safari-pilot 0.1.0

package/dist/security/kill-switch.js

@@ -0,0 +1,103 @@
+import { KillSwitchActiveError } from '../errors.js';
+// ─── KillSwitch ──────────────────────────────────────────────────────────────
+export class KillSwitch {
+    _active = false;
+    _reason;
+    _activatedAt;
+    auditLog;
+    threshold;
+    errorWindow = [];
+    constructor(options) {
+        this.auditLog = options?.auditLog;
+        this.threshold = options?.autoActivation;
+    }
+    // ── Core API ────────────────────────────────────────────────────────────────
+    /**
+     * Activate the kill switch. All subsequent `checkBeforeAction` calls will
+     * throw `KillSwitchActiveError` until `deactivate` is called.
+     */
+    activate(reason) {
+        this._active = true;
+        this._reason = reason;
+        this._activatedAt = new Date().toISOString();
+        this.auditLog?.record({
+            tool: 'kill_switch',
+            tabUrl: '',
+            engine: 'applescript',
+            params: { action: 'activate', reason },
+            result: 'ok',
+            elapsed_ms: 0,
+            session: 'kill-switch',
+        });
+    }
+    /**
+     * Deactivate the kill switch, re-enabling automation.
+     */
+    deactivate() {
+        const wasActive = this._active;
+        this._active = false;
+        this._reason = undefined;
+        this._activatedAt = undefined;
+        this.errorWindow.length = 0;
+        if (wasActive) {
+            this.auditLog?.record({
+                tool: 'kill_switch',
+                tabUrl: '',
+                engine: 'applescript',
+                params: { action: 'deactivate' },
+                result: 'ok',
+                elapsed_ms: 0,
+                session: 'kill-switch',
+            });
+        }
+    }
+    /**
+     * Returns true if the kill switch is currently active.
+     */
+    isActive() {
+        return this._active;
+    }
+    /**
+     * Returns the current activation state including reason and timestamp.
+     */
+    getActivation() {
+        if (!this._active) {
+            return { active: false };
+        }
+        return {
+            active: true,
+            reason: this._reason,
+            activatedAt: this._activatedAt,
+        };
+    }
+    // ── Guard ────────────────────────────────────────────────────────────────────
+    /**
+     * Call before every automation action. Throws `KillSwitchActiveError` if the
+     * kill switch is active, otherwise returns normally.
+     */
+    checkBeforeAction() {
+        if (this._active) {
+            throw new KillSwitchActiveError(this._reason ?? 'kill switch activated');
+        }
+    }
+    // ── Auto-activation ──────────────────────────────────────────────────────────
+    /**
+     * Record an error event. If the configured threshold is exceeded within the
+     * rolling window, the kill switch auto-activates.
+     */
+    recordError() {
+        if (!this.threshold)
+            return;
+        const now = Date.now();
+        const windowStart = now - this.threshold.windowSeconds * 1000;
+        // Evict timestamps outside the rolling window
+        while (this.errorWindow.length > 0 && this.errorWindow[0].at < windowStart) {
+            this.errorWindow.shift();
+        }
+        this.errorWindow.push({ at: now });
+        if (this.errorWindow.length >= this.threshold.maxErrors) {
+            this.activate(`Auto-activated: ${this.errorWindow.length} errors in ${this.threshold.windowSeconds}s window`);
+        }
+    }
+}
+//# sourceMappingURL=kill-switch.js.map

