@edictum/core 0.1.0 → 0.2.0

package/dist/index.cjs

@@ -81,7 +81,7 @@ function _validateToolName(toolName) {
   for (let i = 0; i < toolName.length; i++) {
     const code = toolName.charCodeAt(i);
     const ch = toolName[i];
-    if (code < 32 || code === 127 || ch === "/" || ch === "\\") {
+    if (code < 32 || code >= 127 && code <= 159 || code === 8232 || code === 8233 || ch === "/" || ch === "\\") {
       throw new EdictumConfigError(`Invalid tool_name: ${JSON.stringify(toolName)}`);
     }
   }
@@ -323,7 +323,7 @@ function _validateStorageKeyComponent(value, label) {
   }
   for (let i = 0; i < value.length; i++) {
     const code = value.charCodeAt(i);
-    if (code < 32 || code === 127) {
+    if (code < 32 || code >= 127 && code <= 159 || code === 8232 || code === 8233) {
       throw new EdictumConfigError(`Invalid ${label}: ${JSON.stringify(value)}`);
     }
   }
@@ -368,14 +368,10 @@ var init_session = __esm({
       }
       async toolExecutionCount(tool) {
         _validateStorageKeyComponent(tool, "tool_name");
-        return Number(
-          await this._backend.get(`s:${this._sid}:tool:${tool}`) ?? 0
-        );
+        return Number(await this._backend.get(`s:${this._sid}:tool:${tool}`) ?? 0);
       }
       async consecutiveFailures() {
-        return Number(
-          await this._backend.get(`s:${this._sid}:consec_fail`) ?? 0
-        );
+        return Number(await this._backend.get(`s:${this._sid}:consec_fail`) ?? 0);
       }
       /**
        * Pre-fetch multiple session counters in a single backend call.
@@ -388,10 +384,7 @@ var init_session = __esm({
        * backends without batchGet support.
        */
       async batchGetCounters(options) {
-        const keys = [
-          `s:${this._sid}:attempts`,
-          `s:${this._sid}:execs`
-        ];
+        const keys = [`s:${this._sid}:attempts`, `s:${this._sid}:execs`];
         const keyLabels = ["attempts", "execs"];
         if (options?.includeTool != null) {
           _validateStorageKeyComponent(options.includeTool, "tool_name");
@@ -448,11 +441,8 @@ var init_redaction = __esm({
         "passphrase"
       ]);
       static BASH_REDACTION_PATTERNS = [
-        [
-          String.raw`(export\s+\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)\w*=)\S+`,
-          "$1[REDACTED]"
-        ],
-        [String.raw`(-p\s*|--password[= ])\S+`, "$1[REDACTED]"],
+        [String.raw`(export\s+\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)\w*=)\S+`, "$1[REDACTED]"],
+        [String.raw`((?:^|\s)-p\s*|--password[= ])\S+`, "$1[REDACTED]"],
         [String.raw`(://\w+:)\S+(@)`, "$1[REDACTED]$2"]
       ];
       static SECRET_VALUE_PATTERNS = [
@@ -482,25 +472,18 @@ var init_redaction = __esm({
             }
           }
         }
-        this._patterns = [
-          ...customPatterns ?? [],
-          ..._RedactionPolicy.BASH_REDACTION_PATTERNS
-        ];
+        this._patterns = [...customPatterns ?? [], ..._RedactionPolicy.BASH_REDACTION_PATTERNS];
         this._compiledPatterns = this._patterns.map(
           ([pattern, replacement]) => [new RegExp(pattern, "g"), replacement]
         );
-        this._compiledSecretPatterns = _RedactionPolicy.SECRET_VALUE_PATTERNS.map(
-          (p) => new RegExp(p)
-        );
+        this._compiledSecretPatterns = _RedactionPolicy.SECRET_VALUE_PATTERNS.map((p) => new RegExp(p));
         this._detectValues = detectSecretValues;
       }
       /** Recursively redact sensitive data from tool arguments. */
       redactArgs(args) {
         if (args !== null && typeof args === "object" && !Array.isArray(args)) {
           const result = {};
-          for (const [key, value] of Object.entries(
-            args
-          )) {
+          for (const [key, value] of Object.entries(args)) {
             result[key] = this._isSensitiveKey(key) ? "[REDACTED]" : this.redactArgs(value);
           }
           return result;
@@ -512,6 +495,18 @@ var init_redaction = __esm({
           if (this._detectValues && this._looksLikeSecret(args)) {
             return "[REDACTED]";
           }
+          if (this._detectValues) {
+            const capped = args.length > _RedactionPolicy.MAX_REGEX_INPUT ? args.slice(0, _RedactionPolicy.MAX_REGEX_INPUT) : args;
+            let redacted = capped;
+            for (const [pattern, replacement] of this._compiledPatterns) {
+              pattern.lastIndex = 0;
+              redacted = redacted.replace(pattern, replacement);
+            }
+            if (redacted.length > 1e3) {
+              return redacted.slice(0, 997) + "...";
+            }
+            return redacted;
+          }
           if (args.length > 1e3) {
             return args.slice(0, 997) + "...";
           }
@@ -584,7 +579,7 @@ var init_redaction = __esm({
 
 // src/approval.ts
 function sanitizeForTerminal(s) {
-  return s.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, "").replace(/[\x00-\x1f\x7f]/g, "");
+  return s.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, "").replace(/[\x00-\x1f\x7f-\x9f\u2028\u2029]/g, "");
 }
 function createApprovalRequest(fields) {
   const request = {
@@ -655,9 +650,7 @@ var init_approval = __esm({
         const effectiveTimeout = timeout ?? (request ? request.timeout : 300);
         try {
           const response = await this._readStdin(approvalId, effectiveTimeout);
-          const approved = ["y", "yes", "approve"].includes(
-            response.trim().toLowerCase()
-          );
