guardlink 1.0.0

package/dist/agents/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/agents/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,MAAM,EAAE,SAAS,UAAU,EAO9B,CAAC;AAEX,uEAAuE;AACvE,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,UAAU,GAAG,IAAI,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO5F;AAED,mEAAmE;AACnE,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,UAAU,GAAG,IAAI,CAQ1E;AAED,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACpG,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}

package/dist/agents/index.js

@@ -0,0 +1,42 @@
+/**
+ * GuardLink Agents — Shared agent registry.
+ *
+ * Used by CLI, TUI, and MCP to identify and resolve coding agents
+ * (Claude Code, Codex, Cursor, Windsurf, Gemini, clipboard).
+ */
+export const AGENTS = [
+    { id: 'claude-code', name: 'Claude Code', cmd: 'claude', app: null, flag: '--claude-code' },
+    { id: 'cursor', name: 'Cursor', cmd: null, app: 'Cursor', flag: '--cursor' },
+    { id: 'windsurf', name: 'Windsurf', cmd: null, app: 'Windsurf', flag: '--windsurf' },
+    { id: 'codex', name: 'Codex CLI', cmd: 'codex', app: null, flag: '--codex' },
+    { id: 'gemini', name: 'Gemini CLI', cmd: 'gemini', app: null, flag: '--gemini' },
+    { id: 'clipboard', name: 'Clipboard', cmd: null, app: null, flag: '--clipboard' },
+];
+/** Parse --agent flags from a raw args string (TUI slash commands). */
+export function parseAgentFlag(args) {
+    for (const a of AGENTS) {
+        if (args.includes(a.flag)) {
+            return { agent: a, cleanArgs: args.replace(a.flag, '').trim() };
+        }
+    }
+    return { agent: null, cleanArgs: args };
+}
+/** Resolve agent from Commander option booleans (CLI commands). */
+export function agentFromOpts(opts) {
+    if (opts.claudeCode)
+        return AGENTS.find(a => a.id === 'claude-code');
+    if (opts.cursor)
+        return AGENTS.find(a => a.id === 'cursor');
+    if (opts.windsurf)
+        return AGENTS.find(a => a.id === 'windsurf');
+    if (opts.codex)
+        return AGENTS.find(a => a.id === 'codex');
+    if (opts.gemini)
+        return AGENTS.find(a => a.id === 'gemini');
+    if (opts.clipboard)
+        return AGENTS.find(a => a.id === 'clipboard');
+    return null;
+}
+export { launchAgentForeground, launchAgentIDE, launchAgent, copyToClipboard } from './launcher.js';
+export { buildAnnotatePrompt } from './prompts.js';
+//# sourceMappingURL=index.js.map

package/dist/agents/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/agents/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,MAAM,CAAC,MAAM,MAAM,GAA0B;IAC3C,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE,QAAQ,EAAG,GAAG,EAAE,IAAI,EAAQ,IAAI,EAAE,eAAe,EAAE;IAClG,EAAE,EAAE,EAAE,QAAQ,EAAO,IAAI,EAAE,QAAQ,EAAO,GAAG,EAAE,IAAI,EAAO,GAAG,EAAE,QAAQ,EAAI,IAAI,EAAE,UAAU,EAAE;IAC7F,EAAE,EAAE,EAAE,UAAU,EAAK,IAAI,EAAE,UAAU,EAAK,GAAG,EAAE,IAAI,EAAO,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE;IAC/F,EAAE,EAAE,EAAE,OAAO,EAAQ,IAAI,EAAE,WAAW,EAAI,GAAG,EAAE,OAAO,EAAI,GAAG,EAAE,IAAI,EAAQ,IAAI,EAAE,SAAS,EAAE;IAC5F,EAAE,EAAE,EAAE,QAAQ,EAAO,IAAI,EAAE,YAAY,EAAG,GAAG,EAAE,QAAQ,EAAG,GAAG,EAAE,IAAI,EAAQ,IAAI,EAAE,UAAU,EAAE;IAC7F,EAAE,EAAE,EAAE,WAAW,EAAI,IAAI,EAAE,WAAW,EAAI,GAAG,EAAE,IAAI,EAAO,GAAG,EAAE,IAAI,EAAQ,IAAI,EAAE,aAAa,EAAE;CACxF,CAAC;AAEX,uEAAuE;AACvE,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,aAAa,CAAC,IAAyB;IACrD,IAAI,IAAI,CAAC,UAAU;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAE,CAAC;IACtE,IAAI,IAAI,CAAC,MAAM;QAAM,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAE,CAAC;IACjE,IAAI,IAAI,CAAC,QAAQ;QAAI,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAE,CAAC;IACnE,IAAI,IAAI,CAAC,KAAK;QAAO,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,OAAO,CAAE,CAAC;IAChE,IAAI,IAAI,CAAC,MAAM;QAAM,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAE,CAAC;IACjE,IAAI,IAAI,CAAC,SAAS;QAAG,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,WAAW,CAAE,CAAC;IACpE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACpG,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}

