opena2a-cli 0.1.1 → 0.2.0

package/dist/shield/detect.js

@@ -0,0 +1,402 @@
+"use strict";
+/**
+ * Shield environment detection.
+ *
+ * Scans the developer workstation for CLIs, AI coding assistants,
+ * MCP server configurations, and active OAuth sessions.  All detection
+ * is synchronous so the result can be used during CLI startup without
+ * awaiting promises.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectEnvironment = detectEnvironment;
+const node_fs_1 = require("node:fs");
+const node_child_process_1 = require("node:child_process");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const detect_js_1 = require("../util/detect.js");
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Run a command silently and return trimmed stdout, or null on failure. */
+function tryExec(cmd) {
+    try {
+        return (0, node_child_process_1.execSync)(cmd, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+/** Run a binary with args without shell interpretation (safe from injection). */
+function tryExecFile(binary, args) {
+    try {
+        return (0, node_child_process_1.execFileSync)(binary, args, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+/** Read a JSON file and return the parsed object, or null on failure. */
+function readJson(filePath) {
+    try {
+        if (!(0, node_fs_1.existsSync)(filePath))
+            return null;
+        const raw = (0, node_fs_1.readFileSync)(filePath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Return ISO-8601 mtime string for a file, or null if unreadable. */
+function fileMtime(filePath) {
+    try {
+        return (0, node_fs_1.statSync)(filePath).mtime.toISOString();
+    }
+    catch {
+        return null;
+    }
+}
+const CLI_SPECS = [
+    {
+        name: 'aws',
+        binary: 'aws',
+        versionFlag: '--version',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.aws'),
+        credentialFiles: ['credentials', 'sso/cache'],
+    },
+    {
+        name: 'az',
+        binary: 'az',
+        versionFlag: '--version',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.azure'),
+        credentialFiles: ['msal_token_cache.json', 'accessTokens.json'],
+    },
+    {
+        name: 'gcloud',
+        binary: 'gcloud',
+        versionFlag: '--version',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'gcloud'),
+        credentialFiles: ['application_default_credentials.json', 'credentials.db'],
+    },
+    {
+        name: 'vercel',
+        binary: 'vercel',
+        versionFlag: '--version',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.vercel'),
+        credentialFiles: ['auth.json'],
+    },
+    {
+        name: 'gh',
+        binary: 'gh',
+        versionFlag: '--version',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'gh'),
+        credentialFiles: ['hosts.yml'],
+    },
+    {
+        name: 'kubectl',
+        binary: 'kubectl',
+        versionFlag: 'version --client --short',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.kube'),
+        credentialFiles: ['config'],
+    },
+    {
+        name: 'terraform',
+        binary: 'terraform',
+        versionFlag: '--version',
+        configDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.terraform.d'),
+        credentialFiles: ['credentials.tfrc.json'],
+    },
+];
+function detectClis() {
+    const results = [];
+    for (const spec of CLI_SPECS) {
+        const binaryPath = tryExecFile('which', [spec.binary]);
+        if (!binaryPath)
+            continue;
+        // Extract version string -- take only the first line to keep it concise
+        let version = null;
+        const rawVersion = tryExecFile(spec.binary, spec.versionFlag.split(/\s+/));
+        if (rawVersion) {
+            version = rawVersion.split('\n')[0].trim();
+        }
+        const configDirExists = (0, node_fs_1.existsSync)(spec.configDir);
+        const hasCredentials = configDirExists && spec.credentialFiles.some(f => (0, node_fs_1.existsSync)((0, node_path_1.join)(spec.configDir, f)));
+        results.push({
+            name: spec.name,
+            path: binaryPath,
+            version,
+            configDir: configDirExists ? spec.configDir : null,
+            hasCredentials,
+        });
+    }
+    return results;
+}
+const ASSISTANT_SPECS = [
+    {
+        name: 'Claude Code',
+        envVars: ['CLAUDE_CODE'],
