opena2a-cli 0.1.2 → 0.3.0

package/dist/commands/guard-policy.js

@@ -0,0 +1,251 @@
+"use strict";
+/**
+ * Guard policy: signing requirements and heartbeat disable on tamper.
+ *
+ * Loads policy from `.opena2a/guard/policy.json`, checks compliance
+ * against the signature store, and manages the heartbeat-disabled marker.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._internals = void 0;
+exports.loadGuardPolicy = loadGuardPolicy;
+exports.saveGuardPolicy = saveGuardPolicy;
+exports.generateDefaultPolicy = generateDefaultPolicy;
+exports.checkPolicyCompliance = checkPolicyCompliance;
+exports.disableHeartbeat = disableHeartbeat;
+exports.isHeartbeatDisabled = isHeartbeatDisabled;
+exports.enableHeartbeat = enableHeartbeat;
+exports.guardPolicy = guardPolicy;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const node_crypto_1 = require("node:crypto");
+const colors_js_1 = require("../util/colors.js");
+// --- Constants ---
+const GUARD_DIR = '.opena2a/guard';
+const POLICY_FILE = 'policy.json';
+const HEARTBEAT_DISABLED_FILE = 'heartbeat-disabled';
+const SIGNATURES_FILE = 'signatures.json';
+const DEFAULT_CONFIG_FILES = [
+    'mcp.json', '.mcp.json', '.claude/settings.json',
+    'package.json', 'package-lock.json',
+    'arp.yaml', 'arp.yml', 'arp.json',
+    'openclaw.json', '.openclaw/config.json',
+    '.opena2a.yaml', '.opena2a.json',
+    'tsconfig.json', 'go.mod', 'go.sum',
+    'pyproject.toml', 'requirements.txt',
+    'Dockerfile', 'docker-compose.yml',
+];
+// --- Event emission ---
+async function emitEvent(category, action, target, severity, outcome, detail) {
+    try {
+        const { writeEvent } = await import('../shield/events.js');
+        writeEvent({
+            source: 'configguard', category, severity,
+            agent: null, sessionId: null, action, target, outcome, detail,
+            orgId: null, managed: false, agentId: null,
+        });
+    }
+    catch {
+        // Shield module not available
+    }
+}
+// --- Policy loading ---
+function loadGuardPolicy(targetDir) {
+    const policyPath = path.join(targetDir, GUARD_DIR, POLICY_FILE);
+    if (!fs.existsSync(policyPath))
+        return null;
+    try {
+        return JSON.parse(fs.readFileSync(policyPath, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+function saveGuardPolicy(targetDir, policy) {
+    const dir = path.join(targetDir, GUARD_DIR);
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(path.join(dir, POLICY_FILE), JSON.stringify(policy, null, 2) + '\n', 'utf-8');
+}
+// --- Default policy generation ---
+function generateDefaultPolicy(targetDir) {
+    const detected = DEFAULT_CONFIG_FILES.filter(f => fs.existsSync(path.join(targetDir, f)));
+    return {
+        version: 1,
+        requiredFiles: detected,
+        blockOnUnsigned: true,
+        disableHeartbeatOnTamper: true,
+        autoRemediate: false,
+    };
+}
+// --- Compliance checking ---
+function checkPolicyCompliance(targetDir, policy) {
+    const storePath = path.join(targetDir, GUARD_DIR, SIGNATURES_FILE);
+    let signatures = [];
+    try {
+        const store = JSON.parse(fs.readFileSync(storePath, 'utf-8'));
+        signatures = store.signatures ?? [];
+    }
+    catch { /* no store */ }
+    const sigMap = new Map(signatures.map(s => [s.filePath, s.hash]));
+    const requiredUnsigned = [];
+    const requiredTampered = [];
+    const requiredMissing = [];
+    let requiredSigned = 0;
+    for (const file of policy.requiredFiles) {
+        const fullPath = path.join(targetDir, file);
+        const storedHash = sigMap.get(file);
+        if (!storedHash) {
+            requiredUnsigned.push(file);
+            continue;
+        }
+        if (!fs.existsSync(fullPath)) {
+            requiredMissing.push(file);
+            continue;
+        }
+        const content = fs.readFileSync(fullPath);
+        const currentHash = 'sha256:' + (0, node_crypto_1.createHash)('sha256').update(content).digest('hex');
+        if (currentHash === storedHash) {
+            requiredSigned++;
+        }
+        else {
+            requiredTampered.push(file);
+        }
+    }
