opensentinel 3.1.1 → 3.7.0

package/dist/chunk-ODCFS5WD.js

@@ -0,0 +1,463 @@
+// src/core/intelligence/risk-engine.ts
+var DEFAULT_CONFIG = {
+  maxCostPerRequest: 5,
+  maxCostPerHour: 50,
+  maxCostPerDay: 200,
+  maxToolsPerMinute: 30,
+  maxToolsPerHour: 500,
+  maxMessagesPerMinute: 60,
+  blockedTools: [],
+  blockedPatterns: [],
+  safeMode: false,
+  killSwitch: false,
+  customChecks: [],
+  maxTradeSize: 100,
+  maxDailyTradeSpend: 500,
+  maxTradesPerHour: 5
+};
+var costTracker = {
+  hourly: /* @__PURE__ */ new Map(),
+  daily: /* @__PURE__ */ new Map()
+};
+var rateTracker = /* @__PURE__ */ new Map();
+var tradeSpendTracker = {
+  daily: /* @__PURE__ */ new Map(),
+  hourlyCount: /* @__PURE__ */ new Map()
+};
+var auditLog = [];
+var RiskEngine = class {
+  config;
+  checks = [];
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+    this.initializeBuiltInChecks();
+    this.checks.push(...this.config.customChecks);
+  }
+  initializeBuiltInChecks() {
+    this.checks.push({
+      name: "kill_switch",
+      description: "Emergency kill switch - blocks all actions",
+      severity: "critical",
+      check: () => !this.config.killSwitch,
+      failMessage: "Kill switch is active. All actions are blocked."
+    });
+    this.checks.push({
+      name: "safe_mode",
+      description: "Safe mode restricts to read-only operations",
+      severity: "high",
+      check: (ctx) => {
+        if (!this.config.safeMode) return true;
+        const readOnlyActions = [
+          "read",
+          "search",
+          "list",
+          "get",
+          "query",
+          "analyze",
+          "view"
+        ];
+        return readOnlyActions.some(
+          (a) => ctx.action.toLowerCase().includes(a)
+        );
+      },
+      failMessage: "Safe mode is active. Only read-only operations are allowed."
+    });
+    this.checks.push({
+      name: "blocked_tools",
+      description: "Prevents execution of blocked tools",
+      severity: "high",
+      check: (ctx) => !ctx.toolName || !this.config.blockedTools.includes(ctx.toolName),
+      failMessage: "This tool is blocked by the risk policy."
+    });
+    this.checks.push({
+      name: "blocked_patterns",
+      description: "Prevents actions matching blocked patterns",
+      severity: "high",
+      check: (ctx) => {
+        const inputStr = JSON.stringify(ctx.input || {});
+        return !this.config.blockedPatterns.some(
+          (pattern) => new RegExp(pattern, "i").test(inputStr)
+        );
+      },
+      failMessage: "Input matches a blocked pattern."
+    });
+    this.checks.push({
+      name: "cost_per_request",
+      description: "Limits cost per individual request",
+      severity: "medium",
+      check: (ctx) => !ctx.estimatedCost || ctx.estimatedCost <= this.config.maxCostPerRequest,
+      failMessage: `Request exceeds maximum cost of $${this.config.maxCostPerRequest}.`
+    });
+    this.checks.push({
+      name: "hourly_cost_limit",
+      description: "Limits total cost per hour",
+      severity: "high",
+      check: (ctx) => {
+        const key = ctx.userId || "global";
+        const now = Date.now();
+        const hourMs = 3600 * 1e3;
+        const entry = costTracker.hourly.get(key);
+        if (!entry || now - entry.windowStart > hourMs) {
+          return true;
+        }
+        return entry.total + (ctx.estimatedCost || 0) <= this.config.maxCostPerHour;
+      },
+      failMessage: `Hourly cost limit of $${this.config.maxCostPerHour} exceeded.`
+    });
+    this.checks.push({
+      name: "daily_cost_limit",
+      description: "Limits total cost per day",
+      severity: "high",
+      check: (ctx) => {
+        const key = ctx.userId || "global";
+        const now = Date.now();
+        const dayMs = 86400 * 1e3;
+        const entry = costTracker.daily.get(key);
+        if (!entry || now - entry.windowStart > dayMs) {
+          return true;
+        }
+        return entry.total + (ctx.estimatedCost || 0) <= this.config.maxCostPerDay;
+      },
+      failMessage: `Daily cost limit of $${this.config.maxCostPerDay} exceeded.`
+    });
+    this.checks.push({
+      name: "tool_rate_limit_minute",
+      description: "Limits tool executions per minute",
+      severity: "medium",
+      check: (ctx) => {
+        if (!ctx.toolName) return true;
+        return this.checkRate(
+          `tool:${ctx.userId || "global"}`,
+          60 * 1e3,
+          this.config.maxToolsPerMinute
+        );
+      },
+      failMessage: `Tool execution rate limit exceeded (${this.config.maxToolsPerMinute}/min).`
+    });
+    this.checks.push({
+      name: "tool_rate_limit_hour",
+      description: "Limits tool executions per hour",
+      severity: "medium",
+      check: (ctx) => {
+        if (!ctx.toolName) return true;
+        return this.checkRate(
+          `tool_hourly:${ctx.userId || "global"}`,
+          3600 * 1e3,
+          this.config.maxToolsPerHour
+        );
+      },
+      failMessage: `Tool execution hourly limit exceeded (${this.config.maxToolsPerHour}/hr).`
+    });
+    this.checks.push({
+      name: "message_rate_limit",
+      description: "Limits messages per minute",
+      severity: "medium",
+      check: (ctx) => {
+        if (ctx.action !== "send_message") return true;
+        return this.checkRate(
+          `msg:${ctx.userId || "global"}`,
+          60 * 1e3,
+          this.config.maxMessagesPerMinute
+        );
+      },
+      failMessage: `Message rate limit exceeded (${this.config.maxMessagesPerMinute}/min).`
+    });
+    this.checks.push({
+      name: "command_injection",
+      description: "Prevents command injection in tool inputs",
+      severity: "critical",
+      check: (ctx) => {
+        if (!ctx.input) return true;
+        const dangerousPatterns = [
+          /;\s*(rm|del|format|mkfs|dd)\s/i,
+          /\|\s*(bash|sh|cmd|powershell)/i,
+          /`[^`]*`/,
+          /\$\([^)]*\)/,
+          />\s*\/dev\//i
+        ];
+        const inputStr = JSON.stringify(ctx.input);
+        return !dangerousPatterns.some((p) => p.test(inputStr));
+      },
+      failMessage: "Potential command injection detected in input."
+    });
+    this.checks.push({
+      name: "sensitive_data",
+      description: "Prevents leaking sensitive data patterns",
+      severity: "high",
+      check: (ctx) => {
+        if (!ctx.input) return true;
+        const sensitivePatterns = [
+          /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/,
+          // credit card
+          /\b\d{3}-\d{2}-\d{4}\b/,
+          // SSN
+          /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/
+          // private key
+        ];
+        const inputStr = JSON.stringify(ctx.input);
+        return !sensitivePatterns.some((p) => p.test(inputStr));
+      },
+      failMessage: "Sensitive data pattern detected in input."
+    });
+    this.checks.push({
+      name: "trade_size_limit",
+      description: "Blocks orders exceeding maximum single trade size",
+      severity: "critical",
+      check: (ctx) => {
+        if (ctx.toolName !== "crypto_exchange") return true;
+        const input = ctx.input || {};
+        if (input.action !== "place_order") return true;
+        const estimatedTotal = input._estimatedTotal || 0;
+        if (estimatedTotal <= 0) return true;
+        return estimatedTotal <= this.config.maxTradeSize;
+      },
+      failMessage: `Trade exceeds maximum single order size of $${this.config.maxTradeSize}.`
+    });
+    this.checks.push({
+      name: "daily_trade_spend_limit",
+      description: "Blocks when daily trade spending cap exceeded",
+      severity: "critical",
+      check: (ctx) => {
+        if (ctx.toolName !== "crypto_exchange") return true;
+        const input = ctx.input || {};
+        if (input.action !== "place_order") return true;
+        const estimatedTotal = input._estimatedTotal || 0;
+        if (estimatedTotal <= 0) return true;
+        const key = ctx.userId || "global";
+        const now = Date.now();
+        const dayMs = 86400 * 1e3;
+        const entry = tradeSpendTracker.daily.get(key);
+        if (!entry || now - entry.windowStart > dayMs) {
+          return true;
+        }
+        return entry.total + estimatedTotal <= this.config.maxDailyTradeSpend;
+      },
+      failMessage: `Daily trade spend limit of $${this.config.maxDailyTradeSpend} exceeded.`
+    });
+    this.checks.push({
+      name: "trade_rate_limit",
+      description: "Blocks when hourly trade count exceeded",
+      severity: "high",
+      check: (ctx) => {
+        if (ctx.toolName !== "crypto_exchange") return true;
+        const input = ctx.input || {};
+        if (input.action !== "place_order") return true;
+        const key = ctx.userId || "global";
+        const now = Date.now();
+        const hourMs = 3600 * 1e3;
+        const entry = tradeSpendTracker.hourlyCount.get(key);
+        if (!entry || now - entry.windowStart > hourMs) {
+          return true;
+        }
+        return entry.count < this.config.maxTradesPerHour;
+      },
+      failMessage: `Trade rate limit exceeded (${this.config.maxTradesPerHour}/hr).`
+    });
+  }
+  checkRate(key, windowMs, maxCount) {
+    const now = Date.now();
+    let entry = rateTracker.get(key);
+    if (!entry) {
+      entry = { timestamps: [] };
+      rateTracker.set(key, entry);
+    }
+    entry.timestamps = entry.timestamps.filter((t) => now - t < windowMs);
+    return entry.timestamps.length < maxCount;
+  }
+  recordRate(key) {
+    let entry = rateTracker.get(key);
+    if (!entry) {
+      entry = { timestamps: [] };
+      rateTracker.set(key, entry);
+    }
+    entry.timestamps.push(Date.now());
+  }
+  /**
+   * Evaluate all risk checks for an action
+   * This is the main entry point - NON-BYPASSABLE
+   */
+  async evaluate(context) {
+    const results = [];
+    let allowed = true;
+    for (const check of this.checks) {
+      let passed;
+      try {
+        passed = await check.check(context);
+      } catch {
+        passed = false;
+      }
+      results.push({
+        name: check.name,
+        passed,
+        severity: check.severity,
+        message: passed ? void 0 : check.failMessage
+      });
+      if (!passed && (check.severity === "critical" || check.severity === "high")) {
+        allowed = false;
+      }
+    }
+    const decision = {
+      allowed,
+      checks: results,
+      timestamp: /* @__PURE__ */ new Date(),
+      context
+    };
+    auditLog.push(decision);
+    if (auditLog.length > 1e4) {
+      auditLog.splice(0, auditLog.length - 5e3);
+    }
+    if (allowed) {
+      if (context.toolName) {
+        this.recordRate(`tool:${context.userId || "global"}`);
+        this.recordRate(`tool_hourly:${context.userId || "global"}`);
+      }
+      if (context.action === "send_message") {
+        this.recordRate(`msg:${context.userId || "global"}`);
+      }
+      if (context.estimatedCost) {
+        this.recordCost(context.userId || "global", context.estimatedCost);
+      }
+    }
+    return decision;
+  }
+  recordCost(userId, cost) {
+    const now = Date.now();
+    const hourMs = 3600 * 1e3;
+    const dayMs = 86400 * 1e3;
+    let hourly = costTracker.hourly.get(userId);
+    if (!hourly || now - hourly.windowStart > hourMs) {
+      hourly = { total: 0, windowStart: now };
+      costTracker.hourly.set(userId, hourly);
+    }
+    hourly.total += cost;
+    let daily = costTracker.daily.get(userId);
+    if (!daily || now - daily.windowStart > dayMs) {
+      daily = { total: 0, windowStart: now };
+      costTracker.daily.set(userId, daily);
+    }
+    daily.total += cost;
+  }
+  /**
+   * Add a custom risk check
+   */
+  addCheck(check) {
+    this.checks.push(check);
+  }
+  /**
+   * Activate kill switch
+   */
+  activateKillSwitch() {
+    this.config.killSwitch = true;
+  }
+  /**
+   * Deactivate kill switch
+   */
+  deactivateKillSwitch() {
+    this.config.killSwitch = false;
+  }
+  /**
+   * Enable safe mode
+   */
+  enableSafeMode() {
+    this.config.safeMode = true;
+  }
+  /**
+   * Disable safe mode
+   */
+  disableSafeMode() {
+    this.config.safeMode = false;
+  }
+  /**
+   * Block a tool
+   */
+  blockTool(toolName) {
+    if (!this.config.blockedTools.includes(toolName)) {
+      this.config.blockedTools.push(toolName);
+    }
+  }
+  /**
+   * Unblock a tool
+   */
+  unblockTool(toolName) {
+    this.config.blockedTools = this.config.blockedTools.filter(
+      (t) => t !== toolName
+    );
+  }
+  /**
+   * Get recent audit log
+   */
+  getAuditLog(limit = 100) {
+    return auditLog.slice(-limit);
+  }
+  /**
+   * Get current configuration
+   */
+  getConfig() {
+    return { ...this.config };
+  }
+  /**
+   * Update configuration
+   */
+  updateConfig(updates) {
+    Object.assign(this.config, updates);
+  }
+  /**
+   * Record trade spend after a successful trade execution.
