sentinel-agentos 0.3.7 → 0.3.9

package/dist/guard/audit-log.d.ts

@@ -1,47 +0,0 @@
-import { AuditEntry, VerifyStatus, Snapshot, VerifyCheck } from '../types';
-import { RiskGate } from './risk-gate';
-import { SchemaGate } from './schema-gate';
-export declare class AuditLog {
-    private logPath;
-    private schemaGate;
-    private riskGate;
-    private snapshotGate;
-    private entries;
-    private sessionIndex;
-    constructor(workspaceRoot: string, schemaGate: SchemaGate, riskGate: RiskGate);
-    record(options: {
-        sessionId: string;
-        agentId: string;
-        startedAt: number;
-        completedAt: number;
-        toolName: string;
-        toolParameters: Record<string, unknown>;
-        toolResult: unknown;
-        snapshot: Snapshot | null;
-        verifyStatus: VerifyStatus;
-        verifyChecks: VerifyCheck[];
-    }): AuditEntry;
-    query(filter?: {
-        sessionId?: string;
-        toolName?: string;
-        verifyStatus?: VerifyStatus;
-        minScore?: number;
-        maxScore?: number;
-        limit?: number;
-    }): AuditEntry[];
-    stats(): {
-        totalOperations: number;
-        byTool: Record<string, number>;
-        averageRiskScore: number;
-        verifyFailures: number;
-        sessionsTracked: number;
-        highRiskOps: number;
-    };
-    private sanitizeParams;
-    private truncateResult;
-    private append;
-    private loadFromDisk;
-    /** Get raw entries count (for debugging) */
-    get size(): number;
-}
-//# sourceMappingURL=audit-log.d.ts.map

package/dist/guard/audit-log.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../src/guard/audit-log.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE3E,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAS3C,qBAAa,QAAQ;IACnB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,YAAY,CAAe;IAEnC,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,YAAY,CAAwC;gBAG1D,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,UAAU,EACtB,QAAQ,EAAE,QAAQ;IASpB,MAAM,CAAC,OAAO,EAAE;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxC,UAAU,EAAE,OAAO,CAAC;QACpB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;QAC1B,YAAY,EAAE,YAAY,CAAC;QAC3B,YAAY,EAAE,WAAW,EAAE,CAAC;KAC7B,GAAG,UAAU;IA2Bd,KAAK,CAAC,MAAM,GAAE;QACZ,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KACX,GAAG,UAAU,EAAE;IA8BrB,KAAK,IAAI;QACP,eAAe,EAAE,MAAM,CAAC;QACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB;IA6BD,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,cAAc;IAYtB,OAAO,CAAC,MAAM;IAgBd,OAAO,CAAC,YAAY;IAiBpB,4CAA4C;IAC5C,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/guard/audit-log.js

