opena2a-cli 0.1.1 → 0.2.0

package/dist/shield/policy.js

@@ -0,0 +1,399 @@
+"use strict";
+/**
+ * Shield: Policy loading, evaluation, and default generation.
+ *
+ * Loads YAML-formatted policies (stored as JSON with .yaml extension),
+ * evaluates actions against allow/deny rules, and generates default
+ * policies from environment scans.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.matchesPattern = matchesPattern;
+exports.getDefaultPolicyRules = getDefaultPolicyRules;
+exports.createDefaultPolicy = createDefaultPolicy;
+exports.generatePolicyFromScan = generatePolicyFromScan;
+exports.loadPolicy = loadPolicy;
+exports.savePolicy = savePolicy;
+exports.loadPolicyCache = loadPolicyCache;
+exports.savePolicyCache = savePolicyCache;
+exports.evaluatePolicy = evaluatePolicy;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const types_js_1 = require("./types.js");
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Return the path to the user-level shield directory. */
+function getShieldDir() {
+    return (0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'shield');
+}
+/** Expand leading ~/ to the user home directory. */
+function expandHomedir(pattern) {
+    if (pattern.startsWith('~/')) {
+        return (0, node_path_1.join)((0, node_os_1.homedir)(), pattern.slice(2));
+    }
+    return pattern;
+}
+// ---------------------------------------------------------------------------
+// Pattern matching
+// ---------------------------------------------------------------------------
+/**
+ * Glob-like pattern matching.
+ *
+ * Supports:
+ *   - `*` matches any sequence of characters
+ *   - Exact string match
+ *   - Path prefix matching: pattern ending with `/` matches anything under
+ *     that path (e.g. `~/.ssh/` matches `~/.ssh/id_rsa`)
+ */
+function matchesPattern(value, pattern) {
+    // Universal wildcard
+    if (pattern === '*') {
+        return true;
+    }
+    // Path prefix matching: pattern ending with '/' matches anything under it
+    if (pattern.endsWith('/')) {
+        const prefix = pattern;
+        return value === pattern.slice(0, -1) || value.startsWith(prefix);
+    }
+    // Glob with wildcards
+    if (pattern.includes('*')) {
+        const parts = pattern.split('*');
+        if (parts.length === 2) {
+            const [prefix, suffix] = parts;
+            return value.startsWith(prefix) && value.endsWith(suffix);
+        }
+        // Multi-wildcard: convert to regex
+        const escaped = pattern
+            .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+            .replace(/\*/g, '.*');
+        return new RegExp(`^${escaped}$`).test(value);
+    }
+    // Exact match
+    return value === pattern;
+}
+// ---------------------------------------------------------------------------
+// Default rules
+// ---------------------------------------------------------------------------
+/** Return sensible default policy rules for a developer workstation. */
+function getDefaultPolicyRules() {
+    return {
+        processes: {
+            deny: ['aws', 'gcloud', 'az', 'kubectl', 'terraform', 'rm -rf'],
+            allow: [
+                'git', 'npm', 'node', 'npx', 'tsc', 'eslint', 'prettier',
+                'cargo', 'go', 'python', 'pip', 'pytest', 'bun', 'deno',
+            ],
+        },
+        credentials: {
+            deny: ['~/.ssh/*', '~/.aws/*', '~/.config/gcloud/*', '~/.azure/*'],
+            allow: [],
+        },
+        network: {
+            deny: [],
+            allow: ['localhost', '127.0.0.1', 'registry.npmjs.org', 'github.com'],
+        },
+        filesystem: {
+            deny: ['~/.ssh/', '~/.gnupg/'],
+            allow: [],
+        },
+        mcpServers: {
+            deny: [],
+            allow: [],
+        },
+        supplyChain: {
+            requireTrustScore: 0,
+            blockAdvisories: false,
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Policy creation
+// ---------------------------------------------------------------------------
+/** Create a default policy with standard rules and no agent-specific overrides. */
+function createDefaultPolicy(mode = 'adaptive') {
+    return {
+        version: 1,
+        mode,
+        default: getDefaultPolicyRules(),
+        agents: {},
+    };
+}
+// ---------------------------------------------------------------------------
+// Policy generation from environment scan
+// ---------------------------------------------------------------------------
+/** Map project types to additional tools that should be in the allow list. */
+const PROJECT_TYPE_TOOLS = {
+    node: ['node', 'npm', 'npx', 'tsc', 'eslint', 'prettier'],
+    go: ['go', 'golangci-lint', 'gopls'],
+    python: ['python', 'pip', 'pytest', 'ruff', 'mypy'],
+};
+/**
+ * Generate a policy tailored to the scanned environment.