+        configDirs: [(0, node_path_1.join)((0, node_os_1.homedir)(), '.claude')],
+        processEnv: 'TERM_PROGRAM',
+    },
+    {
+        name: 'Cursor',
+        envVars: ['CURSOR'],
+        configDirs: [(0, node_path_1.join)((0, node_os_1.homedir)(), '.cursor')],
+    },
+    {
+        name: 'GitHub Copilot',
+        envVars: ['GITHUB_COPILOT'],
+        configDirs: [(0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'github-copilot')],
+    },
+    {
+        name: 'Windsurf',
+        envVars: [],
+        configDirs: [(0, node_path_1.join)((0, node_os_1.homedir)(), '.windsurf')],
+    },
+    {
+        name: 'Aider',
+        envVars: ['AIDER'],
+        configDirs: [],
+    },
+];
+function detectAssistants(targetDir) {
+    const results = [];
+    for (const spec of ASSISTANT_SPECS) {
+        let detected = false;
+        let method = 'config';
+        let detail = '';
+        const configPaths = [];
+        // Check process-level env (TERM_PROGRAM for Claude Code)
+        if (spec.name === 'Claude Code' && process.env['TERM_PROGRAM'] === 'claude') {
+            detected = true;
+            method = 'process';
+            detail = 'TERM_PROGRAM=claude';
+        }
+        // Check env vars
+        if (!detected) {
+            for (const envVar of spec.envVars) {
+                if (process.env[envVar]) {
+                    detected = true;
+                    method = 'env';
+                    detail = `${envVar} is set`;
+                    break;
+                }
+            }
+        }
+        // Check config directories
+        for (const dir of spec.configDirs) {
+            if ((0, node_fs_1.existsSync)(dir)) {
+                if (!detected) {
+                    detected = true;
+                    method = 'config';
+                    detail = `Config directory found: ${dir}`;
+                }
+                configPaths.push(dir);
+            }
+        }
+        // Aider: also check for .aider* files in the target directory
+        if (spec.name === 'Aider') {
+            const aiderConfFiles = ['.aider.conf.yml', '.aider.model.settings.yml', '.aider.input.history'];
+            for (const f of aiderConfFiles) {
+                const p = (0, node_path_1.join)(targetDir, f);
+                if ((0, node_fs_1.existsSync)(p)) {
+                    if (!detected) {
+                        detected = true;
+                        method = 'config';
+                        detail = `Aider config found: ${f}`;
+                    }
+                    configPaths.push(p);
+                }
+            }
+        }
+        if (detected) {
+            results.push({ name: spec.name, detected, method, detail, configPaths });
+        }
+    }
+    return results;
+}
+// ---------------------------------------------------------------------------
+// MCP server detection
+// ---------------------------------------------------------------------------
+/** Paths (relative to project and home) that may contain mcpServers config. */
+function mcpConfigPaths(targetDir) {
+    return [
+        { label: 'mcp.json', path: (0, node_path_1.join)(targetDir, 'mcp.json') },
+        { label: '.mcp.json', path: (0, node_path_1.join)(targetDir, '.mcp.json') },
+        { label: '.claude/settings.json', path: (0, node_path_1.join)(targetDir, '.claude', 'settings.json') },
+        { label: '.cursor/mcp.json', path: (0, node_path_1.join)(targetDir, '.cursor', 'mcp.json') },
+        { label: '~/.claude/settings.json', path: (0, node_path_1.join)((0, node_os_1.homedir)(), '.claude', 'settings.json') },
+    ];
+}
+/** Redact values that look like environment variable references or secrets. */
+function redactEnv(env) {
+    const redacted = {};
+    for (const [key, value] of Object.entries(env)) {
+        if (typeof value === 'string' && value.length > 0) {
+            redacted[key] = '[REDACTED]';
+        }
+        else {
+            redacted[key] = String(value ?? '');
+        }
+    }
+    return redacted;
+}
+function detectMcpServers(targetDir) {
+    const results = [];
+    const seen = new Set();
+    for (const { label, path: cfgPath } of mcpConfigPaths(targetDir)) {
+        const data = readJson(cfgPath);
+        if (!data)
+            continue;
+        const servers = data['mcpServers'];
+        if (!servers || typeof servers !== 'object')
