@hiro-c/agent-gate 1.1.0 → 1.3.0

package/README.md

@@ -88,7 +88,10 @@ Full options: see [docs/config.md](docs/config.md) (TODO) or `AgentGatePluginCon
 | `AGENT_GATE_LOG` | `1` writes decisions to `~/.agent-gate/log.jsonl` |
 | `AGENT_GATE_API_KEY` | Use Anthropic API directly instead of `claude` CLI |
 | `AGENT_GATE_USE_SDK` | `1` prefers the Anthropic agent SDK over API/CLI (no API key needed; works best with daemon mode) |
+| `AGENT_GATE_ON_ERROR` | `block` to fail-closed when a rule or AI client throws (default `allow`) |
 | `AGENT_GATE_DAEMON` | `1` routes through the daemon if it is running |
+| `AGENT_GATE_CACHE_TTL_SEC` | Daemon decision cache TTL in seconds (default `60`) |
+| `AGENT_GATE_CACHE_SIZE` | Daemon decision cache max entries (default `256`) |
 
 ## Supported AI tools
 

package/dist/cache/DecisionCache.d.ts

@@ -0,0 +1,36 @@
+import { ValidationResult } from '../contracts/types/ValidationResult';
+export interface CacheKey {
+    adapter: string;
+    toolName: string;
+    toolInput: Record<string, unknown>;
+    cwd: string;
+}
+export interface DecisionCacheOptions {
+    /** Time to live in seconds. Entries past this age miss. */
+    ttlSec: number;
+    /** Max entries before LRU eviction kicks in. */
+    maxEntries: number;
+    /** Clock injection for testing. Defaults to Date.now. */
+    now?: () => number;
+}
+/**
+ * In-process LRU + TTL cache of agent-gate decisions.
+ *
+ * Most useful inside `agent-gate daemon` where the cache persists
+ * across hook invocations. Same {adapter, toolName, toolInput, cwd}
+ * within the TTL skips the entire pipeline (deterministic engine,
+ * collector, AI call) and returns the prior verdict.
+ */
+export declare class DecisionCache {
+    private readonly ttlMs;
+    private readonly maxEntries;
+    private readonly now;
+    private readonly store;
+    constructor(opts: DecisionCacheOptions);
+    private hash;
+    get(key: CacheKey): ValidationResult | null;
+    set(key: CacheKey, value: ValidationResult): void;
+    get size(): number;
+    clear(): void;
+}
+//# sourceMappingURL=DecisionCache.d.ts.map

package/dist/cache/DecisionCache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DecisionCache.d.ts","sourceRoot":"","sources":["../../src/cache/DecisionCache.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AAEtE,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAClC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,MAAM,WAAW,oBAAoB;IACnC,2DAA2D;IAC3D,MAAM,EAAE,MAAM,CAAA;IACd,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAA;IAClB,yDAAyD;IACzD,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB;AAOD;;;;;;;GAOG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAQ;IACnC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAc;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgC;gBAE1C,IAAI,EAAE,oBAAoB;IAMtC,OAAO,CAAC,IAAI;IASZ,GAAG,CAAC,GAAG,EAAE,QAAQ,GAAG,gBAAgB,GAAG,IAAI;IAc3C,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,gBAAgB,GAAG,IAAI;IAWjD,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,KAAK,IAAI,IAAI;CAGd"}

