@fusengine/harness 0.1.9 → 0.1.10

package/dist/adapters/claude/index.mjs

@@ -1,2 +1,2 @@
-import { a as readClaudeInput, i as guard, n as denyResponse, o as toClaudeResponse, r as fileSizeGuard, t as contextResponse } from "../../claude-DbzjbxmO.mjs";
+import { a as readClaudeInput, i as guard, n as denyResponse, o as toClaudeResponse, r as fileSizeGuard, t as contextResponse } from "../../claude-B3aJwu6O.mjs";
 export { contextResponse, denyResponse, fileSizeGuard, guard, readClaudeInput, toClaudeResponse };

package/dist/adapters/cline/index.mjs

@@ -1,4 +1,4 @@
-import { t as evaluate } from "../../evaluate-CsYyUucy.mjs";
+import { t as evaluate } from "../../evaluate-DkTgwHNh.mjs";
 import { t as formatPrompt } from "../../types-ernB1Dy3.mjs";
 //#region src/adapters/cline/index.ts
 /**

package/dist/adapters/codex/index.mjs

@@ -1,2 +1,2 @@
-import { a as readClaudeInput, i as guard, n as denyResponse, t as contextResponse } from "../../claude-DbzjbxmO.mjs";
+import { a as readClaudeInput, i as guard, n as denyResponse, t as contextResponse } from "../../claude-B3aJwu6O.mjs";
 export { contextResponse, denyResponse, guard, readClaudeInput as readCodexInput };

package/dist/adapters/cursor/index.mjs

@@ -1,4 +1,4 @@
-import { t as evaluate } from "../../evaluate-CsYyUucy.mjs";
+import { t as evaluate } from "../../evaluate-DkTgwHNh.mjs";
 import { t as formatPrompt } from "../../types-ernB1Dy3.mjs";
 //#region src/adapters/cursor/index.ts
 /**

package/dist/adapters/gemini/index.mjs

@@ -1,4 +1,4 @@
-import { t as evaluate } from "../../evaluate-CsYyUucy.mjs";
+import { t as evaluate } from "../../evaluate-DkTgwHNh.mjs";
 import { t as formatPrompt } from "../../types-ernB1Dy3.mjs";
 //#region src/adapters/gemini/index.ts
 /**

package/dist/{claude-DbzjbxmO.mjs → claude-B3aJwu6O.mjs}

@@ -1,4 +1,4 @@
-import { t as evaluate } from "./evaluate-CsYyUucy.mjs";
+import { t as evaluate } from "./evaluate-DkTgwHNh.mjs";
 import { t as formatPrompt } from "./types-ernB1Dy3.mjs";
 //#region src/adapters/claude/index.ts
 /**

package/dist/cli/bin.mjs

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 import { t as detectHarness } from "../harness-C8Nxxyn_.mjs";
-import { n as stagedContent, r as stagedFiles, t as checkStaged } from "../run-h_2LNEA8.mjs";
+import { n as stagedContent, r as stagedFiles, t as checkStaged } from "../run-D2na7Z2Z.mjs";
 import { n as writeInitFile, t as initFor } from "../run-Cdp2Ef9B.mjs";
-import { t as handleHook } from "../handle-Lz_thVKr.mjs";
+import { t as handleHook } from "../handle-BUyS6NU6.mjs";
 //#region src/cli/bin.ts
 /**
 * harness — CLI for @fusengine/harness.

package/dist/cli/index.mjs

@@ -1,2 +1,2 @@
-import { n as stagedContent, r as stagedFiles, t as checkStaged } from "../run-h_2LNEA8.mjs";
+import { n as stagedContent, r as stagedFiles, t as checkStaged } from "../run-D2na7Z2Z.mjs";
 export { checkStaged, stagedContent, stagedFiles };

