proofscan 0.10.2 → 0.10.4

package/dist/popl/sanitizer.js

@@ -0,0 +1,271 @@
+/**
+ * POPL Sanitizer (Phase 6.0)
+ *
+ * Sanitization ruleset v1 for public disclosure safety.
+ *
+ * Rules:
+ * 1. Path removal - Windows and POSIX absolute paths
+ * 2. Secret token removal - Authorization, Bearer, api_key, token, secret
+ * 3. RPC payload handling - Replace values with hashes, keep key structure
+ */
+import { createHash } from 'crypto';
+/** Current sanitization ruleset version */
+export const SANITIZER_RULESET_VERSION = 1;
+/** Maximum string length to process with regex (ReDoS prevention) */
+const MAX_REGEX_INPUT_LENGTH = 1000;
+/** Redacted placeholder for paths */
+const REDACTED_PATH = '<redacted:path>';
+/** Redacted placeholder for secrets */
+const REDACTED_SECRET = '<redacted:secret>';
+/** Redacted placeholder for values (RPC payloads) */
+const REDACTED_VALUE = '<redacted:value>';
+/**
+ * Patterns for detecting absolute paths
+ */
+const PATH_PATTERNS = [
+    // Windows: C:\Users\... or D:\...
+    /^[A-Za-z]:\\[^\s"']+/,
+    // Windows: \\server\share
+    /^\\\\[^\s"']+/,
+    // POSIX: /home/... /Users/... /var/... etc.
+    /^\/(?:home|Users|var|tmp|etc|opt|usr|root|mnt|media|srv|private)[^\s"']*/,
+    // Generic POSIX paths starting with / followed by word chars
+    /^\/[a-zA-Z0-9_-]+(?:\/[^\s"']*)?/,
+];
+/**
+ * Patterns for detecting secret-like keys
+ */
+const SECRET_KEY_PATTERNS = [
+    /^api[_-]?key$/i,
+    /^auth(?:orization)?$/i,
+    /^bearer$/i,
+    /^token$/i,
+    /^secret$/i,
+    /^password$/i,
+    /^passwd$/i,
+    /^credential/i,
+    /^private[_-]?key$/i,
+    /^access[_-]?token$/i,
+    /^refresh[_-]?token$/i,
+    /^session[_-]?(?:id|token)$/i,
+    /^cookie$/i,
+    /^x-api-key$/i,
+    /^x-auth/i,
+];
+/**
+ * Patterns for detecting secret-like values
+ */
+const SECRET_VALUE_PATTERNS = [
+    // Bearer tokens
+    /^Bearer\s+[A-Za-z0-9._-]+/i,
+    // Authorization header
+    /^Basic\s+[A-Za-z0-9+/=]+/i,
+    // JWT-like tokens (three base64 sections)
+    /^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,
+    // API keys (long alphanumeric strings)
+    /^[a-zA-Z0-9_-]{32,}$/,
+    // Hedera keys
+    /^302[a-fA-F0-9]{64,}/,
+    // secret:// references (not already masked)
+    /^secret:\/\/(?!\*\*\*$)/,
+    // dpapi: references
+    /^dpapi:[a-zA-Z0-9_-]+$/,
+];
+/**
+ * Check if a string looks like an absolute path
+ * Includes length check to prevent ReDoS attacks
+ */
+function isAbsolutePath(value) {
+    // Skip long strings to prevent ReDoS
+    if (value.length > MAX_REGEX_INPUT_LENGTH) {
+        return false;
+    }
+    return PATH_PATTERNS.some((pattern) => pattern.test(value));
+}
+/**
+ * Check if a key name suggests it contains a secret
+ * Includes length check to prevent ReDoS attacks
+ */
+function isSecretKey(key) {
+    // Skip long strings to prevent ReDoS
+    if (key.length > MAX_REGEX_INPUT_LENGTH) {
+        return false;
+    }
+    return SECRET_KEY_PATTERNS.some((pattern) => pattern.test(key));
+}
+/**
+ * Check if a value looks like a secret
+ * Includes length check to prevent ReDoS attacks
+ */
+function isSecretValue(value) {
+    // Skip long strings to prevent ReDoS
+    if (value.length > MAX_REGEX_INPUT_LENGTH) {
+        return false;
+    }
+    return SECRET_VALUE_PATTERNS.some((pattern) => pattern.test(value));
+}
+/**
+ * Compute SHA-256 hash of a value (first 16 chars)
+ */
+export function hashValue(value) {
+    const str = typeof value === 'string' ? value : JSON.stringify(value);
+    const hash = createHash('sha256').update(str, 'utf8').digest('hex');
+    return hash.slice(0, 16);
+}
+/**
+ * Sanitize a JSON-like value for public disclosure.
