workerclaw 0.2.0

package/dist/security/gate.js

@@ -0,0 +1,150 @@
+/**
+ * 安全门（Security Gate）
+ *
+ * 安全审查的总调度器，串联四层安全检查：
+ * Layer 1: 速率限制
+ * Layer 2: 来源验证
+ * Layer 3: 内容安全扫描
+ * Layer 4: 权限分级
+ */
+import { createLogger } from '../core/logger.js';
+import { WorkerClawEvent } from '../core/events.js';
+import { RateLimiter } from './rate-limiter.js';
+import { SourceVerifier } from './source-verifier.js';
+import { ContentScanner } from './content-scanner.js';
+import { PermissionGrader } from './permission-level.js';
+export class SecurityGate {
+    logger;
+    rateLimiter;
+    sourceVerifier;
+    contentScanner;
+    permissionGrader;
+    eventBus;
+    constructor(config, eventBus) {
+        this.rateLimiter = new RateLimiter(config.rateLimit);
+        this.sourceVerifier = new SourceVerifier(config.sourceVerify);
+        this.permissionGrader = new PermissionGrader({
+            highValueThreshold: 100, // 超过 100 元降一级
+        });
+        this.eventBus = eventBus;
+        this.logger = createLogger('SecurityGate');
+        // Layer 3: 内容扫描器
+        if (config.contentScan?.promptInjection?.enabled || config.contentScan?.maliciousCommands?.enabled) {
+            this.contentScanner = new ContentScanner({
+                promptInjection: config.contentScan.promptInjection,
+                maliciousCommands: config.contentScan.maliciousCommands,
+                piiProtection: config.contentScan.piiProtection || { enabled: false },
+            });
+        }
+        else {
+            this.contentScanner = null;
+        }
+    }
+    /**
+     * 对消息执行完整安全检查（Layer 1-2-3）
+     */
+    async check(message) {
+        // Layer 1: 速率限制
+        const senderId = message.from || 'unknown';
+        const rateResult = this.rateLimiter.check(senderId);
+        if (!rateResult.allowed) {
+            this.eventBus.emit(WorkerClawEvent.SECURITY_BLOCKED, {
+                message: `速率限制触发`,
+                reason: rateResult.reason || 'rate limited',
+                data: { senderId },
+            });
+            this.logger.warn('消息被速率限制拦截', { senderId, reason: rateResult.reason || 'rate limited' });
+            return { passed: false, blockedBy: 'rate_limiter', reason: rateResult.reason || 'rate limited' };
+        }
+        // Layer 2: 来源验证
+        const sourceResult = this.sourceVerifier.verify(message);
+        if (!sourceResult.valid) {
+            this.eventBus.emit(WorkerClawEvent.SECURITY_BLOCKED, {
+                message: `来源验证失败`,
+                reason: sourceResult.reason || 'source verification failed',
+                data: { msgId: message.msgId },
+            });
+            this.logger.warn('消息来源验证失败', { reason: sourceResult.reason || 'unknown' });
+            return { passed: false, blockedBy: 'source_verifier', reason: sourceResult.reason || 'unknown' };
+        }
+        // Layer 3: 内容安全扫描（仅对任务推送消息执行）
+        if (this.contentScanner && message.data) {
+            const contentToScan = typeof message.data === 'string'
+                ? message.data
+                : message.data.description || JSON.stringify(message.data);
+            const scanResult = this.contentScanner.scan(contentToScan);
+            if (!scanResult.safe) {
+                this.eventBus.emit(WorkerClawEvent.SECURITY_BLOCKED, {
+                    message: `内容安全扫描未通过`,
+                    reason: scanResult.rejectionReason || 'content scan failed',
+                    data: { msgId: message.msgId, flags: scanResult.flags },
+                });
+                this.logger.warn('消息被内容扫描拦截', {
+                    reason: scanResult.rejectionReason || 'unknown',
+                    flagCount: scanResult.flags.length,
+                });
+                return {
+                    passed: false,
+                    blockedBy: 'content_scanner',
+                    reason: scanResult.rejectionReason || 'content scan failed',
+                    contentFlags: scanResult.flags,
+                };
+            }
+            // 低风险：记录警告但不拦截
+            if (scanResult.riskLevel !== 'none' && scanResult.flags.length > 0) {
+                this.eventBus.emit(WorkerClawEvent.SECURITY_WARNED, {
+                    message: `内容扫描发现风险`,
+                    reason: `${scanResult.riskLevel} 风险，${scanResult.flags.length} 个标记`,
+                    data: { msgId: message.msgId, flags: scanResult.flags },
+                });
+            }
+        }
+        return { passed: true };
+    }
+    /**
+     * Layer 4: 为任务确定权限级别
+     */
+    gradePermission(task) {
+        return this.permissionGrader.grade(task);
+    }
+    /**
+     * 获取权限分级器（供外部查询权限）
+     */
+    getPermissionGrader() {
+        return this.permissionGrader;
+    }
+    /**
+     * 扫描 Agent 输出内容的安全性
+     */
+    scanOutput(content) {
+        if (!this.contentScanner)
+            return { safe: true };
+        const result = this.contentScanner.scan(content);
+        return { safe: result.safe, reason: result.rejectionReason };
+    }
+    /**
+     * 检查任务容量
+     */
+    checkTaskCapacity() {
+        return this.rateLimiter.checkTaskCapacity().allowed;
+    }
+    /**
+     * 通知任务开始
+     */
+    taskStarted() {
+        this.rateLimiter.taskStarted();
+    }
+    /**
+     * 通知任务结束
+     */
+    taskFinished() {
+        this.rateLimiter.taskFinished();
+    }
+    /**
+     * 获取速率限制器状态
+     */
+    getRateLimitStatus() {
+        return this.rateLimiter.getStatus();
+    }
+}
+//# sourceMappingURL=gate.js.map