@@ -1,199 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuditLog = void 0;
-const snapshot_verify_1 = require("./snapshot-verify");
-const crypto = __importStar(require("crypto"));
-const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
-function generateAuditId() {
-    return `audit_${Date.now()}_${crypto.randomBytes(4).toString('hex')}`;
-}
-class AuditLog {
-    logPath;
-    schemaGate;
-    riskGate;
-    snapshotGate;
-    // In-memory entries + session index for fast lookups
-    entries = [];
-    sessionIndex = new Map();
-    constructor(workspaceRoot, schemaGate, riskGate) {
-        this.logPath = path.join(workspaceRoot, '.agentos', 'audit.jsonl');
-        this.schemaGate = schemaGate;
-        this.riskGate = riskGate;
-        this.snapshotGate = new snapshot_verify_1.SnapshotGate(workspaceRoot);
-        this.loadFromDisk();
-    }
-    record(options) {
-        const entry = {
-            id: generateAuditId(),
-            sessionId: options.sessionId,
-            agentId: options.agentId,
-            startedAt: options.startedAt,
-            completedAt: options.completedAt,
-            durationMs: options.completedAt - options.startedAt,
-            toolName: options.toolName,
-            toolParameters: this.sanitizeParams(options.toolParameters),
-            toolResult: this.truncateResult(options.toolResult),
-            schemaGate: this.schemaGate.check(options.toolName, options.toolParameters),
-            riskGate: this.riskGate.evaluate(options.toolName, options.toolParameters),
-            snapshot: options.snapshot,
-            verifyGate: {
-                status: options.verifyStatus,
-                checks: options.verifyChecks,
-            },
-            diff: options.snapshot
-                ? this.snapshotGate.computeDiff(options.snapshot)
-                : null,
-        };
-        this.append(entry);
-        return entry;
-    }
-    query(filter = {}) {
-        // Use session index for session-only queries (O(1) lookup)
-        let results;
-        if (filter.sessionId && !filter.toolName && !filter.verifyStatus &&
-            filter.minScore === undefined && filter.maxScore === undefined) {
-            results = this.sessionIndex.get(filter.sessionId) ?? [];
-        }
-        else {
-            // Fall back to full scan with filters
-            results = this.entries;
-            if (filter.sessionId) {
-                results = results.filter((e) => e.sessionId === filter.sessionId);
-            }
-            if (filter.toolName) {
-                results = results.filter((e) => e.toolName === filter.toolName);
-            }
-            if (filter.verifyStatus) {
-                results = results.filter((e) => e.verifyGate.status === filter.verifyStatus);
-            }
-            if (filter.minScore !== undefined) {
-                results = results.filter((e) => e.riskGate.score >= filter.minScore);
-            }
-            if (filter.maxScore !== undefined) {
-                results = results.filter((e) => e.riskGate.score <= filter.maxScore);
-            }
-        }
-        const limit = filter.limit ?? 100;
-        return results.slice(-limit);
-    }
-    stats() {
-        const entries = this.entries;
-        const byTool = {};
-        let totalScore = 0;
-        let verifyFailures = 0;
-        let highRiskOps = 0;
-        const sessions = new Set();
-        for (const entry of entries) {
-            byTool[entry.toolName] = (byTool[entry.toolName] || 0) + 1;
-            totalScore += entry.riskGate?.score ?? 0;
-            if (entry.verifyGate?.status === 'FAIL')
-                verifyFailures++;
-            if ((entry.riskGate?.score ?? 0) > 3.0)
-                highRiskOps++;
-            sessions.add(entry.sessionId);
-        }
-        return {
-            totalOperations: entries.length,
-            byTool,
-            averageRiskScore: entries.length > 0
-                ? Math.round((totalScore / entries.length) * 100) / 100
-                : 0,
-            verifyFailures,
-            sessionsTracked: sessions.size,
-            highRiskOps,
-        };
-    }
-    sanitizeParams(params) {
-        const sensitive = ['token', 'password', 'secret', 'key', 'api_key', 'auth'];
-        const sanitized = {};
-        for (const [key, value] of Object.entries(params)) {
-            if (sensitive.some((s) => key.toLowerCase().includes(s))) {
-                sanitized[key] = '***REDACTED***';
-            }
-            else {
-                sanitized[key] = value;
-            }
-        }
-        return sanitized;
-    }
-    truncateResult(result, maxChars = 5000) {
-        const str = typeof result === 'string'
-            ? result
-            : JSON.stringify(result);
-        if (str.length > maxChars) {
-            return str.slice(0, maxChars) + `... [truncated ${str.length - maxChars} chars]`;
-        }
-        return result;
-    }
-    append(entry) {
-        // Update in-memory index
-        this.entries.push(entry);
-        const sessionEntries = this.sessionIndex.get(entry.sessionId) ?? [];
-        sessionEntries.push(entry);
-        this.sessionIndex.set(entry.sessionId, sessionEntries);
-        const dir = path.dirname(this.logPath);
-        if (!fs.existsSync(dir)) {
-            fs.mkdirSync(dir, { recursive: true });
-        }
-        const line = JSON.stringify(entry) + '\n';
-        fs.appendFileSync(this.logPath, line, 'utf-8');
-    }
-    loadFromDisk() {
-        try {
-            if (!fs.existsSync(this.logPath))
-                return;
-            const content = fs.readFileSync(this.logPath, 'utf-8');
-            const lines = content.split('\n').filter((l) => l.trim());
-            const entries = lines.map((l) => JSON.parse(l));
-            for (const e of entries) {
-                this.entries.push(e);
-                const se = this.sessionIndex.get(e.sessionId) ?? [];
-                se.push(e);
-                this.sessionIndex.set(e.sessionId, se);
-            }
-        }
-        catch {
-            // Keep empty state
-        }
-    }
-    /** Get raw entries count (for debugging) */
-    get size() {
-        return this.entries.length;
-    }
-}
-exports.AuditLog = AuditLog;
-//# sourceMappingURL=audit-log.js.map

