dravix-agent 0.1.0

package/dist/index/vulrag.d.ts

@@ -0,0 +1,86 @@
+import { Embedder } from "./embeddings.js";
+export interface VulRagEntry {
+    /** Canonical CWE id, e.g. ``"CWE-89"``. We allow duplicate-suffix ids like
+     * ``"CWE-209c"`` in the curated KB so multiple variants of one CWE can each
+     * get their own entry — the id is a slug, not an enforced MITRE key. */
+    cwe: string;
+    /** Short human label, e.g. ``"SQL Injection"``. Used in critic prompts. */
+    name: string;
+    /** One of: ``api_misuse | logic | resource | concurrency | auth | crypto``.
+     * Routing hint for the critic. */
+    category: string;
+    /** One of: ``critical | high | medium | low``. Default-block rank source. */
+    severity: string;
+    /** One-line explanation of why this class of bug exists. */
+    cause: string;
+    /** Languages this pattern applies to (lowercase, e.g. ``["python","javascript"]``).
+     * The critic uses this for the optional ``language`` filter on retrieval. */
+    languages: string[];
+    /** Canonical vulnerable code sample (short, ~5-15 lines). **Embedded** for
+     * semantic retrieval. The critic gets this verbatim to ground its reasoning. */
+    vulnerable_pattern: string;
+    /** Canonical fixed counterpart. Shown to the user in remediation prompts. */
+    fix_pattern: string;
+    /** Short strings the critic can grep mentally to confirm a match
+     * (e.g. ``["f-string in execute(", "innerHTML with user data"]``). */
+    detection_hints: string[];
+}
+export interface VulRagHit {
+    entry: VulRagEntry;
+    /** Cosine similarity in [-1, 1]; higher = more similar. */
+    similarity: number;
+}
+/** Resolve the path to the bundled ``vulnkb.json``. Exported for tests and
+ * tooling that want to load the KB without instantiating ``VulRag``. */
+export declare function vulRagKbPath(): string;
+export declare class VulRag {
+    private readonly kbPath;
+    private readonly embedder;
+    private entries;
+    private vectors;
+    private loaded;
+    private loadPromise;
+    private _sha;
+    private _model;
+    constructor(kbPath?: string, embedder?: Embedder);
+    get path(): string;
+    /** Number of indexed entries (0 until ensureLoaded() succeeds). */
+    get size(): number;
+    /** sha256 prefix of the KB file at load time; null before load. */
+    get kbSha(): string | null;
+    get model(): string | null;
+    /** Load the KB and embed every entry. Lazy + idempotent. Concurrent
+     * callers share one in-flight promise — we don't want two callers each
+     * spending ~0.6 s embedding the same 60 patterns. Returns false if the
+     * embedder can't load (e.g. transformers.js not installed). */
+    ensureLoaded(): Promise<boolean>;
+    /** Return the top-K semantically similar CWE entries for a snippet.
+     *
+     * @param snippet  Code (or finding message + code) to retrieve against.
+     * @param k        Max entries to return; clamped to KB size.
+     * @param opts.language  If set, only consider entries that list this
+     *                       language. Use the lowercase canonical form
+     *                       (``python | javascript | typescript | go``).
+     * @param opts.minSimilarity  Drop hits with cosine < this. Default 0
+     *                            (return whatever the embedder rates highest).
+     */
+    topK(snippet: string, k: number, opts?: {
+        language?: string;
+        minSimilarity?: number;
+    }): Promise<VulRagHit[]>;
+    /** Iterate every entry whose CWE matches one of ``cweIds``. Useful for the
+     * router-150m → critic path where the router predicts a CWE bucket and
+     * we want to ground the critic in the *predicted* CWE rather than (or in
+     * addition to) the top semantic neighbours.
+     *
+     * Match is loose: an entry's ``cwe`` of ``"CWE-89"`` matches any of
+     * ``["CWE-89", "89", "cwe-89"]`` in the input list.
