@groundnuty/macf 0.2.8 → 0.2.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/.build-info.json +2 -2
- package/dist/cli/claude-sh.d.ts.map +1 -1
- package/dist/cli/claude-sh.js +105 -3
- package/dist/cli/claude-sh.js.map +1 -1
- package/dist/cli/commands/doctor.d.ts +86 -0
- package/dist/cli/commands/doctor.d.ts.map +1 -1
- package/dist/cli/commands/doctor.js +140 -1
- package/dist/cli/commands/doctor.js.map +1 -1
- package/dist/cli/settings-writer.d.ts +34 -0
- package/dist/cli/settings-writer.d.ts.map +1 -1
- package/dist/cli/settings-writer.js +63 -0
- package/dist/cli/settings-writer.js.map +1 -1
- package/package.json +2 -2
- package/plugin/rules/coordination.md +31 -1
- package/plugin/rules/mention-routing-hygiene.md +33 -5
- package/scripts/check-mention-routing.sh +112 -9
package/dist/.build-info.json
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"claude-sh.d.ts","sourceRoot":"","sources":["../../src/cli/claude-sh.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"claude-sh.d.ts","sourceRoot":"","sources":["../../src/cli/claude-sh.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AA8GnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,eAAe,EACvB,GAAG,GAAE,MAAM,CAAC,UAAwB,GACnC,MAAM,EAAE,CA+DV;AA4BD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CA+GhE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,MAAM,CAUnF"}
|
package/dist/cli/claude-sh.js
CHANGED
|
@@ -41,6 +41,81 @@ function registryEnvLines(cfg) {
|
|
|
41
41
|
];
|
|
42
42
|
}
|
|
43
43
|
}
|
|
44
|
+
/**
|
|
45
|
+
* Emit the `macf_settings_get` shell function (macf#313).
|
|
46
|
+
*
|
|
47
|
+
* Reads `.env.<name>` from `<workspace>/.claude/settings.local.json`
|
|
48
|
+
* via `jq`. Returns empty string if the file/key is missing or `jq`
|
|
49
|
+
* isn't installed. Used by the settings-driven identity overrides
|
|
50
|
+
* (see `generateClaudeSh`'s identity block) and the OTel endpoint
|
|
51
|
+
* settings layer.
|
|
52
|
+
*
|
|
53
|
+
* Defined before any caller in the generated script. Idempotent —
|
|
54
|
+
* calling it with no settings.local.json present is safe (just returns
|
|
55
|
+
* empty).
|
|
56
|
+
*/
|
|
57
|
+
function settingsGetHelperLines() {
|
|
58
|
+
return [
|
|
59
|
+
'',
|
|
60
|
+
'# Settings-driven identity helper (macf#313). Reads `.env.<NAME>` from',
|
|
61
|
+
'# .claude/settings.local.json via jq; returns empty string if file/key',
|
|
62
|
+
'# missing or jq absent. Used by the identity-override block below + the',
|
|
63
|
+
'# OTel endpoint settings layer to prefer operator-edited settings.local.json',
|
|
64
|
+
'# over baked defaults, without forcing operators to edit this launcher.',
|
|
65
|
+
'macf_settings_get() {',
|
|
66
|
+
' local var_name="$1"',
|
|
67
|
+
' if [ -f "$SCRIPT_DIR/.claude/settings.local.json" ] && command -v jq >/dev/null 2>&1; then',
|
|
68
|
+
' jq -r ".env.${var_name} // empty" "$SCRIPT_DIR/.claude/settings.local.json" 2>/dev/null',
|
|
69
|
+
' fi',
|
|
70
|
+
'}',
|
|
71
|
+
];
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* Emit the tmux self-wrap block (macf#313).
|
|
75
|
+
*
|
|
76
|
+
* If `$TMUX` is unset (operator launched outside tmux) AND
|
|
77
|
+
* `MACF_NO_TMUX_WRAP` isn't `1`, the script `exec`s itself inside a
|
|
78
|
+
* tmux session named `<MACF_PROJECT>@<MACF_AGENT_NAME>`. Re-attach if
|
|
79
|
+
* the session already exists; otherwise create a new session and exec
|
|
80
|
+
* into it. Eliminates operator-discipline dependency for canonical
|
|
81
|
+
* session naming (coordination.md §Canonical tmux launch pattern).
|
|
82
|
+
*
|
|
83
|
+
* Path-2 promotion of the canonical-session-name rule: pre-#313, the
|
|
84
|
+
* rule existed as text-only doc that operators had to manually wrap
|
|
85
|
+
* `tmux new-session -d -s "<project>@<agent>" "./claude.sh"`. Post-#313,
|
|
86
|
+
* bare `./claude.sh` produces the same canonical session structurally.
|
|
87
|
+
*
|
|
88
|
+
* Order requirement: `MACF_PROJECT` and `MACF_AGENT_NAME` must be
|
|
89
|
+
* exported before this block (so `$SESSION_NAME` resolves correctly).
|
|
90
|
+
* `generateClaudeSh` orders accordingly.
|
|
91
|
+
*
|
|
92
|
+
* Opt-out: `MACF_NO_TMUX_WRAP=1 ./claude.sh` for operator-driven manual
|
|
93
|
+
* launches outside tmux (e.g., debug sessions, single-shot CLI use, CI).
|
|
94
|
+
* Sister convention to `MACF_OTEL_DISABLED=1`, `MACF_SKIP_TOKEN_CHECK=1`.
|
|
95
|
+
*/
|
|
96
|
+
function tmuxSelfWrapLines() {
|
|
97
|
+
return [
|
|
98
|
+
'',
|
|
99
|
+
'# Tmux self-wrap (macf#313 Path-2 promotion of coordination.md',
|
|
100
|
+
'# §Canonical tmux launch pattern). If launched outside tmux and the',
|
|
101
|
+
'# operator hasn\'t opted out, re-exec inside a tmux session named',
|
|
102
|
+
'# <MACF_PROJECT>@<MACF_AGENT_NAME>. Attach if the session exists;',
|
|
103
|
+
'# otherwise create a new one. The second invocation (inside tmux)',
|
|
104
|
+
'# has $TMUX set and skips the wrap.',
|
|
105
|
+
'#',
|
|
106
|
+
'# Opt-out: MACF_NO_TMUX_WRAP=1 ./claude.sh',
|
|
107
|
+
'# For operator-driven manual launches outside tmux, debug sessions,',
|
|
108
|
+
'# single-shot CLI use, CI environments.',
|
|
109
|
+
'if [ -z "${TMUX:-}" ] && [ "${MACF_NO_TMUX_WRAP:-}" != "1" ]; then',
|
|
110
|
+
' SESSION_NAME="${MACF_PROJECT}@${MACF_AGENT_NAME}"',
|
|
111
|
+
' if tmux has-session -t "$SESSION_NAME" 2>/dev/null; then',
|
|
112
|
+
' exec tmux attach -t "$SESSION_NAME"',
|
|
113
|
+
' else',
|
|
114
|
+
' exec tmux new-session -s "$SESSION_NAME" -c "$SCRIPT_DIR" "$0" "$@"',
|
|
115
|
+
' fi',
|
|
116
|
+
'fi',
|
|
117
|
+
];
|
|
118
|
+
}
|
|
44
119
|
/**
|
|
45
120
|
* Emit the Claude Code native OTEL telemetry env block into the
|
|
46
121
|
* generated `claude.sh`. Three mandatory gates per Claude Code docs
|
|
@@ -126,7 +201,20 @@ export function otelTelemetryLines(config, env = process.env) {
|
|
|
126
201
|
'export OTEL_TRACES_EXPORTER=otlp',
|
|
127
202
|
'export OTEL_METRICS_EXPORTER=otlp',
|
|
128
203
|
'export OTEL_LOGS_EXPORTER=otlp',
|
|
129
|
-
|
|
204
|
+
// 4-layer endpoint resolution chain (macf#313):
|
|
205
|
+
// 1. OTEL_EXPORTER_OTLP_ENDPOINT (runtime env, canonical OTel name) — wins
|
|
206
|
+
// 2. MACF_OTEL_ENDPOINT (runtime env)
|
|
207
|
+
// 3. settings.local.json `.env.MACF_OTEL_ENDPOINT` (operator-edited)
|
|
208
|
+
// 4. Baked default from macf init/update (template-time MACF_OTEL_ENDPOINT)
|
|
209
|
+
// The MACF_OTEL_ENDPOINT runtime+settings layer was added in #313 to
|
|
210
|
+
// close the gap between the existing template-time MACF_OTEL_ENDPOINT
|
|
211
|
+
// (bakes into this script at macf init/update) and the canonical
|
|
212
|
+
// runtime override (OTEL_EXPORTER_OTLP_ENDPOINT). Operators who want
|
|
213
|
+
// per-launch endpoint changes without re-running macf update now have
|
|
214
|
+
// settings.local.json `.env.MACF_OTEL_ENDPOINT` as the ergonomic path.
|
|
215
|
+
`MACF_OTEL_ENDPOINT="\${MACF_OTEL_ENDPOINT:-$(macf_settings_get MACF_OTEL_ENDPOINT)}"`,
|
|
216
|
+
`MACF_OTEL_ENDPOINT="\${MACF_OTEL_ENDPOINT:-${endpoint}}"`,
|
|
217
|
+
'export OTEL_EXPORTER_OTLP_ENDPOINT="${OTEL_EXPORTER_OTLP_ENDPOINT:-$MACF_OTEL_ENDPOINT}"',
|
|
130
218
|
'export OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf',
|
|
131
219
|
`export OTEL_SERVICE_NAME="macf-agent-${config.agent_name}"`,
|
|
132
220
|
`export OTEL_RESOURCE_ATTRIBUTES="gen_ai.agent.name=${config.agent_name},gen_ai.agent.role=${config.agent_role},service.namespace=macf"`,
|
|
@@ -179,10 +267,24 @@ export function generateClaudeSh(config) {
|
|
|
179
267
|
// cross-repo work — attribution trap fires. See #140 + the
|
|
180
268
|
// cross-repo cwd trap note in coordination.md Token & Git Hygiene.
