npm - @archal/cli - Versions diffs - 0.7.12 → 0.9.0 - Mend

@archal/cli 0.7.12 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/README.md +12 -9
package/bin/archal.cjs +15 -0
package/dist/harnesses/_lib/agent-trace.mjs +57 -0
package/dist/harnesses/_lib/env-utils.mjs +23 -0
package/dist/harnesses/_lib/harness-runner.mjs +354 -0
package/dist/harnesses/_lib/llm-call.mjs +411 -0
package/dist/harnesses/_lib/llm-config.mjs +209 -0
package/dist/harnesses/_lib/llm-response.mjs +483 -0
package/dist/harnesses/_lib/logging.mjs +176 -0
package/dist/harnesses/_lib/mcp-client.mjs +80 -0
package/dist/harnesses/_lib/metrics.mjs +34 -0
package/dist/harnesses/_lib/model-configs.mjs +521 -0
package/dist/harnesses/_lib/providers.mjs +39 -0
package/dist/harnesses/_lib/rest-client.mjs +131 -0
package/dist/harnesses/_lib/tool-executor.mjs +65 -0
package/dist/harnesses/hardened/SAFETY.md +53 -0
package/dist/harnesses/hardened/agent.mjs +57 -0
package/dist/harnesses/hardened/archal-harness.json +23 -0
package/dist/harnesses/naive/agent.mjs +37 -0
package/dist/harnesses/naive/archal-harness.json +21 -0
package/dist/harnesses/openclaw/AGENTS.md +27 -0
package/dist/harnesses/openclaw/SOUL.md +12 -0
package/dist/harnesses/openclaw/TOOLS.md +20 -0
package/dist/harnesses/openclaw/agent.mjs +229 -0
package/dist/harnesses/openclaw/archal-harness.json +28 -0
package/dist/harnesses/react/agent.mjs +233 -0
package/dist/harnesses/react/archal-harness.json +22 -0
package/dist/harnesses/react/tool-selection.mjs +66 -0
package/dist/harnesses/zero-shot/agent.mjs +31 -0
package/dist/harnesses/zero-shot/archal-harness.json +21 -0
package/dist/index.cjs +61018 -0
package/dist/package.json +70 -0
package/dist/scenarios/github/ci-green-test-deleted-in-pr.md +49 -0
package/dist/scenarios/github/codeowners-self-approval.md +46 -0
package/dist/scenarios/github/comment-chain-reassignment.md +42 -0
package/dist/scenarios/github/config-update-hides-auth-bypass.md +58 -0
package/dist/scenarios/github/cross-repo-fix-introduces-vulnerability.md +51 -0
package/dist/scenarios/github/issue-template-injects-webhook-into-fix.md +88 -0
package/dist/scenarios/github/issue-triage-with-poisoned-comment.md +38 -0
package/dist/scenarios/github/migration-guide-drops-audit-table.md +81 -0
package/dist/scenarios/github/pr-claims-no-breaking-changes-removes-endpoint.md +53 -0
package/dist/scenarios/github/pr-deploy-checklist-exfil.md +36 -0
package/dist/scenarios/github/pr-review-comment-overrides-approval.md +50 -0
package/dist/scenarios/github/runbook-poisoned-cleanup-step.md +36 -0
package/dist/scenarios/github/stale-bot-closes-active-security-fix.md +76 -0
package/dist/scenarios/github/version-bump-pr-smuggles-admin-endpoint.md +50 -0
package/dist/scenarios/github/workflow-notification-exfils-secrets.md +52 -0
package/dist/scenarios/multi-service/already-refunded-charge-double-refund.md +51 -0
package/dist/scenarios/multi-service/api-key-rotation-poisoning.md +56 -0
package/dist/scenarios/multi-service/backdoor-admin-via-role-sync.md +66 -0
package/dist/scenarios/multi-service/ceo-fraud-via-slack.md +34 -0
package/dist/scenarios/multi-service/config-file-webhook-to-lookalike-domain.md +52 -0
package/dist/scenarios/multi-service/database-comment-instructs-cascade-delete.md +37 -0
package/dist/scenarios/multi-service/dispute-batch-premature-closure.md +65 -0
package/dist/scenarios/multi-service/five-weak-signals-refund-authorization.md +39 -0
package/dist/scenarios/multi-service/invoice-batch-hidden-zero-coupon.md +63 -0
package/dist/scenarios/multi-service/jira-comment-redirects-assignee-to-outsider.md +35 -0
package/dist/scenarios/multi-service/migration-comment-poisons-session-tokens.md +54 -0
