npm - @lannguyensi/harness - Versions diffs - 0.25.2 → 0.27.0 - Mend

@lannguyensi/harness 0.25.2 → 0.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/CHANGELOG.md +36 -0
package/dist/cli/approve/risk.d.ts +43 -0
package/dist/cli/approve/risk.js +126 -0
package/dist/cli/approve/risk.js.map +1 -0
package/dist/cli/audit.js +8 -2
package/dist/cli/audit.js.map +1 -1
package/dist/cli/doctor/format.js +24 -0
package/dist/cli/doctor/format.js.map +1 -1
package/dist/cli/doctor/index.js +26 -0
package/dist/cli/doctor/index.js.map +1 -1
package/dist/cli/doctor/types.d.ts +23 -0
package/dist/cli/event-input.d.ts +28 -0
package/dist/cli/event-input.js +73 -0
package/dist/cli/event-input.js.map +1 -0
package/dist/cli/explain-action.d.ts +20 -0
package/dist/cli/explain-action.js +27 -0
package/dist/cli/explain-action.js.map +1 -0
package/dist/cli/explain-policy.d.ts +54 -0
package/dist/cli/explain-policy.js +81 -0
package/dist/cli/explain-policy.js.map +1 -0
package/dist/cli/explain.js +4 -0
package/dist/cli/explain.js.map +1 -1
package/dist/cli/index.js +126 -4
package/dist/cli/index.js.map +1 -1
package/dist/cli/init/templates.d.ts +1 -1
package/dist/cli/init/templates.js +98 -0
package/dist/cli/init/templates.js.map +1 -1
package/dist/cli/pack/hook-branch-protection.js +1 -1
package/dist/cli/pack/hook-branch-protection.js.map +1 -1
package/dist/cli/pack/hook-codex-pre-tool-use.js +1 -1
package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
package/dist/cli/pack/hook-post-tool-use.js +1 -1
package/dist/cli/pack/hook-post-tool-use.js.map +1 -1
package/dist/cli/pack/hook-pre-tool-use.js +1 -1
package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
package/dist/cli/pack/hook-track-active-claim.js +1 -1
package/dist/cli/pack/hook-track-active-claim.js.map +1 -1
package/dist/cli/{pack/pause-check.d.ts → pause-check.d.ts} +1 -1
package/dist/cli/{pack/pause-check.js → pause-check.js} +14 -11
package/dist/cli/pause-check.js.map +1 -0
package/dist/cli/policy/intercept.d.ts +15 -0
package/dist/cli/policy/intercept.js +55 -1
package/dist/cli/policy/intercept.js.map +1 -1
package/dist/cli/resolve-env.d.ts +32 -0
package/dist/cli/resolve-env.js +47 -0
package/dist/cli/resolve-env.js.map +1 -0
package/dist/cli/test-risk.d.ts +26 -0
package/dist/cli/test-risk.js +34 -0
package/dist/cli/test-risk.js.map +1 -0
package/dist/runtime/action-envelope.d.ts +64 -0
package/dist/runtime/action-envelope.js +46 -0
package/dist/runtime/action-envelope.js.map +1 -0
package/dist/runtime/environment-resolver.d.ts +36 -0
package/dist/runtime/environment-resolver.js +138 -0
package/dist/runtime/environment-resolver.js.map +1 -0
package/dist/runtime/index.d.ts +6 -1
package/dist/runtime/index.js +6 -1
package/dist/runtime/index.js.map +1 -1
package/dist/runtime/intercept.d.ts +60 -3
package/dist/runtime/intercept.js +104 -6
package/dist/runtime/intercept.js.map +1 -1
package/dist/runtime/kube-context.d.ts +16 -0
package/dist/runtime/kube-context.js +63 -0
package/dist/runtime/kube-context.js.map +1 -0
package/dist/runtime/ledger-record.d.ts +8 -0
package/dist/runtime/ledger-record.js +2 -0
package/dist/runtime/ledger-record.js.map +1 -1
package/dist/runtime/risk-classifier.d.ts +38 -0
package/dist/runtime/risk-classifier.js +148 -0
package/dist/runtime/risk-classifier.js.map +1 -0
package/dist/runtime/when-eval.d.ts +40 -0
package/dist/runtime/when-eval.js +134 -0
package/dist/runtime/when-eval.js.map +1 -0
package/dist/schema/environments.d.ts +215 -0
package/dist/schema/environments.js +101 -0
package/dist/schema/environments.js.map +1 -0
package/dist/schema/index.d.ts +419 -11
package/dist/schema/index.js +8 -0
package/dist/schema/index.js.map +1 -1
package/dist/schema/policies.d.ts +152 -13
package/dist/schema/policies.js +52 -1
package/dist/schema/policies.js.map +1 -1
package/dist/schema/risk.d.ts +131 -0
package/dist/schema/risk.js +87 -0
package/dist/schema/risk.js.map +1 -0
package/package.json +1 -1
package/dist/cli/pack/pause-check.js.map +0 -1