+     */
+    byCwe(cweIds: ReadonlyArray<string>): VulRagEntry[];
+}
+/** Process-wide singleton. Engines should always use this rather than
+ * constructing their own ``VulRag`` — the embedding cost is paid once. */
+export declare function getVulRag(): VulRag;
+/** Reset the singleton — test-only. Production should never call this. */
+export declare function _resetVulRagForTests(): void;
+//# sourceMappingURL=vulrag.d.ts.map

package/dist/index/vulrag.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vulrag.d.ts","sourceRoot":"","sources":["../../src/index/vulrag.ts"],"names":[],"mappings":"AA4CA,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAQ3C,MAAM,WAAW,WAAW;IAC1B;;4EAEwE;IACxE,GAAG,EAAE,MAAM,CAAC;IACZ,2EAA2E;IAC3E,IAAI,EAAE,MAAM,CAAC;IACb;sCACkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,EAAE,MAAM,CAAC;IACjB,4DAA4D;IAC5D,KAAK,EAAE,MAAM,CAAC;IACd;iFAC6E;IAC7E,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB;oFACgF;IAChF,kBAAkB,EAAE,MAAM,CAAC;IAC3B,6EAA6E;IAC7E,WAAW,EAAE,MAAM,CAAC;IACpB;0EACsE;IACtE,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,WAAW,CAAC;IACnB,2DAA2D;IAC3D,UAAU,EAAE,MAAM,CAAC;CACpB;AAgBD;wEACwE;AACxE,wBAAgB,YAAY,IAAI,MAAM,CAqBrC;AA2BD,qBAAa,MAAM;IASf,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAT3B,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,OAAO,CAAsB;IACrC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,WAAW,CAAiC;IACpD,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,MAAM,CAAuB;gBAGlB,MAAM,GAAE,MAAuB,EAC/B,QAAQ,GAAE,QAAyB;IAGtD,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,mEAAmE;IACnE,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,mEAAmE;IACnE,IAAI,KAAK,IAAI,MAAM,GAAG,IAAI,CAEzB;IAED,IAAI,KAAK,IAAI,MAAM,GAAG,IAAI,CAEzB;IAED;;;mEAG+D;IACzD,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC;IA2CtC;;;;;;;;;OASG;IACG,IAAI,CACR,OAAO,EAAE,MAAM,EACf,CAAC,EAAE,MAAM,EACT,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,GACnD,OAAO,CAAC,SAAS,EAAE,CAAC;IA2BvB;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,WAAW,EAAE;CAKpD;AAUD;0EAC0E;AAC1E,wBAAgB,SAAS,IAAI,MAAM,CAGlC;AAED,0EAA0E;AAC1E,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}

package/dist/index/vulrag.js

@@ -0,0 +1,242 @@
+/**
+ * Vul-RAG — retrieval over a curated CWE knowledge base.
+ *
+ * Each entry in ``data/vulnkb.json`` is a canonical (cause, vulnerable_pattern,
+ * fix_pattern, detection_hints) tuple for one CWE. At first use we embed the
+ * vulnerable_pattern of every entry using the same local model the SCIP
+ * embedder uses (``Xenova/all-MiniLM-L6-v2`` by default, 384-d, MIT licensed,
+ * runs on CPU in transformers.js).
+ *
+ * The LLM critic (Phase 2, V2-07) calls ``topK(snippet, 3)`` to fetch the
+ * three most semantically similar CWE patterns and inlines them in its prompt
+ * as evidence — this is the Du 2024 Vul-RAG pattern (arxiv 2406.11147) that
+ * the research credits with +16-24 pp accuracy over a pure LLM judge.
+ *
+ * Storage strategy
+ * ----------------
+ * For ~60 entries we use **brute-force cosine** over an in-memory
+ * ``Float32Array[]``. 60 × 384 × 4 bytes ≈ 92 KB; one query is sub-ms even
+ * unrolled. An HNSW (like the SCIP embedder uses) would be theatre at this
+ * scale and add a deserialize-on-load cost without measurable speedup.
+ *
+ * The KB-embedding cost (~10 ms × 60 = 0.6 s cold) happens once per process,
+ * lazily on first ``ensureLoaded()``. We do NOT persist embeddings to disk in
+ * v1: the cost is tolerable on every cold start, and avoiding the persist
+ * step means we can never serve stale vectors after a KB edit.