package/dist/agents/launcher.d.ts

@@ -0,0 +1,54 @@
+/**
+ * GuardLink Agents — Launch helpers.
+ *
+ * Two launch patterns:
+ *   1. Foreground spawn (CLI + TUI): takes over terminal, returns on exit
+ *   2. IDE launch: opens GUI app with project directory
+ *
+ * Clipboard copy is always performed first regardless of agent type.
+ *
+ * @exposes #agent-launcher to #child-proc-injection [high] cwe:CWE-78 -- "Spawns child processes for AI coding agents"
+ * @exposes #agent-launcher to #cmd-injection [critical] cwe:CWE-78 -- "Windows launch uses shell:true in spawnSync"
+ * @mitigates #agent-launcher against #child-proc-injection using #process-sandbox -- "Agent commands are fixed binaries (claude, codex), not user-controlled"
+ * @mitigates #agent-launcher against #cmd-injection using #param-commands -- "spawnSync with args array on macOS/Linux, only Windows uses shell"
+ * @flows #cli -> #agent-launcher via launchAgent -- "CLI invokes agent with prompt and cwd"
+ * @flows #agent-launcher -> External_Process via spawnSync -- "Spawns claude, codex, cursor, etc."
+ * @boundary between #agent-launcher and External_AI_Agents (#agent-boundary) -- "Process spawn crosses trust boundary to external AI tools"
+ * @comment -- "copyToClipboard uses platform-specific clipboard commands (pbcopy, xclip, clip)"
+ */
+import type { AgentEntry } from './index.js';
+/** Copy text to system clipboard. Returns true on success. */
+export declare function copyToClipboard(text: string): boolean;
+/**
+ * Launch a CLI agent in the foreground — takes over the current terminal.
+ * The agent gets full stdin/stdout/stderr (stdio: 'inherit').
+ * Returns when the agent exits. Works cross-platform.
+ *
+ * This is the `git commit` / `$EDITOR` pattern.
+ */
+export declare function launchAgentForeground(agent: AgentEntry, cwd: string): {
+    exitCode: number | null;
+    error?: string;
+};
+/**
+ * Open an IDE/GUI agent with the project directory.
+ * Uses `open -a` (macOS), `xdg-open` (Linux), or `start` (Windows).
+ */
+export declare function launchAgentIDE(agent: AgentEntry, cwd: string): {
+    success: boolean;
+    error?: string;
+};
+export interface LaunchResult {
+    launched: boolean;
+    clipboardCopied: boolean;
+    error?: string;
+}
+/**
+ * Launch an agent with a prompt. Always copies to clipboard first.
+ *
+ * For terminal agents (claude, codex, gemini): foreground spawn.
+ * For IDE agents (cursor, windsurf): open app.
+ * For clipboard: copy only.
+ */
+export declare function launchAgent(agent: AgentEntry, prompt: string, cwd: string): LaunchResult;
+//# sourceMappingURL=launcher.d.ts.map

package/dist/agents/launcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"launcher.d.ts","sourceRoot":"","sources":["../../src/agents/launcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAI7C,8DAA8D;AAC9D,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAmBrD;AAID;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG;IACrE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAyBA;AAID;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG;IAC9D,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAwCA;AAID,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,EAAE,OAAO,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,YAAY,CAyBxF"}

