sentinel-agentos 0.3.6 → 0.3.8

package/dist/evaluator/profiler.js

@@ -1,117 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AgentProfiler = void 0;
-/**
- * AgentProfiler — builds and maintains the agent's quality profile.
- *
- * Aggregates PreExec + Runtime + PostExec metrics and
- * ImplicitFeedback to produce a composite quality score
- * that improves over time through self-correction.
- */
-class AgentProfiler {
-    feedbackEngine;
-    preMetrics = [];
-    runMetrics = [];
-    postMetrics = [];
-    sessionScores = new Map();
-    constructor(feedbackEngine) {
-        this.feedbackEngine = feedbackEngine;
-    }
-    /**
-     * Record a complete evaluation cycle for one tool call.
-     */
-    recordCycle(sessionId, pre, run, post) {
-        // Ensure timestamp is set for trend filtering
-        if (!pre.timestamp)
-            pre.timestamp = Date.now();
-        if (!post.timestamp)
-            post.timestamp = Date.now();
-        this.preMetrics.push(pre);
-        this.runMetrics.push(run);
-        this.postMetrics.push(post);
-        // Track per-session scores
-        const sessionScores = this.sessionScores.get(sessionId) ?? [];
-        sessionScores.push(post.outcomeScore);
-        this.sessionScores.set(sessionId, sessionScores);
-    }
-    /** Clean up session scores to prevent memory leak */
-    clearSession(sessionId) {
-        this.sessionScores.delete(sessionId);
-    }
-    /**
-     * Build the current agent profile.
-     */
-    getProfile(sessionId) {
-        const totalOps = this.preMetrics.length;
-        // Pre-exec scores
-        const preExecScore = this.average(this.preMetrics.map((m) => ((m.paramQuality.score + m.contextUtilization.score) / 2) * 100));
-        // Runtime scores
-        const runtimeScore = this.average(this.runMetrics.map((m) => m.adaptiveScore * 100));
-        // Post-exec scores
-        const postExecScore = this.average(this.postMetrics.map((m) => m.outcomeScore * 100));
-        // User satisfaction
-        const satisfaction = this.feedbackEngine.getSatisfactionScore(sessionId);
-        const satisfactionScore = ((satisfaction + 1) / 2) * 100; // Map -1..1 to 0..100
-        // Overall: weighted
-        const overallScore = Math.round(preExecScore * 0.2 +
-            runtimeScore * 0.25 +
-            postExecScore * 0.3 +
-            satisfactionScore * 0.25);
-        // Recent trend
-        const recentCutoff = Date.now() - 24 * 60 * 60 * 1000;
-        const recentPre = this.preMetrics.filter((m) => m.timestamp >= recentCutoff);
-        const recentRun = this.runMetrics.slice(-recentPre.length);
-        const recentPost = this.postMetrics.slice(-recentPre.length);
-        const recentScore = recentPre.length > 0
-            ? Math.round(this.average(recentPre.map((m) => (m.paramQuality.score + m.contextUtilization.score) / 2)) * 100 * 0.2 +
-                this.average(recentRun.map((m) => m.adaptiveScore)) * 100 * 0.25 +
-                this.average(recentPost.map((m) => m.outcomeScore)) * 100 * 0.3 +
-                satisfactionScore * 0.25)
-            : overallScore;
-        // Warnings and strengths
-        const warnings = [];
-        const strengths = [];
-        if (runtimeScore < 0.5) {
-            warnings.push('High retry rate — consider more planning before execution');
-        }
-        if (postExecScore < 0.5) {
-            warnings.push('Low verify pass rate — verify results before claiming success');
-        }
-        if (satisfaction < -0.3) {
-            warnings.push('User satisfaction declining — review recent sessions');
-        }
-        if (runtimeScore > 0.9) {
-            strengths.push('Excellent execution reliability');
-        }
-        if (postExecScore > 0.9) {
-            strengths.push('Verify gate passing consistently');
-        }
-        if (satisfaction > 0.5) {
-            strengths.push('Strong positive user feedback');
-        }
-        return {
-            overallScore: Number.isNaN(overallScore) ? 50 : overallScore, // 0-100, default 50 if no data
-            totalOps,
-            breakdown: {
-                preExec: totalOps > 0 ? Math.round(preExecScore * 100) / 100 : null,
-                runtime: totalOps > 0 ? Math.round(runtimeScore * 100) / 100 : null,
-                postExec: totalOps > 0 ? Math.round(postExecScore * 100) / 100 : null,
-                userSatisfaction: Math.round(satisfactionScore * 100) / 100,
-            },
-            trends: {
-                improving: recentScore > overallScore,
-                recentOps: recentPre.length,
-                recentScore: Math.round(recentScore) / 100,
-            },
-            warnings,
-            strengths,
-        };
-    }
-    average(values) {
-        return values.length > 0
-            ? values.reduce((s, v) => s + v, 0) / values.length
-            : 0;
-    }
-}
-exports.AgentProfiler = AgentProfiler;
-//# sourceMappingURL=profiler.js.map

