opena2a-cli 0.1.1 → 0.2.0

package/dist/shield/types.d.ts

@@ -0,0 +1,416 @@
+export type ProjectType = 'node' | 'go' | 'python' | 'unknown';
+export interface DetectedCli {
+    name: string;
+    path: string;
+    version: string | null;
+    configDir: string | null;
+    hasCredentials: boolean;
+}
+export interface DetectedAssistant {
+    name: string;
+    detected: boolean;
+    method: 'process' | 'env' | 'config';
+    detail: string;
+    configPaths: string[];
+}
+export interface DetectedMcpServer {
+    name: string;
+    source: string;
+    command: string;
+    args: string[];
+    env: Record<string, string>;
+    tools: string[];
+}
+export interface DetectedOAuthSession {
+    provider: string;
+    configDir: string;
+    hasActiveSession: boolean;
+    lastModified: string | null;
+    scopes: string[];
+}
+export interface EnvironmentScan {
+    timestamp: string;
+    hostname: string;
+    platform: string;
+    shell: string;
+    clis: DetectedCli[];
+    assistants: DetectedAssistant[];
+    mcpServers: DetectedMcpServer[];
+    oauthSessions: DetectedOAuthSession[];
+    projectType: ProjectType;
+    projectName: string | null;
+}
+export type ShieldEventSource = 'secretless' | 'arp' | 'browser-guard' | 'hma' | 'registry' | 'configguard' | 'shield';
+export type EventSeverity = 'info' | 'low' | 'medium' | 'high' | 'critical';
+export type EventOutcome = 'allowed' | 'blocked' | 'monitored';
+export type RiskLevel = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'SECURE';
+export interface ShieldEvent {
+    id: string;
+    timestamp: string;
+    version: 1;
+    source: ShieldEventSource;
+    category: string;
+    severity: EventSeverity;
+    agent: string | null;
+    sessionId: string | null;
+    action: string;
+    target: string;
+    outcome: EventOutcome;
+    detail: Record<string, unknown>;
+    prevHash: string;
+    eventHash: string;
+    orgId: string | null;
+    managed: boolean;
+    agentId: string | null;
+}
+export type PolicyMode = 'adaptive' | 'monitor' | 'enforce';
+export interface PolicyRules {
+    credentials: {
+        allow: string[];
+        deny: string[];
+    };
+    processes: {
+        allow: string[];
+        deny: string[];
+    };
+    network: {
+        allow: string[];
+        deny: string[];
+    };
+    filesystem: {
+        allow: string[];
+        deny: string[];
+    };
+    mcpServers: {
+        allow: string[];
+        deny: string[];
+    };
+    supplyChain: {
+        requireTrustScore: number;
+        blockAdvisories: boolean;
+    };
+}
+export interface ShieldPolicy {
+    version: 1;
+    mode: PolicyMode;
+    default: PolicyRules;
+    agents: Record<string, Partial<PolicyRules>>;
+}
+export interface PolicyDecision {
+    allowed: boolean;
+    outcome: EventOutcome;
+    rule: string;
+    agent: string | null;
+}
+/**
+ * Adaptive enforcement uses continuous learning with graduated confidence.
+ * Shield never stops learning. It starts suggesting policies once behavior
+ * is statistically stable (no new binaries/credentials for N consecutive
+ * sessions). It never blocks automatically -- the developer must approve.
+ *
+ * Phase transitions:
+ *   learn -> suggest: behavior stabilized (stability score >= 0.8)
+ *   suggest -> protect: developer approved recommended policy
+ *   protect (ongoing): continues learning, prompts for never-seen actions
+ *
+ * Stability is measured by "new behavior rate": if the agent hasn't used
+ * a new binary or accessed a new credential in the last 5 sessions,
+ * the baseline is considered stable enough to recommend a policy.
