npm - @guilz-dev/belay - Versions diffs - 0.1.1 → 0.2.0 - Mend

@guilz-dev/belay 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/README.md +16 -3
package/dist/adapters/shared/gate-runtime.js +12 -4
package/dist/bundle/claude-runtime.mjs +155 -36
package/dist/bundle/codex-runtime.mjs +155 -36
package/dist/bundle/cursor-runtime.mjs +155 -36
package/dist/cli.js +4 -4
package/dist/commands/classify-for-report.js +3 -3
package/dist/commands/doctor.js +1 -1
package/dist/commands/explain.js +14 -14
package/dist/commands/init-wizard.d.ts +5 -0
package/dist/commands/init-wizard.js +24 -11
package/dist/commands/recover.js +2 -2
package/dist/core/approval.d.ts +3 -0
package/dist/core/approval.js +18 -3
package/dist/core/audit-query.js +5 -1
package/dist/core/classify-tool.js +1 -1
package/dist/core/config.d.ts +1 -1
package/dist/core/config.js +2 -2
package/dist/core/gate-contract.d.ts +1 -1
package/dist/core/gate-contract.js +1 -1
package/dist/core/gate-engine.js +2 -2
package/dist/core/index.d.ts +2 -2
package/dist/core/index.js +2 -2
package/dist/core/judge-config.d.ts +5 -1
package/dist/core/judge-config.js +17 -1
package/dist/core/judge-doctor.js +2 -2
package/dist/core/types.d.ts +5 -3
package/dist/core/{v2 → verdict}/adapter.js +9 -3
package/dist/core/{v2 → verdict}/egress-classify.js +3 -0
package/dist/core/{v2 → verdict}/judge.js +10 -12
package/dist/core/{v2 → verdict}/launcher-resolve.js +72 -1
package/dist/core/{v2 → verdict}/verdict.js +16 -0
package/dist/corpus/evaluate.js +2 -2
package/dist/installer.js +1 -0
package/dist/types.d.ts +1 -1
package/dist/version.d.ts +1 -1
package/dist/version.js +1 -1
package/package.json +2 -1
/package/dist/core/{v2 → verdict}/adapter.d.ts +0 -0
/package/dist/core/{v2 → verdict}/containment.d.ts +0 -0
/package/dist/core/{v2 → verdict}/containment.js +0 -0
/package/dist/core/{v2 → verdict}/egress-classify.d.ts +0 -0
/package/dist/core/{v2 → verdict}/fingerprint.d.ts +0 -0
/package/dist/core/{v2 → verdict}/fingerprint.js +0 -0
/package/dist/core/{v2 → verdict}/index.d.ts +0 -0
/package/dist/core/{v2 → verdict}/index.js +0 -0
/package/dist/core/{v2 → verdict}/judge-audit.d.ts +0 -0
/package/dist/core/{v2 → verdict}/judge-audit.js +0 -0
/package/dist/core/{v2 → verdict}/judge-factory.d.ts +0 -0
/package/dist/core/{v2 → verdict}/judge-factory.js +0 -0
/package/dist/core/{v2 → verdict}/judge-outbound.d.ts +0 -0
/package/dist/core/{v2 → verdict}/judge-outbound.js +0 -0
/package/dist/core/{v2 → verdict}/judge.d.ts +0 -0
/package/dist/core/{v2 → verdict}/launcher-resolve.d.ts +0 -0
/package/dist/core/{v2 → verdict}/overrides.d.ts +0 -0
/package/dist/core/{v2 → verdict}/overrides.js +0 -0
/package/dist/core/{v2 → verdict}/parser.d.ts +0 -0
/package/dist/core/{v2 → verdict}/parser.js +0 -0
/package/dist/core/{v2 → verdict}/types.d.ts +0 -0
/package/dist/core/{v2 → verdict}/types.js +0 -0
/package/dist/core/{v2 → verdict}/verdict.d.ts +0 -0

package/dist/bundle/codex-runtime.mjs CHANGED Viewed

@@ -86,7 +86,7 @@ var LEGACY_POLICY_V3 = {
   fenceWarnThreshold: DEFAULT_FENCE_WARN_THRESHOLD
 };
 var DEFAULT_POLICY_V3 = {
-  unknownLocalEffect: "deny",
+  unknownLocalEffect: "allow_flagged",
   unparseableShell: "deny",
   codexUnmappedTool: "deny",
   confidenceThresholds: { ...DEFAULT_CONFIDENCE_THRESHOLDS },
@@ -704,16 +704,25 @@ import { mkdir as mkdir3, readFile as readFile2, writeFile as writeFile2 } from
 import path16 from "node:path";
 // src/core/approval.ts
