@guilz-dev/belay 0.1.0

package/dist/core/egress-approval.js

@@ -0,0 +1,129 @@
+import { randomUUID } from 'node:crypto';
+import { compactApprovals, createApprovalRecord } from './approval.js';
+import { issueApprovalToken } from './approval-token.js';
+import { configuredControlPlaneDir } from './config.js';
+import { addDomainToAllowlist, loadEgressAllowlist, saveEgressAllowlist, } from './egress/allowlist.js';
+import { parseHostFromSummary } from './egress/fingerprint.js';
+import { notifyDeny } from './notify.js';
+export async function ensurePendingEgressApproval(params) {
+    const { config, repoRoot, policyResult, store } = params;
+    const pending = await store.loadPending();
+    pending.state = compactApprovals(pending.state);
+    const existing = pending.state.approvals.find((approval) => approval.kind === 'egress' &&
+        approval.fingerprint === policyResult.fingerprint &&
+        approval.repoRoot === repoRoot);
+    if (existing) {
+        await store.writePending(pending.filePath, pending.state);
+        return { approvalId: existing.approvalId, approval: existing, created: false };
+    }
+    const approvalId = `belay_${randomUUID().replaceAll('-', '').slice(0, 12)}`;
+    const approval = createApprovalRecord({
+        kind: 'egress',
+        fingerprint: policyResult.fingerprint,
+        repoRoot,
+        reason: policyResult.reason,
+        summary: policyResult.summary,
+        approvalTtlMinutes: config.approvalTtlMinutes,
+        approvalId,
+    });
+    pending.state.approvals.push(approval);
+    await store.writePending(pending.filePath, pending.state);
+    return { approvalId, approval, created: true };
+}
+const consumeLocks = new Map();
+async function withConsumeLock(key, fn) {
+    const previous = consumeLocks.get(key) ?? Promise.resolve();
+    let release;
+    const gate = new Promise((resolve) => {
+        release = resolve;
+    });
+    consumeLocks.set(key, previous.then(() => gate));
+    await previous;
+    try {
+        return await fn();
+    }
+    finally {
+        release();
+        if (consumeLocks.get(key) === gate) {
+            consumeLocks.delete(key);
+        }
+    }
+}
+export async function consumeApprovedEgress(params) {
+    const lockKey = `${params.repoRoot}:${params.fingerprint}`;
+    return withConsumeLock(lockKey, async () => {
+        const approved = await params.store.loadApproved();
+        approved.state = compactApprovals(approved.state);
+        const index = approved.state.approvals.findIndex((approval) => approval.kind === 'egress' &&
+            approval.fingerprint === params.fingerprint &&
+            approval.repoRoot === params.repoRoot);
+        if (index === -1) {
+            await params.store.writeApproved(approved.filePath, approved.state);
+            return null;
+        }
+        const [approval] = approved.state.approvals.splice(index, 1);
+        await params.store.writeApproved(approved.filePath, approved.state);
+        return approval;
+    });
+}
+export async function notifyEgressDeny(params) {
+    if (!params.config.notifications.webhookUrl && !params.config.notifications.commandHook) {
+        return;
+    }
+    let approvalToken;
+    if (params.config.approvalSigning.required) {
+        try {
+            approvalToken = await issueApprovalToken({
+                approvalId: params.approval.approvalId,
+                fingerprint: params.approval.fingerprint,
+                repoRoot: params.approval.repoRoot,
+                issuedAt: params.approval.createdAt,
+                expiresAt: params.approval.expiresAt,
+            }, configuredControlPlaneDir(params.config));
+        }
+        catch {
+            approvalToken = undefined;
+        }
+    }
+    await notifyDeny(params.config.notifications, {
+        approvalId: params.approval.approvalId,
+        reason: params.policyResult.reason,
+        summary: params.policyResult.summary,
+        repoRoot: params.repoRoot,
+        fingerprint: params.policyResult.fingerprint,
+        approvalToken,
+    });
+}
+export async function recordEgressApproval(params) {
+    const { recordApproval } = await import('./approval-service.js');
+    const pending = await params.store.loadPending();
+    const match = pending.state.approvals.find((approval) => approval.approvalId === params.approvalId);
+    const host = match ? parseHostFromSummary(match.summary) : null;
+    if (params.scope === 'domain' && match && !host) {
+        return {
+            ok: false,
+            message: `Cannot add domain to egress allowlist: could not parse host from summary "${match.summary}".`,
+        };
+    }
+    const result = await recordApproval({
+        approvalId: params.approvalId,
+        config: params.config,
+        token: params.token,
+        requireSignedToken: params.requireSignedToken ?? false,
+        store: params.store,
+    });
+    if (!result.ok || params.scope !== 'domain' || !host) {
+        return { ok: result.ok, message: result.message };
+    }
+    const allowlist = await loadEgressAllowlist(params.store.allowlistPath);
+    const updated = addDomainToAllowlist(allowlist, {
+        host,
+        approvedAt: new Date().toISOString(),
+        approvalId: params.approvalId,
+    });
+    await saveEgressAllowlist(params.store.allowlistPath, updated);
+    return {
+        ok: true,
+        message: `${result.message} Domain ${host} added to egress allowlist.`,
+    };
+}