+ */
+export interface AgentBaseline {
+    agent: string;
+    observationStart: string;
+    observationEnd: string;
+    totalActions: number;
+    totalSessions: number;
+    phase: 'learn' | 'suggest' | 'protect';
+    stabilityScore: number;
+    lastNewBehaviorAt: string | null;
+    observed: {
+        processes: Record<string, number>;
+        credentials: Record<string, number>;
+        filesystemPaths: Record<string, number>;
+        networkHosts: Record<string, number>;
+        mcpServers: Record<string, number>;
+    };
+    recommended: Partial<PolicyRules> | null;
+    thresholds: {
+        maxProcessesPerHour: number;
+        maxCredentialAccessPerSession: number;
+        maxNewBinariesPerDay: number;
+    };
+}
+export type SessionSignalType = 'env' | 'process' | 'tty' | 'pid' | 'hook' | 'timing';
+export interface SessionSignal {
+    type: SessionSignalType;
+    name: string;
+    value: string;
+    confidence: number;
+}
+export interface SessionIdentity {
+    sessionId: string;
+    agent: string;
+    confidence: number;
+    signals: SessionSignal[];
+    startedAt: string;
+    lastSeenAt: string;
+}
+export type IntegrityStatus = 'healthy' | 'degraded' | 'compromised' | 'lockdown';
+export interface IntegrityCheck {
+    name: string;
+    status: 'pass' | 'warn' | 'fail';
+    detail: string;
+    checkedAt: string;
+}
+export interface IntegrityState {
+    status: IntegrityStatus;
+    checks: IntegrityCheck[];
+    lastVerified: string;
+    chainHash: string;
+}
+export interface AgentActivitySummary {
+    sessions: number;
+    actions: number;
+    firstSeen: string;
+    lastSeen: string;
+    topActions: {
+        action: string;
+        count: number;
+    }[];
+}
+export interface PolicyViolation {
+    action: string;
+    target: string;
+    agent: string;
+    count: number;
+    severity: EventSeverity;
+    recommendation: string;
+    findingId?: string;
+    remediationCommand?: string;
+    compliance?: string[];
+}
+export interface PostureFactor {
+    name: string;
+    score: number;
+    weight: number;
+    detail: string;
+}
+export interface ComparativeMetric {
+    percentile: number;
+    sampleSize: number;
+    optInDate: string;
+}
+export interface PostureTrend {
+    previousScore: number;
+    previousGrade: string;
+    delta: number;
+    direction: 'improving' | 'declining' | 'stable';
+    periodDays: number;
+}
+export interface PostureScore {
+    score: number;
+    grade: string;
+    factors: PostureFactor[];
+    trend: PostureTrend | null;
+    comparative: ComparativeMetric | null;
+}
+export interface ReportSnapshot {
+    timestamp: string;
+    score: number;
+    grade: string;
+    findingCounts: Record<string, number>;
+    totalFindings: number;
+}
+export interface WeeklyReport {
+    version: 1;
+    generatedAt: string;
+    periodStart: string;
+    periodEnd: string;
+    hostname: string;
+    agentActivity: {
+        totalSessions: number;
+        totalActions: number;
+        byAgent: Record<string, AgentActivitySummary>;
+    };
+    policyEvaluation: {
+        monitored: number;
+        wouldBlock: number;
+        blocked: number;
+        topViolations: PolicyViolation[];
+    };
+    credentialExposure: {
+        accessAttempts: number;
+        uniqueCredentials: number;
+        byProvider: Record<string, number>;
+        recommendations: string[];
+    };
+    supplyChain: {
+        packagesInstalled: number;
+        advisoriesFound: number;
+        blockedInstalls: number;
+        lowTrustPackages: string[];
+    };
+    configIntegrity: {
+        filesMonitored: number;
+        tamperedFiles: string[];
+        signatureStatus: 'valid' | 'tampered' | 'unsigned';
+    };
+    runtimeProtection: {
+        arpActive: boolean;