+            continue;
+        for (const [name, raw] of Object.entries(servers)) {
+            // Deduplicate by server name per source file
+            const dedupeKey = `${label}:${name}`;
+            if (seen.has(dedupeKey))
+                continue;
+            seen.add(dedupeKey);
+            if (!raw || typeof raw !== 'object')
+                continue;
+            const entry = raw;
+            const command = typeof entry['command'] === 'string' ? entry['command'] : '';
+            const args = Array.isArray(entry['args'])
+                ? entry['args'].map(a => String(a))
+                : [];
+            const env = entry['env'] && typeof entry['env'] === 'object'
+                ? redactEnv(entry['env'])
+                : {};
+            results.push({
+                name,
+                source: label,
+                command,
+                args,
+                env,
+                tools: [], // Tool enumeration requires MCP handshake; left empty during static scan
+            });
+        }
+    }
+    return results;
+}
+function buildOAuthSpecs(detectedClis) {
+    const specs = [];
+    for (const cli of detectedClis) {
+        if (!cli.configDir)
+            continue;
+        switch (cli.name) {
+            case 'aws':
+                specs.push({
+                    provider: 'aws',
+                    configDir: cli.configDir,
+                    credentialFiles: ['credentials', 'sso/cache'],
+                });
+                break;
+            case 'az':
+                specs.push({
+                    provider: 'azure',
+                    configDir: cli.configDir,
+                    credentialFiles: ['msal_token_cache.json', 'accessTokens.json'],
+                });
+                break;
+            case 'gcloud':
+                specs.push({
+                    provider: 'gcp',
+                    configDir: cli.configDir,
+                    credentialFiles: ['application_default_credentials.json', 'credentials.db'],
+                });
+                break;
+            case 'gh':
+                specs.push({
+                    provider: 'github',
+                    configDir: cli.configDir,
+                    credentialFiles: ['hosts.yml'],
+                });
+                break;
+            case 'vercel':
+                specs.push({
+                    provider: 'vercel',
+                    configDir: cli.configDir,
+                    credentialFiles: ['auth.json'],
+                });
+                break;
+            case 'kubectl':
+                specs.push({
+                    provider: 'kubernetes',
+                    configDir: cli.configDir,
+                    credentialFiles: ['config'],
+                });
+                break;
+            case 'terraform':
+                specs.push({
+                    provider: 'terraform',
+                    configDir: cli.configDir,
+                    credentialFiles: ['credentials.tfrc.json'],
+                });
+                break;
+        }
+    }
+    return specs;
+}
+function detectOAuthSessions(detectedClis) {
+    const results = [];
+    const specs = buildOAuthSpecs(detectedClis);
+    for (const spec of specs) {
+        let hasActiveSession = false;
+        let latestMtime = null;
+        for (const credFile of spec.credentialFiles) {
+            const fullPath = (0, node_path_1.join)(spec.configDir, credFile);
+            if (!(0, node_fs_1.existsSync)(fullPath))
+                continue;
+            hasActiveSession = true;
+            const mtime = fileMtime(fullPath);
+            if (mtime && (!latestMtime || mtime > latestMtime)) {
+                latestMtime = mtime;
+            }
+        }
+        results.push({
+            provider: spec.provider,
+            configDir: spec.configDir,
+            hasActiveSession,
+            lastModified: latestMtime,
+            scopes: [], // Scope extraction would require parsing provider-specific token formats
+        });
+    }
+    return results;
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Scan the current developer workstation and project directory for
+ * CLIs, AI assistants, MCP servers, and OAuth sessions.
+ *
+ * @param targetDir - Directory to scan for project-level artifacts.
+ *                    Defaults to `process.cwd()`.