|
|
181
269
|
'export MACF_WORKSPACE_DIR="$SCRIPT_DIR"',
|
|
182
|
-
`export MACF_AGENT_NAME="${config.agent_name}"`,
|
|
183
270
|
`export MACF_PROJECT="${config.project}"`,
|
|
184
271
|
`export MACF_AGENT_TYPE="${config.agent_type}"`,
|
|
185
|
-
|
|
272
|
+
...settingsGetHelperLines(),
|
|
273
|
+
'',
|
|
274
|
+
'# Settings-driven identity overrides (macf#313). Three-layer priority:',
|
|
275
|
+
'# 1. Already-set env var (operator: `MACF_AGENT_NAME=foo ./claude.sh`)',
|
|
276
|
+
'# 2. .claude/settings.local.json `env` block (operator: edit JSON;',
|
|
277
|
+
'# no script edit needed; persists across `macf update`)',
|
|
278
|
+
'# 3. Baked default from macf init/update (this template)',
|
|
279
|
+
'# Identity changes become JSON edits rather than script edits.',
|
|
280
|
+
`MACF_AGENT_NAME="\${MACF_AGENT_NAME:-$(macf_settings_get MACF_AGENT_NAME)}"`,
|
|
281
|
+
`MACF_AGENT_NAME="\${MACF_AGENT_NAME:-${config.agent_name}}"`,
|
|
282
|
+
'export MACF_AGENT_NAME',
|
|
283
|
+
`MACF_AGENT_ROLE="\${MACF_AGENT_ROLE:-$(macf_settings_get MACF_AGENT_ROLE)}"`,
|
|
284
|
+
`MACF_AGENT_ROLE="\${MACF_AGENT_ROLE:-${config.agent_role}}"`,
|
|
285
|
+
'export MACF_AGENT_ROLE',
|
|
286
|
+
...tmuxSelfWrapLines(),
|
|
287
|
+
'',
|
|
186
288
|
`export APP_ID="${config.github_app.app_id}"`,
|
|
187
289
|
`export INSTALL_ID="${config.github_app.install_id}"`,
|
|
188
290
|
`export KEY_PATH="${config.github_app.key_path}"`,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"claude-sh.js","sourceRoot":"","sources":["../../src/cli/claude-sh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAG1C;;;;;;;;;;GAUG;AACH,SAAS,gBAAgB,CAAC,GAAoB;IAC5C,QAAQ,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC1B,KAAK,MAAM;YACT,OAAO;gBACL,kCAAkC;gBAClC,8BAA8B,GAAG,CAAC,QAAQ,CAAC,KAAK,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG;aACzE,CAAC;QACJ,KAAK,KAAK;YACR,OAAO;gBACL,iCAAiC;gBACjC,6BAA6B,GAAG,CAAC,QAAQ,CAAC,GAAG,GAAG;aACjD,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,qCAAqC;gBACrC,8BAA8B,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG;aACnD,CAAC;IACN,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAuB,EACvB,MAAyB,OAAO,CAAC,GAAG;IAEpC,IAAI,GAAG,CAAC,oBAAoB,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9E,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,oBAAoB,CAAC,IAAI,wBAAwB,CAAC;IAEvE,+DAA+D;IAC/D,kEAAkE;IAClE,6DAA6D;IAC7D,oDAAoD;IACpD,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,wDAAwD;YACtD,QAAQ,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI;YACpC,6CAA6C,CAChD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE;QACF,iFAAiF;QACjF,yEAAyE;QACzE,gFAAgF;QAChF,+EAA+E;QAC/E,mFAAmF;QACnF,uEAAuE;QACvE,wEAAwE;QACxE,qEAAqE;QACrE,wEAAwE;QACxE,yEAAyE;QACzE,sEAAsE;QACtE,yEAAyE;QACzE,kEAAkE;QAClE,2DAA2D;QAC3D,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,+DAA+D;QAC/D,8DAA8D;QAC9D,uCAAuC;QACvC,8CAA8C;QAC9C,kCAAkC;QAClC,mCAAmC;QACnC,gCAAgC;QAChC,uEAAuE,QAAQ,IAAI;
|
|
1
|
+
{"version":3,"file":"claude-sh.js","sourceRoot":"","sources":["../../src/cli/claude-sh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAG1C;;;;;;;;;;GAUG;AACH,SAAS,gBAAgB,CAAC,GAAoB;IAC5C,QAAQ,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC1B,KAAK,MAAM;YACT,OAAO;gBACL,kCAAkC;gBAClC,8BAA8B,GAAG,CAAC,QAAQ,CAAC,KAAK,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG;aACzE,CAAC;QACJ,KAAK,KAAK;YACR,OAAO;gBACL,iCAAiC;gBACjC,6BAA6B,GAAG,CAAC,QAAQ,CAAC,GAAG,GAAG;aACjD,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,qCAAqC;gBACrC,8BAA8B,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG;aACnD,CAAC;IACN,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,sBAAsB;IAC7B,OAAO;QACL,EAAE;QACF,wEAAwE;QACxE,wEAAwE;QACxE,yEAAyE;QACzE,8EAA8E;QAC9E,yEAAyE;QACzE,uBAAuB;QACvB,uBAAuB;QACvB,8FAA8F;QAC9F,6FAA6F;QAC7F,MAAM;QACN,GAAG;KACJ,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAS,iBAAiB;IACxB,OAAO;QACL,EAAE;QACF,gEAAgE;QAChE,qEAAqE;QACrE,mEAAmE;QACnE,mEAAmE;QACnE,mEAAmE;QACnE,qCAAqC;QACrC,GAAG;QACH,4CAA4C;QAC5C,uEAAuE;QACvE,2CAA2C;QAC3C,oEAAoE;QACpE,qDAAqD;QACrD,4DAA4D;QAC5D,yCAAyC;QACzC,QAAQ;QACR,yEAAyE;QACzE,MAAM;QACN,IAAI;KACL,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAuB,EACvB,MAAyB,OAAO,CAAC,GAAG;IAEpC,IAAI,GAAG,CAAC,oBAAoB,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9E,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,oBAAoB,CAAC,IAAI,wBAAwB,CAAC;IAEvE,+DAA+D;IAC/D,kEAAkE;IAClE,6DAA6D;IAC7D,oDAAoD;IACpD,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,wDAAwD;YACtD,QAAQ,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI;YACpC,6CAA6C,CAChD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE;QACF,iFAAiF;QACjF,yEAAyE;QACzE,gFAAgF;QAChF,+EAA+E;QAC/E,mFAAmF;QACnF,uEAAuE;QACvE,wEAAwE;QACxE,qEAAqE;QACrE,wEAAwE;QACxE,yEAAyE;QACzE,sEAAsE;QACtE,yEAAyE;QACzE,kEAAkE;QAClE,2DAA2D;QAC3D,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,+DAA+D;QAC/D,8DAA8D;QAC9D,uCAAuC;QACvC,8CAA8C;QAC9C,kCAAkC;QAClC,mCAAmC;QACnC,gCAAgC;QAChC,gDAAgD;QAChD,6EAA6E;QAC7E,wCAAwC;QACxC,uEAAuE;QACvE,8EAA8E;QAC9E,qEAAqE;QACrE,sEAAsE;QACtE,iEAAiE;QACjE,qEAAqE;QACrE,sEAAsE;QACtE,uEAAuE;QACvE,sFAAsF;QACtF,8CAA8C,QAAQ,IAAI;QAC1D,0FAA0F;QAC1F,kDAAkD;QAClD,wCAAwC,MAAM,CAAC,UAAU,GAAG;QAC5D,sDAAsD,MAAM,CAAC,UAAU,sBAAsB,MAAM,CAAC,UAAU,0BAA0B;KACzI,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,WAAW,CAAC,GAAoB;IACvC,QAAQ,GAAG,CAAC,UAAU,EAAE,CAAC;QACvB,KAAK,WAAW;YACd,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,oBAAoB,GAAG;IAC3B,oEAAoE;IACpE,gEAAgE;IAChE,sEAAsE;IACtE,kEAAkE;CACnE,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAuB;IACtD,OAAO;QACL,qBAAqB;QACrB,mBAAmB;QACnB,EAAE;QACF,0BAA0B,MAAM,CAAC,UAAU,EAAE;QAC7C,GAAG,oBAAoB;QACvB,EAAE;QACF,4DAA4D;QAC5D,kBAAkB;QAClB,EAAE;QACF,uDAAuD;QACvD,6DAA6D;QAC7D,6DAA6D;QAC7D,4DAA4D;QAC5D,2DAA2D;QAC3D,mEAAmE;QACnE,yCAAyC;QACzC,wBAAwB,MAAM,CAAC,OAAO,GAAG;QACzC,2BAA2B,MAAM,CAAC,UAAU,GAAG;QAC/C,GAAG,sBAAsB,EAAE;QAC3B,EAAE;QACF,wEAAwE;QACxE,0EAA0E;QAC1E,sEAAsE;QACtE,8DAA8D;QAC9D,4DAA4D;QAC5D,gEAAgE;QAChE,6EAA6E;QAC7E,wCAAwC,MAAM,CAAC,UAAU,IAAI;QAC7D,wBAAwB;QACxB,6EAA6E;QAC7E,wCAAwC,MAAM,CAAC,UAAU,IAAI;QAC7D,wBAAwB;QACxB,GAAG,iBAAiB,EAAE;QACtB,EAAE;QACF,kBAAkB,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG;QAC7C,sBAAsB,MAAM,CAAC,UAAU,CAAC,UAAU,GAAG;QACrD,oBAAoB,MAAM,CAAC,UAAU,CAAC,QAAQ,GAAG;QACjD,kEAAkE;QAClE,gEAAgE;QAChE,kEAAkE;QAClE,gEAAgE;QAChE,+DAA+D;QAC/D,kDAAkD;QAClD,qBAAqB;QACrB,8BAA8B;QAC9B,0CAA0C;QAC1C,MAAM;QACN,iBAAiB;QACjB,0CAA0C,MAAM,CAAC,OAAO,eAAe;QACvE,yCAAyC,MAAM,CAAC,OAAO,cAAc;QACrE,iEAAiE;QACjE,+DAA+D;QAC/D,2DAA2D;QAC3D,0CAA0C;QAC1C,oEAAoE;QACpE,qEAAqE;QACrE,6DAA6D;QAC7D,4DAA4D;QAC5D,4BAA4B;QAC5B,+BAA+B,MAAM,CAAC,cAAc,IAAI,WAAW,GAAG;QACtE,uDAAuD;QACvD,4DAA4D;QAC5D,4DAA4D;QAC5D,4DAA4D;QAC5D,+DAA+D;QAC/D,GAAG,CAAC,MAAM,CAAC,YAAY,KAAK,SAAS;YACnC,CAAC,CAAC,CAAC,6BAA6B,MAAM,CAAC,YAAY,GAAG,CAAC;YACvD,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS;YAClC,CAAC,CAAC,CAAC,4BAA4B,MAAM,CAAC,WAAW,GAAG,CAAC;YACrD,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,gBAAgB,CAAC,MAAM,CAAC;QAC3B,GAAG,kBAAkB,CAAC,MAAM,CAAC;QAC7B,EAAE;QACF,0EAA0E;QAC1E,0EAA0E;QAC1E,4EAA4E;QAC5E,2EAA2E;QAC3E,2EAA2E;QAC3E,oEAAoE;QACpE,8DAA8D;QAC9D,2EAA2E;QAC3E,qEAAqE;QACrE,UAAU;QACV,GAAG;QACH,iBAAiB;QACjB,EAAE;QACF,2BAA2B,MAAM,CAAC,UAAU,QAAQ;QACpD,8BAA8B,MAAM,CAAC,UAAU,QAAQ;QACvD,EAAE;QACF,kBAAkB,MAAM,CAAC,UAAU,KAAK,MAAM,CAAC,UAAU,OAAO;QAChE,sEAAsE;QACtE,oEAAoE;QACpE,kEAAkE;QAClE,oEAAoE;QACpE,uDAAuD;QACvD,EAAE;QACF,kEAAkE;QAClE,oEAAoE;QACpE,iEAAiE;QACjE,4DAA4D;QAC5D,uBAAuB;QACvB,kCAAkC;QAClC,iBAAiB,CAAC,cAAc,EAAE,4BAA4B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO;QAChF,MAAM;QACN,iBAAiB,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,4BAA4B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO;QACxG,IAAI;QACJ,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,YAAoB,EAAE,MAAuB;IACzE,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACvC,aAAa,CAAC,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/D,uEAAuE;IACvE,qEAAqE;IACrE,kEAAkE;IAClE,oDAAoD;IACpD,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvB,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -64,6 +64,92 @@ export interface SandboxFdCheck {
|
|
|
64
64
|
* still needs to see what broke.
|
|
65
65
|
*/
|
|
66
66
|
export declare function checkSandboxFdAllowRead(workspaceDir: string): SandboxFdCheck;
|
|
67
|
+
/**
|
|
68
|
+
* Tools whose absence from `permissions.allow` blocks autonomous
|
|
69
|
+
* coordination — Claude Code prompts the operator on each first
|
|
70
|
+
* invocation, stalling agents that can't dismiss the prompt.
|
|
71
|
+
*
|
|
72
|
+
* Surfaced empirically during cv-e2e-test rehearsal #11b
|
|
73
|
+
* (2026-04-30): cv-architect on `groundnuty/academic-resume` blocked
|
|
74
|
+
* mid-test on a Write tool prompt because the workspace's
|
|
75
|
+
* `permissions.allow` lacked `Write`. Sister CV agent
|
|
76
|
+
* `cv-project-archaeologist` had the entry; this was operator-
|
|
77
|
+
* authored drift.
|
|
78
|
+
*/
|
|
79
|
+
export declare const AUTONOMY_REQUIRED_TOOLS: readonly string[];
|
|
80
|
+
/**
|
|
81
|
+
* Returns true if `allow` grants the named tool unrestricted use:
|
|
82
|
+
* - Bare tool name (`"Write"`) — Claude Code's "tool only" form
|
|
83
|
+
* - Glob form (`"Write(*)"`)
|
|
84
|
+
*
|
|
85
|
+
* Scoped patterns like `Write(/specific/path)` are NOT considered
|
|
86
|
+
* "fully present" — they cover only that path; calls to other paths
|
|
87
|
+
* still prompt. Conservative-by-design: an operator with scoped Write
|
|
88
|
+
* still gets a warning that surfaces the partial coverage.