package/dist/core/fingerprint.d.ts

@@ -0,0 +1,6 @@
+export declare function canonicalStringify(value: unknown): string;
+export declare function hashValue(value: string): string;
+export declare function shellFingerprint(cwdRelative: string, normalizedCommand: string): string;
+export declare function subagentFingerprint(kind: string, scrubbed: unknown, repoRoot: string): string;
+export declare function toolFingerprint(toolName: string, scrubbed: unknown, repoRoot: string): string;
+export { egressFingerprint } from './egress/fingerprint.js';

package/dist/core/fingerprint.js

@@ -0,0 +1,24 @@
+import { createHash } from 'node:crypto';
+export function canonicalStringify(value) {
+    if (value === null || typeof value !== 'object') {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => canonicalStringify(item)).join(',')}]`;
+    }
+    const entries = Object.entries(value).sort(([left], [right]) => left.localeCompare(right));
+    return `{${entries.map(([key, child]) => `${JSON.stringify(key)}:${canonicalStringify(child)}`).join(',')}}`;
+}
+export function hashValue(value) {
+    return createHash('sha256').update(value).digest('hex');
+}
+export function shellFingerprint(cwdRelative, normalizedCommand) {
+    return hashValue(`shell:${cwdRelative}:${normalizedCommand}`);
+}
+export function subagentFingerprint(kind, scrubbed, repoRoot) {
+    return hashValue(`subagent:${kind}:${canonicalStringify(scrubbed)}:${repoRoot}`);
+}
+export function toolFingerprint(toolName, scrubbed, repoRoot) {
+    return hashValue(`tool:${toolName}:${canonicalStringify(scrubbed)}:${repoRoot}`);
+}
+export { egressFingerprint } from './egress/fingerprint.js';