package/dist/cache/DecisionCache.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DecisionCache = void 0;
+/**
+ * In-process LRU + TTL cache of agent-gate decisions.
+ *
+ * Most useful inside `agent-gate daemon` where the cache persists
+ * across hook invocations. Same {adapter, toolName, toolInput, cwd}
+ * within the TTL skips the entire pipeline (deterministic engine,
+ * collector, AI call) and returns the prior verdict.
+ */
+class DecisionCache {
+    ttlMs;
+    maxEntries;
+    now;
+    store = new Map();
+    constructor(opts) {
+        this.ttlMs = opts.ttlSec * 1000;
+        this.maxEntries = opts.maxEntries;
+        this.now = opts.now ?? Date.now;
+    }
+    hash(key) {
+        return JSON.stringify({
+            a: key.adapter,
+            t: key.toolName,
+            c: key.cwd,
+            i: canonicalize(key.toolInput),
+        });
+    }
+    get(key) {
+        const k = this.hash(key);
+        const entry = this.store.get(k);
+        if (!entry)
+            return null;
+        if (entry.expiresAt <= this.now()) {
+            this.store.delete(k);
+            return null;
+        }
+        // Refresh LRU order: re-insert.
+        this.store.delete(k);
+        this.store.set(k, entry);
+        return entry.value;
+    }
+    set(key, value) {
+        const k = this.hash(key);
+        this.store.delete(k);
+        this.store.set(k, { value, expiresAt: this.now() + this.ttlMs });
+        while (this.store.size > this.maxEntries) {
+            const oldest = this.store.keys().next().value;
+            if (oldest === undefined)
+                break;
+            this.store.delete(oldest);
+        }
+    }
+    get size() {
+        return this.store.size;
+    }
+    clear() {
+        this.store.clear();
+    }
+}
+exports.DecisionCache = DecisionCache;
+/**
+ * Stable string representation of an arbitrary JSON-like input.
+ * Sorts object keys so key-order does not affect cache hits.
+ */
+function canonicalize(value) {
+    if (Array.isArray(value)) {
+        return value.map(canonicalize);
+    }
+    if (value !== null && typeof value === 'object') {
+        const obj = value;
+        const sorted = {};
+        for (const k of Object.keys(obj).sort()) {
+            sorted[k] = canonicalize(obj[k]);
+        }
+        return sorted;
+    }
+    return value;
+}

package/dist/cli/agent-gate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agent-gate.d.ts","sourceRoot":"","sources":["../../src/cli/agent-gate.ts"],"names":[],"mappings":";AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AAYtE,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAsC7C,wBAAsB,GAAG,CACvB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAE3B;AAsGD,UAAU,UAAU;IAClB,UAAU,EAAE,MAAM,EAAE,CAAA;IACpB,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,OAAO,CAAA;IACjB,WAAW,EAAE,OAAO,CAAA;CACrB;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAgCpD"}
+{"version":3,"file":"agent-gate.d.ts","sourceRoot":"","sources":["../../src/cli/agent-gate.ts"],"names":[],"mappings":";AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AAYtE,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAuC7C,wBAAsB,GAAG,CACvB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAE3B;AAuHD,UAAU,UAAU;IAClB,UAAU,EAAE,MAAM,EAAE,CAAA;IACpB,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,OAAO,CAAA;IACjB,WAAW,EAAE,OAAO,CAAA;CACrB;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAgCpD"}

package/dist/cli/agent-gate.js

@@ -15,6 +15,7 @@ const formatFindings_1 = require("../doctor/formatFindings");
 const server_1 = require("../daemon/server");
 const client_1 = require("../daemon/client");
 const protocol_1 = require("../daemon/protocol");
+const DecisionCache_1 = require("../cache/DecisionCache");
 const HELP_TEXT = `agent-gate — runtime enforcer for AI coding agent rules
 
 Usage:
@@ -75,6 +76,14 @@ function runHookMode(adapter) {
 }
 async function runDaemon() {
     const socketPath = process.env.AGENT_GATE_SOCKET_PATH ?? (0, protocol_1.defaultSocketPath)();
+    // Shared decision cache lives for the lifetime of the daemon, so every
+    // hook invocation benefits from prior verdicts.
+    const ttlSec = parseInt(process.env.AGENT_GATE_CACHE_TTL_SEC ?? '60', 10);
+    const maxEntries = parseInt(process.env.AGENT_GATE_CACHE_SIZE ?? '256', 10);
+    const cache = new DecisionCache_1.DecisionCache({
+        ttlSec: Number.isNaN(ttlSec) ? 60 : ttlSec,
+        maxEntries: Number.isNaN(maxEntries) ? 256 : maxEntries,
+    });
     const server = new server_1.DaemonServer({
         socketPath,
         handler: async (req) => {
@@ -89,6 +98,7 @@ async function runDaemon() {
             const result = await (0, processHookData_1.processHookData)(req.payload, {
                 adapter,
                 cwd: req.cwd,
+                cache,
             });
             return { output: adapter.formatResponse(result) };
         },