package/dist/evaluate-DkTgwHNh.mjs

@@ -0,0 +1,316 @@
+import { i as splitTarget, r as resolveMaxLines } from "./limits-CHn8AIL1.mjs";
+import { t as isCodeFile } from "./project-root-C4ks_q1G.mjs";
+//#region src/policy/detect-framework.ts
+/**
+* Detect the framework from a file path extension + content patterns.
+* Aligned with the fusengine require-solid-read detection (distinct from
+* {@link detectProjectType}, which scans config files on disk).
+*/
+function detectFramework(filePath, content) {
+	if (/\.(tsx?|jsx?|vue|svelte)$/.test(filePath) || /from ['"]react|useState|className=/.test(content)) {
+		if (/(page|layout|loading|error|route)\.(ts|tsx)$/.test(filePath) || /use client|use server/.test(content)) return "nextjs";
+		return "react";
+	}
+	if (/\.swift$/.test(filePath)) return "swift";
+	if (/\.php$/.test(filePath)) return "laravel";
+	if (/\.java$/.test(filePath)) return "java";
+	if (/\.go$/.test(filePath)) return "go";
+	if (/\.rb$/.test(filePath)) return "ruby";
+	if (/\.rs$/.test(filePath)) return "rust";
+	if (/\.css$/.test(filePath) || /@tailwind|@apply/.test(content)) return "tailwind";
+	return "generic";
+}
+//#endregion
+//#region src/policy/file-size.ts
+/** Count lines in file content (empty string = 0). */
+function countLines(content) {
+	return content === "" ? 0 : content.split("\n").length;
+}
+/**
+* Evaluate a file's line count against the SOLID limit.
+* @param lines - the file's line count
+* @param max - the limit (defaults to `resolveMaxLines()`)
+*/
+function evaluateFileSize(lines, max = resolveMaxLines()) {
+	if (lines <= max) return {
+		ok: true,
+		lines,
+		max,
+		message: null
+	};
+	return {
+		ok: false,
+		lines,
+		max,
+		message: `File has ${lines} lines (max: ${max}). Split into modules under ${splitTarget(max)} lines (Single Responsibility).`
+	};
+}
+//#endregion
+//#region src/policy/patterns.ts
+/**
+* Guard pattern data, ported verbatim from the fusengine git/install guards.
+* Note (faithful): `git push.*--force` also matches `--force-with-lease` —
+* preserved from the source guard.
+*/
+/** Destructive git operations to block outright. */
+const GIT_BLOCKED = [
+	/git push.*--force/,
+	/git push.*-f/,
+	/git reset.*--hard/,
+	/git clean.*-fd/,
+	/git branch.*-D/,
+	/git rebase.*--force/
+];
+/** Git operations that warrant a confirmation prompt. */
+const GIT_ASK = [
+	/git push/,
+	/git checkout/,
+	/git reset/,
+	/git rebase/,
+	/git merge/,
+	/git stash/,
+	/git clean/,
+	/git rm/,
+	/git mv/,
+	/git restore/,
+	/git revert/,
+	/git cherry-pick/
+];
+/** System-level package installs (need confirmation). */
+const SYSTEM_INSTALL = [
+	/brew install/,
+	/brew upgrade/,
+	/brew cask/,
+	/apt install/,
+	/apt-get install/
+];
+/** Project-level package installs. */
+const PROJECT_INSTALL = [
+	/npm install/,
+	/npm i /,
+	/yarn add/,
+	/pnpm add/,
+	/pip install/,
+	/pip3 install/,
+	/composer require/,
+	/bun add/,
+	/bun install/,
+	/cargo install/,
+	/go install/,
+	/gem install/,
+	/pipx install/
+];
+/** True when `cmd` matches any pattern in `patterns`. */
+function matchPatterns(cmd, patterns) {
+	return patterns.some((re) => re.test(cmd));
+}
+//#endregion
+//#region src/policy/guards/security.ts
+/** Critical patterns that must always be blocked. */
+const CRITICAL_PATTERNS = [
+	/\brm\s+(?:-[a-z]*\s+)*-[a-z]*[rf][a-z]*\s+(?:-[a-z]+\s+)*(?:\/|~)(?:\s|$)/,
+	/:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/,
+	/\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b/,
+	/\bchmod\s+(?:-[a-zA-Z]+\s+)*777\s+\//,
+	/\bmkfs(?:\.[a-z0-9]+)?\b/,
+	/\bdd\b[^\n]*\bif=\/dev\/zero\b[^\n]*\bof=\/dev\//
+];
+/** Patterns that warrant explicit confirmation before running. */
+const ASK_PATTERNS = [
+	/\bsudo\s/,
+	/\bchmod\s+(?:-[a-zA-Z]+\s+)*777\b/,
+	/\bchown\s+-R\b/,
+	/\beval\s/,
+	/(?:>|>>|\btee\b)\s*\/etc\//
+];
+/** Guards against dangerous Bash commands (critical → block, sensitive → ask). */
+function securityGuard(ctx) {
+	if (ctx.tool !== "Bash" || !ctx.command) return null;
+	const cmd = ctx.command;
+	for (const re of CRITICAL_PATTERNS) if (re.test(cmd)) return {
+		kind: "block",
+		title: "Dangerous command",
+		reason: "Command matches a destructive pattern (recursive root delete, fork bomb, remote-script piped to a shell, world-writable root, filesystem format, or disk overwrite).",
+		actions: ["Remove the destructive command", "Scope the operation to a specific safe path"]
+	};
+	for (const re of ASK_PATTERNS) if (re.test(cmd)) return {
+		kind: "ask",
+		title: "Dangerous command",
+		reason: "Command requests elevated privileges or alters sensitive targets (sudo, chmod 777, recursive chown, eval, or writing to /etc).",
+		actions: ["Confirm this command is intended", "Run with least privilege"]
+	};
+	return null;
+}
+//#endregion
+//#region src/policy/guards/protected-path.ts
+/** Path fragments that mark a location as internal/generated state (off-limits to Write/Edit). */
+const PROTECTED_FRAGMENTS = [
+	".claude/plugins/marketplaces",
+	".claude/plugins/cache",
+	".claude/logs/00-apex",
+	".claude/fusengine-cache",
+	".git/"
+];
+/** Blocks direct edits to internal/generated state directories. */
+function protectedPathGuard(ctx) {
+	if ((ctx.tool === "Write" || ctx.tool === "Edit") && ctx.filePath) {
+		const path = ctx.filePath;
+		if (PROTECTED_FRAGMENTS.some((fragment) => path.includes(fragment))) return {
+			kind: "block",
+			title: "Protected path",
+			reason: "This is internal/generated state — do not edit it directly.",
+			actions: ["Edit the source, not the generated/cache copy"]
+		};
+	}
+	return null;
+}
+//#endregion
+//#region src/policy/guards/bash-write.ts
+/** Redirect (`>`/`>>`) targeting a code-file extension. */
+const CODE_REDIRECT = /(?:>>?)\s*[^\s|;&]*\.(?:ts|tsx|js|jsx|py|go|rb|rs|java|kt|php|swift|vue|svelte|c|cpp|h)\b/;
+/** Interpreters / tools that mutate source in place, plus heredoc-into-file. */
+const CODE_MUTATORS = /\bpython3?\s+-c\b|\bsed\s+-i\b|\bperl\s+-i\b|\bawk\s+-i\s+inplace\b|\bpatch\s+|<<[-~]?\s*['"]?\w+['"]?[\s\S]*?>/;
+/** Redirect to a non-code file, or other ambiguous file writers (ASK). */
