npm - tlc-claude-code - Versions diffs - 1.2.29 → 1.4.0 - Mend

tlc-claude-code 1.2.29 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (182) hide show

package/dashboard/dist/components/AuditPane.d.ts +30 -0
package/dashboard/dist/components/AuditPane.js +127 -0
package/dashboard/dist/components/AuditPane.test.d.ts +1 -0
package/dashboard/dist/components/AuditPane.test.js +339 -0
package/dashboard/dist/components/CompliancePane.d.ts +39 -0
package/dashboard/dist/components/CompliancePane.js +96 -0
package/dashboard/dist/components/CompliancePane.test.d.ts +1 -0
package/dashboard/dist/components/CompliancePane.test.js +183 -0
package/dashboard/dist/components/SSOPane.d.ts +36 -0
package/dashboard/dist/components/SSOPane.js +71 -0
package/dashboard/dist/components/SSOPane.test.d.ts +1 -0
package/dashboard/dist/components/SSOPane.test.js +155 -0
package/dashboard/dist/components/UsagePane.d.ts +13 -0
package/dashboard/dist/components/UsagePane.js +51 -0
package/dashboard/dist/components/UsagePane.test.d.ts +1 -0
package/dashboard/dist/components/UsagePane.test.js +142 -0
package/dashboard/dist/components/WorkspaceDocsPane.d.ts +19 -0
package/dashboard/dist/components/WorkspaceDocsPane.js +130 -0
package/dashboard/dist/components/WorkspaceDocsPane.test.d.ts +1 -0
package/dashboard/dist/components/WorkspaceDocsPane.test.js +242 -0
package/dashboard/dist/components/WorkspacePane.d.ts +18 -0
package/dashboard/dist/components/WorkspacePane.js +17 -0
package/dashboard/dist/components/WorkspacePane.test.d.ts +1 -0
package/dashboard/dist/components/WorkspacePane.test.js +84 -0
package/dashboard/dist/components/ZeroRetentionPane.d.ts +44 -0
package/dashboard/dist/components/ZeroRetentionPane.js +83 -0
package/dashboard/dist/components/ZeroRetentionPane.test.d.ts +1 -0
package/dashboard/dist/components/ZeroRetentionPane.test.js +160 -0
package/package.json +1 -1
package/server/lib/access-control-doc.js +541 -0
package/server/lib/access-control-doc.test.js +672 -0
package/server/lib/adr-generator.js +423 -0
package/server/lib/adr-generator.test.js +586 -0
package/server/lib/agent-progress-monitor.js +223 -0
package/server/lib/agent-progress-monitor.test.js +202 -0
package/server/lib/architecture-command.js +450 -0
package/server/lib/architecture-command.test.js +754 -0
package/server/lib/ast-analyzer.js +324 -0
package/server/lib/ast-analyzer.test.js +437 -0
package/server/lib/audit-attribution.js +191 -0
package/server/lib/audit-attribution.test.js +359 -0
package/server/lib/audit-classifier.js +202 -0
package/server/lib/audit-classifier.test.js +209 -0
package/server/lib/audit-command.js +275 -0
package/server/lib/audit-command.test.js +325 -0
package/server/lib/audit-exporter.js +380 -0
package/server/lib/audit-exporter.test.js +464 -0
package/server/lib/audit-logger.js +236 -0
package/server/lib/audit-logger.test.js +364 -0
package/server/lib/audit-query.js +257 -0
package/server/lib/audit-query.test.js +352 -0
package/server/lib/audit-storage.js +269 -0
package/server/lib/audit-storage.test.js +272 -0
package/server/lib/auth-system.test.js +4 -1
package/server/lib/boundary-detector.js +427 -0
package/server/lib/boundary-detector.test.js +320 -0
package/server/lib/budget-alerts.js +138 -0
package/server/lib/budget-alerts.test.js +235 -0
package/server/lib/bulk-repo-init.js +342 -0
package/server/lib/bulk-repo-init.test.js +388 -0
package/server/lib/candidates-tracker.js +210 -0
package/server/lib/candidates-tracker.test.js +300 -0
package/server/lib/checkpoint-manager.js +251 -0
package/server/lib/checkpoint-manager.test.js +474 -0
package/server/lib/circular-detector.js +337 -0
package/server/lib/circular-detector.test.js +353 -0
package/server/lib/cohesion-analyzer.js +310 -0
package/server/lib/cohesion-analyzer.test.js +447 -0
package/server/lib/compliance-checklist.js +866 -0
package/server/lib/compliance-checklist.test.js +476 -0
package/server/lib/compliance-command.js +616 -0
package/server/lib/compliance-command.test.js +551 -0
package/server/lib/compliance-reporter.js +692 -0
package/server/lib/compliance-reporter.test.js +707 -0