package/dist/security/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../src/security/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAe,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAY,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAwB,MAAM,uBAAuB,CAAC;AAuB/E,MAAM,OAAO,YAAY;IACf,MAAM,CAAS;IACf,WAAW,CAAc;IACzB,cAAc,CAAiB;IAC/B,cAAc,CAAwB;IACtC,gBAAgB,CAAmB;IACnC,QAAQ,CAAW;IAE3B,YAAY,MAA0B,EAAE,QAAkB;QACxD,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC9D,IAAI,CAAC,gBAAgB,GAAG,IAAI,gBAAgB,CAAC;YAC3C,kBAAkB,EAAE,GAAG,EAAE,cAAc;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;QAE3C,iBAAiB;QACjB,IAAI,MAAM,CAAC,WAAW,EAAE,eAAe,EAAE,OAAO,IAAI,MAAM,CAAC,WAAW,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC;YACnG,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC;gBACvC,eAAe,EAAE,MAAM,CAAC,WAAW,CAAC,eAAe;gBACnD,iBAAiB,EAAE,MAAM,CAAC,WAAW,CAAC,iBAAiB;gBACvD,aAAa,EAAE,MAAM,CAAC,WAAW,CAAC,aAAa,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE;aACtE,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK,CAAC,OAAwB;QAClC,gBAAgB;QAChB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,gBAAgB,EAAE;gBACnD,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,cAAc;gBAC3C,IAAI,EAAE,EAAE,QAAQ,EAAE;aACnB,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,cAAc,EAAE,CAAC,CAAC;YACzF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,cAAc,EAAE,CAAC;QACnG,CAAC;QAED,gBAAgB;QAChB,MAAM,YAAY,GAAG,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACxB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,gBAAgB,EAAE;gBACnD,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,4BAA4B;gBAC3D,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;aAC/B,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QACnG,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,cAAc,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,aAAa,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ;gBACpD,CAAC,CAAC,OAAO,CAAC,IAAI;gBACd,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE7D,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAE3D,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,gBAAgB,EAAE;oBACnD,OAAO,EAAE,WAAW;oBACpB,MAAM,EAAE,UAAU,CAAC,eAAe,IAAI,qBAAqB;oBAC3D,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE;iBACxD,CAAC,CAAC;gBACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE;oBAC5B,MAAM,EAAE,UAAU,CAAC,eAAe,IAAI,SAAS;oBAC/C,SAAS,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM;iBACnC,CAAC,CAAC;gBACH,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,SAAS,EAAE,iBAAiB;oBAC5B,MAAM,EAAE,UAAU,CAAC,eAAe,IAAI,qBAAqB;oBAC3D,YAAY,EAAE,UAAU,CAAC,KAAK;iBAC/B,CAAC;YACJ,CAAC;YAED,eAAe;YACf,IAAI,UAAU,CAAC,SAAS,KAAK,MAAM,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACnE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE;oBAClD,OAAO,EAAE,UAAU;oBACnB,MAAM,EAAE,GAAG,UAAU,CAAC,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,MAAM;oBACnE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE;iBACxD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAU;QACxB,OAAO,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,mBAAmB;QACjB,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAAe;QACxB,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,eAAe,EAAE,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,WAAW,CAAC,iBAAiB,EAAE,CAAC,OAAO,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,WAAW;QACT,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,YAAY;QACV,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;IACtC,CAAC;CACF"}

