hivemind-pipeline 0.1.0

package/dist/src/core/risk-scorer.js

@@ -0,0 +1,226 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join, dirname, basename, extname } from 'node:path';
+import { execSync } from 'node:child_process';
+/** Patterns indicating core/critical files */
+const CRITICAL_PATTERNS = [
+    /auth/i, /login/i, /session/i, /token/i, /jwt/i, /oauth/i,
+    /payment/i, /billing/i, /stripe/i, /checkout/i, /invoice/i,
+    /database/i, /migration/i, /schema/i, /model/i,
+    /security/i, /encrypt/i, /decrypt/i, /secret/i, /credential/i,
+    /middleware/i, /guard/i, /permission/i, /rbac/i, /acl/i,
+];
+/** Patterns indicating high-risk infrastructure files */
+const INFRA_PATTERNS = [
+    /config/i, /env/i, /docker/i, /ci/i, /deploy/i, /pipeline/i,
+    /webpack/i, /vite\.config/i, /tsconfig/i, /package\.json$/,
+];
+/** Common test file patterns */
+const TEST_PATTERNS = [
+    '.test.', '.spec.', '__tests__', '__test__',
+    '.test.ts', '.test.tsx', '.test.js', '.test.jsx',
+    '.spec.ts', '.spec.tsx', '.spec.js', '.spec.jsx',
+];
+export class RiskScorer {
+    cwd;
+    constructor(cwd) {
+        this.cwd = cwd;
+    }
+    /** Score a set of changed files */
+    scoreFiles(files) {
+        return files.map(f => this.scoreFile(f)).sort((a, b) => b.overall - a.overall);
+    }
+    /** Score a single file */
+    scoreFile(file) {
+        const dimensions = [
+            { name: 'File Risk', score: this.fileRiskScore(file), weight: 0.25, detail: '' },
+            { name: 'Coverage', score: this.coverageScore(file), weight: 0.20, detail: '' },
+            { name: 'Blast Radius', score: this.blastRadiusScore(file), weight: 0.20, detail: '' },
+            { name: 'Change History', score: this.changeHistoryScore(file), weight: 0.15, detail: '' },
+            { name: 'Complexity', score: this.complexityScore(file), weight: 0.10, detail: '' },
+            { name: 'Novelty', score: this.noveltyScore(file), weight: 0.10, detail: '' },
+        ];
+        const overall = Math.round(dimensions.reduce((sum, d) => sum + d.score * d.weight, 0));
+        const level = this.scoreToLevel(overall);
+        return { file, overall, level, dimensions };
+    }
+    /** Detect core/critical files by path patterns */
+    fileRiskScore(file) {
+        const lower = file.toLowerCase();
+        // Skip test files — they are low risk
+        if (TEST_PATTERNS.some(p => lower.includes(p))) {
+            return 5;
+        }
+        // Critical domain files
+        const criticalMatches = CRITICAL_PATTERNS.filter(p => p.test(file));
+        if (criticalMatches.length >= 2)
+            return 95;
+        if (criticalMatches.length === 1)
+            return 75;
+        // Infrastructure files
+        const infraMatches = INFRA_PATTERNS.filter(p => p.test(file));
+        if (infraMatches.length > 0)
+            return 60;
+        // Entry points
+        if (/index\.[jt]sx?$/.test(file) || /main\.[jt]sx?$/.test(file) || /app\.[jt]sx?$/.test(file)) {
+            return 50;
+        }
+        // Default: moderate risk
+        return 25;
+    }
+    /** Check if test file exists — no test = higher risk */
+    coverageScore(file) {
+        const ext = extname(file);
+        const base = basename(file, ext);
+        const dir = dirname(file);
+        const fullDir = join(this.cwd, dir);
+        // Test files themselves have zero coverage risk
+        if (TEST_PATTERNS.some(p => file.includes(p))) {
+            return 0;
+        }
+        // Check common test file locations
+        const testVariants = [
+            join(fullDir, `${base}.test${ext}`),
+            join(fullDir, `${base}.spec${ext}`),
+            join(fullDir, '__tests__', `${base}${ext}`),
+            join(fullDir, '__tests__', `${base}.test${ext}`),
+            join(this.cwd, 'tests', dir, `${base}.test${ext}`),
+            join(this.cwd, 'test', dir, `${base}.test${ext}`),
+        ];
+        for (const testPath of testVariants) {
+            if (existsSync(testPath)) {
+                return 15; // Has a test file — low risk
+            }
+        }
+        return 85; // No test file found — high risk
+    }
+    /** Count importers of this file via grep */
+    blastRadiusScore(file) {
+        try {
+            const relPath = file.replace(/\.[jt]sx?$/, '');
+            const fileName = basename(relPath);
+            // Search for imports of this file
+            const result = execSync(`git grep -l --no-color -E "(import|require).*['\"].*${fileName}['\"]" -- "*.ts" "*.tsx" "*.js" "*.jsx" 2>/dev/null || true`, { cwd: this.cwd, encoding: 'utf-8', timeout: 10000 }).trim();
