network-ai 3.0.0

package/dist/security.js

@@ -0,0 +1,713 @@
+"use strict";
+/**
+ * SwarmOrchestrator Security Module
+ *
+ * This module addresses security vulnerabilities in the multi-agent system:
+ *
+ * 1. Token Security - HMAC-signed tokens with expiration
+ * 2. Input Sanitization - Prevent injection attacks
+ * 3. Rate Limiting - Prevent DoS from rogue agents
+ * 4. Audit Integrity - Cryptographically signed audit logs
+ * 5. Data Encryption - Encrypt sensitive blackboard entries
+ * 6. Permission Hardening - Prevent privilege escalation
+ * 7. Path Traversal Protection - Sanitize file paths
+ *
+ * @module SwarmSecurity
+ * @version 1.0.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_CONFIG = exports.SecureSwarmGateway = exports.SecurityError = exports.PermissionHardener = exports.DataEncryptor = exports.SecureAuditLogger = exports.RateLimiter = exports.InputSanitizer = exports.SecureTokenManager = void 0;
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const DEFAULT_CONFIG = {
+    tokenSecret: process.env.SWARM_TOKEN_SECRET || (0, crypto_1.randomBytes)(32).toString('hex'),
+    tokenAlgorithm: 'sha256',
+    maxTokenAge: 300000, // 5 minutes
+    maxRequestsPerMinute: 100,
+    maxFailedAuthAttempts: 5,
+    lockoutDuration: 900000, // 15 minutes
+    encryptionKey: process.env.SWARM_ENCRYPTION_KEY || (0, crypto_1.randomBytes)(32).toString('hex'),
+    encryptSensitiveData: true,
+    signAuditLogs: true,
+    auditLogPath: './security-audit.log',
+    allowedBasePath: process.cwd(),
+};
+exports.DEFAULT_CONFIG = DEFAULT_CONFIG;
+class SecureTokenManager {
+    config;
+    revokedTokens = new Set();
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Generate a cryptographically signed token
+     */
+    generateToken(agentId, resourceType, scope) {
+        const tokenId = (0, crypto_1.randomBytes)(16).toString('hex');
+        const issuedAt = Date.now();
+        const expiresAt = issuedAt + this.config.maxTokenAge;
+        // Create token payload
+        const payload = `${tokenId}:${agentId}:${resourceType}:${scope}:${issuedAt}:${expiresAt}`;
+        // Sign the payload
+        const signature = this.sign(payload);
+        return {
+            tokenId,
+            agentId,
+            resourceType,
+            scope,
+            issuedAt,
+            expiresAt,
+            signature,
+        };
+    }
+    /**
+     * Validate a token's authenticity and expiration
+     */
+    validateToken(token) {
+        // Check if revoked
+        if (this.revokedTokens.has(token.tokenId)) {
+            return { valid: false, reason: 'Token has been revoked' };
+        }
+        // Check expiration
+        if (Date.now() > token.expiresAt) {
+            return { valid: false, reason: 'Token has expired' };
+        }
+        // Verify signature
+        const payload = `${token.tokenId}:${token.agentId}:${token.resourceType}:${token.scope}:${token.issuedAt}:${token.expiresAt}`;
+        const expectedSignature = this.sign(payload);
+        if (!this.constantTimeCompare(token.signature, expectedSignature)) {
+            return { valid: false, reason: 'Invalid token signature' };
+        }
+        return { valid: true };
+    }
+    /**
+     * Revoke a token
+     */
+    revokeToken(tokenId) {
+        this.revokedTokens.add(tokenId);
+    }
+    /**
+     * HMAC sign a payload
+     */
+    sign(payload) {
+        return (0, crypto_1.createHmac)(this.config.tokenAlgorithm, this.config.tokenSecret)
+            .update(payload)
+            .digest('hex');
+    }
+    /**
+     * Constant-time string comparison to prevent timing attacks
+     */
+    constantTimeCompare(a, b) {
+        if (a.length !== b.length)
+            return false;
+        let result = 0;
+        for (let i = 0; i < a.length; i++) {
+            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+        }
+        return result === 0;
+    }
+}
+exports.SecureTokenManager = SecureTokenManager;
+// ============================================================================
+// 2. INPUT SANITIZER
+// ============================================================================
+class InputSanitizer {
+    // Dangerous patterns that could indicate injection attempts
+    static DANGEROUS_PATTERNS = [
+        /\$\{.*\}/g, // Template injection
+        /<script.*?>.*?<\/script>/gi, // XSS
+        /javascript:/gi, // JavaScript protocol
+        /on\w+\s*=/gi, // Event handlers
