@calliopelabs/cli 2.2.0 → 2.5.0

package/dist/providers/openai-compat-shims.d.ts

@@ -0,0 +1,31 @@
+/**
+ * OpenAI-Compatible Server Shims
+ *
+ * Provides compatibility shims for popular local inference servers:
+ * LM Studio, AnythingLLM, vLLM, Jan, LocalAI.
+ *
+ * Each shim can detect its target server by URL pattern and transform
+ * request parameters to work around server-specific limitations.
+ */
+import type { ChatCompletionCreateParamsBase } from 'openai/resources/chat/completions.js';
+export interface CompatShim {
+    id: 'lmstudio' | 'anythingllm' | 'vllm' | 'jan' | 'localai' | 'none';
+    name: string;
+    description: string;
+    detect(baseUrl: string): boolean;
+    transformRequest(params: ChatCompletionCreateParamsBase): ChatCompletionCreateParamsBase;
+    supportsTools: boolean;
+    supportsStreaming: boolean;
+}
+/** Reset tool-strip warnings — for use in tests only. */
+export declare function resetToolWarnings(): void;
+/**
+ * Detect which compatibility shim to use for the given base URL.
+ *
+ * Priority:
+ * 1. `OPENAI_COMPAT_SHIM` env var (exact match to shim id)
+ * 2. URL pattern matching (in order: lmstudio, anythingllm, vllm, jan, localai)
+ * 3. Fallback to pass-through (none)
+ */
+export declare function detectShim(baseUrl: string): CompatShim;
+//# sourceMappingURL=openai-compat-shims.d.ts.map

package/dist/providers/openai-compat-shims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai-compat-shims.d.ts","sourceRoot":"","sources":["../../src/providers/openai-compat-shims.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,8BAA8B,EAAE,MAAM,sCAAsC,CAAC;AAE3F,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,UAAU,GAAG,aAAa,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,GAAG,MAAM,CAAC;IACrE,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IACjC,gBAAgB,CAAC,MAAM,EAAE,8BAA8B,GAAG,8BAA8B,CAAC;IACzF,aAAa,EAAE,OAAO,CAAC;IACvB,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AASD,yDAAyD;AACzD,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAsJD;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAqBtD"}

package/dist/providers/openai-compat-shims.js

@@ -0,0 +1,179 @@
+/**
+ * OpenAI-Compatible Server Shims
+ *
+ * Provides compatibility shims for popular local inference servers:
+ * LM Studio, AnythingLLM, vLLM, Jan, LocalAI.
+ *
+ * Each shim can detect its target server by URL pattern and transform
+ * request parameters to work around server-specific limitations.
+ */
+// ---------------------------------------------------------------------------
+// One-time tool-strip warnings (keyed by shim id)
+// Exported for test resets via resetToolWarnings()
+// ---------------------------------------------------------------------------
+const warnedShims = new Set();
+/** Reset tool-strip warnings — for use in tests only. */
+export function resetToolWarnings() {
+    warnedShims.clear();
+}
+// ---------------------------------------------------------------------------
+// Shim implementations
+// ---------------------------------------------------------------------------
+const lmstudioShim = {
+    id: 'lmstudio',
+    name: 'LM Studio',
+    description: 'Local LLM server by LM Studio (default port 1234)',
+    supportsTools: true,
+    supportsStreaming: true,
+    detect(baseUrl) {
+        return baseUrl.includes(':1234');
+    },
+    transformRequest(params) {
+        const result = { ...params };
+        if (result.max_tokens == null) {
+            result.max_tokens = 8192;
+        }
+        return result;
+    },
+};
+const anythingllmShim = {
+    id: 'anythingllm',
+    name: 'AnythingLLM',
+    description: 'All-in-one AI application (default port 3001, /api/openai path)',
+    supportsTools: false,
+    supportsStreaming: true,
+    detect(baseUrl) {
+        return baseUrl.includes(':3001') || baseUrl.includes('/api/openai');
+    },
+    transformRequest(params) {
+        const result = { ...params };
+        if ((result.tools || result.tool_choice) && !warnedShims.has('anythingllm')) {
+            warnedShims.add('anythingllm');
+            process.stderr.write('[openai-compat] AnythingLLM does not support tool_calls — stripping tools and tool_choice\n');
+        }
+        delete result.tools;
+        delete result.tool_choice;
+        return result;
+    },
+};
+const vllmShim = {
+    id: 'vllm',
+    name: 'vLLM',
+    description: 'High-throughput inference engine (default port 8000)',
+    supportsTools: true,
+    supportsStreaming: true,
+    detect(baseUrl) {
+        return baseUrl.includes(':8000');
+    },
+    transformRequest(params) {
+        const result = { ...params };
+        if (result.max_tokens == null) {
+            result.max_tokens = 4096;
+        }
+        return result;
+    },
+};
+const janShim = {
+    id: 'jan',
+    name: 'Jan',
+    description: 'Open-source local AI desktop app (default port 1337)',
+    supportsTools: false,
+    supportsStreaming: true,
+    detect(baseUrl) {
+        return baseUrl.includes(':1337');
+    },
+    transformRequest(params) {
+        const result = { ...params };
+        if ((result.tools || result.tool_choice) && !warnedShims.has('jan')) {
+            warnedShims.add('jan');
+            process.stderr.write('[openai-compat] Jan does not support tool_calls — stripping tools and tool_choice\n');
+        }
+        delete result.tools;
+        delete result.tool_choice;
+        return result;
+    },
+};
+const localaiShim = {
+    id: 'localai',
+    name: 'LocalAI',
+    description: 'Free, open-source OpenAI alternative (default port 8080)',
+    supportsTools: false,
+    supportsStreaming: true,
+    detect(baseUrl) {
+        return baseUrl.includes(':8080');
+    },
+    transformRequest(params) {
+        const result = { ...params };
+        if ((result.tools || result.tool_choice) && !warnedShims.has('localai')) {
+            warnedShims.add('localai');
+            process.stderr.write('[openai-compat] LocalAI does not support tool_calls — stripping tools and tool_choice\n');
+        }
+        delete result.tools;
+        delete result.tool_choice;
+        // Convert system role messages to user messages with [SYSTEM] prefix
+        if (result.messages) {
+            result.messages = result.messages.map((msg) => {
+                if (msg.role === 'system') {
+                    const content = typeof msg.content === 'string' ? msg.content : JSON.stringify(msg.content);
+                    return { role: 'user', content: `[SYSTEM] ${content}` };
+                }
+                return msg;
+            });
+        }
+        return result;
+    },
+};
+const noneShim = {
+    id: 'none',
+    name: 'None (pass-through)',
+    description: 'No shim applied — pass requests through unchanged',
+    supportsTools: true,
+    supportsStreaming: true,
+    detect(_baseUrl) {
+        return false;
+    },
+    transformRequest(params) {
+        return params;
+    },
+};
+// ---------------------------------------------------------------------------
+// Detection order (priority: env var → URL pattern → fallback)
+// ---------------------------------------------------------------------------
+const ALL_SHIMS = [lmstudioShim, anythingllmShim, vllmShim, janShim, localaiShim];
+const SHIM_MAP = {
+    lmstudio: lmstudioShim,
+    anythingllm: anythingllmShim,
+    vllm: vllmShim,
+    jan: janShim,
+    localai: localaiShim,
+    none: noneShim,
+};
+/**
+ * Detect which compatibility shim to use for the given base URL.
+ *
+ * Priority:
+ * 1. `OPENAI_COMPAT_SHIM` env var (exact match to shim id)
+ * 2. URL pattern matching (in order: lmstudio, anythingllm, vllm, jan, localai)
+ * 3. Fallback to pass-through (none)
+ */
+export function detectShim(baseUrl) {
+    // 1. Env var override
+    const envShim = process.env.OPENAI_COMPAT_SHIM;
+    if (envShim && envShim in SHIM_MAP) {
+        const shim = SHIM_MAP[envShim];
+        if (shim.id !== 'none') {
+            process.stderr.write(`[openai-compat] Detected ${shim.name} — applying compatibility shim\n`);
+        }
+        return shim;
+    }
+    // 2. URL pattern matching
+    for (const shim of ALL_SHIMS) {
+        if (shim.detect(baseUrl)) {
+            process.stderr.write(`[openai-compat] Detected ${shim.name} — applying compatibility shim\n`);
+            return shim;
+        }
+    }
+    // 3. Pass-through
+    return noneShim;
+}
+//# sourceMappingURL=openai-compat-shims.js.map