package/dist/config/Config.d.ts

@@ -19,6 +19,14 @@ export type ConfigOptions = {
      * cost, so this is most useful when paired with `agent-gate daemon`.
      */
     useSdk?: boolean;
+    /**
+     * Behavior when a rule or model client throws unexpectedly.
+     * - "allow" (default): swallow the error and let the operation through.
+     *   Optimized for developer ergonomics so flaky AI does not block work.
+     * - "block": turn the error into a block verdict. Recommended for
+     *   production / enterprise pipelines that prefer fail-closed safety.
+     */
+    onError?: 'allow' | 'block';
 };
 export declare class Config {
     readonly model: string;
@@ -28,6 +36,7 @@ export declare class Config {
     readonly useSystemClaude: boolean;
     readonly reasonLang: string | undefined;
     readonly useSdk: boolean;
+    readonly onError: 'allow' | 'block';
     constructor(options?: ConfigOptions);
     get useApi(): boolean;
 }

package/dist/config/Config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Config.d.ts","sourceRoot":"","sources":["../../src/config/Config.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa,sBAAsB,CAAA;AAEhD,MAAM,MAAM,aAAa,GAAG;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB,CAAA;AAED,qBAAa,MAAM;IACjB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAA;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;gBAEZ,OAAO,CAAC,EAAE,aAAa;IAWnC,IAAI,MAAM,IAAI,OAAO,CAEpB;CACF"}
+{"version":3,"file":"Config.d.ts","sourceRoot":"","sources":["../../src/config/Config.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa,sBAAsB,CAAA;AAEhD,MAAM,MAAM,aAAa,GAAG;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAA;CAC5B,CAAA;AAED,qBAAa,MAAM;IACjB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAA;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAA;gBAEvB,OAAO,CAAC,EAAE,aAAa;IAenC,IAAI,MAAM,IAAI,OAAO,CAEpB;CACF"}

package/dist/config/Config.js

@@ -10,6 +10,7 @@ class Config {
     useSystemClaude;
     reasonLang;
     useSdk;
+    onError;
     constructor(options) {
         this.model = options?.model ?? process.env.AGENT_GATE_MODEL ?? exports.DEFAULT_MODEL;
         this.apiKey = options?.apiKey ?? process.env.AGENT_GATE_API_KEY;
@@ -19,6 +20,10 @@ class Config {
         this.useSystemClaude = options?.useSystemClaude ?? process.env.USE_SYSTEM_CLAUDE === 'true';
         this.reasonLang = options?.reasonLang ?? process.env.AGENT_GATE_REASON_LANG;
         this.useSdk = options?.useSdk ?? process.env.AGENT_GATE_USE_SDK === '1';
+        const envOnError = process.env.AGENT_GATE_ON_ERROR;
+        this.onError =
+            options?.onError ??
+                (envOnError === 'block' ? 'block' : 'allow');
     }
     get useApi() {
         return this.apiKey !== undefined && this.apiKey !== '';

package/dist/deterministic/engine.d.ts

@@ -7,5 +7,17 @@ export type EngineResult = {
     reason: string;
     ruleId: string;
 };
-export declare function runDeterministicRules(toolName: string, toolInput: Record<string, unknown>, rules: DeterministicRule[], ctx?: SessionContext): EngineResult;
+export type OnErrorPolicy = 'allow' | 'block';
+export interface RunDeterministicRulesOptions {
+    /**
+     * What to do when a rule's check function throws.
+     * - "allow" (default): swallow the exception and continue with the
+     *   next rule. Compatible with prior versions.
+     * - "block": turn the exception into a block verdict and stop the
+     *   engine. Suitable for enterprise / production use where the
+     *   safest response to a misbehaving rule is to halt.
+     */
+    onError?: OnErrorPolicy;
+}
+export declare function runDeterministicRules(toolName: string, toolInput: Record<string, unknown>, rules: DeterministicRule[], ctx?: SessionContext, options?: RunDeterministicRulesOptions): EngineResult;
 //# sourceMappingURL=engine.d.ts.map

