hackmyagent 0.16.5 → 0.17.0

package/dist/arp/index.js

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AgentRuntimeProtection = exports.mapEventType = exports.isAnomalousEvent = exports.submitGTINEvent = exports.buildGTINPayload = exports.generateSensorToken = exports.GTINForwarder = exports.PREMIUM_FEATURES = exports.registerLicenseValidator = exports.hasFeature = exports.checkLicense = exports.ARPProxy = exports.ALL_PATTERNS = exports.PATTERN_SETS = exports.scanText = exports.defaultConfig = exports.loadConfig = exports.LocalLogger = exports.EnforcementEngine = exports.A2AProtocolInterceptor = exports.MCPProtocolInterceptor = exports.PromptInterceptor = exports.FilesystemInterceptor = exports.NetworkInterceptor = exports.ProcessInterceptor = exports.parseDeclaredCapabilities = exports.createCapabilityMonitor = exports.SkillCapabilityMonitor = exports.FilesystemMonitor = exports.NetworkMonitor = exports.ProcessMonitor = exports.autoDetectAdapter = exports.createAdapter = exports.OllamaAdapter = exports.OpenAIAdapter = exports.AnthropicAdapter = exports.NanoMindL1 = exports.AnomalyDetector = exports.BudgetController = exports.IntelligenceCoordinator = exports.CorrelationEngine = exports.EventEngine = exports.VERSION = void 0;
+exports.AgentRuntimeProtection = exports.mapEventType = exports.isAnomalousEvent = exports.submitGTINEvent = exports.buildGTINPayload = exports.generateSensorToken = exports.GTINForwarder = exports.PREMIUM_FEATURES = exports.registerLicenseValidator = exports.hasFeature = exports.checkLicense = exports.ARPProxy = exports.ALL_PATTERNS = exports.PATTERN_SETS = exports.scanText = exports.defaultConfig = exports.loadConfig = exports.LocalLogger = exports.EnforcementEngine = exports.A2AProtocolInterceptor = exports.MCPProtocolInterceptor = exports.PromptInterceptor = exports.FilesystemInterceptor = exports.NetworkInterceptor = exports.ProcessInterceptor = exports.parseDeclaredCapabilities = exports.createCapabilityMonitor = exports.SkillCapabilityMonitor = exports.FilesystemMonitor = exports.NetworkMonitor = exports.ProcessMonitor = exports.autoDetectAdapter = exports.createAdapter = exports.OllamaAdapter = exports.OpenAIAdapter = exports.AnthropicAdapter = exports.RuntimeTwin = exports.AnomalyDetector = exports.BudgetController = exports.IntelligenceCoordinator = exports.CorrelationEngine = exports.EventEngine = exports.VERSION = void 0;
 exports.VERSION = '0.2.0';
 // Re-export components
 var event_engine_1 = require("./engine/event-engine");
@@ -46,8 +46,8 @@ var budget_1 = require("./intelligence/budget");
 Object.defineProperty(exports, "BudgetController", { enumerable: true, get: function () { return budget_1.BudgetController; } });
 var anomaly_1 = require("./intelligence/anomaly");
 Object.defineProperty(exports, "AnomalyDetector", { enumerable: true, get: function () { return anomaly_1.AnomalyDetector; } });
-var nanomind_l1_1 = require("./intelligence/nanomind-l1");
-Object.defineProperty(exports, "NanoMindL1", { enumerable: true, get: function () { return nanomind_l1_1.NanoMindL1; } });
+var runtime_twin_1 = require("./intelligence/runtime-twin");
+Object.defineProperty(exports, "RuntimeTwin", { enumerable: true, get: function () { return runtime_twin_1.RuntimeTwin; } });
 var adapters_1 = require("./intelligence/adapters");
 Object.defineProperty(exports, "AnthropicAdapter", { enumerable: true, get: function () { return adapters_1.AnthropicAdapter; } });
 Object.defineProperty(exports, "OpenAIAdapter", { enumerable: true, get: function () { return adapters_1.OpenAIAdapter; } });
@@ -105,6 +105,9 @@ Object.defineProperty(exports, "mapEventType", { enumerable: true, get: function
 const path = __importStar(require("path"));
 const event_engine_2 = require("./engine/event-engine");
 const coordinator_2 = require("./intelligence/coordinator");
+const runtime_twin_2 = require("./intelligence/runtime-twin");
+const behavioral_risk_1 = require("./intelligence/behavioral-risk");
+const guard_anomaly_1 = require("./intelligence/guard-anomaly");
 const kill_switch_2 = require("./enforcement/kill-switch");
 const local_log_2 = require("./reporting/local-log");
 const process_3 = require("./monitors/process");
@@ -146,7 +149,24 @@ class AgentRuntimeProtection {
         }
         const dataDir = this.config.dataDir ?? path.join(process.cwd(), '.opena2a', 'arp');
         this.engine = new event_engine_2.EventEngine(this.config);
-        this.intelligence = new coordinator_2.IntelligenceCoordinator(this.config, dataDir);
+        // Build the runtime twin and behavioral risk source. Runtime twin is
+        // on by default when intelligence is enabled; opt out via
+        // `intelligence.runtimeTwin.enabled = false`. We do NOT attach the
+        // twin to the event engine here; start() does that so a user who
+        // constructs an ARP without calling start() does not get surprise
+        // event handlers.