|
|
89
|
+
*/
|
|
90
|
+
export declare function isToolFullyAllowed(allow: readonly string[], tool: string): boolean;
|
|
91
|
+
/**
|
|
92
|
+
* Returns true if `deny` has any entry referencing the named tool —
|
|
93
|
+
* either bare (`"Write"`) or scoped (`"Write(/path)"`). Used to
|
|
94
|
+
* contextualise an allow-list gap as deliberate (security-driven,
|
|
95
|
+
* common in operator-restricted workspaces) rather than accidental
|
|
96
|
+
* drift. Soft signal — doctor still warns, just with a different
|
|
97
|
+
* framing.
|
|
98
|
+
*/
|
|
99
|
+
export declare function hasToolDeny(deny: readonly string[], tool: string): boolean;
|
|
100
|
+
/**
|
|
101
|
+
* One per-tool finding from the permissions-allow check.
|
|
102
|
+
*
|
|
103
|
+
* `severity`:
|
|
104
|
+
* - `WARN` — tool absent but Bash fallback exists (Edit absent, OR
|
|
105
|
+
* Write absent + Bash present). Autonomous coordination still works
|
|
106
|
+
* for code paths that use Bash; tool-using paths prompt.
|
|
107
|
+
* - `INFO` — tool absent AND deny rule exists. Treated as deliberate
|
|
108
|
+
* operator decision (security posture) rather than drift. Surfaces
|
|
109
|
+
* the gap so it's visible, but doesn't recommend fix.
|
|
110
|
+
* - `BLOCK` — tool absent AND no fallback (Write + Edit + Bash all
|
|
111
|
+
* absent). Autonomous coordination fails entirely on first agentic
|
|
112
|
+
* file op.
|
|
113
|
+
*
|
|
114
|
+
* Doctor exit code is unchanged by this check (per #296 AC: warn-only,
|
|
115
|
+
* no error). Severity drives output formatting + remediation suggestion.
|
|
116
|
+
*/
|
|
117
|
+
export interface PermissionFinding {
|
|
118
|
+
readonly tool: string;
|
|
119
|
+
readonly severity: 'WARN' | 'INFO' | 'BLOCK';
|
|
120
|
+
readonly hasBashFallback: boolean;
|
|
121
|
+
readonly hasDenyRule: boolean;
|
|
122
|
+
readonly message: string;
|
|
123
|
+
readonly remediation: string;
|
|
124
|
+
}
|
|
125
|
+
/**
|
|
126
|
+
* Result of the permissions-allow check (macf#296). `findings` lists
|
|
127
|
+
* one entry per missing autonomy-required tool; `status` summarises
|
|
128
|
+
* across them — `PASS` if no findings, `WARN` if any non-INFO finding,
|
|
129
|
+
* `INFO` if all findings are deliberate-deny cases.
|
|
130
|
+
*/
|
|
131
|
+
export interface PermissionsAllowCheckResult {
|
|
132
|
+
readonly status: 'PASS' | 'WARN' | 'INFO';
|
|
133
|
+
readonly findings: readonly PermissionFinding[];
|
|
134
|
+
/** Set when the JSON was malformed; `findings` will be empty. */
|
|
135
|
+
readonly readError?: string;
|
|
136
|
+
}
|
|
137
|
+
/**
|
|
138
|
+
* Check that `permissions.allow` grants the autonomy-required tools
|
|
139
|
+
* (`Write`, `Edit`). For each absent tool, build a `PermissionFinding`
|
|
140
|
+
* with severity tuned to the failure mode (BLOCK if no Bash fallback,
|
|
141
|
+
* WARN if Bash works, INFO if a deny rule signals deliberate scope).
|
|
142
|
+
*
|
|
143
|
+
* Sister CV reference: cv-project-archaeologist's settings.json has
|
|
144
|
+
* Write+Edit; academic-resume drifted without them. Surfaces here at
|
|
145
|
+
* health-check time rather than mid-coordination block.
|
|
146
|
+
*
|
|
147
|
+
* Schema reference: Claude Code permissions.allow accepts both bare
|
|
148
|
+
* tool names ("Write") and patterned forms ("Write(*)", "Write(/path)").
|
|
149
|
+
* Verified against the canonical settings.json schema documented in
|
|
150
|
+
* Claude Code's update-config skill (stable form across recent versions).
|
|
151
|
+
*/
|
|
152
|
+
export declare function checkPermissionsAllow(workspaceDir: string): PermissionsAllowCheckResult;
|
|
67
153
|
/**
|
|
68
154
|
* Format a non-leaking error message when `gh token generate --jwt` returns
|
|
69
155
|
* output that doesn't look like a JWT. Shows only the first 6 characters
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAyBA;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yBAAyB,EAAE,SAAS,kBAAkB,EAQlE,CAAC;AAEF,MAAM,WAAW,aAAa;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,OAAO,EAAE,SAAS,kBAAkB,EAAE,CAAC;IAChD,iFAAiF;IACjF,QAAQ,CAAC,YAAY,EAAE,SAAS;QAC9B,QAAQ,CAAC,QAAQ,EAAE,kBAAkB,CAAC;QACtC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;KACzB,EAAE,CAAC;CACL;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,GAAG,aAAa,CAgBvF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,kBAAkB,EACvB,MAAM,EAAE,MAAM,GAAG,SAAS,GACzB,MAAM,CAWR;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,gFAAgF;IAChF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,cAAc,CAc5E;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,EAAE,SAAS,MAAM,EAAsB,CAAC;AAE5E;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAElF;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAK1E;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC7C,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAC1C,QAAQ,CAAC,QAAQ,EAAE,SAAS,iBAAiB,EAAE,CAAC;IAChD,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,2BAA2B,CAgEvF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAMxD;AAED;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,CAChD,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CA6CjC;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA0FnE"}
|
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
*/
|
|
17
17
|
import { execFileSync } from 'node:child_process';
|
|
18
18
|
import { readAgentConfig, tokenSourceFromConfig } from '../config.js';
|
|
19
|
-
import { getSandboxAllowRead, SANDBOX_FD_READ_PATTERN } from '../settings-writer.js';
|
|
19
|
+
import { getPermissionsAllow, getPermissionsDeny, getSandboxAllowRead, SANDBOX_FD_READ_PATTERN, } from '../settings-writer.js';
|
|
20
20
|
/**
|
|
21
21
|
* DR-019 permission doctrine. Keep in sync with
|
|
22
22
|
* design/decisions/DR-019-app-permissions.md and
|
|
@@ -101,6 +101,124 @@ export function checkSandboxFdAllowRead(workspaceDir) {
|
|
|
101
101
|
detail: `allowRead does not contain ${SANDBOX_FD_READ_PATTERN} — run \`macf update\` to refresh`,
|
|
102
102
|
};
|
|
103
103
|
}
|
|
104
|
+
/**
|
|
105
|
+
* Tools whose absence from `permissions.allow` blocks autonomous
|
|
106
|
+
* coordination — Claude Code prompts the operator on each first
|
|
107
|
+
* invocation, stalling agents that can't dismiss the prompt.
|
|
108
|
+
*
|
|
109
|
+
* Surfaced empirically during cv-e2e-test rehearsal #11b
|
|
110
|
+
* (2026-04-30): cv-architect on `groundnuty/academic-resume` blocked
|
|
111
|
+
* mid-test on a Write tool prompt because the workspace's
|
|
112
|
+
* `permissions.allow` lacked `Write`. Sister CV agent
|
|
113
|
+
* `cv-project-archaeologist` had the entry; this was operator-
|
|
114
|
+
* authored drift.
|
|
115
|
+
*/
|
|
116
|
+
export const AUTONOMY_REQUIRED_TOOLS = ['Write', 'Edit'];
|
|
117
|
+
/**
|
|
118
|
+
* Returns true if `allow` grants the named tool unrestricted use:
|
|
119
|
+
* - Bare tool name (`"Write"`) — Claude Code's "tool only" form
|
|
120
|
+
* - Glob form (`"Write(*)"`)
|
|
121
|
+
*
|
|
122
|
+
* Scoped patterns like `Write(/specific/path)` are NOT considered
|
|
123
|
+
* "fully present" — they cover only that path; calls to other paths
|
|
124
|
+
* still prompt. Conservative-by-design: an operator with scoped Write
|
|
125
|
+
* still gets a warning that surfaces the partial coverage.
|
|
126
|
+
*/
|
|
127
|
+
export function isToolFullyAllowed(allow, tool) {
|
|
128
|
+
return allow.includes(tool) || allow.includes(`${tool}(*)`);
|
|
129
|
+
}
|
|
130
|
+
/**
|
|
131
|
+
* Returns true if `deny` has any entry referencing the named tool —
|
|
132
|
+
* either bare (`"Write"`) or scoped (`"Write(/path)"`). Used to
|
|
133
|
+
* contextualise an allow-list gap as deliberate (security-driven,
|
|
134
|
+
* common in operator-restricted workspaces) rather than accidental
|
|
135
|
+
* drift. Soft signal — doctor still warns, just with a different
|
|
136
|
+
* framing.
|
|
137
|
+
*/
|
|
138
|
+
export function hasToolDeny(deny, tool) {
|
|
139
|
+
for (const entry of deny) {
|
|
140
|
+
if (entry === tool || entry.startsWith(`${tool}(`))
|
|
141
|
+
return true;
|
|
142
|
+
}
|
|
143
|
+
return false;
|
|
144
|
+
}
|
|
145
|
+
/**
|
|
146
|
+
* Check that `permissions.allow` grants the autonomy-required tools
|
|
147
|
+
* (`Write`, `Edit`). For each absent tool, build a `PermissionFinding`
|
|
148
|
+
* with severity tuned to the failure mode (BLOCK if no Bash fallback,
|
|
149
|
+
* WARN if Bash works, INFO if a deny rule signals deliberate scope).
|
|
150
|
+
*
|
|
151
|
+
* Sister CV reference: cv-project-archaeologist's settings.json has
|
|
152
|
+
* Write+Edit; academic-resume drifted without them. Surfaces here at
|
|
153
|
+
* health-check time rather than mid-coordination block.
|
|
154
|
+
*
|
|
155
|
+
* Schema reference: Claude Code permissions.allow accepts both bare
|
|
156
|
+
* tool names ("Write") and patterned forms ("Write(*)", "Write(/path)").
|
|
157
|
+
* Verified against the canonical settings.json schema documented in
|
|
158
|
+
* Claude Code's update-config skill (stable form across recent versions).
