@grwnd/pi-governance 1.2.0 → 1.3.0

package/dist/extensions/index.js

@@ -0,0 +1,1146 @@
+// src/lib/config/loader.ts
+import { existsSync, readFileSync } from "fs";
+import { parse as parseYaml } from "yaml";
+import { Value } from "@sinclair/typebox/value";
+
+// src/lib/config/schema.ts
+import { Type } from "@sinclair/typebox";
+var AuthEnvConfig = Type.Object({
+  user_var: Type.String({ default: "GRWND_USER" }),
+  role_var: Type.String({ default: "GRWND_ROLE" }),
+  org_unit_var: Type.String({ default: "GRWND_ORG_UNIT" })
+});
+var AuthLocalConfig = Type.Object({
+  users_file: Type.String({ default: "./users.yaml" })
+});
+var AuthConfig = Type.Object({
+  provider: Type.Union([Type.Literal("env"), Type.Literal("local"), Type.Literal("oidc")], {
+    default: "env"
+  }),
+  env: Type.Optional(AuthEnvConfig),
+  local: Type.Optional(AuthLocalConfig)
+});
+var YamlPolicyConfig = Type.Object({
+  rules_file: Type.String({ default: "./governance-rules.yaml" })
+});
+var OsoPolicyConfig = Type.Object({
+  polar_files: Type.Array(Type.String(), {
+    default: ["./policies/base.polar", "./policies/tools.polar"]
+  })
+});
+var PolicyConfig = Type.Object({
+  engine: Type.Union([Type.Literal("yaml"), Type.Literal("oso")], { default: "yaml" }),
+  yaml: Type.Optional(YamlPolicyConfig),
+  oso: Type.Optional(OsoPolicyConfig)
+});
+var TemplatesConfig = Type.Object({
+  directory: Type.String({ default: "./templates/" }),
+  default: Type.String({ default: "project-lead" })
+});
+var HitlWebhookConfig = Type.Object({
+  url: Type.String()
+});
+var HitlConfig = Type.Object({
+  default_mode: Type.Union(
+    [Type.Literal("autonomous"), Type.Literal("supervised"), Type.Literal("dry_run")],
+    { default: "supervised" }
+  ),
+  approval_channel: Type.Union([Type.Literal("cli"), Type.Literal("webhook")], { default: "cli" }),
+  timeout_seconds: Type.Number({ default: 300, minimum: 10, maximum: 3600 }),
+  webhook: Type.Optional(HitlWebhookConfig)
+});
+var JsonlSinkConfig = Type.Object({
+  type: Type.Literal("jsonl"),
+  path: Type.String({ default: "~/.pi/agent/audit.jsonl" })
+});
+var WebhookSinkConfig = Type.Object({
+  type: Type.Literal("webhook"),
+  url: Type.String()
+});
+var PostgresSinkConfig = Type.Object({
+  type: Type.Literal("postgres"),
+  connection: Type.String()
+});
+var AuditSinkConfig = Type.Union([JsonlSinkConfig, WebhookSinkConfig, PostgresSinkConfig]);
+var AuditConfig = Type.Object({
+  sinks: Type.Array(AuditSinkConfig, {
+    default: [{ type: "jsonl", path: "~/.pi/agent/audit.jsonl" }]
+  })
+});
+var OrgUnitOverride = Type.Object({
+  hitl: Type.Optional(Type.Partial(HitlConfig)),
+  policy: Type.Optional(
+    Type.Object({
+      extra_polar: Type.Optional(Type.String()),
+      extra_rules: Type.Optional(Type.String())
+    })
+  )
+});
+var GovernanceConfigSchema = Type.Object({
+  auth: Type.Optional(AuthConfig),
+  policy: Type.Optional(PolicyConfig),
+  templates: Type.Optional(TemplatesConfig),
+  hitl: Type.Optional(HitlConfig),
+  audit: Type.Optional(AuditConfig),
+  org_units: Type.Optional(Type.Record(Type.String(), OrgUnitOverride))
+});
+
+// src/lib/config/defaults.ts
+var DEFAULTS = {
+  auth: {
+    provider: "env",
+    env: {
+      user_var: "GRWND_USER",
+      role_var: "GRWND_ROLE",
+      org_unit_var: "GRWND_ORG_UNIT"
+    }
+  },
+  policy: {
+    engine: "yaml",
+    yaml: {
+      rules_file: "./governance-rules.yaml"
+    }
+  },
+  templates: {
+    directory: "./templates/",
+    default: "project-lead"
+  },
+  hitl: {
+    default_mode: "supervised",
+    approval_channel: "cli",
+    timeout_seconds: 300
+  },
+  audit: {
+    sinks: [{ type: "jsonl", path: "~/.pi/agent/audit.jsonl" }]
+  }
+};
+
+// src/lib/config/loader.ts
+function getConfigPaths() {
+  return [
+    process.env["GRWND_GOVERNANCE_CONFIG"],
+    ".pi/governance.yaml",
+    `${process.env["HOME"]}/.pi/agent/governance.yaml`
+  ];
+}
+function loadConfig() {
+  for (const path of getConfigPaths()) {
+    if (path && existsSync(path)) {
+      const raw = readFileSync(path, "utf-8");
+      const parsed = parseYaml(raw);
+      const resolved = resolveEnvVars(parsed);
+      const errors = [...Value.Errors(GovernanceConfigSchema, resolved)];
+      if (errors.length > 0) {
+        throw new ConfigValidationError(
+          path,
+          errors.map((e) => ({ path: e.path, message: e.message }))