+        this.runtimeTwin = buildRuntimeTwin(this.config);
+        this.behavioralRiskSource = this.runtimeTwin
+            ? new behavioral_risk_1.InProcessBehavioralRiskSource(this.runtimeTwin, 'runtime-twin-inproc')
+            : null;
+        // Build the guard anomaly detector. Only constructed when the caller
+        // injected a baseline; otherwise drift detection is inert.
+        this.guardAnomaly = buildGuardAnomaly(this.config);
+        // Wire both sources into the coordinator. The third argument
+        // (manifest) stays null here; capability manifests are loaded by
+        // ARPProxy.start for HTTP proxy deployments and are not part of the
+        // AgentRuntimeProtection constructor surface today.
+        this.intelligence = new coordinator_2.IntelligenceCoordinator(this.config, dataDir, null, this.behavioralRiskSource, this.guardAnomaly);
         this.enforcement = new kill_switch_2.EnforcementEngine();
         this.logger = new local_log_2.LocalLogger(dataDir);
         // Wire up: events → intelligence → logger
@@ -211,6 +231,13 @@ class AgentRuntimeProtection {
     async start() {
         if (this.running)
             return;
+        // Attach the runtime twin to the event engine BEFORE monitors start
+        // so the twin observes every event from the first tick. The twin
+        // trains its own baseline over the first 100 events and does not
+        // mutate the event or block the L0 decision.
+        if (this.runtimeTwin) {
+            this.runtimeTwin.attach(this.engine);
+        }
         for (const monitor of this.monitors) {
             await monitor.start();
         }
@@ -275,6 +302,72 @@ class AgentRuntimeProtection {
     getEnforcement() {
         return this.enforcement;
     }
+    /**
+     * Get the intelligence coordinator. Exposed so tests can assert the
+     * coordinator was constructed with the expected behavioral risk and
+     * guard anomaly sources, and so advanced integrations can swap
+     * sources at runtime via `setBehavioralRiskSource` / `setGuardAnomaly`.
+     */
+    getIntelligence() {
+        return this.intelligence;
+    }
+    /** The runtime twin instance, or null when disabled. */
+    getRuntimeTwin() {
+        return this.runtimeTwin;
+    }
 }
 exports.AgentRuntimeProtection = AgentRuntimeProtection;
+/**
+ * Construct an in-process `RuntimeTwin` from the ARP config, or return
+ * null when the caller disabled intelligence or the runtime twin
+ * explicitly. Kept as a free function so the constructor stays short
+ * and the default policy is visible in one place.
+ *
+ * Default policy:
+ *   - When `intelligence.enabled === false`: no twin (L2 disabled implies
+ *     the behavioral layer is also unwanted).
+ *   - When `intelligence.runtimeTwin.enabled === false`: no twin.
+ *   - Otherwise: construct a twin seeded from `config.agentName`, with
+ *     fleet federation opt-in from the config (default off).
+ */
+function buildRuntimeTwin(config) {
+    const ic = config.intelligence;
+    if (ic?.enabled === false)
+        return null;
+    const twinCfg = ic?.runtimeTwin;
+    if (twinCfg?.enabled === false)
+        return null;
+    return new runtime_twin_2.RuntimeTwin(config.agentName, {
+        enabled: true,
+        fleetEnabled: twinCfg?.fleetEnabled ?? false,
+        agentCategory: twinCfg?.agentCategory ?? 'general',
+    });
+}
+/**
+ * Construct a `GuardAnomalyDetector` from the ARP config, or return
+ * null when no baseline was provided or the caller explicitly disabled
+ * guard anomaly detection. A baseline is required: drift detection
+ * without a reference distribution is nonsense, so we refuse to
+ * auto-bootstrap one from observations. The caller supplies a
+ * Registry-exported training distribution in production, or a
+ * snapshotted JSON file pre-Registry.