+var APPROVAL_EXECUTION_LEASE_MS = 6e4;
 function nowIso() {
   return (/* @__PURE__ */ new Date()).toISOString();
 }
 function isExpired(approval) {
   return Date.parse(approval.expiresAt) <= Date.now();
 }
+function isExecutionLeaseExpired(approval) {
+  if (!approval.executionLeaseExpiresAt) {
+    return false;
+  }
+  return Date.parse(approval.executionLeaseExpiresAt) <= Date.now();
+}
 function compactApprovals(state) {
   return {
     version: state.version,
-    approvals: state.approvals.filter((approval) => !isExpired(approval))
+    approvals: state.approvals.filter(
+      (approval) => !isExpired(approval) && !isExecutionLeaseExpired(approval)
+    )
   };
 }
 function escapeRegex(value) {
@@ -722,8 +731,15 @@ function escapeRegex(value) {
 }
 function approvalCommandMatch(prompt, tokenPrefix) {
   const escapedPrefix = escapeRegex(tokenPrefix);
-  const match = prompt.match(new RegExp(`^\\s*${escapedPrefix}\\s+(\\S+)\\s*$`, "i"));
-  return match?.[1] ?? null;
+  const linePattern = new RegExp(`^\\s*${escapedPrefix}\\s+(\\S+)\\s*$`, "i");
+  for (const line of prompt.split(/\r?\n/)) {
+    if (!line.trim()) {
+      continue;
+    }
+    const match = line.match(linePattern);
+    return match?.[1] ?? null;
+  }
+  return null;
 }
 function buildRetryInstruction(tokenPrefix, approvalId) {
   return `To allow the next matching action once, send ${tokenPrefix} ${approvalId} and then retry the original action unchanged.`;
@@ -1250,7 +1266,7 @@ function classifyResultToGateVerdict(params) {
     approvalId,
     user_message,
     agent_message,
-    v2: result.v2
+    axes: result.axes
   };
 }
 function unnormalizedGateVerdict(params) {
@@ -1504,7 +1520,7 @@ function matchesSensitivePath(filePath, patterns) {
   return false;
 }
-// src/core/v2/judge-audit.ts
+// src/core/verdict/judge-audit.ts
 function judgeTraceAuditFields(trace) {
   if (!trace) {
     return {};
@@ -1519,7 +1535,7 @@ function judgeTraceAuditFields(trace) {
   };
 }
-// src/core/v2/judge-outbound.ts
+// src/core/verdict/judge-outbound.ts
 var PATH_LIKE = /(?:^|[\s"'`=])(~\/[^\s"'`]+|\/[^\s"'`]+|\.\/[^\s"'`]+|\.\.\/[^\s"'`]+|[A-Za-z]:\\[^\s"'`]+)/g;
 var REDACTED_PLACEHOLDER = /^(?:<redacted>|\[REDACTED\]|<secret>|<high-entropy>|<approval-id>)$/i;
 var URL_CREDENTIALS_PATTERN2 = /\b[A-Za-z][A-Za-z0-9+.-]*:\/\/([^/\s:@]+):([^@\s/]+)@/gi;
@@ -1588,16 +1604,16 @@ function scrubOutboundForJudge(text, options) {
   }
 }
-// src/core/v2/judge.ts
+// src/core/verdict/judge.ts
 var SECRET_PATTERNS = [/\.env\b/i, /\.pem\b/i, /id_rsa\b/i, /credentials/i, /secrets?\b/i];
 var DESTRUCTIVE_VERBS = /\b(rm|rmtree|unlink|delete|truncate|shred|destroy|drop)\b/i;
 var GIT_PATTERNS = /\.git\b/i;
-var TIER1_PROMPT = `Answer ONLY with JSON: {"external_change":boolean,"destroys_outside_repo":boolean,"destroys_history_or_secrets":boolean,"reason":string}
-Default all three booleans to true when unsure. reason should be a short snake_case label.
+var TIER1_PROMPT = `Answer ONLY with JSON: {"external_change":boolean,"reason":string}
+reason should be a short snake_case label.
-external_change: CREATE/MODIFY/DELETE on database, network endpoint, cloud, remote git, registry, queue. READ/QUERY/GET is NOT a change.
-destroys_outside_repo: DELETE/OVERWRITE files OUTSIDE the current repository working tree.
-destroys_history_or_secrets: DELETE/OVERWRITE .git directory OR secret/credential files (.env, *.pem, id_rsa, credentials).