+        processesSpawned: number;
+        networkConnections: number;
+        anomalies: number;
+    };
+    posture: PostureScore;
+}
+export interface ProductStatus {
+    name: string;
+    installed: boolean;
+    active: boolean;
+    version: string | null;
+    keyMetric: string;
+}
+export interface ShieldStatus {
+    timestamp: string;
+    products: ProductStatus[];
+    policyLoaded: boolean;
+    policyMode: PolicyMode | null;
+    shellIntegration: boolean;
+    integrityStatus: IntegrityStatus;
+    lastReportScore: number | null;
+    lastReportDate: string | null;
+}
+export type ShieldSubcommand = 'init' | 'status' | 'log' | 'report' | 'check' | 'policy' | 'evaluate' | 'selfcheck' | 'recover';
+export interface ShieldOptions {
+    subcommand: ShieldSubcommand;
+    targetDir?: string;
+    agent?: string;
+    count?: number;
+    since?: string;
+    severity?: string;
+    source?: string;
+    category?: string;
+    ci?: boolean;
+    format?: string;
+    verbose?: boolean;
+    verify?: boolean;
+    reset?: boolean;
+    forensic?: boolean;
+    analyze?: boolean;
+}
+export interface ShieldUserConfig {
+    initialized: boolean;
+    shellIntegration: {
+        enabled: boolean;
+        shell: 'zsh' | 'bash' | 'fish' | null;
+        installedAt: string | null;
+    };
+    report: {
+        scheduled: boolean;
+        scheduledDay: number;
+        scheduledHour: number;
+        lastGenerated: string | null;
+    };
+}
+export type LlmAnalysisType = 'policy-suggestion' | 'anomaly-explanation' | 'report-narrative' | 'incident-triage';
+export interface PolicySuggestion {
+    agent: string;
+    rules: Partial<PolicyRules>;
+    reasoning: string;
+    confidence: number;
+    basedOnActions: number;
+    basedOnSessions: number;
+}
+export interface AnomalyExplanation {
+    eventId: string;
+    severity: EventSeverity;
+    explanation: string;
+    riskFactors: string[];
+    suggestedAction: 'ignore' | 'investigate' | 'block';
+}
+export interface ReportNarrative {
+    summary: string;
+    highlights: string[];
+    concerns: string[];
+    recommendations: string[];
+}
+export interface IncidentTriage {
+    eventIds: string[];
+    classification: 'false-positive' | 'suspicious' | 'confirmed-threat';
+    severity: EventSeverity;
+    explanation: string;
+    responseSteps: string[];
+}
+export interface LlmCacheEntry {
+    key: string;
+    analysisType: LlmAnalysisType;
+    result: PolicySuggestion | AnomalyExplanation | ReportNarrative | IncidentTriage;
+    createdAt: string;
+    ttlMs: number;
+    inputTokens: number;
+    outputTokens: number;
+}
+export interface LlmCache {
+    version: 1;
+    entries: LlmCacheEntry[];
+}
+export type LlmBackend = 'claude-code' | 'api' | 'none';
+export interface LlmResponse {
+    text: string;
+    inputTokens: number;
+    outputTokens: number;
+    backend: LlmBackend;
+}
+export interface ShieldSignature {
+    filePath: string;
+    hash: string;
+    signedAt: string;
+    signedBy: string;
+    fileSize: number;
+}
+export interface ShieldSignatureStore {
+    version: 1;
+    signatures: ShieldSignature[];
+    updatedAt: string;
+}
+export interface RegistryIntelligence {
+    /** Check if a package/binary is known-safe or flagged */
+    checkReputation(target: string): Promise<ReputationResult | null>;
+    /** Get threat feed for policy enrichment */
+    getThreatFeed(): Promise<ThreatFeedEntry[]>;
+}
+export interface ReputationResult {
+    target: string;
+    trustScore: number;
+    advisories: string[];
+    lastScanned: string;
+}
+export interface ThreatFeedEntry {
+    indicator: string;
+    type: 'package' | 'binary' | 'domain';
+    severity: EventSeverity;
+    description: string;
+}
+export declare const SHIELD_DIR = ".opena2a/shield";