+ */
+function buildGuardAnomaly(config) {
+    const gaCfg = config.intelligence?.guardAnomaly;
+    if (!gaCfg)
+        return null;
+    if (gaCfg.enabled === false)
+        return null;
+    const baseline = gaCfg.baseline;
+    if (!baseline || Object.keys(baseline).length === 0)
+        return null;
+    return new guard_anomaly_1.GuardAnomalyDetector({
+        baseline,
+        windowSize: gaCfg.windowSize,
+        alarmThreshold: gaCfg.alarmThreshold,
+        smoothing: gaCfg.smoothing,
+        minObservations: gaCfg.minObservations,
+        sourceName: gaCfg.sourceName,
+    });
+}
 //# sourceMappingURL=index.js.map

package/dist/arp/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/arp/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAa,QAAA,OAAO,GAAG,OAAO,CAAC;AA4B/B,uBAAuB;AACvB,sDAAoD;AAA3C,2GAAA,WAAW,OAAA;AACpB,oDAAyD;AAAhD,gHAAA,iBAAiB,OAAA;AAC1B,0DAAqE;AAA5D,sHAAA,uBAAuB,OAAA;AAChC,gDAAyD;AAAhD,0GAAA,gBAAgB,OAAA;AACzB,kDAAyD;AAAhD,0GAAA,eAAe,OAAA;AACxB,0DAAwD;AAA/C,yGAAA,UAAU,OAAA;AACnB,oDAA2H;AAAlH,4GAAA,gBAAgB,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,6GAAA,iBAAiB,OAAA;AACzF,8CAAoD;AAA3C,yGAAA,cAAc,OAAA;AACvB,8CAAoD;AAA3C,yGAAA,cAAc,OAAA;AACvB,oDAA0D;AAAjD,+GAAA,iBAAiB,OAAA;AAC1B,gFAAiI;AAAxH,kIAAA,sBAAsB,OAAA;AAAE,mIAAA,uBAAuB,OAAA;AAAE,qIAAA,yBAAyB,OAAA;AAEnF,kDAA4D;AAAnD,6GAAA,kBAAkB,OAAA;AAC3B,kDAA4D;AAAnD,6GAAA,kBAAkB,OAAA;AAC3B,wDAAkE;AAAzD,mHAAA,qBAAqB,OAAA;AAC9B,gDAA0D;AAAjD,2GAAA,iBAAiB,OAAA;AAC1B,4DAAqE;AAA5D,sHAAA,sBAAsB,OAAA;AAC/B,4DAAqE;AAA5D,sHAAA,sBAAsB,OAAA;AAC/B,yDAAkF;AAAzE,gHAAA,iBAAiB,OAAA;AAC1B,mDAAoD;AAA3C,wGAAA,WAAW,OAAA;AACpB,0CAA4D;AAAnD,oGAAA,UAAU,OAAA;AAAE,uGAAA,aAAa,OAAA;AAClC,oDAAkH;AAAzG,sGAAA,QAAQ,OAAA;AAAE,0GAAA,YAAY,OAAA;AAAE,0GAAA,YAAY,OAAA;AAC7C,yCAA6D;AAApD,kGAAA,QAAQ,OAAA;AACjB,qCAOmB;AANjB,uGAAA,YAAY,OAAA;AACZ,qGAAA,UAAU,OAAA;AACV,mHAAA,wBAAwB,OAAA;AACxB,2GAAA,gBAAgB,OAAA;AAKlB,sBAAsB;AACtB,yCAYqB;AAXnB,0GAAA,aAAa,OAAA;AACb,gHAAA,mBAAmB,OAAA;AACnB,6GAAA,gBAAgB,OAAA;AAChB,4GAAA,eAAe,OAAA;AACf,6GAAA,gBAAgB,OAAA;AAChB,yGAAA,YAAY,OAAA;AAQd,2CAA6B;AAE7B,wDAAoD;AACpD,4DAAqE;AACrE,2DAAkF;AAClF,qDAAoD;AACpD,gDAAoD;AACpD,gDAAoD;AACpD,sDAA0D;AAC1D,oDAA4D;AAC5D,oDAA4D;AAC5D,0DAAkE;AAClE,kDAA0D;AAC1D,8DAAqE;AACrE,8DAAqE;AACrE,4CAA6C;AAC7C,qDAAsD;AACtD,2CAAuD;AAEvD;;;;;;;;;;;;;GAaG;AACH,MAAa,sBAAsB;IAUjC,YAAY,YAAiC;QAJ5B,aAAQ,GAAc,EAAE,CAAC;QAClC,kBAAa,GAAyB,IAAI,CAAC;QAC3C,YAAO,GAAG,KAAK,CAAC;QAGtB,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,IAAA,mBAAU,EAAC,YAAY,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,GAAG,YAAY,IAAI,IAAA,mBAAU,GAAE,CAAC;QAC7C,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAEnF,IAAI,CAAC,MAAM,GAAG,IAAI,0BAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,qCAAuB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACtE,IAAI,CAAC,WAAW,GAAG,IAAI,+BAAiB,EAAE,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAW,CAAC,OAAO,CAAC,CAAC;QAEvC,0CAA0C;QAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YAClC,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,gCAAgC;QAChC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7E,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,kCAAkC;QAClC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,wBAAc,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,wBAAc,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;QAC1G,CAAC;QACD,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,8BAAiB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC;QACnH,CAAC;QAED,8EAA8E;QAC9E,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QACpC,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,4BAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,4BAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,kCAAqB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACpG,CAAC;QAED,+BAA+B;QAC/B,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;QAC/B,IAAI,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,0BAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,qCAAsB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,qCAAsB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,IAAI,IAAA,0BAAmB,GAAE,CAAC;YAC1E,IAAI,CAAC,aAAa,GAAG,IAAI,yBAAa,CAAC;gBACrC,OAAO,EAAE,IAAI;gBACb,WAAW;gBACX,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW;gBACzC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