create-agentfs 0.1.1

package/dist/memory/procedural.js

@@ -0,0 +1,126 @@
+/**
+ * Procedural memory writer — creates/updates skill files.
+ *
+ * Procedural memory stores learned workflows as individual markdown files:
+ *   `.agentos/memory/procedural/{skill-name}.md`
+ *
+ * Each file documents: description, steps, context, and optional examples.
+ * Creates new files or overwrites existing ones (skills are versioned as a
+ * whole, not appended line-by-line like episodic memory).
+ *
+ * @module memory/procedural
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const PROCEDURAL_DIR = '.agentos/memory/procedural';
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Write or overwrite a procedural skill file.
+ *
+ * The skill name is slugified for the filename (lowercase, hyphens).
+ * The full content is always rewritten — procedural skills are atomic.
+ *
+ * @param vaultRoot - Absolute path to the vault root directory
+ * @param entry     - The procedural entry to persist
+ */
+export async function writeProceduralEntry(vaultRoot, entry) {
+    const dir = path.join(vaultRoot, PROCEDURAL_DIR);
+    await fs.mkdir(dir, { recursive: true });
+    const slug = slugify(entry.name);
+    const filePath = path.join(dir, `${slug}.md`);
+    const content = renderProceduralEntry(entry);
+    await fs.writeFile(filePath, content, 'utf8');
+}
+/**
+ * Read a procedural entry by skill name, returning null if it doesn't exist.
+ *
+ * @param vaultRoot - Absolute path to the vault root directory
+ * @param name      - Skill name (will be slugified)
+ * @returns The raw markdown content, or null
+ */
+export async function readProceduralEntry(vaultRoot, name) {
+    const slug = slugify(name);
+    const filePath = path.join(vaultRoot, PROCEDURAL_DIR, `${slug}.md`);
+    try {
+        return await fs.readFile(filePath, 'utf8');
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * List all procedural skill names available in the vault.
+ *
+ * @param vaultRoot - Absolute path to the vault root directory
+ * @returns Sorted array of skill names (derived from filenames)
+ */
+export async function listProceduralSkills(vaultRoot) {
+    const dir = path.join(vaultRoot, PROCEDURAL_DIR);
+    try {
+        const files = await fs.readdir(dir);
+        return files
+            .filter((f) => f.endsWith('.md'))
+            .map((f) => f.replace(/\.md$/, ''))
+            .sort();
+    }
+    catch {
+        return [];
+    }
+}
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+/**
+ * Slugify a skill name: lowercase, spaces → hyphens, strip non-alnum.
+ */
+export function slugify(name) {
+    return name
+        .toLowerCase()
+        .trim()
+        .replace(/\s+/g, '-')
+        .replace(/[^a-z0-9-]/g, '');
+}
+/**
+ * Render a full procedural entry as markdown.
+ */
+function renderProceduralEntry(entry) {
+    const lines = [];
+    // YAML frontmatter with triggers and metadata (SKILL.md pattern)
+    lines.push('---');
+    lines.push(`name: ${entry.name}`);
+    lines.push(`description: ${entry.description}`);
+    if (entry.triggers && entry.triggers.length > 0) {
+        lines.push(`triggers: [${entry.triggers.join(', ')}]`);
+    }
+    if (entry.useCount !== undefined) {
+        lines.push(`use_count: ${entry.useCount}`);
+    }
+    if (entry.lastUsed) {
+        lines.push(`last_used: ${entry.lastUsed}`);
+    }
+    lines.push('---');
+    lines.push('');
+    lines.push(`# ${entry.name}`);
+    lines.push('');
+    lines.push(entry.description);
+    lines.push('');
+    if (entry.context) {
+        lines.push('## Context');
+        lines.push(entry.context);
+        lines.push('');
+    }
+    if (entry.steps.length > 0) {
+        lines.push('## Steps');
+        for (let i = 0; i < entry.steps.length; i++) {
+            lines.push(`${i + 1}. ${entry.steps[i]}`);
+        }
+        lines.push('');
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=procedural.js.map