+const ASK_WRITERS = /(?:>>?\s*[^\s|;&]+)|\btee\s+|\bdd\s+of=|\bnode\s+-e\b.*(?:writeFile|appendFile)|\bruby\s+-e\b.*File\.write/;
+/**
+* Blocks shell commands that mutate code files in place (and heredocs/redirects
+* to source files); asks before other file-writing shell commands. Forces use
+* of the Write/Edit tool so APEX/SOLID checks are not bypassed.
+*/
+function bashWriteGuard(ctx) {
+	if (ctx.tool !== "Bash" || !ctx.command) return null;
+	const cmd = ctx.command;
+	if (CODE_MUTATORS.test(cmd) || CODE_REDIRECT.test(cmd)) return {
+		kind: "block",
+		title: "Bash write to code file",
+		reason: "Shell in-place edits / redirects to source files bypass APEX/SOLID checks.",
+		actions: ["Use the Write/Edit tool instead"]
+	};
+	if (ASK_WRITERS.test(cmd)) return {
+		kind: "ask",
+		title: "Bash file write",
+		reason: "This command writes a file from the shell; confirm it is intended.",
+		actions: ["Use the Write/Edit tool instead"]
+	};
+	return null;
+}
+//#endregion
+//#region src/policy/guards/interface-separation.ts
+/** TS/JS component files: top-level `interface`/`type Foo`. */
+const TS_DECL_RE = /^\s*(export\s+)?(interface|type)\s+[A-Z]/m;
+/** Python view models: class subclassing a schema/protocol base. */
+const PY_MODEL_RE = /^\s*class\s+\w+\((BaseModel|TypedDict|Protocol)\)/m;
+/** PHP controllers: top-level `interface` / `abstract class`. */
+const PHP_DECL_RE = /^\s*(interface|abstract class)\b/m;
+/** Swift views: top-level `protocol Foo`. */
+const SWIFT_PROTO_RE = /^\s*protocol\s+[A-Z]/m;
+/**
+* Blocks top-level interface/type/protocol declarations in component, view or
+* controller files (Interface Segregation). Fires only when BOTH the path
+* category AND the content pattern match.
+*/
+function interfaceSeparationGuard(ctx) {
+	if (ctx.tool !== "Write" && ctx.tool !== "Edit") return null;
+	const path = ctx.filePath;
+	const content = ctx.content;
+	if (!path || !content) return null;
+	const block = {
+		kind: "block",
+		title: "Separate the interface",
+		reason: "Top-level interface/type/protocol declarations belong in their own file, not in a component/view/controller.",
+		actions: ["Move the interface/type to its own file (Interface Segregation)"]
+	};
+	if (/\.(tsx|jsx|vue|svelte)$/.test(path) && TS_DECL_RE.test(content)) return block;
+	if (path.includes("views/") && /\.py$/.test(path) && PY_MODEL_RE.test(content)) return block;
+	if (path.includes("Controllers/") && /\.php$/.test(path) && PHP_DECL_RE.test(content)) return block;
+	if (path.includes("Views/") && /\.swift$/.test(path) && SWIFT_PROTO_RE.test(content)) return block;
+	return null;
+}
+//#endregion
+//#region src/policy/guards/install.ts
+/** Project-level dependency installs (npm/yarn/pnpm/bun/pip/cargo/go/gem/composer). */
+const PROJECT_INSTALL_RE = /\b(?:npm\s+(?:install|i)|(?:yarn|pnpm|bun)\s+add|pip3?\s+install|cargo\s+install|go\s+install|gem\s+install|composer\s+require)\b/;
+/** System-level package installs (brew/apt/apt-get/dnf/pacman). */
+const SYSTEM_INSTALL_RE = /\b(?:brew\s+install|apt(?:-get)?\s+install|dnf\s+install|pacman\s+-S)\b/;
+/** Asks for confirmation before a dependency or system package install. */
+function installGuard(ctx) {
+	if (ctx.tool !== "Bash" || !ctx.command) return null;
+	const cmd = ctx.command;
+	if (PROJECT_INSTALL_RE.test(cmd) || SYSTEM_INSTALL_RE.test(cmd)) return {
+		kind: "ask",
+		title: "Dependency install",
+		reason: `This command installs packages: ${cmd.trim()}`,
+		actions: ["Confirm this install is intended"]
+	};
+	return null;
+}
+//#endregion
+//#region src/policy/guards/index.ts
+/** Ordered guard chain: critical/security + protected first, then writes/installs. */
+const GUARDS = [
+	securityGuard,
+	protectedPathGuard,
+	bashWriteGuard,
+	interfaceSeparationGuard,
+	installGuard
+];
+/** Run the guard chain; the first firing guard's Prompt wins, else null. */
+function runGuards(ctx) {
+	for (const guard of GUARDS) {
+		const hit = guard(ctx);
+		if (hit) return hit;
+	}
+	return null;
+}
+//#endregion
+//#region src/policy/evaluate.ts
+/**
+* Evaluate a single tool-use against the bundled policies, returning a pure
+* decision plus a portable {@link Prompt}. Adapters translate the prompt into
+* their harness's native response (Claude `permissionDecision`, etc.).
+*/
+function evaluate(ctx) {
+	const guard = runGuards(ctx);
+	if (guard) return {
+		decision: "deny",
+		message: guard.reason,
+		prompt: guard
+	};
+	if (ctx.command && matchPatterns(ctx.command, GIT_BLOCKED)) {
+		const reason = `Destructive git command: ${ctx.command}`;
+		return {
+			decision: "deny",
+			message: reason,
+			prompt: {
+				kind: "block",
+				title: "Destructive git command",
+				reason,
+				actions: ["Use a non-destructive alternative (e.g. --force-with-lease; avoid --hard / -D)"]
+			}
+		};
+	}
+	if (ctx.filePath && isCodeFile(ctx.filePath) && ctx.content !== void 0) {
+		const verdict = evaluateFileSize(countLines(ctx.content), ctx.maxLines);
+		if (!verdict.ok) return {
+			decision: "deny",
+			message: verdict.message,
+			prompt: {
+				kind: "block",
+				title: "SOLID file-size limit",
+				reason: verdict.message ?? "",
+				actions: [`Split into modules under ${verdict.max} lines (Single Responsibility)`, "Then re-run the write"]
+			},
+			meta: {
+				framework: detectFramework(ctx.filePath, ctx.content),
+				lines: verdict.lines,
+				max: verdict.max
+			}
+		};
+	}
+	return {
+		decision: "allow",
+		message: null
+	};
+}
+//#endregion
+export { PROJECT_INSTALL as C, evaluateFileSize as D, countLines as E, detectFramework as O, GIT_BLOCKED as S, matchPatterns as T, protectedPathGuard as _, SYSTEM_INSTALL_RE as a, securityGuard as b, PY_MODEL_RE as c, interfaceSeparationGuard as d, ASK_WRITERS as f, PROTECTED_FRAGMENTS as g, bashWriteGuard as h, PROJECT_INSTALL_RE as i, SWIFT_PROTO_RE as l, CODE_REDIRECT as m, GUARDS as n, installGuard as o, CODE_MUTATORS as p, runGuards as r, PHP_DECL_RE as s, evaluate as t, TS_DECL_RE as u, ASK_PATTERNS as v, SYSTEM_INSTALL as w, GIT_ASK as x, CRITICAL_PATTERNS as y };

