@guilz-dev/belay 0.1.0 → 0.2.0

package/dist/core/approval.js

@@ -1,13 +1,21 @@
+/** Cursor may invoke the same shell gate more than once per retry; lease covers that window. */
+export const APPROVAL_EXECUTION_LEASE_MS = 60_000;
 export function nowIso() {
     return new Date().toISOString();
 }
 export function isExpired(approval) {
     return Date.parse(approval.expiresAt) <= Date.now();
 }
+export function isExecutionLeaseExpired(approval) {
+    if (!approval.executionLeaseExpiresAt) {
+        return false;
+    }
+    return Date.parse(approval.executionLeaseExpiresAt) <= Date.now();
+}
 export function compactApprovals(state) {
     return {
         version: state.version,
-        approvals: state.approvals.filter((approval) => !isExpired(approval)),
+        approvals: state.approvals.filter((approval) => !isExpired(approval) && !isExecutionLeaseExpired(approval)),
     };
 }
 export function mergeApprovalStates(target, source) {
@@ -31,8 +39,15 @@ export function escapeRegex(value) {
 }
 export function approvalCommandMatch(prompt, tokenPrefix) {
     const escapedPrefix = escapeRegex(tokenPrefix);
-    const match = prompt.match(new RegExp(`^\\s*${escapedPrefix}\\s+(\\S+)\\s*$`, 'i'));
-    return match?.[1] ?? null;
+    const linePattern = new RegExp(`^\\s*${escapedPrefix}\\s+(\\S+)\\s*$`, 'i');
+    for (const line of prompt.split(/\r?\n/)) {
+        if (!line.trim()) {
+            continue;
+        }
+        const match = line.match(linePattern);
+        return match?.[1] ?? null;
+    }
+    return null;
 }
 export function buildRetryInstruction(tokenPrefix, approvalId) {
     return `To allow the next matching action once, send ${tokenPrefix} ${approvalId} and then retry the original action unchanged.`;

package/dist/core/audit-query.js

@@ -1,6 +1,10 @@
 import { GATE_EVENTS } from './audit-types.js';
 export function toAuditRecord(value) {
-    return value;
+    const record = { ...value };
+    if (record.by === 'v2') {
+        record.by = 'verdict';
+    }
+    return record;
 }
 export function parseTimestamp(value) {
     if (!value) {

package/dist/core/classify-tool.js

@@ -3,7 +3,7 @@ import { canonicalStringify, toolFingerprint } from './fingerprint.js';
 import { matchesSensitivePath } from './glob.js';
 import { pathWithinRoot, relativeWithinRepo } from './path-utils.js';
 import { scrubValue } from './scrub.js';
-import { classifyShell } from './v2/adapter.js';
+import { classifyShell } from './verdict/adapter.js';
 const DEFAULT_SENSITIVE_PATHS = ['.env', '.env.*', '**/credentials/**'];
 const FILE_WRITE_TOOL_NAMES = new Set(['write']);
 const FILE_EDIT_TOOL_NAMES = new Set([

package/dist/core/config.d.ts

@@ -155,7 +155,7 @@ export declare const DEFAULT_CONFIDENCE_THRESHOLDS: BelayConfidenceThresholds;
 export declare const DEFAULT_MODEL_ASSIST: BelayModelAssistConfig;
 export declare const DEFAULT_TRANSACTIONAL_V3: BelayTransactionalConfig;
 export declare const LEGACY_POLICY_V3: BelayPolicyConfig;
-/** Fresh v0.4+ install defaults (fail-closed). */
+/** Fresh install defaults: recoverable-first with opaque/unparseable fail-closed. */
 export declare const DEFAULT_POLICY_V3: BelayPolicyConfig;
 export declare const DEFAULT_OVERRIDES_V3: BelayOverridesConfig;
 export declare const DEFAULT_REDACTION_V3: BelayRedactionConfig;