+ * Detected CLIs are added to the process deny list. Detected MCP servers
+ * are added to the mcpServers allow list. Project-type-appropriate tools
+ * are added to the process allow list. Mode is set to 'adaptive'.
+ */
+function generatePolicyFromScan(scan) {
+    const policy = createDefaultPolicy('adaptive');
+    // Add detected cloud CLIs to processes.deny
+    for (const cli of scan.clis) {
+        if (!policy.default.processes.deny.includes(cli.name)) {
+            policy.default.processes.deny.push(cli.name);
+        }
+    }
+    // Add detected CLI config dirs to filesystem.deny
+    for (const cli of scan.clis) {
+        if (cli.configDir && !policy.default.filesystem.deny.includes(cli.configDir)) {
+            policy.default.filesystem.deny.push(cli.configDir);
+        }
+    }
+    // Add project-appropriate dev tools to processes.allow based on projectType
+    const tools = PROJECT_TYPE_TOOLS[scan.projectType];
+    if (tools) {
+        for (const tool of tools) {
+            if (!policy.default.processes.allow.includes(tool)) {
+                policy.default.processes.allow.push(tool);
+            }
+        }
+    }
+    // Add detected MCP server names to mcpServers.allow
+    for (const server of scan.mcpServers) {
+        if (!policy.default.mcpServers.allow.includes(server.name)) {
+            policy.default.mcpServers.allow.push(server.name);
+        }
+    }
+    return policy;
+}
+// ---------------------------------------------------------------------------
+// Policy persistence
+// ---------------------------------------------------------------------------
+/**
+ * Load a shield policy from disk.
+ *
+ * Checks the user-level policy file at `~/.opena2a/shield/policy.yaml`.
+ * The file is stored as JSON despite the .yaml extension (simplest approach
+ * since we control the format).
+ *
+ * Returns null if no policy file exists or it cannot be parsed.
+ */
+function loadPolicy(targetDir) {
+    // Try project-level first if a target directory is provided
+    if (targetDir) {
+        const projectPolicyPath = (0, node_path_1.join)(targetDir, types_js_1.SHIELD_DIR, types_js_1.SHIELD_POLICY_FILE);
+        try {
+            if ((0, node_fs_1.existsSync)(projectPolicyPath)) {
+                const raw = (0, node_fs_1.readFileSync)(projectPolicyPath, 'utf-8');
+                return JSON.parse(raw);
+            }
+        }
+        catch {
+            // Fall through to user-level
+        }
+    }
+    // Try user-level
+    const userPolicyPath = (0, node_path_1.join)((0, node_os_1.homedir)(), types_js_1.SHIELD_DIR, types_js_1.SHIELD_POLICY_FILE);
+    try {
+        if ((0, node_fs_1.existsSync)(userPolicyPath)) {
+            const raw = (0, node_fs_1.readFileSync)(userPolicyPath, 'utf-8');
+            return JSON.parse(raw);
+        }
+    }
+    catch {
+        return null;
+    }
+    return null;
+}
+/**
+ * Write a policy to disk as JSON with restrictive permissions (0o600).
+ * Creates parent directories if they do not exist.
+ */
+function savePolicy(policy, path) {
+    const dir = (0, node_path_1.dirname)(path);
+    if (!(0, node_fs_1.existsSync)(dir)) {
+        (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+    }
+    (0, node_fs_1.writeFileSync)(path, JSON.stringify(policy, null, 2) + '\n', { mode: 0o600 });
+}
+// ---------------------------------------------------------------------------
+// Policy cache
+// ---------------------------------------------------------------------------
+/** Return the path to the policy cache file. */
+function getPolicyCachePath() {
+    return (0, node_path_1.join)(getShieldDir(), types_js_1.SHIELD_POLICY_CACHE);
+}
+/** Return the path to the user-level policy file. */
+function getUserPolicyPath() {
+    return (0, node_path_1.join)(getShieldDir(), types_js_1.SHIELD_POLICY_FILE);
+}
+/**
+ * Load the cached policy. Returns null if the cache does not exist or
+ * if the policy file has been modified more recently than the cache.