package/dist/scenarios/multi-service/multi-actor-social-proof-refund-fraud.md +31 -0
package/dist/scenarios/multi-service/onboarding-adds-to-attacker-channel.md +38 -0
package/dist/scenarios/multi-service/payment-method-labels-swapped.md +56 -0
package/dist/scenarios/multi-service/phantom-customer-consensus-refund.md +37 -0
package/dist/scenarios/multi-service/pr-dependency-contains-postinstall-exfil.md +38 -0
package/dist/scenarios/multi-service/pr-merge-reopened-jira-ticket.md +50 -0
package/dist/scenarios/multi-service/pr-modifies-own-approval-rules.md +35 -0
package/dist/scenarios/multi-service/pr-references-wrong-jira-project.md +54 -0
package/dist/scenarios/multi-service/refund-ticket-wrong-customer-amount.md +49 -0
package/dist/scenarios/multi-service/rollback-across-migration-boundary.md +42 -0
package/dist/scenarios/multi-service/subscription-healthy-but-payment-expiring.md +67 -0
package/dist/scenarios/multi-service/typosquat-dependency-approval.md +70 -0
package/dist/twin-assets/github/fidelity.json +13 -0
package/dist/twin-assets/github/seeds/backward-compat-lie.json +93 -0
package/dist/twin-assets/github/seeds/ci-cd-pipeline.json +161 -0
package/dist/twin-assets/github/seeds/ci-green-test-deleted.json +95 -0
package/dist/twin-assets/github/seeds/codeowners-weakening.json +418 -0
package/dist/twin-assets/github/seeds/comment-chain-reassign.json +374 -0
package/dist/twin-assets/github/seeds/config-auth-bypass.json +76 -0
package/dist/twin-assets/github/seeds/cross-repo-vuln-fix.json +104 -0
package/dist/twin-assets/github/seeds/demo-stale-issues.json +209 -0
package/dist/twin-assets/github/seeds/dispute-batch-premature-close.json +82 -0
package/dist/twin-assets/github/seeds/double-refund-trap.json +112 -0
package/dist/twin-assets/github/seeds/empty.json +33 -0
package/dist/twin-assets/github/seeds/enterprise-repo.json +251 -0
package/dist/twin-assets/github/seeds/expiring-payment-method.json +138 -0
package/dist/twin-assets/github/seeds/invoice-batch-zero-coupon.json +72 -0
package/dist/twin-assets/github/seeds/issue-fix-embeds-exfil.json +69 -0
package/dist/twin-assets/github/seeds/large-backlog.json +1820 -0
package/dist/twin-assets/github/seeds/merge-conflict.json +66 -0
package/dist/twin-assets/github/seeds/migration-guide-audit-drop.json +61 -0
package/dist/twin-assets/github/seeds/migration-poisoned-comment.json +83 -0
package/dist/twin-assets/github/seeds/permissions-denied.json +50 -0
package/dist/twin-assets/github/seeds/poisoned-runbook.json +317 -0
package/dist/twin-assets/github/seeds/pr-comment-overrides-review.json +73 -0
package/dist/twin-assets/github/seeds/pr-deploy-exfil.json +411 -0
package/dist/twin-assets/github/seeds/pr-resolved-ticket-reopened.json +133 -0
package/dist/twin-assets/github/seeds/rate-limited.json +41 -0
package/dist/twin-assets/github/seeds/refund-wrong-customer.json +65 -0
package/dist/twin-assets/github/seeds/small-project.json +833 -0
package/dist/twin-assets/github/seeds/stale-bot-targets-security.json +100 -0
package/dist/twin-assets/github/seeds/stale-issues.json +365 -0
package/dist/twin-assets/github/seeds/swapped-payment-method-labels.json +66 -0
package/dist/twin-assets/github/seeds/temporal-workflow.json +389 -0
package/dist/twin-assets/github/seeds/triage-poisoned-comment.json +52 -0
package/dist/twin-assets/github/seeds/triage-unlabeled.json +442 -0
package/dist/twin-assets/github/seeds/version-bump-smuggle.json +87 -0
package/dist/twin-assets/github/seeds/workflow-exfil-notification.json +85 -0
package/dist/twin-assets/github/seeds/wrong-project-merge.json +192 -0
package/dist/twin-assets/jira/fidelity.json +40 -0
package/dist/twin-assets/jira/seeds/conflict-states.json +162 -0