package/dist/memory/procedural.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"procedural.js","sourceRoot":"","sources":["../../src/memory/procedural.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,cAAc,GAAG,4BAA4B,CAAC;AAEpD,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,KAAsB;IAEtB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACjD,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAE7C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,SAAiB,EACjB,IAAY;IAEZ,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,EAAE,GAAG,IAAI,KAAK,CAAC,CAAC;IACpE,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB;IAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,OAAO,KAAK;aACT,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;aAClC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,OAAO,IAAI;SACR,WAAW,EAAE;SACb,IAAI,EAAE;SACN,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,KAAsB;IACnD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,iEAAiE;IACjE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,KAAK,CAAC,IAAI,CAAC,gBAAgB,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;IAChD,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7C,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5C,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/secrets/exfil-guard.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Exfiltration guard — Story 8.4.
+ *
+ * Scans output text for patterns that may indicate secret leakage.
+ * Logs violations to `.agentos/security/audit/violations.log`.
+ *
+ * @module secrets/exfil-guard
+ */
+import type { SecurityPolicy } from '../types/index.js';
+/** Result of an exfiltration scan. */
+export interface ExfilResult {
+    clean: boolean;
+    matches: string[];
+}
+/**
+ * Scan text for exfiltration patterns defined in security policy.
+ *
+ * @param text   - Text to scan (agent output, file content, etc.)
+ * @param policy - Security policy with deny_exfil_patterns
+ * @returns ExfilResult with matches
+ */
+export declare function scanForExfiltration(text: string, policy: SecurityPolicy): ExfilResult;
+/**
+ * Log an exfiltration violation to the audit log.
+ *
+ * @param vaultRoot - Vault root path
+ * @param source    - Where the violation was detected
+ * @param matches   - Matched patterns
+ */
+export declare function logViolation(vaultRoot: string, source: string, matches: string[]): Promise<void>;
+//# sourceMappingURL=exfil-guard.d.ts.map

package/dist/secrets/exfil-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exfil-guard.d.ts","sourceRoot":"","sources":["../../src/secrets/exfil-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAKxD,sCAAsC;AACtC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,cAAc,GACrB,WAAW,CAgBb;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EAAE,GAChB,OAAO,CAAC,IAAI,CAAC,CAWf"}

package/dist/secrets/exfil-guard.js

@@ -0,0 +1,51 @@
+/**
+ * Exfiltration guard — Story 8.4.
+ *
+ * Scans output text for patterns that may indicate secret leakage.
+ * Logs violations to `.agentos/security/audit/violations.log`.
+ *
+ * @module secrets/exfil-guard
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+const AUDIT_DIR = '.agentos/security/audit';
+const VIOLATIONS_LOG = 'violations.log';
+/**
+ * Scan text for exfiltration patterns defined in security policy.
+ *
+ * @param text   - Text to scan (agent output, file content, etc.)
+ * @param policy - Security policy with deny_exfil_patterns
+ * @returns ExfilResult with matches
+ */
+export function scanForExfiltration(text, policy) {
+    const matches = [];
+    for (const pattern of policy.network.deny_exfil_patterns) {
+        try {
+            const regex = new RegExp(pattern.regex, 'gi');
+            const found = text.match(regex);
+            if (found) {
+                matches.push(...found);
+            }
+        }
+        catch {
+            // Invalid regex — skip silently
+        }
+    }
+    return { clean: matches.length === 0, matches };
+}
+/**
+ * Log an exfiltration violation to the audit log.
+ *
+ * @param vaultRoot - Vault root path
+ * @param source    - Where the violation was detected
+ * @param matches   - Matched patterns
+ */
+export async function logViolation(vaultRoot, source, matches) {
+    const dir = path.join(vaultRoot, AUDIT_DIR);
+    await fs.mkdir(dir, { recursive: true });
+    const logPath = path.join(dir, VIOLATIONS_LOG);
+    const timestamp = new Date().toISOString();
+    const lines = matches.map((m) => `[${timestamp}] EXFIL_DETECTED source=${source} match="${m}"\n`);
+    await fs.appendFile(logPath, lines.join(''), 'utf8');
+}
+//# sourceMappingURL=exfil-guard.js.map

package/dist/secrets/exfil-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exfil-guard.js","sourceRoot":"","sources":["../../src/secrets/exfil-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,SAAS,GAAG,yBAAyB,CAAC;AAC5C,MAAM,cAAc,GAAG,gBAAgB,CAAC;AAQxC;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,MAAsB;IAEtB,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC;QACzD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAChC,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,MAAc,EACd,OAAiB;IAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5C,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CACvB,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,SAAS,2BAA2B,MAAM,WAAW,CAAC,KAAK,CACvE,CAAC;IAEF,MAAM,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC"}

package/dist/secrets/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Secrets module — barrel export.
+ * @module secrets
+ */
+export { addSecret, removeSecret, listSecrets, rotateSecret, decryptSecrets, resolveSecretRefs, } from './vault.js';
+export { scanForExfiltration, logViolation, } from './exfil-guard.js';
+export type { ExfilResult } from './exfil-guard.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,mBAAmB,EACnB,YAAY,GACb,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/secrets/index.js

