\n if (this.hourWindow.length >= this.policy.maxPerHour) {\r\n return {\r\n type: 'rate_limit',\r\n rule: `maxPerHour: ${this.policy.maxPerHour}`,\r\n message: `Rate limit exceeded: ${this.hourWindow.length}/${this.policy.maxPerHour} commands per hour`\r\n }\r\n }\r\n\r\n return null\r\n }\r\n\r\n record(): void {\r\n const now = Date.now()\r\n this.minuteWindow.push(now)\r\n this.hourWindow.push(now)\r\n }\r\n\r\n private cleanup(now: number): void {\r\n const oneMinuteAgo = now - 60 * 1000\r\n const oneHourAgo = now - 60 * 60 * 1000\r\n\r\n this.minuteWindow = this.minuteWindow.filter(t => t > oneMinuteAgo)\r\n this.hourWindow = this.hourWindow.filter(t => t > oneHourAgo)\r\n }\r\n\r\n getStats(): { minute: number; hour: number } {\r\n const now = Date.now()\r\n this.cleanup(now)\r\n\r\n return {\r\n minute: this.minuteWindow.length,\r\n hour: this.hourWindow.length\r\n }\r\n }\r\n}\r\n","import type { BashBrosConfig, PolicyViolation } from '../types.js'\r\nimport { CommandFilter } from './command-filter.js'\r\nimport { PathSandbox } from './path-sandbox.js'\r\nimport { SecretsGuard } from './secrets-guard.js'\r\nimport { RateLimiter } from './rate-limiter.js'\r\nimport { isAllowedForSession } from '../session.js'\r\n\r\nexport class PolicyEngine {\r\n private commandFilter: CommandFilter\r\n private pathSandbox: PathSandbox\r\n private secretsGuard: SecretsGuard\r\n private rateLimiter: RateLimiter\r\n\r\n constructor(private config: BashBrosConfig) {\r\n this.commandFilter = new CommandFilter(config.commands)\r\n this.pathSandbox = new PathSandbox(config.paths)\r\n this.secretsGuard = new SecretsGuard(config.secrets)\r\n this.rateLimiter = new RateLimiter(config.rateLimit)\r\n }\r\n\r\n validate(command: string): PolicyViolation[] {\r\n const violations: PolicyViolation[] = []\r\n\r\n // Check rate limit first\r\n const rateViolation = this.rateLimiter.check()\r\n if (rateViolation) {\r\n violations.push(rateViolation)\r\n return violations // Early exit on rate limit\r\n }\r\n\r\n // Check session allowlist first (temporary permissions)\r\n if (isAllowedForSession(command)) {\r\n this.rateLimiter.record()\r\n return [] // Allowed for this session\r\n }\r\n\r\n // Check command against allow/block lists\r\n const commandViolation = this.commandFilter.check(command)\r\n if (commandViolation) {\r\n violations.push(commandViolation)\r\n }\r\n\r\n // Extract paths from command and check sandbox\r\n const paths = this.extractPaths(command)\r\n for (const path of paths) {\r\n const pathViolation = this.pathSandbox.check(path)\r\n if (pathViolation) {\r\n violations.push(pathViolation)\r\n }\r\n }\r\n\r\n // Check for secrets access\r\n if (this.config.secrets.enabled) {\r\n const secretsViolation = this.secretsGuard.check(command, paths)\r\n if (secretsViolation) {\r\n violations.push(secretsViolation)\r\n }\r\n }\r\n\r\n // Record for rate limiting\r\n this.rateLimiter.record()\r\n\r\n return violations\r\n }\r\n\r\n private extractPaths(command: string): string[] {\r\n const paths: string[] = []\r\n\r\n // Remove quotes for analysis but preserve content\r\n const unquoted = command.replace(/[\"']/g, ' ')\r\n\r\n // Simple path extraction - look for file-like arguments\r\n const tokens = unquoted.split(/\\s+/)\r\n\r\n for (const token of tokens) {\r\n // Skip flags and empty tokens\r\n if (token.startsWith('-') || !token) continue\r\n\r\n // Check if it looks like a path\r\n if (\r\n token.startsWith('/') ||\r\n token.startsWith('./') ||\r\n token.startsWith('../') ||\r\n token.startsWith('~/') ||\r\n token.startsWith('$HOME') ||\r\n token.startsWith('${HOME}') ||\r\n token.includes('.env') ||\r\n token.includes('.pem') ||\r\n token.includes('.key') ||\r\n token.includes('.ssh') ||\r\n token.includes('.aws') ||\r\n token.includes('.gnupg') ||\r\n token.includes('.kube') ||\r\n token.includes('credentials') ||\r\n token.includes('secret') ||\r\n token.includes('password') ||\r\n token.includes('id_rsa') ||\r\n token.includes('id_ed25519') ||\r\n // Files with extensions that might be sensitive\r\n /\\.(env|pem|key|crt|pfx|p12|jks|keystore)$/i.test(token)\r\n ) {\r\n paths.push(token)\r\n }\r\n }\r\n\r\n // Also extract paths from variable assignments\r\n const varAssignments = command.match(/\\w+=[^\\s;]+/g) || []\r\n for (const assignment of varAssignments) {\r\n const value = assignment.split('=')[1]\r\n if (value && (value.includes('/') || value.includes('.'))) {\r\n paths.push(value)\r\n }\r\n }\r\n\r\n return paths\r\n }\r\n\r\n isAllowed(command: string): boolean {\r\n return this.validate(command).length === 0\r\n }\r\n}\r\n"],"mappings":";;;;;;AAEO,IAAM,gBAAN,MAAoB;AAAA,EAIzB,YAAoB,QAAuB;AAAvB;AAClB,SAAK,gBAAgB,OAAO,MAAM,IAAI,OAAK,KAAK,YAAY,CAAC,CAAC;AAC9D,SAAK,gBAAgB,OAAO,MAAM,IAAI,OAAK,KAAK,YAAY,CAAC,CAAC;AAAA,EAChE;AAAA,EANQ;AAAA,EACA;AAAA,EAOR,MAAM,SAAyC;AAE7C,aAAS,IAAI,GAAG,IAAI,KAAK,cAAc,QAAQ,KAAK;AAClD,UAAI,KAAK,cAAc,CAAC,EAAE,KAAK,OAAO,GAAG;AACvC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM,SAAS,CAAC,MAAM,KAAK,OAAO,MAAM,CAAC,CAAC;AAAA,UAC1C,SAAS,oCAAoC,KAAK,OAAO,MAAM,CAAC,CAAC;AAAA,QACnE;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,MAAM,WAAW,KAAK,KAAK,OAAO,MAAM,SAAS,GAAG,GAAG;AACrE,aAAO;AAAA,IACT;AAGA,UAAM,UAAU,KAAK,cAAc,KAAK,aAAW,QAAQ,KAAK,OAAO,CAAC;AAExE,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,YAAY,MAAsB;AAExC,UAAM,UAAU,KACb,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,IAAI;AAEtB,WAAO,IAAI,OAAO,IAAI,OAAO,KAAK,GAAG;AAAA,EACvC;AACF;;;AClDA,SAAS,eAAe;AACxB,SAAS,eAAe;AACxB,SAAS,cAAc,WAAW,kBAAkB;AAG7C,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAoB,QAAoB;AAApB;AAClB,SAAK,eAAe,OAAO,MAAM,IAAI,OAAK,KAAK,cAAc,CAAC,CAAC;AAC/D,SAAK,eAAe,OAAO,MAAM,IAAI,OAAK,KAAK,cAAc,CAAC,CAAC;AAAA,EACjE;AAAA,EANQ;AAAA,EACA;AAAA,EAOR,MAAM,MAAsC;AAE1C,UAAM,EAAE,UAAU,UAAU,IAAI,KAAK,YAAY,IAAI;AAGrD,QAAI,WAAW;AACb,YAAM,qBAAqB,KAAK,cAAc,IAAI;AAElD,UAAI,CAAC,SAAS,WAAW,mBAAmB,