@aexhq/sdk 0.22.0 → 0.22.1

@@ -445,7 +445,16 @@ const forbiddenStringPatterns = Object.freeze([
445
445
  { reason: "vault_id", regex: /\b(?:vault|vlt|secret)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i },
446
446
  {
447
447
  reason: "private_resource_handle",
448
- regex: /\b(?:machine|session|agent|file|skill|env|resource|handle|token_hash|bearer_hash)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i
448
+ // `<keyword><sep><id>` opaque handles (`session_a1B2c3D4e5`, `file_9f8e7d…`).
449
+ // The keyword set overlaps ordinary English (agent/file/skill/resource/…), so
450
+ // the bare shape also matched documentation prose that simply chains those
451
+ // words with `_`/`-` (`agent_decision_failure`, `file_grounded`,
452
+ // `session_handoff_contract`, `agent-judgment` — read straight out of a
453
+ // skill-pack doc in tool-result text). The `accept` predicate keeps the shape
454
+ // but requires the id segment to look minted rather than spelled — i.e. carry
455
+ // a digit — so genuine handles stay flagged while dictionary-word prose does not.
456
+ regex: /\b(?:machine|session|agent|file|skill|env|resource|handle|token_hash|bearer_hash)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i,
457
+ accept: isMintedResourceHandle
449
458
  },
450
459
  {
451
460
  reason: "high_entropy_token",
@@ -487,6 +496,20 @@ function isHighEntropySecretRun(run) {
487
496
  }
488
497
  return highEntropyShannonBits(run) >= 3.0;
489
498
  }
499
+ /**
500
+ * Decide whether a `<keyword><sep><id>` shape-match is a genuinely minted private
501
+ * handle rather than dictionary-word prose. The id segment (everything after the
502
+ * first `_`/`-`/`:`) must carry a digit — the property that separates a minted
503
+ * opaque handle (`session_a1B2c3D4e5`, `file_9f8e7d6c5b4a`, `machine_1234567890`)
504
+ * from a chain of English words (`agent_decision_failure`, `file_grounded`). This
505
+ * mirrors `isHighEntropySecretRun`'s letter+digit requirement: a prefixless secret
506
+ * blob and a minted handle both carry digits; prose does not.
507
+ */
508
+ function isMintedResourceHandle(match) {
509
+ const separatorIndex = match.search(/[_:-]/);
510
+ const id = match.slice(separatorIndex + 1);
511
+ return /\d/.test(id);
512
+ }
490
513
  function highEntropyCharClassCount(value) {
491
514
  let count = 0;
492
515
  if (/[a-z]/.test(value))
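Review bot: The new `accept` predicate fixes a false positive by opening a false-negative window: `isMintedResourceHandle` returns false for any match whose id segment contains no digit, so a genuine handle that happens to be all letters is no longer reported as `private_resource_handle`. Whether that can happen depends on how handles are minted, which is not visible here; if ids are drawn from an alphabet that includes letters (base62 or base64url, say), some real ids near the regex's 8-character minimum will carry no digit. Either state the guarantee beside the predicate, for example `// invariant: minted ids always contain a digit (see <minting code>)`, and pin it with a test, or widen the check so a digit-free mixed-case id still counts: `return /\d/.test(id) || (/[a-z]/.test(id) && /[A-Z]/.test(id));`. The same predicate is added without its doc comment in package/dist/cli.mjs, and the scanner code that consults `accept` lies outside these hunks.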
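--- a/package/dist/cli.mjs
+++ b/package/dist/cli.mjs
@@ -901,7 +901,16 @@ var forbiddenStringPatterns = Object.freeze([
  { reason: "vault_id", regex: /\b(?:vault|vlt|secret)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i },
  {
  reason: "private_resource_handle",
- regex: /\b(?:machine|session|agent|file|skill|env|resource|handle|token_hash|bearer_hash)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i
+ // `<keyword><sep><id>` opaque handles (`session_a1B2c3D4e5`, `file_9f8e7d…`).
+ // The keyword set overlaps ordinary English (agent/file/skill/resource/…), so
+ // the bare shape also matched documentation prose that simply chains those
+ // words with `_`/`-` (`agent_decision_failure`, `file_grounded`,
+ // `session_handoff_contract`, `agent-judgment` — read straight out of a
+ // skill-pack doc in tool-result text). The `accept` predicate keeps the shape
+ // but requires the id segment to look minted rather than spelled — i.e. carry
+ // a digit — so genuine handles stay flagged while dictionary-word prose does not.
+ regex: /\b(?:machine|session|agent|file|skill|env|resource|handle|token_hash|bearer_hash)[_:-][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/i,
+ accept: isMintedResourceHandle
  },
  {
  reason: "high_entropy_token",
@@ -931,6 +940,11 @@ function isHighEntropySecretRun(run) {
  }
  return highEntropyShannonBits(run) >= 3;
  }
+ function isMintedResourceHandle(match) {
+ const separatorIndex = match.search(/[_:-]/);
+ const id = match.slice(separatorIndex + 1);
+ return /\d/.test(id);
+ }
  function highEntropyCharClassCount(value) {
  let count = 0;
  if (/[a-z]/.test(value))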
@@ -1 +1 @@
1
- bfd0fb573fa113fe08d69fc50f246c821bfc9e0acd9bddd6e92775d38120e201 cli.mjs
1
+ 84dede6ed017defb49617f6f799912364125363867fa9ca8054150ebc0446286 cli.mjs
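--- a/package/dist/version.d.ts
+++ b/package/dist/version.d.ts
@@ -6,4 +6,4 @@
  *
  * Used by the (future) User-Agent header on outbound SDK requests.
  */
- export declare const SDK_VERSION = "0.22.0";
+ export declare const SDK_VERSION = "0.22.1";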
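--- a/package/dist/version.js
+++ b/package/dist/version.js
@@ -6,5 +6,5 @@
  *
  * Used by the (future) User-Agent header on outbound SDK requests.
  */
- export const SDK_VERSION = "0.22.0";
+ export const SDK_VERSION = "0.22.1";
  //# sourceMappingURL=version.js.map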
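--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@aexhq/sdk",
- "version": "0.22.0",
+ "version": "0.22.1",
  "description": "TypeScript SDK for running autonomous agent sessions across providers (Anthropic, OpenAI, DeepSeek, Gemini, Mistral) behind one interface.",
  "license": "Apache-2.0",
  "repository": {
@@ -26,7 +26,7 @@
  "examples"
  ],
  "devDependencies": {
- "@aexhq/contracts": "0.22.0"
+ "@aexhq/contracts": "0.22.1"
  },
  "engines": {
  "node": ">=20"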