+            const importers = result ? result.split('\n').filter(l => l.trim().length > 0).length : 0;
+            // Scale: 0 importers = 0, 1-2 = 20, 3-5 = 40, 6-10 = 60, 11-20 = 80, 20+ = 100
+            if (importers === 0)
+                return 0;
+            if (importers <= 2)
+                return 20;
+            if (importers <= 5)
+                return 40;
+            if (importers <= 10)
+                return 60;
+            if (importers <= 20)
+                return 80;
+            return 100;
+        }
+        catch {
+            return 30; // Default moderate if git grep fails
+        }
+    }
+    /** Count recent commits touching this file (last 90 days) */
+    changeHistoryScore(file) {
+        try {
+            const result = execSync(`git log --oneline --since="90 days ago" -- "${file}" 2>/dev/null | wc -l`, { cwd: this.cwd, encoding: 'utf-8', timeout: 10000 }).trim();
+            const commits = parseInt(result, 10) || 0;
+            // Scale: 0-1 = 10, 2-5 = 30, 6-10 = 50, 11-20 = 70, 21-50 = 85, 50+ = 100
+            if (commits <= 1)
+                return 10;
+            if (commits <= 5)
+                return 30;
+            if (commits <= 10)
+                return 50;
+            if (commits <= 20)
+                return 70;
+            if (commits <= 50)
+                return 85;
+            return 100;
+        }
+        catch {
+            return 30; // Default moderate if git fails
+        }
+    }
+    /** File size / line count as complexity proxy */
+    complexityScore(file) {
+        const fullPath = join(this.cwd, file);
+        if (!existsSync(fullPath))
+            return 50; // Can't assess — moderate default
+        try {
+            const content = readFileSync(fullPath, 'utf-8');
+            const lines = content.split('\n').length;
+            // Count nesting depth (braces, brackets for complexity)
+            let maxDepth = 0;
+            let currentDepth = 0;
+            for (const char of content) {
+                if (char === '{') {
+                    currentDepth++;
+                    if (currentDepth > maxDepth)
+                        maxDepth = currentDepth;
+                }
+                else if (char === '}') {
+                    currentDepth--;
+                }
+            }
+            // Combine line count and nesting
+            let lineScore;
+            if (lines <= 50)
+                lineScore = 10;
+            else if (lines <= 150)
+                lineScore = 25;
+            else if (lines <= 300)
+                lineScore = 45;
+            else if (lines <= 500)
+                lineScore = 65;
+            else if (lines <= 1000)
+                lineScore = 80;
+            else
+                lineScore = 95;
+            let depthScore;
+            if (maxDepth <= 3)
+                depthScore = 10;
+            else if (maxDepth <= 5)
+                depthScore = 30;
+            else if (maxDepth <= 8)
+                depthScore = 55;
+            else if (maxDepth <= 12)
+                depthScore = 75;
+            else
+                depthScore = 95;
+            return Math.round(lineScore * 0.6 + depthScore * 0.4);
+        }
+        catch {
+            return 50;
+        }
+    }
+    /** Is this a new file (no git history)? */
+    noveltyScore(file) {
+        try {
+            const result = execSync(`git log --oneline -- "${file}" 2>/dev/null | wc -l`, { cwd: this.cwd, encoding: 'utf-8', timeout: 10000 }).trim();
+            const totalCommits = parseInt(result, 10) || 0;
+            // Brand new (0-1 commits) = high risk, battle-tested = low
+            if (totalCommits === 0)
+                return 100; // Untracked / brand new
+            if (totalCommits === 1)
+                return 80; // Just added
+            if (totalCommits <= 3)
+                return 55; // Young
+            if (totalCommits <= 10)
+                return 30; // Moderate history
+            return 10; // Well-established
+        }
+        catch {
+            return 70; // If we can't check, assume fairly new
+        }
+    }
+    /** Map overall score to risk level */
+    scoreToLevel(score) {
+        if (score <= 25)
+            return 'low';
+        if (score <= 50)
+            return 'medium';
+        if (score <= 75)
+            return 'high';
+        return 'critical';
+    }
+}
+//# sourceMappingURL=risk-scorer.js.map