package/dist/security/kill-switch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kill-switch.js","sourceRoot":"","sources":["../../src/security/kill-switch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AA4BrD,gFAAgF;AAEhF,MAAM,OAAO,UAAU;IACb,OAAO,GAAG,KAAK,CAAC;IAChB,OAAO,CAAqB;IAC5B,YAAY,CAAqB;IAExB,QAAQ,CAAuB;IAC/B,SAAS,CAAsC;IAC/C,WAAW,GAAqB,EAAE,CAAC;IAEpD,YAAY,OAGX;QACC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,OAAO,EAAE,cAAc,CAAC;IAC3C,CAAC;IAED,+EAA+E;IAE/E;;;OAGG;IACH,QAAQ,CAAC,MAAc;QACrB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE7C,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC;YACpB,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,EAAE;YACV,MAAM,EAAE,aAAa;YACrB,MAAM,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE;YACtC,MAAM,EAAE,IAAI;YACZ,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,aAAa;SACvB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,UAAU;QACR,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;QAC9B,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;QAE5B,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC;gBACpB,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,aAAa;gBACrB,MAAM,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBAChC,MAAM,EAAE,IAAI;gBACZ,UAAU,EAAE,CAAC;gBACb,OAAO,EAAE,aAAa;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa;QACX,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,WAAW,EAAE,IAAI,CAAC,YAAY;SAC/B,CAAC;IACJ,CAAC;IAED,gFAAgF;IAEhF;;;OAGG;IACH,iBAAiB;QACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,qBAAqB,CAAC,IAAI,CAAC,OAAO,IAAI,uBAAuB,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,gFAAgF;IAEhF;;;OAGG;IACH,WAAW;QACT,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO;QAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,GAAG,IAAI,CAAC;QAE9D,8CAA8C;QAC9C,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAE,CAAC,EAAE,GAAG,WAAW,EAAE,CAAC;YAC5E,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;QAC3B,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAEnC,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACxD,IAAI,CAAC,QAAQ,CACX,mBAAmB,IAAI,CAAC,WAAW,CAAC,MAAM,cAAc,IAAI,CAAC,SAAS,CAAC,aAAa,UAAU,CAC/F,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/security/rate-limiter.d.ts

@@ -0,0 +1,30 @@
+export interface CheckResult {
+    allowed: boolean;
+    remaining: number;
+    resetMs: number;
+}
+export declare class RateLimiter {
+    private windows;
+    private domainLimits;
+    setDomainLimit(domain: string, limit: number): void;
+    /**
+     * Check if an action is allowed for the given domain.
+     * Does NOT record the action — call recordAction() separately.
+     */
+    checkLimit(domain: string): CheckResult;
+    /**
+     * Record an action for the given domain.
+     * Throws RateLimitedError if the limit has already been reached.
+     */
+    recordAction(domain: string): void;
+    /**
+     * Returns the count of recorded actions for a domain in the current window.
+     */
+    getCount(domain: string): number;
+    private limitFor;
+    /**
+     * Remove entries older than the 60-second window and return the live list.
+     * Mutates the map in-place for efficiency.
+     */
+    private prune;
+}