+ *
+ * Public surface:
+ *   - VulRagEntry      — strict shape of one KB entry
+ *   - VulRagHit        — { entry, similarity } returned by topK
+ *   - VulRag           — instance class (loads, embeds, queries)
+ *   - getVulRag()      — process-wide singleton (use this in engines)
+ *   - vulRagKbPath()   — resolve the bundled vulnkb.json (test + tooling)
+ *
+ * The KB file path resolution mirrors how ``embeddings.ts`` finds the bundled
+ * ``scip.proto``: try several candidate paths derived from cwd + module URL,
+ * pick the first that exists. This lets the package work whether it's
+ * installed from npm, linked locally, or run from a checkout.
+ */
+import { createHash } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, resolve } from "node:path";
+import { getLogger } from "../util/logger.js";
+import { Embedder } from "./embeddings.js";
+const log = getLogger("aegis.vulrag");
+const KB_SOURCE_FIELD = "vulnerable_pattern";
+// ── KB-path resolution ───────────────────────────────────────────────────
+function moduleDir() {
+    // import.meta.url is e.g. file:///C:/.../dist/index/vulrag.js
+    // dirname gives .../dist/index/. Walk up two to reach package root.
+    return dirname(fileURLToPath(import.meta.url));
+}
+/** Resolve the path to the bundled ``vulnkb.json``. Exported for tests and
+ * tooling that want to load the KB without instantiating ``VulRag``. */
+export function vulRagKbPath() {
+    const overrides = process.env.AEGIS_VULNKB_PATH;
+    if (overrides && existsSync(overrides))
+        return resolve(overrides);
+    const mod = moduleDir();
+    const candidates = [
+        // run from a built install — package root is two levels above dist/index/
+        resolve(mod, "..", "..", "data", "vulnkb.json"),
+        // run from a source checkout via tsx — module is in src/index/
+        resolve(mod, "..", "..", "data", "vulnkb.json"),
+        // running from cwd in a dev shell
+        resolve(process.cwd(), "data", "vulnkb.json"),
+        // monorepo-style cwd one level up
+        resolve(process.cwd(), "aegis-v2", "data", "vulnkb.json"),
+    ];
+    for (const c of candidates) {
+        if (existsSync(c))
+            return c;
+    }
+    // Default to the most-likely path even if missing — caller decides what
+    // to do (loadKb will throw with a clear message).
+    return candidates[0];
+}
+function loadKb(path) {
+    const raw = readFileSync(path, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed || !Array.isArray(parsed.entries)) {
+        throw new Error(`vulnkb.json at ${path} is malformed: missing entries[]`);
+    }
+    return parsed;
+}
+function kbSha(path) {
+    const buf = readFileSync(path);
+    return createHash("sha256").update(buf).digest("hex").slice(0, 16);
+}
+// ── Cosine over L2-normalised vectors = dot product ──────────────────────
+function dot(a, b) {
+    let s = 0;
+    const n = Math.min(a.length, b.length);
+    for (let i = 0; i < n; i++)
+        s += a[i] * b[i];
+    return s;
+}
+// ── The class ─────────────────────────────────────────────────────────────
+export class VulRag {
+    kbPath;
+    embedder;
+    entries = [];
+    vectors = [];
+    loaded = false;
+    loadPromise = null;
+    _sha = null;
+    _model = null;
+    constructor(kbPath = vulRagKbPath(), embedder = new Embedder()) {
+        this.kbPath = kbPath;
+        this.embedder = embedder;
+    }
+    get path() {
+        return this.kbPath;
+    }
+    /** Number of indexed entries (0 until ensureLoaded() succeeds). */
+    get size() {
+        return this.entries.length;
+    }
+    /** sha256 prefix of the KB file at load time; null before load. */
+    get kbSha() {
+        return this._sha;
+    }
+    get model() {
+        return this._model;
+    }
+    /** Load the KB and embed every entry. Lazy + idempotent. Concurrent
+     * callers share one in-flight promise — we don't want two callers each
+     * spending ~0.6 s embedding the same 60 patterns. Returns false if the
+     * embedder can't load (e.g. transformers.js not installed). */
+    async ensureLoaded() {
+        if (this.loaded)
+            return true;
+        if (this.loadPromise)
+            return this.loadPromise;
+        this.loadPromise = (async () => {
+            try {
+                const file = loadKb(this.kbPath);
+                this.entries = file.entries;
+                this._sha = kbSha(this.kbPath);
+                const ok = await this.embedder.ensureLoaded();
+                if (!ok) {
+                    log.warn("vul-rag: embedder unavailable; topK will return []");
+                    // Keep entries set so callers can still iterate the KB shape if
+                    // they want to (e.g. category breakdown reports).