+    const compliant = requiredUnsigned.length === 0 && requiredTampered.length === 0 && requiredMissing.length === 0;
+    return { compliant, requiredSigned, requiredUnsigned, requiredTampered, requiredMissing };
+}
+// --- Heartbeat management ---
+function disableHeartbeat(targetDir, reason) {
+    const dir = path.join(targetDir, GUARD_DIR);
+    fs.mkdirSync(dir, { recursive: true });
+    const marker = { disabled: true, reason, disabledAt: new Date().toISOString() };
+    fs.writeFileSync(path.join(dir, HEARTBEAT_DISABLED_FILE), JSON.stringify(marker, null, 2) + '\n', 'utf-8');
+}
+function isHeartbeatDisabled(targetDir) {
+    const markerPath = path.join(targetDir, GUARD_DIR, HEARTBEAT_DISABLED_FILE);
+    if (!fs.existsSync(markerPath))
+        return { disabled: false };
+    try {
+        const data = JSON.parse(fs.readFileSync(markerPath, 'utf-8'));
+        return { disabled: true, reason: data.reason, disabledAt: data.disabledAt };
+    }
+    catch {
+        return { disabled: false };
+    }
+}
+function enableHeartbeat(targetDir) {
+    const markerPath = path.join(targetDir, GUARD_DIR, HEARTBEAT_DISABLED_FILE);
+    if (fs.existsSync(markerPath))
+        fs.unlinkSync(markerPath);
+}
+// --- Guard policy subcommand handler ---
+async function guardPolicy(targetDir, action, options) {
+    const isJson = options.format === 'json';
+    switch (action) {
+        case 'init': {
+            const policy = generateDefaultPolicy(targetDir);
+            saveGuardPolicy(targetDir, policy);
+            await emitEvent('policy.created', 'guard.policy.init', targetDir, 'info', 'allowed', {
+                requiredFiles: policy.requiredFiles, blockOnUnsigned: policy.blockOnUnsigned, disableHeartbeatOnTamper: policy.disableHeartbeatOnTamper,
+            });
+            if (isJson) {
+                process.stdout.write(JSON.stringify(policy, null, 2) + '\n');
+            }
+            else {
+                process.stdout.write((0, colors_js_1.green)('Guard policy initialized.\n'));
+                process.stdout.write((0, colors_js_1.dim)(`  Required files: ${policy.requiredFiles.length}\n`));
+                for (const f of policy.requiredFiles) {
+                    process.stdout.write((0, colors_js_1.dim)(`    ${f}\n`));
+                }
+                process.stdout.write((0, colors_js_1.dim)(`  Block on unsigned: ${policy.blockOnUnsigned}\n`));
+                process.stdout.write((0, colors_js_1.dim)(`  Disable heartbeat on tamper: ${policy.disableHeartbeatOnTamper}\n`));
+                process.stdout.write((0, colors_js_1.dim)(`  Policy file: ${GUARD_DIR}/${POLICY_FILE}\n`));
+            }
+            return 0;
+        }
+        case 'show': {
+            const policy = loadGuardPolicy(targetDir);
+            if (!policy) {
+                if (isJson) {
+                    process.stdout.write(JSON.stringify({ error: 'No guard policy found. Run: opena2a guard policy init' }, null, 2) + '\n');
+                }
+                else {
+                    process.stdout.write((0, colors_js_1.yellow)('No guard policy found. Run: opena2a guard policy init\n'));
+                }
+                return 1;
+            }
+            if (isJson) {
+                process.stdout.write(JSON.stringify(policy, null, 2) + '\n');
+            }
+            else {
+                process.stdout.write((0, colors_js_1.bold)('Guard Policy') + '\n');
+                process.stdout.write((0, colors_js_1.gray)('-'.repeat(40)) + '\n');
+                process.stdout.write(`  Block on unsigned:           ${policy.blockOnUnsigned ? (0, colors_js_1.green)('yes') : (0, colors_js_1.dim)('no')}\n`);
+                process.stdout.write(`  Disable heartbeat on tamper: ${policy.disableHeartbeatOnTamper ? (0, colors_js_1.green)('yes') : (0, colors_js_1.dim)('no')}\n`);
+                process.stdout.write(`  Auto-remediate:              ${policy.autoRemediate ? (0, colors_js_1.green)('yes') : (0, colors_js_1.dim)('no')}\n`);
+                process.stdout.write(`  Required files (${policy.requiredFiles.length}):\n`);
+                for (const f of policy.requiredFiles) {
+                    process.stdout.write((0, colors_js_1.dim)(`    ${f}\n`));
