@devinnn/docdrift 0.1.0 → 0.1.2

package/dist/src/index.js

@@ -7,6 +7,7 @@ exports.STATE_PATH = void 0;
 exports.runDetect = runDetect;
 exports.runDocDrift = runDocDrift;
 exports.runValidate = runValidate;
+exports.runSlaCheck = runSlaCheck;
 exports.runStatus = runStatus;
 exports.resolveTrigger = resolveTrigger;
 exports.parseDurationHours = parseDurationHours;
@@ -21,6 +22,7 @@ const engine_1 = require("./policy/engine");
 const state_1 = require("./policy/state");
 const log_1 = require("./utils/log");
 const prompts_1 = require("./devin/prompts");
+const glob_1 = require("./utils/glob");
 const schemas_1 = require("./devin/schemas");
 const v1_1 = require("./devin/v1");
 function parseStructured(session) {
@@ -45,30 +47,20 @@ function inferQuestions(structured) {
     }
     return [
         "Which conceptual docs should be updated for this behavior change?",
-        "What are the exact user-visible semantics after this merge?"
+        "What are the exact user-visible semantics after this merge?",
     ];
 }
-async function executeSession(input) {
+async function executeSessionSingle(input) {
     const attachmentUrls = [];
     for (const attachmentPath of input.attachmentPaths) {
         const url = await (0, v1_1.devinUploadAttachment)(input.apiKey, attachmentPath);
         attachmentUrls.push(url);
     }
-    const prompt = input.item.mode === "autogen"
-        ? (0, prompts_1.buildAutogenPrompt)({
-            item: input.item,
-            attachmentUrls,
-            verificationCommands: input.config.policy.verification.commands,
-            allowlist: input.config.policy.allowlist,
-            confidenceThreshold: input.config.policy.confidence.autopatchThreshold
-        })
-        : (0, prompts_1.buildConceptualPrompt)({
-            item: input.item,
-            attachmentUrls,
-            verificationCommands: input.config.policy.verification.commands,
-            allowlist: input.config.policy.allowlist,
-            confidenceThreshold: input.config.policy.confidence.autopatchThreshold
-        });
+    const prompt = (0, prompts_1.buildWholeDocsitePrompt)({
+        aggregated: input.aggregated,
+        config: input.config,
+        attachmentUrls,
+    });
     const session = await (0, v1_1.devinCreateSession)(input.apiKey, {
         prompt,
         unlisted: input.config.devin.unlisted,
@@ -76,13 +68,13 @@ async function executeSession(input) {
         tags: [...new Set([...(input.config.devin.tags ?? []), "docdrift", input.item.docArea])],
         attachments: attachmentUrls,
         structured_output: {
-            schema: schemas_1.PatchPlanSchema
+            schema: schemas_1.PatchPlanSchema,
         },
         metadata: {
             repository: input.repository,
             docArea: input.item.docArea,
-            mode: input.item.mode
-        }
+            mode: input.item.mode,
+        },
     });
     const finalSession = await (0, v1_1.pollUntilTerminal)(input.apiKey, session.session_id);
     const structured = parseStructured(finalSession);
@@ -96,7 +88,7 @@ async function executeSession(input) {
         : verificationCommands.map(() => "not reported");
     const verification = verificationCommands.map((command, idx) => ({
         command,
-        result: verificationResults[idx] ?? "not reported"
+        result: verificationResults[idx] ?? "not reported",
     }));
     if (prUrl) {
         return {
@@ -104,7 +96,7 @@ async function executeSession(input) {
             summary: String(structured?.summary ?? "PR opened by Devin"),
             sessionUrl: session.url,
             prUrl,
-            verification
+            verification,
         };
     }
     if (status === "blocked" || structured?.status === "BLOCKED") {