package/dist/security/rate-limiter.js

@@ -0,0 +1,70 @@
+import { RateLimitedError } from '../errors.js';
+// ─── RateLimiter ──────────────────────────────────────────────────────────────
+//
+// Sliding-window rate limiter. Tracks action timestamps per domain in the last
+// 60 seconds. Enforces a global default limit and per-domain overrides.
+const WINDOW_MS = 60_000; // 60-second sliding window
+const GLOBAL_DEFAULT_LIMIT = 120; // actions per 60 seconds
+export class RateLimiter {
+    // domain → sorted list of timestamp (ms) entries within the window
+    windows = new Map();
+    // per-domain limit overrides (set from DomainPolicy)
+    domainLimits = new Map();
+    // ── Configuration ───────────────────────────────────────────────────────────
+    setDomainLimit(domain, limit) {
+        this.domainLimits.set(domain, limit);
+    }
+    // ── Core operations ─────────────────────────────────────────────────────────
+    /**
+     * Check if an action is allowed for the given domain.
+     * Does NOT record the action — call recordAction() separately.
+     */
+    checkLimit(domain) {
+        const now = Date.now();
+        const entries = this.prune(domain, now);
+        const limit = this.limitFor(domain);
+        const count = entries.length;
+        const allowed = count < limit;
+        const remaining = Math.max(0, limit - count);
+        // Time until the oldest entry would fall out of the window
+        const resetMs = entries.length > 0 ? Math.max(0, entries[0] + WINDOW_MS - now) : 0;
+        return { allowed, remaining, resetMs };
+    }
+    /**
+     * Record an action for the given domain.
+     * Throws RateLimitedError if the limit has already been reached.
+     */
+    recordAction(domain) {
+        const now = Date.now();
+        const entries = this.prune(domain, now);
+        const limit = this.limitFor(domain);
+        if (entries.length >= limit) {
+            throw new RateLimitedError(domain, limit);
+        }
+        entries.push(now);
+        this.windows.set(domain, entries);
+    }
+    /**
+     * Returns the count of recorded actions for a domain in the current window.
+     */
+    getCount(domain) {
+        const now = Date.now();
+        return this.prune(domain, now).length;
+    }
+    // ── Internal helpers ────────────────────────────────────────────────────────
+    limitFor(domain) {
+        return this.domainLimits.get(domain) ?? GLOBAL_DEFAULT_LIMIT;
+    }
+    /**
+     * Remove entries older than the 60-second window and return the live list.
+     * Mutates the map in-place for efficiency.
+     */
+    prune(domain, now) {
+        const entries = this.windows.get(domain) ?? [];
+        const cutoff = now - WINDOW_MS;
+        const pruned = entries.filter((ts) => ts > cutoff);
+        this.windows.set(domain, pruned);
+        return pruned;
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/security/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,iFAAiF;AACjF,EAAE;AACF,+EAA+E;AAC/E,wEAAwE;AAExE,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,2BAA2B;AACrD,MAAM,oBAAoB,GAAG,GAAG,CAAC,CAAC,yBAAyB;AAQ3D,MAAM,OAAO,WAAW;IACtB,mEAAmE;IAC3D,OAAO,GAA0B,IAAI,GAAG,EAAE,CAAC;IACnD,qDAAqD;IAC7C,YAAY,GAAwB,IAAI,GAAG,EAAE,CAAC;IAEtD,+EAA+E;IAE/E,cAAc,CAAC,MAAc,EAAE,KAAa;QAC1C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,+EAA+E;IAE/E;;;OAGG;IACH,UAAU,CAAC,MAAc;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,MAAM,OAAO,GAAG,KAAK,GAAG,KAAK,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,CAAC;QAE7C,2DAA2D;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAE,GAAG,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IACzC,CAAC;IAED;;;OAGG;IACH,YAAY,CAAC,MAAc;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEpC,IAAI,OAAO,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;YAC5B,MAAM,IAAI,gBAAgB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,MAAc;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,CAAC;IAED,+EAA+E;IAEvE,QAAQ,CAAC,MAAc;QAC7B,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,oBAAoB,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,MAAc,EAAE,GAAW;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC;QAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,GAAG,MAAM,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/security/screenshot-redaction.d.ts

@@ -0,0 +1,42 @@
+export interface Rect {
+    x: number;
+    y: number;
+    width: number;
+    height: number;
+}
+export interface IframeInfo {
+    src: string;
+    rect: Rect;
+    crossOrigin: boolean;
+}
+export interface PageInfo {
+    iframes: IframeInfo[];
+}
+export interface SensitiveRegion {
+    rect: Rect;
+    reason: string;
+}
+export declare class ScreenshotRedaction {
+    /**
+     * Analyse page metadata and return regions that must be redacted.
+     *
+     * Rules applied (in order):
+     *   - Cross-origin iframes are always flagged — their content cannot be
+     *     inspected and may contain sensitive third-party UI.
+     *   - Banking-domain iframes are flagged even if same-origin is claimed,
+     *     because financial data warrants extra caution.
+     *
+     * Same-origin, non-banking iframes are considered safe and are not flagged.
+     */
+    identifySensitiveRegions(pageInfo: PageInfo): SensitiveRegion[];
+    /**
+     * Return JavaScript that should be evaluated in the page context before the
+     * screenshot is captured.
+     *
+     * The script locates sensitive elements (cross-origin iframes, password
+     * inputs) and temporarily applies `filter: blur(20px)` so the screenshot
+     * captures already-blurred content. A cleanup function is attached to
+     * `window.__redactionCleanup` for callers to call after the screenshot.
+     */
+    getRedactionScript(): string;
+}

