@lannguyensi/harness 0.25.2 → 0.27.0

package/dist/cli/test-risk.js

@@ -0,0 +1,34 @@
+// Phase 7 #3 — `harness test-risk` CLI entrypoint.
+//
+// Debug verb for the Risk Gate. Reads a tool-event JSON file, builds
+// the Action Envelope (#2), classifies it against the manifest's
+// `risk.classifiers[]` (#3), and prints the resulting risk profile.
+// The inspection surface for the Risk Classifier, the counterpart of
+// `harness explain-action` one stage further down the pipeline.
+//
+// File read, JSON guards, and envelope build are the shared
+// `event-input` front end; manifest load + classification + rendering
+// live here.
+import { stringify as stringifyYaml } from "yaml";
+import { classifyRisk } from "../runtime/index.js";
+import { loadEventEnvelope } from "./event-input.js";
+import { loadManifest } from "./loader.js";
+/**
+ * Build the Action Envelope for a tool-event JSON file, classify it
+ * against the manifest's risk classifiers, and render the profile.
+ *
+ * Throws `HarnessExitError(EX_NOINPUT)` when the event file is missing,
+ * malformed, or not a JSON object (see `loadEventEnvelope`). A manifest
+ * with no `risk.classifiers[]` is valid: every action then classifies
+ * as unclassified ("unknown is not safe").
+ */
+export function testRisk(opts) {
+    const { envelope } = loadEventEnvelope(opts.eventPath, opts, "test-risk");
+    const manifest = opts.manifest ?? loadManifest(opts).manifest;
+    const profile = classifyRisk(envelope, manifest.risk.classifiers);
+    const output = opts.json
+        ? `${JSON.stringify(profile, null, 2)}\n`
+        : stringifyYaml(profile, { lineWidth: 0 });
+    return { output, profile };
+}
+//# sourceMappingURL=test-risk.js.map

package/dist/cli/test-risk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-risk.js","sourceRoot":"","sources":["../../src/cli/test-risk.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,qEAAqE;AACrE,iEAAiE;AACjE,oEAAoE;AACpE,qEAAqE;AACrE,gEAAgE;AAChE,EAAE;AACF,4DAA4D;AAC5D,sEAAsE;AACtE,aAAa;AAEb,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAClD,OAAO,EAAE,YAAY,EAAoB,MAAM,qBAAqB,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAwB,MAAM,kBAAkB,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAsB,MAAM,aAAa,CAAC;AAgB/D;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAqB;IAC5C,MAAM,EAAE,QAAQ,EAAE,GAAG,iBAAiB,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;IAC1E,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;IAC9D,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI;QACtB,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI;QACzC,CAAC,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC"}

