npm - @guilz-dev/belay - Versions diffs - 0.1.0 - Mend

@guilz-dev/belay 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (266) hide show

package/LICENSE +21 -0
package/README.md +268 -0
package/agent-belay-logo.png +0 -0
package/dist/adapters/claude/adapter.d.ts +7 -0
package/dist/adapters/claude/adapter.js +114 -0
package/dist/adapters/claude/hooks.d.ts +13 -0
package/dist/adapters/claude/hooks.js +49 -0
package/dist/adapters/claude/runtime-entry.d.ts +4 -0
package/dist/adapters/claude/runtime-entry.js +260 -0
package/dist/adapters/codex/adapter.d.ts +7 -0
package/dist/adapters/codex/adapter.js +73 -0
package/dist/adapters/codex/hooks.d.ts +21 -0
package/dist/adapters/codex/hooks.js +78 -0
package/dist/adapters/codex/runtime-entry.d.ts +4 -0
package/dist/adapters/codex/runtime-entry.js +237 -0
package/dist/adapters/cursor/adapter.d.ts +7 -0
package/dist/adapters/cursor/adapter.js +29 -0
package/dist/adapters/cursor/hooks.d.ts +2 -0
package/dist/adapters/cursor/hooks.js +26 -0
package/dist/adapters/cursor/runtime-entry.d.ts +4 -0
package/dist/adapters/cursor/runtime-entry.js +143 -0
package/dist/adapters/layouts/claude.d.ts +2 -0
package/dist/adapters/layouts/claude.js +40 -0
package/dist/adapters/layouts/codex.d.ts +2 -0
package/dist/adapters/layouts/codex.js +43 -0
package/dist/adapters/layouts/cursor.d.ts +2 -0
package/dist/adapters/layouts/cursor.js +40 -0
package/dist/adapters/layouts/index.d.ts +7 -0
package/dist/adapters/layouts/index.js +23 -0
package/dist/adapters/layouts/protected-paths.d.ts +3 -0
package/dist/adapters/layouts/protected-paths.js +15 -0
package/dist/adapters/layouts/scope.d.ts +19 -0
package/dist/adapters/layouts/scope.js +86 -0
package/dist/adapters/layouts/types.d.ts +14 -0
package/dist/adapters/layouts/types.js +1 -0
package/dist/adapters/registry.d.ts +4 -0
package/dist/adapters/registry.js +14 -0
package/dist/adapters/shared/gate-runtime.d.ts +51 -0
package/dist/adapters/shared/gate-runtime.js +518 -0
package/dist/adapters/shared/repo-root.d.ts +2 -0
package/dist/adapters/shared/repo-root.js +17 -0
package/dist/adapters/types.d.ts +19 -0
package/dist/adapters/types.js +1 -0
package/dist/branding.d.ts +3 -0
package/dist/branding.js +3 -0
package/dist/bundle/claude-runtime.mjs +5323 -0
package/dist/bundle/codex-runtime.mjs +5310 -0
package/dist/bundle/cursor-runtime.mjs +5208 -0
package/dist/cleanup-orphans.d.ts +7 -0
package/dist/cleanup-orphans.js +59 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +631 -0
package/dist/commands/approve.d.ts +14 -0
package/dist/commands/approve.js +65 -0
package/dist/commands/audit.d.ts +59 -0
package/dist/commands/audit.js +132 -0
package/dist/commands/classify-for-report.d.ts +9 -0
package/dist/commands/classify-for-report.js +85 -0
package/dist/commands/doctor.d.ts +3 -0
package/dist/commands/doctor.js +366 -0
package/dist/commands/dogfood.d.ts +5 -0
package/dist/commands/dogfood.js +71 -0
package/dist/commands/explain.d.ts +3 -0
package/dist/commands/explain.js +133 -0
package/dist/commands/health-snapshot.d.ts +2 -0
package/dist/commands/health-snapshot.js +166 -0
package/dist/commands/init-wizard.d.ts +16 -0
package/dist/commands/init-wizard.js +50 -0
package/dist/commands/metrics.d.ts +7 -0
package/dist/commands/metrics.js +89 -0
package/dist/commands/recover.d.ts +3 -0
package/dist/commands/recover.js +105 -0
package/dist/commands/report.d.ts +3 -0
package/dist/commands/report.js +65 -0
package/dist/commands/revoke.d.ts +5 -0
package/dist/commands/revoke.js +22 -0
package/dist/commands/simulate.d.ts +14 -0
package/dist/commands/simulate.js +55 -0
package/dist/commands/status.d.ts +5 -0
package/dist/commands/status.js +107 -0
package/dist/config-io.d.ts +23 -0
package/dist/config-io.js +180 -0
package/dist/conformance/guarantee-table.d.ts +14 -0
package/dist/conformance/guarantee-table.js +95 -0
package/dist/conformance/types.d.ts +6 -0