+                }
+                const hb = isHeartbeatDisabled(targetDir);
+                if (hb.disabled) {
+                    process.stdout.write((0, colors_js_1.red)(`  Heartbeat: DISABLED (${hb.reason})\n`));
+                }
+                else {
+                    process.stdout.write((0, colors_js_1.green)('  Heartbeat: active\n'));
+                }
+                process.stdout.write((0, colors_js_1.gray)('-'.repeat(40)) + '\n');
+            }
+            return 0;
+        }
+        default:
+            if (isJson) {
+                process.stdout.write(JSON.stringify({ error: `Unknown policy action: ${action}` }, null, 2) + '\n');
+            }
+            else {
+                process.stderr.write((0, colors_js_1.red)(`Unknown policy action: ${action}\n`));
+                process.stderr.write('Usage: opena2a guard policy <init|show>\n');
+            }
+            return 1;
+    }
+}
+// --- Testable internals ---
+exports._internals = {
+    loadGuardPolicy, saveGuardPolicy, generateDefaultPolicy, checkPolicyCompliance,
+    disableHeartbeat, isHeartbeatDisabled, enableHeartbeat, guardPolicy, emitEvent,
+    GUARD_DIR, POLICY_FILE, HEARTBEAT_DISABLED_FILE, SIGNATURES_FILE,
+    DEFAULT_CONFIG_FILES,
+};
+//# sourceMappingURL=guard-policy.js.map

package/dist/commands/guard-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-policy.js","sourceRoot":"","sources":["../../src/commands/guard-policy.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuEH,0CAIC;AAED,0CAIC;AAID,sDASC;AAID,sDA6BC;AAID,4CAKC;AAED,kDAOC;AAED,0CAGC;AAID,kCAyDC;AAjND,4CAA8B;AAC9B,gDAAkC;AAClC,6CAAyC;AACzC,iDAAwE;AA0BxE,oBAAoB;AAEpB,MAAM,SAAS,GAAG,gBAAgB,CAAC;AACnC,MAAM,WAAW,GAAG,aAAa,CAAC;AAClC,MAAM,uBAAuB,GAAG,oBAAoB,CAAC;AACrD,MAAM,eAAe,GAAG,iBAAiB,CAAC;AAE1C,MAAM,oBAAoB,GAAG;IAC3B,UAAU,EAAE,WAAW,EAAE,uBAAuB;IAChD,cAAc,EAAE,mBAAmB;IACnC,UAAU,EAAE,SAAS,EAAE,UAAU;IACjC,eAAe,EAAE,uBAAuB;IACxC,eAAe,EAAE,eAAe;IAChC,eAAe,EAAE,QAAQ,EAAE,QAAQ;IACnC,gBAAgB,EAAE,kBAAkB;IACpC,YAAY,EAAE,oBAAoB;CACnC,CAAC;AAEF,yBAAyB;AAEzB,KAAK,UAAU,SAAS,CACtB,QAAgB,EAAE,MAAc,EAAE,MAAc,EAChD,QAAyD,EACzD,OAA4C,EAC5C,MAA+B;IAE/B,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;QAC3D,UAAU,CAAC;YACT,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ;YACzC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;YAC7D,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI;SAC3C,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,8BAA8B;IAChC,CAAC;AACH,CAAC;AAED,yBAAyB;AAEzB,SAAgB,eAAe,CAAC,SAAiB;IAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,CAAC;QAAC,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgB,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;AACxG,CAAC;AAED,SAAgB,eAAe,CAAC,SAAiB,EAAE,MAAmB;IACpE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACjG,CAAC;AAED,oCAAoC;AAEpC,SAAgB,qBAAqB,CAAC,SAAiB;IACrD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1F,OAAO;QACL,OAAO,EAAE,CAAC;QACV,aAAa,EAAE,QAAQ;QACvB,eAAe,EAAE,IAAI;QACrB,wBAAwB,EAAE,IAAI;QAC9B,aAAa,EAAE,KAAK;KACrB,CAAC;AACJ,CAAC;AAED,8BAA8B;AAE9B,SAAgB,qBAAqB,CAAC,SAAiB,EAAE,MAAmB;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACnE,IAAI,UAAU,GAA8C,EAAE,CAAC;IAC/D,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9D,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;IAE1B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClE,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAEpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAAC,SAAS;QAAC,CAAC;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAAC,SAAS;QAAC,CAAC;QAEvE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnF,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;YAAC,cAAc,EAAE,CAAC;QAAC,CAAC;aAChD,CAAC;YAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAC,CAAC;IACvC,CAAC;IAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,KAAK,CAAC,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC;IACjH,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;AAC5F,CAAC;AAED,+BAA+B;AAE/B,SAAgB,gBAAgB,CAAC,SAAiB,EAAE,MAAc;IAChE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IAChF,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAC7G,CAAC;AAED,SAAgB,mBAAmB,CAAC,SAAiB;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;IAC5E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC3D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9D,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAAC,CAAC;AACzC,CAAC;AAED,SAAgB,eAAe,CAAC,SAAiB;IAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC3D,CAAC;AAED,0CAA0C;AAEnC,KAAK,UAAU,WAAW,CAAC,SAAiB,EAAE,MAAc,EAAE,OAAqC;IACxG,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,MAAM,CAAC;IAEzC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;YAChD,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YAEnC,MAAM,SAAS,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE;gBACnF,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,eAAe,EAAE,MAAM,CAAC,eAAe,EAAE,wBAAwB,EAAE,MAAM,CAAC,wBAAwB;aACxI,CAAC,CAAC;YAEH,IAAI,MAAM,EAAE,CAAC;gBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAAC,CAAC;iBACxE,CAAC;gBACJ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,iBAAK,EAAC,6BAA6B,CAAC,CAAC,CAAC;gBAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,qBAAqB,MAAM,CAAC,aAAa,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC;gBAChF,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAC,CAAC;gBAClF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,wBAAwB,MAAM,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC;gBAC9E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,kCAAkC,MAAM,CAAC,wBAAwB,IAAI,CAAC,CAAC,CAAC;gBACjG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,kBAAkB,SAAS,IAAI,WAAW,IAAI,CAAC,CAAC,CAAC;YAC5E,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,MAAM,EAAE,CAAC;oBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uDAAuD,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;gBAAC,CAAC;qBACpI,CAAC;oBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,kBAAM,EAAC,yDAAyD,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACjG,OAAO,CAAC,CAAC;YACX,CAAC;YAED,IAAI,MAAM,EAAE,CAAC;gBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAAC,CAAC;iBACxE,CAAC;gBACJ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,cAAc,CAAC,GAAG,IAAI,CAAC,CAAC;gBAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;gBAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,IAAA,iBAAK,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAA,eAAG,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC9G,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,MAAM,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAA,iBAAK,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAA,eAAG,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACvH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,IAAA,iBAAK,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAA,eAAG,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC5G,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,MAAM,CAAC,aAAa,CAAC,MAAM,MAAM,CAAC,CAAC;gBAC7E,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAC,CAAC;gBAClF,MAAM,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;gBAC1C,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC;oBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,0BAA0B,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC;gBAAC,CAAC;qBACpF,CAAC;oBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,iBAAK,EAAC,uBAAuB,CAAC,CAAC,CAAC;gBAAC,CAAC;gBAC9D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YACpD,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;QAED;YACE,IAAI,MAAM,EAAE,CAAC;gBAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,0BAA0B,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAAC,CAAC;iBAC/G,CAAC;gBACJ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,0BAA0B,MAAM,IAAI,CAAC,CAAC,CAAC;gBAChE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACpE,CAAC;YACD,OAAO,CAAC,CAAC;IACb,CAAC;AACH,CAAC;AAED,6BAA6B;AAEhB,QAAA,UAAU,GAAG;IACxB,eAAe,EAAE,eAAe,EAAE,qBAAqB,EAAE,qBAAqB;IAC9E,gBAAgB,EAAE,mBAAmB,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS;IAC9E,SAAS,EAAE,WAAW,EAAE,uBAAuB,EAAE,eAAe;IAChE,oBAAoB;CACrB,CAAC"}

package/dist/commands/guard-signing.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Skill.md and Heartbeat.md signing bridge for ConfigGuard.
