mcp-recon 0.2.2

package/dist/classify/caveat.js

@@ -0,0 +1,103 @@
+/**
+ * Caveat synthesizer — the bridge from mcp-recon to capnagent.
+ *
+ * For each classified tool, generate a copy-pasteable capnagent
+ * caveat string that bounds the tool's authority to the smallest
+ * surface that preserves utility. The caveat is always a *suggestion*;
+ * the operator should review and tighten further to fit their
+ * deployment.
+ *
+ * Convention: every suggestion is a single DSL predicate that can be
+ * passed to `Issuer.issue(...).caveat(...)` or `cap.attenuate(...)`.
+ * The caveat language is documented in capnagent's
+ * `caveat_dsl.rs`.
+ */
+/**
+ * Suggest a capnagent caveat for the given classification + facts.
+ * The suggestion places `<placeholder>` markers where the operator
+ * must substitute deployment-specific values.
+ */
+export function synthesizeCaveat(input) {
+    const { tool, data_class, authority_level, facts } = input;
+    // Privileged tools: deny outright. Leaving exec/shell exposed is
+    // almost never the right answer; if it is, the operator can
+    // hand-write a tighter argv-allowlist caveat.
+    if (authority_level === "privileged") {
+        return `tool != "${tool}"  // PRIVILEGED — recommend deny outright; operator should hand-write argv allowlist if exposing`;
+    }
+    // Destructive tools: caller-bind + bounded args + expiry.
+    if (authority_level === "destructive") {
+        const argClauses = boundedArgClauses(tool, facts, "destructive");
+        return [
+            `tool == "${tool}"`,
+            `caller == "<your-caller-id>"`,
+            ...argClauses,
+            `now <= @<your-cap-expiry>`,
+        ].join(" AND ");
+    }
+    // Per-class write/read defaults.
+    const argClauses = boundedArgClauses(tool, facts, authority_level);
+    const baseClauses = [
+        `tool == "${tool}"`,
+        `caller == "<your-caller-id>"`,
+        ...argClauses,
+        `now <= @<your-cap-expiry>`,
+    ];
+    // Add a class-flavoured comment so the operator knows what
+    // surface they're bounding.
+    const flavor = flavorComment(data_class, authority_level);
+    return `${baseClauses.join(" AND ")}  // ${flavor}`;
+}
+function boundedArgClauses(_tool, facts, authority) {
+    const clauses = [];
+    for (const arg of facts.args) {
+        const argName = arg.path[0];
+        if (argName === undefined)
+            continue;
+        if (arg.isPathShaped && arg.declaredType === "string") {
+            // For path-shaped args, the recommended caveat is the same
+            // shape capnagent's mcp-fs-agent uses post-v0.5.
+            clauses.push(`arg.${argName} starts_with "<your-sandbox-prefix>/"`);
+            continue;
+        }
+        if (arg.isUrlShaped && arg.declaredType === "string") {
+            clauses.push(`arg.${argName} == "https://<your-allowed-origin>"`);
+            continue;
+        }
+        if (arg.isCommandShaped && arg.declaredType === "string") {
+            clauses.push(`arg.${argName} starts_with "<your-allowed-command-prefix>"`);
+            continue;
+        }
+        if (arg.enumValues !== undefined) {
+            // Enums constrain themselves; no extra caveat needed in v0.1.
+            continue;
+        }
+        if (authority === "destructive" &&
+            (arg.declaredType === "string" || arg.declaredType === "unknown")) {
+            // Destructive + free-form string arg = double-bound.
+            clauses.push(`arg.${argName} starts_with "<your-bounded-prefix>/"`);
+        }
+    }
+    return clauses;
+}
+function flavorComment(dc, auth) {
+    switch (dc) {
+        case "filesystem":
+            return `${auth.toUpperCase()} filesystem; bound the sandbox prefix tightly (capnagent round 07/10)`;
+        case "network":
+            return `${auth.toUpperCase()} network; allowlist exact origins (capnagent round 05/09)`;
+        case "shell":
+            return `${auth.toUpperCase()} shell; argv allowlist mandatory (capnagent shell-agent example)`;
+        case "payments":
+            return `${auth.toUpperCase()} payments; bound amount + merchant + caller`;
+        case "messaging":
+            return `${auth.toUpperCase()} messaging; bound recipient list + caller`;
+        case "system":
+            return `${auth.toUpperCase()} system; usually safe but verify env-var exposure`;
+        case "metadata":
+            return `${auth.toUpperCase()} metadata`;
+        case "unknown":
+            return `${auth.toUpperCase()} unclassified — operator must review`;
+    }
+}
+//# sourceMappingURL=caveat.js.map