+          const approved = ["y", "yes", "approve"].includes(response.trim().toLowerCase());
           const status = approved ? ApprovalStatus.APPROVED : ApprovalStatus.DENIED;
           return createApprovalDecision({
             approved,
@@ -1139,10 +1132,7 @@ var init_pipeline = __esm({
           }
         }
         const pe = hasPolicyError(contractsEvaluated);
-        const observeResults = await this._evaluateObserveContracts(
-          envelope,
-          session
-        );
+        const observeResults = await this._evaluateObserveContracts(envelope, session);
         return createPreDecision({
           action: "allow",
           hooksEvaluated,
@@ -1197,23 +1187,17 @@ var init_pipeline = __esm({
                 text = policy.redactResult(text, text.length + 100);
               }
               redactedResponse = text;
-              warnings.push(
-                `\u26A0\uFE0F Content redacted by ${contract.name}.`
-              );
+              warnings.push(`\u26A0\uFE0F Content redacted by ${contract.name}.`);
             } else if (effect === "deny" && isSafe) {
               redactedResponse = `[OUTPUT SUPPRESSED] ${verdict.message}`;
               outputSuppressed = true;
-              warnings.push(
-                `\u26A0\uFE0F Output suppressed by ${contract.name}.`
-              );
+              warnings.push(`\u26A0\uFE0F Output suppressed by ${contract.name}.`);
             } else if ((effect === "redact" || effect === "deny") && !isSafe) {
               warnings.push(
                 `\u26A0\uFE0F ${verdict.message} Tool already executed \u2014 assess before proceeding.`
               );
             } else if (isSafe) {
-              warnings.push(
-                `\u26A0\uFE0F ${verdict.message} Consider retrying.`
-              );
+              warnings.push(`\u26A0\uFE0F ${verdict.message} Consider retrying.`);
             } else {
               warnings.push(
                 `\u26A0\uFE0F ${verdict.message} Tool already executed \u2014 assess before proceeding.`
@@ -1235,10 +1219,7 @@ var init_pipeline = __esm({
           try {
             verdict = await contract.check(envelope, toolResponse);
           } catch (exc) {
-            verdict = Verdict.fail(
-              `Observe-mode postcondition error: ${exc}`,
-              { policy_error: true }
-            );
+            verdict = Verdict.fail(`Observe-mode postcondition error: ${exc}`, { policy_error: true });
           }
           const record = {
             name: contract.name,
@@ -1256,9 +1237,7 @@ var init_pipeline = __esm({
             warnings.push(`\u26A0\uFE0F [observe] ${verdict.message}`);
           }
         }
-        const postconditionsPassed = contractsEvaluated.length > 0 ? contractsEvaluated.every(
-          (c) => c["passed"] === true || c["observed"] === true
-        ) : true;
+        const postconditionsPassed = contractsEvaluated.length > 0 ? contractsEvaluated.every((c) => c["passed"] === true || c["observed"] === true) : true;
         const pe = hasPolicyError(contractsEvaluated);
         return createPostDecision({
           toolSuccess,
@@ -1279,17 +1258,12 @@ var init_pipeline = __esm({
        */
       async _evaluateObserveContracts(envelope, session) {
         const results = [];
-        for (const contract of this._guard.getObservePreconditions(
-          envelope
-        )) {
+        for (const contract of this._guard.getObservePreconditions(envelope)) {
           let verdict;
           try {
             verdict = await contract.check(envelope);
           } catch (exc) {
-            verdict = Verdict.fail(
-              `Observe-mode precondition error: ${exc}`,
-              { policy_error: true }
-            );
+            verdict = Verdict.fail(`Observe-mode precondition error: ${exc}`, { policy_error: true });
           }
           results.push({
             name: contract.name,
@@ -1299,17 +1273,12 @@ var init_pipeline = __esm({
             source: contract.source ?? "yaml_precondition"
           });
         }
-        for (const contract of this._guard.getObserveSandboxContracts(
-          envelope
-        )) {
+        for (const contract of this._guard.getObserveSandboxContracts(envelope)) {
           let verdict;
           try {
             verdict = await contract.check(envelope);
           } catch (exc) {
-            verdict = Verdict.fail(
-              `Observe-mode sandbox error: ${exc}`,
-              { policy_error: true }
-            );
+            verdict = Verdict.fail(`Observe-mode sandbox error: ${exc}`, { policy_error: true });
           }
           results.push({
             name: contract.name,
@@ -1324,10 +1293,9 @@ var init_pipeline = __esm({
           try {
             verdict = await contract.check(session);
           } catch (exc) {
-            verdict = Verdict.fail(
-              `Observe-mode session contract error: ${exc}`,
-              { policy_error: true }
-            );
+            verdict = Verdict.fail(`Observe-mode session contract error: ${exc}`, {
+              policy_error: true
+            });
           }
           results.push({
             name: contract.name,
@@ -1430,46 +1398,22 @@ async function run(guard, toolName, args, toolCallable, options) {
           principal: principalDict
         }
       );
-      await _emitRunPreAudit(
-        guard,
-        envelope,
-        session,
-        AuditAction.CALL_APPROVAL_REQUESTED,
-        pre