+ *
+ * @param value - Any JSON-serializable value
+ * @param options - Sanitization options
+ * @returns Sanitized value and statistics
+ */
+export function sanitize(value, options = {}) {
+    let redactedCount = 0;
+    const redactedCategories = new Set();
+    function process(val, key) {
+        // Null/undefined pass through
+        if (val === null || val === undefined) {
+            return val;
+        }
+        // String processing
+        if (typeof val === 'string') {
+            // Check for paths
+            if (isAbsolutePath(val)) {
+                redactedCount++;
+                redactedCategories.add('path');
+                return REDACTED_PATH;
+            }
+            // Check for secret values
+            if (isSecretValue(val)) {
+                redactedCount++;
+                redactedCategories.add('secret');
+                return REDACTED_SECRET;
+            }
+            // Check if key suggests secret
+            if (key && isSecretKey(key) && val.length > 0) {
+                redactedCount++;
+                redactedCategories.add('secret');
+                return REDACTED_SECRET;
+            }
+            return val;
+        }
+        // Array processing
+        if (Array.isArray(val)) {
+            return val.map((item, i) => process(item, String(i)));
+        }
+        // Object processing
+        if (typeof val === 'object') {
+            const result = {};
+            for (const [k, v] of Object.entries(val)) {
+                result[k] = process(v, k);
+            }
+            return result;
+        }
+        // Primitives (number, boolean) pass through
+        return val;
+    }
+    const sanitized = process(value, options.context?.key);
+    return { value: sanitized, redactedCount, redactedCategories };
+}
+/**
+ * Sanitize RPC payload for public disclosure.
+ *
+ * This is more aggressive than general sanitization:
+ * - Replaces all argument values with hashes
+ * - Keeps key structure for auditability
+ * - Stores original hash for verification
+ *
+ * @param payload - RPC arguments or result
+ * @returns Sanitized structure with hashes
+ */
+export function sanitizeRpcPayload(payload) {
+    if (payload === null || payload === undefined) {
+        return {
+            sanitized: null,
+            payload_sha256: hashValue(null),
+            keys: [],
+        };
+    }
+    // Get original hash before any processing
+    const payload_sha256 = hashValue(payload);
+    // Extract keys
+    const keys = Object.keys(payload);
+    // Create sanitized version with value hashes
+    const sanitized = {};
+    for (const [key, value] of Object.entries(payload)) {
+        sanitized[key] = {
+            _type: typeof value,
+            _hash: hashValue(value),
+        };
+    }
+    return { sanitized, payload_sha256, keys };
+}
+/**
+ * Sanitize a log line for public disclosure.
+ *
+ * @param line - Log line object
+ * @returns Sanitized log line
+ */
+export function sanitizeLogLine(line) {
+    const result = sanitize(line);
+    return result.value;
+}
+/**
+ * Sanitize RPC event for public disclosure.