package/dist/classify/caveat.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"caveat.js","sourceRoot":"","sources":["../../src/classify/caveat.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAYH;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAkB;IACjD,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;IAE3D,iEAAiE;IACjE,4DAA4D;IAC5D,8CAA8C;IAC9C,IAAI,eAAe,KAAK,YAAY,EAAE,CAAC;QACrC,OAAO,YAAY,IAAI,mGAAmG,CAAC;IAC7H,CAAC;IAED,0DAA0D;IAC1D,IAAI,eAAe,KAAK,aAAa,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC;QACjE,OAAO;YACL,YAAY,IAAI,GAAG;YACnB,8BAA8B;YAC9B,GAAG,UAAU;YACb,2BAA2B;SAC5B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC;IAED,iCAAiC;IACjC,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG;QAClB,YAAY,IAAI,GAAG;QACnB,8BAA8B;QAC9B,GAAG,UAAU;QACb,2BAA2B;KAC5B,CAAC;IAEF,2DAA2D;IAC3D,4BAA4B;IAC5B,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;IAC1D,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,MAAM,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAa,EACb,KAAgB,EAChB,SAAyB;IAEzB,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,OAAO,KAAK,SAAS;YAAE,SAAS;QAEpC,IAAI,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YACtD,2DAA2D;YAC3D,iDAAiD;YACjD,OAAO,CAAC,IAAI,CAAC,OAAO,OAAO,uCAAuC,CAAC,CAAC;YACpE,SAAS;QACX,CAAC;QACD,IAAI,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YACrD,OAAO,CAAC,IAAI,CAAC,OAAO,OAAO,qCAAqC,CAAC,CAAC;YAClE,SAAS;QACX,CAAC;QACD,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YACzD,OAAO,CAAC,IAAI,CAAC,OAAO,OAAO,8CAA8C,CAAC,CAAC;YAC3E,SAAS;QACX,CAAC;QACD,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACjC,8DAA8D;YAC9D,SAAS;QACX,CAAC;QACD,IACE,SAAS,KAAK,aAAa;YAC3B,CAAC,GAAG,CAAC,YAAY,KAAK,QAAQ,IAAI,GAAG,CAAC,YAAY,KAAK,SAAS,CAAC,EACjE,CAAC;YACD,qDAAqD;YACrD,OAAO,CAAC,IAAI,CAAC,OAAO,OAAO,uCAAuC,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,aAAa,CAAC,EAAa,EAAE,IAAoB;IACxD,QAAQ,EAAE,EAAE,CAAC;QACX,KAAK,YAAY;YACf,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,uEAAuE,CAAC;QACtG,KAAK,SAAS;YACZ,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,2DAA2D,CAAC;QAC1F,KAAK,OAAO;YACV,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,kEAAkE,CAAC;QACjG,KAAK,UAAU;YACb,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,6CAA6C,CAAC;QAC5E,KAAK,WAAW;YACd,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,2CAA2C,CAAC;QAC1E,KAAK,QAAQ;YACX,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,mDAAmD,CAAC;QAClF,KAAK,UAAU;YACb,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC;QAC1C,KAAK,SAAS;YACZ,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,sCAAsC,CAAC;IACvE,CAAC;AACH,CAAC"}

package/dist/classify/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * `classify` — turn an inventory (+ optional fuzz results) into a
+ * v0.1 classification document.
+ *
+ * Methodology in docs/METHODOLOGY.md. The rules live in `./rules.ts`.
+ * Confidence combines via noisy-OR; authority is the lattice-join of
+ * rule floors plus side-effect-verb escalations.
+ */
+import type { ToolInventory } from "../enumerate.js";
+import type { FuzzResults } from "../fuzz/types.js";
+import { type ToolFacts } from "../fuzz/schema.js";
+import { type ClassificationResults } from "./types.js";
+export { CLASSIFICATION_SCHEMA } from "./types.js";
+export type { AuthorityLevel, Classification, ClassificationResults, DataClass, } from "./types.js";
+/** Classify every tool in `inventory`. Optionally fold in `fuzz` for confidence. */
+export declare function classify(inventory: ToolInventory, fuzz?: FuzzResults): ClassificationResults;
+/** Noisy-OR combiner: 1 - ∏(1 - c_i). */
+export declare function noisyOr(confidences: readonly number[]): number;
+export { synthesizeCaveat } from "./caveat.js";
+export type { ToolFacts };
+//# sourceMappingURL=index.d.ts.map

package/dist/classify/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/classify/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAkB,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAoB,KAAK,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAerE,OAAO,EAIL,KAAK,qBAAqB,EAE3B,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AACnD,YAAY,EACV,cAAc,EACd,cAAc,EACd,qBAAqB,EACrB,SAAS,GACV,MAAM,YAAY,CAAC;AAEpB,oFAAoF;AACpF,wBAAgB,QAAQ,CACtB,SAAS,EAAE,aAAa,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,qBAAqB,CAsBvB;AA2KD,yCAAyC;AACzC,wBAAgB,OAAO,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,CAO9D;AAcD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,YAAY,EAAE,SAAS,EAAE,CAAC"}

package/dist/classify/index.js

@@ -0,0 +1,186 @@
+/**
+ * `classify` — turn an inventory (+ optional fuzz results) into a
+ * v0.1 classification document.
+ *
+ * Methodology in docs/METHODOLOGY.md. The rules live in `./rules.ts`.
+ * Confidence combines via noisy-OR; authority is the lattice-join of
+ * rule floors plus side-effect-verb escalations.
