@lannguyensi/harness 0.25.2 → 0.26.0

package/dist/runtime/action-envelope.d.ts

@@ -0,0 +1,64 @@
+import type { GitRepoContext } from "./git-context.js";
+import type { ToolEvent } from "./intercept.js";
+export interface ActionEnvelopeSession {
+    /** Grounding / Claude Code session id, or "" when absent. */
+    id: string;
+    /** Work-tree basename for the event's cwd, or "" when not in a repo. */
+    repo: string;
+    /** Current branch, or "" when not in a repo or HEAD is detached. */
+    branch: string;
+    /**
+     * agent-tasks task id. Not present in the Claude Code PreToolUse
+     * payload, so "" in practice; a harness-driven or synthetic event may
+     * carry one. The MVP does no agent-tasks lookup.
+     */
+    task_id: string;
+}
+export interface ActionEnvelopeRuntime {
+    /** Working directory the action runs in. */
+    cwd: string;
+    /** OS user, or "" when unavailable. */
+    user: string;
+    /** Host name, or "" when unavailable. */
+    host: string;
+}
+export interface ActionEnvelope {
+    /** Hook event name, e.g. "PreToolUse". "" when absent. */
+    event: string;
+    /** Tool name, e.g. "Bash". "" when absent. */
+    tool: string;
+    /** The tool's raw input, verbatim. `null` when the event carries none. */
+    raw_input: unknown;
+    session: ActionEnvelopeSession;
+    runtime: ActionEnvelopeRuntime;
+    /** ISO-8601 UTC timestamp the envelope was built. */
+    timestamp: string;
+}
+/**
+ * Ambient facts the builder cannot derive from the event alone. The CLI
+ * wrapper resolves these (filesystem + process reads) and hands them in,
+ * keeping `buildActionEnvelope` itself pure and I/O-free — the same
+ * resolved-by-the-wrapper pattern `intercept()` uses for the git sha and
+ * the policy builtins.
+ */
+export interface EnvelopeContext {
+    /** Final working directory: the event's cwd, or the wrapper's fallback. */
+    cwd: string;
+    /** Git context resolved against `cwd`. Empty strings when cwd is not in a repo. */
+    git: GitRepoContext;
+    /** OS user (`os.userInfo().username`), or "" when unavailable. */
+    user: string;
+    /** Host name (`os.hostname()`), or "" when unavailable. */
+    host: string;
+    /** Timestamp to stamp on the envelope. */
+    now: Date;
+}
+/**
+ * Normalize a runtime tool event into an Action Envelope.
+ *
+ * Pure: every non-deterministic input (cwd, git, user, host, now)
+ * arrives via `context`. A sparse or malformed event never throws —
+ * absent fields become "" (or `null` for `raw_input`), so a hand-probed
+ * `{}` event still yields a well-formed envelope.
+ */
+export declare function buildActionEnvelope(event: ToolEvent, context: EnvelopeContext): ActionEnvelope;

package/dist/runtime/action-envelope.js

@@ -0,0 +1,46 @@
+// Phase 7 #2 — Action Envelope.
+//
+// The normalized, stable representation of a tool call that the Risk
+// Gate pipeline reasons about. The raw runtime event (`ToolEvent`, the
+// Claude Code PreToolUse hook payload) is runtime-specific and loosely
+// shaped; every downstream Risk Gate stage — the Risk Classifier (#3),
+// Context Resolver (#4), Policy Evaluator (#5) — consumes THIS shape
+// instead, so none of them re-parse a runtime-specific payload.
+//
+// STATUS: built by `harness explain-action` (Phase 7 #2). NOT yet
+// consumed by `harness policy intercept` — routing the runtime through
+// the envelope is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// ("Action Envelope" section).
+function asString(v) {
+    return typeof v === "string" ? v : "";
+}
+/**
+ * Normalize a runtime tool event into an Action Envelope.
+ *
+ * Pure: every non-deterministic input (cwd, git, user, host, now)
+ * arrives via `context`. A sparse or malformed event never throws —
+ * absent fields become "" (or `null` for `raw_input`), so a hand-probed
+ * `{}` event still yields a well-formed envelope.
+ */
+export function buildActionEnvelope(event, context) {
+    return {
+        event: asString(event.hook_event_name),
+        tool: asString(event.tool_name),
+        raw_input: event.tool_input ?? null,
+        session: {
+            id: asString(event.session_id),
+            repo: context.git.repo,
+            branch: context.git.branch,
+            task_id: asString(event.task_id),
+        },
+        runtime: {
+            cwd: context.cwd,
+            user: context.user,
+            host: context.host,
+        },
+        timestamp: context.now.toISOString(),
+    };
+}
+//# sourceMappingURL=action-envelope.js.map