package/dist/conformance/types.js +1 -0
package/dist/core/approval-service.d.ts +26 -0
package/dist/core/approval-service.js +41 -0
package/dist/core/approval-token.d.ts +11 -0
package/dist/core/approval-token.js +61 -0
package/dist/core/approval.d.ts +19 -0
package/dist/core/approval.js +58 -0
package/dist/core/audit-analysis.d.ts +10 -0
package/dist/core/audit-analysis.js +147 -0
package/dist/core/audit-metrics.d.ts +51 -0
package/dist/core/audit-metrics.js +155 -0
package/dist/core/audit-query.d.ts +11 -0
package/dist/core/audit-query.js +142 -0
package/dist/core/audit-summary.d.ts +33 -0
package/dist/core/audit-summary.js +111 -0
package/dist/core/audit-types.d.ts +65 -0
package/dist/core/audit-types.js +2 -0
package/dist/core/capability/allowlist.d.ts +10 -0
package/dist/core/capability/allowlist.js +53 -0
package/dist/core/capability/broker.d.ts +17 -0
package/dist/core/capability/broker.js +29 -0
package/dist/core/capability/index.d.ts +5 -0
package/dist/core/capability/index.js +4 -0
package/dist/core/capability/paths.d.ts +1 -0
package/dist/core/capability/paths.js +20 -0
package/dist/core/capability/reasons.d.ts +2 -0
package/dist/core/capability/reasons.js +4 -0
package/dist/core/capability/types.d.ts +10 -0
package/dist/core/capability/types.js +1 -0
package/dist/core/capability-approval.d.ts +28 -0
package/dist/core/capability-approval.js +43 -0
package/dist/core/classify-subagent.d.ts +2 -0
package/dist/core/classify-subagent.js +69 -0
package/dist/core/classify-tool.d.ts +3 -0
package/dist/core/classify-tool.js +311 -0
package/dist/core/config-layers.d.ts +23 -0
package/dist/core/config-layers.js +59 -0
package/dist/core/config.d.ts +219 -0
package/dist/core/config.js +720 -0
package/dist/core/control-plane-isolation.d.ts +10 -0
package/dist/core/control-plane-isolation.js +83 -0
package/dist/core/custom-command-match.d.ts +2 -0
package/dist/core/custom-command-match.js +8 -0
package/dist/core/egress/allowlist.d.ts +7 -0
package/dist/core/egress/allowlist.js +33 -0
package/dist/core/egress/env.d.ts +3 -0
package/dist/core/egress/env.js +17 -0
package/dist/core/egress/fingerprint.d.ts +3 -0
package/dist/core/egress/fingerprint.js +35 -0
package/dist/core/egress/policy.d.ts +8 -0
package/dist/core/egress/policy.js +47 -0
package/dist/core/egress/proxy-server.d.ts +21 -0
package/dist/core/egress/proxy-server.js +263 -0
package/dist/core/egress/types.d.ts +25 -0
package/dist/core/egress/types.js +1 -0
package/dist/core/egress-approval.d.ts +48 -0
package/dist/core/egress-approval.js +129 -0
package/dist/core/fingerprint.d.ts +6 -0
package/dist/core/fingerprint.js +24 -0
package/dist/core/gate-contract.d.ts +48 -0
package/dist/core/gate-contract.js +50 -0
package/dist/core/gate-engine.d.ts +20 -0
package/dist/core/gate-engine.js +172 -0
package/dist/core/glob.d.ts +1 -0
package/dist/core/glob.js +39 -0
package/dist/core/index.d.ts +19 -0
package/dist/core/index.js +15 -0
package/dist/core/integrity.d.ts +15 -0
package/dist/core/integrity.js +68 -0
package/dist/core/judge-api-key.d.ts +4 -0
package/dist/core/judge-api-key.js +11 -0
package/dist/core/judge-config.d.ts +29 -0
package/dist/core/judge-config.js +85 -0
package/dist/core/judge-doctor.d.ts +7 -0
package/dist/core/judge-doctor.js +124 -0
package/dist/core/judgment.d.ts +6 -0
package/dist/core/judgment.js +38 -0
package/dist/core/notify.d.ts +13 -0
package/dist/core/notify.js +44 -0
package/dist/core/path-utils.d.ts +12 -0
package/dist/core/path-utils.js +107 -0
package/dist/core/reclassify.d.ts +15 -0
package/dist/core/reclassify.js +82 -0
package/dist/core/recover-advice.d.ts +30 -0
package/dist/core/recover-advice.js +177 -0
package/dist/core/recover-git-probe.d.ts +8 -0
package/dist/core/recover-git-probe.js +50 -0
package/dist/core/recover-select.d.ts +10 -0
package/dist/core/recover-select.js +60 -0
package/dist/core/scrub.d.ts +3 -0