package/server/lib/contract-testing.js +625 -0
package/server/lib/contract-testing.test.js +342 -0
package/server/lib/conversion-planner.js +469 -0
package/server/lib/conversion-planner.test.js +361 -0
package/server/lib/convert-command.js +351 -0
package/server/lib/convert-command.test.js +608 -0
package/server/lib/coupling-calculator.js +189 -0
package/server/lib/coupling-calculator.test.js +509 -0
package/server/lib/data-flow-doc.js +665 -0
package/server/lib/data-flow-doc.test.js +659 -0
package/server/lib/dependency-graph.js +367 -0
package/server/lib/dependency-graph.test.js +516 -0
package/server/lib/duplication-detector.js +349 -0
package/server/lib/duplication-detector.test.js +401 -0
package/server/lib/ephemeral-storage.js +249 -0
package/server/lib/ephemeral-storage.test.js +254 -0
package/server/lib/evidence-collector.js +627 -0
package/server/lib/evidence-collector.test.js +901 -0
package/server/lib/example-service.js +616 -0
package/server/lib/example-service.test.js +397 -0
package/server/lib/flow-diagram-generator.js +474 -0
package/server/lib/flow-diagram-generator.test.js +446 -0
package/server/lib/idp-manager.js +626 -0
package/server/lib/idp-manager.test.js +587 -0
package/server/lib/impact-scorer.js +184 -0
package/server/lib/impact-scorer.test.js +211 -0
package/server/lib/memory-exclusion.js +326 -0
package/server/lib/memory-exclusion.test.js +241 -0
package/server/lib/mermaid-generator.js +358 -0
package/server/lib/mermaid-generator.test.js +301 -0
package/server/lib/messaging-patterns.js +750 -0
package/server/lib/messaging-patterns.test.js +213 -0
package/server/lib/mfa-handler.js +452 -0
package/server/lib/mfa-handler.test.js +490 -0
package/server/lib/microservice-template.js +386 -0
package/server/lib/microservice-template.test.js +325 -0
package/server/lib/new-project-microservice.js +450 -0
package/server/lib/new-project-microservice.test.js +600 -0
package/server/lib/oauth-flow.js +375 -0
package/server/lib/oauth-flow.test.js +487 -0
package/server/lib/oauth-registry.js +190 -0
package/server/lib/oauth-registry.test.js +306 -0
package/server/lib/readme-generator.js +490 -0
package/server/lib/readme-generator.test.js +493 -0
package/server/lib/refactor-command.js +326 -0
package/server/lib/refactor-command.test.js +528 -0
package/server/lib/refactor-executor.js +254 -0
package/server/lib/refactor-executor.test.js +305 -0
package/server/lib/refactor-observer.js +292 -0
package/server/lib/refactor-observer.test.js +422 -0
package/server/lib/refactor-progress.js +193 -0
package/server/lib/refactor-progress.test.js +251 -0
package/server/lib/refactor-reporter.js +237 -0
package/server/lib/refactor-reporter.test.js +247 -0
package/server/lib/repo-dependency-tracker.js +261 -0
package/server/lib/repo-dependency-tracker.test.js +350 -0
package/server/lib/retention-policy.js +281 -0
package/server/lib/retention-policy.test.js +486 -0
package/server/lib/role-mapper.js +236 -0
package/server/lib/role-mapper.test.js +395 -0
package/server/lib/saml-provider.js +765 -0
package/server/lib/saml-provider.test.js +643 -0
package/server/lib/security-policy-generator.js +682 -0
package/server/lib/security-policy-generator.test.js +544 -0
package/server/lib/semantic-analyzer.js +198 -0
package/server/lib/semantic-analyzer.test.js +474 -0
package/server/lib/sensitive-detector.js +112 -0
package/server/lib/sensitive-detector.test.js +209 -0
package/server/lib/service-interaction-diagram.js +700 -0
package/server/lib/service-interaction-diagram.test.js +638 -0
package/server/lib/service-scaffold.js +486 -0
package/server/lib/service-scaffold.test.js +373 -0
package/server/lib/service-summary.js +553 -0
package/server/lib/service-summary.test.js +619 -0
package/server/lib/session-purge.js +460 -0
package/server/lib/session-purge.test.js +312 -0
package/server/lib/shared-kernel.js +578 -0
package/server/lib/shared-kernel.test.js +255 -0
package/server/lib/sso-command.js +544 -0
package/server/lib/sso-command.test.js +552 -0
package/server/lib/sso-session.js +492 -0
package/server/lib/sso-session.test.js +670 -0
