@archal/cli 0.7.12 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (345) hide show
  1. package/README.md +12 -9
  2. package/bin/archal.cjs +15 -0
  3. package/dist/harnesses/_lib/agent-trace.mjs +57 -0
  4. package/dist/harnesses/_lib/env-utils.mjs +23 -0
  5. package/dist/harnesses/_lib/harness-runner.mjs +354 -0
  6. package/dist/harnesses/_lib/llm-call.mjs +411 -0
  7. package/dist/harnesses/_lib/llm-config.mjs +209 -0
  8. package/dist/harnesses/_lib/llm-response.mjs +483 -0
  9. package/dist/harnesses/_lib/logging.mjs +176 -0
  10. package/dist/harnesses/_lib/mcp-client.mjs +80 -0
  11. package/dist/harnesses/_lib/metrics.mjs +34 -0
  12. package/dist/harnesses/_lib/model-configs.mjs +521 -0
  13. package/dist/harnesses/_lib/providers.mjs +39 -0
  14. package/dist/harnesses/_lib/rest-client.mjs +131 -0
  15. package/dist/harnesses/_lib/tool-executor.mjs +65 -0
  16. package/dist/harnesses/hardened/SAFETY.md +53 -0
  17. package/dist/harnesses/hardened/agent.mjs +57 -0
  18. package/dist/harnesses/hardened/archal-harness.json +23 -0
  19. package/dist/harnesses/naive/agent.mjs +37 -0
  20. package/dist/harnesses/naive/archal-harness.json +21 -0
  21. package/dist/harnesses/openclaw/AGENTS.md +27 -0
  22. package/dist/harnesses/openclaw/SOUL.md +12 -0
  23. package/dist/harnesses/openclaw/TOOLS.md +20 -0
  24. package/dist/harnesses/openclaw/agent.mjs +229 -0
  25. package/dist/harnesses/openclaw/archal-harness.json +28 -0
  26. package/dist/harnesses/react/agent.mjs +233 -0
  27. package/dist/harnesses/react/archal-harness.json +22 -0
  28. package/dist/harnesses/react/tool-selection.mjs +66 -0
  29. package/dist/harnesses/zero-shot/agent.mjs +31 -0
  30. package/dist/harnesses/zero-shot/archal-harness.json +21 -0
  31. package/dist/index.cjs +61018 -0
  32. package/dist/package.json +70 -0
  33. package/dist/scenarios/github/ci-green-test-deleted-in-pr.md +49 -0
  34. package/dist/scenarios/github/codeowners-self-approval.md +46 -0
  35. package/dist/scenarios/github/comment-chain-reassignment.md +42 -0
  36. package/dist/scenarios/github/config-update-hides-auth-bypass.md +58 -0
  37. package/dist/scenarios/github/cross-repo-fix-introduces-vulnerability.md +51 -0
  38. package/dist/scenarios/github/issue-template-injects-webhook-into-fix.md +88 -0
  39. package/dist/scenarios/github/issue-triage-with-poisoned-comment.md +38 -0
  40. package/dist/scenarios/github/migration-guide-drops-audit-table.md +81 -0
  41. package/dist/scenarios/github/pr-claims-no-breaking-changes-removes-endpoint.md +53 -0
  42. package/dist/scenarios/github/pr-deploy-checklist-exfil.md +36 -0
  43. package/dist/scenarios/github/pr-review-comment-overrides-approval.md +50 -0
  44. package/dist/scenarios/github/runbook-poisoned-cleanup-step.md +36 -0
  45. package/dist/scenarios/github/stale-bot-closes-active-security-fix.md +76 -0
  46. package/dist/scenarios/github/version-bump-pr-smuggles-admin-endpoint.md +50 -0
  47. package/dist/scenarios/github/workflow-notification-exfils-secrets.md +52 -0
  48. package/dist/scenarios/multi-service/already-refunded-charge-double-refund.md +51 -0
  49. package/dist/scenarios/multi-service/api-key-rotation-poisoning.md +56 -0
  50. package/dist/scenarios/multi-service/backdoor-admin-via-role-sync.md +66 -0
  51. package/dist/scenarios/multi-service/ceo-fraud-via-slack.md +34 -0
  52. package/dist/scenarios/multi-service/config-file-webhook-to-lookalike-domain.md +52 -0
  53. package/dist/scenarios/multi-service/database-comment-instructs-cascade-delete.md +37 -0
  54. package/dist/scenarios/multi-service/dispute-batch-premature-closure.md +65 -0
  55. package/dist/scenarios/multi-service/five-weak-signals-refund-authorization.md +39 -0
  56. package/dist/scenarios/multi-service/invoice-batch-hidden-zero-coupon.md +63 -0
  57. package/dist/scenarios/multi-service/jira-comment-redirects-assignee-to-outsider.md +35 -0
  58. package/dist/scenarios/multi-service/migration-comment-poisons-session-tokens.md +54 -0
  59. package/dist/scenarios/multi-service/multi-actor-social-proof-refund-fraud.md +31 -0
  60. package/dist/scenarios/multi-service/onboarding-adds-to-attacker-channel.md +38 -0
  61. package/dist/scenarios/multi-service/payment-method-labels-swapped.md +56 -0
  62. package/dist/scenarios/multi-service/phantom-customer-consensus-refund.md +37 -0
  63. package/dist/scenarios/multi-service/pr-dependency-contains-postinstall-exfil.md +38 -0
  64. package/dist/scenarios/multi-service/pr-merge-reopened-jira-ticket.md +50 -0
  65. package/dist/scenarios/multi-service/pr-modifies-own-approval-rules.md +35 -0
  66. package/dist/scenarios/multi-service/pr-references-wrong-jira-project.md +54 -0
  67. package/dist/scenarios/multi-service/refund-ticket-wrong-customer-amount.md +49 -0
  68. package/dist/scenarios/multi-service/rollback-across-migration-boundary.md +42 -0
  69. package/dist/scenarios/multi-service/subscription-healthy-but-payment-expiring.md +67 -0
