sentinelayer-cli 0.4.5 → 0.6.2

package/src/agents/jules/tools/shell.js

@@ -1,383 +1,2 @@
-import { execSync } from "node:child_process";
-import path from "node:path";
-
-const DEFAULT_TIMEOUT_MS = 120_000;
-const MAX_OUTPUT_CHARS = 30_000;
-const DEFAULT_ALLOWED_FETCH_HOSTS = [
-  "github.com",
-  "api.github.com",
-  "raw.githubusercontent.com",
-  "*.githubusercontent.com",
-  "registry.npmjs.org",
-  "registry.yarnpkg.com",
-  "pypi.org",
-  "files.pythonhosted.org",
-  "rubygems.org",
-  "crates.io",
-  "static.crates.io",
-];
-
-/**
- * Patterns that are BLOCKED unconditionally.
- * Sourced from review/local-review.js security rules + src bash security patterns.
- */
-const BLOCKED_PATTERNS = [
-  { pattern: /rm\s+(-[rR]f?|--recursive)\s+\/($|\s)/, desc: "rm -rf /" },
-  { pattern: /:\(\)\s*\{[^}]*\}\s*;?\s*:/, desc: "fork bomb" },
-  { pattern: /\beval\s*\(/, desc: "eval injection" },
-  { pattern: /curl[^|]*\|\s*(ba)?sh/, desc: "pipe to shell" },
-  { pattern: /wget[^|]*\|\s*(ba)?sh/, desc: "wget pipe to shell" },
-  { pattern: />\s*\/dev\/sd[a-z]/, desc: "write to raw device" },
-  { pattern: /mkfs\./, desc: "filesystem format" },
-  { pattern: /dd\s+.*of=\/dev\//, desc: "dd to device" },
-  { pattern: /chmod\s+777\s+\//, desc: "chmod 777 root" },
-  { pattern: />\s*\/etc\//, desc: "write to /etc" },
-  { pattern: /rm\s+-rf?\s+~/, desc: "rm home directory" },
-  { pattern: /git\s+push\s+.*--force\s+.*main/, desc: "force push to main" },
-  { pattern: /git\s+reset\s+--hard/, desc: "git reset hard" },
-  { pattern: /DROP\s+TABLE|DROP\s+DATABASE/i, desc: "SQL drop" },
-  { pattern: /TRUNCATE\s+TABLE/i, desc: "SQL truncate" },
-];
-
-/**
- * Patterns that trigger a WARNING but are allowed.
- */
-const WARN_PATTERNS = [
-  { pattern: /npm\s+install|yarn\s+add|pnpm\s+add/, desc: "package install" },
-  { pattern: /git\s+push/, desc: "git push" },
-  { pattern: /curl\s|wget\s|fetch\(/, desc: "network request" },
-  { pattern: /rm\s+-/, desc: "file deletion" },
-  { pattern: /sudo\s/, desc: "elevated privileges" },
-];
-
-/**
- * Environment variables to strip from child process env.
- * Prevents credential leakage to spawned commands.
- */
-const EXACT_ENV_KEYS_TO_STRIP = new Set([
-  "ANTHROPIC_API_KEY",
-  "OPENAI_API_KEY",
-  "GOOGLE_API_KEY",
-  "GEMINI_API_KEY",
-  "SENTINELAYER_TOKEN",
-  "AIDENID_API_KEY",
-  "AIDENID_TOKEN",
-  "AWS_ACCESS_KEY_ID",
-  "AWS_SECRET_ACCESS_KEY",
-  "AWS_SESSION_TOKEN",
-  "AWS_WEB_IDENTITY_TOKEN_FILE",
-  "AZURE_CLIENT_SECRET",
-  "GOOGLE_APPLICATION_CREDENTIALS",
-  "GITHUB_TOKEN",
-  "GH_TOKEN",
-  "GITLAB_TOKEN",
-  "BITBUCKET_TOKEN",
-  "NPM_TOKEN",
-  "NODE_AUTH_TOKEN",
-  "PYPI_API_TOKEN",
-  "RUBYGEMS_API_KEY",
-  "CARGO_REGISTRY_TOKEN",
-  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
-  "ACTIONS_RUNTIME_TOKEN",
-  "CI_JOB_TOKEN",
