/** * Tier 1: Blacklist Provider * * Hash/name-based lookup for known-bad skills. * O(1) lookup, zero false positives, zero latency. * * Sources: Threat Cloud skill_blacklist, CVE advisories, community reports. * * @module agent-threat-rules/tier1-blacklist */ import type { ATRMatch, ATRSeverity } from './types.js'; export interface BlacklistEntry { readonly skillHash: string; readonly skillName: string; readonly reason: string; readonly reportCount: number; readonly severity: ATRSeverity; } export interface BlacklistProvider { /** Check if a skill is blacklisted. Returns entry if found. */ lookup(skillId: string): BlacklistEntry | undefined; /** Refresh the blacklist from source */ refresh(): Promise; /** Total blacklist size */ size(): number; } export declare class InMemoryBlacklist implements BlacklistProvider { private byHash; private byName; constructor(entries?: readonly BlacklistEntry[]); lookup(skillId: string): BlacklistEntry | undefined; refresh(): Promise; size(): number; /** Replace all entries (immutable update) */ withEntries(entries: readonly BlacklistEntry[]): InMemoryBlacklist; } /** Build a synthetic ATRMatch from a blacklist hit */ export declare function buildBlacklistMatch(entry: BlacklistEntry): ATRMatch; /** * Resolve skill identifier from event for blacklist lookup. * Prioritizes package-level identifiers (hash, package name) over * tool function names, since blacklists store package names. */ export declare function resolveSkillId(event: { fields?: Record; metadata?: Record; }): string | undefined; //# sourceMappingURL=tier1-blacklist.d.ts.map