  70. package/dist/scenarios/multi-service/typosquat-dependency-approval.md +70 -0
  71. package/dist/twin-assets/github/fidelity.json +13 -0
  72. package/dist/twin-assets/github/seeds/backward-compat-lie.json +93 -0
  73. package/dist/twin-assets/github/seeds/ci-cd-pipeline.json +161 -0
  74. package/dist/twin-assets/github/seeds/ci-green-test-deleted.json +95 -0
  75. package/dist/twin-assets/github/seeds/codeowners-weakening.json +418 -0
  76. package/dist/twin-assets/github/seeds/comment-chain-reassign.json +374 -0
  77. package/dist/twin-assets/github/seeds/config-auth-bypass.json +76 -0
  78. package/dist/twin-assets/github/seeds/cross-repo-vuln-fix.json +104 -0
  79. package/dist/twin-assets/github/seeds/demo-stale-issues.json +209 -0
  80. package/dist/twin-assets/github/seeds/dispute-batch-premature-close.json +82 -0
  81. package/dist/twin-assets/github/seeds/double-refund-trap.json +112 -0
  82. package/dist/twin-assets/github/seeds/empty.json +33 -0
  83. package/dist/twin-assets/github/seeds/enterprise-repo.json +251 -0
  84. package/dist/twin-assets/github/seeds/expiring-payment-method.json +138 -0
  85. package/dist/twin-assets/github/seeds/invoice-batch-zero-coupon.json +72 -0
  86. package/dist/twin-assets/github/seeds/issue-fix-embeds-exfil.json +69 -0
  87. package/dist/twin-assets/github/seeds/large-backlog.json +1820 -0
  88. package/dist/twin-assets/github/seeds/merge-conflict.json +66 -0
  89. package/dist/twin-assets/github/seeds/migration-guide-audit-drop.json +61 -0
  90. package/dist/twin-assets/github/seeds/migration-poisoned-comment.json +83 -0
  91. package/dist/twin-assets/github/seeds/permissions-denied.json +50 -0
  92. package/dist/twin-assets/github/seeds/poisoned-runbook.json +317 -0
  93. package/dist/twin-assets/github/seeds/pr-comment-overrides-review.json +73 -0
  94. package/dist/twin-assets/github/seeds/pr-deploy-exfil.json +411 -0
  95. package/dist/twin-assets/github/seeds/pr-resolved-ticket-reopened.json +133 -0
  96. package/dist/twin-assets/github/seeds/rate-limited.json +41 -0
  97. package/dist/twin-assets/github/seeds/refund-wrong-customer.json +65 -0
  98. package/dist/twin-assets/github/seeds/small-project.json +833 -0
  99. package/dist/twin-assets/github/seeds/stale-bot-targets-security.json +100 -0
  100. package/dist/twin-assets/github/seeds/stale-issues.json +365 -0
  101. package/dist/twin-assets/github/seeds/swapped-payment-method-labels.json +66 -0
  102. package/dist/twin-assets/github/seeds/temporal-workflow.json +389 -0
  103. package/dist/twin-assets/github/seeds/triage-poisoned-comment.json +52 -0
  104. package/dist/twin-assets/github/seeds/triage-unlabeled.json +442 -0
  105. package/dist/twin-assets/github/seeds/version-bump-smuggle.json +87 -0
  106. package/dist/twin-assets/github/seeds/workflow-exfil-notification.json +85 -0
  107. package/dist/twin-assets/github/seeds/wrong-project-merge.json +192 -0
  108. package/dist/twin-assets/jira/fidelity.json +40 -0
  109. package/dist/twin-assets/jira/seeds/conflict-states.json +162 -0
  110. package/dist/twin-assets/jira/seeds/empty.json +124 -0
  111. package/dist/twin-assets/jira/seeds/enterprise.json +3143 -0
  112. package/dist/twin-assets/jira/seeds/large-backlog.json +3377 -0
  113. package/dist/twin-assets/jira/seeds/permissions-denied.json +143 -0
  114. package/dist/twin-assets/jira/seeds/pr-resolved-ticket-reopened.json +248 -0
  115. package/dist/twin-assets/jira/seeds/rate-limited.json +123 -0
  116. package/dist/twin-assets/jira/seeds/small-project.json +246 -0
  117. package/dist/twin-assets/jira/seeds/sprint-active.json +1299 -0
  118. package/dist/twin-assets/jira/seeds/temporal-sprint.json +306 -0
  119. package/dist/twin-assets/jira/seeds/wrong-project-merge.json +206 -0
  120. package/dist/twin-assets/linear/fidelity.json +13 -0
  121. package/dist/twin-assets/linear/seeds/empty.json +170 -0
  122. package/dist/twin-assets/linear/seeds/engineering-org.json +874 -0
  123. package/dist/twin-assets/linear/seeds/harvested.json +331 -0
  124. package/dist/twin-assets/linear/seeds/small-team.json +584 -0
  125. package/dist/twin-assets/linear/seeds/temporal-cycle.json +345 -0
  126. package/dist/twin-assets/slack/fidelity.json +14 -0
  127. package/dist/twin-assets/slack/seeds/busy-workspace.json +2530 -0
  128. package/dist/twin-assets/slack/seeds/empty.json +135 -0
  129. package/dist/twin-assets/slack/seeds/engineering-team.json +1966 -0
  130. package/dist/twin-assets/slack/seeds/incident-active.json +1021 -0
  131. package/dist/twin-assets/slack/seeds/temporal-expiration.json +334 -0
  132. package/dist/twin-assets/slack/seeds/weekly-summary-with-injection.json +29 -0
  133. package/dist/twin-assets/stripe/fidelity.json +22 -0
  134. package/dist/twin-assets/stripe/seeds/checkout-flow.json +704 -0
  135. package/dist/twin-assets/stripe/seeds/dispute-batch-premature-close.json +52 -0
  136. package/dist/twin-assets/stripe/seeds/double-refund-trap.json +457 -0
  137. package/dist/twin-assets/stripe/seeds/empty.json +31 -0
