opena2a-cli 0.1.1 → 0.1.2

package/dist/shield/events.js

@@ -0,0 +1,342 @@
+"use strict";
+/**
+ * Shield tamper-evident event system.
+ *
+ * Events are stored as newline-delimited JSON (JSONL) with SHA-256 hash
+ * chains.  Each event references the hash of the previous event, forming
+ * an append-only tamper-evident log.  The very first event in the chain
+ * uses SHA-256("genesis") as its prevHash.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GENESIS_HASH = void 0;
+exports.uuidv7 = uuidv7;
+exports.getShieldDir = getShieldDir;
+exports.getEventsPath = getEventsPath;
+exports.writeEvent = writeEvent;
+exports.readEvents = readEvents;
+exports.verifyEventChain = verifyEventChain;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const types_js_1 = require("./types.js");
+// ---------------------------------------------------------------------------
+// UUIDv7 (RFC 9562)
+// ---------------------------------------------------------------------------
+/**
+ * Generate a UUIDv7 (time-sortable) per RFC 9562.
+ *
+ * Layout (128 bits):
+ *   48 bits - unix_ts_ms
+ *    4 bits - version (0b0111)
+ *   12 bits - rand_a
+ *    2 bits - variant (0b10)
+ *   62 bits - rand_b
+ */
+function uuidv7() {
+    const now = Date.now();
+    const rand = (0, node_crypto_1.randomBytes)(10); // 80 random bits; we use 74
+    // Bytes 0-5: 48-bit unix timestamp in milliseconds (big-endian)
+    const buf = Buffer.alloc(16);
+    buf[0] = (now / 2 ** 40) & 0xff;
+    buf[1] = (now / 2 ** 32) & 0xff;
+    buf[2] = (now / 2 ** 24) & 0xff;
+    buf[3] = (now / 2 ** 16) & 0xff;
+    buf[4] = (now / 2 ** 8) & 0xff;
+    buf[5] = now & 0xff;
+    // Bytes 6-7: version (4 bits = 0111) + rand_a (12 bits)
+    buf[6] = 0x70 | (rand[0] & 0x0f);
+    buf[7] = rand[1];
+    // Bytes 8-15: variant (2 bits = 10) + rand_b (62 bits)
+    buf[8] = 0x80 | (rand[2] & 0x3f);
+    buf[9] = rand[3];
+    buf[10] = rand[4];
+    buf[11] = rand[5];
+    buf[12] = rand[6];
+    buf[13] = rand[7];
+    buf[14] = rand[8];
+    buf[15] = rand[9];
+    const hex = buf.toString('hex');
+    return [
+        hex.slice(0, 8),
+        hex.slice(8, 12),
+        hex.slice(12, 16),
+        hex.slice(16, 20),
+        hex.slice(20, 32),
+    ].join('-');
+}
+// ---------------------------------------------------------------------------
+// Directory helpers
+// ---------------------------------------------------------------------------
+/** Return the absolute path to the Shield data directory (~/.opena2a/shield). */
+function getShieldDir() {
+    const dir = (0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'shield');
+    if (!(0, node_fs_1.existsSync)(dir)) {
+        (0, node_fs_1.mkdirSync)(dir, { recursive: true, mode: 0o700 });
+    }
+    return dir;
+}
+/** Return the absolute path to the events JSONL file. */
+function getEventsPath() {
+    return (0, node_path_1.join)(getShieldDir(), types_js_1.SHIELD_EVENTS_FILE);
+}
+// ---------------------------------------------------------------------------
+// Hashing helpers
+// ---------------------------------------------------------------------------
+exports.GENESIS_HASH = (0, node_crypto_1.createHash)('sha256').update('genesis').digest('hex');
+/** Compute SHA-256 hex digest of a string. */
+function sha256(data) {
+    return (0, node_crypto_1.createHash)('sha256').update(data).digest('hex');
+}
+/**
+ * Read the last non-empty line from a file.  Returns null if the file
+ * does not exist or is empty.
+ */
+function readLastLine(filePath) {
+    if (!(0, node_fs_1.existsSync)(filePath))
+        return null;
+    let content;
+    try {
+        content = (0, node_fs_1.readFileSync)(filePath, 'utf-8');
+    }
+    catch {
+        return null;
+    }
+    const lines = content.split('\n');
+    // Walk backwards to find the last non-empty line
+    for (let i = lines.length - 1; i >= 0; i--) {
+        const line = lines[i].trim();
+        if (line.length > 0)
+            return line;
+    }
+    return null;
+}
+/**
+ * Extract the prevHash for the next event by reading the eventHash
+ * of the last event in the chain.  Returns the genesis hash if the
+ * file is empty or missing.
