heron-ai 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Heron Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,423 @@
+<p align="center">
+  <img src=".github/heron-logo.svg" alt="Heron" width="80" />
+</p>
+
+<h1 align="center">Heron</h1>
+
+<p align="center">
+  <strong>Open-source AI agent auditor</strong><br />
+  Know what your AI agents actually access before they go to production.
+</p>
+
+<p align="center">
+  <a href="#quick-start">Quick Start</a> &bull;
+  <a href="#how-it-works">How It Works</a> &bull;
+  <a href="#example-report">Example Report</a> &bull;
+  <a href="#use-cases">Use Cases</a>
+</p>
+
+---
+
+> You wouldn't give a contractor the keys to your office without checking their ID.
+> Why give an AI agent production access without an audit?
+
+## Why Heron?
+
+AI agents are requesting access to production systems &mdash; CRMs, databases, APIs, internal tools. Before granting access, someone needs to answer:
+
+- **What** does this agent actually do in this specific project?
+- **What data** does it handle &mdash; and does it need write access?
+- **What happens** if something goes wrong?
+
+Today these questions are answered in Slack threads, docs, or not at all.
+
+**Heron answers them automatically.** Point agents at it, get a structured audit report. No SDK integration, no code changes to the agent.
+
+```
+┌──────────┐         ┌──────────────┐         ┌──────────────┐
+│          │         │              │         │              │
+│  Agent   │────────>│    Heron     │────────>│ Audit Report │
+│          │         │              │         │              │
+│          │<────────│  Structured  │         │  Findings    │
+└──────────┘         │  Interview   │         │  Systems     │
+                     │  (10 core +  │         │  Regulatory  │
+                     │  follow-ups) │         │  Verdict     │
+                     └──────────────┘         └──────────────┘
+```
+
+## Quick Start
+
+### Option 1: Interactive CLI
+
+```bash
+git clone https://github.com/jonydony/Heron.git
+cd Heron && npm install
+
+export HERON_LLM_API_KEY=sk-xxx  # Anthropic, OpenAI, or Gemini key — auto-detected
+
+npx tsx bin/heron.ts
+```
+
+An interactive menu lets you choose:
+
+```
+  Heron — AI Agent Auditor
+
+  > Start server    agents connect to you
+    Scan an agent   you connect to an agent
+```
+
+### Option 2: Use the hosted version
+
+Paste this into your AI agent's chat:
+
+```
+I need you to complete a security access review for this project.
+Make sequential API calls to the Heron endpoint until it says "Interview complete".
+
+Step 1 — Start the interview:
+POST https://heron-open-source-production.up.railway.app/v1/chat/completions
+Body: {"model":"any","messages":[{"role":"user","content":"Hi, I am ready to answer questions about this project."}]}
+
+The response will contain a question and a session ID (in the text and in the "heron_session_id" JSON field).
+
+Step 2 — Send each answer:
+POST https://heron-open-source-production.up.railway.app/v1/chat/completions
+Body: {"model":"any","messages":[{"role":"user","content":"YOUR ANSWER HERE"}],"heron_session_id":"SESSION_ID_FROM_STEP_1"}
+
+Step 3 — Repeat step 2 with each new answer until the response says "Interview complete".
+
+Important: answer about THIS specific project — what you actually do, what systems
+you connect to, what data you handle. Not general capabilities. Never reveal actual
+secret values — just describe credential types.
+```
+
+View reports at: https://heron-open-source-production.up.railway.app
+
+### Option 3: OPENAI_BASE_URL
+
+Redirect any OpenAI-compatible agent to Heron without changing the agent's code:
+
+```bash
+OPENAI_BASE_URL=http://localhost:3700/v1 python your_agent.py
+```
+
+The agent thinks it's talking to GPT. Heron intercepts, runs the interview, generates a report.