;aACnC,CAAC,CAAC;YAEH,4DAA4D;YAC5D,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC5B,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QAEzB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;IACtB,CAAC;IAED,uCAAuC;IACvC,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;IACvB,CAAC;IAED,8BAA8B;IAC9B,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,yBAAyB;IACzB,SAAS;QAMP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC9E,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE;YAC3C,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE;SAC7C,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,SAAS,CAAC,KAAc;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,8BAA8B;IAC9B,MAAM,CAAC,GAAW;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;IAED,oFAAoF;IACpF,OAAO,CAAC,OAAkD;QACxD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAED,2CAA2C;IAC3C,aAAa,CAAC,OAA8E;QAC1F,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,wDAAwD;IACxD,gBAAgB,CAAC,QAAuB;QACtC,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED,qDAAqD;IACrD,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,sDAAsD;IACtD,cAAc;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;CACF;AAhLD,wDAgLC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/arp/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAa,QAAA,OAAO,GAAG,OAAO,CAAC;AA4B/B,uBAAuB;AACvB,sDAAoD;AAA3C,2GAAA,WAAW,OAAA;AACpB,oDAAyD;AAAhD,gHAAA,iBAAiB,OAAA;AAC1B,0DAAqE;AAA5D,sHAAA,uBAAuB,OAAA;AAChC,gDAAyD;AAAhD,0GAAA,gBAAgB,OAAA;AACzB,kDAAyD;AAAhD,0GAAA,eAAe,OAAA;AACxB,4DAA0D;AAAjD,2GAAA,WAAW,OAAA;AACpB,oDAA2H;AAAlH,4GAAA,gBAAgB,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,6GAAA,iBAAiB,OAAA;AACzF,8CAAoD;AAA3C,yGAAA,cAAc,OAAA;AACvB,8CAAoD;AAA3C,yGAAA,cAAc,OAAA;AACvB,oDAA0D;AAAjD,+GAAA,iBAAiB,OAAA;AAC1B,gFAAiI;AAAxH,kIAAA,sBAAsB,OAAA;AAAE,mIAAA,uBAAuB,OAAA;AAAE,qIAAA,yBAAyB,OAAA;AAEnF,kDAA4D;AAAnD,6GAAA,kBAAkB,OAAA;AAC3B,kDAA4D;AAAnD,6GAAA,kBAAkB,OAAA;AAC3B,wDAAkE;AAAzD,mHAAA,qBAAqB,OAAA;AAC9B,gDAA0D;AAAjD,2GAAA,iBAAiB,OAAA;AAC1B,4DAAqE;AAA5D,sHAAA,sBAAsB,OAAA;AAC/B,4DAAqE;AAA5D,sHAAA,sBAAsB,OAAA;AAC/B,yDAAkF;AAAzE,gHAAA,iBAAiB,OAAA;AAC1B,mDAAoD;AAA3C,wGAAA,WAAW,OAAA;AACpB,0CAA4D;AAAnD,oGAAA,UAAU,OAAA;AAAE,uGAAA,aAAa,OAAA;AAClC,oDAAkH;AAAzG,sGAAA,QAAQ,OAAA;AAAE,0GAAA,YAAY,OAAA;AAAE,0GAAA,YAAY,OAAA;AAC7C,yCAA6D;AAApD,kGAAA,QAAQ,OAAA;AACjB,qCAOmB;AANjB,uGAAA,YAAY,OAAA;AACZ,qGAAA,UAAU,OAAA;AACV,mHAAA,wBAAwB,OAAA;AACxB,2GAAA,gBAAgB,OAAA;AAKlB,sBAAsB;AACtB,yCAYqB;AAXnB,0GAAA,aAAa,OAAA;AACb,gHAAA,mBAAmB,OAAA;AACnB,6GAAA,gBAAgB,OAAA;AAChB,4GAAA,eAAe,OAAA;AACf,6GAAA,gBAAgB,OAAA;AAChB,yGAAA,YAAY,OAAA;AAQd,2CAA6B;AAE7B,wDAAoD;AACpD,4DAAqE;AACrE,8DAA0D;AAC1D,oEAGwC;AACxC,gEAGsC;AACtC,2DAAkF;AAClF,qDAAoD;AACpD,gDAAoD;AACpD,gDAAoD;AACpD,sDAA0D;AAC1D,oDAA4D;AAC5D,oDAA4D;AAC5D,0DAAkE;AAClE,kDAA0D;AAC1D,8DAAqE;AACrE,8DAAqE;AACrE,4CAA6C;AAC7C,qDAAsD;AACtD,2CAAuD;AAEvD;;;;;;;;;;;;;GAaG;AACH,MAAa,sBAAsB;IA2BjC,YAAY,YAAiC;QArB5B,aAAQ,GAAc,EAAE,CAAC;QAClC,kBAAa,GAAyB,IAAI,CAAC;QAC3C,YAAO,GAAG,KAAK,CAAC;QAoBtB,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,IAAA,mBAAU,EAAC,YAAY,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,GAAG,YAAY,IAAI,IAAA,mBAAU,GAAE,CAAC;QAC7C,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;QAEnF,IAAI,CAAC,MAAM,GAAG,IAAI,0BAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE3C,qEAAqE;QACrE,0DAA0D;QAC1D,mEAAmE;QACnE,iEAAiE;QACjE,kEAAkE;QAClE,kBAAkB;QAClB,IAAI,CAAC,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC,WAAW;YAC1C,CAAC,CAAC,IAAI,+CAA6B,CAAC,IAAI,CAAC,WAAW,EAAE,qBAAqB,CAAC;YAC5E,CAAC,CAAC,IAAI,CAAC;QAET,qEAAqE;QACrE,2DAA2D;QAC3D,IAAI,CAAC,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEnD,6DAA6D;QAC7D,iEAAiE;QACjE,oEAAoE;QACpE,oDAAoD;QACpD,IAAI,CAAC,YAAY,GAAG,IAAI,qCAAuB,CAC7C,IAAI,CAAC,MAAM,EACX,OAAO,EACP,IAAI,EACJ,IAAI,CAAC,oBAAoB,EACzB,IAAI,CAAC,YAAY,CAClB,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,IAAI,+BAAiB,EAAE,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAW,CAAC,OAAO,CAAC,CAAC;QAEvC,0CAA0C;QAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YAClC,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,gCAAgC;QAChC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7E,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,kCAAkC;QAClC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,wBAAc,