+ *
+ * @param event - RPC event object from events.db
+ * @returns Sanitized event
+ */
+export function sanitizeRpcEvent(event) {
+    // Basic fields (safe to include)
+    const sanitized = {
+        event_id: event.event_id,
+        session_id: event.session_id,
+        rpc_id: event.rpc_id,
+        direction: event.direction,
+        kind: event.kind,
+        ts: event.ts,
+        seq: event.seq,
+        summary: event.summary ? sanitize(event.summary).value : null,
+        payload_hash: event.payload_hash,
+    };
+    // Process raw_json if present
+    if (event.raw_json) {
+        try {
+            const parsed = JSON.parse(event.raw_json);
+            // For request/response, sanitize params/result
+            if (parsed.params) {
+                const { sanitized: sanParams, payload_sha256, keys } = sanitizeRpcPayload(parsed.params);
+                sanitized.params_keys = keys;
+                sanitized.params_sha256 = payload_sha256;
+                // Don't include sanitized params - just keys and hash
+            }
+            if (parsed.result !== undefined) {
+                const resultHash = hashValue(parsed.result);
+                sanitized.result_sha256 = resultHash;
+                sanitized.result_type = typeof parsed.result;
+            }
+            if (parsed.error) {
+                // Error codes/messages are generally safe
+                sanitized.error_code = parsed.error.code;
+                sanitized.error_message = sanitize(parsed.error.message).value;
+            }
+            // Method name is safe
+            if (parsed.method) {
+                sanitized.method = parsed.method;
+            }
+        }
+        catch {
+            // If parsing fails, just note that
+            sanitized.raw_json_parse_error = true;
+        }
+    }
+    return sanitized;
+}
+/**
+ * Compute SHA-256 hash of file contents
+ */
+export function hashFileContent(content) {
+    return createHash('sha256').update(content).digest('hex');
+}
+//# sourceMappingURL=sanitizer.js.map

package/dist/popl/sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizer.js","sourceRoot":"","sources":["../../src/popl/sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,2CAA2C;AAC3C,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC;AAE3C,qEAAqE;AACrE,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC,qCAAqC;AACrC,MAAM,aAAa,GAAG,iBAAiB,CAAC;AAExC,uCAAuC;AACvC,MAAM,eAAe,GAAG,mBAAmB,CAAC;AAE5C,qDAAqD;AACrD,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAE1C;;GAEG;AACH,MAAM,aAAa,GAAG;IACpB,kCAAkC;IAClC,sBAAsB;IACtB,0BAA0B;IAC1B,eAAe;IACf,4CAA4C;IAC5C,0EAA0E;IAC1E,6DAA6D;IAC7D,kCAAkC;CACnC,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,gBAAgB;IAChB,uBAAuB;IACvB,WAAW;IACX,UAAU;IACV,WAAW;IACX,aAAa;IACb,WAAW;IACX,cAAc;IACd,oBAAoB;IACpB,qBAAqB;IACrB,sBAAsB;IACtB,6BAA6B;IAC7B,WAAW;IACX,cAAc;IACd,UAAU;CACX,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAG;IAC5B,gBAAgB;IAChB,4BAA4B;IAC5B,uBAAuB;IACvB,2BAA2B;IAC3B,0CAA0C;IAC1C,wDAAwD;IACxD,uCAAuC;IACvC,sBAAsB;IACtB,cAAc;IACd,sBAAsB;IACtB,4CAA4C;IAC5C,yBAAyB;IACzB,oBAAoB;IACpB,wBAAwB;CACzB,CAAC;AAcF;;;GAGG;AACH,SAAS,cAAc,CAAC,KAAa;IACnC,qCAAqC;IACrC,IAAI,KAAK,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,qCAAqC;IACrC,IAAI,GAAG,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,qCAAqC;IACrC,IAAI,KAAK,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CACtB,KAAc,EACd,UAA0D,EAAE;IAE5D,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAA+B,CAAC;IAElE,SAAS,OAAO,CAAC,GAAY,EAAE,GAAY;QACzC,8BAA8B;QAC9B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtC,OAAO,GAAG,CAAC;QACb,CAAC;QAED,oBAAoB;QACpB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,kBAAkB;YAClB,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,aAAa,EAAE,CAAC;gBAChB,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC/B,OAAO,aAAa,CAAC;YACvB,CAAC;YAED,0BAA0B;YAC1B,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvB,aAAa,EAAE,CAAC;gBAChB,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACjC,OAAO,eAAe,CAAC;YACzB,CAAC;YAED,+BAA+B;YAC/B,IAAI,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9C,aAAa,EAAE,CAAC;gBAChB,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACjC,OAAO,eAAe,CAAC;YACzB,CAAC;YAED,OAAO,GAAG,CAAC;QACb,CAAC;QAED,mBAAmB;QACnB,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,oBAAoB;QACpB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzC,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC5B,