+        );
+      }
+      const config = Value.Default(GovernanceConfigSchema, resolved);
+      return { config, source: path };
+    }
+  }
+  return { config: DEFAULTS, source: "built-in" };
+}
+function resolveEnvVars(obj) {
+  if (typeof obj === "string") {
+    return obj.replace(/\$\{(\w+)\}/g, (_, name) => process.env[name] ?? "");
+  }
+  if (Array.isArray(obj)) return obj.map(resolveEnvVars);
+  if (obj && typeof obj === "object") {
+    return Object.fromEntries(
+      Object.entries(obj).map(([k, v]) => [k, resolveEnvVars(v)])
+    );
+  }
+  return obj;
+}
+var ConfigValidationError = class extends Error {
+  constructor(path, errors) {
+    const details = errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+    super(`Invalid governance config at ${path}:
+${details}`);
+    this.name = "ConfigValidationError";
+  }
+};
+
+// src/lib/identity/env-provider.ts
+var EnvIdentityProvider = class {
+  constructor(userVar = "GRWND_USER", roleVar = "GRWND_ROLE", orgUnitVar = "GRWND_ORG_UNIT") {
+    this.userVar = userVar;
+    this.roleVar = roleVar;
+    this.orgUnitVar = orgUnitVar;
+  }
+  name = "env";
+  async resolve() {
+    const userId = process.env[this.userVar];
+    const role = process.env[this.roleVar];
+    const orgUnit = process.env[this.orgUnitVar];
+    if (!userId || !role) return null;
+    return {
+      userId,
+      role,
+      orgUnit: orgUnit ?? "default",
+      source: "env"
+    };
+  }
+};
+
+// src/lib/identity/local-provider.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { parse as parseYaml2 } from "yaml";
+var LocalIdentityProvider = class {
+  name = "local";
+  users;
+  constructor(usersFilePath) {
+    const raw = readFileSync2(usersFilePath, "utf-8");
+    this.users = parseYaml2(raw);
+  }
+  async resolve() {
+    const username = process.env.USER || process.env.USERNAME;
+    if (!username) return null;
+    const entry = this.users[username];
+    if (!entry) return null;
+    return {
+      userId: username,
+      role: entry.role,
+      orgUnit: entry.org_unit ?? "default",
+      source: "local"
+    };
+  }
+};
+
+// src/lib/identity/chain.ts
+var IdentityChain = class {
+  providers;
+  constructor(providers) {
+    this.providers = providers;
+  }
+  async resolve() {
+    for (const provider of this.providers) {
+      const identity = await provider.resolve();
+      if (identity) return identity;
+    }
+    return {
+      userId: "unknown",
+      role: "analyst",
+      // most restrictive role by default
+      orgUnit: "default",
+      source: "fallback"
+    };
+  }
+};
+function createIdentityChain(config) {
+  const providers = [];
+  providers.push(
+    new EnvIdentityProvider(
+      config?.env?.user_var,
+      config?.env?.role_var,
+      config?.env?.org_unit_var
+    )
+  );
+  if (config?.provider === "local" && config.local?.users_file) {
+    try {
+      providers.push(new LocalIdentityProvider(config.local.users_file));
+    } catch {
+    }
+  }
+  return new IdentityChain(providers);
+}
+
+// src/lib/policy/yaml-engine.ts
+import { readFileSync as readFileSync3 } from "fs";
+import { parse as parseYaml3 } from "yaml";
+import { minimatch } from "minimatch";
+var YamlPolicyEngine = class {
+  rules;
+  constructor(rulesFilePathOrRules) {
+    if (typeof rulesFilePathOrRules === "string") {
+      const raw = readFileSync3(rulesFilePathOrRules, "utf-8");
+      this.rules = parseYaml3(raw);
+    } else {
+      this.rules = rulesFilePathOrRules;
+    }
+  }
+  getRole(role) {
+    const r = this.rules.roles[role];
+    if (!r) {
+      throw new Error(
+        `Unknown role: ${role}. Available roles: ${Object.keys(this.rules.roles).join(", ")}`
+      );
+    }
+    return r;
+  }
+  evaluateTool(role, tool) {
+    const r = this.getRole(role);
+    if (r.blocked_tools.includes(tool)) return "deny";
+    if (r.allowed_tools.includes("all") || r.allowed_tools.includes(tool)) {
+      return "allow";
+    }
+    return "deny";
+  }
+  evaluatePath(role, _orgUnit, _operation, path) {
+    const r = this.getRole(role);
+    for (const pattern of r.blocked_paths) {
+      if (minimatch(path, pattern, { dot: true })) {
+        return "deny";
+      }
+    }
+    for (const pattern of r.allowed_paths) {
+      const resolved = pattern.replace("{{project_path}}", process.cwd());