-      );
+      await _emitRunPreAudit(guard, envelope, session, AuditAction.CALL_APPROVAL_REQUESTED, pre);
       const decision = await guard._approvalBackend.waitForDecision(
         approvalRequest.approvalId,
         pre.approvalTimeout
       );
       let approved = false;
       if (decision.status === ApprovalStatus.TIMEOUT) {
-        await _emitRunPreAudit(
-          guard,
-          envelope,
-          session,
-          AuditAction.CALL_APPROVAL_TIMEOUT,
-          pre
-        );
+        await _emitRunPreAudit(guard, envelope, session, AuditAction.CALL_APPROVAL_TIMEOUT, pre);
         if (pre.approvalTimeoutEffect === "allow") {
           approved = true;
         }
       } else if (!decision.approved) {
-        await _emitRunPreAudit(
-          guard,
-          envelope,
-          session,
-          AuditAction.CALL_APPROVAL_DENIED,
-          pre
-        );
+        await _emitRunPreAudit(guard, envelope, session, AuditAction.CALL_APPROVAL_DENIED, pre);
       } else {
         approved = true;
-        await _emitRunPreAudit(
-          guard,
-          envelope,
-          session,
-          AuditAction.CALL_APPROVAL_GRANTED,
-          pre
-        );
+        await _emitRunPreAudit(guard, envelope, session, AuditAction.CALL_APPROVAL_GRANTED, pre);
       }
       if (approved) {
         if (guard._onAllow) {
@@ -1505,11 +1449,7 @@ async function run(guard, toolName, args, toolCallable, options) {
           } catch {
           }
         }
-        throw new EdictumDenied(
-          pre.reason ?? "denied",
-          pre.decisionSource,
-          pre.decisionName
-        );
+        throw new EdictumDenied(pre.reason ?? "denied", pre.decisionSource, pre.decisionName);
       }
     } else {
       for (const cr of pre.contractsEvaluated) {
@@ -1533,13 +1473,7 @@ async function run(guard, toolName, args, toolCallable, options) {
           await guard.auditSink.emit(observedEvent);
         }
       }
-      await _emitRunPreAudit(
-        guard,
-        envelope,
-        session,
-        AuditAction.CALL_ALLOWED,
-        pre
-      );
+      await _emitRunPreAudit(guard, envelope, session, AuditAction.CALL_ALLOWED, pre);
       if (guard._onAllow) {
         try {
           guard._onAllow(envelope);
@@ -1966,21 +1900,15 @@ function classifyFinding(contractId, verdictMessage) {
   const contractLower = contractId.toLowerCase();
   const messageLower = (verdictMessage || "").toLowerCase();
   const piiTerms = ["pii", "ssn", "patient", "name", "dob"];
-  if (piiTerms.some(
-    (term) => contractLower.includes(term) || messageLower.includes(term)
-  )) {
+  if (piiTerms.some((term) => contractLower.includes(term) || messageLower.includes(term))) {
     return "pii_detected";
   }
   const secretTerms = ["secret", "token", "key", "credential", "password"];
-  if (secretTerms.some(
-    (term) => contractLower.includes(term) || messageLower.includes(term)
-  )) {
+  if (secretTerms.some((term) => contractLower.includes(term) || messageLower.includes(term))) {
     return "secret_detected";
   }
   const limitTerms = ["session", "limit", "max_calls", "budget"];
-  if (limitTerms.some(
-    (term) => contractLower.includes(term) || messageLower.includes(term)
-  )) {
+  if (limitTerms.some((term) => contractLower.includes(term) || messageLower.includes(term))) {
     return "limit_exceeded";
   }
   return "policy_violation";
@@ -2127,9 +2055,7 @@ function mergeObserveAlongside(merged, layer, label, contractSources, observes)
   for (const contract of layer.contracts ?? []) {
     const cid = contract.id;
     const observeId = `${cid}:candidate`;
-    const existingIds = new Set(
-      mc.map((c) => c.id)
-    );
+    const existingIds = new Set(mc.map((c) => c.id));
     if (existingIds.has(observeId)) {
       throw new EdictumConfigError(
         `observe_alongside collision: generated ID "${observeId}" already exists in the bundle. Rename the conflicting contract or use a different ID for "${cid}".`
@@ -2276,10 +2202,7 @@ function resolveSelector(selector, envelope, outputText, customSelectors) {
     if (rest === "role") return envelope.principal.role;
     if (rest === "ticket_ref") return envelope.principal.ticketRef;
     if (rest.startsWith("claims.")) {
-      return resolveNested(
-        rest.slice(7),
-        envelope.principal.claims
-      );
+      return resolveNested(rest.slice(7), envelope.principal.claims);
     }
     return _MISSING;
   }
@@ -2293,10 +2216,7 @@ function resolveSelector(selector, envelope, outputText, customSelectors) {
     return coerceEnvValue(raw);
   }
   if (selector.startsWith("metadata.")) {
-    return resolveNested(
-      selector.slice(9),
-      envelope.metadata
-    );
+    return resolveNested(selector.slice(9), envelope.metadata);
   }
   if (customSelectors) {
     const dotPos = selector.indexOf(".");
@@ -2345,13 +2265,31 @@ function evaluateExpression(expr, envelope, outputText, options) {
   const customOps = options?.customOperators ?? null;
   const customSels = options?.customSelectors ?? null;
   if ("all" in expr) {
-    return _evalAll(expr.all, envelope, outputText, customOps, customSels);
+    return _evalAll(
+      expr.all,
+      envelope,
+      outputText,
+      customOps,
+      customSels
+    );
   }
   if ("any" in expr) {
-    return _evalAny(expr.any, envelope, outputText, customOps, customSels);
+    return _evalAny(
+      expr.any,
+      envelope,
+      outputText,
+      customOps,