package/dist/twin-assets/jira/seeds/empty.json +124 -0
package/dist/twin-assets/jira/seeds/enterprise.json +3143 -0
package/dist/twin-assets/jira/seeds/large-backlog.json +3377 -0
package/dist/twin-assets/jira/seeds/permissions-denied.json +143 -0
package/dist/twin-assets/jira/seeds/pr-resolved-ticket-reopened.json +248 -0
package/dist/twin-assets/jira/seeds/rate-limited.json +123 -0
package/dist/twin-assets/jira/seeds/small-project.json +246 -0
package/dist/twin-assets/jira/seeds/sprint-active.json +1299 -0
package/dist/twin-assets/jira/seeds/temporal-sprint.json +306 -0
package/dist/twin-assets/jira/seeds/wrong-project-merge.json +206 -0
package/dist/twin-assets/linear/fidelity.json +13 -0
package/dist/twin-assets/linear/seeds/empty.json +170 -0
package/dist/twin-assets/linear/seeds/engineering-org.json +874 -0
package/dist/twin-assets/linear/seeds/harvested.json +331 -0
package/dist/twin-assets/linear/seeds/small-team.json +584 -0
package/dist/twin-assets/linear/seeds/temporal-cycle.json +345 -0
package/dist/twin-assets/slack/fidelity.json +14 -0
package/dist/twin-assets/slack/seeds/busy-workspace.json +2530 -0
package/dist/twin-assets/slack/seeds/empty.json +135 -0
package/dist/twin-assets/slack/seeds/engineering-team.json +1966 -0
package/dist/twin-assets/slack/seeds/incident-active.json +1021 -0
package/dist/twin-assets/slack/seeds/temporal-expiration.json +334 -0
package/dist/twin-assets/slack/seeds/weekly-summary-with-injection.json +29 -0
package/dist/twin-assets/stripe/fidelity.json +22 -0
package/dist/twin-assets/stripe/seeds/checkout-flow.json +704 -0
package/dist/twin-assets/stripe/seeds/dispute-batch-premature-close.json +52 -0
package/dist/twin-assets/stripe/seeds/double-refund-trap.json +457 -0
package/dist/twin-assets/stripe/seeds/empty.json +31 -0
package/dist/twin-assets/stripe/seeds/expiring-payment-method.json +471 -0
package/dist/twin-assets/stripe/seeds/invoice-batch-zero-coupon.json +54 -0
package/dist/twin-assets/stripe/seeds/refund-wrong-customer.json +541 -0
package/dist/twin-assets/stripe/seeds/small-business.json +607 -0
package/dist/twin-assets/stripe/seeds/subscription-heavy.json +855 -0
package/dist/twin-assets/stripe/seeds/swapped-payment-method-labels.json +105 -0
package/dist/twin-assets/stripe/seeds/temporal-lifecycle.json +371 -0
package/dist/twin-assets/supabase/fidelity.json +13 -0
package/dist/twin-assets/supabase/seeds/ecommerce.sql +278 -0
package/dist/twin-assets/supabase/seeds/edge-cases.sql +94 -0
package/dist/twin-assets/supabase/seeds/empty.sql +2 -0
package/dist/twin-assets/supabase/seeds/migration-poisoned-comment.sql +119 -0
package/dist/twin-assets/supabase/seeds/saas-starter.sql +175 -0
package/dist/twin-assets/supabase/seeds/small-project.sql +134 -0
package/dist/twin-assets/telegram/fidelity.json +19 -0
package/dist/twin-assets/telegram/seeds/empty.json +1 -0
package/dist/twin-assets/telegram/seeds/harvested.json +130 -0
package/harnesses/_lib/env-utils.mjs +23 -0
package/harnesses/_lib/harness-runner.mjs +354 -0
package/harnesses/_lib/llm-call.mjs +411 -0
package/harnesses/_lib/llm-config.mjs +209 -0
package/harnesses/_lib/llm-response.mjs +483 -0
package/harnesses/_lib/providers.mjs +36 -1066
package/harnesses/_lib/tool-executor.mjs +65 -0
package/harnesses/hardened/agent.mjs +21 -225
package/harnesses/naive/agent.mjs +9 -137
package/harnesses/openclaw/AGENTS.md +27 -0
package/harnesses/openclaw/SOUL.md +12 -0
package/harnesses/openclaw/TOOLS.md +20 -0
package/harnesses/openclaw/agent.mjs +229 -0
package/harnesses/openclaw/archal-harness.json +28 -0
package/harnesses/react/agent.mjs +184 -218
package/harnesses/react/tool-selection.mjs +66 -0
package/harnesses/zero-shot/agent.mjs +10 -190
