npm - @codyswann/lisa - Versions diffs - 2.146.1 → 2.147.0 - Mend

@codyswann/lisa 2.146.1 → 2.147.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/plugins/lisa-wiki-copilot/scripts/validate-config.mjs CHANGED Viewed

@@ -22,6 +22,17 @@ const RETENTION = [
   "external-pointer-only",
 ];
 const SENSITIVITY = ["public", "internal", "confidential", "restricted"];
+const REDACTION_ENTITIES = [
+  "api_key",
+  "bank_account",
+  "credit_card",
+  "oauth_token",
+  "password",
+  "private_key",
+  "routing_number",
+  "ssn",
+];
+const REDACTION_SCANNERS = ["builtin", "gitleaks", "presidio"];
 const SOURCE_LAYOUT = ["by-system", "by-category"];
 const README_MODE = ["rich", "stub", "preserve"];
@@ -49,6 +60,14 @@ function checkType(value, type, label) {
     );
   }
 }
+function checkKnownKeys(object, allowed, label) {
+  if (!isObject(object)) return;
+  for (const key of Object.keys(object)) {
+    if (!allowed.includes(key)) {
+      err(`${label}.${key}: unknown field`);
+    }
+  }
+}
 if (!fs.existsSync(configPath)) {
   console.error(`✗ config not found: ${configPath}`);
@@ -123,8 +142,78 @@ if (config.readme !== undefined) {
 if (config.sensitivity !== undefined) {
   if (!isObject(config.sensitivity)) err("sensitivity: must be an object");
   else {
+    checkKnownKeys(
+      config.sensitivity,
+      ["enabled", "default", "redaction"],
+      "sensitivity"
+    );
     checkType(config.sensitivity.enabled, "boolean", "sensitivity.enabled");
     checkEnum(config.sensitivity.default, SENSITIVITY, "sensitivity.default");
+    if (config.sensitivity.redaction !== undefined) {
+      if (!isObject(config.sensitivity.redaction)) {
+        err("sensitivity.redaction: must be an object");
+      } else {
+        const redaction = config.sensitivity.redaction;
+        checkKnownKeys(
+          redaction,
+          [
+            "enabled",
+            "scanners",
+            "failClosed",
+            "requireReview",
+            "allowedEntities",
+            "blockedEntities",
+          ],
+          "sensitivity.redaction"
+        );
+        checkType(
+          redaction.enabled,
+          "boolean",
+          "sensitivity.redaction.enabled"
+        );
+        checkType(
+          redaction.failClosed,
+          "boolean",
+          "sensitivity.redaction.failClosed"
+        );
+        checkType(
+          redaction.requireReview,
+          "boolean",
+          "sensitivity.redaction.requireReview"
+        );
+        if (
+          redaction.scanners !== undefined &&
+          !(isStringArray(redaction.scanners) && redaction.scanners.length > 0)
+        ) {
+          err(
+            "sensitivity.redaction.scanners: must be a non-empty array of strings"
+          );
+        }
+        const scanners = isStringArray(redaction.scanners)
+          ? redaction.scanners
+          : [];
+        for (const scanner of scanners) {
+          checkEnum(
+            scanner,
+            REDACTION_SCANNERS,
+            "sensitivity.redaction.scanners[]"
+          );
+        }
+        for (const key of ["allowedEntities", "blockedEntities"]) {
+          if (redaction[key] !== undefined && !isStringArray(redaction[key])) {
+            err(`sensitivity.redaction.${key}: must be an array of strings`);
+          }
+          const entities = isStringArray(redaction[key]) ? redaction[key] : [];
+          for (const entity of entities) {
+            checkEnum(
+              entity,
+              REDACTION_ENTITIES,
+              `sensitivity.redaction.${key}[]`
+            );
+          }
+        }
+      }
+    }
   }
 }
 if (config.documentation !== undefined) {

package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.146.1",
+  "version": "2.147.0",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-cursor/schema/lisa-wiki-config.schema.json CHANGED Viewed

