npm - opena2a-cli - Versions diffs - 0.1.1 → 0.1.2 - Mend

opena2a-cli 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

package/README.md +2 -2
package/dist/adapters/registry.js +1 -1
package/dist/adapters/registry.js.map +1 -1
package/dist/commands/init.d.ts.map +1 -1
package/dist/commands/init.js +78 -3
package/dist/commands/init.js.map +1 -1
package/dist/commands/protect.d.ts +2 -0
package/dist/commands/protect.d.ts.map +1 -1
package/dist/commands/protect.js +56 -10
package/dist/commands/protect.js.map +1 -1
package/dist/commands/runtime.d.ts +1 -1
package/dist/commands/runtime.js +5 -5
package/dist/commands/runtime.js.map +1 -1
package/dist/commands/self-register.js +6 -6
package/dist/commands/self-register.js.map +1 -1
package/dist/commands/shield.d.ts +36 -0
package/dist/commands/shield.d.ts.map +1 -0
package/dist/commands/shield.js +834 -0
package/dist/commands/shield.js.map +1 -0
package/dist/commands/verify.js +1 -1
package/dist/commands/verify.js.map +1 -1
package/dist/index.js +29 -0
package/dist/index.js.map +1 -1
package/dist/shield/detect.d.ts +18 -0
package/dist/shield/detect.d.ts.map +1 -0
package/dist/shield/detect.js +402 -0
package/dist/shield/detect.js.map +1 -0
package/dist/shield/events.d.ts +65 -0
package/dist/shield/events.d.ts.map +1 -0
package/dist/shield/events.js +342 -0
package/dist/shield/events.js.map +1 -0
package/dist/shield/init.d.ts +22 -0
package/dist/shield/init.d.ts.map +1 -0
package/dist/shield/init.js +290 -0
package/dist/shield/init.js.map +1 -0
package/dist/shield/integrity.d.ts +75 -0
package/dist/shield/integrity.d.ts.map +1 -0
package/dist/shield/integrity.js +435 -0
package/dist/shield/integrity.js.map +1 -0
package/dist/shield/llm-backend.d.ts +36 -0
package/dist/shield/llm-backend.d.ts.map +1 -0
package/dist/shield/llm-backend.js +145 -0
package/dist/shield/llm-backend.js.map +1 -0
package/dist/shield/llm.d.ts +116 -0
package/dist/shield/llm.d.ts.map +1 -0
package/dist/shield/llm.js +536 -0
package/dist/shield/llm.js.map +1 -0
package/dist/shield/policy.d.ts +70 -0
package/dist/shield/policy.d.ts.map +1 -0
package/dist/shield/policy.js +399 -0
package/dist/shield/policy.js.map +1 -0
package/dist/shield/session.d.ts +63 -0
package/dist/shield/session.d.ts.map +1 -0
package/dist/shield/session.js +242 -0
package/dist/shield/session.js.map +1 -0
package/dist/shield/signing.d.ts +41 -0
package/dist/shield/signing.d.ts.map +1 -0
package/dist/shield/signing.js +161 -0
package/dist/shield/signing.js.map +1 -0
package/dist/shield/status.d.ts +4 -0
package/dist/shield/status.d.ts.map +1 -0
package/dist/shield/status.js +241 -0
package/dist/shield/status.js.map +1 -0
package/dist/shield/types.d.ts +398 -0
package/dist/shield/types.d.ts.map +1 -0
package/dist/shield/types.js +31 -0
package/dist/shield/types.js.map +1 -0
package/dist/util/drift-liveness.d.ts +37 -0
package/dist/util/drift-liveness.d.ts.map +1 -0
package/dist/util/drift-liveness.js +114 -0
package/dist/util/drift-liveness.js.map +1 -0
package/dist/util/drift-verification.d.ts +60 -0
package/dist/util/drift-verification.d.ts.map +1 -0
package/dist/util/drift-verification.js +457 -0
package/dist/util/drift-verification.js.map +1 -0
package/package.json +4 -2

package/dist/shield/llm.js ADDED Viewed

@@ -0,0 +1,536 @@
+"use strict";
+/**
+ * Shield LLM Intelligence Layer
+ *
+ * Uses Claude Haiku for lightweight, cost-efficient security analysis:
+ *   1. Policy suggestions from observed agent behavior
+ *   2. Anomaly explanations for unusual actions
+ *   3. Weekly report narrative generation
+ *   4. Incident triage and severity classification
+ *
+ * Design principles:
+ *   - Batch processing: aggregate events, analyze in bulk (not per-event)
+ *   - Aggressive caching: file-based cache with TTLs per analysis type
+ *   - Graceful degradation: returns null if no API key or no consent
+ *   - Cost target: <$1/month at typical usage (~$0.40/month estimated)
+ *   - Zero network by default: only calls API when LLM is explicitly enabled
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadCache = loadCache;
+exports.saveCache = saveCache;
+exports.cacheKey = cacheKey;
+exports.getCached = getCached;
+exports.callHaiku = callHaiku;
+exports.checkLlmAvailable = checkLlmAvailable;
+exports.suggestPolicy = suggestPolicy;
+exports.explainAnomaly = explainAnomaly;
+exports.generateNarrative = generateNarrative;
+exports.triageIncident = triageIncident;
+exports.getCacheStats = getCacheStats;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const types_js_1 = require("./types.js");
+const events_js_1 = require("./events.js");
+const signing_js_1 = require("./signing.js");
+const llm_backend_js_1 = require("./llm-backend.js");
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const MODEL = 'claude-haiku-4-5-20251001';
+const API_URL = 'https://api.anthropic.com/v1/messages';
+const API_VERSION = '2023-06-01';