package/dist/deterministic/engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/deterministic/engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAA;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAA;AAElE,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,GACjB;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAErD,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClC,KAAK,EAAE,iBAAiB,EAAE,EAC1B,GAAG,CAAC,EAAE,cAAc,GACnB,YAAY,CAQd"}
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/deterministic/engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAA;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAA;AAElE,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,GACjB;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAA;AAErD,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,OAAO,CAAA;AAE7C,MAAM,WAAW,4BAA4B;IAC3C;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE,aAAa,CAAA;CACxB;AAED,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClC,KAAK,EAAE,iBAAiB,EAAE,EAC1B,GAAG,CAAC,EAAE,cAAc,EACpB,OAAO,CAAC,EAAE,4BAA4B,GACrC,YAAY,CAuBd"}

package/dist/deterministic/engine.js

@@ -1,9 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runDeterministicRules = runDeterministicRules;
-function runDeterministicRules(toolName, toolInput, rules, ctx) {
+function runDeterministicRules(toolName, toolInput, rules, ctx, options) {
+    const onError = options?.onError ?? 'allow';
     for (const rule of rules) {
-        const verdict = rule.check(toolName, toolInput, ctx);
+        let verdict;
+        try {
+            verdict = rule.check(toolName, toolInput, ctx);
+        }
+        catch (e) {
+            if (onError === 'block') {
+                const reason = e instanceof Error ? e.message : String(e);
+                return {
+                    kind: 'block',
+                    reason: `Rule "${rule.id}" failed: ${reason}. Failing closed.`,
+                    ruleId: rule.id,
+                };
+            }
+            continue;
+        }
         if (verdict.kind === 'block') {
             return { kind: 'block', reason: verdict.reason, ruleId: rule.id };
         }

package/dist/hooks/processHookData.d.ts

@@ -6,6 +6,7 @@ import { Config } from '../config/Config';
 import { DeterministicRule } from '../deterministic/types';
 import { Adapter } from '../adapters/Adapter';
 import { AgentGateConfig } from '../config/AgentGateConfig';
+import { DecisionCache } from '../cache/DecisionCache';
 import { EventBus } from '../observability/eventBus';
 export interface CooldownStore {
     getLastTime(key: string): number;
@@ -32,6 +33,12 @@ export interface ProcessHookDataDeps {
         enabled: boolean;
         path?: string;
     };
+    /**
+     * Optional in-process decision cache. Most useful in daemon mode where
+     * the cache survives across hook invocations and short-circuits the
+     * entire pipeline on a hit.
+     */
+    cache?: DecisionCache;
 }
 export declare function processHookData(input: string, deps?: ProcessHookDataDeps): Promise<ValidationResult>;
 //# sourceMappingURL=processHookData.d.ts.map

package/dist/hooks/processHookData.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"processHookData.d.ts","sourceRoot":"","sources":["../../src/hooks/processHookData.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAA;AAE7D,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAA;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAA;AAKzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAG1D,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C,OAAO,EACL,eAAe,EAEhB,MAAM,2BAA2B,CAAA;AAMlC,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAA;AAWpD,MAAM,WAAW,aAAa;IAC5B,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;IAChC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;CAC7C;AA4BD,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,eAAe,CAAC,EAAE,eAAe,CAAA;IACjC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,UAAU,EAAE,CAAA;IACzC,WAAW,CAAC,EAAE,OAAO,SAAS,CAAA;IAC9B,cAAc,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,YAAY,CAAA;IACjD,aAAa,CAAC,EAAE,aAAa,CAAA;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,kBAAkB,CAAC,EAAE,iBAAiB,EAAE,CAAA;IACxC,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,wEAAwE;IACxE,OAAO,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAC9C;AAaD,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE,mBAAmB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAoI3B"}
+{"version":3,"file":"processHookData.d.ts","sourceRoot":"","sources":["../../src/hooks/processHookData.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAA;AAE7D,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAA;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAA;AAKzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAG1D,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C,OAAO,EACL,eAAe,EAEhB,MAAM,2BAA2B,CAAA;AAMlC,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAA;AAWpD,MAAM,WAAW,aAAa;IAC5B,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;IAChC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;CAC7C;AA4BD,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,eAAe,CAAC,EAAE,eAAe,CAAA;IACjC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,UAAU,EAAE,CAAA;IACzC,WAAW,CAAC,EAAE,OAAO,SAAS,CAAA;IAC9B,cAAc,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,YAAY,CAAA;IACjD,aAAa,CAAC,EAAE,aAAa,CAAA;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,kBAAkB,CAAC,EAAE,iBAAiB,EAAE,CAAA;IACxC,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,QAAQ,CAAA;IACnB,wEAAwE;IACxE,OAAO,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IAC7C;;;;OAIG;IACH,KAAK,CAAC,EAAE,aAAa,CAAA;CACtB;AAaD,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE,mBAAmB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CA0K3B"}