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,4CAA4C;QAC5C,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACvD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,kBAAkB,EAAE,CAAC;AACjE,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAmD;IAMnD,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC9C,OAAO;YACL,SAAS,EAAE,IAAI;YACf,cAAc,EAAE,SAAS,CAAC,IAAI,CAAC;YAC/B,IAAI,EAAE,EAAE;SACT,CAAC;IACJ,CAAC;IAED,0CAA0C;IAC1C,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAE1C,eAAe;IACf,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAElC,6CAA6C;IAC7C,MAAM,SAAS,GAA4B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,CAAC,GAAG;YACf,KAAK,EAAE,OAAO,KAAK;YACnB,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC;SACxB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,IAA6B;IAE7B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC9B,OAAO,MAAM,CAAC,KAAgC,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAWhC;IACC,iCAAiC;IACjC,MAAM,SAAS,GAA4B;QACzC,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;QAC7D,YAAY,EAAE,KAAK,CAAC,YAAY;KACjC,CAAC;IAEF,8BAA8B;IAC9B,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAE1C,+CAA+C;YAC/C,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,kBAAkB,CACvE,MAAM,CAAC,MAAiC,CACzC,CAAC;gBACF,SAAS,CAAC,WAAW,GAAG,IAAI,CAAC;gBAC7B,SAAS,CAAC,aAAa,GAAG,cAAc,CAAC;gBACzC,sDAAsD;YACxD,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChC,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBAC5C,SAAS,CAAC,aAAa,GAAG,UAAU,CAAC;gBACrC,SAAS,CAAC,WAAW,GAAG,OAAO,MAAM,CAAC,MAAM,CAAC;YAC/C,CAAC;YAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,0CAA0C;gBAC1C,SAAS,CAAC,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;gBACzC,SAAS,CAAC,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC;YACjE,CAAC;YAED,sBAAsB;YACtB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,SAAS,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YACnC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;YACnC,SAAS,CAAC,oBAAoB,GAAG,IAAI,CAAC;QACxC,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAwB;IACtD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC"}

package/dist/popl/service.d.ts

@@ -0,0 +1,46 @@
+/**
+ * POPL Service Layer (Phase 6.0)
+ *
+ * Core service for POPL entry generation.
+ * Shared by CLI and shell - neither knows about @references.
+ */
+import { type PoplDocument, type PoplConfig, type CreatePoplOptions, type CreatePoplResult } from './types.js';
+/**
+ * Check if .popl directory exists
+ */
+export declare function hasPoplDir(root: string): boolean;
+/**
+ * Get path to .popl directory
+ */
+export declare function getPoplDir(root: string): string;
+/**
+ * Get path to popl_entries directory
+ */
+export declare function getPoplEntriesDir(root: string): string;
+/**
+ * Initialize .popl directory structure
+ */
+export declare function initPoplDir(root: string): Promise<void>;
+/**
+ * Load POPL config from .popl/config.json
+ * Returns empty config with warning on parse error.
+ */
+export declare function loadPoplConfig(root: string): Promise<PoplConfig>;
+/**
+ * Create a POPL entry for a session
+ *
+ * This is the core service function called by both CLI and shell.
+ */
+export declare function createSessionPoplEntry(sessionId: string, configDir: string, options: Omit<CreatePoplOptions, 'kind' | 'ids'>): Promise<CreatePoplResult>;
+/**
+ * List existing POPL entries
+ */
+export declare function listPoplEntries(root: string): Promise<{
+    id: string;
+    path: string;
+}[]>;
+/**
+ * Read a POPL entry document
+ */
+export declare function readPoplEntry(entryPath: string): Promise<PoplDocument | null>;
+//# sourceMappingURL=service.d.ts.map

package/dist/popl/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../src/popl/service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,EAGL,KAAK,YAAY,EAEjB,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EAGtB,MAAM,YAAY,CAAC;AAapB;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEhD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAkB7D;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAiBtE;AA8BD;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,IAAI,CAAC,iBAAiB,EAAE,MAAM,GAAG,KAAK,CAAC,GAC/C,OAAO,CAAC,gBAAgB,CAAC,CA2G3B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,CAAC,CAgBzC;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAanF"}

package/dist/popl/service.js

@@ -0,0 +1,231 @@
+/**
+ * POPL Service Layer (Phase 6.0)
+ *
+ * Core service for POPL entry generation.