package/dist/agents/launcher.js

@@ -0,0 +1,152 @@
+/**
+ * GuardLink Agents — Launch helpers.
+ *
+ * Two launch patterns:
+ *   1. Foreground spawn (CLI + TUI): takes over terminal, returns on exit
+ *   2. IDE launch: opens GUI app with project directory
+ *
+ * Clipboard copy is always performed first regardless of agent type.
+ *
+ * @exposes #agent-launcher to #child-proc-injection [high] cwe:CWE-78 -- "Spawns child processes for AI coding agents"
+ * @exposes #agent-launcher to #cmd-injection [critical] cwe:CWE-78 -- "Windows launch uses shell:true in spawnSync"
+ * @mitigates #agent-launcher against #child-proc-injection using #process-sandbox -- "Agent commands are fixed binaries (claude, codex), not user-controlled"
+ * @mitigates #agent-launcher against #cmd-injection using #param-commands -- "spawnSync with args array on macOS/Linux, only Windows uses shell"
+ * @flows #cli -> #agent-launcher via launchAgent -- "CLI invokes agent with prompt and cwd"
+ * @flows #agent-launcher -> External_Process via spawnSync -- "Spawns claude, codex, cursor, etc."
+ * @boundary between #agent-launcher and External_AI_Agents (#agent-boundary) -- "Process spawn crosses trust boundary to external AI tools"
+ * @comment -- "copyToClipboard uses platform-specific clipboard commands (pbcopy, xclip, clip)"
+ */
+import { spawnSync } from 'node:child_process';
+import { platform } from 'node:os';
+// ─── Clipboard ───────────────────────────────────────────────────────
+/** Copy text to system clipboard. Returns true on success. */
+export function copyToClipboard(text) {
+    const cmds = platform() === 'darwin'
+        ? ['pbcopy']
+        : platform() === 'win32'
+            ? ['clip']
+            : ['xclip -selection clipboard', 'xsel --clipboard --input'];
+    for (const cmd of cmds) {
+        const [bin, ...args] = cmd.split(' ');
+        try {
+            const result = spawnSync(bin, args, {
+                input: text,
+                stdio: ['pipe', 'pipe', 'pipe'],
+                timeout: 5000,
+            });
+            if (result.status === 0)
+                return true;
+        }
+        catch {
+            continue;
+        }
+    }
+    return false;
+}
+// ─── Foreground spawn (CLI terminal agents) ──────────────────────────
+/**
+ * Launch a CLI agent in the foreground — takes over the current terminal.
+ * The agent gets full stdin/stdout/stderr (stdio: 'inherit').
+ * Returns when the agent exits. Works cross-platform.
+ *
+ * This is the `git commit` / `$EDITOR` pattern.
+ */
+export function launchAgentForeground(agent, cwd) {
+    if (!agent.cmd) {
+        return { exitCode: null, error: `${agent.name} is not a terminal agent` };
+    }
+    try {
+        const result = spawnSync(agent.cmd, [], {
+            cwd,
+            stdio: 'inherit',
+            env: { ...process.env },
+            // No timeout — user controls session duration
+        });
+        if (result.error) {
+            // Binary not found or spawn failed
+            const msg = result.error.code === 'ENOENT'
+                ? `${agent.name} (${agent.cmd}) not found. Install it first.`
+                : `Failed to launch ${agent.name}: ${result.error.message}`;
+            return { exitCode: null, error: msg };
+        }
+        return { exitCode: result.status };
+    }
+    catch (err) {
+        return { exitCode: null, error: `Failed to launch ${agent.name}: ${err.message}` };
+    }
+}
+// ─── IDE app launch ──────────────────────────────────────────────────
+/**
+ * Open an IDE/GUI agent with the project directory.
+ * Uses `open -a` (macOS), `xdg-open` (Linux), or `start` (Windows).
+ */
+export function launchAgentIDE(agent, cwd) {
+    if (!agent.app) {
+        return { success: false, error: `${agent.name} is not an IDE agent` };
+    }
+    try {
+        const os = platform();
+        let result;
+        if (os === 'darwin') {
+            result = spawnSync('open', ['-a', agent.app, cwd], {
+                stdio: ['pipe', 'pipe', 'pipe'],
+                timeout: 10000,
+            });
+        }
+        else if (os === 'win32') {
+            result = spawnSync('start', ['', agent.app], {
+                cwd,
+                shell: true,
+                stdio: ['pipe', 'pipe', 'pipe'],
+                timeout: 10000,
+            });
+        }
+        else {
+            // Linux — try xdg-open or direct binary
+            result = spawnSync('xdg-open', [cwd], {
+                stdio: ['pipe', 'pipe', 'pipe'],
+                timeout: 10000,
+            });
+        }
+        if (result.error || (result.status !== null && result.status !== 0)) {
+            return {
+                success: false,
+                error: `Could not open ${agent.name} automatically. Open it manually and navigate to: ${cwd}`,
+            };
+        }
+        return { success: true };
+    }
+    catch (err) {
+        return { success: false, error: err.message };
+    }
+}
+/**
+ * Launch an agent with a prompt. Always copies to clipboard first.
+ *
+ * For terminal agents (claude, codex, gemini): foreground spawn.
+ * For IDE agents (cursor, windsurf): open app.
+ * For clipboard: copy only.
+ */
+export function launchAgent(agent, prompt, cwd) {
+    // Step 1: Always copy to clipboard
+    const clipboardCopied = copyToClipboard(prompt);
+    // Step 2: clipboard-only mode
+    if (agent.id === 'clipboard') {
+        return { launched: true, clipboardCopied };
+    }
+    // Step 3: Terminal agent — foreground spawn
+    if (agent.cmd) {
+        const { exitCode, error } = launchAgentForeground(agent, cwd);
+        if (error) {
+            return { launched: false, clipboardCopied, error };
+        }
+        return { launched: true, clipboardCopied };
+    }
+    // Step 4: IDE agent — open app
+    if (agent.app) {
+        const { success, error } = launchAgentIDE(agent, cwd);
+        return { launched: success, clipboardCopied, error };
+    }
+    return { launched: false, clipboardCopied, error: `Unknown agent type: ${agent.id}` };
+}
+//# sourceMappingURL=launcher.js.map