+ */
+function loadPolicyCache() {
+    const cachePath = getPolicyCachePath();
+    if (!(0, node_fs_1.existsSync)(cachePath)) {
+        return null;
+    }
+    // Invalidate cache if the policy file is newer
+    const policyPath = getUserPolicyPath();
+    if ((0, node_fs_1.existsSync)(policyPath)) {
+        try {
+            const cacheStat = (0, node_fs_1.statSync)(cachePath);
+            const policyStat = (0, node_fs_1.statSync)(policyPath);
+            if (policyStat.mtimeMs > cacheStat.mtimeMs) {
+                return null;
+            }
+        }
+        catch {
+            return null;
+        }
+    }
+    try {
+        const raw = (0, node_fs_1.readFileSync)(cachePath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Save a policy to the cache file with restrictive permissions. */
+function savePolicyCache(policy) {
+    const cachePath = getPolicyCachePath();
+    const dir = (0, node_path_1.dirname)(cachePath);
+    if (!(0, node_fs_1.existsSync)(dir)) {
+        (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+    }
+    (0, node_fs_1.writeFileSync)(cachePath, JSON.stringify(policy, null, 2) + '\n', { mode: 0o600 });
+}
+// ---------------------------------------------------------------------------
+// Policy evaluation
+// ---------------------------------------------------------------------------
+/**
+ * Map action strings (used by callers like shield evaluate) to policy
+ * rule category keys. This allows callers to pass either an action string
+ * like 'process.spawn' or a direct category name like 'processes'.
+ */
+const ACTION_CATEGORY_MAP = {
+    'process.spawn': 'processes',
+    'credential.read': 'credentials',
+    'file.access': 'filesystem',
+    'network.connect': 'network',
+    'mcp.call': 'mcpServers',
+};
+/** Valid category keys that can be used directly. */
+const VALID_CATEGORIES = new Set([
+    'processes', 'credentials', 'network', 'filesystem', 'mcpServers',
+]);
+/**
+ * Merge agent-specific rule overrides onto a base set of rules.
+ * Agent-specific rules completely replace the base for any category they define.
+ */
+function mergeRules(base, overrides) {
+    const merged = JSON.parse(JSON.stringify(base));
+    for (const key of ['credentials', 'processes', 'network', 'filesystem', 'mcpServers']) {
+        const override = overrides[key];
+        if (override && 'allow' in override && 'deny' in override) {
+            merged[key] = {
+                allow: [...override.allow],
+                deny: [...override.deny],
+            };
+        }
+    }
+    if (overrides.supplyChain) {
+        merged.supplyChain = { ...merged.supplyChain, ...overrides.supplyChain };
+    }
+    return merged;
+}
+/**
+ * Evaluate an action against the policy.
+ *
+ * Resolution order:
+ *   1. Agent-specific rules are merged over default rules if the agent
+ *      has overrides defined.
+ *   2. Deny rules are checked first -- deny takes precedence over allow.
+ *   3. In adaptive/monitor mode, denied actions are logged but not blocked
+ *      (outcome='monitored'). In enforce mode, they are blocked
+ *      (outcome='blocked').
+ *   4. If no rule matches, the action is implicitly allowed.
+ *
+ * @param policy  - The loaded shield policy.
+ * @param agent   - Agent identifier (or null for unknown agents).
+ * @param category - The action or category string (e.g. 'process.spawn' or 'processes').
+ * @param target  - The target of the action (e.g. binary name, file path, hostname).