+        /\.\.\//g, // Path traversal
+        /[;&|`$]/g, // Command injection chars
+        /__proto__/gi, // Prototype pollution
+        /constructor/gi, // Prototype pollution
+    ];
+    /**
+     * Sanitize a string input
+     */
+    static sanitizeString(input, maxLength = 10000) {
+        if (typeof input !== 'string') {
+            throw new SecurityError('Input must be a string', 'INVALID_INPUT_TYPE');
+        }
+        // Truncate to max length
+        let sanitized = input.slice(0, maxLength);
+        // Remove dangerous patterns
+        for (const pattern of this.DANGEROUS_PATTERNS) {
+            sanitized = sanitized.replace(pattern, '');
+        }
+        // Encode special characters
+        sanitized = sanitized
+            .replace(/&/g, '&amp;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#x27;');
+        return sanitized;
+    }
+    /**
+     * Sanitize an object recursively
+     */
+    static sanitizeObject(obj, depth = 0, maxDepth = 10) {
+        if (depth > maxDepth) {
+            throw new SecurityError('Object nesting too deep', 'MAX_DEPTH_EXCEEDED');
+        }
+        if (obj === null || obj === undefined) {
+            return obj;
+        }
+        if (typeof obj === 'string') {
+            return this.sanitizeString(obj);
+        }
+        if (typeof obj === 'number' || typeof obj === 'boolean') {
+            return obj;
+        }
+        if (Array.isArray(obj)) {
+            return obj.map(item => this.sanitizeObject(item, depth + 1, maxDepth));
+        }
+        if (typeof obj === 'object') {
+            const sanitized = {};
+            for (const [key, value] of Object.entries(obj)) {
+                // Sanitize keys too
+                const sanitizedKey = this.sanitizeString(key, 100);
+                // Block prototype pollution attempts
+                if (sanitizedKey === '__proto__' || sanitizedKey === 'constructor' || sanitizedKey === 'prototype') {
+                    continue;
+                }
+                sanitized[sanitizedKey] = this.sanitizeObject(value, depth + 1, maxDepth);
+            }
+            return sanitized;
+        }
+        return undefined; // Unknown types are dropped
+    }
+    /**
+     * Validate and sanitize an agent ID
+     */
+    static sanitizeAgentId(agentId) {
+        if (typeof agentId !== 'string' || agentId.length === 0) {
+            throw new SecurityError('Invalid agent ID', 'INVALID_AGENT_ID');
+        }
+        // Agent IDs should be alphanumeric with underscores/hyphens only
+        const sanitized = agentId.replace(/[^a-zA-Z0-9_-]/g, '');
+        if (sanitized.length === 0 || sanitized.length > 64) {
+            throw new SecurityError('Agent ID format invalid', 'INVALID_AGENT_ID_FORMAT');
+        }
+        return sanitized;
+    }
+    /**
+     * Validate and sanitize a file path
+     */
+    static sanitizePath(inputPath, basePath) {
+        // Normalize the path
+        const normalized = (0, path_1.normalize)(inputPath);
+        // Resolve to absolute
+        const absolute = (0, path_1.isAbsolute)(normalized)
+            ? normalized
+            : (0, path_1.join)(basePath, normalized);
+        // Ensure it's within the allowed base path
+        const resolvedBase = (0, path_1.normalize)(basePath);
+        const resolvedPath = (0, path_1.normalize)(absolute);
+        if (!resolvedPath.startsWith(resolvedBase)) {
+            throw new SecurityError('Path traversal attempt detected', 'PATH_TRAVERSAL');
+        }
+        return resolvedPath;
+    }
+}
+exports.InputSanitizer = InputSanitizer;
+class RateLimiter {
+    limits = new Map();
+    config;
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Check if an agent is rate limited
+     */
+    isRateLimited(agentId) {
+        const entry = this.limits.get(agentId);
+        const now = Date.now();
+        if (!entry) {
+            this.limits.set(agentId, {
+                count: 1,
+                windowStart: now,
+                failedAttempts: 0,
+                lockedUntil: null,
+            });
+            return { limited: false };
+        }
+        // Check if locked out
+        if (entry.lockedUntil && now < entry.lockedUntil) {
+            return {
+                limited: true,
+                retryAfter: Math.ceil((entry.lockedUntil - now) / 1000)
+            };
+        }
+        // Reset window if expired (1 minute)