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,wBAAc,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;QAC1G,CAAC;QACD,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,8BAAiB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC;QACnH,CAAC;QAED,8EAA8E;QAC9E,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QACpC,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,4BAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,4BAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,kCAAqB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACpG,CAAC;QAED,+BAA+B;QAC/B,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;QAC/B,IAAI,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,0BAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,qCAAsB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,qCAAsB,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,IAAI,IAAA,0BAAmB,GAAE,CAAC;YAC1E,IAAI,CAAC,aAAa,GAAG,IAAI,yBAAa,CAAC;gBACrC,OAAO,EAAE,IAAI;gBACb,WAAW;gBACX,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW;gBACzC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;aACnC,CAAC,CAAC;YAEH,4DAA4D;YAC5D,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC5B,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QAEzB,oEAAoE;QACpE,iEAAiE;QACjE,iEAAiE;QACjE,6CAA6C;QAC7C,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC;QAED,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;QACxB,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;IACtB,CAAC;IAED,uCAAuC;IACvC,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC;QAED,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;IACvB,CAAC;IAED,8BAA8B;IAC9B,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,yBAAyB;IACzB,SAAS;QAMP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC9E,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE;YAC3C,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE;SAC7C,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,SAAS,CAAC,KAAc;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,8BAA8B;IAC9B,MAAM,CAAC,GAAW;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;IAED,oFAAoF;IACpF,OAAO,CAAC,OAAkD;QACxD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAED,2CAA2C;IAC3C,aAAa,CAAC,OAA8E;QAC1F,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,wDAAwD;IACxD,gBAAgB,CAAC,QAAuB;QACtC,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED,qDAAqD;IACrD,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,sDAAsD;IACtD,cAAc;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;;;;OAKG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,wDAAwD;IACxD,cAAc;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;CACF;AAlPD,wDAkPC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,gBAAgB,CAAC,MAAiB;IACzC,MAAM,EAAE,GAAG,MAAM,CAAC,YAAY,CAAC;IAC/B,IAAI,EAAE,EAAE,OAAO,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,OAAO,GAAG,EAAE,EAAE,WAAW,CAAC;IAChC,IAAI,OAAO,EAAE,OAAO,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC5C,OAAO,IAAI,0BAAW,CAAC,MAAM,CAAC,SAAS,EAAE;QACvC,OAAO,EAAE,IAAI;QACb,YAAY,EAAE,OAAO,EAAE,YAAY,IAAI,KAAK;QAC5C,aAAa,EAAE,OAAO,EAAE,aAAa,IAAI,SAAS;KACnD,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,iBAAiB,CAAC,MAAiB;IAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,KAAK,CAAC,OAAO,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;IAChC,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,OAAO,IAAI,oCAAoB,CAAC;QAC9B,QAAQ;QACR,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,UAAU,EAAE,KAAK,CAAC,UAAU;KAC7B,CAAC,CAAC;AACL,CAAC"}

package/dist/arp/intelligence/behavioral-risk-server.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Behavioral risk IPC server (AIComply P1, producer side).
+ *
+ * Partner to `behavioral-risk.ts`. Listens on a unix domain socket (or
+ * Windows named pipe) and answers risk signal requests by delegating to a
+ * caller-supplied `BehavioralRiskScoreable`, which in production is a
+ * `RuntimeTwin` instance running in the twin's own process.
+ *
+ * The server is deliberately narrow: one request per connection, no
+ * session state, no authentication beyond filesystem permissions on the
+ * socket path. The threat model assumes the socket is owned by the same
+ * local user and is reachable only from processes with appropriate
+ * filesystem access; cross-host or cross-user use is out of scope.