package/dist/core/config.js

@@ -45,9 +45,9 @@ export const LEGACY_POLICY_V3 = {
     transactional: { ...DEFAULT_TRANSACTIONAL_V3 },
     fenceWarnThreshold: DEFAULT_FENCE_WARN_THRESHOLD,
 };
-/** Fresh v0.4+ install defaults (fail-closed). */
+/** Fresh install defaults: recoverable-first with opaque/unparseable fail-closed. */
 export const DEFAULT_POLICY_V3 = {
-    unknownLocalEffect: 'deny',
+    unknownLocalEffect: 'allow_flagged',
     unparseableShell: 'deny',
     codexUnmappedTool: 'deny',
     confidenceThresholds: { ...DEFAULT_CONFIDENCE_THRESHOLDS },

package/dist/core/gate-contract.d.ts

@@ -28,7 +28,7 @@ export interface GateVerdict extends GatePermissionResponse {
     approvalId?: string;
     wouldBlock: boolean;
     mode: 'enforce' | 'audit';
-    v2?: ClassifyResult['v2'];
+    axes?: ClassifyResult['axes'];
 }
 export declare function isGatedAction(value: unknown): value is GatedAction;
 export declare function classifyResultToGateVerdict(params: {

package/dist/core/gate-contract.js

@@ -25,7 +25,7 @@ export function classifyResultToGateVerdict(params) {
         approvalId,
         user_message,
         agent_message,
-        v2: result.v2,
+        axes: result.axes,
     };
 }
 export function unnormalizedGateVerdict(params) {

package/dist/core/gate-engine.js

@@ -5,7 +5,7 @@ import { classifyToolUse } from './classify-tool.js';
 import { classifierOptionsFromConfig } from './config.js';
 import { GATE_CONTRACT_VERSION } from './gate-contract.js';
 import { mergeAgentAssessment } from './judgment.js';
-import { classifyShell } from './v2/adapter.js';
+import { classifyShell } from './verdict/adapter.js';
 export class GateNormalizationError extends Error {
     reason = 'normalization_failed';
     constructor(message) {
@@ -98,7 +98,7 @@ function applyShellPeripheralPolicy(command, action, result, options) {
         (result.reason === 'outside_repo_mutation' ||
             result.reason === 'outside_repo_redirect' ||
             result.reason === 'repo_outside_mutation' ||
-            result.v2?.location === 'repo_outside')) {
+            result.axes?.location === 'repo_outside')) {
         const outsideRepoPaths = collectOutsideRepoPaths(command, action.cwd, action.repoRoot);
         if (outsideRepoPaths.length > 0 &&
             options.fsScopeAllowlist &&

package/dist/core/index.d.ts

@@ -1,4 +1,4 @@
-export { approvalCommandMatch, buildRetryInstruction, compactApprovals, createApprovalRecord, isExpired, mergeApprovalStates, nowIso, } from './approval.js';
+export { APPROVAL_EXECUTION_LEASE_MS, approvalCommandMatch, buildRetryInstruction, compactApprovals, createApprovalRecord, isExecutionLeaseExpired, isExpired, mergeApprovalStates, nowIso, } from './approval.js';
 export type { AuditMetricsReport } from './audit-metrics.js';
 export { computeAuditMetrics, parseAuditNdjson } from './audit-metrics.js';
 export { classifySubagent } from './classify-subagent.js';
@@ -16,4 +16,4 @@ export { findCommandSubstitutions, MAX_SUBSTITUTION_DEPTH } from './shell-substi
 export type { TransactionalDiffEvaluation, TransactionalExecutionResult, } from './transactional/index.js';
 export { isTransactionalEligible, runTransactionalExecution } from './transactional/index.js';
 export type { ApprovalRecord, ApprovalStateFile, Assessment, ClassifierOptions, ClassifyResult, HookVerdict, Reversibility, ScrubOptions, UnknownLocalEffectPolicy, } from './types.js';
-export { buildVerdictContext, classifyShell, verdict, verdictToClassifyResult, } from './v2/index.js';
+export { buildVerdictContext, classifyShell, verdict, verdictToClassifyResult, } from './verdict/index.js';