package/dist/src/core/risk-scorer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-scorer.js","sourceRoot":"","sources":["../../../src/core/risk-scorer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAyB,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,IAAI,EAAY,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACvE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAgB9C,8CAA8C;AAC9C,MAAM,iBAAiB,GAAG;IACxB,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ;IACzD,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU;IAC1D,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ;IAC9C,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa;IAC7D,aAAa,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CACxD,CAAC;AAEF,yDAAyD;AACzD,MAAM,cAAc,GAAG;IACrB,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW;IAC3D,UAAU,EAAE,eAAe,EAAE,WAAW,EAAE,gBAAgB;CAC3D,CAAC;AAEF,gCAAgC;AAChC,MAAM,aAAa,GAAG;IACpB,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU;IAC3C,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW;IAChD,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW;CACjD,CAAC;AAEF,MAAM,OAAO,UAAU;IACD;IAApB,YAAoB,GAAW;QAAX,QAAG,GAAH,GAAG,CAAQ;IAAG,CAAC;IAEnC,mCAAmC;IACnC,UAAU,CAAC,KAAe;QACxB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC;IACjF,CAAC;IAED,0BAA0B;IAClB,SAAS,CAAC,IAAY;QAC5B,MAAM,UAAU,GAAoB;YAClC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;YAChF,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;YAC/E,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;YACtF,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;YAC1F,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;YACnF,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;SAC9E,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAC3D,CAAC;QAEF,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEzC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IAC9C,CAAC;IAED,kDAAkD;IAC1C,aAAa,CAAC,IAAY;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAEjC,sCAAsC;QACtC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO,CAAC,CAAC;QACX,CAAC;QAED,wBAAwB;QACxB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACpE,IAAI,eAAe,CAAC,MAAM,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3C,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAE5C,uBAAuB;QACvB,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9D,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QAEvC,eAAe;QACf,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9F,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,yBAAyB;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,wDAAwD;IAChD,aAAa,CAAC,IAAY;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAEpC,gDAAgD;QAChD,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,OAAO,CAAC,CAAC;QACX,CAAC;QAED,mCAAmC;QACnC,MAAM,YAAY,GAAG;YACnB,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE,CAAC;YAC3C,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC;YAChD,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC;YAClD,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC;SAClD,CAAC;QAEF,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzB,OAAO,EAAE,CAAC,CAAC,6BAA6B;YAC1C,CAAC;QACH,CAAC;QAED,OAAO,EAAE,CAAC,CAAC,iCAAiC;IAC9C,CAAC;IAED,4CAA4C;IACpC,gBAAgB,CAAC,IAAY;QACnC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;YAEnC,kCAAkC;YAClC,MAAM,MAAM,GAAG,QAAQ,CACrB,uDAAuD,QAAQ,6DAA6D,EAC5H,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CACrD,CAAC,IAAI,EAAE,CAAC;YAET,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YAE1F,+EAA+E;YAC/E,IAAI,SAAS,KAAK,CAAC;gBAAE,OAAO,CAAC,CAAC;YAC9B,IAAI,SAAS,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;YAC9B,IAAI,SAAS,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;YAC9B,IAAI,SAAS,IAAI,EAAE;gBAAE,OAAO,EAAE,CAAC;YAC/B,IAAI,SAAS,IAAI,EAAE;gBAAE,OAAO,EAAE,CAAC;YAC/B,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,qCAAqC;QAClD,CAAC;IACH,CAAC;IAED,6DAA6D;IACrD,kBAAkB,CAAC,IAAY;QACrC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CACrB,+CAA+C,IAAI,uBAAuB,EAC1E,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CACrD,CAAC,IAAI,EAAE,CAAC;YAET,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;YAE1C,0EAA0E;YAC1E,IAAI,OAAO,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;YAC5B,IAAI,OAAO,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;YAC5B,IAAI,OAAO,IAAI,EAAE;gBAAE,OAAO,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,EAAE;gBAAE,OAAO,EAAE,CAAC;YAC7B,IAAI,OAAO,IAAI,EAAE;gBAAE,OAAO,EAAE,CAAC;YAC7B,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,gCAAgC;QAC7C,CAAC;IACH,CAAC;IAED,iDAAiD;IACzC,eAAe,CAAC,IAAY;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAC,CAAC,kCAAkC;QAExE,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAEzC,wDAAwD;YACxD,IAAI,QAAQ,GAAG,CAAC,CAAC;YACjB,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;gBAC3B,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;oBACjB,YAAY,EAAE,CAAC;oBACf,IAAI,YAAY,GAAG,QAAQ;wBAAE,QAAQ,GAAG,YAAY,CAAC;gBACvD,CAAC;qBAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;oBACxB,YAAY,EAAE,CAAC;gBACjB,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,IAAI,SAAiB,CAAC;YACtB,IAAI,KAAK,IAAI,EAAE;gBAAE,SAAS,GAAG,EAAE,CAAC;iBAC3B,IAAI,KAAK,IAAI,GAAG;gBAAE,SAAS,GAAG,EAAE,CAAC;iBACjC,IAAI,KAAK,IAAI,GAAG;gBAAE,SAAS,GAAG,EAAE,CAAC;iBACjC,IAAI,KAAK,IAAI,GAAG;gBAAE,SAAS,GAAG,EAAE,CAAC;iBACjC,IAAI,KAAK,IAAI,IAAI;gBAAE,SAAS,GAAG,EAAE,CAAC;;gBAClC,SAAS,GAAG,EAAE,CAAC;YAEpB,IAAI,UAAkB,CAAC;YACvB,IAAI,QAAQ,IAAI,CAAC;gBAAE,UAAU,GAAG,EAAE,CAAC;iBAC9B,IAAI,QAAQ,IAAI,CAAC;gBAAE,UAAU,GAAG,EAAE,CAAC;iBACnC,IAAI,QAAQ,IAAI,CAAC;gBAAE,UAAU,GAAG,EAAE,CAAC;iBACnC,IAAI,QAAQ,IAAI,EAAE;gBAAE,UAAU,GAAG,EAAE,CAAC;;gBACpC,UAAU,GAAG,EAAE,CAAC;YAErB,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,2CAA2C;IACnC,YAAY,CAAC,IAAY;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CACrB,yBAAyB,IAAI,uBAAuB,EACpD,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CACrD,CAAC,IAAI,EAAE,CAAC;YAET,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;YAE/C,2DAA2D;YAC3D,IAAI,YAAY,KAAK,CAAC;gBAAE,OAAO,GAAG,CAAC,CAAC,wBAAwB;YAC5D,IAAI,YAAY,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC,CAAE,aAAa;YACjD,IAAI,YAAY,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC,CAAG,QAAQ;YAC5C,IAAI,YAAY,IAAI,EAAE;gBAAE,OAAO,EAAE,CAAC,CAAE,mBAAmB;YACvD,OAAO,EAAE,CAAC,CAAC,mBAAmB;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,uCAAuC;QACpD,CAAC;IACH,CAAC;IAED,sCAAsC;IAC9B,YAAY,CAAC,KAAa;QAChC,IAAI,KAAK,IAAI,EAAE;YAAE,OAAO,KAAK,CAAC;QAC9B,IAAI,KAAK,IAAI,EAAE;YAAE,OAAO,QAAQ,CAAC;QACjC,IAAI,KAAK,IAAI,EAAE;YAAE,OAAO,MAAM,CAAC;QAC/B,OAAO,UAAU,CAAC;IACpB,CAAC;CACF"}

package/dist/src/core/runtime-monitor.d.ts

@@ -0,0 +1,49 @@
+export interface RuntimeEvent {
+    type: 'filesystem' | 'network' | 'env-access' | 'subprocess' | 'install-script';
+    detail: string;
+    timestamp: number;
+    severity: 'info' | 'warning' | 'critical';
+    source: string;
+}
+export interface RuntimeBaseline {
+    expectedFilesystem: string[];
+    expectedNetwork: string[];
+    expectedSubprocesses: string[];
+    createdAt: number;
+}
+export declare class RuntimeMonitor {
+    private swarmDir;
+    private events;
+    private baseline;
+    private eventsFile;
+    private baselineFile;
+    constructor(swarmDir: string);
+    /** Record a runtime event */
+    recordEvent(event: Omit<RuntimeEvent, 'timestamp'>): void;
+    /** Check event against baseline — returns true if anomalous */
+    checkAnomaly(event: RuntimeEvent): boolean;
+    /** Save current events as baseline */
+    saveBaseline(): void;
+    /** Load baseline from disk */
+    private loadBaseline;
+    /** Load existing events from disk */
+    private loadEvents;
+    /** Get all events, optionally filtered by time */
+    getEvents(since?: number): RuntimeEvent[];
+    /** Get anomalies (events not in baseline) */
+    getAnomalies(): RuntimeEvent[];
+    /** Monitor npm install for suspicious behavior */
+    monitorInstall(packageName: string): RuntimeEvent[];
+    /** Clear events */
+    clearEvents(): void;
+    /** Generate summary report */
+    getSummary(): {
+        totalEvents: number;
+        anomalies: number;
+        byType: Record<string, number>;
+        bySeverity: Record<string, number>;
+    };
+    /** Simple glob-like matching (supports * wildcards) */
+    private matchGlob;
+}
+//# sourceMappingURL=runtime-monitor.d.ts.map

package/dist/src/core/runtime-monitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-monitor.d.ts","sourceRoot":"","sources":["../../../src/core/runtime-monitor.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,YAAY,GAAG,SAAS,GAAG,YAAY,GAAG,YAAY,GAAG,gBAAgB,CAAC;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;IAC1C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,cAAc;IAMb,OAAO,CAAC,QAAQ;IAL5B,OAAO,CAAC,MAAM,CAAsB;IACpC,OAAO,CAAC,QAAQ,CAAgC;IAChD,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,YAAY,CAAS;gBAET,QAAQ,EAAE,MAAM;IAUpC,6BAA6B;IAC7B,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,IAAI;IAWzD,+DAA+D;IAC/D,YAAY,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO;IA6B1C,sCAAsC;IACtC,YAAY,IAAI,IAAI;IA8BpB,8BAA8B;IAC9B,OAAO,CAAC,YAAY;IAWpB,qCAAqC;IACrC,OAAO,CAAC,UAAU;IAalB,kDAAkD;IAClD,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,YAAY,EAAE;IAOzC,6CAA6C;IAC7C,YAAY,IAAI,YAAY,EAAE;IAK9B,kDAAkD;IAClD,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,YAAY,EAAE;IA0FnD,mBAAmB;IACnB,WAAW,IAAI,IAAI;IASnB,8BAA8B;IAC9B,UAAU,IAAI;QACZ,WAAW,EAAE,MAAM,CAAC;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACpC;IAiBD,uDAAuD;IACvD,OAAO,CAAC,SAAS;CAIlB"}