+
+### Option 4: Claude Code skill (zero setup)
+
+If you use [Claude Code](https://claude.ai/code), install the `/heron-audit` skill:
+
+```bash
+bash Heron/skills/heron-audit/install.sh
+```
+
+Then in any project:
+
+```
+/heron-audit
+```
+
+Claude interviews itself about the current project and generates an audit report.
+
+## How It Works
+
+<table>
+<tr>
+<td width="50%">
+
+**Step 1 — Start Heron**
+
+One command. Interactive menu or direct flags.
+
+</td>
+<td width="50%">
+
+```bash
+$ npx tsx bin/heron.ts
+
+  Heron — AI Agent Auditor
+
+  > Start server    agents connect to you
+    Scan an agent   you connect to an agent
+```
+
+</td>
+</tr>
+<tr>
+<td>
+
+**Step 2 — Agent connects**
+
+Heron speaks OpenAI-compatible API. No SDK, no code changes needed.
+
+</td>
+<td>
+
+```bash
+# Paste the prompt into agent's chat
+# Or redirect the base URL:
+OPENAI_BASE_URL=http://localhost:3700/v1 \
+  your-agent start
+```
+
+</td>
+</tr>
+<tr>
+<td>
+
+**Step 3 — Structured interview**
+
+10 core questions, each targeting a compliance field. Smart follow-ups probe vague answers. Format examples guide the agent to give concrete, structured responses.
+
+</td>
+<td>
+
+```
+Heron: "List every system you connect to.
+       Format: Name → API type → Auth method
+       Example: Google Sheets → REST API → OAuth2"
+
+Agent: "HubSpot → REST API → OAuth2
+        PostgreSQL → Direct TCP → Password
+        Slack → Bot API → Bot token"
+```
+
+</td>
+</tr>
+<tr>
+<td>
+
+**Step 4 — Report generated**
+
+Per-system access cards, findings with IDs, risk scoring, regulatory flags, and actionable recommendations.
+
+</td>
+<td>
+
+```
+  Audit complete: sess_abc123
+  Risk:         MEDIUM
+  Data quality: 100/100
+  Verdict:      APPROVE WITH CONDITIONS
+  Findings:     4
+  Report:       ./reports/sess_abc123.md
+  Dashboard:    http://localhost:3700/sessions/sess_abc123
+```
+
+</td>
+</tr>
+</table>
+
+### Interview Protocol
+
+10 structured questions targeting compliance fields, plus LLM-generated follow-ups:
+
+| # | Question | Compliance Field |
+|---|----------|-----------------|
+| 1 | Deployment profile (project name, owner, trigger) | Agent identity |
+| 2 | Permissions and scopes per system | `scopesRequested` |
+| 3 | Systems enumeration (Name &rarr; API &rarr; Auth) | `systemId` |
+| 4 | Data sensitivity per system (PII/financial/confidential) | `dataSensitivity` |
+| 5 | Detailed permissions | Access assessment |
+| 6 | Data read operations and classification | Data inventory |
+| 7 | Reversibility of operations | `reversibility` |
+| 8 | Write operations (Action &rarr; Target &rarr; Reversible? &rarr; Volume) | `writeOperations` |
+| 9 | Blast radius (records/users affected if write fails) | `blastRadius` |
+| 10 | Frequency and volume (runs/week, API calls/run) | `frequencyAndVolume` |
+| +  | Unused permissions, worst-case failure, decision-making about people | Excess access, risk, regulatory |
+
+Follow-ups are generated when answers are vague or compliance fields are missing (up to 6 per interview).