+      customSels
+    );
   }
   if ("not" in expr) {
-    return _evalNot(expr.not, envelope, outputText, customOps, customSels);
+    return _evalNot(
+      expr.not,
+      envelope,
+      outputText,
+      customOps,
+      customSels
+    );
   }
   const leafKeys = Object.keys(expr);
   if (leafKeys.length !== 1) {
@@ -2406,7 +2344,8 @@ function _applyOperator(op, fieldValue, opValue, selector, customOperators) {
   }
   if (fieldValue === _MISSING || fieldValue == null) return false;
   try {
-    if (Object.hasOwn(OPERATORS, op)) return OPERATORS[op](fieldValue, opValue);
+    if (Object.hasOwn(OPERATORS, op))
+      return OPERATORS[op](fieldValue, opValue);
     if (customOperators && Object.hasOwn(customOperators, op)) {
       return Boolean(customOperators[op](fieldValue, opValue));
     }
@@ -2433,10 +2372,7 @@ function expandMessage(template, envelope, outputText, customSelectors) {
   });
 }
 function validateOperators(bundle, customOperators) {
-  const known = /* @__PURE__ */ new Set([
-    ...BUILTIN_OPERATOR_NAMES,
-    ...Object.keys(customOperators ?? {})
-  ]);
+  const known = /* @__PURE__ */ new Set([...BUILTIN_OPERATOR_NAMES, ...Object.keys(customOperators ?? {})]);
   const contracts = bundle.contracts ?? [];
   for (const contract of contracts) {
     const when = contract.when;
@@ -2468,9 +2404,7 @@ function _validateExpressionOperators(expr, known, contractId) {
     if (operator != null && typeof operator === "object") {
       for (const opName of Object.keys(operator)) {
         if (!known.has(opName)) {
-          throw new EdictumConfigError(
-            `Contract '${contractId}': unknown operator '${opName}'`
-          );
+          throw new EdictumConfigError(`Contract '${contractId}': unknown operator '${opName}'`);
         }
       }
     }
@@ -2607,7 +2541,16 @@ function compilePost(contract, mode, customOps, customSels) {
   const meta = then.metadata ?? {};
   const check = (envelope, response) => {
     const outputText = response != null ? String(response) : void 0;
-    return _evalAndVerdict(whenExpr, envelope, outputText, msgTpl, tags, meta, customOps, customSels);
+    return _evalAndVerdict(
+      whenExpr,
+      envelope,
+      outputText,
+      msgTpl,
+      tags,
+      meta,
+      customOps,
+      customSels
+    );
   };
   const effectValue = then.effect ?? "warn";
   const result = {
@@ -2672,14 +2615,18 @@ function mergeSessionLimits(contract, existing) {
   if ("max_tool_calls" in sessionLimits) {
     const raw = sessionLimits.max_tool_calls;
     if (typeof raw !== "number" || !Number.isFinite(raw)) {
-      throw new EdictumConfigError(`Session limit max_tool_calls must be a finite number, got: ${String(raw)}`);
+      throw new EdictumConfigError(
+        `Session limit max_tool_calls must be a finite number, got: ${String(raw)}`
+      );
     }
     maxToolCalls = Math.min(maxToolCalls, raw);
   }
   if ("max_attempts" in sessionLimits) {
     const raw = sessionLimits.max_attempts;
     if (typeof raw !== "number" || !Number.isFinite(raw)) {
-      throw new EdictumConfigError(`Session limit max_attempts must be a finite number, got: ${String(raw)}`);
+      throw new EdictumConfigError(
+        `Session limit max_attempts must be a finite number, got: ${String(raw)}`
+      );
     }
     maxAttempts = Math.min(maxAttempts, raw);
   }
@@ -2704,10 +2651,6 @@ function mergeSessionLimits(contract, existing) {
 // src/yaml-engine/sandbox-compile-fn.ts
 init_contracts();
 
-// src/yaml-engine/sandbox-compiler.ts
-var import_node_fs = require("fs");
-var import_node_path = require("path");
-
 // src/fnmatch.ts
 function fnmatch(name, pattern) {
   if (pattern === "*") return true;
@@ -2732,6 +2675,36 @@ function fnmatch(name, pattern) {
   return new RegExp("^" + regex + "$").test(safeName);
 }
 
+// src/yaml-engine/resolve-path.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+function resolvePath(p) {
+  const cleaned = p.replace(/\0/g, "");
+  const resolved = (0, import_node_path.resolve)(cleaned);
+  try {
+    return (0, import_node_fs.realpathSync)(resolved);
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      return resolved;
+    }
+    const parts = resolved.split(import_node_path.sep);
+    for (let i = parts.length - 1; i > 0; i--) {
+      const prefix = parts.slice(0, i).join(import_node_path.sep) || "/";
+      try {
+        const realPrefix = (0, import_node_fs.realpathSync)(prefix);
+        const rest = parts.slice(i).join(import_node_path.sep);
+        return (0, import_node_path.join)(realPrefix, rest);
+      } catch (innerErr) {
+        if (innerErr.code !== "ENOENT") {
+          return resolved;
+        }
+        continue;
+      }
+    }
+    return resolved;
+  }
+}
+
 // src/yaml-engine/sandbox-compiler.ts
 var _REDIRECT_PREFIX_RE = /^(?:\d*>>|>>|\d*>|>|<<|<)/;
 var _SHELL_SEPARATOR_RE = /[;|&\n\r`]|\$\(|\$\{|<\(/;
@@ -2807,21 +2780,25 @@ var _PATH_ARG_KEYS = /* @__PURE__ */ new Set([
   "destination",
   "source",
   "src",
-  "dst"
+  "dst",
+  // Common path-like arg names from AI framework tool calls.
+  // IMPORTANT: Only include keys that are unambiguously path-related.
+  // Generic keys like 'name', 'input', 'output', 'from', 'to' are excluded
+  // because they frequently hold non-path values (e.g., { from: "English" }),
+  // and resolvePath() would produce false positives. The heuristic loop below
+  // catches path-like VALUES in any key (containing '..', '~', or '/').