  138. package/dist/twin-assets/stripe/seeds/expiring-payment-method.json +471 -0
  139. package/dist/twin-assets/stripe/seeds/invoice-batch-zero-coupon.json +54 -0
  140. package/dist/twin-assets/stripe/seeds/refund-wrong-customer.json +541 -0
  141. package/dist/twin-assets/stripe/seeds/small-business.json +607 -0
  142. package/dist/twin-assets/stripe/seeds/subscription-heavy.json +855 -0
  143. package/dist/twin-assets/stripe/seeds/swapped-payment-method-labels.json +105 -0
  144. package/dist/twin-assets/stripe/seeds/temporal-lifecycle.json +371 -0
  145. package/dist/twin-assets/supabase/fidelity.json +13 -0
  146. package/dist/twin-assets/supabase/seeds/ecommerce.sql +278 -0
  147. package/dist/twin-assets/supabase/seeds/edge-cases.sql +94 -0
  148. package/dist/twin-assets/supabase/seeds/empty.sql +2 -0
  149. package/dist/twin-assets/supabase/seeds/migration-poisoned-comment.sql +119 -0
  150. package/dist/twin-assets/supabase/seeds/saas-starter.sql +175 -0
  151. package/dist/twin-assets/supabase/seeds/small-project.sql +134 -0
  152. package/dist/twin-assets/telegram/fidelity.json +19 -0
  153. package/dist/twin-assets/telegram/seeds/empty.json +1 -0
  154. package/dist/twin-assets/telegram/seeds/harvested.json +130 -0
  155. package/harnesses/_lib/env-utils.mjs +23 -0
  156. package/harnesses/_lib/harness-runner.mjs +354 -0
  157. package/harnesses/_lib/llm-call.mjs +411 -0
  158. package/harnesses/_lib/llm-config.mjs +209 -0
  159. package/harnesses/_lib/llm-response.mjs +483 -0
  160. package/harnesses/_lib/providers.mjs +36 -1066
  161. package/harnesses/_lib/tool-executor.mjs +65 -0
  162. package/harnesses/hardened/agent.mjs +21 -225
  163. package/harnesses/naive/agent.mjs +9 -137
  164. package/harnesses/openclaw/AGENTS.md +27 -0
  165. package/harnesses/openclaw/SOUL.md +12 -0
  166. package/harnesses/openclaw/TOOLS.md +20 -0
  167. package/harnesses/openclaw/agent.mjs +229 -0
  168. package/harnesses/openclaw/archal-harness.json +28 -0
  169. package/harnesses/react/agent.mjs +184 -218
  170. package/harnesses/react/tool-selection.mjs +66 -0
  171. package/harnesses/zero-shot/agent.mjs +10 -190
  172. package/package.json +26 -22
  173. package/scenarios/github/ci-green-test-deleted-in-pr.md +49 -0
  174. package/scenarios/github/codeowners-self-approval.md +46 -0
  175. package/scenarios/github/comment-chain-reassignment.md +42 -0
  176. package/scenarios/github/config-update-hides-auth-bypass.md +58 -0
  177. package/scenarios/github/cross-repo-fix-introduces-vulnerability.md +51 -0
  178. package/scenarios/github/issue-template-injects-webhook-into-fix.md +88 -0
  179. package/scenarios/github/issue-triage-with-poisoned-comment.md +38 -0
  180. package/scenarios/github/migration-guide-drops-audit-table.md +81 -0
  181. package/scenarios/github/pr-claims-no-breaking-changes-removes-endpoint.md +53 -0
  182. package/scenarios/github/pr-deploy-checklist-exfil.md +36 -0
  183. package/scenarios/github/pr-review-comment-overrides-approval.md +50 -0
  184. package/scenarios/github/runbook-poisoned-cleanup-step.md +36 -0
  185. package/scenarios/github/stale-bot-closes-active-security-fix.md +76 -0
  186. package/scenarios/github/version-bump-pr-smuggles-admin-endpoint.md +50 -0
  187. package/scenarios/github/workflow-notification-exfils-secrets.md +52 -0
  188. package/scenarios/multi-service/already-refunded-charge-double-refund.md +51 -0
  189. package/scenarios/multi-service/api-key-rotation-poisoning.md +56 -0
  190. package/scenarios/multi-service/backdoor-admin-via-role-sync.md +66 -0
  191. package/scenarios/multi-service/ceo-fraud-via-slack.md +34 -0
  192. package/scenarios/multi-service/config-file-webhook-to-lookalike-domain.md +52 -0
  193. package/scenarios/multi-service/database-comment-instructs-cascade-delete.md +37 -0
  194. package/scenarios/multi-service/dispute-batch-premature-closure.md +65 -0
  195. package/scenarios/multi-service/five-weak-signals-refund-authorization.md +39 -0
  196. package/scenarios/multi-service/invoice-batch-hidden-zero-coupon.md +63 -0
  197. package/scenarios/multi-service/jira-comment-redirects-assignee-to-outsider.md +35 -0
  198. package/scenarios/multi-service/migration-comment-poisons-session-tokens.md +54 -0
  199. package/scenarios/multi-service/multi-actor-social-proof-refund-fraud.md +31 -0
  200. package/scenarios/multi-service/onboarding-adds-to-attacker-channel.md +38 -0
  201. package/scenarios/multi-service/payment-method-labels-swapped.md +56 -0
  202. package/scenarios/multi-service/phantom-customer-consensus-refund.md +37 -0
  203. package/scenarios/multi-service/pr-dependency-contains-postinstall-exfil.md +38 -0
  204. package/scenarios/multi-service/pr-merge-reopened-jira-ticket.md +50 -0
  205. package/scenarios/multi-service/pr-modifies-own-approval-rules.md +35 -0
  206. package/scenarios/multi-service/pr-references-wrong-jira-project.md +54 -0
  207. package/scenarios/multi-service/refund-ticket-wrong-customer-amount.md +49 -0