package/dist/security/permission-level.d.ts

@@ -0,0 +1,68 @@
+/**
+ * 权限分级系统
+ *
+ * 根据任务类型自动确定权限级别
+ * 四级权限: read_only → limited → standard → elevated
+ */
+import type { Task } from '../types/task.js';
+export type PermissionLevel = 'read_only' | 'limited' | 'standard' | 'elevated';
+export interface PermissionProfile {
+    /** 允许的工具 */
+    allowedTools: string[];
+    /** 允许的命令（支持通配符 *，排除项以 - 开头） */
+    allowedCommands: string[];
+    /** 允许的网络协议和域名模式 */
+    allowedNetwork: string[];
+    /** 最大输出 token 数 */
+    maxOutputTokens: number;
+    /** 最大工具调用次数 */
+    maxToolCallsPerTask: number;
+    /** 允许的文件操作 */
+    allowedFileOps: ('read' | 'write' | 'delete')[];
+}
+export interface PermissionAutoGradeConfig {
+    /** 高信誉发单人可以升一级 */
+    highReputationBoost?: boolean;
+    /** 金额阈值（超过则降一级） */
+    highValueThreshold?: number;
+}
+export declare class PermissionGrader {
+    private logger;
+    private config;
+    constructor(config?: PermissionAutoGradeConfig);
+    /**
+     * 根据任务自动确定权限级别
+     */
+    grade(task: Task): PermissionLevel;
+    /**
+     * 按任务类型分级
+     */
+    private gradeByTaskType;
+    /**
+     * 降一级
+     */
+    private demote;
+    /**
+     * 获取权限配置
+     */
+    getProfile(level: PermissionLevel): PermissionProfile;
+    /**
+     * 检查工具是否允许
+     */
+    isToolAllowed(toolName: string, level: PermissionLevel): boolean;
+    /**
+     * 检查命令是否允许
+     */
+    isCommandAllowed(command: string, level: PermissionLevel): boolean;
+    /**
+     * 检查网络访问是否允许
+     */
+    isNetworkAllowed(url: string, level: PermissionLevel): boolean;
+    /**
+     * 检查文件操作是否允许
+     */
+    isFileOpAllowed(op: 'read' | 'write' | 'delete', level: PermissionLevel): boolean;
+}
+/** 全局权限分级器单例 */
+export declare const permissionGrader: PermissionGrader;
+//# sourceMappingURL=permission-level.d.ts.map

package/dist/security/permission-level.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-level.d.ts","sourceRoot":"","sources":["../../src/security/permission-level.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,IAAI,EAAY,MAAM,kBAAkB,CAAC;AAIvD,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,CAAC;AAIhF,MAAM,WAAW,iBAAiB;IAChC,YAAY;IACZ,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,+BAA+B;IAC/B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,mBAAmB;IACnB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,mBAAmB;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe;IACf,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc;IACd,cAAc,EAAE,CAAC,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC,EAAE,CAAC;CACjD;AAqED,MAAM,WAAW,yBAAyB;IACxC,kBAAkB;IAClB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,mBAAmB;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAID,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAA4B;gBAE9B,MAAM,GAAE,yBAA8B;IAKlD;;OAEG;IACH,KAAK,CAAC,IAAI,EAAE,IAAI,GAAG,eAAe;IAwBlC;;OAEG;IACH,OAAO,CAAC,eAAe;IAcvB;;OAEG;IACH,OAAO,CAAC,MAAM;IAOd;;OAEG;IACH,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB;IAIrD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO;IAMhE;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO;IAiBlE;;OAEG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO;IAsB9D;;OAEG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO;CAIlF;AAED,gBAAgB;AAChB,eAAO,MAAM,gBAAgB,kBAAyB,CAAC"}