package/dist/core/gate-contract.d.ts

@@ -0,0 +1,48 @@
+import type { Assessment, ClassifyResult, HookVerdict } from './types.js';
+export declare const GATE_CONTRACT_VERSION: 1;
+export type GatedActionKind = 'shell' | 'subagent' | 'tool';
+export interface GatedAction {
+    contractVersion: typeof GATE_CONTRACT_VERSION;
+    kind: GatedActionKind;
+    repoRoot: string;
+    cwd: string;
+    command?: string;
+    payload?: Record<string, unknown>;
+    toolName?: string;
+    /** Reserved for v0.5 agent-side assessment ingestion. */
+    agentAssessment?: Assessment;
+}
+export interface GatePermissionResponse {
+    permission: 'allow' | 'deny';
+    user_message?: string;
+    agent_message?: string;
+}
+export interface GateVerdict extends GatePermissionResponse {
+    contractVersion: typeof GATE_CONTRACT_VERSION;
+    verdict: HookVerdict;
+    reason: string;
+    fingerprint: string;
+    assessment: Assessment;
+    normalizedCommand?: string;
+    summary?: string;
+    approvalId?: string;
+    wouldBlock: boolean;
+    mode: 'enforce' | 'audit';
+    v2?: ClassifyResult['v2'];
+}
+export declare function isGatedAction(value: unknown): value is GatedAction;
+export declare function classifyResultToGateVerdict(params: {
+    result: ClassifyResult;
+    mode: 'enforce' | 'audit';
+    permission: 'allow' | 'deny';
+    wouldBlock: boolean;
+    approvalId?: string;
+    user_message?: string;
+    agent_message?: string;
+}): GateVerdict;
+export declare function unnormalizedGateVerdict(params: {
+    reason: string;
+    mode: 'enforce' | 'audit';
+    user_message: string;
+    agent_message?: string;
+}): GateVerdict;

package/dist/core/gate-contract.js

@@ -0,0 +1,50 @@
+export const GATE_CONTRACT_VERSION = 1;
+export function isGatedAction(value) {
+    if (typeof value !== 'object' || value === null) {
+        return false;
+    }
+    const record = value;
+    return (record.contractVersion === GATE_CONTRACT_VERSION &&
+        (record.kind === 'shell' || record.kind === 'subagent' || record.kind === 'tool') &&
+        typeof record.repoRoot === 'string' &&
+        typeof record.cwd === 'string');
+}
+export function classifyResultToGateVerdict(params) {
+    const { result, mode, permission, wouldBlock, approvalId, user_message, agent_message } = params;
+    return {
+        contractVersion: GATE_CONTRACT_VERSION,
+        verdict: result.verdict,
+        reason: result.reason,
+        fingerprint: result.fingerprint,
+        assessment: result.assessment,
+        normalizedCommand: result.normalizedCommand,
+        summary: result.summary,
+        permission,
+        wouldBlock,
+        mode,
+        approvalId,
+        user_message,
+        agent_message,
+        v2: result.v2,
+    };
+}
+export function unnormalizedGateVerdict(params) {
+    return {
+        contractVersion: GATE_CONTRACT_VERSION,
+        verdict: 'deny_pending_approval',
+        reason: params.reason,
+        fingerprint: 'unnormalized',
+        assessment: {
+            reversibility: 'irreversible',
+            external: true,
+            blastRadius: 'unknown',
+            confidence: 0,
+            signals: ['normalization_failed'],
+        },
+        permission: 'deny',
+        wouldBlock: true,
+        mode: params.mode,
+        user_message: params.user_message,
+        agent_message: params.agent_message,
+    };
+}

package/dist/core/gate-engine.d.ts

@@ -0,0 +1,20 @@
+import type { BelayConfigV3 } from './config.js';
+import type { GatedAction, GatedActionKind } from './gate-contract.js';
+import type { Assessment, ClassifierOptions, ClassifyResult } from './types.js';
+export declare class GateNormalizationError extends Error {
+    readonly reason = "normalization_failed";
+    constructor(message: string);
+}
+export declare function extractAgentAssessment(payload?: Record<string, unknown>): Assessment | undefined;
+export declare function normalizeGatedAction(params: {
+    kind: GatedActionKind;
+    repoRoot: string;
+    cwd: string;
+    command?: string;
+    payload?: Record<string, unknown>;
+    toolName?: string;
+    agentAssessment?: GatedAction['agentAssessment'];
+}): GatedAction;
+export declare function classifyGatedAction(action: GatedAction, config: BelayConfigV3, extraOptions?: ClassifierOptions): Promise<ClassifyResult>;
+export declare function classifyGatedActionAsync(action: GatedAction, config: BelayConfigV3, extraOptions?: ClassifierOptions): Promise<ClassifyResult>;
+export declare function gateEnabledForAction(config: BelayConfigV3, action: GatedAction): boolean;