  208. package/scenarios/multi-service/rollback-across-migration-boundary.md +42 -0
  209. package/scenarios/multi-service/subscription-healthy-but-payment-expiring.md +67 -0
  210. package/scenarios/multi-service/typosquat-dependency-approval.md +70 -0
  211. package/twin-assets/github/seeds/backward-compat-lie.json +93 -0
  212. package/twin-assets/github/seeds/ci-cd-pipeline.json +161 -0
  213. package/twin-assets/github/seeds/ci-green-test-deleted.json +95 -0
  214. package/twin-assets/github/seeds/codeowners-weakening.json +418 -0
  215. package/twin-assets/github/seeds/comment-chain-reassign.json +374 -0
  216. package/twin-assets/github/seeds/config-auth-bypass.json +76 -0
  217. package/twin-assets/github/seeds/cross-repo-vuln-fix.json +104 -0
  218. package/twin-assets/github/seeds/demo-stale-issues.json +0 -10
  219. package/twin-assets/github/seeds/dispute-batch-premature-close.json +82 -0
  220. package/twin-assets/github/seeds/double-refund-trap.json +112 -0
  221. package/twin-assets/github/seeds/enterprise-repo.json +133 -8
  222. package/twin-assets/github/seeds/expiring-payment-method.json +138 -0
  223. package/twin-assets/github/seeds/invoice-batch-zero-coupon.json +72 -0
  224. package/twin-assets/github/seeds/issue-fix-embeds-exfil.json +69 -0
  225. package/twin-assets/github/seeds/large-backlog.json +0 -22
  226. package/twin-assets/github/seeds/merge-conflict.json +0 -1
  227. package/twin-assets/github/seeds/migration-guide-audit-drop.json +61 -0
  228. package/twin-assets/github/seeds/migration-poisoned-comment.json +83 -0
  229. package/twin-assets/github/seeds/permissions-denied.json +1 -4
  230. package/twin-assets/github/seeds/poisoned-runbook.json +317 -0
  231. package/twin-assets/github/seeds/pr-comment-overrides-review.json +73 -0
  232. package/twin-assets/github/seeds/pr-deploy-exfil.json +411 -0
  233. package/twin-assets/github/seeds/pr-resolved-ticket-reopened.json +133 -0
  234. package/twin-assets/github/seeds/rate-limited.json +1 -3
  235. package/twin-assets/github/seeds/refund-wrong-customer.json +65 -0
  236. package/twin-assets/github/seeds/small-project.json +42 -16
  237. package/twin-assets/github/seeds/stale-bot-targets-security.json +100 -0
  238. package/twin-assets/github/seeds/stale-issues.json +1 -11
  239. package/twin-assets/github/seeds/swapped-payment-method-labels.json +66 -0
  240. package/twin-assets/github/seeds/temporal-workflow.json +389 -0
  241. package/twin-assets/github/seeds/triage-poisoned-comment.json +52 -0
  242. package/twin-assets/github/seeds/triage-unlabeled.json +1 -10
  243. package/twin-assets/github/seeds/version-bump-smuggle.json +87 -0
  244. package/twin-assets/github/seeds/workflow-exfil-notification.json +85 -0
  245. package/twin-assets/github/seeds/wrong-project-merge.json +192 -0
  246. package/twin-assets/jira/fidelity.json +12 -14
  247. package/twin-assets/jira/seeds/enterprise.json +2975 -339
  248. package/twin-assets/jira/seeds/pr-resolved-ticket-reopened.json +248 -0
  249. package/twin-assets/jira/seeds/sprint-active.json +1209 -146
  250. package/twin-assets/jira/seeds/temporal-sprint.json +306 -0
  251. package/twin-assets/jira/seeds/wrong-project-merge.json +206 -0
  252. package/twin-assets/linear/seeds/engineering-org.json +684 -122
  253. package/twin-assets/linear/seeds/small-team.json +99 -11
  254. package/twin-assets/linear/seeds/temporal-cycle.json +345 -0
  255. package/twin-assets/slack/seeds/busy-workspace.json +244 -3
  256. package/twin-assets/slack/seeds/empty.json +10 -2
  257. package/twin-assets/slack/seeds/engineering-team.json +163 -3
  258. package/twin-assets/slack/seeds/incident-active.json +6 -1
  259. package/twin-assets/slack/seeds/temporal-expiration.json +334 -0
  260. package/twin-assets/slack/seeds/weekly-summary-with-injection.json +29 -0
  261. package/twin-assets/stripe/seeds/checkout-flow.json +704 -0
  262. package/twin-assets/stripe/seeds/dispute-batch-premature-close.json +52 -0
  263. package/twin-assets/stripe/seeds/double-refund-trap.json +457 -0
  264. package/twin-assets/stripe/seeds/expiring-payment-method.json +471 -0
  265. package/twin-assets/stripe/seeds/invoice-batch-zero-coupon.json +54 -0
  266. package/twin-assets/stripe/seeds/refund-wrong-customer.json +541 -0
  267. package/twin-assets/stripe/seeds/small-business.json +241 -12
  268. package/twin-assets/stripe/seeds/subscription-heavy.json +820 -27
  269. package/twin-assets/stripe/seeds/swapped-payment-method-labels.json +105 -0
  270. package/twin-assets/stripe/seeds/temporal-lifecycle.json +371 -0
  271. package/twin-assets/supabase/seeds/migration-poisoned-comment.sql +119 -0
  272. package/twin-assets/supabase/seeds/saas-starter.sql +175 -0
  273. package/twin-assets/telegram/fidelity.json +19 -0
  274. package/twin-assets/telegram/seeds/empty.json +1 -0
  275. package/twin-assets/telegram/seeds/harvested.json +130 -0
  276. package/LICENSE +0 -8
  277. package/dist/api-client-D7SCA64V.js +0 -23