package/dist/security/screenshot-redaction.js

@@ -0,0 +1,134 @@
+// ─── ScreenshotRedaction ─────────────────────────────────────────────────────
+//
+// Identifies sensitive regions in screenshots that must be redacted before
+// the image is surfaced to downstream consumers.
+//
+// Redaction happens in two stages:
+//   1. `identifySensitiveRegions` — server-side analysis of page metadata
+//      (iframe origins, DOM field types) to locate what must be hidden.
+//   2. `getRedactionScript` — client-side JS injected before capture that adds
+//      a CSS blur overlay to sensitive elements, so they are blurred in the
+//      raw screenshot rather than cropped after the fact.
+// ─── Banking domain patterns ───────────────────────────────────────────────────
+const BANKING_DOMAIN_PATTERNS = [
+    /bank(ofamerica|ofengland|west|\.com)/i,
+    /chase\.com/i,
+    /wellsfargo\.com/i,
+    /citibank\.com/i,
+    /hsbc\.com/i,
+    /barclays\.com/i,
+    /paypal\.com/i,
+    /stripe\.com/i,
+];
+function isBankingDomain(src) {
+    try {
+        const hostname = new URL(src).hostname;
+        return BANKING_DOMAIN_PATTERNS.some((p) => p.test(hostname));
+    }
+    catch {
+        return false;
+    }
+}
+// ─── ScreenshotRedaction ──────────────────────────────────────────────────────
+export class ScreenshotRedaction {
+    /**
+     * Analyse page metadata and return regions that must be redacted.
+     *
+     * Rules applied (in order):
+     *   - Cross-origin iframes are always flagged — their content cannot be
+     *     inspected and may contain sensitive third-party UI.
+     *   - Banking-domain iframes are flagged even if same-origin is claimed,
+     *     because financial data warrants extra caution.
+     *
+     * Same-origin, non-banking iframes are considered safe and are not flagged.
+     */
+    identifySensitiveRegions(pageInfo) {
+        const regions = [];
+        for (const iframe of pageInfo.iframes) {
+            if (iframe.crossOrigin) {
+                regions.push({
+                    rect: iframe.rect,
+                    reason: 'Cross-origin iframe content cannot be inspected and must be redacted',
+                });
+                continue; // already flagged — no need for additional banking check
+            }
+            if (isBankingDomain(iframe.src)) {
+                regions.push({
+                    rect: iframe.rect,
+                    reason: 'Banking-domain iframe content must be redacted for financial privacy',
+                });
+            }
+        }
+        return regions;
+    }
+    /**
+     * Return JavaScript that should be evaluated in the page context before the
+     * screenshot is captured.
+     *
+     * The script locates sensitive elements (cross-origin iframes, password
+     * inputs) and temporarily applies `filter: blur(20px)` so the screenshot
+     * captures already-blurred content. A cleanup function is attached to
+     * `window.__redactionCleanup` for callers to call after the screenshot.
+     */
+    getRedactionScript() {
+        return `
+(function () {
+  var BLUR_STYLE = 'filter: blur(20px) !important; pointer-events: none;';
+  var ATTR = 'data-safari-pilot-redacted';
+  var affected = [];
+
+  function redact(el) {
+    if (el.hasAttribute(ATTR)) return;
+    var prev = el.getAttribute('style') || '';
+    el.setAttribute(ATTR, prev);
+    el.setAttribute('style', (prev ? prev + '; ' : '') + BLUR_STYLE);
+    affected.push(el);
+  }
+
+  // 1. All iframes — cross-origin frames cannot be origin-checked from JS,
+  //    so redact all iframes as a conservative default.
+  var iframes = document.querySelectorAll('iframe');
+  for (var i = 0; i < iframes.length; i++) {
+    redact(iframes[i]);
+  }
+
+  // 2. Password input fields
+  var passwords = document.querySelectorAll('input[type="password"]');
+  for (var j = 0; j < passwords.length; j++) {
+    redact(passwords[j]);
+  }
+
+  // 3. Sensitive input fields by name/id attributes
+  var sensitiveSelectors = [
+    'input[name*="card"]',
+    'input[name*="cvv"]',
+    'input[name*="ssn"]',
+    'input[name*="account"]',
+    'input[autocomplete="cc-number"]',
+    'input[autocomplete="cc-csc"]',
+  ].join(', ');
+  var sensitiveInputs = document.querySelectorAll(sensitiveSelectors);
+  for (var k = 0; k < sensitiveInputs.length; k++) {
+    redact(sensitiveInputs[k]);
+  }
+
+  // Cleanup: restore original styles
+  window.__redactionCleanup = function () {
+    for (var n = 0; n < affected.length; n++) {
+      var el = affected[n];
+      var orig = el.getAttribute(ATTR) || '';
+      if (orig) {
+        el.setAttribute('style', orig);
+      } else {
+        el.removeAttribute('style');
+      }
+      el.removeAttribute(ATTR);
+    }
+    affected = [];
+    delete window.__redactionCleanup;
+  };
+})();
+`.trim();
+    }
+}
+//# sourceMappingURL=screenshot-redaction.js.map