+const REQUEST_TIMEOUT_MS = 15_000;
+// Max tokens per analysis type (minimize cost)
+const MAX_TOKENS = {
+    'policy-suggestion': 500,
+    'anomaly-explanation': 200,
+    'report-narrative': 400,
+    'incident-triage': 300,
+};
+// ---------------------------------------------------------------------------
+// Cache management
+// ---------------------------------------------------------------------------
+function getCachePath() {
+    return (0, node_path_1.join)((0, events_js_1.getShieldDir)(), types_js_1.SHIELD_LLM_CACHE_FILE);
+}
+/** Load the LLM response cache from disk. Verifies signature integrity first. */
+function loadCache() {
+    const cachePath = getCachePath();
+    if (!(0, node_fs_1.existsSync)(cachePath)) {
+        return { version: 1, entries: [] };
+    }
+    // Verify cache file integrity before loading
+    const integrity = (0, signing_js_1.verifyArtifact)(cachePath);
+    if (!integrity.valid) {
+        // Cache has been tampered with -- return empty cache
+        return { version: 1, entries: [] };
+    }
+    try {
+        const raw = (0, node_fs_1.readFileSync)(cachePath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed.version !== 1)
+            return { version: 1, entries: [] };
+        return parsed;
+    }
+    catch {
+        return { version: 1, entries: [] };
+    }
+}
+/** Save the cache to disk, pruning expired entries. Re-signs the cache file. */
+function saveCache(cache) {
+    const now = Date.now();
+    // Prune expired entries before saving
+    cache.entries = cache.entries.filter(entry => {
+        const created = new Date(entry.createdAt).getTime();
+        return now - created < entry.ttlMs;
+    });
+    // Cap at 200 entries to prevent unbounded growth
+    if (cache.entries.length > 200) {
+        cache.entries = cache.entries.slice(-200);
+    }
+    try {
+        (0, node_fs_1.writeFileSync)(getCachePath(), JSON.stringify(cache, null, 2), { mode: 0o600 });
+        // Re-sign the cache file after writing
+        const sig = (0, signing_js_1.signArtifact)(getCachePath());
+        const store = (0, signing_js_1.loadSignatures)() ?? { version: 1, signatures: [], updatedAt: '' };
+        // Replace existing signature for this file or add new one
+        const idx = store.signatures.findIndex(s => s.filePath === sig.filePath);
+        if (idx >= 0) {
+            store.signatures[idx] = sig;
+        }
+        else {
+            store.signatures.push(sig);
+        }
+        store.updatedAt = new Date().toISOString();
+        (0, signing_js_1.saveSignatures)(store);
+    }
+    catch {
+        // Best effort
+    }
+}
+/** Compute a cache key from input data. */
+function cacheKey(analysisType, input) {
+    return (0, node_crypto_1.createHash)('sha256').update(`${analysisType}:${input}`).digest('hex').slice(0, 32);
+}
+/** Look up a cached result. Returns null if not found or expired. */
+function getCached(cache, key) {
+    const now = Date.now();
+    const entry = cache.entries.find(e => e.key === key);
+    if (!entry)
+        return null;
+    const created = new Date(entry.createdAt).getTime();
+    if (now - created >= entry.ttlMs)
+        return null;
+    return entry;
+}
+function getTtl(analysisType) {
+    switch (analysisType) {
+        case 'policy-suggestion': return types_js_1.LLM_CACHE_TTL_POLICY;
+        case 'anomaly-explanation': return types_js_1.LLM_CACHE_TTL_ANOMALY;
+        case 'report-narrative': return types_js_1.LLM_CACHE_TTL_NARRATIVE;
+        case 'incident-triage': return types_js_1.LLM_CACHE_TTL_TRIAGE;
+    }
+}
+/**
+ * Make a single API call to Claude Haiku.
+ * Returns the text response and token usage, or null on failure.
+ */
+async function callHaiku(systemPrompt, userPrompt, maxTokens, apiKey) {
+    try {
+        const response = await fetch(API_URL, {
+            method: 'POST',
+            headers: {
+                'x-api-key': apiKey,
+                'anthropic-version': API_VERSION,
+                'content-type': 'application/json',
+            },
+            body: JSON.stringify({
+                model: MODEL,
+                max_tokens: maxTokens,
+                system: systemPrompt,
+                messages: [{ role: 'user', content: userPrompt }],
+            }),
+            signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+        });
+        if (!response.ok)
+            return null;
+        const data = (await response.json());
+        const text = data.content?.[0]?.text;
+        if (!text)
+            return null;
+        return {
+            text,
+            inputTokens: data.usage?.input_tokens ?? 0,
+            outputTokens: data.usage?.output_tokens ?? 0,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Consent & availability check
+// ---------------------------------------------------------------------------
+/**
+ * Check if LLM intelligence is available.