package/dist/providers/openai-compat-shims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai-compat-shims.js","sourceRoot":"","sources":["../../src/providers/openai-compat-shims.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAcH,8EAA8E;AAC9E,kDAAkD;AAClD,mDAAmD;AACnD,8EAA8E;AAE9E,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;AAEtC,yDAAyD;AACzD,MAAM,UAAU,iBAAiB;IAC/B,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,MAAM,YAAY,GAAe;IAC/B,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,WAAW;IACjB,WAAW,EAAE,mDAAmD;IAChE,aAAa,EAAE,IAAI;IACnB,iBAAiB,EAAE,IAAI;IACvB,MAAM,CAAC,OAAe;QACpB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,gBAAgB,CAAC,MAAsC;QACrD,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC3B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC;AAEF,MAAM,eAAe,GAAe;IAClC,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,aAAa;IACnB,WAAW,EAAE,iEAAiE;IAC9E,aAAa,EAAE,KAAK;IACpB,iBAAiB,EAAE,IAAI;IACvB,MAAM,CAAC,OAAe;QACpB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IACtE,CAAC;IACD,gBAAgB,CAAC,MAAsC;QACrD,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;YAC5E,WAAW,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,6FAA6F,CAC9F,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC,KAAK,CAAC;QACpB,OAAO,MAAM,CAAC,WAAW,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC;AAEF,MAAM,QAAQ,GAAe;IAC3B,EAAE,EAAE,MAAM;IACV,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,sDAAsD;IACnE,aAAa,EAAE,IAAI;IACnB,iBAAiB,EAAE,IAAI;IACvB,MAAM,CAAC,OAAe;QACpB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,gBAAgB,CAAC,MAAsC;QACrD,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC3B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC;AAEF,MAAM,OAAO,GAAe;IAC1B,EAAE,EAAE,KAAK;IACT,IAAI,EAAE,KAAK;IACX,WAAW,EAAE,sDAAsD;IACnE,aAAa,EAAE,KAAK;IACpB,iBAAiB,EAAE,IAAI;IACvB,MAAM,CAAC,OAAe;QACpB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,gBAAgB,CAAC,MAAsC;QACrD,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACpE,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,qFAAqF,CACtF,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC,KAAK,CAAC;QACpB,OAAO,MAAM,CAAC,WAAW,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC;AAEF,MAAM,WAAW,GAAe;IAC9B,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,0DAA0D;IACvE,aAAa,EAAE,KAAK;IACpB,iBAAiB,EAAE,IAAI;IACvB,MAAM,CAAC,OAAe;QACpB,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,gBAAgB,CAAC,MAAsC;QACrD,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACxE,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yFAAyF,CAC1F,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC,KAAK,CAAC;QACpB,OAAO,MAAM,CAAC,WAAW,CAAC;QAC1B,qEAAqE;QACrE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC5C,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC1B,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBAC5F,OAAO,EAAE,IAAI,EAAE,MAAe,EAAE,OAAO,EAAE,YAAY,OAAO,EAAE,EAAE,CAAC;gBACnE,CAAC;gBACD,OAAO,GAAG,CAAC;YACb,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC;AAEF,MAAM,QAAQ,GAAe;IAC3B,EAAE,EAAE,MAAM;IACV,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EAAE,mDAAmD;IAChE,aAAa,EAAE,IAAI;IACnB,iBAAiB,EAAE,IAAI;IACvB,MAAM,CAAC,QAAgB;QACrB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,gBAAgB,CAAC,MAAsC;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC;AAEF,8EAA8E;AAC9E,+DAA+D;AAC/D,8EAA8E;AAE9E,MAAM,SAAS,GAAiB,CAAC,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;AAEhG,MAAM,QAAQ,GAA+B;IAC3C,QAAQ,EAAE,YAAY;IACtB,WAAW,EAAE,eAAe;IAC5B,IAAI,EAAE,QAAQ;IACd,GAAG,EAAE,OAAO;IACZ,OAAO,EAAE,WAAW;IACpB,IAAI,EAAE,QAAQ;CACf,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe;IACxC,sBAAsB;IACtB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC/C,IAAI,OAAO,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC/B,IAAI,IAAI,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;YACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,IAAI,kCAAkC,CAAC,CAAC;QAChG,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0BAA0B;IAC1B,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,IAAI,kCAAkC,CAAC,CAAC;YAC9F,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/providers/openai.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../src/providers/openai.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAe,cAAc,EAAE,MAAM,aAAa,CAAC;AACrG,OAAO,EAAgC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAM/E;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,yBAAyB,EAAE,CAkBrH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;UAkC9B,QAAQ,GAAG,MAAM,GAAG,WAAW;;;;KAIpD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE;;;;;;;;;;oBAjCzB,CAAC;qBAAuB,CAAC;;;;;;;IA0C1C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,6BAA6B,EAAE,GAAG,SAAS,GAAG,QAAQ,EAAE,CAmB/H;AAMD,4CAA4C;AAC5C,KAAK,kBAAkB,GACnB;IAAE,IAAI,EAAE,WAAW,GAAG,MAAM,GAAG,WAAW,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAAA;CAAE,GACtF;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAC3E;IAAE,IAAI,EAAE,sBAAsB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtE,KAAK,oBAAoB,GACrB;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,SAAS,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC;AAExD,wCAAwC;AACxC,UAAU,aAAa;IACrB,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,MAAM,EAAE,OAAO,CAAC;CACjB;AAqED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,kBAAkB,EAAE,CAqE1E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,aAAa,EAAE,CAQ/D;AA0JD;;GAEG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,IAAI,EAAE,EACb,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,WAAW,CAAC,CAqItB"}
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../src/providers/openai.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAe,cAAc,EAAE,MAAM,aAAa,CAAC;AACrG,OAAO,EAAgC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAM/E;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,yBAAyB,EAAE,CAkBrH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;UAkC9B,QAAQ,GAAG,MAAM,GAAG,WAAW;;;;KAIpD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE;;;;;;;;;;oBA/BjC,CAAC;qBAAuB,CAAC;;;;;;;IAwClC;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,6BAA6B,EAAE,GAAG,SAAS,GAAG,QAAQ,EAAE,CAmB/H;AAMD,4CAA4C;AAC5C,KAAK,kBAAkB,GACnB;IAAE,IAAI,EAAE,WAAW,GAAG,MAAM,GAAG,WAAW,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAAA;CAAE,GACtF;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAC3E;IAAE,IAAI,EAAE,sBAAsB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtE,KAAK,oBAAoB,GACrB;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,SAAS,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC;AAExD,wCAAwC;AACxC,UAAU,aAAa;IACrB,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,MAAM,EAAE,OAAO,CAAC;CACjB;AAqED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,kBAAkB,EAAE,CAqE1E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,aAAa,EAAE,CAQ/D;AA0JD;;GAEG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,IAAI,EAAE,EACb,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,WAAW,CAAC,CAqItB"}