+ */
+import { extractToolFacts } from "../fuzz/schema.js";
+import { synthesizeCaveat } from "./caveat.js";
+import { DESCRIPTION_MATCH_WEIGHT, DESTRUCTIVE_VERBS, FUZZ_INFORMED_BONUS, NAME_MATCH_WEIGHT, PRIVILEGED_VERBS, RULES, SCHEMA_MATCH_WEIGHT, SIDE_EFFECT_VERBS, escalateAuthority, maxAuthority, } from "./rules.js";
+import { CLASSIFICATION_SCHEMA, } from "./types.js";
+export { CLASSIFICATION_SCHEMA } from "./types.js";
+/** Classify every tool in `inventory`. Optionally fold in `fuzz` for confidence. */
+export function classify(inventory, fuzz) {
+    const fuzzByTool = new Map();
+    if (fuzz) {
+        for (const s of fuzz.summary) {
+            fuzzByTool.set(s.tool, {
+                ok: s.ok,
+                total: s.ok + s.protocol_error + s.runtime_error,
+            });
+        }
+    }
+    const classifications = inventory.tools.map((tool) => classifyTool(tool, fuzzByTool.get(tool.name)));
+    return {
+        schema: CLASSIFICATION_SCHEMA,
+        scanned_at: new Date().toISOString(),
+        server: inventory.server,
+        fuzz_informed: fuzz !== undefined,
+        classifications,
+    };
+}
+function classifyTool(tool, fuzzStats) {
+    const facts = extractToolFacts(tool.name, tool.inputSchema);
+    const description = tool.description ?? "";
+    const name = tool.name;
+    const fired = [];
+    for (const rule of RULES) {
+        if (rule.scope !== "description" && rule.pattern.test(name)) {
+            fired.push({ rule, weight: NAME_MATCH_WEIGHT, where: "name" });
+        }
+        if (rule.scope !== "name" && rule.pattern.test(description)) {
+            fired.push({ rule, weight: DESCRIPTION_MATCH_WEIGHT, where: "description" });
+        }
+    }
+    // Schema-shape signal — adds to filesystem / network if arg names
+    // are path-shaped or URL-shaped.
+    const schemaFired = [];
+    for (const arg of facts.args) {
+        if (arg.isPathShaped) {
+            schemaFired.push({
+                data_class: "filesystem",
+                weight: SCHEMA_MATCH_WEIGHT,
+                reason: `arg "${arg.path[0]}" is path-shaped`,
+            });
+        }
+        if (arg.isUrlShaped) {
+            schemaFired.push({
+                data_class: "network",
+                weight: SCHEMA_MATCH_WEIGHT,
+                reason: `arg "${arg.path[0]}" is URL-shaped`,
+            });
+        }
+        if (arg.isCommandShaped) {
+            schemaFired.push({
+                data_class: "shell",
+                weight: SCHEMA_MATCH_WEIGHT,
+                reason: `arg "${arg.path[0]}" is command-shaped`,
+            });
+        }
+    }
+    // Bucket evidence by data_class. Per-bucket noisy-OR over rule
+    // confidences gives us the final per-class confidence; the winner
+    // is the highest.
+    const evidenceByClass = new Map();
+    const floorsByClass = new Map();
+    const rationaleParts = [];
+    for (const f of fired) {
+        pushEvidence(evidenceByClass, f.rule.data_class, f.weight);
+        floorsByClass.set(f.rule.data_class, maxAuthority(floorsByClass.get(f.rule.data_class) ?? f.rule.authority_floor, f.rule.authority_floor));
+        rationaleParts.push(`${f.where} match "${f.rule.pattern.source}" → ${f.rule.data_class}/${f.rule.authority_floor} (${f.weight.toFixed(2)})`);
+    }
+    for (const s of schemaFired) {
+        pushEvidence(evidenceByClass, s.data_class, s.weight);
+        rationaleParts.push(`schema: ${s.reason} → ${s.data_class} (${s.weight.toFixed(2)})`);
+    }
+    // Pick the highest-confidence data-class.
+    let winnerClass = "unknown";
+    let winnerConfidence = 0;
+    for (const [dc, confidences] of evidenceByClass.entries()) {
+        const combined = noisyOr(confidences);
+        if (combined > winnerConfidence) {
+            winnerClass = dc;
+            winnerConfidence = combined;
+        }
+    }
+    // Apply fuzz-informed bonus: if the server actually accepted any of
+    // our adversarial inputs, raise confidence we know what kind of
+    // tool this is (the fuzzer crossed enough surface to confirm a
+    // real interaction, even if accepted inputs are not "successes").
+    if (fuzzStats && fuzzStats.total > 0 && fuzzStats.ok > 0) {
+        winnerConfidence = noisyOr([winnerConfidence, FUZZ_INFORMED_BONUS]);
+        rationaleParts.push(`fuzz: ${fuzzStats.ok}/${fuzzStats.total} accepted → +${FUZZ_INFORMED_BONUS}`);
+    }
+    // Authority: the floor for the winning class, escalated by any
+    // side-effect verbs in the description.