package/dist/{handle-Lz_thVKr.mjs → handle-BUyS6NU6.mjs}

@@ -1,4 +1,4 @@
-import { l as detectFramework, t as evaluate } from "./evaluate-CsYyUucy.mjs";
+import { O as detectFramework, t as evaluate } from "./evaluate-DkTgwHNh.mjs";
 import { r as evaluateApex } from "./apex-gGrHzvM2.mjs";
 import { t as formatPrompt } from "./types-ernB1Dy3.mjs";
 import { t as loadRefs } from "./loader-BephwI8n.mjs";

package/dist/{index-BbJucvaG.d.mts → index-uEteukGR.d.mts}

@@ -115,4 +115,73 @@ declare const APEX_GATES: ReadonlyArray<ApexGate>;
 */
 declare function evaluateApex(ctx: ApexContext, gates?: ReadonlyArray<ApexGate>): Prompt | null;
 //#endregion
-export { isApexCommand as C, detectProjectType as S, countLines as _, evaluateApex as a, DEV_KEYWORDS as b, PolicyContext as c, GIT_ASK as d, GIT_BLOCKED as f, FileSizeVerdict as g, matchPatterns as h, docConsultedGate as i, PolicyResult as l, SYSTEM_INSTALL as m, ApexContext as n, freshnessGate as o, PROJECT_INSTALL as p, ApexGate as r, solidReadGate as s, APEX_GATES as t, evaluate as u, evaluateFileSize as v, ProjectType as x, detectFramework as y };
+//#region src/policy/guards/context.d.ts
+/** Context handed to every guard in the chain. */
+interface GuardContext {
+  tool: string;
+  filePath?: string;
+  content?: string;
+  command?: string;
+}
+/** A single guard: returns a blocking/asking Prompt, or null to continue. */
+type Guard = (ctx: GuardContext) => Prompt | null;
+//#endregion
+//#region src/policy/guards/security.d.ts
+/** Critical patterns that must always be blocked. */
+declare const CRITICAL_PATTERNS: RegExp[];
+/** Patterns that warrant explicit confirmation before running. */
+declare const ASK_PATTERNS: RegExp[];
+/** Guards against dangerous Bash commands (critical → block, sensitive → ask). */
+declare function securityGuard(ctx: GuardContext): Prompt | null;
+//#endregion
+//#region src/policy/guards/protected-path.d.ts
+/** Path fragments that mark a location as internal/generated state (off-limits to Write/Edit). */
+declare const PROTECTED_FRAGMENTS: readonly string[];
+/** Blocks direct edits to internal/generated state directories. */
+declare function protectedPathGuard(ctx: GuardContext): Prompt | null;
+//#endregion
+//#region src/policy/guards/bash-write.d.ts
+/** Redirect (`>`/`>>`) targeting a code-file extension. */
+declare const CODE_REDIRECT: RegExp;
+/** Interpreters / tools that mutate source in place, plus heredoc-into-file. */
+declare const CODE_MUTATORS: RegExp;
+/** Redirect to a non-code file, or other ambiguous file writers (ASK). */
+declare const ASK_WRITERS: RegExp;
+/**
+* Blocks shell commands that mutate code files in place (and heredocs/redirects
+* to source files); asks before other file-writing shell commands. Forces use
+* of the Write/Edit tool so APEX/SOLID checks are not bypassed.
+*/
+declare function bashWriteGuard(ctx: GuardContext): Prompt | null;
+//#endregion
+//#region src/policy/guards/interface-separation.d.ts
+/** TS/JS component files: top-level `interface`/`type Foo`. */
+declare const TS_DECL_RE: RegExp;
+/** Python view models: class subclassing a schema/protocol base. */
+declare const PY_MODEL_RE: RegExp;
+/** PHP controllers: top-level `interface` / `abstract class`. */
+declare const PHP_DECL_RE: RegExp;
+/** Swift views: top-level `protocol Foo`. */
+declare const SWIFT_PROTO_RE: RegExp;
+/**
+* Blocks top-level interface/type/protocol declarations in component, view or
+* controller files (Interface Segregation). Fires only when BOTH the path
+* category AND the content pattern match.
+*/
+declare function interfaceSeparationGuard(ctx: GuardContext): Prompt | null;
+//#endregion
+//#region src/policy/guards/install.d.ts
+/** Project-level dependency installs (npm/yarn/pnpm/bun/pip/cargo/go/gem/composer). */
+declare const PROJECT_INSTALL_RE: RegExp;
+/** System-level package installs (brew/apt/apt-get/dnf/pacman). */
+declare const SYSTEM_INSTALL_RE: RegExp;
+/** Asks for confirmation before a dependency or system package install. */
+declare function installGuard(ctx: GuardContext): Prompt | null;
+//#endregion
+//#region src/policy/guards/index.d.ts
+/** Ordered guard chain: critical/security + protected first, then writes/installs. */
+declare const GUARDS: ReadonlyArray<Guard>;
+/** Run the guard chain; the first firing guard's Prompt wins, else null. */
+declare function runGuards(ctx: GuardContext): Prompt | null;
+//#endregion
+export { PolicyResult as A, detectFramework as B, ApexContext as C, freshnessGate as D, evaluateApex as E, SYSTEM_INSTALL as F, ProjectType as H, matchPatterns as I, FileSizeVerdict as L, GIT_ASK as M, GIT_BLOCKED as N, solidReadGate as O, PROJECT_INSTALL as P, countLines as R, APEX_GATES as S, docConsultedGate as T, detectProjectType as U, DEV_KEYWORDS as V, isApexCommand as W, ASK_PATTERNS as _, installGuard as a, Guard as b, SWIFT_PROTO_RE as c, ASK_WRITERS as d, CODE_MUTATORS as f, protectedPathGuard as g, PROTECTED_FRAGMENTS as h, SYSTEM_INSTALL_RE as i, evaluate as j, PolicyContext as k, TS_DECL_RE as l, bashWriteGuard as m, runGuards as n, PHP_DECL_RE as o, CODE_REDIRECT as p, PROJECT_INSTALL_RE as r, PY_MODEL_RE as s, GUARDS as t, interfaceSeparationGuard as u, CRITICAL_PATTERNS as v, ApexGate as w, GuardContext as x, securityGuard as y, evaluateFileSize as z };