|
|
159
|
+
*/
|
|
160
|
+
export function checkPermissionsAllow(workspaceDir) {
|
|
161
|
+
let allow;
|
|
162
|
+
let deny;
|
|
163
|
+
try {
|
|
164
|
+
allow = getPermissionsAllow(workspaceDir);
|
|
165
|
+
deny = getPermissionsDeny(workspaceDir);
|
|
166
|
+
}
|
|
167
|
+
catch (err) {
|
|
168
|
+
return {
|
|
169
|
+
status: 'WARN',
|
|
170
|
+
findings: [],
|
|
171
|
+
readError: err instanceof Error ? err.message : String(err),
|
|
172
|
+
};
|
|
173
|
+
}
|
|
174
|
+
const hasBashFallback = isToolFullyAllowed(allow, 'Bash');
|
|
175
|
+
const findings = [];
|
|
176
|
+
for (const tool of AUTONOMY_REQUIRED_TOOLS) {
|
|
177
|
+
if (isToolFullyAllowed(allow, tool))
|
|
178
|
+
continue;
|
|
179
|
+
const hasDenyRule = hasToolDeny(deny, tool);
|
|
180
|
+
const isWrite = tool === 'Write';
|
|
181
|
+
let severity;
|
|
182
|
+
let message;
|
|
183
|
+
if (hasDenyRule) {
|
|
184
|
+
severity = 'INFO';
|
|
185
|
+
message =
|
|
186
|
+
`${tool} absent from permissions.allow; deny rule present — likely deliberate scope ` +
|
|
187
|
+
`(security posture). Autonomous file ops via ${tool} will prompt; agents can fall ` +
|
|
188
|
+
`back to Bash where allowed.`;
|
|
189
|
+
}
|
|
190
|
+
else if (isWrite && !hasBashFallback) {
|
|
191
|
+
severity = 'BLOCK';
|
|
192
|
+
message =
|
|
193
|
+
`Write absent AND Bash absent — autonomous file creation impossible. ` +
|
|
194
|
+
`Agents will block on every Write/Bash invocation waiting for operator click-through.`;
|
|
195
|
+
}
|
|
196
|
+
else {
|
|
197
|
+
severity = 'WARN';
|
|
198
|
+
message =
|
|
199
|
+
`${tool} absent from permissions.allow — autonomous ${tool} tool calls fire interactive ` +
|
|
200
|
+
`permission prompts. Sister CV agent cv-project-archaeologist has this entry; if this ` +
|
|
201
|
+
`workspace is also a CV/coordination consumer, the gap is likely operator-authored drift ` +
|
|
202
|
+
`(empirical incident: cv-e2e-test rehearsal #11b 2026-04-30).` +
|
|
203
|
+
(isWrite ? ' Bash fallback is present, so file-write via shell still works (degraded autonomy).' : '');
|
|
204
|
+
}
|
|
205
|
+
const remediation = `Add to .claude/settings.json under permissions.allow: "${tool}" (bare; allows all paths) ` +
|
|
206
|
+
`OR "${tool}(*)" (glob form). For scoped use, prefer "${tool}(/path/*)" patterns + matching ` +
|
|
207
|
+
`deny rules for sensitive paths.`;
|
|
208
|
+
findings.push({
|
|
209
|
+
tool,
|
|
210
|
+
severity,
|
|
211
|
+
hasBashFallback,
|
|
212
|
+
hasDenyRule,
|
|
213
|
+
message,
|
|
214
|
+
remediation,
|
|
215
|
+
});
|
|
216
|
+
}
|
|
217
|
+
if (findings.length === 0)
|
|
218
|
+
return { status: 'PASS', findings: [] };
|
|
219
|
+
const allInfo = findings.every((f) => f.severity === 'INFO');
|
|
220
|
+
return { status: allInfo ? 'INFO' : 'WARN', findings };
|
|
221
|
+
}
|
|
104
222
|
/**
|
|
105
223
|
* Format a non-leaking error message when `gh token generate --jwt` returns
|
|
106
224
|
* output that doesn't look like a JWT. Shows only the first 6 characters
|
|
@@ -228,6 +346,27 @@ export async function runDoctor(projectDir) {
|
|
|
228
346
|
if (sandboxCheck.detail)
|
|
229
347
|
console.log(` ${sandboxCheck.detail}`);
|
|
230
348
|
}
|
|
349
|
+
console.log('');
|
|
350
|
+
console.log('Workspace permissions (macf#296)');
|
|
351
|
+
console.log('──────────────────────────────────────────────────────────────');
|
|
352
|
+
const permsCheck = checkPermissionsAllow(projectDir);
|
|
353
|
+
if (permsCheck.readError) {
|
|
354
|
+
console.log(` ⚠ could not parse .claude/settings.json: ${permsCheck.readError}`);
|
|
355
|
+
}
|
|
356
|
+
else if (permsCheck.status === 'PASS') {
|
|
357
|
+
console.log(` ✓ permissions.allow grants Write + Edit (autonomous coordination unblocked) [PASS]`);
|
|
358
|
+
}
|
|
359
|
+
else {
|
|
360
|
+
const summary = permsCheck.status === 'INFO'
|
|
361
|
+
? `ℹ ${permsCheck.findings.length} autonomy-required tool(s) absent (deny rules present — likely deliberate) [INFO]`
|
|
362
|
+
: `⚠ ${permsCheck.findings.length} autonomy-required tool(s) absent or scoped [WARN]`;
|
|
363
|
+
console.log(` ${summary}`);
|
|
364
|
+
for (const f of permsCheck.findings) {
|
|
365
|
+
const symbol = f.severity === 'BLOCK' ? '✗' : (f.severity === 'WARN' ? '⚠' : 'ℹ');
|
|
366
|
+
console.log(` ${symbol} ${f.tool}: ${f.message}`);
|
|
367
|
+
console.log(` Fix: ${f.remediation}`);
|
|
368
|
+
}
|
|
369
|
+
}
|
|
231
370
|
const permissionsFailed = finding.missing.length > 0 || finding.insufficient.length > 0;
|
|
232
371
|
const sandboxFailed = sandboxCheck.status === 'FAIL';
|
|
233
372
|
return permissionsFailed || sandboxFailed ? 1 : 0;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAWrF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAkC;IACtE,EAAE,IAAI,EAAE,UAAU,EAAW,KAAK,EAAE,MAAM,EAAG,GAAG,EAAE,yCAAyC,EAAE;IAC7F,EAAE,IAAI,EAAE,UAAU,EAAW,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,uCAAuC,EAAE;IAC3F,EAAE,IAAI,EAAE,QAAQ,EAAa,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,4DAA4D,EAAE;IAChH,EAAE,IAAI,EAAE,eAAe,EAAM,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,kCAAkC,EAAE;IACtF,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,uEAAuE,EAAE;IAC3H,EAAE,IAAI,EAAE,WAAW,EAAU,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,0CAA0C,EAAE;IAC9F,EAAE,IAAI,EAAE,SAAS,EAAY,KAAK,EAAE,MAAM,EAAG,GAAG,EAAE,gDAAgD,EAAE;CACrG,CAAC;AAYF;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,MAAwC;IACtE,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,MAAM,YAAY,GAAuD,EAAE,CAAC;IAC5E,KAAK,MAAM,GAAG,IAAI,yBAAyB,EAAE,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClB,SAAS;QACX,CAAC;QACD,iEAAiE;QACjE,iEAAiE;QACjE,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;YACpD,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,GAAuB,EACvB,MAA0B;IAE1B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,KAAK,IAAI,aAAa,QAAQ,wBAAwB,GAAG,CAAC,GAAG,EAAE,CAAC;IACzE,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/C,OAAO,KAAK,IAAI,aAAa,QAAQ,WAAW,SAAS,0BAA0B,CAAC;IACtF,CAAC;IACD,OAAO,KAAK,IAAI,aAAa,QAAQ,WAAW,SAAS,EAAE,CAAC;AAC9D,CAAC;AAkBD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,YAAoB;IAC1D,IAAI,SAA4B,CAAC;IACjC,IAAI,CAAC;QACH,SAAS,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACtF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAChD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,8BAA8B,uBAAuB,mCAAmC;KACjG,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAChE,OAAO,CACL,qDAAqD;QACrD,YAAY,UAAU,aAAa,GAAG,CAAC,MAAM,GAAG,CACjD,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,KAAa,EACb,SAAiB,EACjB,OAAe;IAEf,yEAAyE;IACzE,0EAA0E;IAC1E,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE;YACvB,OAAO,EAAE,UAAU;YACnB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE,OAAO;YAChB,OAAO;YACP,cAAc;SACf,EAAE;YACD,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,mCAAmC,GAAG,IAAI;YAC1C,0DAA0D,EAC1D,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,4CAA4C,SAAS,EAAE,EAAE;QACpF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,GAAG,EAAE;YAC9B,MAAM,EAAE,6BAA6B;YACrC,sBAAsB,EAAE,YAAY;SACrC;KACF,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,IAAI,KAAK,CACb,0BAA0B,SAAS,aAAa,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACzF,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACpE,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,MAAM,CAAC,WAAqC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,UAAkB;IAChD,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QAClE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACzD,IAAI,WAAmC,CAAC;IACxC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,4BAA4B,CAC9C,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAC/C,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;IAE7C,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,KAAK,MAAM,GAAG,IAAI,yBAAyB,EAAE,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,mBAAmB,CAAC,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,MAAM,aAAa,GAAG,yBAAyB,CAAC,MAAM,CAAC;IACvD,MAAM,SAAS,GAAG,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC;IACvF,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAC9E,CAAC,CAAC,oCAAoC;QACtC,CAAC,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,OAAO,aAAa,+CAA+C,CAAC;IACjI,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,KAAK,SAAS,IAAI,aAAa,aAAa,CAAC,CAAC;IAErE,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,KAAK,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,OAAO,QAAQ,CAAC,IAAI,UAAU,MAAM,UAAU,QAAQ,CAAC,KAAK,MAAM,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;QAChG,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;QACrF,OAAO,CAAC,GAAG,CAAC,qFAAqF,CAAC,CAAC;QACnG,OAAO,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAAC;IAClG,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,MAAM,YAAY,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,YAAY,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,6CAA6C,uBAAuB,UAAU,CAAC,CAAC;IAC9F,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,4CAA4C,uBAAuB,wCAAwC,CAAC,CAAC;QACzH,IAAI,YAAY,CAAC,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;IACxF,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,KAAK,MAAM,CAAC;IACrD,OAAO,iBAAiB,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC"}
|
|
1
|
+
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACtE,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,uBAAuB,CAAC;AAW/B;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAkC;IACtE,EAAE,IAAI,EAAE,UAAU,EAAW,KAAK,EAAE,MAAM,EAAG,GAAG,EAAE,yCAAyC,EAAE;IAC7F,EAAE,IAAI,EAAE,UAAU,EAAW,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,uCAAuC,EAAE;IAC3F,EAAE,IAAI,EAAE,QAAQ,EAAa,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,4DAA4D,EAAE;IAChH,EAAE,IAAI,EAAE,eAAe,EAAM,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,kCAAkC,EAAE;IACtF,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,uEAAuE,EAAE;IAC3H,EAAE,IAAI,EAAE,WAAW,EAAU,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,0CAA0C,EAAE;IAC9F,EAAE,IAAI,EAAE,SAAS,EAAY,KAAK,EAAE,MAAM,EAAG,GAAG,EAAE,gDAAgD,EAAE;CACrG,CAAC;AAYF;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,MAAwC;IACtE,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,MAAM,YAAY,GAAuD,EAAE,CAAC;IAC5E,KAAK,MAAM,GAAG,IAAI,yBAAyB,EAAE,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClB,SAAS;QACX,CAAC;QACD,iEAAiE;QACjE,iEAAiE;QACjE,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;YACpD,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,GAAuB,EACvB,MAA0B;IAE1B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,KAAK,IAAI,aAAa,QAAQ,wBAAwB,GAAG,CAAC,GAAG,EAAE,CAAC;IACzE,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/C,OAAO,KAAK,IAAI,aAAa,QAAQ,WAAW,SAAS,0BAA0B,CAAC;IACtF,CAAC;IACD,OAAO,KAAK,IAAI,aAAa,QAAQ,WAAW,SAAS,EAAE,CAAC;AAC9D,CAAC;AAkBD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,YAAoB;IAC1D,IAAI,SAA4B,CAAC;IACjC,IAAI,CAAC;QACH,SAAS,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACtF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAChD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,8BAA8B,uBAAuB,mCAAmC;KACjG,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAsB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AAE5E;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAwB,EAAE,IAAY;IACvE,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC;AAC9D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,IAAuB,EAAE,IAAY;IAC/D,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;QACzB,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAClE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAyCD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,qBAAqB,CAAC,YAAoB;IACxD,IAAI,KAAwB,CAAC;IAC7B,IAAI,IAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,KAAK,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAI,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC5D,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAwB,EAAE,CAAC;IAEzC,KAAK,MAAM,IAAI,IAAI,uBAAuB,EAAE,CAAC;QAC3C,IAAI,kBAAkB,CAAC,KAAK,EAAE,IAAI,CAAC;YAAE,SAAS;QAE9C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,IAAI,KAAK,OAAO,CAAC;QAEjC,IAAI,QAAuC,CAAC;QAC5C,IAAI,OAAe,CAAC;QACpB,IAAI,WAAW,EAAE,CAAC;YAChB,QAAQ,GAAG,MAAM,CAAC;YAClB,OAAO;gBACL,GAAG,IAAI,8EAA8E;oBACrF,+CAA+C,IAAI,gCAAgC;oBACnF,6BAA6B,CAAC;QAClC,CAAC;aAAM,IAAI,OAAO,IAAI,CAAC,eAAe,EAAE,CAAC;YACvC,QAAQ,GAAG,OAAO,CAAC;YACnB,OAAO;gBACL,sEAAsE;oBACtE,sFAAsF,CAAC;QAC3F,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,MAAM,CAAC;YAClB,OAAO;gBACL,GAAG,IAAI,+CAA+C,IAAI,+BAA+B;oBACzF,uFAAuF;oBACvF,0FAA0F;oBAC1F,8DAA8D;oBAC9D,CAAC,OAAO,CAAC,CAAC,CAAC,qFAAqF,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC3G,CAAC;QAED,MAAM,WAAW,GACf,0DAA0D,IAAI,6BAA6B;YAC3F,OAAO,IAAI,6CAA6C,IAAI,iCAAiC;YAC7F,iCAAiC,CAAC;QAEpC,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI;YACJ,QAAQ;YACR,eAAe;YACf,WAAW;YACX,OAAO;YACP,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IACnE,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;IAC7D,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC;AACzD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAChE,OAAO,CACL,qDAAqD;QACrD,YAAY,UAAU,aAAa,GAAG,CAAC,MAAM,GAAG,CACjD,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,KAAa,EACb,SAAiB,EACjB,OAAe;IAEf,yEAAyE;IACzE,0EAA0E;IAC1E,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE;YACvB,OAAO,EAAE,UAAU;YACnB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE,OAAO;YAChB,OAAO;YACP,cAAc;SACf,EAAE;YACD,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,mCAAmC,GAAG,IAAI;YAC1C,0DAA0D,EAC1D,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,4CAA4C,SAAS,EAAE,EAAE;QACpF,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,GAAG,EAAE;YAC9B,MAAM,EAAE,6BAA6B;YACrC,sBAAsB,EAAE,YAAY;SACrC;KACF,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,IAAI,KAAK,CACb,0BAA0B,SAAS,aAAa,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACzF,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;IACpE,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,MAAM,CAAC,WAAqC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,UAAkB;IAChD,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QAClE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACzD,IAAI,WAAmC,CAAC;IACxC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,4BAA4B,CAC9C,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAC/C,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;IAE7C,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,KAAK,MAAM,GAAG,IAAI,yBAAyB,EAAE,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,mBAAmB,CAAC,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,MAAM,aAAa,GAAG,yBAAyB,CAAC,MAAM,CAAC;IACvD,MAAM,SAAS,GAAG,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC;IACvF,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAC9E,CAAC,CAAC,oCAAoC;QACtC,CAAC,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,OAAO,aAAa,+CAA+C,CAAC;IACjI,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,KAAK,SAAS,IAAI,aAAa,aAAa,CAAC,CAAC;IAErE,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,OAAO,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,KAAK,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,OAAO,QAAQ,CAAC,IAAI,UAAU,MAAM,UAAU,QAAQ,CAAC,KAAK,MAAM,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;QAChG,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;QACrF,OAAO,CAAC,GAAG,CAAC,qFAAqF,CAAC,CAAC;QACnG,OAAO,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAAC;IAClG,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,MAAM,YAAY,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,YAAY,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,6CAA6C,uBAAuB,UAAU,CAAC,CAAC;IAC9F,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,4CAA4C,uBAAuB,wCAAwC,CAAC,CAAC;QACzH,IAAI,YAAY,CAAC,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,MAAM,UAAU,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IACrD,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,8CAA8C,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC;IACpF,CAAC;SAAM,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,uFAAuF,CAAC,CAAC;IACvG,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,KAAK,MAAM;YAC1C,CAAC,CAAC,KAAK,UAAU,CAAC,QAAQ,CAAC,MAAM,oFAAoF;YACrH,CAAC,CAAC,KAAK,UAAU,CAAC,QAAQ,CAAC,MAAM,qDAAqD,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC,CAAC;QAC5B,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAClF,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;IACxF,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,KAAK,MAAM,CAAC;IACrD,OAAO,iBAAiB,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC"}
|
|
@@ -84,6 +84,40 @@ export declare const SANDBOX_FD_READ_PATTERN = "/proc/self/fd";
|
|
|
84
84
|
* JSON-read + deep-narrow logic in two places.
