npm - @bastani/atomic - Versions diffs - 0.9.0-alpha.1 → 0.9.0-alpha.2 - Mend

@bastani/atomic 0.9.0-alpha.1 → 0.9.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (211) hide show

package/CHANGELOG.md +23 -0
package/dist/builtin/cursor/CHANGELOG.md +6 -0
package/dist/builtin/cursor/package.json +2 -2
package/dist/builtin/intercom/CHANGELOG.md +6 -0
package/dist/builtin/intercom/package.json +2 -2
package/dist/builtin/mcp/CHANGELOG.md +6 -0
package/dist/builtin/mcp/package.json +3 -3
package/dist/builtin/subagents/CHANGELOG.md +6 -0
package/dist/builtin/subagents/package.json +4 -4
package/dist/builtin/web-access/CHANGELOG.md +6 -0
package/dist/builtin/web-access/package.json +2 -2
package/dist/builtin/workflows/CHANGELOG.md +12 -0
package/dist/builtin/workflows/README.md +189 -122
package/dist/builtin/workflows/builtin/deep-research-codebase.ts +30 -27
package/dist/builtin/workflows/builtin/goal-runner.ts +10 -17
package/dist/builtin/workflows/builtin/goal.ts +39 -44
package/dist/builtin/workflows/builtin/index.d.ts +1 -0
package/dist/builtin/workflows/builtin/open-claude-design-runner.ts +16 -17
package/dist/builtin/workflows/builtin/open-claude-design.d.ts +1 -0
package/dist/builtin/workflows/builtin/open-claude-design.ts +42 -50
package/dist/builtin/workflows/builtin/ralph.ts +44 -41
package/dist/builtin/workflows/package.json +2 -2
package/dist/builtin/workflows/src/authoring/typebox-defaults.d.ts +41 -0
package/dist/builtin/workflows/src/authoring/typebox-defaults.ts +217 -0
package/dist/builtin/workflows/src/authoring/workflow.ts +184 -0
package/dist/builtin/workflows/src/authoring.d.ts +14 -66
package/dist/builtin/workflows/src/engine/graph-inference.ts +100 -0
package/dist/builtin/workflows/src/engine/options.ts +40 -0
package/dist/builtin/workflows/src/engine/primitives/chain.ts +29 -0
package/dist/builtin/workflows/src/engine/primitives/exit.ts +2 -0
package/dist/builtin/workflows/src/engine/primitives/parallel.ts +47 -0
package/dist/builtin/workflows/src/engine/primitives/task.ts +108 -0
package/dist/builtin/workflows/src/engine/primitives/ui.ts +41 -0
package/dist/builtin/workflows/src/engine/primitives/workflow.ts +159 -0
package/dist/builtin/workflows/src/engine/replay.ts +8 -0
package/dist/builtin/workflows/src/engine/run.ts +356 -0
package/dist/builtin/workflows/src/engine/runtime.ts +160 -0
package/dist/builtin/workflows/src/extension/workflow-module-loader.ts +9 -3
package/dist/builtin/workflows/src/extension/workflow-schema.ts +0 -18
package/dist/builtin/workflows/src/index.ts +0 -2
package/dist/builtin/workflows/src/runs/background/runner.ts +6 -3
package/dist/builtin/workflows/src/runs/foreground/executor-child-boundary.ts +3 -3
package/dist/builtin/workflows/src/runs/foreground/executor-child-helpers.ts +4 -4
package/dist/builtin/workflows/src/runs/foreground/executor-child-workflow.ts +1 -158
package/dist/builtin/workflows/src/runs/foreground/executor-direct-helpers.ts +1 -1
package/dist/builtin/workflows/src/runs/foreground/executor-outputs.ts +2 -2
package/dist/builtin/workflows/src/runs/foreground/executor-prompt-nodes.ts +1 -1
package/dist/builtin/workflows/src/runs/foreground/executor-run.ts +1 -359
package/dist/builtin/workflows/src/runs/foreground/executor-scheduler.ts +1 -1
package/dist/builtin/workflows/src/runs/foreground/executor-stage-call.ts +2 -5
package/dist/builtin/workflows/src/runs/foreground/executor-stage-factory.ts +12 -4
package/dist/builtin/workflows/src/runs/foreground/executor-stage-replay.ts +4 -3
package/dist/builtin/workflows/src/runs/foreground/executor-stage-types.ts +9 -2
package/dist/builtin/workflows/src/runs/foreground/executor-task-context.ts +2 -132
package/dist/builtin/workflows/src/runs/foreground/executor-types.ts +2 -2
package/dist/builtin/workflows/src/runs/shared/graph-inference.ts +2 -100
package/dist/builtin/workflows/src/sdk-surface.ts +6 -9
package/dist/builtin/workflows/src/shared/authoring-contract-stage.d.ts +9 -3
package/dist/builtin/workflows/src/shared/authoring-contract-stage.ts +17 -3
package/dist/builtin/workflows/src/shared/authoring-contract-ui.d.ts +3 -33
package/dist/builtin/workflows/src/shared/authoring-contract-ui.ts +9 -81
package/dist/builtin/workflows/src/shared/types.ts +25 -8
package/dist/builtin/workflows/src/shared/workflow-authoring-types.d.ts +49 -0
package/dist/builtin/workflows/src/shared/workflow-authoring-types.ts +84 -0
package/dist/builtin/workflows/src/workflows/registry.ts +7 -3
package/dist/core/agent-session-auto-compaction.d.ts.map +1 -1
package/dist/core/agent-session-auto-compaction.js +6 -1
package/dist/core/agent-session-auto-compaction.js.map +1 -1
package/dist/core/agent-session-bash.d.ts.map +1 -1
package/dist/core/agent-session-bash.js +0 -5
package/dist/core/agent-session-bash.js.map +1 -1
package/dist/core/agent-session-methods.d.ts +0 -2
package/dist/core/agent-session-methods.d.ts.map +1 -1
package/dist/core/agent-session-methods.js.map +1 -1
package/dist/core/agent-session-services.d.ts +0 -1
package/dist/core/agent-session-services.d.ts.map +1 -1
package/dist/core/agent-session-services.js +0 -1
package/dist/core/agent-session-services.js.map +1 -1
package/dist/core/agent-session-tool-registry.d.ts.map +1 -1
package/dist/core/agent-session-tool-registry.js +0 -2
package/dist/core/agent-session-tool-registry.js.map +1 -1
package/dist/core/agent-session-types.d.ts +0 -2
package/dist/core/agent-session-types.d.ts.map +1 -1
package/dist/core/agent-session-types.js.map +1 -1
package/dist/core/agent-session.d.ts +0 -2
package/dist/core/agent-session.d.ts.map +1 -1
package/dist/core/agent-session.js +0 -1
package/dist/core/agent-session.js.map +1 -1
package/dist/core/atomic-guide-command.d.ts.map +1 -1
package/dist/core/atomic-guide-command.js +1 -1
package/dist/core/atomic-guide-command.js.map +1 -1
package/dist/core/extensions/loader-core.d.ts +1 -3
package/dist/core/extensions/loader-core.d.ts.map +1 -1
package/dist/core/extensions/loader-core.js +13 -6
package/dist/core/extensions/loader-core.js.map +1 -1
package/dist/core/extensions/loader-virtual-modules.d.ts +7 -1
package/dist/core/extensions/loader-virtual-modules.d.ts.map +1 -1
package/dist/core/extensions/loader-virtual-modules.js +34 -2
package/dist/core/extensions/loader-virtual-modules.js.map +1 -1
package/dist/core/extensions/loader.d.ts +2 -1
package/dist/core/extensions/loader.d.ts.map +1 -1
package/dist/core/extensions/loader.js +2 -1
package/dist/core/extensions/loader.js.map +1 -1
package/dist/core/index.d.ts +0 -1
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +0 -1
package/dist/core/index.js.map +1 -1
package/dist/core/model-registry-builtins.d.ts.map +1 -1
package/dist/core/model-registry-builtins.js +6 -0
package/dist/core/model-registry-builtins.js.map +1 -1
package/dist/core/model-registry-schemas.d.ts +65 -13
package/dist/core/model-registry-schemas.d.ts.map +1 -1
package/dist/core/model-registry-schemas.js +10 -0
package/dist/core/model-registry-schemas.js.map +1 -1
package/dist/core/resource-loader-core.d.ts +1 -0
package/dist/core/resource-loader-core.d.ts.map +1 -1
package/dist/core/resource-loader-core.js +2 -0
package/dist/core/resource-loader-core.js.map +1 -1
package/dist/core/resource-loader-extensions.d.ts.map +1 -1
package/dist/core/resource-loader-extensions.js +3 -3
package/dist/core/resource-loader-extensions.js.map +1 -1
package/dist/core/resource-loader-internals.d.ts +1 -0
package/dist/core/resource-loader-internals.d.ts.map +1 -1
package/dist/core/resource-loader-internals.js.map +1 -1
package/dist/core/resource-loader-reload.d.ts.map +1 -1
package/dist/core/resource-loader-reload.js +6 -2
package/dist/core/resource-loader-reload.js.map +1 -1
package/dist/core/sdk-exports.d.ts +1 -1
package/dist/core/sdk-exports.d.ts.map +1 -1
package/dist/core/sdk-exports.js.map +1 -1
package/dist/core/sdk-types.d.ts +0 -3
package/dist/core/sdk-types.d.ts.map +1 -1
package/dist/core/sdk-types.js.map +1 -1
package/dist/core/sdk.d.ts.map +1 -1
package/dist/core/sdk.js +0 -1
package/dist/core/sdk.js.map +1 -1
package/dist/core/session-manager-history.d.ts.map +1 -1