package/dist/runtime/action-envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-envelope.js","sourceRoot":"","sources":["../../src/runtime/action-envelope.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,qEAAqE;AACrE,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,qEAAqE;AACrE,gEAAgE;AAChE,EAAE;AACF,kEAAkE;AAClE,uEAAuE;AACvE,yEAAyE;AACzE,EAAE;AACF,yEAAyE;AACzE,+BAA+B;AA8D/B,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAgB,EAChB,OAAwB;IAExB,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC;QACtC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC;QAC/B,SAAS,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;QACnC,OAAO,EAAE;YACP,EAAE,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC;YAC9B,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI;YACtB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,MAAM;YAC1B,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC;SACjC;QACD,OAAO,EAAE;YACP,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB;QACD,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC"}

package/dist/runtime/environment-resolver.d.ts

@@ -0,0 +1,36 @@
+import type { EnvironmentResolver, MatchableEnvironment } from "../schema/index.js";
+import type { ActionEnvelope } from "./action-envelope.js";
+export type EnvironmentConfidence = "high" | "medium" | "low";
+export interface EnvironmentResolution {
+    /** Resolved environment, or `unknown` when no resolver matched. */
+    name: MatchableEnvironment;
+    /**
+     * `high` when two or more signals (unioned across every resolver
+     * asserting the winning environment) back the result, `medium` for a
+     * single signal, `low` for `unknown` (no signal matched at all).
+     */
+    confidence: EnvironmentConfidence;
+    /** Matched signal descriptors that back the result, for explainability. */
+    signals: string[];
+    /** Name of the resolver whose environment won, or `null` when unresolved. */
+    resolver: string | null;
+}
+/** Ambient inputs the resolver matches signals against. */
+export interface SignalInputs {
+    /** Environment variables, for `env_var_patterns`. */
+    env: Record<string, string | undefined>;
+    /** Current kube context name, for `kube_context_patterns`. "" when unknown. */
+    kubeContext: string;
+    /** Current kube namespace, for `kube_namespace_patterns`. "" when unknown. */
+    kubeNamespace: string;
+}
+/**
+ * Resolve the target environment of an Action Envelope.
+ *
+ * Pure: envelope + resolvers + ambient inputs in, resolution out, no
+ * I/O. When resolvers disagree, the most-dangerous environment wins
+ * (`ENV_PRECEDENCE`). Signals from every fired resolver that asserts the
+ * winning environment are unioned for explainability. When nothing
+ * matches, the result is `unknown` — deliberately not a safe default.
+ */
+export declare function resolveEnvironment(envelope: ActionEnvelope, resolvers: readonly EnvironmentResolver[], inputs: SignalInputs): EnvironmentResolution;