package/dist/schema/risk.js ADDED Viewed

@@ -0,0 +1,87 @@
+import { z } from "zod";
+// Risk Gate vocabulary — Phase 7 #1 anchor.
+//
+// STATUS: schema vocabulary only. `harness validate` parses and
+// validates a `risk:` block, but no runtime surface reads it yet. The
+// Risk Classifier that consumes `risk.classifiers[]` to assign an
+// Action Envelope a severity + categories lands in Phase 7 #3 (see
+// docs/ROADMAP.md and docs/risk-gate.md). Until then a `risk:` block is
+// inert, validated config.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md.
+// Severity is an ordered scale: a future `when.risk.severity_at_least:
+// high` clause matches `high` and `critical`. The ordering is the enum
+// declaration order — the Phase 7 #5 evaluator derives the comparison
+// from `RiskSeveritySchema.options`. This anchor only fixes the set.
+export const RiskSeveritySchema = z.enum(["low", "medium", "high", "critical"]);
+// Closed category vocabulary. Phase 7 #1 deliberately ships a fixed set
+// rather than a free-form string: a typo (`data-loss` for `data_loss`)
+// is then a validate-time error instead of a clause that silently never
+// matches, and `when.risk.category_in` stays statically checkable. New
+// categories are a schema addition, not operator config — see
+// docs/risk-gate.md for the rationale and the v2 escape hatch.
+export const RiskCategorySchema = z.enum([
+    "destructive",
+    "data_loss",
+    "production_mutation",
+    "credential_access",
+    "secret_exfiltration",
+    "network_exfiltration",
+    "deployment_change",
+    "infrastructure_change",
+    "privilege_escalation",
+    "irreversible_action",
+    "mass_update",
+]);
+// One pattern → (categories, severity) assignment. `pattern` is a
+// regular expression matched against the classified tool's raw input
+// (the exact field and match semantics are the Phase 7 #3 classifier's
+// concern; the anchor only stores and regex-validates the string).
+const RiskPatternSchema = z
+    .object({
+    pattern: z.string().min(1),
+    categories: z.array(RiskCategorySchema).min(1),
+    severity: RiskSeveritySchema,
+})
+    .strict()
+    .superRefine((rule, ctx) => {
+    try {
+        new RegExp(rule.pattern);
+    }
+    catch (err) {
+        ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            path: ["pattern"],
+            message: `invalid regex: ${err.message}`,
+        });
+    }
+});
+export const RiskClassifierSchema = z
+    .object({
+    name: z.string().min(1),
+    // The tool name whose input the classifier's patterns run against
+    // (e.g. `Bash`). The matcher that binds a classifier to a live tool
+    // event is Phase 7 #3; the anchor only records the binding.
+    tool: z.string().min(1),
+    patterns: z.array(RiskPatternSchema).min(1),
+})
+    .strict();
+export const RiskSchema = z
+    .object({
+    classifiers: z.array(RiskClassifierSchema).default([]),
+})
+    .strict()
+    .superRefine((risk, ctx) => {
+    const seen = new Set();
+    risk.classifiers.forEach((c, i) => {
+        if (seen.has(c.name)) {
+            ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["classifiers", i, "name"],
+                message: `duplicate risk classifier name: ${c.name}`,
+            });
+        }
+        seen.add(c.name);
+    });
+});
+//# sourceMappingURL=risk.js.map

package/dist/schema/risk.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"risk.js","sourceRoot":"","sources":["../../src/schema/risk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,4CAA4C;AAC5C,EAAE;AACF,gEAAgE;AAChE,sEAAsE;AACtE,kEAAkE;AAClE,mEAAmE;AACnE,wEAAwE;AACxE,2BAA2B;AAC3B,EAAE;AACF,0EAA0E;AAE1E,uEAAuE;AACvE,uEAAuE;AACvE,sEAAsE;AACtE,qEAAqE;AACrE,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;AAEhF,wEAAwE;AACxE,uEAAuE;AACvE,wEAAwE;AACxE,uEAAuE;AACvE,8DAA8D;AAC9D,+DAA+D;AAC/D,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC;IACvC,aAAa;IACb,WAAW;IACX,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;IACrB,sBAAsB;IACtB,mBAAmB;IACnB,uBAAuB;IACvB,sBAAsB;IACtB,qBAAqB;IACrB,aAAa;CACd,CAAC,CAAC;AAEH,kEAAkE;AAClE,qEAAqE;AACrE,uEAAuE;AACvE,mEAAmE;AACnE,MAAM,iBAAiB,GAAG,CAAC;KACxB,MAAM,CAAC;IACN,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,QAAQ,EAAE,kBAAkB;CAC7B,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IAAI,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,OAAO,EAAE,kBAAmB,GAAa,CAAC,OAAO,EAAE;SACpD,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC;KAClC,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,kEAAkE;IAClE,oEAAoE;IACpE,4DAA4D;IAC5D,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CAC5C,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC;KACxB,MAAM,CAAC;IACN,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACvD,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAChC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,aAAa,EAAE,CAAC,EAAE,MAAM,CAAC;gBAChC,OAAO,EAAE,mCAAmC,CAAC,CAAC,IAAI,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lannguyensi/harness",
-  "version": "0.25.2",
+  "version": "0.27.0",
   "description": "Declarative control plane for agent harnesses — one YAML for grounding, tools, memory, and hooks.",
   "license": "MIT",
   "homepage": "https://github.com/LanNguyenSi/harness",

package/dist/cli/pack/pause-check.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"pause-check.js","sourceRoot":"","sources":["../../../src/cli/pack/pause-check.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,uEAAuE;AACvE,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,sCAAsC;AACtC,EAAE;AACF,uEAAuE;AACvE,uEAAuE;AACvE,qEAAqE;AACrE,2BAA2B;AAE3B,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,YAAY,EAAsB,MAAM,cAAc,CAAC;AAehE;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAuB;IAC1D,IAAI,YAAoB,CAAC;IACzB,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACpC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;YACrC,YAAY,GAAG,mBAAmB,CAAC;gBACjC,GAAG,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpE,YAAY,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI;aACxC,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,mEAAmE;YACnE,oCAAoC;YACpC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,MAAM,YAAY,GAA6C;QAC7D,YAAY;QACZ,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;IACF,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;QAAE,YAAY,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IACjE,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS;QAAE,YAAY,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACxD,OAAO,kBAAkB,CAAC,YAAY,CAAC,CAAC;AAC1C,CAAC"}