package/dist/agents/launcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"launcher.js","sourceRoot":"","sources":["../../src/agents/launcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAGnC,wEAAwE;AAExE,8DAA8D;AAC9D,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,QAAQ,EAAE,KAAK,QAAQ;QAClC,CAAC,CAAC,CAAC,QAAQ,CAAC;QACZ,CAAC,CAAC,QAAQ,EAAE,KAAK,OAAO;YACtB,CAAC,CAAC,CAAC,MAAM,CAAC;YACV,CAAC,CAAC,CAAC,4BAA4B,EAAE,0BAA0B,CAAC,CAAC;IAEjE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE;gBAClC,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;YACH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YAAC,SAAS;QAAC,CAAC;IACvB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wEAAwE;AAExE;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAiB,EAAE,GAAW;IAIlE,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACf,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,0BAA0B,EAAE,CAAC;IAC5E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,EAAE;YACtC,GAAG;YACH,KAAK,EAAE,SAAS;YAChB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE;YACvB,8CAA8C;SAC/C,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,mCAAmC;YACnC,MAAM,GAAG,GAAI,MAAM,CAAC,KAAa,CAAC,IAAI,KAAK,QAAQ;gBACjD,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,GAAG,gCAAgC;gBAC7D,CAAC,CAAC,oBAAoB,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC9D,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QACxC,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;IACrC,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,oBAAoB,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACrF,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAiB,EAAE,GAAW;IAI3D,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,IAAI,sBAAsB,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;QACtB,IAAI,MAAM,CAAC;QAEX,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;YACpB,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;gBACjD,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE;gBAC3C,GAAG;gBACH,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,wCAAwC;YACxC,MAAM,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,EAAE;gBACpC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,kBAAkB,KAAK,CAAC,IAAI,qDAAqD,GAAG,EAAE;aAC9F,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;IAChD,CAAC;AACH,CAAC;AAUD;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,KAAiB,EAAE,MAAc,EAAE,GAAW;IACxE,mCAAmC;IACnC,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAEhD,8BAA8B;IAC9B,IAAI,KAAK,CAAC,EAAE,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;IAC7C,CAAC;IAED,4CAA4C;IAC5C,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,qBAAqB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9D,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;QACrD,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;IAC7C,CAAC;IAED,+BAA+B;IAC/B,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACtD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,uBAAuB,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;AACxF,CAAC"}

package/dist/agents/prompts.d.ts

@@ -0,0 +1,14 @@
+/**
+ * GuardLink Agents — Prompt builders for annotation and analysis.
+ *
+ * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.
+ */
+import type { ThreatModel } from '../types/index.js';
+/**
+ * Build a prompt for annotation agents.
+ *
+ * Includes the GuardLink reference doc (truncated), current model summary,
+ * user instructions, and precise GAL syntax rules with common pitfalls.
+ */
+export declare function buildAnnotatePrompt(userPrompt: string, root: string, model: ThreatModel | null): string;
+//# sourceMappingURL=prompts.d.ts.map