package/dist/core/gate-engine.js

@@ -0,0 +1,172 @@
+import { allPathsAllowlisted } from './capability/allowlist.js';
+import { collectOutsideRepoPaths } from './capability/paths.js';
+import { classifySubagent } from './classify-subagent.js';
+import { classifyToolUse } from './classify-tool.js';
+import { classifierOptionsFromConfig } from './config.js';
+import { GATE_CONTRACT_VERSION } from './gate-contract.js';
+import { mergeAgentAssessment } from './judgment.js';
+import { classifyShell } from './v2/adapter.js';
+export class GateNormalizationError extends Error {
+    reason = 'normalization_failed';
+    constructor(message) {
+        super(message);
+        this.name = 'GateNormalizationError';
+    }
+}
+function parseAssessment(value) {
+    if (!value || typeof value !== 'object') {
+        return undefined;
+    }
+    const record = value;
+    if ((record.reversibility === 'reversible' ||
+        record.reversibility === 'recoverable_with_cost' ||
+        record.reversibility === 'irreversible') &&
+        typeof record.external === 'boolean' &&
+        typeof record.blastRadius === 'string' &&
+        typeof record.confidence === 'number' &&
+        Array.isArray(record.signals) &&
+        record.signals.every((signal) => typeof signal === 'string')) {
+        return {
+            reversibility: record.reversibility,
+            external: record.external,
+            blastRadius: record.blastRadius,
+            confidence: record.confidence,
+            signals: record.signals,
+        };
+    }
+    return undefined;
+}
+export function extractAgentAssessment(payload) {
+    if (!payload) {
+        return undefined;
+    }
+    for (const key of ['agentAssessment', 'assessment']) {
+        const parsed = parseAssessment(payload[key]);
+        if (parsed) {
+            return parsed;
+        }
+    }
+    const toolInput = payload.tool_input;
+    if (toolInput && typeof toolInput === 'object') {
+        return extractAgentAssessment(toolInput);
+    }
+    return undefined;
+}
+function shellCommandFromPayload(payload) {
+    const direct = payload.command;
+    if (typeof direct === 'string' && direct.trim()) {
+        return direct.trim();
+    }
+    const toolInput = payload.tool_input;
+    if (toolInput && typeof toolInput === 'object') {
+        const command = toolInput.command;
+        if (typeof command === 'string' && command.trim()) {
+            return command.trim();
+        }
+    }
+    return '';
+}
+export function normalizeGatedAction(params) {
+    const { kind, repoRoot, cwd, payload, toolName, agentAssessment } = params;
+    let command = params.command?.trim() ?? '';
+    if (kind === 'shell' && !command && payload) {
+        command = shellCommandFromPayload(payload);
+    }
+    if (kind === 'shell' && !command) {
+        throw new GateNormalizationError('Shell gated action requires a command.');
+    }
+    if (kind === 'tool' && !payload) {
+        throw new GateNormalizationError('Tool gated action requires a payload.');
+    }
+    if (kind === 'subagent' && !payload) {
+        throw new GateNormalizationError('Subagent gated action requires a payload.');
+    }
+    return {
+        contractVersion: GATE_CONTRACT_VERSION,
+        kind,
+        repoRoot,
+        cwd,
+        command: command || undefined,
+        payload,
+        toolName,
+        agentAssessment,
+    };
+}
+function applyShellPeripheralPolicy(command, action, result, options) {
+    if (options.brokerFsScope &&
+        result.verdict === 'deny_pending_approval' &&
+        (result.reason === 'outside_repo_mutation' ||
+            result.reason === 'outside_repo_redirect' ||
+            result.reason === 'repo_outside_mutation' ||
+            result.v2?.location === 'repo_outside')) {
+        const outsideRepoPaths = collectOutsideRepoPaths(command, action.cwd, action.repoRoot);
+        if (outsideRepoPaths.length > 0 &&
+            options.fsScopeAllowlist &&
+            allPathsAllowlisted(outsideRepoPaths, options.fsScopeAllowlist)) {
+            return {
+                ...result,
+                verdict: 'allow_flagged',
+                reason: 'capability_fs_hint',
+                assessment: {
+                    ...result.assessment,
+                    signals: [
+                        ...result.assessment.signals,
+                        'capability_fs_hint',
+                        'sandbox_boundary_expected',
+                    ],
+                },
+            };
+        }
+    }
+    return result;
+}
+export async function classifyGatedAction(action, config, extraOptions = {}) {
+    const options = { ...classifierOptionsFromConfig(config), ...extraOptions };
+    if (action.kind === 'shell') {
+        const command = action.command ?? shellCommandFromPayload(action.payload ?? {});
+        if (!command) {
+            throw new GateNormalizationError('Shell gated action requires a command.');
+        }
+        let result = await classifyShell(command, action.cwd, action.repoRoot, config, options);
+        result = applyShellPeripheralPolicy(command, action, result, options);
+        if (!action.agentAssessment) {
+            return result;
+        }
+        const merged = mergeAgentAssessment(result.assessment, action.agentAssessment);
+        if (!merged.mismatch) {
+            return { ...result, assessment: merged.assessment };
+        }
+        return {
+            ...result,
+            verdict: 'deny_pending_approval',
+            reason: 'agent_assessment_mismatch',
+            assessment: merged.assessment,
+        };
+    }
+    if (action.kind === 'subagent') {
+        return classifySubagent(action.payload ?? {}, action.repoRoot, options);
+    }
+    return classifyToolUse(action.payload ?? {}, action.repoRoot, action.cwd, config, options);
+}
+export async function classifyGatedActionAsync(action, config, extraOptions = {}) {
+    return classifyGatedAction(action, config, extraOptions);
+}
+export function gateEnabledForAction(config, action) {
+    if (action.kind === 'shell') {
+        return config.gates.shell;
+    }
+    if (action.kind === 'subagent') {
+        return config.gates.subagent;
+    }
+    const toolName = action.toolName ?? String(action.payload?.tool_name ?? '');
+    if (toolName === 'Shell') {
+        return config.gates.toolShell;
+    }
+    if (toolName === 'Write' || toolName === 'StrReplace' || toolName === 'Delete') {
+        return config.gates.fileMutation;
+    }
+    if (toolName === 'Task') {
+        return config.gates.subagent;
+    }
+    return true;
+}