+
+### Report Structure
+
+1. **Executive Summary** &mdash; dashboard table (risk / systems / findings)
+2. **Agent Profile** &mdash; purpose, trigger, owner, frequency
+3. **Findings** &mdash; severity-ranked with IDs (HERON-001, ...), split description and recommendation
+4. **Systems & Access** &mdash; per-system cards with risk rating, scopes, data, writes, blast radius
+5. **What's Working Well** &mdash; positive findings
+6. **Verdict & Recommendations** &mdash; APPROVE / APPROVE WITH CONDITIONS / DENY
+7. **Regulatory Compliance** &mdash; EU (AI Act + GDPR), US (SOC 2 + state AI laws), UK (UK GDPR + ICO)
+8. **Data Quality** &mdash; field-by-field coverage score, repeated answer warnings
+9. **Interview Transcript** &mdash; full Q&A for manual review
+
+## Example Report
+
+<details>
+<summary>Expand example: CRM sync agent audit</summary>
+
+```markdown
+# Agent Access Audit Report
+
+**Generated**: 2026-04-05 | **Agent**: SalesSync | **Risk Level**: HIGH
+**Data Quality**: 83/100
+**Regulatory**: EU: Review | US: Review | UK: Review
+
+---
+
+## Executive Summary
+
+| Risk | Systems | Findings |
+|------|---------|----------|
+| **HIGH** | 3 | 1 Critical, 1 High, 2 Medium |
+
+SalesSync syncs contact and deal data between HubSpot CRM and an internal
+PostgreSQL database, and sends Slack notifications on deal stage changes.
+
+---
+
+## Findings
+
+| ID | Severity | Finding | Description | Recommendation |
+|----|----------|---------|-------------|----------------|
+| HERON-001 | CRITICAL | Bulk update risk | Can overwrite all ~15,000 contacts | Add validation + staged rollout |
+| HERON-002 | HIGH | Sensitive data writable | PII + financial in PostgreSQL | Restrict to needed columns |
+| HERON-003 | MEDIUM | Excessive HubSpot scope | deals.write granted but unused | Revoke unused scope |
+| HERON-004 | MEDIUM | Irreversible Slack messages | Deal notifications can't be recalled | Add pre-send validation |
+
+---
+
+## Systems & Access
+
+### HubSpot CRM → REST API → OAuth2 — Risk: HIGH
+
+| | |
+|---|---|
+| **Scopes granted** | contacts.read, contacts.write, deals.read, deals.write |
+| **Excessive** | deals.write (never used) |
+| **Data** | PII + financial |
+| **Blast radius** | org-wide (~15,000 records) |
+
+---
+
+## Verdict: APPROVE WITH CONDITIONS
+```
+
+</details>
+
+## Use Cases
+
+**Security team: "vet before you deploy"** &mdash; Deploy Heron as a gate. Agents must pass an audit before getting production access. Review structured reports with findings, risk levels, and recommendations.
+
+**Team lead: "what does this agent actually do?"** &mdash; Paste the prompt into the agent's chat. Get a clear breakdown of systems, data, permissions, and blast radius.
+
+**Compliance: "prove your agents are controlled"** &mdash; Heron generates audit-ready reports with regulatory flags for EU AI Act, GDPR, SOC 2, and UK GDPR. Attach to compliance evidence packages.
+
+## Two Modes
+
+| Mode | Command | Direction | Use Case |
+|------|---------|-----------|----------|
+| **Server** | `serve` | Agent &rarr; Heron | Deploy as a gate. Agents connect to Heron |
+| **Scan** | `scan` | Heron &rarr; Agent | Connect to an agent's API and interrogate it |
+
+## LLM Provider
+
+Heron auto-detects the provider from your API key:
+
+| Key prefix | Provider | Default model |
+|------------|----------|---------------|
+| `sk-ant-` | Anthropic | claude-sonnet-4 |
+| `sk-` | OpenAI | gpt-5.4-mini |
+| `AIza` | Gemini | gemini-2.0-flash |
+
+```bash
+export HERON_LLM_API_KEY=sk-xxx   # that's it — provider and model auto-selected
+```
+
+Override with `--llm-provider` and `--llm-model` if needed.