package/dist/agents/prompts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../src/agents/prompts.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,GAAG,IAAI,GACxB,MAAM,CAyGR"}

package/dist/agents/prompts.js

@@ -0,0 +1,120 @@
+/**
+ * GuardLink Agents — Prompt builders for annotation and analysis.
+ *
+ * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+/**
+ * Build a prompt for annotation agents.
+ *
+ * Includes the GuardLink reference doc (truncated), current model summary,
+ * user instructions, and precise GAL syntax rules with common pitfalls.
+ */
+export function buildAnnotatePrompt(userPrompt, root, model) {
+    // Read the reference doc if available
+    let refDoc = '';
+    const refPath = resolve(root, '.guardlink', 'GUARDLINK_REFERENCE.md');
+    if (existsSync(refPath)) {
+        refDoc = readFileSync(refPath, 'utf-8');
+    }
+    let modelSummary = 'No threat model parsed yet. Run `guardlink parse` after annotating.';
+    let existingIds = '';
+    if (model) {
+        const parts = [
+            `${model.annotations_parsed} annotations`,
+            `${model.exposures.length} exposures`,
+            `${model.assets.length} assets`,
+            `${model.threats.length} threats`,
+            `${model.controls.length} controls`,
+            `${model.mitigations.length} mitigations`,
+        ];
+        modelSummary = `Current model: ${parts.join(', ')}.`;
+        // Include existing IDs so the agent doesn't create duplicates or dangling refs
+        const threatIds = model.threats.filter(t => t.id).map(t => `#${t.id}`);
+        const assetIds = model.assets.filter(a => a.id).map(a => `#${a.id}`);
+        const controlIds = model.controls.filter(c => c.id).map(c => `#${c.id}`);
+        if (threatIds.length + assetIds.length + controlIds.length > 0) {
+            const sections = [];
+            if (threatIds.length)
+                sections.push(`Threats: ${threatIds.join(', ')}`);
+            if (assetIds.length)
+                sections.push(`Assets: ${assetIds.join(', ')}`);
+            if (controlIds.length)
+                sections.push(`Controls: ${controlIds.join(', ')}`);
+            existingIds = `\n\nExisting defined IDs (use these in @exposes, @mitigates, etc.):\n${sections.join('\n')}`;
+        }
+    }
+    return `You are annotating a codebase with GuardLink security annotations.
+
+${refDoc ? '## GuardLink Reference\n\n' + refDoc.slice(0, 4000) + '\n\n' : ''}## Current State
+${modelSummary}${existingIds}
+
+## Task
+${userPrompt}
+
+## PRECISE Annotation Syntax (follow EXACTLY)
+
+Definitions go in .guardlink/definitions.js (or .py/.rs). Source files use only relationship verbs.
+
+### Definitions
+\`\`\`
+// @shield:begin -- "Example annotations for agent prompt, excluded from parsing"
+// @asset Server.Auth (#auth) -- "Authentication service"
+// @threat SQL_Injection (#sqli) [P0] cwe:CWE-89 -- "Unsanitized input in SQL"
+// @control Prepared_Statements (#prepared-stmts) -- "Parameterized queries"
+// @shield:end
+\`\`\`
+
+### Relationships (use in source files)
+\`\`\`
+// @shield:begin -- "Example annotations for agent prompt, excluded from parsing"
+// @exposes #auth to #sqli [P0] cwe:CWE-89 owasp:A03:2021 -- "User input concatenated into query"
+// @mitigates #auth against #sqli using #prepared-stmts -- "Uses parameterized queries"
+// @flows req.body.username -> db.query via string-concat -- "User input flows to SQL"
+// @boundary between #frontend and #api (#trust-boundary) -- "Public/private boundary"
+// @handles pii on #auth -- "Processes user credentials"
+// @comment -- "TODO: add rate limiting to prevent brute force"
+// @shield:end
+\`\`\`
+
+## CRITICAL SYNTAX RULES (violations cause parse errors)
+
+1. **@boundary requires TWO assets**: \`@boundary between #A and #B\` or \`@boundary #A | #B\`.
+   WRONG: \`@boundary api -- "desc"\`  (only one argument — will NOT parse)
+   RIGHT: \`@boundary between #api and #client (#api-boundary) -- "Trust boundary"\`
+
+2. **@flows is ONE source → ONE target per line**: \`@flows <source> -> <target> via <mechanism>\`.
+   WRONG: \`@flows A -> B, C -> D -- "desc"\`  (commas not supported)
+   RIGHT: \`@flows A -> B via mechanism -- "desc"\` (one per line, repeat for multiple)
+
+3. **@exposes / @mitigates require DEFINED #id refs**: Every \`#id\` you reference must exist as a definition.
+   Before using \`@exposes #app to #sqli\`, ensure \`@threat SQL_Injection (#sqli)\` exists in definitions.
+   Add new definitions to .guardlink/definitions.js FIRST, then reference them in source files.
+
+4. **Severity in square brackets**: \`[P0]\` \`[P1]\` \`[P2]\` \`[P3]\` or \`[critical]\` \`[high]\` \`[medium]\` \`[low]\`.
+   Goes AFTER the threat ref in @exposes: \`@exposes #app to #sqli [P0] cwe:CWE-89\`
+
+5. **Descriptions in double quotes after --**: \`-- "description text here"\`
+   WRONG: \`@comment "just a note"\` or \`@comment -- note without quotes\`
+   RIGHT: \`@comment -- "security-relevant developer note"\`
+
+6. **IDs use parentheses in definitions, hash in references**:
+   Definition: \`@threat SQL_Injection (#sqli)\`
+   Reference:  \`@exposes #app to #sqli\`
+
+7. **Asset references**: Use \`#id\` or \`Dotted.Path\` (e.g., \`Server.Auth\`, \`req.body.input\`).
+   Names with spaces or special chars will NOT parse.
+
+8. **External refs are space-separated after severity**: \`cwe:CWE-89 owasp:A03:2021 capec:CAPEC-66\`
+
+## Workflow
+1. Read existing definitions in .guardlink/definitions.js — reuse existing IDs
+2. Add any NEW threat/control definitions FIRST
+3. Then add relationship annotations (@exposes, @mitigates, @flows, etc.) in source files
+4. Use the project's comment style (// for JS/TS, # for Python, etc.)
+5. Run guardlink_validate (MCP) or \`guardlink validate\` to check for errors
+6. Fix any validation errors before finishing
+`;
+}
+//# sourceMappingURL=prompts.js.map