+ *
+ * Signs and verifies SKILL.md / HEARTBEAT.md files using SHA-256 hashing
+ * with inline HTML-comment signature blocks (matching HMA signcrypt pattern).
+ */
+export interface SignResult {
+    filePath: string;
+    hash: string;
+    signedAt: string;
+    signedBy: string;
+    expiresAt?: string;
+}
+export interface VerifyResult {
+    filePath: string;
+    status: 'pass' | 'tampered' | 'unsigned' | 'expired';
+    currentHash?: string;
+    expectedHash?: string;
+    expiresAt?: string;
+}
+interface SignatureBlock {
+    pinnedHash: string;
+    signedAt: string;
+    signedBy: string;
+    expiresAt?: string;
+}
+export declare function signSkillFiles(targetDir: string): Promise<SignResult[]>;
+export declare function signHeartbeatFiles(targetDir: string): Promise<SignResult[]>;
+declare function signFiles(files: string[], targetDir: string, withExpiry: boolean): SignResult[];
+export declare function verifySkillSignatures(targetDir: string): Promise<VerifyResult[]>;
+export declare function verifyHeartbeatSignatures(targetDir: string): Promise<VerifyResult[]>;
+declare function verifyFiles(files: string[], targetDir: string, checkExpiry: boolean): VerifyResult[];
+declare function buildSignatureBlock(sig: SignatureBlock): string;
+declare function parseSignatureBlock(content: string): SignatureBlock | null;
+declare function stripSignatureBlock(content: string): string;
+declare function findFiles(targetDir: string, patterns: string[]): string[];
+declare function matchPattern(filename: string, pattern: string): boolean;
+export declare const _internals: {
+    findFiles: typeof findFiles;
+    matchPattern: typeof matchPattern;
+    buildSignatureBlock: typeof buildSignatureBlock;
+    parseSignatureBlock: typeof parseSignatureBlock;
+    stripSignatureBlock: typeof stripSignatureBlock;
+    signFiles: typeof signFiles;
+    verifyFiles: typeof verifyFiles;
+    SKILL_PATTERNS: string[];
+    HEARTBEAT_PATTERNS: string[];
+    HEARTBEAT_EXPIRY_DAYS: number;
+    SIG_BLOCK_RE: RegExp;
+};
+export {};
+//# sourceMappingURL=guard-signing.d.ts.map

package/dist/commands/guard-signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-signing.d.ts","sourceRoot":"","sources":["../../src/commands/guard-signing.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IACrD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,cAAc;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAaD,wBAAsB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAG7E;AAED,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAGjF;AAED,iBAAS,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,UAAU,EAAE,CAmBxF;AAID,wBAAsB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAGtF;AAED,wBAAsB,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAG1F;AAED,iBAAS,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,GAAG,YAAY,EAAE,CA+B7F;AAID,iBAAS,mBAAmB,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAQxD;AAED,iBAAS,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAenE;AAED,iBAAS,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEpD;AAID,iBAAS,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAclE;AAED,iBAAS,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAKhE;AAID,eAAO,MAAM,UAAU;;;;;;;;;;;;CAKtB,CAAC"}

package/dist/commands/guard-signing.js

@@ -0,0 +1,185 @@
+"use strict";
+/**
+ * Skill.md and Heartbeat.md signing bridge for ConfigGuard.