package/dist/providers/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAe,MAAM,aAAa,CAAC;AAGxF,eAAO,MAAM,UAAU,OAAO,CAAC;AAC/B,eAAO,MAAM,iBAAiB,OAAO,CAAC;AACtC,eAAO,MAAM,sBAAsB,OAAO,CAAC;AAC3C,eAAO,MAAM,kBAAkB,OAAO,CAAC;AAEvC,oEAAoE;AACpE,eAAO,MAAM,kBAAkB,QAAc,CAAC;AAI9C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAElE;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;AAErD;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;AAErF;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAQlE;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,CAiC9E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,IAAI,EAAE,GACZ,MAAM,CAgBR;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAIT;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,iBAAiB,EAAE,MAAM,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAA;CAAE,CAS/E;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,IAAI,EAAE,GACZ;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAA;CAAE,CAUpF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,WAAW,GAAG,WAAW,CA0CtE"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAe,MAAM,aAAa,CAAC;AAGxF,eAAO,MAAM,UAAU,OAAO,CAAC;AAC/B,eAAO,MAAM,iBAAiB,OAAO,CAAC;AACtC,eAAO,MAAM,sBAAsB,OAAO,CAAC;AAC3C,eAAO,MAAM,kBAAkB,OAAO,CAAC;AAEvC,oEAAoE;AACpE,eAAO,MAAM,kBAAkB,QAAc,CAAC;AAM9C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAOlE;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;AAErD;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;AAErF;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAQlE;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,CAiC9E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,IAAI,EAAE,GACZ,MAAM,CAkBR;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAIT;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,iBAAiB,EAAE,MAAM,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAA;CAAE,CAS/E;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,IAAI,EAAE,GACZ;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,OAAO,CAAA;CAAE,CAUpF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,WAAW,GAAG,WAAW,CA0CtE"}

package/dist/providers/types.js

@@ -3,7 +3,7 @@
  *
  * Constants, token estimation, context health, validation, and shared helpers.
  */
-import { getModelContextLimit } from '../model-detection.js';
+import { getModelContextLimit, getModelMaxOutput } from '../model-detection.js';
 // Constants
 export const MAX_TOKENS = 8192;
 export const MIN_OUTPUT_TOKENS = 1024; // Minimum output tokens to request
@@ -11,11 +11,18 @@ export const CONTEXT_BUFFER_PERCENT = 0.08; // 8% of context as safety buffer
 export const CONTEXT_BUFFER_MIN = 1024; // Minimum buffer (scales with context size)
 /** Maximum allowed content length (1MB) to prevent memory issues */
 export const MAX_CONTENT_LENGTH = 1024 * 1024;
-// Debug logging helper
-const DEBUG = process.env.CALLIOPE_DEBUG === '1';
+// Debug logging helper. Writes to /tmp/calliope-debug.log (file, not stdout)
+// so it doesn't corrupt the Ink TUI. Enable via --debug CLI flag or
+// CALLIOPE_DEBUG=1 env var.
+const DEBUG_FILE = '/tmp/calliope-debug.log';
 export function debugLog(message, ...args) {
-    if (DEBUG)
-        console.log(`[DEBUG] ${message}`, ...args);
+    if (process.env.CALLIOPE_DEBUG !== '1')
+        return;
+    const line = args.length
+        ? `${new Date().toISOString()} ${message} ${args.map(a => typeof a === 'string' ? a : JSON.stringify(a)).join(' ')}\n`
+        : `${new Date().toISOString()} ${message}\n`;
+    // Async best-effort append; swallow errors.
+    import('fs').then(fs => fs.appendFile(DEBUG_FILE, line, () => { })).catch(() => { });
 }
 /**
  * Extract text from MessageContent
@@ -75,12 +82,14 @@ export function calculateMaxTokens(provider, model, messages, tools) {
     const buffer = Math.max(CONTEXT_BUFFER_MIN, Math.ceil(contextLimit * CONTEXT_BUFFER_PERCENT));
     const available = contextLimit - estimatedInput - buffer;
     debugLog(`Context calculation: limit=${contextLimit}, input≈${estimatedInput}, buffer=${buffer}, available=${available}`);
-    // Ensure we have at least MIN_OUTPUT_TOKENS, up to MAX_TOKENS
+    // Ensure we have at least MIN_OUTPUT_TOKENS, up to the model's real output ceiling
     if (available < MIN_OUTPUT_TOKENS) {
         debugLog(`WARNING: Very limited output space (${available}), using minimum ${MIN_OUTPUT_TOKENS}`);
         return MIN_OUTPUT_TOKENS;
     }
-    return Math.min(MAX_TOKENS, available);
+    // Cap by the model's actual max output (capability-derived), not a global 8192.
+    const maxOutput = getModelMaxOutput(provider, model);
+    return Math.min(maxOutput, available);
 }
 /**
  * Check if context needs summarization based on actual token usage
@@ -88,7 +97,7 @@ export function calculateMaxTokens(provider, model, messages, tools) {
  */
 export function needsSummarization(provider, model, actualInputTokens) {
     const contextLimit = getModelContextLimit(provider, model);
-    const threshold = contextLimit * 0.75; // Trigger summarization at 75% full
+    const threshold = contextLimit * 0.80; // Trigger summarization at 80% full
     return actualInputTokens >= threshold;
 }
 /**
@@ -101,7 +110,7 @@ export function getContextHealth(provider, model, actualInputTokens) {
         limit,
         used: actualInputTokens,
         percent,
-        needsSummarization: actualInputTokens >= limit * 0.75,
+        needsSummarization: actualInputTokens >= limit * 0.80,
     };
 }
 /**
@@ -116,7 +125,7 @@ export function estimateContextUsage(provider, model, messages, tools) {
         estimated,
         limit,
         percent,
-        needsSummarization: estimated >= limit * 0.75, // Trigger auto-compact at 75%
+        needsSummarization: estimated >= limit * 0.80, // Trigger auto-compact at 80%
     };
 }
 /**

