@lannguyensi/harness 0.25.2 → 0.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/dist/cli/approve/risk.d.ts +43 -0
- package/dist/cli/approve/risk.js +126 -0
- package/dist/cli/approve/risk.js.map +1 -0
- package/dist/cli/audit.js +8 -2
- package/dist/cli/audit.js.map +1 -1
- package/dist/cli/doctor/format.js +24 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.js +26 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/types.d.ts +23 -0
- package/dist/cli/event-input.d.ts +28 -0
- package/dist/cli/event-input.js +73 -0
- package/dist/cli/event-input.js.map +1 -0
- package/dist/cli/explain-action.d.ts +20 -0
- package/dist/cli/explain-action.js +27 -0
- package/dist/cli/explain-action.js.map +1 -0
- package/dist/cli/explain-policy.d.ts +54 -0
- package/dist/cli/explain-policy.js +81 -0
- package/dist/cli/explain-policy.js.map +1 -0
- package/dist/cli/explain.js +4 -0
- package/dist/cli/explain.js.map +1 -1
- package/dist/cli/index.js +126 -4
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +98 -0
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-branch-protection.js +1 -1
- package/dist/cli/pack/hook-branch-protection.js.map +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-post-tool-use.js +1 -1
- package/dist/cli/pack/hook-post-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-track-active-claim.js +1 -1
- package/dist/cli/pack/hook-track-active-claim.js.map +1 -1
- package/dist/cli/{pack/pause-check.d.ts → pause-check.d.ts} +1 -1
- package/dist/cli/{pack/pause-check.js → pause-check.js} +14 -11
- package/dist/cli/pause-check.js.map +1 -0
- package/dist/cli/policy/intercept.d.ts +15 -0
- package/dist/cli/policy/intercept.js +55 -1
- package/dist/cli/policy/intercept.js.map +1 -1
- package/dist/cli/resolve-env.d.ts +32 -0
- package/dist/cli/resolve-env.js +47 -0
- package/dist/cli/resolve-env.js.map +1 -0
- package/dist/cli/test-risk.d.ts +26 -0
- package/dist/cli/test-risk.js +34 -0
- package/dist/cli/test-risk.js.map +1 -0
- package/dist/runtime/action-envelope.d.ts +64 -0
- package/dist/runtime/action-envelope.js +46 -0
- package/dist/runtime/action-envelope.js.map +1 -0
- package/dist/runtime/environment-resolver.d.ts +36 -0
- package/dist/runtime/environment-resolver.js +138 -0
- package/dist/runtime/environment-resolver.js.map +1 -0
- package/dist/runtime/index.d.ts +6 -1
- package/dist/runtime/index.js +6 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/intercept.d.ts +60 -3
- package/dist/runtime/intercept.js +104 -6
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/kube-context.d.ts +16 -0
- package/dist/runtime/kube-context.js +63 -0
- package/dist/runtime/kube-context.js.map +1 -0
- package/dist/runtime/ledger-record.d.ts +8 -0
- package/dist/runtime/ledger-record.js +2 -0
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/runtime/risk-classifier.d.ts +38 -0
- package/dist/runtime/risk-classifier.js +148 -0
- package/dist/runtime/risk-classifier.js.map +1 -0
- package/dist/runtime/when-eval.d.ts +40 -0
- package/dist/runtime/when-eval.js +134 -0
- package/dist/runtime/when-eval.js.map +1 -0
- package/dist/schema/environments.d.ts +215 -0
- package/dist/schema/environments.js +101 -0
- package/dist/schema/environments.js.map +1 -0
- package/dist/schema/index.d.ts +419 -11
- package/dist/schema/index.js +8 -0
- package/dist/schema/index.js.map +1 -1
- package/dist/schema/policies.d.ts +152 -13
- package/dist/schema/policies.js +52 -1
- package/dist/schema/policies.js.map +1 -1
- package/dist/schema/risk.d.ts +131 -0
- package/dist/schema/risk.js +87 -0
- package/dist/schema/risk.js.map +1 -0
- package/package.json +1 -1
- package/dist/cli/pack/pause-check.js.map +0 -1
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
// Shared tool-event input handling for the Risk Gate verbs that take a
|
|
2
|
+
// tool-event JSON file: `harness explain-action`, `harness test-risk`,
|
|
3
|
+
// `harness resolve-env`, and `harness explain-policy`.
|
|
4
|
+
//
|
|
5
|
+
// Each applies the same not-found / malformed / non-object guards,
|
|
6
|
+
// resolves the same ambient `EnvelopeContext` (git, host, user, now),
|
|
7
|
+
// and builds the Action Envelope. This module is that shared front end
|
|
8
|
+
// so every verb stays byte-identical in how it reads and normalizes
|
|
9
|
+
// its input.
|
|
10
|
+
import * as fs from "node:fs";
|
|
11
|
+
import * as os from "node:os";
|
|
12
|
+
import { buildActionEnvelope, resolveGitContext, } from "../runtime/index.js";
|
|
13
|
+
import { EX_NOINPUT, HarnessExitError } from "./exit-codes.js";
|
|
14
|
+
function safeUser() {
|
|
15
|
+
try {
|
|
16
|
+
return os.userInfo().username;
|
|
17
|
+
}
|
|
18
|
+
catch {
|
|
19
|
+
return "";
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
function safeHost() {
|
|
23
|
+
try {
|
|
24
|
+
return os.hostname();
|
|
25
|
+
}
|
|
26
|
+
catch {
|
|
27
|
+
return "";
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Read a tool-event JSON file and build its Action Envelope.