package/dist/security/screenshot-redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"screenshot-redaction.js","sourceRoot":"","sources":["../../src/security/screenshot-redaction.ts"],"names":[],"mappings":"AAAA,gFAAgF;AAChF,EAAE;AACF,2EAA2E;AAC3E,iDAAiD;AACjD,EAAE;AACF,mCAAmC;AACnC,0EAA0E;AAC1E,wEAAwE;AACxE,+EAA+E;AAC/E,4EAA4E;AAC5E,0DAA0D;AAwB1D,kFAAkF;AAElF,MAAM,uBAAuB,GAAa;IACxC,uCAAuC;IACvC,aAAa;IACb,kBAAkB;IAClB,gBAAgB;IAChB,YAAY;IACZ,gBAAgB;IAChB,cAAc;IACd,cAAc;CACf,CAAC;AAEF,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACvC,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,MAAM,OAAO,mBAAmB;IAC9B;;;;;;;;;;OAUG;IACH,wBAAwB,CAAC,QAAkB;QACzC,MAAM,OAAO,GAAsB,EAAE,CAAC;QAEtC,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,MAAM,EAAE,sEAAsE;iBAC/E,CAAC,CAAC;gBACH,SAAS,CAAC,yDAAyD;YACrE,CAAC;YAED,IAAI,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,MAAM,EAAE,sEAAsE;iBAC/E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACH,kBAAkB;QAChB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyDV,CAAC,IAAI,EAAE,CAAC;IACP,CAAC;CACF"}

package/dist/security/tab-ownership.d.ts

@@ -0,0 +1,46 @@
+import type { TabId } from '../types.js';
+export declare class TabOwnership {
+    private ownedTabs;
+    private preExistingTabs;
+    /**
+     * Compute a numeric TabId from Safari's 1-based window/tab indices.
+     * Formula: windowIndex * 1000 + tabIndex
+     */
+    static makeTabId(windowIndex: number, tabIndex: number): TabId;
+    /**
+     * Record a tab that existed before this agent session started.
+     * Pre-existing tabs are NOT agent-owned and cannot be interacted with.
+     */
+    recordPreExisting(tabId: TabId): void;
+    /**
+     * Register a tab as agent-opened. Call this immediately after open_tab.
+     */
+    registerTab(tabId: TabId, url: string): void;
+    /**
+     * Remove a tab from the registry when it is closed.
+     */
+    removeTab(tabId: TabId): void;
+    /**
+     * Update the tracked URL for an owned tab after navigation.
+     * No-op if the tab is not owned (avoids silently adopting foreign tabs).
+     */
+    updateUrl(tabId: TabId, newUrl: string): void;
+    isOwned(tabId: TabId): boolean;
+    isPreExisting(tabId: TabId): boolean;
+    getUrl(tabId: TabId): string | undefined;
+    /**
+     * Find the TabId for an owned tab by its current URL.
+     * Returns undefined if no owned tab matches the URL.
+     */
+    findByUrl(url: string): TabId | undefined;
+    getOwnedCount(): number;
+    getAllOwned(): Array<{
+        tabId: TabId;
+        url: string;
+    }>;
+    /**
+     * Throws TabNotOwnedError if the tab was not opened by this agent session.
+     * Use this as a pre-condition check before every tool that mutates a tab.
+     */
+    assertOwnership(tabId: TabId): void;
+}