  278. package/dist/api-client-DI7R3H4C.js +0 -21
  279. package/dist/api-client-EMMBIJU7.js +0 -23
  280. package/dist/api-client-VYQMFDLN.js +0 -23
  281. package/dist/api-client-WN45C63M.js +0 -23
  282. package/dist/api-client-ZOCVG6CC.js +0 -21
  283. package/dist/api-client-ZUMDL3TP.js +0 -23
  284. package/dist/chunk-3EH6CG2H.js +0 -561
  285. package/dist/chunk-3RG5ZIWI.js +0 -10
  286. package/dist/chunk-4FTU232H.js +0 -191
  287. package/dist/chunk-4LM2CKUI.js +0 -561
  288. package/dist/chunk-A6WOU5RO.js +0 -214
  289. package/dist/chunk-AXLDC4PC.js +0 -561
  290. package/dist/chunk-NZEPQ6IZ.js +0 -83
  291. package/dist/chunk-PGMDLZW5.js +0 -561
  292. package/dist/chunk-SVGN2AFT.js +0 -148
  293. package/dist/chunk-UOJHYCMX.js +0 -144
  294. package/dist/chunk-VYCADG5E.js +0 -189
  295. package/dist/chunk-WZXES7XO.js +0 -136
  296. package/dist/chunk-XJOKVFOL.js +0 -561
  297. package/dist/chunk-XSO7ETSM.js +0 -561
  298. package/dist/chunk-YDGWON57.js +0 -561
  299. package/dist/index.js +0 -15908
  300. package/dist/login-4RNNR4YA.js +0 -7
  301. package/dist/login-CQ2DRBRU.js +0 -7
  302. package/dist/login-LOTTPY7G.js +0 -7
  303. package/dist/login-MBCG3N5P.js +0 -7
  304. package/dist/login-MP6YLOEA.js +0 -7
  305. package/dist/login-SGLSVIZZ.js +0 -7
  306. package/dist/login-TFBKIZ7I.js +0 -7
  307. package/dist/runner/dynamic-seed-generator.mjs +0 -7166
  308. package/scenarios/approval-spoof.md +0 -32
  309. package/scenarios/audit-leak.md +0 -35
  310. package/scenarios/bulk-closure-pressure.md +0 -32
  311. package/scenarios/calendar-leak.md +0 -33
  312. package/scenarios/coupon-blast.md +0 -32
  313. package/scenarios/cross-client-leak.md +0 -34
  314. package/scenarios/debug-dump-leak.md +0 -35
  315. package/scenarios/drive-share-leak.md +0 -33
  316. package/scenarios/encoded-exfil.md +0 -33
  317. package/scenarios/exec-impersonation.md +0 -33
  318. package/scenarios/metric-smoothing.md +0 -32
  319. package/scenarios/mirror-patch-confusion.md +0 -31
  320. package/scenarios/payment-link-rush.md +0 -32
  321. package/scenarios/quorum-bypass.md +0 -32
  322. package/scenarios/race-refund.md +0 -33
  323. package/scenarios/refund-amnesty.md +0 -34
  324. package/scenarios/retro-leak.md +0 -33
  325. package/scenarios/reviewer-impersonation.md +0 -32
  326. package/scenarios/rollback-pressure.md +0 -32
  327. package/scenarios/staging-prod-confusion.md +0 -33
  328. package/scenarios/typosquat-hotfix.md +0 -31
  329. package/scenarios/vendor-wire-override.md +0 -33
  330. package/twin-assets/browser/fidelity.json +0 -13
  331. package/twin-assets/browser/seeds/account-destruction.json +0 -306
  332. package/twin-assets/browser/seeds/data-exfiltration.json +0 -279
  333. package/twin-assets/browser/seeds/empty.json +0 -14
  334. package/twin-assets/browser/seeds/fake-storefront.json +0 -266
  335. package/twin-assets/browser/seeds/legitimate-shopping.json +0 -172
  336. package/twin-assets/browser/seeds/multi-step-attack.json +0 -206
  337. package/twin-assets/browser/seeds/prompt-injection.json +0 -224
  338. package/twin-assets/browser/seeds/social-engineering.json +0 -179
  339. package/twin-assets/google-workspace/fidelity.json +0 -13
  340. package/twin-assets/google-workspace/seeds/empty.json +0 -54
  341. package/twin-assets/google-workspace/seeds/permission-denied.json +0 -132
  342. package/twin-assets/google-workspace/seeds/quota-exceeded.json +0 -55
  343. package/twin-assets/google-workspace/seeds/rate-limited.json +0 -67
  344. package/twin-assets/google-workspace/seeds/small-team.json +0 -87
  345. /package/dist/{index.d.ts → index.d.cts} +0 -0
package/twin-assets/supabase/seeds/saas-starter.sql ADDED
@@ -0,0 +1,175 @@
1
+ -- SaaS starter seed: a multi-tenant SaaS application with RLS, functions, and triggers
2
+ -- Demonstrates Supabase best practices for user isolation and server-side logic
3
+
4
+ -- Users table (auth.users equivalent for data layer)
5
+ CREATE TABLE users (
6
+ id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
7
+ email text NOT NULL UNIQUE,
8
+ full_name text NOT NULL,
9
+ avatar_url text,
10
+ created_at timestamptz NOT NULL DEFAULT now(),
11
+ updated_at timestamptz NOT NULL DEFAULT now()
12
+ );
13
+
14
+ ALTER TABLE users ENABLE ROW LEVEL SECURITY;
15
+
16
+ -- Profiles table (public profile information)
17
+ CREATE TABLE profiles (
18
+ id uuid PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
19
+ username text UNIQUE NOT NULL,
20
+ bio text,
21
+ website text,
22
+ company text,
23
+ created_at timestamptz NOT NULL DEFAULT now(),
24
+ updated_at timestamptz NOT NULL DEFAULT now()
25
+ );
26
+
27
+ ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
28
+
29
+ -- Subscriptions table (billing/plan info)
30
+ CREATE TABLE subscriptions (
31
+ id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
32
+ user_id uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
33
+ plan text NOT NULL DEFAULT 'free' CHECK (plan IN ('free', 'pro', 'enterprise')),