+                    return false;
+                }
+                this._model = this.embedder.model;
+                const t0 = Date.now();
+                for (const e of this.entries) {
+                    // Embed "<CWE> <name>\n<vulnerable_pattern>" — concatenating the
+                    // label gives the embedder a stronger semantic signal than the
+                    // raw code alone (especially for short snippets where the code
+                    // shape doesn't uniquely identify the bug class).
+                    const text = `${e.cwe} ${e.name}\n${e[KB_SOURCE_FIELD]}`;
+                    const vec = await this.embedder.embed(text);
+                    this.vectors.push(vec ?? new Float32Array(this.embedder.dim));
+                }
+                log.info("vul-rag: loaded + embedded", {
+                    entries: this.entries.length,
+                    model: this.embedder.model,
+                    dim: this.embedder.dim,
+                    durationMs: Date.now() - t0,
+                    kbSha: this._sha,
+                });
+                this.loaded = true;
+                return true;
+            }
+            catch (err) {
+                log.warn("vul-rag: load failed", { err: String(err), path: this.kbPath });
+                return false;
+            }
+        })();
+        return this.loadPromise;
+    }
+    /** Return the top-K semantically similar CWE entries for a snippet.
+     *
+     * @param snippet  Code (or finding message + code) to retrieve against.
+     * @param k        Max entries to return; clamped to KB size.
+     * @param opts.language  If set, only consider entries that list this
+     *                       language. Use the lowercase canonical form
+     *                       (``python | javascript | typescript | go``).
+     * @param opts.minSimilarity  Drop hits with cosine < this. Default 0
+     *                            (return whatever the embedder rates highest).
+     */
+    async topK(snippet, k, opts) {
+        if (!(await this.ensureLoaded()))
+            return [];
+        if (k <= 0 || this.entries.length === 0)
+            return [];
+        const qv = await this.embedder.embed(snippet);
+        if (!qv)
+            return [];
+        const minSim = opts?.minSimilarity ?? -1;
+        const langFilter = opts?.language?.toLowerCase();
+        // Score every entry. With 60 entries this is ~60 × 384 = ~23K mults
+        // per query — well under 1 ms on a warm V8.
+        const scored = [];
+        for (let i = 0; i < this.entries.length; i++) {
+            const e = this.entries[i];
+            if (langFilter && !e.languages.map((l) => l.toLowerCase()).includes(langFilter)) {
+                continue;
+            }
+            const sim = dot(qv, this.vectors[i]);
+            if (sim < minSim)
+                continue;
+            scored.push({ entry: e, similarity: sim });
+        }
+        scored.sort((a, b) => b.similarity - a.similarity);
+        return scored.slice(0, Math.min(k, scored.length));
+    }
+    /** Iterate every entry whose CWE matches one of ``cweIds``. Useful for the
+     * router-150m → critic path where the router predicts a CWE bucket and
+     * we want to ground the critic in the *predicted* CWE rather than (or in
+     * addition to) the top semantic neighbours.
+     *
+     * Match is loose: an entry's ``cwe`` of ``"CWE-89"`` matches any of
+     * ``["CWE-89", "89", "cwe-89"]`` in the input list.
