@google/gemini-cli-core 0.15.0-preview.3 → 0.16.0-nightly.20251113.ad1f0d99

package/dist/src/safety/checker-runner.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { FunctionCall } from '@google/genai';
+import type { SafetyCheckerConfig } from '../policy/types.js';
+import type { SafetyCheckResult } from './protocol.js';
+import type { CheckerRegistry } from './registry.js';
+import type { ContextBuilder } from './context-builder.js';
+/**
+ * Configuration for the checker runner.
+ */
+export interface CheckerRunnerConfig {
+    /**
+     * Maximum time (in milliseconds) to wait for a checker to complete.
+     * Default: 5000 (5 seconds)
+     */
+    timeout?: number;
+    /**
+     * Path to the directory containing external checkers.
+     */
+    checkersPath: string;
+}
+/**
+ * Service for executing safety checker processes.
+ */
+export declare class CheckerRunner {
+    private static readonly DEFAULT_TIMEOUT;
+    private readonly registry;
+    private readonly contextBuilder;
+    private readonly timeout;
+    constructor(contextBuilder: ContextBuilder, registry: CheckerRegistry, config: CheckerRunnerConfig);
+    /**
+     * Runs a safety checker and returns the result.
+     */
+    runChecker(toolCall: FunctionCall, checkerConfig: SafetyCheckerConfig): Promise<SafetyCheckResult>;
+    private runInProcessChecker;
+    private runExternalChecker;
+    /**
+     * Executes an external checker process and handles its lifecycle.
+     */
+    private executeCheckerProcess;
+    /**
+     * Executes a promise with a timeout.
+     */
+    private executeWithTimeout;
+}

package/dist/src/safety/checker-runner.js

@@ -0,0 +1,208 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { spawn } from 'node:child_process';
+import { SafetyCheckDecision } from './protocol.js';
+/**
+ * Service for executing safety checker processes.
+ */
+export class CheckerRunner {
+    static DEFAULT_TIMEOUT = 5000; // 5 seconds
+    registry;
+    contextBuilder;
+    timeout;
+    constructor(contextBuilder, registry, config) {
+        this.contextBuilder = contextBuilder;
+        this.registry = registry;
+        this.timeout = config.timeout ?? CheckerRunner.DEFAULT_TIMEOUT;
+    }
+    /**
+     * Runs a safety checker and returns the result.
+     */
+    async runChecker(toolCall, checkerConfig) {
+        if (checkerConfig.type === 'in-process') {
+            return this.runInProcessChecker(toolCall, checkerConfig);
+        }
+        return this.runExternalChecker(toolCall, checkerConfig);
+    }
+    async runInProcessChecker(toolCall, checkerConfig) {
+        try {
+            const checker = this.registry.resolveInProcess(checkerConfig.name);
+            const context = checkerConfig.required_context
+                ? this.contextBuilder.buildMinimalContext(checkerConfig.required_context)
+                : this.contextBuilder.buildFullContext();
+            const input = {
+                protocolVersion: '1.0.0',
+                toolCall,
+                context,
+                config: checkerConfig.config,
+            };
+            // In-process checkers can be async, but we'll also apply a timeout
+            // for safety, in case of infinite loops or unexpected delays.
+            return await this.executeWithTimeout(checker.check(input));
+        }
+        catch (error) {
+            return {
+                decision: SafetyCheckDecision.DENY,
+                reason: `Failed to run in-process checker "${checkerConfig.name}": ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+    }
+    async runExternalChecker(toolCall, checkerConfig) {
+        try {
+            // Resolve the checker executable path
+            const checkerPath = this.registry.resolveExternal(checkerConfig.name);
+            // Build the appropriate context
+            const context = checkerConfig.required_context
+                ? this.contextBuilder.buildMinimalContext(checkerConfig.required_context)
+                : this.contextBuilder.buildFullContext();
+            // Create the input payload
+            const input = {
+                protocolVersion: '1.0.0',
+                toolCall,
+                context,
+                config: checkerConfig.config,
+            };
+            // Run the checker process
+            return await this.executeCheckerProcess(checkerPath, input, checkerConfig.name);
+        }
+        catch (error) {
+            // If anything goes wrong, deny the operation
+            return {
+                decision: SafetyCheckDecision.DENY,
+                reason: `Failed to run safety checker "${checkerConfig.name}": ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+    }
+    /**
+     * Executes an external checker process and handles its lifecycle.