+  "filename",
+  "file",
+  "filepath",
+  "read_path",
+  "write_path"
 ]);
-function _realpath(p) {
-  try {
-    return (0, import_node_fs.realpathSync)(p);
-  } catch {
-    return (0, import_node_path.resolve)(p);
-  }
-}
 function extractPaths(envelope) {
   const paths = [];
   const seen = /* @__PURE__ */ new Set();
   function add(p) {
     if (!p) return;
-    const resolved = _realpath(p);
+    const resolved = resolvePath(p);
     if (!seen.has(resolved)) {
       seen.add(resolved);
       paths.push(resolved);
@@ -2835,6 +2812,17 @@ function extractPaths(envelope) {
   for (const [key, value] of Object.entries(args)) {
     if (typeof value === "string" && value.startsWith("/") && !_PATH_ARG_KEYS.has(key)) add(value);
   }
+  for (const [key, value] of Object.entries(args)) {
+    if (typeof value === "string" && !_PATH_ARG_KEYS.has(key)) {
+      const isUrl = value.includes("://");
+      if (!isUrl && value.includes("../") || // embedded traversal: foo/../etc/passwd
+      value === ".." || // bare parent reference
+      value.startsWith("../") || // parent traversal prefix: ../../etc/passwd
+      value.startsWith("~") || value.startsWith("./") && !isUrl) {
+        add(value);
+      }
+    }
+  }
   const cmd = envelope.bashCommand ?? args.command ?? "";
   if (cmd) {
     for (const token of tokenizeCommand(cmd)) {
@@ -2887,23 +2875,14 @@ function domainMatches(hostname, patterns) {
 }
 
 // src/yaml-engine/sandbox-compile-fn.ts
-var import_node_fs2 = require("fs");
-var import_node_path2 = require("path");
-function _realpath2(p) {
-  try {
-    return (0, import_node_fs2.realpathSync)(p);
-  } catch {
-    return (0, import_node_path2.resolve)(p);
-  }
-}
 function _pathWithin(filePath, prefix) {
   return filePath === prefix || filePath.startsWith(prefix.replace(/\/+$/, "") + "/");
 }
 function compileSandbox(contract, mode) {
   const contractId = contract.id;
   const toolPatterns = "tools" in contract ? contract.tools : [contract.tool];
-  const within = (contract.within ?? []).map(_realpath2);
-  const notWithin = (contract.not_within ?? []).map(_realpath2);
+  const within = (contract.within ?? []).map(resolvePath);
+  const notWithin = (contract.not_within ?? []).map(resolvePath);
   const allows = contract.allows ?? {};
   const notAllows = contract.not_allows ?? {};
   const allowedCommands = allows.commands ?? [];
@@ -2916,6 +2895,11 @@ function compileSandbox(contract, mode) {
   const check = (envelope) => {
     if (within.length > 0 || notWithin.length > 0) {
       const paths = extractPaths(envelope);
+      if (paths.length === 0 && within.length > 0) {
+        return Verdict.fail(
+          expandMessage(messageTemplate, envelope) + " (no extractable paths \u2014 sandbox cannot verify boundary compliance)"
+        );
+      }
       if (paths.length > 0) {
         for (const p of paths) {
           for (const excluded of notWithin) {
@@ -2982,9 +2966,7 @@ function compileContracts(bundle, options = {}) {
   const customSels = options?.customSelectors ?? null;
   validateOperators(bundle, customOps);
   if (bundle.defaults == null || typeof bundle.defaults !== "object") {
-    throw new EdictumConfigError(
-      "Bundle missing required 'defaults' section with 'mode' field"
-    );
+    throw new EdictumConfigError("Bundle missing required 'defaults' section with 'mode' field");
   }
   const defaults = bundle.defaults;
   const defaultMode = defaults.mode;
@@ -3030,7 +3012,8 @@ function compileContracts(bundle, options = {}) {
 
 // src/yaml-engine/loader.ts
 var import_node_crypto3 = require("crypto");
-var import_node_fs3 = require("fs");
+var import_node_fs2 = require("fs");
+var import_js_yaml = __toESM(require("js-yaml"), 1);
 init_errors();
 
 // src/yaml-engine/loader-validators.ts
@@ -3053,13 +3036,22 @@ function validateSchema(data) {
     throw new EdictumConfigError("Schema validation failed: contracts must be an array");
   }
 }
-var CONTROL_CHAR_RE = /[\x00-\x1f\x7f-\x9f]/;
+var CONTROL_CHAR_RE = /[\x00-\x1f\x7f-\x9f\u2028\u2029]/;
+var CONTRACT_ID_RE = /^[a-z0-9][a-z0-9_-]*$/;
 function validateContractId(contractId) {
+  if (contractId.length > 1e4) {
+    throw new EdictumConfigError("Contract id exceeds maximum length");
+  }
   if (CONTROL_CHAR_RE.test(contractId)) {
     throw new EdictumConfigError(
       `Contract id contains control characters: '${contractId.replace(CONTROL_CHAR_RE, "\\x??")}'`
     );
   }
+  if (!CONTRACT_ID_RE.test(contractId)) {
+    throw new EdictumConfigError(
+      `Contract id '${contractId}' must match pattern ^[a-z0-9][a-z0-9_-]*$`
+    );
+  }
 }
 function validateUniqueIds(data) {
   const ids = /* @__PURE__ */ new Set();
@@ -3160,26 +3152,231 @@ function validateSandboxContracts(data) {
   }
 }
 
+// src/yaml-engine/loader-field-validators.ts
+init_errors();
+var VALID_CONTRACT_TYPES = /* @__PURE__ */ new Set(["pre", "post", "session", "sandbox"]);
+var PRE_EFFECTS = /* @__PURE__ */ new Set(["deny", "approve"]);
+var POST_EFFECTS = /* @__PURE__ */ new Set(["warn", "redact", "deny"]);
+var VALID_MODES = /* @__PURE__ */ new Set(["enforce", "observe"]);