+ * Shared by CLI and shell - neither knows about @references.
+ */
+import { mkdir, writeFile, readFile } from 'fs/promises';
+import { existsSync } from 'fs';
+import { join, relative, isAbsolute } from 'path';
+import { ulid } from 'ulid';
+import * as yaml from 'yaml';
+import { POPL_VERSION, TRUST_LABELS, } from './types.js';
+import { generateSessionArtifacts } from './artifacts.js';
+import { SANITIZER_RULESET_VERSION } from './sanitizer.js';
+/** POPL directory name */
+const POPL_DIR = '.popl';
+/** POPL entries subdirectory */
+const POPL_ENTRIES_DIR = 'popl_entries';
+/** POPL config filename */
+const POPL_CONFIG_FILE = 'config.json';
+/**
+ * Check if .popl directory exists
+ */
+export function hasPoplDir(root) {
+    return existsSync(join(root, POPL_DIR));
+}
+/**
+ * Get path to .popl directory
+ */
+export function getPoplDir(root) {
+    return join(root, POPL_DIR);
+}
+/**
+ * Get path to popl_entries directory
+ */
+export function getPoplEntriesDir(root) {
+    return join(root, POPL_DIR, POPL_ENTRIES_DIR);
+}
+/**
+ * Initialize .popl directory structure
+ */
+export async function initPoplDir(root) {
+    const poplDir = getPoplDir(root);
+    const entriesDir = getPoplEntriesDir(root);
+    // Create directories
+    await mkdir(entriesDir, { recursive: true });
+    // Create default config if not exists
+    const configPath = join(poplDir, POPL_CONFIG_FILE);
+    if (!existsSync(configPath)) {
+        const defaultConfig = {
+            author: {
+                name: 'Unknown',
+            },
+            redaction: 'default',
+        };
+        await writeFile(configPath, JSON.stringify(defaultConfig, null, 2), 'utf-8');
+    }
+}
+/**
+ * Load POPL config from .popl/config.json
+ * Returns empty config with warning on parse error.
+ */
+export async function loadPoplConfig(root) {
+    const configPath = join(getPoplDir(root), POPL_CONFIG_FILE);
+    if (!existsSync(configPath)) {
+        return {};
+    }
+    try {
+        const content = await readFile(configPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch (error) {
+        // Log warning for invalid config (don't fail silently)
+        console.warn(`Warning: Failed to parse .popl/config.json: ${error instanceof Error ? error.message : String(error)}`);
+        return {};
+    }
+}
+/**
+ * Convert absolute path to relative path for POPL output
+ * Ensures no absolute paths leak into POPL.yml
+ */
+function toRelativePath(absolutePath, baseDir) {
+    if (!isAbsolute(absolutePath)) {
+        return absolutePath;
+    }
+    return relative(baseDir, absolutePath);
+}
+/**
+ * Generate default title for a POPL entry
+ */
+function generateDefaultTitle(kind, connectorId, timestamp) {
+    const dateStr = timestamp.toISOString().slice(0, 19).replace('T', ' ');
+    const kindLabel = kind.charAt(0).toUpperCase() + kind.slice(1);
+    if (connectorId) {
+        return `MCP ${kindLabel} POPL Entry ${connectorId} ${dateStr}`;
+    }
+    return `MCP ${kindLabel} POPL Entry ${dateStr}`;
+}
+/**
+ * Create a POPL entry for a session
+ *
+ * This is the core service function called by both CLI and shell.