+ */
+function getPrevHash(eventsPath) {
+    const lastLine = readLastLine(eventsPath);
+    if (!lastLine)
+        return exports.GENESIS_HASH;
+    try {
+        const parsed = JSON.parse(lastLine);
+        if (parsed.eventHash && typeof parsed.eventHash === 'string') {
+            return parsed.eventHash;
+        }
+    }
+    catch {
+        // Corrupted last line -- fall through to genesis
+    }
+    return exports.GENESIS_HASH;
+}
+/**
+ * Rotate the events file if it exceeds MAX_EVENTS_FILE_SIZE.
+ * The current file is renamed with a timestamp suffix, and a fresh
+ * file is started.
+ */
+function rotateIfNeeded(eventsPath) {
+    if (!(0, node_fs_1.existsSync)(eventsPath))
+        return;
+    let size;
+    try {
+        size = (0, node_fs_1.statSync)(eventsPath).size;
+    }
+    catch {
+        return;
+    }
+    if (size <= types_js_1.MAX_EVENTS_FILE_SIZE)
+        return;
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const rotatedPath = eventsPath.replace(/\.jsonl$/, `-${timestamp}.jsonl`);
+    (0, node_fs_1.renameSync)(eventsPath, rotatedPath);
+}
+/**
+ * Write a new event to the tamper-evident log.
+ *
+ * The caller provides all event fields except id, timestamp, version,
+ * prevHash, and eventHash -- those are generated automatically.
+ */
+function writeEvent(partial) {
+    const eventsPath = getEventsPath();
+    // Rotate before writing if the file is oversized
+    rotateIfNeeded(eventsPath);
+    const prevHash = getPrevHash(eventsPath);
+    // Build the event without the final eventHash
+    const event = {
+        id: uuidv7(),
+        timestamp: new Date().toISOString(),
+        version: 1,
+        ...partial,
+        prevHash,
+    };
+    // Compute the hash over the event (without the eventHash field itself)
+    const hashInput = JSON.stringify(event);
+    const eventHash = sha256(hashInput);
+    const fullEvent = {
+        ...event,
+        eventHash,
+    };
+    const line = JSON.stringify(fullEvent) + '\n';
+    // Ensure the shield directory exists (getEventsPath already calls getShieldDir)
+    (0, node_fs_1.appendFileSync)(eventsPath, line, { encoding: 'utf-8', mode: 0o600 });
+    // Ensure restrictive permissions on the events file
+    try {
+        (0, node_fs_1.chmodSync)(eventsPath, 0o600);
+    }
+    catch {
+        // Best-effort; appendFileSync already set mode on creation
+    }
+    return fullEvent;
+}
+/**
+ * Parse a relative time string into a Date.
+ *
+ * Supported formats:
+ *   "7d"  - 7 days ago
+ *   "1w"  - 1 week ago
+ *   "2w"  - 2 weeks ago
+ *   "1m"  - 1 month ago (30 days)
+ *   "3m"  - 3 months ago (90 days)
+ *
+ * If the string is not a relative format, it is parsed as ISO 8601.
+ * Returns null if parsing fails entirely.
+ */
+function parseSince(since) {
+    const relativeMatch = since.match(/^(\d+)([dwm])$/);
+    if (relativeMatch) {
+        const amount = parseInt(relativeMatch[1], 10);
+        const unit = relativeMatch[2];
+        const now = Date.now();
+        let ms;
+        switch (unit) {
+            case 'd':
+                ms = amount * 24 * 60 * 60 * 1000;
+                break;
+            case 'w':
+                ms = amount * 7 * 24 * 60 * 60 * 1000;
+                break;
+            case 'm':
+                ms = amount * 30 * 24 * 60 * 60 * 1000;
+                break;
+            default:
+                return null;
+        }
+        return new Date(now - ms);
+    }
+    // Try ISO 8601
+    const d = new Date(since);
+    if (isNaN(d.getTime()))
+        return null;
+    return d;
+}
+/**
+ * Read events from the JSONL log file, applying optional filters.