package/dist/runtime/action-envelope.d.ts

@@ -0,0 +1,64 @@
+import type { GitRepoContext } from "./git-context.js";
+import type { ToolEvent } from "./intercept.js";
+export interface ActionEnvelopeSession {
+    /** Grounding / Claude Code session id, or "" when absent. */
+    id: string;
+    /** Work-tree basename for the event's cwd, or "" when not in a repo. */
+    repo: string;
+    /** Current branch, or "" when not in a repo or HEAD is detached. */
+    branch: string;
+    /**
+     * agent-tasks task id. Not present in the Claude Code PreToolUse
+     * payload, so "" in practice; a harness-driven or synthetic event may
+     * carry one. The MVP does no agent-tasks lookup.
+     */
+    task_id: string;
+}
+export interface ActionEnvelopeRuntime {
+    /** Working directory the action runs in. */
+    cwd: string;
+    /** OS user, or "" when unavailable. */
+    user: string;
+    /** Host name, or "" when unavailable. */
+    host: string;
+}
+export interface ActionEnvelope {
+    /** Hook event name, e.g. "PreToolUse". "" when absent. */
+    event: string;
+    /** Tool name, e.g. "Bash". "" when absent. */
+    tool: string;
+    /** The tool's raw input, verbatim. `null` when the event carries none. */
+    raw_input: unknown;
+    session: ActionEnvelopeSession;
+    runtime: ActionEnvelopeRuntime;
+    /** ISO-8601 UTC timestamp the envelope was built. */
+    timestamp: string;
+}
+/**
+ * Ambient facts the builder cannot derive from the event alone. The CLI
+ * wrapper resolves these (filesystem + process reads) and hands them in,
+ * keeping `buildActionEnvelope` itself pure and I/O-free — the same
+ * resolved-by-the-wrapper pattern `intercept()` uses for the git sha and
+ * the policy builtins.
+ */
+export interface EnvelopeContext {
+    /** Final working directory: the event's cwd, or the wrapper's fallback. */
+    cwd: string;
+    /** Git context resolved against `cwd`. Empty strings when cwd is not in a repo. */
+    git: GitRepoContext;
+    /** OS user (`os.userInfo().username`), or "" when unavailable. */
+    user: string;
+    /** Host name (`os.hostname()`), or "" when unavailable. */
+    host: string;
+    /** Timestamp to stamp on the envelope. */
+    now: Date;
+}
+/**
+ * Normalize a runtime tool event into an Action Envelope.
+ *
+ * Pure: every non-deterministic input (cwd, git, user, host, now)
+ * arrives via `context`. A sparse or malformed event never throws —
+ * absent fields become "" (or `null` for `raw_input`), so a hand-probed
+ * `{}` event still yields a well-formed envelope.
+ */
+export declare function buildActionEnvelope(event: ToolEvent, context: EnvelopeContext): ActionEnvelope;

package/dist/runtime/action-envelope.js

@@ -0,0 +1,46 @@
+// Phase 7 #2 — Action Envelope.
+//
+// The normalized, stable representation of a tool call that the Risk
+// Gate pipeline reasons about. The raw runtime event (`ToolEvent`, the
+// Claude Code PreToolUse hook payload) is runtime-specific and loosely
+// shaped; every downstream Risk Gate stage — the Risk Classifier (#3),
+// Context Resolver (#4), Policy Evaluator (#5) — consumes THIS shape
+// instead, so none of them re-parse a runtime-specific payload.
+//
+// STATUS: built by `harness explain-action` (Phase 7 #2). NOT yet
+// consumed by `harness policy intercept` — routing the runtime through
+// the envelope is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// ("Action Envelope" section).
+function asString(v) {
+    return typeof v === "string" ? v : "";
+}
+/**
+ * Normalize a runtime tool event into an Action Envelope.
+ *
+ * Pure: every non-deterministic input (cwd, git, user, host, now)
+ * arrives via `context`. A sparse or malformed event never throws —
+ * absent fields become "" (or `null` for `raw_input`), so a hand-probed
+ * `{}` event still yields a well-formed envelope.
+ */
+export function buildActionEnvelope(event, context) {
+    return {
+        event: asString(event.hook_event_name),
+        tool: asString(event.tool_name),
+        raw_input: event.tool_input ?? null,
+        session: {
+            id: asString(event.session_id),
+            repo: context.git.repo,
+            branch: context.git.branch,
+            task_id: asString(event.task_id),
+        },
+        runtime: {
+            cwd: context.cwd,
+            user: context.user,
+            host: context.host,
+        },
+        timestamp: context.now.toISOString(),
+    };
+}
+//# sourceMappingURL=action-envelope.js.map

package/dist/runtime/action-envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-envelope.js","sourceRoot":"","sources":["../../src/runtime/action-envelope.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,qEAAqE;AACrE,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,qEAAqE;AACrE,gEAAgE;AAChE,EAAE;AACF,kEAAkE;AAClE,uEAAuE;AACvE,yEAAyE;AACzE,EAAE;AACF,yEAAyE;AACzE,+BAA+B;AA8D/B,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAgB,EAChB,OAAwB;IAExB,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC;QACtC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC;QAC/B,SAAS,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;QACnC,OAAO,EAAE;YACP,EAAE,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC;YAC9B,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI;YACtB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,MAAM;YAC1B,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC;SACjC;QACD,OAAO,EAAE;YACP,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB;QACD,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC"}