package/dist/runtime/environment-resolver.js

@@ -0,0 +1,138 @@
+// Phase 7 #4 — Context Resolver.
+//
+// Classifies an Action Envelope's target environment by matching the
+// manifest's `environments.resolvers[]` signals. The Risk Gate stage
+// that reads the `environments:` schema vocabulary shipped in
+// Phase 7 #1.
+//
+// STATUS: invoked by `harness resolve-env` (Phase 7 #4). NOT yet
+// consumed by `harness policy intercept` — wiring the runtime through
+// the resolver is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// "Unknown is not safe": when no resolver matches, the environment is
+// `unknown` — not a safe default. The Phase 7 #5 policy evaluator must
+// treat `unknown` as risk-bearing. `MatchableEnvironmentSchema` already
+// admits `unknown` so a `policy.when.environment.name` clause can gate
+// on it.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// (design phase C).
+// Most-dangerous-wins precedence: when resolvers disagree, the earlier
+// entry here is the resolved environment. `unknown` is the implicit
+// fallback and is not a resolver-assertable value.
+const ENV_PRECEDENCE = [
+    "production",
+    "staging",
+    "dev",
+    "local",
+];
+/**
+ * Convert a `*`-glob to an anchored RegExp. Only `*` is special (the
+ * Phase 7 #1 signal patterns are simple, e.g. `main`, `release/*`); all
+ * other regex metacharacters are escaped literally.
+ */
+function globToRegExp(glob) {
+    const escaped = glob
+        .replace(/[.+^${}()|[\]\\?]/g, "\\$&")
+        .replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`);
+}
+/**
+ * Match one resolver's signals against the envelope + ambient inputs.
+ * Signals are OR-ed: a resolver fires when ANY signal matches. Returns
+ * the matched signal descriptors (empty when the resolver did not fire).
+ *
+ * Per-signal-kind semantics: `branch_patterns` and
+ * `kube_namespace_patterns` are globs, `kube_context_patterns` are
+ * regexes, `env_var_patterns` are substrings of the variable's value.
+ */
+function matchResolver(resolver, envelope, inputs) {
+    const matched = [];
+    const sig = resolver.signals;
+    const branch = envelope.session.branch;
+    if (sig.branch_patterns !== undefined && branch !== "") {
+        for (const p of sig.branch_patterns) {
+            if (globToRegExp(p).test(branch)) {
+                matched.push(`branch:${branch} ~ ${p}`);
+            }
+        }
+    }
+    if (sig.env_var_patterns !== undefined) {
+        for (const evp of sig.env_var_patterns) {
+            const value = inputs.env[evp.var];
+            if (typeof value !== "string")
+                continue;
+            for (const p of evp.patterns) {
+                if (value.includes(p)) {
+                    matched.push(`env:${evp.var} contains "${p}"`);
+                }
+            }
+        }
+    }
+    if (sig.kube_context_patterns !== undefined && inputs.kubeContext !== "") {
+        for (const p of sig.kube_context_patterns) {
+            let re;
+            try {
+                re = new RegExp(p);
+            }
+            catch {
+                continue;
+            }
+            if (re.test(inputs.kubeContext)) {
+                matched.push(`kube-context:${inputs.kubeContext} ~ /${p}/`);
+            }
+        }
+    }
+    if (sig.kube_namespace_patterns !== undefined &&
+        inputs.kubeNamespace !== "") {
+        for (const p of sig.kube_namespace_patterns) {
+            if (globToRegExp(p).test(inputs.kubeNamespace)) {
+                matched.push(`kube-namespace:${inputs.kubeNamespace} ~ ${p}`);
+            }
+        }
+    }
+    return matched;
+}
+/**
+ * Resolve the target environment of an Action Envelope.
+ *
+ * Pure: envelope + resolvers + ambient inputs in, resolution out, no
+ * I/O. When resolvers disagree, the most-dangerous environment wins
+ * (`ENV_PRECEDENCE`). Signals from every fired resolver that asserts the
+ * winning environment are unioned for explainability. When nothing
+ * matches, the result is `unknown` — deliberately not a safe default.
+ */
+export function resolveEnvironment(envelope, resolvers, inputs) {
+    const fired = [];
+    for (const resolver of resolvers) {
+        const signals = matchResolver(resolver, envelope, inputs);
+        if (signals.length > 0)
+            fired.push({ resolver, signals });
+    }
+    if (fired.length === 0) {
+        return { name: "unknown", confidence: "low", signals: [], resolver: null };
+    }
+    let best = fired[0];
+    for (const f of fired) {
+        if (ENV_PRECEDENCE.indexOf(f.resolver.environment) <
+            ENV_PRECEDENCE.indexOf(best.resolver.environment)) {
+            best = f;
+        }
+    }
+    // Union the signals of every fired resolver that asserts the winning
+    // environment, so the explanation is complete when several resolvers
+    // agree. `resolver` names the highest-precedence (first-found) one.
+    const winningEnv = best.resolver.environment;
+    const signals = [
+        ...new Set(fired
+            .filter((f) => f.resolver.environment === winningEnv)
+            .flatMap((f) => f.signals)),
+    ].sort();
+    return {
+        name: winningEnv,
+        confidence: signals.length >= 2 ? "high" : "medium",
+        signals,
+        resolver: best.resolver.name,
+    };
+}
+//# sourceMappingURL=environment-resolver.js.map