package/dist/hooks/processHookData.js

@@ -68,6 +68,18 @@ async function processHookData(input, deps) {
     const { toolName, toolInput } = parsed.action;
     // Resolve cwd early so the agent-gate config can be loaded relative to it.
     const cwd = deps?.cwd ?? process.cwd();
+    // Cache lookup: if a recent verdict for the exact same (adapter, tool,
+    // input, cwd) is still valid, return it without re-running the pipeline.
+    if (deps?.cache) {
+        const cached = deps.cache.get({
+            adapter: adapter.id,
+            toolName,
+            toolInput,
+            cwd,
+        });
+        if (cached)
+            return cached;
+    }
     const agentGateConfig = deps?.agentGateConfig ?? (0, AgentGateConfig_1.loadAgentGateConfig)(cwd);
     // Build SessionContext (history from adapter, projectRoot defaults to cwd
     // for v1; future work can detect the actual project root).
@@ -89,7 +101,7 @@ async function processHookData(input, deps) {
     // any cooldown or AI check.
     const deterministicRules = deps?.deterministicRules ??
         (0, defaultRules_1.buildDefaultDeterministicRules)(agentGateConfig);
-    const ruleVerdict = (0, engine_1.runDeterministicRules)(toolName, toolInput, deterministicRules, sessionContext);
+    const ruleVerdict = (0, engine_1.runDeterministicRules)(toolName, toolInput, deterministicRules, sessionContext, { onError: config.onError });
     if (ruleVerdict.kind === 'block') {
         bus.emit({
             type: 'rule.fired',
@@ -108,7 +120,14 @@ async function processHookData(input, deps) {
             source: 'deterministic',
             ruleId: ruleVerdict.ruleId,
         });
-        return { decision: 'block', reason: ruleVerdict.reason };
+        const verdict = {
+            decision: 'block',
+            reason: ruleVerdict.reason,
+        };
+        if (deps?.cache) {
+            deps.cache.set({ adapter: adapter.id, toolName, toolInput, cwd }, verdict);
+        }
+        return verdict;
     }
     // Cooldown check (file-based, persists across process invocations)
     const cooldownStore = config.cooldown > 0
@@ -125,6 +144,9 @@ async function processHookData(input, deps) {
     const collect = deps?.collectFn ?? collectRuleSources_1.collectRuleSources;
     const rules = collect(cwd);
     if (rules.length === 0) {
+        if (deps?.cache) {
+            deps.cache.set({ adapter: adapter.id, toolName, toolInput, cwd }, PASS);
+        }
         return PASS;
     }
     // Get model client
@@ -139,7 +161,9 @@ async function processHookData(input, deps) {
         rulesCount: rules.length,
     });
     const aiStart = Date.now();
-    const result = await validate(rules, toolName, toolInput, modelClient);
+    const result = await validate(rules, toolName, toolInput, modelClient, {
+        onError: config.onError,
+    });
     const aiLatency = Date.now() - aiStart;
     // Update cooldown timestamp AFTER successful validation
     if (cooldownStore) {
@@ -163,6 +187,9 @@ async function processHookData(input, deps) {
         reason: result.reason,
         source,
     });
+    if (deps?.cache) {
+        deps.cache.set({ adapter: adapter.id, toolName, toolInput, cwd }, result);
+    }
     return result;
 }
 function createModelClient(config, cwd) {