+ *
+ * Returns events in newest-first order.  Corrupted JSON lines are
+ * silently skipped.
+ */
+function readEvents(filters = {}) {
+    const eventsPath = getEventsPath();
+    if (!(0, node_fs_1.existsSync)(eventsPath))
+        return [];
+    let content;
+    try {
+        content = (0, node_fs_1.readFileSync)(eventsPath, 'utf-8');
+    }
+    catch {
+        return [];
+    }
+    const lines = content.split('\n');
+    const events = [];
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (trimmed.length === 0)
+            continue;
+        try {
+            const event = JSON.parse(trimmed);
+            events.push(event);
+        }
+        catch {
+            // Skip corrupted lines
+            continue;
+        }
+    }
+    // Apply filters
+    let filtered = events;
+    if (filters.source) {
+        const src = filters.source;
+        filtered = filtered.filter(e => e.source === src);
+    }
+    if (filters.severity) {
+        const sev = filters.severity;
+        filtered = filtered.filter(e => e.severity === sev);
+    }
+    if (filters.agent) {
+        const agent = filters.agent;
+        filtered = filtered.filter(e => e.agent === agent);
+    }
+    if (filters.category) {
+        const cat = filters.category;
+        filtered = filtered.filter(e => e.category === cat);
+    }
+    if (filters.since) {
+        const sinceDate = parseSince(filters.since);
+        if (sinceDate) {
+            const sinceMs = sinceDate.getTime();
+            filtered = filtered.filter(e => {
+                const eventTime = new Date(e.timestamp).getTime();
+                return eventTime >= sinceMs;
+            });
+        }
+    }
+    // Newest-first (reverse chronological order)
+    filtered.reverse();
+    // Apply count limit after reversing
+    if (filters.count !== undefined && filters.count > 0) {
+        filtered = filtered.slice(0, filters.count);
+    }
+    return filtered;
+}
+// ---------------------------------------------------------------------------
+// verifyEventChain
+// ---------------------------------------------------------------------------
+/**
+ * Verify the integrity of a hash chain.
+ *
+ * Events must be provided in chronological order (oldest first).
+ * The first event's prevHash must equal SHA-256("genesis").
+ *
+ * Returns { valid: true, brokenAt: null } if the chain is intact,
+ * or { valid: false, brokenAt: <index> } pointing to the first
+ * event where the chain breaks.
+ */
+function verifyEventChain(events) {
+    if (events.length === 0) {
+        return { valid: true, brokenAt: null };
+    }
+    for (let i = 0; i < events.length; i++) {
+        const event = events[i];
+        // 1. Verify prevHash links to the previous event (or genesis)
+        if (i === 0) {
+            if (event.prevHash !== exports.GENESIS_HASH) {
+                return { valid: false, brokenAt: 0 };
+            }
+        }
+        else {
+            if (event.prevHash !== events[i - 1].eventHash) {
+                return { valid: false, brokenAt: i };
+            }
+        }
+        // 2. Verify the eventHash matches the event content
+        // Reconstruct the event without eventHash and compute the hash
+        const { eventHash: _storedHash, ...rest } = event;
+        const computedHash = sha256(JSON.stringify(rest));
+        if (computedHash !== event.eventHash) {
+            return { valid: false, brokenAt: i };
+        }
+    }
+    return { valid: true, brokenAt: null };
+}
+//# sourceMappingURL=events.js.map

package/dist/shield/events.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.js","sourceRoot":"","sources":["../../src/shield/events.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAgCH,wBAmCC;AAOD,oCAMC;AAGD,sCAEC;AA4FD,gCAuCC;AAiED,gCAuEC;AAgBD,4CA+BC;AA7YD,6CAAsD;AACtD,qCAQiB;AACjB,qCAAkC;AAClC,yCAAiC;AAGjC,yCAAsE;AAEtE,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,SAAgB,MAAM;IACpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,CAAC,4BAA4B;IAE1D,gEAAgE;IAChE,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAChC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAChC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAChC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAChC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;IAC/B,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC;IAEpB,wDAAwD;IACxD,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACjC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAEjB,uDAAuD;IACvD,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACjC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAElB,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO;QACL,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACf,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QAChB,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QACjB,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QACjB,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;KAClB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,iFAAiF;AACjF,SAAgB,YAAY;IAC1B,MAAM,GAAG,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAClD,IAAI,CAAC,IAAA,oBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;QACrB,IAAA,mBAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,yDAAyD;AACzD,SAAgB,aAAa;IAC3B,OAAO,IAAA,gBAAI,EAAC,YAAY,EAAE,EAAE,6BAAkB,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAEjE,QAAA,YAAY,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAEjF,8CAA8C;AAC9C,SAAS,MAAM,CAAC,IAAY;IAC1B,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,iDAAiD;IACjD,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACnC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,SAAS,WAAW,CAAC,UAAkB;IACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ;QAAE,OAAO,oBAAY,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAgB,CAAC;QACnD,IAAI,MAAM,CAAC,SAAS,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC7D,OAAO,MAAM,CAAC,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iDAAiD;IACnD,CAAC;IAED,OAAO,oBAAY,CAAC;AACtB,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,UAAkB;IACxC,IAAI,CAAC,IAAA,oBAAU,EAAC,UAAU,CAAC;QAAE,OAAO;IAEpC,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,IAAA,kBAAQ,EAAC,UAAU,CAAC,CAAC,IAAI,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,IAAI,IAAI,IAAI,+BAAoB;QAAE,OAAO;IAEzC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,SAAS,QAAQ,CAAC,CAAC;IAC1E,IAAA,oBAAU,EAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AACtC,CAAC;AASD;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,OAA2C;IACpE,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IAEnC,iDAAiD;IACjD,cAAc,CAAC,UAAU,CAAC,CAAC;IAE3B,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAEzC,8CAA8C;IAC9C,MAAM,KAAK,GAA4D;QACrE,EAAE,EAAE,MAAM,EAAE;QACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE,CAAC;QACV,GAAG,OAAO;QACV,QAAQ;KACT,CAAC;IAEF,uEAAuE;IACvE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAEpC,MAAM,SAAS,GAAgB;QAC7B,GAAI,KAAwC;QAC5C,SAAS;KACV,CAAC;IAEF,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAE9C,gFAAgF;IAChF,IAAA,wBAAc,EAAC,UAAU,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAErE,oDAAoD;IACpD,IAAI,CAAC;QACH,IAAA,mBAAS,EAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAeD;;;;;;;;;;;;GAYG;AACH,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACpD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,EAAU,CAAC;QAEf,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG;gBACN,EAAE,GAAG,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;gBAClC,MAAM;YACR,KAAK,GAAG;gBACN,EAAE,GAAG,MAAM,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;gBACtC,MAAM;YACR,KAAK,GAAG;gBACN,EAAE,GAAG,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;gBACvC,MAAM;YACR;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,OAAO,IAAI,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,eAAe;IACf,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,UAAwB,EAAE;IACnD,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IAEnC,IAAI,CAAC,IAAA,oBAAU,EAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,IAAA,sBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,MAAM,GAAkB,EAAE,CAAC;IAEjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEnC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAgB,CAAC;YACjD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;YACvB,SAAS;QACX,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,QAAQ,GAAG,MAAM,CAAC;IAEtB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;QAC3B,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;QAC7B,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC5B,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;QAC7B,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;YACpC,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;gBAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;gBAClD,OAAO,SAAS,IAAI,OAAO,CAAC;YAC9B,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,QAAQ,CAAC,OAAO,EAAE,CAAC;IAEnB,oCAAoC;IACpC,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACrD,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,SAAgB,gBAAgB,CAC9B,MAAqB;IAErB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAExB,8DAA8D;QAC9D,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACZ,IAAI,KAAK,CAAC,QAAQ,KAAK,oBAAY,EAAE,CAAC;gBACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;gBAC/C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,+DAA+D;QAC/D,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;QAClD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAClD,IAAI,YAAY,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;YACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACzC,CAAC"}