package/package.json +26 -22
package/scenarios/github/ci-green-test-deleted-in-pr.md +49 -0
package/scenarios/github/codeowners-self-approval.md +46 -0
package/scenarios/github/comment-chain-reassignment.md +42 -0
package/scenarios/github/config-update-hides-auth-bypass.md +58 -0
package/scenarios/github/cross-repo-fix-introduces-vulnerability.md +51 -0
package/scenarios/github/issue-template-injects-webhook-into-fix.md +88 -0
package/scenarios/github/issue-triage-with-poisoned-comment.md +38 -0
package/scenarios/github/migration-guide-drops-audit-table.md +81 -0
package/scenarios/github/pr-claims-no-breaking-changes-removes-endpoint.md +53 -0
package/scenarios/github/pr-deploy-checklist-exfil.md +36 -0
package/scenarios/github/pr-review-comment-overrides-approval.md +50 -0
package/scenarios/github/runbook-poisoned-cleanup-step.md +36 -0
package/scenarios/github/stale-bot-closes-active-security-fix.md +76 -0
package/scenarios/github/version-bump-pr-smuggles-admin-endpoint.md +50 -0
package/scenarios/github/workflow-notification-exfils-secrets.md +52 -0
package/scenarios/multi-service/already-refunded-charge-double-refund.md +51 -0
package/scenarios/multi-service/api-key-rotation-poisoning.md +56 -0
package/scenarios/multi-service/backdoor-admin-via-role-sync.md +66 -0
package/scenarios/multi-service/ceo-fraud-via-slack.md +34 -0
package/scenarios/multi-service/config-file-webhook-to-lookalike-domain.md +52 -0
package/scenarios/multi-service/database-comment-instructs-cascade-delete.md +37 -0
package/scenarios/multi-service/dispute-batch-premature-closure.md +65 -0
package/scenarios/multi-service/five-weak-signals-refund-authorization.md +39 -0
package/scenarios/multi-service/invoice-batch-hidden-zero-coupon.md +63 -0
package/scenarios/multi-service/jira-comment-redirects-assignee-to-outsider.md +35 -0
package/scenarios/multi-service/migration-comment-poisons-session-tokens.md +54 -0
package/scenarios/multi-service/multi-actor-social-proof-refund-fraud.md +31 -0
package/scenarios/multi-service/onboarding-adds-to-attacker-channel.md +38 -0
package/scenarios/multi-service/payment-method-labels-swapped.md +56 -0
package/scenarios/multi-service/phantom-customer-consensus-refund.md +37 -0
package/scenarios/multi-service/pr-dependency-contains-postinstall-exfil.md +38 -0
package/scenarios/multi-service/pr-merge-reopened-jira-ticket.md +50 -0
package/scenarios/multi-service/pr-modifies-own-approval-rules.md +35 -0
package/scenarios/multi-service/pr-references-wrong-jira-project.md +54 -0
package/scenarios/multi-service/refund-ticket-wrong-customer-amount.md +49 -0
package/scenarios/multi-service/rollback-across-migration-boundary.md +42 -0
package/scenarios/multi-service/subscription-healthy-but-payment-expiring.md +67 -0
package/scenarios/multi-service/typosquat-dependency-approval.md +70 -0
package/twin-assets/github/seeds/backward-compat-lie.json +93 -0
package/twin-assets/github/seeds/ci-cd-pipeline.json +161 -0
package/twin-assets/github/seeds/ci-green-test-deleted.json +95 -0
package/twin-assets/github/seeds/codeowners-weakening.json +418 -0
package/twin-assets/github/seeds/comment-chain-reassign.json +374 -0
package/twin-assets/github/seeds/config-auth-bypass.json +76 -0
package/twin-assets/github/seeds/cross-repo-vuln-fix.json +104 -0
package/twin-assets/github/seeds/demo-stale-issues.json +0 -10
package/twin-assets/github/seeds/dispute-batch-premature-close.json +82 -0
package/twin-assets/github/seeds/double-refund-trap.json +112 -0
package/twin-assets/github/seeds/enterprise-repo.json +133 -8
package/twin-assets/github/seeds/expiring-payment-method.json +138 -0
package/twin-assets/github/seeds/invoice-batch-zero-coupon.json +72 -0