package/dist/security/permission-level.js

@@ -0,0 +1,191 @@
+/**
+ * 权限分级系统
+ *
+ * 根据任务类型自动确定权限级别
+ * 四级权限: read_only → limited → standard → elevated
+ */
+import { createLogger } from '../core/logger.js';
+// ==================== 各级别默认权限 ====================
+const PERMISSION_LEVELS = {
+    read_only: {
+        allowedTools: ['llm_query'],
+        allowedCommands: [],
+        allowedNetwork: [],
+        maxOutputTokens: 2000,
+        maxToolCallsPerTask: 3,
+        allowedFileOps: ['read'],
+    },
+    limited: {
+        allowedTools: ['llm_query', 'web_search'],
+        allowedCommands: ['echo', 'cat', 'ls', 'head', 'tail', 'wc', 'grep', 'find'],
+        allowedNetwork: ['https://api.miniabc.top/*'],
+        maxOutputTokens: 4000,
+        maxToolCallsPerTask: 10,
+        allowedFileOps: ['read'],
+    },
+    standard: {
+        allowedTools: ['llm_query', 'web_search', 'image_gen', 'file_read', 'file_write'],
+        allowedCommands: ['*'],
+        allowedNetwork: ['https://*'],
+        maxOutputTokens: 8000,
+        maxToolCallsPerTask: 20,
+        allowedFileOps: ['read', 'write'],
+    },
+    elevated: {
+        allowedTools: ['*'],
+        allowedCommands: ['*'],
+        allowedNetwork: ['https://*', 'wss://*'],
+        maxOutputTokens: 16000,
+        maxToolCallsPerTask: 50,
+        allowedFileOps: ['read', 'write', 'delete'],
+    },
+};
+// ==================== 任务类型→权限映射 ====================
+const TASK_TYPE_MAPPING = {
+    text_reply: 'read_only',
+    qa: 'read_only',
+    translation: 'limited',
+    search_summary: 'limited',
+    writing: 'standard',
+    image_gen: 'standard',
+    data_analysis: 'standard',
+    code_dev: 'elevated',
+    system_op: 'elevated',
+    other: 'standard',
+};
+// 中文任务类型映射
+const CN_TASK_TYPE_MAPPING = {
+    '文字回复': 'read_only',
+    '问答': 'read_only',
+    '搜索整理': 'limited',
+    '翻译': 'limited',
+    '写文章': 'standard',
+    '生成图片': 'standard',
+    '数据分析': 'standard',
+    '代码开发': 'elevated',
+    '系统操作': 'elevated',
+};
+// ==================== 权限分级器 ====================
+export class PermissionGrader {
+    logger;
+    config;
+    constructor(config = {}) {
+        this.config = config;
+        this.logger = createLogger('PermissionGrader');
+    }
+    /**
+     * 根据任务自动确定权限级别
+     */
+    grade(task) {
+        // 1. 基础分级（根据任务类型）
+        let level = this.gradeByTaskType(task.taskType, task.title);
+        // 2. 金额调整（金额越大越谨慎）
+        if (this.config.highValueThreshold && task.reward) {
+            if (task.reward > this.config.highValueThreshold) {
+                const demoted = this.demote(level);
+                this.logger.info(`任务金额 ${task.reward} 超过阈值，权限从 ${level} 降为 ${demoted}`);
+                level = demoted;
+            }
+        }
+        // 3. 信誉调整（暂无信誉数据，预留接口）
+        // TODO: 集成平台信誉系统后实现
+        this.logger.debug(`任务 [${task.taskId}] 权限级别: ${level}`, {
+            taskType: task.taskType,
+            reward: task.reward,
+        });
+        return level;
+    }
+    /**
+     * 按任务类型分级
+     */
+    gradeByTaskType(taskType, title) {
+        // 先查英文映射
+        if (TASK_TYPE_MAPPING[taskType]) {
+            return TASK_TYPE_MAPPING[taskType];
+        }
+        // 查中文映射
+        if (title && CN_TASK_TYPE_MAPPING[title]) {
+            return CN_TASK_TYPE_MAPPING[title];
+        }
+        return 'standard';
+    }
+    /**
+     * 降一级
+     */
+    demote(level) {
+        const order = ['read_only', 'limited', 'standard', 'elevated'];
+        const idx = order.indexOf(level);
+        if (idx <= 0)
+            return level;
+        return order[idx - 1];
+    }
+    /**
+     * 获取权限配置
+     */
+    getProfile(level) {
+        return PERMISSION_LEVELS[level];
+    }
+    /**
+     * 检查工具是否允许
+     */
+    isToolAllowed(toolName, level) {
+        const profile = this.getProfile(level);
+        if (profile.allowedTools.includes('*'))
+            return true;
+        return profile.allowedTools.includes(toolName);
+    }
+    /**
+     * 检查命令是否允许
+     */
+    isCommandAllowed(command, level) {
+        const profile = this.getProfile(level);
+        if (profile.allowedCommands.length === 0)
+            return false;
+        if (profile.allowedCommands.includes('*')) {
+            // 检查排除项
+            const cmdBase = command.trim().split(/\s+/)[0];
+            for (const pattern of profile.allowedCommands) {
+                if (pattern.startsWith('-') && command.match(new RegExp(pattern.slice(1).replace(/\*/g, '.*'), 'i'))) {
+                    return false;
+                }
+            }
+            return true;
+        }
+        const cmdBase = command.trim().split(/\s+/)[0];
+        return profile.allowedCommands.includes(cmdBase);
+    }
+    /**
+     * 检查网络访问是否允许
+     */
+    isNetworkAllowed(url, level) {
+        const profile = this.getProfile(level);
+        if (profile.allowedNetwork.length === 0)
+            return false;
+        if (profile.allowedNetwork.includes('*'))
+            return true;
+        try {
+            const parsed = new URL(url);
+            const urlOrigin = `${parsed.protocol}//${parsed.hostname}`;
+            for (const pattern of profile.allowedNetwork) {
+                const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+                if (regex.test(urlOrigin) || regex.test(`${parsed.protocol}//${parsed.hostname}/*`)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * 检查文件操作是否允许
+     */
+    isFileOpAllowed(op, level) {
+        const profile = this.getProfile(level);
+        return profile.allowedFileOps.includes(op);
+    }
+}
+/** 全局权限分级器单例 */
+export const permissionGrader = new PermissionGrader();
+//# sourceMappingURL=permission-level.js.map

