npm - soloforge - Versions diffs - 1.1.30 → 1.1.31 - Mend

soloforge 1.1.30 → 1.1.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (804) hide show

package/dist/engine/audit/privacy_grants.d.ts ADDED Viewed

@@ -0,0 +1,108 @@
+/**
+ * 隐私/机密/数据主权合约 — 授权与权限判定
+ *
+ * 包含读取禁止/确认判定、授权创建与验证、操作权限检查等功能。
+ */
+import type { SensitivityLabel, HandlingMode, CheckContext, DataAccessGrant, AllowedOperation } from "./privacy_types.js";
+/**
+ * 获取指定敏感标签的默认处理方式。
+ * @param label - 敏感标签
+ * @returns 处理方式
+ */
+export declare function getDefaultHandling(label: SensitivityLabel): HandlingMode;
+/**
+ * 获取指定敏感标签在特定上下文中的处理方式。
+ * @param label - 敏感标签
+ * @param context - 检查上下文
+ * @returns 处理方式
+ */
+export declare function getContextHandling(label: SensitivityLabel, context: CheckContext): HandlingMode;
+/**
+ * 判断数据是否可以注入 prompt。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export declare function canInjectInPrompt(label: SensitivityLabel): boolean;
+/**
+ * 判断数据是否可以存入任务上下文。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export declare function canStoreInTaskContext(label: SensitivityLabel): boolean;
+/**
+ * 判断数据是否可以存入产物。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export declare function canStoreInArtifact(label: SensitivityLabel): boolean;
+/**
+ * 判断数据是否可以外部发送。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export declare function canSendExternally(label: SensitivityLabel): boolean;
+/**
+ * 判断来源的内容是否可以读取。
+ * @param sourceRef - 来源引用路径
+ * @returns 读取许可结果
+ */
+export declare function canReadContent(sourceRef: string): {
+    allowed: boolean;
+    reason: string;
+    label: SensitivityLabel;
+    requires_confirmation?: boolean;
+};
+/**
+ * 判断来源是否禁止读取。
+ * @param sourceRef - 来源引用路径
+ * @returns 是否禁止
+ */
+export declare function isReadForbidden(sourceRef: string): boolean;
+/**
+ * 判断来源是否需要确认后才能读取。
+ * @param sourceRef - 来源引用路径
+ * @returns 是否需要确认
+ */
+export declare function isReadRequiresConfirmation(sourceRef: string): boolean;
+/**
+ * 创建数据访问授权。
+ * @param options.granted_by - 授权人
+ * @param options.scope_refs - 授权范围引用
+ * @param options.sensitivity_allowed - 允许的敏感标签
+ * @param options.allowed_operations - 允许的操作
+ * @param options.purpose - 用途
+ * @param options.duration_hours - 有效时长（小时）
+ * @returns 数据访问授权
+ */
+export declare function createDataAccessGrant(options: {
+    granted_by: string;
+    scope_refs: string[];
+    sensitivity_allowed: SensitivityLabel[];
+    allowed_operations: AllowedOperation[];
+    purpose: string;
+    duration_hours: number;
+}): DataAccessGrant;
+/**
+ * 判断授权是否有效。
+ * @param grant - 数据访问授权
+ * @returns 是否有效
+ */
+export declare function isGrantValid(grant: DataAccessGrant): boolean;
+/**
+ * 判断授权是否已过期。
+ * @param grant - 数据访问授权
+ * @returns 是否已过期
+ */
+export declare function isGrantExpired(grant: DataAccessGrant): boolean;
+/**
+ * 检查授权是否允许指定操作。
+ * @param grant - 数据访问授权
+ * @param operation - 请求的操作
+ * @param sensitivity - 敏感标签
+ * @returns 权限检查结果
+ */
+export declare function checkGrantPermission(grant: DataAccessGrant, operation: AllowedOperation, sensitivity: SensitivityLabel): {
+    allowed: boolean;
+    reason: string;
+};
+//# sourceMappingURL=privacy_grants.d.ts.map

package/dist/engine/audit/privacy_grants.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privacy_grants.d.ts","sourceRoot":"","sources":["../../../src/engine/audit/privacy_grants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,gBAAgB,EACjB,MAAM,oBAAoB,CAAC;AAU5B;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,GAAG,YAAY,CAGxE;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY,CAG/F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAIlE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAItE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAInE;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAGlE;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,gBAAgB,CAAC;IAAC,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAAE,CAahJ;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAG1D;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAGrE;AAID;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,mBAAmB,EAAE,gBAAgB,EAAE,CAAC;IACxC,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;CACxB,GAAG,eAAe,CAalB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAG5D;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAG9D;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,eAAe,EACtB,SAAS,EAAE,gBAAgB,EAC3B,WAAW,EAAE,gBAAgB,GAC5B;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAgBtC"}