package/dist/core/scrub.js +87 -0
package/dist/core/shell-substitution.d.ts +6 -0
package/dist/core/shell-substitution.js +130 -0
package/dist/core/shell-tokenizer.d.ts +5 -0
package/dist/core/shell-tokenizer.js +129 -0
package/dist/core/shell-unparseable.d.ts +4 -0
package/dist/core/shell-unparseable.js +96 -0
package/dist/core/transactional/diff-evaluator.d.ts +2 -0
package/dist/core/transactional/diff-evaluator.js +84 -0
package/dist/core/transactional/eligibility.d.ts +4 -0
package/dist/core/transactional/eligibility.js +44 -0
package/dist/core/transactional/git-worktree.d.ts +13 -0
package/dist/core/transactional/git-worktree.js +189 -0
package/dist/core/transactional/index.d.ts +5 -0
package/dist/core/transactional/index.js +4 -0
package/dist/core/transactional/reasons.d.ts +4 -0
package/dist/core/transactional/reasons.js +8 -0
package/dist/core/transactional/runner.d.ts +2 -0
package/dist/core/transactional/runner.js +113 -0
package/dist/core/transactional/types.d.ts +46 -0
package/dist/core/transactional/types.js +1 -0
package/dist/core/types.d.ts +90 -0
package/dist/core/types.js +1 -0
package/dist/core/v2/adapter.d.ts +14 -0
package/dist/core/v2/adapter.js +118 -0
package/dist/core/v2/containment.d.ts +19 -0
package/dist/core/v2/containment.js +91 -0
package/dist/core/v2/egress-classify.d.ts +7 -0
package/dist/core/v2/egress-classify.js +216 -0
package/dist/core/v2/fingerprint.d.ts +1 -0
package/dist/core/v2/fingerprint.js +4 -0
package/dist/core/v2/index.d.ts +12 -0
package/dist/core/v2/index.js +10 -0
package/dist/core/v2/judge-audit.d.ts +2 -0
package/dist/core/v2/judge-audit.js +15 -0
package/dist/core/v2/judge-factory.d.ts +25 -0
package/dist/core/v2/judge-factory.js +75 -0
package/dist/core/v2/judge-outbound.d.ts +12 -0
package/dist/core/v2/judge-outbound.js +73 -0
package/dist/core/v2/judge.d.ts +47 -0
package/dist/core/v2/judge.js +264 -0
package/dist/core/v2/launcher-resolve.d.ts +12 -0
package/dist/core/v2/launcher-resolve.js +190 -0
package/dist/core/v2/overrides.d.ts +7 -0
package/dist/core/v2/overrides.js +37 -0
package/dist/core/v2/parser.d.ts +21 -0
package/dist/core/v2/parser.js +213 -0
package/dist/core/v2/types.d.ts +67 -0
package/dist/core/v2/types.js +1 -0
package/dist/core/v2/verdict.d.ts +2 -0
package/dist/core/v2/verdict.js +699 -0
package/dist/corpus/evaluate.d.ts +24 -0
package/dist/corpus/evaluate.js +69 -0
package/dist/defaults.d.ts +18 -0
package/dist/defaults.js +155 -0
package/dist/egress-daemon.d.ts +1 -0
package/dist/egress-daemon.js +52 -0
package/dist/index.d.ts +17 -0
package/dist/index.js +15 -0
package/dist/installer/bootstrap.d.ts +5 -0
package/dist/installer/bootstrap.js +61 -0
package/dist/installer/runtime-artifacts.d.ts +3 -0
package/dist/installer/runtime-artifacts.js +23 -0
package/dist/installer/scope-config.d.ts +8 -0
package/dist/installer/scope-config.js +25 -0
package/dist/installer.d.ts +22 -0
package/dist/installer.js +169 -0
package/dist/node-resolution.d.ts +8 -0
package/dist/node-resolution.js +237 -0
package/dist/operational-insights.d.ts +19 -0
package/dist/operational-insights.js +24 -0
package/dist/presets.d.ts +4 -0
package/dist/presets.js +95 -0
package/dist/services/egress-service.d.ts +57 -0
package/dist/services/egress-service.js +334 -0
package/dist/services/sandbox-service.d.ts +38 -0
package/dist/services/sandbox-service.js +95 -0
package/dist/templates.d.ts +7 -0
package/dist/templates.js +56 -0
package/dist/types.d.ts +230 -0
package/dist/types.js +1 -0
package/dist/version.d.ts +1 -0
package/dist/version.js +1 -0
package/package.json +65 -0
package/skills/belay/SKILL.md +52 -0
package/skills/belay/belay-approve.md +7 -0
package/skills/belay/belay-explain.md +11 -0
package/skills/belay/belay-recover.md +13 -0
package/skills/belay/belay-report.md +7 -0
package/skills/belay/belay-status.md +9 -0
package/skills/belay/belay-why.md +11 -0

