@dewtech/dare-cli 3.5.0 → 3.6.0

package/dist/hooks/__tests__/allowlist.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.test.js","sourceRoot":"","sources":["../../../src/hooks/__tests__/allowlist.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAGvE,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YAC1E,GAAG,EAAE,MAAM;YACX,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;SAC/B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,QAAQ,GAAG,aAAa,CAC5B,aAAa,EACb,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,EACjD,EAAE,CACH,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YACpF,GAAG,EAAE,KAAK;YACV,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;SACtB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,EAAE,CACV,aAAa,CAAC,OAA2B,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CACrE,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,EAAE,CACV,aAAa,CAAC,OAA2B,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CACrE,CAAC,OAAO,CAAC,6CAA6C,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,GAAG,EAAE,CACV,aAAa,CAAC,aAAa,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAAC,CAChE,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/hooks/__tests__/config.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config.test.d.ts.map

package/dist/hooks/__tests__/config.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.d.ts","sourceRoot":"","sources":["../../../src/hooks/__tests__/config.test.ts"],"names":[],"mappings":""}

package/dist/hooks/__tests__/config.test.js

@@ -0,0 +1,57 @@
+import { describe, it, expect } from 'vitest';
+import { HOOK_DEFAULTS, parseHookConfig, HookConfigError, seedHooksDefaultsIfAbsent, } from '../config.js';
+describe('parseHookConfig', () => {
+    it('returns inert defaults when hooks block is absent', () => {
+        expect(parseHookConfig({})).toEqual({ on: {}, trusted: false });
+        expect(parseHookConfig({ verification: { enabled: false } })).toEqual({
+            on: {},
+            trusted: false,
+        });
+        expect(parseHookConfig(undefined)).toEqual({ on: {}, trusted: false });
+    });
+    it('parses valid hooks block', () => {
+        const cfg = parseHookConfig({
+            hooks: {
+                on: { 'on-save': [{ action: 'lint' }] },
+                trusted: true,
+            },
+        });
+        expect(cfg.trusted).toBe(true);
+        expect(cfg.on['on-save']).toEqual([{ action: 'lint' }]);
+    });
+    it('rejects invalid hook event', () => {
+        expect(() => parseHookConfig({ hooks: { on: { 'on-deploy': [] } } })).toThrow(HookConfigError);
+        try {
+            parseHookConfig({ hooks: { on: { 'on-deploy': [] } } });
+        }
+        catch (err) {
+            expect(err).toBeInstanceOf(HookConfigError);
+            const issues = err.issues;
+            expect(issues.some((i) => i.path.includes('on-deploy'))).toBe(true);
+            expect(err.message).toMatch(/^Invalid hooks config:/);
+        }
+    });
+    it('rejects invalid action key', () => {
+        expect(() => parseHookConfig({
+            hooks: { on: { 'on-save': [{ action: 'rm-rf' }] } },
+        })).toThrow(HookConfigError);
+    });
+    it('rejects path-escape args', () => {
+        expect(() => parseHookConfig({
+            hooks: {
+                on: {
+                    'on-save': [{ action: 'lint', args: ['../../etc/passwd'] }],
+                },
+            },
+        })).toThrow();
+    });
+});
+describe('seedHooksDefaultsIfAbsent', () => {
+    it('inserts inert block when absent', () => {
+        const cfg = {};
+        expect(seedHooksDefaultsIfAbsent(cfg)).toBe(true);
+        expect(cfg.hooks).toEqual(HOOK_DEFAULTS);
+        expect(seedHooksDefaultsIfAbsent(cfg)).toBe(false);
+    });
+});
+//# sourceMappingURL=config.test.js.map

package/dist/hooks/__tests__/config.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.js","sourceRoot":"","sources":["../../../src/hooks/__tests__/config.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,aAAa,EACb,eAAe,EACf,eAAe,EACf,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AAEtB,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,eAAe,CAAC,EAAE,YAAY,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YACpE,EAAE,EAAE,EAAE;YACN,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,GAAG,GAAG,eAAe,CAAC;YAC1B,KAAK,EAAE;gBACL,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,EAAE;gBACvC,OAAO,EAAE,IAAI;aACd;SACF,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CACxD,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE3B,IAAI,CAAC;YACH,eAAe,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAI,GAAuB,CAAC,MAAM,CAAC;YAC/C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpE,MAAM,CAAE,GAAa,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;QACnE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CAAC;YACd,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE;SACpD,CAAC,CACH,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CAAC;YACd,KAAK,EAAE;gBACL,EAAE,EAAE;oBACF,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC;iBAC5D;aACF;SACF,CAAC,CACH,CAAC,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,MAAM,CAAC,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QACzC,MAAM,CAAC,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/hooks/__tests__/dispatcher.security.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=dispatcher.security.test.d.ts.map