|
|
32
|
+
*
|
|
33
|
+
* Throws `HarnessExitError(EX_NOINPUT)` when the file is missing, is not
|
|
34
|
+
* valid JSON, or does not decode to a JSON object. A well-formed but
|
|
35
|
+
* sparse event (e.g. `{}`) is accepted: the envelope builder fills
|
|
36
|
+
* absent fields with empty values rather than throwing. `verb` only
|
|
37
|
+
* prefixes the error messages so the operator sees which command failed.
|
|
38
|
+
*/
|
|
39
|
+
export function loadEventEnvelope(eventPath, seams = {}, verb = "explain-action") {
|
|
40
|
+
let raw;
|
|
41
|
+
try {
|
|
42
|
+
raw = fs.readFileSync(eventPath, "utf8");
|
|
43
|
+
}
|
|
44
|
+
catch {
|
|
45
|
+
throw new HarnessExitError(`${verb}: event file not found or unreadable: ${eventPath}`, EX_NOINPUT);
|
|
46
|
+
}
|
|
47
|
+
let parsed;
|
|
48
|
+
try {
|
|
49
|
+
parsed = JSON.parse(raw);
|
|
50
|
+
}
|
|
51
|
+
catch (err) {
|
|
52
|
+
throw new HarnessExitError(`${verb}: malformed event JSON in ${eventPath}: ${err.message}`, EX_NOINPUT);
|
|
53
|
+
}
|
|
54
|
+
if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
|
|
55
|
+
const got = parsed === null ? "null" : Array.isArray(parsed) ? "array" : typeof parsed;
|
|
56
|
+
throw new HarnessExitError(`${verb}: event JSON must be an object, got ${got}`, EX_NOINPUT);
|
|
57
|
+
}
|
|
58
|
+
const event = parsed;
|
|
59
|
+
const fallbackCwd = seams.cwdFallback ?? process.cwd();
|
|
60
|
+
const cwd = typeof event.cwd === "string" && event.cwd.length > 0
|
|
61
|
+
? event.cwd
|
|
62
|
+
: fallbackCwd;
|
|
63
|
+
const resolveGit = seams.resolveGit ?? resolveGitContext;
|
|
64
|
+
const envelope = buildActionEnvelope(event, {
|
|
65
|
+
cwd,
|
|
66
|
+
git: resolveGit(cwd),
|
|
67
|
+
user: seams.user ?? safeUser(),
|
|
68
|
+
host: seams.host ?? safeHost(),
|
|
69
|
+
now: seams.now ?? new Date(),
|
|
70
|
+
});
|
|
71
|
+
return { event, envelope };
|
|
72
|
+
}
|
|
73
|
+
//# sourceMappingURL=event-input.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"event-input.js","sourceRoot":"","sources":["../../src/cli/event-input.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,uEAAuE;AACvE,uDAAuD;AACvD,EAAE;AACF,mEAAmE;AACnE,sEAAsE;AACtE,uEAAuE;AACvE,oEAAoE;AACpE,aAAa;AAEb,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAIlB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAqB/D,SAAS,QAAQ;IACf,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,QAAQ;IACf,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAiB,EACjB,QAAyB,EAAE,EAC3B,IAAI,GAAG,gBAAgB;IAEvB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,gBAAgB,CACxB,GAAG,IAAI,yCAAyC,SAAS,EAAE,EAC3D,UAAU,CACX,CAAC;IACJ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,gBAAgB,CACxB,GAAG,IAAI,6BAA6B,SAAS,KAAM,GAAa,CAAC,OAAO,EAAE,EAC1E,UAAU,CACX,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3E,MAAM,GAAG,GACP,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC;QAC7E,MAAM,IAAI,gBAAgB,CACxB,GAAG,IAAI,uCAAuC,GAAG,EAAE,EACnD,UAAU,CACX,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,MAAmB,CAAC;IAElC,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACvD,MAAM,GAAG,GACP,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;QACnD,CAAC,CAAC,KAAK,CAAC,GAAG;QACX,CAAC,CAAC,WAAW,CAAC;IAClB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,iBAAiB,CAAC;IAEzD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC1C,GAAG;QACH,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC;QACpB,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,QAAQ,EAAE;QAC9B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,QAAQ,EAAE;QAC9B,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE;KAC7B,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AAC7B,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import type { ActionEnvelope } from "../runtime/index.js";
|
|
2
|
+
import { type EventInputSeams } from "./event-input.js";
|
|
3
|
+
export interface ExplainActionOptions extends EventInputSeams {
|
|
4
|
+
/** Path to the tool-event JSON file. */
|
|
5
|
+
eventPath: string;
|
|
6
|
+
/** Emit JSON instead of YAML. */
|
|
7
|
+
json?: boolean;
|
|
8
|
+
}
|
|
9
|
+
export interface ExplainActionResult {
|
|
10
|
+
output: string;
|
|
11
|
+
envelope: ActionEnvelope;
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Build and render the Action Envelope for a tool-event JSON file.
|
|
15
|
+
*
|
|
16
|
+
* Throws `HarnessExitError(EX_NOINPUT)` when the file is missing, is not
|
|
17
|
+
* valid JSON, or does not decode to a JSON object (see
|
|
18
|
+
* `loadEventEnvelope`). A well-formed but sparse event is accepted.
|
|
19
|
+
*/
|
|
20
|
+
export declare function explainAction(opts: ExplainActionOptions): ExplainActionResult;
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
// Phase 7 #2 — `harness explain-action` CLI entrypoint.