package/dist/core/types.d.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import type { FsScopeAllowlistFile } from './capability/types.js';
+export type BelayMode = 'enforce' | 'audit';
+export type HookVerdict = 'allow' | 'allow_flagged' | 'deny_pending_approval';
+export type Reversibility = 'reversible' | 'recoverable_with_cost' | 'irreversible';
+export interface Assessment {
+    reversibility: Reversibility;
+    external: boolean;
+    blastRadius: string;
+    confidence: number;
+    signals: string[];
+}
+export interface V2TraceFields {
+    location: string;
+    opacity: string;
+    effect: string;
+    confidence: string;
+    would: string;
+    by: string;
+    commandRedacted?: string;
+    commandFingerprint?: string;
+    signals?: string[];
+    judgeProvider?: 'openai-compatible' | 'ollama' | 'fallback';
+    judgeModelRequested?: string;
+    judgeModelResolved?: string;
+    judgeLatencyMs?: number;
+    judgeOutboundRedacted?: boolean;
+    judgeFallbackReason?: string;
+}
+export interface ClassifyResult {
+    verdict: HookVerdict;
+    reason: string;
+    fingerprint: string;
+    assessment: Assessment;
+    normalizedCommand?: string;
+    summary?: string;
+    v2?: V2TraceFields;
+}
+export type UnknownLocalEffectPolicy = 'allow_flagged' | 'deny';
+export type UnparseableShellPolicy = 'allow_flagged' | 'deny';
+export type ControlPlaneIntegrity = 'hash-pinned' | 'none';
+export interface ScrubOptions {
+    maskApprovalIds?: boolean;
+    maskBearerTokens?: boolean;
+    maskAuthHeaders?: boolean;
+    maskKeyValueSecrets?: boolean;
+    maskHighEntropyStrings?: boolean;
+}
+export interface ConfidenceThresholds {
+    allow: number;
+    flag: number;
+}
+export interface ClassifierOptions {
+    strictChains?: boolean;
+    customExternalCommands?: string[];
+    customAllowCommands?: string[];
+    sensitivePaths?: string[];
+    unknownLocalEffect?: UnknownLocalEffectPolicy;
+    unparseableShell?: UnparseableShellPolicy;
+    controlPlaneDir?: string | null;
+    protectedArtifactRoots?: string[];
+    confidenceThresholds?: ConfidenceThresholds;
+    scrubOptions?: ScrubOptions;
+    /** When true, L1 egress proxy is the external-effect boundary. */
+    egressEnabled?: boolean;
+    /** When true with egress enabled, external command rules become early warnings only. */
+    demoteL3External?: boolean;
+    /** When true with sandbox enabled, outside-repo rules defer to fs-scope allowlist. */
+    brokerFsScope?: boolean;
+    fsScopeAllowlist?: FsScopeAllowlistFile;
+    /** Test override: inject Tier1 judge without changing config.judge. */
+    tier1Judge?: import('./v2/types.js').Tier1Judge;
+}
+export interface ApprovalRecord {
+    approvalId: string;
+    kind: 'shell' | 'subagent' | 'tool' | 'egress' | 'capability';
+    fingerprint: string;
+    repoRoot: string;
+    reason: string;
+    summary: string;
+    createdAt: string;
+    expiresAt: string;
+    approvedAt?: string;
+    /** Original gated input for explain-last-ask (ApprovalState v2). */
+    input?: string;
+    inputKind?: 'shell' | 'tool' | 'subagent';
+}
+export interface ApprovalStateFile {
+    version: 1 | 2;
+    approvals: ApprovalRecord[];
+}