package/dist/hooks/__tests__/dispatcher.security.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.security.test.d.ts","sourceRoot":"","sources":["../../../src/hooks/__tests__/dispatcher.security.test.ts"],"names":[],"mappings":""}

package/dist/hooks/__tests__/dispatcher.security.test.js

@@ -0,0 +1,86 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import fs from 'fs-extra';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { readFileSync } from 'node:fs';
+import { dispatchHook, TrustRequiredError, PathEscapeError, } from '../dispatcher.js';
+import { ActionNotAllowedError } from '../allowlist.js';
+const spawnMock = vi.fn();
+vi.mock('../../exec/safe-spawn.js', () => ({
+    safeSpawn: (...args) => spawnMock(...args),
+}));
+const HOOKS_SRC = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const STEERING_SRC = path.resolve(HOOKS_SRC, '..', 'steering');
+describe('hooks dispatcher security', () => {
+    let projectRoot;
+    beforeEach(async () => {
+        spawnMock.mockReset();
+        spawnMock.mockResolvedValue({ code: 0, stdout: '', stderr: '', timedOut: false });
+        projectRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'hook-sec-'));
+        await fs.writeJson(path.join(projectRoot, 'dare.config.json'), {
+            structure: 'mcp-server',
+            mcpLanguage: 'node-ts',
+        });
+        await fs.writeFile(path.join(projectRoot, 'dare-graph.yml'), 'backend: json\njson:\n  path: .dare/graph.json\n');
+    });
+    afterEach(async () => {
+        await fs.remove(projectRoot).catch(() => undefined);
+    });
+    const trustedConfig = {
+        on: { 'on-save': [{ action: 'dare-validate' }] },
+        trusted: true,
+    };
+    it('rejects path traversal before spawn', async () => {
+        await expect(dispatchHook(trustedConfig, { event: 'on-save', file: '../../etc/passwd' }, { projectRoot })).rejects.toThrow(PathEscapeError);
+        expect(spawnMock).not.toHaveBeenCalled();
+    });
+    it('rejects absolute paths before spawn', async () => {
+        await expect(dispatchHook(trustedConfig, { event: 'on-save', file: '/etc/passwd' }, { projectRoot })).rejects.toThrow(PathEscapeError);
+        expect(spawnMock).not.toHaveBeenCalled();
+    });
+    it('passes shell-metacharacters as literal argv (shell:false)', async () => {
+        const malicious = "'; rm -rf / #";
+        await dispatchHook({
+            on: { 'on-file-create': [{ action: 'dare-validate' }] },
+            trusted: true,
+        }, { event: 'on-file-create', file: malicious }, { projectRoot });
+        expect(spawnMock).toHaveBeenCalled();
+        const [, argv, opts] = spawnMock.mock.calls[0];
+        expect(argv).not.toContain(undefined);
+        expect(opts).toMatchObject({ cwd: projectRoot });
+        expect(JSON.stringify(spawnMock.mock.calls)).not.toContain('shell":true');
+    });
+    it('enforces trust gate before spawn (RS-05)', async () => {
+        await expect(dispatchHook({ on: { 'on-save': [{ action: 'dare-validate' }] }, trusted: false }, { event: 'on-save' }, { projectRoot })).rejects.toThrow(TrustRequiredError);
+        expect(spawnMock).not.toHaveBeenCalled();
+    });
+    it('allows dispatch with trustOverride', async () => {
+        await dispatchHook({ on: { 'on-save': [{ action: 'dare-validate' }] }, trusted: false }, { event: 'on-save' }, { projectRoot, trustOverride: true });
+        expect(spawnMock).toHaveBeenCalled();
+    });
+    it('rejects actions outside allowlist', async () => {
+        await expect(dispatchHook({
+            on: { 'on-save': [{ action: 'rm-rf' }] },
+            trusted: true,
+        }, { event: 'on-save' }, { projectRoot })).rejects.toThrow(ActionNotAllowedError);
+        expect(spawnMock).not.toHaveBeenCalled();
+    });
+    it('has zero shell:true in hooks/ and steering/ sources', () => {
+        const files = [
+            path.join(HOOKS_SRC, 'dispatcher.ts'),
+            path.join(HOOKS_SRC, 'allowlist.ts'),
+            path.join(HOOKS_SRC, 'config.ts'),
+            path.join(STEERING_SRC, 'resolver.ts'),
+            path.join(STEERING_SRC, 'loader.ts'),
+        ];
+        const hits = [];
+        for (const file of files) {
+            const src = readFileSync(file, 'utf-8');
+            if (/shell:\s*true/.test(src))
+                hits.push(path.basename(file));
+        }
+        expect(hits).toEqual([]);
+    });
+});
+//# sourceMappingURL=dispatcher.security.test.js.map

