@dashclaw/cli 0.7.6 → 0.8.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +0 -61
- package/bin/dashclaw.js +2 -770
- package/lib/claude/install.js +411 -412
- package/lib/codex/install.js +10 -9
- package/lib/up/index.js +45 -4
- package/package.json +37 -37
- package/lib/code/apply.js +0 -164
- package/lib/code/codex-parser.vendored.js +0 -360
- package/lib/code/ingest-codex.js +0 -244
- package/lib/code/ingest.js +0 -261
- package/lib/code/memo.js +0 -57
- package/lib/code/vendored.js +0 -219
- package/lib/cost.js +0 -108
- package/lib/env.js +0 -69
- package/lib/posture.js +0 -45
package/lib/env.js
DELETED
|
@@ -1,69 +0,0 @@
|
|
|
1
|
-
// cli/lib/env.js
|
|
2
|
-
//
|
|
3
|
-
// `dashclaw env [--agent <id>] [-- <command...>]` — fetch the delivery-enabled
|
|
4
|
-
// managed-secret bundle from GET /api/secrets/env and inject it into a child
|
|
5
|
-
// process environment MEMORY-ONLY. Secret VALUES are never written to disk,
|
|
6
|
-
// never printed, and never echoed in error paths — only NAMES are ever shown.
|
|
7
|
-
// Fail-closed: if the bundle fetch fails, the child command is NOT run.
|
|
8
|
-
|
|
9
|
-
import { spawn } from 'node:child_process';
|
|
10
|
-
import { apiRequest } from './api.js';
|
|
11
|
-
import { dim } from './render.js';
|
|
12
|
-
|
|
13
|
-
/** GET /api/secrets/env for one agent. Returns { env, count, delivered }. */
|
|
14
|
-
export async function fetchAgentEnv(config, agentId) {
|
|
15
|
-
return apiRequest(config, 'GET', '/api/secrets/env', { query: { agent_id: agentId } });
|
|
16
|
-
}
|
|
17
|
-
|
|
18
|
-
/**
|
|
19
|
-
* Split the CLI argv at the `--` separator.
|
|
20
|
-
* Tokens before `--` are flags for `dashclaw env`; tokens after are the
|
|
21
|
-
* child command + its args (left untouched, including any `--print`).
|
|
22
|
-
*/
|
|
23
|
-
export function splitEnvArgv(argv) {
|
|
24
|
-
const sep = argv.indexOf('--');
|
|
25
|
-
if (sep === -1) return { flags: argv, command: [] };
|
|
26
|
-
return { flags: argv.slice(0, sep), command: argv.slice(sep + 1) };
|
|
27
|
-
}
|
|
28
|
-
|
|
29
|
-
/** Names-only listing — never values. */
|
|
30
|
-
export function formatEnvNames(bundle) {
|
|
31
|
-
const names = Array.isArray(bundle.delivered) ? bundle.delivered : Object.keys(bundle.env || {});
|
|
32
|
-
const lines = [];
|
|
33
|
-
if (names.length === 0) {
|
|
34
|
-
lines.push(dim(' No delivery-enabled secrets for this agent.'));
|
|
35
|
-
} else {
|
|
36
|
-
for (const name of names) lines.push(` ${name}`);
|
|
37
|
-
}
|
|
38
|
-
lines.push('');
|
|
39
|
-
lines.push(dim(` ${names.length} secret(s). Values are never printed — run: dashclaw env -- <command>`));
|
|
40
|
-
return lines.join('\n');
|
|
41
|
-
}
|
|
42
|
-
|
|
43
|
-
/**
|
|
44
|
-
* Spawn the child command with the secret bundle merged into its environment.
|
|
45
|
-
* Memory-only: the merged env object lives only in this process and the
|
|
46
|
-
* child's process table — nothing is written anywhere. Resolves with the
|
|
47
|
-
* exit code to assign to process.exitCode (never calls process.exit — a hard
|
|
48
|
-
* exit can trip a libuv teardown assert on Windows).
|
|
49
|
-
*/
|
|
50
|
-
export function runWithEnv(bundle, commandArgv) {
|
|
51
|
-
const [cmd, ...cmdArgs] = commandArgv;
|
|
52
|
-
// No shell: args pass through verbatim (shell:true concatenates them
|
|
53
|
-
// unescaped — mangles quoted args and is deprecated, DEP0190).