package/dist/core/index.js

@@ -1,4 +1,4 @@
-export { approvalCommandMatch, buildRetryInstruction, compactApprovals, createApprovalRecord, isExpired, mergeApprovalStates, nowIso, } from './approval.js';
+export { APPROVAL_EXECUTION_LEASE_MS, approvalCommandMatch, buildRetryInstruction, compactApprovals, createApprovalRecord, isExecutionLeaseExpired, isExpired, mergeApprovalStates, nowIso, } from './approval.js';
 export { computeAuditMetrics, parseAuditNdjson } from './audit-metrics.js';
 export { classifySubagent } from './classify-subagent.js';
 export { classifyToolUse } from './classify-tool.js';
@@ -12,4 +12,4 @@ export { canonicalPath, hasOutsideRepoPath, normalizeToken, pathWithinRoot, rela
 export { scrubString, scrubValue } from './scrub.js';
 export { findCommandSubstitutions, MAX_SUBSTITUTION_DEPTH } from './shell-substitution.js';
 export { isTransactionalEligible, runTransactionalExecution } from './transactional/index.js';
-export { buildVerdictContext, classifyShell, verdict, verdictToClassifyResult, } from './v2/index.js';
+export { buildVerdictContext, classifyShell, verdict, verdictToClassifyResult, } from './verdict/index.js';

package/dist/core/judge-config.d.ts

@@ -1,6 +1,9 @@
 import type { BelayJudgeConfig } from './config.js';
-export type JudgeProfileName = 'local-ollama';
+export type JudgeProfileName = 'local-ollama' | 'cursor' | 'claude' | 'codex';
 export declare const JUDGE_PROFILE_LOCAL_OLLAMA: BelayJudgeConfig;
+export declare const JUDGE_PROFILE_CURSOR: BelayJudgeConfig;
+export declare const JUDGE_PROFILE_CLAUDE: BelayJudgeConfig;
+export declare const JUDGE_PROFILE_CODEX: BelayJudgeConfig;
 export declare const JUDGE_PROFILES: Record<JudgeProfileName, BelayJudgeConfig>;
 export interface ResolveJudgeConfigInput {
     judgeProfile?: JudgeProfileName;
@@ -26,4 +29,5 @@ export declare function resolveInitJudgeConfig(input: {
     judgeEndpoint?: string;
     acceptCloudJudge?: boolean;
     existingJudge?: BelayJudgeConfig;
+    defaultJudgeProfile?: JudgeProfileName;
 }): BelayJudgeConfig;

package/dist/core/judge-config.js

@@ -6,8 +6,24 @@ export const JUDGE_PROFILE_LOCAL_OLLAMA = {
     timeoutMs: 25000,
     keepAlive: '30m',
 };
+export const JUDGE_PROFILE_CURSOR = {
+    provider: 'openai-compatible',
+    model: 'auto',
+    endpoint: 'https://api.openai.com/v1',
+    timeoutMs: 8000,
+    keepAlive: null,
+};
+export const JUDGE_PROFILE_CLAUDE = {
+    ...JUDGE_PROFILE_CURSOR,
+};
+export const JUDGE_PROFILE_CODEX = {
+    ...JUDGE_PROFILE_CURSOR,
+};
 export const JUDGE_PROFILES = {
     'local-ollama': JUDGE_PROFILE_LOCAL_OLLAMA,
+    cursor: JUDGE_PROFILE_CURSOR,
+    claude: JUDGE_PROFILE_CLAUDE,
+    codex: JUDGE_PROFILE_CODEX,
 };
 export function resolveJudgeConfig(input = {}) {
     if (input.judgeProvider) {
@@ -81,5 +97,5 @@ export function resolveInitJudgeConfig(input) {
         assertJudgeEndpoint(judge);
         return judge;
     }
-    return resolveJudgeConfig({ judgeProfile: 'local-ollama' });
+    return resolveJudgeConfig({ judgeProfile: input.defaultJudgeProfile ?? 'cursor' });
 }

package/dist/core/judge-doctor.js

@@ -1,8 +1,8 @@
 import { normalizeJudgeProvider, scrubOptionsFromConfig } from './config.js';
 import { resolveJudgeApiKey } from './judge-api-key.js';
 import { assertJudgeEndpoint } from './judge-config.js';
-import { createOllamaJudge, createOpenAiCompatibleJudge } from './v2/judge.js';
-import { loadPinnedJudgeModels, resolveCloudModel } from './v2/judge-factory.js';
+import { createOllamaJudge, createOpenAiCompatibleJudge } from './verdict/judge.js';
+import { loadPinnedJudgeModels, resolveCloudModel } from './verdict/judge-factory.js';
 export async function diagnoseJudge(config) {
     const issues = [];
     const warnings = [];