package/dist/core/session-manager-history.js +2 -1
package/dist/core/session-manager-history.js.map +1 -1
package/dist/core/tools/bash.d.ts +0 -5
package/dist/core/tools/bash.d.ts.map +1 -1
package/dist/core/tools/bash.js +10 -11
package/dist/core/tools/bash.js.map +1 -1
package/dist/core/tools/edit-diff-preserve.d.ts +18 -0
package/dist/core/tools/edit-diff-preserve.d.ts.map +1 -0
package/dist/core/tools/edit-diff-preserve.js +85 -0
package/dist/core/tools/edit-diff-preserve.js.map +1 -0
package/dist/core/tools/edit-diff.d.ts +3 -2
package/dist/core/tools/edit-diff.d.ts.map +1 -1
package/dist/core/tools/edit-diff.js +15 -18
package/dist/core/tools/edit-diff.js.map +1 -1
package/dist/core/tools/index.d.ts +0 -1
package/dist/core/tools/index.d.ts.map +1 -1
package/dist/core/tools/index.js +0 -1
package/dist/core/tools/index.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/modes/interactive/components/model-selector.d.ts.map +1 -1
package/dist/modes/interactive/components/model-selector.js +2 -2
package/dist/modes/interactive/components/model-selector.js.map +1 -1
package/dist/modes/interactive/model-search.d.ts +5 -0
package/dist/modes/interactive/model-search.d.ts.map +1 -1
package/dist/modes/interactive/model-search.js +9 -0
package/dist/modes/interactive/model-search.js.map +1 -1
package/dist/utils/shell.d.ts +1 -0
package/dist/utils/shell.d.ts.map +1 -1
package/dist/utils/shell.js +12 -5
package/dist/utils/shell.js.map +1 -1
package/docs/custom-provider.md +4 -3
package/docs/models.md +3 -2
package/docs/packages.md +2 -2
package/docs/quickstart.md +1 -1
package/docs/sdk.md +2 -40
package/docs/security.md +1 -1
package/docs/workflows.md +238 -173
package/package.json +5 -5
package/dist/builtin/workflows/src/workflows/define-workflow.ts +0 -277
package/dist/core/tools/bash-policy-compile.d.ts +0 -5
package/dist/core/tools/bash-policy-compile.d.ts.map +0 -1
package/dist/core/tools/bash-policy-compile.js +0 -241
package/dist/core/tools/bash-policy-compile.js.map +0 -1
package/dist/core/tools/bash-policy-evaluate.d.ts +0 -3
package/dist/core/tools/bash-policy-evaluate.d.ts.map +0 -1
package/dist/core/tools/bash-policy-evaluate.js +0 -92
package/dist/core/tools/bash-policy-evaluate.js.map +0 -1
package/dist/core/tools/bash-policy-format.d.ts +0 -5
package/dist/core/tools/bash-policy-format.d.ts.map +0 -1
package/dist/core/tools/bash-policy-format.js +0 -49
package/dist/core/tools/bash-policy-format.js.map +0 -1
package/dist/core/tools/bash-policy-parser.d.ts +0 -4
package/dist/core/tools/bash-policy-parser.d.ts.map +0 -1
package/dist/core/tools/bash-policy-parser.js +0 -155
package/dist/core/tools/bash-policy-parser.js.map +0 -1
package/dist/core/tools/bash-policy-segment.d.ts +0 -3
package/dist/core/tools/bash-policy-segment.d.ts.map +0 -1
package/dist/core/tools/bash-policy-segment.js +0 -275
package/dist/core/tools/bash-policy-segment.js.map +0 -1
package/dist/core/tools/bash-policy-shell.d.ts +0 -11
package/dist/core/tools/bash-policy-shell.d.ts.map +0 -1
package/dist/core/tools/bash-policy-shell.js +0 -267
package/dist/core/tools/bash-policy-shell.js.map +0 -1
package/dist/core/tools/bash-policy-types.d.ts +0 -146
package/dist/core/tools/bash-policy-types.d.ts.map +0 -1
package/dist/core/tools/bash-policy-types.js +0 -2
package/dist/core/tools/bash-policy-types.js.map +0 -1
package/dist/core/tools/bash-policy.d.ts +0 -6
package/dist/core/tools/bash-policy.d.ts.map +0 -1
package/dist/core/tools/bash-policy.js +0 -5
package/dist/core/tools/bash-policy.js.map +0 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/atomic",
-  "version": "0.9.0-alpha.1",
+  "version": "0.9.0-alpha.2",
   "description": "Atomic coding agent CLI with read, bash, edit, write tools and session management",
   "type": "module",
   "atomicConfig": {
@@ -68,11 +68,11 @@
     "prepublishOnly": "bun run clean && bun run build"
   },
   "dependencies": {
-    "@bastani/atomic-natives": "0.9.0-alpha.1",
+    "@bastani/atomic-natives": "0.9.0-alpha.2",
     "@bufbuild/protobuf": "^2.0.0",
-    "@earendil-works/pi-agent-core": "^0.79.7",
-    "@earendil-works/pi-ai": "^0.79.7",
-    "@earendil-works/pi-tui": "^0.79.7",
+    "@earendil-works/pi-agent-core": "^0.79.9",
+    "@earendil-works/pi-ai": "^0.79.9",
+    "@earendil-works/pi-tui": "^0.79.9",
     "@modelcontextprotocol/ext-apps": "^1.7.2",
     "@modelcontextprotocol/sdk": "^1.25.1",
     "@mozilla/readability": "^0.6.0",

package/dist/builtin/workflows/src/workflows/define-workflow.ts DELETED Viewed

@@ -1,277 +0,0 @@
-/**
- * Workflow definition builder.
- * Authoring API: defineWorkflow(name).description(...).input(...).run(fn).compile()
- *
- * Immutable/chained semantics: every builder method returns a NEW builder
- * instance; the previous instance is unchanged.
- *
- * cross-ref: v0.x packages/atomic-sdk/src/define-workflow.ts
- */
-import type { Static, TOptional, TSchema } from "typebox";
-import type * as AuthoringContract from "../shared/authoring-contract.js";
-import type {
-  WorkflowDefinition,
-  WorkflowInputBindings,
-  WorkflowInputValues,
-  WorkflowOutputValues,
-  WorkflowRunContext,
-  WorkflowSerializableValue,
-  WorkflowRunFn,
-  WorkflowWorktreeInputBinding,
-} from "../shared/types.js";
-import { normalizeWorkflowName } from "./identity.js";
-const BRANDED_WORKFLOW_DEFINITIONS = new WeakSet<object>();
-// Package-internal runtime brand. It deliberately is not exported through the
-// public SDK surface; only defineWorkflow(...).compile() and executor-created
-// direct workflows can mint discoverable definitions.
-export function stampWorkflowDefinition<
-  TInputs extends WorkflowInputValues,
-  TOutputs extends WorkflowOutputValues,
->(
-  definition: WorkflowDefinition<TInputs, TOutputs>,
-): WorkflowDefinition<TInputs, TOutputs> {
-  BRANDED_WORKFLOW_DEFINITIONS.add(definition);
-  return definition;
-}
-export function isBrandedWorkflowDefinition(value: unknown): value is WorkflowDefinition {
-  return value !== null &&
-    typeof value === "object" &&
-    BRANDED_WORKFLOW_DEFINITIONS.has(value);
-}
-// ---------------------------------------------------------------------------
-// Type inference helpers (TypeBox Static<> mapping)
-// ---------------------------------------------------------------------------
-/**
- * One declared key as a single-key object type. An `Type.Optional(...)` schema
- * makes the KEY optional (so access yields `T | undefined`); every other schema
- * — including a defaulted one — makes the key required (defaults are always
- * present at runtime after they are applied). A schema `default` is not
- * detectable at the type level, which is the correct behavior here.
- */
-type DeclaredEntry<K extends string, S extends TSchema> =
-  S extends TOptional<TSchema>
-    ? { readonly [P in K]?: Static<S> }
-    : { readonly [P in K]: Static<S> };
-/** Collapse an accumulated intersection into a single, readable object type. */
-type Simplify<T> = { [K in keyof T]: T[K] } & {};
-type SimplifyWorkflowOutputs<T> = Simplify<T>;
-type DeclaredOutputEntry<K extends string, S extends TSchema> =
-  S extends TOptional<TSchema>
-    ? { readonly [P in K]?: Static<S> & WorkflowSerializableValue }
-    : { readonly [P in K]: Static<S> & WorkflowSerializableValue };
-type AccumulateWorkflowOutput<TOutputs, K extends string, S extends TSchema> = Simplify<
-  string extends keyof TOutputs
-    ? DeclaredOutputEntry<K, S>
-    : TOutputs & DeclaredOutputEntry<K, S>
->;
-interface BuilderState<TInputs extends WorkflowInputValues> {
-  readonly name: string;
-  readonly description: string;
-  readonly inputs: Readonly<Record<string, TSchema>>;
-  readonly outputs: Readonly<Record<string, TSchema>>;
-  readonly inputBindings: WorkflowInputBindings;
-  // Stored type-erased on outputs: the builder threads the precise output map
-  // through its public interface, but the immutable state survives across
-  // generic changes, so it keeps the loose run-fn type and re-applies the
-  // precise type at .run()/.compile() boundaries via casts.