package/dist/runtime/environment-resolver.d.ts

@@ -0,0 +1,36 @@
+import type { EnvironmentResolver, MatchableEnvironment } from "../schema/index.js";
+import type { ActionEnvelope } from "./action-envelope.js";
+export type EnvironmentConfidence = "high" | "medium" | "low";
+export interface EnvironmentResolution {
+    /** Resolved environment, or `unknown` when no resolver matched. */
+    name: MatchableEnvironment;
+    /**
+     * `high` when two or more signals (unioned across every resolver
+     * asserting the winning environment) back the result, `medium` for a
+     * single signal, `low` for `unknown` (no signal matched at all).
+     */
+    confidence: EnvironmentConfidence;
+    /** Matched signal descriptors that back the result, for explainability. */
+    signals: string[];
+    /** Name of the resolver whose environment won, or `null` when unresolved. */
+    resolver: string | null;
+}
+/** Ambient inputs the resolver matches signals against. */
+export interface SignalInputs {
+    /** Environment variables, for `env_var_patterns`. */
+    env: Record<string, string | undefined>;
+    /** Current kube context name, for `kube_context_patterns`. "" when unknown. */
+    kubeContext: string;
+    /** Current kube namespace, for `kube_namespace_patterns`. "" when unknown. */
+    kubeNamespace: string;
+}
+/**
+ * Resolve the target environment of an Action Envelope.
+ *
+ * Pure: envelope + resolvers + ambient inputs in, resolution out, no
+ * I/O. When resolvers disagree, the most-dangerous environment wins
+ * (`ENV_PRECEDENCE`). Signals from every fired resolver that asserts the
+ * winning environment are unioned for explainability. When nothing
+ * matches, the result is `unknown` — deliberately not a safe default.
+ */
+export declare function resolveEnvironment(envelope: ActionEnvelope, resolvers: readonly EnvironmentResolver[], inputs: SignalInputs): EnvironmentResolution;