package/dist/providers/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAG7D,YAAY;AACZ,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,CAAC;AAC/B,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,CAAC,CAAC,mCAAmC;AAC1E,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,CAAC,CAAC,iCAAiC;AAC7E,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,CAAC,CAAC,4CAA4C;AAEpF,oEAAoE;AACpE,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9C,uBAAuB;AACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,GAAG,CAAC;AACjD,MAAM,UAAU,QAAQ,CAAC,OAAe,EAAE,GAAG,IAAe;IAC1D,IAAI,KAAK;QAAE,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,CAAC;AACxD,CAAC;AAYD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAA2B;IACxD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,OAAO;SACX,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC;SACtC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAE,KAAqB,CAAC,IAAI,CAAC;SACzC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAmB,EAAE,KAAa;IACpE,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,mDAAmD;QACnD,UAAU,IAAI,EAAE,CAAC;QAEjB,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACpC,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;gBAChC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC1B,UAAU,IAAK,KAAqB,CAAC,IAAI,CAAC,MAAM,CAAC;gBACnD,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAClC,uEAAuE;oBACvE,UAAU,IAAI,IAAI,CAAC;gBACrB,CAAC;YACH,CAAC;QACH,CAAC;QACD,oDAAoD;QACpD,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QACrD,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC7C,CAAC;IAED,uDAAuD;IACvD,yEAAyE;IACzE,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,KAAa,EACb,QAAmB,EACnB,KAAa;IAEb,MAAM,YAAY,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC5D,iDAAiD;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,sBAAsB,CAAC,CAAC,CAAC;IAC9F,MAAM,SAAS,GAAG,YAAY,GAAG,cAAc,GAAG,MAAM,CAAC;IAEzD,QAAQ,CAAC,8BAA8B,YAAY,WAAW,cAAc,YAAY,MAAM,eAAe,SAAS,EAAE,CAAC,CAAC;IAE1H,8DAA8D;IAC9D,IAAI,SAAS,GAAG,iBAAiB,EAAE,CAAC;QAClC,QAAQ,CAAC,uCAAuC,SAAS,oBAAoB,iBAAiB,EAAE,CAAC,CAAC;QAClG,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,KAAa,EACb,iBAAyB;IAEzB,MAAM,YAAY,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC,oCAAoC;IAC3E,OAAO,iBAAiB,IAAI,SAAS,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAqB,EACrB,KAAa,EACb,iBAAyB;IAEzB,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,iBAAiB,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;IAC9D,OAAO;QACL,KAAK;QACL,IAAI,EAAE,iBAAiB;QACvB,OAAO;QACP,kBAAkB,EAAE,iBAAiB,IAAI,KAAK,GAAG,IAAI;KACtD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAqB,EACrB,KAAa,EACb,QAAmB,EACnB,KAAa;IAEb,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;IACtD,OAAO;QACL,SAAS;QACT,KAAK;QACL,OAAO;QACP,kBAAkB,EAAE,SAAS,IAAI,KAAK,GAAG,IAAI,EAAE,8BAA8B;KAC9E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAqB;IACvD,6BAA6B;IAC7B,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChE,QAAQ,CAAC,OAAO,GAAG,EAAE,CAAC;IACxB,CAAC;SAAM,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChD,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,gDAAgD;IAChD,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACjD,QAAQ,CAAC,iCAAiC,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAC/F,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,GAAG,mBAAmB,CAAC;IACzF,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvB,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;YACpD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC5C,QAAQ,CAAC,0CAA0C,EAAE,IAAI,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAChD,QAAQ,CAAC,4CAA4C,EAAE,IAAI,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5D,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;YACtB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,QAAQ,CAAC,SAAS,GAAG,SAAS,CAAC;QACjC,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7E,QAAQ,CAAC,YAAY,GAAG,MAAM,CAAC;IACjC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAGhF,YAAY;AACZ,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,CAAC;AAC/B,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,CAAC,CAAC,mCAAmC;AAC1E,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,CAAC,CAAC,iCAAiC;AAC7E,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,CAAC,CAAC,4CAA4C;AAEpF,oEAAoE;AACpE,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9C,6EAA6E;AAC7E,oEAAoE;AACpE,4BAA4B;AAC5B,MAAM,UAAU,GAAG,yBAAyB,CAAC;AAC7C,MAAM,UAAU,QAAQ,CAAC,OAAe,EAAE,GAAG,IAAe;IAC1D,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,GAAG;QAAE,OAAO;IAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM;QACtB,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI;QACtH,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,OAAO,IAAI,CAAC;IAC/C,4CAA4C;IAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACrF,CAAC;AAYD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAA2B;IACxD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,OAAO;SACX,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC;SACtC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAE,KAAqB,CAAC,IAAI,CAAC;SACzC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAmB,EAAE,KAAa;IACpE,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,mDAAmD;QACnD,UAAU,IAAI,EAAE,CAAC;QAEjB,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACpC,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;gBAChC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC1B,UAAU,IAAK,KAAqB,CAAC,IAAI,CAAC,MAAM,CAAC;gBACnD,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAClC,uEAAuE;oBACvE,UAAU,IAAI,IAAI,CAAC;gBACrB,CAAC;YACH,CAAC;QACH,CAAC;QACD,oDAAoD;QACpD,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QACrD,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC7C,CAAC;IAED,uDAAuD;IACvD,yEAAyE;IACzE,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,KAAa,EACb,QAAmB,EACnB,KAAa;IAEb,MAAM,YAAY,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC5D,iDAAiD;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,sBAAsB,CAAC,CAAC,CAAC;IAC9F,MAAM,SAAS,GAAG,YAAY,GAAG,cAAc,GAAG,MAAM,CAAC;IAEzD,QAAQ,CAAC,8BAA8B,YAAY,WAAW,cAAc,YAAY,MAAM,eAAe,SAAS,EAAE,CAAC,CAAC;IAE1H,mFAAmF;IACnF,IAAI,SAAS,GAAG,iBAAiB,EAAE,CAAC;QAClC,QAAQ,CAAC,uCAAuC,SAAS,oBAAoB,iBAAiB,EAAE,CAAC,CAAC;QAClG,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,gFAAgF;IAChF,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACrD,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,KAAa,EACb,iBAAyB;IAEzB,MAAM,YAAY,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC,oCAAoC;IAC3E,OAAO,iBAAiB,IAAI,SAAS,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAqB,EACrB,KAAa,EACb,iBAAyB;IAEzB,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,iBAAiB,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;IAC9D,OAAO;QACL,KAAK;QACL,IAAI,EAAE,iBAAiB;QACvB,OAAO;QACP,kBAAkB,EAAE,iBAAiB,IAAI,KAAK,GAAG,IAAI;KACtD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAqB,EACrB,KAAa,EACb,QAAmB,EACnB,KAAa;IAEb,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;IACtD,OAAO;QACL,SAAS;QACT,KAAK;QACL,OAAO;QACP,kBAAkB,EAAE,SAAS,IAAI,KAAK,GAAG,IAAI,EAAE,8BAA8B;KAC9E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAqB;IACvD,6BAA6B;IAC7B,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChE,QAAQ,CAAC,OAAO,GAAG,EAAE,CAAC;IACxB,CAAC;SAAM,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChD,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,gDAAgD;IAChD,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACjD,QAAQ,CAAC,iCAAiC,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAC/F,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,GAAG,mBAAmB,CAAC;IACzF,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvB,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;YACpD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC5C,QAAQ,CAAC,0CAA0C,EAAE,IAAI,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAChD,QAAQ,CAAC,4CAA4C,EAAE,IAAI,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5D,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;YACtB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,QAAQ,CAAC,SAAS,GAAG,SAAS,CAAC;QACjC,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7E,QAAQ,CAAC,YAAY,GAAG,MAAM,CAAC;IACjC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/risk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"risk.d.ts","sourceRoot":"","sources":["../src/risk.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AA6ItE;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAoE/D;AAaD;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,cAAc,CAgDjE;AAsBD;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAStD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAapF;AAsCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG;IAChD,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAwBA"}
+{"version":3,"file":"risk.d.ts","sourceRoot":"","sources":["../src/risk.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAqJtE;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAsE/D;AAaD;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,cAAc,CAgDjE;AAsBD;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAStD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAapF;AAsCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG;IAChD,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAwBA"}

package/dist/risk.js

@@ -14,7 +14,6 @@ const SHELL_PATTERNS = {
         /^head\s/,
         /^tail\s/,
         /^grep\s/,
-        /^find\s/,
         /^pwd$/,
         /^echo\s/,
         /^wc\s/,
@@ -68,6 +67,11 @@ const SHELL_PATTERNS = {
         /^rm\s/,
         /^rmdir\s/,
         /^mv\s/,
+        /^find\s.*\s-delete(\s|$)/,
+        /^find\s.*\s-exec\s/,
+        /^find\s.*\s-execdir\s/,
+        /^shred(\s|$)/,
+        /^truncate(\s|$)/,
         /^chmod\s/,
         /^chown\s/,
         /^git\s+push/,
@@ -88,6 +92,10 @@ const SHELL_PATTERNS = {
         /^kill\s/,
         /^pkill\s/,
         /^killall\s/,
+        // Output redirection to a file (> truncate or >> append). The critical
+        // >/dev/ rule is checked earlier; everything else writing via redirect
+        // requires confirmation. Allows an optional leading fd (e.g. 2>).
+        /\d?>>?\s*\S/,
     ],
     critical: [
         /^sudo\s/,
@@ -195,11 +203,13 @@ export function assessShellRisk(command) {
             };
         }
     }
-    // Default to medium for unknown commands
+    // Default to high-with-confirmation for unknown commands (allowlist-by-default).
+    // Anything not explicitly enumerated above could be destructive, so prompt
+    // unless god mode is on.
     return {
-        level: 'medium',
-        reason: 'Unknown command - defaulting to medium risk',
-        requiresConfirmation: false,
+        level: 'high',
+        reason: 'Unknown command - requires confirmation',
+        requiresConfirmation: true,
     };
 }
 /**