+      if (minimatch(path, resolved, { dot: true })) {
+        return "allow";
+      }
+    }
+    return "deny";
+  }
+  requiresApproval(role, tool) {
+    const r = this.getRole(role);
+    if (r.human_approval.auto_approve?.includes(tool)) return false;
+    if (r.human_approval.required_for.includes("all")) return true;
+    return r.human_approval.required_for.includes(tool);
+  }
+  getExecutionMode(role) {
+    return this.getRole(role).execution_mode;
+  }
+  getTemplateName(role) {
+    return this.getRole(role).prompt_template;
+  }
+  getBashOverrides(role) {
+    const r = this.getRole(role);
+    const overrides = r.bash_overrides;
+    if (!overrides) return {};
+    return {
+      additionalBlocked: overrides.additional_blocked?.map((p) => new RegExp(p)),
+      additionalAllowed: overrides.additional_allowed?.map((p) => new RegExp(p))
+    };
+  }
+  getTokenBudget(role) {
+    return this.getRole(role).token_budget_daily;
+  }
+};
+
+// src/lib/bash/patterns.ts
+var SAFE_PATTERNS = [
+  // File viewing
+  /^(cat|head|tail|less|more)\s/,
+  /^(file|stat|wc|md5sum|sha256sum)\s/,
+  // Directory listing
+  /^(ls|ll|la|tree|du|df)\b/,
+  /^(pwd|cd)\b/,
+  // Searching
+  /^(grep|rg|ag|ack|find|fd|locate)\s/,
+  /^(which|whereis|type|command)\s/,
+  // Text processing (read-only)
+  /^(sort|uniq|cut|awk|sed)\s.*(?!-i)/,
+  // sed without -i (in-place)
+  /^(tr|diff|comm|join|paste)\s/,
+  /^(jq|yq|xmlstarlet)\s/,
+  // Git (read-only operations)
+  /^git\s+(log|status|diff|show|blame|branch|tag|remote|stash list)\b/,
+  /^git\s+(ls-files|ls-tree|rev-parse|describe)\b/,
+  // System info
+  /^(whoami|id|groups|uname|hostname|date|uptime|env|printenv)\b/,
+  /^(echo|printf)\s/,
+  // Package info (not install)
+  /^(npm|yarn|pnpm)\s+(list|ls|info|show|view|outdated|audit)\b/,
+  /^pip\s+(list|show|freeze)\b/,
+  /^(node|python|ruby|go)\s+--version\b/,
+  /^(node|python|ruby)\s+-e\s/,
+  // Networking (read-only)
+  /^(ping|dig|nslookup|host|traceroute|tracepath)\s/,
+  /^curl\s.*--head\b/,
+  /^curl\s.*-I\b/,
+  // Additional file viewing / inspection
+  /^(basename|dirname|realpath|readlink)\s/,
+  /^(xxd|od|hexdump)\s/,
+  /^(strings|nm|objdump)\s/,
+  // Additional search / navigation
+  /^(xargs)\s/,
+  /^(tee)\s/,
+  // Additional text processing (read-only)
+  /^(fmt|fold|column|expand|unexpand)\s/,
+  /^(tac|rev|nl)\s/,
+  /^(yes|seq|shuf)\s/,
+  // Additional system info
+  /^(lsof|ps|top|htop|vmstat|iostat|free|df)\b/,
+  /^(lscpu|lsblk|lsusb|lspci)\b/,
+  /^(nproc|getconf)\b/,
+  // Additional git read-only
+  /^git\s+(config\s+--get|config\s+-l|shortlog|reflog|cherry)\b/,
+  /^git\s+(cat-file|count-objects|fsck|verify-pack)\b/
+];
+var DANGEROUS_PATTERNS = [
+  // Destructive file operations
+  /\brm\s+(-[a-zA-Z]*r|-[a-zA-Z]*f|--recursive|--force)\b/,
+  /\brm\s+-[a-zA-Z]*rf\b/,
+  /\bshred\b/,
+  // Privilege escalation
+  /\bsudo\b/,
+  /\bsu\s+-?\s*\w/,
+  /\bdoas\b/,
+  // Permission/ownership changes
+  /\bchmod\b/,
+  /\bchown\b/,
+  /\bchgrp\b/,
+  // Disk/partition operations
+  /\bdd\b.*\bof=/,
+  /\bmkfs\b/,
+  /\bfdisk\b/,
+  /\bparted\b/,
+  /\bmount\b/,
+  /\bumount\b/,
+  // Remote code execution
+  /\bcurl\b.*\|\s*(bash|sh|zsh|python|perl|ruby)\b/,
+  /\bwget\b.*\|\s*(bash|sh|zsh|python|perl|ruby)\b/,
+  /\bcurl\b.*>\s*.*\.sh\s*&&/,
+  // Remote access
+  /\bssh\b/,
+  /\bscp\b/,
+  /\brsync\b.*:\//,
+  /\bnc\s+(-[a-zA-Z]*l|-[a-zA-Z]*p|--listen)\b/,
+  /\bncat\b/,
+  /\bsocat\b/,
+  /\btelnet\b/,
+  // System modification
+  /\bsystemctl\s+(start|stop|restart|enable|disable)\b/,
+  /\bservice\s+\w+\s+(start|stop|restart)\b/,
+  /\biptables\b/,
+  /\bufw\b/,
+  /\bfirewall-cmd\b/,
+  // Package installation (can run arbitrary post-install scripts)
+  /\bnpm\s+(install|i|add|ci)\b/,
+  /\byarn\s+(add|install)\b/,
+  /\bpnpm\s+(add|install|i)\b/,
+  /\bpip\s+install\b/,
+  /\bapt(-get)?\s+install\b/,
+  /\bbrew\s+install\b/,
+  /\bcargo\s+install\b/,
+  // Environment variable manipulation (can leak secrets)
+  /\bexport\b.*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,
+  // Cron / scheduled tasks
+  /\bcrontab\b/,
+  /\bat\s+/,
+  // Container escape vectors
+  /\bdocker\s+(run|exec|build|push|pull)\b/,
+  /\bkubectl\s+(exec|run|apply|delete)\b/,
+  // Process manipulation
+  /\bkill\b/,
+  /\bkillall\b/,
+  /\bpkill\b/,
+  // History manipulation