@@ -35,10 +35,54 @@
     },
     "sensitivity": {
       "type": "object",
-      "additionalProperties": true,
+      "additionalProperties": false,
       "properties": {
         "enabled": { "type": "boolean" },
-        "default": { "enum": ["public", "internal", "confidential", "restricted"] }
+        "default": { "enum": ["public", "internal", "confidential", "restricted"] },
+        "redaction": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "scanners": {
+              "type": "array",
+              "items": { "enum": ["builtin", "gitleaks", "presidio"] },
+              "minItems": 1
+            },
+            "failClosed": { "type": "boolean" },
+            "requireReview": { "type": "boolean" },
+            "allowedEntities": {
+              "type": "array",
+              "items": {
+                "enum": [
+                  "api_key",
+                  "bank_account",
+                  "credit_card",
+                  "oauth_token",
+                  "password",
+                  "private_key",
+                  "routing_number",
+                  "ssn"
+                ]
+              }
+            },
+            "blockedEntities": {
+              "type": "array",
+              "items": {
+                "enum": [
+                  "api_key",
+                  "bank_account",
+                  "credit_card",
+                  "oauth_token",
+                  "password",
+                  "private_key",
+                  "routing_number",
+                  "ssn"
+                ]
+              }
+            }
+          }
+        }
       }
     },
     "sourceRetention": { "enum": ["raw-ok", "sanitized-note-only", "metadata-only", "external-pointer-only"] },

package/plugins/lisa-wiki-cursor/scripts/lint-wiki.mjs CHANGED Viewed

@@ -15,6 +15,7 @@ import { fileURLToPath } from "node:url";
 import {
   loadConfig,
   loadStructure,
+  readJsonSafe,
   pluginRootFrom,
   walkFiles,
   parseFrontmatter,
@@ -60,6 +61,14 @@ const rel = p => path.relative(process.cwd(), p);
 const wrel = p => path.relative(wikiRoot, p);
 const categories = config?.categories ?? structure.categoryDirs?.default ?? [];
 const frontmatterRequired = config?.frontmatter !== false;
+const configPath = path.resolve(
+  opt("--config") ?? "wiki/lisa-wiki.config.json"
+);
+const localConfigPath = path.join(
+  path.dirname(configPath),
+  "lisa-wiki.config.local.json"
+);
+const localConfig = readJsonSafe(localConfigPath);
 const allMd = walkFiles(wikiRoot, { ext: ".md" });
 const allFiles = walkFiles(wikiRoot);
@@ -71,6 +80,134 @@ const isUnder = (p, dir) => {
 const isSynthesisPage = p => categories.some(c => isUnder(p, c));
 const isSourceNote = p => isUnder(p, "sources");
+// --- 0. redaction policy readiness ----------------------------------------
+const availableRedactionScanners = new Set(["builtin"]);
+const committedRedaction = config?.sensitivity?.redaction;
+const localRedaction = localConfig?.sensitivity?.redaction;
+const addUnsafeLocalOverride = message =>
+  report.add(
+    "redaction-policy",
+    "unsafe-local-override",
+    "FAIL",
+    message,
+    path.relative(wikiRoot, localConfigPath)
+  );
+const isArraySubset = (candidate, baseline) =>
+  candidate.every(value => baseline.includes(value));
+if (committedRedaction?.enabled === true) {
+  const scanners = Array.isArray(committedRedaction.scanners)
+    ? committedRedaction.scanners
+    : [];
+  const missingScanners = scanners.filter(
+    scanner => !availableRedactionScanners.has(scanner)
+  );
+  if (scanners.length === 0) {
+    report.add(
+      "redaction-policy",
+      "scanner-missing",
+      committedRedaction.failClosed === false ? "WARN" : "FAIL",
+      "redaction is enabled but no scanner is selected"
+    );
+  } else if (missingScanners.length > 0) {
+    report.add(
+      "redaction-policy",
+      "scanner-unavailable",
+      committedRedaction.failClosed === false ? "WARN" : "FAIL",
+      `redaction scanner unavailable: ${missingScanners.join(", ")}`
+    );
+  } else {
+    report.add(
+      "redaction-policy",
+      "scanner-available",
+      "PASS",
+      `redaction scanner available: ${scanners.join(", ")}`
+    );
+  }
+  if (committedRedaction.failClosed !== true) {
+    report.add(
+      "redaction-policy",
+      "fail-closed",
+      "WARN",
+      "redaction is enabled without failClosed=true"
+    );
+  }
+  if (committedRedaction.requireReview !== true) {
+    report.add(
+      "redaction-policy",
+      "review-required",
+      "WARN",
+      "redaction is enabled without requireReview=true"
+    );
+  }
+  if (localRedaction?.enabled === false) {
+    addUnsafeLocalOverride("local config disables committed redaction policy");
+  }
+  if (
+    committedRedaction.failClosed === true &&
+    localRedaction?.failClosed === false
+  ) {
+    addUnsafeLocalOverride(
+      "local config disables committed redaction fail-closed policy"
+    );
+  }
+  if (
+    committedRedaction.requireReview === true &&
+    localRedaction?.requireReview === false
+  ) {
+    addUnsafeLocalOverride(
+      "local config disables committed redaction review requirement"
+    );
+  }
+  if (localRedaction && Array.isArray(localRedaction.scanners)) {
+    const localScanners = localRedaction.scanners;
+    const unavailableLocalScanners = localScanners.filter(
+      scanner => !availableRedactionScanners.has(scanner)
+    );
+    const removedScanners = scanners.filter(
+      scanner => !localScanners.includes(scanner)
+    );
+    if (scanners.length > 0 && localScanners.length === 0) {
+      addUnsafeLocalOverride(
+        "local config removes committed redaction scanners"
+      );
+    } else if (unavailableLocalScanners.length > 0) {
+      addUnsafeLocalOverride(
+        `local config selects unavailable redaction scanner: ${unavailableLocalScanners.join(", ")}`
+      );
+    } else if (removedScanners.length > 0) {
+      addUnsafeLocalOverride(
+        `local config removes committed redaction scanner: ${removedScanners.join(", ")}`
+      );
+    }
+  }
+  if (
+    localRedaction &&
+    Array.isArray(committedRedaction.allowedEntities) &&
+    Array.isArray(localRedaction.allowedEntities) &&
+    !isArraySubset(
+      localRedaction.allowedEntities,
+      committedRedaction.allowedEntities
+    )
+  ) {
+    addUnsafeLocalOverride(
+      "local config expands committed redaction allowed entities"
+    );
+  }
+  if (
+    localRedaction &&
+    Array.isArray(committedRedaction.blockedEntities) &&
+    Array.isArray(localRedaction.blockedEntities) &&
+    !isArraySubset(
+      committedRedaction.blockedEntities,
+      localRedaction.blockedEntities
+    )
+  ) {
+    addUnsafeLocalOverride(
+      "local config removes committed redaction blocked entities"
+    );
+  }
+}
 // --- A. structure conformance ---------------------------------------------
 for (const f of structure.requiredFiles ?? []) {
   report.add(