package/dist/core/glob.d.ts

@@ -0,0 +1 @@
+export declare function matchesSensitivePath(filePath: string, patterns: string[]): boolean;

package/dist/core/glob.js

@@ -0,0 +1,39 @@
+export function matchesSensitivePath(filePath, patterns) {
+    const normalized = filePath.replaceAll('\\', '/');
+    const segments = normalized.split('/');
+    const baseName = segments.at(-1) ?? normalized;
+    for (const pattern of patterns) {
+        const normalizedPattern = pattern.replaceAll('\\', '/');
+        if (normalizedPattern.includes('**')) {
+            const parts = normalizedPattern.split('**').map((part) => part.replace(/^\/+|\/+$/g, ''));
+            const prefix = parts[0]?.replace(/\/+$/, '') ?? '';
+            const suffix = parts[1]?.replace(/^\/+/, '') ?? '';
+            if (prefix && !normalized.startsWith(prefix)) {
+                continue;
+            }
+            if (suffix && !normalized.includes(suffix)) {
+                continue;
+            }
+            if (prefix || suffix) {
+                return true;
+            }
+        }
+        if (normalizedPattern.includes('*')) {
+            const regex = new RegExp(`^${normalizedPattern.replaceAll('.', '\\.').replaceAll('*', '.*')}$`);
+            if (regex.test(normalized) || regex.test(baseName)) {
+                return true;
+            }
+            continue;
+        }
+        if (normalized === normalizedPattern || baseName === normalizedPattern) {
+            return true;
+        }
+        if (normalized.endsWith(`/${normalizedPattern}`)) {
+            return true;
+        }
+        if (segments.includes(normalizedPattern)) {
+            return true;
+        }
+    }
+    return false;
+}