+  /\bhistory\s+-c\b/,
+  /\bunset\s+HISTFILE\b/,
+  // Compiler/build (can execute arbitrary code)
+  /\bmake\s/,
+  /\bgcc\b/,
+  /\bg\+\+/
+];
+
+// src/lib/bash/classifier.ts
+var BashClassifier = class {
+  safePatterns;
+  dangerousPatterns;
+  constructor(overrides) {
+    this.safePatterns = [...SAFE_PATTERNS, ...overrides?.additionalAllowed ?? []];
+    this.dangerousPatterns = [...DANGEROUS_PATTERNS, ...overrides?.additionalBlocked ?? []];
+  }
+  classify(command) {
+    const trimmed = command.trim();
+    for (const pattern of this.dangerousPatterns) {
+      if (pattern.test(trimmed)) return "dangerous";
+    }
+    const segments = this.splitCommand(trimmed);
+    if (segments.length > 1) {
+      const classifications = segments.map((s) => this.classifySingle(s));
+      if (classifications.includes("dangerous")) return "dangerous";
+      if (classifications.includes("needs_review")) return "needs_review";
+      return "safe";
+    }
+    return this.classifySingle(trimmed);
+  }
+  classifySingle(command) {
+    const trimmed = command.trim();
+    for (const pattern of this.dangerousPatterns) {
+      if (pattern.test(trimmed)) return "dangerous";
+    }
+    for (const pattern of this.safePatterns) {
+      if (pattern.test(trimmed)) return "safe";
+    }
+    return "needs_review";
+  }
+  splitCommand(command) {
+    const segments = [];
+    let current = "";
+    let inSingleQuote = false;
+    let inDoubleQuote = false;
+    let escaped = false;
+    for (let i = 0; i < command.length; i++) {
+      const char = command[i];
+      if (escaped) {
+        current += char;
+        escaped = false;
+        continue;
+      }
+      if (char === "\\") {
+        escaped = true;
+        current += char;
+        continue;
+      }
+      if (char === "'" && !inDoubleQuote) {
+        inSingleQuote = !inSingleQuote;
+        current += char;
+        continue;
+      }
+      if (char === '"' && !inSingleQuote) {
+        inDoubleQuote = !inDoubleQuote;
+        current += char;
+        continue;
+      }
+      if (!inSingleQuote && !inDoubleQuote) {
+        if (char === "|" && command[i + 1] !== "|") {
+          segments.push(current.trim());
+          current = "";
+          continue;
+        }
+        if (char === ";") {
+          segments.push(current.trim());
+          current = "";
+          continue;
+        }
+        if (char === "&" && command[i + 1] === "&") {
+          segments.push(current.trim());
+          current = "";
+          i++;
+          continue;
+        }
+        if (char === "|" && command[i + 1] === "|") {
+          segments.push(current.trim());
+          current = "";
+          i++;
+          continue;
+        }
+      }
+      current += char;
+    }
+    if (current.trim()) segments.push(current.trim());
+    return segments.filter((s) => s.length > 0);
+  }
+};
+
+// src/lib/audit/logger.ts
+import { randomUUID } from "crypto";
+
+// src/lib/audit/sinks/jsonl.ts
+import { appendFile, mkdir } from "fs/promises";
+import { dirname } from "path";
+import { homedir } from "os";
+var JsonlAuditSink = class {
+  path;
+  buffer = [];
+  flushThreshold = 10;
+  constructor(path) {
+    this.path = path.replace(/^~/, homedir());
+  }
+  async write(record) {
+    this.buffer.push(record);
+    if (this.buffer.length >= this.flushThreshold) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const lines = this.buffer.map((r) => JSON.stringify(r)).join("\n") + "\n";
+    this.buffer = [];
+    await mkdir(dirname(this.path), { recursive: true });
+    await appendFile(this.path, lines, "utf-8");
+  }
+};
+
+// src/lib/audit/sinks/webhook.ts
+var WebhookAuditSink = class {
+  url;
+  buffer = [];
+  flushThreshold = 10;
+  constructor(url) {
+    this.url = url;
+  }
+  async write(record) {
+    this.buffer.push(record);
+    if (this.buffer.length >= this.flushThreshold) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.buffer.length === 0) return;
+    const records = [...this.buffer];
+    this.buffer = [];
+    try {
+      await this.send(records);
+    } catch {
+      try {
+        await this.send(records);
+      } catch {
+      }
+    }
+  }
+  async send(records) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 1e4);
+    try {