+ */
+function detectEnvironment(targetDir) {
+    const dir = (0, node_path_1.resolve)(targetDir ?? process.cwd());
+    // CLI detection
+    const clis = detectClis();
+    // Assistant detection
+    const assistants = detectAssistants(dir);
+    // MCP server detection
+    const mcpServers = detectMcpServers(dir);
+    // OAuth session detection (depends on detected CLIs)
+    const oauthSessions = detectOAuthSessions(clis);
+    // Project detection (reuse existing utility)
+    const project = (0, detect_js_1.detectProject)(dir);
+    return {
+        timestamp: new Date().toISOString(),
+        hostname: (0, node_os_1.hostname)(),
+        platform: (0, node_os_1.platform)(),
+        shell: process.env['SHELL'] ?? 'unknown',
+        clis,
+        assistants,
+        mcpServers,
+        oauthSessions,
+        projectType: project.type,
+        projectName: project.name,
+    };
+}
+//# sourceMappingURL=detect.js.map

package/dist/shield/detect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.js","sourceRoot":"","sources":["../../src/shield/detect.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AA2bH,8CA8BC;AAvdD,qCAA6D;AAC7D,2DAA4D;AAC5D,qCAAsD;AACtD,yCAA0C;AAW1C,iDAAkD;AAElD,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,4EAA4E;AAC5E,SAAS,OAAO,CAAC,GAAW;IAC1B,IAAI,CAAC;QACH,OAAO,IAAA,6BAAQ,EAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACtF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iFAAiF;AACjF,SAAS,WAAW,CAAC,MAAc,EAAE,IAAc;IACjD,IAAI,CAAC;QACH,OAAO,IAAA,iCAAY,EAAC,MAAM,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACnG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,SAAS,QAAQ,CAAC,QAAgB;IAChC,IAAI,CAAC;QACH,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,sEAAsE;AACtE,SAAS,SAAS,CAAC,QAAgB;IACjC,IAAI,CAAC;QACH,OAAO,IAAA,kBAAQ,EAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAcD,MAAM,SAAS,GAAc;IAC3B;QACE,IAAI,EAAE,KAAK;QACX,MAAM,EAAE,KAAK;QACb,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,MAAM,CAAC;QAClC,eAAe,EAAE,CAAC,aAAa,EAAE,WAAW,CAAC;KAC9C;IACD;QACE,IAAI,EAAE,IAAI;QACV,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,QAAQ,CAAC;QACpC,eAAe,EAAE,CAAC,uBAAuB,EAAE,mBAAmB,CAAC;KAChE;IACD;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,QAAQ,CAAC;QAC/C,eAAe,EAAE,CAAC,sCAAsC,EAAE,gBAAgB,CAAC;KAC5E;IACD;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC;QACrC,eAAe,EAAE,CAAC,WAAW,CAAC;KAC/B;IACD;QACE,IAAI,EAAE,IAAI;QACV,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,IAAI,CAAC;QAC3C,eAAe,EAAE,CAAC,WAAW,CAAC;KAC/B;IACD;QACE,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,SAAS;QACjB,WAAW,EAAE,0BAA0B;QACvC,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,OAAO,CAAC;QACnC,eAAe,EAAE,CAAC,QAAQ,CAAC;KAC5B;IACD;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,WAAW;QACnB,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,cAAc,CAAC;QAC1C,eAAe,EAAE,CAAC,uBAAuB,CAAC;KAC3C;CACF,CAAC;AAEF,SAAS,UAAU;IACjB,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,UAAU;YAAE,SAAS;QAE1B,wEAAwE;QACxE,IAAI,OAAO,GAAkB,IAAI,CAAC;QAClC,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3E,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,eAAe,GAAG,IAAA,oBAAU,EAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,cAAc,GAAG,eAAe,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACtE,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CACpC,CAAC;QAEF,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,UAAU;YAChB,OAAO;YACP,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;YAClD,cAAc;SACf,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAaD,MAAM,eAAe,GAAoB;IACvC;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,CAAC,aAAa,CAAC;QACxB,UAAU,EAAE,CAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC;QACxC,UAAU,EAAE,cAAc;KAC3B;IACD;QACE,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,CAAC,QAAQ,CAAC;QACnB,UAAU,EAAE,CAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC;KACzC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,CAAC,gBAAgB,CAAC;QAC3B,UAAU,EAAE,CAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC;KAC3D;IACD;QACE,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,EAAE;QACX,UAAU,EAAE,CAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,WAAW,CAAC,CAAC;KAC3C;IACD;QACE,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,CAAC,OAAO,CAAC;QAClB,UAAU,EAAE,EAAE;KACf;CACF,CAAC;AAEF,SAAS,gBAAgB,CAAC,SAAiB;IACzC,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,MAAM,GAAgC,QAAQ,CAAC;QACnD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,MAAM,WAAW,GAAa,EAAE,CAAC;QAEjC,yDAAyD;QACzD,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC5E,QAAQ,GAAG,IAAI,CAAC;YAChB,MAAM,GAAG,SAAS,CAAC;YACnB,MAAM,GAAG,qBAAqB,CAAC;QACjC,CAAC;QAED,iBAAiB;QACjB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBACxB,QAAQ,GAAG,IAAI,CAAC;oBAChB,MAAM,GAAG,KAAK,CAAC;oBACf,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC;oBAC5B,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,IAAI,IAAA,oBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,QAAQ,GAAG,IAAI,CAAC;oBAChB,MAAM,GAAG,QAAQ,CAAC;oBAClB,MAAM,GAAG,2BAA2B,GAAG,EAAE,CAAC;gBAC5C,CAAC;gBACD,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,cAAc,GAAG,CAAC,iBAAiB,EAAE,2BAA2B,EAAE,sBAAsB,CAAC,CAAC;YAChG,