package/dist/engine/audit/privacy_grants.js ADDED Viewed

@@ -0,0 +1,171 @@
+/**
+ * 隐私/机密/数据主权合约 — 授权与权限判定
+ *
+ * 包含读取禁止/确认判定、授权创建与验证、操作权限检查等功能。
+ */
+import { debugLog } from "../core/logger.js";
+import { DEFAULT_HANDLING, CONTEXT_HANDLING, FORBIDDEN_READ_PATTERNS, CONFIRMATION_READ_PATTERNS, } from "./privacy_patterns.js";
+// ── 检查函数 ──
+/**
+ * 获取指定敏感标签的默认处理方式。
+ * @param label - 敏感标签
+ * @returns 处理方式
+ */
+export function getDefaultHandling(label) {
+    debugLog(`隐私契约: 获取默认处理方式 — ${label}`);
+    return DEFAULT_HANDLING[label];
+}
+/**
+ * 获取指定敏感标签在特定上下文中的处理方式。
+ * @param label - 敏感标签
+ * @param context - 检查上下文
+ * @returns 处理方式
+ */
+export function getContextHandling(label, context) {
+    debugLog(`隐私契约: 获取上下文处理方式 — ${label}/${context}`);
+    return CONTEXT_HANDLING[label][context];
+}
+/**
+ * 判断数据是否可以注入 prompt。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export function canInjectInPrompt(label) {
+    debugLog(`隐私契约: 检查 prompt 注入许可 — ${label}`);
+    const handling = CONTEXT_HANDLING[label].prompt_injection;
+    return handling === "allow";
+}
+/**
+ * 判断数据是否可以存入任务上下文。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export function canStoreInTaskContext(label) {
+    debugLog(`隐私契约: 检查 TaskContext 存储许可 — ${label}`);
+    const handling = CONTEXT_HANDLING[label].task_context_store;
+    return handling === "allow" || handling === "redact" || handling === "summarize_only";
+}
+/**
+ * 判断数据是否可以存入产物。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export function canStoreInArtifact(label) {
+    debugLog(`隐私契约: 检查 artifact 存储许可 — ${label}`);
+    const handling = CONTEXT_HANDLING[label].artifact_store;
+    return handling === "allow" || handling === "redact" || handling === "summarize_only";
+}
+/**
+ * 判断数据是否可以外部发送。
+ * @param label - 敏感标签
+ * @returns 是否允许
+ */
+export function canSendExternally(label) {
+    debugLog(`隐私契约: 检查外发许可 — ${label}`);
+    return CONTEXT_HANDLING[label].external_send === "allow";
+}
+/**
+ * 判断来源的内容是否可以读取。
+ * @param sourceRef - 来源引用路径
+ * @returns 读取许可结果
+ */
+export function canReadContent(sourceRef) {
+    debugLog(`隐私契约: 检查内容读取许可 — ${sourceRef}`);
+    for (const { pattern, label, reason } of FORBIDDEN_READ_PATTERNS) {
+        if (pattern.test(sourceRef)) {
+            return { allowed: false, reason, label, requires_confirmation: false };
+        }
+    }
+    for (const { pattern, label, reason } of CONFIRMATION_READ_PATTERNS) {
+        if (pattern.test(sourceRef)) {
+            return { allowed: false, reason, label, requires_confirmation: true };
+        }
+    }
+    return { allowed: true, reason: "", label: "public" };
+}
+/**
+ * 判断来源是否禁止读取。
+ * @param sourceRef - 来源引用路径
+ * @returns 是否禁止
+ */
+export function isReadForbidden(sourceRef) {
+    debugLog(`隐私契约: 检查是否禁止读取 — ${sourceRef}`);
+    return FORBIDDEN_READ_PATTERNS.some(({ pattern }) => pattern.test(sourceRef));
+}
+/**
+ * 判断来源是否需要确认后才能读取。
+ * @param sourceRef - 来源引用路径
+ * @returns 是否需要确认
+ */
+export function isReadRequiresConfirmation(sourceRef) {
+    debugLog(`隐私契约: 检查是否需要确认读取 — ${sourceRef}`);
+    return CONFIRMATION_READ_PATTERNS.some(({ pattern }) => pattern.test(sourceRef));
+}
+// ── 授权管理 ──
+/**
+ * 创建数据访问授权。
+ * @param options.granted_by - 授权人
+ * @param options.scope_refs - 授权范围引用
+ * @param options.sensitivity_allowed - 允许的敏感标签
+ * @param options.allowed_operations - 允许的操作
+ * @param options.purpose - 用途
+ * @param options.duration_hours - 有效时长（小时）
+ * @returns 数据访问授权
+ */
+export function createDataAccessGrant(options) {
+    debugLog(`隐私契约: 创建数据访问授权 — 授权人: ${options.granted_by}, 范围: ${options.scope_refs.length} 个引用`);
+    const expiresAt = new Date(Date.now() + options.duration_hours * 3600_000);
+    return {
+        grant_id: `grant-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        granted_by: options.granted_by,
+        scope_refs: options.scope_refs,
+        sensitivity_allowed: options.sensitivity_allowed,
+        allowed_operations: options.allowed_operations,
+        purpose: options.purpose,
+        expires_at: expiresAt.toISOString(),
+        revocable: true,
+    };
+}
+/**
+ * 判断授权是否有效。
+ * @param grant - 数据访问授权
+ * @returns 是否有效
+ */
+export function isGrantValid(grant) {
+    debugLog(`隐私契约: 检查授权有效性 — ${grant.grant_id}`);
+    return new Date(grant.expires_at) > new Date();
+}
+/**
+ * 判断授权是否已过期。
+ * @param grant - 数据访问授权
+ * @returns 是否已过期
+ */
+export function isGrantExpired(grant) {
+    debugLog(`隐私契约: 检查授权是否过期 — ${grant.grant_id}`);
+    return new Date(grant.expires_at) <= new Date();
+}
+/**
+ * 检查授权是否允许指定操作。
+ * @param grant - 数据访问授权
+ * @param operation - 请求的操作
+ * @param sensitivity - 敏感标签
+ * @returns 权限检查结果
+ */
+export function checkGrantPermission(grant, operation, sensitivity) {
+    debugLog(`隐私契约: 检查授权权限 — ${grant.grant_id}, 操作: ${operation}, 等级: ${sensitivity}`);
+    if (isGrantExpired(grant)) {
+        debugLog(`隐私契约: 授权权限拒绝 — 授权已过期`);
+        return { allowed: false, reason: `授权 ${grant.grant_id} 已过期` };
+    }
+    if (!grant.allowed_operations.includes(operation)) {
+        debugLog(`隐私契约: 授权权限拒绝 — 不允许操作 ${operation}`);
+        return { allowed: false, reason: `授权 ${grant.grant_id} 不允许操作 ${operation}` };
+    }
+    if (!grant.sensitivity_allowed.includes(sensitivity)) {
+        debugLog(`隐私契约: 授权权限拒绝 — 不允许敏感等级 ${sensitivity}`);
+        return { allowed: false, reason: `授权 ${grant.grant_id} 不允许敏感等级 ${sensitivity}` };
+    }
+    debugLog(`隐私契约: 授权权限通过`);
+    return { allowed: true, reason: "" };
+}
+//# sourceMappingURL=privacy_grants.js.map