@@ -113,14 +105,14 @@ async function executeSession(input) {
             summary: String(structured?.blocked?.reason ?? structured?.summary ?? "Session blocked"),
             sessionUrl: session.url,
             questions: inferQuestions(structured),
-            verification
+            verification,
         };
     }
     return {
         outcome: "NO_CHANGE",
         summary: String(structured?.summary ?? "Session completed without PR"),
         sessionUrl: session.url,
-        verification
+        verification,
     };
 }
 async function runDetect(options) {
@@ -130,14 +122,15 @@ async function runDetect(options) {
         throw new Error(`Config validation failed:\n${runtimeValidation.errors.join("\n")}`);
     }
     const repo = process.env.GITHUB_REPOSITORY ?? "local/docdrift";
-    const { report } = await (0, detect_1.buildDriftReport)({
-        config,
+    const normalized = (0, load_1.loadNormalizedConfig)();
+    const { report, hasOpenApiDrift } = await (0, detect_1.buildDriftReport)({
+        config: normalized,
         repo,
         baseSha: options.baseSha,
         headSha: options.headSha,
-        trigger: options.trigger ?? "manual"
+        trigger: options.trigger ?? "manual",
     });
-    (0, log_1.logInfo)(`Drift items detected: ${report.items.length}`);
+    (0, log_1.logInfo)(`Drift items detected: ${report.items.length} (hasOpenApiDrift: ${hasOpenApiDrift})`);
     return { hasDrift: report.items.length > 0 };
 }
 async function runDocDrift(options) {
@@ -146,172 +139,234 @@ async function runDocDrift(options) {
     if (runtimeValidation.errors.length) {
         throw new Error(`Config validation failed:\n${runtimeValidation.errors.join("\n")}`);
     }
+    const normalized = (0, load_1.loadNormalizedConfig)();
     const repo = process.env.GITHUB_REPOSITORY ?? "local/docdrift";
     const commitSha = process.env.GITHUB_SHA ?? options.headSha;
     const githubToken = process.env.GITHUB_TOKEN;
     const devinApiKey = process.env.DEVIN_API_KEY;
-    const { report, runInfo, evidenceRoot } = await (0, detect_1.buildDriftReport)({
-        config,
+    const { report, aggregated, runInfo, evidenceRoot, hasOpenApiDrift } = await (0, detect_1.buildDriftReport)({
+        config: normalized,
         repo,
         baseSha: options.baseSha,
         headSha: options.headSha,
-        trigger: options.trigger ?? "manual"
+        trigger: options.trigger ?? "manual",
     });
-    const docAreaByName = new Map(config.docAreas.map((area) => [area.name, area]));
+    // Gate: no OpenAPI drift — exit early, no session
+    if (!hasOpenApiDrift || report.items.length === 0) {
+        (0, log_1.logInfo)("No OpenAPI drift; skipping session");
+        return [];
+    }
+    const item = report.items[0];
+    const docAreaConfig = {
+        name: "docsite",
+        mode: "autogen",
+        owners: { reviewers: [] },
+        detect: { openapi: { exportCmd: normalized.openapi.export, generatedPath: normalized.openapi.generated, publishedPath: normalized.openapi.published }, paths: [] },
+        patch: { targets: [], requireHumanConfirmation: false },
+    };
     let state = (0, state_1.loadState)();
     const startedAt = Date.now();
     const results = [];
     const metrics = {
-        driftItemsDetected: report.items.length,
+        driftItemsDetected: 1,
         prsOpened: 0,
         issuesOpened: 0,
         blockedCount: 0,
         timeToSessionTerminalMs: [],
-        docAreaCounts: {},
-        noiseRateProxy: 0
+        docAreaCounts: { docsite: 1 },
+        noiseRateProxy: 0,
     };
-    for (const item of report.items) {
-        metrics.docAreaCounts[item.docArea] = (metrics.docAreaCounts[item.docArea] ?? 0) + 1;