package/dist/security/permission-level.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-level.js","sourceRoot":"","sources":["../../src/security/permission-level.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAe,MAAM,mBAAmB,CAAC;AAwB9D,oDAAoD;AAEpD,MAAM,iBAAiB,GAA+C;IACpE,SAAS,EAAE;QACT,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,eAAe,EAAE,EAAE;QACnB,cAAc,EAAE,EAAE;QAClB,eAAe,EAAE,IAAI;QACrB,mBAAmB,EAAE,CAAC;QACtB,cAAc,EAAE,CAAC,MAAM,CAAC;KACzB;IACD,OAAO,EAAE;QACP,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACzC,eAAe,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC;QAC5E,cAAc,EAAE,CAAC,2BAA2B,CAAC;QAC7C,eAAe,EAAE,IAAI;QACrB,mBAAmB,EAAE,EAAE;QACvB,cAAc,EAAE,CAAC,MAAM,CAAC;KACzB;IACD,QAAQ,EAAE;QACR,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC;QACjF,eAAe,EAAE,CAAC,GAAG,CAAC;QACtB,cAAc,EAAE,CAAC,WAAW,CAAC;QAC7B,eAAe,EAAE,IAAI;QACrB,mBAAmB,EAAE,EAAE;QACvB,cAAc,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;KAClC;IACD,QAAQ,EAAE;QACR,YAAY,EAAE,CAAC,GAAG,CAAC;QACnB,eAAe,EAAE,CAAC,GAAG,CAAC;QACtB,cAAc,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC;QACxC,eAAe,EAAE,KAAK;QACtB,mBAAmB,EAAE,EAAE;QACvB,cAAc,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC;KAC5C;CACF,CAAC;AAEF,sDAAsD;AAEtD,MAAM,iBAAiB,GAAsC;IAC3D,UAAU,EAAE,WAAW;IACvB,EAAE,EAAE,WAAW;IACf,WAAW,EAAE,SAAS;IACtB,cAAc,EAAE,SAAS;IACzB,OAAO,EAAE,UAAU;IACnB,SAAS,EAAE,UAAU;IACrB,aAAa,EAAE,UAAU;IACzB,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,UAAU;IACrB,KAAK,EAAE,UAAU;CAClB,CAAC;AAEF,WAAW;AACX,MAAM,oBAAoB,GAAoC;IAC5D,MAAM,EAAE,WAAW;IACnB,IAAI,EAAE,WAAW;IACjB,MAAM,EAAE,SAAS;IACjB,IAAI,EAAE,SAAS;IACf,KAAK,EAAE,UAAU;IACjB,MAAM,EAAE,UAAU;IAClB,MAAM,EAAE,UAAU;IAClB,MAAM,EAAE,UAAU;IAClB,MAAM,EAAE,UAAU;CACnB,CAAC;AAWF,kDAAkD;AAElD,MAAM,OAAO,gBAAgB;IACnB,MAAM,CAAS;IACf,MAAM,CAA4B;IAE1C,YAAY,SAAoC,EAAE;QAChD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,kBAAkB,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAU;QACd,kBAAkB;QAClB,IAAI,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAE5D,mBAAmB;QACnB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBACjD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,aAAa,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC;gBACxE,KAAK,GAAG,OAAO,CAAC;YAClB,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,oBAAoB;QAEpB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,MAAM,WAAW,KAAK,EAAE,EAAE;YACtD,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,QAAkB,EAAE,KAAc;QACxD,SAAS;QACT,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;QAED,QAAQ;QACR,IAAI,KAAK,IAAI,oBAAoB,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAsB;QACnC,MAAM,KAAK,GAAsB,CAAC,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAClF,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,GAAG,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,KAAsB;QAC/B,OAAO,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAgB,EAAE,KAAsB;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACpD,OAAO,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,OAAe,EAAE,KAAsB;QACtD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACvD,IAAI,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,QAAQ;YACR,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/C,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;gBAC9C,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;oBACrG,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,GAAW,EAAE,KAAsB;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,OAAO,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACtD,IAAI,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YAE3D,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC7C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;gBACnE,IAAI,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,IAAI,CAAC,EAAE,CAAC;oBACpF,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,EAA+B,EAAE,KAAsB;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC7C,CAAC;CACF;AAED,gBAAgB;AAChB,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,gBAAgB,EAAE,CAAC"}