+var VALID_SIDE_EFFECTS = /* @__PURE__ */ new Set(["pure", "read", "write", "irreversible"]);
+var KNOWN_TOP_LEVEL = /* @__PURE__ */ new Set([
+  "apiVersion",
+  "kind",
+  "metadata",
+  "defaults",
+  "contracts",
+  "tools",
+  "observability",
+  "observe_alongside"
+]);
+var METADATA_NAME_RE = /^[a-z0-9][a-z0-9._-]*$/;
+var MAX_MESSAGE_LENGTH = 500;
+function fail(msg) {
+  throw new EdictumConfigError(`Schema validation failed: ${msg}`);
+}
+function validateContractFields(data) {
+  for (const key of Object.keys(data)) {
+    if (!KNOWN_TOP_LEVEL.has(key)) fail(`unknown top-level field '${key}'`);
+  }
+  if (data.metadata == null || typeof data.metadata !== "object" || Array.isArray(data.metadata)) {
+    fail("'metadata' is required and must be an object");
+  }
+  const meta = data.metadata;
+  if (meta.name == null || typeof meta.name !== "string") fail("metadata.name is required");
+  const metaName = meta.name;
+  if (metaName.length > 1e4) fail("metadata.name exceeds maximum length");
+  if (!METADATA_NAME_RE.test(metaName)) {
+    fail(
+      `metadata.name must be a lowercase slug (^[a-z0-9][a-z0-9._-]*$), got '${metaName.slice(0, 100)}'`
+    );
+  }
+  if (data.defaults == null || typeof data.defaults !== "object" || Array.isArray(data.defaults)) {
+    fail("'defaults' is required and must be an object");
+  }
+  const mode = data.defaults.mode;
+  if (!VALID_MODES.has(mode)) {
+    fail(`defaults.mode must be 'enforce' or 'observe', got '${String(mode)}'`);
+  }
+  const contracts = data.contracts;
+  if (contracts.length === 0) fail("contracts must contain at least 1 item");
+  if (data.tools != null) {
+    if (typeof data.tools !== "object" || Array.isArray(data.tools)) {
+      fail("'tools' must be a mapping of tool names to descriptors, not an array");
+    }
+    for (const [tn, td] of Object.entries(data.tools)) {
+      if (td == null || typeof td !== "object" || Array.isArray(td)) {
+        fail(`tools.${tn} must be an object with a 'side_effect' field`);
+      }
+      const se = td.side_effect;
+      if (!VALID_SIDE_EFFECTS.has(se)) {
+        fail(
+          `tools.${tn}.side_effect must be 'pure', 'read', 'write', or 'irreversible', got '${String(se)}'`
+        );
+      }
+    }
+  }
+  for (const c of contracts) {
+    if (c == null || typeof c !== "object" || Array.isArray(c)) {
+      fail("every contract must be an object (got null or non-object array element)");
+    }
+    if (c.id == null || typeof c.id !== "string" || c.id.length === 0) {
+      fail("every contract requires a non-empty 'id' string");
+    }
+    const cid = c.id;
+    if (!VALID_CONTRACT_TYPES.has(c.type)) {
+      fail(`contract '${cid}': invalid type '${String(c.type)}'`);
+    }
+    const t = c.type;
+    if (t === "pre" || t === "post") validatePrePost(c, t, cid);
+    else if (t === "session") validateSession(c, cid);
+    else if (t === "sandbox") validateSandboxStructure(c, cid);
+  }
+}
+function validatePrePost(c, t, cid) {
+  if (c.tool == null || typeof c.tool !== "string") {
+    fail(`${t} contract '${cid}' requires 'tool' to be a string`);
+  }
+  if (c.when == null || typeof c.when !== "object" || Array.isArray(c.when)) {
+    fail(
+      `${t} contract '${cid}' requires 'when' to be a mapping (got ${Array.isArray(c.when) ? "array" : typeof c.when})`
+    );
+  }
+  if (c.then == null || typeof c.then !== "object" || Array.isArray(c.then)) {
+    fail(`${t} contract '${cid}' requires 'then' to be a mapping`);
+  }
+  const then = c.then;
+  if (then.effect == null) fail(`${t} contract '${cid}' requires 'then.effect'`);
+  if (then.message == null) fail(`${t} contract '${cid}' requires 'then.message'`);
+  validateMessageLength(then.message, `${t} contract '${cid}'`);
+  const effect = then.effect;
+  if (t === "pre" && !PRE_EFFECTS.has(effect)) {
+    fail(`pre contract '${cid}': effect must be 'deny' or 'approve', got '${effect}'`);
+  }
+  if (t === "post" && !POST_EFFECTS.has(effect)) {
+    fail(`post contract '${cid}': effect must be 'warn', 'redact', or 'deny', got '${effect}'`);
+  }
+}
+function validateSession(c, cid) {
+  if (c.limits == null || typeof c.limits !== "object" || Array.isArray(c.limits)) {
+    fail(`session contract '${cid}' requires 'limits' to be a mapping`);
+  }
+  const lim = c.limits;
+  if (!("max_tool_calls" in lim) && !("max_attempts" in lim) && !("max_calls_per_tool" in lim)) {
+    fail(
+      `session contract '${cid}': limits must have max_tool_calls, max_attempts, or max_calls_per_tool`
+    );
+  }
+  if (c.then == null || typeof c.then !== "object" || Array.isArray(c.then)) {
+    fail(`session contract '${cid}' requires 'then' to be a mapping`);
+  }
+  const then = c.then;
+  if (then.effect !== "deny") {
+    fail(`session contract '${cid}': effect must be 'deny', got '${String(then.effect)}'`);
+  }
+  if (then.message == null) fail(`session contract '${cid}' requires 'then.message'`);
+  validateMessageLength(then.message, `session contract '${cid}'`);
+}
+function validateSandboxStructure(c, cid) {
+  if (c.tool == null && c.tools == null) {