package/dist/core/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/core/v2/adapter.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { BelayConfigV4 } from '../config.js';
+import type { ClassifierOptions, ClassifyResult } from '../types.js';
+import type { Tier1Judge, VerdictContext, VerdictResult } from './types.js';
+export declare function buildVerdictContext(params: {
+    cwd: string;
+    repoRoot: string;
+    config: BelayConfigV4;
+    options?: ClassifierOptions;
+    judge?: Tier1Judge;
+    trustedCwd?: boolean;
+}): VerdictContext;
+export declare function classifyShell(command: string, cwd: string, repoRoot: string, config: BelayConfigV4, options?: ClassifierOptions, judge?: Tier1Judge): Promise<ClassifyResult>;
+export declare function verdictToClassifyResult(result: VerdictResult): ClassifyResult;
+export declare function verdictAuditFields(result: VerdictResult): Record<string, unknown>;

package/dist/core/v2/adapter.js ADDED Viewed

@@ -0,0 +1,118 @@
+import { judgeTraceAuditFields } from './judge-audit.js';
+import { createJudgeFromConfig } from './judge-factory.js';
+import { verdict } from './verdict.js';
+export function buildVerdictContext(params) {
+    const protectedArtifactRoots = [
+        ...(params.options?.protectedArtifactRoots ?? []),
+        ...(params.options?.controlPlaneDir ? [params.options.controlPlaneDir] : []),
+    ];
+    return {
+        cwd: params.cwd,
+        repoRoot: params.repoRoot,
+        trustedCwd: params.trustedCwd ?? Boolean(params.cwd),
+        sensitivePaths: params.options?.sensitivePaths ?? params.config.classifier.sensitivePaths,
+        protectedArtifactRoots: protectedArtifactRoots.length > 0 ? [...new Set(protectedArtifactRoots)] : undefined,
+        customAllowCommands: params.options?.customAllowCommands ?? params.config.overrides.allow,
+        customExternalCommands: params.options?.customExternalCommands ?? params.config.overrides.external,
+        judge: params.judge ?? params.options?.tier1Judge ?? createJudgeFromConfig(params.config),
+        mode: params.config.mode,
+        unknownLocalEffect: params.options?.unknownLocalEffect ?? params.config.policy.unknownLocalEffect,
+        unparseableShell: params.options?.unparseableShell ?? params.config.policy.unparseableShell,
+    };
+}
+export async function classifyShell(command, cwd, repoRoot, config, options = {}, judge) {
+    const context = buildVerdictContext({ cwd, repoRoot, config, options, judge });
+    const result = await verdict(command, context);
+    return verdictToClassifyResult(result);
+}
+function mapLegacyReason(result) {
+    if (result.reason === 'repo_outside_mutation') {
+        return result.effect === 'read_only' ? 'outside_repo_redirect' : 'outside_repo_mutation';
+    }
+    if (result.reason === 'tier0_external') {
+        return 'external_effect';
+    }
+    if (result.reason === 'high_stakes_path') {
+        return 'protected_artifact';
+    }
+    if (result.reason === 'opaque_execution' &&
+        /\|\s*(bash|sh|zsh|dash|fish)\b/.test(result.commandRedacted)) {
+        return 'pipe_to_shell';
+    }
+    if (result.reason === 'launcher_unresolved' || result.reason === 'makefile_missing') {
+        return 'unknown_local_effect';
+    }
+    if (result.reason === 'npm_script_undefined' || result.reason === 'package_json_missing') {
+        return 'unknown_local_effect';
+    }
+    if (result.reason === 'repo_local_mutation') {
+        return 'local_mutation';
+    }
+    return result.reason;
+}
+export function verdictToClassifyResult(result) {
+    const external = result.location === 'external' ||
+        result.location === 'repo_outside' ||
+        result.effect === 'remote_mutation';
+    const legacyReason = mapLegacyReason(result);
+    const hookVerdict = result.permission === 'ask'
+        ? 'deny_pending_approval'
+        : legacyReason === 'command_substitution' ||
+            legacyReason === 'unknown_local_effect' ||
+            legacyReason === 'unparseable_shell' ||
+            result.effect === 'local_mutation'
+            ? 'allow_flagged'
+            : 'allow';
+    const assessment = {
+        reversibility: result.effect === 'read_only'
+            ? 'reversible'
+            : result.permission === 'allow'
+                ? 'recoverable_with_cost'
+                : 'irreversible',
+        external,
+        blastRadius: result.location,
+        confidence: result.confidence === 'deterministic'
+            ? 0.95
+            : result.confidence === 'llm'
+                ? 0.75
+                : hookVerdict === 'allow_flagged'
+                    ? 0.75
+                    : 0.7,
+        signals: result.signals,
+    };
+    return {
+        verdict: hookVerdict,
+        reason: legacyReason,
+        fingerprint: result.fingerprint,
+        assessment,
+        normalizedCommand: result.commandRedacted,
+        summary: result.commandRedacted,
+        v2: {
+            location: result.location,
+            opacity: result.opacity,
+            effect: result.effect,
+            confidence: result.confidence,
+            would: result.permission,
+            by: 'v2',
+            commandRedacted: result.commandRedacted,
+            commandFingerprint: result.fingerprint,
+            signals: result.signals,
+            ...judgeTraceAuditFields(result.judgeTrace),
+        },
+    };
+}
+export function verdictAuditFields(result) {
+    return {
+        schemaVersion: 2,
+        commandRedacted: result.commandRedacted,
+        commandFingerprint: result.fingerprint,
+        location: result.location,
+        opacity: result.opacity,
+        effect: result.effect,
+        confidence: result.confidence,
+        would: result.permission,
+        by: 'v2',
+        signals: result.signals,
+        ...judgeTraceAuditFields(result.judgeTrace),
+    };
+}

package/dist/core/v2/containment.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { VerdictLocation } from './types.js';
+export interface PathTargetAnalysis {
+    location: VerdictLocation;
+    isHighStakes: boolean;
+    signals: string[];
+}
+export declare function resolveTrustedPath(token: string, trustedCwd: string, trusted: boolean): string | null;
+export declare function locationForPath(resolvedPath: string | null, repoRoot: string): VerdictLocation;
+export declare function isGitPath(resolvedPath: string, repoRoot: string): boolean;
+export declare function isHighStakesPath(resolvedPath: string, repoRoot: string, sensitivePaths: string[], protectedRoots?: string[]): boolean;
+export declare function analyzePathTargets(params: {
+    targets: string[];
+    cwd: string;
+    repoRoot: string;
+    trustedCwd: boolean;
+    sensitivePaths: string[];
+    protectedArtifactRoots?: string[];
+}): PathTargetAnalysis;
+export declare function cwdRelative(repoRoot: string, cwd: string): string;