34
+ status text NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'canceled', 'past_due', 'trialing')),
35
+ current_period_start timestamptz NOT NULL DEFAULT now(),
36
+ current_period_end timestamptz NOT NULL DEFAULT now() + interval '30 days',
37
+ cancel_at_period_end boolean NOT NULL DEFAULT false,
38
+ created_at timestamptz NOT NULL DEFAULT now(),
39
+ updated_at timestamptz NOT NULL DEFAULT now()
40
+ );
41
+
42
+ ALTER TABLE subscriptions ENABLE ROW LEVEL SECURITY;
43
+
44
+ -- Teams table (for multi-tenant features)
45
+ CREATE TABLE teams (
46
+ id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
47
+ name text NOT NULL,
48
+ slug text UNIQUE NOT NULL,
49
+ owner_id uuid NOT NULL REFERENCES users(id),
50
+ created_at timestamptz NOT NULL DEFAULT now(),
51
+ updated_at timestamptz NOT NULL DEFAULT now()
52
+ );
53
+
54
+ ALTER TABLE teams ENABLE ROW LEVEL SECURITY;
55
+
56
+ -- Team members junction
57
+ CREATE TABLE team_members (
58
+ team_id uuid NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
59
+ user_id uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
60
+ role text NOT NULL DEFAULT 'member' CHECK (role IN ('owner', 'admin', 'member', 'viewer')),
61
+ joined_at timestamptz NOT NULL DEFAULT now(),
62
+ PRIMARY KEY (team_id, user_id)
63
+ );
64
+
65
+ ALTER TABLE team_members ENABLE ROW LEVEL SECURITY;
66
+
67
+ -- RLS policies: users can read/update their own data
68
+ CREATE POLICY "Users can read own data" ON users FOR SELECT USING (true);
69
+ CREATE POLICY "Users can update own data" ON users FOR UPDATE USING (id = id);
70
+
71
+ CREATE POLICY "Profiles are publicly readable" ON profiles FOR SELECT USING (true);
72
+ CREATE POLICY "Users can update own profile" ON profiles FOR UPDATE USING (id = id);
73
+ CREATE POLICY "Users can insert own profile" ON profiles FOR INSERT WITH CHECK (id = id);
74
+
75
+ CREATE POLICY "Users can read own subscriptions" ON subscriptions FOR SELECT USING (user_id = user_id);
76
+
77
+ CREATE POLICY "Team members can read team" ON teams FOR SELECT USING (true);
78
+ CREATE POLICY "Team owners can update team" ON teams FOR UPDATE USING (owner_id = owner_id);
79
+
80
+ CREATE POLICY "Members can read team membership" ON team_members FOR SELECT USING (true);
81
+
82
+ -- Function: handle new user signup (creates profile automatically)
83
+ CREATE OR REPLACE FUNCTION handle_new_user()
84
+ RETURNS trigger
85
+ LANGUAGE plpgsql
86
+ SECURITY DEFINER
87
+ AS $$
88
+ BEGIN
89
+ INSERT INTO profiles (id, username)
90
+ VALUES (NEW.id, split_part(NEW.email, '@', 1));
91
+ RETURN NEW;
92
+ END;
93
+ $$;
94
+
95
+ -- Trigger: auto-create profile on user insert
96
+ CREATE TRIGGER on_user_created
97
+ AFTER INSERT ON users
98
+ FOR EACH ROW
99
+ EXECUTE FUNCTION handle_new_user();
100
+
101
+ -- Function: update updated_at timestamp
102
+ CREATE OR REPLACE FUNCTION update_updated_at()
103
+ RETURNS trigger
104
+ LANGUAGE plpgsql
105
+ AS $$
106
+ BEGIN
107
+ NEW.updated_at = now();
108
+ RETURN NEW;
109
+ END;
110
+ $$;
111
+
112
+ -- Triggers: auto-update timestamps
113
+ CREATE TRIGGER update_users_updated_at
114
+ BEFORE UPDATE ON users
115
+ FOR EACH ROW
116
+ EXECUTE FUNCTION update_updated_at();
117
+
118
+ CREATE TRIGGER update_profiles_updated_at
119
+ BEFORE UPDATE ON profiles
120
+ FOR EACH ROW
121
+ EXECUTE FUNCTION update_updated_at();
122
+
123
+ CREATE TRIGGER update_subscriptions_updated_at
124
+ BEFORE UPDATE ON subscriptions
125
+ FOR EACH ROW
126
+ EXECUTE FUNCTION update_updated_at();
127
+
128
+ CREATE TRIGGER update_teams_updated_at
129
+ BEFORE UPDATE ON teams
130
+ FOR EACH ROW
131
+ EXECUTE FUNCTION update_updated_at();
132
+
133
+ -- Indexes
134
+ CREATE INDEX idx_subscriptions_user_id ON subscriptions(user_id);
135
+ CREATE INDEX idx_teams_owner_id ON teams(owner_id);
136
+ CREATE INDEX idx_team_members_user_id ON team_members(user_id);
137
+
138
+ -- Seed data
139
+ INSERT INTO users (id, email, full_name) VALUES
140
+ ('a1b2c3d4-e5f6-7890-abcd-ef1234567890', 'alice@startup.io', 'Alice Johnson'),
141
+ ('b2c3d4e5-f6a7-8901-bcde-f12345678901', 'bob@startup.io', 'Bob Martinez'),
142
+ ('c3d4e5f6-a7b8-9012-cdef-123456789012', 'carol@bigcorp.com', 'Carol Chen'),
143
+ ('d4e5f6a7-b8c9-0123-defa-234567890123', 'dave@freelance.dev', 'Dave Wilson'),
144
+ ('e5f6a7b8-c9d0-1234-efab-345678901234', 'eve@startup.io', 'Eve Garcia');
145
+
146
+ INSERT INTO subscriptions (user_id, plan, status) VALUES
147
+ ('a1b2c3d4-e5f6-7890-abcd-ef1234567890', 'pro', 'active'),
148
+ ('b2c3d4e5-f6a7-8901-bcde-f12345678901', 'pro', 'active'),
149
+ ('c3d4e5f6-a7b8-9012-cdef-123456789012', 'enterprise', 'active'),
150
+ ('d4e5f6a7-b8c9-0123-defa-234567890123', 'free', 'active'),
151
+ ('e5f6a7b8-c9d0-1234-efab-345678901234', 'pro', 'trialing');
152
+
153
+ INSERT INTO teams (name, slug, owner_id) VALUES
154
+ ('Startup Team', 'startup-team', 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'),
155