+     */
+    executeCheckerProcess(checkerPath, input, checkerName) {
+        return new Promise((resolve) => {
+            const child = spawn(checkerPath, [], {
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            let stdout = '';
+            let stderr = '';
+            let timeoutHandle = null;
+            let killed = false;
+            let exited = false;
+            // Set up timeout
+            timeoutHandle = setTimeout(() => {
+                killed = true;
+                child.kill('SIGTERM');
+                resolve({
+                    decision: SafetyCheckDecision.DENY,
+                    reason: `Safety checker "${checkerName}" timed out after ${this.timeout}ms`,
+                });
+                // Fallback: if process doesn't exit after 5s, force kill
+                setTimeout(() => {
+                    if (!exited) {
+                        child.kill('SIGKILL');
+                    }
+                }, 5000).unref();
+            }, this.timeout);
+            // Collect output
+            if (child.stdout) {
+                child.stdout.on('data', (data) => {
+                    stdout += data.toString();
+                });
+            }
+            if (child.stderr) {
+                child.stderr.on('data', (data) => {
+                    stderr += data.toString();
+                });
+            }
+            // Handle process completion
+            child.on('close', (code) => {
+                exited = true;
+                if (timeoutHandle) {
+                    clearTimeout(timeoutHandle);
+                }
+                // If we already killed it due to timeout, don't process the result
+                if (killed) {
+                    return;
+                }
+                // Non-zero exit code is a failure
+                if (code !== 0) {
+                    resolve({
+                        decision: SafetyCheckDecision.DENY,
+                        reason: `Safety checker "${checkerName}" exited with code ${code}${stderr ? `: ${stderr}` : ''}`,
+                    });
+                    return;
+                }
+                // Try to parse the output
+                try {
+                    const result = JSON.parse(stdout);
+                    // Validate the result structure
+                    if (!result.decision ||
+                        !Object.values(SafetyCheckDecision).includes(result.decision)) {
+                        throw new Error('Invalid result: missing or invalid "decision" field');
+                    }
+                    resolve(result);
+                }
+                catch (parseError) {
+                    resolve({
+                        decision: SafetyCheckDecision.DENY,
+                        reason: `Failed to parse output from safety checker "${checkerName}": ${parseError instanceof Error
+                            ? parseError.message
+                            : String(parseError)}`,
+                    });
+                }
+            });
+            // Handle process errors
+            child.on('error', (error) => {
+                if (timeoutHandle) {
+                    clearTimeout(timeoutHandle);
+                }
+                if (!killed) {
+                    resolve({
+                        decision: SafetyCheckDecision.DENY,
+                        reason: `Failed to spawn safety checker "${checkerName}": ${error.message}`,
+                    });
+                }
+            });
+            // Send input to the checker
+            try {
+                if (child.stdin) {
+                    child.stdin.write(JSON.stringify(input));
+                    child.stdin.end();
+                }
+                else {
+                    throw new Error('Failed to open stdin for checker process');
+                }
+            }
+            catch (writeError) {
+                if (timeoutHandle) {
+                    clearTimeout(timeoutHandle);
+                }
+                child.kill();
+                resolve({
+                    decision: SafetyCheckDecision.DENY,
+                    reason: `Failed to write to stdin of safety checker "${checkerName}": ${writeError instanceof Error
+                        ? writeError.message
+                        : String(writeError)}`,
+                });
+            }
+        });
+    }
+    /**
+     * Executes a promise with a timeout.
+     */
+    executeWithTimeout(promise) {
+        return new Promise((resolve, reject) => {
+            const timeoutHandle = setTimeout(() => {
+                reject(new Error(`Checker timed out after ${this.timeout}ms`));
+            }, this.timeout);
+            promise
+                .then(resolve)
+                .catch(reject)
+                .finally(() => {
+                clearTimeout(timeoutHandle);
+            });
+        });
+    }
+}
+//# sourceMappingURL=checker-runner.js.map