|
|
2
|
+
//
|
|
3
|
+
// Debug verb for the Risk Gate. Reads a tool-event JSON file (the
|
|
4
|
+
// Claude Code PreToolUse hook payload shape), builds the Action
|
|
5
|
+
// Envelope, and prints it. This is the inspection surface for the
|
|
6
|
+
// envelope normalization that Phase 7 #3-#5 build the classifier,
|
|
7
|
+
// resolver, and policy evaluator on top of.
|
|
8
|
+
//
|
|
9
|
+
// File read, JSON guards, and envelope build live in the shared
|
|
10
|
+
// `event-input` front end; this module only renders the result.
|
|
11
|
+
import { stringify as stringifyYaml } from "yaml";
|
|
12
|
+
import { loadEventEnvelope } from "./event-input.js";
|
|
13
|
+
/**
|
|
14
|
+
* Build and render the Action Envelope for a tool-event JSON file.
|
|
15
|
+
*
|
|
16
|
+
* Throws `HarnessExitError(EX_NOINPUT)` when the file is missing, is not
|
|
17
|
+
* valid JSON, or does not decode to a JSON object (see
|
|
18
|
+
* `loadEventEnvelope`). A well-formed but sparse event is accepted.
|
|
19
|
+
*/
|
|
20
|
+
export function explainAction(opts) {
|
|
21
|
+
const { envelope } = loadEventEnvelope(opts.eventPath, opts, "explain-action");
|
|
22
|
+
const output = opts.json
|
|
23
|
+
? `${JSON.stringify(envelope, null, 2)}\n`
|
|
24
|
+
: stringifyYaml(envelope, { lineWidth: 0 });
|
|
25
|
+
return { output, envelope };
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=explain-action.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"explain-action.js","sourceRoot":"","sources":["../../src/cli/explain-action.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,EAAE;AACF,kEAAkE;AAClE,gEAAgE;AAChE,kEAAkE;AAClE,kEAAkE;AAClE,4CAA4C;AAC5C,EAAE;AACF,gEAAgE;AAChE,gEAAgE;AAEhE,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAElD,OAAO,EAAE,iBAAiB,EAAwB,MAAM,kBAAkB,CAAC;AAc3E;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAA0B;IACtD,MAAM,EAAE,QAAQ,EAAE,GAAG,iBAAiB,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,gBAAgB,CAAC,CAAC;IAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI;QACtB,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI;QAC1C,CAAC,CAAC,aAAa,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;IAC9C,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9B,CAAC"}
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
import { type EnvironmentResolution, type RiskProfile, type WhenClauseResult } from "../runtime/index.js";
|
|
2
|
+
import type { Manifest } from "../schema/index.js";
|
|
3
|
+
import { type EventInputSeams } from "./event-input.js";
|
|
4
|
+
import { type LoaderOptions } from "./loader.js";
|
|
5
|
+
export interface ExplainPolicyOptions extends EventInputSeams, LoaderOptions {
|
|
6
|
+
/** Path to the tool-event JSON file (the `--event` argument). */
|
|
7
|
+
eventPath: string;
|
|
8
|
+
/** Emit JSON instead of YAML. */
|
|
9
|
+
json?: boolean;
|
|
10
|
+
/** Inject the resolved manifest (tests); bypasses `loadManifest`. */
|
|
11
|
+
manifest?: Manifest;
|
|
12
|
+
/** Inject env vars for `env_var_patterns` (tests); defaults to `process.env`. */
|
|
13
|
+
env?: Record<string, string | undefined>;
|
|
14
|
+
/** Inject the kube context (tests); bypasses `~/.kube/config`. */
|
|
15
|
+
kubeContext?: string;
|
|
16
|
+
/** Inject the kube namespace (tests); bypasses `~/.kube/config`. */
|
|
17
|
+
kubeNamespace?: string;
|
|
18
|
+
}
|
|
19
|
+
interface ExplainPolicyProjection {
|
|
20
|
+
policy: string;
|
|
21
|
+
description: string;
|
|
22
|
+
trigger: {
|
|
23
|
+
event: string;
|
|
24
|
+
match?: string;
|
|
25
|
+
path_match?: string;
|
|
26
|
+
bash_match?: string;
|
|
27
|
+
matched: boolean;
|
|
28
|
+
};
|
|
29
|
+
classifier: RiskProfile;
|
|
30
|
+
environment: EnvironmentResolution;
|
|
31
|
+
when: {
|
|
32
|
+
declared: false;
|
|
33
|
+
} | {
|
|
34
|
+
declared: true;
|
|
35
|
+
matched: boolean;
|
|
36
|
+
clauses: WhenClauseResult[];
|
|
37
|
+
unclassifiedFallback: boolean;
|
|
38
|
+
};
|
|
39
|
+
/** trigger AND when — would this policy fire on this event? */
|
|
40
|
+
applies: boolean;
|
|
41
|
+
}
|
|
42
|
+
export interface ExplainPolicyResult {
|
|
43
|
+
output: string;
|
|
44
|
+
projection: ExplainPolicyProjection;
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Explain whether `policyName` applies to the event at `opts.eventPath`.
|
|
48
|
+
*
|
|
49
|
+
* Throws `HarnessExitError(EX_USAGE)` when the named policy is not
|
|
50
|
+
* declared in the manifest, and `HarnessExitError(EX_NOINPUT)` (via
|
|
51
|
+
* `loadEventEnvelope`) when the event file is missing or malformed.