package/dist/guard/audit-log.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../src/guard/audit-log.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,uDAAiD;AAGjD,+CAAiC;AACjC,uCAAyB;AACzB,2CAA6B;AAE7B,SAAS,eAAe;IACtB,OAAO,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACxE,CAAC;AAED,MAAa,QAAQ;IACX,OAAO,CAAS;IAChB,UAAU,CAAa;IACvB,QAAQ,CAAW;IACnB,YAAY,CAAe;IACnC,qDAAqD;IAC7C,OAAO,GAAiB,EAAE,CAAC;IAC3B,YAAY,GAA8B,IAAI,GAAG,EAAE,CAAC;IAE5D,YACE,aAAqB,EACrB,UAAsB,EACtB,QAAkB;QAElB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QACnE,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,IAAI,8BAAY,CAAC,aAAa,CAAC,CAAC;QACpD,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,OAWN;QACC,MAAM,KAAK,GAAe;YACxB,EAAE,EAAE,eAAe,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,UAAU,EAAE,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,SAAS;YACnD,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,cAAc,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC;YAC3D,UAAU,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC;YACnD,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC;YAC3E,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC;YAC1E,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE;gBACV,MAAM,EAAE,OAAO,CAAC,YAAY;gBAC5B,MAAM,EAAE,OAAO,CAAC,YAAY;aAC7B;YACD,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACpB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACjD,CAAC,CAAC,IAAI;SACT,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,SAOF,EAAE;QACJ,2DAA2D;QAC3D,IAAI,OAAqB,CAAC;QAC1B,IAAI,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,YAAY;YAC5D,MAAM,CAAC,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACnE,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC1D,CAAC;aAAM,CAAC;YACN,sCAAsC;YACtC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;YACvB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAS,CAAC,CAAC;YACnE,CAAC;YACD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACxB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,YAAY,CAAC,CAAC;YAC/E,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAClC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,IAAI,MAAM,CAAC,QAAS,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAClC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,IAAI,MAAM,CAAC,QAAS,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC;QAClC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK;QAQH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE7B,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3D,UAAU,IAAI,KAAK,CAAC,QAAQ,EAAE,KAAK,IAAI,CAAC,CAAC;YACzC,IAAI,KAAK,CAAC,UAAU,EAAE,MAAM,KAAK,MAAM;gBAAE,cAAc,EAAE,CAAC;YAC1D,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,IAAI,CAAC,CAAC,GAAG,GAAG;gBAAE,WAAW,EAAE,CAAC;YACtD,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,OAAO;YACL,eAAe,EAAE,OAAO,CAAC,MAAM;YAC/B,MAAM;YACN,gBAAgB,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;gBAClC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG;gBACvD,CAAC,CAAC,CAAC;YACL,cAAc;YACd,eAAe,EAAE,QAAQ,CAAC,IAAI;YAC9B,WAAW;SACZ,CAAC;IACJ,CAAC;IAEO,cAAc,CAAC,MAA+B;QACpD,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5E,MAAM,SAAS,GAA4B,EAAE,CAAC;QAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzD,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,cAAc,CAAC,MAAe,EAAE,QAAQ,GAAG,IAAI;QACrD,MAAM,GAAG,GAAG,OAAO,MAAM,KAAK,QAAQ;YACpC,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAE3B,IAAI,GAAG,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;YAC1B,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,kBAAkB,GAAG,CAAC,MAAM,GAAG,QAAQ,SAAS,CAAC;QACnF,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,MAAM,CAAC,KAAiB;QAC9B,yBAAyB;QACzB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACpE,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAEvD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAEO,YAAY;QAClB,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO;YACzC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1D,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAiB,CAAC;YAChE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrB,MAAM,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpD,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACX,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,CAAC;CACF;AApMD,4BAoMC"}

package/dist/guard/container-sandbox.d.ts

@@ -1,25 +0,0 @@
-import type { SandboxResult } from './sandbox';
-export interface ContainerConfig {
-    image?: string;
-    workspaceVolume?: 'ro' | 'rw';
-    network?: 'none' | 'host' | 'bridge';
-    memoryLimit?: string;
-    cpuLimit?: number;
-    timeoutSec?: number;
-    autoRemove?: boolean;
-    env?: Record<string, string>;
-}
-export declare function executeInContainer(command: string, cwd: string, config?: Partial<ContainerConfig>): SandboxResult;
-export declare class ContainerSandbox {
-    private cfg;
-    constructor(opts?: Partial<ContainerConfig> & {
-        workspaceRoot?: string;
-    });
-    validate(_toolName: string, params: Record<string, unknown>): {
-        success: boolean;
-        sandboxRejectReason?: string;
-    };
-    execute(_toolName: string, params: Record<string, unknown>): SandboxResult;
-    private isSensitive;
-}
-//# sourceMappingURL=container-sandbox.d.ts.map