+    let authority = floorsByClass.get(winnerClass) ?? "read";
+    for (const verb of PRIVILEGED_VERBS) {
+        if (verb.test(description)) {
+            authority = "privileged";
+            rationaleParts.push(`description has privileged verb → escalate to privileged`);
+        }
+    }
+    for (const verb of DESTRUCTIVE_VERBS) {
+        if (verb.test(description)) {
+            authority = maxAuthority(authority, "destructive");
+            rationaleParts.push(`description has destructive verb → escalate to destructive`);
+        }
+    }
+    // Generic side-effect verbs only escalate by ONE step, and only if
+    // we haven't already saturated.
+    for (const verb of SIDE_EFFECT_VERBS) {
+        if (verb.test(description) && authority === "read") {
+            authority = escalateAuthority(authority);
+            rationaleParts.push(`description has side-effect verb → escalate one step`);
+            break;
+        }
+    }
+    // Confused-deputy flag: tool takes user-controllable string args
+    // AND has write/destructive/privileged authority. (METHODOLOGY.md
+    // §"The confused-deputy flag")
+    const hasUserStringArg = facts.args.some((a) => (a.declaredType === "string" || a.declaredType === "unknown") &&
+        a.enumValues === undefined);
+    const writeOrAbove = authority !== "read";
+    const confusedDeputy = hasUserStringArg && writeOrAbove;
+    if (confusedDeputy) {
+        rationaleParts.push("user-controllable string arg + non-read authority → confused-deputy candidate");
+    }
+    const recommended_caveat = synthesizeCaveat({
+        tool: name,
+        data_class: winnerClass,
+        authority_level: authority,
+        facts,
+    });
+    return {
+        tool: name,
+        data_class: winnerClass,
+        authority_level: authority,
+        confused_deputy_candidate: confusedDeputy,
+        confidence: round(winnerConfidence, 3),
+        rationale: rationaleParts.length === 0 ? "no rules fired" : rationaleParts.join("; "),
+        recommended_caveat,
+    };
+}
+function pushEvidence(map, dc, w) {
+    const arr = map.get(dc);
+    if (arr)
+        arr.push(w);
+    else
+        map.set(dc, [w]);
+}
+/** Noisy-OR combiner: 1 - ∏(1 - c_i). */
+export function noisyOr(confidences) {
+    if (confidences.length === 0)
+        return 0;
+    let product = 1;
+    for (const c of confidences) {
+        product *= 1 - clamp(c, 0, 1);
+    }
+    return clamp(1 - product, 0, 1);
+}
+function clamp(x, lo, hi) {
+    if (x < lo)
+        return lo;
+    if (x > hi)
+        return hi;
+    return x;
+}
+function round(x, decimals) {
+    const f = 10 ** decimals;
+    return Math.round(x * f) / f;
+}
+// Re-export the synthesizer / facts for downstream tools that want it.
+export { synthesizeCaveat } from "./caveat.js";
+//# sourceMappingURL=index.js.map

package/dist/classify/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/classify/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAE,gBAAgB,EAAkB,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,wBAAwB,EACxB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,EACL,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,GAEb,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,qBAAqB,GAKtB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAQnD,oFAAoF;AACpF,MAAM,UAAU,QAAQ,CACtB,SAAwB,EACxB,IAAkB;IAElB,MAAM,UAAU,GAAG,IAAI,GAAG,EAAyC,CAAC;IACpE,IAAI,IAAI,EAAE,CAAC;QACT,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC7B,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE;gBACrB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,KAAK,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,cAAc,GAAG,CAAC,CAAC,aAAa;aACjD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACnD,YAAY,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAC9C,CAAC;IAEF,OAAO;QACL,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,aAAa,EAAE,IAAI,KAAK,SAAS;QACjC,eAAe;KAChB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,IAAoB,EACpB,SAAyC;IAEzC,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAWvB,MAAM,KAAK,GAAY,EAAE,CAAC;IAE1B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,KAAK,KAAK,aAAa,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,KAAK,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5D,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,wBAAwB,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,iCAAiC;IACjC,MAAM,WAAW,GAAqE,EAAE,CAAC;IACzF,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrB,WAAW,CAAC,IAAI,CAAC;gBACf,UAAU,EAAE,YAAY;gBACxB,MAAM,EAAE,mBAAmB;gBAC3B,MAAM,EAAE,QAAQ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,kBAAkB;aAC9C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC;gBACf,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,mBAAmB;gBAC3B,MAAM,EAAE,QAAQ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,iBAAiB;aAC7C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACxB,WAAW,CAAC,IAAI,CAAC;gBACf,UAAU,EAAE,OAAO;gBACnB,MAAM,EAAE,mBAAmB;gBAC3B,MAAM,EAAE,QAAQ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,qBAAqB;aACjD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,kEAAkE;IAClE,kBAAkB;IAClB,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;IACvD,MAAM,aAAa,GAAG,IAAI,GAAG,EAA6B,CAAC;IAC3D,MAAM,cAAc,GAAa,