first commit

Author: mheadd

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,11 @@
+---
+name: Bug report
+about: Report a problem
+title: "[Bug] "
+labels: bug
+---
+
+**Describe the bug**
+**Repro steps**
+**Expected behavior**
+**Additional context**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,10 @@
+---
+name: Feature request
+about: Propose an enhancement
+title: "[Feat] "
+labels: enhancement
+---
+
+**Problem**
+**Proposed solution**
+**Security patterns applied**

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+## Summary
+-
+
+## Patterns used
+- [ ] action-selector
+- [ ] plan-then-execute
+- [ ] dual-llm
+- [ ] map-reduce
+- [ ] code-then-execute
+- [ ] context-minimization
+
+## Trust boundaries & tool scopes
+-
+
+## Tests
+- [ ] Injection / exfiltration
+- [ ] Tool misuse
+- [ ] DoS
+
+## Notes
+- Add `security-approved` label if CI/infra/lockfiles are changed.

.github/copilot-instructions.md

@@ -0,0 +1,21 @@
+# Copilot Operating Instructions — Building Secure LLM Agents (Node/TS)
+
+You are a coding assistant inside this repository. Help build task-specific LLM agents that resist prompt injection and unsafe tool use. Follow exactly:
+
+## Principles
+- Constrain by design; clear trust boundaries.
+- Treat free text as untrusted.
+- Separate planning from execution and untrusted text from tool use.
+- Least privilege & sandboxing.
+
+## Workflow (Plan → Patch)
+- Always produce a PLAN (YAML) before code.
+- Then produce a PATCH (unified diff) matching the PLAN.
+
+## Untrusted Data Handling
+- Quarantined Reader: convert raw text ➜ strict JSON schema (no free text pass-through, no tools).
+- Reducer/Orchestrator: aggregate sanitized outputs; only this layer may use tools.
+- Context minimization between steps.
+
+## Output Contracts
+- PLAN YAML, PATCH diff, API summary JSON as documented in /schemas.

.github/docker/ci.Dockerfile

@@ -0,0 +1,15 @@
+FROM node:20-alpine
+
+RUN apk add --no-cache python3 py3-pip bash git && ln -sf python3 /usr/bin/python
+WORKDIR /work
+
+# Copy manifests first for caching
+COPY package.json package-lock.json* /work/
+RUN if [ -f package-lock.json ]; then npm ci --ignore-scripts; else npm install --ignore-scripts; fi
+
+# Python tooling for validators
+COPY requirements.txt* /tmp/ 2>/dev/null || true
+RUN if [ -f /tmp/requirements.txt ]; then pip install --no-cache-dir -r /tmp/requirements.txt; fi
+RUN pip install --no-cache-dir pytest jsonschema pyyaml
+
+CMD ["bash"]

.github/workflows/secure-agents.yml

@@ -0,0 +1,44 @@
+name: Secure LLM Agents CI (Node/TS)
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+  push:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  validate-changed-paths:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: actions/setup-python@v5
+        with: { python-version: '3.11' }
+      - run: python -m pip install --upgrade pip pyyaml
+      - name: Validate changed paths
+        env:
+          GITHUB_EVENT_PATH: ${{ github.event_path }}
+        run: python scripts/validate_changed_paths.py
+
+  schema-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with: { python-version: '3.11' }
+      - run: python -m pip install --upgrade pip jsonschema pyyaml
+      - name: Validate schemas
+        run: python scripts/validate_schemas.py
+
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build CI image
+        run: docker build -f .github/docker/ci.Dockerfile -t secure-agents-ci .
+      - name: Run tests (network=none)
+        run: docker run --rm --network=none -v "$PWD":/work -w /work secure-agents-ci bash -lc "./scripts/ci_test_runner.sh"

.gitignore

@@ -0,0 +1,71 @@
+# Node dependencies
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+package-lock.json
+yarn.lock
+pnpm-lock.yaml
+
+# Build output
+dist/
+coverage/
+.nyc_output/
+.vitest/
+*.tsbuildinfo
+
+# Logs
+logs/
+*.log
+*.log.*
+*.out
+*.err
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Environment files
+.env
+.env.*.local
+.env.local
+.env.test.local
+.env.production.local
+
+# OS / Editor cruft
+.DS_Store
+Thumbs.db
+.idea/
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/extensions.json
+
+# Docker
+docker-compose.override.yml
+.docker/
+*.tar
+
+# CI cache / artifacts
+.cache/
+tmp/
+*.swp
+
+# Python tooling (validators)
+__pycache__/
+*.pyc
+.venv/
+pip-wheel-metadata/
+
+# Test snapshots
+*.snap
+
+# Prettier/ESLint cache
+.eslintcache
+.prettier-cache/
+
+# Misc
+*.tgz

.npmrc

@@ -0,0 +1,3 @@
+fund=false
+audit=true
+prefer-online=false

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+  - repo: local
+    hooks:
+      - id: schema-validate
+        name: Schema validate (plans & api summaries)
+        entry: python scripts/validate_schemas.py
+        language: system
+        pass_filenames: false
+      - id: path-validate
+        name: Path restrictions (no sensitive edits)
+        entry: python scripts/validate_changed_paths.py
+        language: system
+        pass_filenames: false

.prettierrc.json

@@ -0,0 +1,5 @@
+{
+  "singleQuote": true,
+  "semi": true,
+  "printWidth": 100
+}