-  readonly runFn: WorkflowRunFn<TInputs, WorkflowOutputValues> | undefined;
-}
-// ---------------------------------------------------------------------------
-// Public builder interfaces — split so .compile() only appears after .run()
-// ---------------------------------------------------------------------------
-/**
- * Builder returned by defineWorkflow(name) before .run() is called.
- * Allows chaining .description() and .input() in any order; .run() seals
- * the run function and returns a CompletedWorkflowBuilder.
- *
- * TInputs defaults to serializable input values so compiled definitions stay
- * compatible with the type-erased registry without casts.
- */
-export interface WorkflowBuilder<
-  TInputs extends WorkflowInputValues = {},
-  TOutputs extends WorkflowOutputValues = {},
-> extends Omit<
-  AuthoringContract.WorkflowBuilder<TInputs, TOutputs>,
-  "description" | "input" | "output" | "worktreeFromInputs" | "run"
-> {
-  description(text: string): WorkflowBuilder<TInputs, TOutputs>;
-  input<K extends string, S extends TSchema>(key: K, schema: S): WorkflowBuilder<TInputs & DeclaredEntry<K, S>, TOutputs>;
-  output<K extends string, S extends TSchema>(key: K, schema: S): WorkflowBuilder<TInputs, AccumulateWorkflowOutput<TOutputs, K, S>>;
-  worktreeFromInputs(binding: WorkflowWorktreeInputBinding): WorkflowBuilder<TInputs, TOutputs>;
-  run<TActualOutputs extends SimplifyWorkflowOutputs<TOutputs>>(
-    fn: (ctx: WorkflowRunContext<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>) => Promise<AuthoringContract.NoExtraOutputs<SimplifyWorkflowOutputs<TOutputs>, TActualOutputs>> | AuthoringContract.NoExtraOutputs<SimplifyWorkflowOutputs<TOutputs>, TActualOutputs>,
-  ): CompletedWorkflowBuilder<TInputs, TOutputs>;
-}
-/**
- * Builder returned after .run() is called.
- * Still allows chaining .description() and .input(); .compile() is now available.
- */
-export interface CompletedWorkflowBuilder<
-  TInputs extends WorkflowInputValues,
-  TOutputs extends WorkflowOutputValues,
-> extends Omit<
-  AuthoringContract.CompletedWorkflowBuilder<TInputs, TOutputs>,
-  "description" | "input" | "output" | "worktreeFromInputs" | "run" | "compile"
-> {
-  description(text: string): CompletedWorkflowBuilder<TInputs, TOutputs>;
-  input<K extends string, S extends TSchema>(key: K, schema: S): CompletedWorkflowBuilder<TInputs & DeclaredEntry<K, S>, TOutputs>;
-  output<K extends string, S extends TSchema>(key: K, schema: S): CompletedWorkflowBuilder<TInputs, AccumulateWorkflowOutput<TOutputs, K, S>>;
-  worktreeFromInputs(binding: WorkflowWorktreeInputBinding): CompletedWorkflowBuilder<TInputs, TOutputs>;
-  run<TActualOutputs extends SimplifyWorkflowOutputs<TOutputs>>(
-    fn: (ctx: WorkflowRunContext<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>) => Promise<AuthoringContract.NoExtraOutputs<SimplifyWorkflowOutputs<TOutputs>, TActualOutputs>> | AuthoringContract.NoExtraOutputs<SimplifyWorkflowOutputs<TOutputs>, TActualOutputs>,
-  ): CompletedWorkflowBuilder<TInputs, TOutputs>;
-  compile(): WorkflowDefinition<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>;
-}
-// ---------------------------------------------------------------------------
-// Internal factory — constructs a builder from immutable state
-// ---------------------------------------------------------------------------
-function requireNonEmptyString(value: string, label: string): void {
-  if (typeof value !== "string" || value.trim().length === 0) {
-    throw new TypeError(`defineWorkflow: ${label} must be a non-empty string`);
-  }
-}
-// Freeze only the top-level map. The per-key TypeBox schemas are shared,
-// internally-symbol-keyed objects and must not be shallow-cloned (that would
-// drop the Kind/Optional symbols the runtime validator relies on).
-function freezeSchemaMap(
-  schemas: Readonly<Record<string, TSchema>>,
-): Readonly<Record<string, TSchema>> {
-  return Object.freeze({ ...schemas });
-}
-function makeBuilder<
-  TInputs extends WorkflowInputValues,
-  TOutputs extends WorkflowOutputValues,
->(
-  state: BuilderState<TInputs>,
-): WorkflowBuilder<TInputs, TOutputs> & CompletedWorkflowBuilder<TInputs, TOutputs> {
-  return {
-    description(text: string) {
-      return makeBuilder<TInputs, TOutputs>({ ...state, description: text });
-    },
-    input<K extends string, S extends TSchema>(key: K, schema: S) {
-      requireNonEmptyString(key, "input key");
-      return makeBuilder<TInputs & DeclaredEntry<K, S>, TOutputs>({
-        ...state,
-        inputs: { ...state.inputs, [key]: schema },
-      } as BuilderState<TInputs & DeclaredEntry<K, S>>);
-    },
-    output<K extends string, S extends TSchema>(key: K, schema: S) {
-      requireNonEmptyString(key, "output key");
-      return makeBuilder<TInputs, AccumulateWorkflowOutput<TOutputs, K, S>>({
-        ...state,
-        outputs: { ...state.outputs, [key]: schema },
-      });
-    },
-    worktreeFromInputs(binding: WorkflowWorktreeInputBinding) {
-      return makeBuilder<TInputs, TOutputs>({
-        ...state,
-        inputBindings: {
-          ...state.inputBindings,
-          worktree: { ...binding },
-        },
-      });
-    },
-    run<TActualOutputs extends SimplifyWorkflowOutputs<TOutputs>>(
-      fn: (ctx: WorkflowRunContext<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>) => Promise<AuthoringContract.NoExtraOutputs<SimplifyWorkflowOutputs<TOutputs>, TActualOutputs>> | AuthoringContract.NoExtraOutputs<SimplifyWorkflowOutputs<TOutputs>, TActualOutputs>,
-    ) {
-      return makeBuilder<TInputs, TOutputs>({
-        ...state,
-        runFn: fn as unknown as WorkflowRunFn<TInputs, WorkflowOutputValues>,
-      });
-    },
-    compile(): WorkflowDefinition<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>> {
-      if (!state.runFn) {
-        throw new Error(
-          `defineWorkflow("${state.name}"): .run(fn) must be called before .compile()`,
-        );
-      }
-      const normalizedName = normalizeWorkflowName(state.name);
-      // Deep-freeze nested maps first, then the top-level definition.
-      const frozenInputs = freezeSchemaMap(state.inputs);
-      const frozenOutputs = freezeSchemaMap(state.outputs);
-      const inputBindings = Object.freeze({
-        ...state.inputBindings,
-        ...(state.inputBindings.worktree !== undefined
-          ? { worktree: Object.freeze({ ...state.inputBindings.worktree }) }
-          : {}),
-      });
-      const definition = {
-        __piWorkflow: true,
-        name: state.name,
-        normalizedName,
-        description: state.description,
-        inputs: frozenInputs,
-        ...(Object.keys(frozenOutputs).length > 0 ? { outputs: frozenOutputs } : {}),
-        ...(Object.keys(inputBindings).length > 0 ? { inputBindings } : {}),
-        run: state.runFn as unknown as WorkflowRunFn<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>,
-      } as WorkflowDefinition<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>;
-      // Stamp before freezing so the WeakSet brand can be attached.
-      stampWorkflowDefinition(definition);
-      return Object.freeze(definition) as WorkflowDefinition<Simplify<TInputs>, SimplifyWorkflowOutputs<TOutputs>>;
-    },
-  };
-}
-// ---------------------------------------------------------------------------
-// Public entry point
-// ---------------------------------------------------------------------------
-/**
- * Start building a workflow definition.
