@lannguyensi/harness 0.14.0 → 0.16.0
- package/CHANGELOG.md +45 -0
- package/README.md +20 -2
- package/dist/cli/doctor/format.js +24 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.d.ts +7 -0
- package/dist/cli/doctor/index.js +10 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/rogue-ledger.d.ts +25 -0
- package/dist/cli/doctor/rogue-ledger.js +106 -0
- package/dist/cli/doctor/rogue-ledger.js.map +1 -0
- package/dist/cli/doctor/types.d.ts +10 -1
- package/dist/cli/doctor/types.js.map +1 -1
- package/dist/cli/index.js +177 -0
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/composer.d.ts +29 -0
- package/dist/cli/init/composer.js +377 -0
- package/dist/cli/init/composer.js.map +1 -0
- package/dist/cli/init/dependencies.d.ts +25 -0
- package/dist/cli/init/dependencies.js +100 -10
- package/dist/cli/init/dependencies.js.map +1 -1
- package/dist/cli/init/index.d.ts +18 -1
- package/dist/cli/init/index.js +17 -7
- package/dist/cli/init/index.js.map +1 -1
- package/dist/cli/init/interactive.d.ts +31 -2
- package/dist/cli/init/interactive.js +321 -79
- package/dist/cli/init/interactive.js.map +1 -1
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +60 -9
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-branch-protection.d.ts +30 -0
- package/dist/cli/pack/hook-branch-protection.js +279 -0
- package/dist/cli/pack/hook-branch-protection.js.map +1 -0
- package/dist/cli/pack/hook-codex-pre-tool-use.js +3 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.d.ts +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +42 -3
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/understanding-report-schema-hint.d.ts +13 -0
- package/dist/cli/pack/understanding-report-schema-hint.js +54 -0
- package/dist/cli/pack/understanding-report-schema-hint.js.map +1 -0
- package/dist/cli/session-start/branch-check.d.ts +44 -0
- package/dist/cli/session-start/branch-check.js +165 -0
- package/dist/cli/session-start/branch-check.js.map +1 -0
- package/dist/cli/uninstall/index.d.ts +68 -0
- package/dist/cli/uninstall/index.js +586 -0
- package/dist/cli/uninstall/index.js.map +1 -0
- package/dist/cli/uninstall/snapshot.d.ts +40 -0
- package/dist/cli/uninstall/snapshot.js +34 -0
- package/dist/cli/uninstall/snapshot.js.map +1 -0
- package/dist/cli/validate/checks.d.ts +1 -1
- package/dist/cli/validate/checks.js +1 -7
- package/dist/cli/validate/checks.js.map +1 -1
- package/dist/io/harness-lock.js +1 -9
- package/dist/io/harness-lock.js.map +1 -1
- package/dist/policies/ledger-client.js +3 -9
- package/dist/policies/ledger-client.js.map +1 -1
- package/dist/policies/producers.d.ts +12 -0
- package/dist/policies/producers.js +61 -0
- package/dist/policies/producers.js.map +1 -0
- package/dist/policy-packs/builtin/branch-protection-runtime.d.ts +47 -0
- package/dist/policy-packs/builtin/branch-protection-runtime.js +92 -0
- package/dist/policy-packs/builtin/branch-protection-runtime.js.map +1 -0
- package/dist/policy-packs/builtin/branch-protection.d.ts +9 -0
- package/dist/policy-packs/builtin/branch-protection.js +146 -0
- package/dist/policy-packs/builtin/branch-protection.js.map +1 -0
- package/dist/policy-packs/registry.d.ts +1 -1
- package/dist/policy-packs/registry.js +10 -3
- package/dist/policy-packs/registry.js.map +1 -1
- package/dist/runtime/expand-home.d.ts +14 -0
- package/dist/runtime/expand-home.js +54 -0
- package/dist/runtime/expand-home.js.map +1 -0
- package/dist/runtime/intercept.js +13 -2
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/ledger-add.js +10 -3
- package/dist/runtime/ledger-add.js.map +1 -1
- package/dist/runtime/ledger-record.js +11 -10
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/schema/index.d.ts +281 -101
- package/dist/schema/permission-profiles.d.ts +125 -125
- package/dist/schema/policies.d.ts +261 -0
- package/dist/schema/policies.js +50 -0
- package/dist/schema/policies.js.map +1 -1
- package/package.json +2 -1
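--- a/package/dist/policy-packs/builtin/branch-protection.js
+++ b/package/dist/policy-packs/builtin/branch-protection.js
@@ -0,0 +1,146 @@
+// Builtin Policy Pack: `branch-protection`.
+//
+// Blocks Write/Edit (and the codex `apply_patch` equivalent) when the
+// agent is on a protected branch (default: master, main, develop). The
+// gate fires at the FIRST source mutation, complementing the existing
+// `preflight-before-push` gate which fires at the LAST reversible step.
+//
+// Mechanics, mirroring `understanding-before-execution`:
+//
+// 1. SessionStart producer (`harness session-start branch-check`) reads
+// `.git/HEAD` for the cwd and, if the branch is NOT protected,
+// writes a `branch:non-protected:<branch>` fact to the evidence
+// ledger for the current session.
+//
+// 2. PreToolUse blocker (`harness pack hook branch-protection`)
+// consults the ledger on every Write/Edit (or `apply_patch`) and
+// emits a Claude Code deny envelope unless either:
+// - a fresh (<5m) `branch:non-protected` tag exists, OR
+// - a `branch-protection-ack:` override tag exists (any age,
+// written by the operator via `mcp__agent-grounding__ledger_add`
+// since Bash is gated by this same pack).
+//
+// The producer is also runnable on-demand from the operator's `!` shell
+// — same CLI verb, no SessionStart event piped on stdin — so an agent
+// that just branched can refresh the gate without restarting the
+// session.
+//
+// Pack is OFF by default: it must be enabled per-installation via
+// `harness pack add branch-protection`. The `full` init template does
+// NOT wire it (revisit after one cycle of operator feedback).
+import { DEFAULT_RUNTIME } from "../runtime.js";
+import { ACK_TAG_PREFIX, DEFAULT_PROTECTED_BRANCHES, NON_PROTECTED_TAG_PREFIX, PACK_NAME, PRODUCER_FRESHNESS_MS, resolveProtectedBranches, } from "./branch-protection-runtime.js";
+export { PACK_NAME };
+const HOOK_NAME_PREFIX = `policy-pack:${PACK_NAME}`;
+const PRE_TOOL_USE_MATCH_CLAUDE = "Write|Edit";
+const PRE_TOOL_USE_MATCH_CODEX = "apply_patch";
+const PRODUCER_COMMAND = "harness session-start branch-check";
+const BLOCKER_COMMAND = "harness pack hook branch-protection";
+function buildHooks(runtime) {
+const isCodex = runtime === "codex";
+const blockerMatch = isCodex ? PRE_TOOL_USE_MATCH_CODEX : PRE_TOOL_USE_MATCH_CLAUDE;
+return [
+{
+name: `${HOOK_NAME_PREFIX}:session-start`,
+event: "SessionStart",
+command: PRODUCER_COMMAND,
+blocking: false,
+budget_ms: 5000,
+description: "Producer: write `branch:non-protected:<branch>` to the evidence ledger when the session opens on a non-protected branch. Non-blocking; failures leave the gate closed.",
+},
+{
+name: `${HOOK_NAME_PREFIX}:pre-tool-use`,
+event: "PreToolUse",
+match: blockerMatch,
+command: BLOCKER_COMMAND,
+blocking: "hard",
+budget_ms: 5000,
+description: `Blocker: deny ${blockerMatch} on protected branches unless a fresh branch:non-protected tag or a branch-protection-ack override exists in the ledger.`,
+},
+];
+}
+function buildInstructions(pack, branches, runtime) {
+const description = pack.description?.trim() ?? "";
+const isCodex = runtime === "codex";
+const blockerMatch = isCodex ? PRE_TOOL_USE_MATCH_CODEX : PRE_TOOL_USE_MATCH_CLAUDE;
+const settingsArtefact = isCodex
+? "`harness.generated/codex/config.toml`"
+: "harness-managed `settings.json`";
+const minutes = Math.round(PRODUCER_FRESHNESS_MS / 60000);
+return `# Policy Pack: ${PACK_NAME}
+
+> Operator audit copy. This pack blocks source-mutating tool calls when
+> the agent is on a protected branch, closing the loop on the
+> "edit-on-master" incident pattern.
+
+## Runtime
+
+${runtime}
+
+## Protected branches
+
+${branches.map((b) => `- \`${b}\``).join("\n")}
+
+Set \`config.protected_branches\` in your manifest to override.
+
+## Effect
+
+While this pack is enabled, hooks are wired into the ${settingsArtefact}:
+
+1. \`SessionStart\` producer (\`${PRODUCER_COMMAND}\`, blocking: false):
+reads the cwd's \`.git/HEAD\`. If the branch is NOT in the protected
+list, writes \`${NON_PROTECTED_TAG_PREFIX}:<branch>\` to the evidence
+ledger for the current session.
+
+2. \`PreToolUse\` blocker (\`${BLOCKER_COMMAND}\`, blocking: hard) on
+\`${blockerMatch}\`: refuses the tool call unless EITHER
+- a \`${NON_PROTECTED_TAG_PREFIX}\` tag exists in the ledger from
+within the last ${minutes} minutes, OR
+- a \`${ACK_TAG_PREFIX}:<reason>\` override tag exists (any age).
+
+## Escape hatches
+
+- **Refresh after branching**: the producer is runnable on demand from
+the operator's \`!\` shell as \`${PRODUCER_COMMAND}\`. The agent's Bash
+is gated by the Understanding Gate but the producer command is itself
+a \`harness ...\` invocation that the gate's allowlist accepts.
+
+- **Explicit override** (any age, lasts the session): write the ack tag
+via \`mcp__agent-grounding__ledger_add\` with
+\`content: "${ACK_TAG_PREFIX}:<reason>"\`. Use this when you have a
+deliberate reason to edit a protected branch — version bumps, CI
+workflow patches, etc. The override survives session restarts only as
+long as the ledger row does.
+
+## Out of scope (v1)
+
+- Locking down \`git\` itself (would create false-positive churn on
+read-only commands like \`git status\`).
+- Auto-branching on Write attempt (silent autocorrect is wrong; the
+agent should be the one who notices and branches).
+- Path-allowlist for safe-on-master files (CHANGELOG.md, version
+bumps). Open for v2 if operators report friction.
+
+## Pack metadata
+${description ? `\n> ${description.replace(/\n/g, "\n> ")}\n` : ""}
+- Source: \`builtin\`
+- Pack: \`${PACK_NAME}\`
+- Runtime: \`${runtime}\`
+- Defaults: ${DEFAULT_PROTECTED_BRANCHES.join(", ")}
+`;
+}
+export function resolve(pack, runtime = DEFAULT_RUNTIME) {
+const { branches, warning } = resolveProtectedBranches(pack);
+const hooks = buildHooks(runtime);
+const files = [
+{
+relativePath: `policy-packs/${PACK_NAME}/instructions.md`,
+content: buildInstructions(pack, branches, runtime),
+},
+];
+const warnings = [];
+if (warning)
+warnings.push(warning);
+return { contribution: { hooks, files }, warnings };
+}
+//# sourceMappingURL=branch-protection.js.map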
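Review bot: The freshness condition the pack documents (new-file lines 18 and 96–98, and the blocker description at line 58) is "any `branch:non-protected` tag younger than ${minutes} minutes", not "a tag for the branch `.git/HEAD` currently points at", so a checkout to a protected branch inside that window after the producer ran is outside what this gate describes, and `git` itself is declared out of scope at line 117. The generated instructions should say so; add a bullet under `## Out of scope (v1)`: `- Branch switches after the producer ran: the \`${NON_PROTECTED_TAG_PREFIX}\` tag is trusted for ${minutes} minutes regardless of the current \`.git/HEAD\`; re-run \`${PRODUCER_COMMAND}\` after a checkout.` Whether the blocker additionally compares the tag's `<branch>` suffix against HEAD is decided in `hook-branch-protection.js`, which is not in this hunk. Separately, the header comment at line 18 hard-codes `<5m` while `buildInstructions` derives the window from `PRODUCER_FRESHNESS_MS`; say `fresh (within PRODUCER_FRESHNESS_MS)` there so the two cannot drift.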
@@ -0,0 +1 @@
1
+
{"version":3,"file":"branch-protection.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,oEAAoE;AACpE,qEAAqE;AACrE,uCAAuC;AACvC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,wDAAwD;AACxD,+DAA+D;AAC/D,oEAAoE;AACpE,0EAA0E;AAC1E,mDAAmD;AACnD,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,iEAAiE;AACjE,WAAW;AACX,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAG9D,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,wBAAwB,EACxB,SAAS,EACT,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,SAAS,EAAE,CAAC;AAErB,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,wBAAwB,GAAG,aAAa,CAAC;AAE/C,MAAM,gBAAgB,GAAG,oCAAoC,CAAC;AAC9D,MAAM,eAAe,GAAG,qCAAqC,CAAC;AAE9D,SAAS,UAAU,CAAC,OAAgB;IAClC,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;YACzC,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,wKAAwK;SAC3K;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,YAAY;YACnB,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,iBAAiB,YAAY,0HAA0H;SACrK;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAgB,EAAE,QAA2B,EAAE,OAAgB;IACxF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,GAAG,KAAK,CAAC,CAAC;IAC1D,OAAO,kBAAkB,SAAS;;;;;;;;EAQlC,OAAO;;;;EAIP,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;;uDAMS,gBAAgB;;kCAErC,gBAAgB;;oBAE9B,wBAAwB;;;+BAGb,eAAe;OACvC,YAAY;WACR,wBAAwB;uBACZ,OAAO;WACnB
,cAAc;;;;;oCAKW,gBAAgB;;;;;;gBAMpC,cAAc;;;;;;;;;;;;;;;EAe5B,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;eACN,OAAO;cACR,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC;CAClD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe;IAElC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,iBAAiB,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC;SACpD;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC"}
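--- a/package/dist/policy-packs/registry.d.ts
+++ b/package/dist/policy-packs/registry.d.ts
@@ -2,7 +2,7 @@ import type { PolicyPack } from "../schema/index.js";
 import { type ResolvePackOptions } from "./builtin/understanding-before-execution.js";
 import { type Runtime } from "./runtime.js";
 import type { PackContribution } from "./types.js";
-export declare const KNOWN_BUILTIN_PACKS: readonly ["understanding-before-execution"];
+export declare const KNOWN_BUILTIN_PACKS: readonly ["understanding-before-execution", "branch-protection"];
 export type BuiltinPackName = (typeof KNOWN_BUILTIN_PACKS)[number];
 export declare function isBuiltinPackName(name: string): name is BuiltinPackName;
 export interface ResolveBuiltinResult {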
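--- a/package/dist/policy-packs/registry.js
+++ b/package/dist/policy-packs/registry.js
@@ -1,11 +1,16 @@
 // Registry of builtin policy-pack names.
 //
-// Phase 6 #2
-//
+// Phase 6 #2 shipped `understanding-before-execution`; subsequent
+// builtins are added by appending to `KNOWN_BUILTIN_PACKS` and a case
+// arm in `resolveBuiltin()`. Non-builtin sources (path/npm/git) are
 // out of scope for v1; their resolution lands in a later sub-task.
+import { PACK_NAME as BRANCH_PROTECTION, resolve as resolveBranchProtection, } from "./builtin/branch-protection.js";
 import { PACK_NAME as UNDERSTANDING_BEFORE_EXECUTION, resolve as resolveUnderstandingBeforeExecution, } from "./builtin/understanding-before-execution.js";
 import { DEFAULT_RUNTIME } from "./runtime.js";
-export const KNOWN_BUILTIN_PACKS = [
+export const KNOWN_BUILTIN_PACKS = [
+UNDERSTANDING_BEFORE_EXECUTION,
+BRANCH_PROTECTION,
+];
 export function isBuiltinPackName(name) {
 return KNOWN_BUILTIN_PACKS.includes(name);
 }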
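--- a/package/dist/policy-packs/registry.js
+++ b/package/dist/policy-packs/registry.js
@@ -15,6 +20,8 @@ export function resolveBuiltin(pack, runtime = DEFAULT_RUNTIME, opts = {}) {
 switch (pack.name) {
 case UNDERSTANDING_BEFORE_EXECUTION:
 return resolveUnderstandingBeforeExecution(pack, runtime, opts);
+case BRANCH_PROTECTION:
+return resolveBranchProtection(pack, runtime);
 }
 }
 //# sourceMappingURL=registry.js.map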
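Review bot: The new `case BRANCH_PROTECTION:` arm leaves the `switch` without a `default`, so a name appended to `KNOWN_BUILTIN_PACKS` without a matching arm — the two-step registration the header comment in the first hunk now prescribes — makes `resolveBuiltin` fall out of the switch and return `undefined` silently instead of a contribution. Add `default: throw new Error(\`no resolver registered for builtin pack ${pack.name}\`);` after the new arm so a half-registered pack fails at resolve time rather than at the first caller that dereferences the result; if callers rely on a `null` sentinel for unresolved packs, `default: return null;` is the conservative alternative. `resolveBuiltin` starts before this hunk, so the guard that precedes the switch is not visible here.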
@@ -1 +1 @@
1
-
{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,
1
+
{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,oEAAoE;AACpE,mEAAmE;AAGnE,OAAO,EACL,SAAS,IAAI,iBAAiB,EAC9B,OAAO,IAAI,uBAAuB,GACnC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,SAAS,IAAI,8BAA8B,EAC3C,OAAO,IAAI,mCAAmC,GAE/C,MAAM,6CAA6C,CAAC;AACrD,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAG7D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,8BAA8B;IAC9B,iBAAiB;CACT,CAAC;AAGX,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAQ,mBAAyC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAOD,MAAM,UAAU,cAAc,CAC5B,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,QAAQ,IAAI,CAAC,IAAuB,EAAE,CAAC;QACrC,KAAK,8BAA8B;YACjC,OAAO,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAClE,KAAK,iBAAiB;YACpB,OAAO,uBAAuB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;AACH,CAAC"}
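--- a/package/dist/runtime/expand-home.d.ts
+++ b/package/dist/runtime/expand-home.d.ts
@@ -0,0 +1,14 @@
+/**
+* Expand `~` / `~/...` in `value` against `home`. Returns `value`
+* unchanged when no leading tilde is present. `home` defaults to
+* `os.homedir()` so callers don't need to pass it; tests inject a
+* fixed home for determinism.
+*/
+export declare function expandHome(value: string, home?: string): string;
+/**
+* Map every value in an env-style record through {@link expandHome}.
+* Returns a new object; the input is not mutated. `undefined` input
+* returns `undefined` so callers can pass through optional configs
+* without a guard.
+*/
+export declare function expandHomeInEnv(env: Record<string, string> | undefined, home?: string): Record<string, string> | undefined;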
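--- a/package/dist/runtime/expand-home.js
+++ b/package/dist/runtime/expand-home.js
@@ -0,0 +1,54 @@
+// Expand a leading `~/` (or bare `~`) to the operator's HOME directory.
+// Defense-in-depth: MCP `env:` values and `command:` array entries in
+// the manifest are passed verbatim to Node's `spawn`, which does NOT
+// shell-interpolate. A literal `~/.evidence-ledger/ledger.db` in env
+// scatters a cwd-relative `./~/...` rogue path; the
+// agent-tasks/42d224a6 incident was caused by exactly this. The
+// validate-time warning (src/cli/validate/checks.ts) catches the
+// common case at apply, but a manifest that bypasses validate (or
+// that the operator ignored the warning on) still has the footgun.
+// Expanding here turns it into a non-issue.
+//
+// Scope:
+// - Leading `~/` substring or bare `~` expands.
+// - Anywhere-else `~/` in the middle of a string stays literal
+// (e.g. an SSH-style `git@github.com:user/repo~/tag` would not
+// be touched, though such shapes don't appear in practice).
+// - `${HOME}` shell-style interpolation is NOT supported here; that
+// is a separate scope (shell-style would invite further surprises
+// like `${USER}` and unset-var ambiguity).
+// - Inherited `process.env` values are NOT expanded by callers
+// (only the manifest's `mcpEnv` overrides are). The operator's
+// shell owns its own exports; harness only owns what the manifest
+// declares.
+import * as os from "node:os";
+import * as path from "node:path";
+/**
+* Expand `~` / `~/...` in `value` against `home`. Returns `value`
+* unchanged when no leading tilde is present. `home` defaults to
+* `os.homedir()` so callers don't need to pass it; tests inject a
+* fixed home for determinism.
+*/
+export function expandHome(value, home = os.homedir()) {
+if (value === "~")
+return home;
+if (value.startsWith("~/"))
+return path.join(home, value.slice(2));
+return value;
+}
+/**
+* Map every value in an env-style record through {@link expandHome}.
+* Returns a new object; the input is not mutated. `undefined` input
+* returns `undefined` so callers can pass through optional configs
+* without a guard.
+*/
+export function expandHomeInEnv(env, home = os.homedir()) {
+if (!env)
+return env;
+const out = {};
+for (const [k, v] of Object.entries(env)) {
+out[k] = expandHome(v, home);
+}
+return out;
+}
+//# sourceMappingURL=expand-home.js.map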
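Review bot: `expandHome` calls `value.startsWith` unconditionally (new-file line 35), so any non-string token throws a `TypeError` instead of passing through; the header comment at lines 8–9 itself anticipates manifests that bypass validate, and `addLedgerFact` in ledger-add.js runs this over every `mcpCommand` token and `mcpEnv` value before it reaches the `{ ok: false, reason }` contract, so the throw would surface as a rejected promise from a function documented never to throw. Guard at the top with `if (typeof value !== "string") return value;`. In `expandHomeInEnv`, `out` is a plain `{}` written by bracket assignment, so a key literally named `__proto__` would hit the prototype setter and be dropped rather than copied; `return Object.fromEntries(Object.entries(env).map(([k, v]) => [k, expandHome(v, home)]));` keeps every own key and is shorter. The doc comment's "`undefined` input returns `undefined`" understates line 46, which also passes through `null` and `""`; say "falsy input is returned as-is".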
@@ -0,0 +1 @@
1
+
{"version":3,"file":"expand-home.js","sourceRoot":"","sources":["../../src/runtime/expand-home.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,oDAAoD;AACpD,gEAAgE;AAChE,iEAAiE;AACjE,kEAAkE;AAClE,mEAAmE;AACnE,4CAA4C;AAC5C,EAAE;AACF,SAAS;AACT,kDAAkD;AAClD,iEAAiE;AACjE,mEAAmE;AACnE,gEAAgE;AAChE,sEAAsE;AACtE,sEAAsE;AACtE,+CAA+C;AAC/C,iEAAiE;AACjE,mEAAmE;AACnE,sEAAsE;AACtE,gBAAgB;AAEhB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,KAAa,EAAE,OAAe,EAAE,CAAC,OAAO,EAAE;IACnE,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC/B,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAuC,EACvC,OAAe,EAAE,CAAC,OAAO,EAAE;IAE3B,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
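--- a/package/dist/runtime/intercept.js
+++ b/package/dist/runtime/intercept.js
@@ -6,6 +6,7 @@
 // Side effects (stdin, stdout, ledger I/O) live in the thin CLI entrypoint
 // that wraps this.
 import { evaluateExtract, evaluateRequires, parseDurationSeconds, substituteTemplate, } from "../policies/index.js";
+import { renderProducers } from "../policies/producers.js";
 import { POLICY_DECISION_TYPE } from "./ledger-record.js";
 import { resolveSessionId } from "./session-id.js";
 function policyMatchesEvent(policy, event) {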
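--- a/package/dist/runtime/intercept.js
+++ b/package/dist/runtime/intercept.js
@@ -177,11 +178,21 @@ export async function intercept(options) {
 // The hint is content + window only; it does not prescribe a
 // recording verb so the deny path stays neutral on producer (see
 // agent-tasks/88ca4bb3 for why "use mcp__..." would be the wrong
-// suggestion).
+// suggestion when the engine is the source of that suggestion).
 const hintSuffix = blocking.recordHint
 ? ` To satisfy: ${blocking.recordHint} (session \`${sessionId}\`).`
 : "";
-
+// Opt-in producer block: when the policy declares `producers:` in
+// the manifest, render the structured remediation list (bash / mcp
+// / ask recipes) with ${VAR} placeholders substituted against the
+// same extract.values the ledger_tag was resolved with. Schema
+// validation guarantees at least one `mcp` producer per declared
+// list, so an agent stuck in a Bash lockout always has an ungated
+// recovery path. Policies without `producers:` get the legacy
+// neutral deny envelope unchanged (agent-tasks/3804b785).
+const blockingPolicy = matching.find((p) => p.name === blocking.policyName);
+const producersBlock = renderProducers(blockingPolicy?.producers, blocking.extractValues);
+const reasonText = `${blocking.policyName}: ${blocking.reason}.${hintSuffix}${producersBlock}`;
 const block = {
 decision: "block",
 reason: reasonText,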
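Review bot: `matching.find((p) => p.name === blocking.policyName)` at new line 193 re-derives the blocking policy by name, so if two loaded policies share a `name` the first one's `producers` are rendered into the deny reason even when the second one produced `blocking`; carrying the policy (or its `producers`) on the `blocking` result where that result is built would remove the lookup and the ambiguity. Whether names are unique is something schema validation enforces outside this hunk, and the comment at lines 189–191 already leans on that same validation for the "at least one `mcp` producer" guarantee, so the dependency is worth stating once next to the lookup: `// relies on schema validation: policy names unique, >=1 mcp producer per declared list`. The "Schema validation guarantees" sentence is also the only thing standing between a validate-bypassing manifest and a deny envelope with no ungated recovery path, which is a stronger claim than the comment makes; hedge it or have `renderProducers` assert it. `intercept` begins before and continues after this hunk.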
@@ -1 +1 @@
1
-
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;
1
+
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAmFnD,SAAS,kBAAkB,CAAC,MAAc,EAAE,KAAgB;IAC1D,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,eAAe;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACtD,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACpE,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,UAA+C,CAAC;QACnE,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5D,IAAI,EAAU,CAAC;QACf,IAAI,CAAC;YACH,EAAE,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAgB;IACzC,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,UAAU;QAC1B,KAAK;QACL,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE,EAAE;QACvC,GAAG,EAAE,EAAE;KACR,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,MAAc,EACd,OAAyB;IAEzB,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,eAAe,CAC7B,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,EAC5B,GAAG,EACH,OAAO,CAAC,QAAQ,CACjB,CAAC;IACF,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;SACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,MAAM,GAAG,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC;IAC7B,MAAM,UAA
U,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,kCAAkC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjE,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,WAA8B,CAAC;IACnC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,SAAS,EACT,SAAS,EACT,OAAO,CAAC,eAAe,CACxB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,WAAW,GAAG;YACZ,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,uBAAwB,GAAa,CAAC,OAAO,EAAE;SACxD,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACpC,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,mBAAmB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBACnD,aAAa,EAAE,OAAO,CAAC,MAAM;gBAC7B,SAAS;gBACT,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAA4B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAClF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACpE,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,UAAU,GAAG,gBAAgB,CAC3B,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,EAC7C,QAAQ,EACR,QAAQ,CACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,wBAAyB,GAAa,CAAC,OAAO,EAAE;YACxD,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAkB,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;IACrE,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAA
I;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO;QACP,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,aAAa,EAAE,OAAO,CAAC,MAAM;QAC7B,SAAS;QACT,YAAY,EAAE;YACZ,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B;QACD,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAsB,EAAE,GAAW;IAC7D,0EAA0E;IAC1E,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,EAAE;IACF,gEAAgE;IAChE,mEAAmE;IACnE,iEAAiE;IACjE,4DAA4D;IAC5D,6DAA6D;IAC7D,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,oBAAoB;QAC/B,+DAA+D;QAC/D,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,oDAAoD;QACpD,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,oBAAoB,GAAG,CAAC;QACjD,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAClF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAyB;IAEzB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACtD,kBAAkB,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CACrC,CAAC;IACF,MAAM,SAAS,GAAqB,EAAE,CAAC;IACvC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC1D,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC;QACpF,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,OAAO,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM,CACzD,CAAC;IACF,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7D,mEAAmE;QACnE,qEAAqE;QACrE,kEAAkE;QAClE,6DAA6D;QAC7D,iEAAiE;QACjE,iEAAiE;QACjE,gEAAgE;QAChE,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU;YACpC,CAAC,CAAC,gBAAgB,QAAQ,CAAC,UAAU,eAAe,SAAS,MAAM;YACnE,CAAC,CAAC,EAAE,CAAC;QACP,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,+DAA+D;QAC/D,iEAAiE;QACjE,kEAAkE;QAClE,8DAA8D;QAC9D,0DAA0D;QAC1D,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,eA
Ae,CACpC,cAAc,EAAE,SAAS,EACzB,QAAQ,CAAC,aAAa,CACvB,CAAC;QACF,MAAM,UAAU,GAAG,GAAG,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,MAAM,IAAI,UAAU,GAAG,cAAc,EAAE,CAAC;QAC/F,MAAM,KAAK,GAAmB;YAC5B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,UAAU;SACnB,CAAC;QACF,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,eAAe,KAAK,YAAY,EAAE,CAAC;YACnD,KAAK,CAAC,kBAAkB,GAAG;gBACzB,aAAa,EAAE,YAAY;gBAC3B,kBAAkB,EAAE,MAAM;gBAC1B,+DAA+D;gBAC/D,8DAA8D;gBAC9D,wBAAwB,EAAE,UAAU;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC"}
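--- a/package/dist/runtime/ledger-add.js
+++ b/package/dist/runtime/ledger-add.js
@@ -8,14 +8,21 @@
 // All failure paths resolve to `{ ok: false, reason }` so callers can
 // degrade gracefully rather than throw mid-CLI.
 import { spawn } from "node:child_process";
+import { expandHome, expandHomeInEnv } from "./expand-home.js";
 import { VERSION } from "../version.js";
 const DEFAULT_TIMEOUT_MS = 5_000;
 export async function addLedgerFact(opts) {
 if (opts.mcpCommand.length === 0) {
 return { ok: false, reason: "grounding-mcp command is empty" };
 }
-
-
+// Defense-in-depth (agent-tasks/973596d7): expand leading `~/` in
+// command tokens AND env values. Node's `spawn` does not
+// shell-interpolate; a literal `~/...` would otherwise become a
+// cwd-relative rogue path. ledger-record.ts does the same; the
+// shared helper lives in ./expand-home.ts.
+const exe = expandHome(opts.mcpCommand[0]);
+const args = opts.mcpCommand.slice(1).map((p) => expandHome(p));
+const expandedEnv = expandHomeInEnv(opts.mcpEnv);
 const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
 return new Promise((resolve) => {
 let settled = false;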
@@ -35,7 +42,7 @@ export async function addLedgerFact(opts) {
|
|
|
35
42
|
try {
|
|
36
43
|
child = spawn(exe, args, {
|
|
37
44
|
cwd: opts.cwd,
|
|
38
|
-
env: { ...process.env, ...(
|
|
45
|
+
env: { ...process.env, ...(expandedEnv ?? {}) },
|
|
39
46
|
stdio: ["pipe", "pipe", "pipe"],
|
|
40
47
|
});
|
|
41
48
|
}
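Review bot: `cwd: opts.cwd,` on the spawn call is still passed through unexpanded, while the command tokens and env values in this hunk now go through expandHome; a `~/…` cwd would hit the same cwd-relative-path problem the new comment describes, and the same gap is in the recordPolicyDecision hunk of ledger-record.js. If opts.cwd can carry a literal tilde, consider `cwd: opts.cwd === undefined ? undefined : expandHome(opts.cwd),` at the call site (its type is not visible here, so confirm that first). The new comment mentions only leading `~/`, so it may also be worth stating in it whether a bare `~` token is expanded. addLedgerFact's body continues outside the hunk.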
@@ -1 +1 @@
1
|
-
{"version":3,"file":"ledger-add.js","sourceRoot":"","sources":["../../src/runtime/ledger-add.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,EAAE;AACF,kEAAkE;AAClE,mEAAmE;AACnE,kEAAkE;AAClE,kEAAkE;AAClE,EAAE;AACF,sEAAsE;AACtE,gDAAgD;AAEhD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAExC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAcjC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAA0B;IAE1B,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAE,CAAC;
1
+
{"version":3,"file":"ledger-add.js","sourceRoot":"","sources":["../../src/runtime/ledger-add.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,EAAE;AACF,kEAAkE;AAClE,mEAAmE;AACnE,kEAAkE;AAClE,kEAAkE;AAClE,EAAE;AACF,sEAAsE;AACtE,gDAAgD;AAEhD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAExC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAcjC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAA0B;IAE1B,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,kEAAkE;IAClE,yDAAyD;IACzD,gEAAgE;IAChE,+DAA+D;IAC/D,2CAA2C;IAC3C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAE,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAEvD,OAAO,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,EAAE;QAClD,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,MAA2B,EAAQ,EAAE;YACnD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC;QAEF,IAAI,KAA+B,CAAC;QACpC,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,KAAK,CAAC,MAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,CAAC,MAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,SAAS,IAAI,KAAK,CAAC;YACnB,IAAI,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,O
AAO,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAG1B,CAAC;wBACF,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACjB,yDAAyD;4BACzD,IAAI,CAAC;gCACH,KAAK,CAAC,KAAM,CAAC,KAAK,CAChB,GAAG,IAAI,CAAC,SAAS,CAAC;oCAChB,OAAO,EAAE,KAAK;oCACd,MAAM,EAAE,2BAA2B;iCACpC,CAAC,IAAI,CACP,CAAC;gCACF,KAAK,CAAC,KAAM,CAAC,KAAK,CAChB,GAAG,IAAI,CAAC,SAAS,CAAC;oCAChB,OAAO,EAAE,KAAK;oCACd,EAAE,EAAE,CAAC;oCACL,MAAM,EAAE,YAAY;oCACpB,MAAM,EAAE;wCACN,IAAI,EAAE,YAAY;wCAClB,SAAS,EAAE;4CACT,SAAS,EAAE,IAAI,CAAC,SAAS;4CACzB,IAAI,EAAE,MAAM;4CACZ,OAAO,EAAE,IAAI,CAAC,OAAO;4CACrB,MAAM,EAAE,IAAI,CAAC,MAAM;yCACpB;qCACF;iCACF,CAAC,IAAI,CACP,CAAC;4BACJ,CAAC;4BAAC,OAAO,GAAG,EAAE,CAAC;gCACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAsB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;4BAC/E,CAAC;wBACH,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;gBACD,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,SAAS,IAAI,KAAK,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC;YACzE,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAM,CAAC,EAAE,CAAC,OAAO,
EAAE,GAAG,EAAE;YAC5B,oCAAoC;QACtC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,KAAK,CAAC,KAAM,CAAC,KAAK,CAChB,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,OAAO,EAAE;iBAC7D;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAuB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,SAAS,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}
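--- a/package/dist/runtime/ledger-record.js
+++ b/package/dist/runtime/ledger-record.js
@@ -7,6 +7,7 @@
 // `harness explain --trace` (Phase 4 #6/#7) grep for.
 import { spawn } from "node:child_process";
 import { parseLedgerTimestamp } from "../policies/timestamp.js";
+import { expandHome, expandHomeInEnv } from "./expand-home.js";
 import { VERSION } from "../version.js";
 const DEFAULT_TIMEOUT_MS = 5_000;
 const SOURCE = "harness-policy-intercept";
@@ -19,13 +20,6 @@ const SOURCE = "harness-policy-intercept";
 */
 export const POLICY_DECISION_TYPE = "policy_decision";
 const PREFIX = POLICY_DECISION_TYPE;
-function expandHomePath(p) {
-if (p === "~")
-return process.env.HOME ?? "";
-if (p.startsWith("~/"))
-return `${process.env.HOME ?? ""}/${p.slice(2)}`;
-return p;
-}
 export function payloadFromDecision(decision) {
 return {
 name: decision.policyName,
@@ -82,17 +76,24 @@ export async function recordPolicyDecision(decision, sessionId, opts) {
 if (!list || list.length === 0) {
 return { ok: false, reason: "grounding-mcp command is empty" };
 }
-const exe =
-const args = list.slice(1).map(
+const exe = expandHome(list[0]);
+const args = list.slice(1).map((p) => expandHome(p));
 const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
 const payload = payloadFromDecision(decision);
 const content = encodeLedgerContent(payload);
+// Defense-in-depth (agent-tasks/973596d7): expand leading `~/` in
+// every env value before merging into the spawned process env. The
+// validate-time warning still fires for operators with the literal
+// tilde in their manifest, but a manifest that bypassed validate
+// (or the warning was ignored on) cannot now scatter a rogue
+// cwd-relative `./~/…` path. See expandHome doc for scope.
+const expandedEnv = expandHomeInEnv(opts.mcpEnv);
 return new Promise((resolve) => {
 let child;
 try {
 child = spawn(exe, args, {
 cwd: opts.cwd,
-env: { ...process.env, ...(
+env: { ...process.env, ...(expandedEnv ?? {}) },
 stdio: ["pipe", "pipe", "pipe"],
 });
 }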
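Review bot: The removed `expandHomePath` fell back to `process.env.HOME ?? ""`, which turned `~/x` into the root-level path `/x` whenever HOME was unset; whether the replacement `expandHome` from ./expand-home.js keeps that fallback is not visible in this diff and is worth confirming, because resolving a missing home to `/` is a worse outcome than leaving the token untouched (`os.homedir()` is the usual source when HOME is absent). The removed helper also expanded a bare `~` token, while the new comments describe only a leading `~/`; if the shared helper dropped that case, a `list[0]` of exactly `~` now reaches spawn unexpanded. recordPolicyDecision's body continues outside the hunk.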
@@ -1 +1 @@
1
|
-
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;
1
+
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;AAapC,MAAM,UAAU,mBAAmB,CACjC,QAAwB;IAExB,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,UAAU;QACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,GAAG,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC;QACrE,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAA8B;IAChE,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;AACnF,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAkB,EAClB,OAA8B;IAE9B,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACnD,IAAI,KAAK,CAAC,SAAS,YAAY,IAAI;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;IACtE,OAAO,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAA0B,CAAC;QAC1E,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAwB,EACxB,SAAiB,EACjB,IAAyB;IAEzB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,EAAE,EAAE,KA
AK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC7C,kEAAkE;IAClE,mEAAmE;IACnE,mEAAmE;IACnE,iEAAiE;IACjE,6DAA6D;IAC7D,2DAA2D;IAC3D,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,CAAmC,EAAQ,EAAE;YAC3D,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC,CAAC;QAEF,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB;;;;;WAKG;QACH,MAAM,cAAc,GAAG,GAAS,EAAE;YAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,oBAAoB;wBAC1B,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,GAAS,EAAE;YACjC,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO;wBACP,MAAM,EAAE
,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,SAAS,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpC,IAAI,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAG1B,CAAC;wBACF,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;4BAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gCAChB,OAAO,EAAE,KAAK;gCACd,MAAM,EAAE,2BAA2B;6BACpC,CAAC,IAAI,CACP,CAAC;4BACF,cAAc,EAAE,CAAC;4BACjB,UAAU,GAAG,IAAI,CAAC;wBACpB,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,0CAA0C;gCAC1C,mDAAmD;gCACnD,oCAAoC;gCACpC,IAAI,CAAC,YAAY,EAAE,CAAC;oCAClB,eAAe,EAAE,CAAC;oCAClB,OAAO;gCACT,CAAC;gCACD,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;gBACD,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACpC,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,MAAM,IAAI,GAAG,SAA
S,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC;YACzE,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAC3B,kCAAkC;QACpC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,OAAO,EAAE;iBACnE;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAuB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,SAAS,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}