package/dist/guard/container-sandbox.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"container-sandbox.d.ts","sourceRoot":"","sources":["../../src/guard/container-sandbox.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAY/C,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B;AAOD,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAChC,aAAa,CA6Cf;AAGD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,GAAG,CAAwD;gBAEvD,IAAI,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE;IAIxE,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;KAAE;IAchH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa;IAI1E,OAAO,CAAC,WAAW;CAIpB"}

package/dist/guard/container-sandbox.js

@@ -1,145 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ContainerSandbox = void 0;
-exports.executeInContainer = executeInContainer;
-/**
- * DockerContainerSandbox �?V2.0 container-level isolation.
- */
-const path = __importStar(require("path"));
-const child_process_1 = require("child_process");
-function dockerAvailable() {
-    try {
-        (0, child_process_1.execSync)('docker info', { stdio: 'ignore', timeout: 5000 });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function imageExists(image) {
-    try {
-        (0, child_process_1.execSync)(`docker image inspect ${image}`, { stdio: 'ignore' });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function pullImage(image) {
-    (0, child_process_1.execSync)(`docker pull ${image}`, { stdio: 'inherit', timeout: 60000 });
-}
-const DEFAULTS = {
-    image: 'node:24-alpine', workspaceVolume: 'ro', network: 'none',
-    memoryLimit: '512m', cpuLimit: 0.5, timeoutSec: 30, autoRemove: true, env: {},
-};
-function executeInContainer(command, cwd, config) {
-    const cfg = { ...DEFAULTS, ...config };
-    if (!dockerAvailable()) {
-        return { success: false, exitCode: 127, stdout: '', stderr: 'Docker not available', truncated: false, durationMs: 0 };
-    }
-    const image = cfg.image;
-    if (!imageExists(image)) {
-        try {
-            pullImage(image);
-        }
-        catch (e) {
-            return { success: false, exitCode: 127, stdout: '',
-                stderr: `Failed to pull image "${image}"`, truncated: false, durationMs: 0 };
-        }
-    }
-    const containerName = `sentinel-sb-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
-    const workspaceAbs = path.resolve(cwd);
-    const args = [
-        'run', '--rm', '--name', containerName,
-        '--memory', cfg.memoryLimit, '--cpus', String(cfg.cpuLimit),
-        ...(cfg.network === 'none' ? ['--network', 'none'] : cfg.network === 'host' ? ['--network', 'host'] : []),
-        '-v', `${workspaceAbs}:/workspace:${cfg.workspaceVolume}`,
-        '-w', '/workspace',
-        image, 'sh', '-c', command,
-    ];
-    const startTime = Date.now();
-    try {
-        const r = (0, child_process_1.spawnSync)('docker', args, {
-            encoding: 'utf-8', timeout: cfg.timeoutSec * 1000,
-            maxBuffer: 10 * 1024 * 1024, stdio: ['ignore', 'pipe', 'pipe'],
-        });
-        const durationMs = Date.now() - startTime;
-        if (r.status === null) {
-            return { success: false, exitCode: -1, stdout: '', stderr: r.stderr || 'timeout', truncated: false, durationMs };
-        }
-        return {
-            success: r.status === 0, exitCode: r.status ?? 1,
-            stdout: r.stdout || '', stderr: r.stderr || '', truncated: false, durationMs,
-        };
-    }
-    catch (e) {
-        try {
-            (0, child_process_1.execSync)(`docker rm -f ${containerName}`, { stdio: 'ignore' });
-        }
-        catch { }
-        return { success: false, exitCode: -1, stdout: '',
-            stderr: e instanceof Error ? e.message : String(e), truncated: false, durationMs: Date.now() - startTime };
-    }
-}
-// ContainerSandbox class
-class ContainerSandbox {
-    cfg;
-    constructor(opts) {
-        this.cfg = { ...DEFAULTS, workspaceRoot: opts?.workspaceRoot || process.cwd(), ...opts };
-    }
-    validate(_toolName, params) {
-        if (['write', 'write_file', 'delete', 'edit', 'rm'].includes(_toolName)) {
-            const p = String(params.path || params.file || '');
-            const absPath = path.resolve(this.cfg.workspaceRoot, p);
-            if (!absPath.startsWith(path.resolve(this.cfg.workspaceRoot))) {
-                return { success: false, sandboxRejectReason: `Path outside workspace: ${p}` };
-            }
-            if (['write', 'edit'].includes(_toolName) && this.isSensitive(p)) {
-                return { success: false, sandboxRejectReason: `Sensitive file in container: ${p}` };
-            }
-        }
-        return { success: true };
-    }
-    execute(_toolName, params) {
-        return executeInContainer(String(params.command || ''), this.cfg.workspaceRoot, this.cfg);
-    }
-    isSensitive(fp) {
-        const p = fp.replace(/\\/g, '/');
-        return ['.env', 'package.json'].some(s => p === s || p.endsWith('/' + s));
-    }
-}
-exports.ContainerSandbox = ContainerSandbox;
-//# sourceMappingURL=container-sandbox.js.map