-        const areaConfig = docAreaByName.get(item.docArea);
-        if (!areaConfig) {
-            continue;
-        }
-        const decision = (0, engine_1.decidePolicy)({
-            item,
-            docAreaConfig: areaConfig,
-            config,
+    const decision = (0, engine_1.decidePolicy)({
+        item,
+        docAreaConfig,
+        config,
+        state,
+        repo,
+        baseSha: options.baseSha,
+        headSha: options.headSha,
+    });
+    if (decision.action === "NOOP") {
+        results.push({
+            docArea: item.docArea,
+            decision,
+            outcome: "NO_CHANGE",
+            summary: decision.reason,
+        });
+        (0, bundle_1.writeMetrics)(metrics);
+        return results;
+    }
+    if (decision.action === "UPDATE_EXISTING_PR") {
+        const existingPr = state.areaLatestPr["docsite"];
+        results.push({
+            docArea: item.docArea,
+            decision,
+            outcome: existingPr ? "NO_CHANGE" : "BLOCKED",
+            summary: existingPr ? `Bundled into existing PR: ${existingPr}` : "PR cap reached",
+            prUrl: existingPr,
+        });
+        state = (0, engine_1.applyDecisionToState)({
             state,
-            repo,
-            baseSha: options.baseSha,
-            headSha: options.headSha
+            decision,
+            docArea: "docsite",
+            outcome: existingPr ? "NO_CHANGE" : "BLOCKED",
+            link: existingPr,
         });
-        if (decision.action === "NOOP") {
-            results.push({
-                docArea: item.docArea,
-                decision,
-                outcome: "NO_CHANGE",
-                summary: decision.reason
-            });
-            continue;
-        }
-        if (decision.action === "UPDATE_EXISTING_PR") {
-            const existingPr = state.areaLatestPr[item.docArea];
-            const summary = existingPr
-                ? `Bundled into existing PR: ${existingPr}`
-                : "PR cap reached and no existing area PR; escalated";
-            const outcome = existingPr ? "NO_CHANGE" : "BLOCKED";
-            results.push({
-                docArea: item.docArea,
-                decision,
-                outcome,
-                summary,
-                prUrl: existingPr
-            });
-            state = (0, engine_1.applyDecisionToState)({
-                state,
-                decision,
-                docArea: item.docArea,
-                outcome,
-                link: existingPr
-            });
-            continue;
-        }
-        const bundle = await (0, bundle_1.buildEvidenceBundle)({ runInfo, item, evidenceRoot });
-        const attachmentPaths = [...new Set([bundle.archivePath, ...bundle.attachmentPaths])];
-        let sessionOutcome = {
-            outcome: "NO_CHANGE",
-            summary: "Skipped Devin session",
-            verification: config.policy.verification.commands.map((command) => ({ command, result: "not run" }))
+        (0, state_1.saveState)(state);
+        (0, bundle_1.writeMetrics)(metrics);
+        return results;
+    }
+    const bundle = await (0, bundle_1.buildEvidenceBundle)({ runInfo, item, evidenceRoot });
+    const attachmentPaths = [...new Set([bundle.archivePath, ...bundle.attachmentPaths])];
+    let sessionOutcome = {
+        outcome: "NO_CHANGE",
+        summary: "Skipped Devin session",
+        verification: normalized.policy.verification.commands.map((command) => ({
+            command,
+            result: "not run",
+        })),
+    };
+    if (devinApiKey) {
+        const sessionStart = Date.now();
+        sessionOutcome = await executeSessionSingle({
+            apiKey: devinApiKey,
+            repository: repo,
+            item,