package/dist/engine/audit/privacy_grants.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privacy_grants.js","sourceRoot":"","sources":["../../../src/engine/audit/privacy_grants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAQ7C,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,uBAAuB,EACvB,0BAA0B,GAC3B,MAAM,uBAAuB,CAAC;AAE/B,aAAa;AAEb;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAuB;IACxD,QAAQ,CAAC,oBAAoB,KAAK,EAAE,CAAC,CAAC;IACtC,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAuB,EAAE,OAAqB;IAC/E,QAAQ,CAAC,qBAAqB,KAAK,IAAI,OAAO,EAAE,CAAC,CAAC;IAClD,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAuB;IACvD,QAAQ,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,gBAAgB,CAAC;IAC1D,OAAO,QAAQ,KAAK,OAAO,CAAC;AAC9B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAuB;IAC3D,QAAQ,CAAC,+BAA+B,KAAK,EAAE,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,kBAAkB,CAAC;IAC5D,OAAO,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,gBAAgB,CAAC;AACxF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAuB;IACxD,QAAQ,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,cAAc,CAAC;IACxD,OAAO,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,gBAAgB,CAAC;AACxF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAuB;IACvD,QAAQ,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC;IACpC,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC,aAAa,KAAK,OAAO,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB;IAC9C,QAAQ,CAAC,oBAAoB,SAAS,EAAE,CAAC,CAAC;IAC1C,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,uBAAuB,EAAE,CAAC;QACjE,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,qBAAqB,EAAE,KAAK,EAAE,CAAC;QACzE,CAAC;IACH,CAAC;IACD,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,0BAA0B,EAAE,CAAC;QACpE,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC;QACxE,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACxD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,QAAQ,CAAC,oBAAoB,SAAS,EAAE,CAAC,CAAC;IAC1C,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;AAChF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CAAC,SAAiB;IAC1D,QAAQ,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IAC5C,OAAO,0BAA0B,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,aAAa;AAEb;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAOrC;IACC,QAAQ,CAAC,yBAAyB,OAAO,CAAC,UAAU,SAAS,OAAO,CAAC,UAAU,CAAC,MAAM,MAAM,CAAC,CAAC;IAC9F,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,cAAc,GAAG,QAAQ,CAAC,CAAC;IAC3E,OAAO;QACL,QAAQ,EAAE,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QACzE,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;QAChD,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,UAAU,EAAE,SAAS,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,IAAI;KAChB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,KAAsB;IACjD,QAAQ,CAAC,mBAAmB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9C,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAsB;IACnD,QAAQ,CAAC,oBAAoB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAsB,EACtB,SAA2B,EAC3B,WAA6B;IAE7B,QAAQ,CAAC,kBAAkB,KAAK,CAAC,QAAQ,SAAS,SAAS,SAAS,WAAW,EAAE,CAAC,CAAC;IACnF,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,QAAQ,CAAC,sBAAsB,CAAC,CAAC;QACjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC,QAAQ,MAAM,EAAE,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAClD,QAAQ,CAAC,wBAAwB,SAAS,EAAE,CAAC,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC,QAAQ,UAAU,SAAS,EAAE,EAAE,CAAC;IAC/E,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACrD,QAAQ,CAAC,0BAA0B,WAAW,EAAE,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC,QAAQ,YAAY,WAAW,EAAE,EAAE,CAAC;IACnF,CAAC;IACD,QAAQ,CAAC,cAAc,CAAC,CAAC;IACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AACvC,CAAC"}