package/dist/evaluator/profiler.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"profiler.js","sourceRoot":"","sources":["../../src/evaluator/profiler.ts"],"names":[],"mappings":";;;AAkCA;;;;;;GAMG;AACH,MAAa,aAAa;IAChB,cAAc,CAAyB;IAEvC,UAAU,GAAqB,EAAE,CAAC;IAClC,UAAU,GAAqB,EAAE,CAAC;IAClC,WAAW,GAAsB,EAAE,CAAC;IACpC,aAAa,GAA0B,IAAI,GAAG,EAAE,CAAC;IAEzD,YAAY,cAAsC;QAChD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,SAAiB,EAAE,GAAmB,EAAE,GAAmB,EAAE,IAAqB;QAC5F,8CAA8C;QAC9C,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC/C,IAAI,CAAC,IAAI,CAAC,SAAS;YAAG,IAAY,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE5B,2BAA2B;QAC3B,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC9D,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACtC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IACnD,CAAC;IAED,qDAAqD;IACrD,YAAY,CAAC,SAAiB;QAC5B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,SAAkB;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAExC,kBAAkB;QAClB,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACxB,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,GAAG,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,CAChE,CACF,CAAC;QAEF,iBAAiB;QACjB,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,GAAG,GAAG,CAAC,CAClD,CAAC;QAEF,mBAAmB;QACnB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAChC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,GAAG,GAAG,CAAC,CAClD,CAAC;QAEF,oBAAoB;QACpB,MAAM,YAAY,GAAG,IAAI,CAAC,cAAc,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;QACzE,MAAM,iBAAiB,GAAG,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,sBAAsB;QAEhF,oBAAoB;QACpB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAC7B,YAAY,GAAG,GAAG;YAClB,YAAY,GAAG,IAAI;YACnB,aAAa,GAAG,GAAG;YACnB,iBAAiB,GAAG,IAAI,CACzB,CAAC;QAEF,eAAe;QACf,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACtD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,YAAY,CAAC,CAAC;QAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC3D,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAE7D,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC;YACtC,CAAC,CAAC,IAAI,CAAC,KAAK,CACV,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,GAAG,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG;gBACvG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,GAAG,GAAG,GAAG,IAAI;gBAChE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG;gBAC/D,iBAAiB,GAAG,IAAI,CACzB;YACD,CAAC,CAAC,YAAY,CAAC;QAEjB,yBAAyB;QACzB,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,IAAI,YAAY,GAAG,GAAG,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,aAAa,GAAG,GAAG,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,YAAY,GAAG,CAAC,GAAG,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,YAAY,GAAG,GAAG,EAAE,CAAC;YACvB,SAAS,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,aAAa,GAAG,GAAG,EAAE,CAAC;YACxB,SAAS,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,YAAY,GAAG,GAAG,EAAE,CAAC;YACvB,SAAS,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAClD,CAAC;QAED,OAAO;YACL,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,EAAE,+BAA+B;YAC7F,QAAQ;YACR,SAAS,EAAE;gBACT,OAAO,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;gBACnE,OAAO,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;gBACnE,QAAQ,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;gBACrE,gBAAgB,EAAE,IAAI,CAAC,KAAK,CAAC,iBAAiB,GAAG,GAAG,CAAC,GAAG,GAAG;aAC5D;YACD,MAAM,EAAE;gBACN,SAAS,EAAE,WAAW,GAAG,YAAY;gBACrC,SAAS,EAAE,SAAS,CAAC,MAAM;gBAC3B,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,GAAG;aAC3C;YACD,QAAQ;YACR,SAAS;SACV,CAAC;IACJ,CAAC;IAEO,OAAO,CAAC,MAAgB;QAC9B,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC;YACtB,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM;YACnD,CAAC,CAAC,CAAC,CAAC;IACR,CAAC;CACF;AApID,sCAoIC"}