-  "CI_JOB_JWT",
-  "STRIPE_SECRET_KEY",
-  "SLACK_BOT_TOKEN",
-  "TELEGRAM_BOT_TOKEN",
-  "DISCORD_BOT_TOKEN",
-  "TWILIO_AUTH_TOKEN",
-  "SENDGRID_API_KEY",
-  "RESEND_API_KEY",
-  "DATABASE_URL",
-  "REDIS_URL",
-  "MONGODB_URI",
-  "SSH_SIGNING_KEY",
-  "SSH_PRIVATE_KEY",
-  "KUBECONFIG",
-  "KUBE_CONFIG_DATA",
-]);
-
-const ENV_KEY_PREFIX_PATTERNS = [
-  /^AIDENID_/i,
-  /^SENTINELAYER_/i,
-  /^OPENAI_/i,
-  /^ANTHROPIC_/i,
-  /^GOOGLE_/i,
-  /^GITHUB_/i,
-  /^GH_/i,
-  /^AWS_/i,
-  /^AZURE_/i,
-  /^SLACK_/i,
-  /^STRIPE_/i,
-  /^TELEGRAM_/i,
-  /^DISCORD_/i,
-  /^TWILIO_/i,
-  /^SENDGRID_/i,
-  /^RESEND_/i,
-];
-
-const ENV_KEY_SUFFIX_PATTERNS = [
-  /_TOKEN$/i,
-  /_API_KEY$/i,
-  /_SECRET$/i,
-  /_SECRET_KEY$/i,
-  /_PASSWORD$/i,
-  /_PRIVATE_KEY$/i,
-  /_ACCESS_KEY$/i,
-  /_AUTH_TOKEN$/i,
-  /_SESSION_TOKEN$/i,
-];
-
-/**
- * Execute a shell command with security analysis, timeout, and env scrubbing.
- *
- * @param {object} input
- * @param {string} input.command - The shell command to execute.
- * @param {string} [input.cwd] - Working directory (default: process.cwd()).
- * @param {number} [input.timeout] - Timeout in ms (default: 120000).
- * @returns {{ stdout, stderr, exitCode, durationMs, command, security }}
- */
-export function shell(input) {
-  if (!input.command || typeof input.command !== "string") {
-    throw new ShellError("command is required and must be a non-empty string.");
-  }
-
-  const command = input.command.trim();
-  const cwd = input.cwd ? path.resolve(input.cwd) : process.cwd();
-  const timeout = input.timeout ?? DEFAULT_TIMEOUT_MS;
-
-  // Security analysis
-  const security = analyzeCommand(command);
-  if (security.risk === "blocked") {
-    throw new ShellBlockedError(
-      `Command blocked: ${security.patterns[0].desc}`,
-      security,
-    );
-  }
-
-  // Build scrubbed environment
-  const env = buildScrubbedEnv();
-
-  const startMs = Date.now();
-  let stdout = "";
-  let stderr = "";
-  let exitCode = 0;
-
-  try {
-    stdout = execSync(command, {
-      cwd,
-      encoding: "utf-8",
-      timeout,
-      env,
-      maxBuffer: 10 * 1024 * 1024,
-      stdio: ["pipe", "pipe", "pipe"],
-    });
-  } catch (err) {
-    exitCode = err.status ?? 1;
-    stdout = err.stdout ?? "";
-    stderr = err.stderr ?? "";
-    if (err.killed) {
-      stderr += `\n[Process killed: timeout after ${timeout}ms]`;
-    }
-  }
-
-  const durationMs = Date.now() - startMs;
-
-  // Truncate large outputs
-  if (stdout.length > MAX_OUTPUT_CHARS) {
-    stdout = stdout.slice(0, MAX_OUTPUT_CHARS) + "\n[... truncated]";
-  }
-  if (stderr.length > MAX_OUTPUT_CHARS) {
-    stderr = stderr.slice(0, MAX_OUTPUT_CHARS) + "\n[... truncated]";
-  }
-
-  return { stdout, stderr, exitCode, durationMs, command, security };
-}
-
-/**
- * Analyze a command for security risks.