package/plugins/lisa-wiki-cursor/scripts/validate-config.mjs CHANGED Viewed

@@ -22,6 +22,17 @@ const RETENTION = [
   "external-pointer-only",
 ];
 const SENSITIVITY = ["public", "internal", "confidential", "restricted"];
+const REDACTION_ENTITIES = [
+  "api_key",
+  "bank_account",
+  "credit_card",
+  "oauth_token",
+  "password",
+  "private_key",
+  "routing_number",
+  "ssn",
+];
+const REDACTION_SCANNERS = ["builtin", "gitleaks", "presidio"];
 const SOURCE_LAYOUT = ["by-system", "by-category"];
 const README_MODE = ["rich", "stub", "preserve"];
@@ -49,6 +60,14 @@ function checkType(value, type, label) {
     );
   }
 }
+function checkKnownKeys(object, allowed, label) {
+  if (!isObject(object)) return;
+  for (const key of Object.keys(object)) {
+    if (!allowed.includes(key)) {
+      err(`${label}.${key}: unknown field`);
+    }
+  }
+}
 if (!fs.existsSync(configPath)) {
   console.error(`✗ config not found: ${configPath}`);
@@ -123,8 +142,78 @@ if (config.readme !== undefined) {
 if (config.sensitivity !== undefined) {
   if (!isObject(config.sensitivity)) err("sensitivity: must be an object");
   else {
+    checkKnownKeys(
+      config.sensitivity,
+      ["enabled", "default", "redaction"],
+      "sensitivity"
+    );
     checkType(config.sensitivity.enabled, "boolean", "sensitivity.enabled");
     checkEnum(config.sensitivity.default, SENSITIVITY, "sensitivity.default");
+    if (config.sensitivity.redaction !== undefined) {
+      if (!isObject(config.sensitivity.redaction)) {
+        err("sensitivity.redaction: must be an object");
+      } else {
+        const redaction = config.sensitivity.redaction;
+        checkKnownKeys(
+          redaction,
+          [
+            "enabled",
+            "scanners",
+            "failClosed",
+            "requireReview",
+            "allowedEntities",
+            "blockedEntities",
+          ],
+          "sensitivity.redaction"
+        );
+        checkType(
+          redaction.enabled,
+          "boolean",
+          "sensitivity.redaction.enabled"
+        );
+        checkType(
+          redaction.failClosed,
+          "boolean",
+          "sensitivity.redaction.failClosed"
+        );
+        checkType(
+          redaction.requireReview,
+          "boolean",
+          "sensitivity.redaction.requireReview"
+        );
+        if (
+          redaction.scanners !== undefined &&
+          !(isStringArray(redaction.scanners) && redaction.scanners.length > 0)
+        ) {
+          err(
+            "sensitivity.redaction.scanners: must be a non-empty array of strings"
+          );
+        }
+        const scanners = isStringArray(redaction.scanners)
+          ? redaction.scanners
+          : [];
+        for (const scanner of scanners) {
+          checkEnum(
+            scanner,
+            REDACTION_SCANNERS,
+            "sensitivity.redaction.scanners[]"
+          );
+        }
+        for (const key of ["allowedEntities", "blockedEntities"]) {
+          if (redaction[key] !== undefined && !isStringArray(redaction[key])) {
+            err(`sensitivity.redaction.${key}: must be an array of strings`);
+          }
+          const entities = isStringArray(redaction[key]) ? redaction[key] : [];
+          for (const entity of entities) {
+            checkEnum(
+              entity,
+              REDACTION_ENTITIES,
+              `sensitivity.redaction.${key}[]`
+            );
+          }
+        }
+      }
+    }
   }
 }
 if (config.documentation !== undefined) {