package/dist/guard/audit-log.d.ts

@@ -1,47 +0,0 @@
-import { AuditEntry, VerifyStatus, Snapshot, VerifyCheck } from '../types';
-import { RiskGate } from './risk-gate';
-import { SchemaGate } from './schema-gate';
-export declare class AuditLog {
-    private logPath;
-    private schemaGate;
-    private riskGate;
-    private snapshotGate;
-    private entries;
-    private sessionIndex;
-    constructor(workspaceRoot: string, schemaGate: SchemaGate, riskGate: RiskGate);
-    record(options: {
-        sessionId: string;
-        agentId: string;
-        startedAt: number;
-        completedAt: number;
-        toolName: string;
-        toolParameters: Record<string, unknown>;
-        toolResult: unknown;
-        snapshot: Snapshot | null;
-        verifyStatus: VerifyStatus;
-        verifyChecks: VerifyCheck[];
-    }): AuditEntry;
-    query(filter?: {
-        sessionId?: string;
-        toolName?: string;
-        verifyStatus?: VerifyStatus;
-        minScore?: number;
-        maxScore?: number;
-        limit?: number;
-    }): AuditEntry[];
-    stats(): {
-        totalOperations: number;
-        byTool: Record<string, number>;
-        averageRiskScore: number;
-        verifyFailures: number;
-        sessionsTracked: number;
-        highRiskOps: number;
-    };
-    private sanitizeParams;
-    private truncateResult;
-    private append;
-    private loadFromDisk;
-    /** Get raw entries count (for debugging) */
-    get size(): number;
-}
-//# sourceMappingURL=audit-log.d.ts.map

package/dist/guard/audit-log.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../src/guard/audit-log.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE3E,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAS3C,qBAAa,QAAQ;IACnB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,YAAY,CAAe;IAEnC,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,YAAY,CAAwC;gBAG1D,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,UAAU,EACtB,QAAQ,EAAE,QAAQ;IASpB,MAAM,CAAC,OAAO,EAAE;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxC,UAAU,EAAE,OAAO,CAAC;QACpB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;QAC1B,YAAY,EAAE,YAAY,CAAC;QAC3B,YAAY,EAAE,WAAW,EAAE,CAAC;KAC7B,GAAG,UAAU;IA2Bd,KAAK,CAAC,MAAM,GAAE;QACZ,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KACX,GAAG,UAAU,EAAE;IA8BrB,KAAK,IAAI;QACP,eAAe,EAAE,MAAM,CAAC;QACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB;IA6BD,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,cAAc;IAYtB,OAAO,CAAC,MAAM;IAgBd,OAAO,CAAC,YAAY;IAiBpB,4CAA4C;IAC5C,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/guard/audit-log.js