package/dist/index.d.mts

@@ -5,10 +5,10 @@ import { a as detectHarness, i as HarnessVia, n as HarnessInfo, o as detectMode,
 import { a as isDocConsulted, i as formatDocSatisfactionStatus, n as DocSatisfactionStatus, o as resolveSessions, r as formatDocDeny, t as AuthEntry } from "./doc-helpers-CG1nuf-c.mjs";
 import { t as incrementTrivialEditCounter } from "./index-BOBXQ91y.mjs";
 import { i as compactJson, n as projectRoot, r as projectRootOrNull, t as isCodeFile } from "./index-C1vLIMwN.mjs";
-import { C as isApexCommand, S as detectProjectType, _ as countLines, a as evaluateApex, b as DEV_KEYWORDS, c as PolicyContext, d as GIT_ASK, f as GIT_BLOCKED, g as FileSizeVerdict, h as matchPatterns, i as docConsultedGate, l as PolicyResult, m as SYSTEM_INSTALL, n as ApexContext, o as freshnessGate, p as PROJECT_INSTALL, r as ApexGate, s as solidReadGate, t as APEX_GATES, u as evaluate, v as evaluateFileSize, x as ProjectType, y as detectFramework } from "./index-BbJucvaG.mjs";
+import { A as PolicyResult, B as detectFramework, C as ApexContext, D as freshnessGate, E as evaluateApex, F as SYSTEM_INSTALL, H as ProjectType, I as matchPatterns, L as FileSizeVerdict, M as GIT_ASK, N as GIT_BLOCKED, O as solidReadGate, P as PROJECT_INSTALL, R as countLines, S as APEX_GATES, T as docConsultedGate, U as detectProjectType, V as DEV_KEYWORDS, W as isApexCommand, _ as ASK_PATTERNS, a as installGuard, b as Guard, c as SWIFT_PROTO_RE, d as ASK_WRITERS, f as CODE_MUTATORS, g as protectedPathGuard, h as PROTECTED_FRAGMENTS, i as SYSTEM_INSTALL_RE, j as evaluate, k as PolicyContext, l as TS_DECL_RE, m as bashWriteGuard, n as runGuards, o as PHP_DECL_RE, p as CODE_REDIRECT, r as PROJECT_INSTALL_RE, s as PY_MODEL_RE, t as GUARDS, u as interfaceSeparationGuard, v as CRITICAL_PATTERNS, w as ApexGate, x as GuardContext, y as securityGuard, z as evaluateFileSize } from "./index-uEteukGR.mjs";
 import { n as RouteResult, r as ScoredRef, t as RefMeta } from "./types-CY5qT2X1.mjs";
 import { a as ReminderState, c as setStateField, i as registryFile, l as stateFileFor, n as addRoot, o as nowStamp, r as readRoots, s as readState, t as ensureMemoryGitignore, u as throttleMs } from "./index-BEM-mQMC.mjs";
 import { a as globToRe, i as scoreReferences, n as toRefMeta, o as parseFrontmatter, r as routeReferences, t as loadRefs } from "./index-hL_r6tlc.mjs";
 import { a as taskStart, c as ensureStateDir, d as stateFilePath, f as acquireLock, i as taskCreate, l as loadState, n as ApexTaskFile, o as ApexState, r as taskComplete, s as apexStateDir, t as ApexTask, u as saveState } from "./index-CPoF_hLP.mjs";
 import { _ as TIME_INTERVALS, a as formatCost, c as formatTokens, d as colors, f as progressiveColor, g as PROGRESS_CHARS, h as PROGRESS_BAR_DEFAULTS, i as formatBasename, l as ColorFn, m as GRADIENT_BLOCKS, n as generateGradientBar, o as formatPath, p as COLOR_THRESHOLDS, r as generateProgressBar, s as formatTimeLeft, t as ProgressBarOptions, u as Palette } from "./index-BWK8slRi.mjs";
-export { APEX_GATES, ApexContext, ApexGate, ApexState, ApexTask, ApexTaskFile, AuthEntry, COLOR_THRESHOLDS, ColorFn, DEFAULT_MAX_LINES, DEFAULT_TTL_SEC, DEV_KEYWORDS, DocSatisfactionStatus, FileSizeVerdict, GIT_ASK, GIT_BLOCKED, GRADIENT_BLOCKS, HarnessId, HarnessInfo, HarnessMode, HarnessVia, IndexSummary, MAX_LINES_ENV_KEY, PROGRESS_BAR_DEFAULTS, PROGRESS_CHARS, PROJECT_INSTALL, Palette, PolicyContext, PolicyResult, ProgressBarOptions, ProjectType, Prompt, PromptKind, RefMeta, ReminderState, RouteResult, SYSTEM_INSTALL, ScoredRef, TIME_INTERVALS, TTL_ENV_KEY, acquireLock, addRoot, apexStateDir, colors, compactJson, compactMarkdown, countLines, detectFramework, detectHarness, detectMode, detectProjectType, docConsultedGate, ensureMemoryGitignore, ensureStateDir, evaluate, evaluateApex, evaluateFileSize, extractText, formatBasename, formatCost, formatDocDeny, formatDocSatisfactionStatus, formatPath, formatPrompt, formatTimeLeft, formatTokens, freshnessGate, generateGradientBar, generateProgressBar, globToRe, incrementTrivialEditCounter, isApexCommand, isCodeFile, isDocConsulted, jaccardSimilar, loadIndex, loadRefs, loadState, matchPatterns, modeFor, nowStamp, parseEnvInt, parseFrontmatter, progressiveColor, projectRoot, projectRootOrNull, queryHash, readRoots, readState, registryFile, resolveMaxLines, resolveSessions, resolveTtlSec, routeReferences, saveState, scoreReferences, setStateField, solidReadGate, splitTarget, stateFileFor, stateFilePath, summarizeIndex, taskComplete, taskCreate, taskStart, throttleMs, toRefMeta, ttlLabel };
+export { APEX_GATES, ASK_PATTERNS, ASK_WRITERS, ApexContext, ApexGate, ApexState, ApexTask, ApexTaskFile, AuthEntry, CODE_MUTATORS, CODE_REDIRECT, COLOR_THRESHOLDS, CRITICAL_PATTERNS, ColorFn, DEFAULT_MAX_LINES, DEFAULT_TTL_SEC, DEV_KEYWORDS, DocSatisfactionStatus, FileSizeVerdict, GIT_ASK, GIT_BLOCKED, GRADIENT_BLOCKS, GUARDS, Guard, GuardContext, HarnessId, HarnessInfo, HarnessMode, HarnessVia, IndexSummary, MAX_LINES_ENV_KEY, PHP_DECL_RE, PROGRESS_BAR_DEFAULTS, PROGRESS_CHARS, PROJECT_INSTALL, PROJECT_INSTALL_RE, PROTECTED_FRAGMENTS, PY_MODEL_RE, Palette, PolicyContext, PolicyResult, ProgressBarOptions, ProjectType, Prompt, PromptKind, RefMeta, ReminderState, RouteResult, SWIFT_PROTO_RE, SYSTEM_INSTALL, SYSTEM_INSTALL_RE, ScoredRef, TIME_INTERVALS, TS_DECL_RE, TTL_ENV_KEY, acquireLock, addRoot, apexStateDir, bashWriteGuard, colors, compactJson, compactMarkdown, countLines, detectFramework, detectHarness, detectMode, detectProjectType, docConsultedGate, ensureMemoryGitignore, ensureStateDir, evaluate, evaluateApex, evaluateFileSize, extractText, formatBasename, formatCost, formatDocDeny, formatDocSatisfactionStatus, formatPath, formatPrompt, formatTimeLeft, formatTokens, freshnessGate, generateGradientBar, generateProgressBar, globToRe, incrementTrivialEditCounter, installGuard, interfaceSeparationGuard, isApexCommand, isCodeFile, isDocConsulted, jaccardSimilar, loadIndex, loadRefs, loadState, matchPatterns, modeFor, nowStamp, parseEnvInt, parseFrontmatter, progressiveColor, projectRoot, projectRootOrNull, protectedPathGuard, queryHash, readRoots, readState, registryFile, resolveMaxLines, resolveSessions, resolveTtlSec, routeReferences, runGuards, saveState, scoreReferences, securityGuard, setStateField, solidReadGate, splitTarget, stateFileFor, stateFilePath, summarizeIndex, taskComplete, taskCreate, taskStart, throttleMs, toRefMeta, ttlLabel };