+export declare const SHIELD_SIGNATURES_FILE = "signatures.json";
+export declare const SHIELD_EVENTS_FILE = "events.jsonl";
+export declare const SHIELD_POLICY_FILE = "policy.yaml";
+export declare const SHIELD_POLICY_CACHE = "policy-cache.json";
+export declare const SHIELD_SCAN_FILE = "scan.json";
+export declare const SHIELD_CONFIG_FILE = "config.json";
+export declare const SHIELD_BASELINES_DIR = "baselines";
+export declare const SHIELD_REPORTS_DIR = "reports";
+export declare const SHIELD_SNAPSHOTS_FILE = "snapshots.jsonl";
+export declare const SHIELD_LLM_CACHE_FILE = "llm-cache.json";
+export declare const LLM_CACHE_TTL_POLICY: number;
+export declare const LLM_CACHE_TTL_ANOMALY: number;
+export declare const LLM_CACHE_TTL_NARRATIVE: number;
+export declare const LLM_CACHE_TTL_TRIAGE: number;
+export declare const MAX_EVENTS_FILE_SIZE: number;
+export declare const STABILITY_THRESHOLD = 0.8;
+export declare const STABILITY_WINDOW_SESSIONS = 5;
+export declare const LEARN_PHASE_MIN_ACTIONS = 50;
+export declare const LEARN_PHASE_MIN_SESSIONS = 3;
+export declare const SESSION_TIMEOUT_MS: number;
+export declare const EVALUATE_BUDGET_MS = 50;
+//# sourceMappingURL=types.d.ts.map

package/dist/shield/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/shield/types.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,IAAI,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,cAAc,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,KAAK,GAAG,QAAQ,CAAC;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,WAAW,EAAE,CAAC;IACpB,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAID,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,KAAK,GACL,eAAe,GACf,KAAK,GACL,UAAU,GACV,aAAa,GACb,QAAQ,CAAC;AAEb,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAC5E,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;AAC/D,MAAM,MAAM,SAAS,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,QAAQ,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,CAAC,CAAC;IAEX,MAAM,EAAE,iBAAiB,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,aAAa,CAAC;IAExB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEhC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAElB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAID,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAE5D,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IACjD,SAAS,EAAE;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAC/C,OAAO,EAAE;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAC7C,UAAU,EAAE;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAChD,UAAU,EAAE;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAChD,WAAW,EAAE;QAAE,iBAAiB,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,OAAO,CAAA;KAAE,CAAC;CACtE;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,CAAC,CAAC;IACX,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;CAC9C;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,YAAY,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAID;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,gBAAgB,EAAE,MAAM,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,SAAS,CAAC;IACvC,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,EAAE;QACR,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAClC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACpC,CAAC;IACF,WAAW,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;IACzC,UAAU,EAAE;QACV,mBAAmB,EAAE,MAAM,CAAC;QAC5B,6BAA6B,EAAE,MAAM,CAAC;QACtC,oBAAoB,EAAE,MAAM,CAAC;KAC9B,CAAC;CACH;AAID,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,SAAS,GAAG,KAAK,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEtF,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,UAAU,GAAG,aAAa,GAAG,UAAU,CAAC;AAElF,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,eAAe,CAAC;IACxB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACjD;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,aAAa,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,WAAW,GAAG,WAAW,GAAG,QAAQ,CAAC;IAChD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,KAAK,EAAE,YAAY,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,iBAAiB,GAAG,IAAI,CAAC;CACvC;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IAEjB,aAAa,EAAE;QACb,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;KAC/C,CAAC;IAEF,gBAAgB,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,eAAe,EAAE,CAAC;KAClC,CAAC;IAEF,kBAAkB,EAAE;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnC,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IAEF,WAAW,EAAE;QACX,iBAAiB,EAAE,MAAM,CAAC;QAC1B,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;QACxB,gBAAgB,EAAE,MAAM,EAAE,CAAC;KAC5B,CAAC;IAEF,eAAe,EAAE;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,eAAe,EAAE,OAAO,GAAG,UAAU,GAAG,UAAU,CAAC;KACpD,CAAC;IAEF,iBAAiB,EAAE;QACjB,SAAS,EAAE,OAAO,CAAC;QACnB,gBAAgB,EAAE,MAAM,CAAC;QACzB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IAEF,OAAO,EAAE,YAAY,CAAC;CACvB;AAID,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,eAAe,EAAE,eAAe,CAAC;IACjC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAID,MAAM,MAAM,gBAAgB,GACxB,MAAM,GACN,QAAQ,GACR,KAAK,GACL,QAAQ,GACR,OAAO,GACP,QAAQ,GACR,UAAU,GACV,WAAW,GACX,SAAS,CAAC;AAEd,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,gBAAgB,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAID,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,OAAO,CAAC;IACrB,gBAAgB,EAAE;QAChB,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,EAAE,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;QACtC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,CAAC;IACF,MAAM,EAAE;QACN,SAAS,EAAE,OAAO,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;KAC9B,CAAC;CACH;AAID,MAAM,MAAM,eAAe,GACvB,mBAAmB,GACnB,qBAAqB,GACrB,kBAAkB,GAClB,iBAAiB,CAAC;AAEtB,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,aAAa,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,QAAQ,GAAG,aAAa,GAAG,OAAO,CAAC;CACrD;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,EAAE,gBAAgB,GAAG,YAAY,GAAG,kBAAkB,CAAC;IACrE,QAAQ,EAAE,aAAa,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,eAAe,CAAC;IAC9B,MAAM,EAAE,gBAAgB,GAAG,kBAAkB,GAAG,eAAe,GAAG,cAAc,CAAC;IACjF,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B;AAID,MAAM,MAAM,UAAU,GAAG,aAAa,GAAG,KAAK,GAAG,MAAM,CAAC;AAExD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,UAAU,CAAC;CACrB;AAID,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,CAAC,CAAC;IACX,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,oBAAoB;IACnC,yDAAyD;IACzD,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAClE,4CAA4C;IAC5C,aAAa,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;CAC7C;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,SAAS,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACtC,QAAQ,EAAE,aAAa,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;CACrB;AAID,eAAO,MAAM,UAAU,oBAAoB,CAAC;AAC5C,eAAO,MAAM,sBAAsB,oBAAoB,CAAC;AACxD,eAAO,MAAM,kBAAkB,iBAAiB,CAAC;AACjD,eAAO,MAAM,kBAAkB,gBAAgB,CAAC;AAChD,eAAO,MAAM,mBAAmB,sBAAsB,CAAC;AACvD,eAAO,MAAM,gBAAgB,cAAc,CAAC;AAC5C,eAAO,MAAM,kBAAkB,gBAAgB,CAAC;AAChD,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAChD,eAAO,MAAM,kBAAkB,YAAY,CAAC;AAC5C,eAAO,MAAM,qBAAqB,oBAAoB,CAAC;AACvD,eAAO,MAAM,qBAAqB,mBAAmB,CAAC;AAGtD,eAAO,MAAM,oBAAoB,QAAsB,CAAC;AACxD,eAAO,MAAM,qBAAqB,QAA0B,CAAC;AAC7D,eAAO,MAAM,uBAAuB,QAA2B,CAAC;AAChE,eAAO,MAAM,oBAAoB,QAAiB,CAAC;AAEnD,eAAO,MAAM,oBAAoB,QAAmB,CAAC;AAIrD,eAAO,MAAM,mBAAmB,MAAM,CAAC;AACvC,eAAO,MAAM,yBAAyB,IAAI,CAAC;AAC3C,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAC1C,eAAO,MAAM,wBAAwB,IAAI,CAAC;AAE1C,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AACjD,eAAO,MAAM,kBAAkB,KAAK,CAAC"}