package/dist/risk.js.map

@@ -1 +1 @@
-{"version":3,"file":"risk.js","sourceRoot":"","sources":["../src/risk.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;GAEG;AACH,MAAM,cAAc,GAAgC;IAClD,IAAI,EAAE,EAAE,EAAE,uCAAuC;IAEjD,GAAG,EAAE;QACH,WAAW;QACX,QAAQ;QACR,SAAS;QACT,SAAS;QACT,SAAS;QACT,SAAS;QACT,OAAO;QACP,SAAS;QACT,OAAO;QACP,SAAS;QACT,SAAS;QACT,SAAS;QACT,UAAU;QACV,UAAU;QACV,QAAQ;QACR,YAAY;QACZ,eAAe;QACf,YAAY;QACZ,aAAa;QACb,eAAe;QACf,aAAa;QACb,oBAAoB;QACpB,aAAa;QACb,aAAa;QACb,eAAe;QACf,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;QAClB,qBAAqB;QACrB,OAAO;QACP,WAAW;KACZ;IAED,MAAM,EAAE;QACN,YAAY;QACZ,eAAe;QACf,iBAAiB;QACjB,uBAAuB;QACvB,cAAc;QACd,cAAc;QACd,eAAe;QACf,gBAAgB;QAChB,gBAAgB;QAChB,eAAe;QACf,WAAW;QACX,oBAAoB;QACpB,iBAAiB;QACjB,gBAAgB;QAChB,UAAU;QACV,UAAU;QACV,OAAO;QACP,YAAY;QACZ,QAAQ;QACR,SAAS;QACT,WAAW;KACZ;IAED,IAAI,EAAE;QACJ,OAAO;QACP,UAAU;QACV,OAAO;QACP,UAAU;QACV,UAAU;QACV,aAAa;QACb,cAAc;QACd,eAAe;QACf,cAAc;QACd,uBAAuB;QACvB,gBAAgB;QAChB,kBAAkB;QAClB,kBAAkB;QAClB,aAAa;QACb,kBAAkB;QAClB,kBAAkB;QAClB,cAAc;QACd,eAAe;QACf,gBAAgB;QAChB,gBAAgB;QAChB,SAAS;QACT,UAAU;QACV,YAAY;KACb;IAED,QAAQ,EAAE;QACR,SAAS;QACT,OAAO;QACP,WAAW;QACX,WAAW;QACX,aAAa;QACb,aAAa;QACb,eAAe;QACf,cAAc;QACd,aAAa;QACb,aAAa;QACb,OAAO;QACP,OAAO;QACP,QAAQ;QACR,SAAS;QACT,SAAS;QACT,aAAa;QACb,sBAAsB;QACtB,iBAAiB;QACjB,uBAAuB;QACvB,aAAa;QACb,SAAS;QACT,eAAe;QACf,iBAAiB;QACjB,sBAAsB;QACtB,sBAAsB;KACvB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAG;IACrB,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,QAAQ;IACR,UAAU;IACV,WAAW;CACZ,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAE/B,oCAAoC;IACpC,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,UAAU;gBACjB,MAAM,EAAE,oDAAoD;gBAC5D,oBAAoB,EAAE,IAAI;aAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACrE,yCAAyC;YACzC,IAAI,0CAA0C,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7D,OAAO;oBACL,KAAK,EAAE,UAAU;oBACjB,MAAM,EAAE,qCAAqC,YAAY,EAAE;oBAC3D,oBAAoB,EAAE,IAAI;iBAC3B,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;QAC1C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,MAAM;gBACb,MAAM,EAAE,6CAA6C;gBACrD,oBAAoB,EAAE,IAAI;aAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;QAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE,mCAAmC;gBAC3C,oBAAoB,EAAE,KAAK;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,GAAG,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,oCAAoC;gBAC5C,oBAAoB,EAAE,KAAK;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,MAAM,EAAE,6CAA6C;QACrD,oBAAoB,EAAE,KAAK;KAC5B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,cAAc,GAA8B;IAChD,KAAK,EAAE,MAAM;IACb,SAAS,EAAE,MAAM;IACjB,UAAU,EAAE,MAAM;IAClB,UAAU,EAAE,QAAQ;IACpB,KAAK,EAAE,KAAK,EAAE,yCAAyC;CACxD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAkB;IAC/C,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC;IAE3C,sCAAsC;IACtC,IAAI,IAAI,KAAK,OAAO,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzD,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,mDAAmD;IACnD,IAAI,IAAI,KAAK,YAAY,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;QAE3B,2BAA2B;QAC3B,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;YAC1C,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;YACvE,IAAI,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC3E,OAAO;oBACL,KAAK,EAAE,UAAU;oBACjB,MAAM,EAAE,8BAA8B,YAAY,EAAE;oBACpD,oBAAoB,EAAE,IAAI;iBAC3B,CAAC;YACJ,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,IAAI,+BAA+B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,KAAK,EAAE,MAAM;gBACb,MAAM,EAAE,gCAAgC;gBACxC,oBAAoB,EAAE,IAAI;aAC3B,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,QAAQ;YACf,MAAM,EAAE,sBAAsB;YAC9B,oBAAoB,EAAE,KAAK;SAC5B,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;IAElD,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC;QACrC,oBAAoB,EAAE,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,UAAU;KACrE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,KAAgB;IACvD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,iCAAiC,CAAC;QAC3C,KAAK,WAAW;YACd,OAAO,uBAAuB,CAAC;QACjC,KAAK,YAAY;YACf,OAAO,6BAA6B,CAAC;QACvC,KAAK,YAAY;YACf,OAAO,sBAAsB,CAAC;QAChC,KAAK,OAAO;YACV,OAAO,yBAAyB,CAAC;QACnC;YACE,OAAO,mBAAmB,QAAQ,EAAE,CAAC;IACzC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAgB;IAC5C,MAAM,IAAI,GAA8B;QACtC,IAAI,EAAE,OAAO;QACb,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,OAAO;QACf,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,OAAO;KAClB,CAAC;IACF,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAoB,EAAE,OAAgB;IACzE,kDAAkD;IAClD,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kDAAkD;IAClD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0CAA0C;IAC1C,OAAO,IAAI,CAAC,oBAAoB,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,aAAa;IACb,YAAY;IACZ,UAAU;IACV,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,YAAY;IACZ,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,iBAAiB;IACjB,eAAe;IACf,YAAY;CACb,CAAC;AAEF,MAAM,kBAAkB,GAAG;IACzB,UAAU;IACV,YAAY;IACZ,UAAU;IACV,SAAS;IACT,aAAa;IACb,UAAU;IACV,QAAQ;IACR,WAAW;IACX,UAAU;CACX,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAI7C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEnC,gCAAgC;IAChC,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,MAAM,EAAE,gCAAgC,OAAO,GAAG;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,MAAM,EAAE,8CAA8C,OAAO,GAAG;aACjE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC"}