+   * Call this after a trade completes to track daily/hourly limits.
+   */
+  recordTradeSpend(userId, amountUsd) {
+    const now = Date.now();
+    const dayMs = 86400 * 1e3;
+    const hourMs = 3600 * 1e3;
+    let daily = tradeSpendTracker.daily.get(userId);
+    if (!daily || now - daily.windowStart > dayMs) {
+      daily = { total: 0, windowStart: now };
+      tradeSpendTracker.daily.set(userId, daily);
+    }
+    daily.total += amountUsd;
+    let hourly = tradeSpendTracker.hourlyCount.get(userId);
+    if (!hourly || now - hourly.windowStart > hourMs) {
+      hourly = { count: 0, windowStart: now };
+      tradeSpendTracker.hourlyCount.set(userId, hourly);
+    }
+    hourly.count += 1;
+  }
+  /**
+   * Register risk engine as a hook on tool:execute to intercept
+   * financial tool calls at the hook level.
+   */
+  registerAsHook(hookMgr) {
+    return hookMgr.register({
+      event: "tool:execute",
+      phase: "before",
+      name: "risk-engine-financial",
+      priority: 3,
+      // Run before tool sandbox (priority 5)
+      handler: async (context) => {
+        const toolName = context.data.toolName || "";
+        const input = context.data.input || {};
+        if (toolName !== "crypto_exchange") return context;
+        const decision = await this.evaluate({
+          action: "tool_execute",
+          userId: context.userId,
+          toolName,
+          input
+        });
+        if (!decision.allowed) {
+          context.cancelled = true;
+          const failedChecks = decision.checks.filter((c) => !c.passed).map((c) => c.message).join("; ");
+          context.cancelReason = `[RiskEngine] BLOCKED: ${failedChecks}`;
+          console.log(`[RiskEngine] Blocked ${toolName}: ${failedChecks}`);
+        }
+        return context;
+      }
+    });
+  }
+};
+var riskEngine = new RiskEngine();
+
+export {
+  RiskEngine,
+  riskEngine
+};
+//# sourceMappingURL=chunk-ODCFS5WD.js.map

package/dist/chunk-ODCFS5WD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core/intelligence/risk-engine.ts"],"sourcesContent":["/**\r\n * Risk/Constraint Engine\r\n * Ported from PolyMarketAI (Python) to TypeScript\r\n *\r\n * Non-bypassable safety layer with configurable checks:\r\n * - Rate limiting per action type\r\n * - Cost/budget thresholds\r\n * - Content safety checks\r\n * - Tool execution constraints\r\n * - Kill switch and safe mode\r\n * - Audit trail for all decisions\r\n */\r\n\r\nexport interface RiskCheck {\r\n  name: string;\r\n  description: string;\r\n  severity: \"low\" | \"medium\" | \"high\" | \"critical\";\r\n  /** Return true if the check passes (action is safe) */\r\n  check: (context: RiskContext) => Promise<boolean> | boolean;\r\n  /** Message when check fails */\r\n  failMessage: string;\r\n}\r\n\r\nexport interface RiskContext {\r\n  action: string;\r\n  userId?: string;\r\n  toolName?: string;\r\n  input?: Record<string, unknown>;\r\n  estimatedCost?: number;\r\n  metadata?: Record<string, unknown>;\r\n}\r\n\r\nexport interface RiskDecision {\r\n  allowed: boolean;\r\n  checks: Array<{\r\n    name: string;\r\n    passed: boolean;\r\n    severity: string;\r\n    message?: string;\r\n  }>;\r\n  timestamp: Date;\r\n  context: RiskContext;\r\n}\r\n\r\nexport interface RiskConfig {\r\n  /** Maximum cost per request in USD */\r\n  maxCostPerRequest: number;\r\n  /** Maximum cost per hour in USD */\r\n  maxCostPerHour: number;\r\n  /** Maximum cost per day in USD */\r\n  maxCostPerDay: number;\r\n  /** Maximum tool executions per minute */\r\n  maxToolsPerMinute: number;\r\n  /** Maximum tool executions per hour */\r\n  maxToolsPerHour: number;\r\n  /** Maximum messages per minute */\r\n  maxMessagesPerMinute: number;\r\n  /** Blocked tool names */\r\n  blockedTools: string[];\r\n  /** Blocked action patterns (regex) */\r\n  blockedPatterns: string[];\r\n  /** Whether safe mode is active (restricts to read-only operations) */\r\n  safeMode: boolean;\r\n  /** Kill switch - blocks ALL actions */\r\n  killSwitch: boolean;\r\n  /** Custom risk checks */\r\n  customChecks: RiskCheck[];\r\n  /** Maximum single trade size in USD */\r\n  maxTradeSize: number;\r\n  /** Maximum daily trade spend in USD */\r\n  maxDailyTradeSpend: number;\r\n  /** Maximum trades per hour */\r\n  maxTradesPerHour: number;\r\n}\r\n\r\nconst DEFAULT_CONFIG: RiskConfig = {\r\n  maxCostPerRequest: 5.0,\r\n  maxCostPerHour: 50.0,\r\n  maxCostPerDay: 200.0,\r\n  maxToolsPerMinute: 30,\r\n  maxToolsPerHour: 500,\r\n  maxMessagesPerMinute: 60,\r\n  blockedTools: [],\r\n  blockedPatterns: [],\r\n  safeMode: false,\r\n  killSwitch: false,\r\n  customChecks: [],\r\n  maxTradeSize: 100,\r\n  maxDailyTradeSpend: 500,\r\n  maxTradesPerHour: 5,\r\n};\r\n\r\n// Tracking state\r\nconst costTracker = {\r\n  hourly: new Map<string, { total: number; windowStart: number }>(),\r\n  daily: new Map<string, { total: number; windowStart: number }>(),\r\n};\r\n\r\nconst rateTracker = new Map<\r\n  string,\r\n  { timestamps: number[] }\r\n>();\r\n\r\n// Financial trade spend tracker (daily window)\r\nconst tradeSpendTracker = {\r\n  daily: new Map<string, { total: number; windowStart: number }>(),\r\n  hourlyCount: new Map<string, { count: number; windowStart: number }>(),\r\n};\r\n\r\nconst auditLog: RiskDecision[] = [];\r\n\r\n/**\r\n * Risk Engine\r\n */\r\nexport class RiskEngine {\r\n  private config: RiskConfig;\r\n  private checks: RiskCheck[] = [];\r\n\r\n  constructor(config: Partial<RiskConfig> = {}) {\r\n    this.config = { ...DEFAULT_CONFIG, ...config };\r\n    this.initializeBuiltInChecks();\r\n    this.checks.push(...this.config.customChecks);\r\n  }\r\n\r\n  private initializeBuiltInChecks(): void {\r\n    // Kill switch check\r\n    this.checks.push({\r\n      name: \"kill_switch\",\r\n      description: \"Emergency kill switch - blocks all actions\",\r\n      severity: \"critical\",\r\n      check: () => !this.config.killSwitch,\r\n      failMessage: \"Kill switch is active. All actions are blocked.\",\r\n    });\r\n\r\n    // Safe mode check\r\n    this.checks.push({\r\n      name: \"safe_mode\",\r\n      description: \"Safe mode restricts to read-only operations\",\r\n      severity: \"high\",\r\n      check: (ctx) => {\r\n        if (!this.config.safeMode) return true;\r\n        const readOnlyActions = [\r\n          \"read\",\r\n          \"search\",\r\n          \"list\",\r\n          \"get\",\r\n          \"query\",\r\n          \"analyze\",\r\n          \"view\",\r\n        ];\r\n        return readOnlyActions.some((a) =>\r\n          ctx.action.toLowerCase().includes(a)\r\n        );\r\n      },\r\n      failMessage: \"Safe mode is active. Only read-only operations are allowed.\",\r\n    });\r\n\r\n    // Blocked tools check\r\n    this.checks.push({\r\n      name: \"blocked_tools\",\r\n      description: \"Prevents execution of blocked tools\",\r\n      severity: \"high\",\r\n      check: (ctx) =>\r\n        !ctx.toolName || !this.config.blockedTools.includes(ctx.toolName),\r\n      failMessage: \"This tool is blocked by the risk policy.\",\r\n    });\r\n\r\n    // Blocked patterns check\r\n    this.checks.push({\r\n      name: \"blocked_patterns\",\r\n      description: \"Prevents actions matching blocked patterns\",\r\n      severity: \"high\",\r\n      check: (ctx) => {\r\n        const inputStr = JSON.stringify(ctx.input || {});\r\n        return !this.config.blockedPatterns.some((pattern) =>\r\n          new RegExp(pattern, \"i\").test(inputStr)\r\n        );\r\n      },\r\n      failMessage: \"Input matches a blocked pattern.