- *
- * @example
- * import { defineWorkflow, Type } from "@bastani/workflows";
- *
- * export default defineWorkflow("deep-research-codebase")
- *   .description("Scout → specialists → aggregator")
- *   .input("prompt", Type.String({ description: "research question" }))
- *   .input("max_partitions", Type.Number({ default: 4 }))
- *   .run(async (ctx) => {
- *     const scout = ctx.stage("scout");
- *     const findings = await scout.prompt(`Scout: ${ctx.inputs.prompt}`);
- *     return { findings };
- *   })
- *   .compile();
- */
-export function defineWorkflow(name: string): WorkflowBuilder {
-  if (!name || typeof name !== "string") {
-    throw new TypeError("defineWorkflow: name must be a non-empty string");
-  }
-  const initialState: BuilderState<{}> = {
-    name,
-    description: "",
-    inputs: {},
-    outputs: {},
-    inputBindings: {},
-    runFn: undefined,
-  };
-  return makeBuilder<{}, {}>(initialState);
-}

package/dist/core/tools/bash-policy-compile.d.ts DELETED Viewed

@@ -1,5 +0,0 @@
-import type { BashCommandPolicy, BashCommandPolicyMatchMode, CompileResult } from "./bash-policy-types.ts";
-export declare function compilePolicy(policy: BashCommandPolicy): CompileResult;
-export declare function validateBashCommandPolicy(policy: BashCommandPolicy): void;
-export declare function invalidPolicyMode(policy: BashCommandPolicy): BashCommandPolicyMatchMode;
-//# sourceMappingURL=bash-policy-compile.d.ts.map

package/dist/core/tools/bash-policy-compile.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"bash-policy-compile.d.ts","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-compile.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,iBAAiB,EACjB,0BAA0B,EAG1B,aAAa,EAGb,MAAM,wBAAwB,CAAC;AAqNhC,wBAAgB,aAAa,CAAC,MAAM,EAAE,iBAAiB,GAAG,aAAa,CA2CtE;AAED,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAKzE;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,GAAG,0BAA0B,CAGvF","sourcesContent":["import type {\n\tBashCommandPolicy,\n\tBashCommandPolicyMatchMode,\n\tBashCommandRule,\n\tCompiledRule,\n\tCompileResult,\n\tCompileRuleResult,\n\tCompileRulesResult,\n} from \"./bash-policy-types.ts\";\n\ntype RuntimePropertyValue =\n\t| string\n\t| number\n\t| boolean\n\t| bigint\n\t| symbol\n\t| null\n\t| object\n\t| ((...args: readonly never[]) => RuntimePropertyValue)\n\t| undefined;\n\ntype RuleObjectKey = \"prefix\" | \"glob\" | \"regex\" | \"flags\";\n\nconst BASH_POLICY_TOP_LEVEL_KEYS = [\"default\", \"allow\", \"deny\", \"match\"] as const;\nconst BASH_POLICY_TOP_LEVEL_KEY_SET: ReadonlySet<string> = new Set(BASH_POLICY_TOP_LEVEL_KEYS);\n\nfunction hasOwnRuleKey<Key extends RuleObjectKey>(\n\tvalue: object,\n\tkey: Key,\n): value is Record<Key, RuntimePropertyValue> {\n\treturn Object.prototype.hasOwnProperty.call(value, key);\n}\n\nfunction hasOnlyRuleKeys(value: object, allowedKeys: readonly string[]): boolean {\n\treturn Object.keys(value).every((key) => allowedKeys.includes(key));\n}\n\nfunction unknownBashPolicyTopLevelKeys(policy: object): readonly string[] {\n\treturn Object.keys(policy).filter((key) => !BASH_POLICY_TOP_LEVEL_KEY_SET.has(key));\n}\n\nfunction escapeRegexLiteral(value: string): string {\n\treturn value.replace(/[\\\\^$.*+?()[\\]{}|]/g, \"\\\\$&\");\n}\n\nfunction escapeGlobClassCharacter(char: string): string {\n\tif (char === \"\\\\\") return \"\\\\\\\\\";\n\tif (char === \"]\") return \"\\\\]\";\n\tif (char === \"[\") return \"\\\\[\";\n\treturn char;\n}\n\nfunction escapeEscapedGlobClassCharacter(char: string): string {\n\tif (char === \"\\\\\") return \"\\\\\\\\\";\n\tif (char === \"-\") return \"\\\\-\";\n\tif (char === \"^\") return \"\\\\^\";\n\tif (char === \"]\") return \"\\\\]\";\n\tif (char === \"[\") return \"\\\\[\";\n\treturn char;\n}\n\nfunction readGlobBracketClass(\n\tpattern: string,\n\topenIndex: number,\n): { readonly regexSource: string; readonly closeIndex: number } | undefined {\n\tlet cursor = openIndex + 1;\n\tlet negated = false;\n\tlet hasContent = false;\n\tlet content = \"\";\n\n\tif (cursor >= pattern.length) return undefined;\n\tif (pattern[cursor] === \"!\" || pattern[cursor] === \"^\") {\n\t\tnegated = true;\n\t\tcursor += 1;\n\t}\n\tif (pattern[cursor] === \"]\") {\n\t\tcontent += \"\\\\]\";\n\t\thasContent = true;\n\t\tcursor += 1;\n\t}\n\n\tfor (; cursor < pattern.length; cursor += 1) {\n\t\tconst char = pattern[cursor]!;\n\t\tif (char === \"]\") {\n\t\t\tif (!hasContent) return undefined;\n\t\t\treturn { regexSource: `[${negated ? \"^\" : \"\"}${content}]`, closeIndex: cursor };\n\t\t}\n\t\thasContent = true;\n\t\tif (char === \"\\\\\" && cursor + 1 < pattern.length) {\n\t\t\tcursor += 1;\n\t\t\tcontent += escapeEscapedGlobClassCharacter(pattern[cursor]!);\n\t\t\tcontinue;\n\t\t}\n\t\tcontent += escapeGlobClassCharacter(char);\n\t}\n\n\treturn undefined;\n}\n\nfunction compileCommandStringGlob(pattern: string): RegExp {\n\tlet source = \"^\";\n\tfor (let index = 0; index < pattern.length; index += 1) {\n\t\tconst char = pattern[index]!;\n\t\tif (char === \"*\") {\n\t\t\tsource += \".*\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"?\") {\n\t\t\tsource += \".\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"[\") {\n\t\t\tconst bracket = readGlobBracketClass(pattern, index);\n\t\t\tif (bracket !== undefined) {\n\t\t\t\tsource += bracket.regexSource;\n\t\t\t\tindex = bracket.closeIndex;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t\tif (char === \"\\\\\" && index + 1 < pattern.length) {\n\t\t\tindex += 1;\n\t\t\tsource += escapeRegexLiteral(pattern[index]!);\n\t\t\tcontinue;\n\t\t}\n\t\tsource += escapeRegexLiteral(char);\n\t}\n\treturn new RegExp(`${source}$`);\n}\n\nfunction compileRule(rule: BashCommandRule, listName: \"allow\" | \"deny\", index: number): CompileRuleResult {\n\tif (typeof rule === \"string\") {\n\t\tif (rule.length === 0) {\n\t\t\treturn { ok: false, message: `${listName}[${index}] exact rule must not be empty` };\n\t\t}\n\t\treturn { ok: true, rule: { kind: \"exact\", source: rule, value: rule } };\n\t}\n\n\tif (typeof rule !== \"object\" || rule === null || Array.isArray(rule)) {\n\t\treturn { ok: false, message: `${listName}[${index}] rule must be a non-empty string or an object rule` };\n\t}\n\n\tconst hasPrefix = hasOwnRuleKey(rule, \"prefix\");\n\tconst hasGlob = hasOwnRuleKey(rule, \"glob\");\n\tconst hasRegex = hasOwnRuleKey(rule, \"regex\");\n\tconst variantCount = (hasPrefix ? 1 : 0) + (hasGlob ? 1 : 0) + (hasRegex ? 1 : 0);\n\tif (variantCount !== 1) {\n\t\treturn {\n\t\t\tok: false,\n\t\t\tmessage: `${listName}[${index}] must specify exactly one of prefix, glob, or regex`,\n\t\t};\n\t}\n\n\tif (hasPrefix) {\n\t\tif (!hasOnlyRuleKeys(rule, [\"prefix\"])) {\n\t\t\treturn { ok: false, message: `${listName}[${index}] prefix rule must only contain prefix` };\n\t\t}\n\t\tif (typeof rule.prefix !== \"string\") {\n\t\t\treturn { ok: false, message: `${listName}[${index}].prefix must be a string` };\n\t\t}\n\t\tif (rule.prefix.length === 0) {\n\t\t\treturn { ok: false, message: `${listName}[${index}].prefix must not be empty` };\n\t\t}\n\t\treturn { ok: true, rule: { kind: \"prefix\", source: rule, value: rule.prefix } };\n\t}\n\n\tif (hasGlob) {\n\t\tif (!hasOnlyRuleKeys(rule, [\"glob\"])) {\n\t\t\treturn { ok: false, message: `${listName}[${index}] glob rule must only contain glob` };\n\t\t}\n\t\tif (typeof rule.glob !== \"string\") {\n\t\t\treturn { ok: false, message: `${listName}[${index}].glob must be a string` };\n\t\t}\n\t\tif (rule.glob.length === 0) {\n\t\t\treturn { ok: false, message: `${listName}[${index}].glob must not be empty` };\n\t\t}\n\t\ttry {\n\t\t\treturn { ok: true, rule: { kind: \"glob\", source: rule, value: compileCommandStringGlob(rule.glob) } };\n\t\t} catch {\n\t\t\treturn { ok: false, message: `${listName}[${index}].glob is not a valid command string glob` };\n\t\t}\n\t}\n\n\tif (!hasOnlyRuleKeys(rule, [\"regex\", \"flags\"])) {\n\t\treturn { ok: false, message: `${listName}[${index}] regex rule must only contain regex and optional flags` };\n\t}\n\tif (typeof rule.regex !== \"string\") {\n\t\treturn { ok: false, message: `${listName}[${index}].regex must be a string` };\n\t}\n\tif (rule.regex.length === 0) {\n\t\treturn { ok: false, message: `${listName}[${index}].regex must not be empty` };\n\t}\n\tconst hasFlags = hasOwnRuleKey(rule, \"flags\");\n\tif (hasFlags && typeof rule.flags !