@@ -1,199 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuditLog = void 0;
-const snapshot_verify_1 = require("./snapshot-verify");
-const crypto = __importStar(require("crypto"));
-const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
-function generateAuditId() {
-    return `audit_${Date.now()}_${crypto.randomBytes(4).toString('hex')}`;
-}
-class AuditLog {
-    logPath;
-    schemaGate;
-    riskGate;
-    snapshotGate;
-    // In-memory entries + session index for fast lookups
-    entries = [];
-    sessionIndex = new Map();
-    constructor(workspaceRoot, schemaGate, riskGate) {
-        this.logPath = path.join(workspaceRoot, '.agentos', 'audit.jsonl');
-        this.schemaGate = schemaGate;
-        this.riskGate = riskGate;
-        this.snapshotGate = new snapshot_verify_1.SnapshotGate(workspaceRoot);
-        this.loadFromDisk();
-    }
-    record(options) {
-        const entry = {
-            id: generateAuditId(),
-            sessionId: options.sessionId,
-            agentId: options.agentId,
-            startedAt: options.startedAt,
-            completedAt: options.completedAt,
-            durationMs: options.completedAt - options.startedAt,
-            toolName: options.toolName,
-            toolParameters: this.sanitizeParams(options.toolParameters),
-            toolResult: this.truncateResult(options.toolResult),
-            schemaGate: this.schemaGate.check(options.toolName, options.toolParameters),
-            riskGate: this.riskGate.evaluate(options.toolName, options.toolParameters),
-            snapshot: options.snapshot,
-            verifyGate: {
-                status: options.verifyStatus,
-                checks: options.verifyChecks,
-            },
-            diff: options.snapshot
-                ? this.snapshotGate.computeDiff(options.snapshot)
-                : null,
-        };
-        this.append(entry);
-        return entry;
-    }
-    query(filter = {}) {
-        // Use session index for session-only queries (O(1) lookup)
-        let results;
-        if (filter.sessionId && !filter.toolName && !filter.verifyStatus &&
-            filter.minScore === undefined && filter.maxScore === undefined) {
-            results = this.sessionIndex.get(filter.sessionId) ?? [];
-        }
-        else {
-            // Fall back to full scan with filters
-            results = this.entries;
-            if (filter.sessionId) {
-                results = results.filter((e) => e.sessionId === filter.sessionId);
-            }
-            if (filter.toolName) {
-                results = results.filter((e) => e.toolName === filter.toolName);
-            }
-            if (filter.verifyStatus) {
-                results = results.filter((e) => e.verifyGate.status === filter.verifyStatus);
-            }
-            if (filter.minScore !== undefined) {
-                results = results.filter((e) => e.riskGate.score >= filter.minScore);
-            }
-            if (filter.maxScore !== undefined) {
-                results = results.filter((e) => e.riskGate.score <= filter.maxScore);
-            }
-        }
-        const limit = filter.limit ?? 100;
-        return results.slice(-limit);
-    }
-    stats() {
-        const entries = this.entries;
-        const byTool = {};
-        let totalScore = 0;
-        let verifyFailures = 0;
-        let highRiskOps = 0;
-        const sessions = new Set();
-        for (const entry of entries) {
-            byTool[entry.toolName] = (byTool[entry.toolName] || 0) + 1;
-            totalScore += entry.riskGate.score;
-            if (entry.verifyGate.status === 'FAIL')
-                verifyFailures++;
-            if (entry.riskGate.score > 3.0)
-                highRiskOps++;
-            sessions.add(entry.sessionId);
-        }
-        return {
-            totalOperations: entries.length,
-            byTool,
-            averageRiskScore: entries.length > 0
-                ? Math.round((totalScore / entries.length) * 100) / 100
-                : 0,
-            verifyFailures,
-            sessionsTracked: sessions.size,
-            highRiskOps,
-        };
-    }
-    sanitizeParams(params) {
-        const sensitive = ['token', 'password', 'secret', 'key', 'api_key', 'auth'];
-        const sanitized = {};
-        for (const [key, value] of Object.entries(params)) {
-            if (sensitive.some((s) => key.toLowerCase().includes(s))) {
-                sanitized[key] = '***REDACTED***';
-            }
-            else {
-                sanitized[key] = value;
-            }
-        }
-        return sanitized;
-    }
-    truncateResult(result, maxChars = 5000) {
-        const str = typeof result === 'string'
-            ? result
-            : JSON.stringify(result);
-        if (str.length > maxChars) {
-            return str.slice(0, maxChars) + `... [truncated ${str.length - maxChars} chars]`;
-        }
-        return result;
-    }
-    append(entry) {
-        // Update in-memory index
-        this.entries.push(entry);
-        const sessionEntries = this.sessionIndex.get(entry.sessionId) ?? [];
-        sessionEntries.push(entry);
-        this.sessionIndex.set(entry.sessionId, sessionEntries);
-        const dir = path.dirname(this.logPath);
-        if (!fs.existsSync(dir)) {
-            fs.mkdirSync(dir, { recursive: true });
-        }
-        const line = JSON.stringify(entry) + '\n';
-        fs.appendFileSync(this.logPath, line, 'utf-8');
-    }
-    loadFromDisk() {
-        try {
-            if (!fs.existsSync(this.logPath))
-                return;
-            const content = fs.readFileSync(this.logPath, 'utf-8');
-            const lines = content.split('\n').filter((l) => l.trim());
-            const entries = lines.map((l) => JSON.parse(l));
-            for (const e of entries) {
-                this.entries.push(e);
-                const se = this.sessionIndex.get(e.sessionId) ?? [];
-                se.push(e);
-                this.sessionIndex.set(e.sessionId, se);
-            }
-        }
-        catch {
-            // Keep empty state
-        }
-    }
-    /** Get raw entries count (for debugging) */
-    get size() {
-        return this.entries.length;
-    }
-}
-exports.AuditLog = AuditLog;
-//# sourceMappingURL=audit-log.js.map