package/dist/runtime/environment-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"environment-resolver.js","sourceRoot":"","sources":["../../src/runtime/environment-resolver.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,EAAE;AACF,qEAAqE;AACrE,qEAAqE;AACrE,8DAA8D;AAC9D,cAAc;AACd,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,yEAAyE;AACzE,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,wEAAwE;AACxE,uEAAuE;AACvE,SAAS;AACT,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAmCpB,uEAAuE;AACvE,oEAAoE;AACpE,mDAAmD;AACnD,MAAM,cAAc,GAAoC;IACtD,YAAY;IACZ,SAAS;IACT,KAAK;IACL,OAAO;CACR,CAAC;AAEF;;;;GAIG;AACH,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC;SACrC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACxB,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa,CACpB,QAA6B,EAC7B,QAAwB,EACxB,MAAoB;IAEpB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC;IAE7B,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;IACvC,IAAI,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACpC,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,UAAU,MAAM,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,SAAS;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtB,OAAO,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,qBAAqB,KAAK,SAAS,IAAI,MAAM,CAAC,WAAW,KAAK,EAAE,EAAE,CAAC;QACzE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,qBAAqB,EAAE,CAAC;YAC1C,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,WAAW,OAAO,CAAC,GAAG,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IACE,GAAG,CAAC,uBAAuB,KAAK,SAAS;QACzC,MAAM,CAAC,aAAa,KAAK,EAAE,EAC3B,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,uBAAuB,EAAE,CAAC;YAC5C,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC/C,OAAO,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,aAAa,MAAM,CAAC,EAAE,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAwB,EACxB,SAAyC,EACzC,MAAoB;IAEpB,MAAM,KAAK,GAAgE,EAAE,CAAC;IAC9E,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IACE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9C,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EACjD,CAAC;YACD,IAAI,GAAG,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;IAC7C,MAAM,OAAO,GAAG;QACd,GAAG,IAAI,GAAG,CACR,KAAK;aACF,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,KAAK,UAAU,CAAC;aACpD,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAC7B;KACF,CAAC,IAAI,EAAE,CAAC;IAET,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACnD,OAAO;QACP,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;KAC7B,CAAC;AACJ,CAAC"}

package/dist/runtime/index.d.ts

@@ -3,4 +3,8 @@ export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeL
 export { resolveSessionId } from "./session-id.js";
 export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, type AgentFacingBlock, } from "./agent-facing.js";
 export { resolveGitContext, type GitRepoContext } from "./git-context.js";
+export { buildActionEnvelope, type ActionEnvelope, type ActionEnvelopeRuntime, type ActionEnvelopeSession, type EnvelopeContext, } from "./action-envelope.js";
+export { classifyRisk, type RiskConfidence, type RiskProfile, } from "./risk-classifier.js";
+export { resolveKubeContext, type KubeContext, type ResolveKubeContextOptions, } from "./kube-context.js";
+export { resolveEnvironment, type EnvironmentConfidence, type EnvironmentResolution, type SignalInputs, } from "./environment-resolver.js";
 export { addLedgerFact, type AddLedgerFactOptions, type AddLedgerFactResult, } from "./ledger-add.js";

package/dist/runtime/index.js

@@ -3,5 +3,9 @@ export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeL
 export { resolveSessionId } from "./session-id.js";
 export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, } from "./agent-facing.js";
 export { resolveGitContext } from "./git-context.js";
+export { buildActionEnvelope, } from "./action-envelope.js";
+export { classifyRisk, } from "./risk-classifier.js";
+export { resolveKubeContext, } from "./kube-context.js";
+export { resolveEnvironment, } from "./environment-resolver.js";
 export { addLedgerFact, } from "./ledger-add.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,mBAAmB,GAKpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,YAAY,GAGb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,kBAAkB,GAGnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,kBAAkB,GAInB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}