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,YAAY,CAAC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QAC3D,aAAa,CAAC,GAAG,CACf,CAAC,CAAC,IAAI,CAAC,UAAU,EACjB,YAAY,CACV,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,EAC9D,CAAC,CAAC,IAAI,CAAC,eAAe,CACvB,CACF,CAAC;QACF,cAAc,CAAC,IAAI,CACjB,GAAG,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,CAAC,IAAI,CAAC,eAAe,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACxH,CAAC;IACJ,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,YAAY,CAAC,eAAe,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QACtD,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACxF,CAAC;IAED,0CAA0C;IAC1C,IAAI,WAAW,GAAc,SAAS,CAAC;IACvC,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,KAAK,MAAM,CAAC,EAAE,EAAE,WAAW,CAAC,IAAI,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;QAC1D,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,QAAQ,GAAG,gBAAgB,EAAE,CAAC;YAChC,WAAW,GAAG,EAAE,CAAC;YACjB,gBAAgB,GAAG,QAAQ,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,gEAAgE;IAChE,+DAA+D;IAC/D,kEAAkE;IAClE,IAAI,SAAS,IAAI,SAAS,CAAC,KAAK,GAAG,CAAC,IAAI,SAAS,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;QACzD,gBAAgB,GAAG,OAAO,CAAC,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QACpE,cAAc,CAAC,IAAI,CACjB,SAAS,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,KAAK,gBAAgB,mBAAmB,EAAE,CAC9E,CAAC;IACJ,CAAC;IAED,+DAA+D;IAC/D,wCAAwC;IACxC,IAAI,SAAS,GAAmB,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC;IACzE,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3B,SAAS,GAAG,YAAY,CAAC;YACzB,cAAc,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3B,SAAS,GAAG,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YACnD,cAAc,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IACD,mEAAmE;IACnE,gCAAgC;IAChC,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACnD,SAAS,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;YACzC,cAAc,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC5E,MAAM;QACR,CAAC;IACH,CAAC;IAED,iEAAiE;IACjE,kEAAkE;IAClE,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,CAAC,YAAY,KAAK,SAAS,CAAC;QAC7D,CAAC,CAAC,UAAU,KAAK,SAAS,CAC7B,CAAC;IACF,MAAM,YAAY,GAAG,SAAS,KAAK,MAAM,CAAC;IAC1C,MAAM,cAAc,GAAG,gBAAgB,IAAI,YAAY,CAAC;IAExD,IAAI,cAAc,EAAE,CAAC;QACnB,cAAc,CAAC,IAAI,CACjB,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;QAC1C,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,WAAW;QACvB,eAAe,EAAE,SAAS;QAC1B,KAAK;KACN,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,WAAW;QACvB,eAAe,EAAE,SAAS;QAC1B,yBAAyB,EAAE,cAAc;QACzC,UAAU,EAAE,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;QACtC,SAAS,EAAE,cAAc,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QACrF,kBAAkB;KACnB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,GAA6B,EAAE,EAAa,EAAE,CAAS;IAC3E,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACxB,IAAI,GAAG;QAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;QAChB,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AACxB,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,OAAO,CAAC,WAA8B;IACpD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACvC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,KAAK,CAAC,CAAS,EAAE,EAAU,EAAE,EAAU;IAC9C,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,EAAE,CAAC;IACtB,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,KAAK,CAAC,CAAS,EAAE,QAAgB;IACxC,MAAM,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;IACzB,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,uEAAuE;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC"}

package/dist/classify/rules.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Rule table — the single source of truth the classifier reads.
+ *
+ * Every rule is a triple: (pattern, data-class, authority-level)
+ * plus a confidence weight. Rules over tool *names* and *descriptions*
+ * use regex match; rules over *schemas* use heuristic shape detection
+ * already implemented in `../fuzz/schema.ts`.
+ *
+ * Per docs/METHODOLOGY.md §"Confidence scoring":
+ *   - Tool name match           — 0.7 (strong cue, gameable)
+ *   - Description match         — 0.5 (helpful, often missing)
+ *   - Schema match              — 0.4 (structural, gameable too)
+ *   - Side-effect verb in desc  — 0.6 (raises authority by one step)
+ *
+ * Adding a rule? Update this file AND docs/METHODOLOGY.md's change-log
+ * with date + reason. No silent drift.
+ */
+import type { AuthorityLevel, DataClass } from "./types.js";
+/** Single rule predicting (data_class, authority_level) given a name/description match. */
+export interface NameOrDescRule {
+    /** Regex pattern (case-insensitive). */
+    pattern: RegExp;
+    data_class: DataClass;
+    /**
+     * Authority floor — the rule asserts at least this authority level.
+     * Final authority can be escalated by side-effect verbs.
+     */
+    authority_floor: AuthorityLevel;
+    /** Where this rule applies. */
+    scope: "name" | "description" | "either";
+}
+/** Confidence weights per rule scope. */
+export declare const NAME_MATCH_WEIGHT = 0.7;
+export declare const DESCRIPTION_MATCH_WEIGHT = 0.5;
+export declare const SCHEMA_MATCH_WEIGHT = 0.4;
+/**
+ * Bonus added when fuzz results show the tool actually accepts adversarial
+ * inputs (i.e. > 1 ok response in the fuzz stream). Caps confidence higher.