package/dist/runtime/environment-resolver.js

@@ -0,0 +1,138 @@
+// Phase 7 #4 — Context Resolver.
+//
+// Classifies an Action Envelope's target environment by matching the
+// manifest's `environments.resolvers[]` signals. The Risk Gate stage
+// that reads the `environments:` schema vocabulary shipped in
+// Phase 7 #1.
+//
+// STATUS: invoked by `harness resolve-env` (Phase 7 #4). NOT yet
+// consumed by `harness policy intercept` — wiring the runtime through
+// the resolver is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
+//
+// "Unknown is not safe": when no resolver matches, the environment is
+// `unknown` — not a safe default. The Phase 7 #5 policy evaluator must
+// treat `unknown` as risk-bearing. `MatchableEnvironmentSchema` already
+// admits `unknown` so a `policy.when.environment.name` clause can gate
+// on it.
+//
+// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
+// (design phase C).
+// Most-dangerous-wins precedence: when resolvers disagree, the earlier
+// entry here is the resolved environment. `unknown` is the implicit
+// fallback and is not a resolver-assertable value.
+const ENV_PRECEDENCE = [
+    "production",
+    "staging",
+    "dev",
+    "local",
+];
+/**
+ * Convert a `*`-glob to an anchored RegExp. Only `*` is special (the
+ * Phase 7 #1 signal patterns are simple, e.g. `main`, `release/*`); all
+ * other regex metacharacters are escaped literally.
+ */
+function globToRegExp(glob) {
+    const escaped = glob
+        .replace(/[.+^${}()|[\]\\?]/g, "\\$&")
+        .replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`);
+}
+/**
+ * Match one resolver's signals against the envelope + ambient inputs.
+ * Signals are OR-ed: a resolver fires when ANY signal matches. Returns
+ * the matched signal descriptors (empty when the resolver did not fire).
+ *
+ * Per-signal-kind semantics: `branch_patterns` and
+ * `kube_namespace_patterns` are globs, `kube_context_patterns` are
+ * regexes, `env_var_patterns` are substrings of the variable's value.
+ */
+function matchResolver(resolver, envelope, inputs) {
+    const matched = [];
+    const sig = resolver.signals;
+    const branch = envelope.session.branch;
+    if (sig.branch_patterns !== undefined && branch !== "") {
+        for (const p of sig.branch_patterns) {
+            if (globToRegExp(p).test(branch)) {
+                matched.push(`branch:${branch} ~ ${p}`);
+            }
+        }
+    }
+    if (sig.env_var_patterns !== undefined) {
+        for (const evp of sig.env_var_patterns) {
+            const value = inputs.env[evp.var];
+            if (typeof value !== "string")
+                continue;
+            for (const p of evp.patterns) {
+                if (value.includes(p)) {
+                    matched.push(`env:${evp.var} contains "${p}"`);
+                }
+            }
+        }
+    }
+    if (sig.kube_context_patterns !== undefined && inputs.kubeContext !== "") {
+        for (const p of sig.kube_context_patterns) {
+            let re;
+            try {
+                re = new RegExp(p);
+            }
+            catch {
+                continue;
+            }
+            if (re.test(inputs.kubeContext)) {
+                matched.push(`kube-context:${inputs.kubeContext} ~ /${p}/`);
+            }
+        }
+    }
+    if (sig.kube_namespace_patterns !== undefined &&
+        inputs.kubeNamespace !== "") {
+        for (const p of sig.kube_namespace_patterns) {
+            if (globToRegExp(p).test(inputs.kubeNamespace)) {
+                matched.push(`kube-namespace:${inputs.kubeNamespace} ~ ${p}`);
+            }
+        }
+    }
+    return matched;
+}
+/**
+ * Resolve the target environment of an Action Envelope.
+ *
+ * Pure: envelope + resolvers + ambient inputs in, resolution out, no
+ * I/O. When resolvers disagree, the most-dangerous environment wins
+ * (`ENV_PRECEDENCE`). Signals from every fired resolver that asserts the
+ * winning environment are unioned for explainability. When nothing
+ * matches, the result is `unknown` — deliberately not a safe default.
+ */
+export function resolveEnvironment(envelope, resolvers, inputs) {
+    const fired = [];
+    for (const resolver of resolvers) {
+        const signals = matchResolver(resolver, envelope, inputs);
+        if (signals.length > 0)
+            fired.push({ resolver, signals });
+    }
+    if (fired.length === 0) {
+        return { name: "unknown", confidence: "low", signals: [], resolver: null };
+    }
+    let best = fired[0];
+    for (const f of fired) {
+        if (ENV_PRECEDENCE.indexOf(f.resolver.environment) <
+            ENV_PRECEDENCE.indexOf(best.resolver.environment)) {
+            best = f;
+        }
+    }
+    // Union the signals of every fired resolver that asserts the winning
+    // environment, so the explanation is complete when several resolvers
+    // agree. `resolver` names the highest-precedence (first-found) one.
+    const winningEnv = best.resolver.environment;
+    const signals = [
+        ...new Set(fired
+            .filter((f) => f.resolver.environment === winningEnv)
+            .flatMap((f) => f.signals)),
+    ].sort();
+    return {
+        name: winningEnv,
+        confidence: signals.length >= 2 ? "high" : "medium",
+        signals,
+        resolver: best.resolver.name,
+    };
+}
+//# sourceMappingURL=environment-resolver.js.map