package/plugins/src/wiki/schema/lisa-wiki-config.schema.json CHANGED Viewed

@@ -35,10 +35,54 @@
     },
     "sensitivity": {
       "type": "object",
-      "additionalProperties": true,
+      "additionalProperties": false,
       "properties": {
         "enabled": { "type": "boolean" },
-        "default": { "enum": ["public", "internal", "confidential", "restricted"] }
+        "default": { "enum": ["public", "internal", "confidential", "restricted"] },
+        "redaction": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "scanners": {
+              "type": "array",
+              "items": { "enum": ["builtin", "gitleaks", "presidio"] },
+              "minItems": 1
+            },
+            "failClosed": { "type": "boolean" },
+            "requireReview": { "type": "boolean" },
+            "allowedEntities": {
+              "type": "array",
+              "items": {
+                "enum": [
+                  "api_key",
+                  "bank_account",
+                  "credit_card",
+                  "oauth_token",
+                  "password",
+                  "private_key",
+                  "routing_number",
+                  "ssn"
+                ]
+              }
+            },
+            "blockedEntities": {
+              "type": "array",
+              "items": {
+                "enum": [
+                  "api_key",
+                  "bank_account",
+                  "credit_card",
+                  "oauth_token",
+                  "password",
+                  "private_key",
+                  "routing_number",
+                  "ssn"
+                ]
+              }
+            }
+          }
+        }
       }
     },
     "sourceRetention": { "enum": ["raw-ok", "sanitized-note-only", "metadata-only", "external-pointer-only"] },