package/dist/core/types.d.ts

@@ -9,7 +9,7 @@ export interface Assessment {
     confidence: number;
     signals: string[];
 }
-export interface V2TraceFields {
+export interface VerdictAxes {
     location: string;
     opacity: string;
     effect: string;
@@ -33,7 +33,7 @@ export interface ClassifyResult {
     assessment: Assessment;
     normalizedCommand?: string;
     summary?: string;
-    v2?: V2TraceFields;
+    axes?: VerdictAxes;
 }
 export type UnknownLocalEffectPolicy = 'allow_flagged' | 'deny';
 export type UnparseableShellPolicy = 'allow_flagged' | 'deny';
@@ -68,7 +68,7 @@ export interface ClassifierOptions {
     brokerFsScope?: boolean;
     fsScopeAllowlist?: FsScopeAllowlistFile;
     /** Test override: inject Tier1 judge without changing config.judge. */
-    tier1Judge?: import('./v2/types.js').Tier1Judge;
+    tier1Judge?: import('./verdict/types.js').Tier1Judge;
 }
 export interface ApprovalRecord {
     approvalId: string;
@@ -80,6 +80,8 @@ export interface ApprovalRecord {
     createdAt: string;
     expiresAt: string;
     approvedAt?: string;
+    /** Short-lived lease so duplicate hook invocations for one retry can share approval. */
+    executionLeaseExpiresAt?: string;
     /** Original gated input for explain-last-ask (ApprovalState v2). */
     input?: string;
     inputKind?: 'shell' | 'tool' | 'subagent';

package/dist/core/{v2 → verdict}/adapter.js

@@ -48,6 +48,12 @@ function mapLegacyReason(result) {
     if (result.reason === 'repo_local_mutation') {
         return 'local_mutation';
     }
+    if (result.reason === 'tier1_not_restorable') {
+        return 'tier1_catastrophic';
+    }
+    if (result.reason === 'tier0_restorable' || result.reason === 'tier1_restorable') {
+        return result.effect === 'local_mutation' ? 'local_mutation' : result.reason;
+    }
     return result.reason;
 }
 export function verdictToClassifyResult(result) {
@@ -87,13 +93,13 @@ export function verdictToClassifyResult(result) {
         assessment,
         normalizedCommand: result.commandRedacted,
         summary: result.commandRedacted,
-        v2: {
+        axes: {
             location: result.location,
             opacity: result.opacity,
             effect: result.effect,
             confidence: result.confidence,
             would: result.permission,
-            by: 'v2',
+            by: 'verdict',
             commandRedacted: result.commandRedacted,
             commandFingerprint: result.fingerprint,
             signals: result.signals,
@@ -111,7 +117,7 @@ export function verdictAuditFields(result) {
         effect: result.effect,
         confidence: result.confidence,
         would: result.permission,
-        by: 'v2',
+        by: 'verdict',
         signals: result.signals,
         ...judgeTraceAuditFields(result.judgeTrace),
     };

package/dist/core/{v2 → verdict}/egress-classify.js

@@ -102,6 +102,9 @@ function classifyAws(tokens) {
     if (/\bs3\s+rm\b/.test(joined)) {
         return 'destructive';
     }
+    if (/\bs3\s+mb\b/.test(joined)) {
+        return 'destructive';
+    }
     if (/\bs3\s+sync\b/.test(joined)) {
         return 'destructive';
     }

package/dist/core/{v2 → verdict}/judge.js

@@ -2,12 +2,12 @@ import { scrubOutboundForJudge } from './judge-outbound.js';
 const SECRET_PATTERNS = [/\.env\b/i, /\.pem\b/i, /id_rsa\b/i, /credentials/i, /secrets?\b/i];
 const DESTRUCTIVE_VERBS = /\b(rm|rmtree|unlink|delete|truncate|shred|destroy|drop)\b/i;
 const GIT_PATTERNS = /\.git\b/i;
-const TIER1_PROMPT = `Answer ONLY with JSON: {"external_change":boolean,"destroys_outside_repo":boolean,"destroys_history_or_secrets":boolean,"reason":string}
-Default all three booleans to true when unsure. reason should be a short snake_case label.
+const TIER1_PROMPT = `Answer ONLY with JSON: {"external_change":boolean,"reason":string}
+reason should be a short snake_case label.
 