+        if (now - entry.windowStart > 60000) {
+            entry.count = 1;
+            entry.windowStart = now;
+            entry.lockedUntil = null;
+            return { limited: false };
+        }
+        // Increment counter
+        entry.count++;
+        // Check if over limit
+        if (entry.count > this.config.maxRequestsPerMinute) {
+            return {
+                limited: true,
+                retryAfter: Math.ceil((entry.windowStart + 60000 - now) / 1000)
+            };
+        }
+        return { limited: false };
+    }
+    /**
+     * Record a failed authentication attempt
+     */
+    recordFailedAuth(agentId) {
+        const entry = this.limits.get(agentId) || {
+            count: 0,
+            windowStart: Date.now(),
+            failedAttempts: 0,
+            lockedUntil: null,
+        };
+        entry.failedAttempts++;
+        if (entry.failedAttempts >= this.config.maxFailedAuthAttempts) {
+            entry.lockedUntil = Date.now() + this.config.lockoutDuration;
+            this.limits.set(agentId, entry);
+            return { locked: true };
+        }
+        this.limits.set(agentId, entry);
+        return {
+            locked: false,
+            attemptsRemaining: this.config.maxFailedAuthAttempts - entry.failedAttempts
+        };
+    }
+    /**
+     * Reset failed attempts after successful auth
+     */
+    resetFailedAttempts(agentId) {
+        const entry = this.limits.get(agentId);
+        if (entry) {
+            entry.failedAttempts = 0;
+            entry.lockedUntil = null;
+        }
+    }
+    /**
+     * Get rate limit status for an agent
+     */
+    getStatus(agentId) {
+        return this.limits.get(agentId) || null;
+    }
+}
+exports.RateLimiter = RateLimiter;
+class SecureAuditLogger {
+    config;
+    previousHash = '';
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+        this.initializeLog();
+    }
+    initializeLog() {
+        const logPath = this.config.auditLogPath;
+        if (!(0, fs_1.existsSync)(logPath)) {
+            (0, fs_1.writeFileSync)(logPath, '');
+        }
+        else {
+            // Continue the hash chain from the last entry so integrity
+            // verification works across process restarts.
+            try {
+                const content = (0, fs_1.readFileSync)(logPath, 'utf-8').trim();
+                if (content) {
+                    const lines = content.split('\n').filter((l) => l);
+                    const lastLine = lines[lines.length - 1];
+                    const lastEntry = JSON.parse(lastLine);
+                    if (lastEntry.signature) {
+                        this.previousHash = lastEntry.signature;
+                    }
+                }
+            }
+            catch {
+                // If we can't read the last entry, start fresh chain
+            }
+        }
+    }
+    /**
+     * Log a security event with cryptographic integrity
+     */
+    log(eventType, agentId, action, outcome, details = {}, resource) {
+        const entry = {
+            timestamp: new Date().toISOString(),
+            eventId: (0, crypto_1.randomBytes)(8).toString('hex'),
+            eventType,
+            agentId: InputSanitizer.sanitizeAgentId(agentId),
+            action,
+            resource,
+            outcome,
+            details: InputSanitizer.sanitizeObject(details),
+        };
+        // Sign the entry if configured
+        if (this.config.signAuditLogs) {
+            const payload = JSON.stringify({
+                ...entry,
+                previousHash: this.previousHash,
+            });
+            entry.signature = (0, crypto_1.createHmac)('sha256', this.config.tokenSecret)
+                .update(payload)
+                .digest('hex');
+            this.previousHash = entry.signature ?? '';
+        }
+        // Append to log file
+        const logLine = JSON.stringify(entry) + '\n';
+        (0, fs_1.appendFileSync)(this.config.auditLogPath, logLine);
+        return entry;
+    }
+    /**
+     * Log a permission request
+     */
+    logPermissionRequest(agentId, resourceType, scope, granted, reason) {
+        this.log('PERMISSION_REQUEST', agentId, `request_${resourceType}`, granted ? 'success' : 'denied', { resourceType, scope, reason }, resourceType);
+    }
+    /**
+     * Log a security violation
+     */
+    logViolation(agentId, violationType, details) {