== \"string\") {\n\t\treturn { ok: false, message: `${listName}[${index}].flags must be a string when present` };\n\t}\n\tconst flags = hasFlags && typeof rule.flags === \"string\" ? rule.flags : \"\";\n\tif (/[gy]/.test(flags)) {\n\t\treturn {\n\t\t\tok: false,\n\t\t\tmessage: `${listName}[${index}].flags must not include stateful g or y regex flags`,\n\t\t};\n\t}\n\ttry {\n\t\treturn { ok: true, rule: { kind: \"regex\", source: rule, value: new RegExp(rule.regex, flags) } };\n\t} catch {\n\t\treturn { ok: false, message: `${listName}[${index}].regex is not a valid JavaScript RegExp` };\n\t}\n}\n\nfunction compileRules(rules: readonly BashCommandRule[] | undefined, listName: \"allow\" | \"deny\"): CompileRulesResult {\n\tconst compiled: CompiledRule[] = [];\n\tif (rules === undefined) return { ok: true, rules: compiled };\n\tfor (let index = 0; index < rules.length; index += 1) {\n\t\tconst rule = rules[index]!;\n\t\tconst result = compileRule(rule, listName, index);\n\t\tif (!result.ok) return result;\n\t\tcompiled.push(result.rule);\n\t}\n\treturn { ok: true, rules: compiled };\n}\n\nexport function compilePolicy(policy: BashCommandPolicy): CompileResult {\n\tif (typeof policy !== \"object\" || policy === null || Array.isArray(policy)) {\n\t\treturn { ok: false, message: \"bash policy must be a non-null object\" };\n\t}\n\n\tconst unknownKeys = unknownBashPolicyTopLevelKeys(policy);\n\tif (unknownKeys.length > 0) {\n\t\tconst formattedKeys = unknownKeys.map((key) => JSON.stringify(key)).join(\", \");\n\t\treturn {\n\t\t\tok: false,\n\t\t\tmessage: `bash policy contains unknown top-level key${unknownKeys.length === 1 ? \"\" : \"s\"} ${formattedKeys}; allowed keys are default, allow, deny, and match`,\n\t\t};\n\t}\n\n\tconst defaultDecision = policy.default === undefined ? \"allow\" : policy.default;\n\tif (defaultDecision !== \"allow\" && defaultDecision !== \"deny\") {\n\t\treturn { ok: false, message: `bash policy default must be \"allow\" or \"deny\"` };\n\t}\n\tconst match = policy.match === undefined ? \"segments\" : policy.match;\n\tif (match !== \"whole\" && match !== \"segments\") {\n\t\treturn { ok: false, message: `bash policy match must be \"whole\" or \"segments\"` };\n\t}\n\tif (policy.allow !== undefined && !Array.isArray(policy.allow)) {\n\t\treturn { ok: false, message: \"bash policy allow must be an array\" };\n\t}\n\tif (policy.deny !== undefined && !Array.isArray(policy.deny)) {\n\t\treturn { ok: false, message: \"bash policy deny must be an array\" };\n\t}\n\n\tconst allow = compileRules(policy.allow, \"allow\");\n\tif (!allow.ok) return allow;\n\tconst deny = compileRules(policy.deny, \"deny\");\n\tif (!deny.ok) return deny;\n\n\treturn {\n\t\tok: true,\n\t\tpolicy: {\n\t\t\tdefaultDecision,\n\t\t\tmatch,\n\t\t\tallow: allow.rules,\n\t\t\tdeny: deny.rules,\n\t\t},\n\t};\n}\n\nexport function validateBashCommandPolicy(policy: BashCommandPolicy): void {\n\tconst compiled = compilePolicy(policy);\n\tif (!compiled.ok) {\n\t\tthrow new Error(`Invalid bash command policy: ${compiled.message}`);\n\t}\n}\n\nexport function invalidPolicyMode(policy: BashCommandPolicy): BashCommandPolicyMatchMode {\n\tif (typeof policy !== \"object\" || policy === null || Array.isArray(policy)) return \"segments\";\n\treturn policy.match === \"whole\" ? \"whole\" : \"segments\";\n}\n"]}

package/dist/core/tools/bash-policy-compile.js DELETED Viewed

@@ -1,241 +0,0 @@
-const BASH_POLICY_TOP_LEVEL_KEYS = ["default", "allow", "deny", "match"];
-const BASH_POLICY_TOP_LEVEL_KEY_SET = new Set(BASH_POLICY_TOP_LEVEL_KEYS);
-function hasOwnRuleKey(value, key) {
-    return Object.prototype.hasOwnProperty.call(value, key);
-}
-function hasOnlyRuleKeys(value, allowedKeys) {
-    return Object.keys(value).every((key) => allowedKeys.includes(key));
-}
-function unknownBashPolicyTopLevelKeys(policy) {
-    return Object.keys(policy).filter((key) => !BASH_POLICY_TOP_LEVEL_KEY_SET.has(key));
-}
-function escapeRegexLiteral(value) {
-    return value.replace(/[\\^$.*+?()[\]{}|]/g, "\\$&");
-}
-function escapeGlobClassCharacter(char) {
-    if (char === "\\")
-        return "\\\\";
-    if (char === "]")
-        return "\\]";
-    if (char === "[")
-        return "\\[";
-    return char;
-}
-function escapeEscapedGlobClassCharacter(char) {
-    if (char === "\\")
-        return "\\\\";
-    if (char === "-")
-        return "\\-";
-    if (char === "^")
-        return "\\^";
-    if (char === "]")
-        return "\\]";
-    if (char === "[")
-        return "\\[";
-    return char;
-}
-function readGlobBracketClass(pattern, openIndex) {
-    let cursor = openIndex + 1;
-    let negated = false;
-    let hasContent = false;
-    let content = "";
-    if (cursor >= pattern.length)
-        return undefined;
-    if (pattern[cursor] === "!" || pattern[cursor] === "^") {
-        negated = true;
-        cursor += 1;
-    }
-    if (pattern[cursor] === "]") {
-        content += "\\]";
-        hasContent = true;
-        cursor += 1;
-    }
-    for (; cursor < pattern.length; cursor += 1) {
-        const char = pattern[cursor];
-        if (char === "]") {
-            if (!hasContent)
-                return undefined;
-            return { regexSource: `[${negated ? "^" : ""}${content}]`, closeIndex: cursor };
-        }
-        hasContent = true;
-        if (char === "\\" && cursor + 1 < pattern.length) {
-            cursor += 1;
-            content += escapeEscapedGlobClassCharacter(pattern[cursor]);
-            continue;
-        }
-        content += escapeGlobClassCharacter(char);
-    }
-    return undefined;
-}
-function compileCommandStringGlob(pattern) {
-    let source = "^";
-    for (let index = 0; index < pattern.length; index += 1) {
-        const char = pattern[index];
-        if (char === "*") {
-            source += ".*";
-            continue;
-        }
-        if (char === "?") {
-            source += ".";
-            continue;
-        }
-        if (char === "[") {
-            const bracket = readGlobBracketClass(pattern, index);
-            if (bracket !== undefined) {
-                source += bracket.regexSource;
-                index = bracket.closeIndex;
-                continue;
-            }
-        }
-        if (char === "\\" && index + 1 < pattern.length) {
-            index += 1;
-            source += escapeRegexLiteral(pattern[index]);
-            continue;
-        }
-        source += escapeRegexLiteral(char);
-    }
-    return new RegExp(`${source}$`);
-}
-function compileRule(rule, listName, index) {
-    if (typeof rule === "string") {
-        if (rule.length === 0) {
-            return { ok: false, message: `${listName}[${index}] exact rule must not be empty` };
-        }
-        return { ok: true, rule: { kind: "exact", source: rule, value: rule } };
-    }
-    if (typeof rule !== "object" || rule === null || Array.isArray(rule)) {
-        return { ok: false, message: `${listName}[${index}] rule must be a non-empty string or an object rule` };
-    }
-    const hasPrefix = hasOwnRuleKey(rule, "prefix");
-    const hasGlob = hasOwnRuleKey(rule, "glob");
-    const hasRegex = hasOwnRuleKey(rule, "regex");
-    const variantCount = (hasPrefix ? 1 : 0) + (hasGlob ? 1 : 0) + (hasRegex ? 1 : 0);
-    if (variantCount !== 1) {
-        return {
-            ok: false,
-            message: `${listName}[${index}] must specify exactly one of prefix, glob, or regex`,
-        };
-    }
-    if (hasPrefix) {
-        if (!hasOnlyRuleKeys(rule, ["prefix"])) {
-            return { ok: false, message: `${listName}[${index}] prefix rule must only contain prefix` };
-        }
-        if (typeof rule.prefix !== "string") {
-            return { ok: false, message: `${listName}[${index}].prefix must be a string` };
-        }
-        if (rule.prefix.length === 0) {
-            return { ok: false, message: `${listName}[${index}].prefix must not be empty` };
-        }
-        return { ok: true, rule: { kind: "prefix", source: rule, value: rule.prefix } };
-    }
-    if (hasGlob) {
-        if (!hasOnlyRuleKeys(rule, ["glob"])) {
-            return { ok: false, message: `${listName}[${index}] glob rule must only contain glob` };
-        }
-        if (typeof rule.glob !== "string") {
-            return { ok: false, message: `${listName}[${index}].glob must be a string` };