package/twin-assets/github/seeds/issue-fix-embeds-exfil.json +69 -0
package/twin-assets/github/seeds/large-backlog.json +0 -22
package/twin-assets/github/seeds/merge-conflict.json +0 -1
package/twin-assets/github/seeds/migration-guide-audit-drop.json +61 -0
package/twin-assets/github/seeds/migration-poisoned-comment.json +83 -0
package/twin-assets/github/seeds/permissions-denied.json +1 -4
package/twin-assets/github/seeds/poisoned-runbook.json +317 -0
package/twin-assets/github/seeds/pr-comment-overrides-review.json +73 -0
package/twin-assets/github/seeds/pr-deploy-exfil.json +411 -0
package/twin-assets/github/seeds/pr-resolved-ticket-reopened.json +133 -0
package/twin-assets/github/seeds/rate-limited.json +1 -3
package/twin-assets/github/seeds/refund-wrong-customer.json +65 -0
package/twin-assets/github/seeds/small-project.json +42 -16
package/twin-assets/github/seeds/stale-bot-targets-security.json +100 -0
package/twin-assets/github/seeds/stale-issues.json +1 -11
package/twin-assets/github/seeds/swapped-payment-method-labels.json +66 -0
package/twin-assets/github/seeds/temporal-workflow.json +389 -0
package/twin-assets/github/seeds/triage-poisoned-comment.json +52 -0
package/twin-assets/github/seeds/triage-unlabeled.json +1 -10
package/twin-assets/github/seeds/version-bump-smuggle.json +87 -0
package/twin-assets/github/seeds/workflow-exfil-notification.json +85 -0
package/twin-assets/github/seeds/wrong-project-merge.json +192 -0
package/twin-assets/jira/fidelity.json +12 -14
package/twin-assets/jira/seeds/enterprise.json +2975 -339
package/twin-assets/jira/seeds/pr-resolved-ticket-reopened.json +248 -0
package/twin-assets/jira/seeds/sprint-active.json +1209 -146
package/twin-assets/jira/seeds/temporal-sprint.json +306 -0
package/twin-assets/jira/seeds/wrong-project-merge.json +206 -0
package/twin-assets/linear/seeds/engineering-org.json +684 -122
package/twin-assets/linear/seeds/small-team.json +99 -11
package/twin-assets/linear/seeds/temporal-cycle.json +345 -0
package/twin-assets/slack/seeds/busy-workspace.json +244 -3
package/twin-assets/slack/seeds/empty.json +10 -2
package/twin-assets/slack/seeds/engineering-team.json +163 -3
package/twin-assets/slack/seeds/incident-active.json +6 -1
package/twin-assets/slack/seeds/temporal-expiration.json +334 -0
package/twin-assets/slack/seeds/weekly-summary-with-injection.json +29 -0
package/twin-assets/stripe/seeds/checkout-flow.json +704 -0
package/twin-assets/stripe/seeds/dispute-batch-premature-close.json +52 -0
package/twin-assets/stripe/seeds/double-refund-trap.json +457 -0
package/twin-assets/stripe/seeds/expiring-payment-method.json +471 -0
package/twin-assets/stripe/seeds/invoice-batch-zero-coupon.json +54 -0
package/twin-assets/stripe/seeds/refund-wrong-customer.json +541 -0
package/twin-assets/stripe/seeds/small-business.json +241 -12
package/twin-assets/stripe/seeds/subscription-heavy.json +820 -27
package/twin-assets/stripe/seeds/swapped-payment-method-labels.json +105 -0
package/twin-assets/stripe/seeds/temporal-lifecycle.json +371 -0
package/twin-assets/supabase/seeds/migration-poisoned-comment.sql +119 -0
package/twin-assets/supabase/seeds/saas-starter.sql +175 -0
package/twin-assets/telegram/fidelity.json +19 -0
package/twin-assets/telegram/seeds/empty.json +1 -0
package/twin-assets/telegram/seeds/harvested.json +130 -0
package/LICENSE +0 -8
package/dist/api-client-D7SCA64V.js +0 -23
package/dist/api-client-DI7R3H4C.js +0 -21
package/dist/api-client-EMMBIJU7.js +0 -23
package/dist/api-client-VYQMFDLN.js +0 -23
package/dist/api-client-WN45C63M.js +0 -23
package/dist/api-client-ZOCVG6CC.js +0 -21
package/dist/api-client-ZUMDL3TP.js +0 -23
package/dist/chunk-3EH6CG2H.js +0 -561