+external_change: true if this operation CREATEs, MODIFYs, DELETEs, or SENDs data to any system outside the local machine and its git repository working tree.
+READ/QUERY/GET/list/describe/SELECT/HTTP GET is NOT a change. Local build, test, and package install inside the repo are NOT external changes.
+If unsure, answer true.
 Command/code:
 `;
@@ -1612,13 +1628,13 @@ function failClosedVerdict(reason) {
 function parseTier1Json(raw) {
   try {
     const parsed = JSON.parse(raw);
-    if (typeof parsed.external_change !== "boolean" || typeof parsed.destroys_outside_repo !== "boolean" || typeof parsed.destroys_history_or_secrets !== "boolean") {
+    if (typeof parsed.external_change !== "boolean") {
       return null;
     }
     return {
-      external_change: parsed.external_change !== false,
-      destroys_outside_repo: parsed.destroys_outside_repo !== false,
-      destroys_history_or_secrets: parsed.destroys_history_or_secrets !== false,
+      external_change: parsed.external_change,
+      destroys_outside_repo: false,
+      destroys_history_or_secrets: false,
       reason: typeof parsed.reason === "string" ? parsed.reason : "tier1_llm"
     };
   } catch {
@@ -1841,10 +1857,10 @@ function createOpenAiCompatibleJudge(options) {
   return judge;
 }
 function tier1RequiresAsk(verdict2) {
-  return verdict2.external_change || verdict2.destroys_outside_repo || verdict2.destroys_history_or_secrets;
+  return verdict2.external_change || verdict2.destroys_history_or_secrets;
 }
-// src/core/v2/judge-factory.ts
+// src/core/verdict/judge-factory.ts
 var FIXTURE_MODELS_URL = new URL("../../../fixtures/judge-models.json", import.meta.url);
 function resolveCloudModel(requested, pinned) {
   if (requested === "auto") {
@@ -1891,10 +1907,10 @@ function createJudgeFromConfig(config, options = {}) {
   return createDeterministicJudgeStub();
 }
-// src/core/v2/verdict.ts
+// src/core/verdict/verdict.ts
 import path11 from "node:path";
-// src/core/v2/containment.ts
+// src/core/verdict/containment.ts
 import path8 from "node:path";
 function expandHome(token) {
   if (token === "~" || token.startsWith("~/")) {
@@ -1986,7 +2002,7 @@ function cwdRelative(repoRoot, cwd) {
   return relativeWithinRepo(repoRoot, cwd) ?? cwd;
 }
-// src/core/v2/egress-classify.ts
+// src/core/verdict/egress-classify.ts
 var EGRESS_TOOL_HEADS = /* @__PURE__ */ new Set([
   "aws",
   "curl",
@@ -2084,6 +2100,9 @@ function classifyAws(tokens) {
   if (/\bs3\s+rm\b/.test(joined)) {
     return "destructive";
   }
+  if (/\bs3\s+mb\b/.test(joined)) {
+    return "destructive";
+  }
   if (/\bs3\s+sync\b/.test(joined)) {
     return "destructive";
   }
@@ -2194,15 +2213,59 @@ function classifyNetlify(tokens) {
   return "ambiguous";
 }
-// src/core/v2/fingerprint.ts
+// src/core/verdict/fingerprint.ts
 function verdictFingerprint(cwdRelative2, commandRedacted) {
   return hashValue(`v2:${cwdRelative2}:${commandRedacted}`);
 }
-// src/core/v2/launcher-resolve.ts
+// src/core/verdict/launcher-resolve.ts
 import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
 import path9 from "node:path";
 var MAX_RESOLVE_DEPTH = 8;
+var PNPM_BUILTIN_COMMANDS = /* @__PURE__ */ new Set([
+  "add",
+  "audit",
+  "cache",
+  "config",
+  "deploy",
+  "dlx",
+  "exec",
+  "fetch",
+  "help",
+  "import",
+  "init",
+  "install",
+  "i",
+  "licenses",
+  "link",
+  "list",
+  "outdated",
+  "pack",
+  "patch",
+  "patch-commit",
+  "patch-remove",
+  "publish",
+  "prune",
+  "rebuild",
+  "remove",
+  "rm",
+  "store",
+  "unlink",
+  "update",
+  "up",
+  "why"
+]);
+var PNPM_EXEC_LIKE_HEADS = /* @__PURE__ */ new Set([
+  "vitest",
+  "vite",
+  "biome",
+  "eslint",
+  "jest",
+  "mocha",
+  "tsc",
+  "tsx",
+  "node"
+]);
 function readPackageJson(dir) {