package/dist/src/safety/checker-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checker-runner.js","sourceRoot":"","sources":["../../../src/safety/checker-runner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAQ3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAoBpD;;GAEG;AACH,MAAM,OAAO,aAAa;IAChB,MAAM,CAAU,eAAe,GAAG,IAAI,CAAC,CAAC,YAAY;IAE3C,QAAQ,CAAkB;IAC1B,cAAc,CAAiB;IAC/B,OAAO,CAAS;IAEjC,YACE,cAA8B,EAC9B,QAAyB,EACzB,MAA2B;QAE3B,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,aAAa,CAAC,eAAe,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,QAAsB,EACtB,aAAkC;QAElC,IAAI,aAAa,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAC/B,QAAsB,EACtB,aAAqC;QAErC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,OAAO,GAAG,aAAa,CAAC,gBAAgB;gBAC5C,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,mBAAmB,CACrC,aAAa,CAAC,gBAAgB,CAC/B;gBACH,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE,CAAC;YAE3C,MAAM,KAAK,GAAqB;gBAC9B,eAAe,EAAE,OAAO;gBACxB,QAAQ;gBACR,OAAO;gBACP,MAAM,EAAE,aAAa,CAAC,MAAM;aAC7B,CAAC;YAEF,mEAAmE;YACnE,8DAA8D;YAC9D,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,QAAQ,EAAE,mBAAmB,CAAC,IAAI;gBAClC,MAAM,EAAE,qCAAqC,aAAa,CAAC,IAAI,MAC7D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE;aACH,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAC9B,QAAsB,EACtB,aAAoC;QAEpC,IAAI,CAAC;YACH,sCAAsC;YACtC,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YAEtE,gCAAgC;YAChC,MAAM,OAAO,GAAG,aAAa,CAAC,gBAAgB;gBAC5C,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,mBAAmB,CACrC,aAAa,CAAC,gBAAgB,CAC/B;gBACH,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE,CAAC;YAE3C,2BAA2B;YAC3B,MAAM,KAAK,GAAqB;gBAC9B,eAAe,EAAE,OAAO;gBACxB,QAAQ;gBACR,OAAO;gBACP,MAAM,EAAE,aAAa,CAAC,MAAM;aAC7B,CAAC;YAEF,0BAA0B;YAC1B,OAAO,MAAM,IAAI,CAAC,qBAAqB,CACrC,WAAW,EACX,KAAK,EACL,aAAa,CAAC,IAAI,CACnB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,6CAA6C;YAC7C,OAAO;gBACL,QAAQ,EAAE,mBAAmB,CAAC,IAAI;gBAClC,MAAM,EAAE,iCAAiC,aAAa,CAAC,IAAI,MACzD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE;aACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,qBAAqB,CAC3B,WAAmB,EACnB,KAAuB,EACvB,WAAmB;QAEnB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,EAAE,EAAE;gBACnC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,aAAa,GAA0B,IAAI,CAAC;YAChD,IAAI,MAAM,GAAG,KAAK,CAAC;YAEnB,IAAI,MAAM,GAAG,KAAK,CAAC;YAEnB,iBAAiB;YACjB,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC9B,MAAM,GAAG,IAAI,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACtB,OAAO,CAAC;oBACN,QAAQ,EAAE,mBAAmB,CAAC,IAAI;oBAClC,MAAM,EAAE,mBAAmB,WAAW,qBAAqB,IAAI,CAAC,OAAO,IAAI;iBAC5E,CAAC,CAAC;gBAEH,yDAAyD;gBACzD,UAAU,CAAC,GAAG,EAAE;oBACd,IAAI,CAAC,MAAM,EAAE,CAAC;wBACZ,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;oBACxB,CAAC;gBACH,CAAC,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACnB,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAEjB,iBAAiB;YACjB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;oBACvC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC5B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;oBACvC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC5B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,4BAA4B;YAC5B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAmB,EAAE,EAAE;gBACxC,MAAM,GAAG,IAAI,CAAC;gBACd,IAAI,aAAa,EAAE,CAAC;oBAClB,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC9B,CAAC;gBAED,mEAAmE;gBACnE,IAAI,MAAM,EAAE,CAAC;oBACX,OAAO;gBACT,CAAC;gBAED,kCAAkC;gBAClC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,OAAO,CAAC;wBACN,QAAQ,EAAE,mBAAmB,CAAC,IAAI;wBAClC,MAAM,EAAE,mBAAmB,WAAW,sBAAsB,IAAI,GAC9D,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC,CAAC,EAC3B,EAAE;qBACH,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,0BAA0B;gBAC1B,IAAI,CAAC;oBACH,MAAM,MAAM,GAAsB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBAErD,gCAAgC;oBAChC,IACE,CAAC,MAAM,CAAC,QAAQ;wBAChB,CAAC,MAAM,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAC7D,CAAC;wBACD,MAAM,IAAI,KAAK,CACb,qDAAqD,CACtD,CAAC;oBACJ,CAAC;oBAED,OAAO,CAAC,MAAM,CAAC,CAAC;gBAClB,CAAC;gBAAC,OAAO,UAAU,EAAE,CAAC;oBACpB,OAAO,CAAC;wBACN,QAAQ,EAAE,mBAAmB,CAAC,IAAI;wBAClC,MAAM,EAAE,+CAA+C,WAAW,MAChE,UAAU,YAAY,KAAK;4BACzB,CAAC,CAAC,UAAU,CAAC,OAAO;4BACpB,CAAC,CAAC,MAAM,CAAC,UAAU,CACvB,EAAE;qBACH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,wBAAwB;YACxB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAY,EAAE,EAAE;gBACjC,IAAI,aAAa,EAAE,CAAC;oBAClB,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC9B,CAAC;gBAED,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,CAAC;wBACN,QAAQ,EAAE,mBAAmB,CAAC,IAAI;wBAClC,MAAM,EAAE,mCAAmC,WAAW,MAAM,KAAK,CAAC,OAAO,EAAE;qBAC5E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;oBAChB,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;oBACzC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;gBACpB,CAAC;qBAAM,CAAC;oBACN,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAAC,OAAO,UAAU,EAAE,CAAC;gBACpB,IAAI,aAAa,EAAE,CAAC;oBAClB,YAAY,CAAC,aAAa,CAAC,CAAC;gBAC9B,CAAC;gBAED,KAAK,CAAC,IAAI,EAAE,CAAC;gBACb,OAAO,CAAC;oBACN,QAAQ,EAAE,mBAAmB,CAAC,IAAI;oBAClC,MAAM,EAAE,+CAA+C,WAAW,MAChE,UAAU,YAAY,KAAK;wBACzB,CAAC,CAAC,UAAU,CAAC,OAAO;wBACpB,CAAC,CAAC,MAAM,CAAC,UAAU,CACvB,EAAE;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAI,OAAmB;QAC/C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;gBACpC,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;YACjE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAEjB,OAAO;iBACJ,IAAI,CAAC,OAAO,CAAC;iBACb,KAAK,CAAC,MAAM,CAAC;iBACb,OAAO,CAAC,GAAG,EAAE;gBACZ,YAAY,CAAC,aAAa,CAAC,CAAC;YAC9B,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;IACL,CAAC"}