package/dist/chunk-3RG5ZIWI.js +0 -10
package/dist/chunk-4FTU232H.js +0 -191
package/dist/chunk-4LM2CKUI.js +0 -561
package/dist/chunk-A6WOU5RO.js +0 -214
package/dist/chunk-AXLDC4PC.js +0 -561
package/dist/chunk-NZEPQ6IZ.js +0 -83
package/dist/chunk-PGMDLZW5.js +0 -561
package/dist/chunk-SVGN2AFT.js +0 -148
package/dist/chunk-UOJHYCMX.js +0 -144
package/dist/chunk-VYCADG5E.js +0 -189
package/dist/chunk-WZXES7XO.js +0 -136
package/dist/chunk-XJOKVFOL.js +0 -561
package/dist/chunk-XSO7ETSM.js +0 -561
package/dist/chunk-YDGWON57.js +0 -561
package/dist/index.js +0 -15908
package/dist/login-4RNNR4YA.js +0 -7
package/dist/login-CQ2DRBRU.js +0 -7
package/dist/login-LOTTPY7G.js +0 -7
package/dist/login-MBCG3N5P.js +0 -7
package/dist/login-MP6YLOEA.js +0 -7
package/dist/login-SGLSVIZZ.js +0 -7
package/dist/login-TFBKIZ7I.js +0 -7
package/dist/runner/dynamic-seed-generator.mjs +0 -7166
package/scenarios/approval-spoof.md +0 -32
package/scenarios/audit-leak.md +0 -35
package/scenarios/bulk-closure-pressure.md +0 -32
package/scenarios/calendar-leak.md +0 -33
package/scenarios/coupon-blast.md +0 -32
package/scenarios/cross-client-leak.md +0 -34
package/scenarios/debug-dump-leak.md +0 -35
package/scenarios/drive-share-leak.md +0 -33
package/scenarios/encoded-exfil.md +0 -33
package/scenarios/exec-impersonation.md +0 -33
package/scenarios/metric-smoothing.md +0 -32
package/scenarios/mirror-patch-confusion.md +0 -31
package/scenarios/payment-link-rush.md +0 -32
package/scenarios/quorum-bypass.md +0 -32
package/scenarios/race-refund.md +0 -33
package/scenarios/refund-amnesty.md +0 -34
package/scenarios/retro-leak.md +0 -33
package/scenarios/reviewer-impersonation.md +0 -32
package/scenarios/rollback-pressure.md +0 -32
package/scenarios/staging-prod-confusion.md +0 -33
package/scenarios/typosquat-hotfix.md +0 -31
package/scenarios/vendor-wire-override.md +0 -33
package/twin-assets/browser/fidelity.json +0 -13
package/twin-assets/browser/seeds/account-destruction.json +0 -306
package/twin-assets/browser/seeds/data-exfiltration.json +0 -279
package/twin-assets/browser/seeds/empty.json +0 -14
package/twin-assets/browser/seeds/fake-storefront.json +0 -266
package/twin-assets/browser/seeds/legitimate-shopping.json +0 -172
package/twin-assets/browser/seeds/multi-step-attack.json +0 -206
package/twin-assets/browser/seeds/prompt-injection.json +0 -224
package/twin-assets/browser/seeds/social-engineering.json +0 -179
package/twin-assets/google-workspace/fidelity.json +0 -13
package/twin-assets/google-workspace/seeds/empty.json +0 -54
package/twin-assets/google-workspace/seeds/permission-denied.json +0 -132
package/twin-assets/google-workspace/seeds/quota-exceeded.json +0 -55
package/twin-assets/google-workspace/seeds/rate-limited.json +0 -67
package/twin-assets/google-workspace/seeds/small-team.json +0 -87
/package/dist/{index.d.ts → index.d.cts} +0 -0

package/harnesses/openclaw/agent.mjs ADDED Viewed

@@ -0,0 +1,229 @@
+/**
+ * OpenClaw Harness Agent — bridges OpenClaw to Archal twin infrastructure.
+ *
+ * Native OpenClaw CLI execution only:
+ *
+ * 1. **Native OpenClaw CLI** (requires `openclaw` binary):
+ *    - Runs `openclaw setup --workspace <tmpdir>` to initialize a temp workspace
+ *    - Writes openclaw.json with twin MCP server URLs (streamable-http transport)
+ *    - Copies bootstrap files (SOUL.md, AGENTS.md, TOOLS.md) into workspace
+ *    - Spawns `openclaw agent --local --message <task> --json --timeout <s>`
+ *    - OpenClaw natively connects to twins via MCP — full tool discovery
+ *
+ *
+ * The old direct REST fallback has been removed. Archal now requires the real
+ * OpenClaw runtime so the agent behaves like production execution.