package/server/lib/traefik-config.js +282 -0
package/server/lib/traefik-config.test.js +312 -0
package/server/lib/usage-command.js +218 -0
package/server/lib/usage-command.test.js +391 -0
package/server/lib/usage-formatter.js +192 -0
package/server/lib/usage-formatter.test.js +267 -0
package/server/lib/usage-history.js +122 -0
package/server/lib/usage-history.test.js +206 -0
package/server/lib/workspace-command.js +249 -0
package/server/lib/workspace-command.test.js +264 -0
package/server/lib/workspace-config.js +270 -0
package/server/lib/workspace-config.test.js +312 -0
package/server/lib/workspace-docs-command.js +547 -0
package/server/lib/workspace-docs-command.test.js +692 -0
package/server/lib/workspace-memory.js +451 -0
package/server/lib/workspace-memory.test.js +403 -0
package/server/lib/workspace-scanner.js +452 -0
package/server/lib/workspace-scanner.test.js +677 -0
package/server/lib/workspace-test-runner.js +315 -0
package/server/lib/workspace-test-runner.test.js +294 -0
package/server/lib/zero-retention-command.js +439 -0
package/server/lib/zero-retention-command.test.js +448 -0
package/server/lib/zero-retention.js +322 -0
package/server/lib/zero-retention.test.js +258 -0
package/server/package-lock.json +14 -0
package/server/package.json +1 -0

package/server/lib/audit-attribution.test.js ADDED Viewed

@@ -0,0 +1,359 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import {
+  getAttribution,
+  identifySource,
+  createSessionId,
+  correlateSession,
+  getGitUser,
+  getSystemUser,
+  getParentProcessContext,
+} from './audit-attribution.js';
+describe('audit-attribution', () => {
+  let originalEnv;
+  beforeEach(() => {
+    originalEnv = { ...process.env };
+  });
+  afterEach(() => {
+    process.env = originalEnv;
+    vi.restoreAllMocks();
+  });
+  describe('getGitUser', () => {
+    it('returns git user info when available', async () => {
+      const mockExecSync = vi.fn()
+        .mockReturnValueOnce(Buffer.from('Test User\n'))
+        .mockReturnValueOnce(Buffer.from('test@example.com\n'));
+      const result = await getGitUser({ execSync: mockExecSync });
+      expect(result).toEqual({
+        name: 'Test User',
+        email: 'test@example.com',
+      });
+    });
+    it('returns null when git config fails', async () => {
+      const mockExecSync = vi.fn().mockImplementation(() => {
+        throw new Error('git not configured');
+      });
+      const result = await getGitUser({ execSync: mockExecSync });
+      expect(result).toBeNull();
+    });
+  });
+  describe('getSystemUser', () => {
+    it('returns username from os.userInfo', () => {
+      const mockUserInfo = vi.fn().mockReturnValue({ username: 'systemuser' });
+      const result = getSystemUser({ userInfo: mockUserInfo });
+      expect(result).toBe('systemuser');
+    });
+    it('falls back to USER env var', () => {
+      const mockUserInfo = vi.fn().mockImplementation(() => {
+        throw new Error('userInfo not available');
+      });
+      const env = { USER: 'envuser' };
+      const result = getSystemUser({ userInfo: mockUserInfo, env });
+      expect(result).toBe('envuser');
+    });
+    it('falls back to USERNAME env var on Windows', () => {
+      const mockUserInfo = vi.fn().mockImplementation(() => {
+        throw new Error('userInfo not available');
+      });
+      const env = { USERNAME: 'winuser' };
+      const result = getSystemUser({ userInfo: mockUserInfo, env });
+      expect(result).toBe('winuser');
+    });
+    it('returns unknown when all methods fail', () => {
+      const mockUserInfo = vi.fn().mockImplementation(() => {
+        throw new Error('userInfo not available');
+      });
+      const result = getSystemUser({ userInfo: mockUserInfo, env: {} });
+      expect(result).toBe('unknown');
+    });
+  });
+  describe('getAttribution', () => {
+    it('returns git user info when available', async () => {
+      const mockExecSync = vi.fn()
+        .mockReturnValueOnce(Buffer.from('Git User\n'))
+        .mockReturnValueOnce(Buffer.from('git@example.com\n'));