+    fail(`sandbox contract '${cid}' requires either 'tool' or 'tools'`);
+  }
+  if (c.tool != null && typeof c.tool !== "string") {
+    fail(`sandbox contract '${cid}': 'tool' must be a string`);
+  }
+  if (c.tools != null && (!Array.isArray(c.tools) || c.tools.length === 0)) {
+    fail(`sandbox contract '${cid}': 'tools' must be a non-empty array`);
+  }
+  if (c.within == null && c.allows == null) {
+    fail(`sandbox contract '${cid}' requires either 'within' or 'allows'`);
+  }
+  if (c.within != null && (!Array.isArray(c.within) || c.within.length === 0)) {
+    fail(`sandbox contract '${cid}': 'within' must be a non-empty array`);
+  }
+  if (c.message == null) fail(`sandbox contract '${cid}' requires 'message'`);
+  validateMessageLength(c.message, `sandbox contract '${cid}'`);
+}
+function validateMessageLength(msg, context) {
+  if (typeof msg !== "string") {
+    fail(`${context}: message must be a string`);
+  }
+  if (msg.length > MAX_MESSAGE_LENGTH) {
+    fail(`${context}: message exceeds ${MAX_MESSAGE_LENGTH} characters`);
+  }
+}
+
+// src/yaml-engine/loader-expression-validators.ts
+init_errors();
+var NUMERIC_OPS = /* @__PURE__ */ new Set(["gt", "gte", "lt", "lte"]);
+var STRING_OPS = /* @__PURE__ */ new Set(["contains", "starts_with", "ends_with"]);
+var ARRAY_MIN1_OPS = /* @__PURE__ */ new Set(["in", "not_in", "contains_any", "matches_any"]);
+function fail2(msg) {
+  throw new EdictumConfigError(`Schema validation failed: ${msg}`);
+}
+function validateExpressionShapes(data) {
+  for (const c of data.contracts ?? []) {
+    if (c == null || typeof c !== "object") continue;
+    const contract = c;
+    if (contract.when != null) checkExprShape(contract.when, contract.id ?? "?");
+  }
+}
+var MAX_EXPR_DEPTH = 50;
+function checkExprShape(expr, cid, depth = 0) {
+  if (depth > MAX_EXPR_DEPTH)
+    fail2(`contract '${cid}': expression nesting exceeds maximum depth (${MAX_EXPR_DEPTH})`);
+  if (expr == null || typeof expr !== "object") return;
+  const e = expr;
+  if ("all" in e) {
+    const a = e.all;
+    if (!Array.isArray(a) || a.length === 0)
+      fail2(`contract '${cid}': 'all' requires a non-empty array`);
+    for (const s of a) checkExprShape(s, cid, depth + 1);
+    return;
+  }
+  if ("any" in e) {
+    const a = e.any;
+    if (!Array.isArray(a) || a.length === 0)
+      fail2(`contract '${cid}': 'any' requires a non-empty array`);
+    for (const s of a) checkExprShape(s, cid, depth + 1);
+    return;
+  }
+  if ("not" in e) {
+    if (e.not == null || typeof e.not !== "object" || Array.isArray(e.not)) {
+      fail2(
+        `contract '${cid}': 'not' requires an expression mapping (got ${e.not === null ? "null" : Array.isArray(e.not) ? "array" : typeof e.not})`
+      );
+    }
+    checkExprShape(e.not, cid, depth + 1);
+    return;
+  }
+  for (const v of Object.values(e)) {
+    if (v == null || typeof v !== "object") continue;
+    if (Array.isArray(v)) {
+      fail2(`contract '${cid}': selector value must be an operator mapping, not an array`);
+    }
+    const op = v;
+    for (const [name, val] of Object.entries(op)) {
+      if (NUMERIC_OPS.has(name) && typeof val !== "number") {
+        fail2(`contract '${cid}': operator '${name}' requires a number, got ${typeof val}`);
+      }
+      if (STRING_OPS.has(name) && typeof val !== "string") {
+        fail2(`contract '${cid}': operator '${name}' requires a string, got ${typeof val}`);
+      }
+      if (ARRAY_MIN1_OPS.has(name) && (!Array.isArray(val) || val.length === 0)) {
+        fail2(`contract '${cid}': operator '${name}' requires a non-empty array`);
+      }
+    }
+  }
+}
+
 // src/yaml-engine/loader.ts
 var MAX_BUNDLE_SIZE = 1048576;
 function computeHash(rawBytes) {
   return { hex: (0, import_node_crypto3.createHash)("sha256").update(rawBytes).digest("hex") };
 }
-function requireYaml() {
-  try {
-    const yaml = require("js-yaml");
-    return yaml;
-  } catch {
-    throw new EdictumConfigError(
-      "The YAML engine requires js-yaml. Install it with: npm install js-yaml"
-    );
-  }
-}
 function parseYaml(content) {
-  const yaml = requireYaml();
   let data;
   try {
-    data = yaml.load(content);
+    data = import_js_yaml.default.load(content, { schema: import_js_yaml.default.CORE_SCHEMA });
   } catch (e) {
     throw new EdictumConfigError(`YAML parse error: ${String(e)}`);
   }
@@ -3190,20 +3387,22 @@ function parseYaml(content) {
 }
 function validateBundle(data) {
   validateSchema(data);
+  validateContractFields(data);
   validateUniqueIds(data);
+  validateExpressionShapes(data);
   validateRegexes(data);
   validatePreSelectors(data);
   validateSandboxContracts(data);
 }
 function loadBundle(source) {
-  const resolved = (0, import_node_fs3.realpathSync)(source);
-  const fileSize = (0, import_node_fs3.statSync)(resolved).size;
+  const resolved = (0, import_node_fs2.realpathSync)(source);
+  const fileSize = (0, import_node_fs2.statSync)(resolved).size;
   if (fileSize > MAX_BUNDLE_SIZE) {
     throw new EdictumConfigError(
       `Bundle file too large (${fileSize} bytes, max ${MAX_BUNDLE_SIZE})`
     );
   }