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;gBAC/B,MAAM,CAAC,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,CAAC,CAAC,CAAC;gBAC7B,IAAI,IAAA,oBAAU,EAAC,CAAC,CAAC,EAAE,CAAC;oBAClB,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACd,QAAQ,GAAG,IAAI,CAAC;wBAChB,MAAM,GAAG,QAAQ,CAAC;wBAClB,MAAM,GAAG,uBAAuB,CAAC,EAAE,CAAC;oBACtC,CAAC;oBACD,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,+EAA+E;AAC/E,SAAS,cAAc,CAAC,SAAiB;IACvC,OAAO;QACL,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,IAAA,gBAAI,EAAC,SAAS,EAAE,UAAU,CAAC,EAAE;QACxD,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,IAAA,gBAAI,EAAC,SAAS,EAAE,WAAW,CAAC,EAAE;QAC1D,EAAE,KAAK,EAAE,uBAAuB,EAAE,IAAI,EAAE,IAAA,gBAAI,EAAC,SAAS,EAAE,SAAS,EAAE,eAAe,CAAC,EAAE;QACrF,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAA,gBAAI,EAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE;QAC3E,EAAE,KAAK,EAAE,yBAAyB,EAAE,IAAI,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,eAAe,CAAC,EAAE;KACxF,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,SAAS,SAAS,CAAC,GAA4B;IAC7C,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,QAAQ,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB;IACzC,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC/B,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAwC,CAAC;QAC1E,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,SAAS;QAEtD,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAClD,6CAA6C;YAC7C,MAAM,SAAS,GAAG,GAAG,KAAK,IAAI,IAAI,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAClC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAEpB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;gBAAE,SAAS;YAC9C,MAAM,KAAK,GAAG,GAA8B,CAAC;YAE7C,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC,SAAS,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBACvC,CAAC,CAAE,KAAK,CAAC,MAAM,CAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAClD,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,QAAQ;gBAC1D,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAA4B,CAAC;gBACpD,CAAC,CAAC,EAAE,CAAC;YAEP,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI;gBACJ,MAAM,EAAE,KAAK;gBACb,OAAO;gBACP,IAAI;gBACJ,GAAG;gBACH,KAAK,EAAE,EAAE,EAAE,yEAAyE;aACrF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAYD,SAAS,eAAe,CAAC,YAA2B;IAClD,MAAM,KAAK,GAAgB,EAAE,CAAC;IAE9B,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,SAAS;QAE7B,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,KAAK,KAAK;gBACR,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,KAAK;oBACf,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,aAAa,EAAE,WAAW,CAAC;iBAC9C,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,IAAI;gBACP,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,OAAO;oBACjB,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,uBAAuB,EAAE,mBAAmB,CAAC;iBAChE,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,QAAQ;gBACX,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,KAAK;oBACf,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,sCAAsC,EAAE,gBAAgB,CAAC;iBAC5E,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,IAAI;gBACP,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,WAAW,CAAC;iBAC/B,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,QAAQ;gBACX,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,WAAW,CAAC;iBAC/B,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,SAAS;gBACZ,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,YAAY;oBACtB,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,QAAQ,CAAC;iBAC5B,CAAC,CAAC;gBACH,MAAM;YACR,KAAK,WAAW;gBACd,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,WAAW;oBACrB,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,eAAe,EAAE,CAAC,uBAAuB,CAAC;iBAC3C,CAAC,CAAC;gBACH,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAAC,YAA2B;IACtD,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAE5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,gBAAgB,GAAG,KAAK,CAAC;QAC7B,IAAI,WAAW,GAAkB,IAAI,CAAC;QAEtC,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC;gBAAE,SAAS;YAEpC,gBAAgB,GAAG,IAAI,CAAC;YACxB,MAAM,KAAK,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,KAAK,IAAI,CAAC,CAAC,WAAW,IAAI,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC;gBACnD,WAAW,GAAG,KAAK,CAAC;YACtB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,gBAAgB;YAChB,YAAY,EAAE,WAAW;YACzB,MAAM,EAAE,EAAE,EAAE,yEAAyE;SACtF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAAC,SAAkB;IAClD,MAAM,GAAG,GAAG,IAAA,mBAAO,EAAC,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAEhD,gBAAgB;IAChB,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;IAE1B,sBAAsB;IACtB,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAEzC,uBAAuB;IACvB,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAEzC,qDAAqD;IACrD,MAAM,aAAa,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAEhD,6CAA6C;IAC7C,MAAM,OAAO,GAAG,IAAA,yBAAa,EAAC,GAAG,CAAC,CAAC;IAEnC,OAAO;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,IAAA,kBAAQ,GAAE;QACpB,QAAQ,EAAE,IAAA,kBAAQ,GAAE;QACpB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS;QACxC,IAAI;QACJ,UAAU;QACV,UAAU;QACV,aAAa;QACb,WAAW,EAAE,OAAO,CAAC,IAAmB;QACxC,WAAW,EAAE,OAAO,CAAC,IAAI;KAC1B,CAAC;AACJ,CAAC"}

package/dist/shield/events.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Shield tamper-evident event system.