package/dist/guard/audit-log.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../src/guard/audit-log.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,uDAAiD;AAGjD,+CAAiC;AACjC,uCAAyB;AACzB,2CAA6B;AAE7B,SAAS,eAAe;IACtB,OAAO,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACxE,CAAC;AAED,MAAa,QAAQ;IACX,OAAO,CAAS;IAChB,UAAU,CAAa;IACvB,QAAQ,CAAW;IACnB,YAAY,CAAe;IACnC,qDAAqD;IAC7C,OAAO,GAAiB,EAAE,CAAC;IAC3B,YAAY,GAA8B,IAAI,GAAG,EAAE,CAAC;IAE5D,YACE,aAAqB,EACrB,UAAsB,EACtB,QAAkB;QAElB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QACnE,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,IAAI,8BAAY,CAAC,aAAa,CAAC,CAAC;QACpD,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,OAWN;QACC,MAAM,KAAK,GAAe;YACxB,EAAE,EAAE,eAAe,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,UAAU,EAAE,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,SAAS;YACnD,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,cAAc,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC;YAC3D,UAAU,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC;YACnD,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC;YAC3E,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC;YAC1E,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE;gBACV,MAAM,EAAE,OAAO,CAAC,YAAY;gBAC5B,MAAM,EAAE,OAAO,CAAC,YAAY;aAC7B;YACD,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACpB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACjD,CAAC,CAAC,IAAI;SACT,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,SAOF,EAAE;QACJ,2DAA2D;QAC3D,IAAI,OAAqB,CAAC;QAC1B,IAAI,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,YAAY;YAC5D,MAAM,CAAC,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACnE,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC1D,CAAC;aAAM,CAAC;YACN,sCAAsC;YACtC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;YACvB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAS,CAAC,CAAC;YACnE,CAAC;YACD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACxB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,YAAY,CAAC,CAAC;YAC/E,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAClC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,IAAI,MAAM,CAAC,QAAS,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAClC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,IAAI,MAAM,CAAC,QAAS,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC;QAClC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK;QAQH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE7B,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3D,UAAU,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,KAAK,MAAM;gBAAE,cAAc,EAAE,CAAC;YACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,GAAG,GAAG;gBAAE,WAAW,EAAE,CAAC;YAC9C,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,OAAO;YACL,eAAe,EAAE,OAAO,CAAC,MAAM;YAC/B,MAAM;YACN,gBAAgB,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;gBAClC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG;gBACvD,CAAC,CAAC,CAAC;YACL,cAAc;YACd,eAAe,EAAE,QAAQ,CAAC,IAAI;YAC9B,WAAW;SACZ,CAAC;IACJ,CAAC;IAEO,cAAc,CAAC,MAA+B;QACpD,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5E,MAAM,SAAS,GAA4B,EAAE,CAAC;QAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzD,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,cAAc,CAAC,MAAe,EAAE,QAAQ,GAAG,IAAI;QACrD,MAAM,GAAG,GAAG,OAAO,MAAM,KAAK,QAAQ;YACpC,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAE3B,IAAI,GAAG,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;YAC1B,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,kBAAkB,GAAG,CAAC,MAAM,GAAG,QAAQ,SAAS,CAAC;QACnF,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,MAAM,CAAC,KAAiB;QAC9B,yBAAyB;QACzB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACpE,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAEvD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAEO,YAAY;QAClB,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO;YACzC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1D,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAiB,CAAC;YAChE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrB,MAAM,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpD,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACX,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,CAAC;CACF;AApMD,4BAoMC"}