+ */
+export declare const FUZZ_INFORMED_BONUS = 0.1;
+/** Side-effect verbs that raise authority by one step when seen in description. */
+export declare const SIDE_EFFECT_VERBS: RegExp[];
+/**
+ * Side-effect verbs strong enough to assert *destructive* directly
+ * (matches push authority to "destructive", not just "write").
+ */
+export declare const DESTRUCTIVE_VERBS: RegExp[];
+/**
+ * Side-effect verbs strong enough to assert *privileged* directly
+ * (subprocess spawn / shell execution).
+ */
+export declare const PRIVILEGED_VERBS: RegExp[];
+/**
+ * Rule list. Ordered from most specific to most general — the
+ * classifier evaluates all rules; this ordering is for human review.
+ */
+export declare const RULES: readonly NameOrDescRule[];
+/** Return the higher of two authority levels (lattice join). */
+export declare function maxAuthority(a: AuthorityLevel, b: AuthorityLevel): AuthorityLevel;
+/** Escalate authority by one step (read → write → destructive → privileged). */
+export declare function escalateAuthority(a: AuthorityLevel): AuthorityLevel;
+//# sourceMappingURL=rules.d.ts.map

package/dist/classify/rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../src/classify/rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5D,2FAA2F;AAC3F,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,SAAS,CAAC;IACtB;;;OAGG;IACH,eAAe,EAAE,cAAc,CAAC;IAChC,+BAA+B;IAC/B,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,QAAQ,CAAC;CAC1C;AAED,yCAAyC;AACzC,eAAO,MAAM,iBAAiB,MAAM,CAAC;AACrC,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAC5C,eAAO,MAAM,mBAAmB,MAAM,CAAC;AACvC;;;GAGG;AACH,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAEvC,mFAAmF;AACnF,eAAO,MAAM,iBAAiB,UAM7B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,iBAAiB,UAE7B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,gBAAgB,UAA2D,CAAC;AAEzF;;;GAGG;AACH,eAAO,MAAM,KAAK,EAAE,SAAS,cAAc,EA+I1C,CAAC;AAUF,gEAAgE;AAChE,wBAAgB,YAAY,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,cAAc,GAAG,cAAc,CAEjF;AAED,gFAAgF;AAChF,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,cAAc,GAAG,cAAc,CAWnE"}

package/dist/classify/rules.js

@@ -0,0 +1,219 @@
+/**
+ * Rule table — the single source of truth the classifier reads.
+ *
+ * Every rule is a triple: (pattern, data-class, authority-level)
+ * plus a confidence weight. Rules over tool *names* and *descriptions*
+ * use regex match; rules over *schemas* use heuristic shape detection
+ * already implemented in `../fuzz/schema.ts`.
+ *
+ * Per docs/METHODOLOGY.md §"Confidence scoring":
+ *   - Tool name match           — 0.7 (strong cue, gameable)
+ *   - Description match         — 0.5 (helpful, often missing)
+ *   - Schema match              — 0.4 (structural, gameable too)
+ *   - Side-effect verb in desc  — 0.6 (raises authority by one step)
+ *
+ * Adding a rule? Update this file AND docs/METHODOLOGY.md's change-log
+ * with date + reason. No silent drift.
+ */
+/** Confidence weights per rule scope. */
+export const NAME_MATCH_WEIGHT = 0.7;
+export const DESCRIPTION_MATCH_WEIGHT = 0.5;
+export const SCHEMA_MATCH_WEIGHT = 0.4;
+/**
+ * Bonus added when fuzz results show the tool actually accepts adversarial
+ * inputs (i.e. > 1 ok response in the fuzz stream). Caps confidence higher.
+ */
+export const FUZZ_INFORMED_BONUS = 0.1;
+/** Side-effect verbs that raise authority by one step when seen in description. */
+export const SIDE_EFFECT_VERBS = [
+    /\b(write|create|insert|append|update|modify|edit|set|put|post|patch)\b/i,
+    /\b(delete|remove|drop|unlink|destroy|cancel|revoke)\b/i,
+    /\b(send|email|notify|page|alert|publish|broadcast)\b/i,
+    /\b(spawn|exec|launch|run|invoke|fork|shell)\b/i,
+    /\b(charge|pay|transfer|wire|refund|debit|credit)\b/i,
+];
+/**
+ * Side-effect verbs strong enough to assert *destructive* directly
+ * (matches push authority to "destructive", not just "write").
+ */
+export const DESTRUCTIVE_VERBS = [
+    /\b(delete|remove|drop|unlink|destroy|cancel|revoke|wipe|purge|truncate)\b/i,
+];
+/**
+ * Side-effect verbs strong enough to assert *privileged* directly
+ * (subprocess spawn / shell execution).
+ */
+export const PRIVILEGED_VERBS = [/\b(spawn|exec|shell|bash|cmd|invoke_program|fork)\b/i];
+/**
+ * Rule list. Ordered from most specific to most general — the
+ * classifier evaluates all rules; this ordering is for human review.