   const packagePath = path9.join(dir, "package.json");
   if (!existsSync4(packagePath)) {
@@ -2257,6 +2320,12 @@ function npmScriptName(tokens) {
   if (launcher[0] === "pnpm" && launcher[1] === "run" && launcher[2]) {
     return launcher[2];
   }
+  if (launcher[0] === "pnpm" && launcher[1] === "test") {
+    return "test";
+  }
+  if (launcher[0] === "pnpm" && launcher[1] && !launcher[1].startsWith("-") && !PNPM_BUILTIN_COMMANDS.has(launcher[1])) {
+    return launcher[1];
+  }
   if (launcher[0] === "npm" && launcher[1] && launcher[1] !== "run" && launcher[1] !== "install") {
     return null;
   }
@@ -2378,11 +2447,31 @@ function resolveLauncherRecipe(params) {
   const tokens = params.tokens;
   const scriptName = npmScriptName(tokens);
   if (scriptName) {
-    return resolveNpmRecipe(params.cwd, params.repoRoot, scriptName, forwardedArgs(tokens));
+    const resolution = resolveNpmRecipe(
+      params.cwd,
+      params.repoRoot,
+      scriptName,
+      forwardedArgs(tokens)
+    );
+    if (tokens[0] === "pnpm" && tokens[1] && PNPM_EXEC_LIKE_HEADS.has(tokens[1]) && resolution.reason === "npm_script_undefined") {
+      return {
+        recipes: [tokens.slice(1).join(" ")],
+        opaque: false,
+        reason: "pnpm_exec_like"
+      };
+    }
+    return resolution;
   }
   if (tokens[0] === "make" && tokens[1] && !tokens[1].startsWith("-")) {
     return resolveMakeRecipe(params.cwd, params.repoRoot, tokens[1]);
   }
+  if (tokens[0] === "pnpm" && tokens[1] && PNPM_EXEC_LIKE_HEADS.has(tokens[1])) {
+    return {
+      recipes: [tokens.slice(1).join(" ")],
+      opaque: false,
+      reason: "pnpm_exec_like"
+    };
+  }
   return null;
 }
 function isRoutineLauncher(tokens) {
@@ -2398,7 +2487,7 @@ function matchesCustomCommand(normalizedCommand, key, pattern) {
   return normalizedCommand === trimmed || key === trimmed;
 }
-// src/core/v2/overrides.ts
+// src/core/verdict/overrides.ts
 function matchesCustomPatterns(command, segment, patterns) {
   if (!patterns || patterns.length === 0) {
     return false;
@@ -2437,7 +2526,7 @@ function askFromCustomExternal(opacity) {
   };
 }
-// src/core/v2/parser.ts
+// src/core/verdict/parser.ts
 import path10 from "node:path";
 // src/core/shell-substitution.ts
@@ -2661,7 +2750,7 @@ function hasUnbalancedDollarParen(command) {
   return depth > 0;
 }
-// src/core/v2/parser.ts
+// src/core/verdict/parser.ts
 var ENV_PREFIX_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=(?:'[^']*'|"[^"]*"|\S+)$/;
 var TRANSPARENT_WRAPPERS = /* @__PURE__ */ new Set([
   "sudo",
@@ -2861,7 +2950,7 @@ function redactCommand(command) {
   return command.replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/gi, "Bearer [REDACTED]").replace(/sk-[A-Za-z0-9]{8,}/g, "sk-[REDACTED]").trim();
 }
-// src/core/v2/verdict.ts
+// src/core/verdict/verdict.ts
 var DEFAULT_MAX_DEPTH = 8;
 var TIER0_EXTERNAL_KEYS = /* @__PURE__ */ new Set([
   "git push",
@@ -2944,6 +3033,7 @@ var LOCAL_ROUTINE_HEADS = /* @__PURE__ */ new Set([
   "make",
   "cmake"
 ]);
+var BELAY_SELF_COMMANDS = /* @__PURE__ */ new Set(["approve", "revoke"]);
 var FIND_DANGEROUS_FLAGS = /* @__PURE__ */ new Set(["-delete", "-exec", "-execdir", "-ok", "-okdir"]);
 function isFindDangerous(tokens) {
   return tokens.some(
@@ -3091,6 +3181,11 @@ function tier0ExternalMatch(key, head, tokens) {
   }
   return false;
 }
+function isBelaySelfCommand(tokens) {
+  const head = tokens[0] ?? "";
+  const subcommand = tokens[1] ?? "";
+  return head === "belay" && BELAY_SELF_COMMANDS.has(subcommand);
+}
 function tier0HighStakesRm(tokens, context) {
   const head = tokens[0] ?? "";
   if (head !== "rm") {
@@ -3322,6 +3417,16 @@ async function evaluateSegment(command, context, depth) {
   if (rmVerdict) {
     return rmVerdict;
   }