+            aggregated: aggregated,
+            attachmentPaths,
+            config: normalized,
+        });
+        metrics.timeToSessionTerminalMs.push(Date.now() - sessionStart);
+    }
+    else {
+        (0, log_1.logWarn)("DEVIN_API_KEY not set; running fallback behavior", { docArea: item.docArea });
+        sessionOutcome = {
+            outcome: "BLOCKED",
+            summary: "DEVIN_API_KEY missing; cannot start Devin session",
+            questions: ["Set DEVIN_API_KEY in environment or GitHub Actions secrets"],
+            verification: normalized.policy.verification.commands.map((command) => ({
+                command,
+                result: "not run",
+            })),
         };
-        if (devinApiKey) {
-            const sessionStart = Date.now();
-            sessionOutcome = await executeSession({
-                apiKey: devinApiKey,
-                repository: repo,
-                item,
-                attachmentPaths,
-                config
-            });
-            metrics.timeToSessionTerminalMs.push(Date.now() - sessionStart);
-        }
-        else {
-            (0, log_1.logWarn)("DEVIN_API_KEY not set; running fallback behavior", { docArea: item.docArea });
-            sessionOutcome = {
-                outcome: "BLOCKED",
-                summary: "DEVIN_API_KEY missing; cannot start Devin session",
-                questions: ["Set DEVIN_API_KEY in environment or GitHub Actions secrets"],
-                verification: config.policy.verification.commands.map((command) => ({ command, result: "not run" }))
-            };
-        }
-        let issueUrl;
-        if (githubToken &&
-            (decision.action === "OPEN_ISSUE" || sessionOutcome.outcome === "BLOCKED" || sessionOutcome.outcome === "NO_CHANGE")) {
+    }
+    let issueUrl;
+    if (sessionOutcome.outcome === "PR_OPENED" && sessionOutcome.prUrl) {
+        metrics.prsOpened += 1;
+        state.lastDocDriftPrUrl = sessionOutcome.prUrl;
+        state.lastDocDriftPrOpenedAt = new Date().toISOString();
+        const touchedRequireReview = (item.impactedDocs ?? []).filter((p) => normalized.requireHumanReview.some((glob) => (0, glob_1.matchesGlob)(glob, p)));
+        if (githubToken && touchedRequireReview.length > 0) {
             issueUrl = await (0, client_1.createIssue)({
                 token: githubToken,
                 repository: repo,
                 issue: {
-                    title: `[docdrift] ${item.docArea}: docs drift requires input`,
-                    body: (0, client_1.renderBlockedIssueBody)({
-                        docArea: item.docArea,
-                        evidenceSummary: item.summary,
-                        questions: sessionOutcome.questions ?? ["Please confirm intended behavior and doc wording."],
-                        sessionUrl: sessionOutcome.sessionUrl
+                    title: "[docdrift] Docs out of sync — review doc drift PR",
+                    body: (0, client_1.renderRequireHumanReviewIssueBody)({
+                        prUrl: sessionOutcome.prUrl,
+                        touchedPaths: touchedRequireReview,
                     }),
-                    labels: ["docdrift"]
-                }
+                    labels: ["docdrift"],
+                },
             });
             metrics.issuesOpened += 1;
-            sessionOutcome.outcome = "ISSUE_OPENED";
-        }
-        if (sessionOutcome.outcome === "PR_OPENED") {
-            metrics.prsOpened += 1;
         }
-        if (sessionOutcome.outcome === "BLOCKED") {
-            metrics.blockedCount += 1;
+    }
+    else if (githubToken &&
+        (decision.action === "OPEN_ISSUE" ||
+            sessionOutcome.outcome === "BLOCKED" ||