+      const response = await fetch(this.url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(records),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        throw new Error(`Webhook returned ${response.status}`);
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+
+// src/lib/audit/logger.ts
+var AuditLogger = class {
+  sinks;
+  counts = /* @__PURE__ */ new Map();
+  constructor(config) {
+    const sinkConfigs = config?.sinks ?? [
+      { type: "jsonl", path: "~/.pi/agent/audit.jsonl" }
+    ];
+    this.sinks = [];
+    for (const sc of sinkConfigs) {
+      if (sc.type === "jsonl") {
+        this.sinks.push(new JsonlAuditSink(sc.path ?? "~/.pi/agent/audit.jsonl"));
+      } else if (sc.type === "webhook" && sc.url) {
+        this.sinks.push(new WebhookAuditSink(sc.url));
+      }
+    }
+    if (this.sinks.length === 0) {
+      this.sinks.push(new JsonlAuditSink("~/.pi/agent/audit.jsonl"));
+    }
+  }
+  async log(record) {
+    const full = {
+      ...record,
+      id: randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.counts.set(full.event, (this.counts.get(full.event) ?? 0) + 1);
+    await Promise.all(this.sinks.map((s) => s.write(full)));
+  }
+  async flush() {
+    await Promise.all(this.sinks.map((s) => s.flush()));
+  }
+  getSummary() {
+    return new Map(this.counts);
+  }
+};
+
+// src/lib/hitl/cli-approver.ts
+var CliApprover = class {
+  ui;
+  timeoutSeconds;
+  constructor(ui, timeoutSeconds = 300) {
+    this.ui = ui;
+    this.timeoutSeconds = timeoutSeconds;
+  }
+  async requestApproval(toolCall, context) {
+    const title = `Approval Required: ${toolCall.toolName}`;
+    const inputSummary = Object.entries(toolCall.input).map(
+      ([k, v]) => `  ${k}: ${typeof v === "string" ? v.slice(0, 200) : JSON.stringify(v).slice(0, 200)}`
+    ).join("\n");
+    const message = `User: ${context.userId} (${context.role})
+Org: ${context.orgUnit}
+
+Tool: ${toolCall.toolName}
+Input:
+${inputSummary}`;
+    const start = Date.now();
+    try {
+      const approved = await this.ui.confirm(title, message, {
+        timeout: this.timeoutSeconds * 1e3
+      });
+      return {
+        approved,
+        approver: "cli",
+        duration: Date.now() - start,
+        reason: approved ? void 0 : "Denied by user"
+      };
+    } catch {
+      return {
+        approved: false,
+        approver: "cli",
+        duration: Date.now() - start,
+        reason: "Approval timed out"
+      };
+    }
+  }
+};
+
+// src/lib/hitl/webhook-approver.ts
+var WebhookApprover = class {
+  url;
+  timeoutMs;
+  constructor(url, timeoutSeconds = 300) {
+    this.url = url;
+    this.timeoutMs = timeoutSeconds * 1e3;
+  }
+  async requestApproval(toolCall, context) {
+    const start = Date.now();
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const response = await fetch(this.url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          toolCall: { toolName: toolCall.toolName, input: toolCall.input },
+          context
+        }),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        return {
+          approved: false,
+          approver: "webhook",
+          duration: Date.now() - start,
+          reason: `Webhook returned ${response.status}`
+        };
+      }
+      const body = await response.json();
+      return {
+        approved: body.approved,
+        approver: "webhook",
+        duration: Date.now() - start,
+        reason: body.reason
+      };
+    } catch (err) {
+      return {
+        approved: false,
+        approver: "webhook",
+        duration: Date.now() - start,
+        reason: err instanceof Error && err.name === "AbortError" ? "Webhook timed out" : "Webhook request failed"
+      };
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+
+// src/lib/hitl/approval.ts
+function createApprovalFlow(config, ui) {
+  if (config.approval_channel === "webhook" && config.webhook?.url) {
+    return new WebhookApprover(config.webhook.url, config.timeout_seconds);
+  }
+  if (!ui) {
+    throw new Error("CLI approval channel requires a ConfirmUI (ExtensionContext.ui)");
+  }
+  return new CliApprover(ui, config.timeout_seconds);
+}
+
+// src/lib/budget/tracker.ts
+var BudgetTracker = class {
+  _used = 0;
+  _budget;
+  constructor(budget) {
+    this._budget = budget;
+  }
+  /** Returns false if consuming would exceed the budget. On success, increments the counter. */
+  consume(amount = 1) {
+    if (this._budget === -1) {