+      const result = await getAttribution({
+        execSync: mockExecSync,
+        env: {},
+      });
+      expect(result.user.name).toBe('Git User');
+      expect(result.user.email).toBe('git@example.com');
+      expect(result.source).toBe('git');
+    });
+    it('uses TLC_USER if set', async () => {
+      const mockExecSync = vi.fn()
+        .mockReturnValueOnce(Buffer.from('Git User\n'))
+        .mockReturnValueOnce(Buffer.from('git@example.com\n'));
+      const env = { TLC_USER: 'tlc-custom-user' };
+      const result = await getAttribution({
+        execSync: mockExecSync,
+        env,
+      });
+      expect(result.user.name).toBe('tlc-custom-user');
+      expect(result.source).toBe('env');
+    });
+    it('falls back to system user when git unavailable', async () => {
+      const mockExecSync = vi.fn().mockImplementation(() => {
+        throw new Error('git not configured');
+      });
+      const mockUserInfo = vi.fn().mockReturnValue({ username: 'sysuser' });
+      const result = await getAttribution({
+        execSync: mockExecSync,
+        userInfo: mockUserInfo,
+        env: {},
+      });
+      expect(result.user.name).toBe('sysuser');
+      expect(result.source).toBe('system');
+    });
+    it('includes timestamp', async () => {
+      const mockExecSync = vi.fn()
+        .mockReturnValueOnce(Buffer.from('User\n'))
+        .mockReturnValueOnce(Buffer.from('user@example.com\n'));
+      const result = await getAttribution({
+        execSync: mockExecSync,
+        env: {},
+      });
+      expect(result.timestamp).toBeDefined();
+      expect(typeof result.timestamp).toBe('string');
+    });
+  });
+  describe('identifySource', () => {
+    it('returns agent for Task tool calls', () => {
+      const context = {
+        toolName: 'Task',
+        parentProcess: 'claude',
+      };
+      const result = identifySource(context);
+      expect(result).toBe('agent');
+    });
+    it('returns agent for Skill tool calls', () => {
+      const context = {
+        toolName: 'Skill',
+        parentProcess: 'claude',
+      };
+      const result = identifySource(context);
+      expect(result).toBe('agent');
+    });
+    it('returns human for direct commands', () => {
+      const context = {
+        toolName: null,
+        parentProcess: 'bash',
+        tty: true,
+      };
+      const result = identifySource(context);
+      expect(result).toBe('human');
+    });
+    it('returns human for terminal interactions', () => {
+      const context = {
+        parentProcess: 'zsh',
+        tty: true,
+      };
+      const result = identifySource(context);
+      expect(result).toBe('human');
+    });
+    it('returns hook for hook-triggered actions', () => {
+      const context = {
+        env: { TLC_HOOK: 'pre-commit' },
+      };
+      const result = identifySource(context);
+      expect(result).toBe('hook');
+    });
+    it('returns hook when triggered by git hooks', () => {
+      const context = {
+        parentProcess: 'git',
+        env: { GIT_EXEC_PATH: '/usr/lib/git-core' },
+        argv: ['pre-commit'],
+      };
+      const result = identifySource(context);
+      expect(result).toBe('hook');
+    });
+    it('returns agent when CLAUDE_CODE is set', () => {
+      const context = {
+        env: { CLAUDE_CODE: '1' },
+      };
+      const result = identifySource(context);
+      expect(result).toBe('agent');
+    });
+    it('returns unknown for unidentifiable source', () => {
+      const context = {};
+      const result = identifySource(context);
+      expect(result).toBe('unknown');
+    });
+  });
+  describe('createSessionId', () => {
+    it('generates unique ID', () => {
+      const id1 = createSessionId();
+      const id2 = createSessionId();
+      expect(id1).not.toBe(id2);
+    });
+    it('returns string', () => {
+      const id = createSessionId();
+      expect(typeof id).toBe('string');
+    });
+    it('has expected format (uuid-like)', () => {
+      const id = createSessionId();
+      // Should be a valid UUID-like format or similar unique string