|
|
52
|
+
*/
|
|
53
|
+
export declare function explainPolicy(policyName: string, opts: ExplainPolicyOptions): ExplainPolicyResult;
|
|
54
|
+
export {};
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
// Phase 7 #5 — `harness explain-policy` CLI entrypoint.
|
|
2
|
+
//
|
|
3
|
+
// Risk Gate debug verb: given a policy name and a tool-event JSON file,
|
|
4
|
+
// explain whether the policy would APPLY to that event, and why. A
|
|
5
|
+
// policy applies only when its `trigger:` matches AND — when declared —
|
|
6
|
+
// every `when:` clause holds against the enriched Action Envelope. This
|
|
7
|
+
// verb shows both verdicts side by side: the trigger match, the Risk
|
|
8
|
+
// Classifier profile, the resolved environment, and a per-clause `when:`
|
|
9
|
+
// breakdown, so an operator authoring a risk policy sees exactly which
|
|
10
|
+
// clause admitted an action or held it back.
|
|
11
|
+
//
|
|
12
|
+
// Distinct from `harness explain <policy> --trace`: that replays the
|
|
13
|
+
// LAST recorded decision from the evidence ledger; `explain-policy`
|
|
14
|
+
// evaluates a hypothetical event live and reads nothing from the ledger.
|
|
15
|
+
import { stringify as stringifyYaml } from "yaml";
|
|
16
|
+
import { classifyRisk, evaluateWhen, policyMatchesEvent, resolveEnvironment, resolveKubeContext, } from "../runtime/index.js";
|
|
17
|
+
import { loadEventEnvelope } from "./event-input.js";
|
|
18
|
+
import { EX_USAGE, HarnessExitError } from "./exit-codes.js";
|
|
19
|
+
import { loadManifest } from "./loader.js";
|
|
20
|
+
/**
|
|
21
|
+
* Explain whether `policyName` applies to the event at `opts.eventPath`.
|
|
22
|
+
*
|
|
23
|
+
* Throws `HarnessExitError(EX_USAGE)` when the named policy is not
|
|
24
|
+
* declared in the manifest, and `HarnessExitError(EX_NOINPUT)` (via
|
|
25
|
+
* `loadEventEnvelope`) when the event file is missing or malformed.
|
|
26
|
+
*/
|
|
27
|
+
export function explainPolicy(policyName, opts) {
|
|
28
|
+
const manifest = opts.manifest ?? loadManifest(opts).manifest;
|
|
29
|
+
const policy = manifest.policies.find((p) => p.name === policyName);
|
|
30
|
+
if (!policy) {
|
|
31
|
+
const available = manifest.policies.map((p) => p.name).join(", ") || "(none)";
|
|
32
|
+
throw new HarnessExitError(`no policy named "${policyName}" declared; available: ${available}`, EX_USAGE);
|
|
33
|
+
}
|
|
34
|
+
const { event, envelope } = loadEventEnvelope(opts.eventPath, opts, "explain-policy");
|
|
35
|
+
// Kube seams resolve together: if either is injected, skip the
|
|
36
|
+
// `~/.kube/config` read entirely — same contract as `resolve-env`.
|
|
37
|
+
const kube = opts.kubeContext !== undefined || opts.kubeNamespace !== undefined
|
|
38
|
+
? { context: opts.kubeContext ?? "", namespace: opts.kubeNamespace ?? "" }
|
|
39
|
+
: resolveKubeContext();
|
|
40
|
+
const classifier = classifyRisk(envelope, manifest.risk.classifiers);
|
|
41
|
+
const environment = resolveEnvironment(envelope, manifest.environments.resolvers, {
|
|
42
|
+
env: opts.env ?? process.env,
|
|
43
|
+
kubeContext: kube.context,
|
|
44
|
+
kubeNamespace: kube.namespace,
|
|
45
|
+
});
|
|
46
|
+
const triggerMatched = policyMatchesEvent(policy, event);
|
|
47
|
+
const whenEval = policy.when !== undefined
|
|
48
|
+
? evaluateWhen(policy.when, { risk: classifier, environment })
|
|
49
|
+
: undefined;
|
|
50
|
+
const projection = {
|
|
51
|
+
policy: policy.name,
|
|
52
|
+
description: policy.description,
|
|
53
|
+
trigger: {
|
|
54
|
+
event: policy.trigger.event,
|
|
55
|
+
...(policy.trigger.match !== undefined && { match: policy.trigger.match }),
|
|
56
|
+
...(policy.trigger.path_match !== undefined && {
|
|
57
|
+
path_match: policy.trigger.path_match,
|
|
58
|
+
}),
|
|
59
|
+
...(policy.trigger.bash_match !== undefined && {
|
|
60
|
+
bash_match: policy.trigger.bash_match,
|
|
61
|
+
}),
|
|
62
|
+
matched: triggerMatched,
|
|
63
|
+
},
|
|
64
|
+
classifier,
|
|
65
|
+
environment,
|
|
66
|
+
when: whenEval
|
|
67
|
+
? {
|
|
68
|
+
declared: true,
|
|
69
|
+
matched: whenEval.matched,
|
|
70
|
+
clauses: whenEval.clauses,
|
|
71
|
+
unclassifiedFallback: whenEval.unclassifiedFallback,
|
|
72
|
+
}
|
|
73
|
+
: { declared: false },
|
|
74
|
+
applies: triggerMatched && (whenEval ? whenEval.matched : true),
|
|
75
|
+
};
|
|
76
|
+
const output = opts.json
|
|
77
|
+
? `${JSON.stringify(projection, null, 2)}\n`
|
|
78
|
+
: stringifyYaml(projection, { lineWidth: 0 });
|
|
79
|
+
return { output, projection };
|
|
80
|
+
}
|
|
81
|
+