package/dist/src/safety/checker-runner.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/safety/checker-runner.test.js

@@ -0,0 +1,238 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { spawn } from 'node:child_process';
+import { CheckerRunner } from './checker-runner.js';
+import { ContextBuilder } from './context-builder.js';
+import { CheckerRegistry } from './registry.js';
+import { InProcessCheckerType, } from '../policy/types.js';
+import { SafetyCheckDecision } from './protocol.js';
+// Mock dependencies
+vi.mock('./registry.js');
+vi.mock('./context-builder.js');
+vi.mock('node:child_process');
+describe('CheckerRunner', () => {
+    let runner;
+    let mockContextBuilder;
+    let mockRegistry;
+    const mockToolCall = { name: 'test_tool', args: {} };
+    const mockInProcessConfig = {
+        type: 'in-process',
+        name: InProcessCheckerType.ALLOWED_PATH,
+    };
+    beforeEach(() => {
+        mockContextBuilder = new ContextBuilder({});
+        mockRegistry = new CheckerRegistry('/mock/dist');
+        CheckerRegistry.prototype.resolveInProcess = vi.fn();
+        runner = new CheckerRunner(mockContextBuilder, mockRegistry, {
+            checkersPath: '/mock/dist',
+        });
+    });
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    it('should run in-process checker successfully', async () => {
+        const mockResult = {
+            decision: SafetyCheckDecision.ALLOW,
+        };
+        const mockChecker = {
+            check: vi.fn().mockResolvedValue(mockResult),
+        };
+        vi.mocked(mockRegistry.resolveInProcess).mockReturnValue(mockChecker);
+        vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+            environment: { cwd: '/tmp', workspaces: [] },
+        });
+        const result = await runner.runChecker(mockToolCall, mockInProcessConfig);
+        expect(result).toEqual(mockResult);
+        expect(mockRegistry.resolveInProcess).toHaveBeenCalledWith(InProcessCheckerType.ALLOWED_PATH);
+        expect(mockChecker.check).toHaveBeenCalled();
+    });
+    it('should handle in-process checker errors', async () => {
+        const mockChecker = {
+            check: vi.fn().mockRejectedValue(new Error('Checker failed')),
+        };
+        vi.mocked(mockRegistry.resolveInProcess).mockReturnValue(mockChecker);
+        vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+            environment: { cwd: '/tmp', workspaces: [] },
+        });
+        const result = await runner.runChecker(mockToolCall, mockInProcessConfig);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain('Failed to run in-process checker');
+        expect(result.reason).toContain('Checker failed');
+    });
+    it('should respect timeout for in-process checkers', async () => {
+        vi.useFakeTimers();
+        const mockChecker = {
+            check: vi.fn().mockImplementation(async () => {
+                await new Promise((resolve) => setTimeout(resolve, 6000)); // Longer than default 5s timeout
+                return { decision: SafetyCheckDecision.ALLOW };
+            }),
+        };
+        vi.mocked(mockRegistry.resolveInProcess).mockReturnValue(mockChecker);
+        vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+            environment: { cwd: '/tmp', workspaces: [] },
+        });
+        const runPromise = runner.runChecker(mockToolCall, mockInProcessConfig);
+        vi.advanceTimersByTime(5001);
+        const result = await runPromise;
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain('timed out');
+        vi.useRealTimers();
+    });
+    it('should use minimal context when requested', async () => {
+        const configWithContext = {
+            ...mockInProcessConfig,
+            required_context: ['environment'],
+        };
+        const mockChecker = {
+            check: vi.fn().mockResolvedValue({ decision: SafetyCheckDecision.ALLOW }),
+        };
+        vi.mocked(mockRegistry.resolveInProcess).mockReturnValue(mockChecker);
+        vi.mocked(mockContextBuilder.buildMinimalContext).mockReturnValue({
+            environment: { cwd: '/tmp', workspaces: [] },
+        });
+        await runner.runChecker(mockToolCall, configWithContext);
+        expect(mockContextBuilder.buildMinimalContext).toHaveBeenCalledWith([
+            'environment',
+        ]);
+        expect(mockContextBuilder.buildFullContext).not.toHaveBeenCalled();
+    });