+ *
+ * Wire format (both directions, newline-delimited JSON):
+ *
+ *   request  {"kind":"risk_signal_request","version":1,"event":<ARPEvent>}
+ *   response {"kind":"risk_signal_response","version":1,"score":...,
+ *             "action":"allow|alert|throttle|suspend|kill","reason":"...",
+ *             "source":"...","computedAtMs":...}
+ *   error    {"kind":"risk_signal_error","version":1,"code":<code>,
+ *             "reason":"..."}
+ *
+ * Any parse failure, unknown kind, or thrown exception inside the scorer
+ * is converted to a structured `risk_signal_error` message. The server
+ * never crashes on a malformed request; per-request isolation keeps a
+ * bad client from affecting others.
+ */
+import { type BehavioralRiskScoreable, type BehavioralRiskUnavailableCode } from './behavioral-risk';
+/**
+ * Options accepted by `startBehavioralRiskServer`. Only `twin` is
+ * required; everything else has a defensible default.
+ */
+export interface BehavioralRiskServerOptions {
+    /**
+     * Handle that knows how to score an ARP event. In production this is a
+     * RuntimeTwin instance. In tests it can be any stub that returns a
+     * deterministic risk score.
+     */
+    twin: BehavioralRiskScoreable;
+    /**
+     * Filesystem path where the server listens. On POSIX systems, a unix
+     * domain socket; on Windows, a named pipe path. Any existing socket
+     * file at this path is removed before binding (POSIX only).
+     */
+    socketPath: string;
+    /**
+     * Identifier written back into the `source` field of every response.
+     * Helps the coordinator's audit log distinguish between multiple risk
+     * sources during A/B rollout.
+     */
+    sourceName?: string;
+    /**
+     * Invoked whenever the server rejects a request with an error response.
+     * Gets the code and reason. Useful for routing to a SIEM or surfacing
+     * in an operator dashboard. Optional; defaults to a no-op.
+     */
+    onError?: (code: BehavioralRiskUnavailableCode, reason: string) => void;
+}
+/**
+ * Handle returned by `startBehavioralRiskServer`. Callers hold this for
+ * the lifetime of the coordinator and invoke `close()` on shutdown.
+ */
+export interface BehavioralRiskServerHandle {
+    /** The listening socket path. */
+    readonly socketPath: string;
+    /**
+     * Stop accepting new connections, tear down the listening socket, and
+     * clean up the socket file on POSIX. Safe to call more than once.
+     */
+    close(): Promise<void>;
+}
+/**
+ * Start the behavioral risk IPC server. Resolves once the server is
+ * actively listening on the socket path so the caller can hand the path
+ * to clients without a race against a half-open listener.
+ *
+ * Throws on bind failure (unrecoverable; the caller should decide
+ * whether to degrade to an in-process source or fail the startup).
+ */
+export declare function startBehavioralRiskServer(options: BehavioralRiskServerOptions): Promise<BehavioralRiskServerHandle>;
+//# sourceMappingURL=behavioral-risk-server.d.ts.map

package/dist/arp/intelligence/behavioral-risk-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"behavioral-risk-server.d.ts","sourceRoot":"","sources":["../../../src/arp/intelligence/behavioral-risk-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAMH,OAAO,EAEL,KAAK,uBAAuB,EAC5B,KAAK,6BAA6B,EACnC,MAAM,mBAAmB,CAAC;AAE3B;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;;;OAIG;IACH,IAAI,EAAE,uBAAuB,CAAC;IAC9B;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,6BAA6B,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACzE;AAED;;;GAGG;AACH,MAAM,WAAW,0BAA0B;IACzC,iCAAiC;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,2BAA2B,GACnC,OAAO,CAAC,0BAA0B,CAAC,CAkGrC"}

package/dist/arp/intelligence/behavioral-risk-server.js

@@ -0,0 +1,258 @@
+"use strict";
+/**
+ * Behavioral risk IPC server (AIComply P1, producer side).
+ *
+ * Partner to `behavioral-risk.ts`. Listens on a unix domain socket (or
+ * Windows named pipe) and answers risk signal requests by delegating to a
+ * caller-supplied `BehavioralRiskScoreable`, which in production is a
+ * `RuntimeTwin` instance running in the twin's own process.
+ *
+ * The server is deliberately narrow: one request per connection, no
+ * session state, no authentication beyond filesystem permissions on the
+ * socket path. The threat model assumes the socket is owned by the same
+ * local user and is reachable only from processes with appropriate
+ * filesystem access; cross-host or cross-user use is out of scope.
+ *
+ * Wire format (both directions, newline-delimited JSON):
+ *
+ *   request  {"kind":"risk_signal_request","version":1,"event":<ARPEvent>}
+ *   response {"kind":"risk_signal_response","version":1,"score":...,
+ *             "action":"allow|alert|throttle|suspend|kill","reason":"...",
+ *             "source":"...","computedAtMs":...}
+ *   error    {"kind":"risk_signal_error","version":1,"code":<code>,
+ *             "reason":"..."}
+ *
+ * Any parse failure, unknown kind, or thrown exception inside the scorer
+ * is converted to a structured `risk_signal_error` message. The server
+ * never crashes on a malformed request; per-request isolation keeps a
+ * bad client from affecting others.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startBehavioralRiskServer = startBehavioralRiskServer;
+const net = __importStar(require("net"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const behavioral_risk_1 = require("./behavioral-risk");
+/**
+ * Start the behavioral risk IPC server. Resolves once the server is
+ * actively listening on the socket path so the caller can hand the path
+ * to clients without a race against a half-open listener.