\",\r\n    });\r\n\r\n    // Cost per request check\r\n    this.checks.push({\r\n      name: \"cost_per_request\",\r\n      description: \"Limits cost per individual request\",\r\n      severity: \"medium\",\r\n      check: (ctx) =>\r\n        !ctx.estimatedCost ||\r\n        ctx.estimatedCost <= this.config.maxCostPerRequest,\r\n      failMessage: `Request exceeds maximum cost of $${this.config.maxCostPerRequest}.`,\r\n    });\r\n\r\n    // Hourly cost check\r\n    this.checks.push({\r\n      name: \"hourly_cost_limit\",\r\n      description: \"Limits total cost per hour\",\r\n      severity: \"high\",\r\n      check: (ctx) => {\r\n        const key = ctx.userId || \"global\";\r\n        const now = Date.now();\r\n        const hourMs = 3600 * 1000;\r\n        const entry = costTracker.hourly.get(key);\r\n\r\n        if (!entry || now - entry.windowStart > hourMs) {\r\n          return true;\r\n        }\r\n        return entry.total + (ctx.estimatedCost || 0) <= this.config.maxCostPerHour;\r\n      },\r\n      failMessage: `Hourly cost limit of $${this.config.maxCostPerHour} exceeded.`,\r\n    });\r\n\r\n    // Daily cost check\r\n    this.checks.push({\r\n      name: \"daily_cost_limit\",\r\n      description: \"Limits total cost per day\",\r\n      severity: \"high\",\r\n      check: (ctx) => {\r\n        const key = ctx.userId || \"global\";\r\n        const now = Date.now();\r\n        const dayMs = 86400 * 1000;\r\n        const entry = costTracker.daily.get(key);\r\n\r\n        if (!entry || now - entry.windowStart > dayMs) {\r\n          return true;\r\n        }\r\n        return entry.total + (ctx.estimatedCost || 0) <= this.config.maxCostPerDay;\r\n      },\r\n      failMessage: `Daily cost limit of $${this.config.maxCostPerDay} exceeded.`,\r\n    });\r\n\r\n    // Rate limit: tools per minute\r\n    this.checks.push({\r\n      name: \"tool_rate_limit_minute\",\r\n      description: \"Limits tool executions per minute\",\r\n      severity: \"medium\",\r\n      check: (ctx) => {\r\n        if (!ctx.toolName) return true;\r\n        return this.checkRate(\r\n          `tool:${ctx.userId || \"global\"}`,\r\n          60 * 1000,\r\n          this.config.maxToolsPerMinute\r\n        );\r\n      },\r\n      failMessage: `Tool execution rate limit exceeded (${this.config.maxToolsPerMinute}/min).`,\r\n    });\r\n\r\n    // Rate limit: tools per hour\r\n    this.checks.push({\r\n      name: \"tool_rate_limit_hour\",\r\n      description: \"Limits tool executions per hour\",\r\n      severity: \"medium\",\r\n      check: (ctx) => {\r\n        if (!ctx.toolName) return true;\r\n        return this.checkRate(\r\n          `tool_hourly:${ctx.userId || \"global\"}`,\r\n          3600 * 1000,\r\n          this.config.maxToolsPerHour\r\n        );\r\n      },\r\n      failMessage: `Tool execution hourly limit exceeded (${this.config.maxToolsPerHour}/hr).`,\r\n    });\r\n\r\n    // Rate limit: messages per minute\r\n    this.checks.push({\r\n      name: \"message_rate_limit\",\r\n      description: \"Limits messages per minute\",\r\n      severity: \"medium\",\r\n      check: (ctx) => {\r\n        if (ctx.action !== \"send_message\") return true;\r\n        return this.checkRate(\r\n          `msg:${ctx.userId || \"global\"}`,\r\n          60 * 1000,\r\n          this.config.maxMessagesPerMinute\r\n        );\r\n      },\r\n      failMessage: `Message rate limit exceeded (${this.config.maxMessagesPerMinute}/min).`,\r\n    });\r\n\r\n    // Command injection check\r\n    this.checks.push({\r\n      name: \"command_injection\",\r\n      description: \"Prevents command injection in tool inputs\",\r\n      severity: \"critical\",\r\n      check: (ctx) => {\r\n        if (!ctx.input) return true;\r\n        const dangerousPatterns = [\r\n          /;\\s*(rm|del|format|mkfs|dd)\\s/i,\r\n          /\\|\\s*(bash|sh|cmd|powershell)/i,\r\n          /`[^`]*`/,\r\n          /\\$\\([^)]*\\)/,\r\n          />\\s*\\/dev\\//i,\r\n        ];\r\n        const inputStr = JSON.stringify(ctx.input);\r\n        return !dangerousPatterns.some((p) => p.test(inputStr));\r\n      },\r\n      failMessage: \"Potential command injection detected in input.\",\r\n    });\r\n\r\n    // Sensitive data check\r\n    this.checks.push({\r\n      name: \"sensitive_data\",\r\n      description: \"Prevents leaking sensitive data patterns\",\r\n      severity: \"high\",\r\n      check: (ctx) => {\r\n        if (!ctx.input) return true;\r\n        const sensitivePatterns = [\r\n          /\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/, // credit card\r\n          /\\b\\d{3}-\\d{2}-\\d{4}\\b/, // SSN\r\n          /-----BEGIN\\s+(RSA\\s+)?PRIVATE\\s+KEY-----/, // private key\r\n        ];\r\n        const inputStr = JSON.stringify(ctx.input);\r\n        return !sensitivePatterns.some((p) => p.test(inputStr));\r\n      },\r\n      failMessage: \"Sensitive data pattern detected in input.\",\r\n    });\r\n\r\n    // ── Financial Trade Safeguards ─────────────────────────────────────────\r\n\r\n    // Trade size limit\r\n    this.checks.push({\r\n      name: \"trade_size_limit\",\r\n      description: \"Blocks orders exceeding maximum single trade size\",\r\n      severity: \"critical\",\r\n      check: (ctx) => {\r\n        if (ctx.toolName !== \"crypto_exchange\") return true;\r\n        const input = ctx.input || {};\r\n        if (input.action !== \"place_order\") return true;\r\n        const estimatedTotal = (input._estimatedTotal as number) || 0;\r\n        if (estimatedTotal <= 0) return true;\r\n        return estimatedTotal <= this.config.maxTradeSize;\r\n      },\r\n      failMessage: `Trade exceeds maximum single order size of $${this.config.maxTradeSize}.`,\r\n    });\r\n\r\n    // Daily trade spend limit\r\n    this.checks.push({\r\n      name: \"daily_trade_spend_limit\",\r\n      description: \"Blocks when daily trade spending cap exceeded\",\r\n      severity: \"critical\",\r\n      check: (ctx) => {\r\n        if (ctx.toolName !== \"crypto_exchange\") return true;\r\n        const input = ctx.input || {};\r\n        if (input.action !== \"place_order\") return true;\r\n        const estimatedTotal = (input._estimatedTotal as number) || 0;\r\n        if (estimatedTotal <= 0) return true;\r\n\r\n        const key = ctx.userId || \"global\";\r\n        const now = Date.now();\r\n        const dayMs = 86400 * 1000;\r\n        const entry = tradeSpendTracker.daily.get(key);\r\n\r\n        if (!entry || now - entry.windowStart > dayMs) {\r\n          return true;\r\n        }\r\n        return entry.total + estimatedTotal <= this.config.maxDailyTradeSpend;\r\n      },\r\n      failMessage: `Daily trade spend limit of $${this.config.maxDailyTradeSpend} exceeded.`,\r\n    });\r\n\r\n    // Trade rate limit (per hour)\r\n    this.checks.push({\r\n      name: \"trade_rate_limit\",\r\n      description: \"Blocks when hourly trade count exceeded\",\r\n      severity: \"high\",\r\n      check: (ctx) => {\r\n        if (ctx.toolName !== \"crypto_exchange\") return true;\r\n        const input = ctx.input || {};\r\n        if (input.action !== \"place_order\") return true;\r\n\r\n        const key = ctx.userId || \"global\";\r\n        const now = Date.now();\r\n        const hourMs = 3600 * 1000;\r\n        const entry = tradeSpendTracker.hourlyCount.get(key);\r\n\r\n        if (!entry || now - entry.windowStart > hourMs) {\r\n          return true;\r\n        }\r\n        return entry.count < this.config.maxTradesPerHour;\r\n      },\r\n      failMessage: `Trade rate limit exceeded (${this.config.maxTradesPerHour}/hr).