package/dist/guard/container-sandbox.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"container-sandbox.js","sourceRoot":"","sources":["../../src/guard/container-sandbox.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCA,gDAiDC;AAlFD;;GAEG;AACH,2CAA6B;AAC7B,iDAAoD;AAGpD,SAAS,eAAe;IACtB,IAAI,CAAC;QAAC,IAAA,wBAAQ,EAAC,aAAa,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AAC3G,CAAC;AACD,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,CAAC;QAAC,IAAA,wBAAQ,EAAC,wBAAwB,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AAC9G,CAAC;AACD,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAA,wBAAQ,EAAC,eAAe,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;AACzE,CAAC;AAaD,MAAM,QAAQ,GAA8B;IAC1C,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM;IAC/D,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;CAC9E,CAAC;AAEF,SAAgB,kBAAkB,CAChC,OAAe,EACf,GAAW,EACX,MAAiC;IAEjC,MAAM,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvC,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,sBAAsB,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IACxH,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC;YAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE;gBAChD,MAAM,EAAE,yBAAyB,KAAK,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;QACjF,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,eAAe,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAC,CAAC,CAAC,EAAE,CAAC;IAC3F,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG;QACX,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa;QACtC,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC3D,GAAG,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACzG,IAAI,EAAE,GAAG,YAAY,eAAe,GAAG,CAAC,eAAe,EAAE;QACzD,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO;KAC3B,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAA,yBAAS,EAAC,QAAQ,EAAE,IAAI,EAAE;YAClC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,UAAU,GAAG,IAAI;YACjD,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAC1C,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QACnH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC;YAChD,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU;SAC7E,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC;YAAC,IAAA,wBAAQ,EAAC,gBAAgB,aAAa,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QAChF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;YAC/C,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;IAC/G,CAAC;AACH,CAAC;AAED,yBAAyB;AACzB,MAAa,gBAAgB;IACnB,GAAG,CAAwD;IAEnE,YAAY,IAA4D;QACtE,IAAI,CAAC,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,CAAC;IAC3F,CAAC;IAED,QAAQ,CAAC,SAAiB,EAAE,MAA+B;QACzD,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACxE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;YACxD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;gBAC9D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,2BAA2B,CAAC,EAAE,EAAE,CAAC;YACjF,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,gCAAgC,CAAC,EAAE,EAAE,CAAC;YACtF,CAAC;QACH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,OAAO,CAAC,SAAiB,EAAE,MAA+B;QACxD,OAAO,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5F,CAAC;IAEO,WAAW,CAAC,EAAU;QAC5B,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACjC,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IAC5E,CAAC;CACF;AA7BD,4CA6BC"}