package/dist/runtime/environment-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"environment-resolver.js","sourceRoot":"","sources":["../../src/runtime/environment-resolver.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,EAAE;AACF,qEAAqE;AACrE,qEAAqE;AACrE,8DAA8D;AAC9D,cAAc;AACd,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,yEAAyE;AACzE,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,wEAAwE;AACxE,uEAAuE;AACvE,SAAS;AACT,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAmCpB,uEAAuE;AACvE,oEAAoE;AACpE,mDAAmD;AACnD,MAAM,cAAc,GAAoC;IACtD,YAAY;IACZ,SAAS;IACT,KAAK;IACL,OAAO;CACR,CAAC;AAEF;;;;GAIG;AACH,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC;SACrC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACxB,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa,CACpB,QAA6B,EAC7B,QAAwB,EACxB,MAAoB;IAEpB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC;IAE7B,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;IACvC,IAAI,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACpC,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,UAAU,MAAM,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,SAAS;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtB,OAAO,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,qBAAqB,KAAK,SAAS,IAAI,MAAM,CAAC,WAAW,KAAK,EAAE,EAAE,CAAC;QACzE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,qBAAqB,EAAE,CAAC;YAC1C,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,WAAW,OAAO,CAAC,GAAG,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IACE,GAAG,CAAC,uBAAuB,KAAK,SAAS;QACzC,MAAM,CAAC,aAAa,KAAK,EAAE,EAC3B,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,uBAAuB,EAAE,CAAC;YAC5C,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC/C,OAAO,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,aAAa,MAAM,CAAC,EAAE,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAwB,EACxB,SAAyC,EACzC,MAAoB;IAEpB,MAAM,KAAK,GAAgE,EAAE,CAAC;IAC9E,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IACE,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9C,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EACjD,CAAC;YACD,IAAI,GAAG,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;IAC7C,MAAM,OAAO,GAAG;QACd,GAAG,IAAI,GAAG,CACR,KAAK;aACF,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,KAAK,UAAU,CAAC;aACpD,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAC7B;KACF,CAAC,IAAI,EAAE,CAAC;IAET,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACnD,OAAO;QACP,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;KAC7B,CAAC;AACJ,CAAC"}

package/dist/runtime/index.d.ts

@@ -1,6 +1,11 @@
-export { intercept, type ClaudeDenyJson, type InterceptOptions, type InterceptResult, type LedgerClient, type PolicyDecision, type PolicyOutcome, type ToolEvent, } from "./intercept.js";
+export { intercept, policyMatchesEvent, type ClaudeDenyJson, type InterceptOptions, type InterceptResult, type LedgerClient, type PolicyDecision, type PolicyOutcome, type RiskGateContext, type ToolEvent, } from "./intercept.js";
+export { evaluateWhen, type WhenClauseKey, type WhenClauseResult, type WhenContext, type WhenEvaluation, } from "./when-eval.js";
 export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeLedgerContent, decisionSortKey, type LedgerRecordOptions, type PolicyDecisionPayload, } from "./ledger-record.js";
 export { resolveSessionId } from "./session-id.js";
 export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, type AgentFacingBlock, } from "./agent-facing.js";
 export { resolveGitContext, type GitRepoContext } from "./git-context.js";
+export { buildActionEnvelope, type ActionEnvelope, type ActionEnvelopeRuntime, type ActionEnvelopeSession, type EnvelopeContext, } from "./action-envelope.js";
+export { classifyRisk, type RiskConfidence, type RiskProfile, } from "./risk-classifier.js";
+export { resolveKubeContext, type KubeContext, type ResolveKubeContextOptions, } from "./kube-context.js";
+export { resolveEnvironment, type EnvironmentConfidence, type EnvironmentResolution, type SignalInputs, } from "./environment-resolver.js";
 export { addLedgerFact, type AddLedgerFactOptions, type AddLedgerFactResult, } from "./ledger-add.js";