+     */
+    byCwe(cweIds) {
+        if (!this.loaded)
+            return [];
+        const norm = new Set(cweIds.map((c) => normalizeCwe(c)));
+        return this.entries.filter((e) => norm.has(normalizeCwe(e.cwe)));
+    }
+}
+function normalizeCwe(s) {
+    return s.trim().toUpperCase().replace(/^CWE-/, "");
+}
+// ── Singleton accessor ────────────────────────────────────────────────────
+let _singleton = null;
+/** Process-wide singleton. Engines should always use this rather than
+ * constructing their own ``VulRag`` — the embedding cost is paid once. */
+export function getVulRag() {
+    if (!_singleton)
+        _singleton = new VulRag();
+    return _singleton;
+}
+/** Reset the singleton — test-only. Production should never call this. */
+export function _resetVulRagForTests() {
+    _singleton = null;
+}
+//# sourceMappingURL=vulrag.js.map

package/dist/index/vulrag.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vulrag.js","sourceRoot":"","sources":["../../src/index/vulrag.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE7C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,MAAM,GAAG,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;AAEtC,MAAM,eAAe,GAAG,oBAA6B,CAAC;AA2CtD,4EAA4E;AAE5E,SAAS,SAAS;IAChB,8DAA8D;IAC9D,oEAAoE;IACpE,OAAO,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;wEACwE;AACxE,MAAM,UAAU,YAAY;IAC1B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAChD,IAAI,SAAS,IAAI,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC;IAElE,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,MAAM,UAAU,GAAG;QACjB,0EAA0E;QAC1E,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,CAAC;QAC/C,+DAA+D;QAC/D,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,CAAC;QAC/C,kCAAkC;QAClC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC;QAC7C,kCAAkC;QAClC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,CAAC;KAC1D,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,wEAAwE;IACxE,kDAAkD;IAClD,OAAO,UAAU,CAAC,CAAC,CAAE,CAAC;AACxB,CAAC;AAED,SAAS,MAAM,CAAC,IAAY;IAC1B,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;IAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,kBAAkB,IAAI,kCAAkC,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAC/B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,4EAA4E;AAE5E,SAAS,GAAG,CAAC,CAAe,EAAE,CAAe;IAC3C,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;QAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IAC/C,OAAO,CAAC,CAAC;AACX,CAAC;AAED,6EAA6E;AAE7E,MAAM,OAAO,MAAM;IASE;IACA;IATX,OAAO,GAAkB,EAAE,CAAC;IAC5B,OAAO,GAAmB,EAAE,CAAC;IAC7B,MAAM,GAAG,KAAK,CAAC;IACf,WAAW,GAA4B,IAAI,CAAC;IAC5C,IAAI,GAAkB,IAAI,CAAC;IAC3B,MAAM,GAAkB,IAAI,CAAC;IAErC,YACmB,SAAiB,YAAY,EAAE,EAC/B,WAAqB,IAAI,QAAQ,EAAE;QADnC,WAAM,GAAN,MAAM,CAAyB;QAC/B,aAAQ,GAAR,QAAQ,CAA2B;IACnD,CAAC;IAEJ,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,mEAAmE;IACnE,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,CAAC;IAED,mEAAmE;IACnE,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;;mEAG+D;IAC/D,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC,WAAW,CAAC;QAC9C,IAAI,CAAC,WAAW,GAAG,CAAC,KAAK,IAAI,EAAE;YAC7B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACjC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBAC5B,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAC/B,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;gBAC9C,IAAI,CAAC,EAAE,EAAE,CAAC;oBACR,GAAG,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;oBAC/D,gEAAgE;oBAChE,kDAAkD;oBAClD,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAClC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACtB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBAC7B,iEAAiE;oBACjE,+DAA+D;oBAC/D,+DAA+D;oBAC/D,kDAAkD;oBAClD,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC;oBACzD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC5C,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChE,CAAC;gBACD,GAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE;oBACrC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM;oBAC5B,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK;oBAC1B,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG;oBACtB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;oBAC3B,KAAK,EAAE,IAAI,CAAC,IAAI;iBACjB,CAAC,CAAC;gBACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;gBACnB,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC1E,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QACL,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,IAAI,CACR,OAAe,EACf,CAAS,EACT,IAAoD;QAEpD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAAE,OAAO