package/dist/security/rate-limiter.d.ts

@@ -0,0 +1,52 @@
+/**
+ * 速率限制器
+ *
+ * 使用滑动窗口计数器实现，防止消息洪泛
+ */
+import type { RateLimitConfig } from '../core/config.js';
+export interface RateLimitResult {
+    allowed: boolean;
+    reason?: string;
+    retryAfterMs?: number;
+}
+export declare class RateLimiter {
+    private logger;
+    private config;
+    private senderCounters;
+    private globalCounter;
+    private runningTasks;
+    constructor(config: RateLimitConfig);
+    /**
+     * 检查消息是否允许通过
+     */
+    check(senderId: string): RateLimitResult;
+    /**
+     * 检查是否可以接受新任务
+     */
+    checkTaskCapacity(): RateLimitResult;
+    /**
+     * 增加运行中任务数
+     */
+    taskStarted(): void;
+    /**
+     * 减少运行中任务数
+     */
+    taskFinished(): void;
+    /**
+     * 获取当前状态
+     */
+    getStatus(): {
+        runningTasks: number;
+        maxConcurrent: number;
+    };
+    /**
+     * 重置所有计数器
+     */
+    reset(): void;
+    private checkGlobal;
+    private checkSender;
+    private recordMessage;
+    private cleanWindow;
+    private getRetryAfter;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/security/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAMD,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAkB;IAGhC,OAAO,CAAC,cAAc,CAA2C;IAEjE,OAAO,CAAC,aAAa,CAA4C;IAEjE,OAAO,CAAC,YAAY,CAAK;gBAEb,MAAM,EAAE,eAAe;IAKnC;;OAEG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe;IAgBxC;;OAEG;IACH,iBAAiB,IAAI,eAAe;IAcpC;;OAEG;IACH,WAAW,IAAI,IAAI;IAKnB;;OAEG;IACH,YAAY,IAAI,IAAI;IAKpB;;OAEG;IACH,SAAS,IAAI;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE;IAO5D;;OAEG;IACH,KAAK,IAAI,IAAI;IAQb,OAAO,CAAC,WAAW;IAcnB,OAAO,CAAC,WAAW;IAoBnB,OAAO,CAAC,aAAa;IAWrB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,aAAa;CAMtB"}