package/dist/core/index.d.ts

@@ -0,0 +1,19 @@
+export { approvalCommandMatch, buildRetryInstruction, compactApprovals, createApprovalRecord, isExpired, mergeApprovalStates, nowIso, } from './approval.js';
+export type { AuditMetricsReport } from './audit-metrics.js';
+export { computeAuditMetrics, parseAuditNdjson } from './audit-metrics.js';
+export { classifySubagent } from './classify-subagent.js';
+export { classifyToolUse } from './classify-tool.js';
+export { approvedApprovalsFile, type BelayConfig, type BelayConfigV1, type BelayConfigV2, type BelayConfigV3, type BelayConfigV4, type BelayControlPlaneConfig, type BelayJudgeConfig, type BelayOverridesConfig, type BelayPolicyConfig, type BelayRedactionConfig, belayStateDir, classifierOptionsFromConfig, configuredControlPlaneDir, DEFAULT_CONFIG_V2, DEFAULT_CONFIG_V3, DEFAULT_CONFIG_V4, DEFAULT_JUDGE_CURSOR_COMPOSER, DEFAULT_JUDGE_LOCAL_OLLAMA, defaultControlPlaneDir, isConfigV4, isFreshConfigInput, LEGACY_POLICY_V3, mapLegacyClassifierToOverrides, mergeConfig, migrateConfig, migrateV2ToV3, normalizeConfig, normalizeJudgeConfig, pendingApprovalsFile, resolveControlPlaneDir, scrubOptionsFromConfig, } from './config.js';
+export { matchesCustomCommand } from './custom-command-match.js';
+export { canonicalStringify, hashValue, shellFingerprint, subagentFingerprint, toolFingerprint, } from './fingerprint.js';
+export type { GatedAction, GatedActionKind, GatePermissionResponse, GateVerdict, } from './gate-contract.js';
+export { classifyResultToGateVerdict, GATE_CONTRACT_VERSION, isGatedAction, unnormalizedGateVerdict, } from './gate-contract.js';
+export { classifyGatedAction, GateNormalizationError, gateEnabledForAction, normalizeGatedAction, } from './gate-engine.js';
+export { matchesSensitivePath } from './glob.js';
+export { canonicalPath, hasOutsideRepoPath, normalizeToken, pathWithinRoot, relativeWithinRepo, resolveMutationTarget, } from './path-utils.js';
+export { scrubString, scrubValue } from './scrub.js';
+export { findCommandSubstitutions, MAX_SUBSTITUTION_DEPTH } from './shell-substitution.js';
+export type { TransactionalDiffEvaluation, TransactionalExecutionResult, } from './transactional/index.js';
+export { isTransactionalEligible, runTransactionalExecution } from './transactional/index.js';
+export type { ApprovalRecord, ApprovalStateFile, Assessment, ClassifierOptions, ClassifyResult, HookVerdict, Reversibility, ScrubOptions, UnknownLocalEffectPolicy, } from './types.js';
+export { buildVerdictContext, classifyShell, verdict, verdictToClassifyResult, } from './v2/index.js';