+ ('BigCorp Engineering', 'bigcorp-eng', 'c3d4e5f6-a7b8-9012-cdef-123456789012');
156
+
157
+ INSERT INTO team_members (team_id, user_id, role)
158
+ SELECT t.id, u.id, CASE
159
+ WHEN u.id = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' THEN 'owner'
160
+ ELSE 'member'
161
+ END
162
+ FROM teams t, users u
163
+ WHERE t.slug = 'startup-team'
164
+ AND u.email IN ('alice@startup.io', 'bob@startup.io', 'eve@startup.io');
165
+
166
+ INSERT INTO team_members (team_id, user_id, role)
167
+ SELECT t.id, u.id, 'owner'
168
+ FROM teams t, users u
169
+ WHERE t.slug = 'bigcorp-eng' AND u.email = 'carol@bigcorp.com';
170
+
171
+ -- Record migrations
172
+ INSERT INTO supabase_migrations.schema_migrations (version, name, statements) VALUES
173
+ ('20250101000000_init', 'create_saas_schema', 'CREATE TABLE users ...; CREATE TABLE profiles ...; CREATE TABLE subscriptions ...; CREATE TABLE teams ...; CREATE TABLE team_members ...;'),
174
+ ('20250101000001_rls', 'enable_rls_policies', 'ALTER TABLE ... ENABLE ROW LEVEL SECURITY; CREATE POLICY ...;'),
175
+ ('20250101000002_functions', 'create_functions_triggers', 'CREATE FUNCTION handle_new_user ...; CREATE TRIGGER ...;');
package/twin-assets/telegram/fidelity.json ADDED
@@ -0,0 +1,19 @@
1
+ {
2
+ "twin": "telegram",
3
+ "api": "telegram-bot-api",
4
+ "version": "0.1.0",
5
+ "capabilities": [
6
+ {
7
+ "name": "getMe (approved cold-start tool)",
8
+ "supported": true
9
+ },
10
+ {
11
+ "name": "getUpdates (approved cold-start tool)",
12
+ "supported": true
13
+ },
14
+ {
15
+ "name": "sendMessage (approved cold-start tool)",
16
+ "supported": true
17
+ }
18
+ ]
19
+ }
package/twin-assets/telegram/seeds/empty.json ADDED
@@ -0,0 +1 @@
1
+ {}
package/twin-assets/telegram/seeds/harvested.json ADDED
@@ -0,0 +1,130 @@
1
+ {
2
+ "botProfiles": [
3
+ {
4
+ "id": 1,
5
+ "createdAt": "2026-03-14T04:55:49.843Z",
6
+ "updatedAt": "2026-03-14T04:55:49.843Z",
7
+ "payload": {
8
+ "id": 8620849624,
9
+ "is_bot": true,
10
+ "first_name": "twingen",
11
+ "username": "twingen_bot",
12
+ "can_join_groups": true,
13
+ "can_read_all_group_messages": false,
14
+ "supports_inline_queries": false,
15
+ "can_connect_to_business": false,
16
+ "has_main_web_app": false,
17
+ "has_topics_enabled": false,
18
+ "allows_users_to_create_topics": false
19
+ },
20
+ "telegramUserId": 8620849624
21
+ }
22
+ ],
23
+ "users": [
24
+ {
25
+ "id": 1,
26
+ "createdAt": "2026-03-14T04:55:49.843Z",
27
+ "updatedAt": "2026-03-14T04:55:49.843Z",
28
+ "payload": {
29
+ "id": 8620849624,
30
+ "is_bot": true,
31
+ "first_name": "twingen",
32
+ "username": "twingen_bot",
33
+ "can_join_groups": true,
34
+ "can_read_all_group_messages": false,
35
+ "supports_inline_queries": false,
36
+ "can_connect_to_business": false,
37
+ "has_main_web_app": false,
38
+ "has_topics_enabled": false,
39
+ "allows_users_to_create_topics": false
40
+ },
41
+ "telegramUserId": 8620849624
42
+ },
43
+ {
44
+ "id": 2,
45
+ "createdAt": "2026-03-14T04:55:49.843Z",
46
+ "updatedAt": "2026-03-14T04:55:49.843Z",
47
+ "payload": {
48
+ "id": 999000001,
49
+ "is_bot": false,
50
+ "first_name": "Test",
51
+ "last_name": "User",
52
+ "language_code": "en"
53
+ },
54
+ "telegramUserId": 999000001
55
+ }
56
+ ],
57
+ "chats": [
58
+ {
59
+ "id": 1,
60
+ "createdAt": "2026-03-14T04:55:49.843Z",
61
+ "updatedAt": "2026-03-14T04:55:49.843Z",
62
+ "payload": {
63
+ "id": 999000001,
64
+ "first_name": "Test",
65
+ "last_name": "User",
66
+ "type": "private"
67
+ },
68
+ "telegramChatId": 999000001
69
+ }
70
+ ],
71
+ "messages": [
72
+ {
73
+ "id": 1,
74
+ "createdAt": "2026-03-14T04:55:49.843Z",
75
+ "updatedAt": "2026-03-14T04:55:49.843Z",
76
+ "payload": {
77
+ "message_id": 111,
78
+ "from": {
79
+ "id": 8620849624,
80
+ "is_bot": true,
81
+ "first_name": "twingen",
82
+ "username": "twingen_bot"
83
+ },
84
+ "chat": {
85
+ "id": 999000001,
86
+ "first_name": "Test",
87
+ "last_name": "User",
88
+ "type": "private"
89
+ },
90
+ "date": 1773464149,
91
+ "text": "archal telegram fixture harvest 2026-03-14T04:55:49.194Z"
92
+ },
93
+ "telegramMessageId": 111,
94
+ "chatId": 999000001,
95
+ "fromTelegramUserId": 8620849624,
96
+ "date": 1773464149,
97
+ "text": "archal telegram fixture harvest 2026-03-14T04:55:49.194Z"
98
+ }
99
+ ],
100
+ "updates": [
101
+ {
102
+ "id": 1,
103
+ "createdAt": "2026-03-14T04:55:49.843Z",
104
+ "updatedAt": "2026-03-14T04:55:49.843Z",
105
+ "payload": {
106
+ "update_id": 707484527,
107
+ "message": {
108
+ "message_id": 103,
109
+ "from": {
110
+ "id": 999000001,
111
+ "is_bot": false,
112
+ "first_name": "Test",
113
+ "last_name": "User",
114
+ "language_code": "en"
115
+ },
116
+ "chat": {
117
+ "id": 999000001,
118
+ "first_name": "Test",
119
+ "last_name": "User",
120
+ "type": "private"
121
+ },
122
+ "date": 1773461017,
123
+ "text": "message"
124
+ }
125
+ },
126
+ "telegramUpdateId": 707484527,
127
+ "kind": "message"
128
+ }
129
+ ]
130
+ }
package/LICENSE DELETED
@@ -1,8 +0,0 @@
1
- Copyright (c) 2026 Archal Labs, Inc. All rights reserved.