package/dist/engine/audit/privacy_patterns.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * 隐私/机密/数据主权合约 — 常量与查找表
+ *
+ * 包含所有敏感模式正则、处理规则映射、禁止读取模式等常量。
+ */
+import type { SensitivityLabel, CheckContext, HandlingMode } from "./privacy_types.js";
+export declare const DEFAULT_HANDLING: Record<SensitivityLabel, HandlingMode>;
+export declare const CONTEXT_HANDLING: Record<SensitivityLabel, Record<CheckContext, HandlingMode>>;
+export declare const FORBIDDEN_READ_PATTERNS: Array<{
+    pattern: RegExp;
+    label: SensitivityLabel;
+    reason: string;
+}>;
+export declare const CONFIRMATION_READ_PATTERNS: Array<{
+    pattern: RegExp;
+    label: SensitivityLabel;
+    reason: string;
+}>;
+export declare const TEXT_SECRET_PATTERNS: Array<{
+    pattern: RegExp;
+    label: SensitivityLabel;
+    fields: string[];
+}>;
+//# sourceMappingURL=privacy_patterns.d.ts.map

package/dist/engine/audit/privacy_patterns.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privacy_patterns.d.ts","sourceRoot":"","sources":["../../../src/engine/audit/privacy_patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIvF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,YAAY,CAUnE,CAAC;AAIF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,CAyEzF,CAAC;AAIF,eAAO,MAAM,uBAAuB,EAAE,KAAK,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,gBAAgB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAcvG,CAAC;AAIF,eAAO,MAAM,0BAA0B,EAAE,KAAK,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,gBAAgB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAW1G,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,KAAK,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,gBAAgB,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAmBtG,CAAC"}