package/dist/index.d.ts

@@ -25,6 +25,8 @@ export type { AgentSdkClientOptions, AgentSdkQueryFn, } from './validation/model
 export { lintRuleSources } from './doctor/lintRuleSources';
 export { formatFindings } from './doctor/formatFindings';
 export type { Finding, FindingCode, Severity, } from './doctor/findings';
+export { DecisionCache } from './cache/DecisionCache';
+export type { CacheKey, DecisionCacheOptions, } from './cache/DecisionCache';
 export { DaemonServer } from './daemon/server';
 export type { DaemonServerOptions, DaemonHandler } from './daemon/server';
 export { sendToDaemon } from './daemon/client';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA;AACxC,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,YAAY,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAClE,YAAY,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAA;AAG9D,YAAY,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,YAAY,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAA;AAC1D,YAAY,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAA;AACjE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC9E,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAClE,YAAY,EACV,cAAc,EACd,YAAY,GACb,MAAM,kCAAkC,CAAA;AAGzC,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAA;AAGnE,YAAY,EACV,iBAAiB,EACjB,WAAW,GACZ,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,2BAA2B,CAAA;AAClC,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,8BAA8B,CAAA;AAGrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAA;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AACzD,YAAY,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAGrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0CAA0C,CAAA;AAC/E,YAAY,EAAE,2BAA2B,EAAE,MAAM,0CAA0C,CAAA;AAC3F,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAA;AACnE,YAAY,EACV,qBAAqB,EACrB,eAAe,GAChB,MAAM,oCAAoC,CAAA;AAG3C,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,YAAY,EACV,OAAO,EACP,WAAW,EACX,QAAQ,GACT,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAC1D,OAAO,EACL,iBAAiB,IAAI,uBAAuB,GAC7C,MAAM,mBAAmB,CAAA;AAC1B,YAAY,EACV,aAAa,EACb,cAAc,EACd,mBAAmB,GACpB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AACnE,YAAY,EACV,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,IAAI,GACL,MAAM,4BAA4B,CAAA;AAGnC,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAA;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA;AACxC,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,YAAY,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAClE,YAAY,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAA;AAG9D,YAAY,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,YAAY,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAA;AAC1D,YAAY,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAA;AACjE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC9E,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAClE,YAAY,EACV,cAAc,EACd,YAAY,GACb,MAAM,kCAAkC,CAAA;AAGzC,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAA;AAGnE,YAAY,EACV,iBAAiB,EACjB,WAAW,GACZ,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,2BAA2B,CAAA;AAClC,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,8BAA8B,CAAA;AAGrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAA;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AACzD,YAAY,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAGrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0CAA0C,CAAA;AAC/E,YAAY,EAAE,2BAA2B,EAAE,MAAM,0CAA0C,CAAA;AAC3F,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAA;AACnE,YAAY,EACV,qBAAqB,EACrB,eAAe,GAChB,MAAM,oCAAoC,CAAA;AAG3C,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAA;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,YAAY,EACV,OAAO,EACP,WAAW,EACX,QAAQ,GACT,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AACrD,YAAY,EACV,QAAQ,EACR,oBAAoB,GACrB,MAAM,uBAAuB,CAAA;AAG9B,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACzE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAC1D,OAAO,EACL,iBAAiB,IAAI,uBAAuB,GAC7C,MAAM,mBAAmB,CAAA;AAC1B,YAAY,EACV,aAAa,EACb,cAAc,EACd,mBAAmB,GACpB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AACnE,YAAY,EACV,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,IAAI,GACL,MAAM,4BAA4B,CAAA;AAGnC,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAA;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA"}