//# sourceMappingURL=explain-policy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"explain-policy.js","sourceRoot":"","sources":["../../src/cli/explain-policy.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,EAAE;AACF,wEAAwE;AACxE,mEAAmE;AACnE,wEAAwE;AACxE,wEAAwE;AACxE,qEAAqE;AACrE,yEAAyE;AACzE,uEAAuE;AACvE,6CAA6C;AAC7C,EAAE;AACF,qEAAqE;AACrE,oEAAoE;AACpE,yEAAyE;AAEzE,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,GAInB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,iBAAiB,EAAwB,MAAM,kBAAkB,CAAC;AAC3E,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAsB,MAAM,aAAa,CAAC;AA8C/D;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,UAAkB,EAClB,IAA0B;IAE1B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;IAC9D,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;QAC9E,MAAM,IAAI,gBAAgB,CACxB,oBAAoB,UAAU,0BAA0B,SAAS,EAAE,EACnE,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,iBAAiB,CAC3C,IAAI,CAAC,SAAS,EACd,IAAI,EACJ,gBAAgB,CACjB,CAAC;IAEF,+DAA+D;IAC/D,mEAAmE;IACnE,MAAM,IAAI,GACR,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;QAChE,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,aAAa,IAAI,EAAE,EAAE;QAC1E,CAAC,CAAC,kBAAkB,EAAE,CAAC;IAE3B,MAAM,UAAU,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACrE,MAAM,WAAW,GAAG,kBAAkB,CACpC,QAAQ,EACR,QAAQ,CAAC,YAAY,CAAC,SAAS,EAC/B;QACE,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG;QAC5B,WAAW,EAAE,IAAI,CAAC,OAAO;QACzB,aAAa,EAAE,IAAI,CAAC,SAAS;KAC9B,CACF,CAAC;IAEF,MAAM,cAAc,GAAG,kBAAkB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,MAAM,QAAQ,GACZ,MAAM,CAAC,IAAI,KAAK,SAAS;QACvB,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,UAAU,GAA4B;QAC1C,MAAM,EAAE,MAAM,CAAC,IAAI;QACnB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE;YACP,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YAC3B,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YAC1E,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,IAAI;gBAC7C,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU;aACtC,CAAC;YACF,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,IAAI;gBAC7C,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU;aACtC,CAAC;YACF,OAAO,EAAE,cAAc;SACxB;QACD,UAAU;QACV,WAAW;QACX,IAAI,EAAE,QAAQ;YACZ,CAAC,CAAC;gBACE,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,oBAAoB,EAAE,QAAQ,CAAC,oBAAoB;aACpD;YACH,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE;QACvB,OAAO,EAAE,cAAc,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;KAChE,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI;QACtB,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI;QAC5C,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;IAChD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;AAChC,CAAC"}
|
package/dist/cli/explain.js
CHANGED
|
@@ -121,6 +121,10 @@ function renderTrace(latest, manifest, sessionId, json) {
|
|
|
121
121
|
...(trigger?.match !== undefined && { match: trigger.match }),
|
|
122
122
|
...(trigger?.bash_match !== undefined && { bashMatch: trigger.bash_match }),
|
|
123
123
|
},
|
|
124
|
+
...(latest.payload.risk && { classifier: latest.payload.risk }),
|
|
125
|
+
...(latest.payload.environment && {
|
|
126
|
+
environment: latest.payload.environment,
|
|
127
|
+
}),
|
|
124
128
|
extract: latest.payload.extractValues,
|
|
125
129
|
...(latest.payload.requiresEval && { requiresEval: latest.payload.requiresEval }),
|
|
126
130
|
...(policy && {
|
package/dist/cli/explain.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"explain.js","sourceRoot":"","sources":["../../src/cli/explain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EACL,eAAe,EACf,gBAAgB,GAGjB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,eAAe,EACf,mBAAmB,GAEpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,oBAAoB,GAErB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAsB,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"explain.js","sourceRoot":"","sources":["../../src/cli/explain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EACL,eAAe,EACf,gBAAgB,GAGjB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,eAAe,EACf,mBAAmB,GAEpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,oBAAoB,GAErB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAsB,MAAM,aAAa,CAAC;AA4D/D,SAAS,cAAc,CAAC,IAAoB;IAC1C,OAAO,KAAK,EAAE,SAAiB,EAA8B,EAAE;QAC7D,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;QAChF,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;YAC3C,CAAC,CAAC,MAAM,CAAC,OAAO;YAChB,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,gBAAgB,CAAC;YACtB,UAAU,EAAE,OAAO;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;YACzC,SAAS;YACT,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,IAAI,KAAK;SAC9C,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAID,SAAS,SAAS,CAAC,OAAsB;IACvC,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAsB,EACtB,UAAkB;IAElB,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IAChF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,CAAC,IAAI,CACV,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,CACpF,CAAC;IACF,OAAO,OAAO,CAAC,CAAC,CAAE,CAAC;AACrB,CAAC;AAED,SAAS,eAAe,CACtB,OAAsB,EACtB,cAAsC;IAEtC,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,KAAK,SAAS,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,KAAK,cAAc,CAC5E,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,CAAC,IAAI,CACV,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,CACpF,CAAC;IACF,OAAO,OAAO,CAAC,CAAC,CAAE,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