package/dist/agents/prompts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompts.js","sourceRoot":"","sources":["../../src/agents/prompts.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,UAAkB,EAClB,IAAY,EACZ,KAAyB;IAEzB,sCAAsC;IACtC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,wBAAwB,CAAC,CAAC;IACtE,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,YAAY,GAAG,qEAAqE,CAAC;IACzF,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,KAAK,GAAG;YACZ,GAAG,KAAK,CAAC,kBAAkB,cAAc;YACzC,GAAG,KAAK,CAAC,SAAS,CAAC,MAAM,YAAY;YACrC,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,SAAS;YAC/B,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,UAAU;YACjC,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,WAAW;YACnC,GAAG,KAAK,CAAC,WAAW,CAAC,MAAM,cAAc;SAC1C,CAAC;QACF,YAAY,GAAG,kBAAkB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QAErD,+EAA+E;QAC/E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvE,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrE,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACzE,IAAI,SAAS,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/D,MAAM,QAAQ,GAAa,EAAE,CAAC;YAC9B,IAAI,SAAS,CAAC,MAAM;gBAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxE,IAAI,QAAQ,CAAC,MAAM;gBAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrE,IAAI,UAAU,CAAC,MAAM;gBAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC3E,WAAW,GAAG,wEAAwE,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9G,CAAC;IACH,CAAC;IAED,OAAO;;EAEP,MAAM,CAAC,CAAC,CAAC,4BAA4B,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE;EAC3E,YAAY,GAAG,WAAW;;;EAG1B,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgEX,CAAC;AACF,CAAC"}