+  if (isBelaySelfCommand(peeled)) {
+    return allowVerdict({
+      location: "unknown",
+      opacity: "transparent",
+      effect: "local_mutation",
+      confidence: "deterministic",
+      reason: "belay_control_plane_command",
+      signals: ["belay_control_plane_command", segment.head]
+    });
+  }
   let effect = "unknown";
   if (READ_ONLY_KEYS.has(segment.key) || READ_ONLY_KEYS.has(segment.head)) {
     effect = "read_only";
@@ -3542,7 +3647,7 @@ async function verdict(command, context) {
   );
 }
-// src/core/v2/adapter.ts
+// src/core/verdict/adapter.ts
 function buildVerdictContext(params) {
   const protectedArtifactRoots2 = [
     ...params.options?.protectedArtifactRoots ?? [],
@@ -3589,6 +3694,12 @@ function mapLegacyReason(result) {
   if (result.reason === "repo_local_mutation") {
     return "local_mutation";
   }
+  if (result.reason === "tier1_not_restorable") {
+    return "tier1_catastrophic";
+  }
+  if (result.reason === "tier0_restorable" || result.reason === "tier1_restorable") {
+    return result.effect === "local_mutation" ? "local_mutation" : result.reason;
+  }
   return result.reason;
 }
 function verdictToClassifyResult(result) {
@@ -3609,13 +3720,13 @@ function verdictToClassifyResult(result) {
     assessment,
     normalizedCommand: result.commandRedacted,
     summary: result.commandRedacted,
-    v2: {
+    axes: {
       location: result.location,
       opacity: result.opacity,
       effect: result.effect,
       confidence: result.confidence,
       would: result.permission,
-      by: "v2",
+      by: "verdict",
       commandRedacted: result.commandRedacted,
       commandFingerprint: result.fingerprint,
       signals: result.signals,
@@ -4065,7 +4176,7 @@ function normalizeGatedAction(params) {
   };
 }
 function applyShellPeripheralPolicy(command, action, result, options) {
-  if (options.brokerFsScope && result.verdict === "deny_pending_approval" && (result.reason === "outside_repo_mutation" || result.reason === "outside_repo_redirect" || result.reason === "repo_outside_mutation" || result.v2?.location === "repo_outside")) {
+  if (options.brokerFsScope && result.verdict === "deny_pending_approval" && (result.reason === "outside_repo_mutation" || result.reason === "outside_repo_redirect" || result.reason === "repo_outside_mutation" || result.axes?.location === "repo_outside")) {
     const outsideRepoPaths = collectOutsideRepoPaths(command, action.cwd, action.repoRoot);
     if (outsideRepoPaths.length > 0 && options.fsScopeAllowlist && allPathsAllowlisted(outsideRepoPaths, options.fsScopeAllowlist)) {
       return {
@@ -4744,7 +4855,15 @@ async function consumeApprovedApproval(ctx, deps, kind, fingerprint) {
     await deps.writeApprovals(approved.filePath, approved.state);
     return null;
   }
-  const [approval] = approved.state.approvals.splice(index, 1);
+  const approval = approved.state.approvals[index];
+  if (approval.executionLeaseExpiresAt) {
+    await deps.writeApprovals(approved.filePath, approved.state);
+    return approval;
+  }
+  approved.state.approvals[index] = {
+    ...approval,
+    executionLeaseExpiresAt: new Date(Date.now() + APPROVAL_EXECUTION_LEASE_MS).toISOString()
+  };
   await deps.writeApprovals(approved.filePath, approved.state);
   return approval;
 }
@@ -4882,8 +5001,8 @@ async function gateDecisionToVerdict(ctx, deps, kind, result, auditExtras = {})
     predictedAssessment: auditExtras.predictedAssessment,
     observedAssessment: auditExtras.observedAssessment,
     mode: ctx.config.mode,
-    schemaVersion: result.v2 ? 2 : 1,
-    ...result.v2 ?? {},
+    schemaVersion: result.axes ? 2 : 1,
+    ...result.axes ?? {},
     ...auditExtras.transactionalLayer
   };
   if (result.reason === TRANSACTIONAL_ALREADY_APPLIED) {