package/dist/hooks/__tests__/dispatcher.security.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.security.test.js","sourceRoot":"","sources":["../../../src/hooks/__tests__/dispatcher.security.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC1B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAExD,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAE1B,EAAE,CAAC,IAAI,CAAC,0BAA0B,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,SAAS,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;CACtD,CAAC,CAAC,CAAC;AAEJ,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAC5B,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAC5C,IAAI,CACL,CAAC;AACF,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;AAE/D,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAI,WAAmB,CAAC;IAExB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,SAAS,CAAC,SAAS,EAAE,CAAC;QACtB,SAAS,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QAElF,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,EAAE;YAC7D,SAAS,EAAE,YAAY;YACvB,WAAW,EAAE,SAAS;SACvB,CAAC,CAAC;QACH,MAAM,EAAE,CAAC,SAAS,CAChB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,EACxC,kDAAkD,CACnD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,MAAM,aAAa,GAAG;QACpB,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,eAAwB,EAAE,CAAC,EAAE;QACzD,OAAO,EAAE,IAAI;KACd,CAAC;IAEF,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,CACV,YAAY,CACV,aAAa,EACb,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAC9C,EAAE,WAAW,EAAE,CAChB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACnC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,CACV,YAAY,CACV,aAAa,EACb,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,EACzC,EAAE,WAAW,EAAE,CAChB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACnC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,SAAS,GAAG,eAAe,CAAC;QAClC,MAAM,YAAY,CAChB;YACE,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,EAAE;YACvD,OAAO,EAAE,IAAI;SACd,EACD,EAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC5C,EAAE,WAAW,EAAE,CAChB,CAAC;QAEF,MAAM,CAAC,SAAS,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACrC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,MAAM,CACV,YAAY,CACV,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EACpE,EAAE,KAAK,EAAE,SAAS,EAAE,EACpB,EAAE,WAAW,EAAE,CAChB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QACtC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,YAAY,CAChB,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EACpE,EAAE,KAAK,EAAE,SAAS,EAAE,EACpB,EAAE,WAAW,EAAE,aAAa,EAAE,IAAI,EAAE,CACrC,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,CAAC,gBAAgB,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,MAAM,CACV,YAAY,CACV;YACE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,OAAiB,EAAE,CAAC,EAAE;YAClD,OAAO,EAAE,IAAI;SACd,EACD,EAAE,KAAK,EAAE,SAAS,EAAE,EACpB,EAAE,WAAW,EAAE,CAChB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QACzC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,KAAK,GAAG;YACZ,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;YACrC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,aAAa,CAAC;YACtC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC;SACrC,CAAC;QACF,MAAM,IAAI,GAAa,EAAE,CAAC;QAC1B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACxC,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/hooks/__tests__/dispatcher.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=dispatcher.test.d.ts.map

package/dist/hooks/__tests__/dispatcher.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.test.d.ts","sourceRoot":"","sources":["../../../src/hooks/__tests__/dispatcher.test.ts"],"names":[],"mappings":""}

package/dist/hooks/__tests__/dispatcher.test.js

@@ -0,0 +1,69 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'fs-extra';
+import os from 'node:os';
+import path from 'node:path';
+import { dispatchHook, TrustRequiredError, ActionNotAllowedError, } from '../dispatcher.js';
+const spawnMock = vi.fn();
+vi.mock('../../exec/safe-spawn.js', () => ({
+    safeSpawn: (...args) => spawnMock(...args),
+}));
+describe('hooks dispatcher', () => {
+    let projectRoot;
+    beforeEach(async () => {
+        spawnMock.mockReset();
+        spawnMock.mockResolvedValue({ code: 0, stdout: '', stderr: '', timedOut: false });
+        projectRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'hook-dispatch-'));
+        await fs.writeJson(path.join(projectRoot, 'dare.config.json'), {
+            structure: 'mcp-server',
+            mcpLanguage: 'node-ts',
+        });
+        await fs.writeFile(path.join(projectRoot, 'dare-graph.yml'), 'backend: json\njson:\n  path: .dare/graph.json\n');
+    });
+    afterEach(async () => {
+        await fs.remove(projectRoot).catch(() => undefined);
+    });
+    it('rejects untrusted config without trustOverride', async () => {
+        await expect(dispatchHook({ on: { 'on-save': [{ action: 'lint' }] }, trusted: false }, { event: 'on-save' }, { projectRoot })).rejects.toThrow(TrustRequiredError);
+        expect(spawnMock).not.toHaveBeenCalled();
+    });
+    it('dispatches dare-review via safeSpawn with argv (shell:false path)', async () => {
+        const results = await dispatchHook({
+            on: { 'on-task-complete': [{ action: 'dare-review' }] },
+            trusted: true,
+        }, { event: 'on-task-complete', taskId: 'task-101' }, { projectRoot });
+        expect(spawnMock).toHaveBeenCalledTimes(1);
+        const [cmd, argv, opts] = spawnMock.mock.calls[0];
+        expect(cmd).toBe('dare');
+        expect(argv).toEqual(['review', 'task-101', '--strict', '--format', 'json']);
+        expect(opts).toMatchObject({ cwd: projectRoot, timeoutSeconds: 600 });
+        expect(results[0]).toMatchObject({
+            action: 'dare-review',
+            exitCode: 0,
+            skipped: false,
+            verdict: 'pass',
+        });
+    });
+    it('skips duplicate dispatch via idempotency', async () => {
+        const config = {
+            on: { 'on-save': [{ action: 'dare-validate' }] },
+            trusted: true,
+        };
+        const payload = { event: 'on-save' };
+        await dispatchHook(config, payload, { projectRoot });
+        const second = await dispatchHook(config, payload, { projectRoot });
+        expect(spawnMock).toHaveBeenCalledTimes(1);
+        expect(second[0]?.skipped).toBe(true);
+    });
+    it('rejects disallowed action keys at resolve time', async () => {
+        await expect(dispatchHook({
+            on: { 'on-save': [{ action: 'rm-rf' }] },
+            trusted: true,
+        }, { event: 'on-save' }, { projectRoot })).rejects.toThrow(ActionNotAllowedError);
+    });
+    it('returns empty array when no actions configured', async () => {
+        const results = await dispatchHook({ on: {}, trusted: true }, { event: 'pre-commit' }, { projectRoot });
+        expect(results).toEqual([]);
+        expect(spawnMock).not.toHaveBeenCalled();
+    });
+});
+//# sourceMappingURL=dispatcher.test.js.map