+
+## Reference
+
+<details>
+<summary>Server Mode &mdash; <code>heron serve</code></summary>
+
+```bash
+npx tsx bin/heron.ts serve [options]
+```
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `-p, --port <port>` | Port to listen on | `3700` |
+| `-H, --host <host>` | Host to bind to | `0.0.0.0` |
+| `--llm-key <key>` | LLM API key | `HERON_LLM_API_KEY` env |
+| `--llm-provider <p>` | `anthropic`, `openai`, or `gemini` | auto-detect |
+| `--llm-model <model>` | Analysis LLM model | auto per provider |
+| `--max-followups <n>` | Max follow-up questions | `3` |
+| `--report-dir <dir>` | Where to save reports | `./reports` |
+
+**API Endpoints**
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/v1/chat/completions` | POST | OpenAI-compatible &mdash; agents connect here |
+| `/api/sessions` | GET | List all sessions (JSON) |
+| `/api/sessions/:id` | GET | Session details + transcript |
+| `/api/sessions/:id/report` | GET | Download audit report (markdown) |
+| `/` | GET | Dashboard |
+
+</details>
+
+<details>
+<summary>Scan Mode &mdash; <code>heron scan</code></summary>
+
+```bash
+npx tsx bin/heron.ts scan [options]
+```
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `-t, --target <url>` | Agent's chat API URL | required |
+| `--llm-key <key>` | LLM API key | `HERON_LLM_API_KEY` env |
+| `--llm-provider <p>` | `anthropic`, `openai`, or `gemini` | auto-detect |
+| `--llm-model <model>` | Analysis LLM model | auto per provider |
+| `-o, --output <path>` | Save report to file | `./reports/scan_xxx.md` |
+| `--max-followups <n>` | Max follow-up questions | `3` |
+| `--report-dir <dir>` | Where to save reports | `./reports` |
+
+</details>
+
+## Architecture
+
+```
+bin/heron.ts              CLI entry point (interactive menu, scan, serve)
+src/
+  server/
+    index.ts              HTTP server + dashboard + OpenAI-compatible endpoint
+    sessions.ts           Session manager with follow-ups and async analysis
+  interview/
+    questions.ts          10 structured questions (one per compliance field)
+    protocol.ts           Interview flow: greeting skip, repeat detection, follow-ups
+  analysis/
+    analyzer.ts           LLM transcript analysis with Zod validation + retry + fallback
+    risk-scorer.ts        Rubric-driven risk scoring from structured per-system data
+  report/
+    generator.ts          Regulatory compliance flags (EU/US/UK) + report assembly
+    templates.ts          Markdown report: per-system cards, findings, positive findings
+    types.ts              Zod schemas for SystemAssessment, AuditReport, RegulatoryFlags
+  llm/
+    client.ts             Unified LLM client (Anthropic/OpenAI/Gemini, auto-detect)
+    prompts.ts            Interview + analysis prompts with anti-hallucination rules
+  connectors/             Agent connection (HTTP, interactive)
+  config/                 YAML config loading + Zod validation
+```
+
+## Development
+
+```bash
+git clone https://github.com/jonydony/Heron.git
+cd Heron && npm install
+
+# Run locally
+HERON_LLM_API_KEY=sk-xxx npx tsx bin/heron.ts serve
+
+# Tests
+npm test
+```
+
+## Contributing
+
+Issues and PRs welcome.