package/dist/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.processHookData = exports.validator = exports.collectRuleSources = exports.JsonlFileSink = exports.EventBus = exports.defaultDaemonSocketPath = exports.sendToDaemon = exports.DaemonServer = exports.formatFindings = exports.lintRuleSources = exports.AgentSdkClient = exports.CompositeModelClient = exports.cursorAdapter = exports.claudeCodeAdapter = exports.buildDefaultDeterministicRules = exports.defaultDeterministicRules = exports.forbidFilePathPattern = exports.forbidContentPattern = exports.forbidCommandPattern = exports.HookDataSchema = exports.loadPluginConfig = exports.loadAgentGateConfig = exports.defineConfig = exports.Config = void 0;
+exports.processHookData = exports.validator = exports.collectRuleSources = exports.JsonlFileSink = exports.EventBus = exports.defaultDaemonSocketPath = exports.sendToDaemon = exports.DaemonServer = exports.DecisionCache = exports.formatFindings = exports.lintRuleSources = exports.AgentSdkClient = exports.CompositeModelClient = exports.cursorAdapter = exports.claudeCodeAdapter = exports.buildDefaultDeterministicRules = exports.defaultDeterministicRules = exports.forbidFilePathPattern = exports.forbidContentPattern = exports.forbidCommandPattern = exports.HookDataSchema = exports.loadPluginConfig = exports.loadAgentGateConfig = exports.defineConfig = exports.Config = void 0;
 // Config
 var Config_1 = require("./config/Config");
 Object.defineProperty(exports, "Config", { enumerable: true, get: function () { return Config_1.Config; } });
@@ -35,6 +35,9 @@ var lintRuleSources_1 = require("./doctor/lintRuleSources");
 Object.defineProperty(exports, "lintRuleSources", { enumerable: true, get: function () { return lintRuleSources_1.lintRuleSources; } });
 var formatFindings_1 = require("./doctor/formatFindings");
 Object.defineProperty(exports, "formatFindings", { enumerable: true, get: function () { return formatFindings_1.formatFindings; } });
+// Cache
+var DecisionCache_1 = require("./cache/DecisionCache");
+Object.defineProperty(exports, "DecisionCache", { enumerable: true, get: function () { return DecisionCache_1.DecisionCache; } });
 // Daemon
 var server_1 = require("./daemon/server");
 Object.defineProperty(exports, "DaemonServer", { enumerable: true, get: function () { return server_1.DaemonServer; } });

package/dist/validation/validator.d.ts

@@ -1,5 +1,9 @@
 import { ValidationResult } from '../contracts/types/ValidationResult';
 import { RuleSource } from '../contracts/types/RuleSource';
 import { IModelClient } from '../contracts/types/ModelClient';
-export declare function validator(rules: RuleSource[], toolName: string, toolInput: Record<string, unknown>, modelClient: IModelClient): Promise<ValidationResult>;
+export interface ValidatorOptions {
+    /** Fail-closed behavior on model client failures. Default: "allow". */
+    onError?: 'allow' | 'block';
+}
+export declare function validator(rules: RuleSource[], toolName: string, toolInput: Record<string, unknown>, modelClient: IModelClient, options?: ValidatorOptions): Promise<ValidationResult>;
 //# sourceMappingURL=validator.d.ts.map

package/dist/validation/validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../src/validation/validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAA;AAQ7D,wBAAsB,SAAS,CAC7B,KAAK,EAAE,UAAU,EAAE,EACnB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClC,WAAW,EAAE,YAAY,GACxB,OAAO,CAAC,gBAAgB,CAAC,CAa3B"}
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../src/validation/validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAA;AAQ7D,MAAM,WAAW,gBAAgB;IAC/B,uEAAuE;IACvE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAA;CAC5B;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,UAAU,EAAE,EACnB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClC,WAAW,EAAE,YAAY,EACzB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAmB3B"}

package/dist/validation/validator.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validator = validator;
 const context_1 = require("./prompts/context");
-async function validator(rules, toolName, toolInput, modelClient) {
+async function validator(rules, toolName, toolInput, modelClient, options) {
     try {
         const prompt = (0, context_1.buildPrompt)(rules, toolName, toolInput);
         const response = await modelClient.ask(prompt);
@@ -10,6 +10,12 @@ async function validator(rules, toolName, toolInput, modelClient) {
     }
     catch (error) {
         const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        if (options?.onError === 'block') {
+            return {
+                decision: 'block',
+                reason: `Validation failed (failing closed): ${errorMessage}`,
+            };
+        }
         return {
             decision: undefined,
             reason: `Validation error (allowing operation): ${errorMessage}`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hiro-c/agent-gate",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "Runtime rule enforcer for AI coding agents. Reads CLAUDE.md / AGENTS.md / .cursorrules and enforces them via Claude Code and Cursor hooks, with a deterministic safety baseline.",
   "author": "Hiro-Chiba",
   "license": "MIT",