+    it('should pass config to in-process checker via toolCall', async () => {
+        const mockConfig = { included_args: ['foo'] };
+        const configWithConfig = {
+            ...mockInProcessConfig,
+            config: mockConfig,
+        };
+        const mockResult = {
+            decision: SafetyCheckDecision.ALLOW,
+        };
+        const mockChecker = {
+            check: vi.fn().mockResolvedValue(mockResult),
+        };
+        vi.mocked(mockRegistry.resolveInProcess).mockReturnValue(mockChecker);
+        vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+            environment: { cwd: '/tmp', workspaces: [] },
+        });
+        await runner.runChecker(mockToolCall, configWithConfig);
+        expect(mockChecker.check).toHaveBeenCalledWith(expect.objectContaining({
+            toolCall: mockToolCall,
+            config: mockConfig,
+        }));
+    });
+    describe('External Checkers', () => {
+        const mockExternalConfig = {
+            type: 'external',
+            name: 'python-checker',
+        };
+        it('should spawn external checker directly', async () => {
+            const mockCheckerPath = '/mock/dist/python-checker';
+            vi.mocked(mockRegistry.resolveExternal).mockReturnValue(mockCheckerPath);
+            vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+                environment: { cwd: '/tmp', workspaces: [] },
+            });
+            const mockStdout = {
+                on: vi.fn().mockImplementation((event, callback) => {
+                    if (event === 'data') {
+                        callback(Buffer.from(JSON.stringify({ decision: SafetyCheckDecision.ALLOW })));
+                    }
+                }),
+            };
+            const mockChildProcess = {
+                stdin: { write: vi.fn(), end: vi.fn() },
+                stdout: mockStdout,
+                stderr: { on: vi.fn() },
+                on: vi.fn().mockImplementation((event, callback) => {
+                    if (event === 'close') {
+                        // Defer the close callback slightly to allow stdout 'data' to be registered
+                        setTimeout(() => callback(0), 0);
+                    }
+                }),
+                kill: vi.fn(),
+            };
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            vi.mocked(spawn).mockReturnValue(mockChildProcess);
+            const result = await runner.runChecker(mockToolCall, mockExternalConfig);
+            expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+            expect(spawn).toHaveBeenCalledWith(mockCheckerPath, [], expect.anything());
+        });
+        it('should include checker name in timeout error message', async () => {
+            vi.useFakeTimers();
+            const mockCheckerPath = '/mock/dist/python-checker';
+            vi.mocked(mockRegistry.resolveExternal).mockReturnValue(mockCheckerPath);
+            vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+                environment: { cwd: '/tmp', workspaces: [] },
+            });
+            const mockChildProcess = {
+                stdin: { write: vi.fn(), end: vi.fn() },
+                stdout: { on: vi.fn() },
+                stderr: { on: vi.fn() },
+                on: vi.fn(), // Never calls 'close'
+                kill: vi.fn(),
+            };
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            vi.mocked(spawn).mockReturnValue(mockChildProcess);
+            const runPromise = runner.runChecker(mockToolCall, mockExternalConfig);
+            vi.advanceTimersByTime(5001);
+            const result = await runPromise;
+            expect(result.decision).toBe(SafetyCheckDecision.DENY);
+            expect(result.reason).toContain('Safety checker "python-checker" timed out');
+            vi.useRealTimers();
+        });
+        it('should send SIGKILL if process ignores SIGTERM', async () => {
+            vi.useFakeTimers();
+            const mockCheckerPath = '/mock/dist/python-checker';
+            vi.mocked(mockRegistry.resolveExternal).mockReturnValue(mockCheckerPath);
+            vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+                environment: { cwd: '/tmp', workspaces: [] },
+            });
+            const mockChildProcess = {
+                stdin: { write: vi.fn(), end: vi.fn() },
+                stdout: { on: vi.fn() },
+                stderr: { on: vi.fn() },
+                on: vi.fn(), // Never calls 'close' automatically
+                kill: vi.fn(),
+            };
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            vi.mocked(spawn).mockReturnValue(mockChildProcess);
+            const runPromise = runner.runChecker(mockToolCall, mockExternalConfig);
+            // Trigger main timeout
+            vi.advanceTimersByTime(5001);
+            // Should have sent SIGTERM
+            expect(mockChildProcess.kill).toHaveBeenCalledWith('SIGTERM');
+            // Advance past cleanup timeout (5000ms)