package/dist/shield/init.d.ts

@@ -0,0 +1,22 @@
+import type { EnvironmentScan, ShieldPolicy } from './types.js';
+interface InitResult {
+    scan: EnvironmentScan;
+    policy: ShieldPolicy;
+    shellHookInstalled: boolean;
+    policyPath: string;
+    steps: {
+        name: string;
+        status: 'done' | 'skipped' | 'warn';
+    }[];
+}
+export declare function shieldInit(options: {
+    targetDir?: string;
+    ci?: boolean;
+    format?: string;
+    verbose?: boolean;
+}): Promise<{
+    exitCode: number;
+    result: InitResult;
+}>;
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/shield/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/shield/init.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,eAAe,EACf,YAAY,EAKb,MAAM,YAAY,CAAC;AAUpB,UAAU,UAAU;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,MAAM,EAAE,YAAY,CAAC;IACrB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAAA;KAAE,EAAE,CAAC;CAChE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,CAoQpD"}

package/dist/shield/init.js

@@ -0,0 +1,290 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shieldInit = shieldInit;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const types_js_1 = require("./types.js");
+const detect_js_1 = require("./detect.js");
+const policy_js_1 = require("./policy.js");
+const events_js_1 = require("./events.js");
+const integrity_js_1 = require("./integrity.js");
+const signing_js_1 = require("./signing.js");
+const colors_js_1 = require("../util/colors.js");
+const spinner_js_1 = require("../util/spinner.js");
+async function shieldInit(options) {
+    const targetDir = options.targetDir ?? process.cwd();
+    const ci = options.ci ?? false;
+    const format = options.format ?? 'text';
+    const isText = format === 'text' && !ci;
+    const steps = [];
+    // --- Step 1: Environment Detection ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('\nShield Init\n\n'));
+    const spinner = isText ? new spinner_js_1.Spinner('Scanning environment...') : null;
+    spinner?.start();
+    const scan = (0, detect_js_1.detectEnvironment)(targetDir);
+    spinner?.stop();
+    steps.push({ name: 'Environment scan', status: 'done' });
+    if (isText) {
+        process.stdout.write((0, colors_js_1.bold)('Step 1: Environment Detection\n'));
+        // CLIs
+        if (scan.clis.length > 0) {
+            process.stdout.write(`  CLIs found: ${scan.clis.map((c) => c.name).join(', ')}\n`);
+        }
+        else {
+            process.stdout.write(`  No cloud CLIs detected\n`);
+        }
+        // Assistants
+        const activeAssistants = scan.assistants.filter((a) => a.detected);
+        if (activeAssistants.length > 0) {
+            process.stdout.write(`  AI assistants: ${activeAssistants.map((a) => a.name).join(', ')}\n`);
+        }
+        // MCP servers
+        if (scan.mcpServers.length > 0) {
+            process.stdout.write(`  MCP servers: ${scan.mcpServers.map((s) => s.name).join(', ')}\n`);
+        }
+        // OAuth sessions
+        const activeSessions = scan.oauthSessions.filter((s) => s.hasActiveSession);
+        if (activeSessions.length > 0) {
+            process.stdout.write((0, colors_js_1.yellow)(`  Active OAuth sessions: ${activeSessions.map((s) => s.provider).join(', ')}\n`));
+        }
+        // Project
+        process.stdout.write(`  Project: ${scan.projectName ?? 'unknown'} (${scan.projectType})\n`);
+        process.stdout.write('\n');
+    }
+    // --- Step 2: Credential Audit ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 2: Credential Audit\n'));
+    let credentialFindings = 0;
+    try {
+        const { quickCredentialScan } = await import('../util/credential-patterns.js');
+        const matches = quickCredentialScan(targetDir);
+        credentialFindings = matches.length;
+        if (isText) {
+            if (matches.length === 0) {
+                process.stdout.write((0, colors_js_1.green)('  No hardcoded credentials found\n'));
+            }
+            else {
+                process.stdout.write((0, colors_js_1.yellow)(`  ${matches.length} credential${matches.length !== 1 ? 's' : ''} found\n`));
+                for (const m of matches.slice(0, 5)) {
+                    process.stdout.write(`    ${m.severity.toUpperCase()}: ${m.title} in ${m.filePath}:${m.line}\n`);
+                }
+                if (matches.length > 5) {