package/dist/runtime/kube-context.d.ts

@@ -0,0 +1,16 @@
+export interface KubeContext {
+    /** Current context name, or "" when unresolved. */
+    context: string;
+    /** Namespace of the current context, or "" when unresolved. */
+    namespace: string;
+}
+export interface ResolveKubeContextOptions {
+    /** Override the kubeconfig path (tests). Defaults to `~/.kube/config`. */
+    kubeconfigPath?: string;
+}
+/**
+ * Resolve `{ context, namespace }` from `~/.kube/config`. Returns empty
+ * strings when the file is absent, unparseable, or declares no
+ * `current-context`.
+ */
+export declare function resolveKubeContext(opts?: ResolveKubeContextOptions): KubeContext;

package/dist/runtime/kube-context.js

@@ -0,0 +1,63 @@
+// Resolves the current Kubernetes context + namespace from the
+// standard `~/.kube/config`, for the Phase 7 #4 Context Resolver's
+// `kube_context_patterns` / `kube_namespace_patterns` signals.
+//
+// Like `git-context.ts`, this is a deliberate filesystem approximation:
+// it reads `~/.kube/config` directly and does NOT consult `$KUBECONFIG`
+// file lists or in-cluster service-account state. For classifying a
+// target environment those exotic setups are out of the MVP's scope.
+// Every failure path returns empty strings, never throws — callers
+// treat "" as "unknown".
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { parse as parseYaml } from "yaml";
+const EMPTY = { context: "", namespace: "" };
+/**
+ * Resolve `{ context, namespace }` from `~/.kube/config`. Returns empty
+ * strings when the file is absent, unparseable, or declares no
+ * `current-context`.
+ */
+export function resolveKubeContext(opts = {}) {
+    const configPath = opts.kubeconfigPath ?? path.join(os.homedir(), ".kube", "config");
+    let raw;
+    try {
+        raw = fs.readFileSync(configPath, "utf8");
+    }
+    catch {
+        return EMPTY;
+    }
+    let doc;
+    try {
+        doc = parseYaml(raw);
+    }
+    catch {
+        return EMPTY;
+    }
+    if (typeof doc !== "object" || doc === null)
+        return EMPTY;
+    const config = doc;
+    const context = typeof config["current-context"] === "string"
+        ? config["current-context"]
+        : "";
+    if (context === "")
+        return EMPTY;
+    let namespace = "";
+    if (Array.isArray(config.contexts)) {
+        for (const entry of config.contexts) {
+            if (typeof entry !== "object" || entry === null)
+                continue;
+            const e = entry;
+            if (e.name !== context)
+                continue;
+            if (typeof e.context === "object" && e.context !== null) {
+                const ns = e.context.namespace;
+                if (typeof ns === "string")
+                    namespace = ns;
+            }
+            break;
+        }
+    }
+    return { context, namespace };
+}
+//# sourceMappingURL=kube-context.js.map

package/dist/runtime/kube-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kube-context.js","sourceRoot":"","sources":["../../src/runtime/kube-context.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,mEAAmE;AACnE,+DAA+D;AAC/D,EAAE;AACF,wEAAwE;AACxE,wEAAwE;AACxE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,yBAAyB;AAEzB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAS1C,MAAM,KAAK,GAAgB,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AAO1D;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC,EAAE;IAEpC,MAAM,UAAU,GACd,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAEpE,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAE1D,MAAM,MAAM,GAAG,GAA0D,CAAC;IAC1E,MAAM,OAAO,GACX,OAAO,MAAM,CAAC,iBAAiB,CAAC,KAAK,QAAQ;QAC3C,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC3B,CAAC,CAAC,EAAE,CAAC;IACT,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;gBAAE,SAAS;YAC1D,MAAM,CAAC,GAAG,KAA8C,CAAC;YACzD,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACjC,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;gBACxD,MAAM,EAAE,GAAI,CAAC,CAAC,OAAmC,CAAC,SAAS,CAAC;gBAC5D,IAAI,OAAO,EAAE,KAAK,QAAQ;oBAAE,SAAS,GAAG,EAAE,CAAC;YAC7C,CAAC;YACD,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC"}