+ */
+export const RULES = [
+    // ─── filesystem ──────────────────────────────────────────────
+    {
+        pattern: /\b(read[_-]?(file|text[_-]?file|media[_-]?file|multiple[_-]?files))\b/i,
+        data_class: "filesystem",
+        authority_floor: "read",
+        scope: "name",
+    },
+    {
+        pattern: /\b(list[_-]?(directory|directory[_-]?with[_-]?sizes)|directory[_-]?tree)\b/i,
+        data_class: "filesystem",
+        authority_floor: "read",
+        scope: "name",
+    },
+    {
+        pattern: /\b(get[_-]?file[_-]?info|search[_-]?files|list[_-]?allowed[_-]?directories)\b/i,
+        data_class: "filesystem",
+        authority_floor: "read",
+        scope: "name",
+    },
+    {
+        pattern: /\b(write[_-]?file|edit[_-]?file|create[_-]?directory|move[_-]?file)\b/i,
+        data_class: "filesystem",
+        authority_floor: "write",
+        scope: "name",
+    },
+    {
+        pattern: /\b(delete[_-]?(path|file|directory|dir))\b/i,
+        data_class: "filesystem",
+        authority_floor: "destructive",
+        scope: "name",
+    },
+    {
+        pattern: /\b(file|directory|folder|filesystem|filepath|dirent)\b/i,
+        data_class: "filesystem",
+        authority_floor: "read",
+        scope: "description",
+    },
+    // ─── network ─────────────────────────────────────────────────
+    {
+        pattern: /\b(http[_-]?(get|post|put|delete)|fetch|request)\b/i,
+        data_class: "network",
+        authority_floor: "read",
+        scope: "name",
+    },
+    {
+        pattern: /\b(http|https|fetch|request|webhook|api[_-]?call|url|origin)\b/i,
+        data_class: "network",
+        authority_floor: "read",
+        scope: "description",
+    },
+    // ─── shell ──────────────────────────────────────────────────
+    {
+        pattern: /\b(exec|shell|run[_-]?command|spawn|process)\b/i,
+        data_class: "shell",
+        authority_floor: "privileged",
+        scope: "name",
+    },
+    {
+        pattern: /\b(execute|shell|subprocess|invoke|launch[_-]?process)\b/i,
+        data_class: "shell",
+        authority_floor: "privileged",
+        scope: "description",
+    },
+    // ─── payments ───────────────────────────────────────────────
+    {
+        pattern: /\b(charge|refund|purchase|wire|payment|invoice|debit|credit)\b/i,
+        data_class: "payments",
+        authority_floor: "write",
+        scope: "either",
+    },
+    // ─── messaging ──────────────────────────────────────────────
+    {
+        pattern: /\b(send[_-]?(email|message|sms|notification)|notify|publish|broadcast)\b/i,
+        data_class: "messaging",
+        authority_floor: "write",
+        scope: "name",
+    },
+    {
+        pattern: /\b(email|notification|message|chat|page|alert)\b/i,
+        data_class: "messaging",
+        authority_floor: "read",
+        scope: "description",
+    },
+    // ─── system ─────────────────────────────────────────────────
+    {
+        pattern: /\b(get[_-]?env|environ(ment)?|process[_-]?(info|status)|sysinfo|system[_-]?info|hostname)\b/i,
+        data_class: "system",
+        authority_floor: "read",
+        scope: "either",
+    },
+    // ─── metadata / read-only ───────────────────────────────────
+    {
+        pattern: /\b(read[_-]?graph|search[_-]?nodes|open[_-]?nodes)\b/i,
+        data_class: "metadata",
+        authority_floor: "read",
+        scope: "name",
+    },
+    {
+        pattern: /\b(echo|get[_-]?(structured[_-]?content|annotated[_-]?message|resource[_-]?(links|reference)|sum|tiny[_-]?image))\b/i,
+        data_class: "metadata",
+        authority_floor: "read",
+        scope: "name",
+    },
+    {
+        pattern: /\b(toggle[_-]?(simulated[_-]?logging|subscriber[_-]?updates))\b/i,
+        data_class: "system",
+        authority_floor: "write",
+        scope: "name",
+    },
+    // ─── memory-server CRUD on a knowledge graph ─────────────────
+    {
+        pattern: /\b(create[_-]?(entities|relations))\b/i,
+        data_class: "metadata",
+        authority_floor: "write",
+        scope: "name",
+    },
+    {
+        pattern: /\b(add[_-]?observations)\b/i,
+        data_class: "metadata",
+        authority_floor: "write",
+        scope: "name",
+    },
+    {
+        pattern: /\b(delete[_-]?(entities|relations|observations))\b/i,
+        data_class: "metadata",
+        authority_floor: "destructive",
+        scope: "name",
+    },
+    // ─── thinking / opaque reasoning tools ──────────────────────
+    {
+        pattern: /\b(sequentialthinking|reason|plan|think)\b/i,