package/dist/src/core/runtime-monitor.js

@@ -0,0 +1,235 @@
+import { readFileSync, writeFileSync, appendFileSync, existsSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { execSync } from 'node:child_process';
+export class RuntimeMonitor {
+    swarmDir;
+    events = [];
+    baseline = null;
+    eventsFile;
+    baselineFile;
+    constructor(swarmDir) {
+        this.swarmDir = swarmDir;
+        this.eventsFile = join(swarmDir, 'runtime-events.jsonl');
+        this.baselineFile = join(swarmDir, 'runtime-baseline.json');
+        if (!existsSync(swarmDir)) {
+            mkdirSync(swarmDir, { recursive: true });
+        }
+        this.loadBaseline();
+        this.loadEvents();
+    }
+    /** Record a runtime event */
+    recordEvent(event) {
+        const fullEvent = { ...event, timestamp: Date.now() };
+        this.events.push(fullEvent);
+        // Append to JSONL log
+        try {
+            appendFileSync(this.eventsFile, JSON.stringify(fullEvent) + '\n', 'utf-8');
+        }
+        catch {
+            // If we can't write, just keep in-memory
+        }
+    }
+    /** Check event against baseline — returns true if anomalous */
+    checkAnomaly(event) {
+        if (!this.baseline)
+            return false;
+        switch (event.type) {
+            case 'filesystem':
+                return !this.baseline.expectedFilesystem.some((pattern) => event.detail.includes(pattern) || this.matchGlob(event.detail, pattern));
+            case 'network':
+                return !this.baseline.expectedNetwork.some((host) => event.detail.includes(host));
+            case 'subprocess':
+                return !this.baseline.expectedSubprocesses.some((cmd) => event.detail.includes(cmd));
+            case 'install-script':
+                // Install scripts are always flagged as anomalous unless in baseline
+                return !this.baseline.expectedSubprocesses.some((cmd) => event.detail.includes(cmd));
+            case 'env-access':
+                // Environment access is always potentially anomalous
+                return true;
+            default:
+                return false;
+        }
+    }
+    /** Save current events as baseline */
+    saveBaseline() {
+        const filesystem = new Set();
+        const network = new Set();
+        const subprocesses = new Set();
+        for (const event of this.events) {
+            switch (event.type) {
+                case 'filesystem':
+                    filesystem.add(event.detail);
+                    break;
+                case 'network':
+                    network.add(event.detail);
+                    break;
+                case 'subprocess':
+                case 'install-script':
+                    subprocesses.add(event.detail);
+                    break;
+            }
+        }
+        this.baseline = {
+            expectedFilesystem: [...filesystem],
+            expectedNetwork: [...network],
+            expectedSubprocesses: [...subprocesses],
+            createdAt: Date.now(),
+        };
+        writeFileSync(this.baselineFile, JSON.stringify(this.baseline, null, 2), 'utf-8');
+    }
+    /** Load baseline from disk */
+    loadBaseline() {
+        try {
+            if (existsSync(this.baselineFile)) {
+                const raw = readFileSync(this.baselineFile, 'utf-8');
+                this.baseline = JSON.parse(raw);
+            }
+        }
+        catch {
+            this.baseline = null;
+        }
+    }
+    /** Load existing events from disk */
+    loadEvents() {
+        try {
+            if (existsSync(this.eventsFile)) {
+                const raw = readFileSync(this.eventsFile, 'utf-8').trim();
+                if (raw) {
+                    this.events = raw.split('\n').map((line) => JSON.parse(line));
+                }
+            }
+        }
+        catch {
+            this.events = [];
+        }
+    }
+    /** Get all events, optionally filtered by time */
+    getEvents(since) {
+        if (since !== undefined) {
+            return this.events.filter((e) => e.timestamp >= since);
+        }
+        return [...this.events];
+    }
+    /** Get anomalies (events not in baseline) */
+    getAnomalies() {