|
|
54
|
-
const child = spawn(cmd, cmdArgs, {
|
|
55
|
-
stdio: 'inherit',
|
|
56
|
-
env: { ...process.env, ...(bundle.env || {}) },
|
|
57
|
-
});
|
|
58
|
-
return new Promise((resolve) => {
|
|
59
|
-
child.on('error', (err) => {
|
|
60
|
-
// err.message is a spawn error (ENOENT/EINVAL etc.) — never contains values.
|
|
61
|
-
console.error(`Error: could not start "${cmd}": ${err.message}`);
|
|
62
|
-
if (process.platform === 'win32' && (err.code === 'EINVAL' || err.code === 'ENOENT')) {
|
|
63
|
-
console.error(`Hint: Windows .cmd shims (npm, npx) cannot be spawned directly — try: dashclaw env -- cmd /c ${cmd} ...`);
|
|
64
|
-
}
|
|
65
|
-
resolve(1);
|
|
66
|
-
});
|
|
67
|
-
child.on('exit', (code, signal) => resolve(signal ? 1 : code ?? 1));
|
|
68
|
-
});
|
|
69
|
-
}
|
package/lib/posture.js
DELETED
|
@@ -1,45 +0,0 @@
|
|
|
1
|
-
// cli/lib/posture.js
|
|
2
|
-
//
|
|
3
|
-
// Direct-API helpers for the `dashclaw posture` / `dashclaw next` commands.
|
|
4
|
-
// Like the other CLI command groups, these call the live endpoints via
|
|
5
|
-
// apiRequest (fetch + x-api-key) rather than the published SDK, so the CLI never
|
|
6
|
-
// depends on a possibly-stale `dashclaw` package for newly-added routes.
|
|
7
|
-
//
|
|
8
|
-
// Resolve is DRAFT-ONLY: the CLI can create an inactive policy draft, snooze, or
|
|
9
|
-
// accept risk — it can NEVER activate enforcement. An operator (or agent) can
|
|
10
|
-
// prepare a fix; only a human activates it at /policies. Mirrors the API + MCP
|
|
11
|
-
// ceiling so agents can never self-escalate their own governance.
|
|
12
|
-
|
|
13
|
-
import { apiRequest } from './api.js';
|
|
14
|
-
|
|
15
|
-
/** GET /api/posture — score + dimensions + findings + summary + trend. */
|
|
16
|
-
export async function fetchPosture(config) {
|
|
17
|
-
return apiRequest(config, 'GET', '/api/posture');
|
|
18
|
-
}
|
|
19
|
-
|
|
20
|
-
/** GET /api/posture/findings — the prioritized queue (+ optional filters). */
|
|
21
|
-
export async function fetchFindings(config, { status, dimension } = {}) {
|
|
22
|
-
return apiRequest(config, 'GET', '/api/posture/findings', { query: { status, dimension } });
|
|
23
|
-
}
|
|
24
|
-
|
|
25
|
-
/** The single top open finding (the `next` gap), or null when the queue is clear. */
|
|
26
|
-
export async function fetchNext(config) {
|
|
27
|
-
const data = await fetchFindings(config);
|
|
28
|
-
return (data && Array.isArray(data.findings) && data.findings[0]) || null;
|
|
29
|
-
}
|
|
30
|
-
|
|
31
|
-
const RESOLVE_ACTIONS = new Set(['create_draft', 'snooze', 'accept_risk']);
|
|
32
|
-
|
|
33
|
-
/**
|
|
34
|
-
* POST /api/posture/findings/<key>/resolve — DRAFT-ONLY actions.
|
|
35
|
-
* `create_draft` (default) inserts an inactive policy draft; snooze/accept_risk
|
|
36
|
-
* record state. None of these activate enforcement.
|
|
37
|
-
*/
|
|
38
|
-
export async function resolveFinding(config, key, action = 'create_draft', note) {
|
|
39
|
-
if (!RESOLVE_ACTIONS.has(action)) {
|
|
40
|
-
throw new Error(`Invalid resolve action "${action}". Draft-only: ${[...RESOLVE_ACTIONS].join(', ')}.`);
|
|
41
|
-
}
|
|
42
|
-
return apiRequest(config, 'POST', `/api/posture/findings/${encodeURIComponent(key)}/resolve`, {
|
|
43
|
-
body: { action, note },
|
|
44
|
-
});
|
|
45
|
-
}
|