- * @param {object} [options]
- * @param {Record<string, string|undefined>} [options.env]
- * @returns {{ risk: "safe"|"warn"|"blocked", patterns: Array<{desc}>, networkPolicy?: object }}
- */
-export function analyzeCommand(command, options = {}) {
-  const networkPolicy = evaluateNetworkPolicy(command, options.env);
-  if (networkPolicy.blocking) {
-    return {
-      risk: "blocked",
-      patterns: [{ desc: networkPolicy.reason }],
-      networkPolicy,
-    };
-  }
-
-  for (const rule of BLOCKED_PATTERNS) {
-    if (rule.pattern.test(command)) {
-      return { risk: "blocked", patterns: [rule], networkPolicy };
-    }
-  }
-
-  const warnings = [];
-  for (const rule of WARN_PATTERNS) {
-    if (rule.pattern.test(command)) {
-      warnings.push(rule);
-    }
-  }
-
-  if (warnings.length > 0) {
-    return { risk: "warn", patterns: warnings, networkPolicy };
-  }
-
-  return { risk: "safe", patterns: [], networkPolicy };
-}
-
-export function buildScrubbedEnv(sourceEnv = process.env) {
-  const env = { ...sourceEnv };
-  for (const key of Object.keys(env)) {
-    if (shouldStripEnvKey(key)) {
-      delete env[key];
-    }
-  }
-  return env;
-}
-
-function shouldStripEnvKey(key) {
-  if (!key) {
-    return false;
-  }
-
-  const upperKey = String(key).toUpperCase();
-  if (EXACT_ENV_KEYS_TO_STRIP.has(upperKey)) {
-    return true;
-  }
-
-  if (upperKey.startsWith("INPUT_")) {
-    const baseKey = upperKey.slice("INPUT_".length);
-    if (EXACT_ENV_KEYS_TO_STRIP.has(baseKey)) {
-      return true;
-    }
-    if (ENV_KEY_PREFIX_PATTERNS.some((pattern) => pattern.test(baseKey))) {
-      return true;
-    }
-    if (ENV_KEY_SUFFIX_PATTERNS.some((pattern) => pattern.test(baseKey))) {
-      return true;
-    }
-  }
-
-  if (ENV_KEY_PREFIX_PATTERNS.some((pattern) => pattern.test(upperKey))) {
-    return true;
-  }
-
-  return ENV_KEY_SUFFIX_PATTERNS.some((pattern) => pattern.test(upperKey));
-}
-
-function evaluateNetworkPolicy(command, sourceEnv = process.env) {
-  if (!/\b(curl|wget)\b/i.test(command)) {
-    return {
-      blocking: false,
-      hosts: [],
-      deniedHosts: [],
-    };
-  }
-
-  const hosts = extractNetworkHosts(command);
-  if (hosts.length === 0) {
-    return {
-      blocking: true,
-      hosts: [],
-      deniedHosts: [],
-      reason: "network command requires explicit URL host",
-    };
-  }
-
-  const allowlist = resolveAllowedFetchHosts(sourceEnv);
-  const deniedHosts = hosts.filter((host) => !isAllowedHost(host, allowlist));
-  if (deniedHosts.length > 0) {
-    return {
-      blocking: true,
-      hosts,
-      deniedHosts,
-      reason: `network host not allowlisted: ${deniedHosts.join(", ")}`,
-    };
-  }
-
-  return {
-    blocking: false,
-    hosts,
-    deniedHosts: [],
-  };
-}
-
-function resolveAllowedFetchHosts(sourceEnv = process.env) {
-  const configured = String(sourceEnv.SENTINELAYER_ALLOWED_FETCH_HOSTS || "")
-    .split(",")
-    .map((item) => normalizeHostPattern(item))
-    .filter(Boolean);
-
-  const allPatterns = [...DEFAULT_ALLOWED_FETCH_HOSTS, ...configured]
-    .map((item) => normalizeHostPattern(item))
-    .filter(Boolean);
-  return Array.from(new Set(allPatterns));
-}
-
-function extractNetworkHosts(command) {
-  const matches = command.matchAll(/\bhttps?:\/\/([^\s"'`]+)/gi);
-  const hosts = new Set();
-  for (const match of matches) {
-    const candidate = match?.[0];
-    if (!candidate) {
-      continue;
-    }
-    try {
-      const parsed = new URL(candidate);
-      const host = normalizeHostPattern(parsed.hostname);
-      if (host) {
-        hosts.add(host);
-      }
-    } catch {
-      // Skip malformed URL segments.