-        }
-        if (rule.glob.length === 0) {
-            return { ok: false, message: `${listName}[${index}].glob must not be empty` };
-        }
-        try {
-            return { ok: true, rule: { kind: "glob", source: rule, value: compileCommandStringGlob(rule.glob) } };
-        }
-        catch {
-            return { ok: false, message: `${listName}[${index}].glob is not a valid command string glob` };
-        }
-    }
-    if (!hasOnlyRuleKeys(rule, ["regex", "flags"])) {
-        return { ok: false, message: `${listName}[${index}] regex rule must only contain regex and optional flags` };
-    }
-    if (typeof rule.regex !== "string") {
-        return { ok: false, message: `${listName}[${index}].regex must be a string` };
-    }
-    if (rule.regex.length === 0) {
-        return { ok: false, message: `${listName}[${index}].regex must not be empty` };
-    }
-    const hasFlags = hasOwnRuleKey(rule, "flags");
-    if (hasFlags && typeof rule.flags !== "string") {
-        return { ok: false, message: `${listName}[${index}].flags must be a string when present` };
-    }
-    const flags = hasFlags && typeof rule.flags === "string" ? rule.flags : "";
-    if (/[gy]/.test(flags)) {
-        return {
-            ok: false,
-            message: `${listName}[${index}].flags must not include stateful g or y regex flags`,
-        };
-    }
-    try {
-        return { ok: true, rule: { kind: "regex", source: rule, value: new RegExp(rule.regex, flags) } };
-    }
-    catch {
-        return { ok: false, message: `${listName}[${index}].regex is not a valid JavaScript RegExp` };
-    }
-}
-function compileRules(rules, listName) {
-    const compiled = [];
-    if (rules === undefined)
-        return { ok: true, rules: compiled };
-    for (let index = 0; index < rules.length; index += 1) {
-        const rule = rules[index];
-        const result = compileRule(rule, listName, index);
-        if (!result.ok)
-            return result;
-        compiled.push(result.rule);
-    }
-    return { ok: true, rules: compiled };
-}
-export function compilePolicy(policy) {
-    if (typeof policy !== "object" || policy === null || Array.isArray(policy)) {
-        return { ok: false, message: "bash policy must be a non-null object" };
-    }
-    const unknownKeys = unknownBashPolicyTopLevelKeys(policy);
-    if (unknownKeys.length > 0) {
-        const formattedKeys = unknownKeys.map((key) => JSON.stringify(key)).join(", ");
-        return {
-            ok: false,
-            message: `bash policy contains unknown top-level key${unknownKeys.length === 1 ? "" : "s"} ${formattedKeys}; allowed keys are default, allow, deny, and match`,
-        };
-    }
-    const defaultDecision = policy.default === undefined ? "allow" : policy.default;
-    if (defaultDecision !== "allow" && defaultDecision !== "deny") {
-        return { ok: false, message: `bash policy default must be "allow" or "deny"` };
-    }
-    const match = policy.match === undefined ? "segments" : policy.match;
-    if (match !== "whole" && match !== "segments") {
-        return { ok: false, message: `bash policy match must be "whole" or "segments"` };
-    }
-    if (policy.allow !== undefined && !Array.isArray(policy.allow)) {
-        return { ok: false, message: "bash policy allow must be an array" };
-    }
-    if (policy.deny !== undefined && !Array.isArray(policy.deny)) {
-        return { ok: false, message: "bash policy deny must be an array" };
-    }
-    const allow = compileRules(policy.allow, "allow");
-    if (!allow.ok)
-        return allow;
-    const deny = compileRules(policy.deny, "deny");
-    if (!deny.ok)
-        return deny;
-    return {
-        ok: true,
-        policy: {
-            defaultDecision,
-            match,
-            allow: allow.rules,
-            deny: deny.rules,
-        },
-    };
-}
-export function validateBashCommandPolicy(policy) {
-    const compiled = compilePolicy(policy);
-    if (!compiled.ok) {
-        throw new Error(`Invalid bash command policy: ${compiled.message}`);
-    }
-}
-export function invalidPolicyMode(policy) {
-    if (typeof policy !== "object" || policy === null || Array.isArray(policy))
-        return "segments";
-    return policy.match === "whole" ? "whole" : "segments";
-}
-//# sourceMappingURL=bash-policy-compile.js.map

package/dist/core/tools/bash-policy-compile.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"bash-policy-compile.js","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-compile.ts"],"names":[],"mappings":"AAuBA,MAAM,0BAA0B,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAU,CAAC;AAClF,MAAM,6BAA6B,GAAwB,IAAI,GAAG,CAAC,0BAA0B,CAAC,CAAC;AAE/F,SAAS,aAAa,CACrB,KAAa,EACb,GAAQ;IAER,OAAO,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,KAAa,EAAE,WAA8B;IACrE,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,6BAA6B,CAAC,MAAc;IACpD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,6BAA6B,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACxC,OAAO,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAY;IAC7C,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,IAAI,CAAC;AACb,CAAC;AAED,SAAS,+BAA+B,CAAC,IAAY;IACpD,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,IAAI,CAAC;AACb,CAAC;AAED,SAAS,oBAAoB,CAC5B,OAAe,EACf,SAAiB;IAEjB,IAAI,MAAM,GAAG,SAAS,GAAG,CAAC,CAAC;IAC3B,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,OAAO,GAAG,EAAE,CAAC;IAEjB,IAAI,MAAM,IAAI,OAAO,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC/C,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,EAAE,CAAC;QACxD,OAAO,GAAG,IAAI,CAAC;QACf,MAAM,IAAI,CAAC,CAAC;IACb,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,EAAE,CAAC;QAC7B,OAAO,IAAI,KAAK,CAAC;QACjB,UAAU,GAAG,IAAI,CAAC;QAClB,MAAM,IAAI,CAAC,CAAC;IACb,CAAC;IAED,OAAO,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAE,CAAC;QAC9B,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClB,IAAI,CAAC,UAAU;gBAAE,OAAO,SAAS,CAAC;YAClC,OAAO,EAAE,WAAW,EAAE,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QACjF,CAAC;QACD,UAAU,GAAG,IAAI,CAAC;QAClB,IAAI,IAAI,KAAK,IAAI,IAAI,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YAClD,MAAM,IAAI,CAAC,CAAC;YACZ,OAAO,IAAI,+BAA+B,CAAC,OAAO,CAAC,MAAM,CAAE,CAAC,CAAC;YAC7D,SAAS;QACV,CAAC;QACD,OAAO,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,SAAS,CAAC;AAClB,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAe;IAChD,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAE,CAAC;QAC7B,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClB,MAAM,IAAI,IAAI,CAAC;YACf,SAAS;QACV,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClB,MAAM,IAAI,GAAG,CAAC;YACd,SAAS;QACV,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClB,MAAM,OAAO,GAAG,oBAAoB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YACrD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;gBAC3B,MAAM,IAAI,OAAO,CAAC,WAAW,CAAC;gBAC9B,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;gBAC3B,SAAS;YACV,CAAC;QACF,CAAC;QACD,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YACjD,KAAK,IAAI,CAAC,CAAC;YACX,MAAM,IAAI,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAE,CAAC,CAAC;YAC9C,SAAS;QACV,CAAC;QACD,MAAM,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,IAAI,MAAM,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,WAAW,CAAC,IAAqB,EAAE,QAA0B,EAAE,KAAa;IACpF,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,gCAAgC,EAAE,CAAC;QACrF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACtE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,qDAAqD,EAAE,CAAC;IAC1G,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClF,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO;YACN,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,sDAAsD;SACnF,CAAC;IACH,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACf,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,wCAAwC,EAAE,CAAC;QAC7F,CAAC;QACD,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,2BAA2B,EAAE,CAAC;QAChF,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,4BAA4B,EAAE,CAAC;QACjF,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;IACjF,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACb,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,oCAAoC,EAAE,CAAC;QACzF,CAAC;QACD,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,yBAAyB,EAAE,CAAC;QAC9E,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