package/dist/guard/container-sandbox.d.ts

@@ -1,25 +0,0 @@
-import type { SandboxResult } from './sandbox';
-export interface ContainerConfig {
-    image?: string;
-    workspaceVolume?: 'ro' | 'rw';
-    network?: 'none' | 'host' | 'bridge';
-    memoryLimit?: string;
-    cpuLimit?: number;
-    timeoutSec?: number;
-    autoRemove?: boolean;
-    env?: Record<string, string>;
-}
-export declare function executeInContainer(command: string, cwd: string, config?: Partial<ContainerConfig>): SandboxResult;
-export declare class ContainerSandbox {
-    private cfg;
-    constructor(opts?: Partial<ContainerConfig> & {
-        workspaceRoot?: string;
-    });
-    validate(_toolName: string, params: Record<string, unknown>): {
-        success: boolean;
-        sandboxRejectReason?: string;
-    };
-    execute(_toolName: string, params: Record<string, unknown>): SandboxResult;
-    private isSensitive;
-}
-//# sourceMappingURL=container-sandbox.d.ts.map

package/dist/guard/container-sandbox.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"container-sandbox.d.ts","sourceRoot":"","sources":["../../src/guard/container-sandbox.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAY/C,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B;AAOD,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAChC,aAAa,CA6Cf;AAGD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,GAAG,CAAwD;gBAEvD,IAAI,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE;IAIxE,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;KAAE;IAchH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa;IAI1E,OAAO,CAAC,WAAW;CAIpB"}

package/dist/guard/container-sandbox.js

@@ -1,145 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ContainerSandbox = void 0;
-exports.executeInContainer = executeInContainer;
-/**
- * DockerContainerSandbox �?V2.0 container-level isolation.
- */
-const path = __importStar(require("path"));
-const child_process_1 = require("child_process");
-function dockerAvailable() {
-    try {
-        (0, child_process_1.execSync)('docker info', { stdio: 'ignore', timeout: 5000 });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function imageExists(image) {
-    try {
-        (0, child_process_1.execSync)(`docker image inspect ${image}`, { stdio: 'ignore' });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function pullImage(image) {
-    (0, child_process_1.execSync)(`docker pull ${image}`, { stdio: 'inherit', timeout: 60000 });
-}
-const DEFAULTS = {
-    image: 'node:24-alpine', workspaceVolume: 'ro', network: 'none',
-    memoryLimit: '512m', cpuLimit: 0.5, timeoutSec: 30, autoRemove: true, env: {},
-};
-function executeInContainer(command, cwd, config) {
-    const cfg = { ...DEFAULTS, ...config };
-    if (!dockerAvailable()) {
-        return { success: false, exitCode: 127, stdout: '', stderr: 'Docker not available', truncated: false, durationMs: 0 };
-    }
-    const image = cfg.image;
-    if (!imageExists(image)) {
-        try {
-            pullImage(image);
-        }
-        catch (e) {
-            return { success: false, exitCode: 127, stdout: '',
-                stderr: `Failed to pull image "${image}"`, truncated: false, durationMs: 0 };
-        }
-    }
-    const containerName = `sentinel-sb-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
-    const workspaceAbs = path.resolve(cwd);
-    const args = [
-        'run', '--rm', '--name', containerName,
-        '--memory', cfg.memoryLimit, '--cpus', String(cfg.cpuLimit),
-        ...(cfg.network === 'none' ? ['--network', 'none'] : cfg.network === 'host' ? ['--network', 'host'] : []),
-        '-v', `${workspaceAbs}:/workspace:${cfg.workspaceVolume}`,
-        '-w', '/workspace',
-        image, 'sh', '-c', command,
-    ];
-    const startTime = Date.now();
-    try {
-        const r = (0, child_process_1.spawnSync)('docker', args, {
-            encoding: 'utf-8', timeout: cfg.timeoutSec * 1000,
-            maxBuffer: 10 * 1024 * 1024, stdio: ['ignore', 'pipe', 'pipe'],
-        });
-        const durationMs = Date.now() - startTime;
-        if (r.status === null) {
-            return { success: false, exitCode: -1, stdout: '', stderr: r.stderr || 'timeout', truncated: false, durationMs };
-        }
-        return {
-            success: r.status === 0, exitCode: r.status ?? 1,
-            stdout: r.stdout || '', stderr: r.stderr || '', truncated: false, durationMs,
-        };
-    }
-    catch (e) {
-        try {
-            (0, child_process_1.execSync)(`docker rm -f ${containerName}`, { stdio: 'ignore' });
-        }
-        catch { }
-        return { success: false, exitCode: -1, stdout: '',
-            stderr: e instanceof Error ? e.message : String(e), truncated: false, durationMs: Date.now() - startTime };
-    }
-}
-// ContainerSandbox class
-class ContainerSandbox {
-    cfg;
-    constructor(opts) {
-        this.cfg = { ...DEFAULTS, workspaceRoot: opts?.workspaceRoot || process.cwd(), ...opts };
-    }
-    validate(_toolName, params) {
-        if (['write', 'write_file', 'delete', 'edit', 'rm'].includes(_toolName)) {
-            const p = String(params.path || params.file || '');
-            const absPath = path.resolve(this.cfg.workspaceRoot, p);
-            if (!absPath.startsWith(path.resolve(this.cfg.workspaceRoot))) {
-                return { success: false, sandboxRejectReason: `Path outside workspace: ${p}` };
-            }
-            if (['write', 'edit'].includes(_toolName) && this.isSensitive(p)) {
-                return { success: false, sandboxRejectReason: `Sensitive file in container: ${p}` };
-            }
-        }
-        return { success: true };
-    }
-    execute(_toolName, params) {
-        return executeInContainer(String(params.command || ''), this.cfg.workspaceRoot, this.cfg);
-    }
-    isSensitive(fp) {
-        const p = fp.replace(/\\/g, '/');
-        return ['.env', 'package.json'].some(s => p === s || p.endsWith('/' + s));
-    }
-}
-exports.ContainerSandbox = ContainerSandbox;
-//# sourceMappingURL=container-sandbox.js.map