+ *
+ * Priority:
+ *   1. Claude Code CLI (zero-config, no API key needed)
+ *   2. Anthropic API (requires ANTHROPIC_API_KEY + consent)
+ *   3. None
+ *
+ * Returns the detected backend and optional API key.
+ */
+async function checkLlmAvailable() {
+    return (0, llm_backend_js_1.detectBackend)();
+}
+// ---------------------------------------------------------------------------
+// 1. Policy Suggestion
+// ---------------------------------------------------------------------------
+const POLICY_SYSTEM_PROMPT = `You are a security policy advisor for AI coding agents. Analyze the observed agent behavior and recommend a security policy.
+Respond with ONLY a JSON object matching this schema:
+{
+  "rules": {
+    "processes": { "allow": ["list of safe commands"], "deny": ["list of dangerous commands"] },
+    "credentials": { "allow": [], "deny": ["patterns that should be blocked"] },
+    "filesystem": { "allow": ["safe paths"], "deny": ["sensitive paths"] },
+    "network": { "allow": [], "deny": [] }
+  },
+  "reasoning": "1-2 sentence explanation",
+  "confidence": 0.85
+}
+Focus on the most impactful rules. Keep allow/deny lists concise (max 15 items each).
+Only include rules where you have strong evidence from the observed behavior.`;
+/**
+ * Analyze observed agent behavior and suggest a security policy.
+ *
+ * Input: summarized event data (not raw events -- pre-aggregated to save tokens).
+ */
+async function suggestPolicy(agent, behaviorSummary) {
+    const { backend } = await checkLlmAvailable();
+    if (backend === 'none')
+        return null;
+    // Build cache key from behavior summary
+    const summaryKey = JSON.stringify({
+        agent,
+        actions: behaviorSummary.totalActions,
+        sessions: behaviorSummary.totalSessions,
+        procs: behaviorSummary.topProcesses.map(p => p.name).sort(),
+    });
+    const key = cacheKey('policy-suggestion', summaryKey);
+    // Check cache
+    const cache = loadCache();
+    const cached = getCached(cache, key);
+    if (cached)
+        return cached.result;
+    // Build prompt
+    const userPrompt = `Agent: ${agent}
+Observed over ${behaviorSummary.totalSessions} sessions, ${behaviorSummary.totalActions} total actions.
+Top processes spawned:
+${behaviorSummary.topProcesses.slice(0, 20).map(p => `  ${p.name} (${p.count}x)`).join('\n')}
+Credential access patterns:
+${behaviorSummary.topCredentials.slice(0, 10).map(c => `  ${c.name} (${c.count}x)`).join('\n') || '  (none observed)'}
+Filesystem paths accessed:
+${behaviorSummary.topFilePaths.slice(0, 15).map(f => `  ${f.path} (${f.count}x)`).join('\n') || '  (none observed)'}
+Network connections:
+${behaviorSummary.topNetworkHosts.slice(0, 10).map(n => `  ${n.host} (${n.count}x)`).join('\n') || '  (none observed)'}
+Generate a security policy that allows the observed safe behavior and blocks potentially dangerous actions.`;
+    const result = await (0, llm_backend_js_1.callLlm)(POLICY_SYSTEM_PROMPT, userPrompt, MAX_TOKENS['policy-suggestion']);
+    if (!result)
+        return null;
+    try {
+        const parsed = JSON.parse(result.text);
+        const suggestion = {
+            agent,
+            rules: parsed.rules ?? {},
+            reasoning: parsed.reasoning ?? '',
+            confidence: Math.max(0, Math.min(1, parsed.confidence ?? 0.5)),
+            basedOnActions: behaviorSummary.totalActions,
+            basedOnSessions: behaviorSummary.totalSessions,
+        };
+        // Cache the result
+        cache.entries.push({
+            key,
+            analysisType: 'policy-suggestion',
+            result: suggestion,
+            createdAt: new Date().toISOString(),
+            ttlMs: getTtl('policy-suggestion'),
+            inputTokens: result.inputTokens,
+            outputTokens: result.outputTokens,
+        });
+        saveCache(cache);
+        return suggestion;
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// 2. Anomaly Explanation
+// ---------------------------------------------------------------------------
+const ANOMALY_SYSTEM_PROMPT = `You are a security analyst reviewing AI agent actions on a developer workstation. Explain why the flagged action is anomalous and assess its risk.
+Respond with ONLY a JSON object:
+{
+  "severity": "info|low|medium|high|critical",
+  "explanation": "1-2 sentence explanation of why this is anomalous",
+  "riskFactors": ["factor1", "factor2"],
+  "suggestedAction": "ignore|investigate|block"
+}
+Be concise. Focus on actual risk, not theoretical concerns.`;
+/**
+ * Explain why a specific event or action is anomalous.
+ *
+ * Designed for batch use: call with a few flagged events, not every event.