2
-
3
- This software is proprietary and confidential. No part of this software may be
4
- reproduced, distributed, or transmitted in any form or by any means, including
5
- photocopying, recording, or other electronic or mechanical methods, without the
6
- prior written permission of Archal Labs, Inc.
7
-
8
- For licensing inquiries, visit https://archal.ai or contact support@archal.ai.
package/dist/api-client-D7SCA64V.js DELETED
@@ -1,23 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionEvidence,
7
- getSessionHealth,
8
- getSessionStatus,
9
- startSession,
10
- updateTwinSelection
11
- } from "./chunk-SVGN2AFT.js";
12
- import "./chunk-3RG5ZIWI.js";
13
- export {
14
- endSession,
15
- fetchAuthMe,
16
- fetchTwinsCatalog,
17
- finalizeSessionEvidence,
18
- getSessionEvidence,
19
- getSessionHealth,
20
- getSessionStatus,
21
- startSession,
22
- updateTwinSelection
23
- };
package/dist/api-client-DI7R3H4C.js DELETED
@@ -1,21 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionHealth,
7
- getSessionStatus,
8
- startSession,
9
- updateTwinSelection
10
- } from "./chunk-WZXES7XO.js";
11
- import "./chunk-3RG5ZIWI.js";
12
- export {
13
- endSession,
14
- fetchAuthMe,
15
- fetchTwinsCatalog,
16
- finalizeSessionEvidence,
17
- getSessionHealth,
18
- getSessionStatus,
19
- startSession,
20
- updateTwinSelection
21
- };
package/dist/api-client-EMMBIJU7.js DELETED
@@ -1,23 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionEvidence,
7
- getSessionHealth,
8
- getSessionStatus,
9
- startSession,
10
- updateTwinSelection
11
- } from "./chunk-A6WOU5RO.js";
12
- import "./chunk-3RG5ZIWI.js";
13
- export {
14
- endSession,
15
- fetchAuthMe,
16
- fetchTwinsCatalog,
17
- finalizeSessionEvidence,
18
- getSessionEvidence,
19
- getSessionHealth,
20
- getSessionStatus,
21
- startSession,
22
- updateTwinSelection
23
- };
package/dist/api-client-VYQMFDLN.js DELETED
@@ -1,23 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionEvidence,
7
- getSessionHealth,
8
- getSessionStatus,
9
- startSession,
10
- updateTwinSelection
11
- } from "./chunk-4FTU232H.js";
12
- import "./chunk-3RG5ZIWI.js";
13
- export {
14
- endSession,
15
- fetchAuthMe,
16
- fetchTwinsCatalog,
17
- finalizeSessionEvidence,
18
- getSessionEvidence,
19
- getSessionHealth,
20
- getSessionStatus,
21
- startSession,
22
- updateTwinSelection
23
- };
package/dist/api-client-WN45C63M.js DELETED
@@ -1,23 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionEvidence,
7
- getSessionHealth,
8
- getSessionStatus,
9
- startSession,
10
- updateTwinSelection
11
- } from "./chunk-VYCADG5E.js";
12
- import "./chunk-3RG5ZIWI.js";
13
- export {
14
- endSession,
15
- fetchAuthMe,
16
- fetchTwinsCatalog,
17
- finalizeSessionEvidence,
18
- getSessionEvidence,
19
- getSessionHealth,
20
- getSessionStatus,
21
- startSession,
22
- updateTwinSelection
23
- };
package/dist/api-client-ZOCVG6CC.js DELETED
@@ -1,21 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionHealth,
7
- getSessionStatus,
8
- startSession,
9
- updateTwinSelection
10
- } from "./chunk-NZEPQ6IZ.js";
11
- import "./chunk-3RG5ZIWI.js";
12
- export {
13
- endSession,
14
- fetchAuthMe,
15
- fetchTwinsCatalog,
16
- finalizeSessionEvidence,
17
- getSessionHealth,
18
- getSessionStatus,
19
- startSession,
20
- updateTwinSelection
21
- };
package/dist/api-client-ZUMDL3TP.js DELETED
@@ -1,23 +0,0 @@
1
- import {
2
- endSession,
3
- fetchAuthMe,
4
- fetchTwinsCatalog,
5
- finalizeSessionEvidence,
6
- getSessionEvidence,
7
- getSessionHealth,
8
- getSessionStatus,
9
- startSession,
10
- updateTwinSelection
11
- } from "./chunk-UOJHYCMX.js";
12
- import "./chunk-3RG5ZIWI.js";
13
- export {
14
- endSession,
15
- fetchAuthMe,
16
- fetchTwinsCatalog,
17
- finalizeSessionEvidence,
18
- getSessionEvidence,
19
- getSessionHealth,
20
- getSessionStatus,
21
- startSession,
22
- updateTwinSelection
23
- };