package/dist/guard/container-sandbox.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"container-sandbox.js","sourceRoot":"","sources":["../../src/guard/container-sandbox.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCA,gDAiDC;AAlFD;;GAEG;AACH,2CAA6B;AAC7B,iDAAoD;AAGpD,SAAS,eAAe;IACtB,IAAI,CAAC;QAAC,IAAA,wBAAQ,EAAC,aAAa,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AAC3G,CAAC;AACD,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,CAAC;QAAC,IAAA,wBAAQ,EAAC,wBAAwB,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AAC9G,CAAC;AACD,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAA,wBAAQ,EAAC,eAAe,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;AACzE,CAAC;AAaD,MAAM,QAAQ,GAA8B;IAC1C,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM;IAC/D,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;CAC9E,CAAC;AAEF,SAAgB,kBAAkB,CAChC,OAAe,EACf,GAAW,EACX,MAAiC;IAEjC,MAAM,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvC,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,sBAAsB,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IACxH,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC;YAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE;gBAChD,MAAM,EAAE,yBAAyB,KAAK,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;QACjF,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,eAAe,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAC,CAAC,CAAC,EAAE,CAAC;IAC3F,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG;QACX,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa;QACtC,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACzG,IAAI,EAAE,GAAG,YAAY,eAAe,GAAG,CAAC,eAAe,EAAE;QACzD,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO;KAC3B,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAA,yBAAS,EAAC,QAAQ,EAAE,IAAI,EAAE;YAClC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,UAAU,GAAG,IAAI;YACjD,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAC1C,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QACnH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC;YAChD,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU;SAC7E,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC;YAAC,IAAA,wBAAQ,EAAC,gBAAgB,aAAa,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QAChF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;YAC/C,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;IAC/G,CAAC;AACH,CAAC;AAED,yBAAyB;AACzB,MAAa,gBAAgB;IACnB,GAAG,CAAwD;IAEnE,YAAY,IAA4D;QACtE,IAAI,CAAC,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,CAAC;IAC3F,CAAC;IAED,QAAQ,CAAC,SAAiB,EAAE,MAA+B;QACzD,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACxE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;YACxD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;gBAC9D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,2BAA2B,CAAC,EAAE,EAAE,CAAC;YACjF,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,gCAAgC,CAAC,EAAE,EAAE,CAAC;YACtF,CAAC;QACH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,OAAO,CAAC,SAAiB,EAAE,MAA+B;QACxD,OAAO,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5F,CAAC;IAEO,WAAW,CAAC,EAAU;QAC5B,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACjC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IAC5E,CAAC;CACF;AA7BD,4CA6BC"}