/**
 * Sentori Runtime Anomaly Rules
 * Defines anomaly detection patterns for ToolCallEvent streams.
 *
 * This is a declaration file: only the shapes and the rule constants are
 * visible here, not the rule bodies. The thresholds quoted in the per-rule
 * docs below are those stated by the rule authors; they are fixed in the
 * implementation and not tunable through anything declared in this file.
 */
import type { ToolCallEvent } from './event-schema';

/** Category of anomaly a rule reports; one value per built-in rule below. */
export type AnomalyType =
  | 'high_frequency'
  | 'sensitive_operation'
  | 'resource_abuse'
  | 'error_cascade'
  | 'data_exfiltration';

/**
 * A single detection rule evaluated over a batch of tool-call events.
 * Rules are pure with respect to this interface: they take the events and
 * return matches; nothing here declares any state between calls.
 */
export interface AnomalyRule {
  /** Identifier of the rule; presumably what matches carry in `ruleId` — confirm against implementation. */
  id: string;
  /** Anomaly category this rule reports. */
  type: AnomalyType;
  /** Severity assigned to matches produced by this rule. */
  severity: 'critical' | 'high' | 'medium' | 'low';
  /**
   * Evaluates the rule against `events`.
   *
   * NOTE(review): RULE-004 is documented in terms of "the most recent 5
   * events" and RULE-001 in terms of a rolling window, so `events` is
   * presumably expected in chronological order — confirm; callers that
   * pass unsorted batches would get different results.
   *
   * @param events - the tool-call events to inspect
   * @returns the matches found; empty when the rule does not fire
   */
  detect(events: ToolCallEvent[]): AnomalyMatch[];
}

/** One finding produced by an {@link AnomalyRule}. */
export interface AnomalyMatch {
  /** Id of the rule that produced this match. */
  ruleId: string;
  /** Anomaly category, mirrored from the rule. */
  type: AnomalyType;
  /** Severity, mirrored from the rule that fired. */
  severity: AnomalyRule['severity'];
  /** Human-readable explanation of why the rule fired. */
  description: string;
  /**
   * Identifiers of the events that triggered the match.
   * NOTE(review): presumably the event ids from ToolCallEvent; the id field
   * is not visible in this file — verify against './event-schema'.
   */
  relatedEvents: string[];
  /**
   * Numeric confidence/weight of the match.
   * NOTE(review): the range is not declared here (0–1? 0–100?), so do not
   * compare scores across rules or threshold on them without checking the
   * implementation.
   */
  score: number;
}

/**
 * RULE-001: high_frequency
 * Same tool called ≥ 10 times within any rolling 30-second window.
 * Window and count are fixed in the implementation.
 */
export declare const RULE_001: AnomalyRule;

/**
 * RULE-002: sensitive_operation
 * toolName matches bash/shell/exec/run/execute/delete/rm/write AND called by AI agent.
 *
 * NOTE(review): this declaration does not say whether the toolName match is
 * exact, substring, or case-insensitive. A substring match on short tokens
 * such as `rm` or `run` can fire on unrelated tool names, and an exact match
 * can miss a renamed wrapper; check the implementation before relying on
 * either behaviour. How "called by AI agent" is determined (which
 * ToolCallEvent field) is likewise not visible here — confirm.
 */
export declare const RULE_002: AnomalyRule;

/**
 * RULE-003: resource_abuse
 * Single call took longer than 30 seconds (durationMs > 30000).
 */
export declare const RULE_003: AnomalyRule;

/**
 * RULE-004: error_cascade
 * At least 3 of the most recent 5 events are errors.
 * "Most recent" implies the rule reads from the end of `events`; see the
 * ordering note on {@link AnomalyRule.detect}.
 */
export declare const RULE_004: AnomalyRule;

/**
 * RULE-005: data_exfiltration
 * Triggers when args either (a) exceed 10 KB serialised, or (b) contain a
 * base64-encoded string of ≥ 100 chars — a common technique to smuggle data
 * past size-only detectors.
 *
 * NOTE(review): both checks are heuristics on the argument payload, not on
 * destination or content. Legitimate large or binary arguments (file
 * contents, images) will also match, so treat a hit as a signal for review
 * rather than a confirmed exfiltration.
 */
export declare const RULE_005: AnomalyRule;

/**
 * All built-in rules, in evaluation order.
 * NOTE(review): the order is not visible in this declaration; presumably
 * RULE_001 through RULE_005 — confirm in the implementation if ordering
 * matters to the consumer.
 */
export declare const DEFAULT_RULES: AnomalyRule[];
//# sourceMappingURL=anomaly-rules.d.ts.map