-  const rawBytes = (0, import_node_fs3.readFileSync)(resolved);
+  const rawBytes = (0, import_node_fs2.readFileSync)(resolved);
   const bundleHash = computeHash(rawBytes);
   const data = parseYaml(rawBytes.toString("utf-8"));
   validateBundle(data);
@@ -3251,9 +3450,10 @@ function fromYaml(...args) {
     policyVersion = entry[1].hex;
     report = { overriddenContracts: [], observeContracts: [] };
   } else {
-    const bundleTuples = loaded.map(
-      ([data], i) => [data, paths[i]]
-    );
+    const bundleTuples = loaded.map(([data], i) => [
+      data,
+      paths[i]
+    ]);
     const composed = composeBundles(...bundleTuples);
     bundleData = composed.bundle;
     report = composed.report;
@@ -3378,15 +3578,9 @@ var Edictum = class _Edictum {
     this._approvalBackend = options.approvalBackend ?? null;
     this._localSink = new CollectingAuditSink();
     if (Array.isArray(options.auditSink)) {
-      this.auditSink = new CompositeSink([
-        this._localSink,
-        ...options.auditSink
-      ]);
+      this.auditSink = new CompositeSink([this._localSink, ...options.auditSink]);
     } else if (options.auditSink != null) {
-      this.auditSink = new CompositeSink([
-        this._localSink,
-        options.auditSink
-      ]);
+      this.auditSink = new CompositeSink([this._localSink, options.auditSink]);
     } else {
       this.auditSink = this._localSink;
     }
@@ -3484,24 +3678,16 @@ var Edictum = class _Edictum {
   }
   getHooks(phase, envelope) {
     const hooks = phase === "before" ? this._beforeHooks : this._afterHooks;
-    return hooks.filter(
-      (h) => h.tool === "*" || fnmatch(envelope.toolName, h.tool)
-    );
+    return hooks.filter((h) => h.tool === "*" || fnmatch(envelope.toolName, h.tool));
   }
   // -----------------------------------------------------------------------
   // Contract accessors -- enforce mode
   // -----------------------------------------------------------------------
   getPreconditions(envelope) {
-    return _Edictum._filterByTool(
-      this._state.preconditions,
-      envelope
-    );
+    return _Edictum._filterByTool(this._state.preconditions, envelope);
   }
   getPostconditions(envelope) {
-    return _Edictum._filterByTool(
-      this._state.postconditions,
-      envelope
-    );
+    return _Edictum._filterByTool(this._state.postconditions, envelope);
   }
   getSessionContracts() {
     return [...this._state.sessionContracts];
@@ -3561,12 +3747,16 @@ var Edictum = class _Edictum {
       const edictumType = raw._edictum_type;
       const isObserve = raw._edictum_observe ?? raw._edictum_shadow ?? false;
       if (edictumType != null) {
-        _Edictum._classifyInternal(
-          raw,
-          edictumType,
-          isObserve,
-          { pre, post, session, sandbox, oPre, oPost, oSession, oSandbox }
-        );
+        _Edictum._classifyInternal(raw, edictumType, isObserve, {
+          pre,
+          post,
+          session,
+          sandbox,
+          oPre,
+          oPost,
+          oSession,
+          oSandbox
+        });
       } else if (isSessionContract(item)) {
         const name = raw.name ?? "anonymous";
         session.push({
@@ -3624,9 +3814,12 @@ var Edictum = class _Edictum {
   static _classifyInternal(raw, edictumType, isObserve, lists) {
     const target = isObserve ? { pre: lists.oPre, post: lists.oPost, session: lists.oSession, sandbox: lists.oSandbox } : { pre: lists.pre, post: lists.post, session: lists.session, sandbox: lists.sandbox };
     if (edictumType === "precondition") target.pre.push(raw);
-    else if (edictumType === "postcondition") target.post.push(raw);
-    else if (edictumType === "session_contract") target.session.push(raw);
-    else if (edictumType === "sandbox") target.sandbox.push(raw);
+    else if (edictumType === "postcondition")
+      target.post.push(raw);
+    else if (edictumType === "session_contract")
+      target.session.push(raw);
+    else if (edictumType === "sandbox")
+      target.sandbox.push(raw);
     else {
       throw new EdictumConfigError(
         `Unknown _edictum_type "${edictumType}". Expected "precondition", "postcondition", "session_contract", or "sandbox".`
@@ -3678,15 +3871,11 @@ var Edictum = class _Edictum {
    * Session contracts are skipped.
    */
   evaluate(toolName, args, options) {
-    return Promise.resolve().then(() => (init_dry_run(), dry_run_exports)).then(
-      ({ evaluate: evaluate2 }) => evaluate2(this, toolName, args, options)
-    );
+    return Promise.resolve().then(() => (init_dry_run(), dry_run_exports)).then(({ evaluate: evaluate2 }) => evaluate2(this, toolName, args, options));
   }
   /** Evaluate a batch of tool calls. Thin wrapper over evaluate(). */
   evaluateBatch(calls) {
-    return Promise.resolve().then(() => (init_dry_run(), dry_run_exports)).then(
-      ({ evaluateBatch: evaluateBatch2 }) => evaluateBatch2(this, calls)
-    );
+    return Promise.resolve().then(() => (init_dry_run(), dry_run_exports)).then(({ evaluateBatch: evaluateBatch2 }) => evaluateBatch2(this, calls));
   }
   static fromYaml(...args) {
     return fromYaml(...args);