`,\r\n    });\r\n  }\r\n\r\n  private checkRate(key: string, windowMs: number, maxCount: number): boolean {\r\n    const now = Date.now();\r\n    let entry = rateTracker.get(key);\r\n\r\n    if (!entry) {\r\n      entry = { timestamps: [] };\r\n      rateTracker.set(key, entry);\r\n    }\r\n\r\n    // Remove expired timestamps\r\n    entry.timestamps = entry.timestamps.filter((t) => now - t < windowMs);\r\n\r\n    return entry.timestamps.length < maxCount;\r\n  }\r\n\r\n  private recordRate(key: string): void {\r\n    let entry = rateTracker.get(key);\r\n    if (!entry) {\r\n      entry = { timestamps: [] };\r\n      rateTracker.set(key, entry);\r\n    }\r\n    entry.timestamps.push(Date.now());\r\n  }\r\n\r\n  /**\r\n   * Evaluate all risk checks for an action\r\n   * This is the main entry point - NON-BYPASSABLE\r\n   */\r\n  async evaluate(context: RiskContext): Promise<RiskDecision> {\r\n    const results: RiskDecision[\"checks\"] = [];\r\n    let allowed = true;\r\n\r\n    for (const check of this.checks) {\r\n      let passed: boolean;\r\n      try {\r\n        passed = await check.check(context);\r\n      } catch {\r\n        passed = false;\r\n      }\r\n\r\n      results.push({\r\n        name: check.name,\r\n        passed,\r\n        severity: check.severity,\r\n        message: passed ? undefined : check.failMessage,\r\n      });\r\n\r\n      if (!passed && (check.severity === \"critical\" || check.severity === \"high\")) {\r\n        allowed = false;\r\n      }\r\n    }\r\n\r\n    const decision: RiskDecision = {\r\n      allowed,\r\n      checks: results,\r\n      timestamp: new Date(),\r\n      context,\r\n    };\r\n\r\n    // Record in audit log\r\n    auditLog.push(decision);\r\n    if (auditLog.length > 10000) {\r\n      auditLog.splice(0, auditLog.length - 5000);\r\n    }\r\n\r\n    // Record rate tracking if allowed\r\n    if (allowed) {\r\n      if (context.toolName) {\r\n        this.recordRate(`tool:${context.userId || \"global\"}`);\r\n        this.recordRate(`tool_hourly:${context.userId || \"global\"}`);\r\n      }\r\n      if (context.action === \"send_message\") {\r\n        this.recordRate(`msg:${context.userId || \"global\"}`);\r\n      }\r\n      if (context.estimatedCost) {\r\n        this.recordCost(context.userId || \"global\", context.estimatedCost);\r\n      }\r\n    }\r\n\r\n    return decision;\r\n  }\r\n\r\n  private recordCost(userId: string, cost: number): void {\r\n    const now = Date.now();\r\n    const hourMs = 3600 * 1000;\r\n    const dayMs = 86400 * 1000;\r\n\r\n    // Hourly\r\n    let hourly = costTracker.hourly.get(userId);\r\n    if (!hourly || now - hourly.windowStart > hourMs) {\r\n      hourly = { total: 0, windowStart: now };\r\n      costTracker.hourly.set(userId, hourly);\r\n    }\r\n    hourly.total += cost;\r\n\r\n    // Daily\r\n    let daily = costTracker.daily.get(userId);\r\n    if (!daily || now - daily.windowStart > dayMs) {\r\n      daily = { total: 0, windowStart: now };\r\n      costTracker.daily.set(userId, daily);\r\n    }\r\n    daily.total += cost;\r\n  }\r\n\r\n  /**\r\n   * Add a custom risk check\r\n   */\r\n  addCheck(check: RiskCheck): void {\r\n    this.checks.push(check);\r\n  }\r\n\r\n  /**\r\n   * Activate kill switch\r\n   */\r\n  activateKillSwitch(): void {\r\n    this.config.killSwitch = true;\r\n  }\r\n\r\n  /**\r\n   * Deactivate kill switch\r\n   */\r\n  deactivateKillSwitch(): void {\r\n    this.config.killSwitch = false;\r\n  }\r\n\r\n  /**\r\n   * Enable safe mode\r\n   */\r\n  enableSafeMode(): void {\r\n    this.config.safeMode = true;\r\n  }\r\n\r\n  /**\r\n   * Disable safe mode\r\n   */\r\n  disableSafeMode(): void {\r\n    this.config.safeMode = false;\r\n  }\r\n\r\n  /**\r\n   * Block a tool\r\n   */\r\n  blockTool(toolName: string): void {\r\n    if (!this.config.blockedTools.includes(toolName)) {\r\n      this.config.blockedTools.push(toolName);\r\n    }\r\n  }\r\n\r\n  /**\r\n   * Unblock a tool\r\n   */\r\n  unblockTool(toolName: string): void {\r\n    this.config.blockedTools = this.config.blockedTools.filter(\r\n      (t) => t !== toolName\r\n    );\r\n  }\r\n\r\n  /**\r\n   * Get recent audit log\r\n   */\r\n  getAuditLog(limit = 100): RiskDecision[] {\r\n    return auditLog.slice(-limit);\r\n  }\r\n\r\n  /**\r\n   * Get current configuration\r\n   */\r\n  getConfig(): RiskConfig {\r\n    return { ...this.config };\r\n  }\r\n\r\n  /**\r\n   * Update configuration\r\n   */\r\n  updateConfig(updates: Partial<RiskConfig>): void {\r\n    Object.assign(this.config, updates);\r\n  }\r\n\r\n  /**\r\n   * Record trade spend after a successful trade execution.\r\n   * Call this after a trade completes to track daily/hourly limits.\r\n   */\r\n  recordTradeSpend(userId: string, amountUsd: number): void {\r\n    const now = Date.now();\r\n    const dayMs = 86400 * 1000;\r\n    const hourMs = 3600 * 1000;\r\n\r\n    // Daily spend\r\n    let daily = tradeSpendTracker.daily.get(userId);\r\n    if (!daily || now - daily.windowStart > dayMs) {\r\n      daily = { total: 0, windowStart: now };\r\n      tradeSpendTracker.daily.set(userId, daily);\r\n    }\r\n    daily.total += amountUsd;\r\n\r\n    // Hourly count\r\n    let hourly = tradeSpendTracker.hourlyCount.get(userId);\r\n    if (!hourly || now - hourly.windowStart > hourMs) {\r\n      hourly = { count: 0, windowStart: now };\r\n      tradeSpendTracker.hourlyCount.set(userId, hourly);\r\n    }\r\n    hourly.count += 1;\r\n  }\r\n\r\n  /**\r\n   * Register risk engine as a hook on tool:execute to intercept\r\n   * financial tool calls at the hook level.\r\n   */\r\n  registerAsHook(hookMgr: {\r\n    register: (hook: {\r\n      event: \"tool:execute\";\r\n      phase: \"before\";\r\n      name: string;\r\n      priority?: number;\r\n      handler: (context: any) => Promise<any>;\r\n    }) => string;\r\n  }): string {\r\n    return hookMgr.register({\r\n      event: \"tool:execute\",\r\n      phase: \"before\",\r\n      name: \"risk-engine-financial\",\r\n      priority: 3, // Run before tool sandbox (priority 5)\r\n      handler: async (context: any) => {\r\n        const toolName = context.data.toolName as string || \"\";\r\n        const input = (context.data.input as Record<string, unknown>) || {};\r\n\r\n        // Only intercept financial tools\r\n        if (toolName !== \"crypto_exchange\") return context;\r\n\r\n        const decision = await this.evaluate({\r\n          action: \"tool_execute\",\r\n          userId: context.userId,\r\n          toolName,\r\n          input,\r\n        });\r\n\r\n        if (!decision.allowed) {\r\n          context.cancelled = true;\r\n          const failedChecks = decision.checks\r\n            .filter((c: any) => !c.passed)\r\n            .map((c: any) => c.message)\r\n            .join(\"; \");\r\n          context.cancelReason = `[RiskEngine] BLOCKED: ${failedChecks}`;\r\n          console.log(`[RiskEngine] Blocked ${toolName}: ${failedChecks}`);\r\n        }\r\n\r\n        return context;\r\n      },\r\n    });\r\n  }\r\n}\r\n\r\n/** Singleton risk engine instance */\r\nexport const riskEngine = new