package/plugins/src/wiki/scripts/lint-wiki.mjs CHANGED Viewed

@@ -15,6 +15,7 @@ import { fileURLToPath } from "node:url";
 import {
   loadConfig,
   loadStructure,
+  readJsonSafe,
   pluginRootFrom,
   walkFiles,
   parseFrontmatter,
@@ -60,6 +61,14 @@ const rel = p => path.relative(process.cwd(), p);
 const wrel = p => path.relative(wikiRoot, p);
 const categories = config?.categories ?? structure.categoryDirs?.default ?? [];
 const frontmatterRequired = config?.frontmatter !== false;
+const configPath = path.resolve(
+  opt("--config") ?? "wiki/lisa-wiki.config.json"
+);
+const localConfigPath = path.join(
+  path.dirname(configPath),
+  "lisa-wiki.config.local.json"
+);
+const localConfig = readJsonSafe(localConfigPath);
 const allMd = walkFiles(wikiRoot, { ext: ".md" });
 const allFiles = walkFiles(wikiRoot);
@@ -71,6 +80,134 @@ const isUnder = (p, dir) => {
 const isSynthesisPage = p => categories.some(c => isUnder(p, c));
 const isSourceNote = p => isUnder(p, "sources");
+// --- 0. redaction policy readiness ----------------------------------------
+const availableRedactionScanners = new Set(["builtin"]);
+const committedRedaction = config?.sensitivity?.redaction;
+const localRedaction = localConfig?.sensitivity?.redaction;
+const addUnsafeLocalOverride = message =>
+  report.add(
+    "redaction-policy",
+    "unsafe-local-override",
+    "FAIL",
+    message,
+    path.relative(wikiRoot, localConfigPath)
+  );
+const isArraySubset = (candidate, baseline) =>
+  candidate.every(value => baseline.includes(value));
+if (committedRedaction?.enabled === true) {
+  const scanners = Array.isArray(committedRedaction.scanners)
+    ? committedRedaction.scanners
+    : [];
+  const missingScanners = scanners.filter(
+    scanner => !availableRedactionScanners.has(scanner)
+  );
+  if (scanners.length === 0) {
+    report.add(
+      "redaction-policy",
+      "scanner-missing",
+      committedRedaction.failClosed === false ? "WARN" : "FAIL",
+      "redaction is enabled but no scanner is selected"
+    );
+  } else if (missingScanners.length > 0) {
+    report.add(
+      "redaction-policy",
+      "scanner-unavailable",
+      committedRedaction.failClosed === false ? "WARN" : "FAIL",
+      `redaction scanner unavailable: ${missingScanners.join(", ")}`
+    );
+  } else {
+    report.add(
+      "redaction-policy",
+      "scanner-available",
+      "PASS",
+      `redaction scanner available: ${scanners.join(", ")}`
+    );
+  }
+  if (committedRedaction.failClosed !== true) {
+    report.add(
+      "redaction-policy",
+      "fail-closed",
+      "WARN",
+      "redaction is enabled without failClosed=true"
+    );
+  }
+  if (committedRedaction.requireReview !== true) {
+    report.add(
+      "redaction-policy",
+      "review-required",
+      "WARN",
+      "redaction is enabled without requireReview=true"
+    );
+  }
+  if (localRedaction?.enabled === false) {
+    addUnsafeLocalOverride("local config disables committed redaction policy");
+  }
+  if (
+    committedRedaction.failClosed === true &&
+    localRedaction?.failClosed === false
+  ) {
+    addUnsafeLocalOverride(
+      "local config disables committed redaction fail-closed policy"
+    );
+  }
+  if (
+    committedRedaction.requireReview === true &&
+    localRedaction?.requireReview === false
+  ) {
+    addUnsafeLocalOverride(
+      "local config disables committed redaction review requirement"
+    );
+  }
+  if (localRedaction && Array.isArray(localRedaction.scanners)) {
+    const localScanners = localRedaction.scanners;
+    const unavailableLocalScanners = localScanners.filter(
+      scanner => !availableRedactionScanners.has(scanner)
+    );
+    const removedScanners = scanners.filter(
+      scanner => !localScanners.includes(scanner)
+    );
+    if (scanners.length > 0 && localScanners.length === 0) {
+      addUnsafeLocalOverride(
+        "local config removes committed redaction scanners"
+      );
+    } else if (unavailableLocalScanners.length > 0) {
+      addUnsafeLocalOverride(
+        `local config selects unavailable redaction scanner: ${unavailableLocalScanners.join(", ")}`
+      );
+    } else if (removedScanners.length > 0) {
+      addUnsafeLocalOverride(
+        `local config removes committed redaction scanner: ${removedScanners.join(", ")}`
+      );
+    }
+  }
+  if (
+    localRedaction &&
+    Array.isArray(committedRedaction.allowedEntities) &&
+    Array.isArray(localRedaction.allowedEntities) &&
+    !isArraySubset(
+      localRedaction.allowedEntities,
+      committedRedaction.allowedEntities
+    )
+  ) {
+    addUnsafeLocalOverride(
+      "local config expands committed redaction allowed entities"
+    );
+  }
+  if (
+    localRedaction &&
+    Array.isArray(committedRedaction.blockedEntities) &&
+    Array.isArray(localRedaction.blockedEntities) &&
+    !isArraySubset(
+      committedRedaction.blockedEntities,
+      localRedaction.blockedEntities
+    )
+  ) {
+    addUnsafeLocalOverride(
+      "local config removes committed redaction blocked entities"
+    );
+  }
+}
 // --- A. structure conformance ---------------------------------------------
 for (const f of structure.requiredFiles ?? []) {
   report.add(