+
+## License
+
+[MIT](LICENSE)

package/dist/bin/heron.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=heron.d.ts.map

package/dist/bin/heron.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"heron.d.ts","sourceRoot":"","sources":["../../bin/heron.ts"],"names":[],"mappings":""}

package/dist/bin/heron.js

@@ -0,0 +1,198 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { loadConfigFromFlags } from '../src/config/loader.js';
+import { run } from '../src/index.js';
+import { startServer } from '../src/server/index.js';
+import * as logger from '../src/util/logger.js';
+const program = new Command();
+program
+    .name('heron')
+    .description('Open-source agent checkpoint — vet AI agents before granting production access')
+    .version('0.1.0');
+// ─── scan: active mode (Heron → Agent) ───────────────────────────────────
+program
+    .command('scan')
+    .description('Interrogate an agent by connecting to its API')
+    .option('-t, --target <url>', 'Target agent URL (OpenAI-compatible chat API)')
+    .option('--target-type <type>', 'Connection type: http or interactive', 'http')
+    .option('--llm-provider <provider>', 'LLM provider: anthropic, openai, or gemini (auto-detected from key)')
+    .option('--llm-model <model>', 'LLM model (auto-selected per provider)')
+    .option('--llm-key <key>', 'LLM API key (or set HERON_LLM_API_KEY)')
+    .option('-o, --output <path>', 'Save report to file (default: stdout)')
+    .option('-f, --format <format>', 'Output format: markdown or json', 'markdown')
+    .option('-c, --config <path>', 'Path to heron.yaml config file')
+    .option('--max-followups <n>', 'Max follow-up questions per category', '3')
+    .option('--report-dir <dir>', 'Directory to save reports', './reports')
+    .option('-v, --verbose', 'Show detailed interview progress')
+    .action(async (opts) => {
+    try {
+        if (!opts.target && !opts.config && opts.targetType !== 'interactive') {
+            console.error('Either --target <url>, --config <path>, or --target-type interactive is required');
+            process.exit(1);
+        }
+        const config = loadConfigFromFlags({
+            target: opts.target,
+            targetType: opts.targetType,
+            llmProvider: opts.llmProvider,
+            llmModel: opts.llmModel,
+            llmKey: opts.llmKey,
+            output: opts.output,
+            format: opts.format,
+            config: opts.config,
+        });
+        await run(config, {
+            verbose: opts.verbose ?? false,
+            maxFollowUps: parseInt(opts.maxFollowups ?? '3', 10),
+            reportDir: opts.reportDir,
+        });
+    }
+    catch (err) {
+        logger.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+});
+// ─── serve: passive mode (Agent → Heron) ─────────────────────────────────
+program
+    .command('serve')
+    .description('Start Heron server — agents connect to be interrogated')
+    .option('-p, --port <port>', 'Port to listen on', '3700')
+    .option('-H, --host <host>', 'Host to bind to', '0.0.0.0')
+    .option('--llm-provider <provider>', 'LLM provider: anthropic, openai, or gemini (auto-detected from key)')
+    .option('--llm-model <model>', 'LLM model (auto-selected per provider)')
+    .option('--llm-key <key>', 'LLM API key (or set HERON_LLM_API_KEY)')
+    .option('--max-followups <n>', 'Max follow-up questions per category', '3')
+    .option('--report-dir <dir>', 'Directory to save reports', './reports')
+    .action(async (opts) => {
+    try {
+        await startServer({
+            port: parseInt(opts.port, 10),
+            host: opts.host,
+            llm: {
+                provider: opts.llmProvider,
+                apiKey: opts.llmKey,
+                model: opts.llmModel,
+            },
+            maxFollowUps: parseInt(opts.maxFollowups ?? '3', 10),
+            reportDir: opts.reportDir,
+        });
+    }
+    catch (err) {
+        logger.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+});
+// ─── Interactive mode: no args → ask what to do ─────────────────────────────
+import { createInterface } from 'node:readline';
+/** Arrow-key selector like Claude Code / npm init */
+function selectPrompt(title, options) {
+    return new Promise(resolve => {
+        let selected = 0;
+        const out = process.stderr;
+        function render() {
+            // Move cursor up to redraw (after first render)
+            for (const [i, opt] of options.entries()) {
+                const indicator = i === selected ? '\x1b[36m❯\x1b[0m' : ' ';
+                const label = i === selected ? `\x1b[1m${opt.label}\x1b[0m` : `\x1b[2m${opt.label}\x1b[0m`;
+                const desc = i === selected ? `  \x1b[2m${opt.description}\x1b[0m` : '';
+                out.write(`  ${indicator} ${label}${desc}\n`);
+            }
+        }
+        function clear() {
+            // Move up and clear each line
+            for (let i = 0; i < options.length; i++) {
+                out.write('\x1b[A\x1b[2K');
+            }
+        }
+        out.write(`\n  \x1b[1m${title}\x1b[0m\n\n`);
+        render();
+        if (!process.stdin.isTTY) {
+            // Non-interactive: use default
+            resolve(options[0].value);
+            return;
+        }
+        process.stdin.setRawMode(true);
+        process.stdin.resume();
+        process.stdin.setEncoding('utf-8');
+        function onData(key) {
+            if (key === '\x1b[A' || key === 'k') {
+                // Up arrow or k
+                selected = (selected - 1 + options.length) % options.length;
+                clear();
+                render();
+            }
+            else if (key === '\x1b[B' || key === 'j') {
+                // Down arrow or j
+                selected = (selected + 1) % options.length;
+                clear();
+                render();
+            }
+            else if (key === '\r' || key === '\n') {
+                // Enter
+                process.stdin.setRawMode(false);
+                process.stdin.pause();
+                process.stdin.removeListener('data', onData);
+                // Redraw final state with checkmark
+                clear();
+                for (const [i, opt] of options.entries()) {
+                    if (i === selected) {
+                        out.write(`  \x1b[32m✓\x1b[0m \x1b[1m${opt.label}\x1b[0m\n`);
+                    }
+                }
+                out.write('\n');
+                resolve(options[selected].value);
+            }
+            else if (key === '\x03') {
+                // Ctrl+C
+                process.stdin.setRawMode(false);
+                process.exit(0);
+            }
+        }
+        process.stdin.on('data', onData);
+    });
+}
+function textPrompt(label) {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    return new Promise(resolve => {
+        rl.question(`  ${label}`, (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}
+async function interactiveStart() {
+    const mode = await selectPrompt('Heron — AI Agent Auditor', [
+        { label: 'Start server', description: 'agents connect to you', value: 'serve' },
+        { label: 'Scan an agent', description: 'you connect to an agent', value: 'scan' },
+    ]);
+    if (mode === 'serve') {
+        process.argv.splice(2, 0, 'serve');
+        program.parse();
+    }
+    else {
+        const url = await textPrompt('Agent URL: ');
+        if (!url) {
+            console.error('  URL is required.');
+            process.exit(1);
+        }
+        process.argv.splice(2, 0, 'scan', '--target', url);
+        program.parse();
+    }
+}
+const args = process.argv.slice(2);
+const hasSubcommand = args.length > 0 && ['scan', 'serve', 'help', '--help', '-h', '--version', '-V'].includes(args[0]);
+if (!hasSubcommand && args.length > 0) {
+    // Legacy: flags without subcommand → scan
+    process.argv.splice(2, 0, 'scan');
+    program.parse();
+}
+else if (!hasSubcommand) {
+    // No args at all → interactive menu
+    interactiveStart().catch(err => {
+        logger.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    });
+}
+else {
+    program.parse();
+}
+//# sourceMappingURL=heron.js.map

package/dist/bin/heron.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"heron.js","sourceRoot":"","sources":["../../bin/heron.