+ */
+export async function createSessionPoplEntry(sessionId, configDir, options) {
+    const { outputRoot, title, author, unsafeIncludeRaw = false } = options;
+    // Validate .popl exists
+    if (!hasPoplDir(outputRoot)) {
+        return {
+            success: false,
+            error: '.popl directory not found. Run "pfscan popl init" first.',
+        };
+    }
+    try {
+        // Generate artifacts and get session info
+        const { artifacts, session, summary } = await generateSessionArtifacts(sessionId, configDir);
+        // Generate entry ID
+        const entryId = ulid();
+        // Create entry directory
+        const entryPath = join(getPoplEntriesDir(outputRoot), entryId);
+        await mkdir(entryPath, { recursive: true });
+        // Write artifacts
+        const artifactList = [artifacts.status, artifacts.rpc, artifacts.validation];
+        if (artifacts.logs) {
+            artifactList.push(artifacts.logs);
+        }
+        for (const artifact of artifactList) {
+            const artifactPath = join(entryPath, artifact.artifact.path);
+            await writeFile(artifactPath, artifact.content, 'utf-8');
+        }
+        // Load config for author
+        const config = await loadPoplConfig(outputRoot);
+        const effectiveAuthor = author || config.author || { name: 'Unknown' };
+        // Generate title
+        const createdAt = new Date();
+        const effectiveTitle = title || generateDefaultTitle('session', session.connector_id, createdAt);
+        // Build POPL document
+        const poplDoc = {
+            popl: POPL_VERSION,
+            entry: {
+                id: entryId,
+                created_at: createdAt.toISOString(),
+                title: effectiveTitle,
+                author: effectiveAuthor,
+                trust: {
+                    level: 0,
+                    label: TRUST_LABELS[0],
+                },
+            },
+            target: {
+                kind: 'session',
+                name: 'session',
+                ids: {
+                    connector_id: session.connector_id,
+                    session_id: session.session_id,
+                },
+            },
+            capture: {
+                window: {
+                    started_at: session.started_at,
+                    ended_at: session.ended_at || createdAt.toISOString(),
+                },
+                summary,
+                mcp: {
+                    servers: [
+                        {
+                            name: session.connector_id,
+                        },
+                    ],
+                },
+            },
+            evidence: {
+                policy: {
+                    redaction: unsafeIncludeRaw ? 'none' : 'default',
+                    ruleset_version: SANITIZER_RULESET_VERSION,
+                },
+                artifacts: artifactList.map((a) => a.artifact),
+            },
+        };
+        // Write POPL.yml
+        const poplYmlPath = join(entryPath, 'POPL.yml');
+        const poplYmlContent = yaml.stringify(poplDoc);
+        await writeFile(poplYmlPath, poplYmlContent, 'utf-8');
+        // Return relative paths for display (avoid leaking absolute paths)
+        return {
+            success: true,
+            entryId,
+            entryPath: toRelativePath(entryPath, outputRoot),
+            poplYmlPath: toRelativePath(poplYmlPath, outputRoot),
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+/**
+ * List existing POPL entries
+ */
+export async function listPoplEntries(root) {
+    const entriesDir = getPoplEntriesDir(root);
+    if (!existsSync(entriesDir)) {
+        return [];
+    }
+    const { readdir } = await import('fs/promises');
+    const entries = await readdir(entriesDir, { withFileTypes: true });
+    return entries
+        .filter((e) => e.isDirectory())
+        .map((e) => ({
+        id: e.name,
+        path: join(entriesDir, e.name),
+    }));
+}
+/**
+ * Read a POPL entry document
+ */
+export async function readPoplEntry(entryPath) {
+    const poplYmlPath = join(entryPath, 'POPL.yml');
+    if (!existsSync(poplYmlPath)) {
+        return null;
+    }
+    try {
+        const content = await readFile(poplYmlPath, 'utf-8');
+        return yaml.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=service.js.map