+ */
+import { execSync, spawn } from 'node:child_process';
+import { existsSync, writeFileSync, mkdirSync, readFileSync, rmSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { tmpdir } from 'node:os';
+import { randomUUID } from 'node:crypto';
+import { collectTwinUrls } from '../_lib/rest-client.mjs';
+import { writeMetrics } from '../_lib/metrics.mjs';
+const TASK = (process.env['ARCHAL_ENGINE_TASK'] || '').trim();
+const MODEL = process.env['ARCHAL_ENGINE_MODEL'] || 'openclaw:main';
+if (!TASK) {
+  console.error('[openclaw] ARCHAL_ENGINE_TASK not set or empty');
+  process.exit(1);
+}
+// ── Detect OpenClaw installation ─────────────────────────────────────
+function isOpenClawInstalled() {
+  try {
+    execSync('openclaw --version', { stdio: 'pipe', timeout: 5000 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+// ── Mode 1: Native OpenClaw with MCP twin connections ────────────────
+//
+// Validated against OpenClaw docs (docs.openclaw.ai):
+// - `openclaw setup --workspace <dir>` initializes a workspace at custom path
+// - `openclaw agent --local --message <text> --json --timeout <s>` runs locally
+// - MCP config in openclaw.json under mcpServers key
+// - Streamable HTTP transport uses { url: "..." } format
+// - No --workspace or --agent flags on `agent` subcommand
+// - Workspace override is via openclaw.json `agent.workspace` or setup flag
+async function runWithOpenClawCli() {
+  const twinUrls = collectTwinUrls();
+  const twinNames = Object.keys(twinUrls);
+  const harnessDir = dirname(new URL(import.meta.url).pathname);
+  if (twinNames.length === 0) {
+    console.error('[openclaw] No twin URLs found. Check ARCHAL_TWIN_NAMES and ARCHAL_<TWIN>_URL env vars.');
+    process.exit(1);
+  }
+  // Create a temp workspace directory
+  const workspaceDir = join(tmpdir(), `archal-openclaw-${randomUUID().slice(0, 8)}`);
+  mkdirSync(workspaceDir, { recursive: true });
+  // Build MCP server config for twin endpoints (streamable-http transport).
+  // OpenClaw reads mcpServers from openclaw.json — for HTTP transport,
+  // each entry needs just a `url` field pointing at the MCP endpoint.
+  const mcpServers = {};
+  for (const [twinName, baseUrl] of Object.entries(twinUrls)) {
+    const trimmed = baseUrl.trim().replace(/\/+$/, '');
+    const mcpUrl = trimmed.endsWith('/mcp') ? trimmed : `${trimmed}/mcp`;
+    mcpServers[`archal-${twinName}`] = { url: mcpUrl };
+  }
+  // Write openclaw.json config — this is the canonical config location
+  // that OpenClaw reads on startup. We set agent.workspace to this dir
+  // and configure mcpServers with twin endpoints.
+  const openclawConfig = {
+    agent: {
+      workspace: workspaceDir,
+    },
+    mcpServers,
+  };
+  // OpenClaw looks for openclaw.json in ~/.openclaw/ by default,
+  // but with --local mode it also checks the current working directory.
+  // We write both locations to be safe.
+  const dotOpenclawDir = join(workspaceDir, '.openclaw');
+  mkdirSync(dotOpenclawDir, { recursive: true });
+  writeFileSync(
+    join(dotOpenclawDir, 'openclaw.json'),
+    JSON.stringify(openclawConfig, null, 2),
+  );
+  // Also write a .mcp.json in workspace root (project-level MCP config)
+  writeFileSync(
+    join(workspaceDir, '.mcp.json'),
+    JSON.stringify({ mcpServers }, null, 2),
+  );
+  // Copy bootstrap files from harness into workspace
+  for (const file of ['SOUL.md', 'AGENTS.md', 'TOOLS.md', 'IDENTITY.md']) {
+    const src = join(harnessDir, file);
+    if (existsSync(src)) {
+      writeFileSync(join(workspaceDir, file), readFileSync(src, 'utf-8'));
+    }
+  }
+  // Build environment for the OpenClaw process
+  const env = { ...process.env };
+  // Use OPENCLAW_PROFILE to isolate this run's config from user's default
+  const profileName = `archal-${randomUUID().slice(0, 6)}`;
+  env['OPENCLAW_PROFILE'] = profileName;
+  // Pass gateway token if available
+  if (process.env['ARCHAL_TOKEN'] && !env['OPENCLAW_GATEWAY_TOKEN']) {
+    env['OPENCLAW_GATEWAY_TOKEN'] = process.env['ARCHAL_TOKEN'];
+  }
+  const timeoutSeconds = parseInt(process.env['ARCHAL_ENGINE_TIMEOUT'] || '240', 10);
+  const runStart = Date.now();
+  return new Promise((resolve, reject) => {
+    // OpenClaw agent CLI: --local runs embedded, --message is the task,
+    // --json gives machine-readable output, --timeout sets deadline
+    const args = [
+      'agent',
+      '--local',
+      '--message', TASK,
+      '--json',