+ */
+async function explainAnomaly(event, context) {
+    const { backend } = await checkLlmAvailable();
+    if (backend === 'none')
+        return null;
+    const key = cacheKey('anomaly-explanation', `${event.id}:${event.action}:${event.target}`);
+    const cache = loadCache();
+    const cached = getCached(cache, key);
+    if (cached)
+        return cached.result;
+    const userPrompt = `Agent "${context.agentName}" performed an action that may be anomalous.
+Action: ${event.action}
+Target: ${event.target}
+Category: ${event.category}
+Source: ${event.source}
+First time: ${context.isFirstOccurrence ? 'yes' : 'no'}
+Normal behavior for this agent:
+${context.normalActions.slice(0, 10).map(a => `  - ${a}`).join('\n')}
+Assess this action.`;
+    const result = await (0, llm_backend_js_1.callLlm)(ANOMALY_SYSTEM_PROMPT, userPrompt, MAX_TOKENS['anomaly-explanation']);
+    if (!result)
+        return null;
+    try {
+        const parsed = JSON.parse(result.text);
+        const explanation = {
+            eventId: event.id,
+            severity: parsed.severity ?? event.severity,
+            explanation: parsed.explanation ?? '',
+            riskFactors: parsed.riskFactors ?? [],
+            suggestedAction: parsed.suggestedAction ?? 'investigate',
+        };
+        cache.entries.push({
+            key,
+            analysisType: 'anomaly-explanation',
+            result: explanation,
+            createdAt: new Date().toISOString(),
+            ttlMs: getTtl('anomaly-explanation'),
+            inputTokens: result.inputTokens,
+            outputTokens: result.outputTokens,
+        });
+        saveCache(cache);
+        return explanation;
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// 3. Report Narrative
+// ---------------------------------------------------------------------------
+const NARRATIVE_SYSTEM_PROMPT = `You are a security report writer for AI agent workstation security. Generate a concise, actionable narrative for a weekly security report.
+Respond with ONLY a JSON object:
+{
+  "summary": "2-3 sentence overall summary",
+  "highlights": ["positive finding 1", "positive finding 2"],
+  "concerns": ["concern 1", "concern 2"],
+  "recommendations": ["actionable recommendation 1", "actionable recommendation 2"]
+}
+Use clear, non-alarmist language. Focus on actionable insights. Max 3 items per array.`;
+/**
+ * Generate a human-readable narrative for a weekly report.
+ *
+ * Input: pre-computed report metrics (not raw events).
+ */
+async function generateNarrative(report) {
+    const { backend } = await checkLlmAvailable();
+    if (backend === 'none')
+        return null;
+    const key = cacheKey('report-narrative', `${report.periodStart}:${report.periodEnd}`);
+    const cache = loadCache();
+    const cached = getCached(cache, key);
+    if (cached)
+        return cached.result;
+    const userPrompt = `Weekly Security Report (${report.periodStart.slice(0, 10)} to ${report.periodEnd.slice(0, 10)})
+Agent Activity:
+  Total sessions: ${report.agentActivity.totalSessions}
+  Total actions: ${report.agentActivity.totalActions}
+  Agents: ${Object.keys(report.agentActivity.byAgent).join(', ') || 'none'}
+Policy Evaluation:
+  Monitored: ${report.policyEvaluation.monitored}
+  Would block: ${report.policyEvaluation.wouldBlock}
+  Blocked: ${report.policyEvaluation.blocked}
+  Top violations: ${report.policyEvaluation.topViolations.slice(0, 3).map(v => `${v.action} (${v.count}x, ${v.severity})`).join(', ') || 'none'}
+Credential Exposure:
+  Access attempts: ${report.credentialExposure.accessAttempts}
+  Unique credentials: ${report.credentialExposure.uniqueCredentials}
+  Providers: ${Object.entries(report.credentialExposure.byProvider).map(([k, v]) => `${k}: ${v}`).join(', ') || 'none'}
+Supply Chain:
+  Packages installed: ${report.supplyChain.packagesInstalled}
+  Advisories: ${report.supplyChain.advisoriesFound}
+  Blocked installs: ${report.supplyChain.blockedInstalls}
+Config Integrity: ${report.configIntegrity.signatureStatus}
+  Tampered files: ${report.configIntegrity.tamperedFiles.length}
+Posture Score: ${report.posture.score}/100 (${report.posture.grade})
+Trend: ${report.posture.trend ?? 'first report'}
+Generate a weekly narrative.`;
+    const result = await (0, llm_backend_js_1.callLlm)(NARRATIVE_SYSTEM_PROMPT, userPrompt, MAX_TOKENS['report-narrative']);
+    if (!result)
+        return null;
+    try {
+        const parsed = JSON.parse(result.text);
+        const narrative = {
+            summary: parsed.summary ?? '',
+            highlights: parsed.highlights ?? [],
+            concerns: parsed.concerns ?? [],
+            recommendations: parsed.recommendations ?? [],
+        };
+        cache.entries.push({
+            key,
+            analysisType: 'report-narrative',
+            result: narrative,
+            createdAt: new Date().toISOString(),
+            ttlMs: getTtl('report-narrative'),
+            inputTokens: result.inputTokens,
+            outputTokens: result.outputTokens,
+        });
+        saveCache(cache);
+        return narrative;
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// 4. Incident Triage
+// ---------------------------------------------------------------------------
+const TRIAGE_SYSTEM_PROMPT = `You are a security incident analyst for AI agent workstation security. Classify the incident severity and recommend response steps.