-external_change: CREATE/MODIFY/DELETE on database, network endpoint, cloud, remote git, registry, queue. READ/QUERY/GET is NOT a change.
-destroys_outside_repo: DELETE/OVERWRITE files OUTSIDE the current repository working tree.
-destroys_history_or_secrets: DELETE/OVERWRITE .git directory OR secret/credential files (.env, *.pem, id_rsa, credentials).
+external_change: true if this operation CREATEs, MODIFYs, DELETEs, or SENDs data to any system outside the local machine and its git repository working tree.
+READ/QUERY/GET/list/describe/SELECT/HTTP GET is NOT a change. Local build, test, and package install inside the repo are NOT external changes.
+If unsure, answer true.
 
 Command/code:
 `;
@@ -22,15 +22,13 @@ function failClosedVerdict(reason) {
 function parseTier1Json(raw) {
     try {
         const parsed = JSON.parse(raw);
-        if (typeof parsed.external_change !== 'boolean' ||
-            typeof parsed.destroys_outside_repo !== 'boolean' ||
-            typeof parsed.destroys_history_or_secrets !== 'boolean') {
+        if (typeof parsed.external_change !== 'boolean') {
             return null;
         }
         return {
-            external_change: parsed.external_change !== false,
-            destroys_outside_repo: parsed.destroys_outside_repo !== false,
-            destroys_history_or_secrets: parsed.destroys_history_or_secrets !== false,
+            external_change: parsed.external_change,
+            destroys_outside_repo: false,
+            destroys_history_or_secrets: false,
             reason: typeof parsed.reason === 'string' ? parsed.reason : 'tier1_llm',
         };
     }
@@ -260,5 +258,5 @@ export function createOpenAiCompatibleJudge(options) {
 /** @deprecated Use createOpenAiCompatibleJudge */
 export const createCursorJudge = createOpenAiCompatibleJudge;
 export function tier1RequiresAsk(verdict) {
-    return (verdict.external_change || verdict.destroys_outside_repo || verdict.destroys_history_or_secrets);
+    return verdict.external_change || verdict.destroys_history_or_secrets;
 }