+                    process.stdout.write((0, colors_js_1.dim)(`    ... and ${matches.length - 5} more\n`));
+                }
+                process.stdout.write((0, colors_js_1.dim)('  Run: opena2a protect\n'));
+            }
+        }
+    }
+    catch {
+        if (isText)
+            process.stdout.write((0, colors_js_1.dim)('  Credential scan skipped (module unavailable)\n'));
+    }
+    steps.push({ name: 'Credential audit', status: credentialFindings > 0 ? 'warn' : 'done' });
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 3: Config Integrity Baseline ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 3: Config Integrity Baseline\n'));
+    try {
+        const { guard } = await import('../commands/guard.js');
+        await guard({
+            subcommand: 'sign',
+            targetDir,
+            ci: true,
+            format: 'json',
+            verbose: false,
+        });
+        steps.push({ name: 'Config signing', status: 'done' });
+        if (isText)
+            process.stdout.write((0, colors_js_1.green)('  Config files signed as baseline\n'));
+    }
+    catch {
+        steps.push({ name: 'Config signing', status: 'skipped' });
+        if (isText)
+            process.stdout.write((0, colors_js_1.dim)('  Config signing skipped\n'));
+    }
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 4: Generate Policy ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 4: Generate Policy\n'));
+    const policy = (0, policy_js_1.generatePolicyFromScan)(scan);
+    const shieldDir = (0, events_js_1.getShieldDir)();
+    const policyPath = (0, node_path_1.join)(shieldDir, types_js_1.SHIELD_POLICY_FILE);
+    if ((0, node_fs_1.existsSync)(policyPath) && !ci) {
+        if (isText) {
+            process.stdout.write((0, colors_js_1.yellow)('  Existing policy found. Preserving current policy.\n'));
+            process.stdout.write((0, colors_js_1.dim)('  To regenerate: delete ~/.opena2a/shield/policy.yaml and re-run init\n'));
+        }
+    }
+    else {
+        (0, policy_js_1.savePolicy)(policy, policyPath);
+        (0, integrity_js_1.recordPolicyHash)(policyPath);
+        if (isText) {
+            process.stdout.write((0, colors_js_1.green)('  Policy generated (adaptive mode)\n'));
+            process.stdout.write(`  Shield will learn agent behavior before suggesting rules.\n`);
+            const denyProcs = policy.default.processes.deny;
+            if (denyProcs.length > 0) {
+                process.stdout.write(`  Recommended blocks: ${denyProcs.join(', ')}\n`);
+            }
+        }
+    }
+    steps.push({ name: 'Policy generation', status: 'done' });
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 5: Shell Integration ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 5: Shell Integration\n'));
+    let shellHookInstalled = false;
+    const shell = process.env.SHELL?.includes('zsh') ? 'zsh'
+        : process.env.SHELL?.includes('bash') ? 'bash'
+            : null;
+    if (shell && !ci) {
+        const rcFile = shell === 'zsh'
+            ? (0, node_path_1.join)((0, node_os_1.homedir)(), '.zshrc')
+            : (0, node_path_1.join)((0, node_os_1.homedir)(), '.bashrc');
+        let rcContent = '';
+        if ((0, node_fs_1.existsSync)(rcFile)) {
+            try {
+                rcContent = (0, node_fs_1.readFileSync)(rcFile, 'utf-8');
+            }
+            catch {
+                if (isText)
+                    process.stdout.write((0, colors_js_1.yellow)('  Cannot read rc file, skipping shell hooks\n'));
+                steps.push({ name: 'Shell integration', status: 'skipped' });
+                if (isText)
+                    process.stdout.write('\n');
+                // Skip shell integration entirely if we can't read an existing file
+                rcContent = '';
+            }
+        }
+        if (rcContent.includes('opena2a_shield_preexec') || rcContent.includes('opena2a_shield_debug')) {
+            shellHookInstalled = true;
+            if (isText)
+                process.stdout.write((0, colors_js_1.green)('  Shell hooks already installed\n'));
+        }
+        else {
+            const hookContent = (0, integrity_js_1.getExpectedHookContent)(shell);
+            (0, node_fs_1.appendFileSync)(rcFile, '\n' + hookContent + '\n', { mode: 0o600 });
+            shellHookInstalled = true;
+            if (isText)
+                process.stdout.write((0, colors_js_1.green)(`  Shell hooks installed in ~/.${shell}rc\n`));
+        }
+    }
+    else if (ci) {
+        if (isText)
+            process.stdout.write((0, colors_js_1.dim)('  Shell hooks skipped (CI mode)\n'));
+    }
+    else {
+        if (isText)