|
|
85
85
|
*/
|
|
86
86
|
export declare function getSandboxAllowRead(workspaceDir: string): readonly string[];
|
|
87
|
+
/**
|
|
88
|
+
* Read the workspace-effective `permissions.allow` array — merge of
|
|
89
|
+
* `.claude/settings.json` + `.claude/settings.local.json` (macf#305).
|
|
90
|
+
*
|
|
91
|
+
* Per Claude Code's canonical settings semantics, `permissions.allow` /
|
|
92
|
+
* `deny` / `ask` arrays MERGE/concatenate across scopes (not replace —
|
|
93
|
+
* opposite to scalar settings which higher-priority scopes replace).
|
|
94
|
+
* The doctor's effective-permissions check therefore unions both
|
|
95
|
+
* scopes; an entry present in EITHER file counts as granted.
|
|
96
|
+
*
|
|
97
|
+
* Duplicates are removed. Empty array if neither file exists. Throws
|
|
98
|
+
* on malformed JSON in either file (the path is in the error message,
|
|
99
|
+
* surfacing which file failed to parse).
|
|
100
|
+
*
|
|
101
|
+
* Used by `macf doctor` (macf#296 / #298) to surface allow-list gaps
|
|
102
|
+
* that would block autonomous coordination — specifically Write/Edit
|
|
103
|
+
* absence causing interactive permission prompts mid-test. Pre-#305
|
|
104
|
+
* the helper read settings.json only; this caused false-positive WARNs
|
|
105
|
+
* on workspaces where operators canonically placed Write/Edit in
|
|
106
|
+
* settings.local.json (as cv-architect / cv-project-archaeologist did
|
|
107
|
+
* after the macf#302 substrate-side drift workaround).
|
|
108
|
+
*/
|
|
109
|
+
export declare function getPermissionsAllow(workspaceDir: string): readonly string[];
|
|
110
|
+
/**
|
|
111
|
+
* Read the workspace-effective `permissions.deny` array — sister to
|
|
112
|
+
* `getPermissionsAllow`. Same merge semantics: union of
|
|
113
|
+
* settings.json + settings.local.json deny arrays, deduped (macf#305).
|
|
114
|
+
*
|
|
115
|
+
* Used to detect operator-authored deny rules that contextualise an
|
|
116
|
+
* allow-list gap as deliberate (security-driven) rather than
|
|
117
|
+
* accidental drift. A deny rule in EITHER scope counts; the doctor's
|
|
118
|
+
* INFO-severity classification fires on the union.
|
|
119
|
+
*/
|
|
120
|
+
export declare function getPermissionsDeny(workspaceDir: string): readonly string[];
|
|
87
121
|
/**
|
|
88
122
|
* Install (or refresh) the `/proc/self/fd` entry in
|
|
89
123
|
* `.claude/settings.json`'s `sandbox.filesystem.allowRead` array.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"settings-writer.d.ts","sourceRoot":"","sources":["../../src/cli/settings-writer.ts"],"names":[],"mappings":"AAuBA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,0DAA0D,CAAC;AAEzF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,iEAAiE,CAAC;AA6DxG;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EAKrD,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,uBAAuB,kBAAkB,CAAC;AAEvD;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAS3E;AAaD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA+CpE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,eAAO,MAAM,yBAAyB,EAAE,SAAS,MAAM,EA0CtD,CAAC;AAWF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA8CzE;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAQlF;AASD;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA+BxE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA0C7D"}
|
|
1
|
+
{"version":3,"file":"settings-writer.d.ts","sourceRoot":"","sources":["../../src/cli/settings-writer.ts"],"names":[],"mappings":"AAuBA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,0DAA0D,CAAC;AAEzF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,iEAAiE,CAAC;AA6DxG;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EAKrD,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,uBAAuB,kBAAkB,CAAC;AAEvD;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAS3E;AAmBD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAM3E;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAM1E;AAaD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA+CpE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,eAAO,MAAM,yBAAyB,EAAE,SAAS,MAAM,EA0CtD,CAAC;AAWF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA8CzE;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAQlF;AASD;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA+BxE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CA0C7D"}
|
|
@@ -157,6 +157,69 @@ export function getSandboxAllowRead(workspaceDir) {
|
|
|
157
157
|
return [];
|
|
158
158
|
return list.filter((v) => typeof v === 'string');
|
|
159
159
|
}
|
|
160
|
+
/**
|
|
161
|
+
* Read `permissions.<key>` from a single settings file path. Returns an
|
|
162
|
+
* empty array if the file is absent, no `permissions` block, or the array
|
|
163
|
+
* isn't a string list. Throws on malformed JSON via `readSettings`.
|
|
164
|
+
*
|
|
165
|
+
* Internal helper — `getPermissionsAllow` / `getPermissionsDeny` use this
|
|
166
|
+
* to read each scope (settings.json + settings.local.json) before
|
|
167
|
+
* merging.
|
|
168
|
+
*/
|
|
169
|
+
function readPermissionsArray(filePath, key) {
|
|
170
|
+
const settings = readSettings(filePath);
|
|
171
|
+
const permissionsRaw = settings['permissions'] ?? {};
|
|
172
|
+
const list = permissionsRaw[key];
|
|
173
|
+
if (!Array.isArray(list))
|
|
174
|
+
return [];
|
|
175
|
+
return list.filter((v) => typeof v === 'string');
|
|
176
|
+
}
|
|
177
|
+
/**
|
|
178
|
+
* Read the workspace-effective `permissions.allow` array — merge of
|
|
179
|
+
* `.claude/settings.json` + `.claude/settings.local.json` (macf#305).
|
|
180
|
+
*
|
|
181
|
+
* Per Claude Code's canonical settings semantics, `permissions.allow` /
|
|
182
|
+
* `deny` / `ask` arrays MERGE/concatenate across scopes (not replace —
|
|
183
|
+
* opposite to scalar settings which higher-priority scopes replace).
|
|
184
|
+
* The doctor's effective-permissions check therefore unions both
|
|
185
|
+
* scopes; an entry present in EITHER file counts as granted.
|
|
186
|
+
*
|
|
187
|
+
* Duplicates are removed. Empty array if neither file exists. Throws
|
|
188
|
+
* on malformed JSON in either file (the path is in the error message,
|
|
189
|
+
* surfacing which file failed to parse).
|
|
190
|
+
*
|
|
191
|
+
* Used by `macf doctor` (macf#296 / #298) to surface allow-list gaps
|
|
192
|
+
* that would block autonomous coordination — specifically Write/Edit
|
|
193
|
+
* absence causing interactive permission prompts mid-test. Pre-#305
|
|
194
|
+
* the helper read settings.json only; this caused false-positive WARNs
|
|
195
|
+
* on workspaces where operators canonically placed Write/Edit in
|
|
196
|
+
* settings.local.json (as cv-architect / cv-project-archaeologist did
|
|
197
|
+
* after the macf#302 substrate-side drift workaround).
|
|
198
|
+
*/
|
|
199
|
+
export function getPermissionsAllow(workspaceDir) {
|
|
200
|
+
const absDir = resolve(workspaceDir);
|
|
201
|
+
const claudeDir = join(absDir, '.claude');
|
|
202
|
+
const main = readPermissionsArray(join(claudeDir, 'settings.json'), 'allow');
|
|
203
|
+
const local = readPermissionsArray(join(claudeDir, 'settings.local.json'), 'allow');
|
|
204
|
+
return Array.from(new Set([...main, ...local]));
|
|
205
|
+
}
|
|
206
|
+
/**
|
|
207
|
+
* Read the workspace-effective `permissions.deny` array — sister to
|
|
208
|
+
* `getPermissionsAllow`. Same merge semantics: union of
|
|
209
|
+
* settings.json + settings.local.json deny arrays, deduped (macf#305).
|
|
210
|
+
*
|
|
211
|
+
* Used to detect operator-authored deny rules that contextualise an
|
|
212
|
+
* allow-list gap as deliberate (security-driven) rather than
|
|
213
|
+
* accidental drift. A deny rule in EITHER scope counts; the doctor's
|
|
214
|
+
* INFO-severity classification fires on the union.