package/dist/popl/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../src/popl/service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,IAAI,EAAW,QAAQ,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,OAAO,EACL,YAAY,EACZ,YAAY,GAQb,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,yBAAyB,EAAE,MAAM,gBAAgB,CAAC;AAE3D,0BAA0B;AAC1B,MAAM,QAAQ,GAAG,OAAO,CAAC;AAEzB,gCAAgC;AAChC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAExC,2BAA2B;AAC3B,MAAM,gBAAgB,GAAG,aAAa,CAAC;AAEvC;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAO,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAE3C,qBAAqB;IACrB,MAAM,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE7C,sCAAsC;IACtC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAe;YAChC,MAAM,EAAE;gBACN,IAAI,EAAE,SAAS;aAChB;YACD,SAAS,EAAE,SAAS;SACrB,CAAC;QACF,MAAM,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAY;IAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,gBAAgB,CAAC,CAAC;IAE5D,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,uDAAuD;QACvD,OAAO,CAAC,IAAI,CACV,+CAA+C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACxG,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,YAAoB,EAAE,OAAe;IAC3D,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,IAAgB,EAChB,WAA+B,EAC/B,SAAe;IAEf,MAAM,OAAO,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE/D,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,OAAO,SAAS,eAAe,WAAW,IAAI,OAAO,EAAE,CAAC;IACjE,CAAC;IACD,OAAO,OAAO,SAAS,eAAe,OAAO,EAAE,CAAC;AAClD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,SAAiB,EACjB,SAAiB,EACjB,OAAgD;IAEhD,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAExE,wBAAwB;IACxB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,0DAA0D;SAClE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,0CAA0C;QAC1C,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,MAAM,wBAAwB,CACpE,SAAS,EACT,SAAS,CACV,CAAC;QAEF,oBAAoB;QACpB,MAAM,OAAO,GAAG,IAAI,EAAE,CAAC;QAEvB,yBAAyB;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;QAC/D,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE5C,kBAAkB;QAClB,MAAM,YAAY,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7E,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACnB,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACpC,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7D,MAAM,SAAS,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC3D,CAAC;QAED,yBAAyB;QACzB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,eAAe,GAAe,MAAM,IAAI,MAAM,CAAC,MAAM,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAEnF,iBAAiB;QACjB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,cAAc,GAClB,KAAK,IAAI,oBAAoB,CAAC,SAAS,EAAE,OAAO,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAE5E,sBAAsB;QACtB,MAAM,OAAO,GAAiB;YAC5B,IAAI,EAAE,YAAY;YAClB,KAAK,EAAE;gBACL,EAAE,EAAE,OAAO;gBACX,UAAU,EAAE,SAAS,CAAC,WAAW,EAAE;gBACnC,KAAK,EAAE,cAAc;gBACrB,MAAM,EAAE,eAAe;gBACvB,KAAK,EAAE;oBACL,KAAK,EAAE,CAAe;oBACtB,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC;iBACvB;aACF;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,SAAS;gBACf,GAAG,EAAE;oBACH,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU,EAAE,OAAO,CAAC,UAAU;iBAC/B;aACF;YACD,OAAO,EAAE;gBACP,MAAM,EAAE;oBACN,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC,WAAW,EAAE;iBACtD;gBACD,OAAO;gBACP,GAAG,EAAE;oBACH,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,OAAO,CAAC,YAAY;yBAC3B;qBACF;iBACF;aACF;YACD,QAAQ,EAAE;gBACR,MAAM,EAAE;oBACN,SAAS,EAAE,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;oBAChD,eAAe,EAAE,yBAAyB;iBAC3C;gBACD,SAAS,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;aAC/C;SACF,CAAC;QAEF,iBAAiB;QACjB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,SAAS,CAAC,WAAW,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;QAEtD,mEAAmE;QACnE,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO;YACP,SAAS,EAAE,cAAc,CAAC,SAAS,EAAE,UAAU,CAAC;YAChD,WAAW,EAAE,cAAc,CAAC,WAAW,EAAE,UAAU,CAAC;SACrD,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAY;IAEZ,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAE3C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAEnE,OAAO,OAAO;SACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;SAC9B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,EAAE,EAAE,CAAC,CAAC,IAAI;QACV,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC;KAC/B,CAAC,CAAC,CAAC;AACR,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEhD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAiB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}