@@ -0,0 +1,7 @@
+/**
+ * Secrets module — barrel export.
+ * @module secrets
+ */
+export { addSecret, removeSecret, listSecrets, rotateSecret, decryptSecrets, resolveSecretRefs, } from './vault.js';
+export { scanForExfiltration, logViolation, } from './exfil-guard.js';
+//# sourceMappingURL=index.js.map

package/dist/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,mBAAmB,EACnB,YAAY,GACb,MAAM,kBAAkB,CAAC"}

package/dist/secrets/vault.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Secrets vault — encrypted secret storage with reference-only access.
+ *
+ * Story 8.1: Manages secrets in `.agentos/secrets/vault.yaml` (encrypted)
+ * and `.agentos/secrets/refs.yaml` (reference names only).
+ *
+ * In a full implementation, this would use SOPS/age for real encryption.
+ * For MVP, we use a simple base64 encoding with a marker to simulate
+ * the encrypted-at-rest pattern. The API surface is identical to what
+ * a SOPS integration would provide.
+ *
+ * @module secrets/vault
+ */
+/**
+ * Add a secret to the vault.
+ *
+ * @param vaultRoot - Vault root path
+ * @param name      - Secret name (e.g. 'github-token')
+ * @param value     - Secret value to encrypt
+ */
+export declare function addSecret(vaultRoot: string, name: string, value: string): Promise<void>;
+/**
+ * Remove a secret from the vault.
+ *
+ * @param vaultRoot - Vault root path
+ * @param name      - Secret name to remove
+ * @returns true if removed, false if not found
+ */
+export declare function removeSecret(vaultRoot: string, name: string): Promise<boolean>;
+/**
+ * List all secret names (never values).
+ *
+ * @param vaultRoot - Vault root path
+ * @returns Sorted array of secret names
+ */
+export declare function listSecrets(vaultRoot: string): Promise<string[]>;
+/**
+ * Rotate a secret (re-encrypt with new value).
+ *
+ * @param vaultRoot - Vault root path
+ * @param name      - Secret name to rotate
+ * @param newValue  - New secret value
+ * @returns true if rotated, false if not found
+ */
+export declare function rotateSecret(vaultRoot: string, name: string, newValue: string): Promise<boolean>;
+/**
+ * Decrypt all secrets to a key-value map (for exec proxy).
+ * WARNING: Returns plaintext — only use in-memory for child process env.
+ *
+ * @param vaultRoot - Vault root path
+ * @returns Map of name → plaintext value
+ */
+export declare function decryptSecrets(vaultRoot: string): Promise<Record<string, string>>;
+/**
+ * Resolve secret references in a string.
+ * Replaces `${{secret:name}}` with actual values.
+ *
+ * @param template  - String with secret references
+ * @param vaultRoot - Vault root path
+ * @returns Resolved string
+ */
+export declare function resolveSecretRefs(template: string, vaultRoot: string): Promise<string>;
+//# sourceMappingURL=vault.d.ts.map

package/dist/secrets/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../src/secrets/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAiFH;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAGtE;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CASjC;AAED;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,CAMjB"}