|
|
215
|
+
*/
|
|
216
|
+
export function getPermissionsDeny(workspaceDir) {
|
|
217
|
+
const absDir = resolve(workspaceDir);
|
|
218
|
+
const claudeDir = join(absDir, '.claude');
|
|
219
|
+
const main = readPermissionsArray(join(claudeDir, 'settings.json'), 'deny');
|
|
220
|
+
const local = readPermissionsArray(join(claudeDir, 'settings.local.json'), 'deny');
|
|
221
|
+
return Array.from(new Set([...main, ...local]));
|
|
222
|
+
}
|
|
160
223
|
/**
|
|
161
224
|
* Legacy MACF-managed patterns that earlier CLI versions wrote to
|
|
162
225
|
* `allowRead`. Dropped from the array before installing the current
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"settings-writer.js","sourceRoot":"","sources":["../../src/cli/settings-writer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,uDAAuD,CAAC;AAEzF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,8DAA8D,CAAC;AAExG;;;;GAIG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,mBAAmB;IACnB,0BAA0B;CAC3B,CAAC;AAEF;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,OAAe;IAC3C,iEAAiE;IACjE,6EAA6E;IAC7E,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACjE,OAAO,mBAAmB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAChD,CAAC;AAqBD,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,4DAA4D,IAAI,KAAM,GAAa,CAAC,OAAO,IAAI;YAC7F,gDAAgD,EAClD,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsB;IACzD,+BAA+B;IAC/B,+BAA+B;IAC/B,8BAA8B;IAC9B,6BAA6B;CAC9B,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,eAAe,CAAC;AAEvD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,aAAa,GAAI,UAAU,CAAC,YAAY,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,IAAI,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAsB;IACjD,kBAAkB;CACnB,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,yBAAyB,CAAC,YAAoB;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACrD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO;IAE5C,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,iEAAiE;IACjE,kEAAkE;IAClE,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,aAAa,GAAI,UAAU,CAAC,YAAY,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;QAC7D,CAAC,CAAE,aAAa,CAAC,WAAW,CAAwB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACtG,CAAC,CAAC,EAAE,CAAC;IAEP,iEAAiE;IACjE,kEAAkE;IAClE,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CACpC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,uBAAuB,CAAC,QAAQ,CAAC,KAAK,CAAC,CACpD,CAAC;IAEF,gEAAgE;IAChE,6DAA6D;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,CAAC,MAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC7F,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC;QAC3D,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,CAAC,GAAG,SAAS,EAAE,uBAAuB,CAAC,CAAC;IAE5C,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE;YACP,GAAG,UAAU;YACb,UAAU,EAAE;gBACV,GAAG,aAAa;gBAChB,SAAS;aACV;SACF;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAsB;IAC1D,0BAA0B;IAC1B,OAAO;IACP,OAAO;IACP,SAAS;IACT,UAAU;IACV,OAAO;IACP,OAAO;IACP,OAAO;IACP,aAAa;IACb,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,WAAW;IACX,uBAAuB;IACvB,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;IACN,MAAM;IACN,QAAQ;IACR,OAAO;IACP,OAAO;IACP,QAAQ;IACR,SAAS;IACT,0DAA0D;IAC1D,qDAAqD;IACrD,QAAQ;IACR,MAAM;IACN,SAAS;IACT,yDAAyD;IACzD,2DAA2D;IAC3D,SAAS;IACT,MAAM;IACN,SAAS;CACV,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,6BAA6B,GAAsB,EAAE,CAAC;AAE5D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,8BAA8B,CAAC,YAAoB;IACjE,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAChE,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO;IAE5C,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,mEAAmE;IACnE,yDAAyD;IACzD,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;QAC5D,CAAC,CAAE,UAAU,CAAC,kBAAkB,CAAwB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAC1G,CAAC,CAAC,EAAE,CAAC;IAEP,6DAA6D;IAC7D,gEAAgE;IAChE,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAC/B,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,6BAA6B,CAAC,QAAQ,CAAC,KAAK,CAAC,CAC1D,CAAC;IAEF,4DAA4D;IAC5D,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;IAC9B,KAAK,MAAM,KAAK,IAAI,yBAAyB,EAAE,CAAC;QAC9C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAED,8DAA8D;IAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,CAAC;IACrD,MAAM,WAAW,GAAG,UAAU,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,IAAI,WAAW;QAAE,OAAO;IAExB,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE;YACP,GAAG,UAAU;YACb,gBAAgB,EAAE,MAAM;SACzB;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,YAAoB;IAC7D,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,IAAI,GAAG,UAAU,CAAC,kBAAkB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAAC,YAAoB;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAK,QAAQ,CAAC,aAAa,CAAyB,CAAC,OAAO,CAAC,CAAC;QACvH,CAAC,CAAC,CAAE,QAAQ,CAAC,aAAa,CAAkC,CAAC,KAAK,CAAC;QACnE,CAAC,CAAC,EAAE,CAAC;IAEP,+DAA+D;IAC/D,mEAAmE;IACnE,4DAA4D;IAC5D,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CACpC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,yBAAyB,CAAC,CACrF,CAAC;IAEF,MAAM,KAAK,GAAa,CAAC,GAAG,SAAS,EAAE,GAAG,wBAAwB,CAAC,CAAC;IAEpE,MAAM,mBAAmB,GAAI,QAAQ,CAAC,aAAa,CAAyC,IAAI,EAAE,CAAC;IACnG,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,WAAW,EAAE;YACX,GAAG,mBAAmB;YACtB,KAAK;SACN;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IAE1C,wDAAwD;IACxD,uEAAuE;IACvE,qEAAqE;IACrE,2DAA2D;IAC3D,0DAA0D;IAC1D,oEAAoE;IACpE,sCAAsC;IACtC,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CACjC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CACrE,CAAC;IAEF,MAAM,WAAW,GAAyB;QACxC;YACE,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;SACzD;QACD;YACE,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;SACjE;KACF,CAAC;IAEF,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,KAAK,EAAE;YACL,GAAG,KAAK;YACR,UAAU,EAAE,CAAC,GAAG,SAAS,EAAE,GAAG,WAAW,CAAC;SAC3C;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC"}
|
|
1
|
+
{"version":3,"file":"settings-writer.js","sourceRoot":"","sources":["../../src/cli/settings-writer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,uDAAuD,CAAC;AAEzF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,8DAA8D,CAAC;AAExG;;;;GAIG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,mBAAmB;IACnB,0BAA0B;CAC3B,CAAC;AAEF;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,OAAe;IAC3C,iEAAiE;IACjE,6EAA6E;IAC7E,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACjE,OAAO,mBAAmB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAChD,CAAC;AAqBD,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,4DAA4D,IAAI,KAAM,GAAa,CAAC,OAAO,IAAI;YAC7F,gDAAgD,EAClD,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsB;IACzD,+BAA+B;IAC/B,+BAA+B;IAC/B,8BAA8B;IAC9B,6BAA6B;CAC9B,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,eAAe,CAAC;AAEvD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,aAAa,GAAI,UAAU,CAAC,YAAY,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,IAAI,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,oBAAoB,CAAC,QAAgB,EAAE,GAAqB;IACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,cAAc,GAAI,QAAQ,CAAC,aAAa,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,OAAO,CAAC,CAAC;IAC7E,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC,EAAE,OAAO,CAAC,CAAC;IACpF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC,EAAE,MAAM,CAAC,CAAC;IACnF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAsB;IACjD,kBAAkB;CACnB,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,yBAAyB,CAAC,YAAoB;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACrD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO;IAE5C,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,iEAAiE;IACjE,kEAAkE;IAClE,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,aAAa,GAAI,UAAU,CAAC,YAAY,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;QAC7D,CAAC,CAAE,aAAa,CAAC,WAAW,CAAwB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACtG,CAAC,CAAC,EAAE,CAAC;IAEP,iEAAiE;IACjE,kEAAkE;IAClE,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CACpC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,uBAAuB,CAAC,QAAQ,CAAC,KAAK,CAAC,CACpD,CAAC;IAEF,gEAAgE;IAChE,6DAA6D;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,CAAC,MAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC7F,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC;QAC3D,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,CAAC,GAAG,SAAS,EAAE,uBAAuB,CAAC,CAAC;IAE5C,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE;YACP,GAAG,UAAU;YACb,UAAU,EAAE;gBACV,GAAG,aAAa;gBAChB,SAAS;aACV;SACF;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAsB;IAC1D,0BAA0B;IAC1B,OAAO;IACP,OAAO;IACP,SAAS;IACT,UAAU;IACV,OAAO;IACP,OAAO;IACP,OAAO;IACP,aAAa;IACb,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,WAAW;IACX,uBAAuB;IACvB,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;IACN,MAAM;IACN,QAAQ;IACR,OAAO;IACP,OAAO;IACP,QAAQ;IACR,SAAS;IACT,0DAA0D;IAC1D,qDAAqD;IACrD,QAAQ;IACR,MAAM;IACN,SAAS;IACT,yDAAyD;IACzD,2DAA2D;IAC3D,SAAS;IACT,MAAM;IACN,SAAS;CACV,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,6BAA6B,GAAsB,EAAE,CAAC;AAE5D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,8BAA8B,CAAC,YAAoB;IACjE,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAChE,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO;IAE5C,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,mEAAmE;IACnE,yDAAyD;IACzD,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;QAC5D,CAAC,CAAE,UAAU,CAAC,kBAAkB,CAAwB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAC1G,CAAC,CAAC,EAAE,CAAC;IAEP,6DAA6D;IAC7D,gEAAgE;IAChE,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAC/B,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,6BAA6B,CAAC,QAAQ,CAAC,KAAK,CAAC,CAC1D,CAAC;IAEF,4DAA4D;IAC5D,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC;IAC9B,KAAK,MAAM,KAAK,IAAI,yBAAyB,EAAE,CAAC;QAC9C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAED,8DAA8D;IAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,CAAC;IACrD,MAAM,WAAW,GAAG,UAAU,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,IAAI,WAAW;QAAE,OAAO;IAExB,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE;YACP,GAAG,UAAU;YACb,gBAAgB,EAAE,MAAM;SACzB;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,YAAoB;IAC7D,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,IAAI,GAAG,UAAU,CAAC,kBAAkB,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAAC,YAAoB;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAK,QAAQ,CAAC,aAAa,CAAyB,CAAC,OAAO,CAAC,CAAC;QACvH,CAAC,CAAC,CAAE,QAAQ,CAAC,aAAa,CAAkC,CAAC,KAAK,CAAC;QACnE,CAAC,CAAC,EAAE,CAAC;IAEP,+DAA+D;IAC/D,mEAAmE;IACnE,4DAA4D;IAC5D,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CACpC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,yBAAyB,CAAC,CACrF,CAAC;IAEF,MAAM,KAAK,GAAa,CAAC,GAAG,SAAS,EAAE,GAAG,wBAAwB,CAAC,CAAC;IAEpE,MAAM,mBAAmB,GAAI,QAAQ,CAAC,aAAa,CAAyC,IAAI,EAAE,CAAC;IACnG,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,WAAW,EAAE;YACX,GAAG,mBAAmB;YACtB,KAAK;SACN;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IAE1C,wDAAwD;IACxD,uEAAuE;IACvE,qEAAqE;IACrE,2DAA2D;IAC3D,0DAA0D;IAC1D,oEAAoE;IACpE,sCAAsC;IACtC,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CACjC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CACrE,CAAC;IAEF,MAAM,WAAW,GAAyB;QACxC;YACE,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;SACzD;QACD;YACE,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;SACjE;KACF,CAAC;IAEF,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,KAAK,EAAE;YACL,GAAG,KAAK;YACR,UAAU,EAAE,CAAC,GAAG,SAAS,EAAE,GAAG,WAAW,CAAC;SAC3C;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@groundnuty/macf",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.10",
|
|
4
4
|
"description": "Multi-Agent Coordination Framework CLI — coordinate Claude Code agents via GitHub. Installs as `macf` binary; use `macf init` to set up an agent workspace, `macf update` to refresh rules + version pins.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -35,7 +35,7 @@
|
|
|
35
35
|
"test:watch": "vitest"
|
|
36
36
|
},
|
|
37
37
|
"dependencies": {
|
|
38
|
-
"@groundnuty/macf-core": "0.2.
|
|
38
|
+
"@groundnuty/macf-core": "0.2.10",
|
|
39
39
|
"commander": "^14.0.3",
|
|
40
40
|
"reflect-metadata": "^0.2.2",
|
|
41
41
|
"zod": "^4.0.0"
|
|
@@ -36,6 +36,26 @@ The rules here are topology-agnostic: they work whether the project uses a scien
|
|
|
36
36
|
|
|
37
37
|
**Why this rule matters:** Reporter-owns-closure gives the reporter a chance to verify the fix matches their intent before the issue disappears from their queue. In a multi-agent workflow, the reporter often has context the implementer doesn't (why it was filed at that priority, what the acceptance criteria really meant, what adjacent work it blocks). Auto-close strips that context; reflexive handoff on self-filed issues wastes it.