package/dist/engine/audit/privacy_patterns.js ADDED Viewed

@@ -0,0 +1,143 @@
+/**
+ * 隐私/机密/数据主权合约 — 常量与查找表
+ *
+ * 包含所有敏感模式正则、处理规则映射、禁止读取模式等常量。
+ */
+// ── 敏感标签的默认处理方式 ──
+export const DEFAULT_HANDLING = {
+    public: "allow",
+    internal: "allow",
+    confidential: "require_human",
+    secret: "forbidden",
+    credential: "forbidden",
+    pii: "require_human",
+    customer_data: "require_human",
+    production_data: "require_human",
+    unknown: "require_human",
+};
+// ── 上下文相关处理方式 ──
+export const CONTEXT_HANDLING = {
+    public: {
+        prompt_injection: "allow",
+        task_context_store: "allow",
+        artifact_store: "allow",
+        evidence_store: "allow",
+        external_send: "allow",
+        read_operation: "allow",
+    },
+    internal: {
+        prompt_injection: "allow",
+        task_context_store: "allow",
+        artifact_store: "allow",
+        evidence_store: "allow",
+        external_send: "forbidden",
+        read_operation: "allow",
+    },
+    confidential: {
+        prompt_injection: "summarize_only",
+        task_context_store: "redact",
+        artifact_store: "redact",
+        evidence_store: "redact",
+        external_send: "require_human",
+        read_operation: "require_human",
+    },
+    secret: {
+        prompt_injection: "forbidden",
+        task_context_store: "forbidden",
+        artifact_store: "forbidden",
+        evidence_store: "forbidden",
+        external_send: "forbidden",
+        read_operation: "forbidden",
+    },
+    credential: {
+        prompt_injection: "forbidden",
+        task_context_store: "forbidden",
+        artifact_store: "forbidden",
+        evidence_store: "forbidden",
+        external_send: "forbidden",
+        read_operation: "forbidden",
+    },
+    pii: {
+        prompt_injection: "redact",
+        task_context_store: "redact",
+        artifact_store: "redact",
+        evidence_store: "redact",
+        external_send: "require_human",
+        read_operation: "require_human",
+    },
+    customer_data: {
+        prompt_injection: "summarize_only",
+        task_context_store: "summarize_only",
+        artifact_store: "summarize_only",
+        evidence_store: "summarize_only",
+        external_send: "require_human",
+        read_operation: "require_human",
+    },
+    production_data: {
+        prompt_injection: "summarize_only",
+        task_context_store: "summarize_only",
+        artifact_store: "summarize_only",
+        evidence_store: "summarize_only",
+        external_send: "require_human",
+        read_operation: "require_human",
+    },
+    unknown: {
+        prompt_injection: "summarize_only",
+        task_context_store: "summarize_only",
+        artifact_store: "summarize_only",
+        evidence_store: "summarize_only",
+        external_send: "require_human",
+        read_operation: "require_human",
+    },
+};
+// ── 禁止读取模式（内容读取禁止，仅允许存在性检查） ──
+export const FORBIDDEN_READ_PATTERNS = [
+    { pattern: /\.env($|\.)/, label: "credential", reason: ".env 文件默认禁止读取内容" },
+    { pattern: /id_rsa/, label: "secret", reason: "SSH 私钥默认禁止读取" },
+    { pattern: /\.pem$/, label: "secret", reason: "PEM 私钥默认禁止读取" },
+    { pattern: /\.key$/, label: "secret", reason: "密钥文件默认禁止读取" },
+    { pattern: /\.aws[\\/]credentials/, label: "credential", reason: "AWS 凭证默认禁止读取" },
+    { pattern: /\.npmrc$/, label: "credential", reason: "npmrc 可能包含 token" },