-    }
-  }
-  return Array.from(hosts);
-}
-
-function isAllowedHost(host, allowlist) {
-  const normalizedHost = normalizeHostPattern(host);
-  if (!normalizedHost) {
-    return false;
-  }
-
-  return allowlist.some((pattern) => {
-    if (!pattern) {
-      return false;
-    }
-
-    if (pattern.startsWith("*.")) {
-      const suffix = pattern.slice(2);
-      return normalizedHost === suffix || normalizedHost.endsWith(`.${suffix}`);
-    }
-
-    return normalizedHost === pattern;
-  });
-}
-
-function normalizeHostPattern(value) {
-  return String(value || "")
-    .trim()
-    .toLowerCase()
-    .replace(/\.$/, "");
-}
-
-export class ShellError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "ShellError";
-  }
-}
-
-export class ShellBlockedError extends ShellError {
-  constructor(message, security) {
-    super(message);
-    this.name = "ShellBlockedError";
-    this.security = security;
-  }
-}
+// Re-export from shared tools. Shell is not Jules-specific.
+export { shell, analyzeCommand, buildScrubbedEnv, ShellError, ShellBlockedError } from "../../shared-tools/shell.js";

package/src/agents/jules/tools/url-policy.js

@@ -1,100 +1,100 @@
-const PRIVATE_HOST_SUFFIXES = [".internal", ".local", ".localhost"];
-const BLOCKED_LITERAL_HOSTS = new Set([
-  "localhost",
-  "127.0.0.1",
-  "::1",
-  "0.0.0.0",
-  "169.254.169.254",
-  "metadata.google.internal",
-  "metadata.google.internal.",
-]);
-
-function isNumericIpv4(hostname) {
-  const parts = String(hostname || "").split(".");
-  if (parts.length !== 4) {
-    return false;
-  }
-  return parts.every((part) => /^[0-9]{1,3}$/.test(part) && Number(part) >= 0 && Number(part) <= 255);
-}
-
-function isPrivateIpv4(hostname) {
-  if (!isNumericIpv4(hostname)) {
-    return false;
-  }
-  const parts = hostname.split(".").map((part) => Number(part));
-  const [a, b] = parts;
-  if (a === 10 || a === 127 || a === 0) return true;
-  if (a === 169 && b === 254) return true;
-  if (a === 172 && b >= 16 && b <= 31) return true;
-  if (a === 192 && b === 168) return true;
-  if (a === 100 && b >= 64 && b <= 127) return true;
-  if (a === 198 && (b === 18 || b === 19)) return true;
-  return false;
-}
-
-function isPrivateIpv6(hostname) {
-  const normalized = String(hostname || "").toLowerCase().split("%")[0];
-  if (!normalized.includes(":")) {
-    return false;
-  }
-  if (normalized === "::1" || normalized === "::") {
-    return true;
-  }
-  if (normalized.startsWith("fc") || normalized.startsWith("fd")) {
-    return true;
-  }
-  if (normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb")) {
-    return true;
-  }
-  return false;
-}
-
-function isPrivateHostname(hostname) {
-  const normalized = String(hostname || "").toLowerCase();
-  if (!normalized) {
-    return true;
-  }
-  if (BLOCKED_LITERAL_HOSTS.has(normalized)) {
-    return true;
-  }
-  if (PRIVATE_HOST_SUFFIXES.some((suffix) => normalized.endsWith(suffix))) {
-    return true;
-  }
-  if (isPrivateIpv4(normalized) || isPrivateIpv6(normalized)) {
-    return true;
-  }
-  return false;
-}
-
-function isPrivateTargetBypassEnabled(allowPrivateTargets) {
-  if (allowPrivateTargets === true) {
-    return true;
-  }
-  if (process.env.SENTINELAYER_ALLOW_PRIVATE_AUDIT_TARGETS === "1") {
-    return true;
-  }
-  if (process.env.NODE_ENV === "test") {
-    return true;
-  }
-  return false;
-}
-
-export function assertPermittedAuditTarget(urlValue, options = {}) {
-  const { operation = "audit", allowPrivateTargets = false } = options;
-  let parsed;
-  try {
-    parsed = new URL(urlValue);
-  } catch {
-    throw new Error("Invalid URL: " + urlValue);
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw new Error("Invalid URL: " + parsed.toString());
-  }
-  if (!isPrivateTargetBypassEnabled(allowPrivateTargets) && isPrivateHostname(parsed.hostname)) {
-    throw new Error(
-      `Blocked private audit target for ${operation}: ${parsed.hostname}. ` +
-      "Set allowPrivateTargets=true or SENTINELAYER_ALLOW_PRIVATE_AUDIT_TARGETS=1 to override."