package/dist/shield/types.js

@@ -0,0 +1,32 @@
+"use strict";
+// Shield: Unified Developer Workstation Security Orchestration
+// All TypeScript interfaces for the Shield module.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EVALUATE_BUDGET_MS = exports.SESSION_TIMEOUT_MS = exports.LEARN_PHASE_MIN_SESSIONS = exports.LEARN_PHASE_MIN_ACTIONS = exports.STABILITY_WINDOW_SESSIONS = exports.STABILITY_THRESHOLD = exports.MAX_EVENTS_FILE_SIZE = exports.LLM_CACHE_TTL_TRIAGE = exports.LLM_CACHE_TTL_NARRATIVE = exports.LLM_CACHE_TTL_ANOMALY = exports.LLM_CACHE_TTL_POLICY = exports.SHIELD_LLM_CACHE_FILE = exports.SHIELD_SNAPSHOTS_FILE = exports.SHIELD_REPORTS_DIR = exports.SHIELD_BASELINES_DIR = exports.SHIELD_CONFIG_FILE = exports.SHIELD_SCAN_FILE = exports.SHIELD_POLICY_CACHE = exports.SHIELD_POLICY_FILE = exports.SHIELD_EVENTS_FILE = exports.SHIELD_SIGNATURES_FILE = exports.SHIELD_DIR = void 0;
+// --- Constants ---
+exports.SHIELD_DIR = '.opena2a/shield';
+exports.SHIELD_SIGNATURES_FILE = 'signatures.json';
+exports.SHIELD_EVENTS_FILE = 'events.jsonl';
+exports.SHIELD_POLICY_FILE = 'policy.yaml';
+exports.SHIELD_POLICY_CACHE = 'policy-cache.json';
+exports.SHIELD_SCAN_FILE = 'scan.json';
+exports.SHIELD_CONFIG_FILE = 'config.json';
+exports.SHIELD_BASELINES_DIR = 'baselines';
+exports.SHIELD_REPORTS_DIR = 'reports';
+exports.SHIELD_SNAPSHOTS_FILE = 'snapshots.jsonl';
+exports.SHIELD_LLM_CACHE_FILE = 'llm-cache.json';
+// LLM cache TTLs (milliseconds)
+exports.LLM_CACHE_TTL_POLICY = 24 * 60 * 60 * 1000; // 24h
+exports.LLM_CACHE_TTL_ANOMALY = 7 * 24 * 60 * 60 * 1000; // 7d
+exports.LLM_CACHE_TTL_NARRATIVE = 30 * 24 * 60 * 60 * 1000; // 30d (per report)
+exports.LLM_CACHE_TTL_TRIAGE = 60 * 60 * 1000; // 1h
+exports.MAX_EVENTS_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+// Adaptive enforcement: continuous learning, not timer-based.
+// Suggestions appear when behavior stabilizes, not after a fixed period.
+exports.STABILITY_THRESHOLD = 0.8; // suggest policy when stability >= this
+exports.STABILITY_WINDOW_SESSIONS = 5; // sessions without new behavior = stable
+exports.LEARN_PHASE_MIN_ACTIONS = 50; // minimum actions before stability is checked
+exports.LEARN_PHASE_MIN_SESSIONS = 3; // minimum sessions before stability is checked
+exports.SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+exports.EVALUATE_BUDGET_MS = 50;
+//# sourceMappingURL=types.js.map

package/dist/shield/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/shield/types.ts"],"names":[],"mappings":";AAAA,+DAA+D;AAC/D,mDAAmD;;;AAmenD,oBAAoB;AAEP,QAAA,UAAU,GAAG,iBAAiB,CAAC;AAC/B,QAAA,sBAAsB,GAAG,iBAAiB,CAAC;AAC3C,QAAA,kBAAkB,GAAG,cAAc,CAAC;AACpC,QAAA,kBAAkB,GAAG,aAAa,CAAC;AACnC,QAAA,mBAAmB,GAAG,mBAAmB,CAAC;AAC1C,QAAA,gBAAgB,GAAG,WAAW,CAAC;AAC/B,QAAA,kBAAkB,GAAG,aAAa,CAAC;AACnC,QAAA,oBAAoB,GAAG,WAAW,CAAC;AACnC,QAAA,kBAAkB,GAAG,SAAS,CAAC;AAC/B,QAAA,qBAAqB,GAAG,iBAAiB,CAAC;AAC1C,QAAA,qBAAqB,GAAG,gBAAgB,CAAC;AAEtD,gCAAgC;AACnB,QAAA,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAM,MAAM;AACvD,QAAA,qBAAqB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,KAAK;AACtD,QAAA,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,mBAAmB;AACvE,QAAA,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAY,KAAK;AAEvD,QAAA,oBAAoB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAE7D,8DAA8D;AAC9D,yEAAyE;AAC5D,QAAA,mBAAmB,GAAG,GAAG,CAAC,CAAC,wCAAwC;AACnE,QAAA,yBAAyB,GAAG,CAAC,CAAC,CAAC,yCAAyC;AACxE,QAAA,uBAAuB,GAAG,EAAE,CAAC,CAAC,8CAA8C;AAC5E,QAAA,wBAAwB,GAAG,CAAC,CAAC,CAAC,+CAA+C;AAE7E,QAAA,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAClD,QAAA,kBAAkB,GAAG,EAAE,CAAC"}

package/dist/util/drift-liveness.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Drift liveness verification — confirms whether a detected credential
+ * actually grants access to AI/ML services (scope drift).