+        if (!this.baseline)
+            return [];
+        return this.events.filter((e) => this.checkAnomaly(e));
+    }
+    /** Monitor npm install for suspicious behavior */
+    monitorInstall(packageName) {
+        const installEvents = [];
+        try {
+            // Run npm install --dry-run --json to inspect what would happen
+            const result = execSync(`npm install ${packageName} --dry-run --json 2>&1`, {
+                encoding: 'utf-8',
+                timeout: 30000,
+                cwd: process.cwd(),
+            });
+            let parsed = null;
+            try {
+                parsed = JSON.parse(result);
+            }
+            catch {
+                // Non-JSON output, still record
+            }
+            if (parsed) {
+                // Check for install scripts
+                const added = parsed.added || [];
+                for (const pkg of added) {
+                    const scripts = pkg.scripts;
+                    if (scripts) {
+                        for (const [hook, cmd] of Object.entries(scripts)) {
+                            if (['preinstall', 'postinstall', 'install', 'prepare'].includes(hook)) {
+                                const event = {
+                                    type: 'install-script',
+                                    detail: `${pkg.name}@${pkg.version}: ${hook} → ${cmd}`,
+                                    severity: 'warning',
+                                    source: `npm-install:${packageName}`,
+                                };
+                                this.recordEvent(event);
+                                installEvents.push({ ...event, timestamp: Date.now() });
+                            }
+                        }
+                    }
+                }
+            }
+            // Also check for known suspicious patterns
+            const suspiciousPatterns = [
+                /curl\s+/i,
+                /wget\s+/i,
+                /eval\s*\(/,
+                /child_process/,
+                /exec\s*\(/,
+                /\.env/,
+                /process\.env/,
+                /base64/i,
+            ];
+            for (const pattern of suspiciousPatterns) {
+                if (pattern.test(result)) {
+                    const event = {
+                        type: 'install-script',
+                        detail: `Suspicious pattern detected in ${packageName}: ${pattern.source}`,
+                        severity: 'critical',
+                        source: `npm-install:${packageName}`,
+                    };
+                    this.recordEvent(event);
+                    installEvents.push({ ...event, timestamp: Date.now() });
+                }
+            }
+            // Record successful dry-run as info
+            if (installEvents.length === 0) {
+                const event = {
+                    type: 'subprocess',
+                    detail: `npm install ${packageName} --dry-run completed (clean)`,
+                    severity: 'info',
+                    source: `npm-install:${packageName}`,
+                };
+                this.recordEvent(event);
+                installEvents.push({ ...event, timestamp: Date.now() });
+            }
+        }
+        catch (err) {
+            const event = {
+                type: 'subprocess',
+                detail: `npm install ${packageName} --dry-run failed: ${err instanceof Error ? err.message : String(err)}`,
+                severity: 'warning',
+                source: `npm-install:${packageName}`,
+            };
+            this.recordEvent(event);
+            installEvents.push({ ...event, timestamp: Date.now() });
+        }
+        return installEvents;
+    }
+    /** Clear events */
+    clearEvents() {
+        this.events = [];
+        try {
+            writeFileSync(this.eventsFile, '', 'utf-8');
+        }
+        catch {
+            // Ignore write errors
+        }
+    }
+    /** Generate summary report */
+    getSummary() {
+        const byType = {};
+        const bySeverity = {};
+        for (const event of this.events) {
+            byType[event.type] = (byType[event.type] || 0) + 1;
+            bySeverity[event.severity] = (bySeverity[event.severity] || 0) + 1;
+        }
+        return {
+            totalEvents: this.events.length,
+            anomalies: this.getAnomalies().length,
+            byType,
+            bySeverity,
+        };
+    }
+    /** Simple glob-like matching (supports * wildcards) */
+    matchGlob(value, pattern) {