package/dist/index.mjs

@@ -4,7 +4,7 @@ import { t as compactJson } from "./compact-json-DK2nX-MK.mjs";
 import { n as projectRoot, r as projectRootOrNull, t as isCodeFile } from "./project-root-C4ks_q1G.mjs";
 import { n as detectMode, r as modeFor, t as detectHarness } from "./harness-C8Nxxyn_.mjs";
 import { n as detectProjectType, r as isApexCommand, t as DEV_KEYWORDS } from "./policy-C_pXmeNB.mjs";
-import { a as SYSTEM_INSTALL, c as evaluateFileSize, i as PROJECT_INSTALL, l as detectFramework, n as GIT_ASK, o as matchPatterns, r as GIT_BLOCKED, s as countLines, t as evaluate } from "./evaluate-CsYyUucy.mjs";
+import { C as PROJECT_INSTALL, D as evaluateFileSize, E as countLines, O as detectFramework, S as GIT_BLOCKED, T as matchPatterns, _ as protectedPathGuard, a as SYSTEM_INSTALL_RE, b as securityGuard, c as PY_MODEL_RE, d as interfaceSeparationGuard, f as ASK_WRITERS, g as PROTECTED_FRAGMENTS, h as bashWriteGuard, i as PROJECT_INSTALL_RE, l as SWIFT_PROTO_RE, m as CODE_REDIRECT, n as GUARDS, o as installGuard, p as CODE_MUTATORS, r as runGuards, s as PHP_DECL_RE, t as evaluate, u as TS_DECL_RE, v as ASK_PATTERNS, w as SYSTEM_INSTALL, x as GIT_ASK, y as CRITICAL_PATTERNS } from "./evaluate-DkTgwHNh.mjs";
 import { i as resolveSessions, n as formatDocSatisfactionStatus, r as isDocConsulted, t as formatDocDeny } from "./doc-helpers-Dd_x1-tZ.mjs";
 import { i as parseFrontmatter, n as scoreReferences, r as globToRe, t as routeReferences } from "./router-Dj3AfgBE.mjs";
 import { a as solidReadGate, i as freshnessGate, n as docConsultedGate, r as evaluateApex, t as APEX_GATES } from "./apex-gGrHzvM2.mjs";
@@ -15,4 +15,4 @@ import { t as incrementTrivialEditCounter } from "./freshness-BK9Xg6oG.mjs";
 import { n as toRefMeta, t as loadRefs } from "./loader-BephwI8n.mjs";
 import { a as ensureStateDir, c as stateFilePath, i as apexStateDir, l as acquireLock, n as taskCreate, o as loadState, r as taskStart, s as saveState, t as taskComplete } from "./state-Bc4wdnCG.mjs";
 import { a as formatPath, c as colors, d as GRADIENT_BLOCKS, f as PROGRESS_BAR_DEFAULTS, i as formatCost, l as progressiveColor, m as TIME_INTERVALS, n as generateProgressBar, o as formatTimeLeft, p as PROGRESS_CHARS, r as formatBasename, s as formatTokens, t as generateGradientBar, u as COLOR_THRESHOLDS } from "./statusline-D87eUNXl.mjs";
-export { APEX_GATES, COLOR_THRESHOLDS, DEFAULT_MAX_LINES, DEFAULT_TTL_SEC, DEV_KEYWORDS, GIT_ASK, GIT_BLOCKED, GRADIENT_BLOCKS, MAX_LINES_ENV_KEY, PROGRESS_BAR_DEFAULTS, PROGRESS_CHARS, PROJECT_INSTALL, SYSTEM_INSTALL, TIME_INTERVALS, TTL_ENV_KEY, acquireLock, addRoot, apexStateDir, colors, compactJson, compactMarkdown, countLines, detectFramework, detectHarness, detectMode, detectProjectType, docConsultedGate, ensureMemoryGitignore, ensureStateDir, evaluate, evaluateApex, evaluateFileSize, extractText, formatBasename, formatCost, formatDocDeny, formatDocSatisfactionStatus, formatPath, formatPrompt, formatTimeLeft, formatTokens, freshnessGate, generateGradientBar, generateProgressBar, globToRe, incrementTrivialEditCounter, isApexCommand, isCodeFile, isDocConsulted, jaccardSimilar, loadIndex, loadRefs, loadState, matchPatterns, modeFor, nowStamp, parseEnvInt, parseFrontmatter, progressiveColor, projectRoot, projectRootOrNull, queryHash, readRoots, readState, registryFile, resolveMaxLines, resolveSessions, resolveTtlSec, routeReferences, saveState, scoreReferences, setStateField, solidReadGate, splitTarget, stateFileFor, stateFilePath, summarizeIndex, taskComplete, taskCreate, taskStart, throttleMs, toRefMeta, ttlLabel };
+export { APEX_GATES, ASK_PATTERNS, ASK_WRITERS, CODE_MUTATORS, CODE_REDIRECT, COLOR_THRESHOLDS, CRITICAL_PATTERNS, DEFAULT_MAX_LINES, DEFAULT_TTL_SEC, DEV_KEYWORDS, GIT_ASK, GIT_BLOCKED, GRADIENT_BLOCKS, GUARDS, MAX_LINES_ENV_KEY, PHP_DECL_RE, PROGRESS_BAR_DEFAULTS, PROGRESS_CHARS, PROJECT_INSTALL, PROJECT_INSTALL_RE, PROTECTED_FRAGMENTS, PY_MODEL_RE, SWIFT_PROTO_RE, SYSTEM_INSTALL, SYSTEM_INSTALL_RE, TIME_INTERVALS, TS_DECL_RE, TTL_ENV_KEY, acquireLock, addRoot, apexStateDir, bashWriteGuard, colors, compactJson, compactMarkdown, countLines, detectFramework, detectHarness, detectMode, detectProjectType, docConsultedGate, ensureMemoryGitignore, ensureStateDir, evaluate, evaluateApex, evaluateFileSize, extractText, formatBasename, formatCost, formatDocDeny, formatDocSatisfactionStatus, formatPath, formatPrompt, formatTimeLeft, formatTokens, freshnessGate, generateGradientBar, generateProgressBar, globToRe, incrementTrivialEditCounter, installGuard, interfaceSeparationGuard, isApexCommand, isCodeFile, isDocConsulted, jaccardSimilar, loadIndex, loadRefs, loadState, matchPatterns, modeFor, nowStamp, parseEnvInt, parseFrontmatter, progressiveColor, projectRoot, projectRootOrNull, protectedPathGuard, queryHash, readRoots, readState, registryFile, resolveMaxLines, resolveSessions, resolveTtlSec, routeReferences, runGuards, saveState, scoreReferences, securityGuard, setStateField, solidReadGate, splitTarget, stateFileFor, stateFilePath, summarizeIndex, taskComplete, taskCreate, taskStart, throttleMs, toRefMeta, ttlLabel };