+        data_class: "metadata",
+        authority_floor: "read",
+        scope: "name",
+    },
+    // ─── trigger-shaped + simulate-shaped (test surfaces) ────────
+    {
+        pattern: /\b(trigger[_-]?(long[_-]?running[_-]?operation)?|simulate[_-]?(research[_-]?query))\b/i,
+        data_class: "metadata",
+        authority_floor: "write",
+        scope: "name",
+    },
+];
+/** Rank the four authority levels so we can take the strongest signal. */
+const AUTHORITY_RANK = {
+    read: 0,
+    write: 1,
+    destructive: 2,
+    privileged: 3,
+};
+/** Return the higher of two authority levels (lattice join). */
+export function maxAuthority(a, b) {
+    return AUTHORITY_RANK[a] >= AUTHORITY_RANK[b] ? a : b;
+}
+/** Escalate authority by one step (read → write → destructive → privileged). */
+export function escalateAuthority(a) {
+    switch (a) {
+        case "read":
+            return "write";
+        case "write":
+            return "destructive";
+        case "destructive":
+            return "privileged";
+        case "privileged":
+            return "privileged"; // saturates
+    }
+}
+//# sourceMappingURL=rules.js.map

package/dist/classify/rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../src/classify/rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAkBH,yCAAyC;AACzC,MAAM,CAAC,MAAM,iBAAiB,GAAG,GAAG,CAAC;AACrC,MAAM,CAAC,MAAM,wBAAwB,GAAG,GAAG,CAAC;AAC5C,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AACvC;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEvC,mFAAmF;AACnF,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,yEAAyE;IACzE,wDAAwD;IACxD,uDAAuD;IACvD,gDAAgD;IAChD,qDAAqD;CACtD,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,4EAA4E;CAC7E,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,sDAAsD,CAAC,CAAC;AAEzF;;;GAGG;AACH,MAAM,CAAC,MAAM,KAAK,GAA8B;IAC9C,gEAAgE;IAChE;QACE,OAAO,EAAE,wEAAwE;QACjF,UAAU,EAAE,YAAY;QACxB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,UAAU,EAAE,YAAY;QACxB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,gFAAgF;QACzF,UAAU,EAAE,YAAY;QACxB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,wEAAwE;QACjF,UAAU,EAAE,YAAY;QACxB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,6CAA6C;QACtD,UAAU,EAAE,YAAY;QACxB,eAAe,EAAE,aAAa;QAC9B,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,yDAAyD;QAClE,UAAU,EAAE,YAAY;QACxB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,aAAa;KACrB;IACD,gEAAgE;IAChE;QACE,OAAO,EAAE,qDAAqD;QAC9D,UAAU,EAAE,SAAS;QACrB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,iEAAiE;QAC1E,UAAU,EAAE,SAAS;QACrB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,aAAa;KACrB;IACD,+DAA+D;IAC/D;QACE,OAAO,EAAE,iDAAiD;QAC1D,UAAU,EAAE,OAAO;QACnB,eAAe,EAAE,YAAY;QAC7B,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,2DAA2D;QACpE,UAAU,EAAE,OAAO;QACnB,eAAe,EAAE,YAAY;QAC7B,KAAK,EAAE,aAAa;KACrB;IACD,+DAA+D;IAC/D;QACE,OAAO,EAAE,iEAAiE;QAC1E,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,QAAQ;KAChB;IACD,+DAA+D;IAC/D;QACE,OAAO,EAAE,2EAA2E;QACpF,UAAU,EAAE,WAAW;QACvB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,mDAAmD;QAC5D,UAAU,EAAE,WAAW;QACvB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,aAAa;KACrB;IACD,+DAA+D;IAC/D;QACE,OAAO,EAAE,8FAA8F;QACvG,UAAU,EAAE,QAAQ;QACpB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,QAAQ;KAChB;IACD,+DAA+D;IAC/D;QACE,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,sHAAsH;QAC/H,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,kEAAkE;QAC3E,UAAU,EAAE,QAAQ;QACpB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,MAAM;KACd;IACD,gEAAgE;IAChE;QACE,OAAO,EAAE,wCAAwC;QACjD,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,6BAA6B;QACtC,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,MAAM;KACd;IACD;QACE,OAAO,EAAE,qDAAqD;QAC9D,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,aAAa;QAC9B,KAAK,EAAE,MAAM;KACd;IACD,+DAA+D;IAC/D;QACE,OAAO,EAAE,6CAA6C;QACtD,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,MAAM;QACvB,KAAK,EAAE,MAAM;KACd;IACD,gEAAgE;IAChE;QACE,OAAO,EAAE,wFAAwF;QACjG,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,OAAO;QACxB,KAAK,EAAE,MAAM;KACd;CACF,CAAC;AAEF,0EAA0E;AAC1E,MAAM,cAAc,GAAmC;IACrD,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,WAAW,EAAE,CAAC;IACd,UAAU,EAAE,CAAC;CACd,CAAC;AAEF,gEAAgE;AAChE,MAAM,UAAU,YAAY,CAAC,CAAiB,EAAE,CAAiB;IAC/D,OAAO,cAAc,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,iBAAiB,CAAC,CAAiB;IACjD,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,aAAa,CAAC;QACvB,KAAK,aAAa;YAChB,OAAO,YAAY,CAAC;QACtB,KAAK,YAAY;YACf,OAAO,YAAY,CAAC,CAAC,YAAY;IACrC,CAAC;AACH,CAAC"}