,UAA8B,EAC9B,OAAuB,EAAE;IAEzB,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAExC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9E,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,gBAAgB,CACxB,0BAA0B,MAAM,CAAC,MAAM,EAAE,EACzC,OAAO,CACR,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,YAAY,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,mBAAmB,IAAI,CAAC,cAAc,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,gBAAgB,CACxB,+BAA+B,YAAY,kBAAkB,SAAS,6DAA6D,EACnI,OAAO,CACR,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,gBAAgB,CACxB,4EAA4E,EAC5E,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;QAC9E,MAAM,IAAI,gBAAgB,CACxB,oBAAoB,UAAU,0BAA0B,SAAS,EAAE,EACnE,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,mEAAmE;YACnE,iEAAiE;YACjE,8DAA8D;YAC9D,gEAAgE;YAChE,kEAAkE;YAClE,6CAA6C;YAC7C,SAAS,EAAE,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;YACvE,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,IAAI,EAAE,mEAAmE;SAC1E,CAAC;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI;YACtB,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI;YAC5C,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;QAChD,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC9E,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC/B,MAAM,IAAI,gBAAgB,CACxB,0BAA0B,MAAM,CAAC,MAAM,EAAE,EACzC,OAAO,CACR,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACjE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,gBAAgB,CACxB,wCAAwC,UAAU,mBAAmB,SAAS,MAAM;YAClF,0EAA0E;YAC1E,kEAAkE,EACpE,OAAO,CACR,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AACzE,CAAC;AAED,SAAS,WAAW,CAClB,MAAe,EACf,QAAqD,EACrD,SAAiB,EACjB,IAAyB;IAEzB,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,CAAC;IAChC,MAAM,UAAU,GAAoB;QAClC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI;QACzB,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO;QAChC,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW;QACvC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;QAC7B,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS;QACnC,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW;QACvC,cAAc,EAAE;YACd,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,oDAAoD;YAC7E,GAAG,CAAC,OAAO,EAAE,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;YAC7D,GAAG,CAAC,OAAO,EAAE,UAAU,KAAK,SAAS,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC;SAC5E;QACD,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC/D,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI;YAChC,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW;SACxC,CAAC;QACF,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,aAAa;QACrC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACjF,GAAG,CAAC,MAAM,IAAI;YACZ,SAAS,EAAE,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;SACtE,CAAC;QACF,WAAW,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,SAAS,EAAE;KACnD,CAAC;IAEF,OAAO,IAAI;QACT,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI;QAC5C,CAAC,CAAC,aAAa,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;AAClD,CAAC"}
|
package/dist/cli/index.js
CHANGED
|
@@ -32,6 +32,7 @@ import { runPackHookCodexPreToolUseCli } from "./pack/hook-codex-pre-tool-use.js
|
|
|
32
32
|
import { runPackHookCodexStopCli } from "./pack/hook-codex-stop.js";
|
|
33
33
|
import { runPackHookCodexUserPromptSubmitCli } from "./pack/hook-codex-user-prompt-submit.js";
|
|
34
34
|
import { isRuntime, KNOWN_RUNTIMES } from "../policy-packs/index.js";
|
|
35
|
+
import { approveRisk } from "./approve/risk.js";
|
|
35
36
|
import { approveUnderstanding } from "./approve/understanding.js";
|
|
36
37
|
import { describe, isPillar } from "./describe.js";
|
|
37
38
|
import { diff as diffRun } from "./diff/index.js";
|
|
@@ -41,6 +42,10 @@ import { doctor, isDoctorTarget, KNOWN_DOCTOR_TARGETS } from "./doctor/index.js"
|
|
|
41
42
|
import { format as formatDoctor } from "./doctor/format.js";
|
|
42
43
|
import { EX_FAIL, EX_USAGE, HarnessExitError } from "./exit-codes.js";
|
|
43
44
|
import { explain } from "./explain.js";
|
|
45
|
+
import { explainAction } from "./explain-action.js";
|
|
46
|
+
import { explainPolicy } from "./explain-policy.js";
|
|
47
|
+
import { testRisk } from "./test-risk.js";
|
|
48
|
+
import { resolveEnv } from "./resolve-env.js";
|
|
44
49
|
import { detect as detectInit } from "./init/detect.js";
|
|
45
50
|
import { init, isTemplate, KNOWN_TEMPLATES } from "./init/index.js";
|
|
46
51
|
import { runInteractive } from "./init/interactive.js";
|
|
@@ -986,7 +991,49 @@ export function buildProgram(opts = {}) {
|
|
|
986
991
|
}
|
|
987
992
|
stdout(`${lines.join("\n")}\n`);
|
|
988
993
|
});
|
|
989
|
-
|
|
994
|
+
approveCmd
|
|
995
|
+
.command("risk")
|
|
996
|
+
.description("Grant a Risk Gate require_approval decision: write the " +
|
|
997
|
+
"risk-approved:${SESSION_ID} evidence-ledger tag the blocked policy's " +
|
|
998
|
+
"requires consults. Operator action — run it after reviewing the blocked action.")