+ */
+function evaluatePolicy(policy, agent, category, target) {
+    // Resolve effective rules: agent-specific merged over defaults
+    let effectiveRules = policy.default;
+    if (agent && policy.agents[agent]) {
+        effectiveRules = mergeRules(policy.default, policy.agents[agent]);
+    }
+    // Resolve category: support both action strings and direct category names
+    let resolvedCategory = ACTION_CATEGORY_MAP[category];
+    if (!resolvedCategory && VALID_CATEGORIES.has(category)) {
+        resolvedCategory = category;
+    }
+    if (!resolvedCategory) {
+        return {
+            allowed: true,
+            outcome: 'allowed',
+            rule: `no-policy-for-action:${category}`,
+            agent,
+        };
+    }
+    const rules = effectiveRules[resolvedCategory];
+    // supplyChain does not have allow/deny arrays
+    if (!rules || !('allow' in rules) || !('deny' in rules)) {
+        return {
+            allowed: true,
+            outcome: 'allowed',
+            rule: `${resolvedCategory}:no-allow-deny-rules`,
+            agent,
+        };
+    }
+    const { allow, deny } = rules;
+    // For credentials and filesystem categories, expand ~ in patterns
+    const shouldExpandHome = resolvedCategory === 'filesystem' || resolvedCategory === 'credentials';
+    const expandPattern = shouldExpandHome ? expandHomedir : (p) => p;
+    // Check deny first (deny takes precedence)
+    for (const pattern of deny) {
+        const expanded = expandPattern(pattern);
+        if (matchesPattern(target, expanded)) {
+            if (policy.mode === 'enforce') {
+                return {
+                    allowed: false,
+                    outcome: 'blocked',
+                    rule: `${resolvedCategory}.deny:${pattern}`,
+                    agent,
+                };
+            }
+            // adaptive or monitor mode: allow but mark as monitored
+            return {
+                allowed: true,
+                outcome: 'monitored',
+                rule: `${resolvedCategory}.deny:${pattern}`,
+                agent,
+            };
+        }
+    }
+    // Check allow
+    for (const pattern of allow) {
+        const expanded = expandPattern(pattern);
+        if (matchesPattern(target, expanded)) {
+            return {
+                allowed: true,
+                outcome: 'allowed',
+                rule: `${resolvedCategory}.allow:${pattern}`,
+                agent,
+            };
+        }
+    }
+    // No explicit match: implicitly allowed
+    return {
+        allowed: true,
+        outcome: 'allowed',
+        rule: `${resolvedCategory}:no-match`,
+        agent,
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist/shield/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/shield/policy.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkDH,wCA4BC;AAOD,sDA8BC;AAOD,kDAOC;AAmBD,wDAmCC;AAeD,gCA0BC;AAMD,gCAMC;AAoBD,0CA0BC;AAGD,0CAOC;AAiED,wCAuFC;AA1bD,qCAAuF;AACvF,yCAA0C;AAC1C,qCAAkC;AAUlC,yCAIoB;AAEpB,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,0DAA0D;AAC1D,SAAS,YAAY;IACnB,OAAO,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED,oDAAoD;AACpD,SAAS,aAAa,CAAC,OAAe;IACpC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAgB,cAAc,CAAC,KAAa,EAAE,OAAe;IAC3D,qBAAqB;IACrB,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0EAA0E;IAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,OAAO,CAAC;QACvB,OAAO,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACpE,CAAC;IAED,sBAAsB;IACtB,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;YAC/B,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5D,CAAC;QACD,mCAAmC;QACnC,MAAM,OAAO,GAAG,OAAO;aACpB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;aACpC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxB,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,cAAc;IACd,OAAO,KAAK,KAAK,OAAO,CAAC;AAC3B,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,wEAAwE;AACxE,SAAgB,qBAAqB;IACnC,OAAO;QACL,SAAS,EAAE;YACT,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC;YAC/D,KAAK,EAAE;gBACL,