package/dist/hooks/__tests__/dispatcher.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dispatcher.test.js","sourceRoot":"","sources":["../../../src/hooks/__tests__/dispatcher.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC1B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAE1B,EAAE,CAAC,IAAI,CAAC,0BAA0B,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,SAAS,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;CACtD,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,IAAI,WAAmB,CAAC;IAExB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,SAAS,CAAC,SAAS,EAAE,CAAC;QACtB,SAAS,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QAElF,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACzE,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,EAAE;YAC7D,SAAS,EAAE,YAAY;YACvB,WAAW,EAAE,SAAS;SACvB,CAAC,CAAC;QACH,MAAM,EAAE,CAAC,SAAS,CAChB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,EACxC,kDAAkD,CACnD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,MAAM,CACV,YAAY,CACV,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EAC3D,EAAE,KAAK,EAAE,SAAS,EAAE,EACpB,EAAE,WAAW,EAAE,CAChB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QACtC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,OAAO,GAAG,MAAM,YAAY,CAChC;YACE,EAAE,EAAE,EAAE,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,EAAE;YACvD,OAAO,EAAE,IAAI;SACd,EACD,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,EACjD,EAAE,WAAW,EAAE,CAChB,CAAC;QAEF,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;QAC7E,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,cAAc,EAAE,GAAG,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;YAC/B,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,CAAC;YACX,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,MAAM,GAAG;YACb,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,eAAwB,EAAE,CAAC,EAAE;YACzD,OAAO,EAAE,IAAI;SACd,CAAC;QACF,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,SAAkB,EAAE,CAAC;QAE9C,MAAM,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAEpE,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,MAAM,CACV,YAAY,CACV;YACE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,OAAiB,EAAE,CAAC,EAAE;YAClD,OAAO,EAAE,IAAI;SACd,EACD,EAAE,KAAK,EAAE,SAAS,EAAE,EACpB,EAAE,WAAW,EAAE,CAChB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,OAAO,GAAG,MAAM,YAAY,CAChC,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EACzB,EAAE,KAAK,EAAE,YAAY,EAAE,EACvB,EAAE,WAAW,EAAE,CAChB,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC5B,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/hooks/__tests__/idempotency.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=idempotency.test.d.ts.map

package/dist/hooks/__tests__/idempotency.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.test.d.ts","sourceRoot":"","sources":["../../../src/hooks/__tests__/idempotency.test.ts"],"names":[],"mappings":""}