+ *
+ * DRIFT-001: Google API Key -> Gemini Generative Language API
+ * DRIFT-002: AWS Access Key -> no liveness check (requires secret key)
+ */
+export interface LivenessResult {
+    /** Whether the credential confirmed access to the AI service */
+    confirmed: boolean;
+    /** HTTP status code from the verification request */
+    statusCode?: number;
+    /** Human-readable detail (e.g., model names found) */
+    details?: string;
+    /** Error message if the check failed to complete */
+    error?: string;
+}
+/** Timeout for each liveness HTTP request (ms) */
+export declare const LIVENESS_TIMEOUT = 5000;
+/** Delay between consecutive liveness checks to avoid rate limiting (ms) */
+export declare const LIVENESS_DELAY = 500;
+/** Maximum number of liveness checks per scan run */
+export declare const MAX_LIVENESS_CHECKS = 5;
+/**
+ * Verify whether a Google API key grants access to the Gemini Generative
+ * Language API by listing available models.
+ *
+ * GET {baseUrl}/v1beta/models?key={KEY}
+ *   - 200 with model list -> confirmed (scope drift to AI)
+ *   - 401/403            -> not confirmed (key restricted)
+ *   - timeout/error      -> not confirmed (inconclusive)
+ *
+ * @param apiKey  The Google API key value
+ * @param baseUrl Override for testing (default: generativelanguage.googleapis.com)
+ */
+export declare function verifyGeminiAccess(apiKey: string, baseUrl?: string): Promise<LivenessResult>;
+//# sourceMappingURL=drift-liveness.d.ts.map

package/dist/util/drift-liveness.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"drift-liveness.d.ts","sourceRoot":"","sources":["../../src/util/drift-liveness.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,SAAS,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID,kDAAkD;AAClD,eAAO,MAAM,gBAAgB,OAAO,CAAC;AAErC,4EAA4E;AAC5E,eAAO,MAAM,cAAc,MAAM,CAAC;AAElC,qDAAqD;AACrD,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAIrC;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC,CAmDzB"}

package/dist/util/drift-liveness.js

@@ -0,0 +1,114 @@
+"use strict";
+/**
+ * Drift liveness verification — confirms whether a detected credential
+ * actually grants access to AI/ML services (scope drift).
+ *
+ * DRIFT-001: Google API Key -> Gemini Generative Language API
+ * DRIFT-002: AWS Access Key -> no liveness check (requires secret key)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_LIVENESS_CHECKS = exports.LIVENESS_DELAY = exports.LIVENESS_TIMEOUT = void 0;
+exports.verifyGeminiAccess = verifyGeminiAccess;
+const https = __importStar(require("node:https"));
+const http = __importStar(require("node:http"));
+// --- Constants ---
+/** Timeout for each liveness HTTP request (ms) */
+exports.LIVENESS_TIMEOUT = 5000;
+/** Delay between consecutive liveness checks to avoid rate limiting (ms) */
+exports.LIVENESS_DELAY = 500;
+/** Maximum number of liveness checks per scan run */
+exports.MAX_LIVENESS_CHECKS = 5;
+// --- Gemini liveness ---
+/**
+ * Verify whether a Google API key grants access to the Gemini Generative
+ * Language API by listing available models.