package/dist/runtime/index.js

@@ -1,7 +1,12 @@
-export { intercept, } from "./intercept.js";
+export { intercept, policyMatchesEvent, } from "./intercept.js";
+export { evaluateWhen, } from "./when-eval.js";
 export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeLedgerContent, decisionSortKey, } from "./ledger-record.js";
 export { resolveSessionId } from "./session-id.js";
 export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, } from "./agent-facing.js";
 export { resolveGitContext } from "./git-context.js";
+export { buildActionEnvelope, } from "./action-envelope.js";
+export { classifyRisk, } from "./risk-classifier.js";
+export { resolveKubeContext, } from "./kube-context.js";
+export { resolveEnvironment, } from "./environment-resolver.js";
 export { addLedgerFact, } from "./ledger-add.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,kBAAkB,GASnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,YAAY,GAKb,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,mBAAmB,GAKpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,YAAY,GAGb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,kBAAkB,GAGnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,kBAAkB,GAInB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}

package/dist/runtime/intercept.d.ts

@@ -1,5 +1,8 @@
 import { type ExtractBuiltins, type LedgerQueryResult } from "../policies/index.js";
-import type { Manifest } from "../schema/index.js";
+import type { Manifest, Policy } from "../schema/index.js";
+import { type EnvironmentResolution } from "./environment-resolver.js";
+import type { GitRepoContext } from "./git-context.js";
+import { type RiskProfile } from "./risk-classifier.js";
 export interface ToolEvent {
     hook_event_name?: string;
     tool_name?: string;
@@ -8,10 +11,10 @@ export interface ToolEvent {
     cwd?: string;
     [key: string]: unknown;
 }
-export type PolicyOutcome = "allow" | "deny" | "warn-degraded";
+export type PolicyOutcome = "allow" | "warn" | "require_approval" | "deny" | "warn-degraded";
 export interface PolicyDecision {
     policyName: string;
-    enforcement: "block" | "warn";
+    enforcement: Policy["enforcement"];
     outcome: PolicyOutcome;
     reason: string;
     extractValues: Record<string, string>;
@@ -20,6 +23,17 @@ export interface PolicyDecision {
         matchedCount: number;
         reason: string;
     };
+    /**
+     * Risk Classifier verdict for the action this decision was made
+     * about. Present only when the Risk Gate was active for the event
+     * (the manifest declared at least one `when:`-bearing policy); absent
+     * for a pure Phase-4 manifest, keeping its decisions byte-identical.
+     * Recorded to the audit ledger so `harness explain --trace` can
+     * replay the classification.
+     */
+    risk?: RiskProfile;
+    /** Context Resolver verdict, present under the same condition as `risk`. */
+    environment?: EnvironmentResolution;
     /**
      * One-line "to satisfy" hint synthesised from the policy's `requires`
      * spec. Carried on the live decision so the deny-envelope formatter
@@ -84,5 +98,48 @@ export interface InterceptOptions {
      * branch falls through to the standard time-window check.
      */
     currentHeadSha?: string;
+    /**
+     * Ambient context for the Risk Gate stages — the Action Envelope
+     * build (#2) and the environment resolution (#4). Resolved by the CLI
+     * wrapper (git / user / host / kube-config / env reads) and threaded
+     * in, keeping `intercept()` itself I/O-free, the same
+     * resolved-by-the-wrapper pattern as `currentHeadSha` and `builtins`.
+     *
+     * Optional: omitted by Phase-4-era callers and by unit tests that do
+     * not exercise `when:`. When omitted, the envelope is built from the
+     * event alone — risk then classifies as unclassified and the
+     * environment resolves to `unknown`. A manifest with no `when:`
+     * policy never reads any of this regardless (see `intercept`).
+     */
+    riskContext?: RiskGateContext;
 }
+/**
+ * Ambient inputs the Risk Gate needs that the CLI wrapper resolves from
+ * the host (filesystem + process). Mirrors the `EnvelopeContext` /
+ * `SignalInputs` split the debug verbs already use.
+ */
+export interface RiskGateContext {
+    /** Git context resolved against the event's cwd. */
+    git: GitRepoContext;
+    /** Working directory the action runs in. */
+    cwd: string;
+    /** OS user, or "" when unavailable. */
+    user: string;
+    /** Host name, or "" when unavailable. */
+    host: string;
+    /** Environment variables, for resolver `env_var_patterns`. */
+    env: Record<string, string | undefined>;
+    /** Current kube context name, or "" when unknown. */
+    kubeContext: string;
+    /** Current kube namespace, or "" when unknown. */
+    kubeNamespace: string;
+}
+/**
+ * Does a policy's `trigger:` match this event? This is the WHICH-tool-
+ * calls filter; the WHETHER-it-applies filter is `policy.when:`,
+ * evaluated separately (`evaluateWhen`). A policy fires only when both
+ * hold. Exported so `harness explain-policy` can report the trigger
+ * verdict on its own.
+ */
+export declare function policyMatchesEvent(policy: Policy, event: ToolEvent): boolean;
 export declare function intercept(options: InterceptOptions): Promise<InterceptResult>;