+        this.log('SECURITY_VIOLATION', agentId, violationType, 'denied', details);
+    }
+    /**
+     * Verify audit log integrity
+     */
+    verifyLogIntegrity() {
+        const logContent = (0, fs_1.readFileSync)(this.config.auditLogPath, 'utf-8');
+        const lines = logContent.trim().split('\n').filter((l) => l);
+        let previousHash = '';
+        const invalidEntries = [];
+        for (let i = 0; i < lines.length; i++) {
+            try {
+                const entry = JSON.parse(lines[i]);
+                if (entry.signature) {
+                    const { signature, ...rest } = entry;
+                    const payload = JSON.stringify({
+                        ...rest,
+                        previousHash,
+                    });
+                    const expectedSignature = (0, crypto_1.createHmac)('sha256', this.config.tokenSecret)
+                        .update(payload)
+                        .digest('hex');
+                    if (signature !== expectedSignature) {
+                        invalidEntries.push(i);
+                    }
+                    previousHash = signature;
+                }
+            }
+            catch {
+                invalidEntries.push(i);
+            }
+        }
+        return {
+            valid: invalidEntries.length === 0,
+            invalidEntries,
+        };
+    }
+}
+exports.SecureAuditLogger = SecureAuditLogger;
+// ============================================================================
+// 5. DATA ENCRYPTION
+// ============================================================================
+class DataEncryptor {
+    key;
+    algorithm = 'aes-256-gcm';
+    constructor(encryptionKey) {
+        // Derive a proper key from the provided key
+        this.key = (0, crypto_1.scryptSync)(encryptionKey, 'swarm-salt', 32);
+    }
+    /**
+     * Encrypt sensitive data
+     */
+    encrypt(data) {
+        const iv = (0, crypto_1.randomBytes)(16);
+        const cipher = (0, crypto_1.createCipheriv)(this.algorithm, this.key, iv);
+        let encrypted = cipher.update(data, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        const authTag = cipher.getAuthTag();
+        // Return iv:authTag:encryptedData
+        return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+    }
+    /**
+     * Decrypt sensitive data
+     */
+    decrypt(encryptedData) {
+        const parts = encryptedData.split(':');
+        if (parts.length !== 3) {
+            throw new SecurityError('Invalid encrypted data format', 'INVALID_ENCRYPTED_FORMAT');
+        }
+        const [ivHex, authTagHex, encrypted] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const authTag = Buffer.from(authTagHex, 'hex');
+        const decipher = (0, crypto_1.createDecipheriv)(this.algorithm, this.key, iv);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    /**
+     * Encrypt an object
+     */
+    encryptObject(obj) {
+        return this.encrypt(JSON.stringify(obj));
+    }
+    /**
+     * Decrypt to object
+     */
+    decryptObject(encryptedData) {
+        return JSON.parse(this.decrypt(encryptedData));
+    }
+}
+exports.DataEncryptor = DataEncryptor;
+class PermissionHardener {
+    trustPolicies = new Map();
+    auditLogger;
+    constructor(auditLogger, defaultPolicies) {
+        this.auditLogger = auditLogger;
+        this.initializeDefaultPolicies(defaultPolicies);
+    }
+    initializeDefaultPolicies(customPolicies) {
+        if (customPolicies && customPolicies.length > 0) {
+            for (const policy of customPolicies) {
+                this.trustPolicies.set(policy.agentId, {
+                    agentId: policy.agentId,
+                    trustLevel: policy.trustLevel,
+                    allowedResources: policy.allowedResources,
+                    maxScope: policy.maxScope ?? ['read'],
+                    createdBy: 'SYSTEM',
+                    immutable: policy.immutable ?? false,
+                });
+            }
+            return;
+        }
+        // Fallback: universal defaults that cover common domains
+        this.trustPolicies.set('orchestrator', {
+            agentId: 'orchestrator',
+            trustLevel: 0.9,
+            allowedResources: ['*'],
+            maxScope: ['read', 'write', 'execute', 'delegate'],
+            createdBy: 'SYSTEM',
+            immutable: true,
+        });
+    }
+    /**
+     * Register or update a trust policy for an agent at runtime.
