@0dai-dev/cli 4.3.4 → 4.3.6

package/lib/commands/trust.js

@@ -0,0 +1,286 @@
+"use strict";
+// 0dai trust — pre-run blast-radius disclosure (F19 G3 / issue #3919).
+//
+// Renders, before any agent run, a human-readable summary of:
+//   (a) which paths agents may write vs which are protected
+//   (b) the authority matrix in force (AUTO / PICKER / FORBIDDEN per action x CLI)
+//   (c) what data leaves the repo
+//
+// WARM PATH (trust_scope.py found): delegates entirely to trust_scope.py, which
+// imports the SAME config the guards enforce.  No invented data.
+//
+// COLD PATH (trust_scope.py absent, i.e. pre-init repo): graceful degrade —
+// prints a clearly-labeled static DEFAULT scope summary and exits 0 (issue #4007).
+// This avoids the dead-end exit(1) that blocked maintainers evaluating blast-radius
+// before running `0dai init`.
+//
+// Usage:
+//   0dai trust [--json] [--target PATH]
+
+const shared = require("../shared");
+const { log, findRepoScript, spawnSync } = shared;
+
+// ── COLD-PATH: static default-scope payload ───────────────────────────────────
+//
+// Emitted when trust_scope.py is unavailable (pre-init / fresh npm install).
+//
+// Honesty contract — mirrors trust_scope.py's section labels:
+//   [ENFORCED] = gated right now, regardless of init state
+//   [DECLARED] = policy exists but gate materialises only after `0dai init`
+//   [DEFAULT]  = structural invariant described in docs, not a config file
+//
+// Why we are categorical rather than listing specific globs here:
+//   policy_enforcer.py (edit-time gate source) is NOT shipped in the npm bundle
+//   (package.json "files" includes only bin/, lib/, and scripts/ where scripts/
+//   carries only postinstall.js and build-tui.js — not policy_enforcer.py).
+//   Fabricating globs that might diverge from the enforced list would violate the
+//   honesty contract.  Run `0dai trust` after `0dai init` for the exact enforced list.
+//
+// Egress facts are derived from shared.js code (checkVersion fires unconditionally)
+// so they are the strongest honest cold signal we can disclose.
+
+function _buildColdPayload(target) {
+  return {
+    trust_scope_available: false,
+    scope: "default-pre-init",
+    note:
+      "trust_scope.py not found — this repo has not run `0dai init` yet. " +
+      "Showing DEFAULT scope: what 0dai does BEFORE repo-specific config exists. " +
+      "This is NOT the enforced scope. Run `0dai init` then `0dai trust` again.",
+    docs: "https://0dai.dev/docs",
+    target,
+    generated_at: new Date().toISOString().replace(/\.\d+Z$/, "Z"),
+
+    // ── A. Protected paths ────────────────────────────────────────────────
+    // Edit-time patterns come from policy_enforcer.py (not in npm bundle);
+    // merge-time patterns from ai/policy/path-protect.yaml (absent pre-init).
+    // Neither can be listed verbatim.  Describe the categories honestly.
+    //
+    // NOTE: ai/policy/** and ai/contracts/** are MERGE-TIME protected (by
+    // path-protect.yaml / 0dai-merge), NOT edit-time (not in policy_enforcer.py
+    // PROTECTED_WRITE_PATTERNS).  Do not conflate the two gates.
+    protected_paths: {
+      edit_time: {
+        status: "DEFAULT",
+        note:
+          "Edit-time gate is enforced by scripts/policy_enforcer.py via the 0dai MCP server. " +
+          "That file is not bundled in the npm package, so exact globs cannot be disclosed " +
+          "without a repo checkout.  The categories below are indicative examples from the " +
+          "published source; run `0dai trust` after `0dai init` for the authoritative list.",
+        categories_indicative: [
+          "credential / secret files (.env, .env.*, secrets/**, infra/secrets/**)",
+          "AI runtime state (ai/meta/**, ai/work/**, ai/sessions/**, ai/feedback/**)",
+          "AI memory file (ai/memory/memory.jsonl)",
+          "Applied lock (ai/manifest/applied-lock.json)",
+          "Terraform state (terraform.tfstate*)",
+          "Legacy memory bank (memory-bank/**)",
+        ],
+      },
+      merge_time: {
+        status: "DECLARED",
+        note:
+          "Merge-time gate reads ai/policy/path-protect.yaml (enforced by scripts/0dai-merge). " +
+          "Covers governance files including ai/policy/**, ai/contracts/**, and repo-specific " +
+          "protected paths declared by the maintainer. " +
+          "This file is generated by `0dai init`. Not present in a pre-init repo.",
+      },
+    },
+
+    // ── B. Agent authority matrix ─────────────────────────────────────────
+    // The per-action grant table (AUTO / PICKER / FORBIDDEN per action-id x CLI)
+    // materialises from ai/contracts/agent-authority.yaml after `0dai init`.
+    // That file is NOT in the npm bundle and cannot be verified at cold runtime,
+    // so we describe the structure categorically — not a fabricated action table.
+    authority: {
+      status: "DEFAULT",
+      note:
+        "Per-action grant table (AUTO / PICKER / FORBIDDEN) materialises from " +
+        "ai/contracts/agent-authority.yaml after `0dai init`. " +
+        "Dispatch-gate enforcement (ODAI_AUTONOMY_MATRIX_GATE=1) is opt-in, not default-on. " +
+        "Before init, no repo-specific grants are enforced.",
+      structural_description: {
+        "AUTO":    "agent may proceed unattended (e.g. issue create, read, CI runs)",
+        "PICKER":  "human must confirm before action executes (e.g. admin merges, deploys, protected writes)",
+        "FORBIDDEN": "action is never permitted without an explicit override (e.g. force-push to main, editing constitution)",
+      },
+      note_on_defaults:
+        "After `0dai init`, high-risk actions (admin merge, deploy, editing governance files) " +
+        "default to PICKER or FORBIDDEN.  Low-risk read and CI actions default to AUTO. " +
+        "Run `0dai trust` post-init to see the exact per-agent x per-action table.",
+    },
+
+    // ── C. Egress / telemetry ─────────────────────────────────────────────
+    // Derived from shared.js (checkVersion, apiCall).  These apply
+    // unconditionally on every CLI run, regardless of init state.
+    egress: {
+      status: "DEFAULT",
+      note:
+        "Derived from cli source (shared.js checkVersion + apiCall). " +
+        "Unconditional items fire on every CLI run, pre-init included.",
+      unconditional: [
+        {
+          endpoint: "GET /v1/version (api.0dai.dev)",
+          trigger:
+            "Every CLI run, throttled to at most once per " +
+            "ODAI_UPDATE_CHECK_INTERVAL (default 3600 s). Checks for CLI updates.",
+          headers_sent: [
+            "X-Device-ID — sha256 of stable local machine identifiers (no PII)",
+            "X-CLI-Version — installed CLI version string",
+          ],
+          request_body: null,
+        },
+      ],
+      on_explicit_command_only: [
+        {
+          endpoint: "POST /v1/graph/push",
+          trigger: "0dai graph push",
+          data: "graph-eligible artifact classes (no credentials, no file contents)",
+        },
+        {
+          endpoint: "POST /v1/report",
+          trigger: "0dai report push",
+          data: "cloud-sync-allowed artifact classes",
+        },
+        {
+          endpoint: "POST /v1/feedback",
+          trigger: "0dai feedback push",
+          data: "user_feedback_payload",
+        },
+        {
+          endpoint: "POST /v1/licenses/activate",
+          trigger: "0dai activate",
+          data: "device_fingerprint + license_code",
+        },
+      ],
+    },
+  };
+}
+
+/**
+ * Return the static default-scope output for a cold (pre-init) repo.
+ *
+ * Exported for direct unit-testing — avoids fighting findRepoScript's
+ * __dirname-anchored candidate resolution in subprocess tests.
+ *
+ * @param {string} target - Repo path shown in output (informational; not read from disk).
+ * @param {boolean} asJson - Emit JSON string instead of human-readable text.
+ * @returns {string}
+ */
+function renderColdScope(target, asJson) {
+  const payload = _buildColdPayload(target);
+
+  if (asJson) {
+    return JSON.stringify(payload, null, 2);
+  }
+
+  const HR  = "─".repeat(64);
+  const HR2 = "═".repeat(64);
+  const lines = [];
+
+  lines.push("");
+  lines.push(HR2);