+      this._used += amount;
+      return true;
+    }
+    if (this._used + amount > this._budget) return false;
+    this._used += amount;
+    return true;
+  }
+  remaining() {
+    if (this._budget === -1) return Infinity;
+    return Math.max(0, this._budget - this._used);
+  }
+  used() {
+    return this._used;
+  }
+  isUnlimited() {
+    return this._budget === -1;
+  }
+};
+
+// src/lib/config/watcher.ts
+import { watch, readFileSync as readFileSync4 } from "fs";
+import { parse as parseYaml4 } from "yaml";
+import { Value as Value2 } from "@sinclair/typebox/value";
+var ConfigWatcher = class {
+  watcher;
+  debounceTimer;
+  configPath;
+  onChange;
+  onError;
+  constructor(configPath, onChange, onError) {
+    this.configPath = configPath;
+    this.onChange = onChange;
+    this.onError = onError;
+  }
+  start() {
+    if (this.watcher) return;
+    this.watcher = watch(this.configPath, () => this.handleChange());
+  }
+  stop() {
+    if (this.debounceTimer) {
+      clearTimeout(this.debounceTimer);
+      this.debounceTimer = void 0;
+    }
+    if (this.watcher) {
+      this.watcher.close();
+      this.watcher = void 0;
+    }
+  }
+  handleChange() {
+    if (this.debounceTimer) clearTimeout(this.debounceTimer);
+    this.debounceTimer = setTimeout(() => this.reload(), 500);
+  }
+  reload() {
+    try {
+      const raw = readFileSync4(this.configPath, "utf-8");
+      const parsed = parseYaml4(raw);
+      const errors = [...Value2.Errors(GovernanceConfigSchema, parsed)];
+      if (errors.length > 0) {
+        const msg = errors.map((e) => `${e.path}: ${e.message}`).join("; ");
+        this.onError?.(new Error(`Config validation failed: ${msg}`));
+        return;
+      }
+      const config = Value2.Default(GovernanceConfigSchema, parsed);
+      this.onChange(config);
+    } catch (err) {
+      this.onError?.(err instanceof Error ? err : new Error(String(err)));
+    }
+  }
+};
+
+// src/extensions/index.ts
+var PATH_TOOLS = {
+  read: "path",
+  write: "path",
+  edit: "file_path",
+  grep: "path",
+  find: "path",
+  ls: "path"
+};
+var WRITE_TOOLS = /* @__PURE__ */ new Set(["write", "edit"]);
+function summarizeParams(toolName, input) {
+  switch (toolName) {
+    case "bash": {
+      const cmd = typeof input["command"] === "string" ? input["command"] : "";
+      return { command: cmd.slice(0, 100) + (cmd.length > 100 ? "..." : "") };
+    }
+    case "read":
+      return { path: input["path"] };
+    case "write":
+      return { path: input["path"] };
+    case "edit":
+      return { file_path: input["file_path"] };
+    case "grep":
+      return { pattern: input["pattern"], path: input["path"] };
+    case "find":
+    case "ls":
+      return { path: input["path"] };
+    default:
+      return {};
+  }
+}
+function extractPath(toolName, input) {
+  const key = PATH_TOOLS[toolName];
+  if (!key) return void 0;
+  const val = input[key];
+  return typeof val === "string" ? val : void 0;
+}
+var piGovernance = (pi) => {
+  let config;
+  let policyEngine;
+  let audit;
+  let approvalFlow;
+  let bashClassifier;
+  let identity;
+  let executionMode;
+  let sessionId;
+  let budgetTracker;
+  let configWatcher;
+  const stats = { allowed: 0, denied: 0, approvals: 0, dryRun: 0, budgetExceeded: 0 };
+  pi.on("session_start", async (_event, ctx) => {
+    sessionId = ctx.sessionId;
+    const loaded = loadConfig();
+    config = loaded.config;
+    const chain = createIdentityChain(config.auth);
+    identity = await chain.resolve();
+    const rulesFile = config.policy?.yaml?.rules_file ?? "./governance-rules.yaml";
+    policyEngine = new YamlPolicyEngine(rulesFile);
+    executionMode = policyEngine.getExecutionMode(identity.role);
+    const bashOverrides = policyEngine.getBashOverrides(identity.role);
+    bashClassifier = new BashClassifier(bashOverrides);
+    audit = new AuditLogger(config.audit);
+    if (executionMode === "supervised") {
+      try {
+        approvalFlow = createApprovalFlow(
+          {
+            default_mode: config.hitl?.default_mode ?? "supervised",
+            approval_channel: config.hitl?.approval_channel ?? "cli",
+            timeout_seconds: config.hitl?.timeout_seconds ?? 300,
+            webhook: config.hitl?.webhook
+          },
+          ctx.ui
+        );
+      } catch {
+      }
+    }