+ *
+ * Events are stored as newline-delimited JSON (JSONL) with SHA-256 hash
+ * chains.  Each event references the hash of the previous event, forming
+ * an append-only tamper-evident log.  The very first event in the chain
+ * uses SHA-256("genesis") as its prevHash.
+ */
+import type { ShieldEvent } from './types.js';
+/**
+ * Generate a UUIDv7 (time-sortable) per RFC 9562.
+ *
+ * Layout (128 bits):
+ *   48 bits - unix_ts_ms
+ *    4 bits - version (0b0111)
+ *   12 bits - rand_a
+ *    2 bits - variant (0b10)
+ *   62 bits - rand_b
+ */
+export declare function uuidv7(): string;
+/** Return the absolute path to the Shield data directory (~/.opena2a/shield). */
+export declare function getShieldDir(): string;
+/** Return the absolute path to the events JSONL file. */
+export declare function getEventsPath(): string;
+export declare const GENESIS_HASH: string;
+/** Fields that writeEvent generates automatically. */
+type GeneratedFields = 'id' | 'timestamp' | 'version' | 'prevHash' | 'eventHash';
+/**
+ * Write a new event to the tamper-evident log.
+ *
+ * The caller provides all event fields except id, timestamp, version,
+ * prevHash, and eventHash -- those are generated automatically.
+ */
+export declare function writeEvent(partial: Omit<ShieldEvent, GeneratedFields>): ShieldEvent;
+export interface EventFilters {
+    count?: number;
+    source?: string;
+    severity?: string;
+    agent?: string;
+    since?: string;
+    category?: string;
+}
+/**
+ * Read events from the JSONL log file, applying optional filters.
+ *
+ * Returns events in newest-first order.  Corrupted JSON lines are
+ * silently skipped.
+ */
+export declare function readEvents(filters?: EventFilters): ShieldEvent[];
+/**
+ * Verify the integrity of a hash chain.
+ *
+ * Events must be provided in chronological order (oldest first).
+ * The first event's prevHash must equal SHA-256("genesis").
+ *
+ * Returns { valid: true, brokenAt: null } if the chain is intact,
+ * or { valid: false, brokenAt: <index> } pointing to the first
+ * event where the chain breaks.
+ */
+export declare function verifyEventChain(events: ShieldEvent[]): {
+    valid: boolean;
+    brokenAt: number | null;
+};
+export {};
+//# sourceMappingURL=events.d.ts.map

package/dist/shield/events.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/shield/events.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAeH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAO9C;;;;;;;;;GASG;AACH,wBAAgB,MAAM,IAAI,MAAM,CAmC/B;AAMD,iFAAiF;AACjF,wBAAgB,YAAY,IAAI,MAAM,CAMrC;AAED,yDAAyD;AACzD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAMD,eAAO,MAAM,YAAY,QAAuD,CAAC;AA6EjF,sDAAsD;AACtD,KAAK,eAAe,GAAG,IAAI,GAAG,WAAW,GAAG,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;AAEjF;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,GAAG,WAAW,CAuCnF;AAMD,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AA8CD;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,OAAO,GAAE,YAAiB,GAAG,WAAW,EAAE,CAuEpE;AAMD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,WAAW,EAAE,GACpB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CA6B7C"}