+ *
+ * Signs and verifies SKILL.md / HEARTBEAT.md files using SHA-256 hashing
+ * with inline HTML-comment signature blocks (matching HMA signcrypt pattern).
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._internals = void 0;
+exports.signSkillFiles = signSkillFiles;
+exports.signHeartbeatFiles = signHeartbeatFiles;
+exports.verifySkillSignatures = verifySkillSignatures;
+exports.verifyHeartbeatSignatures = verifyHeartbeatSignatures;
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const node_crypto_1 = require("node:crypto");
+// --- Constants ---
+const SKILL_PATTERNS = ['SKILL.md', '*.skill.md'];
+const HEARTBEAT_PATTERNS = ['HEARTBEAT.md', '*.heartbeat.md'];
+const HEARTBEAT_EXPIRY_DAYS = 7;
+const SIG_BLOCK_START = '<!-- opena2a-guard';
+const SIG_BLOCK_END = '-->';
+const SIG_BLOCK_RE = /<!-- opena2a-guard\n([\s\S]*?)-->/;
+// --- Signing ---
+async function signSkillFiles(targetDir) {
+    const files = findFiles(targetDir, SKILL_PATTERNS);
+    return signFiles(files, targetDir, false);
+}
+async function signHeartbeatFiles(targetDir) {
+    const files = findFiles(targetDir, HEARTBEAT_PATTERNS);
+    return signFiles(files, targetDir, true);
+}
+function signFiles(files, targetDir, withExpiry) {
+    const results = [];
+    const now = new Date();
+    const signedBy = os.userInfo().username + '@opena2a-cli';
+    for (const fullPath of files) {
+        const relPath = path.relative(targetDir, fullPath);
+        const raw = fs.readFileSync(fullPath, 'utf-8');
+        const content = stripSignatureBlock(raw);
+        const hash = 'sha256:' + (0, node_crypto_1.createHash)('sha256').update(content, 'utf-8').digest('hex');
+        const signedAt = now.toISOString();
+        const expiresAt = withExpiry ? new Date(now.getTime() + HEARTBEAT_EXPIRY_DAYS * 86400000).toISOString() : undefined;
+        const block = buildSignatureBlock({ pinnedHash: hash, signedAt, signedBy, expiresAt });
+        fs.writeFileSync(fullPath, content.trimEnd() + '\n\n' + block + '\n', 'utf-8');
+        results.push({ filePath: relPath, hash, signedAt, signedBy, expiresAt });
+    }
+    return results;
+}
+// --- Verification ---
+async function verifySkillSignatures(targetDir) {
+    const files = findFiles(targetDir, SKILL_PATTERNS);
+    return verifyFiles(files, targetDir, false);
+}
+async function verifyHeartbeatSignatures(targetDir) {
+    const files = findFiles(targetDir, HEARTBEAT_PATTERNS);
+    return verifyFiles(files, targetDir, true);
+}
+function verifyFiles(files, targetDir, checkExpiry) {
+    const results = [];
+    for (const fullPath of files) {
+        const relPath = path.relative(targetDir, fullPath);
+        const raw = fs.readFileSync(fullPath, 'utf-8');
+        const parsed = parseSignatureBlock(raw);
+        if (!parsed) {
+            results.push({ filePath: relPath, status: 'unsigned' });
+            continue;
+        }
+        const content = stripSignatureBlock(raw);
+        const currentHash = 'sha256:' + (0, node_crypto_1.createHash)('sha256').update(content, 'utf-8').digest('hex');
+        if (checkExpiry && parsed.expiresAt) {
+            const expiry = new Date(parsed.expiresAt);
+            if (expiry.getTime() < Date.now()) {
+                results.push({ filePath: relPath, status: 'expired', currentHash, expectedHash: parsed.pinnedHash, expiresAt: parsed.expiresAt });
+                continue;
+            }
+        }
+        if (currentHash !== parsed.pinnedHash) {
+            results.push({ filePath: relPath, status: 'tampered', currentHash, expectedHash: parsed.pinnedHash });
+        }
+        else {
+            results.push({ filePath: relPath, status: 'pass', currentHash, expiresAt: parsed.expiresAt });
+        }
+    }
+    return results;
+}
+// --- Signature block helpers ---
+function buildSignatureBlock(sig) {
+    const lines = [SIG_BLOCK_START];
+    lines.push(`pinned_hash: ${sig.pinnedHash}`);
+    lines.push(`signed_at: ${sig.signedAt}`);
+    lines.push(`signed_by: ${sig.signedBy}`);
+    if (sig.expiresAt)