|
|
38
38
|
|
|
39
|
+
**Inversion warning — closure direction is independent of who implemented the fix.** A common failure mode after PR-merge handoffs: the reporter mistakes the implementer for the closer because the implementer just finished the work. Rule 1A says **reporter** owns closure, NOT **fix-author**:
|
|
40
|
+
|
|
41
|
+
*(The 4 cases below assume merge-by-implementer per `pr-discipline.md` — `implementer == merger`. Different topologies expand the table accordingly.)*
|
|
42
|
+
|
|
43
|
+
- **You filed the issue + you implemented the PR + you merged it** → **you close** (you're both reporter AND implementer).
|
|
44
|
+
- **You filed the issue + a peer implemented the PR + the peer merged it** → **you still close** (you're the reporter; the peer is implementer-but-not-reporter; their action ends at "post handoff comment + stop" per failure mode A).
|
|
45
|
+
- **A peer filed the issue + you implemented + you merged the PR** → **the peer closes** (they're the reporter; you @mention them with `ready for you to close when verified` per failure mode A).
|
|
46
|
+
- **A peer filed the issue + a peer implemented + a peer merged the PR** → **reporter closes**; you're observer.
|
|
47
|
+
|
|
48
|
+
The trap is symmetric to failure mode A. Failure mode A is "I close someone else's issue because I implemented the fix" (forgetting that fix-author ≠ reporter); the inverse is "I tell the implementer to self-close my issue because they merged the fix" (same forgetting, opposite direction). Both are the same conceptual mistake — substituting fix-authorship for issue-reportership.
|
|
49
|
+
|
|
50
|
+
**Reinforced self-check after any PR-merge that addresses an issue:**
|
|
51
|
+
|
|
52
|
+
gh issue view <N> --json author --jq '.author.login'
|
|
53
|
+
|
|
54
|
+
- Output is YOUR login → **YOU close** with verification comment (regardless of who implemented). Run `gh issue close <N> --reason completed --comment "..."`.
|
|
55
|
+
- Output is the peer's login → **THEY close**. Post `@<author> PR #M merged, ready for you to close when verified.` and STOP. Don't try to delegate the closure mechanics back to yourself.
|
|
56
|
+
|
|
57
|
+
This check is one cheap shell command; the inversion is silent (the recipient may not catch it if they're not paying attention to attribution).
|
|
58
|
+
|
|
39
59
|
2. **Work through the queue without prompting.** When an issue is complete, check your assigned-label queue and pick up the next one immediately. Do NOT ask the reporter to ping you or reply "continue" before starting. Only wait when (a) your PR is in review, or (b) the queue is empty. If an issue is ambiguous, ask clarifying questions on that issue and move to the next queued one while waiting.
|
|
40
60
|
|
|
41
61
|
3. **Never remove your own agent label.** Status labels (`in-progress`, `in-review`, `blocked`) swap as work moves; assignment labels stay.
|
|
@@ -154,8 +174,14 @@ The helper is distributed to every agent workspace by `macf init` and refreshed
|
|
|
154
174
|
|
|
155
175
|
### Canonical tmux launch pattern
|
|
156
176
|
|
|
157
|
-
**One session per agent, named `<project>@<agent>`.**
|
|
177
|
+
**One session per agent, named `<project>@<agent>`.** Post-v0.2.10, `claude.sh` self-wraps in tmux with this naming structurally — bare `./claude.sh` produces the canonical session. Pre-v0.2.10 consumers (and operators wanting manual launch) use the explicit form:
|
|
158
178
|
|
|
179
|
+
# Post-v0.2.10 (canonical, structural — recommended for new consumers):
|
|
180
|
+
cd /path/to/academic-resume && ./claude.sh
|
|
181
|
+
# Self-wraps in tmux session "academic-resume@cv-architect" automatically.
|
|
182
|
+
# Re-attaches if the session exists; creates new if not.
|
|
183
|
+
|
|
184
|
+
# Pre-v0.2.10 (manual wrap, still works post-v0.2.10 with MACF_NO_TMUX_WRAP=1):
|
|
159
185
|
tmux new-session -d -s "academic-resume@cv-architect" \
|
|
160
186
|
"cd /path/to/academic-resume && ./claude.sh"
|
|
161
187
|
|
|
@@ -172,6 +198,10 @@ The helper is distributed to every agent workspace by `macf init` and refreshed
|
|
|
172
198
|
|
|
173
199
|
**Migration** from a single-session multi-window setup: `tmux rename-session -t <old-name> <new-name>` per agent.
|
|
174
200
|
|
|
201
|
+
**Path-2 promotion (macf#313, v0.2.10):** the canonical session-naming rule is now structurally enforced by `claude.sh` itself. Consumer workspaces converging on v0.2.10+ via `macf update --plugin` get the self-wrap automatically; substrate launchers (operator-authored, NOT generated by `claude-sh.ts` template) are unaffected. For mixed-version fleets, pre-v0.2.10 consumers continue to need the explicit `tmux new-session` wrap until they update.
|
|
202
|
+
|
|
203
|
+
**Opt-out (post-v0.2.10):** `MACF_NO_TMUX_WRAP=1 ./claude.sh` skips the self-wrap. For operator-driven manual launches outside tmux, debug sessions, single-shot CLI use, CI environments. Sister convention to `MACF_OTEL_DISABLED=1`, `MACF_SKIP_TOKEN_CHECK=1`, `MACF_SKIP_MENTION_CHECK=1`.
|
|
204
|
+
|
|
175
205
|
---
|
|
176
206
|
|
|
177
207
|
## Token & Git Hygiene
|
|
@@ -58,7 +58,9 @@ If a comment contains both describing and addressing references to the same agen
|
|
|
58
58
|
|
|
59
59
|
For any comment or PR body that contains agent handles, grep the draft:
|
|
60
60
|
|
|
61
|
-
grep -nE '@
|
|
61
|
+
grep -nE '@[a-zA-Z][a-zA-Z0-9_-]*\[bot\]' <draft-file>
|
|
62
|
+
|
|
63
|
+
(This pattern matches the broadened `HANDLE_PATTERN` documented in §7 — covers macf-* fleet, future CV fleet, and third-party bots like `dependabot[bot]` / `github-actions[bot]`.)
|
|
62
64
|
|
|
63
65
|
For each line returned: is this line an action ask (raw stays) or a content reference (backticks wrap)?
|
|
64
66
|
|
|
@@ -108,15 +110,41 @@ The rule is cheap to apply, symmetric across the fleet, and eliminates a class o
|
|
|
108
110
|
|
|
109
111
|
## 7. Structural enforcement — `check-mention-routing.sh` PreToolUse hook
|
|
110
112
|
|
|
111
|
-
Per `groundnuty/macf#244` + `#272
|
|
113
|
+
Per `groundnuty/macf#244` + `#272`, this rule is enforced by a Claude Code PreToolUse hook on `Bash` tool calls. The hook intercepts `gh issue comment` / `gh pr comment` / `gh issue close --comment` / `gh pr close --comment` invocations, parses the `--body` content, and runs **two checks** that BLOCK (`exit 2` with stderr explanation):
|
|
114
|
+
|
|
115
|
+
- **Check B — must-not-leak (macf#272, shipped PR #275):** raw `@<bot>[bot]` patterns in describing-context positions (mid-line, not backticked, not at line-start) would fire false-positive routing per §5. Applies to all comment-emit subcommands including `gh (issue|pr) close --comment` (leak prevention is independent of recipient semantics).
|
|
116
|
+
- **Check A — must-have-mention (macf#244):** comment bodies with zero routing-active `@<bot>[bot]` mentions silently fail to reach the recipient peer agent per §Communication 2 ("a comment without @mention is invisible to the recipient agent"). Routing-active = NOT wrapped in backticks; both line-start addressing AND mid-line describing-leaks count toward the active total. Applies only to `gh (issue|pr) comment` — close subcommands are bypassed because self-close verification comments are canonically reporter-internal (no recipient).
|
|
112
117
|
|
|
113
118
|
The hook is the same shape as `check-gh-token.sh` (#140 attribution-trap defense) — bash command-type hook distributed via `macf init` / `macf update` / `macf rules refresh` to every workspace's `.claude/scripts/check-mention-routing.sh` with the entry registered in `.claude/settings.json` `hooks.PreToolUse`. Substrate workspaces, tester agents, CV consumers, and future MACF-consumer projects all get the protection uniformly.
|
|
114
119
|
|
|
115
120
|
**Heuristic** (subject to refinement; documented for transparency):
|
|
116
121
|
|
|
117
|
-
- Already wrapped in backticks (`` `@<bot>[bot]` ``) → allowed (canonical describing form §5)
|
|
118
|
-
- At line-start (after optional whitespace, blockquote `>`, or list-item markers `* ` / `- ` / `1. `) → allowed (canonical addressing form §3)
|
|
119
|
-
-
|
|
122
|
+
- Already wrapped in backticks (`` `@<bot>[bot]` ``) → routing-suppressed; allowed (canonical describing form §5); does NOT count toward Check A
|
|
123
|
+
- At line-start (after optional whitespace, blockquote `>`, or list-item markers `* ` / `- ` / `1. `) → routing-active; allowed by Check B (canonical addressing form §3); counts toward Check A
|
|
124
|
+
- Mid-line raw mention → routing-active; Check B BLOCK with stderr citing this rule + the offending line + the `MACF_SKIP_MENTION_CHECK=1` operator override
|
|
125
|
+
- Zero routing-active mentions in body (Check A) → BLOCK; only fires when neither line-start addressing nor (any other) routing-active mention is present
|
|
126
|
+
|
|
127
|
+
**Pattern scope (broadened per macf#276):** the hook's `HANDLE_PATTERN` matches ANY `@<handle>[bot]` shape — not just `@macf-*-agent[bot]`. Specifically:
|
|
128
|
+
|
|
129
|
+
```
|
|
130
|
+
HANDLE_PATTERN='@[a-zA-Z][a-zA-Z0-9_-]*[[]bot[]]'
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
Coverage:
|
|
134
|
+
|
|
135
|
+
- **macf-* fleet** (`macf-code-agent`, `macf-science-agent`, `macf-tester-N-agent`, `macf-devops-agent`) — original target.
|
|
136
|
+
- **Future CV fleet** (`cv-architect`, `academic-resume-author`, similar shapes) — naming convention may not follow `<prefix>-*-agent`; the broadened pattern accommodates whatever shapes consumer projects choose.
|
|
137
|
+
- **Future MACF-consumer fleets** — same logic; durable across naming conventions.
|
|
138
|
+
- **Third-party bots** (`dependabot`, `github-actions`) — these don't fire MACF routing (not in the agent registry, so the routing-Action workflow drops them silently), but blocking their describing-context use is consistent style. Operators can use `MACF_SKIP_MENTION_CHECK=1` for the rare legitimate describing-context use of a third-party bot handle.
|
|
139
|
+
|
|
140
|
+
The first-character-must-be-letter constraint excludes `@1bot[bot]` / `@_bot[bot]` / `@-bot[bot]` / `@[bot]` (no handle body) — none of which are valid GitHub handles anyway.
|
|
141
|
+
|
|
142
|
+
**Note on code blocks (clarification per macf#277):** The hook does NOT parse Markdown structure. Triple-backtick fences and 4-space-indent code blocks are both currently passed by the hook, but the *mechanism* differs:
|
|
143
|
+
|
|
144
|
+
- **Triple-backtick code blocks** — pass via the *adjacent-backtick check* in the heuristic (the `` ` `` characters bracketing the block satisfy the "already wrapped in backticks" predicate at the handle's character positions).
|
|
145
|
+
- **4-space-indented code blocks** — pass via the *line-start addressing allowance*, not via code-block recognition. The leading whitespace satisfies the line-start regex `^[[:space:]>]*([0-9]+\.[[:space:]]+|[-*][[:space:]]+)?` ahead of `@<bot>[bot]`, so the line is treated as addressing form (§3) and allowed. Same outcome as the triple-backtick case, different reasoning.