package/dist/core/v2/containment.js ADDED Viewed

@@ -0,0 +1,91 @@
+import path from 'node:path';
+import { matchesSensitivePath } from '../glob.js';
+import { canonicalPath, pathWithinRoot, relativeWithinRepo, resolveMutationTarget, } from '../path-utils.js';
+function expandHome(token) {
+    if (token === '~' || token.startsWith('~/')) {
+        const home = process.env.HOME ?? process.env.USERPROFILE ?? '';
+        if (!home) {
+            return token;
+        }
+        return token === '~' ? home : path.join(home, token.slice(2));
+    }
+    return token;
+}
+export function resolveTrustedPath(token, trustedCwd, trusted) {
+    if (!token || token === '--' || token.startsWith('-')) {
+        return null;
+    }
+    if (!trusted || !trustedCwd) {
+        return null;
+    }
+    const expanded = expandHome(token);
+    if (path.isAbsolute(expanded)) {
+        return canonicalPath(expanded);
+    }
+    return canonicalPath(path.resolve(trustedCwd, expanded));
+}
+export function locationForPath(resolvedPath, repoRoot) {
+    if (!resolvedPath) {
+        return 'unknown';
+    }
+    if (pathWithinRoot(repoRoot, resolvedPath)) {
+        return 'repo_local';
+    }
+    return 'repo_outside';
+}
+export function isGitPath(resolvedPath, repoRoot) {
+    const relative = relativeWithinRepo(repoRoot, resolvedPath);
+    if (!relative) {
+        return false;
+    }
+    const normalized = relative.replaceAll('\\', '/');
+    return normalized === '.git' || normalized.startsWith('.git/');
+}
+export function isHighStakesPath(resolvedPath, repoRoot, sensitivePaths, protectedRoots = []) {
+    if (isGitPath(resolvedPath, repoRoot)) {
+        return true;
+    }
+    const relative = relativeWithinRepo(repoRoot, resolvedPath);
+    const checkPath = relative ?? resolvedPath;
+    if (matchesSensitivePath(checkPath.replaceAll('\\', '/'), sensitivePaths)) {
+        return true;
+    }
+    return protectedRoots.some((root) => pathWithinRoot(root, resolvedPath));
+}
+export function analyzePathTargets(params) {
+    const signals = [];
+    if (!params.trustedCwd || !params.cwd) {
+        return {
+            location: 'unknown',
+            isHighStakes: false,
+            signals: ['missing_trusted_cwd'],
+        };
+    }
+    const locations = new Set();
+    let isHighStakes = false;
+    for (const target of params.targets) {
+        const resolved = resolveTrustedPath(target, params.cwd, params.trustedCwd) ??
+            resolveMutationTarget(target, params.cwd);
+        const location = locationForPath(resolved, params.repoRoot);
+        locations.add(location);
+        if (resolved &&
+            isHighStakesPath(resolved, params.repoRoot, params.sensitivePaths, params.protectedArtifactRoots)) {
+            isHighStakes = true;
+            signals.push('high_stakes_path');
+        }
+    }
+    let location = 'unknown';
+    if (locations.size === 0) {
+        location = 'unknown';
+    }
+    else if (locations.size === 1) {
+        location = [...locations][0] ?? 'unknown';
+    }
+    else {
+        location = 'mixed';
+    }
+    return { location, isHighStakes, signals };
+}
+export function cwdRelative(repoRoot, cwd) {
+    return relativeWithinRepo(repoRoot, cwd) ?? cwd;
+}

package/dist/core/v2/egress-classify.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Tier0 egress tool classification (SPEC v2.1.3 R33–R34).
+ * destructive → Tier0 ask | read → Tier0 allow | ambiguous → Tier1 (fail-closed)
+ */
+export type EgressClassification = 'destructive' | 'read' | 'ambiguous';
+export declare function isEgressToolHead(head: string): boolean;
+export declare function classifyEgressTool(head: string, tokens: string[]): EgressClassification | null;