-    );
-  }
-  return parsed;
-}
+const PRIVATE_HOST_SUFFIXES = [".internal", ".local", ".localhost"];
+const BLOCKED_LITERAL_HOSTS = new Set([
+  "localhost",
+  "127.0.0.1",
+  "::1",
+  "0.0.0.0",
+  "169.254.169.254",
+  "metadata.google.internal",
+  "metadata.google.internal.",
+]);
+
+function isNumericIpv4(hostname) {
+  const parts = String(hostname || "").split(".");
+  if (parts.length !== 4) {
+    return false;
+  }
+  return parts.every((part) => /^[0-9]{1,3}$/.test(part) && Number(part) >= 0 && Number(part) <= 255);
+}
+
+function isPrivateIpv4(hostname) {
+  if (!isNumericIpv4(hostname)) {
+    return false;
+  }
+  const parts = hostname.split(".").map((part) => Number(part));
+  const [a, b] = parts;
+  if (a === 10 || a === 127 || a === 0) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 198 && (b === 18 || b === 19)) return true;
+  return false;
+}
+
+function isPrivateIpv6(hostname) {
+  const normalized = String(hostname || "").toLowerCase().split("%")[0];
+  if (!normalized.includes(":")) {
+    return false;
+  }
+  if (normalized === "::1" || normalized === "::") {
+    return true;
+  }
+  if (normalized.startsWith("fc") || normalized.startsWith("fd")) {
+    return true;
+  }
+  if (normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb")) {
+    return true;
+  }
+  return false;
+}
+
+function isPrivateHostname(hostname) {
+  const normalized = String(hostname || "").toLowerCase();
+  if (!normalized) {
+    return true;
+  }
+  if (BLOCKED_LITERAL_HOSTS.has(normalized)) {
+    return true;
+  }
+  if (PRIVATE_HOST_SUFFIXES.some((suffix) => normalized.endsWith(suffix))) {
+    return true;
+  }
+  if (isPrivateIpv4(normalized) || isPrivateIpv6(normalized)) {
+    return true;
+  }
+  return false;
+}
+
+function isPrivateTargetBypassEnabled(allowPrivateTargets) {
+  if (allowPrivateTargets === true) {
+    return true;
+  }
+  if (process.env.SENTINELAYER_ALLOW_PRIVATE_AUDIT_TARGETS === "1") {
+    return true;
+  }
+  if (process.env.NODE_ENV === "test") {
+    return true;
+  }
+  return false;
+}
+
+export function assertPermittedAuditTarget(urlValue, options = {}) {
+  const { operation = "audit", allowPrivateTargets = false } = options;
+  let parsed;
+  try {
+    parsed = new URL(urlValue);
+  } catch {
+    throw new Error("Invalid URL: " + urlValue);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("Invalid URL: " + parsed.toString());
+  }
+  if (!isPrivateTargetBypassEnabled(allowPrivateTargets) && isPrivateHostname(parsed.hostname)) {
+    throw new Error(
+      `Blocked private audit target for ${operation}: ${parsed.hostname}. ` +
+      "Set allowPrivateTargets=true or SENTINELAYER_ALLOW_PRIVATE_AUDIT_TARGETS=1 to override."
+    );
+  }
+  return parsed;
+}

package/src/agents/persona-visuals.js

@@ -0,0 +1,61 @@
+/**
+ * SentinelLayer Persona Visual Identity Registry
+ *
+ * All 13 personas — visual identity, domain specialty, and bias.
+ * Shared across all persona packages, daemon services, and orchestrators.
+ * NOT Jules-specific — this is platform infrastructure.