package/dist/core/{v2 → verdict}/launcher-resolve.js

@@ -1,6 +1,50 @@
 import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
 const MAX_RESOLVE_DEPTH = 8;
+const PNPM_BUILTIN_COMMANDS = new Set([
+    'add',
+    'audit',
+    'cache',
+    'config',
+    'deploy',
+    'dlx',
+    'exec',
+    'fetch',
+    'help',
+    'import',
+    'init',
+    'install',
+    'i',
+    'licenses',
+    'link',
+    'list',
+    'outdated',
+    'pack',
+    'patch',
+    'patch-commit',
+    'patch-remove',
+    'publish',
+    'prune',
+    'rebuild',
+    'remove',
+    'rm',
+    'store',
+    'unlink',
+    'update',
+    'up',
+    'why',
+]);
+const PNPM_EXEC_LIKE_HEADS = new Set([
+    'vitest',
+    'vite',
+    'biome',
+    'eslint',
+    'jest',
+    'mocha',
+    'tsc',
+    'tsx',
+    'node',
+]);
 function readPackageJson(dir) {
     const packagePath = path.join(dir, 'package.json');
     if (!existsSync(packagePath)) {
@@ -57,6 +101,15 @@ function npmScriptName(tokens) {
     if (launcher[0] === 'pnpm' && launcher[1] === 'run' && launcher[2]) {
         return launcher[2];
     }
+    if (launcher[0] === 'pnpm' && launcher[1] === 'test') {
+        return 'test';
+    }
+    if (launcher[0] === 'pnpm' &&
+        launcher[1] &&
+        !launcher[1].startsWith('-') &&
+        !PNPM_BUILTIN_COMMANDS.has(launcher[1])) {
+        return launcher[1];
+    }
     if (launcher[0] === 'npm' && launcher[1] && launcher[1] !== 'run' && launcher[1] !== 'install') {
         return null;
     }
@@ -176,11 +229,29 @@ export function resolveLauncherRecipe(params) {
     const tokens = params.tokens;
     const scriptName = npmScriptName(tokens);
     if (scriptName) {
-        return resolveNpmRecipe(params.cwd, params.repoRoot, scriptName, forwardedArgs(tokens));
+        const resolution = resolveNpmRecipe(params.cwd, params.repoRoot, scriptName, forwardedArgs(tokens));
+        if (tokens[0] === 'pnpm' &&
+            tokens[1] &&
+            PNPM_EXEC_LIKE_HEADS.has(tokens[1]) &&
+            resolution.reason === 'npm_script_undefined') {
+            return {
+                recipes: [tokens.slice(1).join(' ')],
+                opaque: false,
+                reason: 'pnpm_exec_like',
+            };
+        }
+        return resolution;
     }
     if (tokens[0] === 'make' && tokens[1] && !tokens[1].startsWith('-')) {
         return resolveMakeRecipe(params.cwd, params.repoRoot, tokens[1]);
     }
+    if (tokens[0] === 'pnpm' && tokens[1] && PNPM_EXEC_LIKE_HEADS.has(tokens[1])) {
+        return {
+            recipes: [tokens.slice(1).join(' ')],
+            opaque: false,
+            reason: 'pnpm_exec_like',
+        };
+    }
     return null;
 }
 export function isRoutineLauncher(tokens) {

package/dist/core/{v2 → verdict}/verdict.js

@@ -91,6 +91,7 @@ const LOCAL_ROUTINE_HEADS = new Set([
     'make',
     'cmake',
 ]);
+const BELAY_SELF_COMMANDS = new Set(['approve', 'revoke']);
 const FIND_DANGEROUS_FLAGS = new Set(['-delete', '-exec', '-execdir', '-ok', '-okdir']);
 function isFindDangerous(tokens) {
     return tokens.some((token) => FIND_DANGEROUS_FLAGS.has(token) || token.startsWith('-exec') || token.startsWith('-ok'));
@@ -256,6 +257,11 @@ function tier0ExternalMatch(key, head, tokens) {
     }
     return false;
 }
+function isBelaySelfCommand(tokens) {
+    const head = tokens[0] ?? '';
+    const subcommand = tokens[1] ?? '';
+    return head === 'belay' && BELAY_SELF_COMMANDS.has(subcommand);
+}
 function tier0HighStakesRm(tokens, context) {
     const head = tokens[0] ?? '';
     if (head !== 'rm') {
@@ -488,6 +494,16 @@ async function evaluateSegment(command, context, depth) {
     if (rmVerdict) {
         return rmVerdict;
     }
+    if (isBelaySelfCommand(peeled)) {
+        return allowVerdict({
+            location: 'unknown',
+            opacity: 'transparent',
+            effect: 'local_mutation',
+            confidence: 'deterministic',
+            reason: 'belay_control_plane_command',
+            signals: ['belay_control_plane_command', segment.head],
+        });
+    }
     let effect = 'unknown';
     if (READ_ONLY_KEYS.has(segment.key) || READ_ONLY_KEYS.has(segment.head)) {
         effect = 'read_only';

package/dist/corpus/evaluate.js

@@ -2,8 +2,8 @@ import { readFile } from 'node:fs/promises';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { classifierOptionsFromConfig, DEFAULT_CONFIG_V3 } from '../core/config.js';
-import { classifyShell } from '../core/v2/adapter.js';
-import { createDeterministicJudgeStub } from '../core/v2/judge.js';
+import { classifyShell } from '../core/verdict/adapter.js';
+import { createDeterministicJudgeStub } from '../core/verdict/judge.js';
 export function assessmentsDiverge(predicted, observed) {
     return (predicted.reversibility !== observed.reversibility ||
         predicted.external !== observed.external ||