package/dist/policy/index.d.mts

@@ -1,2 +1,2 @@
-import { C as isApexCommand, S as detectProjectType, _ as countLines, a as evaluateApex, b as DEV_KEYWORDS, c as PolicyContext, d as GIT_ASK, f as GIT_BLOCKED, g as FileSizeVerdict, h as matchPatterns, i as docConsultedGate, l as PolicyResult, m as SYSTEM_INSTALL, n as ApexContext, o as freshnessGate, p as PROJECT_INSTALL, r as ApexGate, s as solidReadGate, t as APEX_GATES, u as evaluate, v as evaluateFileSize, x as ProjectType, y as detectFramework } from "../index-BbJucvaG.mjs";
-export { APEX_GATES, ApexContext, ApexGate, DEV_KEYWORDS, FileSizeVerdict, GIT_ASK, GIT_BLOCKED, PROJECT_INSTALL, PolicyContext, PolicyResult, ProjectType, SYSTEM_INSTALL, countLines, detectFramework, detectProjectType, docConsultedGate, evaluate, evaluateApex, evaluateFileSize, freshnessGate, isApexCommand, matchPatterns, solidReadGate };
+import { A as PolicyResult, B as detectFramework, C as ApexContext, D as freshnessGate, E as evaluateApex, F as SYSTEM_INSTALL, H as ProjectType, I as matchPatterns, L as FileSizeVerdict, M as GIT_ASK, N as GIT_BLOCKED, O as solidReadGate, P as PROJECT_INSTALL, R as countLines, S as APEX_GATES, T as docConsultedGate, U as detectProjectType, V as DEV_KEYWORDS, W as isApexCommand, _ as ASK_PATTERNS, a as installGuard, b as Guard, c as SWIFT_PROTO_RE, d as ASK_WRITERS, f as CODE_MUTATORS, g as protectedPathGuard, h as PROTECTED_FRAGMENTS, i as SYSTEM_INSTALL_RE, j as evaluate, k as PolicyContext, l as TS_DECL_RE, m as bashWriteGuard, n as runGuards, o as PHP_DECL_RE, p as CODE_REDIRECT, r as PROJECT_INSTALL_RE, s as PY_MODEL_RE, t as GUARDS, u as interfaceSeparationGuard, v as CRITICAL_PATTERNS, w as ApexGate, x as GuardContext, y as securityGuard, z as evaluateFileSize } from "../index-uEteukGR.mjs";
+export { APEX_GATES, ASK_PATTERNS, ASK_WRITERS, ApexContext, ApexGate, CODE_MUTATORS, CODE_REDIRECT, CRITICAL_PATTERNS, DEV_KEYWORDS, FileSizeVerdict, GIT_ASK, GIT_BLOCKED, GUARDS, Guard, GuardContext, PHP_DECL_RE, PROJECT_INSTALL, PROJECT_INSTALL_RE, PROTECTED_FRAGMENTS, PY_MODEL_RE, PolicyContext, PolicyResult, ProjectType, SWIFT_PROTO_RE, SYSTEM_INSTALL, SYSTEM_INSTALL_RE, TS_DECL_RE, bashWriteGuard, countLines, detectFramework, detectProjectType, docConsultedGate, evaluate, evaluateApex, evaluateFileSize, freshnessGate, installGuard, interfaceSeparationGuard, isApexCommand, matchPatterns, protectedPathGuard, runGuards, securityGuard, solidReadGate };

package/dist/policy/index.mjs

@@ -1,4 +1,4 @@
 import { n as detectProjectType, r as isApexCommand, t as DEV_KEYWORDS } from "../policy-C_pXmeNB.mjs";
-import { a as SYSTEM_INSTALL, c as evaluateFileSize, i as PROJECT_INSTALL, l as detectFramework, n as GIT_ASK, o as matchPatterns, r as GIT_BLOCKED, s as countLines, t as evaluate } from "../evaluate-CsYyUucy.mjs";
+import { C as PROJECT_INSTALL, D as evaluateFileSize, E as countLines, O as detectFramework, S as GIT_BLOCKED, T as matchPatterns, _ as protectedPathGuard, a as SYSTEM_INSTALL_RE, b as securityGuard, c as PY_MODEL_RE, d as interfaceSeparationGuard, f as ASK_WRITERS, g as PROTECTED_FRAGMENTS, h as bashWriteGuard, i as PROJECT_INSTALL_RE, l as SWIFT_PROTO_RE, m as CODE_REDIRECT, n as GUARDS, o as installGuard, p as CODE_MUTATORS, r as runGuards, s as PHP_DECL_RE, t as evaluate, u as TS_DECL_RE, v as ASK_PATTERNS, w as SYSTEM_INSTALL, x as GIT_ASK, y as CRITICAL_PATTERNS } from "../evaluate-DkTgwHNh.mjs";
 import { a as solidReadGate, i as freshnessGate, n as docConsultedGate, r as evaluateApex, t as APEX_GATES } from "../apex-gGrHzvM2.mjs";
-export { APEX_GATES, DEV_KEYWORDS, GIT_ASK, GIT_BLOCKED, PROJECT_INSTALL, SYSTEM_INSTALL, countLines, detectFramework, detectProjectType, docConsultedGate, evaluate, evaluateApex, evaluateFileSize, freshnessGate, isApexCommand, matchPatterns, solidReadGate };
+export { APEX_GATES, ASK_PATTERNS, ASK_WRITERS, CODE_MUTATORS, CODE_REDIRECT, CRITICAL_PATTERNS, DEV_KEYWORDS, GIT_ASK, GIT_BLOCKED, GUARDS, PHP_DECL_RE, PROJECT_INSTALL, PROJECT_INSTALL_RE, PROTECTED_FRAGMENTS, PY_MODEL_RE, SWIFT_PROTO_RE, SYSTEM_INSTALL, SYSTEM_INSTALL_RE, TS_DECL_RE, bashWriteGuard, countLines, detectFramework, detectProjectType, docConsultedGate, evaluate, evaluateApex, evaluateFileSize, freshnessGate, installGuard, interfaceSeparationGuard, isApexCommand, matchPatterns, protectedPathGuard, runGuards, securityGuard, solidReadGate };

package/dist/{run-h_2LNEA8.mjs → run-D2na7Z2Z.mjs}

@@ -1,5 +1,5 @@
 import { t as isCodeFile } from "./project-root-C4ks_q1G.mjs";
-import { t as evaluate } from "./evaluate-CsYyUucy.mjs";
+import { t as evaluate } from "./evaluate-DkTgwHNh.mjs";
 import { t as formatPrompt } from "./types-ernB1Dy3.mjs";
 import { execSync } from "node:child_process";
 //#region src/cli/run.ts