RiskEngine();\r\n"],"mappings":";AA2EA,IAAM,iBAA6B;AAAA,EACjC,mBAAmB;AAAA,EACnB,gBAAgB;AAAA,EAChB,eAAe;AAAA,EACf,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,sBAAsB;AAAA,EACtB,cAAc,CAAC;AAAA,EACf,iBAAiB,CAAC;AAAA,EAClB,UAAU;AAAA,EACV,YAAY;AAAA,EACZ,cAAc,CAAC;AAAA,EACf,cAAc;AAAA,EACd,oBAAoB;AAAA,EACpB,kBAAkB;AACpB;AAGA,IAAM,cAAc;AAAA,EAClB,QAAQ,oBAAI,IAAoD;AAAA,EAChE,OAAO,oBAAI,IAAoD;AACjE;AAEA,IAAM,cAAc,oBAAI,IAGtB;AAGF,IAAM,oBAAoB;AAAA,EACxB,OAAO,oBAAI,IAAoD;AAAA,EAC/D,aAAa,oBAAI,IAAoD;AACvE;AAEA,IAAM,WAA2B,CAAC;AAK3B,IAAM,aAAN,MAAiB;AAAA,EACd;AAAA,EACA,SAAsB,CAAC;AAAA,EAE/B,YAAY,SAA8B,CAAC,GAAG;AAC5C,SAAK,SAAS,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAC7C,SAAK,wBAAwB;AAC7B,SAAK,OAAO,KAAK,GAAG,KAAK,OAAO,YAAY;AAAA,EAC9C;AAAA,EAEQ,0BAAgC;AAEtC,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,MAAM,CAAC,KAAK,OAAO;AAAA,MAC1B,aAAa;AAAA,IACf,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,CAAC,KAAK,OAAO,SAAU,QAAO;AAClC,cAAM,kBAAkB;AAAA,UACtB;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,eAAO,gBAAgB;AAAA,UAAK,CAAC,MAC3B,IAAI,OAAO,YAAY,EAAE,SAAS,CAAC;AAAA,QACrC;AAAA,MACF;AAAA,MACA,aAAa;AAAA,IACf,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QACN,CAAC,IAAI,YAAY,CAAC,KAAK,OAAO,aAAa,SAAS,IAAI,QAAQ;AAAA,MAClE,aAAa;AAAA,IACf,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,cAAM,WAAW,KAAK,UAAU,IAAI,SAAS,CAAC,CAAC;AAC/C,eAAO,CAAC,KAAK,OAAO,gBAAgB;AAAA,UAAK,CAAC,YACxC,IAAI,OAAO,SAAS,GAAG,EAAE,KAAK,QAAQ;AAAA,QACxC;AAAA,MACF;AAAA,MACA,aAAa;AAAA,IACf,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QACN,CAAC,IAAI,iBACL,IAAI,iBAAiB,KAAK,OAAO;AAAA,MACnC,aAAa,oCAAoC,KAAK,OAAO,iBAAiB;AAAA,IAChF,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,cAAM,MAAM,IAAI,UAAU;AAC1B,cAAM,MAAM,KAAK,IAAI;AACrB,cAAM,SAAS,OAAO;AACtB,cAAM,QAAQ,YAAY,OAAO,IAAI,GAAG;AAExC,YAAI,CAAC,SAAS,MAAM,MAAM,cAAc,QAAQ;AAC9C,iBAAO;AAAA,QACT;AACA,eAAO,MAAM,SAAS,IAAI,iBAAiB,MAAM,KAAK,OAAO;AAAA,MAC/D;AAAA,MACA,aAAa,yBAAyB,KAAK,OAAO,cAAc;AAAA,IAClE,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,cAAM,MAAM,IAAI,UAAU;AAC1B,cAAM,MAAM,KAAK,IAAI;AACrB,cAAM,QAAQ,QAAQ;AACtB,cAAM,QAAQ,YAAY,MAAM,IAAI,GAAG;AAEvC,YAAI,CAAC,SAAS,MAAM,MAAM,cAAc,OAAO;AAC7C,iBAAO;AAAA,QACT;AACA,eAAO,MAAM,SAAS,IAAI,iBAAiB,MAAM,KAAK,OAAO;AAAA,MAC/D;AAAA,MACA,aAAa,wBAAwB,KAAK,OAAO,aAAa;AAAA,IAChE,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,CAAC,IAAI,SAAU,QAAO;AAC1B,eAAO,KAAK;AAAA,UACV,QAAQ,IAAI,UAAU,QAAQ;AAAA,UAC9B,KAAK;AAAA,UACL,KAAK,OAAO;AAAA,QACd;AAAA,MACF;AAAA,MACA,aAAa,uCAAuC,KAAK,OAAO,iBAAiB;AAAA,IACnF,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,CAAC,IAAI,SAAU,QAAO;AAC1B,eAAO,KAAK;AAAA,UACV,eAAe,IAAI,UAAU,QAAQ;AAAA,UACrC,OAAO;AAAA,UACP,KAAK,OAAO;AAAA,QACd;AAAA,MACF;AAAA,MACA,aAAa,yCAAyC,KAAK,OAAO,eAAe;AAAA,IACnF,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,IAAI,WAAW,eAAgB,QAAO;AAC1C,eAAO,KAAK;AAAA,UACV,OAAO,IAAI,UAAU,QAAQ;AAAA,UAC7B,KAAK;AAAA,UACL,KAAK,OAAO;AAAA,QACd;AAAA,MACF;AAAA,MACA,aAAa,gCAAgC,KAAK,OAAO,oBAAoB;AAAA,IAC/E,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,CAAC,IAAI,MAAO,QAAO;AACvB,cAAM,oBAAoB;AAAA,UACxB;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,cAAM,WAAW,KAAK,UAAU,IAAI,KAAK;AACzC,eAAO,CAAC,kBAAkB,KAAK,CAAC,MAAM,EAAE,KAAK,QAAQ,CAAC;AAAA,MACxD;AAAA,MACA,aAAa;AAAA,IACf,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,CAAC,IAAI,MAAO,QAAO;AACvB,cAAM,oBAAoB;AAAA,UACxB;AAAA;AAAA,UACA;AAAA;AAAA,UACA;AAAA;AAAA,QACF;AACA,cAAM,WAAW,KAAK,UAAU,IAAI,KAAK;AACzC,eAAO,CAAC,kBAAkB,KAAK,CAAC,MAAM,EAAE,KAAK,QAAQ,CAAC;AAAA,MACxD;AAAA,MACA,aAAa;AAAA,IACf,CAAC;AAKD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,IAAI,aAAa,kBAAmB,QAAO;AAC/C,cAAM,QAAQ,IAAI,SAAS,CAAC;AAC5B,YAAI,MAAM,WAAW,cAAe,QAAO;AAC3C,cAAM,iBAAkB,MAAM,mBAA8B;AAC5D,YAAI,kBAAkB,EAAG,QAAO;AAChC,eAAO,kBAAkB,KAAK,OAAO;AAAA,MACvC;AAAA,MACA,aAAa,+CAA+C,KAAK,OAAO,YAAY;AAAA,IACtF,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,IAAI,aAAa,kBAAmB,QAAO;AAC/C,cAAM,QAAQ,IAAI,SAAS,CAAC;AAC5B,YAAI,MAAM,WAAW,cAAe,QAAO;AAC3C,cAAM,iBAAkB,MAAM,mBAA8B;AAC5D,YAAI,kBAAkB,EAAG,QAAO;AAEhC,cAAM,MAAM,IAAI,UAAU;AAC1B,cAAM,MAAM,KAAK,IAAI;AACrB,cAAM,QAAQ,QAAQ;AACtB,cAAM,QAAQ,kBAAkB,MAAM,IAAI,GAAG;AAE7C,YAAI,CAAC,SAAS,MAAM,MAAM,cAAc,OAAO;AAC7C,iBAAO;AAAA,QACT;AACA,eAAO,MAAM,QAAQ,kBAAkB,KAAK,OAAO;AAAA,MACrD;AAAA,MACA,aAAa,+BAA+B,KAAK,OAAO,kBAAkB;AAAA,IAC5E,CAAC;AAGD,SAAK,OAAO,KAAK;AAAA,MACf,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ;AACd,YAAI,IAAI,aAAa,kBAAmB,QAAO;AAC/C,cAAM,QAAQ,IAAI,SAAS,CAAC;AAC5B,YAAI,MAAM,WAAW,cAAe,QAAO;AAE3C,cAAM,MAAM,IAAI,UAAU;AAC1B,cAAM,MAAM,KAAK,IAAI;AACrB,cAAM,SAAS,OAAO;AACtB,cAAM,QAAQ,kBAAkB,YAAY,IAAI,GAAG;AAEnD,YAAI,CAAC,SAAS,MAAM,MAAM,cAAc,QAAQ;AAC9C,iBAAO;AAAA,QACT;AACA,eAAO,MAAM,QAAQ,KAAK,OAAO;AAAA,MACnC;AAAA,MACA,aAAa,8BAA8B,KAAK,OAAO,gBAAgB;AAAA,IACzE,CAAC;AAAA,EACH;AAAA,EAEQ,UAAU,KAAa,UAAkB,UAA2B;AAC1E,UAAM,MAAM,KAAK,IAAI;AACrB,QAAI,QAAQ,YAAY,IAAI,GAAG;AAE/B,QAAI,CAAC,OAAO;AACV,cAAQ,EAAE,YAAY,CAAC,EAAE;AACzB,kBAAY,IAAI,KAAK,KAAK;AAAA,IAC5B;AAGA,UAAM,aAAa,MAAM,WAAW,OAAO,CAAC,MAAM,MAAM,IAAI,QAAQ;AAEpE,WAAO,MAAM,WAAW,SAAS;AAAA,EACnC;AAAA,EAEQ,WAAW,KAAmB;AACpC,QAAI,QAAQ,YAAY,IAAI,GAAG;AAC/B,QAAI,CAAC,OAAO;AACV,cAAQ,EAAE,YAAY,CAAC,EAAE;AACzB,kBAAY,IAAI,KAAK,KAAK;AAAA,IAC5B;AACA,UAAM,WAAW,KAAK,KAAK,IAAI,CAAC;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,SAAS,SAA6C;AAC1D,UAAM,UAAkC,CAAC;AACzC,QAAI,UAAU;AAEd,eAAW,SAAS,KAAK,QAAQ;AAC/B,UAAI;AACJ,UAAI;AACF,iBAAS,MAAM,MAAM,MAAM,OAAO;AAAA,MACpC,QAAQ;AACN,iBAAS;AAAA,MACX;AAEA,cAAQ,KAAK;AAAA,QACX,MAAM,MAAM;AAAA,QACZ;AAAA,QACA,UAAU,MAAM;AAAA,QAChB,SAAS,SAAS,SAAY,MAAM;AAAA,MACtC,CAAC;AAED,UAAI,CAAC,WAAW,MAAM,aAAa,cAAc,MAAM,aAAa,SAAS;AAC3E,kBAAU;AAAA,MACZ;AAAA,IACF;AAEA,UAAM,WAAyB;AAAA,MAC7B;AAAA,MACA,QAAQ;AAAA,MACR,WAAW,oBAAI,KAAK;AAAA,MACpB;AAAA,IACF;AAGA,aAAS,KAAK,QAAQ;AACtB,QAAI,SAAS,SAAS,KAAO;AAC3B,eAAS,OAAO,GAAG,SAAS,SAAS,GAAI;AAAA,IAC3C;AAGA,QAAI,SAAS;AACX,UAAI,QAAQ,UAAU;AACpB,aAAK,WAAW,QAAQ,QAAQ,UAAU,QAAQ,EAAE;AACpD,aAAK,WAAW,eAAe,QAAQ,UAAU,QAAQ,EAAE;AAAA,MAC7D;AACA,UAAI,QAAQ,WAAW,gBAAgB;AACrC,aAAK,WAAW,OAAO,QAAQ,UAAU,QAAQ,EAAE;AAAA,MACrD;AACA,UAAI,QAAQ,eAAe;AACzB,aAAK,WAAW,QAAQ,UAAU,UAAU,QAAQ,aAAa;AAAA,MACnE;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,WAAW,QAAgB,MAAoB;AACrD,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,OAAO;AACtB,UAAM,QAAQ,QAAQ;AAGtB,QAAI,SAAS,YAAY,OAAO,IAAI,MAAM;AAC1C,QAAI,CAAC,UAAU,MAAM,OAAO,cAAc,QAAQ;AAChD,eAAS,EAAE,OAAO,GAAG,aAAa,IAAI;AACtC,kBAAY,OAAO,IAAI,QAAQ,MAAM;AAAA,IACvC;AACA,WAAO,SAAS;AAGhB,QAAI,QAAQ,YAAY,MAAM,IAAI,MAAM;AACxC,QAAI,CAAC,SAAS,MAAM,MAAM,cAAc,OAAO;AAC7C,cAAQ,EAAE,OAAO,GAAG,aAAa,IAAI;AACrC,kBAAY,MAAM,IAAI,QAAQ,KAAK;AAAA,IACrC;AACA,UAAM,SAAS;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,OAAwB;AAC/B,SAAK,OAAO,KAAK,KAAK;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,qBAA2B;AACzB,SAAK,OAAO,aAAa;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,uBAA6B;AAC3B,SAAK,OAAO,aAAa;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAuB;AACrB,SAAK,OAAO,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAwB;AACtB,SAAK,OAAO,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,UAAwB;AAChC,QAAI,CAAC,KAAK,OAAO,aAAa,SAAS,QAAQ,GAAG;AAChD,WAAK,OAAO,aAAa,KAAK,QAAQ;AAAA,IACxC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,UAAwB;AAClC,SAAK,OAAO,eAAe,KAAK,OAAO,aAAa;AAAA,MAClD,CAAC,MAAM,MAAM;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,QAAQ,KAAqB;AACvC,WAAO,SAAS,MAAM,CAAC,KAAK;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA,EAKA,YAAwB;AACtB,WAAO,EAAE,GAAG,KAAK,OAAO;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,SAAoC;AAC/C,WAAO,OAAO,KAAK,QAAQ,OAAO;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAiB,QAAgB,WAAyB;AACxD,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,QAAQ,QAAQ;AACtB,UAAM,SAAS,OAAO;AAGtB,QAAI,QAAQ,kBAAkB,MAAM,IAAI,MAAM;AAC9C,QAAI,CAAC,SAAS,MAAM,MAAM,cAAc,OAAO;AAC7C,cAAQ,EAAE,OAAO,GAAG,aAAa,IAAI;AACrC,wBAAkB,MAAM,IAAI,QAAQ,KAAK;AAAA,IAC3C;AACA,UAAM,SAAS;AAGf,QAAI,SAAS,kBAAkB,YAAY,IAAI,MAAM;AACrD,QAAI,CAAC,UAAU,MAAM,OAAO,cAAc,QAAQ;AAChD,eAAS,EAAE,OAAO,GAAG,aAAa,IAAI;AACtC,wBAAkB,YAAY,IAAI,QAAQ,MAAM;AAAA,IAClD;AACA,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,SAQJ;AACT,WAAO,QAAQ,SAAS;AAAA,MACtB,OAAO;AAAA,MACP,OAAO;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA;AAAA,MACV,SAAS,OAAO,YAAiB;AAC/B,cAAM,WAAW,QAAQ,KAAK,YAAsB;AACpD,cAAM,QAAS,QAAQ,KAAK,SAAqC,CAAC;AAGlE,YAAI,aAAa,kBAAmB,QAAO;AAE3C,cAAM,WAAW,MAAM,KAAK,SAAS;AAAA,UACnC,QAAQ;AAAA,UACR,QAAQ,QAAQ;AAAA,UAChB;AAAA,UACA;AAAA,QACF,CAAC;AAED,YAAI,CAAC,SAAS,SAAS;AACrB,kBAAQ,YAAY;AACpB,gBAAM,eAAe,SAAS,OAC3B,OAAO,CAAC,MAAW,CAAC,EAAE,MAAM,EAC5B,IAAI,CAAC,MAAW,EAAE,OAAO,EACzB,KAAK,IAAI;AACZ,kBAAQ,eAAe,yBAAyB,YAAY;AAC5D,kBAAQ,IAAI,wBAAwB,QAAQ,KAAK,YAAY,EAAE;AAAA,QACjE;AAEA,eAAO;AAAA,MACT;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAGO,IAAM,aAAa,IAAI,WAAW;","names":[]}