package/dist/installer.js

@@ -126,6 +126,7 @@ async function applyInitJudgeConfig(repoRoot, adapterName, options) {
         judgeEndpoint: options.judgeEndpoint,
         acceptCloudJudge: options.acceptCloudJudge,
         existingJudge: mergedConfig.judge,
+        defaultJudgeProfile: adapterName,
     });
     const configWithJudge = normalizeConfig({ ...mergedConfig, version: 4, judge });
     await writeConfigFile(repoRoot, configWithJudge, adapterName);

package/dist/types.d.ts

@@ -20,7 +20,7 @@ export interface InitOptions {
     adapter?: AdapterName;
     scope?: InstallScope;
     preset?: import('./presets.js').ConfigPresetName;
-    judgeProfile?: 'local-ollama';
+    judgeProfile?: 'local-ollama' | 'cursor' | 'claude' | 'codex';
     judgeProvider?: 'ollama' | 'openai-compatible' | 'cursor';
     judgeModel?: string;
     judgeEndpoint?: string;

package/dist/version.d.ts

@@ -1 +1 @@
-export declare const PACKAGE_VERSION = "0.0.1";
+export declare const PACKAGE_VERSION = "0.2.0";

package/dist/version.js

@@ -1 +1,2 @@
-export const PACKAGE_VERSION = '0.0.1';
+// Generated by scripts/sync-version.mjs — do not edit.
+export const PACKAGE_VERSION = '0.2.0';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guilz-dev/belay",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Belay-style approval and audit gating for agent runtimes.",
   "type": "module",
   "license": "MIT",
@@ -48,10 +48,13 @@
     "agent-belay-logo.png"
   ],
   "scripts": {
-    "build": "rm -rf dist && tsc -p tsconfig.build.json && node scripts/build-runtime.mjs",
+    "build": "rm -rf dist && node scripts/sync-version.mjs && tsc -p tsconfig.build.json && node scripts/build-runtime.mjs",
+    "check:version": "node scripts/check-cli-version.mjs",
+    "prepublishOnly": "pnpm build && node scripts/check-cli-version.mjs",
     "lint": "biome check src package.json README.md CHANGELOG.md CONTRIBUTING.md SECURITY.md tsconfig.json tsconfig.build.json vitest.config.ts scripts docs",
     "typecheck": "tsc --noEmit",
     "test": "pnpm build && vitest run",
+    "test:structural": "pnpm build && vitest run src/__tests__/verdict/structural-suite.test.ts",
     "test:stable": "pnpm build && vitest run && vitest run && vitest run",
     "corpus": "pnpm build && node scripts/corpus.mjs"
   },

package/skills/belay/SKILL.md

@@ -2,16 +2,30 @@
 name: belay
 description: >-
   Guides approval when belay blocks a high-risk shell command, subagent launch,
-  or tool action. Use when an action is denied, blocked, or needs belay-approve, or when
-  installing or checking belay hook health in a repository.
+  or tool action across Cursor, Claude Code, and Codex. Use when an action is
+  denied, blocked, or needs belay-approve, or when installing or checking belay
+  hook health in a repository.
 disable-model-invocation: true
 ---
 
 # Belay
 
-Belay installs repo-local hooks that gate high-risk shell commands, tool actions, and
-subagent launches. Enforcement lives in hooks; this skill only explains the flow and
-routes you to the CLI. It does not classify commands itself.
+Belay is a safety gate for coding agents: it inspects each shell command,
+subagent launch, and file mutation *before* it runs, lets safe-and-local actions
+through, and holds back only the irreversible-and-catastrophic ones for one-shot
+human approval. Every decision is written to an audit log.
+
+It runs on **Cursor**, **Claude Code**, and **Codex (experimental)**, wiring the
+same classifier into each agent through its native hooks:
+
+| Agent | Hook config |
+| --- | --- |
+| Cursor | `.cursor/hooks.json` |
+| Claude Code | `.claude/settings.json` |
+| Codex | `.codex/config.toml` |
+
+Enforcement lives in those hooks; this skill only explains the flow and routes
+you to the CLI. It does not classify commands itself.
 
 ## Prerequisites