package/dist/secrets/vault.js

@@ -0,0 +1,163 @@
+/**
+ * Secrets vault — encrypted secret storage with reference-only access.
+ *
+ * Story 8.1: Manages secrets in `.agentos/secrets/vault.yaml` (encrypted)
+ * and `.agentos/secrets/refs.yaml` (reference names only).
+ *
+ * In a full implementation, this would use SOPS/age for real encryption.
+ * For MVP, we use a simple base64 encoding with a marker to simulate
+ * the encrypted-at-rest pattern. The API surface is identical to what
+ * a SOPS integration would provide.
+ *
+ * @module secrets/vault
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import yaml from 'js-yaml';
+const SECRETS_DIR = '.agentos/secrets';
+const VAULT_FILE = 'vault.yaml';
+const REFS_FILE = 'refs.yaml';
+/** Header marker for "encrypted" values. */
+const ENC_PREFIX = 'ENC[agentfs:';
+const ENC_SUFFIX = ']';
+function encode(value) {
+    return `${ENC_PREFIX}${Buffer.from(value).toString('base64')}${ENC_SUFFIX}`;
+}
+function decode(encoded) {
+    const inner = encoded.slice(ENC_PREFIX.length, -ENC_SUFFIX.length);
+    return Buffer.from(inner, 'base64').toString('utf8');
+}
+function isEncoded(value) {
+    return value.startsWith(ENC_PREFIX) && value.endsWith(ENC_SUFFIX);
+}
+async function ensureDir(vaultRoot) {
+    const dir = path.join(vaultRoot, SECRETS_DIR);
+    await fs.mkdir(dir, { recursive: true });
+    return dir;
+}
+async function readVault(vaultRoot) {
+    const filePath = path.join(vaultRoot, SECRETS_DIR, VAULT_FILE);
+    try {
+        const content = await fs.readFile(filePath, 'utf8');
+        return yaml.load(content) ?? { version: '1.0', secrets: {} };
+    }
+    catch {
+        return { version: '1.0', secrets: {} };
+    }
+}
+async function writeVault(vaultRoot, data) {
+    const dir = await ensureDir(vaultRoot);
+    await fs.writeFile(path.join(dir, VAULT_FILE), yaml.dump(data), 'utf8');
+}
+async function readRefs(vaultRoot) {
+    const filePath = path.join(vaultRoot, SECRETS_DIR, REFS_FILE);
+    try {
+        const content = await fs.readFile(filePath, 'utf8');
+        return yaml.load(content) ?? { version: '1.0', refs: [] };
+    }
+    catch {
+        return { version: '1.0', refs: [] };
+    }
+}
+async function writeRefs(vaultRoot, data) {
+    const dir = await ensureDir(vaultRoot);
+    await fs.writeFile(path.join(dir, REFS_FILE), yaml.dump(data), 'utf8');
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Add a secret to the vault.
+ *
+ * @param vaultRoot - Vault root path
+ * @param name      - Secret name (e.g. 'github-token')
+ * @param value     - Secret value to encrypt
+ */
+export async function addSecret(vaultRoot, name, value) {
+    const vault = await readVault(vaultRoot);
+    vault.secrets[name] = encode(value);
+    await writeVault(vaultRoot, vault);
+    const refs = await readRefs(vaultRoot);
+    if (!refs.refs.includes(name)) {
+        refs.refs.push(name);
+        refs.refs.sort();
+        await writeRefs(vaultRoot, refs);
+    }
+}
+/**
+ * Remove a secret from the vault.
+ *
+ * @param vaultRoot - Vault root path
+ * @param name      - Secret name to remove
+ * @returns true if removed, false if not found
+ */
+export async function removeSecret(vaultRoot, name) {
+    const vault = await readVault(vaultRoot);
+    if (!(name in vault.secrets))
+        return false;
+    delete vault.secrets[name];
+    await writeVault(vaultRoot, vault);
+    const refs = await readRefs(vaultRoot);
+    refs.refs = refs.refs.filter((r) => r !== name);
+    await writeRefs(vaultRoot, refs);
+    return true;
+}
+/**
+ * List all secret names (never values).
+ *
+ * @param vaultRoot - Vault root path
+ * @returns Sorted array of secret names
+ */
+export async function listSecrets(vaultRoot) {
+    const refs = await readRefs(vaultRoot);
+    return refs.refs;
+}
+/**
+ * Rotate a secret (re-encrypt with new value).
+ *
+ * @param vaultRoot - Vault root path
+ * @param name      - Secret name to rotate
+ * @param newValue  - New secret value
+ * @returns true if rotated, false if not found
+ */
+export async function rotateSecret(vaultRoot, name, newValue) {
+    const vault = await readVault(vaultRoot);
+    if (!(name in vault.secrets))
+        return false;
+    vault.secrets[name] = encode(newValue);
+    await writeVault(vaultRoot, vault);
+    return true;
+}
+/**
+ * Decrypt all secrets to a key-value map (for exec proxy).
+ * WARNING: Returns plaintext — only use in-memory for child process env.
+ *
+ * @param vaultRoot - Vault root path
+ * @returns Map of name → plaintext value
+ */
+export async function decryptSecrets(vaultRoot) {
+    const vault = await readVault(vaultRoot);
+    const result = {};
+    for (const [name, encrypted] of Object.entries(vault.secrets)) {
+        if (isEncoded(encrypted)) {
+            result[name.toUpperCase().replace(/-/g, '_')] = decode(encrypted);
+        }
+    }
+    return result;
+}
+/**
+ * Resolve secret references in a string.
+ * Replaces `${{secret:name}}` with actual values.
+ *
+ * @param template  - String with secret references
+ * @param vaultRoot - Vault root path
+ * @returns Resolved string
+ */
+export async function resolveSecretRefs(template, vaultRoot) {
+    const secrets = await decryptSecrets(vaultRoot);
+    return template.replace(/\$\{\{secret:([^}]+)\}\}/g, (_match, name) => {
+        const envKey = name.toUpperCase().replace(/-/g, '_');
+        return secrets[envKey] ?? ('${{secret:' + name + '}}');
+    });
+}
+//# sourceMappingURL=vault.js.map