package/dist/{chunk-XMCVRVTF.js → chunk-P64EV4YY.js}

@@ -208,4 +208,4 @@ export {
   printBanner,
   loadEnvFile
 };
-//# sourceMappingURL=chunk-XMCVRVTF.js.map
+//# sourceMappingURL=chunk-P64EV4YY.js.map

package/dist/chunk-P64EV4YY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/utils.ts"],"sourcesContent":["/**\r\n * Shared CLI utilities for OpenSentinel commands.\r\n */\r\n\r\nimport { createInterface } from \"node:readline\";\r\nimport { exec as execCb } from \"node:child_process\";\r\nimport { homedir } from \"node:os\";\r\nimport { join } from \"node:path\";\r\nimport { existsSync, mkdirSync, readFileSync } from \"node:fs\";\r\n\r\n// ── Colors (ANSI escape codes) ───────────────────────────────────────────────\r\n\r\nexport const colors = {\r\n  reset: \"\\x1b[0m\",\r\n  bold: \"\\x1b[1m\",\r\n  dim: \"\\x1b[2m\",\r\n  green: \"\\x1b[32m\",\r\n  cyan: \"\\x1b[36m\",\r\n  yellow: \"\\x1b[33m\",\r\n  red: \"\\x1b[31m\",\r\n  magenta: \"\\x1b[35m\",\r\n};\r\n\r\n// ── Interactive prompts ──────────────────────────────────────────────────────\r\n\r\nexport async function prompt(question: string): Promise<string> {\r\n  const rl = createInterface({ input: process.stdin, output: process.stdout });\r\n  return new Promise((resolve) => {\r\n    rl.question(question, (answer) => {\r\n      rl.close();\r\n      resolve(answer.trim());\r\n    });\r\n  });\r\n}\r\n\r\nexport async function confirm(question: string, defaultYes = true): Promise<boolean> {\r\n  const hint = defaultYes ? \"[Y/n]\" : \"[y/N]\";\r\n  const answer = await prompt(`${question} ${hint} `);\r\n  if (answer === \"\") return defaultYes;\r\n  return answer.toLowerCase().startsWith(\"y\");\r\n}\r\n\r\nexport async function promptSecret(question: string): Promise<string> {\r\n  const rl = createInterface({ input: process.stdin, output: process.stdout });\r\n  // Disable echo for secret input\r\n  if (process.stdin.isTTY) {\r\n    process.stdin.setRawMode?.(false);\r\n  }\r\n  return new Promise((resolve) => {\r\n    rl.question(question, (answer) => {\r\n      rl.close();\r\n      resolve(answer.trim());\r\n    });\r\n  });\r\n}\r\n\r\n// ── Shell execution ──────────────────────────────────────────────────────────\r\n\r\nexport interface ExecResult {\r\n  stdout: string;\r\n  stderr: string;\r\n  exitCode: number;\r\n}\r\n\r\nexport async function exec(cmd: string, opts?: { throws?: boolean; input?: string }): Promise<ExecResult> {\r\n  return new Promise((resolve, reject) => {\r\n    const child = execCb(cmd, { maxBuffer: 10 * 1024 * 1024 }, (error, stdout, stderr) => {\r\n      const exitCode = error?.code ?? 0;\r\n      const result = { stdout: stdout.toString(), stderr: stderr.toString(), exitCode: typeof exitCode === \"number\" ? exitCode : 1 };\r\n      if (error && opts?.throws !== false) {\r\n        reject(Object.assign(error, result));\r\n      } else {\r\n        resolve(result);\r\n      }\r\n    });\r\n    if (opts?.input) {\r\n      child.stdin?.write(opts.input);\r\n      child.stdin?.end();\r\n    }\r\n  });\r\n}\r\n\r\nexport async function which(binary: string): Promise<string | null> {\r\n  try {\r\n    const result = await exec(`which ${binary}`, { throws: false });\r\n    return result.stdout.trim() || null;\r\n  } catch {\r\n    return null;\r\n  }\r\n}\r\n\r\n// ── Platform detection ───────────────────────────────────────────────────────\r\n\r\nexport interface Platform {\r\n  os: \"linux\" | \"darwin\" | \"other\";\r\n  distro: string;\r\n  packageManager: \"apt\" | \"brew\" | \"dnf\" | \"pacman\" | \"unknown\";\r\n}\r\n\r\nexport function detectPlatform(): Platform {\r\n  const os = process.platform === \"linux\" ? \"linux\"\r\n    : process.platform === \"darwin\" ? \"darwin\"\r\n    : \"other\" as const;\r\n\r\n  let distro = \"unknown\";\r\n  let packageManager: Platform[\"packageManager\"] = \"unknown\";\r\n\r\n  if (os === \"linux\") {\r\n    try {\r\n      const osRelease = readFileSync(\"/etc/os-release\", \"utf-8\");\r\n      const idMatch = osRelease.match(/^ID=(.+)$/m);\r\n      const idLikeMatch = osRelease.match(/^ID_LIKE=(.+)$/m);\r\n      distro = idMatch?.[1]?.replace(/\"/g, \"\") || \"unknown\";\r\n      const idLike = idLikeMatch?.[1]?.replace(/\"/g, \"\") || \"\";\r\n\r\n      if (distro === \"ubuntu\" || distro === \"debian\" || idLike.includes(\"debian\")) {\r\n        packageManager = \"apt\";\r\n      } else if (distro === \"fedora\" || idLike.includes(\"fedora\") || idLike.includes(\"rhel\")) {\r\n        packageManager = \"dnf\";\r\n      } else if (distro === \"arch\" || idLike.includes(\"arch\")) {\r\n        packageManager = \"pacman\";\r\n      }\r\n    } catch {}\r\n  } else if (os === \"darwin\") {\r\n    packageManager = \"brew\";\r\n    distro = \"macos\";\r\n  }\r\n\r\n  return { os, distro, packageManager };\r\n}\r\n\r\n// ── Config directory ─────────────────────────────────────────────────────────\r\n\r\nexport function getConfigDir(): string {\r\n  const dir = process.env.OPENSENTINEL_HOME || join(homedir(), \".opensentinel\");\r\n  if (!existsSync(dir)) {\r\n    mkdirSync(dir, { recursive: true });\r\n  }\r\n  return dir;\r\n}\r\n\r\nexport function getPackageRoot(): string {\r\n  // When running from source: import.meta.dirname is src/commands/\r\n  // When installed globally: import.meta.dirname is dist/commands/ or dist/\r\n  // Go up to find package.json\r\n  let dir = import.meta.dirname || __dirname;\r\n  for (let i = 0; i < 5; i++) {\r\n    if (existsSync(join(dir, \"package.json\"))) {\r\n      return dir;\r\n    }\r\n    dir = join(dir, \"..\");\r\n  }\r\n  return process.cwd();\r\n}\r\n\r\nexport function getMigrationsDir(): string {\r\n  return join(getPackageRoot(), \"drizzle\");\r\n}\r\n\r\n// ── Port and service checks ──────────────────────────────────────────────────\r\n\r\nexport async function checkPort(port: number): Promise<boolean> {\r\n  try {\r\n    const result = await exec(`ss -tlnp 2>/dev/null | grep :${port} || netstat -tlnp 2>/dev/null | grep :${port}`, { throws: false });\r\n    return result.stdout.trim().length > 0;\r\n  } catch {\r\n    return false;\r\n  }\r\n}\r\n\r\nexport async function checkPostgres(): Promise<{ installed: boolean; running: boolean; port: number }> {\r\n  const installed = !!(await which(\"psql\"));\r\n  let running = false;\r\n  let port = 5432;\r\n\r\n  if (installed) {\r\n    const result = await exec(\"pg_isready -q 2>/dev/null\", { throws: false });\r\n    running = result.exitCode === 0;\r\n  }\r\n\r\n  // Also check if running on non-standard port\r\n  if (!running) {\r\n    const port5445 = await checkPort(5445);\r\n    if (port5445) {\r\n      running = true;\r\n      port = 5445;\r\n    }\r\n  }\r\n\r\n  return { installed, running, port };\r\n}\r\n\r\nexport async function checkRedis(): Promise<{ installed: boolean; running: boolean; port: number }> {\r\n  const installed = !!