package/dist/runtime/risk-classifier.d.ts

@@ -0,0 +1,38 @@
+import type { RiskCategory, RiskClassifier, RiskSeverity } from "../schema/index.js";
+import type { ActionEnvelope } from "./action-envelope.js";
+export type RiskConfidence = "high" | "low";
+export interface RiskProfile {
+    /** Did any classifier pattern match the action? */
+    classified: boolean;
+    /**
+     * Highest matched severity, or `null` when unclassified. `null` is
+     * NOT "low" — see the module header on "unknown is not safe".
+     */
+    severity: RiskSeverity | null;
+    /** Union of every matched pattern's categories, sorted and deduplicated. */
+    categories: RiskCategory[];
+    /**
+     * `false` when a matched category marks the action irreversible,
+     * `true` when classified and nothing marks it irreversible, `null`
+     * when unclassified (reversibility is unknown, not assumed).
+     */
+    reversible: boolean | null;
+    /**
+     * `high` for any deterministic rule match, `low` when unclassified.
+     * A regex classifier has no real probability; the field is a
+     * placeholder for the v2 LLM-assisted classifier, where a graded
+     * confidence becomes meaningful.
+     */
+    confidence: RiskConfidence;
+    /** One human-readable line per matched pattern, or the no-match note. */
+    reasons: string[];
+}
+/**
+ * Classify an Action Envelope against the manifest's risk classifiers.
+ *
+ * Pure: envelope + classifiers in, profile out, no I/O. Multiple
+ * matching patterns compose — highest severity wins, categories union,
+ * one `reasons` line per hit. An envelope no pattern matches yields the
+ * honest unclassified profile (`classified: false`, `severity: null`).
+ */
+export declare function classifyRisk(envelope: ActionEnvelope, classifiers: readonly RiskClassifier[]): RiskProfile;