+ *
+ * GET {baseUrl}/v1beta/models?key={KEY}
+ *   - 200 with model list -> confirmed (scope drift to AI)
+ *   - 401/403            -> not confirmed (key restricted)
+ *   - timeout/error      -> not confirmed (inconclusive)
+ *
+ * @param apiKey  The Google API key value
+ * @param baseUrl Override for testing (default: generativelanguage.googleapis.com)
+ */
+function verifyGeminiAccess(apiKey, baseUrl) {
+    const host = baseUrl ?? 'https://generativelanguage.googleapis.com';
+    const url = `${host}/v1beta/models?key=${apiKey}`;
+    return new Promise((resolve) => {
+        const transport = url.startsWith('https') ? https : http;
+        const req = transport.get(url, { timeout: exports.LIVENESS_TIMEOUT }, (res) => {
+            const chunks = [];
+            res.on('data', (chunk) => chunks.push(chunk));
+            res.on('end', () => {
+                const statusCode = res.statusCode ?? 0;
+                if (statusCode === 200) {
+                    try {
+                        const body = JSON.parse(Buffer.concat(chunks).toString('utf-8'));
+                        const models = (body.models ?? [])
+                            .slice(0, 3)
+                            .map((m) => m.name ?? 'unknown');
+                        resolve({
+                            confirmed: true,
+                            statusCode,
+                            details: `Active Gemini access: ${models.join(', ')}`,
+                        });
+                    }
+                    catch {
+                        resolve({
+                            confirmed: true,
+                            statusCode,
+                            details: 'Active Gemini access (response parsed partially)',
+                        });
+                    }
+                }
+                else {
+                    resolve({
+                        confirmed: false,
+                        statusCode,
+                    });
+                }
+            });
+        });
+        req.on('timeout', () => {
+            req.destroy();
+            resolve({ confirmed: false, error: 'Liveness check timed out' });
+        });
+        req.on('error', (err) => {
+            resolve({ confirmed: false, error: err.message });
+        });
+    });
+}
+//# sourceMappingURL=drift-liveness.js.map

package/dist/util/drift-liveness.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"drift-liveness.js","sourceRoot":"","sources":["../../src/util/drift-liveness.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2CH,gDAsDC;AA/FD,kDAAoC;AACpC,gDAAkC;AAelC,oBAAoB;AAEpB,kDAAkD;AACrC,QAAA,gBAAgB,GAAG,IAAI,CAAC;AAErC,4EAA4E;AAC/D,QAAA,cAAc,GAAG,GAAG,CAAC;AAElC,qDAAqD;AACxC,QAAA,mBAAmB,GAAG,CAAC,CAAC;AAErC,0BAA0B;AAE1B;;;;;;;;;;;GAWG;AACH,SAAgB,kBAAkB,CAChC,MAAc,EACd,OAAgB;IAEhB,MAAM,IAAI,GAAG,OAAO,IAAI,2CAA2C,CAAC;IACpE,MAAM,GAAG,GAAG,GAAG,IAAI,sBAAsB,MAAM,EAAE,CAAC;IAElD,OAAO,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,EAAE;QAC7C,MAAM,SAAS,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAEzD,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,wBAAgB,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE;YACpE,MAAM,MAAM,GAAa,EAAE,CAAC;YAE5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAEtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC;gBAEvC,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;oBACvB,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;wBACjE,MAAM,MAAM,GAAa,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;6BACzC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;6BACX,GAAG,CAAC,CAAC,CAAoB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC;wBACtD,OAAO,CAAC;4BACN,SAAS,EAAE,IAAI;4BACf,UAAU;4BACV,OAAO,EAAE,yBAAyB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;yBACtD,CAAC,CAAC;oBACL,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO,CAAC;4BACN,SAAS,EAAE,IAAI;4BACf,UAAU;4BACV,OAAO,EAAE,kDAAkD;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC;wBACN,SAAS,EAAE,KAAK;wBAChB,UAAU;qBACX,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACrB,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,OAAO,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC7B,OAAO,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}