package/dist/runtime/intercept.js

@@ -7,11 +7,45 @@
 // that wraps this.
 import { evaluateExtract, evaluateRequires, parseDurationSeconds, substituteTemplate, } from "../policies/index.js";
 import { renderProducers } from "../policies/producers.js";
+import { buildActionEnvelope } from "./action-envelope.js";
 import { renderAgentFacing } from "./agent-facing.js";
+import { resolveEnvironment, } from "./environment-resolver.js";
 import { POLICY_DECISION_TYPE } from "./ledger-record.js";
+import { classifyRisk } from "./risk-classifier.js";
 import { resolveSessionId } from "./session-id.js";
 import { expandToolNameAliases, extractShellCommand, } from "./tool-name-aliases.js";
-function policyMatchesEvent(policy, event) {
+import { evaluateWhen } from "./when-eval.js";
+/**
+ * Build the Action Envelope for an event and run it through the Risk
+ * Classifier (#3) and Context Resolver (#4). Pure: every host fact
+ * arrives via `riskContext`; when it is absent the envelope is built
+ * from the event alone (unclassified risk, `unknown` environment).
+ */
+function enrichEnvelope(manifest, event, riskContext, now) {
+    const rc = riskContext;
+    const envelope = buildActionEnvelope(event, {
+        cwd: rc?.cwd ?? (typeof event.cwd === "string" ? event.cwd : ""),
+        git: rc?.git ?? { repo: "", branch: "", sha: "" },
+        user: rc?.user ?? "",
+        host: rc?.host ?? "",
+        now: now ?? new Date(),
+    });
+    const risk = classifyRisk(envelope, manifest.risk.classifiers);
+    const environment = resolveEnvironment(envelope, manifest.environments.resolvers, {
+        env: rc?.env ?? {},
+        kubeContext: rc?.kubeContext ?? "",
+        kubeNamespace: rc?.kubeNamespace ?? "",
+    });
+    return { risk, environment };
+}
+/**
+ * Does a policy's `trigger:` match this event? This is the WHICH-tool-
+ * calls filter; the WHETHER-it-applies filter is `policy.when:`,
+ * evaluated separately (`evaluateWhen`). A policy fires only when both
+ * hold. Exported so `harness explain-policy` can report the trigger
+ * verdict on its own.
+ */
+export function policyMatchesEvent(policy, event) {
     if (policy.trigger.event !== event.hook_event_name)
         return false;
     if (policy.trigger.match !== undefined) {
@@ -46,6 +80,35 @@ function buildEventContext(event) {
         git: {},
     };
 }
+/** Map a failed-`requires` policy to its decision outcome by enforcement. */
+function outcomeForFailedRequires(enforcement) {
+    switch (enforcement) {
+        case "block":
+            return "deny";
+        case "warn":
+            return "warn";
+        case "require_approval":
+            return "require_approval";
+    }
+}
+/**
+ * Does a decision abort the tool call? Phase 7 #6 makes the Risk Gate
+ * authoritative at the `PreToolUse` boundary:
+ *   - `deny` aborts (a `block`-enforcement policy whose requires failed,
+ *     the Phase 4 mechanism, unchanged).
+ *   - `require_approval` aborts until the approval evidence exists. In
+ *     Phase 7 #5 this outcome was returned but did not block; #6 makes
+ *     it block. The approval tag is satisfiable through the policy's
+ *     `requires:` (an operator runs `harness approve risk`); once the
+ *     tag is on record the requires evaluation passes and the outcome
+ *     is `allow` instead.
+ *   - `allow` / `warn` / `warn-degraded` never abort.
+ */
+function isBlockingDecision(d) {
+    if (d.outcome === "deny")
+        return d.enforcement === "block";
+    return d.outcome === "require_approval";
+}
 async function evaluateOnePolicy(policy, options) {