package/dist/hooks/__tests__/idempotency.test.js

@@ -0,0 +1,45 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import fs from 'fs-extra';
+import os from 'node:os';
+import path from 'node:path';
+import { markSeen, shouldSkip, stateKey } from '../idempotency.js';
+describe('hooks idempotency', () => {
+    let projectRoot;
+    const ctx = () => ({
+        projectRoot,
+        statePath: '.dare/hooks-state.json',
+    });
+    beforeEach(async () => {
+        projectRoot = await fs.mkdtemp(path.join(os.tmpdir(), 'hooks-idem-'));
+        await fs.ensureDir(path.join(projectRoot, '.dare'));
+    });
+    afterEach(async () => {
+        await fs.remove(projectRoot).catch(() => undefined);
+    });
+    it('skips after markSeen for same file event', async () => {
+        const payload = { event: 'on-save', file: 'src/a.ts' };
+        expect(await shouldSkip('on-save', 'lint', payload, ctx())).toBe(false);
+        await markSeen('on-save', 'lint', payload, ctx());
+        expect(await shouldSkip('on-save', 'lint', payload, ctx())).toBe(true);
+    });
+    it('does not skip for different files', async () => {
+        const a = { event: 'on-save', file: 'src/a.ts' };
+        const b = { event: 'on-save', file: 'src/b.ts' };
+        await markSeen('on-save', 'lint', a, ctx());
+        expect(await shouldSkip('on-save', 'lint', b, ctx())).toBe(false);
+    });
+    it('on-task-complete uses stable key regardless of file order', () => {
+        const payload = { event: 'on-task-complete', taskId: 'task-101' };
+        const k1 = stateKey('on-task-complete', 'dare-review', payload, {
+            touchedFiles: ['src/b.ts', 'src/a.ts'],
+        });
+        const k2 = stateKey('on-task-complete', 'dare-review', payload, {
+            touchedFiles: ['src/a.ts', 'src/b.ts'],
+        });
+        expect(k1).toBe(k2);
+    });
+    it('rejects unsafe paths', async () => {
+        await expect(shouldSkip('on-save', 'lint', { event: 'on-save', file: '../escape.ts' }, ctx())).rejects.toThrow();
+    });
+});
+//# sourceMappingURL=idempotency.test.js.map

package/dist/hooks/__tests__/idempotency.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.test.js","sourceRoot":"","sources":["../../../src/hooks/__tests__/idempotency.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC1B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEnE,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,IAAI,WAAmB,CAAC;IACxB,MAAM,GAAG,GAAG,GAAG,EAAE,CAAC,CAAC;QACjB,WAAW;QACX,SAAS,EAAE,wBAAwB;KACpC,CAAC,CAAC;IAEH,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC;QACtE,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,SAAkB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QAChE,MAAM,CAAC,MAAM,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxE,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,SAAkB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QAC1D,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,SAAkB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QAC1D,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,kBAA2B,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QAC3E,MAAM,EAAE,GAAG,QAAQ,CAAC,kBAAkB,EAAE,aAAa,EAAE,OAAO,EAAE;YAC9D,YAAY,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,QAAQ,CAAC,kBAAkB,EAAE,aAAa,EAAE,OAAO,EAAE;YAC9D,YAAY,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;SACvC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACpC,MAAM,MAAM,CACV,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,GAAG,EAAE,CAAC,CACjF,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/hooks/__tests__/telemetry.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=telemetry.test.d.ts.map

package/dist/hooks/__tests__/telemetry.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry.test.d.ts","sourceRoot":"","sources":["../../../src/hooks/__tests__/telemetry.test.ts"],"names":[],"mappings":""}

package/dist/hooks/__tests__/telemetry.test.js

@@ -0,0 +1,52 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import os from 'node:os';
+import path from 'node:path';
+import { JsonGraph } from '../../graphrag/json-graph.js';
+import { recordHookTrigger } from '../telemetry.js';
+describe('hooks telemetry', () => {
+    let graph;
+    beforeEach(async () => {
+        const file = path.join(os.tmpdir(), `hook-tel-${Date.now()}.json`);
+        graph = new JsonGraph(file);
+        await graph.init();
+    });
+    afterEach(() => graph.close());
+    it('records hook node and triggered_by edge', () => {
+        recordHookTrigger(graph, {
+            event: 'on-save',
+            action: 'lint',
+            exitCode: 0,
+            skipped: false,
+            triggeredAt: '2026-06-07T12:00:00.000Z',
+        });
+        const edges = graph.getEdges('concept:hook:on-save:lint:2026-06-07T12:00:00.000Z', 'out');
+        expect(edges.some((e) => e.type === 'references' && e.metadata?.relation === 'triggered_by')).toBe(true);
+    });
+    it('records produced edge when verdict is present', () => {
+        recordHookTrigger(graph, {
+            event: 'on-task-complete',
+            action: 'dare-review',
+            exitCode: 0,
+            skipped: false,
+            verdict: 'pass',
+            triggeredAt: '2026-06-07T12:00:01.000Z',
+        });
+        const hookId = 'concept:hook:on-task-complete:dare-review:2026-06-07T12:00:01.000Z';
+        const edges = graph.getEdges(hookId, 'out');
+        expect(edges.some((e) => e.type === 'related_to' && e.metadata?.relation === 'produced')).toBe(true);
+    });
+    it('upserts without duplicating nodes on re-register', () => {
+        const record = {
+            event: 'pre-commit',
+            action: 'dare-validate',
+            exitCode: 0,
+            skipped: false,
+            triggeredAt: '2026-06-07T12:00:02.000Z',
+        };
+        recordHookTrigger(graph, record);
+        recordHookTrigger(graph, record);
+        const stats = graph.getStatistics();
+        expect(stats.totalNodes).toBeLessThanOrEqual(3);
+    });
+});
+//# sourceMappingURL=telemetry.test.js.map