+     */
+    registerPolicy(policy) {
+        const existing = this.trustPolicies.get(policy.agentId);
+        if (existing?.immutable)
+            return; // Cannot overwrite immutable policies
+        this.trustPolicies.set(policy.agentId, {
+            agentId: policy.agentId,
+            trustLevel: policy.trustLevel,
+            allowedResources: policy.allowedResources,
+            maxScope: policy.maxScope ?? ['read'],
+            createdBy: 'RUNTIME',
+            immutable: policy.immutable ?? false,
+        });
+    }
+    /**
+     * Check if an agent can access a resource
+     */
+    canAccess(agentId, resourceType, requestedScope) {
+        const policy = this.trustPolicies.get(agentId);
+        if (!policy) {
+            this.auditLogger.logViolation(agentId, 'UNKNOWN_AGENT', { resourceType, requestedScope });
+            return { allowed: false, reason: 'Agent has no trust policy' };
+        }
+        // Check resource access (support '*' wildcard)
+        if (!policy.allowedResources.includes('*') && !policy.allowedResources.includes(resourceType)) {
+            this.auditLogger.logViolation(agentId, 'RESOURCE_NOT_ALLOWED', {
+                resourceType,
+                allowedResources: policy.allowedResources
+            });
+            return { allowed: false, reason: `Agent not allowed to access ${resourceType}` };
+        }
+        // Check scope
+        const scopeMatch = policy.maxScope.some(s => requestedScope.startsWith(s));
+        if (!scopeMatch) {
+            this.auditLogger.logViolation(agentId, 'SCOPE_EXCEEDED', {
+                requestedScope,
+                maxScope: policy.maxScope,
+            });
+            return { allowed: false, reason: 'Requested scope exceeds allowed scope' };
+        }
+        return { allowed: true };
+    }
+    /**
+     * Attempt to modify trust level (with escalation prevention)
+     */
+    modifyTrustLevel(requestingAgent, targetAgent, newTrustLevel) {
+        const requestorPolicy = this.trustPolicies.get(requestingAgent);
+        const targetPolicy = this.trustPolicies.get(targetAgent);
+        // Only orchestrator can modify trust
+        if (requestingAgent !== 'orchestrator') {
+            this.auditLogger.logViolation(requestingAgent, 'UNAUTHORIZED_TRUST_MODIFICATION', {
+                targetAgent,
+                attemptedTrustLevel: newTrustLevel,
+            });
+            return { success: false, reason: 'Only orchestrator can modify trust levels' };
+        }
+        // Cannot modify immutable policies
+        if (targetPolicy?.immutable) {
+            return { success: false, reason: 'Cannot modify immutable policy' };
+        }
+        // Cannot set trust higher than your own
+        if (requestorPolicy && newTrustLevel > requestorPolicy.trustLevel) {
+            this.auditLogger.logViolation(requestingAgent, 'PRIVILEGE_ESCALATION_ATTEMPT', {
+                targetAgent,
+                attemptedTrustLevel: newTrustLevel,
+                requestorTrustLevel: requestorPolicy.trustLevel,
+            });
+            return { success: false, reason: 'Cannot grant trust level higher than your own' };
+        }
+        // Apply the modification
+        if (targetPolicy) {
+            targetPolicy.trustLevel = newTrustLevel;
+        }
+        else {
+            this.trustPolicies.set(targetAgent, {
+                agentId: targetAgent,
+                trustLevel: newTrustLevel,
+                allowedResources: [],
+                maxScope: ['read'],
+                createdBy: requestingAgent,
+                immutable: false,
+            });
+        }
+        return { success: true };
+    }
+    /**
+     * Get policy for an agent
+     */
+    getPolicy(agentId) {
+        return this.trustPolicies.get(agentId);
+    }
+}
+exports.PermissionHardener = PermissionHardener;
+// ============================================================================
+// 7. SECURITY ERROR CLASS
+// ============================================================================
+class SecurityError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.name = 'SecurityError';
+        this.code = code;
+    }
+}
+exports.SecurityError = SecurityError;
+// ============================================================================
+// 8. SECURE SWARM GATEWAY (Integration Point)
+// ============================================================================
+class SecureSwarmGateway {