+    const budget = policyEngine.getTokenBudget(identity.role);
+    budgetTracker = new BudgetTracker(budget);
+    if (loaded.source !== "built-in") {
+      configWatcher = new ConfigWatcher(
+        loaded.source,
+        (newConfig) => {
+          config = newConfig;
+          const newRulesFile = newConfig.policy?.yaml?.rules_file ?? "./governance-rules.yaml";
+          policyEngine = new YamlPolicyEngine(newRulesFile);
+          const newOverrides = policyEngine.getBashOverrides(identity.role);
+          bashClassifier = new BashClassifier(newOverrides);
+          audit.log({
+            sessionId,
+            event: "config_reloaded",
+            userId: identity.userId,
+            role: identity.role,
+            orgUnit: identity.orgUnit,
+            metadata: { source: loaded.source }
+          });
+          ctx.ui.notify("Governance config reloaded", "info");
+        },
+        (error) => {
+          ctx.ui.notify(`Config reload failed: ${error.message}`, "warning");
+        }
+      );
+      configWatcher.start();
+    }
+    await audit.log({
+      sessionId,
+      event: "session_start",
+      userId: identity.userId,
+      role: identity.role,
+      orgUnit: identity.orgUnit,
+      metadata: { source: loaded.source, executionMode }
+    });
+    ctx.ui.setStatus("governance", `Governance: ${identity.role} (${executionMode})`);
+    ctx.ui.notify(
+      `Governance active \u2014 Role: ${identity.role} | Mode: ${executionMode} | Org: ${identity.orgUnit}`,
+      "info"
+    );
+  });
+  pi.on("tool_call", async (event, _ctx) => {
+    const { toolName, input } = event;
+    const params = summarizeParams(toolName, input);
+    const baseRecord = {
+      sessionId,
+      userId: identity.userId,
+      role: identity.role,
+      orgUnit: identity.orgUnit,
+      tool: toolName,
+      input: params
+    };
+    if (executionMode === "dry_run") {
+      stats.dryRun++;
+      await audit.log({
+        ...baseRecord,
+        event: "tool_dry_run",
+        decision: "blocked",
+        reason: "Dry-run mode"
+      });
+      return { block: true, reason: "Dry-run mode: tool execution blocked for observation" };
+    }
+    if (!budgetTracker.consume()) {
+      stats.budgetExceeded++;
+      await audit.log({
+        ...baseRecord,
+        event: "budget_exceeded",
+        decision: "denied",
+        reason: `Budget exhausted (${budgetTracker.used()} invocations used)`
+      });
+      return {
+        block: true,
+        reason: `Tool invocation budget exhausted (${budgetTracker.used()} used). Session limit reached.`
+      };
+    }
+    const toolDecision = policyEngine.evaluateTool(identity.role, toolName);
+    if (toolDecision === "deny") {
+      stats.denied++;
+      await audit.log({
+        ...baseRecord,
+        event: "tool_denied",
+        decision: "denied",
+        reason: "Policy denied tool"
+      });
+      return { block: true, reason: `Policy denies ${identity.role} from using ${toolName}` };
+    }
+    if (toolName === "bash") {
+      const command = typeof input["command"] === "string" ? input["command"] : "";
+      const classification = bashClassifier.classify(command);
+      if (classification === "dangerous") {
+        stats.denied++;
+        await audit.log({
+          ...baseRecord,
+          event: "bash_denied",
+          decision: "denied",
+          reason: "Dangerous command"
+        });
+        return { block: true, reason: `Dangerous bash command blocked: ${command.slice(0, 80)}` };
+      }
+      if (classification === "needs_review" && policyEngine.requiresApproval(identity.role, "bash")) {
+        if (approvalFlow) {
+          stats.approvals++;
+          await audit.log({ ...baseRecord, event: "approval_requested" });
+          const result = await approvalFlow.requestApproval(
+            { toolName, input },
+            { userId: identity.userId, role: identity.role, orgUnit: identity.orgUnit }
+          );
+          if (result.approved) {
+            await audit.log({
+              ...baseRecord,
+              event: "approval_granted",
+              duration: result.duration
+            });
+          } else {
+            stats.denied++;
+            await audit.log({
+              ...baseRecord,
+              event: "approval_denied",
+              reason: result.reason,
+              duration: result.duration