package/dist/security/tab-ownership.js

@@ -0,0 +1,85 @@
+import { TabNotOwnedError } from '../errors.js';
+// ─── TabOwnership ─────────────────────────────────────────────────────────────
+//
+// Tracks which tabs the agent opened vs. tabs that already existed when the
+// session started. Only agent-owned tabs may be interacted with.
+export class TabOwnership {
+    ownedTabs = new Map(); // tabId -> url
+    preExistingTabs = new Set();
+    // ── Static helpers ──────────────────────────────────────────────────────────
+    /**
+     * Compute a numeric TabId from Safari's 1-based window/tab indices.
+     * Formula: windowIndex * 1000 + tabIndex
+     */
+    static makeTabId(windowIndex, tabIndex) {
+        return windowIndex * 1000 + tabIndex;
+    }
+    // ── Session initialisation ──────────────────────────────────────────────────
+    /**
+     * Record a tab that existed before this agent session started.
+     * Pre-existing tabs are NOT agent-owned and cannot be interacted with.
+     */
+    recordPreExisting(tabId) {
+        this.preExistingTabs.add(tabId);
+    }
+    // ── Ownership lifecycle ─────────────────────────────────────────────────────
+    /**
+     * Register a tab as agent-opened. Call this immediately after open_tab.
+     */
+    registerTab(tabId, url) {
+        this.ownedTabs.set(tabId, url);
+    }
+    /**
+     * Remove a tab from the registry when it is closed.
+     */
+    removeTab(tabId) {
+        this.ownedTabs.delete(tabId);
+    }
+    /**
+     * Update the tracked URL for an owned tab after navigation.
+     * No-op if the tab is not owned (avoids silently adopting foreign tabs).
+     */
+    updateUrl(tabId, newUrl) {
+        if (this.ownedTabs.has(tabId)) {
+            this.ownedTabs.set(tabId, newUrl);
+        }
+    }
+    // ── Queries ─────────────────────────────────────────────────────────────────
+    isOwned(tabId) {
+        return this.ownedTabs.has(tabId);
+    }
+    isPreExisting(tabId) {
+        return this.preExistingTabs.has(tabId);
+    }
+    getUrl(tabId) {
+        return this.ownedTabs.get(tabId);
+    }
+    /**
+     * Find the TabId for an owned tab by its current URL.
+     * Returns undefined if no owned tab matches the URL.
+     */
+    findByUrl(url) {
+        for (const [tabId, tabUrl] of this.ownedTabs) {
+            if (tabUrl === url)
+                return tabId;
+        }
+        return undefined;
+    }
+    getOwnedCount() {
+        return this.ownedTabs.size;
+    }
+    getAllOwned() {
+        return Array.from(this.ownedTabs.entries()).map(([tabId, url]) => ({ tabId, url }));
+    }
+    // ── Guard ────────────────────────────────────────────────────────────────────
+    /**
+     * Throws TabNotOwnedError if the tab was not opened by this agent session.
+     * Use this as a pre-condition check before every tool that mutates a tab.
+     */
+    assertOwnership(tabId) {
+        if (!this.ownedTabs.has(tabId)) {
+            throw new TabNotOwnedError(tabId);
+        }
+    }
+}
+//# sourceMappingURL=tab-ownership.js.map