package/dist/guard/risk-gate.d.ts

@@ -1,101 +0,0 @@
-import { RiskScore } from '../types';
-/**
- * Impact level — how broadly the operation affects the system.
- */
-export type ImpactLevel = 'local' | 'workspace' | 'project' | 'system';
-/**
- * Sensitivity level — how sensitive the data involved is.
- */
-export type SensitivityLevel = 'none' | 'low' | 'medium' | 'high' | 'critical';
-/**
- * Tool-level risk profile — users define this per tool.
- */
-export interface ToolRiskProfile {
-    /** Tool name to match */
-    tool: string;
-    /** Impact level of this tool */
-    impact: ImpactLevel;
-    /** How reversible the operation is (0 = irreversible, 1 = fully reversible) */
-    reversibility: number;
-    /** Sensitivity of data this tool accesses */
-    sensitivity: SensitivityLevel;
-    /** Tool category for default error rate */
-    category?: 'read' | 'write' | 'delete' | 'network' | 'compute';
-    /** Optional override for initial error rate (skips category default) */
-    initialErrorRate?: number;
-}
-/**
- * Tool call statistics for dynamic error-rate tracking.
- */
-interface ToolStats {
-    totalCalls: number;
-    failures: number;
-    errorRate: number;
-    lastUpdated: number;
-}
-/**
- * Threshold configuration for risk-based actions.
- */
-export interface RiskThresholds {
-    /** Score ≤ autoApprove → execute immediately */
-    autoApprove: number;
-    /** Score ≤ notify → execute but notify user */
-    notify: number;
-    /** Score ≤ confirm → pause and ask for user confirmation */
-    confirm: number;
-    /** Score > deny → block entirely */
-    deny: number;
-}
-/**
- * Default thresholds — conservative but workable.
- */
-export declare const DEFAULT_RISK_THRESHOLDS: RiskThresholds;
-/**
- * Risk Gate — deterministic, pure-math risk scoring.
- *
- * Formula: RiskScore = Impact × (1 - Reversibility) × Sensitivity × (1 + ErrorRate)
- *
- * Zero LLM dependency. The formula, thresholds, and mappings are all
- * explicit and auditable.
- */
-export declare class RiskGate {
-    private profiles;
-    private stats;
-    private thresholds;
-    constructor(thresholds?: RiskThresholds);
-    /** Register a risk profile for a tool */
-    registerProfile(profile: ToolRiskProfile): void;
-    /** Register multiple profiles at once */
-    registerProfiles(profiles: ToolRiskProfile[]): void;
-    /** Get all registered profiles */
-    getProfiles(): ToolRiskProfile[];
-    /** Check if a tool has a registered profile */
-    hasProfile(tool: string): boolean;
-    /**
-     * Compute the risk score for a tool call.
-     *
-     * If no profile is registered, returns a default moderate-risk score
-     * (auto-approve with notification).
-     */
-    evaluate(tool: string, _params?: Record<string, unknown>): RiskScore;
-    /**
-     * Evaluate risk for an unregistered tool by scanning params for danger patterns.
-     */
-    private evaluateUntracked;
-    /** Record the outcome of a tool call to update stats */
-    recordOutcome(tool: string, success: boolean): void;
-    /** Get tool statistics */
-    getStats(tool: string): ToolStats | undefined;
-    /** Get all tool statistics */
-    getAllStats(): Map<string, ToolStats>;
-    /** Update thresholds at runtime */
-    setThresholds(thresholds: Partial<RiskThresholds>): void;
-    /** Get current thresholds */
-    getThresholds(): RiskThresholds;
-    /**
-     * Map a numeric risk score to the appropriate action.
-     */
-    private scoreToAction;
-}
-export {};
-//# sourceMappingURL=risk-gate.d.ts.map

package/dist/guard/risk-gate.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"risk-gate.d.ts","sourceRoot":"","sources":["../../src/guard/risk-gate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,SAAS,EAAE,MAAM,UAAU,CAAC;AAEjD;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC;AASvE;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAsC/E;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,MAAM,EAAE,WAAW,CAAC;IACpB,+EAA+E;IAC/E,aAAa,EAAE,MAAM,CAAC;IACtB,6CAA6C;IAC7C,WAAW,EAAE,gBAAgB,CAAC;IAC9B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;IAC/D,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,UAAU,SAAS;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,gDAAgD;IAChD,WAAW,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,OAAO,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAKrC,CAAC;AAEF;;;;;;;GAOG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAA2C;IAC3D,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,UAAU,CAAiB;gBAEvB,UAAU,GAAE,cAAwC;IAIhE,yCAAyC;IACzC,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,IAAI;IAgB/C,yCAAyC;IACzC,gBAAgB,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG,IAAI;IAInD,kCAAkC;IAClC,WAAW,IAAI,eAAe,EAAE;IAIhC,+CAA+C;IAC/C,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIjC;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS;IA+BpE;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,wDAAwD;IACxD,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;IAWnD,0BAA0B;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI7C,8BAA8B;IAC9B,WAAW,IAAI,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC;IAIrC,mCAAmC;IACnC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,IAAI;IAIxD,6BAA6B;IAC7B,aAAa,IAAI,cAAc;IAI/B;;OAEG;IACH,OAAO,CAAC,aAAa;CAMtB"}