,EAAE,CAAC;QAC5C,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAEnD,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAEnB,MAAM,MAAM,GAAG,IAAI,EAAE,aAAa,IAAI,CAAC,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;QAEjD,oEAAoE;QACpE,4CAA4C;QAC5C,MAAM,MAAM,GAAgB,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC;YAC3B,IAAI,UAAU,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChF,SAAS;YACX,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC;YACtC,IAAI,GAAG,GAAG,MAAM;gBAAE,SAAS;YAC3B,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;QACnD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAA6B;QACjC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC;CACF;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,6EAA6E;AAE7E,IAAI,UAAU,GAAkB,IAAI,CAAC;AAErC;0EAC0E;AAC1E,MAAM,UAAU,SAAS;IACvB,IAAI,CAAC,UAAU;QAAE,UAAU,GAAG,IAAI,MAAM,EAAE,CAAC;IAC3C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,oBAAoB;IAClC,UAAU,GAAG,IAAI,CAAC;AACpB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+/** Public API re-exports. */
+export { runGate, type GateInput, type GateReport } from "./orchestrator.js";
+export { decide, scoreOne, exitCodeFor, type Action, type ActionDecision } from "./risk.js";
+export { FindingSchema, type Finding, type Severity, type Engine as EngineName, type SourceKind, makeFindingId, safeValidate, validateFinding, severityRank, SEVERITY_ORDER, } from "./findings.js";
+export { detectLang, isFocusLang, type Lang } from "./lang.js";
+export { ENGINES, engineByName } from "./engines/registry.js";
+export type { Engine, EngineRunInput, EngineRunResult } from "./engines/types.js";
+export { startServer } from "./mcp/server.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,OAAO,EAAE,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,MAAM,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AAC5F,OAAO,EACL,aAAa,EACb,KAAK,OAAO,EACZ,KAAK,QAAQ,EACb,KAAK,MAAM,IAAI,UAAU,EACzB,KAAK,UAAU,EACf,aAAa,EACb,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,IAAI,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAC9D,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+/** Public API re-exports. */
+export { runGate } from "./orchestrator.js";
+export { decide, scoreOne, exitCodeFor } from "./risk.js";
+export { FindingSchema, makeFindingId, safeValidate, validateFinding, severityRank, SEVERITY_ORDER, } from "./findings.js";
+export { detectLang, isFocusLang } from "./lang.js";
+export { ENGINES, engineByName } from "./engines/registry.js";
+export { startServer } from "./mcp/server.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,OAAO,EAAE,OAAO,EAAmC,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAoC,MAAM,WAAW,CAAC;AAC5F,OAAO,EACL,aAAa,EAKb,aAAa,EACb,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,cAAc,GACf,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAa,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE9D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/install/claude-code.d.ts

@@ -0,0 +1,31 @@
+export interface InstallOptions {
+    dryRun?: boolean;
+    /** Skip CLAUDE.md edit (hook + MCP only). */
+    skipClaudeMd?: boolean;
+    /** Use a custom Claude home (defaults to ~/.claude). For testing. */
+    claudeHome?: string;
+}
+export interface ChangeRecord {
+    file: string;
+    op: "create" | "modify" | "skip";
+    reason: string;
+    before?: string;
+    after?: string;
+}
+export interface InstallReport {
+    dryRun: boolean;
+    aegisBinPath: string;
+    claudeHome: string;
+    changes: ChangeRecord[];
+    fixmeBlockRemoved: boolean;
+}
+/** Public entry: register aegis in Claude Code. */
+export declare function installClaudeCode(opts?: InstallOptions): InstallReport;
+/** Public entry: remove aegis from Claude Code. Idempotent. */
+export declare function uninstallClaudeCode(opts?: {
+    dryRun?: boolean;
+    claudeHome?: string;
+}): InstallReport;
+/** Human-readable summary for the CLI. */
+export declare function formatReport(r: InstallReport): string;
+//# sourceMappingURL=claude-code.d.ts.map

package/dist/install/claude-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-code.d.ts","sourceRoot":"","sources":["../../src/install/claude-code.ts"],"names":[],"mappings":"AA+BA,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AA0PD,mDAAmD;AACnD,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,cAAmB,GAAG,aAAa,CAgF1E;AAED,+DAA+D;AAC/D,wBAAgB,mBAAmB,CAAC,IAAI,GAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAO,GAAG,aAAa,CAoGvG;AAED,0CAA0C;AAC1C,wBAAgB,YAAY,CAAC,CAAC,EAAE,aAAa,GAAG,MAAM,CA2BrD"}