package/dist/runtime/risk-classifier.js

@@ -0,0 +1,121 @@
+// Phase 7 #3 — Risk Classifier.
+//
+// Assigns an Action Envelope a risk profile by regex-matching the
+// manifest's `risk.classifiers[]` against the action. The first Risk
+// Gate stage that reads the `risk:` schema vocabulary shipped in
+// Phase 7 #1.
+//
+// STATUS: invoked by `harness test-risk` (Phase 7 #3). NOT yet consumed
+// by `harness policy intercept` — wiring the runtime through the
+// classifier is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// "Unknown is not safe": an envelope no pattern matches yields a
+// profile with `classified: false` and `severity: null`, deliberately
+// NOT a low/zero-risk profile. The Phase 7 #5 policy evaluator must
+// treat an unclassified action as risk-bearing rather than allow it by
+// default; this module's job is only to report the unclassified state
+// honestly.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// (design phase B).
+import { RiskSeveritySchema } from "../schema/index.js";
+import { expandToolNameAliases, extractShellCommand } from "./tool-name-aliases.js";
+// Ordered severity scale: a value's index here is the comparison key
+// for "highest matched severity wins". Sourced from the schema enum so
+// a future reordering there flows through unchanged.
+const SEVERITY_ORDER = RiskSeveritySchema.options;
+// Categories that mean the action does not cleanly undo itself. When a
+// matched pattern carries any of these the profile is `reversible:
+// false`. `destructive` and `data_loss` are included alongside the
+// explicit `irreversible_action`: a regex classifier cannot prove an
+// action is safely undoable, and the Risk Gate exists to err toward
+// caution. A genuinely destructive-but-reversible action simply should
+// not be tagged `destructive` by its classifier author.
+const IRREVERSIBLE_CATEGORIES = new Set(["irreversible_action", "data_loss", "destructive"]);
+/**
+ * The string a classifier's patterns are regex-matched against. For a
+ * shell-class tool (or any tool whose input carries a `command` / `cmd`
+ * field) it is that command. For other tools it is the serialized raw
+ * input — blunt, but it keeps non-shell classifiers usable in the MVP.
+ */
+function subjectFor(envelope) {
+    const command = extractShellCommand({ raw_input: envelope.raw_input });
+    if (command !== null)
+        return command;
+    const raw = envelope.raw_input;
+    if (raw === null || raw === undefined)
+        return "";
+    if (typeof raw === "string")
+        return raw;
+    try {
+        return JSON.stringify(raw);
+    }
+    catch {
+        return "";
+    }
+}
+/** A classifier applies when its `tool` is an alias of the envelope's tool. */
+function classifierApplies(classifier, envelope) {
+    return expandToolNameAliases(envelope.tool).includes(classifier.tool);
+}
+/**
+ * Classify an Action Envelope against the manifest's risk classifiers.
+ *
+ * Pure: envelope + classifiers in, profile out, no I/O. Multiple
+ * matching patterns compose — highest severity wins, categories union,
+ * one `reasons` line per hit. An envelope no pattern matches yields the
+ * honest unclassified profile (`classified: false`, `severity: null`).
+ */
+export function classifyRisk(envelope, classifiers) {
+    const applicable = classifiers.filter((c) => classifierApplies(c, envelope));
+    const subject = subjectFor(envelope);
+    const categories = new Set();
+    const reasons = [];
+    let severityIdx = -1;
+    for (const classifier of applicable) {
+        for (const pat of classifier.patterns) {
+            let re;
+            try {
+                re = new RegExp(pat.pattern);
+            }
+            catch {
+                // The schema regex-validates patterns at parse time; this guard
+                // only covers a manifest that bypassed `harness validate`.
+                continue;
+            }
+            if (!re.test(subject))
+                continue;
+            for (const cat of pat.categories)
+                categories.add(cat);
+            const idx = SEVERITY_ORDER.indexOf(pat.severity);
+            if (idx > severityIdx)
+                severityIdx = idx;
+            reasons.push(`classifier "${classifier.name}" pattern /${pat.pattern}/ matched: ` +
+                `severity ${pat.severity}, categories [${pat.categories.join(", ")}]`);
+        }
+    }
+    if (severityIdx === -1) {
+        return {
+            classified: false,
+            severity: null,
+            categories: [],
+            reversible: null,
+            confidence: "low",
+            reasons: [
+                applicable.length === 0
+                    ? `no risk classifier is declared for tool "${envelope.tool}"`
+                    : `no classifier pattern matched the action for tool "${envelope.tool}"`,
+            ],
+        };
+    }
+    const sortedCategories = [...categories].sort();
+    return {
+        classified: true,
+        severity: SEVERITY_ORDER[severityIdx],
+        categories: sortedCategories,
+        reversible: !sortedCategories.some((c) => IRREVERSIBLE_CATEGORIES.has(c)),
+        confidence: "high",
+        reasons,
+    };
+}
+//# sourceMappingURL=risk-classifier.js.map

package/dist/runtime/risk-classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF;;;;;GAKG;AACH,SAAS,UAAU,CAAC,QAAwB;IAC1C,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IACvE,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,OAAO,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CACxB,UAA0B,EAC1B,QAAwB;IAExB,OAAO,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,QAAwB,EACxB,WAAsC;IAEtC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAgB,CAAC;IAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;IAErB,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,2DAA2D;gBAC3D,SAAS;YACX,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAChC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,GAAG,GAAG,WAAW;gBAAE,WAAW,GAAG,GAAG,CAAC;YACzC,OAAO,CAAC,IAAI,CACV,eAAe,UAAU,CAAC,IAAI,cAAc,GAAG,CAAC,OAAO,aAAa;gBAClE,YAAY,GAAG,CAAC,QAAQ,iBAAiB,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACP,UAAU,CAAC,MAAM,KAAK,CAAC;oBACrB,CAAC,CAAC,4CAA4C,QAAQ,CAAC,IAAI,GAAG;oBAC9D,CAAC,CAAC,sDAAsD,QAAQ,CAAC,IAAI,GAAG;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,cAAc,CAAC,WAAW,CAAE;QACtC,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,UAAU,EAAE,MAAM;QAClB,OAAO;KACR,CAAC;AACJ,CAAC"}