+            });
+            return { block: true, reason: result.reason ?? "Approval denied" };
+          }
+        } else {
+          stats.denied++;
+          await audit.log({
+            ...baseRecord,
+            event: "tool_denied",
+            decision: "denied",
+            reason: "Requires approval but no approval channel"
+          });
+          return {
+            block: true,
+            reason: "Bash command requires approval but no approval channel is configured"
+          };
+        }
+      }
+    }
+    const path = extractPath(toolName, input);
+    if (path) {
+      const operation = WRITE_TOOLS.has(toolName) ? "write" : "read";
+      const pathDecision = policyEngine.evaluatePath(
+        identity.role,
+        identity.orgUnit,
+        operation,
+        path
+      );
+      if (pathDecision === "deny") {
+        stats.denied++;
+        await audit.log({
+          ...baseRecord,
+          event: "path_denied",
+          decision: "denied",
+          reason: `Path denied: ${path}`
+        });
+        return { block: true, reason: `Access denied to path: ${path}` };
+      }
+    }
+    if (toolName !== "bash" && policyEngine.requiresApproval(identity.role, toolName)) {
+      if (approvalFlow) {
+        stats.approvals++;
+        await audit.log({ ...baseRecord, event: "approval_requested" });
+        const result = await approvalFlow.requestApproval(
+          { toolName, input },
+          { userId: identity.userId, role: identity.role, orgUnit: identity.orgUnit }
+        );
+        if (result.approved) {
+          await audit.log({ ...baseRecord, event: "approval_granted", duration: result.duration });
+        } else {
+          stats.denied++;
+          await audit.log({
+            ...baseRecord,
+            event: "approval_denied",
+            reason: result.reason,
+            duration: result.duration
+          });
+          return { block: true, reason: result.reason ?? "Approval denied" };
+        }
+      }
+    }
+    stats.allowed++;
+    await audit.log({ ...baseRecord, event: "tool_allowed", decision: "allowed" });
+    return void 0;
+  });
+  pi.on("tool_result", async (event, _ctx) => {
+    await audit.log({
+      sessionId,
+      event: "tool_result",
+      userId: identity.userId,
+      role: identity.role,
+      orgUnit: identity.orgUnit,
+      tool: event.toolName,
+      input: summarizeParams(event.toolName, event.input),
+      metadata: { isError: event.isError }
+    });
+  });
+  pi.on("session_shutdown", async (_event, _ctx) => {
+    configWatcher?.stop();
+    await audit.log({
+      sessionId,
+      event: "session_end",
+      userId: identity.userId,
+      role: identity.role,
+      orgUnit: identity.orgUnit,
+      metadata: {
+        stats: { ...stats },
+        budget: { used: budgetTracker.used(), remaining: budgetTracker.remaining() },
+        summary: Object.fromEntries(audit.getSummary())
+      }
+    });
+    await audit.flush();
+  });
+  pi.registerCommand("governance", {
+    description: "Governance status and controls",
+    handler: async (args, ctx) => {
+      const subcommand = args.trim().split(/\s+/)[0] ?? "";
+      if (subcommand === "status") {
+        const summary = audit.getSummary();
+        const budgetInfo = budgetTracker.isUnlimited() ? "unlimited" : `${budgetTracker.used()} / ${budgetTracker.used() + budgetTracker.remaining()} (${budgetTracker.remaining()} remaining)`;
+        const lines = [
+          `Role: ${identity.role}`,
+          `Org Unit: ${identity.orgUnit}`,
+          `Mode: ${executionMode}`,
+          `Session: ${sessionId}`,
+          `Budget: ${budgetInfo}`,
+          "",
+          "Session Stats:",
+          `  Allowed: ${stats.allowed}`,
+          `  Denied: ${stats.denied}`,
+          `  Approvals: ${stats.approvals}`,
+          `  Dry-run blocks: ${stats.dryRun}`,
+          `  Budget exceeded: ${stats.budgetExceeded}`,
+          "",
+          "Audit Events:",
+          ...[...summary.entries()].map(([k, v]) => `  ${k}: ${v}`)
+        ];
+        ctx.ui.notify(lines.join("\n"), "info");
+      } else {
+        ctx.ui.notify("Usage: /governance status", "info");
+      }
+    }
+  });
+};
+var extensions_default = piGovernance;
+export {
+  extensions_default as default
+};
+//# sourceMappingURL=index.js.map