+ *
+ * Throws on bind failure (unrecoverable; the caller should decide
+ * whether to degrade to an in-process source or fail the startup).
+ */
+async function startBehavioralRiskServer(options) {
+    const { twin, socketPath, sourceName = 'nanomind-l1-ipc', onError } = options;
+    // On POSIX, a stale socket file from a crashed previous run blocks
+    // bind. We remove it defensively. On Windows named pipes, the path is
+    // in its own namespace and this step is a no-op.
+    if (process.platform !== 'win32') {
+        try {
+            const dir = path.dirname(socketPath);
+            if (!fs.existsSync(dir))
+                fs.mkdirSync(dir, { recursive: true });
+            if (fs.existsSync(socketPath))
+                fs.unlinkSync(socketPath);
+        }
+        catch {
+            // If we cannot clean up the stale file, let listen() surface the
+            // real error below.
+        }
+    }
+    const server = net.createServer((socket) => {
+        let buffer = '';
+        let handled = false;
+        const sendAndClose = (payload) => {
+            if (handled)
+                return;
+            handled = true;
+            try {
+                socket.write(JSON.stringify(payload) + '\n');
+            }
+            catch {
+                // If the client already hung up, there is nothing useful to do.
+            }
+            socket.end();
+        };
+        const sendError = (code, reason) => {
+            onError?.(code, reason);
+            sendAndClose({
+                kind: 'risk_signal_error',
+                version: behavioral_risk_1.BEHAVIORAL_RISK_WIRE_VERSION,
+                code,
+                reason,
+            });
+        };
+        socket.on('data', (chunk) => {
+            if (handled)
+                return;
+            buffer += chunk.toString('utf8');
+            const nl = buffer.indexOf('\n');
+            if (nl < 0) {
+                // Cap unparsed buffer to keep a misbehaving client from
+                // exhausting server memory. One request per connection means a
+                // single line; anything beyond a reasonable ceiling is hostile.
+                if (buffer.length > 64 * 1024) {
+                    sendError('PARSE_ERROR', 'request exceeded maximum size');
+                }
+                return;
+            }
+            const line = buffer.slice(0, nl);
+            handleRequest(line, twin, sourceName, sendAndClose, sendError);
+        });
+        socket.on('error', () => {
+            // Drop per-connection errors; nothing to log that the client will
+            // see. A wedged client eventually times out.
+        });
+    });
+    server.on('error', (err) => {
+        // Per-connection errors bubble up here after a catastrophic failure.
+        // We defer to the caller's onError hook so operators can spot
+        // repeating listen-level failures.
+        onError?.('TRANSPORT_ERROR', `server error: ${err.message}`);
+    });
+    await new Promise((resolve, reject) => {
+        server.once('error', reject);
+        server.listen(socketPath, () => {
+            server.removeListener('error', reject);
+            resolve();
+        });
+    });
+    let closed = false;
+    return {
+        socketPath,
+        close: async () => {
+            if (closed)
+                return;
+            closed = true;
+            await new Promise((resolve) => {
+                server.close(() => resolve());
+            });
+            if (process.platform !== 'win32') {
+                try {
+                    if (fs.existsSync(socketPath))
+                        fs.unlinkSync(socketPath);
+                }
+                catch {
+                    // Nothing actionable; the socket file may already be gone.
+                }
+            }
+        },
+    };
+}
+/**
+ * Parse and dispatch a single request line. Extracted so the connection
+ * handler stays readable and so the request path can be unit tested in
+ * isolation later if needed. Every failure path resolves to a
+ * `risk_signal_error` rather than propagating an exception: the server
+ * must never crash on a malformed request.
+ */
+function handleRequest(line, twin, sourceName, sendAndClose, sendError) {
+    let msg;
+    try {
+        msg = JSON.parse(line);
+    }
+    catch (err) {
+        sendError('PARSE_ERROR', `invalid json: ${err.message}`);
+        return;
+    }
+    if (msg === null || typeof msg !== 'object') {
+        sendError('PARSE_ERROR', 'request is not a json object');
+        return;
+    }
+    const obj = msg;
+    if (obj.version !== behavioral_risk_1.BEHAVIORAL_RISK_WIRE_VERSION) {
+        sendError('PARSE_ERROR', `unsupported wire version: ${JSON.stringify(obj.version)}`);
+        return;
+    }
+    if (obj.kind !== 'risk_signal_request') {
+        sendError('PARSE_ERROR', `unexpected kind: ${JSON.stringify(obj.kind)}`);
+        return;
+    }
+    const event = obj.event;
+    if (!isArpEventLike(event)) {
+        sendError('PARSE_ERROR', 'event field is missing required ARPEvent shape');
+        return;
+    }
+    let result;
+    try {
+        result = twin.scoreARPEvent(event);
+    }
+    catch (err) {
+        sendError('INTERNAL_ERROR', `twin threw: ${err.message ?? String(err)}`);
+        return;
+    }
+    if (result === null) {
+        sendError('NOT_READY', 'twin baseline not yet trained');
+        return;
+    }
+    sendAndClose({
+        kind: 'risk_signal_response',
+        version: behavioral_risk_1.BEHAVIORAL_RISK_WIRE_VERSION,
+        score: result.score,
+        action: result.action,
+        reason: result.reason,
+        source: sourceName,
+        computedAtMs: Date.now(),
+    });
+}
+/**
+ * Narrow runtime check for an ARPEvent-shaped request payload. Only
+ * validates the fields the twin's scoreARPEvent path actually reads,
+ * which is by design: stricter validation would reject valid events
+ * whose extra fields the server does not care about.