package/dist/hooks/__tests__/telemetry.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry.test.js","sourceRoot":"","sources":["../../../src/hooks/__tests__/telemetry.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEpD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAI,KAAgB,CAAC;IAErB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,YAAY,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACnE,KAAK,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5B,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IAE/B,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,iBAAiB,CAAC,KAAK,EAAE;YACvB,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,CAAC;YACX,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,0BAA0B;SACxC,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,oDAAoD,EAAE,KAAK,CAAC,CAAC;QAC1F,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAChG,IAAI,CACL,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,iBAAiB,CAAC,KAAK,EAAE;YACvB,KAAK,EAAE,kBAAkB;YACzB,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,CAAC;YACX,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,MAAM;YACf,WAAW,EAAE,0BAA0B;SACxC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,oEAAoE,CAAC;QACpF,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAC5F,IAAI,CACL,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,MAAM,GAAG;YACb,KAAK,EAAE,YAAqB;YAC5B,MAAM,EAAE,eAAwB;YAChC,QAAQ,EAAE,CAAC;YACX,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,0BAA0B;SACxC,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACjC,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,KAAK,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/hooks/allowlist.d.ts

@@ -0,0 +1,24 @@
+import type { HookEventPayload } from './types.js';
+/** Chaves FECHADAS de ação (A-3 / RS-01 / RS-06). Editável só via diff versionado. */
+export type AllowedActionKey = 'dare-validate' | 'dare-review' | 'graph-register' | 'lint' | 'test';
+/** Conjunto fechado materializado — fonte única para validação Zod (task-303). */
+export declare const ALLOWED_ACTION_KEYS: readonly AllowedActionKey[];
+export interface ResolvedCommand {
+    readonly cmd: string;
+    readonly argv: readonly string[];
+}
+/** Veredito de que a ação é "interna" (não spawna) — graph-register (RF-12). */
+export declare const INTERNAL_ACTIONS: readonly AllowedActionKey[];
+export declare class ActionNotAllowedError extends Error {
+    readonly code: "ACTION_NOT_ALLOWED";
+    constructor(key: string);
+}
+/**
+ * Resolve uma ação da allowlist para (cmd, argv). Único ponto que decide o que roda.
+ * Determinístico; payload entra como argv por elemento, nunca interpolado (RS-02).
+ */
+export declare function resolveAction(action: AllowedActionKey, payload: HookEventPayload, stack: {
+    lint?: string;
+    test?: string;
+}): ResolvedCommand;
+//# sourceMappingURL=allowlist.d.ts.map

package/dist/hooks/allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.d.ts","sourceRoot":"","sources":["../../src/hooks/allowlist.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,sFAAsF;AACtF,MAAM,MAAM,gBAAgB,GACxB,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,MAAM,GACN,MAAM,CAAC;AAEX,kFAAkF;AAClF,eAAO,MAAM,mBAAmB,EAAE,SAAS,gBAAgB,EAMjD,CAAC;AAEX,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AAED,gFAAgF;AAChF,eAAO,MAAM,gBAAgB,EAAE,SAAS,gBAAgB,EAAgC,CAAC;AAEzF,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,QAAQ,CAAC,IAAI,EAAG,oBAAoB,CAAU;gBAClC,GAAG,EAAE,MAAM;CAIxB;AAWD;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,gBAAgB,EACzB,KAAK,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,eAAe,CA4BjB"}

package/dist/hooks/allowlist.js

@@ -0,0 +1,61 @@
+/** Conjunto fechado materializado — fonte única para validação Zod (task-303). */
+export const ALLOWED_ACTION_KEYS = [
+    'dare-validate',
+    'dare-review',
+    'graph-register',
+    'lint',
+    'test',
+];
+/** Veredito de que a ação é "interna" (não spawna) — graph-register (RF-12). */
+export const INTERNAL_ACTIONS = ['graph-register'];
+export class ActionNotAllowedError extends Error {
+    constructor(key) {
+        super(`Hook action '${key}' is not in the allowlist`);
+        this.code = 'ACTION_NOT_ALLOWED';
+        this.name = 'ActionNotAllowedError';
+    }
+}
+function splitStackCommand(command) {
+    const parts = command.trim().split(/\s+/).filter(Boolean);
+    if (parts.length === 0) {
+        throw new ActionNotAllowedError('lint/test (empty stack command)');
+    }
+    const [cmd, ...argv] = parts;
+    return { cmd: cmd, argv };
+}
+/**
+ * Resolve uma ação da allowlist para (cmd, argv). Único ponto que decide o que roda.
+ * Determinístico; payload entra como argv por elemento, nunca interpolado (RS-02).
+ */
+export function resolveAction(action, payload, stack) {
+    switch (action) {
+        case 'dare-validate':
+            return { cmd: 'dare', argv: ['validate', '--strict'] };
+        case 'dare-review': {
+            if (!payload.taskId) {
+                throw new ActionNotAllowedError('dare-review');
+            }
+            return {
+                cmd: 'dare',
+                argv: ['review', payload.taskId, '--strict', '--format', 'json'],
+            };
+        }
+        case 'graph-register':
+            return { cmd: '', argv: [] };
+        case 'lint': {
+            const cmd = stack.lint;
+            if (!cmd)
+                throw new ActionNotAllowedError('lint');
+            return splitStackCommand(cmd);
+        }
+        case 'test': {
+            const cmd = stack.test;
+            if (!cmd)
+                throw new ActionNotAllowedError('test');
+            return splitStackCommand(cmd);
+        }
+        default:
+            throw new ActionNotAllowedError(String(action));
+    }
+}
+//# sourceMappingURL=allowlist.js.map