package/dist/security/rate-limiter.js

@@ -0,0 +1,133 @@
+/**
+ * 速率限制器
+ *
+ * 使用滑动窗口计数器实现，防止消息洪泛
+ */
+import { createLogger } from '../core/logger.js';
+export class RateLimiter {
+    logger;
+    config;
+    // 每个发送者的计数器
+    senderCounters = new Map();
+    // 全局计数器
+    globalCounter = { timestamps: [] };
+    // 当前运行中的任务数
+    runningTasks = 0;
+    constructor(config) {
+        this.config = config;
+        this.logger = createLogger('RateLimiter');
+    }
+    /**
+     * 检查消息是否允许通过
+     */
+    check(senderId) {
+        const now = Date.now();
+        // 1. 检查全局速率
+        const globalResult = this.checkGlobal(now);
+        if (!globalResult.allowed)
+            return globalResult;
+        // 2. 检查发送者速率
+        const senderResult = this.checkSender(senderId, now);
+        if (!senderResult.allowed)
+            return senderResult;
+        // 记录
+        this.recordMessage(senderId, now);
+        return { allowed: true };
+    }
+    /**
+     * 检查是否可以接受新任务
+     */
+    checkTaskCapacity() {
+        if (this.runningTasks >= this.config.maxConcurrentTasks) {
+            this.logger.warn('达到最大并发任务数', {
+                running: this.runningTasks,
+                max: this.config.maxConcurrentTasks,
+            });
+            return {
+                allowed: false,
+                reason: `并发任务数已达上限 (${this.runningTasks}/${this.config.maxConcurrentTasks})`,
+            };
+        }
+        return { allowed: true };
+    }
+    /**
+     * 增加运行中任务数
+     */
+    taskStarted() {
+        this.runningTasks++;
+        this.logger.debug(`任务开始，当前并发: ${this.runningTasks}`);
+    }
+    /**
+     * 减少运行中任务数
+     */
+    taskFinished() {
+        this.runningTasks = Math.max(0, this.runningTasks - 1);
+        this.logger.debug(`任务结束，当前并发: ${this.runningTasks}`);
+    }
+    /**
+     * 获取当前状态
+     */
+    getStatus() {
+        return {
+            runningTasks: this.runningTasks,
+            maxConcurrent: this.config.maxConcurrentTasks,
+        };
+    }
+    /**
+     * 重置所有计数器
+     */
+    reset() {
+        this.senderCounters.clear();
+        this.globalCounter = { timestamps: [] };
+        this.runningTasks = 0;
+    }
+    // ==================== 私有方法 ====================
+    checkGlobal(now) {
+        this.cleanWindow(this.globalCounter, now, 60_000);
+        if (this.globalCounter.timestamps.length >= this.config.maxMessagesPerMinute * 2) {
+            return {
+                allowed: false,
+                reason: `全局消息速率超限`,
+                retryAfterMs: this.getRetryAfter(this.globalCounter.timestamps, now, 60_000),
+            };
+        }
+        return { allowed: true };
+    }
+    checkSender(senderId, now) {
+        if (!this.senderCounters.has(senderId)) {
+            this.senderCounters.set(senderId, { timestamps: [] });
+        }
+        const counter = this.senderCounters.get(senderId);
+        this.cleanWindow(counter, now, 60_000);
+        if (counter.timestamps.length >= this.config.maxMessagesPerMinute) {
+            this.logger.warn(`发送者 ${senderId} 消息速率超限`);
+            return {
+                allowed: false,
+                reason: `该发送者消息速率超限 (${counter.timestamps.length}/min)`,
+                retryAfterMs: this.getRetryAfter(counter.timestamps, now, 60_000),
+            };
+        }
+        return { allowed: true };
+    }
+    recordMessage(senderId, now) {
+        // 全局记录
+        this.globalCounter.timestamps.push(now);
+        // 发送者记录
+        if (!this.senderCounters.has(senderId)) {
+            this.senderCounters.set(senderId, { timestamps: [] });
+        }
+        this.senderCounters.get(senderId).timestamps.push(now);
+    }
+    cleanWindow(counter, now, windowMs) {
+        const cutoff = now - windowMs;
+        counter.timestamps = counter.timestamps.filter(ts => ts > cutoff);
+    }
+    getRetryAfter(timestamps, now, windowMs) {
+        if (timestamps.length === 0)
+            return 0;
+        const oldest = timestamps[0];
+        const remaining = windowMs - (now - oldest);
+        return Math.max(0, remaining + 100); // 加 100ms 缓冲
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/security/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,YAAY,EAAe,MAAM,mBAAmB,CAAC;AAa9D,MAAM,OAAO,WAAW;IACd,MAAM,CAAS;IACf,MAAM,CAAkB;IAEhC,YAAY;IACJ,cAAc,GAAG,IAAI,GAAG,EAAgC,CAAC;IACjE,QAAQ;IACA,aAAa,GAAyB,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IACjE,YAAY;IACJ,YAAY,GAAG,CAAC,CAAC;IAEzB,YAAY,MAAuB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAgB;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,YAAY;QACZ,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,CAAC,OAAO;YAAE,OAAO,YAAY,CAAC;QAE/C,aAAa;QACb,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,YAAY,CAAC,OAAO;YAAE,OAAO,YAAY,CAAC;QAE/C,KAAK;QACL,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE;gBAC5B,OAAO,EAAE,IAAI,CAAC,YAAY;gBAC1B,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;aACpC,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,cAAc,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,GAAG;aAC7E,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,WAAW;QACT,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,YAAY;QACV,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;SAC9C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QAC5B,IAAI,CAAC,aAAa,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,iDAAiD;IAEzC,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;QAElD,IAAI,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,GAAG,CAAC,EAAE,CAAC;YACjF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,UAAU;gBAClB,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,MAAM,CAAC;aAC7E,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAEO,WAAW,CAAC,QAAgB,EAAE,GAAW;QAC/C,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;QAEnD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;QAEvC,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YAClE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,QAAQ,SAAS,CAAC,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,eAAe,OAAO,CAAC,UAAU,CAAC,MAAM,OAAO;gBACvD,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,MAAM,CAAC;aAClE,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAEO,aAAa,CAAC,QAAgB,EAAE,GAAW;QACjD,OAAO;QACP,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAExC,QAAQ;QACR,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1D,CAAC;IAEO,WAAW,CAAC,OAA6B,EAAE,GAAW,EAAE,QAAgB;QAC9E,MAAM,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC;QAC9B,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,CAAC,CAAC;IACpE,CAAC;IAEO,aAAa,CAAC,UAAoB,EAAE,GAAW,EAAE,QAAgB;QACvE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,SAAS,GAAG,QAAQ,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,aAAa;IACpD,CAAC;CACF"}