+ */
+function isArpEventLike(v) {
+    if (v === null || typeof v !== 'object')
+        return false;
+    const e = v;
+    if (typeof e.id !== 'string')
+        return false;
+    if (typeof e.timestamp !== 'string')
+        return false;
+    if (typeof e.source !== 'string')
+        return false;
+    if (typeof e.category !== 'string')
+        return false;
+    if (typeof e.severity !== 'string')
+        return false;
+    if (typeof e.description !== 'string')
+        return false;
+    if (e.data === null || typeof e.data !== 'object')
+        return false;
+    return true;
+}
+//# sourceMappingURL=behavioral-risk-server.js.map

package/dist/arp/intelligence/behavioral-risk-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"behavioral-risk-server.js","sourceRoot":"","sources":["../../../src/arp/intelligence/behavioral-risk-server.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiEH,8DAoGC;AAnKD,yCAA2B;AAC3B,uCAAyB;AACzB,2CAA6B;AAE7B,uDAI2B;AA+C3B;;;;;;;GAOG;AACI,KAAK,UAAU,yBAAyB,CAC7C,OAAoC;IAEpC,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,GAAG,iBAAiB,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAE9E,mEAAmE;IACnE,sEAAsE;IACtE,iDAAiD;IACjD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAChE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;gBAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,oBAAoB;QACtB,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE;QACzC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,MAAM,YAAY,GAAG,CAAC,OAAgC,EAAE,EAAE;YACxD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;YAClE,CAAC;YACD,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,CAAC,CAAC;QAEF,MAAM,SAAS,GAAG,CAAC,IAAmC,EAAE,MAAc,EAAE,EAAE;YACxE,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YACxB,YAAY,CAAC;gBACX,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,8CAA4B;gBACrC,IAAI;gBACJ,MAAM;aACP,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,IAAI,OAAO;gBAAE,OAAO;YACpB,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;gBACX,wDAAwD;gBACxD,+DAA+D;gBAC/D,gEAAgE;gBAChE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;oBAC9B,SAAS,CAAC,aAAa,EAAE,+BAA+B,CAAC,CAAC;gBAC5D,CAAC;gBACD,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACtB,kEAAkE;YAClE,6CAA6C;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACzB,qEAAqE;QACrE,8DAA8D;QAC9D,mCAAmC;QACnC,OAAO,EAAE,CAAC,iBAAiB,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,EAAE;YAC7B,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACvC,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,OAAO;QACL,UAAU;QACV,KAAK,EAAE,KAAK,IAAI,EAAE;YAChB,IAAI,MAAM;gBAAE,OAAO;YACnB,MAAM,GAAG,IAAI,CAAC;YACd,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChC,CAAC,CAAC,CAAC;YACH,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,IAAI,CAAC;oBACH,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;wBAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;gBAC3D,CAAC;gBAAC,MAAM,CAAC;oBACP,2DAA2D;gBAC7D,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,aAAa,CACpB,IAAY,EACZ,IAA6B,EAC7B,UAAkB,EAClB,YAAwD,EACxD,SAAwE;IAExE,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,SAAS,CAAC,aAAa,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACpE,OAAO;IACT,CAAC;IACD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,SAAS,CAAC,aAAa,EAAE,8BAA8B,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,IAAI,GAAG,CAAC,OAAO,KAAK,8CAA4B,EAAE,CAAC;QACjD,SAAS,CAAC,aAAa,EAAE,6BAA6B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACrF,OAAO;IACT,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACvC,SAAS,CAAC,aAAa,EAAE,oBAAoB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzE,OAAO;IACT,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,SAAS,CAAC,aAAa,EAAE,gDAAgD,CAAC,CAAC;QAC3E,OAAO;IACT,CAAC;IACD,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,SAAS,CAAC,gBAAgB,EAAE,eAAgB,GAAa,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpF,OAAO;IACT,CAAC;IACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,SAAS,CAAC,WAAW,EAAE,+BAA+B,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IACD,YAAY,CAAC;QACX,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,8CAA4B;QACrC,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,MAAM,EAAE,UAAU;QAClB,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;KACzB,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,CAAU;IAChC,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,CAAC,GAAG,CAA4B,CAAC;IACvC,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjD,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACjD,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACpD,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChE,OAAO,IAAI,CAAC;AACd,CAAC"}