+    { pattern: /\.pypirc$/, label: "credential", reason: "PyPI 配置可能包含凭证" },
+    { pattern: /kubeconfig/, label: "credential", reason: "kubeconfig 可能包含集群凭证" },
+    { pattern: /\.docker[\\/]config\.json/, label: "credential", reason: "Docker 配置可能包含 registry 凭证" },
+    { pattern: /tokens\.json|token_store|\.token/, label: "credential", reason: "token store 文件默认禁止读取" },
+    { pattern: /cookies\.sqlite|cookies\.db|\.cookie[\\/]/, label: "secret", reason: "浏览器 cookie/session 默认禁止读取" },
+    { pattern: /login\.keychain|\.keychain|\.keystore/, label: "secret", reason: "系统钥匙串默认禁止读取" },
+    { pattern: /ssh[\\/]config$/i, label: "secret", reason: "SSH config 可能包含敏感主机/代理配置" },
+];
+// ── 需确认读取模式 ──
+export const CONFIRMATION_READ_PATTERNS = [
+    { pattern: /\.log$/, label: "production_data", reason: "日志文件可能包含敏感信息" },
+    { pattern: /\.sql$/, label: "production_data", reason: "SQL 文件可能是数据库 dump" },
+    { pattern: /\.csv$/, label: "customer_data", reason: "CSV 可能包含客户数据" },
+    { pattern: /dump/, label: "production_data", reason: "dump 文件可能包含生产数据" },
+    { pattern: /[\\/]export[\\/]/, label: "customer_data", reason: "export 目录可能包含客户导出数据" },
+    { pattern: /figma[\\/]|notion[\\/]|drive[\\/]|slack[\\/]|github[\\/]private/, label: "confidential", reason: "私有云文档/协作平台数据需确认" },
+    { pattern: /api[_-]?response|_response\.json|_result\.json/, label: "confidential", reason: "外部系统返回数据需确认" },
+    { pattern: new RegExp('\\b(Users|home)\\/[\\w.-]+\\/(Desktop|Documents|Downloads|Pictures)', 's'), label: "confidential", reason: "用户 home 大范围目录需确认" },
+    { pattern: /sample.*\.json|fixture.*\.json/, label: "confidential", reason: "真实 API 响应样本需确认" },
+    { pattern: /\.vcf$|\. contacts$/, label: "pii", reason: "包含联系方式/PII 的文件需确认" },
+];
+// ── 文本内容敏感模式（用于 scanTextSensitivity） ──
+export const TEXT_SECRET_PATTERNS = [
+    { pattern: /sk-[a-zA-Z0-9]{32,}/, label: "secret", fields: ["api_key"] },
+    { pattern: /AKIA[0-9A-Z]{16}/, label: "credential", fields: ["aws_access_key"] },
+    { pattern: /aws_secret_access_key\s*=\s*['"][^'"]+['"]/, label: "credential", fields: ["aws_secret"] },
+    { pattern: /password\s*=\s*['"][^'"]{4,}['"]/, label: "credential", fields: ["password"] },
+    { pattern: /secret_key\s*=\s*['"][^'"]+['"]/, label: "secret", fields: ["secret_key"] },
+    { pattern: /jwt_secret\s*=\s*['"][^'"]+['"]/, label: "secret", fields: ["jwt_secret"] },
+    { pattern: /1[3-9]\d{9}/, label: "pii", fields: ["phone"] },
+    { pattern: /[\w.+-]+@[\w-]+\.[\w.]+/, label: "pii", fields: ["email"] },
+    { pattern: /\b\d{17}[\dXx]\b/, label: "pii", fields: ["id_number"] },
+    // 生产数据模式
+    { pattern: /production\.log|prod-\w+\.\w+|\bproduction\s+data\b/i, label: "production_data", fields: ["production_log"] },
+    { pattern: /SELECT\s+.{1,}?\s+FROM\s+/is, label: "production_data", fields: ["sql_query"] },
+    { pattern: /database\s+dump|db\s+dump|\bdb_dump\b/i, label: "production_data", fields: ["database_dump"] },
+    { pattern: /API\s+Response:\s*\{/i, label: "production_data", fields: ["api_response"] },
+    // 客户数据模式
+    { pattern: /email,\s*phone,\s*name|name,\s*email,\s*phone/i, label: "customer_data", fields: ["customer_csv"] },
+    { pattern: /user_id["']?\s*:\s*\d+.*["']?email["']?\s*:/i, label: "customer_data", fields: ["user_export"] },
+    { pattern: /customer.*export|export.*customer/i, label: "customer_data", fields: ["customer_export"] },
+];
+//# sourceMappingURL=privacy_patterns.js.map