|
|
999
|
+
.option("--config <path>", "manifest path (default: ~/.harness/harness.yaml; legacy fallback ~/.claude/harness.yaml)")
|
|
1000
|
+
.option("--project <name>", "apply per-project overrides")
|
|
1001
|
+
.option("--session <id>", "explicit session id (default: $CLAUDE_SESSION_ID, then $CODEX_SESSION_ID, then staged .pending-approval)")
|
|
1002
|
+
.action(async (options) => {
|
|
1003
|
+
const cliOpts = {};
|
|
1004
|
+
if (options.config)
|
|
1005
|
+
cliOpts.configPath = options.config;
|
|
1006
|
+
if (options.project)
|
|
1007
|
+
cliOpts.project = options.project;
|
|
1008
|
+
if (options.session)
|
|
1009
|
+
cliOpts.session = options.session;
|
|
1010
|
+
const result = await approveRisk(cliOpts);
|
|
1011
|
+
const lines = [];
|
|
1012
|
+
const sourceNote = result.sessionSource === "pending-approval"
|
|
1013
|
+
? " (resolved from .pending-approval staged by the gate hook)"
|
|
1014
|
+
: result.sessionSource === "env-claude"
|
|
1015
|
+
? " (from $CLAUDE_SESSION_ID)"
|
|
1016
|
+
: result.sessionSource === "env-codex"
|
|
1017
|
+
? " (from $CODEX_SESSION_ID)"
|
|
1018
|
+
: "";
|
|
1019
|
+
lines.push(`session: ${result.sessionId}${sourceNote}`);
|
|
1020
|
+
if (result.ledger.ok) {
|
|
1021
|
+
lines.push(`ledger: ✓ wrote ${result.ledger.tag}`);
|
|
1022
|
+
lines.push(" the Risk Gate require_approval policy now passes for this session.");
|
|
1023
|
+
}
|
|
1024
|
+
else {
|
|
1025
|
+
lines.push(`ledger: ✗ FAILED (${result.ledger.reason ?? "unknown"})`);
|
|
1026
|
+
lines.push(" the require_approval gate stays blocked until the tag is recorded.");
|
|
1027
|
+
}
|
|
1028
|
+
stdout(`${lines.join("\n")}\n`);
|
|
1029
|
+
});
|
|
1030
|
+
const VALID_DECISION_FILTERS = [
|
|
1031
|
+
"allow",
|
|
1032
|
+
"warn",
|
|
1033
|
+
"require_approval",
|
|
1034
|
+
"deny",
|
|
1035
|
+
"warn-degraded",
|
|
1036
|
+
];
|
|
990
1037
|
const isDecisionFilter = (v) => VALID_DECISION_FILTERS.includes(v);
|
|
991
1038
|
program
|
|
992
1039
|
.command("explain [policy]")
|
|
@@ -996,7 +1043,7 @@ export function buildProgram(opts = {}) {
|
|
|
996
1043
|
.option("--json", "emit JSON instead of YAML")
|
|
997
1044
|
.option("--trace", "include the full decision trail from the most recent evaluation")
|
|
998
1045
|
.option("--last", "trace the most recent policy decision in the ledger (any policy); mutually exclusive with <policy>")
|
|
999
|
-
.option("--decision <outcome>",
|
|
1046
|
+
.option("--decision <outcome>", `with --last, restrict to decisions of this outcome (${VALID_DECISION_FILTERS.join(" / ")})`)
|
|
1000
1047
|
.option("--session <id>", "grounding session whose audit log to read (default: $CLAUDE_SESSION_ID, then 'default')")
|
|
1001
1048
|
.action(async (policyName, options) => {
|
|
1002
1049
|
if (options.last && policyName !== undefined) {
|
|
@@ -1006,7 +1053,7 @@ export function buildProgram(opts = {}) {
|
|
|
1006
1053
|
throw new HarnessExitError("explain: --decision requires --last", EX_USAGE);
|
|
1007
1054
|
}
|
|
1008
1055
|
if (options.decision !== undefined && !isDecisionFilter(options.decision)) {
|
|
1009
|
-
throw new HarnessExitError(`explain: --decision must be one of
|
|
1056
|
+
throw new HarnessExitError(`explain: --decision must be one of ${VALID_DECISION_FILTERS.join(", ")} (got "${options.decision}")`, EX_USAGE);
|
|
1010
1057
|
}
|
|
1011
1058
|
const explainOpts = {};
|
|
1012
1059
|
if (options.config)
|
|
@@ -1027,12 +1074,87 @@ export function buildProgram(opts = {}) {
|
|
|
1027
1074
|
const result = await explain(policyName, explainOpts);
|
|
1028
1075
|
stdout(result.output);
|
|
1029
1076
|
});
|
|
1077
|
+
program
|
|
1078
|
+
.command("explain-action <event.json>")
|
|
1079
|
+
.description("Risk Gate debug verb (Phase 7): read a tool-event JSON file (the Claude Code PreToolUse hook payload shape: " +
|
|
1080
|
+
"{ hook_event_name, tool_name, tool_input, session_id, cwd }) and print the normalized Action Envelope. " +
|
|
1081
|
+
"Inspection surface for the envelope that downstream Risk Gate stages consume; does not evaluate policies.")
|
|
1082
|
+
.option("--json", "emit the envelope as JSON instead of YAML")
|
|
1083
|
+
.action((eventPath, options) => {
|
|
1084
|
+
const result = explainAction({
|
|
1085
|
+
eventPath,
|
|
1086
|
+
...(options.json === true && { json: true }),
|
|
1087
|
+
});
|
|
1088
|
+
stdout(result.output);
|
|
1089
|
+
if (!result.output.endsWith("\n"))
|
|
1090
|
+
stdout("\n");
|
|
1091
|
+
});
|
|
1092
|
+
program
|
|
1093
|
+
.command("test-risk <event.json>")
|
|
1094
|
+
.description("Risk Gate debug verb (Phase 7): read a tool-event JSON file, build its Action Envelope, and classify it " +
|
|
1095
|
+
"against the manifest's risk.classifiers[]. Prints the risk profile (severity, categories, reversibility, " +
|
|
1096
|
+
"confidence, reasons). An action no pattern matches reports as unclassified, not as safe.")