+Respond with ONLY a JSON object:
+{
+  "classification": "false-positive|suspicious|confirmed-threat",
+  "severity": "info|low|medium|high|critical",
+  "explanation": "1-2 sentence classification rationale",
+  "responseSteps": ["step 1", "step 2"]
+}
+Be precise. Only classify as "confirmed-threat" if there is clear evidence of malicious intent. Max 4 response steps.`;
+/**
+ * Triage a batch of related events as a potential incident.
+ *
+ * Input: a small batch of related high-severity events.
+ */
+async function triageIncident(events, context) {
+    const { backend } = await checkLlmAvailable();
+    if (backend === 'none')
+        return null;
+    const eventIds = events.map(e => e.id);
+    const key = cacheKey('incident-triage', eventIds.sort().join(':'));
+    const cache = loadCache();
+    const cached = getCached(cache, key);
+    if (cached)
+        return cached.result;
+    const eventSummary = events.slice(0, 10).map(e => `  [${e.severity}] ${e.action} -> ${e.target} (${e.outcome})`).join('\n');
+    const userPrompt = `Incident triage for agent "${context.agentName}" (policy mode: ${context.policyMode})
+Events (${events.length} total):
+${eventSummary}
+Known-safe baseline actions:
+${context.recentBaseline.slice(0, 10).map(a => `  - ${a}`).join('\n') || '  (no baseline established)'}
+Classify this incident.`;
+    const result = await (0, llm_backend_js_1.callLlm)(TRIAGE_SYSTEM_PROMPT, userPrompt, MAX_TOKENS['incident-triage']);
+    if (!result)
+        return null;
+    try {
+        const parsed = JSON.parse(result.text);
+        const triage = {
+            eventIds,
+            classification: parsed.classification ?? 'suspicious',
+            severity: parsed.severity ?? 'medium',
+            explanation: parsed.explanation ?? '',
+            responseSteps: parsed.responseSteps ?? [],
+        };
+        cache.entries.push({
+            key,
+            analysisType: 'incident-triage',
+            result: triage,
+            createdAt: new Date().toISOString(),
+            ttlMs: getTtl('incident-triage'),
+            inputTokens: result.inputTokens,
+            outputTokens: result.outputTokens,
+        });
+        saveCache(cache);
+        return triage;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Compute cache statistics for diagnostics.
+ *
+ * Estimated cost uses Haiku pricing:
+ *   Input: $0.80 per million tokens
+ *   Output: $4.00 per million tokens
+ */
+function getCacheStats() {
+    const cache = loadCache();
+    const now = Date.now();
+    let totalInput = 0;
+    let totalOutput = 0;
+    let validCount = 0;
+    const byType = {
+        'policy-suggestion': 0,
+        'anomaly-explanation': 0,
+        'report-narrative': 0,
+        'incident-triage': 0,
+    };
+    for (const entry of cache.entries) {
+        const created = new Date(entry.createdAt).getTime();
+        const isValid = now - created < entry.ttlMs;
+        if (isValid)
+            validCount++;
+        totalInput += entry.inputTokens;
+        totalOutput += entry.outputTokens;
+        byType[entry.analysisType] = (byType[entry.analysisType] ?? 0) + 1;
+    }
+    // Haiku pricing: $0.80/M input, $4.00/M output
+    const costInput = (totalInput / 1_000_000) * 0.80;
+    const costOutput = (totalOutput / 1_000_000) * 4.00;
+    return {
+        totalEntries: cache.entries.length,
+        validEntries: validCount,
+        totalInputTokens: totalInput,
+        totalOutputTokens: totalOutput,
+        estimatedCostUsd: Math.round((costInput + costOutput) * 10000) / 10000,
+        byType,
+    };
+}
+//# sourceMappingURL=llm.js.map

package/dist/shield/llm.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"llm.js","sourceRoot":"","sources":["../../src/shield/llm.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;AA4DH,8BAqBC;AAGD,8BA4BC;AAGD,4BAEC;AAGD,8BAUC;AAwBD,8BAqCC;AAgBD,8CAEC;AA4BD,sCAqFC;AAuBD,wCAoEC;AAuBD,8CA2EC;AAuBD,wCAsEC;AAsBD,sCAoCC;AAppBD,6CAAyC;AACzC,qCAAkE;AAClE,yCAAiC;AAkBjC,yCAMoB;AAEpB,2CAA2C;AAC3C,6CAA4F;AAC5F,qDAA0D;AAE1D,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,KAAK,GAAG,2BAA2B,CAAC;AAC1C,MAAM,OAAO,GAAG,uCAAuC,CAAC;AACxD,MAAM,WAAW,GAAG,YAAY,CAAC;AACjC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,+CAA+C;AAC/C,MAAM,UAAU,GAAoC;IAClD,mBAAmB,EAAE,GAAG;IACxB,qBAAqB,EAAE,GAAG;IAC1B,kBAAkB,EAAE,GAAG;IACvB,iBAAiB,EAAE,GAAG;CACvB,CAAC;AAEF,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,YAAY;IACnB,OAAO,IAAA,gBAAI,EAAC,IAAA,wBAAY,GAAE,EAAE,gCAAqB,CAAC,CAAC;AACrD,CAAC;AAED,iFAAiF;AACjF,SAAgB,SAAS;IACvB,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,IAAI,CAAC,IAAA,oBAAU,EAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrC,CAAC;IAED,6CAA6C;IAC7C,MAAM,SAAS,GAAG,IAAA,2BAAc,EAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACrB,qDAAqD;QACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;QAC3C,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7D,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrC,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,SAAgB,SAAS,CAAC,KAAe;