,0BAA0B,EAAE,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC;YACJ,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACvG,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,2CAA2C,EAAE,CAAC;QAChG,CAAC;IACF,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;QAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,yDAAyD,EAAE,CAAC;IAC9G,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,0BAA0B,EAAE,CAAC;IAC/E,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,2BAA2B,EAAE,CAAC;IAChF,CAAC;IACD,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,IAAI,QAAQ,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,uCAAuC,EAAE,CAAC;IAC5F,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3E,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO;YACN,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,sDAAsD;SACnF,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACJ,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAClG,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,KAAK,0CAA0C,EAAE,CAAC;IAC/F,CAAC;AACF,CAAC;AAED,SAAS,YAAY,CAAC,KAA6C,EAAE,QAA0B;IAC9F,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAC9D,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,CAAC,EAAE;YAAE,OAAO,MAAM,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAyB;IACtD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,WAAW,GAAG,6BAA6B,CAAC,MAAM,CAAC,CAAC;IAC1D,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,OAAO;YACN,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,6CAA6C,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,aAAa,oDAAoD;SAC9J,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IAChF,IAAI,eAAe,KAAK,OAAO,IAAI,eAAe,KAAK,MAAM,EAAE,CAAC;QAC/D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC;IAChF,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;IACrE,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,iDAAiD,EAAE,CAAC;IAClF,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC;IACrE,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC;IACpE,CAAC;IAED,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAClD,IAAI,CAAC,KAAK,CAAC,EAAE;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,IAAI,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE1B,OAAO;QACN,EAAE,EAAE,IAAI;QACR,MAAM,EAAE;YACP,eAAe;YACf,KAAK;YACL,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,IAAI,EAAE,IAAI,CAAC,KAAK;SAChB;KACD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,MAAyB;IAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;AACF,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAyB;IAC1D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,UAAU,CAAC;IAC9F,OAAO,MAAM,CAAC,KAAK,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;AACxD,CAAC","sourcesContent":["import type {\n\tBashCommandPolicy,\n\tBashCommandPolicyMatchMode,\n\tBashCommandRule,\n\tCompiledRule,\n\tCompileResult,\n\tCompileRuleResult,\n\tCompileRulesResult,\n} from \"./bash-policy-types.ts\";\n\ntype RuntimePropertyValue =\n\t| string\n\t| number\n\t| boolean\n\t| bigint\n\t| symbol\n\t| null\n\t| object\n\t| ((...args: readonly never[]) => RuntimePropertyValue)\n\t| undefined;\n\ntype RuleObjectKey = \"prefix\" | \"glob\" | \"regex\" | \"flags\";\n\nconst BASH_POLICY_TOP_LEVEL_KEYS = [\"default\", \"allow\", \"deny\", \"match\"] as const;\nconst BASH_POLICY_TOP_LEVEL_KEY_SET: ReadonlySet<string> = new Set(BASH_POLICY_TOP_LEVEL_KEYS);\n\nfunction hasOwnRuleKey<Key extends RuleObjectKey>(\n\tvalue: object,\n\tkey: Key,\n): value is Record<Key, RuntimePropertyValue> {\n\treturn Object.prototype.hasOwnProperty.call(value, key);\n}\n\nfunction hasOnlyRuleKeys(value: object, allowedKeys: readonly string[]): boolean {\n\treturn Object.keys(value).every((key) => allowedKeys.includes(key));\n}\n\nfunction unknownBashPolicyTopLevelKeys(policy: object): readonly string[] {\n\treturn Object.keys(policy).filter((key) => !BASH_POLICY_TOP_LEVEL_KEY_SET.has(key));\n}\n\nfunction escapeRegexLiteral(value: string): string {\n\treturn value.replace(/[\\\\^$.*+?()[\\]{}|]/g, \"\\\\$&\");\n}\n\nfunction escapeGlobClassCharacter(char: string): string {\n\tif (char === \"\\\\\") return \"\\\\\\\\\";\n\tif (char === \"]\") return \"\\\\]\";\n\tif (char === \"[\") return \"\\\\[\";\n\treturn char;\n}\n\nfunction escapeEscapedGlobClassCharacter(char: string): string {\n\tif (char === \"\\\\\") return \"\\\\\\\\\";\n\tif (char === \"-\") return \"\\\\-\";\n\tif (char === \"^\") return \"\\\\^\";\n\tif (char === \"]\") return \"\\\\]\";\n\tif (char === \"[\") return \"\\\\[\";\n\treturn char;\n}\n\nfunction readGlobBracketClass(\n\tpattern: string,\n\topenIndex: number,\n): { readonly regexSource: string; readonly closeIndex: number } | undefined {\n\tlet cursor = openIndex + 1;\n\tlet negated = false;\n\tlet hasContent = false;\n\tlet content = \"\";\n\n\tif (cursor >= pattern.length) return undefined;\n\tif (pattern[cursor] === \"!\" || pattern[cursor] === \"^\") {\n\t\tnegated = true;\n\t\tcursor += 1;\n\t}\n\tif (pattern[cursor] === \"]\") {\n\t\tcontent += \"\\\\]\";\n\t\thasContent = true;\n\t\tcursor += 1;\n\t}\n\n\tfor (; cursor < pattern.length; cursor += 1) {\n\t\tconst char = pattern[cursor]!;\n\t\tif (char === \"]\") {\n\t\t\tif (!hasContent) return undefined;\n\t\t\treturn { regexSource: `[${negated ? \"^\" : \"\"}${content}]`, closeIndex: cursor };\n\t\t}\n\t\thasContent = true;\n\t\tif (char === \"\\\\\" && cursor + 1 < pattern.length) {\n\t\t\tcursor += 1;\n\t\t\tcontent += escapeEscapedGlobClassCharacter(pattern[cursor]!);\n\t\t\tcontinue;\n\t\t}\n\t\tcontent += escapeGlobClassCharacter(char);\n\t}\n\n\treturn undefined;\n}\n\nfunction compileCommandStringGlob(pattern: string): RegExp {\n\tlet source = \"^\";\n\tfor (let index = 0; index < pattern.length; index += 1) {\n\t\tconst char = pattern[index]!;\n\t\tif (char === \"*\") {\n\t\t\tsource += \".*\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"?\") {\n\t\t\tsource += \".\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"[\") {\n\t\t\tconst bracket = readGlobBracketClass(pattern, index);\n\t\t\tif (bracket !== undefined) {\n\t\t\t\tsource += bracket.regexSource;\n\t\t\t\tindex = bracket.closeIndex;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t\tif (char === \"\\\\\" && index + 1 < pattern.length) {\n\t\t\tindex += 1;\n\t\t\tsource += escapeRegexLiteral(pattern[index]!);\n\t\t\tcontinue;\n\t\t}\n\t\tsource += escapeRegexLiteral(char);\n\t}\n\treturn new RegExp(`${source}$`);\n}\n\nfunction compileRule(rule: BashCommandRule, listName: \"allow\" | \"deny\", index: number): CompileRuleResult {\n\tif (typeof rule === \"string\") {\n\t\tif (rule.length === 0) {\n\t\t\treturn { ok: false, message: `${listName}[${index}] exact rule must not be empty` };\n\t\t}\n\t\treturn { ok: true, rule: { kind: \"exact\", source: rule, value: rule } };\n\t}\n\n\tif (typeof rule !== \"object\" || rule === null || Array.isArray(rule)) {\n\t\treturn { ok: false, message: `${listName}[${index}] rule must be a non-empty string or an object rule` };\n\t}\n\n\tconst hasPrefix = hasOwnRuleKey(rule, \"prefix\");\n\tconst hasGlob = hasOwnRuleKey(rule, \"glob\");\n\tconst hasRegex = hasOwnRuleKey(rule, \"regex\");\n\tconst variantCount = (hasPrefix ? 1 : 0) + (hasGlob ? 1 : 0) + (hasRegex ? 1 : 0);\n\tif (variantCount !== 1) {\n\t\treturn {\n\t\t\tok: false,\n\t\t\tmessage: `${listName}[${index}] must specify exactly one of prefix, glob, or regex`,\n\t\t};\n\t}\n\n\tif (hasPrefix) {\n\t\tif (!hasOnlyRuleKeys(rule, [\"prefix\"])) {\n\t\t\treturn { ok: false, message: `${listName}[${index}] prefix rule must only contain prefix` };\n\t\t}\n\t\tif (typeof rule.prefix !== \"string\") {\n\t\t\treturn { ok: false, message: `${listName}[${index}].prefix must be a string` };\n\t\t}\n\t\tif (rule.prefix.length === 0) {\n\t\t\treturn { ok: false, message: `${listName}[${index}].prefix must not be empty` };\n\t\t}\n\t\treturn { ok: true, rule: { kind: \"prefix\", source: rule, value: rule.prefix } };\n\t}\n\n\tif (hasGlob) {\n\t\tif (!hasOnlyRuleKeys(rule, [\"glob\"])) {\n\t\t\treturn { ok: false, message: `${listName}[${index}] glob rule must only contain glob` };\n\t\t}\n\t\tif (typeof rule.glob !