+{"version":3,"file":"risk.js","sourceRoot":"","sources":["../src/risk.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;GAEG;AACH,MAAM,cAAc,GAAgC;IAClD,IAAI,EAAE,EAAE,EAAE,uCAAuC;IAEjD,GAAG,EAAE;QACH,WAAW;QACX,QAAQ;QACR,SAAS;QACT,SAAS;QACT,SAAS;QACT,OAAO;QACP,SAAS;QACT,OAAO;QACP,SAAS;QACT,SAAS;QACT,SAAS;QACT,UAAU;QACV,UAAU;QACV,QAAQ;QACR,YAAY;QACZ,eAAe;QACf,YAAY;QACZ,aAAa;QACb,eAAe;QACf,aAAa;QACb,oBAAoB;QACpB,aAAa;QACb,aAAa;QACb,eAAe;QACf,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;QAClB,qBAAqB;QACrB,OAAO;QACP,WAAW;KACZ;IAED,MAAM,EAAE;QACN,YAAY;QACZ,eAAe;QACf,iBAAiB;QACjB,uBAAuB;QACvB,cAAc;QACd,cAAc;QACd,eAAe;QACf,gBAAgB;QAChB,gBAAgB;QAChB,eAAe;QACf,WAAW;QACX,oBAAoB;QACpB,iBAAiB;QACjB,gBAAgB;QAChB,UAAU;QACV,UAAU;QACV,OAAO;QACP,YAAY;QACZ,QAAQ;QACR,SAAS;QACT,WAAW;KACZ;IAED,IAAI,EAAE;QACJ,OAAO;QACP,UAAU;QACV,OAAO;QACP,0BAA0B;QAC1B,oBAAoB;QACpB,uBAAuB;QACvB,cAAc;QACd,iBAAiB;QACjB,UAAU;QACV,UAAU;QACV,aAAa;QACb,cAAc;QACd,eAAe;QACf,cAAc;QACd,uBAAuB;QACvB,gBAAgB;QAChB,kBAAkB;QAClB,kBAAkB;QAClB,aAAa;QACb,kBAAkB;QAClB,kBAAkB;QAClB,cAAc;QACd,eAAe;QACf,gBAAgB;QAChB,gBAAgB;QAChB,SAAS;QACT,UAAU;QACV,YAAY;QACZ,uEAAuE;QACvE,uEAAuE;QACvE,kEAAkE;QAClE,aAAa;KACd;IAED,QAAQ,EAAE;QACR,SAAS;QACT,OAAO;QACP,WAAW;QACX,WAAW;QACX,aAAa;QACb,aAAa;QACb,eAAe;QACf,cAAc;QACd,aAAa;QACb,aAAa;QACb,OAAO;QACP,OAAO;QACP,QAAQ;QACR,SAAS;QACT,SAAS;QACT,aAAa;QACb,sBAAsB;QACtB,iBAAiB;QACjB,uBAAuB;QACvB,aAAa;QACb,SAAS;QACT,eAAe;QACf,iBAAiB;QACjB,sBAAsB;QACtB,sBAAsB;KACvB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAG;IACrB,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,QAAQ;IACR,UAAU;IACV,WAAW;CACZ,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAE/B,oCAAoC;IACpC,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,UAAU;gBACjB,MAAM,EAAE,oDAAoD;gBAC5D,oBAAoB,EAAE,IAAI;aAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACrE,yCAAyC;YACzC,IAAI,0CAA0C,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7D,OAAO;oBACL,KAAK,EAAE,UAAU;oBACjB,MAAM,EAAE,qCAAqC,YAAY,EAAE;oBAC3D,oBAAoB,EAAE,IAAI;iBAC3B,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;QAC1C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,MAAM;gBACb,MAAM,EAAE,6CAA6C;gBACrD,oBAAoB,EAAE,IAAI;aAC3B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;QAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE,mCAAmC;gBAC3C,oBAAoB,EAAE,KAAK;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,GAAG,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,oCAAoC;gBAC5C,oBAAoB,EAAE,KAAK;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,2EAA2E;IAC3E,yBAAyB;IACzB,OAAO;QACL,KAAK,EAAE,MAAM;QACb,MAAM,EAAE,yCAAyC;QACjD,oBAAoB,EAAE,IAAI;KAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,cAAc,GAA8B;IAChD,KAAK,EAAE,MAAM;IACb,SAAS,EAAE,MAAM;IACjB,UAAU,EAAE,MAAM;IAClB,UAAU,EAAE,QAAQ;IACpB,KAAK,EAAE,KAAK,EAAE,yCAAyC;CACxD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAkB;IAC/C,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC;IAE3C,sCAAsC;IACtC,IAAI,IAAI,KAAK,OAAO,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzD,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,mDAAmD;IACnD,IAAI,IAAI,KAAK,YAAY,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;QAE3B,2BAA2B;QAC3B,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;YAC1C,MAAM,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;YACvE,IAAI,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC3E,OAAO;oBACL,KAAK,EAAE,UAAU;oBACjB,MAAM,EAAE,8BAA8B,YAAY,EAAE;oBACpD,oBAAoB,EAAE,IAAI;iBAC3B,CAAC;YACJ,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,IAAI,+BAA+B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,KAAK,EAAE,MAAM;gBACb,MAAM,EAAE,gCAAgC;gBACxC,oBAAoB,EAAE,IAAI;aAC3B,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,QAAQ;YACf,MAAM,EAAE,sBAAsB;YAC9B,oBAAoB,EAAE,KAAK;SAC5B,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;IAElD,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC;QACrC,oBAAoB,EAAE,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,UAAU;KACrE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,KAAgB;IACvD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,iCAAiC,CAAC;QAC3C,KAAK,WAAW;YACd,OAAO,uBAAuB,CAAC;QACjC,KAAK,YAAY;YACf,OAAO,6BAA6B,CAAC;QACvC,KAAK,YAAY;YACf,OAAO,sBAAsB,CAAC;QAChC,KAAK,OAAO;YACV,OAAO,yBAAyB,CAAC;QACnC;YACE,OAAO,mBAAmB,QAAQ,EAAE,CAAC;IACzC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAgB;IAC5C,MAAM,IAAI,GAA8B;QACtC,IAAI,EAAE,OAAO;QACb,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,OAAO;QACf,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,OAAO;KAClB,CAAC;IACF,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAoB,EAAE,OAAgB;IACzE,kDAAkD;IAClD,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kDAAkD;IAClD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0CAA0C;IAC1C,OAAO,IAAI,CAAC,oBAAoB,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,aAAa;IACb,YAAY;IACZ,UAAU;IACV,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,YAAY;IACZ,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,iBAAiB;IACjB,eAAe;IACf,YAAY;CACb,CAAC;AAEF,MAAM,kBAAkB,GAAG;IACzB,UAAU;IACV,YAAY;IACZ,UAAU;IACV,SAAS;IACT,aAAa;IACb,UAAU;IACV,QAAQ;IACR,WAAW;IACX,UAAU;CACX,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAI7C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEnC,gCAAgC;IAChC,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,MAAM,EAAE,gCAAgC,OAAO,GAAG;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,MAAM,EAAE,8CAA8C,OAAO,GAAG;aACjE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC"}

package/dist/sandbox-native.d.ts

@@ -23,6 +23,7 @@ export interface NativeSandboxOptions {
     /** Additional read-write paths to allow */
     readWritePaths?: string[];
 }
+export declare function buildSeatbeltProfile(cwd: string, options?: NativeSandboxOptions): string;
 /**
  * Check if macOS Seatbelt (sandbox-exec) is available
  */