+            vi.advanceTimersByTime(5000);
+            // Should have sent SIGKILL
+            expect(mockChildProcess.kill).toHaveBeenCalledWith('SIGKILL');
+            // Clean up promise
+            await runPromise;
+            vi.useRealTimers();
+        });
+        it('should include checker name in non-zero exit code error message', async () => {
+            const mockCheckerPath = '/mock/dist/python-checker';
+            vi.mocked(mockRegistry.resolveExternal).mockReturnValue(mockCheckerPath);
+            vi.mocked(mockContextBuilder.buildFullContext).mockReturnValue({
+                environment: { cwd: '/tmp', workspaces: [] },
+            });
+            const mockChildProcess = {
+                stdin: { write: vi.fn(), end: vi.fn() },
+                stdout: { on: vi.fn() },
+                stderr: { on: vi.fn() },
+                on: vi.fn().mockImplementation((event, callback) => {
+                    if (event === 'close') {
+                        callback(1); // Exit code 1
+                    }
+                }),
+                kill: vi.fn(),
+            };
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            vi.mocked(spawn).mockReturnValue(mockChildProcess);
+            const result = await runner.runChecker(mockToolCall, mockExternalConfig);
+            expect(result.decision).toBe(SafetyCheckDecision.DENY);
+            expect(result.reason).toContain('Safety checker "python-checker" exited with code 1');
+        });
+    });
+});
+//# sourceMappingURL=checker-runner.test.js.map

package/dist/src/safety/checker-runner.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checker-runner.test.js","sourceRoot":"","sources":["../../../src/safety/checker-runner.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAEL,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAGpD,oBAAoB;AACpB,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AACzB,EAAE,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;AAChC,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;AAE9B,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,IAAI,MAAqB,CAAC;IAC1B,IAAI,kBAAkC,CAAC;IACvC,IAAI,YAA6B,CAAC;IAElC,MAAM,YAAY,GAAG,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,MAAM,mBAAmB,GAA2B;QAClD,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,oBAAoB,CAAC,YAAY;KACxC,CAAC;IAEF,UAAU,CAAC,GAAG,EAAE;QACd,kBAAkB,GAAG,IAAI,cAAc,CAAC,EAAY,CAAC,CAAC;QACtD,YAAY,GAAG,IAAI,eAAe,CAAC,YAAY,CAAC,CAAC;QACjD,eAAe,CAAC,SAAS,CAAC,gBAAgB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAErD,MAAM,GAAG,IAAI,aAAa,CAAC,kBAAkB,EAAE,YAAY,EAAE;YAC3D,YAAY,EAAE,YAAY;SAC3B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,UAAU,GAAsB;YACpC,QAAQ,EAAE,mBAAmB,CAAC,KAAK;SACpC,CAAC;QACF,MAAM,WAAW,GAAG;YAClB,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC;SAC7C,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACtE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;YAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;SAC7C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QAE1E,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,oBAAoB,CACxD,oBAAoB,CAAC,YAAY,CAClC,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,WAAW,GAAG;YAClB,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;SAC9D,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACtE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;YAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;SAC7C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QAE1E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;QACpE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG;YAClB,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,IAAI,EAAE;gBAC3C,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,iCAAiC;gBAC5F,OAAO,EAAE,QAAQ,EAAE,mBAAmB,CAAC,KAAK,EAAE,CAAC;YACjD,CAAC,CAAC;SACH,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACtE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;YAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;SAC7C,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QACxE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAE7C,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,iBAAiB,GAA2B;YAChD,GAAG,mBAAmB;YACtB,gBAAgB,EAAE,CAAC,aAAa,CAAC;SAClC,CAAC;QACF,MAAM,WAAW,GAAG;YAClB,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,KAAK,EAAE,CAAC;SAC1E,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACtE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,CAAC,eAAe,CAAC;YAChE,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;SAC7C,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,iBAAiB,CAAC,CAAC;QAEzD,MAAM,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,CAAC,oBAAoB,CAAC;YAClE,aAAa;SACd,CAAC,CAAC;QACH,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,UAAU,GAAG,EAAE,aAAa,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9C,MAAM,gBAAgB,GAA2B;YAC/C,GAAG,mBAAmB;YACtB,MAAM,EAAE,UAAU;SACnB,CAAC;QACF,MAAM,UAAU,GAAsB;YACpC,QAAQ,EAAE,mBAAmB,CAAC,KAAK;SACpC,CAAC;QACF,MAAM,WAAW,GAAG;YAClB,