package/dist/core/index.js

@@ -0,0 +1,15 @@
+export { approvalCommandMatch, buildRetryInstruction, compactApprovals, createApprovalRecord, isExpired, mergeApprovalStates, nowIso, } from './approval.js';
+export { computeAuditMetrics, parseAuditNdjson } from './audit-metrics.js';
+export { classifySubagent } from './classify-subagent.js';
+export { classifyToolUse } from './classify-tool.js';
+export { approvedApprovalsFile, belayStateDir, classifierOptionsFromConfig, configuredControlPlaneDir, DEFAULT_CONFIG_V2, DEFAULT_CONFIG_V3, DEFAULT_CONFIG_V4, DEFAULT_JUDGE_CURSOR_COMPOSER, DEFAULT_JUDGE_LOCAL_OLLAMA, defaultControlPlaneDir, isConfigV4, isFreshConfigInput, LEGACY_POLICY_V3, mapLegacyClassifierToOverrides, mergeConfig, migrateConfig, migrateV2ToV3, normalizeConfig, normalizeJudgeConfig, pendingApprovalsFile, resolveControlPlaneDir, scrubOptionsFromConfig, } from './config.js';
+export { matchesCustomCommand } from './custom-command-match.js';
+export { canonicalStringify, hashValue, shellFingerprint, subagentFingerprint, toolFingerprint, } from './fingerprint.js';
+export { classifyResultToGateVerdict, GATE_CONTRACT_VERSION, isGatedAction, unnormalizedGateVerdict, } from './gate-contract.js';
+export { classifyGatedAction, GateNormalizationError, gateEnabledForAction, normalizeGatedAction, } from './gate-engine.js';
+export { matchesSensitivePath } from './glob.js';
+export { canonicalPath, hasOutsideRepoPath, normalizeToken, pathWithinRoot, relativeWithinRepo, resolveMutationTarget, } from './path-utils.js';
+export { scrubString, scrubValue } from './scrub.js';
+export { findCommandSubstitutions, MAX_SUBSTITUTION_DEPTH } from './shell-substitution.js';
+export { isTransactionalEligible, runTransactionalExecution } from './transactional/index.js';
+export { buildVerdictContext, classifyShell, verdict, verdictToClassifyResult, } from './v2/index.js';

package/dist/core/integrity.d.ts

@@ -0,0 +1,15 @@
+import type { ScopedPaths } from '../adapters/layouts/scope.js';
+import type { AdapterLayout } from '../adapters/layouts/types.js';
+export interface IntegrityManifest {
+    version: 1;
+    generatedAt: string;
+    files: Record<string, string>;
+}
+export declare function sha256File(filePath: string): Promise<string>;
+export declare function integrityManifestPath(layout: AdapterLayout, repoRoot: string): string;
+export declare function runtimeIntegrityFiles(_layout: AdapterLayout, paths: ScopedPaths): string[];
+export declare function writeIntegrityManifest(repoRoot: string, layout: AdapterLayout, filePaths: string[]): Promise<void>;
+export declare function verifyIntegrityManifest(repoRoot: string, layout: AdapterLayout): Promise<{
+    ok: boolean;
+    mismatches: string[];
+}>;