package/dist/security/source-verifier.d.ts

@@ -0,0 +1,33 @@
+/**
+ * 来源验证器
+ *
+ * 验证消息是否来自智工坊平台
+ */
+import type { PlatformMessage } from '../types/message.js';
+export interface SourceVerifyResult {
+    valid: boolean;
+    reason?: string;
+}
+export interface SourceVerifierConfig {
+    /** 是否验证消息时间戳 */
+    validateTimestamp: boolean;
+    /** 最大时间偏移（毫秒） */
+    maxTimestampSkewMs: number;
+    /** 任务消息是否必须有 taskId */
+    requireTaskId: boolean;
+    /** 消息是否必须有发送者 */
+    requireSenderId: boolean;
+}
+export declare class SourceVerifier {
+    private logger;
+    private config;
+    constructor(config?: Partial<SourceVerifierConfig>);
+    /**
+     * 验证消息来源
+     */
+    verify(message: PlatformMessage): SourceVerifyResult;
+    private validateType;
+    private validateStructure;
+    private validateTimestamp;
+}
+//# sourceMappingURL=source-verifier.d.ts.map

package/dist/security/source-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-verifier.d.ts","sourceRoot":"","sources":["../../src/security/source-verifier.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,gBAAgB;IAChB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,iBAAiB;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uBAAuB;IACvB,aAAa,EAAE,OAAO,CAAC;IACvB,iBAAiB;IACjB,eAAe,EAAE,OAAO,CAAC;CAC1B;AASD,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAuB;gBAEzB,MAAM,GAAE,OAAO,CAAC,oBAAoB,CAAM;IAKtD;;OAEG;IACH,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,kBAAkB;IAoBpD,OAAO,CAAC,YAAY;IAepB,OAAO,CAAC,iBAAiB;IAoCzB,OAAO,CAAC,iBAAiB;CAuB1B"}