package/dist/security/tab-ownership.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tab-ownership.js","sourceRoot":"","sources":["../../src/security/tab-ownership.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,iFAAiF;AACjF,EAAE;AACF,4EAA4E;AAC5E,iEAAiE;AAEjE,MAAM,OAAO,YAAY;IACf,SAAS,GAAuB,IAAI,GAAG,EAAE,CAAC,CAAC,eAAe;IAC1D,eAAe,GAAe,IAAI,GAAG,EAAE,CAAC;IAEhD,+EAA+E;IAE/E;;;OAGG;IACH,MAAM,CAAC,SAAS,CAAC,WAAmB,EAAE,QAAgB;QACpD,OAAO,WAAW,GAAG,IAAI,GAAG,QAAQ,CAAC;IACvC,CAAC;IAED,+EAA+E;IAE/E;;;OAGG;IACH,iBAAiB,CAAC,KAAY;QAC5B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED,+EAA+E;IAE/E;;OAEG;IACH,WAAW,CAAC,KAAY,EAAE,GAAW;QACnC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,KAAY;QACpB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,KAAY,EAAE,MAAc;QACpC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,+EAA+E;IAE/E,OAAO,CAAC,KAAY;QAClB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,aAAa,CAAC,KAAY;QACxB,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,KAAY;QACjB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,GAAW;QACnB,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7C,IAAI,MAAM,KAAK,GAAG;gBAAE,OAAO,KAAK,CAAC;QACnC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,aAAa;QACX,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;IAC7B,CAAC;IAED,WAAW;QACT,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IACtF,CAAC;IAED,gFAAgF;IAEhF;;;OAGG;IACH,eAAe,CAAC,KAAY;QAC1B,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;CACF"}

package/dist/server.d.ts

@@ -0,0 +1,53 @@
+import type { Engine, ToolResponse, ToolRequirements } from './types.js';
+import { AppleScriptEngine } from './engines/applescript.js';
+import { KillSwitch } from './security/kill-switch.js';
+import { TabOwnership } from './security/tab-ownership.js';
+import { AuditLog } from './security/audit-log.js';
+import { DomainPolicy } from './security/domain-policy.js';
+import { RateLimiter } from './security/rate-limiter.js';
+import { CircuitBreaker } from './security/circuit-breaker.js';
+import { IdpiScanner } from './security/idpi-scanner.js';
+interface ToolDefinition {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    requirements: ToolRequirements;
+    handler: (params: Record<string, unknown>) => Promise<ToolResponse>;
+}
+export declare class SafariPilotServer {
+    private tools;
+    private engines;
+    private engineAvailability;
+    private sessionId;
+    private _engine;
+    readonly killSwitch: KillSwitch;
+    readonly tabOwnership: TabOwnership;
+    readonly auditLog: AuditLog;
+    readonly domainPolicy: DomainPolicy;
+    readonly rateLimiter: RateLimiter;
+    readonly circuitBreaker: CircuitBreaker;
+    readonly idpiScanner: IdpiScanner;
+    constructor();
+    initialize(): Promise<void>;
+    private handleHealthCheck;
+    registerTool(tool: ToolDefinition): void;
+    getToolNames(): string[];
+    callTool(name: string, params: Record<string, unknown>): Promise<ToolResponse>;
+    /**
+     * Execute a tool through the full security pipeline:
+     * kill switch → tab ownership → domain policy → rate limiter →
+     * circuit breaker → tool execution → audit log
+     */
+    executeToolWithSecurity(name: string, params: Record<string, unknown>): Promise<ToolResponse>;
+    getSelectedEngine(requirements: ToolRequirements): Engine;
+    setEngineAvailability(availability: {
+        daemon: boolean;
+        extension: boolean;
+    }): void;
+    getSessionId(): string;
+    getEngine(): AppleScriptEngine | null;
+    start(): Promise<void>;
+    shutdown(): Promise<void>;
+}
+export declare function createServer(): Promise<SafariPilotServer>;
+export {};