package/dist/secrets/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../src/secrets/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,SAAS,CAAC;AAE3B,MAAM,WAAW,GAAG,kBAAkB,CAAC;AACvC,MAAM,UAAU,GAAG,YAAY,CAAC;AAChC,MAAM,SAAS,GAAG,WAAW,CAAC;AAE9B,4CAA4C;AAC5C,MAAM,UAAU,GAAG,cAAc,CAAC;AAClC,MAAM,UAAU,GAAG,GAAG,CAAC;AAgBvB,SAAS,MAAM,CAAC,KAAa;IAC3B,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,UAAU,EAAE,CAAC;AAC9E,CAAC;AAED,SAAS,MAAM,CAAC,OAAe;IAC7B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACnE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACpE,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAC9C,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAC/D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACpD,OAAQ,IAAI,CAAC,IAAI,CAAC,OAAO,CAAe,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,SAAiB,EAAE,IAAe;IAC1D,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACvC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;AAC1E,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,SAAiB;IACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACpD,OAAQ,IAAI,CAAC,IAAI,CAAC,OAAO,CAAc,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,SAAiB,EAAE,IAAc;IACxD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACvC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;AACzE,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,SAAiB,EACjB,IAAY,EACZ,KAAa;IAEb,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAEnC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACjB,MAAM,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,IAAY;IAEZ,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE3C,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAEnC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;IAChD,MAAM,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAEjC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,SAAiB;IACjD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;IACvC,OAAO,IAAI,CAAC,IAAI,CAAC;AACnB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,IAAY,EACZ,QAAgB;IAEhB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE3C,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,UAAU,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB;IAEjB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9D,IAAI,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,SAAiB;IAEjB,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,SAAS,CAAC,CAAC;IAChD,OAAO,QAAQ,CAAC,OAAO,CAAC,2BAA2B,EAAE,CAAC,MAAM,EAAE,IAAY,EAAE,EAAE;QAC5E,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACrD,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/security/claude-compiler.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Claude AppArmor compiler — Story 7.2.
+ *
+ * Compiles SecurityPolicy into `.claude/settings.json` permissions format.
+ * Preserves existing user settings when the file already exists.
+ *
+ * @module security/claude-compiler
+ */
+import type { SecurityPolicy } from '../types/index.js';
+/** Shape of .claude/settings.json that we manage. */
+interface ClaudeSettings {
+    permissions?: {
+        deny?: string[];
+        ask?: string[];
+    };
+    [key: string]: unknown;
+}
+/**
+ * Compile SecurityPolicy into .claude/settings.json permissions.
+ *
+ * @param vaultRoot - Absolute path to vault root
+ * @param policy    - Parsed security policy
+ * @param dryRun    - If true, returns the settings without writing
+ * @returns The compiled ClaudeSettings object
+ */
+export declare function compileClaudeSecurity(vaultRoot: string, policy: SecurityPolicy, dryRun?: boolean): Promise<ClaudeSettings>;
+export {};
+//# sourceMappingURL=claude-compiler.d.ts.map

package/dist/security/claude-compiler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-compiler.d.ts","sourceRoot":"","sources":["../../src/security/claude-compiler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,qDAAqD;AACrD,UAAU,cAAc;IACtB,WAAW,CAAC,EAAE;QACZ,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;KAChB,CAAC;IACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,cAAc,EACtB,MAAM,UAAQ,GACb,OAAO,CAAC,cAAc,CAAC,CAwDzB"}