+            sessionOutcome.outcome === "NO_CHANGE")) {
+        issueUrl = await (0, client_1.createIssue)({
+            token: githubToken,
+            repository: repo,
+            issue: {
+                title: "[docdrift] docsite: docs drift requires input",
+                body: (0, client_1.renderBlockedIssueBody)({
+                    docArea: item.docArea,
+                    evidenceSummary: item.summary,
+                    questions: sessionOutcome.questions ?? [
+                        "Please confirm intended behavior and doc wording.",
+                    ],
+                    sessionUrl: sessionOutcome.sessionUrl,
+                }),
+                labels: ["docdrift"],
+            },
+        });
+        metrics.issuesOpened += 1;
+        if (sessionOutcome.outcome !== "PR_OPENED") {
+            sessionOutcome.outcome = "ISSUE_OPENED";
         }
-        const result = {
+    }
+    if (sessionOutcome.outcome === "BLOCKED") {
+        metrics.blockedCount += 1;
+    }
+    const result = {
+        docArea: item.docArea,
+        decision,
+        outcome: sessionOutcome.outcome,
+        summary: sessionOutcome.summary,
+        sessionUrl: sessionOutcome.sessionUrl,
+        prUrl: sessionOutcome.prUrl,
+        issueUrl,
+    };
+    results.push(result);
+    state = (0, engine_1.applyDecisionToState)({
+        state,
+        decision,
+        docArea: "docsite",
+        outcome: sessionOutcome.outcome,
+        link: sessionOutcome.prUrl ?? issueUrl,
+    });
+    if (sessionOutcome.outcome === "PR_OPENED" && sessionOutcome.prUrl) {
+        state.lastDocDriftPrUrl = sessionOutcome.prUrl;
+        state.lastDocDriftPrOpenedAt = new Date().toISOString();
+    }
+    (0, state_1.saveState)(state);
+    if (githubToken) {
+        const body = (0, client_1.renderRunComment)({
             docArea: item.docArea,
-            decision,
-            outcome: sessionOutcome.outcome,
             summary: sessionOutcome.summary,
+            decision: decision.action,
+            outcome: sessionOutcome.outcome,
             sessionUrl: sessionOutcome.sessionUrl,
             prUrl: sessionOutcome.prUrl,
-            issueUrl
-        };
-        results.push(result);
-        if (githubToken) {
-            const body = (0, client_1.renderRunComment)({
-                docArea: item.docArea,
-                summary: sessionOutcome.summary,
-                decision: decision.action,
-                outcome: sessionOutcome.outcome,
-                sessionUrl: sessionOutcome.sessionUrl,
-                prUrl: sessionOutcome.prUrl,
-                issueUrl,
-                validation: sessionOutcome.verification
-            });
-            await (0, client_1.postCommitComment)({
+            issueUrl,
+            validation: sessionOutcome.verification,
+        });
+        await (0, client_1.postCommitComment)({
+            token: githubToken,
+            repository: repo,
+            commitSha,
+            body,
+        });
+    }
+    const slaDays = normalized.policy.slaDays ?? 0;
+    if (githubToken && slaDays > 0 && state.lastDocDriftPrUrl && state.lastDocDriftPrOpenedAt) {
+        const openedAt = Date.parse(state.lastDocDriftPrOpenedAt);
+        const daysOld = (Date.now() - openedAt) / (24 * 60 * 60 * 1000);
+        const lastSla = state.lastSlaIssueOpenedAt ? Date.parse(state.lastSlaIssueOpenedAt) : 0;
+        const slaCooldown = 6 * 24 * 60 * 60 * 1000;
+        if (daysOld >= slaDays && Date.now() - lastSla > slaCooldown) {
+            const slaIssueUrl = await (0, client_1.createIssue)({
                 token: githubToken,
                 repository: repo,
-                commitSha,
-                body
+                issue: {