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,sCAAsC;IACtC,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;QAC3C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QACpD,OAAO,GAAG,GAAG,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC;IACrC,CAAC,CAAC,CAAC;IACH,iDAAiD;IACjD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC/B,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,CAAC;QACH,IAAA,uBAAa,EAAC,YAAY,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/E,uCAAuC;QACvC,MAAM,GAAG,GAAG,IAAA,yBAAY,EAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,IAAA,2BAAc,GAAE,IAAI,EAAE,OAAO,EAAE,CAAU,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QACzF,0DAA0D;QAC1D,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzE,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;YACb,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC;QACD,KAAK,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,IAAA,2BAAc,EAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,2CAA2C;AAC3C,SAAgB,QAAQ,CAAC,YAA6B,EAAE,KAAa;IACnE,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,YAAY,IAAI,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED,qEAAqE;AACrE,SAAgB,SAAS,CACvB,KAAe,EACf,GAAW;IAEX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;IACrD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;IACpD,IAAI,GAAG,GAAG,OAAO,IAAI,KAAK,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,MAAM,CAAC,YAA6B;IAC3C,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,mBAAmB,CAAC,CAAC,OAAO,+BAAoB,CAAC;QACtD,KAAK,qBAAqB,CAAC,CAAC,OAAO,gCAAqB,CAAC;QACzD,KAAK,kBAAkB,CAAC,CAAC,OAAO,kCAAuB,CAAC;QACxD,KAAK,iBAAiB,CAAC,CAAC,OAAO,+BAAoB,CAAC;IACtD,CAAC;AACH,CAAC;AAWD;;;GAGG;AACI,KAAK,UAAU,SAAS,CAC7B,YAAoB,EACpB,UAAkB,EAClB,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,WAAW,EAAE,MAAM;gBACnB,mBAAmB,EAAE,WAAW;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;aAClD,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,kBAAkB,CAAC;SAChD,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAC;QACpD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC;QACrC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,OAAO;YACL,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,KAAK,EAAE,YAAY,IAAI,CAAC;YAC1C,YAAY,EAAE,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,CAAC;SAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E;;;;;;;;;GASG;AACI,KAAK,UAAU,iBAAiB;IACrC,OAAO,IAAA,8BAAa,GAAE,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;8EAeiD,CAAC;AAE/E;;;;GAIG;AACI,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,eAOC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC9C,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEpC,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,KAAK;QACL,OAAO,EAAE,eAAe,CAAC,YAAY;QACrC,QAAQ,EAAE,eAAe,CAAC,aAAa;QACvC,KAAK,EAAE,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;KAC5D,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,QAAQ,CAAC,mBAAmB,EAAE,UAAU,CAAC,CAAC;IAEtD,cAAc;IACd,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAA0B,CAAC;IAErD,eAAe;IACf,MAAM,UAAU,GAAG,UAAU,KAAK;gBACpB,eAAe,CAAC,aAAa,cAAc,eAAe,CAAC,YAAY;;;EAGrF,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;EAG1F,eAAe,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,mBAAmB;;;EAGnH,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,mBAAmB;;;EAGjH,eAAe,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,mBAAmB;;4GAEV,CAAC;IAE3G,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAO,EAC1B,oBAAoB,EACpB,UAAU,EACV,UAAU,CAAC,mBAAmB,CAAC,CAChC,CAAC;IACF,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAIpC,CAAC;QAEF,MAAM,UAAU,GAAqB;YACnC,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE;YACjC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC;YAC9D,cAAc,EAAE,eAAe,CAAC,YAAY;YAC5C,eAAe,EAAE,eAAe,CAAC,aAAa;SAC/C,CAAC;QAEF,mBAAmB;QACnB,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,GAAG;YACH,YAAY,EAAE,mBAAmB;YACjC,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM,CAAC,mBAAmB,CAAC;YAClC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,SAAS,CAAC,KAAK,CAAC,CAAC;QAEjB,OAAO,UAAU,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,MAAM,qBAAqB,GAAG;;;;;;;;;;4DAU8B,CAAC;AAE7D;;;;GAIG;AACI,KAAK,UAAU,cAAc,CAClC,KAAkB,EAClB,OAIC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC9C,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,GAAG,GAAG,QAAQ,CAAC,qBAAqB,EAAE,GAAG,KAAK,CAAC,EAAE,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3F,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAA4B,CAAC;IAEvD,MAAM,UAAU,GAAG,UAAU,OAAO,CAAC,SAAS;;UAEtC,KAAK,CAAC,MAAM;UACZ,KAAK,CAAC,MAAM;YACV,KAAK,CAAC,QAAQ;UAChB,KAAK,CAAC,MAAM;cACR,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;;;EAGpD,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;oBAEhD,CAAC;IAEnB,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAO,EAC1B,qBAAqB,EACrB,UAAU,EACV,UAAU,CAAC,qBAAqB,CAAC,CAClC,CAAC;IACF,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAKpC,CAAC;QAEF,MAAM,WAAW,GAAuB;YACtC,OAAO,EAAE,KAAK,CAAC,EAAE;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ;YAC3C,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE;YACrC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE;YACrC,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,aAAa;SACzD,CAAC;QAEF,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,GAAG;YACH,YAAY,EAAE,qBAAqB;YACnC,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM,CAAC,qBAAqB,CAAC;YACpC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,SAAS,CAAC,KAAK,CAAC,CAAC;QAEjB,OAAO,WAAW,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,uBAAuB,GAAG;;;;;;;;;;uFAUuD,CAAC;AAExF;;;;GAIG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAoB;IAEpB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC9C,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,GAAG,GAAG,QAAQ,CAAC,kBAAkB,EAAE,GAAG,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAEtF,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAAyB,CAAC;IAEpD,MAAM,UAAU,GAAG,2BAA2B,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;;;oBAG/F,MAAM,CAAC,aAAa,CAAC,aAAa;mBACnC,MAAM,CAAC,aAAa,CAAC,YAAY;YACxC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;;;eAG3D,MAAM,CAAC,gBAAgB,CAAC,SAAS;iBAC/B,MAAM,CAAC,gBAAgB,CAAC,UAAU;aACtC,MAAM,CAAC,gBAAgB,CAAC,OAAO;oBACxB,MAAM,CAAC,gBAAgB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;;;qBAG1H,MAAM,CAAC,kBAAkB,CAAC,cAAc;wBACrC,MAAM,CAAC,kBAAkB,CAAC,iBAAiB;eACpD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;;;wBAG9F,MAAM,CAAC,WAAW,CAAC,iBAAiB;gBAC5C,MAAM,CAAC,WAAW,CAAC,eAAe;sBAC5B,MAAM,CAAC,WAAW,CAAC,eAAe;;oBAEpC,MAAM,CAAC,eAAe,CAAC,eAAe;oBACtC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,MAAM;;iBAE9C,MAAM,CAAC,OAAO,CAAC,KAAK,SAAS,MAAM,CAAC,OAAO,CAAC,KAAK;SACzD,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,cAAc;;6BAElB,CAAC;IAE5B,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAO,EAC1B,uBAAuB,EACvB,UAAU,EACV,UAAU,CAAC,kBAAkB,CAAC,CAC/B,CAAC;IACF,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAoB,CAAC;QAE1D,MAAM,SAAS,GAAoB;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,EAAE;YACnC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;YAC/B,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,EAAE;SAC9C,CAAC;QAEF,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,GAAG;YACH,YAAY,EAAE,kBAAkB;YAChC,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM,CAAC,kBAAkB,CAAC;YACjC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,SAAS,CAAC,KAAK,CAAC,CAAC;QAEjB,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,oBAAoB,GAAG;;;;;;;;;;sHAUyF,CAAC;AAEvH;;;;GAIG;AACI,KAAK,UAAU,cAAc,CAClC,MAAqB,EACrB,OAIC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC9C,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,QAAQ,CAAC,iBAAiB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAEnE,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,MAAwB,CAAC;IAEnD,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAC/C,MAAM,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,OAAO,GAAG,CAC9D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,MAAM,UAAU,GAAG,8BAA8B,OAAO,CAAC,SAAS,mBAAmB,OAAO,CAAC,UAAU;;UAE/F,MAAM,CAAC,MAAM;EACrB,YAAY;;;EAGZ,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,6BAA6B;;wBAE9E,CAAC;IAEvB,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAO,EAC1B,oBAAoB,EACpB,UAAU,EACV,UAAU,CAAC,iBAAiB,CAAC,CAC9B,CAAC;IACF,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAKpC,CAAC;QAEF,MAAM,MAAM,GAAmB;YAC7B,QAAQ;YACR,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,YAAY;YACrD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;YACrC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE;YACrC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC1C,CAAC;QAEF,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,GAAG;YACH,YAAY,EAAE,iBAAiB;YAC/B,MAAM,EAAE,MAAM;YACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM,CAAC,iBAAiB,CAAC;YAChC,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,SAAS,CAAC,KAAK,CAAC,CAAC;QAEjB,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAeD;;;;;;GAMG;AACH,SAAgB,aAAa;IAC3B,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,MAAM,MAAM,GAAoC;QAC9C,mBAAmB,EAAE,CAAC;QACtB,qBAAqB,EAAE,CAAC;QACxB,kBAAkB,EAAE,CAAC;QACrB,iBAAiB,EAAE,CAAC;KACrB,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QACpD,MAAM,OAAO,GAAG,GAAG,GAAG,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC;QAC5C,IAAI,OAAO;YAAE,UAAU,EAAE,CAAC;QAE1B,UAAU,IAAI,KAAK,CAAC,WAAW,CAAC;QAChC,WAAW,IAAI,KAAK,CAAC,YAAY,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrE,CAAC;IAED,+CAA+C;IAC/C,MAAM,SAAS,GAAG,CAAC,UAAU,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC;IAClD,MAAM,UAAU,GAAG,CAAC,WAAW,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC;IAEpD,OAAO;QACL,YAAY,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM;QAClC,YAAY,EAAE,UAAU;QACxB,gBAAgB,EAAE,UAAU;QAC5B,iBAAiB,EAAE,WAAW;QAC9B,gBAAgB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,UAAU,CAAC,GAAG,KAAK,CAAC,GAAG,KAAK;QACtE,MAAM;KACP,CAAC;AACJ,CAAC"}

package/dist/shield/policy.d.ts ADDED Viewed

@@ -0,0 +1,70 @@
+/**
+ * Shield: Policy loading, evaluation, and default generation.