package/dist/core/integrity.js

@@ -0,0 +1,68 @@
+import { createHash } from 'node:crypto';
+import { existsSync } from 'node:fs';
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+export async function sha256File(filePath) {
+    const content = await readFile(filePath);
+    return createHash('sha256').update(content).digest('hex');
+}
+export function integrityManifestPath(layout, repoRoot) {
+    return path.join(layout.repoLocalStateDir(repoRoot), 'integrity-manifest.json');
+}
+export function runtimeIntegrityFiles(_layout, paths) {
+    const files = [paths.configPath];
+    if (paths.scope !== 'project') {
+        return files;
+    }
+    const hooksDir = paths.hooksDir;
+    const runtimeDir = paths.runtimeDir;
+    return [
+        ...files,
+        paths.hooksSettingsPath,
+        path.join(hooksDir, 'belay-before-submit.mjs'),
+        path.join(hooksDir, 'belay-shell-gate.mjs'),
+        path.join(hooksDir, 'belay-tool-gate.mjs'),
+        path.join(hooksDir, 'belay-audit.mjs'),
+        path.join(hooksDir, 'belay-runner'),
+        path.join(hooksDir, 'belay-runner.cmd'),
+        path.join(runtimeDir, 'core.mjs'),
+    ];
+}
+export async function writeIntegrityManifest(repoRoot, layout, filePaths) {
+    const files = {};
+    for (const filePath of filePaths) {
+        if (!existsSync(filePath)) {
+            continue;
+        }
+        const relativePath = path.relative(repoRoot, filePath);
+        files[relativePath] = await sha256File(filePath);
+    }
+    const manifest = {
+        version: 1,
+        generatedAt: new Date().toISOString(),
+        files,
+    };
+    const manifestPath = integrityManifestPath(layout, repoRoot);
+    await mkdir(path.dirname(manifestPath), { recursive: true });
+    await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`, 'utf8');
+}
+export async function verifyIntegrityManifest(repoRoot, layout) {
+    const manifestPath = integrityManifestPath(layout, repoRoot);
+    if (!existsSync(manifestPath)) {
+        return { ok: false, mismatches: ['missing integrity-manifest.json'] };
+    }
+    const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
+    const mismatches = [];
+    for (const [relativePath, expectedHash] of Object.entries(manifest.files ?? {})) {
+        const absolutePath = path.join(repoRoot, relativePath);
+        if (!existsSync(absolutePath)) {
+            mismatches.push(`missing ${relativePath}`);
+            continue;
+        }
+        const actualHash = await sha256File(absolutePath);
+        if (actualHash !== expectedHash) {
+            mismatches.push(`hash mismatch ${relativePath}`);
+        }
+    }
+    return { ok: mismatches.length === 0, mismatches };
+}

package/dist/core/judge-api-key.d.ts

@@ -0,0 +1,4 @@
+export declare function resolveJudgeApiKey(env?: NodeJS.ProcessEnv): {
+    key: string | null;
+    source: 'BELAY_JUDGE_API_KEY' | 'OPENAI_API_KEY' | null;
+};

package/dist/core/judge-api-key.js

@@ -0,0 +1,11 @@
+export function resolveJudgeApiKey(env = process.env) {
+    const belay = env.BELAY_JUDGE_API_KEY?.trim();
+    if (belay) {
+        return { key: belay, source: 'BELAY_JUDGE_API_KEY' };
+    }
+    const openai = env.OPENAI_API_KEY?.trim();
+    if (openai) {
+        return { key: openai, source: 'OPENAI_API_KEY' };
+    }
+    return { key: null, source: null };
+}

package/dist/core/judge-config.d.ts

@@ -0,0 +1,29 @@
+import type { BelayJudgeConfig } from './config.js';
+export type JudgeProfileName = 'local-ollama';
+export declare const JUDGE_PROFILE_LOCAL_OLLAMA: BelayJudgeConfig;
+export declare const JUDGE_PROFILES: Record<JudgeProfileName, BelayJudgeConfig>;
+export interface ResolveJudgeConfigInput {
+    judgeProfile?: JudgeProfileName;
+    judgeProvider?: 'ollama' | 'openai-compatible' | 'cursor';
+    judgeModel?: string;
+    judgeEndpoint?: string;
+    existingJudge?: BelayJudgeConfig;
+}
+export declare function resolveJudgeConfig(input?: ResolveJudgeConfigInput): BelayJudgeConfig;
+export declare class CloudJudgeConsentRequiredError extends Error {
+    constructor();
+}
+export declare class JudgeEndpointRequiredError extends Error {
+    constructor();
+}
+export declare function assertJudgeEndpoint(judge: BelayJudgeConfig): void;
+export declare function resolveInitJudgeConfig(input: {
+    isFresh: boolean;
+    hasExplicitJudgeFlags: boolean;
+    judgeProfile?: JudgeProfileName;
+    judgeProvider?: 'ollama' | 'openai-compatible' | 'cursor';
+    judgeModel?: string;
+    judgeEndpoint?: string;
+    acceptCloudJudge?: boolean;
+    existingJudge?: BelayJudgeConfig;
+}): BelayJudgeConfig;