+      expect(id.length).toBeGreaterThan(0);
+      expect(id).toMatch(/^[a-z0-9-]+$/i);
+    });
+    it('includes timestamp component for ordering', () => {
+      const before = Date.now();
+      const id = createSessionId();
+      const after = Date.now();
+      // The ID should encode time information (first part is timestamp)
+      const parts = id.split('-');
+      expect(parts.length).toBeGreaterThanOrEqual(1);
+    });
+  });
+  describe('correlateSession', () => {
+    it('groups related actions by session ID', () => {
+      const sessionId = createSessionId();
+      const actions = [
+        { id: 'a1', sessionId, timestamp: new Date('2024-01-01T10:00:00Z').toISOString() },
+        { id: 'a2', sessionId, timestamp: new Date('2024-01-01T10:01:00Z').toISOString() },
+        { id: 'a3', sessionId: 'other', timestamp: new Date('2024-01-01T10:02:00Z').toISOString() },
+      ];
+      const result = correlateSession(sessionId, actions);
+      expect(result).toHaveLength(2);
+      expect(result.map(a => a.id)).toEqual(['a1', 'a2']);
+    });
+    it('returns empty array when no matching session', () => {
+      const actions = [
+        { id: 'a1', sessionId: 'session-1' },
+        { id: 'a2', sessionId: 'session-2' },
+      ];
+      const result = correlateSession('nonexistent', actions);
+      expect(result).toEqual([]);
+    });
+    it('sorts actions by timestamp', () => {
+      const sessionId = 'test-session';
+      const actions = [
+        { id: 'a2', sessionId, timestamp: new Date('2024-01-01T10:05:00Z').toISOString() },
+        { id: 'a1', sessionId, timestamp: new Date('2024-01-01T10:00:00Z').toISOString() },
+        { id: 'a3', sessionId, timestamp: new Date('2024-01-01T10:10:00Z').toISOString() },
+      ];
+      const result = correlateSession(sessionId, actions);
+      expect(result.map(a => a.id)).toEqual(['a1', 'a2', 'a3']);
+    });
+    it('handles actions without timestamps', () => {
+      const sessionId = 'test-session';
+      const actions = [
+        { id: 'a1', sessionId },
+        { id: 'a2', sessionId },
+      ];
+      const result = correlateSession(sessionId, actions);
+      expect(result).toHaveLength(2);
+    });
+  });
+  describe('getParentProcessContext', () => {
+    it('returns process info', () => {
+      const mockProcess = {
+        ppid: 1234,
+        env: { TERM: 'xterm' },
+        argv: ['node', 'script.js'],
+      };
+      const result = getParentProcessContext({ process: mockProcess });
+      expect(result.ppid).toBe(1234);
+      expect(result.argv).toEqual(['node', 'script.js']);
+    });
+    it('includes terminal info when available', () => {
+      const mockProcess = {
+        ppid: 1234,
+        stdout: { isTTY: true },
+        env: { TERM: 'xterm-256color' },
+      };
+      const result = getParentProcessContext({ process: mockProcess });
+      expect(result.tty).toBe(true);
+      expect(result.term).toBe('xterm-256color');
+    });
+    it('handles missing process info gracefully', () => {
+      const result = getParentProcessContext({ process: {} });
+      expect(result).toBeDefined();
+      expect(result.ppid).toBeUndefined();
+    });
+  });
+});

package/server/lib/audit-classifier.js ADDED Viewed

@@ -0,0 +1,202 @@
+/**
+ * Audit Action Classifier Module
+ * Classifies agent actions into categories for filtering and compliance
+ */
+/**
+ * Sensitive file patterns that should trigger alerts
+ */
+const SENSITIVE_FILE_PATTERNS = [
+  /\.env($|\.)/i,
+  /credentials\.json$/i,
+  /\.secrets\//i,
+  /secrets\.json$/i,
+  /\.aws\/credentials$/i,
+  /\.ssh\/(id_rsa|id_ed25519|id_dsa)$/i,
+  /\.pem$/i,
+  /private\.key$/i,
+  /\.p12$/i,
+  /\.pfx$/i,
+];
+/**
+ * Sensitive content patterns that should trigger alerts
+ */
+const SENSITIVE_CONTENT_PATTERNS = [
+  /password\s*[=:]/i,
+  /api[_-]?key\s*[=:]/i,
+  /secret\s*[=:]/i,
+  /token\s*[=:]/i,
+  /Bearer\s+[a-zA-Z0-9_-]+/i,
+  /sk-[a-zA-Z0-9]+/i,  // OpenAI keys
+  /ghp_[a-zA-Z0-9]+/i, // GitHub tokens
+  /AWS_SECRET/i,
+  /PRIVATE_KEY/i,
+];
+/**