(await which(\"redis-cli\"));\r\n  let running = false;\r\n  let port = 6379;\r\n\r\n  if (installed) {\r\n    const result = await exec(\"redis-cli ping 2>/dev/null\", { throws: false });\r\n    running = result.stdout.trim() === \"PONG\";\r\n  }\r\n\r\n  // Check alternate ports\r\n  if (!running) {\r\n    for (const p of [6384, 6380]) {\r\n      const result = await exec(`redis-cli -p ${p} ping 2>/dev/null`, { throws: false });\r\n      if (result.stdout.trim() === \"PONG\") {\r\n        running = true;\r\n        port = p;\r\n        break;\r\n      }\r\n    }\r\n  }\r\n\r\n  return { installed, running, port };\r\n}\r\n\r\n// ── Banner ───────────────────────────────────────────────────────────────────\r\n\r\nexport function printBanner() {\r\n  console.log(`\r\n${colors.cyan}${colors.bold}╔══════════════════════════════════════════╗\r\n║           OPENSENTINEL v3.0.0            ║\r\n║       Your Personal AI Assistant         ║\r\n╚══════════════════════════════════════════╝${colors.reset}\r\n`);\r\n}\r\n\r\n// ── .env file loading ────────────────────────────────────────────────────────\r\n\r\nexport function loadEnvFile(): string | null {\r\n  const candidates = [\r\n    process.env.OPENSENTINEL_HOME && join(process.env.OPENSENTINEL_HOME, \".env\"),\r\n    join(homedir(), \".opensentinel\", \".env\"),\r\n    join(process.cwd(), \".env\"),\r\n  ].filter(Boolean) as string[];\r\n\r\n  for (const candidate of candidates) {\r\n    if (existsSync(candidate)) {\r\n      const content = readFileSync(candidate, \"utf-8\");\r\n      for (const line of content.split(\"\\n\")) {\r\n        const trimmed = line.trim();\r\n        if (!trimmed || trimmed.startsWith(\"#\")) continue;\r\n        const eqIndex = trimmed.indexOf(\"=\");\r\n        if (eqIndex === -1) continue;\r\n        const key = trimmed.slice(0, eqIndex).trim();\r\n        const value = trimmed.slice(eqIndex + 1).trim();\r\n        // Don't override existing env vars\r\n        if (!process.env[key]) {\r\n          process.env[key] = value;\r\n        }\r\n      }\r\n      return candidate;\r\n    }\r\n  }\r\n  return null;\r\n}\r\n"],"mappings":";AAIA,SAAS,uBAAuB;AAChC,SAAS,QAAQ,cAAc;AAC/B,SAAS,eAAe;AACxB,SAAS,YAAY;AACrB,SAAS,YAAY,WAAW,oBAAoB;AAI7C,IAAM,SAAS;AAAA,EACpB,OAAO;AAAA,EACP,MAAM;AAAA,EACN,KAAK;AAAA,EACL,OAAO;AAAA,EACP,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AAAA,EACL,SAAS;AACX;AAIA,eAAsB,OAAO,UAAmC;AAC9D,QAAM,KAAK,gBAAgB,EAAE,OAAO,QAAQ,OAAO,QAAQ,QAAQ,OAAO,CAAC;AAC3E,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,OAAG,SAAS,UAAU,CAAC,WAAW;AAChC,SAAG,MAAM;AACT,cAAQ,OAAO,KAAK,CAAC;AAAA,IACvB,CAAC;AAAA,EACH,CAAC;AACH;AAEA,eAAsB,QAAQ,UAAkB,aAAa,MAAwB;AACnF,QAAM,OAAO,aAAa,UAAU;AACpC,QAAM,SAAS,MAAM,OAAO,GAAG,QAAQ,IAAI,IAAI,GAAG;AAClD,MAAI,WAAW,GAAI,QAAO;AAC1B,SAAO,OAAO,YAAY,EAAE,WAAW,GAAG;AAC5C;AAEA,eAAsB,aAAa,UAAmC;AACpE,QAAM,KAAK,gBAAgB,EAAE,OAAO,QAAQ,OAAO,QAAQ,QAAQ,OAAO,CAAC;AAE3E,MAAI,QAAQ,MAAM,OAAO;AACvB,YAAQ,MAAM,aAAa,KAAK;AAAA,EAClC;AACA,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,OAAG,SAAS,UAAU,CAAC,WAAW;AAChC,SAAG,MAAM;AACT,cAAQ,OAAO,KAAK,CAAC;AAAA,IACvB,CAAC;AAAA,EACH,CAAC;AACH;AAUA,eAAsB,KAAK,KAAa,MAAkE;AACxG,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,OAAO,KAAK,EAAE,WAAW,KAAK,OAAO,KAAK,GAAG,CAAC,OAAO,QAAQ,WAAW;AACpF,YAAM,WAAW,OAAO,QAAQ;AAChC,YAAM,SAAS,EAAE,QAAQ,OAAO,SAAS,GAAG,QAAQ,OAAO,SAAS,GAAG,UAAU,OAAO,aAAa,WAAW,WAAW,EAAE;AAC7H,UAAI,SAAS,MAAM,WAAW,OAAO;AACnC,eAAO,OAAO,OAAO,OAAO,MAAM,CAAC;AAAA,MACrC,OAAO;AACL,gBAAQ,MAAM;AAAA,MAChB;AAAA,IACF,CAAC;AACD,QAAI,MAAM,OAAO;AACf,YAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,YAAM,OAAO,IAAI;AAAA,IACnB;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,MAAM,QAAwC;AAClE,MAAI;AACF,UAAM,SAAS,MAAM,KAAK,SAAS,MAAM,IAAI,EAAE,QAAQ,MAAM,CAAC;AAC9D,WAAO,OAAO,OAAO,KAAK,KAAK;AAAA,EACjC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAUO,SAAS,iBAA2B;AACzC,QAAM,KAAK,QAAQ,aAAa,UAAU,UACtC,QAAQ,aAAa,WAAW,WAChC;AAEJ,MAAI,SAAS;AACb,MAAI,iBAA6C;AAEjD,MAAI,OAAO,SAAS;AAClB,QAAI;AACF,YAAM,YAAY,aAAa,mBAAmB,OAAO;AACzD,YAAM,UAAU,UAAU,MAAM,YAAY;AAC5C,YAAM,cAAc,UAAU,MAAM,iBAAiB;AACrD,eAAS,UAAU,CAAC,GAAG,QAAQ,MAAM,EAAE,KAAK;AAC5C,YAAM,SAAS,cAAc,CAAC,GAAG,QAAQ,MAAM,EAAE,KAAK;AAEtD,UAAI,WAAW,YAAY,WAAW,YAAY,OAAO,SAAS,QAAQ,GAAG;AAC3E,yBAAiB;AAAA,MACnB,WAAW,WAAW,YAAY,OAAO,SAAS,QAAQ,KAAK,OAAO,SAAS,MAAM,GAAG;AACtF,yBAAiB;AAAA,MACnB,WAAW,WAAW,UAAU,OAAO,SAAS,MAAM,GAAG;AACvD,yBAAiB;AAAA,MACnB;AAAA,IACF,QAAQ;AAAA,IAAC;AAAA,EACX,WAAW,OAAO,UAAU;AAC1B,qBAAiB;AACjB,aAAS;AAAA,EACX;AAEA,SAAO,EAAE,IAAI,QAAQ,eAAe;AACtC;AAIO,SAAS,eAAuB;AACrC,QAAM,MAAM,QAAQ,IAAI,qBAAqB,KAAK,QAAQ,GAAG,eAAe;AAC5E,MAAI,CAAC,WAAW,GAAG,GAAG;AACpB,cAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAAA,EACpC;AACA,SAAO;AACT;AAEO,SAAS,iBAAyB;AAIvC,MAAI,MAAM,YAAY,WAAW;AACjC,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,WAAW,KAAK,KAAK,cAAc,CAAC,GAAG;AACzC,aAAO;AAAA,IACT;AACA,UAAM,KAAK,KAAK,IAAI;AAAA,EACtB;AACA,SAAO,QAAQ,IAAI;AACrB;AAEO,SAAS,mBAA2B;AACzC,SAAO,KAAK,eAAe,GAAG,SAAS;AACzC;AAIA,eAAsB,UAAU,MAAgC;AAC9D,MAAI;AACF,UAAM,SAAS,MAAM,KAAK,gCAAgC,IAAI,yCAAyC,IAAI,IAAI,EAAE,QAAQ,MAAM,CAAC;AAChI,WAAO,OAAO,OAAO,KAAK,EAAE,SAAS;AAAA,EACvC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,gBAAiF;AACrG,QAAM,YAAY,CAAC,CAAE,MAAM,MAAM,MAAM;AACvC,MAAI,UAAU;AACd,MAAI,OAAO;AAEX,MAAI,WAAW;AACb,UAAM,SAAS,MAAM,KAAK,6BAA6B,EAAE,QAAQ,MAAM,CAAC;AACxE,cAAU,OAAO,aAAa;AAAA,EAChC;AAGA,MAAI,CAAC,SAAS;AACZ,UAAM,WAAW,MAAM,UAAU,IAAI;AACrC,QAAI,UAAU;AACZ,gBAAU;AACV,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO,EAAE,WAAW,SAAS,KAAK;AACpC;AAEA,eAAsB,aAA8E;AAClG,QAAM,YAAY,CAAC,CAAE,MAAM,MAAM,WAAW;AAC5C,MAAI,UAAU;AACd,MAAI,OAAO;AAEX,MAAI,WAAW;AACb,UAAM,SAAS,MAAM,KAAK,8BAA8B,EAAE,QAAQ,MAAM,CAAC;AACzE,cAAU,OAAO,OAAO,KAAK,MAAM;AAAA,EACrC;AAGA,MAAI,CAAC,SAAS;AACZ,eAAW,KAAK,CAAC,MAAM,IAAI,GAAG;AAC5B,YAAM,SAAS,MAAM,KAAK,gBAAgB,CAAC,qBAAqB,EAAE,QAAQ,MAAM,CAAC;AACjF,UAAI,OAAO,OAAO,KAAK,MAAM,QAAQ;AACnC,kBAAU;AACV,eAAO;AACP;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,WAAW,SAAS,KAAK;AACpC;AAIO,SAAS,cAAc;AAC5B,UAAQ,IAAI;AAAA,EACZ,OAAO,IAAI,GAAG,OAAO,IAAI;AAAA;AAAA;AAAA,0QAGmB,OAAO,KAAK;AAAA,CACzD;AACD;AAIO,SAAS,cAA6B;AAC3C,QAAM,aAAa;AAAA,IACjB,QAAQ,IAAI,qBAAqB,KAAK,QAAQ,IAAI,mBAAmB,MAAM;AAAA,IAC3E,KAAK,QAAQ,GAAG,iBAAiB,MAAM;AAAA,IACvC,KAAK,QAAQ,IAAI,GAAG,MAAM;AAAA,EAC5B,EAAE,OAAO,OAAO;AAEhB,aAAW,aAAa,YAAY;AAClC,QAAI,WAAW,SAAS,GAAG;AACzB,YAAM,UAAU,aAAa,WAAW,OAAO;AAC/C,iBAAW,QAAQ,QAAQ,MAAM,IAAI,GAAG;AACtC,cAAM,UAAU,KAAK,KAAK;AAC1B,YAAI,CAAC,WAAW,QAAQ,WAAW,GAAG,EAAG;AACzC,cAAM,UAAU,QAAQ,QAAQ,GAAG;AACnC,YAAI,YAAY,GAAI;AACpB,cAAM,MAAM,QAAQ,MAAM,GAAG,OAAO,EAAE,KAAK;AAC3C,cAAM,QAAQ,QAAQ,MAAM,UAAU,CAAC,EAAE,KAAK;AAE9C,YAAI,CAAC,QAAQ,IAAI,GAAG,GAAG;AACrB,kBAAQ,IAAI,GAAG,IAAI;AAAA,QACrB;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;","names":[]}

package/dist/chunk-PBOCSGNL.js

@@ -0,0 +1,84 @@
+import {
+  createLogger
+} from "./chunk-7BNFELEK.js";
+
+// src/integrations/m365/graph-client.ts
+var log = createLogger("m365:graph");
+var GRAPH_ROOT = "https://graph.microsoft.com/v1.0";
+var GraphError = class extends Error {
+  constructor(status, code, message) {
+    super(message);
+    this.status = status;
+    this.code = code;
+    this.name = "GraphError";
+  }
+};
+async function graphFetch(accessToken, path, init) {
+  const url = path.startsWith("http") ? path : `${GRAPH_ROOT}${path}`;
+  const res = await fetch(url, {
+    ...init,
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json",
+      ...init?.headers ?? {}
+    }
+  });
+  if (!res.ok) {
+    let body = null;
+    try {
+      body = await res.json();
+    } catch {
+    }
+    const code = body?.error?.code || String(res.status);
+    const message = body?.error?.message || res.statusText;
+    log.warn("graph call failed", { path, status: res.status, code });
+    throw new GraphError(res.status, code, message);
+  }
+  if (res.status === 204) return void 0;
+  return await res.json();
+}
+async function getMe(accessToken) {
+  return graphFetch(accessToken, "/me");
+}
+async function listMessages(accessToken, opts = {}) {