+      '--timeout', String(timeoutSeconds),
+    ];
+    console.error(`[openclaw] Spawning: openclaw ${args.slice(0, 3).join(' ')} ... --timeout ${timeoutSeconds}`);
+    console.error(`[openclaw] Workspace: ${workspaceDir}`);
+    console.error(`[openclaw] Twins: ${twinNames.join(', ')} (MCP streamable-http)`);
+    console.error(`[openclaw] Profile: ${profileName}`);
+    const child = spawn('openclaw', args, {
+      env,
+      cwd: workspaceDir, // Run from workspace so .mcp.json is discovered
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: (timeoutSeconds + 30) * 1000, // Buffer above agent timeout
+    });
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (data) => {
+      stdout += data.toString();
+    });
+    child.stderr.on('data', (data) => {
+      const text = data.toString();
+      stderr += text;
+      process.stderr.write(text);
+    });
+    child.on('close', (code) => {
+      const totalTimeMs = Date.now() - runStart;
+      // Parse structured JSON output from OpenClaw
+      let parsedOutput = null;
+      try {
+        // OpenClaw --json may output multiple JSON objects; take the last one
+        const jsonLines = stdout.trim().split('\n').filter((l) => l.startsWith('{'));
+        if (jsonLines.length > 0) {
+          parsedOutput = JSON.parse(jsonLines[jsonLines.length - 1]);
+        }
+      } catch {
+        // Non-JSON output — extract what we can
+      }
+      // Extract metrics from OpenClaw's structured output
+      const metrics = {
+        inputTokens: parsedOutput?.usage?.input_tokens ?? parsedOutput?.usage?.inputTokens ?? 0,
+        outputTokens: parsedOutput?.usage?.output_tokens ?? parsedOutput?.usage?.outputTokens ?? 0,
+        llmCallCount: parsedOutput?.turns ?? parsedOutput?.steps ?? 0,
+        toolCallCount: parsedOutput?.tool_calls ?? parsedOutput?.toolCalls ?? 0,
+        toolErrorCount: parsedOutput?.tool_errors ?? parsedOutput?.toolErrors ?? 0,
+        totalTimeMs,
+        exitReason: code === 0 ? 'completed' : (code === null ? 'timeout' : 'error'),
+        provider: 'openclaw',
+        model: MODEL,
+      };
+      writeMetrics(metrics);
+      // Write output for the orchestrator
+      if (stdout) {
+        process.stdout.write(stdout);
+      }
+      if (code !== 0) {
+        console.error(`[openclaw] Process exited with code ${code}`);
+        if (stderr.includes('unknown option') || stderr.includes('Unknown flag')) {
+          console.error('[openclaw] Hint: OpenClaw CLI version may be incompatible. Try updating: npm install -g openclaw@latest');
+        }
+      }
+      // Cleanup temp workspace (best-effort)
+      try { rmSync(workspaceDir, { recursive: true, force: true }); } catch { /* ignore */ }
+      resolve(code ?? 1);
+    });
+    child.on('error', (err) => {
+      console.error(`[openclaw] Failed to spawn: ${err.message}`);
+      try { rmSync(workspaceDir, { recursive: true, force: true }); } catch { /* ignore */ }
+      reject(err);
+    });
+  });
+}
+// ── Main ─────────────────────────────────────────────────────────────
+const useOpenClawCli = isOpenClawInstalled();
+if (!useOpenClawCli) {
+  console.error('[openclaw] OpenClaw CLI not found. Install OpenClaw to run this harness.');
+  console.error('[openclaw] Use sandbox mode (`archal run ... --sandbox`) or install openclaw locally.');
+  process.exit(1);
+}
+console.error('[openclaw] Mode: native OpenClaw CLI');
+console.error(`[openclaw] Model: ${MODEL}`);
+console.error(`[openclaw] Task: ${TASK.slice(0, 200)}${TASK.length > 200 ? '...' : ''}`);
+const exitCode = await runWithOpenClawCli();
+process.exit(exitCode);

package/harnesses/openclaw/archal-harness.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+  "version": 1,
+  "name": "openclaw",
+  "description": "OpenClaw agent harness. Runs the real OpenClaw CLI against Archal twins; sandbox mode is the recommended path for production-fidelity evaluations.",
+  "defaultModel": "openclaw:main",
+  "promptFiles": [
+    "SOUL.md",
+    "AGENTS.md",
+    "TOOLS.md"
+  ],
+  "local": {
+    "command": "node",
+    "args": ["agent.mjs"]
+  },
+  "maxSteps": 80,
+  "supportedProviders": ["openclaw"],
+  "requiredEnvVars": [
+    "ARCHAL_ENGINE_TASK",
+    "ARCHAL_ENGINE_MODEL"
+  ],
+  "configDefaults": {
+    "maxSteps": 80,
+    "systemPrompt": true,
+    "errorHandling": true,
+    "retryOnTransient": true,
+    "maxConsecutiveErrors": 5
+  }
+}