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG;AAC1D,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,SAAS,4BAA4B,IAAI,OAAO,QAAQ;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAGA,eAAW,WAAW,KAAK,cAAc;AACvC,UAAI,SAAS,WAAW,OAAO,KAAK,aAAa,SAAS;AACxD,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM,UAAU,OAAO;AAAA,UACvB,SAAS,8BAA8B,IAAI;AAAA,QAC7C;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,MAAM,SAAS,GAAG,GAAG;AACnC,aAAO;AAAA,IACT;AAGA,UAAM,UAAU,KAAK,aAAa;AAAA,MAChC,iBACE,SAAS,WAAW,WAAW,KAAK,aAAa;AAAA,IACrD;AAEA,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS,wCAAwC,IAAI;AAAA,MACvD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAwD;AAC1E,UAAM,iBAAiB,KAAK,cAAc,IAAI;AAE9C,QAAI;AAEF,UAAI,WAAW,cAAc,GAAG;AAC9B,cAAM,QAAQ,UAAU,cAAc;AACtC,cAAM,YAAY,MAAM,eAAe;AAGvC,cAAM,WAAW,aAAa,cAAc;AAE5C,eAAO,EAAE,UAAU,UAAU;AAAA,MAC/B;AAAA,IACF,QAAQ;AAAA,IAER;AAEA,WAAO,EAAE,UAAU,gBAAgB,WAAW,MAAM;AAAA,EACtD;AAAA,EAEQ,cAAc,MAAsB;AAE1C,QAAI,KAAK,WAAW,GAAG,GAAG;AACxB,aAAO,KAAK,QAAQ,KAAK,QAAQ,CAAC;AAAA,IACpC;AAGA,QAAI,SAAS,KAAK;AAChB,aAAO,QAAQ,IAAI;AAAA,IACrB;AAEA,WAAO,QAAQ,IAAI;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,MAAuB;AACrC,UAAM,EAAE,UAAU,UAAU,IAAI,KAAK,YAAY,IAAI;AAErD,QAAI,CAAC,UAAW,QAAO;AAGvB,eAAW,WAAW,KAAK,cAAc;AACvC,UAAI,SAAS,WAAW,OAAO,GAAG;AAChC,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,CAAC,KAAK,OAAO,MAAM,SAAS,GAAG,GAAG;AACpC,YAAM,YAAY,KAAK,aAAa;AAAA,QAClC,iBAAe,SAAS,WAAW,WAAW;AAAA,MAChD;AACA,UAAI,CAAC,WAAW;AACd,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AC/HO,IAAM,eAAN,MAAmB;AAAA,EAGxB,YAAoB,QAAuB;AAAvB;AAClB,SAAK,WAAW,OAAO,SAAS,IAAI,OAAK,KAAK,YAAY,CAAC,CAAC;AAAA,EAC9D;AAAA,EAJQ;AAAA,EAMR,MAAM,SAAiB,OAAyC;AAC9D,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO;AAAA,IACT;AAGA,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,aAAa,IAAI,GAAG;AAC3B,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM,kBAAkB,IAAI;AAAA,UAC5B,SAAS,uCAAuC,IAAI;AAAA,QACtD;AAAA,MACF;AAAA,IACF;AAIA,UAAM,oBAAoB;AAAA;AAAA,MAExB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,IACF;AAEA,eAAW,WAAW,mBAAmB;AACvC,UAAI,QAAQ,KAAK,OAAO,GAAG;AACzB,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,4BAA4B,OAAO,GAAG;AAC7C,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,4BAA4B,SAA0B;AAE5D,UAAM,kBAAkB;AAAA,MACtB;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,IACF;AAEA,eAAW,WAAW,iBAAiB;AACrC,UAAI,QAAQ,SAAS,OAAO,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAGA,UAAM,eAAe;AAAA,MACnB;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,IACF;AAEA,eAAW,OAAO,cAAc;AAC9B,UAAI,QAAQ,YAAY,EAAE,SAAS,GAAG,GAAG;AACvC,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,MAAuB;AAC1C,UAAM,YAAY,KAAK,YAAY;AAEnC,WAAO,KAAK,SAAS,KAAK,aAAW,QAAQ,KAAK,SAAS,CAAC;AAAA,EAC9D;AAAA,EAEQ,YAAY,MAAsB;AACxC,UAAM,UAAU,KACb,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,IAAI;AAEtB,WAAO,IAAI,OAAO,SAAS,GAAG;AAAA,EAChC;AACF;;;AC1LO,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAoB,QAAyB;