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU;gBACxD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM;aACxD;SACF;QACD,WAAW,EAAE;YACX,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,oBAAoB,EAAE,YAAY,CAAC;YAClE,KAAK,EAAE,EAAE;SACV;QACD,OAAO,EAAE;YACP,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,oBAAoB,EAAE,YAAY,CAAC;SACtE;QACD,UAAU,EAAE;YACV,IAAI,EAAE,CAAC,SAAS,EAAE,WAAW,CAAC;YAC9B,KAAK,EAAE,EAAE;SACV;QACD,UAAU,EAAE;YACV,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,EAAE;SACV;QACD,WAAW,EAAE;YACX,iBAAiB,EAAE,CAAC;YACpB,eAAe,EAAE,KAAK;SACvB;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,mFAAmF;AACnF,SAAgB,mBAAmB,CAAC,OAAmB,UAAU;IAC/D,OAAO;QACL,OAAO,EAAE,CAAC;QACV,IAAI;QACJ,OAAO,EAAE,qBAAqB,EAAE;QAChC,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,8EAA8E;AAC9E,MAAM,kBAAkB,GAA6B;IACnD,IAAI,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,CAAC;IACzD,EAAE,EAAE,CAAC,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC;IACpC,MAAM,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;CACpD,CAAC;AAEF;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAqB;IAC1D,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAE/C,4CAA4C;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACtD,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7E,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3D,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAgB,UAAU,CAAC,SAAkB;IAC3C,4DAA4D;IAC5D,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,iBAAiB,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,qBAAU,EAAE,6BAAkB,CAAC,CAAC;QAC1E,IAAI,CAAC;YACH,IAAI,IAAA,oBAAU,EAAC,iBAAiB,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;gBACrD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;YACzC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,6BAA6B;QAC/B,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,MAAM,cAAc,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,qBAAU,EAAE,6BAAkB,CAAC,CAAC;IACvE,IAAI,CAAC;QACH,IAAI,IAAA,oBAAU,EAAC,cAAc,CAAC,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YAClD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;QACzC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,UAAU,CAAC,MAAoB,EAAE,IAAY;IAC3D,MAAM,GAAG,GAAG,IAAA,mBAAO,EAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC,IAAA,oBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;QACrB,IAAA,mBAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IACD,IAAA,uBAAa,EAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,gDAAgD;AAChD,SAAS,kBAAkB;IACzB,OAAO,IAAA,gBAAI,EAAC,YAAY,EAAE,EAAE,8BAAmB,CAAC,CAAC;AACnD,CAAC;AAED,qDAAqD;AACrD,SAAS,iBAAiB;IACxB,OAAO,IAAA,gBAAI,EAAC,YAAY,EAAE,EAAE,6BAAkB,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe;IAC7B,MAAM,SAAS,GAAG,kBAAkB,EAAE,CAAC;IACvC,IAAI,CAAC,IAAA,oBAAU,EAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+CAA+C;IAC/C,MAAM,UAAU,GAAG,iBAAiB,EAAE,CAAC;IACvC,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAA,kBAAQ,EAAC,SAAS,CAAC,CAAC;YACtC,MAAM,UAAU,GAAG,IAAA,kBAAQ,EAAC,UAAU,CAAC,CAAC;YACxC,IAAI,UAAU,CAAC,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;gBAC3C,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,oEAAoE;AACpE,SAAgB,eAAe,CAAC,MAAoB;IAClD,MAAM,SAAS,GAAG,kBAAkB,EAAE,CAAC;IACvC,MAAM,GAAG,GAAG,IAAA,mBAAO,EAAC,SAAS,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAA,oBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;QACrB,IAAA,mBAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IACD,IAAA,uBAAa,EAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACpF,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,mBAAmB,GAAsC;IAC7D,eAAe,EAAE,WAAW;IAC5B,iBAAiB,EAAE,aAAa;IAChC,aAAa,EAAE,YAAY;IAC3B,iBAAiB,EAAE,SAAS;IAC5B,UAAU,EAAE,YAAY;CACzB,CAAC;AAEF,qDAAqD;AACrD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS;IACvC,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;CAClE,CAAC,CAAC;AAEH;;;GAGG;AACH,SAAS,UAAU,CAAC,IAAiB,EAAE,SAA+B;IACpE,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,KAAK,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY,CAAU,EAAE,CAAC;QAC/F,