     const evaluatedAt = (options.now ?? new Date()).toISOString();
     const ctx = buildEventContext(options.event);
@@ -130,7 +193,14 @@ async function evaluateOnePolicy(policy, options) {
             evaluatedAt,
         };
     }
-    const outcome = evaluation.allowed ? "allow" : "deny";
+    // Four-way decision (Phase 7 #5). A satisfied `requires` always
+    // `allow`s; a failed one is mapped by the policy's enforcement —
+    // `block` → `deny`, `warn` → `warn`, `require_approval` →
+    // `require_approval`. The evaluator only RETURNS `require_approval`
+    // here; Phase 7 #6 makes it block.
+    const outcome = evaluation.allowed
+        ? "allow"
+        : outcomeForFailedRequires(policy.enforcement);
     return {
         policyName: policy.name,
         enforcement: policy.enforcement,
@@ -168,19 +238,47 @@ function filterEntriesByTag(entries, tag) {
             (e.source !== undefined && e.source.includes(tag))));
 }
 export async function intercept(options) {
-    const matching = options.manifest.policies.filter((p) => policyMatchesEvent(p, options.event));
+    const { manifest, event } = options;
+    // The Risk Gate is active only when some policy declares a `when:`
+    // block. A manifest with none — every Phase 4 / 5 / 6 manifest — skips
+    // envelope enrichment entirely: no `buildActionEnvelope`, no
+    // classifier, no resolver, and decisions carry no `risk` / `environment`.
+    // That keeps such manifests byte-for-byte identical to pre-Phase-7-#5.
+    const riskGateActive = manifest.policies.some((p) => p.when !== undefined);
+    const enriched = riskGateActive
+        ? enrichEnvelope(manifest, event, options.riskContext, options.now)
+        : undefined;
+    // A policy fires only when its `trigger:` matches AND — when declared
+    // — every `when:` clause holds against the enriched envelope.
+    const matching = manifest.policies.filter((p) => {
+        if (!policyMatchesEvent(p, event))
+            return false;
+        if (p.when === undefined)
+            return true;
+        // `enriched` is defined here: a policy with `when:` set `riskGateActive`.
+        return evaluateWhen(p.when, enriched).matched;
+    });
     const decisions = [];
     for (const policy of matching) {
-        const decision = await evaluateOnePolicy(policy, options);
+        const base = await evaluateOnePolicy(policy, options);
+        // Attach the per-event Risk Gate verdicts so `harness audit` /
+        // `explain --trace` can replay the classification + environment
+        // that the `when:` match was made against.
+        const decision = enriched
+            ? { ...base, risk: enriched.risk, environment: enriched.environment }
+            : base;
         decisions.push(decision);
         try {
-            await options.ledger.record(decision, resolveSessionId(options.event.session_id));
+            await options.ledger.record(decision, resolveSessionId(event.session_id));
         }
         catch {
             /* audit-write failure must not block; the decision is still applied. */
         }
     }
-    const blocking = decisions.find((d) => d.enforcement === "block" && d.outcome === "deny");
+    // First blocking decision wins the envelope. `deny` and
+    // `require_approval` both abort (Phase 7 #6); the search order is the
+    // manifest's policy order, same as Phase 4.
+    const blocking = decisions.find(isBlockingDecision);
     if (blocking) {
         const sessionId = resolveSessionId(options.event.session_id);
         // Append the "to satisfy" hint so Claude Code's deny message tells