+                    title: "[docdrift] Docs out of sync — merge doc drift PR(s)",
+                    body: (0, client_1.renderSlaIssueBody)({
+                        prUrls: [state.lastDocDriftPrUrl],
+                        slaDays,
+                    }),
+                    labels: ["docdrift"],
+                },
             });
+            state.lastSlaIssueOpenedAt = new Date().toISOString();
+            (0, state_1.saveState)(state);
         }
-        state = (0, engine_1.applyDecisionToState)({
-            state,
-            decision,
-            docArea: item.docArea,
-            outcome: sessionOutcome.outcome,
-            link: sessionOutcome.prUrl ?? issueUrl
-        });
     }
-    (0, state_1.saveState)(state);
-    metrics.noiseRateProxy =
-        metrics.driftItemsDetected === 0 ? 0 : Number((metrics.prsOpened / metrics.driftItemsDetected).toFixed(4));
+    metrics.noiseRateProxy = metrics.prsOpened;
     (0, bundle_1.writeMetrics)(metrics);
     (0, log_1.logInfo)("Run complete", {
-        items: report.items.length,
-        elapsedMs: Date.now() - startedAt
+        items: 1,
+        elapsedMs: Date.now() - startedAt,
     });
     return results;
 }
@@ -324,6 +379,54 @@ async function runValidate() {
     runtimeValidation.warnings.forEach((warning) => (0, log_1.logWarn)(warning));
     (0, log_1.logInfo)("Config is valid");
 }
+async function runSlaCheck() {
+    const githubToken = process.env.GITHUB_TOKEN;
+    if (!githubToken) {
+        throw new Error("GITHUB_TOKEN is required for sla-check command");
+    }
+    const repo = process.env.GITHUB_REPOSITORY;
+    if (!repo) {
+        throw new Error("GITHUB_REPOSITORY is required for sla-check command");
+    }
+    const normalized = (0, load_1.loadNormalizedConfig)();
+    const slaDays = normalized.policy.slaDays ?? 0;
+    const slaLabel = normalized.policy.slaLabel ?? "docdrift";
+    if (slaDays <= 0) {
+        (0, log_1.logInfo)("SLA check disabled (slaDays <= 0)");
+        return { issueOpened: false };
+    }
+    const cutoff = new Date(Date.now() - slaDays * 24 * 60 * 60 * 1000);
+    const openPrs = await (0, client_1.listOpenPrsWithLabel)(githubToken, repo, slaLabel);
+    const stalePrs = openPrs.filter((pr) => {
+        const created = pr.created_at ? Date.parse(pr.created_at) : Date.now();
+        return Number.isFinite(created) && created <= cutoff.getTime();
+    });
+    if (stalePrs.length === 0) {
+        (0, log_1.logInfo)("No doc-drift PRs open longer than slaDays; nothing to do");
+        return { issueOpened: false };
+    }
+    let state = (0, state_1.loadState)();
+    const lastSla = state.lastSlaIssueOpenedAt ? Date.parse(state.lastSlaIssueOpenedAt) : 0;
+    const slaCooldown = 6 * 24 * 60 * 60 * 1000;
+    if (Date.now() - lastSla < slaCooldown) {
+        (0, log_1.logInfo)("SLA issue cooldown; skipping");
+        return { issueOpened: false };
+    }
+    const prUrls = stalePrs.map((p) => p.url).filter(Boolean);
+    await (0, client_1.createIssue)({
+        token: githubToken,
+        repository: repo,
+        issue: {
+            title: "[docdrift] Docs out of sync — merge doc drift PR(s)",
+            body: (0, client_1.renderSlaIssueBody)({ prUrls, slaDays }),
+            labels: ["docdrift"],
+        },
+    });
+    state.lastSlaIssueOpenedAt = new Date().toISOString();
+    (0, state_1.saveState)(state);
+    (0, log_1.logInfo)(`Opened SLA issue for ${prUrls.length} stale PR(s)`);
+    return { issueOpened: true };
+}
 async function runStatus(sinceHours = 24) {
     const apiKey = process.env.DEVIN_API_KEY;
     if (!apiKey) {

package/dist/src/model/state.js

@@ -5,6 +5,6 @@ const emptyState = () => ({
     idempotency: {},
     dailyPrCount: {},