|
|
146
|
+
|
|
147
|
+
This is a heuristic side-effect, not an explicit code-block parser. If a future refinement tightens the line-start allowance (e.g., requires the FIRST non-whitespace character on the line to be `@`), 4-space-indented examples would need explicit backtick-wrapping or the `MACF_SKIP_MENTION_CHECK=1` override on the affected `gh ... comment` invocation. GitHub's renderer parses code blocks correctly regardless — the documented routing-firing risk (§2) is unaffected by the hook's heuristic.
|
|
120
148
|
|
|
121
149
|
**False-positive trade-off:** The heuristic leans toward false-positive over false-negative. Edge cases the heuristic flags:
|
|
122
150
|
|
|
@@ -57,6 +57,20 @@ if [[ "$COMMAND" =~ gh[[:space:]]+(issue|pr)[[:space:]]+close ]] && [[ ! "$COMMA
|
|
|
57
57
|
exit 0
|
|
58
58
|
fi
|
|
59
59
|
|
|
60
|
+
# Track whether this is a `close` subcommand. Check A
|
|
61
|
+
# (must-have-mention; macf#244) does NOT apply to close subcommands —
|
|
62
|
+
# self-close verification comments are canonically no-recipient
|
|
63
|
+
# (reporter-internal verification per coordination.md §Issue Lifecycle 1
|
|
64
|
+
# case 2 self-close pattern: "Verified on main after PR #M merged.
|
|
65
|
+
# Closing as reporter."). The close action itself is the routing-end
|
|
66
|
+
# signal, not a routing-active comment requiring an addressed @mention.
|
|
67
|
+
# Check B (must-not-leak; describing-context) still applies on close
|
|
68
|
+
# subcommands — leak prevention is independent of recipient semantics.
|
|
69
|
+
IS_CLOSE_SUBCOMMAND=false
|
|
70
|
+
if [[ "$COMMAND" =~ gh[[:space:]]+(issue|pr)[[:space:]]+close ]]; then
|
|
71
|
+
IS_CLOSE_SUBCOMMAND=true
|
|
72
|
+
fi
|
|
73
|
+
|
|
60
74
|
# `--body-file` reads content from a file path; we don't lint file
|
|
61
75
|
# contents (the file may not exist at hook-fire time, or may be
|
|
62
76
|
# regenerated). Accept the trade-off and allow. The canonical rule
|
|
@@ -85,12 +99,43 @@ fi
|
|
|
85
99
|
# inside prose, not at line-start. Operator discipline catches the residual.
|
|
86
100
|
# awk regex: `[[]` and `[]]` express literal `[` and `]` in a char class
|
|
87
101
|
# context (awk's `\[` escape would either warn-and-strip or be ambiguous
|
|
88
|
-
# across awk variants).
|
|
89
|
-
#
|
|
90
|
-
|
|
102
|
+
# across awk variants).
|
|
103
|
+
#
|
|
104
|
+
# Pattern scope (broadened per macf#276): matches ANY `@<handle>[bot]`
|
|
105
|
+
# rather than only `@macf-*-agent[bot]`. First char must be a letter
|
|
106
|
+
# (excludes leading digit/underscore/hyphen forms which aren't valid
|
|
107
|
+
# GitHub handles anyway); body accepts alphanumeric / underscore /
|
|
108
|
+
# hyphen so digit-suffixed and multi-segment handles match.
|
|
109
|
+
#
|
|
110
|
+
# Covers: macf-* fleet (`macf-code-agent`, `macf-science-agent`,
|
|
111
|
+
# `macf-tester-N-agent`, `macf-devops-agent`); future CV fleet
|
|
112
|
+
# (`cv-architect`, `academic-resume-author`, similar shapes); future
|
|
113
|
+
# MACF-consumer fleets that may not follow the `macf-*-agent` naming
|
|
114
|
+
# convention; AND third-party bots (`dependabot`, `github-actions`).
|
|
115
|
+
# Third-party bots don't fire MACF routing (not in agent registry),
|
|
116
|
+
# but blocking their describing-context use is consistent style — and
|
|
117
|
+
# operators can use `MACF_SKIP_MENTION_CHECK=1` for the rare legitimate
|
|
118
|
+
# describing reference. The cost of generalization is small; the
|
|
119
|
+
# benefit (fleet-agnostic protection) is durable.
|
|
120
|
+
HANDLE_PATTERN='@[a-zA-Z][a-zA-Z0-9_-]*[[]bot[]]'
|
|
91
121
|
|
|
92
|
-
|
|
122
|
+
# Single AWK pass produces TWO outputs (line-prefix-discriminated):
|
|
123
|
+
# - `LEAK:<line_no>: <line>` — describing-context leaks (Check B,
|
|
124
|
+
# groundnuty/macf#272). Reported once per offending line.
|
|
125
|
+
# - `ACTIVE_COUNT:<n>` — total routing-active @mentions across the
|
|
126
|
+
# entire body (Check A, groundnuty/macf#244). Routing-active =
|
|
127
|
+
# NOT wrapped in backticks. Both line-start addressing AND mid-line
|
|
128
|
+
# describing-leaks are routing-active; only the backticked form is
|
|
129
|
+
# routing-suppressed. If this count is 0, the comment has no
|
|
130
|
+
# recipient — Check A blocks.
|
|
131
|
+
AWK_OUTPUT="$(awk -v pat="$HANDLE_PATTERN" '
|
|
132
|
+
BEGIN { active_count = 0 }
|
|
93
133
|
{
|
|
134
|
+
# Track which lines we have already reported a leak for, so a line
|
|
135
|
+
# with multiple offenders surfaces once (existing Check B behavior
|
|
136
|
+
# — preserved verbatim across the Check A extension).
|
|
137
|
+
line_already_reported = 0
|
|
138
|
+
|
|
94
139
|
# Process every match on this line. After each match, advance the
|
|
95
140
|
# search-substring past it (RSTART+RLENGTH from the original line $0
|
|
96
141
|
# tracked via abs_offset).
|
|
@@ -104,15 +149,22 @@ OFFENDING="$(awk -v pat="$HANDLE_PATTERN" '
|
|
|
104
149
|
char_before = (abs_start - 1 >= 1) ? substr($0, abs_start - 1, 1) : ""
|
|
105
150
|
char_after = substr($0, abs_end, 1)
|
|
106
151
|
|
|
107
|
-
# Already-backticked? Allowed describing form (§5).
|
|
152
|
+
# Already-backticked? Allowed describing form (§5). Routing-suppressed
|
|
153
|
+
# — does NOT count toward Check A active-mention total.
|
|
108
154
|
if (char_before == "`" && char_after == "`") {
|
|
109
155
|
line = substr(line, RSTART + RLENGTH)
|
|
110
156
|
abs_offset = abs_start + RLENGTH - 1
|
|
111
157
|
continue
|
|
112
158
|
}
|
|
113
159
|
|
|
160
|
+
# Routing-active (NOT backticked). Counts toward Check A regardless
|
|
161
|
+
# of position (line-start addressing AND mid-line describing both
|
|
162
|
+
# fire routing — the backtick suppression is the only routing-mute).
|
|
163
|
+
active_count++
|
|
164
|
+
|
|
114
165
|
# Line-start (after optional whitespace, blockquote, or list-item
|
|
115
|
-
# markers)? Allowed addressing form (§3)
|
|
166
|
+
# markers)? Allowed addressing form (§3) — Check B passes; Check A
|
|
167
|
+
# already incremented above.
|
|
116
168
|
prefix = substr($0, 1, abs_start - 1)
|
|
117
169
|
if (prefix ~ /^[[:space:]>]*([0-9]+\.[[:space:]]+|[-*][[:space:]]+)?$/) {
|
|
118
170
|
line = substr(line, RSTART + RLENGTH)
|
|
@@ -120,13 +172,27 @@ OFFENDING="$(awk -v pat="$HANDLE_PATTERN" '
|
|
|
120
172
|
continue
|
|
121
173
|
}
|
|
122
174
|
|
|
123
|
-
# Mid-line raw mention — describing-context leak.
|
|
124
|
-
|
|
125
|
-
|
|
175
|
+
# Mid-line raw mention — describing-context leak (Check B BLOCK).
|
|
176
|
+
# Report once per line; counter still increments for additional
|
|
177
|
+
# matches on the same line so Check A sees the complete picture.
|
|
178
|
+
if (!line_already_reported) {
|
|
179
|
+
print "LEAK:" NR ": " $0
|
|
180
|
+
line_already_reported = 1
|
|
181
|
+
}
|
|
182
|
+
line = substr(line, RSTART + RLENGTH)
|
|
183
|
+
abs_offset = abs_start + RLENGTH - 1
|
|
126
184
|
}
|
|
127
185
|
}
|
|
186
|
+
END { print "ACTIVE_COUNT:" active_count }
|
|
128
187
|
' <<<"$COMMAND")"
|
|
129
188
|
|
|
189
|
+
# `grep` returns 1 when no matches; under `set -euo pipefail` that
|
|
190
|
+
# propagates as the script's exit code without `|| true`. The Check A
|
|
191
|
+
# happy-path (no leaks) needs OFFENDING to be empty without the hook
|
|
192
|
+
# itself dying — the explicit fall-through is required.
|
|
193
|
+
OFFENDING="$(grep '^LEAK:' <<<"$AWK_OUTPUT" | sed 's/^LEAK://' || true)"
|
|
194
|
+
ACTIVE_COUNT="$(grep '^ACTIVE_COUNT:' <<<"$AWK_OUTPUT" | sed 's/^ACTIVE_COUNT://' || true)"
|
|
195
|
+
|
|
130
196
|
if [[ -n "$OFFENDING" ]]; then
|
|
131
197
|
cat >&2 <<ERR
|
|
132
198
|
BLOCKED by MACF mention-routing-hygiene hook: this comment contains raw
|
|
@@ -157,4 +223,41 @@ ERR
|
|
|
157
223
|
exit 2
|
|
158
224
|
fi
|
|
159
225
|
|
|
226
|
+
# Check A (groundnuty/macf#244): must-have-mention. Comment-emit commands
|
|
227
|
+
# must contain at least one routing-active @<bot>[bot] mention. Without
|
|
228
|
+
# one, the comment is "invisible" to other agents — coordination.md
|
|
229
|
+
# §Communication 2 names this as the silent-failure mode.
|
|
230
|
+
#
|
|
231
|
+
# Bypassed for `gh (issue|pr) close --comment` — self-close verification
|
|
232
|
+
# comments are canonically no-recipient (reporter-internal). The close
|
|
233
|
+
# action itself signals routing-end; no addressed mention required.
|
|
234
|
+
if [[ "$IS_CLOSE_SUBCOMMAND" == "false" ]] && [[ "$ACTIVE_COUNT" == "0" ]]; then
|
|
235
|
+
cat >&2 <<ERR
|
|
236
|
+
BLOCKED by MACF mention-routing-hygiene hook: this comment has zero
|
|
237
|
+
routing-active @<bot>[bot] mentions. Per coordination.md §Communication 2:
|
|
238
|
+
|
|
239
|
+
"@mention in EVERY comment. Routing depends on it. A comment without
|
|
240
|
+
@mention is invisible to the recipient agent."
|
|
241
|
+
|
|
242
|
+
Without a routing-active mention, the comment is silently invisible to
|
|
243
|
+
peer agents — they have no notification that you posted, even if the
|
|
244
|
+
issue/PR is on their assigned-label queue.
|
|
245
|
+
|
|
246
|
+
Fix: add an addressing mention naming the recipient:
|
|
247
|
+
@<recipient-handle>[bot] <your message>
|
|
248
|
+
|
|
249
|
+
Examples (where <recipient> is the issue reporter, PR reviewer, etc.):
|
|
250
|
+
@macf-science-agent[bot] PR #N ready for review.
|
|
251
|
+
@macf-code-agent[bot] LGTM, you can merge.
|
|
252
|
+
|
|
253
|
+
Override (ONLY for legitimate no-recipient cases — rare; status posts
|
|
254
|
+
on self-filed-self-closed issues, or test-orchestration scratch comments):
|
|
255
|
+
export MACF_SKIP_MENTION_CHECK=1
|
|
256
|
+
|
|
257
|
+
Refs: groundnuty/macf#244 (this check); coordination.md §Communication 2
|
|
258
|
+
(canonical rule, distributed via \`macf rules refresh\`).
|
|
259
|
+
ERR
|
|
260
|
+
exit 2
|
|
261
|
+
fi
|
|
262
|
+
|
|
160
263
|
exit 0
|