npm - @codyswann/lisa - Versions diffs - 2.146.0 → 2.147.0 - Mend

@codyswann/lisa 2.146.0 → 2.147.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/plugins/src/wiki/scripts/validate-config.mjs CHANGED Viewed

@@ -22,6 +22,17 @@ const RETENTION = [
   "external-pointer-only",
 ];
 const SENSITIVITY = ["public", "internal", "confidential", "restricted"];
+const REDACTION_ENTITIES = [
+  "api_key",
+  "bank_account",
+  "credit_card",
+  "oauth_token",
+  "password",
+  "private_key",
+  "routing_number",
+  "ssn",
+];
+const REDACTION_SCANNERS = ["builtin", "gitleaks", "presidio"];
 const SOURCE_LAYOUT = ["by-system", "by-category"];
 const README_MODE = ["rich", "stub", "preserve"];
@@ -49,6 +60,14 @@ function checkType(value, type, label) {
     );
   }
 }
+function checkKnownKeys(object, allowed, label) {
+  if (!isObject(object)) return;
+  for (const key of Object.keys(object)) {
+    if (!allowed.includes(key)) {
+      err(`${label}.${key}: unknown field`);
+    }
+  }
+}
 if (!fs.existsSync(configPath)) {
   console.error(`✗ config not found: ${configPath}`);
@@ -123,8 +142,78 @@ if (config.readme !== undefined) {
 if (config.sensitivity !== undefined) {
   if (!isObject(config.sensitivity)) err("sensitivity: must be an object");
   else {
+    checkKnownKeys(
+      config.sensitivity,
+      ["enabled", "default", "redaction"],
+      "sensitivity"
+    );
     checkType(config.sensitivity.enabled, "boolean", "sensitivity.enabled");
     checkEnum(config.sensitivity.default, SENSITIVITY, "sensitivity.default");
+    if (config.sensitivity.redaction !== undefined) {
+      if (!isObject(config.sensitivity.redaction)) {
+        err("sensitivity.redaction: must be an object");
+      } else {
+        const redaction = config.sensitivity.redaction;
+        checkKnownKeys(
+          redaction,
+          [
+            "enabled",
+            "scanners",
+            "failClosed",
+            "requireReview",
+            "allowedEntities",
+            "blockedEntities",
+          ],
+          "sensitivity.redaction"
+        );
+        checkType(
+          redaction.enabled,
+          "boolean",
+          "sensitivity.redaction.enabled"
+        );
+        checkType(
+          redaction.failClosed,
+          "boolean",
+          "sensitivity.redaction.failClosed"
+        );
+        checkType(
+          redaction.requireReview,
+          "boolean",
+          "sensitivity.redaction.requireReview"
+        );
+        if (
+          redaction.scanners !== undefined &&
+          !(isStringArray(redaction.scanners) && redaction.scanners.length > 0)
+        ) {
+          err(
+            "sensitivity.redaction.scanners: must be a non-empty array of strings"
+          );
+        }
+        const scanners = isStringArray(redaction.scanners)
+          ? redaction.scanners
+          : [];
+        for (const scanner of scanners) {
+          checkEnum(
+            scanner,
+            REDACTION_SCANNERS,
+            "sensitivity.redaction.scanners[]"
+          );
+        }
+        for (const key of ["allowedEntities", "blockedEntities"]) {
+          if (redaction[key] !== undefined && !isStringArray(redaction[key])) {
+            err(`sensitivity.redaction.${key}: must be an array of strings`);
+          }
+          const entities = isStringArray(redaction[key]) ? redaction[key] : [];
+          for (const entity of entities) {
+            checkEnum(
+              entity,
+              REDACTION_ENTITIES,
+              `sensitivity.redaction.${key}[]`
+            );
+          }
+        }
+      }
+    }
   }
 }
 if (config.documentation !== undefined) {

package/scripts/install-claude-plugins.sh CHANGED Viewed

@@ -112,6 +112,37 @@ if changed:
 PYEOF
 fi
+# Remove the legacy cc-safety-net inline rules file (self-heal existing projects).
+#
+# Lisa historically shipped a project-root `.safety-net.json` (the cc-safety-net
+# <=0.9.0 inline-rules format) via all/copy-overwrite/. cc-safety-net 1.0.1
+# dropped that format entirely: its PreToolUse Bash guard now treats a
+# project-level `.safety-net.json` as a "legacy rules config location" and FAILS
+# CLOSED — denying EVERY Bash command (even `echo`/`ls`) with "legacy rules
+# config location is no longer used; ask the user to run `npx -y cc-safety-net
+# rule migrate`" — while `rule migrate` cannot convert it (it only looks for a
+# global ~/.cc-safety-net/config.json). The result bricks the agent, and on an
+# unattended/scheduled run there is no human to intervene.
+#
+# 1.0.1 runs fine on its built-in rules with no config file, and Lisa's own
+# block-no-verify.sh + parity-safety-net.sh hooks already enforce --no-verify and
+# destructive-command guards across every agent, so the file is now dead weight.
+# Lisa no longer ships it (removed from all/copy-overwrite/), but copy-overwrite
+# never deletes, so already-provisioned projects keep a stale copy. Remove it
+# here — but ONLY the Lisa-shipped file (identified by its marker rule name), so a
+# project's own hand-authored `.safety-net.json` is never touched.
+LEGACY_SAFETY_NET="$PROJECT_ROOT/.safety-net.json"
+if [ -f "$LEGACY_SAFETY_NET" ] && command -v jq >/dev/null 2>&1; then
+  if jq -e '
+    (.rules | type == "array")
+    and ([.rules[]?.name] | index("block-git-commit-no-verify") != null)
+    and ([.rules[]?.name] | index("block-git-push-no-verify") != null)
+  ' "$LEGACY_SAFETY_NET" >/dev/null 2>&1; then
+    rm -f "$LEGACY_SAFETY_NET" \
+      && echo "Removed legacy .safety-net.json (incompatible with cc-safety-net >=1.0.0; using built-in + Lisa-native guards)."
+  fi
+fi
 # Install plugins only when claude CLI is available
 if ! command -v claude &>/dev/null; then exit 0; fi

package/all/copy-overwrite/.safety-net.json DELETED Viewed

@@ -1,25 +0,0 @@
-{
-  "version": 1,
-  "rules": [
-    {
-      "name": "block-git-commit-no-verify",
-      "command": "git",
-      "subcommand": "commit",
-      "block_args": ["--no-verify", "-n"],
-      "reason": "--no-verify is not allowed. Fix the commit to pass all checks."
-    },
-    {
-      "name": "block-git-stash",
-      "command": "git",
-      "subcommand": "stash",
-      "reason": "Stashing changes is not allowed. Please commit or discard your changes before stashing. If a commit hook is preventing the commit, either fix whatever is preventing the commit or fail out and let the human know why."
-    },
-    {
-      "name": "block-git-push-no-verify",
-      "command": "git",
-      "subcommand": "push",
-      "block_args": ["--no-verify"],
-      "reason": "--no-verify is not allowed. Fix the push to pass all checks."
-    }
-  ]
-}