package/dist/hooks/allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allowlist.js","sourceRoot":"","sources":["../../src/hooks/allowlist.ts"],"names":[],"mappings":"AAUA,kFAAkF;AAClF,MAAM,CAAC,MAAM,mBAAmB,GAAgC;IAC9D,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,MAAM;IACN,MAAM;CACE,CAAC;AAOX,gFAAgF;AAChF,MAAM,CAAC,MAAM,gBAAgB,GAAgC,CAAC,gBAAgB,CAAU,CAAC;AAEzF,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAE9C,YAAY,GAAW;QACrB,KAAK,CAAC,gBAAgB,GAAG,2BAA2B,CAAC,CAAC;QAF/C,SAAI,GAAG,oBAA6B,CAAC;QAG5C,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,iCAAiC,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC;IAC7B,OAAO,EAAE,GAAG,EAAE,GAAI,EAAE,IAAI,EAAE,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAwB,EACxB,OAAyB,EACzB,KAAuC;IAEvC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,eAAe;YAClB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;QACzD,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;gBACpB,MAAM,IAAI,qBAAqB,CAAC,aAAa,CAAC,CAAC;YACjD,CAAC;YACD,OAAO;gBACL,GAAG,EAAE,MAAM;gBACX,IAAI,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC;aACjE,CAAC;QACJ,CAAC;QACD,KAAK,gBAAgB;YACnB,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC;YACvB,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,qBAAqB,CAAC,MAAM,CAAC,CAAC;YAClD,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC;YACvB,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,qBAAqB,CAAC,MAAM,CAAC,CAAC;YAClD,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QACD;YACE,MAAM,IAAI,qBAAqB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;AACH,CAAC"}

package/dist/hooks/config.d.ts

@@ -0,0 +1,24 @@
+import type { HookConfig } from './types.js';
+export declare const HOOK_DEFAULTS: HookConfig;
+export declare class HookConfigError extends Error {
+    readonly issues: ReadonlyArray<{
+        path: string;
+        message: string;
+    }>;
+    constructor(issues: ReadonlyArray<{
+        path: string;
+        message: string;
+    }>);
+}
+/**
+ * Parse and validate `hooks` from an already-parsed dare.config.json object.
+ */
+export declare function parseHookConfig(raw: unknown): HookConfig;
+/** Serializable defaults for dare.config.json (new projects + migrations). */
+export declare function defaultHookConfigForProject(): HookConfig;
+/**
+ * Inserts the hooks block when absent (opt-in: trusted stays false).
+ * Returns true when the block was added.
+ */
+export declare function seedHooksDefaultsIfAbsent(cfg: Record<string, unknown>): boolean;
+//# sourceMappingURL=config.d.ts.map

package/dist/hooks/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/hooks/config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAI7C,eAAO,MAAM,aAAa,EAAE,UAAuC,CAAC;AAyBpE,qBAAa,eAAgB,SAAQ,KAAK;IACxC,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;gBAEtD,MAAM,EAAE,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAOrE;AAsBD;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,UAAU,CAoBxD;AAED,8EAA8E;AAC9E,wBAAgB,2BAA2B,IAAI,UAAU,CAExD;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,OAAO,CAIT"}