AAAzB;AAAA,EAA0B;AAAA,EAHtC,eAAyB,CAAC;AAAA,EAC1B,aAAuB,CAAC;AAAA,EAIhC,QAAgC;AAC9B,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO;AAAA,IACT;AAEA,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,QAAQ,GAAG;AAGhB,QAAI,KAAK,aAAa,UAAU,KAAK,OAAO,cAAc;AACxD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM,iBAAiB,KAAK,OAAO,YAAY;AAAA,QAC/C,SAAS,wBAAwB,KAAK,aAAa,MAAM,IAAI,KAAK,OAAO,YAAY;AAAA,MACvF;AAAA,IACF;AAGA,QAAI,KAAK,WAAW,UAAU,KAAK,OAAO,YAAY;AACpD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM,eAAe,KAAK,OAAO,UAAU;AAAA,QAC3C,SAAS,wBAAwB,KAAK,WAAW,MAAM,IAAI,KAAK,OAAO,UAAU;AAAA,MACnF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,SAAe;AACb,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,aAAa,KAAK,GAAG;AAC1B,SAAK,WAAW,KAAK,GAAG;AAAA,EAC1B;AAAA,EAEQ,QAAQ,KAAmB;AACjC,UAAM,eAAe,MAAM,KAAK;AAChC,UAAM,aAAa,MAAM,KAAK,KAAK;AAEnC,SAAK,eAAe,KAAK,aAAa,OAAO,OAAK,IAAI,YAAY;AAClE,SAAK,aAAa,KAAK,WAAW,OAAO,OAAK,IAAI,UAAU;AAAA,EAC9D;AAAA,EAEA,WAA6C;AAC3C,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,QAAQ,GAAG;AAEhB,WAAO;AAAA,MACL,QAAQ,KAAK,aAAa;AAAA,MAC1B,MAAM,KAAK,WAAW;AAAA,IACxB;AAAA,EACF;AACF;;;ACrDO,IAAM,eAAN,MAAmB;AAAA,EAMxB,YAAoB,QAAwB;AAAxB;AAClB,SAAK,gBAAgB,IAAI,cAAc,OAAO,QAAQ;AACtD,SAAK,cAAc,IAAI,YAAY,OAAO,KAAK;AAC/C,SAAK,eAAe,IAAI,aAAa,OAAO,OAAO;AACnD,SAAK,cAAc,IAAI,YAAY,OAAO,SAAS;AAAA,EACrD;AAAA,EAVQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EASR,SAAS,SAAoC;AAC3C,UAAM,aAAgC,CAAC;AAGvC,UAAM,gBAAgB,KAAK,YAAY,MAAM;AAC7C,QAAI,eAAe;AACjB,iBAAW,KAAK,aAAa;AAC7B,aAAO;AAAA,IACT;AAGA,QAAI,oBAAoB,OAAO,GAAG;AAChC,WAAK,YAAY,OAAO;AACxB,aAAO,CAAC;AAAA,IACV;AAGA,UAAM,mBAAmB,KAAK,cAAc,MAAM,OAAO;AACzD,QAAI,kBAAkB;AACpB,iBAAW,KAAK,gBAAgB;AAAA,IAClC;AAGA,UAAM,QAAQ,KAAK,aAAa,OAAO;AACvC,eAAW,QAAQ,OAAO;AACxB,YAAM,gBAAgB,KAAK,YAAY,MAAM,IAAI;AACjD,UAAI,eAAe;AACjB,mBAAW,KAAK,aAAa;AAAA,MAC/B;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,QAAQ,SAAS;AAC/B,YAAM,mBAAmB,KAAK,aAAa,MAAM,SAAS,KAAK;AAC/D,UAAI,kBAAkB;AACpB,mBAAW,KAAK,gBAAgB;AAAA,MAClC;AAAA,IACF;AAGA,SAAK,YAAY,OAAO;AAExB,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,SAA2B;AAC9C,UAAM,QAAkB,CAAC;AAGzB,UAAM,WAAW,QAAQ,QAAQ,SAAS,GAAG;AAG7C,UAAM,SAAS,SAAS,MAAM,KAAK;AAEnC,eAAW,SAAS,QAAQ;AAE1B,UAAI,MAAM,WAAW,GAAG,KAAK,CAAC,MAAO;AAGrC,UACE,MAAM,WAAW,GAAG,KACpB,MAAM,WAAW,IAAI,KACrB,MAAM,WAAW,KAAK,KACtB,MAAM,WAAW,IAAI,KACrB,MAAM,WAAW,OAAO,KACxB,MAAM,WAAW,SAAS,KAC1B,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,QAAQ,KACvB,MAAM,SAAS,OAAO,KACtB,MAAM,SAAS,aAAa,KAC5B,MAAM,SAAS,QAAQ,KACvB,MAAM,SAAS,UAAU,KACzB,MAAM,SAAS,QAAQ,KACvB,MAAM,SAAS,YAAY;AAAA,MAE3B,6CAA6C,KAAK,KAAK,GACvD;AACA,cAAM,KAAK,KAAK;AAAA,MAClB;AAAA,IACF;AAGA,UAAM,iBAAiB,QAAQ,MAAM,cAAc,KAAK,CAAC;AACzD,eAAW,cAAc,gBAAgB;AACvC,YAAM,QAAQ,WAAW,MAAM,GAAG,EAAE,CAAC;AACrC,UAAI,UAAU,MAAM,SAAS,GAAG,KAAK,MAAM,SAAS,GAAG,IAAI;AACzD,cAAM,KAAK,KAAK;AAAA,MAClB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,UAAU,SAA0B;AAClC,WAAO,KAAK,SAAS,OAAO,EAAE,WAAW;AAAA,EAC3C;AACF;","names":[]}