package/dist/engine/audit/privacy_patterns.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privacy_patterns.js","sourceRoot":"","sources":["../../../src/engine/audit/privacy_patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,oBAAoB;AAEpB,MAAM,CAAC,MAAM,gBAAgB,GAA2C;IACtE,MAAM,EAAE,OAAO;IACf,QAAQ,EAAE,OAAO;IACjB,YAAY,EAAE,eAAe;IAC7B,MAAM,EAAE,WAAW;IACnB,UAAU,EAAE,WAAW;IACvB,GAAG,EAAE,eAAe;IACpB,aAAa,EAAE,eAAe;IAC9B,eAAe,EAAE,eAAe;IAChC,OAAO,EAAE,eAAe;CACzB,CAAC;AAEF,kBAAkB;AAElB,MAAM,CAAC,MAAM,gBAAgB,GAAiE;IAC5F,MAAM,EAAE;QACN,gBAAgB,EAAE,OAAO;QACzB,kBAAkB,EAAE,OAAO;QAC3B,cAAc,EAAE,OAAO;QACvB,cAAc,EAAE,OAAO;QACvB,aAAa,EAAE,OAAO;QACtB,cAAc,EAAE,OAAO;KACxB;IACD,QAAQ,EAAE;QACR,gBAAgB,EAAE,OAAO;QACzB,kBAAkB,EAAE,OAAO;QAC3B,cAAc,EAAE,OAAO;QACvB,cAAc,EAAE,OAAO;QACvB,aAAa,EAAE,WAAW;QAC1B,cAAc,EAAE,OAAO;KACxB;IACD,YAAY,EAAE;QACZ,gBAAgB,EAAE,gBAAgB;QAClC,kBAAkB,EAAE,QAAQ;QAC5B,cAAc,EAAE,QAAQ;QACxB,cAAc,EAAE,QAAQ;QACxB,aAAa,EAAE,eAAe;QAC9B,cAAc,EAAE,eAAe;KAChC;IACD,MAAM,EAAE;QACN,gBAAgB,EAAE,WAAW;QAC7B,kBAAkB,EAAE,WAAW;QAC/B,cAAc,EAAE,WAAW;QAC3B,cAAc,EAAE,WAAW;QAC3B,aAAa,EAAE,WAAW;QAC1B,cAAc,EAAE,WAAW;KAC5B;IACD,UAAU,EAAE;QACV,gBAAgB,EAAE,WAAW;QAC7B,kBAAkB,EAAE,WAAW;QAC/B,cAAc,EAAE,WAAW;QAC3B,cAAc,EAAE,WAAW;QAC3B,aAAa,EAAE,WAAW;QAC1B,cAAc,EAAE,WAAW;KAC5B;IACD,GAAG,EAAE;QACH,gBAAgB,EAAE,QAAQ;QAC1B,kBAAkB,EAAE,QAAQ;QAC5B,cAAc,EAAE,QAAQ;QACxB,cAAc,EAAE,QAAQ;QACxB,aAAa,EAAE,eAAe;QAC9B,cAAc,EAAE,eAAe;KAChC;IACD,aAAa,EAAE;QACb,gBAAgB,EAAE,gBAAgB;QAClC,kBAAkB,EAAE,gBAAgB;QACpC,cAAc,EAAE,gBAAgB;QAChC,cAAc,EAAE,gBAAgB;QAChC,aAAa,EAAE,eAAe;QAC9B,cAAc,EAAE,eAAe;KAChC;IACD,eAAe,EAAE;QACf,gBAAgB,EAAE,gBAAgB;QAClC,kBAAkB,EAAE,gBAAgB;QACpC,cAAc,EAAE,gBAAgB;QAChC,cAAc,EAAE,gBAAgB;QAChC,aAAa,EAAE,eAAe;QAC9B,cAAc,EAAE,eAAe;KAChC;IACD,OAAO,EAAE;QACP,gBAAgB,EAAE,gBAAgB;QAClC,kBAAkB,EAAE,gBAAgB;QACpC,cAAc,EAAE,gBAAgB;QAChC,cAAc,EAAE,gBAAgB;QAChC,aAAa,EAAE,eAAe;QAC9B,cAAc,EAAE,eAAe;KAChC;CACF,CAAC;AAEF,gCAAgC;AAEhC,MAAM,CAAC,MAAM,uBAAuB,GAAwE;IAC1G,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,iBAAiB,EAAE;IAC1E,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE;IAC9D,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE;IAC9D,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE;IAC5D,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE;IACjF,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,kBAAkB,EAAE;IACxE,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,eAAe,EAAE;IACtE,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,qBAAqB,EAAE;IAC7E,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,2BAA2B,EAAE;IAClG,EAAE,OAAO,EAAE,kCAAkC,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpG,EAAE,OAAO,EAAE,2CAA2C,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,2BAA2B,EAAE;IAC9G,EAAE,OAAO,EAAE,uCAAuC,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE;IAC5F,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,0BAA0B,EAAE;CACrF,CAAC;AAEF,gBAAgB;AAEhB,MAAM,CAAC,MAAM,0BAA0B,GAAwE;IAC7G,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,cAAc,EAAE;IACvE,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,mBAAmB,EAAE;IAC5E,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,cAAc,EAAE;IACrE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,iBAAiB,EAAE;IACxE,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,qBAAqB,EAAE;IACtF,EAAE,OAAO,EAAE,iEAAiE,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,iBAAiB,EAAE;IAChI,EAAE,OAAO,EAAE,gDAAgD,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,aAAa,EAAE;IAC3G,EAAE,OAAO,EAAE,IAAI,MAAM,CAAC,qEAAqE,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,kBAAkB,EAAE;IACtJ,EAAE,OAAO,EAAE,gCAAgC,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,gBAAgB,EAAE;IAC9F,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE;CAC9E,CAAC;AAEF,yCAAyC;AAEzC,MAAM,CAAC,MAAM,oBAAoB,GAA0E;IACzG,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE;IACxE,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,gBAAgB,CAAC,EAAE;IAChF,EAAE,OAAO,EAAE,4CAA4C,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE;IACtG,EAAE,OAAO,EAAE,kCAAkC,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;IAC1F,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE;IACvF,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE;IACvF,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE;IAC3D,EAAE,OAAO,EAAE,yBAAyB,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE;IACvE,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE;IACpE,SAAS;IACT,EAAE,OAAO,EAAE,sDAAsD,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC,gBAAgB,CAAC,EAAE;IACzH,EAAE,OAAO,EAAE,6BAA6B,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE;IAC3F,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC,eAAe,CAAC,EAAE;IAC1G,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC,cAAc,CAAC,EAAE;IACxF,SAAS;IACT,EAAE,OAAO,EAAE,gDAAgD,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,cAAc,CAAC,EAAE;IAC/G,EAAE,OAAO,EAAE,8CAA8C,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,aAAa,CAAC,EAAE;IAC5G,EAAE,OAAO,EAAE,oCAAoC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,iBAAiB,CAAC,EAAE;CACvG,CAAC"}