+            process.stdout.write((0, colors_js_1.dim)('  Shell not detected (zsh or bash required)\n'));
+    }
+    steps.push({ name: 'Shell integration', status: shellHookInstalled ? 'done' : 'skipped' });
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 6: ARP Initialization ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 6: Runtime Protection\n'));
+    try {
+        const { runtime } = await import('../commands/runtime.js');
+        await runtime({
+            subcommand: 'init',
+            targetDir,
+            ci: true,
+            format: 'json',
+            verbose: false,
+        });
+        steps.push({ name: 'ARP init', status: 'done' });
+        if (isText)
+            process.stdout.write((0, colors_js_1.green)('  ARP config generated\n'));
+    }
+    catch {
+        steps.push({ name: 'ARP init', status: 'skipped' });
+        if (isText)
+            process.stdout.write((0, colors_js_1.dim)('  ARP initialization skipped (hackmyagent not installed)\n'));
+    }
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 7: Browser Guard ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 7: Browser Guard\n'));
+    const hasBrowserGuard = (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'opena2a', 'browser-guard.json')) ||
+        (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'browser-guard.json'));
+    if (hasBrowserGuard) {
+        steps.push({ name: 'Browser Guard', status: 'done' });
+        if (isText)
+            process.stdout.write((0, colors_js_1.green)('  Browser Guard detected\n'));
+    }
+    else {
+        steps.push({ name: 'Browser Guard', status: 'skipped' });
+        if (isText) {
+            process.stdout.write((0, colors_js_1.dim)('  Browser Guard not installed\n'));
+            process.stdout.write((0, colors_js_1.dim)('  Browser session protection is optional.\n'));
+        }
+    }
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 8: Summary ---
+    // Save scan results
+    const scanPath = (0, node_path_1.join)(shieldDir, types_js_1.SHIELD_SCAN_FILE);
+    (0, node_fs_1.writeFileSync)(scanPath, JSON.stringify(scan, null, 2) + '\n', { mode: 0o600 });
+    // Sign all Shield artifacts (policy.yaml, scan.json, llm-cache.json)
+    (0, signing_js_1.signAllArtifacts)();
+    // Write init event
+    (0, events_js_1.writeEvent)({
+        source: 'shield',
+        category: 'shield.init',
+        severity: 'info',
+        agent: null,
+        sessionId: null,
+        action: 'shield.init',
+        target: targetDir,
+        outcome: 'allowed',
+        detail: {
+            clis: scan.clis.length,
+            assistants: scan.assistants.filter((a) => a.detected).length,
+            mcpServers: scan.mcpServers.length,
+            oauthSessions: scan.oauthSessions.filter((s) => s.hasActiveSession).length,
+            credentialFindings,
+            shellHookInstalled,
+        },
+        orgId: null,
+        managed: false,
+        agentId: null,
+    });
+    steps.push({ name: 'Summary', status: 'done' });
+    if (isText) {
+        process.stdout.write((0, colors_js_1.bold)('Step 8: Summary\n'));
+        const doneCount = steps.filter(s => s.status === 'done').length;
+        const warnCount = steps.filter(s => s.status === 'warn').length;
+        process.stdout.write(`  ${(0, colors_js_1.green)(`${doneCount} steps completed`)}`);
+        if (warnCount > 0)
+            process.stdout.write(`, ${(0, colors_js_1.yellow)(`${warnCount} warnings`)}`);
+        process.stdout.write('\n');
+        process.stdout.write(`  Policy: ${policyPath}\n`);
+        process.stdout.write(`  Events: ${(0, node_path_1.join)(shieldDir, 'events.jsonl')}\n`);
+        process.stdout.write('\n');
+        process.stdout.write((0, colors_js_1.cyan)('  Shield is now in adaptive mode. It will learn your agent behavior\n'));
+        process.stdout.write((0, colors_js_1.cyan)('  and suggest a policy once patterns stabilize.\n'));
+        process.stdout.write('\n');
+        process.stdout.write((0, colors_js_1.dim)('  View status:  opena2a shield status\n'));
+        process.stdout.write((0, colors_js_1.dim)('  View events:  opena2a shield log\n'));
+        process.stdout.write((0, colors_js_1.dim)('  Run check:    opena2a shield selfcheck\n'));
+        process.stdout.write('\n');
+    }
+    const result = {
+        scan,
+        policy,
+        shellHookInstalled,
+        policyPath,
+        steps,
+    };
+    if (format === 'json' || ci) {
+        process.stdout.write(JSON.stringify(result, null, 2) + '\n');
+    }
+    const hasFailure = credentialFindings > 0;
+    return { exitCode: hasFailure ? 1 : 0, result };
+}
+//# sourceMappingURL=init.js.map