+    tokenManager;
+    rateLimiter;
+    auditLogger;
+    permissionHardener;
+    encryptor;
+    constructor(config = {}) {
+        const fullConfig = { ...DEFAULT_CONFIG, ...config };
+        this.tokenManager = new SecureTokenManager(fullConfig);
+        this.rateLimiter = new RateLimiter(fullConfig);
+        this.auditLogger = new SecureAuditLogger(fullConfig);
+        this.permissionHardener = new PermissionHardener(this.auditLogger);
+        this.encryptor = new DataEncryptor(fullConfig.encryptionKey);
+    }
+    /**
+     * Secure request handler - validates all security requirements
+     */
+    async handleSecureRequest(agentId, action, params, token) {
+        // 1. Sanitize agent ID
+        let sanitizedAgentId;
+        try {
+            sanitizedAgentId = InputSanitizer.sanitizeAgentId(agentId);
+        }
+        catch (error) {
+            this.auditLogger.logViolation(agentId, 'INVALID_AGENT_ID', { error: String(error) });
+            return { allowed: false, reason: 'Invalid agent ID' };
+        }
+        // 2. Check rate limit
+        const rateLimit = this.rateLimiter.isRateLimited(sanitizedAgentId);
+        if (rateLimit.limited) {
+            this.auditLogger.log('RATE_LIMITED', sanitizedAgentId, action, 'denied', {
+                retryAfter: rateLimit.retryAfter,
+            });
+            return { allowed: false, reason: `Rate limited. Retry after ${rateLimit.retryAfter}s` };
+        }
+        // 3. Validate token if provided
+        if (token) {
+            const tokenValidation = this.tokenManager.validateToken(token);
+            if (!tokenValidation.valid) {
+                const failedAuth = this.rateLimiter.recordFailedAuth(sanitizedAgentId);
+                this.auditLogger.log('TOKEN_VALIDATION_FAILED', sanitizedAgentId, action, 'denied', {
+                    reason: tokenValidation.reason,
+                    locked: failedAuth.locked,
+                });
+                if (failedAuth.locked) {
+                    return { allowed: false, reason: 'Account locked due to failed authentication attempts' };
+                }
+                return { allowed: false, reason: tokenValidation.reason };
+            }
+            // Reset failed attempts on successful validation
+            this.rateLimiter.resetFailedAttempts(sanitizedAgentId);
+        }
+        // 4. Sanitize parameters
+        let sanitizedParams;
+        try {
+            sanitizedParams = InputSanitizer.sanitizeObject(params);
+        }
+        catch (error) {
+            this.auditLogger.logViolation(sanitizedAgentId, 'MALICIOUS_INPUT', {
+                action,
+                error: String(error),
+            });
+            return { allowed: false, reason: 'Invalid input parameters' };
+        }
+        // 5. Log successful request
+        this.auditLogger.log('REQUEST_PROCESSED', sanitizedAgentId, action, 'success', {
+            paramKeys: Object.keys(sanitizedParams),
+        });
+        return { allowed: true, sanitizedParams };
+    }
+    /**
+     * Request a new permission grant
+     */
+    async requestPermission(agentId, resourceType, scope, justification) {
+        const sanitizedAgentId = InputSanitizer.sanitizeAgentId(agentId);
+        // Check if agent can access this resource
+        const accessCheck = this.permissionHardener.canAccess(sanitizedAgentId, resourceType, scope);
+        if (!accessCheck.allowed) {
+            this.auditLogger.logPermissionRequest(sanitizedAgentId, resourceType, scope, false, accessCheck.reason);
+            return { granted: false, reason: accessCheck.reason };
+        }
+        // Generate secure token
+        const token = this.tokenManager.generateToken(sanitizedAgentId, resourceType, scope);
+        this.auditLogger.logPermissionRequest(sanitizedAgentId, resourceType, scope, true);
+        return { granted: true, token };
+    }
+    /**
+     * Encrypt sensitive data for blackboard storage
+     */
+    encryptSensitiveData(data) {
+        return this.encryptor.encryptObject(data);
+    }
+    /**
+     * Decrypt sensitive data from blackboard
+     */
+    decryptSensitiveData(encryptedData) {
+        return this.encryptor.decryptObject(encryptedData);
+    }
+    /**
+     * Verify audit log integrity
+     */
+    verifyAuditIntegrity() {
+        return this.auditLogger.verifyLogIntegrity();
+    }
+}
+exports.SecureSwarmGateway = SecureSwarmGateway;
+//# sourceMappingURL=security.js.map