+  lines.push("  0dai trust — pre-run blast-radius disclosure  [DEFAULT (pre-init) scope]");
+  lines.push(HR2);
+  lines.push(`  target:    ${payload.target}`);
+  lines.push(`  generated: ${payload.generated_at}`);
+  lines.push("");
+  lines.push("  NOTE  trust_scope.py not found — this repo has not run `0dai init` yet.");
+  lines.push("        This output shows DEFAULT scope: what 0dai does BEFORE any");
+  lines.push("        repo-specific config exists.  It is NOT the enforced scope.");
+  lines.push("        Run `0dai init`, then re-run `0dai trust` for the real scope.");
+  lines.push("");
+  lines.push("  Key: [ENFORCED] = gated now   [DECLARED] = post-init only");
+  lines.push("       [DEFAULT]  = structural invariant, not a config file");
+  lines.push("");
+
+  // ── A. Protected paths ────────────────────────────────────────────────────
+  lines.push("  A. Protected paths");
+  lines.push("  " + HR.slice(0, 60));
+
+  const et = payload.protected_paths.edit_time;
+  lines.push(`  [${et.status}] Edit-time gate`);
+  lines.push(`    ${et.note}`);
+  lines.push("    Indicative categories (run `0dai trust` post-init for the authoritative list):");
+  for (const cat of et.categories_indicative) {
+    lines.push(`      - ${cat}`);
+  }
+  lines.push("");
+
+  const mt = payload.protected_paths.merge_time;
+  lines.push(`  [${mt.status}] Merge-time gate`);
+  lines.push(`    ${mt.note}`);
+  lines.push("");
+
+  // ── B. Agent authority matrix ─────────────────────────────────────────────
+  lines.push("  B. Agent authority matrix");
+  lines.push("  " + HR.slice(0, 60));
+
+  const auth = payload.authority;
+  lines.push(`  [${auth.status}] ${auth.note}`);
+  lines.push("");
+  lines.push("    Decision levels:");
+  for (const [level, desc] of Object.entries(auth.structural_description)) {
+    lines.push(`      ${level.padEnd(12)} ${desc}`);
+  }
+  lines.push("");
+  lines.push(`    ${auth.note_on_defaults}`);
+  lines.push("");
+
+  // ── C. Data that leaves the repo ──────────────────────────────────────────
+  lines.push("  C. Data that leaves the repo");
+  lines.push("  " + HR.slice(0, 60));
+
+  const eg = payload.egress;
+  lines.push(`  [${eg.status}] ${eg.note}`);
+  lines.push("");
+  lines.push("    Unconditional (every CLI run, pre-init included):");
+  for (const ep of eg.unconditional) {
+    lines.push(`      * ${ep.endpoint}`);
+    lines.push(`          trigger: ${ep.trigger}`);
+    for (const h of ep.headers_sent) {
+      lines.push(`          header:  ${h}`);
+    }
+  }
+  lines.push("");
+  lines.push("    On explicit command only (not triggered by `0dai trust` itself):");
+  for (const ep of eg.on_explicit_command_only) {
+    lines.push(`      * ${ep.endpoint}`);
+    lines.push(`          trigger: ${ep.trigger}`);
+    lines.push(`          data:    ${ep.data}`);
+  }
+  lines.push("");
+
+  lines.push(HR);
+  lines.push("  Next steps to get the full enforced scope:");
+  lines.push("    1. Run `0dai init` to generate ai/ config.");
+  lines.push("    2. Run `0dai trust` again to see the repo-specific enforced scope.");
+  lines.push(`  Docs: ${payload.docs}`);
+  lines.push(HR);
+  lines.push("");
+
+  return lines.join("\n");
+}
+
+function cmdTrust(target, args) {
+  const scriptPath = findRepoScript(target, "trust_scope.py");
+
+  // COLD PATH — trust_scope.py not found (pre-init / cold npm install).
+  // Graceful degrade: print static DEFAULT scope summary and exit 0.
+  // Clearly labeled as "DEFAULT (pre-init) scope" — cannot be mistaken for
+  // the repo-specific enforced scope rendered by trust_scope.py (WARM path).
+  if (!scriptPath) {
+    const asJson = !!(args && args.includes("--json"));
+    console.log(renderColdScope(target, asJson));
+    process.exit(0);
+  }
+
+  // WARM PATH — delegate to trust_scope.py (behaviour unchanged).
+  const forwarded = [scriptPath, "--target", target];
+  if (args && args.includes("--json")) forwarded.push("--json");
+
+  const result = spawnSync("python3", forwarded, { stdio: "inherit" });
+  if (typeof result.status === "number") process.exit(result.status);
+  process.exit(1);
+}
+
+module.exports = { cmdTrust, renderColdScope };