+ *
+ * Loads YAML-formatted policies (stored as JSON with .yaml extension),
+ * evaluates actions against allow/deny rules, and generates default
+ * policies from environment scans.
+ */
+import type { ShieldPolicy, PolicyRules, PolicyDecision, PolicyMode, EnvironmentScan } from './types.js';
+/**
+ * Glob-like pattern matching.
+ *
+ * Supports:
+ *   - `*` matches any sequence of characters
+ *   - Exact string match
+ *   - Path prefix matching: pattern ending with `/` matches anything under
+ *     that path (e.g. `~/.ssh/` matches `~/.ssh/id_rsa`)
+ */
+export declare function matchesPattern(value: string, pattern: string): boolean;
+/** Return sensible default policy rules for a developer workstation. */
+export declare function getDefaultPolicyRules(): PolicyRules;
+/** Create a default policy with standard rules and no agent-specific overrides. */
+export declare function createDefaultPolicy(mode?: PolicyMode): ShieldPolicy;
+/**
+ * Generate a policy tailored to the scanned environment.
+ * Detected CLIs are added to the process deny list. Detected MCP servers
+ * are added to the mcpServers allow list. Project-type-appropriate tools
+ * are added to the process allow list. Mode is set to 'adaptive'.
+ */
+export declare function generatePolicyFromScan(scan: EnvironmentScan): ShieldPolicy;
+/**
+ * Load a shield policy from disk.
+ *
+ * Checks the user-level policy file at `~/.opena2a/shield/policy.yaml`.
+ * The file is stored as JSON despite the .yaml extension (simplest approach
+ * since we control the format).
+ *
+ * Returns null if no policy file exists or it cannot be parsed.
+ */
+export declare function loadPolicy(targetDir?: string): ShieldPolicy | null;
+/**
+ * Write a policy to disk as JSON with restrictive permissions (0o600).
+ * Creates parent directories if they do not exist.
+ */
+export declare function savePolicy(policy: ShieldPolicy, path: string): void;
+/**
+ * Load the cached policy. Returns null if the cache does not exist or
+ * if the policy file has been modified more recently than the cache.
+ */
+export declare function loadPolicyCache(): ShieldPolicy | null;
+/** Save a policy to the cache file with restrictive permissions. */
+export declare function savePolicyCache(policy: ShieldPolicy): void;
+/**
+ * Evaluate an action against the policy.
+ *
+ * Resolution order:
+ *   1. Agent-specific rules are merged over default rules if the agent
+ *      has overrides defined.
+ *   2. Deny rules are checked first -- deny takes precedence over allow.
+ *   3. In adaptive/monitor mode, denied actions are logged but not blocked
+ *      (outcome='monitored'). In enforce mode, they are blocked
+ *      (outcome='blocked').
+ *   4. If no rule matches, the action is implicitly allowed.
+ *
+ * @param policy  - The loaded shield policy.
+ * @param agent   - Agent identifier (or null for unknown agents).
+ * @param category - The action or category string (e.g. 'process.spawn' or 'processes').
+ * @param target  - The target of the action (e.g. binary name, file path, hostname).
+ */
+export declare function evaluatePolicy(policy: ShieldPolicy, agent: string | null, category: string, target: string): PolicyDecision;
+//# sourceMappingURL=policy.d.ts.map

package/dist/shield/policy.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/shield/policy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EACV,YAAY,EACZ,WAAW,EACX,cAAc,EACd,UAAU,EACV,eAAe,EAChB,MAAM,YAAY,CAAC;AA6BpB;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CA4BtE;AAMD,wEAAwE;AACxE,wBAAgB,qBAAqB,IAAI,WAAW,CA8BnD;AAMD,mFAAmF;AACnF,wBAAgB,mBAAmB,CAAC,IAAI,GAAE,UAAuB,GAAG,YAAY,CAO/E;AAaD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,eAAe,GAAG,YAAY,CAmC1E;AAMD;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CA0BlE;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAMnE;AAgBD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,YAAY,GAAG,IAAI,CA0BrD;AAED,oEAAoE;AACpE,wBAAgB,eAAe,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAO1D;AAgDD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,YAAY,EACpB,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,GACb,cAAc,CAkFhB"}