package/dist/hooks/config.js

@@ -0,0 +1,82 @@
+import { z } from 'zod';
+import { assertRelativeSafe } from '../utils/path-safety.js';
+import { HOOK_EVENTS } from './types.js';
+import { ALLOWED_ACTION_KEYS } from './allowlist.js';
+export const HOOK_DEFAULTS = { on: {}, trusted: false };
+const hookEventEnum = z.enum(HOOK_EVENTS);
+const actionKeyEnum = z.enum(ALLOWED_ACTION_KEYS);
+const hookActionSchema = z
+    .object({
+    action: actionKeyEnum,
+    args: z.array(z.string()).optional(),
+})
+    .strict();
+const hookConfigSchema = z
+    .object({
+    on: z
+        .record(hookEventEnum, z.array(hookActionSchema))
+        .default({}),
+    trusted: z.boolean().default(false),
+})
+    .strict();
+export class HookConfigError extends Error {
+    constructor(issues) {
+        super(`Invalid hooks config: ${issues.map((i) => `${i.path}: ${i.message}`).join('; ')}`);
+        this.name = 'HookConfigError';
+        this.issues = issues;
+    }
+}
+function isHooksBlockAbsent(raw) {
+    if (raw === undefined || raw === null)
+        return true;
+    if (typeof raw !== 'object')
+        return false;
+    const rec = raw;
+    return !('hooks' in rec) || rec.hooks === undefined;
+}
+function zodIssues(error) {
+    return error.issues.map((issue) => ({
+        path: issue.path.length > 0 ? issue.path.join('.') : '(root)',
+        message: issue.message,
+    }));
+}
+function looksLikePath(arg) {
+    return arg.includes('/') || arg.includes('\\') || arg.includes('..');
+}
+/**
+ * Parse and validate `hooks` from an already-parsed dare.config.json object.
+ */
+export function parseHookConfig(raw) {
+    if (isHooksBlockAbsent(raw)) {
+        return { on: {}, trusted: false };
+    }
+    const block = raw.hooks;
+    const result = hookConfigSchema.safeParse(block);
+    if (!result.success) {
+        throw new HookConfigError(zodIssues(result.error));
+    }
+    for (const actions of Object.values(result.data.on)) {
+        for (const a of actions ?? []) {
+            for (const arg of a.args ?? []) {
+                if (looksLikePath(arg))
+                    assertRelativeSafe(arg);
+            }
+        }
+    }
+    return result.data;
+}
+/** Serializable defaults for dare.config.json (new projects + migrations). */
+export function defaultHookConfigForProject() {
+    return structuredClone(HOOK_DEFAULTS);
+}
+/**
+ * Inserts the hooks block when absent (opt-in: trusted stays false).
+ * Returns true when the block was added.
+ */
+export function seedHooksDefaultsIfAbsent(cfg) {
+    if (cfg.hooks !== undefined)
+        return false;
+    cfg.hooks = defaultHookConfigForProject();
+    return true;
+}
+//# sourceMappingURL=config.js.map

package/dist/hooks/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/hooks/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,MAAM,CAAC,MAAM,aAAa,GAAe,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAEpE,MAAM,aAAa,GAAG,CAAC,CAAC,IAAI,CAC1B,WAA+C,CAChD,CAAC;AACF,MAAM,aAAa,GAAG,CAAC,CAAC,IAAI,CAC1B,mBAAuD,CACxD,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC;KACvB,MAAM,CAAC;IACN,MAAM,EAAE,aAAa;IACrB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,gBAAgB,GAAG,CAAC;KACvB,MAAM,CAAC;IACN,EAAE,EAAE,CAAC;SACF,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;SAChD,OAAO,CAAC,EAAE,CAAC;IACd,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACpC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAGxC,YAAY,MAAwD;QAClE,KAAK,CACH,yBAAyB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED,SAAS,kBAAkB,CAAC,GAAY;IACtC,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,OAAO,CAAC,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC;AACtD,CAAC;AAED,SAAS,SAAS,CAChB,KAAiB;IAEjB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAClC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ;QAC7D,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACvE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,KAAK,GAAI,GAA+B,CAAC,KAAK,CAAC;IACrD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,eAAe,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QACpD,KAAK,MAAM,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;YAC9B,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC/B,IAAI,aAAa,CAAC,GAAG,CAAC;oBAAE,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,IAAkB,CAAC;AACnC,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,2BAA2B;IACzC,OAAO,eAAe,CAAC,aAAa,CAAC,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,GAA4B;IAE5B,IAAI,GAAG,CAAC,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1C,GAAG,CAAC,KAAK,GAAG,2BAA2B,EAAE,CAAC;IAC1C,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/hooks/dispatcher.d.ts

@@ -0,0 +1,17 @@
+import { ActionNotAllowedError } from './allowlist.js';
+import { PathEscapeError } from '../utils/path-safety.js';
+import type { HookConfig, HookEventPayload, HookResult } from './types.js';
+export declare class TrustRequiredError extends Error {
+    readonly code: "TRUST_REQUIRED";
+    constructor(message?: string);
+}
+export declare class InvalidHookEventError extends Error {
+    readonly code: "INVALID_HOOK_EVENT";
+    constructor(event: string);
+}
+export declare function dispatchHook(config: HookConfig, payload: HookEventPayload, ctx: {
+    projectRoot: string;
+    trustOverride?: boolean;
+}): Promise<HookResult[]>;
+export { ActionNotAllowedError, PathEscapeError };
+//# sourceMappingURL=dispatcher.d.ts.map