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC;SAC7C,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACtE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;YAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;SAC7C,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QAExD,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,oBAAoB,CAC5C,MAAM,CAAC,gBAAgB,CAAC;YACtB,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,UAAU;SACnB,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,MAAM,kBAAkB,GAAG;YACzB,IAAI,EAAE,UAAmB;YACzB,IAAI,EAAE,gBAAgB;SACvB,CAAC;QAEF,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,eAAe,GAAG,2BAA2B,CAAC;YACpD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;YACzE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;gBAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;aAC7C,CAAC,CAAC;YAEH,MAAM,UAAU,GAAG;gBACjB,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE;oBACjD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;wBACrB,QAAQ,CACN,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,KAAK,EAAE,CAAC,CACxD,CACF,CAAC;oBACJ,CAAC;gBACH,CAAC,CAAC;aACH,CAAC;YACF,MAAM,gBAAgB,GAAG;gBACvB,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvC,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE;oBACjD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;wBACtB,4EAA4E;wBAC5E,UAAU,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;oBACnC,CAAC;gBACH,CAAC,CAAC;gBACF,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;aACd,CAAC;YACF,8DAA8D;YAC9D,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,eAAe,CAAC,gBAAuB,CAAC,CAAC;YAE1D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;YAEzE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACxD,MAAM,CAAC,KAAK,CAAC,CAAC,oBAAoB,CAChC,eAAe,EACf,EAAE,EACF,MAAM,CAAC,QAAQ,EAAE,CAClB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,EAAE,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,eAAe,GAAG,2BAA2B,CAAC;YACpD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;YACzE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;gBAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;aAC7C,CAAC,CAAC;YAEH,MAAM,gBAAgB,GAAG;gBACvB,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvC,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,sBAAsB;gBACnC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;aACd,CAAC;YACF,8DAA8D;YAC9D,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,eAAe,CAAC,gBAAuB,CAAC,CAAC;YAE1D,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;YACvE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAE7B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;YAChC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAC7B,2CAA2C,CAC5C,CAAC;YAEF,EAAE,CAAC,aAAa,EAAE,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,EAAE,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,eAAe,GAAG,2BAA2B,CAAC;YACpD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;YACzE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;gBAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;aAC7C,CAAC,CAAC;YAEH,MAAM,gBAAgB,GAAG;gBACvB,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvC,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,oCAAoC;gBACjD,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;aACd,CAAC;YACF,8DAA8D;YAC9D,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,eAAe,CAAC,gBAAuB,CAAC,CAAC;YAE1D,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;YAEvE,uBAAuB;YACvB,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;YAE9D,wCAAwC;YACxC,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAE7B,2BAA2B;YAC3B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;YAE9D,mBAAmB;YACnB,MAAM,UAAU,CAAC;YACjB,EAAE,CAAC,aAAa,EAAE,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;YAC/E,MAAM,eAAe,GAAG,2BAA2B,CAAC;YACpD,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;YACzE,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC,eAAe,CAAC;gBAC7D,WAAW,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE;aAC7C,CAAC,CAAC;YAEH,MAAM,gBAAgB,GAAG;gBACvB,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvC,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE;gBACvB,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE;oBACjD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;wBACtB,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc;oBAC7B,CAAC;gBACH,CAAC,CAAC;gBACF,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;aACd,CAAC;YACF,8DAA8D;YAC9D,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,eAAe,CAAC,gBAAuB,CAAC,CAAC;YAE1D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;YAEzE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAC7B,oDAAoD,CACrD,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/safety/context-builder.d.ts

@@ -0,0 +1,23 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { SafetyCheckInput, ConversationTurn } from './protocol.js';
+import type { Config } from '../config/config.js';
+/**
+ * Builds context objects for safety checkers, ensuring sensitive data is filtered.