+  const top = Math.max(1, Math.min(opts.top ?? 20, 100));
+  const params = new URLSearchParams();
+  params.set("$top", String(top));
+  if (opts.skip) params.set("$skip", String(opts.skip));
+  params.set(
+    "$select",
+    "id,subject,bodyPreview,from,toRecipients,receivedDateTime,isRead,webLink"
+  );
+  params.set("$orderby", "receivedDateTime desc");
+  if (opts.unreadOnly) params.set("$filter", "isRead eq false");
+  if (opts.search) params.set("$search", `"${opts.search.replace(/"/g, "")}"`);
+  const base = opts.folder ? `/me/mailFolders/${encodeURIComponent(opts.folder)}/messages` : "/me/messages";
+  const resp = await graphFetch(
+    accessToken,
+    `${base}?${params.toString()}`
+  );
+  return { value: resp.value, nextLink: resp["@odata.nextLink"] };
+}
+async function getMessage(accessToken, id) {
+  const params = new URLSearchParams();
+  params.set(
+    "$select",
+    "id,subject,bodyPreview,from,toRecipients,receivedDateTime,isRead,webLink,body,internetMessageHeaders"
+  );
+  return graphFetch(
+    accessToken,
+    `/me/messages/${encodeURIComponent(id)}?${params.toString()}`
+  );
+}
+function stripHtml(html) {
+  return html.replace(/<style[\s\S]*?<\/style>/gi, " ").replace(/<script[\s\S]*?<\/script>/gi, " ").replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
+}
+
+export {
+  GraphError,
+  getMe,
+  listMessages,
+  getMessage,
+  stripHtml
+};
+//# sourceMappingURL=chunk-PBOCSGNL.js.map

package/dist/chunk-PBOCSGNL.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/integrations/m365/graph-client.ts"],"sourcesContent":["/**\n * Thin Microsoft Graph client — fetch based, no SDK dep.\n *\n * Only the surface needed by routes lives here. Extend as needed; the one-off\n * helpers match the patterns from docs.microsoft.com/graph/api.\n */\n\nimport { createLogger } from \"../../core/logger\";\n\nconst log = createLogger(\"m365:graph\");\nconst GRAPH_ROOT = \"https://graph.microsoft.com/v1.0\";\n\nexport interface GraphMe {\n  id: string;\n  userPrincipalName?: string;\n  mail?: string;\n  displayName?: string;\n  givenName?: string;\n  surname?: string;\n  jobTitle?: string;\n}\n\nexport interface GraphMessageSummary {\n  id: string;\n  subject: string;\n  bodyPreview: string;\n  from?: { emailAddress: { name: string; address: string } };\n  toRecipients?: Array<{ emailAddress: { name: string; address: string } }>;\n  receivedDateTime: string;\n  isRead: boolean;\n  webLink?: string;\n}\n\nexport interface GraphMessageFull extends GraphMessageSummary {\n  body?: { contentType: \"html\" | \"text\"; content: string };\n  internetMessageHeaders?: Array<{ name: string; value: string }>;\n}\n\nexport class GraphError extends Error {\n  constructor(public status: number, public code: string, message: string) {\n    super(message);\n    this.name = \"GraphError\";\n  }\n}\n\nasync function graphFetch<T>(accessToken: string, path: string, init?: RequestInit): Promise<T> {\n  const url = path.startsWith(\"http\") ? path : `${GRAPH_ROOT}${path}`;\n  const res = await fetch(url, {\n    ...init,\n    headers: {\n      Authorization: `Bearer ${accessToken}`,\n      \"Content-Type\": \"application/json\",\n      ...(init?.headers ?? {}),\n    },\n  });\n\n  if (!res.ok) {\n    let body: any = null;\n    try {\n      body = await res.json();\n    } catch {\n      /* ignore */\n    }\n    const code = body?.error?.code || String(res.status);\n    const message = body?.error?.message || res.statusText;\n    log.warn(\"graph call failed\", { path, status: res.status, code });\n    throw new GraphError(res.status, code, message);\n  }\n\n  // 204 No Content\n  if (res.status === 204) return undefined as unknown as T;\n  return (await res.json()) as T;\n}\n\nexport async function getMe(accessToken: string): Promise<GraphMe> {\n  return graphFetch<GraphMe>(accessToken, \"/me\");\n}\n\nexport interface ListMessagesOptions {\n  top?: number;\n  skip?: number;\n  folder?: string; // e.g. \"inbox\", \"sentitems\"\n  unreadOnly?: boolean;\n  search?: string;\n}\n\nexport async function listMessages(\n  accessToken: string,\n  opts: ListMessagesOptions = {}\n): Promise<{ value: GraphMessageSummary[]; nextLink?: string }> {\n  const top = Math.max(1, Math.min(opts.top ?? 20, 100));\n  const params = new URLSearchParams();\n  params.set(\"$top\", String(top));\n  if (opts.skip) params.set(\"$skip\", String(opts.skip));\n  params.set(\n    \"$select\",\n    \"id,subject,bodyPreview,from,toRecipients,receivedDateTime,isRead,webLink\"\n  );\n  params.set(\"$orderby\", \"receivedDateTime desc\");\n  if (opts.unreadOnly) params.set(\"$filter\", \"isRead eq false\");\n  if (opts.search) params.set(\"$search\", `\"${opts.search.replace(/\"/g, \"\")}\"`);\n\n  const base = opts.folder\n    ? `/me/mailFolders/${encodeURIComponent(opts.folder)}/messages`\n    : \"/me/messages\";\n  const resp = await graphFetch<{ value: GraphMessageSummary[]; \"@odata.nextLink\"?: string }>(\n    accessToken,\n    `${base}?${params.toString()}`\n  );\n  return { value: resp.value, nextLink: resp[\"@odata.nextLink\"] };\n}\n\nexport async function getMessage(accessToken: string, id: string): Promise<GraphMessageFull> {\n  const params = new URLSearchParams();\n  params.set(\n    \"$select\",\n    \"id,subject,bodyPreview,from,toRecipients,receivedDateTime,isRead,webLink,body,internetMessageHeaders\"\n  );\n  return graphFetch<GraphMessageFull>(\n    accessToken,\n    `/me/messages/${encodeURIComponent(id)}?${params.toString()}`\n  );\n}\n\nexport function stripHtml(html: string): string {\n  return html\n    .replace(/<style[\\s\\S]*?<\\/style>/gi, \" \")\n    .replace(/<script[\\s\\S]*?<\\/script>/gi, \" \")\n    .replace(/<[^>]+>/g, \" \")\n    .replace(/\\s+/g, \" \")\n    .trim();\n}\n"],"mappings":";;;;;AASA,IAAM,MAAM,aAAa,YAAY;AACrC,IAAM,aAAa;AA4BZ,IAAM,aAAN,cAAyB,MAAM;AAAA,EACpC,YAAmB,QAAuB,MAAc,SAAiB;AACvE,UAAM,OAAO;AADI;AAAuB;AAExC,SAAK,OAAO;AAAA,EACd;AACF;AAEA,eAAe,WAAc,aAAqB,MAAc,MAAgC;AAC9F,QAAM,MAAM,KAAK,WAAW,MAAM,IAAI,OAAO,GAAG,UAAU,GAAG,IAAI;AACjE,QAAM,MAAM,MAAM,MAAM,KAAK;AAAA,IAC3B,GAAG;AAAA,IACH,SAAS;AAAA,MACP,eAAe,UAAU,WAAW;AAAA,MACpC,gBAAgB;AAAA,MAChB,GAAI,MAAM,WAAW,CAAC;AAAA,IACxB;AAAA,EACF,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,QAAI,OAAY;AAChB,QAAI;AACF,aAAO,MAAM,IAAI,KAAK;AAAA,IACxB,QAAQ;AAAA,IAER;AACA,UAAM,OAAO,MAAM,OAAO,QAAQ,OAAO,IAAI,MAAM;AACnD,UAAM,UAAU,MAAM,OAAO,WAAW,IAAI;AAC5C,QAAI,KAAK,qBAAqB,EAAE,MAAM,QAAQ,IAAI,QAAQ,KAAK,CAAC;AAChE,UAAM,IAAI,WAAW,IAAI,QAAQ,MAAM,OAAO;AAAA,EAChD;AAGA,MAAI,IAAI,WAAW,IAAK,QAAO;AAC/B,SAAQ,MAAM,IAAI,KAAK;AACzB;AAEA,eAAsB,MAAM,aAAuC;AACjE,SAAO,WAAoB,aAAa,KAAK;AAC/C;AAUA,eAAsB,aACpB,aACA,OAA4B,CAAC,GACiC;AAC9D,QAAM,MAAM,KAAK,IAAI,GAAG,KAAK,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC;AACrD,QAAM,SAAS,IAAI,gBAAgB;AACnC,SAAO,IAAI,QAAQ,OAAO,GAAG,CAAC;AAC9B,MAAI,KAAK,KAAM,QAAO,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;AACpD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACA,SAAO,IAAI,YAAY,uBAAuB;AAC9C,MAAI,KAAK,WAAY,QAAO,IAAI,WAAW,iBAAiB;AAC5D,MAAI,KAAK,OAAQ,QAAO,IAAI,WAAW,IAAI,KAAK,OAAO,QAAQ,MAAM,EAAE,CAAC,GAAG;AAE3E,QAAM,OAAO,KAAK,SACd,mBAAmB,mBAAmB,KAAK,MAAM,CAAC,cAClD;AACJ,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA,GAAG,IAAI,IAAI,OAAO,SAAS,CAAC;AAAA,EAC9B;AACA,SAAO,EAAE,OAAO,KAAK,OAAO,UAAU,KAAK,iBAAiB,EAAE;AAChE;AAEA,eAAsB,WAAW,aAAqB,IAAuC;AAC3F,QAAM,SAAS,IAAI,gBAAgB;AACnC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL;AAAA,IACA,gBAAgB,mBAAmB,EAAE,CAAC,IAAI,OAAO,SAAS,CAAC;AAAA,EAC7D;AACF;AAEO,SAAS,UAAU,MAAsB;AAC9C,SAAO,KACJ,QAAQ,6BAA6B,GAAG,EACxC,QAAQ,+BAA+B,GAAG,EAC1C,QAAQ,YAAY,GAAG,EACvB,QAAQ,QAAQ,GAAG,EACnB,KAAK;AACV;","names":[]}