package/dist/runtime/index.mjs

@@ -1,2 +1,2 @@
-import { a as trackFile, c as REQUIRED_AGENTS, i as recordActivity, l as gate, n as harnessTrackDir, o as normalizeEvent, r as respond, s as DEFAULT_WINDOW_MS, t as handleHook, u as activityFor } from "../handle-Lz_thVKr.mjs";
+import { a as trackFile, c as REQUIRED_AGENTS, i as recordActivity, l as gate, n as harnessTrackDir, o as normalizeEvent, r as respond, s as DEFAULT_WINDOW_MS, t as handleHook, u as activityFor } from "../handle-BUyS6NU6.mjs";
 export { DEFAULT_WINDOW_MS, REQUIRED_AGENTS, activityFor, gate, handleHook, harnessTrackDir, normalizeEvent, recordActivity, respond, trackFile };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fusengine/harness",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Harness-agnostic toolkit for AI coding agents: runtime harness detection (Claude Code, Codex, Cursor, Cline, Gemini, Aider...), pure policy core (env config, project/framework detection, SOLID/file-size limits, APEX freshness, guard patterns, portable prompts), cache, project memory, ref routing, state/locks, statusline, per-harness adapters (Claude/Cursor/Cline/Gemini) and a cli-mode harness-check binary. Bun-native, with a built dist for Node + bundlers.",
   "type": "module",
   "module": "src/index.ts",

package/dist/evaluate-CsYyUucy.mjs

@@ -1,152 +0,0 @@
-import { i as splitTarget, r as resolveMaxLines } from "./limits-CHn8AIL1.mjs";
-import { t as isCodeFile } from "./project-root-C4ks_q1G.mjs";
-//#region src/policy/detect-framework.ts
-/**
-* Detect the framework from a file path extension + content patterns.
-* Aligned with the fusengine require-solid-read detection (distinct from
-* {@link detectProjectType}, which scans config files on disk).
-*/
-function detectFramework(filePath, content) {
-	if (/\.(tsx?|jsx?|vue|svelte)$/.test(filePath) || /from ['"]react|useState|className=/.test(content)) {
-		if (/(page|layout|loading|error|route)\.(ts|tsx)$/.test(filePath) || /use client|use server/.test(content)) return "nextjs";
-		return "react";
-	}
-	if (/\.swift$/.test(filePath)) return "swift";
-	if (/\.php$/.test(filePath)) return "laravel";
-	if (/\.java$/.test(filePath)) return "java";
-	if (/\.go$/.test(filePath)) return "go";
-	if (/\.rb$/.test(filePath)) return "ruby";
-	if (/\.rs$/.test(filePath)) return "rust";
-	if (/\.css$/.test(filePath) || /@tailwind|@apply/.test(content)) return "tailwind";
-	return "generic";
-}
-//#endregion
-//#region src/policy/file-size.ts
-/** Count lines in file content (empty string = 0). */
-function countLines(content) {
-	return content === "" ? 0 : content.split("\n").length;
-}
-/**
-* Evaluate a file's line count against the SOLID limit.
-* @param lines - the file's line count
-* @param max - the limit (defaults to `resolveMaxLines()`)
-*/
-function evaluateFileSize(lines, max = resolveMaxLines()) {
-	if (lines <= max) return {
-		ok: true,
-		lines,
-		max,
-		message: null
-	};
-	return {
-		ok: false,
-		lines,
-		max,
-		message: `File has ${lines} lines (max: ${max}). Split into modules under ${splitTarget(max)} lines (Single Responsibility).`
-	};
-}
-//#endregion
-//#region src/policy/patterns.ts
-/**
-* Guard pattern data, ported verbatim from the fusengine git/install guards.
-* Note (faithful): `git push.*--force` also matches `--force-with-lease` —
-* preserved from the source guard.
-*/
-/** Destructive git operations to block outright. */
-const GIT_BLOCKED = [
-	/git push.*--force/,
-	/git push.*-f/,
-	/git reset.*--hard/,
-	/git clean.*-fd/,
-	/git branch.*-D/,
-	/git rebase.*--force/
-];
-/** Git operations that warrant a confirmation prompt. */
-const GIT_ASK = [
-	/git push/,
-	/git checkout/,
-	/git reset/,
-	/git rebase/,
-	/git merge/,
-	/git stash/,
-	/git clean/,
-	/git rm/,
-	/git mv/,
-	/git restore/,
-	/git revert/,
-	/git cherry-pick/
-];
-/** System-level package installs (need confirmation). */
-const SYSTEM_INSTALL = [
-	/brew install/,
-	/brew upgrade/,
-	/brew cask/,
-	/apt install/,
-	/apt-get install/
-];
-/** Project-level package installs. */
-const PROJECT_INSTALL = [
-	/npm install/,
-	/npm i /,
-	/yarn add/,
-	/pnpm add/,
-	/pip install/,
-	/pip3 install/,
-	/composer require/,
-	/bun add/,
-	/bun install/,
-	/cargo install/,
-	/go install/,
-	/gem install/,
-	/pipx install/
-];
-/** True when `cmd` matches any pattern in `patterns`. */
-function matchPatterns(cmd, patterns) {
-	return patterns.some((re) => re.test(cmd));
-}
-//#endregion
-//#region src/policy/evaluate.ts
-/**
-* Evaluate a single tool-use against the bundled policies, returning a pure
-* decision plus a portable {@link Prompt}. Adapters translate the prompt into
-* their harness's native response (Claude `permissionDecision`, etc.).
-*/
-function evaluate(ctx) {
-	if (ctx.command && matchPatterns(ctx.command, GIT_BLOCKED)) {
-		const reason = `Destructive git command: ${ctx.command}`;
-		return {
-			decision: "deny",
-			message: reason,
-			prompt: {
-				kind: "block",
-				title: "Destructive git command",
-				reason,
-				actions: ["Use a non-destructive alternative (e.g. --force-with-lease; avoid --hard / -D)"]
-			}
-		};
-	}
-	if (ctx.filePath && isCodeFile(ctx.filePath) && ctx.content !== void 0) {
-		const verdict = evaluateFileSize(countLines(ctx.content), ctx.maxLines);
-		if (!verdict.ok) return {
-			decision: "deny",
-			message: verdict.message,
-			prompt: {
-				kind: "block",
-				title: "SOLID file-size limit",
-				reason: verdict.message ?? "",
-				actions: [`Split into modules under ${verdict.max} lines (Single Responsibility)`, "Then re-run the write"]
-			},
-			meta: {
-				framework: detectFramework(ctx.filePath, ctx.content),
-				lines: verdict.lines,
-				max: verdict.max
-			}
-		};
-	}
-	return {
-		decision: "allow",
-		message: null
-	};
-}
-//#endregion
-export { SYSTEM_INSTALL as a, evaluateFileSize as c, PROJECT_INSTALL as i, detectFramework as l, GIT_ASK as n, matchPatterns as o, GIT_BLOCKED as r, countLines as s, evaluate as t };