== \"string\") {\n\t\t\treturn { ok: false, message: `${listName}[${index}].glob must be a string` };\n\t\t}\n\t\tif (rule.glob.length === 0) {\n\t\t\treturn { ok: false, message: `${listName}[${index}].glob must not be empty` };\n\t\t}\n\t\ttry {\n\t\t\treturn { ok: true, rule: { kind: \"glob\", source: rule, value: compileCommandStringGlob(rule.glob) } };\n\t\t} catch {\n\t\t\treturn { ok: false, message: `${listName}[${index}].glob is not a valid command string glob` };\n\t\t}\n\t}\n\n\tif (!hasOnlyRuleKeys(rule, [\"regex\", \"flags\"])) {\n\t\treturn { ok: false, message: `${listName}[${index}] regex rule must only contain regex and optional flags` };\n\t}\n\tif (typeof rule.regex !== \"string\") {\n\t\treturn { ok: false, message: `${listName}[${index}].regex must be a string` };\n\t}\n\tif (rule.regex.length === 0) {\n\t\treturn { ok: false, message: `${listName}[${index}].regex must not be empty` };\n\t}\n\tconst hasFlags = hasOwnRuleKey(rule, \"flags\");\n\tif (hasFlags && typeof rule.flags !== \"string\") {\n\t\treturn { ok: false, message: `${listName}[${index}].flags must be a string when present` };\n\t}\n\tconst flags = hasFlags && typeof rule.flags === \"string\" ? rule.flags : \"\";\n\tif (/[gy]/.test(flags)) {\n\t\treturn {\n\t\t\tok: false,\n\t\t\tmessage: `${listName}[${index}].flags must not include stateful g or y regex flags`,\n\t\t};\n\t}\n\ttry {\n\t\treturn { ok: true, rule: { kind: \"regex\", source: rule, value: new RegExp(rule.regex, flags) } };\n\t} catch {\n\t\treturn { ok: false, message: `${listName}[${index}].regex is not a valid JavaScript RegExp` };\n\t}\n}\n\nfunction compileRules(rules: readonly BashCommandRule[] | undefined, listName: \"allow\" | \"deny\"): CompileRulesResult {\n\tconst compiled: CompiledRule[] = [];\n\tif (rules === undefined) return { ok: true, rules: compiled };\n\tfor (let index = 0; index < rules.length; index += 1) {\n\t\tconst rule = rules[index]!;\n\t\tconst result = compileRule(rule, listName, index);\n\t\tif (!result.ok) return result;\n\t\tcompiled.push(result.rule);\n\t}\n\treturn { ok: true, rules: compiled };\n}\n\nexport function compilePolicy(policy: BashCommandPolicy): CompileResult {\n\tif (typeof policy !== \"object\" || policy === null || Array.isArray(policy)) {\n\t\treturn { ok: false, message: \"bash policy must be a non-null object\" };\n\t}\n\n\tconst unknownKeys = unknownBashPolicyTopLevelKeys(policy);\n\tif (unknownKeys.length > 0) {\n\t\tconst formattedKeys = unknownKeys.map((key) => JSON.stringify(key)).join(\", \");\n\t\treturn {\n\t\t\tok: false,\n\t\t\tmessage: `bash policy contains unknown top-level key${unknownKeys.length === 1 ? \"\" : \"s\"} ${formattedKeys}; allowed keys are default, allow, deny, and match`,\n\t\t};\n\t}\n\n\tconst defaultDecision = policy.default === undefined ? \"allow\" : policy.default;\n\tif (defaultDecision !== \"allow\" && defaultDecision !== \"deny\") {\n\t\treturn { ok: false, message: `bash policy default must be \"allow\" or \"deny\"` };\n\t}\n\tconst match = policy.match === undefined ? \"segments\" : policy.match;\n\tif (match !== \"whole\" && match !== \"segments\") {\n\t\treturn { ok: false, message: `bash policy match must be \"whole\" or \"segments\"` };\n\t}\n\tif (policy.allow !== undefined && !Array.isArray(policy.allow)) {\n\t\treturn { ok: false, message: \"bash policy allow must be an array\" };\n\t}\n\tif (policy.deny !== undefined && !Array.isArray(policy.deny)) {\n\t\treturn { ok: false, message: \"bash policy deny must be an array\" };\n\t}\n\n\tconst allow = compileRules(policy.allow, \"allow\");\n\tif (!allow.ok) return allow;\n\tconst deny = compileRules(policy.deny, \"deny\");\n\tif (!deny.ok) return deny;\n\n\treturn {\n\t\tok: true,\n\t\tpolicy: {\n\t\t\tdefaultDecision,\n\t\t\tmatch,\n\t\t\tallow: allow.rules,\n\t\t\tdeny: deny.rules,\n\t\t},\n\t};\n}\n\nexport function validateBashCommandPolicy(policy: BashCommandPolicy): void {\n\tconst compiled = compilePolicy(policy);\n\tif (!compiled.ok) {\n\t\tthrow new Error(`Invalid bash command policy: ${compiled.message}`);\n\t}\n}\n\nexport function invalidPolicyMode(policy: BashCommandPolicy): BashCommandPolicyMatchMode {\n\tif (typeof policy !== \"object\" || policy === null || Array.isArray(policy)) return \"segments\";\n\treturn policy.match === \"whole\" ? \"whole\" : \"segments\";\n}\n"]}

package/dist/core/tools/bash-policy-evaluate.d.ts DELETED Viewed

@@ -1,3 +0,0 @@
-import type { BashCommandPolicy, BashCommandPolicyDecision } from "./bash-policy-types.ts";
-export declare function evaluateBashCommandPolicy(command: string, policy: BashCommandPolicy | undefined): BashCommandPolicyDecision;
-//# sourceMappingURL=bash-policy-evaluate.d.ts.map

package/dist/core/tools/bash-policy-evaluate.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"bash-policy-evaluate.d.ts","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-evaluate.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAEX,iBAAiB,EACjB,yBAAyB,EAIzB,MAAM,wBAAwB,CAAC;AA0BhC,wBAAgB,yBAAyB,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,iBAAiB,GAAG,SAAS,GACnC,yBAAyB,CA0E3B","sourcesContent":["import { compilePolicy, invalidPolicyMode } from \"./bash-policy-compile.ts\";\nimport { parseBashCommandSegments, wholeCommandTarget } from \"./bash-policy-parser.ts\";\nimport type {\n\tBashCommandParseResult,\n\tBashCommandPolicy,\n\tBashCommandPolicyDecision,\n\tBashCommandRule,\n\tCompiledBashCommandPolicy,\n\tCompiledRule,\n} from \"./bash-policy-types.ts\";\n\nfunction ruleMatches(rule: CompiledRule, target: string): boolean {\n\tswitch (rule.kind) {\n\t\tcase \"exact\":\n\t\t\treturn target === rule.value;\n\t\tcase \"prefix\":\n\t\t\treturn target.startsWith(rule.value);\n\t\tcase \"glob\":\n\t\t\treturn rule.value.test(target);\n\t\tcase \"regex\":\n\t\t\treturn rule.value.test(target);\n\t}\n}\n\nfunction firstMatchingRule(rules: readonly CompiledRule[], target: string): BashCommandRule | undefined {\n\tfor (const rule of rules) {\n\t\tif (ruleMatches(rule, target)) return rule.source;\n\t}\n\treturn undefined;\n}\n\nfunction isNoRuleDefaultAllowPolicy(policy: CompiledBashCommandPolicy): boolean {\n\treturn policy.defaultDecision === \"allow\" && policy.allow.length === 0 && policy.deny.length === 0;\n}\n\nexport function evaluateBashCommandPolicy(\n\tcommand: string,\n\tpolicy: BashCommandPolicy | undefined,\n): BashCommandPolicyDecision {\n\tif (policy === undefined) {\n\t\treturn { allowed: true, mode: \"segments\", targets: [] };\n\t}\n\n\tconst compiled = compilePolicy(policy);\n\tif (!compiled.ok) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\tmode: invalidPolicyMode(policy),\n\t\t\ttargets: [],\n\t\t\trejection: {\n\t\t\t\treason: \"invalid-policy\",\n\t\t\t\tmessage: compiled.message,\n\t\t\t},\n\t\t};\n\t}\n\n\tconst activePolicy = compiled.policy;\n\tif (isNoRuleDefaultAllowPolicy(activePolicy)) {\n\t\treturn { allowed: true, mode: activePolicy.match, targets: [] };\n\t}\n\n\tconst targetsResult: BashCommandParseResult = activePolicy.match === \"whole\"\n\t\t? { ok: true, segments: [wholeCommandTarget(command)] }\n\t\t: parseBashCommandSegments(command);\n\n\tif (!targetsResult.ok) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\tmode: activePolicy.match,\n\t\t\ttargets: [],\n\t\t\trejection: {\n\t\t\t\treason: \"unsupported-shell-syntax\",\n\t\t\t\tmessage: targetsResult.error.reason,\n\t\t\t\tparseError: targetsResult.error,\n\t\t\t},\n\t\t};\n\t}\n\n\tfor (const target of targetsResult.segments) {\n\t\tconst denyRule = firstMatchingRule(activePolicy.deny, target.target);\n\t\tif (denyRule !== undefined) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\tmode: activePolicy.match,\n\t\t\t\ttargets: targetsResult.segments,\n\t\t\t\trejection: {\n\t\t\t\t\treason: \"matched-deny\",\n\t\t\t\t\tmessage: `command ${JSON.stringify(target.head)} matched a deny rule`,\n\t\t\t\t\ttarget,\n\t\t\t\t\tmatchedRule: denyRule,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst allowRule = firstMatchingRule(activePolicy.allow, target.target);\n\t\tif (allowRule !== undefined || activePolicy.defaultDecision === \"allow\") {\n\t\t\tcontinue;\n\t\t}\n\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\tmode: activePolicy.match,\n\t\t\ttargets: targetsResult.segments,\n\t\t\trejection: {\n\t\t\t\treason: \"default-deny\",\n\t\t\t\tmessage: `command ${JSON.stringify(target.head)} is not permitted by default-deny bash policy`,\n\t\t\t\ttarget,\n\t\t\t},\n\t\t};\n\t}\n\n\treturn { allowed: true, mode: activePolicy.match, targets: targetsResult.segments };\n}\n"]}