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,MAAM,MAAM,uBAAuB,CAAC;AAEhD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,gFAAgF,CAAC;KAC7F,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,oBAAoB,EAAE,+CAA+C,CAAC;KAC7E,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,EAAE,MAAM,CAAC;KAC9E,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,uCAAuC,CAAC;KACtE,MAAM,CAAC,uBAAuB,EAAE,iCAAiC,EAAE,UAAU,CAAC;KAC9E,MAAM,CAAC,qBAAqB,EAAE,gCAAgC,CAAC;KAC/D,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,CAAC;KACtE,MAAM,CAAC,eAAe,EAAE,kCAAkC,CAAC;KAC3D,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,UAAU,KAAK,aAAa,EAAE,CAAC;YACtE,OAAO,CAAC,KAAK,CAAC,kFAAkF,CAAC,CAAC;YAClG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,mBAAmB,CAAC;YACjC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,MAAM,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,KAAK;YAC9B,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,GAAG,EAAE,EAAE,CAAC;YACpD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,SAAS,CAAC;KACzD,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,CAAC;KACtE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,WAAW,CAAC;YAChB,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE;gBACH,QAAQ,EAAE,IAAI,CAAC,WAAgD;gBAC/D,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,KAAK,EAAE,IAAI,CAAC,QAAQ;aACrB;YACD,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,GAAG,EAAE,EAAE,CAAC;YACpD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,+EAA+E;AAE/E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAQhD,qDAAqD;AACrD,SAAS,YAAY,CAAC,KAAa,EAAE,OAAuB;IAC1D,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;QAE3B,SAAS,MAAM;YACb,gDAAgD;YAChD,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBACzC,MAAM,SAAS,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC5D,MAAM,KAAK,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,KAAK,SAAS,CAAC;gBAC3F,MAAM,IAAI,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,WAAW,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,GAAG,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,SAAS,KAAK;YACZ,8BAA8B;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACxC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,cAAc,KAAK,aAAa,CAAC,CAAC;QAC5C,MAAM,EAAE,CAAC;QAET,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACzB,+BAA+B;YAC/B,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAEnC,SAAS,MAAM,CAAC,GAAW;YACzB,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBACpC,gBAAgB;gBAChB,QAAQ,GAAG,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;gBAC5D,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBAC3C,kBAAkB;gBAClB,QAAQ,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;gBAC3C,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBACxC,QAAQ;gBACR,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,oCAAoC;gBACpC,KAAK,EAAE,CAAC;gBACR,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;oBACzC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;wBACnB,GAAG,CAAC,KAAK,CAAC,6BAA6B,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC;oBAC/D,CAAC;gBACH,CAAC;gBACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChB,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;iBAAM,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;gBAC1B,SAAS;gBACT,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,EAAE,CAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC,MAAM,EAAE,EAAE;YACnC,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,0BAA0B,EAAE;QAC1D,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,uBAAuB,EAAE,KAAK,EAAE,OAAO,EAAE;QAC/E,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,yBAAyB,EAAE,KAAK,EAAE,MAAM,EAAE;KAClF,CAAC,CAAC;IAEH,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QACnC,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAExH,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;IACtC,0CAA0C;IAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC;KAAM,IAAI,CAAC,aAAa,EAAE,CAAC;IAC1B,oCAAoC;IACpC,gBAAgB,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;QAC7B,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC"}

package/dist/src/analysis/analyzer.d.ts

@@ -0,0 +1,14 @@
+import type { LLMClient } from '../llm/client.js';
+import type { QAPair, AccessAssessment, DataNeed } from '../report/types.js';
+import { type AnalysisResult } from '../report/types.js';
+export interface FullAnalysisResult extends AnalysisResult {
+    dataNeeds: DataNeed[];
+    accessAssessment: AccessAssessment;
+}
+/**
+ * Uses LLM to analyze the interview transcript and produce a structured audit.
+ * Validates output with Zod schema. Retries once on parse failure.
+ * Falls back to partial report on double failure.
+ */
+export declare function analyzeTranscript(llmClient: LLMClient, transcript: QAPair[]): Promise<FullAnalysisResult>;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/src/analysis/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAA0B,MAAM,oBAAoB,CAAC;AACrG,OAAO,EAAwB,KAAK,cAAc,EAAuB,MAAM,oBAAoB,CAAC;AAKpG,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,MAAM,EAAE,GACnB,OAAO,CAAC,kBAAkB,CAAC,CAwB7B"}