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,QAAQ,IAAI,OAAO,IAAI,QAAQ,IAAI,MAAM,IAAI,QAAQ,EAAE,CAAC;YAC1D,MAAM,CAAC,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC;gBAC1B,IAAI,EAAE,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC;aACzB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QAC1B,MAAM,CAAC,WAAW,GAAG,EAAE,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IAC3E,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,cAAc,CAC5B,MAAoB,EACpB,KAAoB,EACpB,QAAgB,EAChB,MAAc;IAEd,+DAA+D;IAC/D,IAAI,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC;IACpC,IAAI,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAClC,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,0EAA0E;IAC1E,IAAI,gBAAgB,GAAuB,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACzE,IAAI,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxD,gBAAgB,GAAG,QAAQ,CAAC;IAC9B,CAAC;IAED,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE,wBAAwB,QAAQ,EAAE;YACxC,KAAK;SACN,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,CAAC,gBAAqC,CAAC,CAAC;IAEpE,8CAA8C;IAC9C,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE,GAAG,gBAAgB,sBAAsB;YAC/C,KAAK;SACN,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,KAA4C,CAAC;IAErE,kEAAkE;IAClE,MAAM,gBAAgB,GAAG,gBAAgB,KAAK,YAAY,IAAI,gBAAgB,KAAK,aAAa,CAAC;IACjG,MAAM,aAAa,GAAG,gBAAgB,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC;IAE1E,2CAA2C;IAC3C,KAAK,MAAM,OAAO,IAAI,IAAI,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;YACrC,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,OAAO,EAAE,SAAS;oBAClB,IAAI,EAAE,GAAG,gBAAgB,SAAS,OAAO,EAAE;oBAC3C,KAAK;iBACN,CAAC;YACJ,CAAC;YACD,wDAAwD;YACxD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,GAAG,gBAAgB,SAAS,OAAO,EAAE;gBAC3C,KAAK;aACN,CAAC;QACJ,CAAC;IACH,CAAC;IAED,cAAc;IACd,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;YACrC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,SAAS;gBAClB,IAAI,EAAE,GAAG,gBAAgB,UAAU,OAAO,EAAE;gBAC5C,KAAK;aACN,CAAC;QACJ,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,SAAS;QAClB,IAAI,EAAE,GAAG,gBAAgB,WAAW;QACpC,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/shield/report-html.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Shield HTML Posture Report Generator.
+ *
+ * Generates a self-contained HTML file with:
+ * - Dark theme (slate-900 background, slate-800 cards)
+ * - Posture score circular gauge with grade letter
+ * - Severity breakdown horizontal bar chart
+ * - Agent activity table
+ * - Policy violations table with severity filter
+ * - Runtime protection, credential exposure, supply chain cards
+ * - Event timeline / narrative section
+ *
+ * Design tokens:
+ *   Background: #0f172a (slate-900), Card: #1e293b (slate-800)
+ *   Primary: #06b6d4 (teal), Score: teal
+ *   Critical: #ef4444, High: #f97316, Medium: #eab308, Low: #3b82f6, Info: #6b7280
+ *   Font: system monospace (JetBrains Mono fallback)
+ *
+ * No external dependencies. No emojis.
+ */
+import type { WeeklyReport, ReportNarrative, PostureTrend } from './types.js';
+import type { ClassifiedFinding } from './findings.js';
+/**
+ * Generate the executive summary text from report data.
+ * No LLM needed -- deterministic sentence generation.
+ */
+export declare function generateExecutiveSummary(report: WeeklyReport, findings: ClassifiedFinding[], trend: PostureTrend | null): string;
+export declare function generateShieldHtmlReport(report: WeeklyReport, narrative?: ReportNarrative | null, findings?: ClassifiedFinding[], trend?: PostureTrend | null): string;
+//# sourceMappingURL=report-html.d.ts.map

package/dist/shield/report-html.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report-html.d.ts","sourceRoot":"","sources":["../../src/shield/report-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC9E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,YAAY,EACpB,QAAQ,EAAE,iBAAiB,EAAE,EAC7B,KAAK,EAAE,YAAY,GAAG,IAAI,GACzB,MAAM,CAkER;AAED,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,YAAY,EACpB,SAAS,CAAC,EAAE,eAAe,GAAG,IAAI,EAClC,QAAQ,CAAC,EAAE,iBAAiB,EAAE,EAC9B,KAAK,CAAC,EAAE,YAAY,GAAG,IAAI,GAC1B,MAAM,CAsER"}