+ */
+export declare class ContextBuilder {
+    private readonly config;
+    private readonly conversationHistory;
+    constructor(config: Config, conversationHistory?: ConversationTurn[]);
+    /**
+     * Builds the full context object with all available data.
+     */
+    buildFullContext(): SafetyCheckInput['context'];
+    /**
+     * Builds a minimal context with only the specified keys.
+     */
+    buildMinimalContext(requiredKeys: Array<keyof SafetyCheckInput['context']>): SafetyCheckInput['context'];
+}

package/dist/src/safety/context-builder.js

@@ -0,0 +1,47 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Builds context objects for safety checkers, ensuring sensitive data is filtered.
+ */
+export class ContextBuilder {
+    config;
+    conversationHistory;
+    constructor(config, conversationHistory = []) {
+        this.config = config;
+        this.conversationHistory = conversationHistory;
+    }
+    /**
+     * Builds the full context object with all available data.
+     */
+    buildFullContext() {
+        return {
+            environment: {
+                cwd: process.cwd(),
+                workspaces: this.config
+                    .getWorkspaceContext()
+                    .getDirectories(),
+            },
+            history: {
+                turns: this.conversationHistory,
+            },
+        };
+    }
+    /**
+     * Builds a minimal context with only the specified keys.
+     */
+    buildMinimalContext(requiredKeys) {
+        const fullContext = this.buildFullContext();
+        const minimalContext = {};
+        for (const key of requiredKeys) {
+            if (key in fullContext) {
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                minimalContext[key] = fullContext[key];
+            }
+        }
+        return minimalContext;
+    }
+}
+//# sourceMappingURL=context-builder.js.map

package/dist/src/safety/context-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-builder.js","sourceRoot":"","sources":["../../../src/safety/context-builder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH;;GAEG;AACH,MAAM,OAAO,cAAc;IAEN;IACA;IAFnB,YACmB,MAAc,EACd,sBAA0C,EAAE;QAD5C,WAAM,GAAN,MAAM,CAAQ;QACd,wBAAmB,GAAnB,mBAAmB,CAAyB;IAC5D,CAAC;IAEJ;;OAEG;IACH,gBAAgB;QACd,OAAO;YACL,WAAW,EAAE;gBACX,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;gBAClB,UAAU,EAAE,IAAI,CAAC,MAAM;qBACpB,mBAAmB,EAAE;qBACrB,cAAc,EAAc;aAChC;YACD,OAAO,EAAE;gBACP,KAAK,EAAE,IAAI,CAAC,mBAAmB;aAChC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,mBAAmB,CACjB,YAAsD;QAEtD,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC5C,MAAM,cAAc,GAAyC,EAAE,CAAC;QAEhE,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;gBACvB,8DAA8D;gBAC7D,cAAsB,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QAED,OAAO,cAA6C,CAAC;IACvD,CAAC;CACF"}

package/dist/src/safety/context-builder.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/safety/context-builder.test.js

@@ -0,0 +1,49 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { ContextBuilder } from './context-builder.js';
+describe('ContextBuilder', () => {
+    let contextBuilder;
+    let mockConfig;
+    const mockHistory = [
+        { user: { text: 'hello' }, model: { text: 'hi' } },
+    ];
+    const mockCwd = '/home/user/project';
+    const mockWorkspaces = ['/home/user/project'];
+    beforeEach(() => {
+        vi.spyOn(process, 'cwd').mockReturnValue(mockCwd);
+        mockConfig = {
+            getWorkspaceContext: vi.fn().mockReturnValue({
+                getDirectories: vi.fn().mockReturnValue(mockWorkspaces),
+            }),
+            apiKey: 'secret-api-key',
+            somePublicConfig: 'public-value',
+            nested: {
+                secretToken: 'hidden',
+                public: 'visible',
+            },
+        };
+        contextBuilder = new ContextBuilder(mockConfig, mockHistory);
+    });
+    it('should build full context with all fields', () => {
+        const context = contextBuilder.buildFullContext();
+        expect(context.environment.cwd).toBe(mockCwd);
+        expect(context.environment.workspaces).toEqual(mockWorkspaces);
+        expect(context.history?.turns).toEqual(mockHistory);
+    });
+    it('should build minimal context with only required keys', () => {
+        const context = contextBuilder.buildMinimalContext(['environment']);
+        expect(context).toHaveProperty('environment');
+        expect(context).not.toHaveProperty('config');
+        expect(context).not.toHaveProperty('history');
+    });
+    it('should handle missing history', () => {
+        contextBuilder = new ContextBuilder(mockConfig);
+        const context = contextBuilder.buildFullContext();
+        expect(context.history?.turns).toEqual([]);
+    });
+});
+//# sourceMappingURL=context-builder.test.js.map