package/dist/security/claude-compiler.js

@@ -0,0 +1,66 @@
+/**
+ * Claude AppArmor compiler — Story 7.2.
+ *
+ * Compiles SecurityPolicy into `.claude/settings.json` permissions format.
+ * Preserves existing user settings when the file already exists.
+ *
+ * @module security/claude-compiler
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+/**
+ * Compile SecurityPolicy into .claude/settings.json permissions.
+ *
+ * @param vaultRoot - Absolute path to vault root
+ * @param policy    - Parsed security policy
+ * @param dryRun    - If true, returns the settings without writing
+ * @returns The compiled ClaudeSettings object
+ */
+export async function compileClaudeSecurity(vaultRoot, policy, dryRun = false) {
+    const settingsPath = path.join(vaultRoot, '.claude', 'settings.json');
+    // Read existing settings to preserve user customizations
+    let existing = {};
+    try {
+        const raw = await fs.readFile(settingsPath, 'utf8');
+        existing = JSON.parse(raw);
+    }
+    catch {
+        // No existing settings — start fresh
+    }
+    // Build deny rules from policy
+    const denyRules = [];
+    // File read denials → "Read" deny
+    for (const pattern of policy.file_access.deny_read) {
+        denyRules.push(`Read(${pattern})`);
+    }
+    // File write denials → "Write" deny
+    for (const pattern of policy.file_access.deny_write) {
+        denyRules.push(`Write(${pattern})`);
+    }
+    // Blocked commands
+    for (const cmd of policy.commands.blocked) {
+        denyRules.push(`Execute(${cmd})`);
+    }
+    // Build ask rules from policy
+    const askRules = [];
+    for (const pattern of policy.file_access.ask_write) {
+        askRules.push(`Write(${pattern})`);
+    }
+    for (const cmd of policy.commands.ask_before) {
+        askRules.push(`Execute(${cmd})`);
+    }
+    // Merge with existing settings
+    const result = {
+        ...existing,
+        permissions: {
+            deny: denyRules,
+            ask: askRules,
+        },
+    };
+    if (!dryRun) {
+        await fs.mkdir(path.dirname(settingsPath), { recursive: true });
+        await fs.writeFile(settingsPath, JSON.stringify(result, null, 2) + '\n', 'utf8');
+    }
+    return result;
+}
+//# sourceMappingURL=claude-compiler.js.map

package/dist/security/claude-compiler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-compiler.js","sourceRoot":"","sources":["../../src/security/claude-compiler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAY7B;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,MAAsB,EACtB,MAAM,GAAG,KAAK;IAEd,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAEtE,yDAAyD;IACzD,IAAI,QAAQ,GAAmB,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACpD,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,qCAAqC;IACvC,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,kCAAkC;IAClC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QACnD,SAAS,CAAC,IAAI,CAAC,QAAQ,OAAO,GAAG,CAAC,CAAC;IACrC,CAAC;IAED,oCAAoC;IACpC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;QACpD,SAAS,CAAC,IAAI,CAAC,SAAS,OAAO,GAAG,CAAC,CAAC;IACtC,CAAC;IAED,mBAAmB;IACnB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC1C,SAAS,CAAC,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,8BAA8B;IAC9B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QACnD,QAAQ,CAAC,IAAI,CAAC,SAAS,OAAO,GAAG,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,+BAA+B;IAC/B,MAAM,MAAM,GAAmB;QAC7B,GAAG,QAAQ;QACX,WAAW,EAAE;YACX,IAAI,EAAE,SAAS;YACf,GAAG,EAAE,QAAQ;SACd;KACF,CAAC;IAEF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/security/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Security module — barrel export.
+ * @module security
+ */
+export { readSecurityPolicy, writeSecurityPolicy, scanForInjections, checkCommand, DEFAULT_POLICY, } from './parser.js';
+export { compileClaudeSecurity } from './claude-compiler.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,7 @@
+/**
+ * Security module — barrel export.
+ * @module security
+ */
+export { readSecurityPolicy, writeSecurityPolicy, scanForInjections, checkCommand, DEFAULT_POLICY, } from './parser.js';
+export { compileClaudeSecurity } from './claude-compiler.js';
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC"}