package/dist/engine/audit/privacy_scanning.d.ts ADDED Viewed

@@ -0,0 +1,153 @@
+/**
+ * 隐私/机密/数据主权合约 — 扫描与评估
+ *
+ * 包含敏感信息检测、脱敏处理、外发检查、prompt 注入检查、
+ * 治理验证和统一隐私门禁评估等功能。
+ */
+import type { SensitivityLabel, HandlingMode, DataSensitivityLabel, DataAccessGrant, RedactionRecord, PrivacyGovernanceFinding } from "./privacy_types.js";
+/**
+ * 检测来源的敏感等级。
+ * @param sourceRef - 来源引用路径
+ * @param contentHints - 内容提示关键词（可选）
+ * @returns 数据敏感标签
+ */
+export declare function detectSensitivity(sourceRef: string, contentHints?: string[]): DataSensitivityLabel;
+/**
+ * 对内容进行脱敏处理。
+ * @param content - 原始内容
+ * @param label - 敏感标签
+ * @param sourceRef - 来源引用（可选）
+ * @returns 脱敏结果和脱敏记录
+ */
+export declare function redactContent(content: string, label: SensitivityLabel, sourceRef?: string): {
+    redacted: string;
+    record: RedactionRecord;
+};
+/**
+ * 检查内容是否可以外部发送。
+ * @param content - 待发送内容
+ * @param sensitivity - 敏感标签
+ * @param grants - 授权列表
+ * @returns 外发检查结果
+ */
+export declare function checkExternalSend(content: string, sensitivity: DataSensitivityLabel, grants: DataAccessGrant[]): {
+    allowed: boolean;
+    reason: string;
+    requiresRedaction: boolean;
+    redactedContent?: string;
+};
+/**
+ * 检查数据是否可以注入 prompt。
+ * @param sensitivity - 敏感标签
+ * @param grants - 授权列表
+ * @returns 注入检查结果
+ */
+export declare function checkPromptInjection(sensitivity: DataSensitivityLabel, grants: DataAccessGrant[]): {
+    allowed: boolean;
+    reason: string;
+    handling: HandlingMode;
+};
+/**
+ * 构建隐私处理反馈信息。
+ * @param options - 反馈选项
+ * @returns 格式化的反馈文本
+ */
+export declare function buildPrivacyFeedback(options: {
+    notRead: string[];
+    redacted: string[];
+    requiresAuth: string[];
+    notInPrompt: string[];
+    blocked: boolean;
+    externalRedaction: boolean;
+}): string;
+/**
+ * 验证隐私契约合规性。
+ * @param options.sensitivities - 敏感标签列表
+ * @param options.grants - 授权列表
+ * @param options.redactionRecords - 脱敏记录列表
+ * @param options.promptInjections - prompt 注入列表
+ * @param options.taskContextStores - 任务上下文存储列表
+ * @param options.artifactStores - 产物存储列表
+ * @param options.externalSends - 外部发送列表
+ * @returns 治理发现列表
+ */
+export declare function validatePrivacyContract(options: {
+    sensitivities: DataSensitivityLabel[];
+    grants: DataAccessGrant[];
+    redactionRecords: RedactionRecord[];
+    promptInjections: Array<{
+        source_ref: string;
+        label: SensitivityLabel;
+    }>;
+    taskContextStores: Array<{
+        source_ref: string;
+        label: SensitivityLabel;
+    }>;
+    artifactStores: Array<{
+        source_ref: string;
+        label: SensitivityLabel;
+    }>;
+    externalSends: Array<{
+        source_ref: string;
+        label: SensitivityLabel;
+    }>;
+}): PrivacyGovernanceFinding[];
+export interface PrivacyGateResult {
+    allowed: boolean;
+    hard_fail: boolean;
+    blocked_sources: string[];
+    findings: PrivacyGovernanceFinding[];
+    redacted_text?: string;
+    redaction_records: RedactionRecord[];
+    labels: DataSensitivityLabel[];
+}
+/**
+ * 扫描文本中的敏感信息。
+ * @param text - 待扫描文本
+ * @param sourceRef - 来源引用
+ * @returns 检测到的敏感标签列表
+ */
+export declare function scanTextSensitivity(text: string, sourceRef: string): DataSensitivityLabel[];
+/**
+ * 扫描来源引用的敏感等级。
+ * @param sourceRef - 来源引用路径
+ * @returns 数据敏感标签
+ */
+export declare function scanSourceRefSensitivity(sourceRef: string): DataSensitivityLabel;
+/**
+ * 对文本中的敏感信息进行脱敏处理。
+ * @param text - 原始文本
+ * @param sourceRef - 来源引用（可选）
+ * @returns 脱敏结果和脱敏记录
+ */
+export declare function redactSensitiveText(text: string, sourceRef?: string): {
+    redacted: string;
+    records: RedactionRecord[];
+};
+/**
+ * 评估隐私门禁，决定是否阻断操作。
+ * @param options - 门禁评估选项
+ * @returns 门禁结果，包含是否通过、阻断源和警告
+ */
+export declare function evaluatePrivacyGate(params: {
+    intent?: string;
+    input_materials?: Array<{
+        path_or_ref: string;
+        content?: string;
+    }>;
+    prompt_sources?: string[];
+    task_context_stores?: Array<{
+        source_ref: string;
+        content?: string;
+    }>;
+    artifact_stores?: Array<{
+        source_ref: string;
+        content?: string;
+    }>;
+    external_sends?: Array<{
+        source_ref: string;
+        content?: string;
+    }>;
+    grants?: DataAccessGrant[];
+}): PrivacyGateResult;
+//# sourceMappingURL=privacy_scanning.d.ts.map

package/dist/engine/audit/privacy_scanning.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privacy_scanning.d.ts","sourceRoot":"","sources":["../../../src/engine/audit/privacy_scanning.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,gBAAgB,EAChB,YAAY,EAEZ,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,wBAAwB,EACzB,MAAM,oBAAoB,CAAC;AAY5B;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,EAAE,GACtB,oBAAoB,CA+EtB;AAID;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,gBAAgB,EACvB,SAAS,CAAC,EAAE,MAAM,GACjB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,CA4B/C;AAyCD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,oBAAoB,EACjC,MAAM,EAAE,eAAe,EAAE,GACxB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,OAAO,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,CA6B5F;AAID;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,oBAAoB,EACjC,MAAM,EAAE,eAAe,EAAE,GACxB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAA;CAAE,CAuB9D;AAID;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE;IAC5C,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,OAAO,CAAC;CAC5B,GAAG,MAAM,CAwBT;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE;IAC/C,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,gBAAgB,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,gBAAgB,CAAA;KAAE,CAAC,CAAC;IACzE,iBAAiB,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,gBAAgB,CAAA;KAAE,CAAC,CAAC;IAC1E,cAAc,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,gBAAgB,CAAA;KAAE,CAAC,CAAC;IACvE,aAAa,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,gBAAgB,CAAA;KAAE,CAAC,CAAC;CACvE,GAAG,wBAAwB,EAAE,CAwH7B;AAID,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,EAAE,wBAAwB,EAAE,CAAC;IACrC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,eAAe,EAAE,CAAC;IACrC,MAAM,EAAE,oBAAoB,EAAE,CAAC;CAChC;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAe3F;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,SAAS,EAAE,MAAM,GAAG,oBAAoB,CAGhF;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,eAAe,EAAE,CAAA;CAAE,CAyCtH;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,KAAK,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,mBAAmB,CAAC,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,eAAe,CAAC,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClE,cAAc,CAAC,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjE,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC;CAC5B,GAAG,iBAAiB,CAiHpB"}