package/lib/commands/upgrade.js

@@ -0,0 +1,58 @@
+"use strict";
+
+const { spawnSync } = require("child_process");
+const { buildUpgradeUrl } = require("../utils/plan");
+
+function isInteractive() {
+  return !!(process.stdin && process.stdin.isTTY && process.stdout && process.stdout.isTTY);
+}
+
+function isBrowserDisabled(env = process.env) {
+  const browser = env.BROWSER;
+  if (browser == null) return false;
+  const normalized = String(browser).trim().toLowerCase();
+  return normalized === "" || normalized === "0" || normalized === "false" || normalized === "none";
+}
+
+function openBrowser(url, deps = {}) {
+  const spawn = deps.spawnSync || spawnSync;
+  const platform = deps.platform || process.platform;
+  let command;
+  let args;
+  if (platform === "darwin") {
+    command = "open";
+    args = [url];
+  } else if (platform === "win32") {
+    command = "cmd";
+    args = ["/c", "start", "", url];
+  } else {
+    command = "xdg-open";
+    args = [url];
+  }
+  const result = spawn(command, args, { stdio: "ignore", timeout: 5000 });
+  return result.status === 0;
+}
+
+function cmdUpgrade(options = {}) {
+  const writeLine = typeof options.writeLine === "function" ? options.writeLine : (msg) => console.log(msg);
+  const url = buildUpgradeUrl(options.params);
+  const interactive = typeof options.isInteractive === "function"
+    ? options.isInteractive()
+    : isInteractive();
+  const browserDisabled = isBrowserDisabled(options.env || process.env);
+
+  if (interactive && !browserDisabled) {
+    const opened = openBrowser(url, options);
+    if (!opened) writeLine(url);
+    return;
+  }
+
+  writeLine(url);
+}
+
+module.exports = {
+  cmdUpgrade,
+  openBrowser,
+  isInteractive,
+  isBrowserDisabled,
+};

package/lib/commands/vault.js

@@ -209,7 +209,9 @@ function cmdVaultDeferred(sub, args) {
 
 function cmdVault(_target, sub, args) {
   const command = sub && !sub.startsWith("-") ? sub : "";
-  const forwarded = command === sub ? args.slice(2) : args.slice(1);
+  // args is already args.slice(2) from bin/0dai.js (the tail after "vault <sub>"),
+  // so forwarded is the remaining flags/positionals unchanged.
+  const forwarded = command ? args : args.slice(1);
 
   if (!command || command === "help" || command === "-h" || command === "--help") {
     printUsage();

package/lib/shared.js

@@ -21,7 +21,7 @@ const { SUPPORTED_CLIS, MANIFEST_FILES, PROBE_DIRS, SETTINGS_PRESERVE_FIELDS } =
 const {
   deviceFingerprint, registerProject, projectIdFor,
   getGitRemoteOrigin, inferProjectName, detectStackHint,
-  collectMetadata, buildProjectIdentity,
+  collectMetadata, buildProjectIdentity, hashManifestFiles,
 } = require("./utils/identity");
 const { PLAN_LEVELS, _detectPlanLocal, requirePlan, getSwarmQuotaLocal } = require("./utils/plan");
 
@@ -403,7 +403,7 @@ module.exports = {
   // Identity
   deviceFingerprint, registerProject, projectIdFor,
   getGitRemoteOrigin, inferProjectName, detectStackHint,
-  collectMetadata, buildProjectIdentity,
+  collectMetadata, buildProjectIdentity, hashManifestFiles,
   // Plan / Tier
   _detectPlanLocal, requirePlan, getSwarmQuotaLocal,
   // Project