package/dist/core/v2/egress-classify.js ADDED Viewed

@@ -0,0 +1,216 @@
+/**
+ * Tier0 egress tool classification (SPEC v2.1.3 R33–R34).
+ * destructive → Tier0 ask | read → Tier0 allow | ambiguous → Tier1 (fail-closed)
+ */
+const EGRESS_TOOL_HEADS = new Set([
+    'aws',
+    'curl',
+    'gh',
+    'gcloud',
+    'heroku',
+    'kubectl',
+    'netlify',
+    'vercel',
+    'wget',
+]);
+const READ_VERB_PATTERN = /\b(ls|list|describe|get|view|logs|status|top|head|explain)\b/;
+const CURL_DATA_FLAGS = new Set(['-d', '-F', '-T', '--post-data', '--post-file', '--upload-file']);
+const CURL_DATA_PREFIXES = ['--data', '--form', '--upload-file', '--post-'];
+const KUBECTL_DESTRUCTIVE = new Set([
+    'apply',
+    'cordon',
+    'create',
+    'delete',
+    'drain',
+    'exec',
+    'patch',
+    'replace',
+    'rollout',
+    'scale',
+]);
+const KUBECTL_READ = new Set(['describe', 'get', 'logs', 'top']);
+export function isEgressToolHead(head) {
+    return EGRESS_TOOL_HEADS.has(head);
+}
+export function classifyEgressTool(head, tokens) {
+    if (!EGRESS_TOOL_HEADS.has(head)) {
+        return null;
+    }
+    if (head === 'curl' || head === 'wget') {
+        return classifyCurlWget(tokens);
+    }
+    if (head === 'aws') {
+        return classifyAws(tokens);
+    }
+    if (head === 'gh') {
+        return classifyGh(tokens);
+    }
+    if (head === 'gcloud') {
+        return classifyGcloud(tokens);
+    }
+    if (head === 'kubectl') {
+        return classifyKubectl(tokens);
+    }
+    if (head === 'heroku') {
+        return classifyHeroku(tokens);
+    }
+    if (head === 'vercel') {
+        return classifyVercel(tokens);
+    }
+    if (head === 'netlify') {
+        return classifyNetlify(tokens);
+    }
+    return 'ambiguous';
+}
+function classifyCurlWget(tokens) {
+    const args = tokens.slice(1);
+    for (let index = 0; index < args.length; index += 1) {
+        const token = args[index];
+        if (!token) {
+            continue;
+        }
+        if (CURL_DATA_FLAGS.has(token)) {
+            return 'destructive';
+        }
+        if (CURL_DATA_PREFIXES.some((prefix) => token.startsWith(prefix))) {
+            return 'destructive';
+        }
+        if (token.startsWith('--method=')) {
+            const method = token.slice('--method='.length).toUpperCase();
+            if (method !== 'GET' && method !== 'HEAD') {
+                return 'destructive';
+            }
+        }
+        if (token === '-X' || token === '--request') {
+            const method = (args[index + 1] ?? '').toUpperCase();
+            if (method && method !== 'GET' && method !== 'HEAD') {
+                return 'destructive';
+            }
+        }
+        if (token.startsWith('@')) {
+            return 'destructive';
+        }
+        if (token.includes('@') && /(^|[^\\])@/.test(token)) {
+            return 'destructive';
+        }
+    }
+    return 'read';
+}
+function classifyAws(tokens) {
+    const rest = tokens.slice(1);
+    const joined = rest.join(' ').toLowerCase();
+    if (/\bs3\s+rm\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bs3\s+sync\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bs3\s+cp\b/.test(joined)) {
+        const s3Args = rest.filter((token) => token.startsWith('s3://'));
+        if (s3Args.length >= 2) {
+            return 'ambiguous';
+        }
+        const lastToken = rest[rest.length - 1] ?? '';
+        if (lastToken.startsWith('s3://')) {
+            return 'destructive';
+        }
+        if (s3Args.length === 1 && !lastToken.startsWith('s3://')) {
+            return 'read';
+        }
+        return 'ambiguous';
+    }
+    if (/\b(delete|terminate)\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\b(put|create|update)\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (READ_VERB_PATTERN.test(joined)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}
+function classifyGh(tokens) {
+    const joined = tokens.slice(1).join(' ').toLowerCase();
+    if (/\brelease\s+create\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\brepo\s+(delete|create)\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bpr\s+merge\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bsecret\s+set\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bworkflow\s+run\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bapi\b/.test(joined) && /\s(-x|--method)\s+(post|put|patch|delete)\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bpr\s+list\b/.test(joined)) {
+        return 'read';
+    }
+    if (READ_VERB_PATTERN.test(joined)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}
+function classifyGcloud(tokens) {
+    const joined = tokens.slice(1).join(' ').toLowerCase();
+    if (/\b(delete|create|update|deploy)\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (/\bset-/.test(joined)) {
+        return 'destructive';
+    }
+    if (READ_VERB_PATTERN.test(joined)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}
+function classifyKubectl(tokens) {
+    const sub = (tokens[1] ?? '').toLowerCase();
+    if (KUBECTL_DESTRUCTIVE.has(sub)) {
+        return 'destructive';
+    }
+    if (KUBECTL_READ.has(sub)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}
+function classifyHeroku(tokens) {
+    const joined = tokens.slice(1).join(' ').toLowerCase();
+    if (/\bdeploy\b/.test(joined) ||
+        /pg:reset/.test(joined) ||
+        /ps:scale/.test(joined) ||
+        /\bdestroy\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (READ_VERB_PATTERN.test(joined)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}
+function classifyVercel(tokens) {
+    const joined = tokens.slice(1).join(' ').toLowerCase();
+    if (/\bdeploy\b/.test(joined) || /--prod\b/.test(joined) || /\bdestroy\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (READ_VERB_PATTERN.test(joined)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}
+function classifyNetlify(tokens) {
+    const joined = tokens.slice(1).join(' ').toLowerCase();
+    if (/\bdeploy\b/.test(joined) || /--prod\b/.test(joined)) {
+        return 'destructive';
+    }
+    if (READ_VERB_PATTERN.test(joined)) {
+        return 'read';
+    }
+    return 'ambiguous';
+}