+ * Destructive command patterns
+ */
+const DESTRUCTIVE_COMMAND_PATTERNS = [
+  /rm\s+(-rf|-r\s+-f|-f\s+-r)\s+/i,
+  /git\s+push\s+--force/i,
+  /git\s+push\s+-f\b/i,
+  /git\s+reset\s+--hard/i,
+  /git\s+clean\s+-f/i,
+];
+/**
+ * Classify an agent action into a category
+ * @param {Object} action - Action object with tool and params
+ * @returns {string} Classification category
+ */
+function classifyAction(action) {
+  const { tool, params } = action;
+  // File operations
+  if (tool === 'Read') {
+    return 'file:read';
+  }
+  if (tool === 'Write') {
+    return 'file:write';
+  }
+  if (tool === 'Edit') {
+    return 'file:edit';
+  }
+  if (tool === 'Glob') {
+    return 'file:glob';
+  }
+  if (tool === 'Grep') {
+    return 'file:grep';
+  }
+  // Network operations
+  if (tool === 'WebFetch') {
+    return 'network:fetch';
+  }
+  if (tool === 'WebSearch') {
+    return 'network:search';
+  }
+  // Shell operations
+  if (tool === 'Bash') {
+    const command = params?.command || '';
+    // Git commands
+    if (/^\s*git\s+/i.test(command)) {
+      return 'shell:git';
+    }
+    // NPM commands
+    if (/^\s*npm\s+/i.test(command)) {
+      return 'shell:npm';
+    }
+    return 'shell:execute';
+  }
+  return 'unknown';
+}
+/**
+ * Detect if an action involves sensitive data
+ * @param {Object} action - Action object with tool and params
+ * @returns {Object} Detection result with isSensitive flag and reason
+ */
+function detectSensitive(action) {
+  const { tool, params } = action;
+  // Check file paths
+  const filePath = params?.file_path || '';
+  for (const pattern of SENSITIVE_FILE_PATTERNS) {
+    if (pattern.test(filePath)) {
+      let reason = 'Accessing sensitive file';
+      if (/\.env/i.test(filePath)) {
+        reason = 'Accessing .env file';
+      } else if (/credential/i.test(filePath)) {
+        reason = 'Accessing credential file';
+      } else if (/\.ssh.*id_/i.test(filePath)) {
+        reason = 'Accessing private key file';
+      } else if (/\.aws/i.test(filePath)) {
+        reason = 'Accessing AWS credentials';
+      } else if (/\.secrets/i.test(filePath)) {
+        reason = 'Accessing secrets directory';
+      }
+      return { isSensitive: true, reason };
+    }
+  }
+  // Check command content
+  const command = params?.command || '';
+  for (const pattern of SENSITIVE_CONTENT_PATTERNS) {
+    if (pattern.test(command)) {
+      return { isSensitive: true, reason: 'Command contains sensitive data' };
+    }
+  }
+  // Check file content for write operations
+  const content = params?.content || '';
+  for (const pattern of SENSITIVE_CONTENT_PATTERNS) {
+    if (pattern.test(content)) {
+      return { isSensitive: true, reason: 'File content contains sensitive data' };
+    }
+  }
+  return { isSensitive: false, reason: null };
+}
+/**
+ * Get severity level for an action
+ * @param {Object} action - Action object with tool and params
+ * @returns {string} Severity level: 'info', 'warning', or 'critical'
+ */
+function getSeverity(action) {
+  const { tool, params } = action;
+  // First check if it's a sensitive operation
+  const sensitiveCheck = detectSensitive(action);
+  if (sensitiveCheck.isSensitive) {
+    return 'critical';
+  }
+  // Check for destructive commands
+  const command = params?.command || '';
+  for (const pattern of DESTRUCTIVE_COMMAND_PATTERNS) {
+    if (pattern.test(command)) {
+      return 'critical';
+    }
+  }
+  // File operations
+  if (tool === 'Write' || tool === 'Edit') {
+    return 'warning';
+  }
+  if (tool === 'Read' || tool === 'Glob' || tool === 'Grep') {
+    return 'info';
+  }
+  // Network operations
+  if (tool === 'WebFetch' || tool === 'WebSearch') {
+    return 'info';
+  }
+  // Shell operations
+  if (tool === 'Bash') {
+    // Git read commands are info level
+    if (/^\s*git\s+(status|log|diff|branch|show)\b/i.test(command)) {
+      return 'info';
+    }
+    // General shell execution is warning
+    return 'warning';
+  }
+  return 'info';
+}
+module.exports = {
+  classifyAction,
+  detectSensitive,
+  getSeverity,
+};