+        lines.push(`expires_at: ${sig.expiresAt}`);
+    lines.push(SIG_BLOCK_END);
+    return lines.join('\n');
+}
+function parseSignatureBlock(content) {
+    const match = SIG_BLOCK_RE.exec(content);
+    if (!match)
+        return null;
+    const body = match[1];
+    const fields = new Map();
+    for (const line of body.split('\n')) {
+        const idx = line.indexOf(':');
+        if (idx === -1)
+            continue;
+        fields.set(line.slice(0, idx).trim(), line.slice(idx + 1).trim());
+    }
+    const pinnedHash = fields.get('pinned_hash');
+    const signedAt = fields.get('signed_at');
+    const signedBy = fields.get('signed_by');
+    if (!pinnedHash || !signedAt || !signedBy)
+        return null;
+    return { pinnedHash, signedAt, signedBy, expiresAt: fields.get('expires_at') };
+}
+function stripSignatureBlock(content) {
+    return content.replace(SIG_BLOCK_RE, '').trimEnd();
+}
+// --- File discovery ---
+function findFiles(targetDir, patterns) {
+    const found = [];
+    if (!fs.existsSync(targetDir))
+        return found;
+    const entries = fs.readdirSync(targetDir, { withFileTypes: true });
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        for (const pattern of patterns) {
+            if (matchPattern(entry.name, pattern)) {
+                found.push(path.join(targetDir, entry.name));
+                break;
+            }
+        }
+    }
+    return found;
+}
+function matchPattern(filename, pattern) {
+    if (pattern.startsWith('*')) {
+        return filename.toLowerCase().endsWith(pattern.slice(1).toLowerCase());
+    }
+    return filename === pattern;
+}
+// --- Testable internals ---
+exports._internals = {
+    findFiles, matchPattern, buildSignatureBlock, parseSignatureBlock,
+    stripSignatureBlock, signFiles, verifyFiles,
+    SKILL_PATTERNS, HEARTBEAT_PATTERNS, HEARTBEAT_EXPIRY_DAYS,
+    SIG_BLOCK_RE,
+};
+//# sourceMappingURL=guard-signing.js.map

package/dist/commands/guard-signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-signing.js","sourceRoot":"","sources":["../../src/commands/guard-signing.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2CH,wCAGC;AAED,gDAGC;AAyBD,sDAGC;AAED,8DAGC;AAlFD,4CAA8B;AAC9B,4CAA8B;AAC9B,gDAAkC;AAClC,6CAAyC;AA2BzC,oBAAoB;AAEpB,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;AAClD,MAAM,kBAAkB,GAAG,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC;AAC9D,MAAM,qBAAqB,GAAG,CAAC,CAAC;AAChC,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAC7C,MAAM,aAAa,GAAG,KAAK,CAAC;AAC5B,MAAM,YAAY,GAAG,mCAAmC,CAAC;AAEzD,kBAAkB;AAEX,KAAK,UAAU,cAAc,CAAC,SAAiB;IACpD,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACnD,OAAO,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;AAC5C,CAAC;AAEM,KAAK,UAAU,kBAAkB,CAAC,SAAiB;IACxD,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;IACvD,OAAO,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,KAAe,EAAE,SAAiB,EAAE,UAAmB;IACxE,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,GAAG,cAAc,CAAC;IAEzD,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACrF,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,qBAAqB,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAEpH,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;QACvF,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,MAAM,GAAG,KAAK,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QAE/E,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,uBAAuB;AAEhB,KAAK,UAAU,qBAAqB,CAAC,SAAiB;IAC3D,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACnD,OAAO,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;AAC9C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAAC,SAAiB;IAC/D,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;IACvD,OAAO,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,WAAW,CAAC,KAAe,EAAE,SAAiB,EAAE,WAAoB;IAC3E,MAAM,OAAO,GAAmB,EAAE,CAAC;IAEnC,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAExC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACxD,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE5F,IAAI,WAAW,