package/dist/sandbox-native.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox-native.d.ts","sourceRoot":"","sources":["../src/sandbox-native.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC;AAE9D,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,0CAA0C;IAC1C,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AA+FD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAiB7C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAa7C;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAElD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,cAAc,CAIpD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,cAAc,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAyBA;AAcD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAyB9B;AA0FD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAG1C"}
+{"version":3,"file":"sandbox-native.d.ts","sourceRoot":"","sources":["../src/sandbox-native.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC;AAE9D,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,0CAA0C;IAC1C,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAoDD,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,oBAAyB,GACjC,MAAM,CAkER;AASD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAiB7C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAa7C;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAElD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,cAAc,CAIpD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,cAAc,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAyBA;AAcD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAyB9B;AA0FD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAG1C"}

package/dist/sandbox-native.js

@@ -16,11 +16,32 @@ import * as os from 'os';
  * Defaults:
  *  - deny everything by default
  *  - allow process execution and forking
- *  - allow all file reads (safe; write restriction is the enforcement point)
+ *  - allow broad file reads BUT explicitly deny common secret locations
+ *    (~/.ssh, ~/.aws, ~/.config, ~/.gnupg, ~/.gcloud, *.env) so that even with
+ *    network off a poisoned command cannot read credentials (#133). Seatbelt
+ *    applies the most-specific matching rule, so a (deny file-read*) subpath
+ *    overrides the broad (allow file-read*).
  *  - allow file writes only in: project cwd, /dev (stdout/stderr), temp dirs
  *  - allow file-ioctl (terminal I/O), sysctl-read, mach-lookup, signal
- *  - optionally allow outbound HTTP/HTTPS
+ *  - network is DENIED by default; outbound HTTP/HTTPS is only added when the
+ *    caller explicitly opts in via options.networkEnabled (#133).
  */
+/**
+ * Common secret/credential locations that must never be readable from inside the
+ * sandbox, expressed relative to the user's home directory plus a literal .env
+ * regex. Read denials for these override the broad (allow file-read*).
+ */
+const SECRET_READ_DENY_SUBPATHS = [
+    '.ssh',
+    '.aws',
+    '.config',
+    '.gnupg',
+    '.gcloud',
+    '.config/gcloud',
+    '.kube',
+    '.docker',
+    '.netrc',
+];
 /**
  * Sanitize a path for safe embedding in a Seatbelt profile string.
  * Escapes characters that are significant in the Scheme-like DSL
@@ -34,17 +55,27 @@ function sanitizeSeatbeltPath(p) {
     // Escape backslashes first, then double quotes
     return p.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
 }
-function buildSeatbeltProfile(cwd, options = {}) {
+export function buildSeatbeltProfile(cwd, options = {}) {
     const extraReadWrite = options.readWritePaths || [];
     const safeCwd = sanitizeSeatbeltPath(cwd);
     // Build read-write subpath rules for extra paths
     const extraRwRules = extraReadWrite
         .map((p) => `(allow file-write* (subpath "${sanitizeSeatbeltPath(p)}"))`)
         .join('\n');
-    // Network rules
+    // Network rules — DENIED by default; only enabled on explicit opt-in (#133)
     const networkRules = options.networkEnabled
         ? `(allow network-outbound (remote ip "*:443") (remote ip "*:80"))\n(allow network-outbound (remote unix-socket))`
         : '';
+    // Deny reads of well-known secret locations even though reads are broadly
+    // allowed (#133). Seatbelt resolves the most-specific subpath rule, so these
+    // denials win over the broad (allow file-read*) below. We also deny *.env via
+    // a regex so credential files anywhere on disk are not readable.
+    const home = os.homedir();
+    const secretDenyRules = [
+        ...SECRET_READ_DENY_SUBPATHS.map((sub) => `(deny file-read* (subpath "${sanitizeSeatbeltPath(`${home}/${sub}`)}"))`),
+        // Any file whose name ends in .env (e.g. .env, foo.env, .env.production)
+        `(deny file-read* (regex #"\\.env($|\\.)"))`,
+    ].join('\n');
     const profile = `(version 1)
 (deny default)
 
@@ -52,8 +83,9 @@ function buildSeatbeltProfile(cwd, options = {}) {
 (allow process-exec)
 (allow process-fork)
 
-;; File reads: allow broadly (read-only is safe; write restrictions are the enforcement point)
+;; File reads: allow broadly, then deny known secret locations (#133)
 (allow file-read*)
+${secretDenyRules}
 
 ;; File writes: restricted to project directory, temp dirs, and stdout/stderr devices
 (allow file-write*