+        const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
+        return new RegExp(`^${escaped}$`).test(value);
+    }
+}
+//# sourceMappingURL=runtime-monitor.js.map

package/dist/src/core/runtime-monitor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-monitor.js","sourceRoot":"","sources":["../../../src/core/runtime-monitor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7F,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAiB9C,MAAM,OAAO,cAAc;IAML;IALZ,MAAM,GAAmB,EAAE,CAAC;IAC5B,QAAQ,GAA2B,IAAI,CAAC;IACxC,UAAU,CAAS;IACnB,YAAY,CAAS;IAE7B,YAAoB,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;QAClC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED,6BAA6B;IAC7B,WAAW,CAAC,KAAsC;QAChD,MAAM,SAAS,GAAiB,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC5B,sBAAsB;QACtB,IAAI,CAAC;YACH,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QAC7E,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,YAAY,CAAC,KAAmB;QAC9B,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAEjC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,YAAY;gBACf,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAC3C,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CACrF,CAAC;YACJ,KAAK,SAAS;gBACZ,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CACxC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CACtC,CAAC;YACJ,KAAK,YAAY;gBACf,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAC7C,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CACpC,CAAC;YACJ,KAAK,gBAAgB;gBACnB,qEAAqE;gBACrE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAC7C,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CACpC,CAAC;YACJ,KAAK,YAAY;gBACf,qDAAqD;gBACrD,OAAO,IAAI,CAAC;YACd;gBACE,OAAO,KAAK,CAAC;QACjB,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,YAAY;QACV,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAClC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;gBACnB,KAAK,YAAY;oBACf,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBAC7B,MAAM;gBACR,KAAK,SAAS;oBACZ,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBAC1B,MAAM;gBACR,KAAK,YAAY,CAAC;gBAClB,KAAK,gBAAgB;oBACnB,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBAC/B,MAAM;YACV,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG;YACd,kBAAkB,EAAE,CAAC,GAAG,UAAU,CAAC;YACnC,eAAe,EAAE,CAAC,GAAG,OAAO,CAAC;YAC7B,oBAAoB,EAAE,CAAC,GAAG,YAAY,CAAC;YACvC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,aAAa,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACpF,CAAC;IAED,8BAA8B;IACtB,YAAY;QAClB,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;gBACrD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;YACrD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED,qCAAqC;IAC7B,UAAU;QAChB,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC1D,IAAI,GAAG,EAAE,CAAC;oBACR,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAiB,CAAC,CAAC;gBAChF,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QACnB,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,SAAS,CAAC,KAAc;QACtB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,6CAA6C;IAC7C,YAAY;QACV,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,CAAC;IAED,kDAAkD;IAClD,cAAc,CAAC,WAAmB;QAChC,MAAM,aAAa,GAAmB,EAAE,CAAC;QAEzC,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,MAAM,GAAG,QAAQ,CAAC,eAAe,WAAW,wBAAwB,EAAE;gBAC1E,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,KAAK;gBACd,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;aACnB,CAAC,CAAC;YAEH,IAAI,MAAM,GAAmC,IAAI,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;YAED,IAAI,MAAM,EAAE,CAAC;gBACX,4BAA4B;gBAC5B,MAAM,KAAK,GAAI,MAAM,CAAC,KAAwC,IAAI,EAAE,CAAC;gBACrE,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;oBACxB,MAAM,OAAO,GAAG,GAAG,CAAC,OAA6C,CAAC;oBAClE,IAAI,OAAO,EAAE,CAAC;wBACZ,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;4BAClD,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gCACvE,MAAM,KAAK,GAAoC;oCAC7C,IAAI,EAAE,gBAAgB;oCACtB,MAAM,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,KAAK,IAAI,MAAM,GAAG,EAAE;oCACtD,QAAQ,EAAE,SAAS;oCACnB,MAAM,EAAE,eAAe,WAAW,EAAE;iCACrC,CAAC;gCACF,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;gCACxB,aAAa,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;4BAC1D,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,2CAA2C;YAC3C,MAAM,kBAAkB,GAAG;gBACzB,UAAU;gBACV,UAAU;gBACV,WAAW;gBACX,eAAe;gBACf,WAAW;gBACX,OAAO;gBACP,cAAc;gBACd,SAAS;aACV,CAAC;YAEF,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;gBACzC,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBACzB,MAAM,KAAK,GAAoC;wBAC7C,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,kCAAkC,WAAW,KAAK,OAAO,CAAC,MAAM,EAAE;wBAC1E,QAAQ,EAAE,UAAU;wBACpB,MAAM,EAAE,eAAe,WAAW,EAAE;qBACrC,CAAC;oBACF,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;oBACxB,aAAa,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;YAED,oCAAoC;YACpC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,MAAM,KAAK,GAAoC;oBAC7C,IAAI,EAAE,YAAY;oBAClB,MAAM,EAAE,eAAe,WAAW,8BAA8B;oBAChE,QAAQ,EAAE,MAAM;oBAChB,MAAM,EAAE,eAAe,WAAW,EAAE;iBACrC,CAAC;gBACF,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;gBACxB,aAAa,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAoC;gBAC7C,IAAI,EAAE,YAAY;gBAClB,MAAM,EAAE,eAAe,WAAW,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;gBAC1G,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,eAAe,WAAW,EAAE;aACrC,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,mBAAmB;IACnB,WAAW;QACT,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QACjB,IAAI,CAAC;YACH,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,UAAU;QAMR,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,MAAM,UAAU,GAA2B,EAAE,CAAC;QAE9C,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACrE,CAAC;QAED,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC/B,SAAS,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,MAAM;YACrC,MAAM;YACN,UAAU;SACX,CAAC;IACJ,CAAC;IAED,uDAAuD;IAC/C,SAAS,CAAC,KAAa,EAAE,OAAe;QAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClF,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;CACF"}

package/dist/src/core/sandbox.d.ts

@@ -0,0 +1,47 @@
+export type SandboxMode = 'strict' | 'moderate' | 'off';
+export interface SandboxViolation {
+    type: 'filesystem' | 'network' | 'command' | 'process';
+    detail: string;
+    severity: 'blocked' | 'warning';
+    timestamp: number;
+}
+export interface SandboxConfig {
+    mode: SandboxMode;
+    /** Allowed filesystem paths (project dir always allowed) */
+    allowedPaths?: string[];
+    /** Blocked filesystem paths */
+    blockedPaths?: string[];
+    /** Allowed network hosts (package registries always allowed) */
+    allowedHosts?: string[];
+    /** Blocked commands */
+    blockedCommands?: string[];
+}
+export declare class Sandbox {
+    private projectDir;
+    private config;
+    private violations;
+    private auditFilePath;
+    constructor(projectDir: string, config?: SandboxConfig);
+    /** Get the current sandbox mode */
+    getMode(): SandboxMode;
+    /** Get the current config */
+    getConfig(): SandboxConfig;
+    /** Validate a filesystem operation */
+    checkFilesystem(path: string, operation: 'read' | 'write' | 'delete'): boolean;
+    /** Validate a network request */
+    checkNetwork(host: string): boolean;
+    /** Validate a command execution */
+    checkCommand(cmd: string): boolean;
+    /** Get violation log */
+    getViolations(): SandboxViolation[];
+    /** Get violations from the persisted security audit log */
+    getPersistedViolations(limit?: number): SandboxViolation[];
+    /** Build --disallowed-tools and --append-system-prompt for sandbox mode */
+    getAgentConstraints(): {
+        disallowedTools?: string[];
+        appendSystemPrompt?: string;
+    };
+    /** Log violation to .swarm/security-audit.jsonl */
+    private logViolation;
+}
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/src/core/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../../../src/core/sandbox.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,UAAU,GAAG,KAAK,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,YAAY,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IACvD,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,SAAS,GAAG,SAAS,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,WAAW,CAAC;IAClB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,+BAA+B;IAC/B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,uBAAuB;IACvB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAwCD,qBAAa,OAAO;IAKhB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,MAAM;IALhB,OAAO,CAAC,UAAU,CAA0B;IAC5C,OAAO,CAAC,aAAa,CAAS;gBAGpB,UAAU,EAAE,MAAM,EAClB,MAAM,GAAE,aAAoC;IAStD,mCAAmC;IACnC,OAAO,IAAI,WAAW;IAItB,6BAA6B;IAC7B,SAAS,IAAI,aAAa;IAI1B,sCAAsC;IACtC,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,OAAO;IAyE9E,iCAAiC;IACjC,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IA2CnC,mCAAmC;IACnC,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAmDlC,wBAAwB;IACxB,aAAa,IAAI,gBAAgB,EAAE;IAInC,2DAA2D;IAC3D,sBAAsB,CAAC,KAAK,SAAM,GAAG,gBAAgB,EAAE;IAmBvD,2EAA2E;IAC3E,mBAAmB,IAAI;QAAE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,kBAAkB,CAAC,EAAE,MAAM,CAAA;KAAE;IAyClF,mDAAmD;IACnD,OAAO,CAAC,YAAY;CAQrB"}