package/dist/core/v2/fingerprint.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function verdictFingerprint(cwdRelative: string, commandRedacted: string): string;

package/dist/core/v2/fingerprint.js ADDED Viewed

@@ -0,0 +1,4 @@
+import { hashValue } from '../fingerprint.js';
+export function verdictFingerprint(cwdRelative, commandRedacted) {
+    return hashValue(`v2:${cwdRelative}:${commandRedacted}`);
+}

package/dist/core/v2/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+export { buildVerdictContext, classifyShell, verdictAuditFields, verdictToClassifyResult, } from './adapter.js';
+export { analyzePathTargets, cwdRelative, resolveTrustedPath } from './containment.js';
+export { verdictFingerprint } from './fingerprint.js';
+export type { Tier1JudgeTrace, TracedTier1Judge } from './judge.js';
+export { createCursorJudge, createDeterministicJudgeStub, createFailClosedJudge, createOllamaJudge, createOpenAiCompatibleJudge, prescanInterpreterCode, tier1RequiresAsk, } from './judge.js';
+export { judgeTraceAuditFields } from './judge-audit.js';
+export { createJudgeFromConfig, judgeConfigSummary, loadPinnedJudgeModels, resetPinnedJudgeModelsCache, resolveCloudModel, } from './judge-factory.js';
+export { scrubOutboundForJudge } from './judge-outbound.js';
+export { isRoutineLauncher, resolveLauncherRecipe } from './launcher-resolve.js';
+export { parseSegment, peelTransparentWrappers, segmentOpacity, splitTopLevelSegments, } from './parser.js';
+export type { JudgeTrace, Tier1EvaluateInput, Tier1Judge, Tier1Verdict, VerdictConfidence, VerdictContext, VerdictEffect, VerdictLocation, VerdictOpacity, VerdictPermission, VerdictResult, } from './types.js';
+export { verdict } from './verdict.js';

package/dist/core/v2/index.js ADDED Viewed

@@ -0,0 +1,10 @@
+export { buildVerdictContext, classifyShell, verdictAuditFields, verdictToClassifyResult, } from './adapter.js';
+export { analyzePathTargets, cwdRelative, resolveTrustedPath } from './containment.js';
+export { verdictFingerprint } from './fingerprint.js';
+export { createCursorJudge, createDeterministicJudgeStub, createFailClosedJudge, createOllamaJudge, createOpenAiCompatibleJudge, prescanInterpreterCode, tier1RequiresAsk, } from './judge.js';
+export { judgeTraceAuditFields } from './judge-audit.js';
+export { createJudgeFromConfig, judgeConfigSummary, loadPinnedJudgeModels, resetPinnedJudgeModelsCache, resolveCloudModel, } from './judge-factory.js';
+export { scrubOutboundForJudge } from './judge-outbound.js';
+export { isRoutineLauncher, resolveLauncherRecipe } from './launcher-resolve.js';
+export { parseSegment, peelTransparentWrappers, segmentOpacity, splitTopLevelSegments, } from './parser.js';
+export { verdict } from './verdict.js';

package/dist/core/v2/judge-audit.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { JudgeTrace } from './types.js';
2	+ export declare function judgeTraceAuditFields(trace?: JudgeTrace): Record<string, unknown>;

package/dist/core/v2/judge-audit.js ADDED Viewed

@@ -0,0 +1,15 @@
+export function judgeTraceAuditFields(trace) {
+    if (!trace) {
+        return {};
+    }
+    return {
+        judgeProvider: trace.provider,
+        judgeModelRequested: trace.modelRequested,
+        judgeModelResolved: trace.modelResolved,
+        judgeLatencyMs: trace.latencyMs,
+        ...(trace.outboundRedacted !== undefined
+            ? { judgeOutboundRedacted: trace.outboundRedacted }
+            : {}),
+        ...(trace.fallbackReason ? { judgeFallbackReason: trace.fallbackReason } : {}),
+    };
+}

package/dist/core/v2/judge-factory.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type { BelayConfigV4, BelayJudgeConfig } from '../config.js';
+import { type TracedTier1Judge } from './judge.js';
+export declare function resetPinnedJudgeModelsCache(): void;
+export declare function loadPinnedJudgeModels(): Promise<{
+    'openai-compatible': {
+        autoResolved: string;
+    };
+    ollama: {
+        ciPin: string;
+    };
+}>;
+export declare function resolveCloudModel(requested: string, pinned: {
+    autoResolved: string;
+}): {
+    requested: string;
+    resolved: string;
+};
+/** @deprecated Use resolveCloudModel */
+export declare const resolveCursorModel: typeof resolveCloudModel;
+export declare function createJudgeFromConfig(config: BelayConfigV4, options?: {
+    pinnedModels?: {
+        autoResolved: string;
+    };
+}): TracedTier1Judge;
+export declare function judgeConfigSummary(judge: BelayJudgeConfig): string;