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAClC,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;gBAClI,SAAS;YACX,CAAC;QACH,CAAC;QAED,IAAI,WAAW,KAAK,MAAM,CAAC,UAAU,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QACxG,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QAChG,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,kCAAkC;AAElC,SAAS,mBAAmB,CAAC,GAAmB;IAC9C,MAAM,KAAK,GAAG,CAAC,eAAe,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzC,IAAI,GAAG,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,SAAS;QACzB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzC,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;AACjF,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAe;IAC1C,OAAO,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;AACrD,CAAC;AAED,yBAAyB;AAEzB,SAAS,SAAS,CAAC,SAAiB,EAAE,QAAkB;IACtD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACnE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAC9B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBACtC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC7C,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,OAAe;IACrD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,QAAQ,KAAK,OAAO,CAAC;AAC9B,CAAC;AAED,6BAA6B;AAEhB,QAAA,UAAU,GAAG;IACxB,SAAS,EAAE,YAAY,EAAE,mBAAmB,EAAE,mBAAmB;IACjE,mBAAmB,EAAE,SAAS,EAAE,WAAW;IAC3C,cAAc,EAAE,kBAAkB,EAAE,qBAAqB;IACzD,YAAY;CACb,CAAC"}

package/dist/commands/guard-snapshots.d.ts

@@ -0,0 +1,54 @@
+/**
+ * ConfigGuard Snapshots -- timestamped snapshots of signature state for rollback.
+ *
+ * Stores snapshots in .opena2a/guard/snapshots/ as ISO-timestamped JSON files.
+ * Supports create, list, restore, and automatic pruning at 20 snapshots.
+ */
+export interface SnapshotInfo {
+    id: string;
+    createdAt: string;
+    fileCount: number;
+    path: string;
+}
+export interface SnapshotResult {
+    id: string;
+    path: string;
+    fileCount: number;
+}
+export interface RestoreResult {
+    restored: boolean;
+    fileCount: number;
+    previousId: string | null;
+}
+declare function createSnapshot(targetDir: string): SnapshotResult;
+declare function listSnapshots(targetDir: string): SnapshotInfo[];
+declare function restoreSnapshot(targetDir: string, snapshotId: string): RestoreResult;
+declare function pruneSnapshots(snapshotsDir: string): void;
+interface ResignOptions {
+    format?: string;
+    ci?: boolean;
+    verbose?: boolean;
+}
+export declare function guardResign(targetDir: string, options: ResignOptions): Promise<number>;
+declare function confirmAction(): Promise<boolean>;
+interface SnapshotOptions {
+    format?: string;
+    args?: string[];
+    verbose?: boolean;
+}
+export declare function guardSnapshot(targetDir: string, options: SnapshotOptions): Promise<number>;
+export declare const _internals: {
+    createSnapshot: typeof createSnapshot;
+    listSnapshots: typeof listSnapshots;
+    restoreSnapshot: typeof restoreSnapshot;
+    pruneSnapshots: typeof pruneSnapshots;
+    guardResign: typeof guardResign;
+    guardSnapshot: typeof guardSnapshot;
+    confirmAction: typeof confirmAction;
+    STORE_DIR: string;
+    STORE_FILE: string;
+    SNAPSHOTS_DIR: string;
+    MAX_SNAPSHOTS: number;
+};
+export {};
+//# sourceMappingURL=guard-snapshots.d.ts.map

package/dist/commands/guard-snapshots.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-snapshots.d.ts","sourceRoot":"","sources":["../../src/commands/guard-snapshots.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAWD,iBAAS,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,cAAc,CAwBzD;AAED,iBAAS,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,YAAY,EAAE,CA6BxD;AAED,iBAAS,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,aAAa,CAiC7E;AAID,iBAAS,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAelD;AAID,UAAU,aAAa;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAmG5F;AAED,iBAAS,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC,CAWzC;AAED,UAAU,eAAe;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAsDhG;AAID,eAAO,MAAM,UAAU;;;;;;;;;;;;CAItB,CAAC"}