package/dist/analyze/index.d.ts

@@ -0,0 +1,80 @@
+/**
+ * GuardLink Threat Reports — AI-powered threat model analysis.
+ *
+ * Serializes the threat model, sends it to an LLM with a framework-
+ * specific prompt, streams the response, and saves timestamped results
+ * to .guardlink/threat-reports/.
+ *
+ * @exposes #llm-client to #arbitrary-write [high] cwe:CWE-73 -- "Writes threat reports to .guardlink/threat-reports/"
+ * @exposes #llm-client to #prompt-injection [medium] cwe:CWE-77 -- "Serialized threat model embedded in LLM prompt"
+ * @accepts #prompt-injection on #llm-client -- "Core feature: threat model serialized as LLM prompt for analysis"
+ * @mitigates #llm-client against #arbitrary-write using #path-validation -- "Reports written to fixed .guardlink/threat-reports/ subdirectory"
+ * @flows #parser -> #llm-client via ThreatModel -- "Parsed model data serialized for LLM analysis"
+ * @flows #llm-client -> Filesystem via writeFileSync -- "Analysis results saved as markdown files"
+ * @handles internal on #llm-client -- "Processes security-sensitive threat model for AI analysis"
+ */
+import type { ThreatModel } from '../types/index.js';
+import { type AnalysisFramework } from './prompts.js';
+import { type LLMConfig } from './llm.js';
+export { type AnalysisFramework, FRAMEWORK_LABELS, FRAMEWORK_PROMPTS, buildUserMessage } from './prompts.js';
+export { type LLMConfig, type LLMProvider, buildConfig, autoDetectConfig } from './llm.js';
+export interface ThreatReportOptions {
+    root: string;
+    model: ThreatModel;
+    framework: AnalysisFramework;
+    llmConfig: LLMConfig;
+    customPrompt?: string;
+    stream?: boolean;
+    onChunk?: (text: string) => void;
+}
+export interface ThreatReportResult {
+    framework: AnalysisFramework;
+    label: string;
+    content: string;
+    model: string;
+    timestamp: string;
+    savedTo?: string;
+    inputTokens?: number;
+    outputTokens?: number;
+}
+/**
+ * Serialize the threat model to a compact representation for LLM context.
+ * Strips empty arrays and location details to save tokens.
+ */
+export declare function serializeModel(model: ThreatModel): string;
+/**
+ * Compact serialization for MCP agent mode.
+ *
+ * Designed to minimize token usage (~2-3k tokens vs ~10k for full)
+ * while giving the agent everything it needs:
+ *   - Stats summary (one line)
+ *   - Asset list (compact)
+ *   - ALL unmitigated exposures (the actionable stuff)
+ *   - Threat severity index (deduped)
+ *   - Flows & boundaries (structural context)
+ *   - Data handling classifications
+ *
+ * Omits: resolved mitigations, acceptances, working controls,
+ * full descriptions (capped at 80 chars), per-exposure file paths,
+ * comments, validations, assumptions (low signal for analysis).
+ *
+ * The agent can call guardlink_parse or read guardlink://model
+ * for full detail if needed.
+ */
+export declare function serializeModelCompact(model: ThreatModel): string;
+export declare function generateThreatReport(opts: ThreatReportOptions): Promise<ThreatReportResult>;
+export interface SavedThreatReport {
+    filename: string;
+    framework: string;
+    timestamp: string;
+    label: string;
+    model?: string;
+    /** Which directory this report was found in */
+    dirName?: string;
+}
+export declare function listThreatReports(root: string): SavedThreatReport[];
+export interface ThreatReportWithContent extends SavedThreatReport {
+    content: string;
+}
+export declare function loadThreatReportsForDashboard(root: string): ThreatReportWithContent[];
+//# sourceMappingURL=index.d.ts.map

package/dist/analyze/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyze/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,KAAK,iBAAiB,EAAyD,MAAM,cAAc,CAAC;AAC7G,OAAO,EAAE,KAAK,SAAS,EAA+B,MAAM,UAAU,CAAC;AAEvE,OAAO,EAAE,KAAK,iBAAiB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC7G,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,WAAW,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAI3F,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,WAAW,CAAC;IACnB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,iBAAiB,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAID;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAwEzD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAwEhE;AASD,wBAAsB,oBAAoB,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAwDjG;AAID,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AA8BD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAenE;AAID,MAAM,WAAW,uBAAwB,SAAQ,iBAAiB;IAChE,OAAO,EAAE,MAAM,CAAC;CACjB;AAID,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,GAAG,uBAAuB,EAAE,CAcrF"}