package/dist/sandbox-native.js.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox-native.js","sourceRoot":"","sources":["../src/sandbox-native.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AA2BzB,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,CAAS;IACrC,qCAAqC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,+CAA+C;IAC/C,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,oBAAoB,CAC3B,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IAEpD,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAE1C,iDAAiD;IACjD,MAAM,YAAY,GAAG,cAAc;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gCAAgC,oBAAoB,CAAC,CAAC,CAAC,KAAK,CAAC;SACxE,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,gBAAgB;IAChB,MAAM,YAAY,GAAG,OAAO,CAAC,cAAc;QACzC,CAAC,CAAC,gHAAgH;QAClH,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAG;;;;;;;;;;;;;;;;;;cAkBJ,OAAO;;;;EAInB,YAAY;;;;;;;;;;;EAWZ,YAAY;CACb,CAAC;IAEA,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,kBAAkB,GAAmB,IAAI,CAAC;AAC9C,IAAI,kBAAkB,GAAmB,IAAI,CAAC;AAE9C;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC/B,kBAAkB,GAAG,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,6EAA6E;QAC7E,YAAY,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3D,kBAAkB,GAAG,IAAI,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB,GAAG,KAAK,CAAC;IAC7B,CAAC;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC9B,kBAAkB,GAAG,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,2DAA2D;IAC3D,kBAAkB,GAAG,KAAK,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,mBAAmB,EAAE,IAAI,mBAAmB,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,mBAAmB,EAAE;QAAE,OAAO,UAAU,CAAC;IAC7C,IAAI,mBAAmB,EAAE;QAAE,OAAO,UAAU,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAM9B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,KAAK,MAAM,CAAC;IAErC,IAAI,WAAmB,CAAC;IACxB,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,WAAW,GAAG,kFAAkF,CAAC;YACjG,MAAM;QACR,KAAK,UAAU;YACb,WAAW,GAAG,qDAAqD,CAAC;YACpE,MAAM;QACR,KAAK,MAAM;YACT,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC1B,WAAW,GAAG,6CAA6C,CAAC;YAC9D,CAAC;iBAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAChC,WAAW,GAAG,oEAAoE,CAAC;YACrF,CAAC;iBAAM,CAAC;gBACN,WAAW,GAAG,mCAAmC,QAAQ,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM;IACV,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AACvD,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,uFAAuF;AACvF,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AACzC,MAAM,kBAAkB,GAAG,sCAAsC,CAAC;AAElE,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAe,EACf,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;IAEtC,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,mBAAmB,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACpD,KAAK,UAAU;YACb,6DAA6D;YAC7D,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,oEAAoE;gBAC5E,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,gEAAgE;gBACxE,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,OAAe,EACf,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IACzC,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,eAAe,GAAG,KAAK,CAAC;QAC5B,IAAI,eAAe,GAAG,KAAK,CAAC;QAE5B,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;YAC1E,GAAG;YACH,OAAO;YACP,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE;YACrC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;oBACpC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;oBAC1C,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;oBACpC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;oBAC1C,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YAEpB,IAAI,eAAe;gBAAE,MAAM,IAAI,kBAAkB,CAAC;YAClD,IAAI,eAAe;gBAAE,MAAM,IAAI,kBAAkB,CAAC;YAElD,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM,EAAE,MAAM,GAAG,uBAAuB;oBACxC,QAAQ,EAAE,GAAG;oBACb,SAAS,EAAE,IAAI;oBACf,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,SAAS,EAAE,IAAI;oBACf,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC;gBACN,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,GAAG,CAAC,OAAO;gBACnB,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,kBAAkB,GAAG,IAAI,CAAC;IAC1B,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC"}
+{"version":3,"file":"sandbox-native.js","sourceRoot":"","sources":["../src/sandbox-native.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AA2BzB,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;;;;;;;;;;;;;GAeG;AACH;;;;GAIG;AACH,MAAM,yBAAyB,GAAG;IAChC,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;IACR,SAAS;IACT,gBAAgB;IAChB,OAAO;IACP,SAAS;IACT,QAAQ;CACT,CAAC;AACF;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,CAAS;IACrC,qCAAqC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,+CAA+C;IAC/C,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IAEpD,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAE1C,iDAAiD;IACjD,MAAM,YAAY,GAAG,cAAc;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gCAAgC,oBAAoB,CAAC,CAAC,CAAC,KAAK,CAAC;SACxE,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,4EAA4E;IAC5E,MAAM,YAAY,GAAG,OAAO,CAAC,cAAc;QACzC,CAAC,CAAC,gHAAgH;QAClH,CAAC,CAAC,EAAE,CAAC;IAEP,0EAA0E;IAC1E,6EAA6E;IAC7E,8EAA8E;IAC9E,iEAAiE;IACjE,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1B,MAAM,eAAe,GAAG;QACtB,GAAG,yBAAyB,CAAC,GAAG,CAC9B,CAAC,GAAG,EAAE,EAAE,CAAC,8BAA8B,oBAAoB,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,KAAK,CACnF;QACD,yEAAyE;QACzE,4CAA4C;KAC7C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,MAAM,OAAO,GAAG;;;;;;;;;EAShB,eAAe;;;;;;;;;;cAUH,OAAO;;;;EAInB,YAAY;;;;;;;;;;;EAWZ,YAAY;CACb,CAAC;IAEA,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,kBAAkB,GAAmB,IAAI,CAAC;AAC9C,IAAI,kBAAkB,GAAmB,IAAI,CAAC;AAE9C;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC/B,kBAAkB,GAAG,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,6EAA6E;QAC7E,YAAY,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3D,kBAAkB,GAAG,IAAI,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB,GAAG,KAAK,CAAC;IAC7B,CAAC;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC9B,kBAAkB,GAAG,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,2DAA2D;IAC3D,kBAAkB,GAAG,KAAK,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,mBAAmB,EAAE,IAAI,mBAAmB,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,mBAAmB,EAAE;QAAE,OAAO,UAAU,CAAC;IAC7C,IAAI,mBAAmB,EAAE;QAAE,OAAO,UAAU,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAM9B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,KAAK,MAAM,CAAC;IAErC,IAAI,WAAmB,CAAC;IACxB,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,WAAW,GAAG,kFAAkF,CAAC;YACjG,MAAM;QACR,KAAK,UAAU;YACb,WAAW,GAAG,qDAAqD,CAAC;YACpE,MAAM;QACR,KAAK,MAAM;YACT,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC1B,WAAW,GAAG,6CAA6C,CAAC;YAC9D,CAAC;iBAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAChC,WAAW,GAAG,oEAAoE,CAAC;YACrF,CAAC;iBAAM,CAAC;gBACN,WAAW,GAAG,mCAAmC,QAAQ,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM;IACV,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AACvD,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,uFAAuF;AACvF,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AACzC,MAAM,kBAAkB,GAAG,sCAAsC,CAAC;AAElE,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAe,EACf,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;IAEtC,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,mBAAmB,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACpD,KAAK,UAAU;YACb,6DAA6D;YAC7D,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,oEAAoE;gBAC5E,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,gEAAgE;gBACxE,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,OAAe,EACf,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IACzC,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,eAAe,GAAG,KAAK,CAAC;QAC5B,IAAI,eAAe,GAAG,KAAK,CAAC;QAE5B,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;YAC1E,GAAG;YACH,OAAO;YACP,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE;YACrC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;oBACpC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;oBAC1C,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;oBACpC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;oBAC1C,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YAEpB,IAAI,eAAe;gBAAE,MAAM,IAAI,kBAAkB,CAAC;YAClD,IAAI,eAAe;gBAAE,MAAM,IAAI,kBAAkB,CAAC;YAElD,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM,EAAE,MAAM,GAAG,uBAAuB;oBACxC,QAAQ,EAAE,GAAG;oBACb,SAAS,EAAE,IAAI;oBACf,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,SAAS,EAAE,IAAI;oBACf,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC;gBACN,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,GAAG,CAAC,OAAO;gBACnB,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,kBAAkB,GAAG,IAAI,CAAC;IAC1B,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC"}

package/dist/scope.d.ts

@@ -32,6 +32,16 @@ declare class ScopeManager {
      * to prevent scope leakage across sessions.
      */
     reset(cwd?: string): void;
+    /**
+     * Resolve a path to its canonical (symlink-free) form before scope checks (#139).
+     *
+     * - If the path exists, returns fs.realpathSync(path). On a realpath error for
+     *   an existing path we fail closed by returning null.
+     * - If the path does not yet exist (e.g. a write target), we canonicalize the
+     *   nearest existing ancestor directory and re-append the remaining segments,
+     *   so a write whose parent dir is a symlink out of scope is screened too.
+     */
+    private canonicalize;
     /**
      * Add a directory to the allowed scope
      */

package/dist/scope.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../src/scope.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,WAAW;IAC1B,4CAA4C;IAC5C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,gDAAgD;IAChD,SAAS,EAAE,OAAO,CAAC;IACnB,sCAAsC;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,uDAAuD;IACvD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,oDAAoD;IACpD,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAgCD,cAAM,YAAY;IAChB,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAS;;IAcvB;;;;OAIG;IACH,KAAK,CAAC,GAAG,GAAE,MAAsB,GAAG,IAAI;IAQxC;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAyBpE;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAgBvE;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,qBAAqB;IAoDpE;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM;IAkBnD;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;IAI1B;;OAEG;IACH,eAAe,IAAI,MAAM;IAqBzB;;OAEG;IACH,eAAe,IAAI,MAAM;IAyBzB;;;OAGG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAMD,eAAO,MAAM,YAAY,cAAqB,CAAC;AAM/C,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAEjF;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAEtF;AAED,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAElE;AAED,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAE7C;AAED,wBAAgB,cAAc,IAAI,MAAM,EAAE,CAEzC"}
+{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../src/scope.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,WAAW;IAC1B,4CAA4C;IAC5C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,gDAAgD;IAChD,SAAS,EAAE,OAAO,CAAC;IACnB,sCAAsC;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,uDAAuD;IACvD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,oDAAoD;IACpD,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAgCD,cAAM,YAAY;IAChB,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAS;;IAcvB;;;;OAIG;IACH,KAAK,CAAC,GAAG,GAAE,MAAsB,GAAG,IAAI;IAQxC;;;;;;;;OAQG;IACH,OAAO,CAAC,YAAY;IA2BpB;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAyBpE;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAgBvE;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,qBAAqB;IAiFpE;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM;IAkBnD;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;IAI1B;;OAEG;IACH,eAAe,IAAI,MAAM;IAqBzB;;OAEG;IACH,eAAe,IAAI,MAAM;IAyBzB;;;OAGG;IACH,OAAO,CAAC,cAAc;CAkBvB;AAMD,eAAO,MAAM,YAAY,cAAqB,CAAC;AAM/C,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAEjF;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAEtF;AAED,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAElE;AAED,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAE7C;AAED,wBAAgB,cAAc,IAAI,MAAM,EAAE,CAEzC"}