     areaDailyPrOpened: {},
-    areaLatestPr: {}
+    areaLatestPr: {},
 });
 exports.emptyState = emptyState;

package/dist/src/policy/confidence.js

@@ -6,7 +6,7 @@ const tierWeight = {
     0: 1,
     1: 0.9,
     2: 0.6,
-    3: 0.35
+    3: 0.35,
 };
 function clamp01(value) {
     return Math.max(0, Math.min(1, value));

package/dist/src/policy/engine.js

@@ -21,7 +21,8 @@ function decidePolicy(input) {
     const capReached = prCountToday >= config.policy.prCaps.maxPrsPerDay;
     const areaDailyKey = `${today}:${item.docArea}`;
     const exceedsFileCap = item.impactedDocs.length > config.policy.prCaps.maxFilesTouched;
-    const hasPathOutsideAllowlist = item.impactedDocs.some((filePath) => filePath && !(0, glob_1.isPathAllowed)(filePath, config.policy.allowlist));
+    const exclude = "exclude" in config && Array.isArray(config.exclude) ? config.exclude : [];
+    const hasPathOutsideAllowlist = item.impactedDocs.some((filePath) => filePath && !(0, glob_1.isPathAllowedAndNotExcluded)(filePath, config.policy.allowlist, exclude));
     let action = "NOOP";
     let reason = "No action needed";
     if (hasPathOutsideAllowlist) {
@@ -70,21 +71,21 @@ function decidePolicy(input) {
         docArea: item.docArea,
         baseSha: input.baseSha,
         headSha: input.headSha,
-        action
+        action,
     });
     if (state.idempotency[idempotencyKey]) {
         return {
             action: "NOOP",
             confidence,
             reason: "Idempotency key already processed",
-            idempotencyKey
+            idempotencyKey,
         };
     }
     return {
         action,
         confidence,
         reason,
-        idempotencyKey
+        idempotencyKey,
     };
 }
 function applyDecisionToState(input) {
@@ -94,7 +95,7 @@ function applyDecisionToState(input) {
         createdAt: new Date().toISOString(),
         action: input.decision.action,
         outcome: input.outcome,
-        link: input.link
+        link: input.link,
     };
     next.idempotency[input.decision.idempotencyKey] = record;
     if (input.outcome === "PR_OPENED") {

package/dist/src/utils/exec.js

@@ -8,7 +8,7 @@ async function execCommand(command, cwd = process.cwd()) {
     try {
         const { stdout, stderr } = await exec(command, {
             cwd,
-            maxBuffer: 10 * 1024 * 1024
+            maxBuffer: 10 * 1024 * 1024,
         });
         return { command, stdout, stderr, exitCode: 0 };
     }
@@ -18,7 +18,7 @@ async function execCommand(command, cwd = process.cwd()) {
             command,
             stdout: e.stdout ?? "",
             stderr: e.stderr ?? String(error),
-            exitCode: typeof e.code === "number" ? e.code : 1
+            exitCode: typeof e.code === "number" ? e.code : 1,
         };
     }
 }

package/dist/src/utils/glob.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.globToRegExp = globToRegExp;
 exports.matchesGlob = matchesGlob;
 exports.isPathAllowed = isPathAllowed;
+exports.isPathExcluded = isPathExcluded;
+exports.isPathAllowedAndNotExcluded = isPathAllowedAndNotExcluded;
 function escapeRegex(input) {
     return input.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
 }
@@ -19,3 +21,14 @@ function matchesGlob(glob, value) {
 function isPathAllowed(path, allowlist) {
     return allowlist.some((glob) => matchesGlob(glob, path));
 }
+function isPathExcluded(path, exclude) {
+    if (!exclude?.length)
+        return false;
+    return exclude.some((glob) => matchesGlob(glob, path));
+}
+/** Path is allowed by allowlist AND not excluded */
+function isPathAllowedAndNotExcluded(path, allowlist, exclude = []) {
+    if (isPathExcluded(path, exclude))
+        return false;
+    return isPathAllowed(path, allowlist);
+}