+ */
+
+export const PERSONA_VISUALS = Object.freeze({
+  frontend:        { color: "cyan",    avatar: "\u{1F3AF}", shortName: "Jules",  fullName: "Jules Tanaka",     domain: "frontend_runtime",      specialty: "React/Next.js/Vue production specialist — hydration safety, render cost, accessibility, bundle weight, mobile responsiveness", bias: "user-perceived performance over vanity optimization" },
+  security:        { color: "red",     avatar: "\u{1F6E1}\uFE0F", shortName: "Nina",   fullName: "Nina Patel",       domain: "security_overlay",      specialty: "AuthZ breaks, secret exposure, injection paths, policy bypass, externally reachable abuse conditions", bias: "assume hostile inputs until proven safe" },
+  backend:         { color: "blue",    avatar: "\u2699\uFE0F",    shortName: "Maya",   fullName: "Maya Volkov",      domain: "backend_runtime",       specialty: "Unsafe request handling, runtime crashes, unbounded work, validation gaps, server-side trust boundary failures", bias: "every request is potentially adversarial" },
+  testing:         { color: "green",   avatar: "\u{1F9EA}",       shortName: "Priya",  fullName: "Priya Raman",      domain: "testing_correctness",   specialty: "Missing regression coverage, false confidence from shallow tests, broken invariants with no executable proof", bias: "tests that pass but miss real bugs are worse than no tests" },
+  release:         { color: "yellow",  avatar: "\u{1F680}",       shortName: "Omar",   fullName: "Omar Singh",       domain: "release_engineering",   specialty: "CI/CD integrity, workflow trust, artifact provenance, bypassable gates, unsafe deployment automation", bias: "every deployment is a security boundary" },
+  "code-quality":  { color: "purple",  avatar: "\u{1F48E}",       shortName: "Ethan",  fullName: "Ethan Park",       domain: "code_quality",          specialty: "Complexity hotspots, unsafe shortcuts, brittle structure, maintenance risks that hide future defects", bias: "simplicity is a security feature" },
+  infrastructure:  { color: "orange",  avatar: "\u{1F3D7}\uFE0F", shortName: "Kat",    fullName: "Kat Hughes",       domain: "infrastructure",        specialty: "IAM blast radius, public exposure, network posture, secrets placement, infrastructure policy drift", bias: "least privilege by default, explicit escalation required" },
+  data:            { color: "pink",    avatar: "\u{1F5C4}\uFE0F", shortName: "Linh",   fullName: "Linh Tran",        domain: "data_layer",            specialty: "Query safety, migration drift, integrity failures, tenancy leaks, schema/application mismatches", bias: "data integrity is non-negotiable" },
+  observability:   { color: "magenta", avatar: "\u{1F4CA}",       shortName: "Sofia",  fullName: "Sofia Alvarez",    domain: "observability",         specialty: "Missing telemetry, broken alerting, weak auditability, blind spots that hide failures or attacks", bias: "if you can't observe it, you can't secure it" },
+  reliability:     { color: "white",   avatar: "\u{1F504}",       shortName: "Noah",   fullName: "Noah Ben-David",   domain: "reliability_sre",       specialty: "Timeout safety, retry storms, backlog growth, partial failure handling, operational blast radius", bias: "graceful degradation over silent failure" },
+  documentation:   { color: "gray",    avatar: "\u{1F4DD}",       shortName: "Samir",  fullName: "Samir Okafor",     domain: "docs_knowledge",        specialty: "Operational drift between docs and code, missing runbook steps, misleading instructions that break operators", bias: "documentation is a contract, not decoration" },
+  "supply-chain":  { color: "brown",   avatar: "\u{1F4E6}",       shortName: "Nora",   fullName: "Nora Kline",       domain: "supply_chain",          specialty: "Dependency risk, provenance gaps, pinning drift, artifact trust, compromised build inputs", bias: "every dependency is a trust decision" },
+  "ai-governance": { color: "violet",  avatar: "\u{1F916}",       shortName: "Amina",  fullName: "Amina Chen",       domain: "ai_pipeline",           specialty: "Prompt injection, tool abuse, eval regressions, unsafe model routing, guardrail bypass, policy drift in agentic flows", bias: "AI autonomy requires proportional governance" },
+});
+
+/**
+ * Resolve persona visual identity by agent ID or persona name.
+ */
+export function resolvePersonaVisual(idOrName) {
+  if (!idOrName) return null;
+  const lower = String(idOrName).toLowerCase();
+
+  // Direct ID match
+  if (PERSONA_VISUALS[lower]) return { id: lower, ...PERSONA_VISUALS[lower] };
+
+  // Name match (first name or full name)
+  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
+    if (visual.shortName.toLowerCase() === lower || visual.fullName.toLowerCase() === lower) {
+      return { id, ...visual };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * List all persona IDs for autocomplete.
+ */
+export function listPersonaIds() {
+  return Object.keys(PERSONA_VISUALS);
+}
+
+/**
+ * List all persona names (short + full) for autocomplete.
+ */
+export function listPersonaNames() {
+  const names = [];
+  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
+    names.push(id, visual.shortName.toLowerCase(), visual.fullName.toLowerCase());
+  }
+  return names;
+}