|
|
1097
|
+
.option("--config <path>", "manifest path (default: ~/.harness/harness.yaml; legacy fallback ~/.claude/harness.yaml)")
|
|
1098
|
+
.option("--project <name>", "apply per-project overrides")
|
|
1099
|
+
.option("--json", "emit the risk profile as JSON instead of YAML")
|
|
1100
|
+
.action((eventPath, options) => {
|
|
1101
|
+
const result = testRisk({
|
|
1102
|
+
eventPath,
|
|
1103
|
+
...(options.config !== undefined && { configPath: options.config }),
|
|
1104
|
+
...(options.project !== undefined && { project: options.project }),
|
|
1105
|
+
...(options.json === true && { json: true }),
|
|
1106
|
+
});
|
|
1107
|
+
stdout(result.output);
|
|
1108
|
+
if (!result.output.endsWith("\n"))
|
|
1109
|
+
stdout("\n");
|
|
1110
|
+
});
|
|
1111
|
+
program
|
|
1112
|
+
.command("resolve-env <event.json>")
|
|
1113
|
+
.description("Risk Gate debug verb (Phase 7): read a tool-event JSON file, build its Action Envelope, and resolve its " +
|
|
1114
|
+
"target environment against the manifest's environments.resolvers[] (branch / env-var / kube-context / " +
|
|
1115
|
+
"kube-namespace signals). An action no resolver matches resolves to `unknown`, not to a safe default.")
|
|
1116
|
+
.option("--config <path>", "manifest path (default: ~/.harness/harness.yaml; legacy fallback ~/.claude/harness.yaml)")
|
|
1117
|
+
.option("--project <name>", "apply per-project overrides")
|
|
1118
|
+
.option("--json", "emit the environment resolution as JSON instead of YAML")
|
|
1119
|
+
.action((eventPath, options) => {
|
|
1120
|
+
const result = resolveEnv({
|
|
1121
|
+
eventPath,
|
|
1122
|
+
...(options.config !== undefined && { configPath: options.config }),
|
|
1123
|
+
...(options.project !== undefined && { project: options.project }),
|
|
1124
|
+
...(options.json === true && { json: true }),
|
|
1125
|
+
});
|
|
1126
|
+
stdout(result.output);
|
|
1127
|
+
if (!result.output.endsWith("\n"))
|
|
1128
|
+
stdout("\n");
|
|
1129
|
+
});
|
|
1130
|
+
program
|
|
1131
|
+
.command("explain-policy <policy>")
|
|
1132
|
+
.description("Risk Gate debug verb (Phase 7): explain whether <policy> would APPLY to a tool event. " +
|
|
1133
|
+
"Reads the event from --event, builds and enriches the Action Envelope, and shows the " +
|
|
1134
|
+
"trigger match, the risk classification, the resolved environment, and a per-clause " +
|
|
1135
|
+
"`when:` breakdown. Evaluates a hypothetical event live and reads nothing from the " +
|
|
1136
|
+
"ledger (use `harness explain <policy> --trace` for the last recorded decision).")
|
|
1137
|
+
.requiredOption("--event <event.json>", "path to the tool-event JSON file")
|
|
1138
|
+
.option("--config <path>", "manifest path (default: ~/.harness/harness.yaml; legacy fallback ~/.claude/harness.yaml)")
|
|
1139
|
+
.option("--project <name>", "apply per-project overrides")
|
|
1140
|
+
.option("--json", "emit the explanation as JSON instead of YAML")
|
|
1141
|
+
.action((policyName, options) => {
|
|
1142
|
+
const result = explainPolicy(policyName, {
|
|
1143
|
+
eventPath: options.event,
|
|
1144
|
+
...(options.config !== undefined && { configPath: options.config }),
|
|
1145
|
+
...(options.project !== undefined && { project: options.project }),
|
|
1146
|
+
...(options.json === true && { json: true }),
|
|
1147
|
+
});
|
|
1148
|
+
stdout(result.output);
|
|
1149
|
+
if (!result.output.endsWith("\n"))
|
|
1150
|
+
stdout("\n");
|
|
1151
|
+
});
|
|
1030
1152
|
program
|
|
1031
1153
|
.command("audit")
|
|
1032
1154
|
.description("Replay policy decisions from the evidence ledger for a time window")
|
|
1033
1155
|
.option("--since <duration>", "time window (default: 24h)")
|
|
1034
1156
|
.option("--policy <name>", "filter to a single policy by name")
|
|
1035
|
-
.option("--outcome <outcome>", "filter by decision outcome (allow / deny / warn-degraded)")
|
|
1157
|
+
.option("--outcome <outcome>", "filter by decision outcome (allow / warn / require_approval / deny / warn-degraded)")
|
|
1036
1158
|
.option("--config <path>", "manifest path (default: ~/.harness/harness.yaml; legacy fallback ~/.claude/harness.yaml)")
|
|
1037
1159
|
.option("--project <name>", "apply per-project overrides")
|
|
1038
1160
|
.option("--session <id>", "grounding session whose audit log to read (default: $CLAUDE_SESSION_ID, then 'default')")
|