@lannguyensi/harness 0.25.2 → 0.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/dist/cli/approve/risk.d.ts +43 -0
- package/dist/cli/approve/risk.js +126 -0
- package/dist/cli/approve/risk.js.map +1 -0
- package/dist/cli/audit.js +8 -2
- package/dist/cli/audit.js.map +1 -1
- package/dist/cli/doctor/format.js +24 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.js +26 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/types.d.ts +23 -0
- package/dist/cli/event-input.d.ts +28 -0
- package/dist/cli/event-input.js +73 -0
- package/dist/cli/event-input.js.map +1 -0
- package/dist/cli/explain-action.d.ts +20 -0
- package/dist/cli/explain-action.js +27 -0
- package/dist/cli/explain-action.js.map +1 -0
- package/dist/cli/explain-policy.d.ts +54 -0
- package/dist/cli/explain-policy.js +81 -0
- package/dist/cli/explain-policy.js.map +1 -0
- package/dist/cli/explain.js +4 -0
- package/dist/cli/explain.js.map +1 -1
- package/dist/cli/index.js +126 -4
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +98 -0
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-branch-protection.js +1 -1
- package/dist/cli/pack/hook-branch-protection.js.map +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-post-tool-use.js +1 -1
- package/dist/cli/pack/hook-post-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-track-active-claim.js +1 -1
- package/dist/cli/pack/hook-track-active-claim.js.map +1 -1
- package/dist/cli/{pack/pause-check.d.ts → pause-check.d.ts} +1 -1
- package/dist/cli/{pack/pause-check.js → pause-check.js} +14 -11
- package/dist/cli/pause-check.js.map +1 -0
- package/dist/cli/policy/intercept.d.ts +15 -0
- package/dist/cli/policy/intercept.js +55 -1
- package/dist/cli/policy/intercept.js.map +1 -1
- package/dist/cli/resolve-env.d.ts +32 -0
- package/dist/cli/resolve-env.js +47 -0
- package/dist/cli/resolve-env.js.map +1 -0
- package/dist/cli/test-risk.d.ts +26 -0
- package/dist/cli/test-risk.js +34 -0
- package/dist/cli/test-risk.js.map +1 -0
- package/dist/runtime/action-envelope.d.ts +64 -0
- package/dist/runtime/action-envelope.js +46 -0
- package/dist/runtime/action-envelope.js.map +1 -0
- package/dist/runtime/environment-resolver.d.ts +36 -0
- package/dist/runtime/environment-resolver.js +138 -0
- package/dist/runtime/environment-resolver.js.map +1 -0
- package/dist/runtime/index.d.ts +6 -1
- package/dist/runtime/index.js +6 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/intercept.d.ts +60 -3
- package/dist/runtime/intercept.js +104 -6
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/kube-context.d.ts +16 -0
- package/dist/runtime/kube-context.js +63 -0
- package/dist/runtime/kube-context.js.map +1 -0
- package/dist/runtime/ledger-record.d.ts +8 -0
- package/dist/runtime/ledger-record.js +2 -0
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/runtime/risk-classifier.d.ts +38 -0
- package/dist/runtime/risk-classifier.js +148 -0
- package/dist/runtime/risk-classifier.js.map +1 -0
- package/dist/runtime/when-eval.d.ts +40 -0
- package/dist/runtime/when-eval.js +134 -0
- package/dist/runtime/when-eval.js.map +1 -0
- package/dist/schema/environments.d.ts +215 -0
- package/dist/schema/environments.js +101 -0
- package/dist/schema/environments.js.map +1 -0
- package/dist/schema/index.d.ts +419 -11
- package/dist/schema/index.js +8 -0
- package/dist/schema/index.js.map +1 -1
- package/dist/schema/policies.d.ts +152 -13
- package/dist/schema/policies.js +52 -1
- package/dist/schema/policies.js.map +1 -1
- package/dist/schema/risk.d.ts +131 -0
- package/dist/schema/risk.js +87 -0
- package/dist/schema/risk.js.map +1 -0
- package/package.json +1 -1
- package/dist/cli/pack/pause-check.js.map +0 -1
@@ -1 +1 @@
1
-
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;
1
+
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EACL,kBAAkB,GAEnB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAoB,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAuK9C;;;;;GAKG;AACH,SAAS,cAAc,CACrB,QAAkB,EAClB,KAAgB,EAChB,WAAwC,EACxC,GAAqB;IAErB,MAAM,EAAE,GAAG,WAAW,CAAC;IACvB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC1C,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QACjD,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE;QACpB,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE;QACpB,GAAG,EAAE,GAAG,IAAI,IAAI,IAAI,EAAE;KACvB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,kBAAkB,CACpC,QAAQ,EACR,QAAQ,CAAC,YAAY,CAAC,SAAS,EAC/B;QACE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE;QAClB,WAAW,EAAE,EAAE,EAAE,WAAW,IAAI,EAAE;QAClC,aAAa,EAAE,EAAE,EAAE,aAAa,IAAI,EAAE;KACvC,CACF,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,KAAgB;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,eAAe;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACtD,MAAM,SAAS,GAAG,qBAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACzD,IACE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,KAAM,CAAC,CAAC,EACvE,CAAC;YAC
D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,EAAU,CAAC;QACf,IAAI,CAAC;YACH,EAAE,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAgB;IACzC,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,KAAK;QAC5D,KAAK;QACL,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE,EAAE;QACvC,GAAG,EAAE,EAAE;KACR,CAAC;AACJ,CAAC;AAED,6EAA6E;AAC7E,SAAS,wBAAwB,CAC/B,WAAkC;IAElC,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,kBAAkB;YACrB,OAAO,kBAAkB,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,kBAAkB,CAAC,CAAiB;IAC3C,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM;QAAE,OAAO,CAAC,CAAC,WAAW,KAAK,OAAO,CAAC;IAC3D,OAAO,CAAC,CAAC,OAAO,KAAK,kBAAkB,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,MAAc,EACd,OAAyB;IAEzB,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,eAAe,CAC7B,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,EAC5B,GAAG,EACH,OAAO,CAAC,QAAQ,CACjB,CAAC;IACF,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;SACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,MAAM,GAAG,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC;IAC7B,MAAM,UAAU,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,kCAAkC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjE,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,S
AAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,WAA8B,CAAC;IACnC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,SAAS,EACT,SAAS,EACT,OAAO,CAAC,eAAe,CACxB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,WAAW,GAAG;YACZ,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,uBAAwB,GAAa,CAAC,OAAO,EAAE;SACxD,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACpC,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,mBAAmB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBACnD,aAAa,EAAE,OAAO,CAAC,MAAM;gBAC7B,SAAS;gBACT,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAA4B;QACxC,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,GAAG,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS;YACtC,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI;YACnC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;KACL,CAAC;IACF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACpE,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,UAAU,GAAG,gBAAgB,CAC3B,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,EAC7C,QAAQ,EACR,QAAQ,CACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,wBAAyB,GAAa,CAAC,OAAO,EAAE;YACxD,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,iEAAiE;IACjE,0DAA0D;IAC1D,oEAAoE;IACpE,mCAAmC;IACnC,MAAM,OAAO,GAAkB,UAAU,CAAC,OAAO;QAC/C,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO;QACP,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,aAAa,EAAE,OAAO,CAAC,MAAM;QAC7B,SAAS;QACT
,YAAY,EAAE;YACZ,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B;QACD,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,OAAsB,EACtB,GAAW;IAEX,0EAA0E;IAC1E,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,EAAE;IACF,gEAAgE;IAChE,mEAAmE;IACnE,iEAAiE;IACjE,4DAA4D;IAC5D,6DAA6D;IAC7D,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,oBAAoB;QAC/B,+DAA+D;QAC/D,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,oDAAoD;QACpD,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,oBAAoB,GAAG,CAAC;QACjD,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YACtB,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAyB;IAEzB,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAEpC,mEAAmE;IACnE,uEAAuE;IACvE,6DAA6D;IAC7D,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;IAC3E,MAAM,QAAQ,GAAiC,cAAc;QAC3D,CAAC,CAAC,cAAc,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC;QACnE,CAAC,CAAC,SAAS,CAAC;IAEd,sEAAsE;IACtE,8DAA8D;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9C,IAAI,CAAC,kBAAkB,CAAC,CAAC,EAAE,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAChD,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACtC,0EAA0E;QAC1E,OAAO,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,QAAS,CAAC,CAAC,OAAO,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAqB,EAAE,CAAC;IACvC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACtD,+DAA+D;QAC/D,gEAAgE;QAChE,2CAA2C;QAC3C,MAAM,QAAQ,GAAmB,QAAQ;YACvC,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;YACrE,CAAC,CAAC,IAAI,CAAC;QACT,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,CACzB,QAAQ,EACR,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,CACnC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,sEAAsE;IACtE,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,SA
AS,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACpD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7D,mEAAmE;QACnE,qEAAqE;QACrE,kEAAkE;QAClE,6DAA6D;QAC7D,iEAAiE;QACjE,iEAAiE;QACjE,gEAAgE;QAChE,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU;YACpC,CAAC,CAAC,gBAAgB,QAAQ,CAAC,UAAU,eAAe,SAAS,MAAM;YACnE,CAAC,CAAC,EAAE,CAAC;QACP,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,+DAA+D;QAC/D,iEAAiE;QACjE,kEAAkE;QAClE,8DAA8D;QAC9D,0DAA0D;QAC1D,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC5E,2DAA2D;QAC3D,6DAA6D;QAC7D,+DAA+D;QAC/D,4DAA4D;QAC5D,8DAA8D;QAC9D,4DAA4D;QAC5D,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,UAAkB,CAAC;QACvB,IAAI,cAAc,EAAE,EAAE,EAAE,CAAC;YACvB,UAAU,GAAG,iBAAiB,CAAC,cAAc,CAAC,EAAE,EAAE;gBAChD,GAAG,QAAQ,CAAC,aAAa;gBACzB,UAAU,EAAE,SAAS;aACtB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,cAAc,GAAG,eAAe,CACpC,cAAc,EAAE,SAAS,EACzB,QAAQ,CAAC,aAAa,CACvB,CAAC;YACF,UAAU,GAAG,GAAG,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,MAAM,IAAI,UAAU,GAAG,cAAc,EAAE,CAAC;QAC3F,CAAC;QACD,MAAM,KAAK,GAAmB;YAC5B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,UAAU;SACnB,CAAC;QACF,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,eAAe,KAAK,YAAY,EAAE,CAAC;YACnD,KAAK,CAAC,kBAAkB,GAAG;gBACzB,aAAa,EAAE,YAAY;gBAC3B,kBAAkB,EAAE,MAAM;gBAC1B,+DAA+D;gBAC/D,8DAA8D;gBAC9D,wBAAwB,EAAE,UAAU;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC"}
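--- a/package/dist/runtime/kube-context.d.ts
+++ b/package/dist/runtime/kube-context.d.ts
@@ -0,0 +1,16 @@
+export interface KubeContext {
+/** Current context name, or "" when unresolved. */
+context: string;
+/** Namespace of the current context, or "" when unresolved. */
+namespace: string;
+}
+export interface ResolveKubeContextOptions {
+/** Override the kubeconfig path (tests). Defaults to `~/.kube/config`. */
+kubeconfigPath?: string;
+}
+/**
+* Resolve `{ context, namespace }` from `~/.kube/config`. Returns empty
+* strings when the file is absent, unparseable, or declares no
+* `current-context`.
+*/
+export declare function resolveKubeContext(opts?: ResolveKubeContextOptions): KubeContext;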
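--- a/package/dist/runtime/kube-context.js
+++ b/package/dist/runtime/kube-context.js
@@ -0,0 +1,63 @@
+// Resolves the current Kubernetes context + namespace from the
+// standard `~/.kube/config`, for the Phase 7 #4 Context Resolver's
+// `kube_context_patterns` / `kube_namespace_patterns` signals.
+//
+// Like `git-context.ts`, this is a deliberate filesystem approximation:
+// it reads `~/.kube/config` directly and does NOT consult `$KUBECONFIG`
+// file lists or in-cluster service-account state. For classifying a
+// target environment those exotic setups are out of the MVP's scope.
+// Every failure path returns empty strings, never throws — callers
+// treat "" as "unknown".
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { parse as parseYaml } from "yaml";
+const EMPTY = { context: "", namespace: "" };
+/**
+* Resolve `{ context, namespace }` from `~/.kube/config`. Returns empty
+* strings when the file is absent, unparseable, or declares no
+* `current-context`.
+*/
+export function resolveKubeContext(opts = {}) {
+const configPath = opts.kubeconfigPath ?? path.join(os.homedir(), ".kube", "config");
+let raw;
+try {
+raw = fs.readFileSync(configPath, "utf8");
+}
+catch {
+return EMPTY;
+}
+let doc;
+try {
+doc = parseYaml(raw);
+}
+catch {
+return EMPTY;
+}
+if (typeof doc !== "object" || doc === null)
+return EMPTY;
+const config = doc;
+const context = typeof config["current-context"] === "string"
+? config["current-context"]
+: "";
+if (context === "")
+return EMPTY;
+let namespace = "";
+if (Array.isArray(config.contexts)) {
+for (const entry of config.contexts) {
+if (typeof entry !== "object" || entry === null)
+continue;
+const e = entry;
+if (e.name !== context)
+continue;
+if (typeof e.context === "object" && e.context !== null) {
+const ns = e.context.namespace;
+if (typeof ns === "string")
+namespace = ns;
+}
+break;
+}
+}
+return { context, namespace };
+}
+//# sourceMappingURL=kube-context.js.map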
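Review bot: The JSDoc on `resolveKubeContext` (file lines 16–20) names only the absent, unparseable and no-`current-context` cases for an empty result, while the module header (file lines 5–10) adds that `$KUBECONFIG` file lists and in-cluster service-account state are never consulted; only the JSDoc is carried into `kube-context.d.ts`, so a consumer of the `kube_context_patterns` / `kube_namespace_patterns` signals who reads the declaration will not learn that a session whose kubeconfig is selected solely through `$KUBECONFIG` presumably also resolves to `""` once `~/.kube/config` is missing. Because the header says callers treat `""` as "unknown", that is exactly the case where a pattern meant to recognise a production cluster silently never fires, so the caveat belongs on the exported contract: suggest adding to the JSDoc `* Also returns empty strings when the kubeconfig is selected only through` / `* \`$KUBECONFIG\` or in-cluster credentials, neither of which is consulted.` A second, minor point: `EMPTY` (file line 15) is one shared mutable object handed back on every failure path, so a caller that assigns to `ctx.namespace` changes what the next caller receives; `const EMPTY = Object.freeze({ context: "", namespace: "" });` closes that without touching the return sites.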
@@ -0,0 +1 @@
1
+
{"version":3,"file":"kube-context.js","sourceRoot":"","sources":["../../src/runtime/kube-context.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,mEAAmE;AACnE,+DAA+D;AAC/D,EAAE;AACF,wEAAwE;AACxE,wEAAwE;AACxE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,yBAAyB;AAEzB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAS1C,MAAM,KAAK,GAAgB,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;AAO1D;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC,EAAE;IAEpC,MAAM,UAAU,GACd,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAEpE,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAE1D,MAAM,MAAM,GAAG,GAA0D,CAAC;IAC1E,MAAM,OAAO,GACX,OAAO,MAAM,CAAC,iBAAiB,CAAC,KAAK,QAAQ;QAC3C,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAC3B,CAAC,CAAC,EAAE,CAAC;IACT,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;gBAAE,SAAS;YAC1D,MAAM,CAAC,GAAG,KAA8C,CAAC;YACzD,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACjC,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;gBACxD,MAAM,EAAE,GAAI,CAAC,CAAC,OAAmC,CAAC,SAAS,CAAC;gBAC5D,IAAI,OAAO,EAAE,KAAK,QAAQ;oBAAE,SAAS,GAAG,EAAE,CAAC;YAC7C,CAAC;YACD,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAChC,CAAC"}
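--- a/package/dist/runtime/ledger-record.d.ts
+++ b/package/dist/runtime/ledger-record.d.ts
@@ -25,6 +25,14 @@ export interface PolicyDecisionPayload {
 matchedCount: number;
 reason: string;
 };
+/**
+* Risk Gate verdicts for the action (Phase 7 #5). Present only when
+* the Risk Gate was active for the event; absent for a pure Phase-4
+* manifest, and absent on any `policy_decision` row recorded before
+* Phase 7 #5 — `harness explain --trace` renders them only when present.
+*/
+risk?: PolicyDecision["risk"];
+environment?: PolicyDecision["environment"];
 evaluatedAt: string;
 }
 export declare function payloadFromDecision(decision: PolicyDecision): PolicyDecisionPayload;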
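--- a/package/dist/runtime/ledger-record.js
+++ b/package/dist/runtime/ledger-record.js
@@ -29,6 +29,8 @@ export function payloadFromDecision(decision) {
 ledgerTag: decision.ledgerTag,
 extractValues: decision.extractValues,
 ...(decision.requiresEval && { requiresEval: decision.requiresEval }),
+...(decision.risk && { risk: decision.risk }),
+...(decision.environment && { environment: decision.environment }),
 evaluatedAt: decision.evaluatedAt,
 };
 }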
@@ -1 +1 @@
1
-
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;
1
+
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;AAqBpC,MAAM,UAAU,mBAAmB,CACjC,QAAwB;IAExB,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,UAAU;QACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,GAAG,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC;QACrE,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7C,GAAG,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAA8B;IAChE,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;AACnF,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAkB,EAClB,OAA8B;IAE9B,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACnD,IAAI,KAAK,CAAC,SAAS,YAAY,IAAI;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;IACtE,OAAO,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAA0B,CAAC;QAC1E,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAwB,E
ACxB,SAAiB,EACjB,IAAyB;IAEzB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC7C,kEAAkE;IAClE,mEAAmE;IACnE,mEAAmE;IACnE,iEAAiE;IACjE,6DAA6D;IAC7D,2DAA2D;IAC3D,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,CAAmC,EAAQ,EAAE;YAC3D,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC,CAAC;QAEF,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB;;;;;WAKG;QACH,MAAM,cAAc,GAAG,GAAS,EAAE;YAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,oBAAoB;wBAC1B,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,GAAS,EAAE;YACjC,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gB
ACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,SAAS,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpC,IAAI,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAG1B,CAAC;wBACF,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;4BAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gCAChB,OAAO,EAAE,KAAK;gCACd,MAAM,EAAE,2BAA2B;6BACpC,CAAC,IAAI,CACP,CAAC;4BACF,cAAc,EAAE,CAAC;4BACjB,UAAU,GAAG,IAAI,CAAC;wBACpB,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,0CAA0C;gCAC1C,mDAAmD;gCACnD,oCAAoC;gCACpC,IAAI,CAAC,YAAY,EAAE,CAAC;oCAClB,eAAe,EAAE,CAAC;oCAClB,OAAO;gCACT,CAAC;gCACD,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;gBACD,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACpC,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAC,EAAE,EAAE,EAAE
,KAAK,EAAE,MAAM,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC;YACzE,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAC3B,kCAAkC;QACpC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,OAAO,EAAE;iBACnE;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAuB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,SAAS,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}
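--- a/package/dist/runtime/risk-classifier.d.ts
+++ b/package/dist/runtime/risk-classifier.d.ts
@@ -0,0 +1,38 @@
+import type { RiskCategory, RiskClassifier, RiskSeverity } from "../schema/index.js";
+import type { ActionEnvelope } from "./action-envelope.js";
+export type RiskConfidence = "high" | "low";
+export interface RiskProfile {
+/** Did any classifier pattern match the action? */
+classified: boolean;
+/**
+* Highest matched severity, or `null` when unclassified. `null` is
+* NOT "low" — see the module header on "unknown is not safe".
+*/
+severity: RiskSeverity | null;
+/** Union of every matched pattern's categories, sorted and deduplicated. */
+categories: RiskCategory[];
+/**
+* `false` when a matched category marks the action irreversible,
+* `true` when classified and nothing marks it irreversible, `null`
+* when unclassified (reversibility is unknown, not assumed).
+*/
+reversible: boolean | null;
+/**
+* `high` for any deterministic rule match, `low` when unclassified.
+* A regex classifier has no real probability; the field is a
+* placeholder for the v2 LLM-assisted classifier, where a graded
+* confidence becomes meaningful.
+*/
+confidence: RiskConfidence;
+/** One human-readable line per matched pattern, or the no-match note. */
+reasons: string[];
+}
+/**
+* Classify an Action Envelope against the manifest's risk classifiers.
+*
+* Pure: envelope + classifiers in, profile out, no I/O. Multiple
+* matching patterns compose — highest severity wins, categories union,
+* one `reasons` line per hit. An envelope no pattern matches yields the
+* honest unclassified profile (`classified: false`, `severity: null`).
+*/
+export declare function classifyRisk(envelope: ActionEnvelope, classifiers: readonly RiskClassifier[]): RiskProfile;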
@@ -0,0 +1,148 @@
|
|
|
1
|
+
// Phase 7 #3 — Risk Classifier.
|
|
2
|
+
//
|
|
3
|
+
// Assigns an Action Envelope a risk profile by regex-matching the
|
|
4
|
+
// manifest's `risk.classifiers[]` against the action. The first Risk
|
|
5
|
+
// Gate stage that reads the `risk:` schema vocabulary shipped in
|
|
6
|
+
// Phase 7 #1.
|
|
7
|
+
//
|
|
8
|
+
// STATUS: invoked by `harness test-risk` (Phase 7 #3). NOT yet consumed
|
|
9
|
+
// by `harness policy intercept` — wiring the runtime through the
|
|
10
|
+
// classifier is Phase 7 #5. See docs/risk-gate.md and docs/ROADMAP.md.
|
|
11
|
+
//
|
|
12
|
+
// "Unknown is not safe": an envelope no pattern matches yields a
|
|
13
|
+
// profile with `classified: false` and `severity: null`, deliberately
|
|
14
|
+
// NOT a low/zero-risk profile. The Phase 7 #5 policy evaluator must
|
|
15
|
+
// treat an unclassified action as risk-bearing rather than allow it by
|
|
16
|
+
// default; this module's job is only to report the unclassified state
|
|
17
|
+
// honestly.
|
|
18
|
+
//
|
|
19
|
+
// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
|
|
20
|
+
// (design phase B).
|
|
21
|
+
import { RiskSeveritySchema } from "../schema/index.js";
|
|
22
|
+
import { expandToolNameAliases, extractShellCommand } from "./tool-name-aliases.js";
|
|
23
|
+
// Ordered severity scale: a value's index here is the comparison key
|
|
24
|
+
// for "highest matched severity wins". Sourced from the schema enum so
|
|
25
|
+
// a future reordering there flows through unchanged.
|
|
26
|
+
const SEVERITY_ORDER = RiskSeveritySchema.options;
|
|
27
|
+
// Categories that mean the action does not cleanly undo itself. When a
|
|
28
|
+
// matched pattern carries any of these the profile is `reversible:
|
|
29
|
+
// false`. `destructive` and `data_loss` are included alongside the
|
|
30
|
+
// explicit `irreversible_action`: a regex classifier cannot prove an
|
|
31
|
+
// action is safely undoable, and the Risk Gate exists to err toward
|
|
32
|
+
// caution. A genuinely destructive-but-reversible action simply should
|
|
33
|
+
// not be tagged `destructive` by its classifier author.
|
|
34
|
+
const IRREVERSIBLE_CATEGORIES = new Set(["irreversible_action", "data_loss", "destructive"]);
|
|
35
|
+
// Hot-path ReDoS guard (Phase 7 #6). As of Phase 7 #5/#6 the classifier
|
|
36
|
+
// runs operator-authored regexes against tool input on EVERY PreToolUse
|
|
37
|
+
// call inside `harness policy intercept`. Catastrophic-backtracking cost
|
|
38
|
+
// scales with input length, so the match subject is capped before any
|
|
39
|
+
// pattern runs. This bounds the input-length-driven blow-up — the common
|
|
40
|
+
// failure mode for a tool call that pipes a large blob through Bash.
|
|
41
|
+
//
|
|
42
|
+
// It is a mitigation, not a complete fix: harness does NOT screen the
|
|
43
|
+
// classifier patterns themselves for catastrophic backtracking. A
|
|
44
|
+
// manifest is operator-trusted config — the same contract already stated
|
|
45
|
+
// for `environments.resolvers[].kube_context_patterns` in
|
|
46
|
+
// docs/risk-gate.md. A pathological *pattern* is a self-inflicted hazard.
|
|
47
|
+
//
|
|
48
|
+
// 16 KiB comfortably covers any real shell command or serialized tool
|
|
49
|
+
// input. A genuinely dangerous command longer than the cap still does
|
|
50
|
+
// not slip the gate: its head (where `rm -rf` / `terraform destroy` /
|
|
51
|
+
// `kubectl delete` live) is within the cap, and an action that ends up
|
|
52
|
+
// unclassified is treated as risk-bearing by the `when:` evaluator.
|
|
53
|
+
const MAX_SUBJECT_LENGTH = 16 * 1024;
|
|
54
|
+
/**
|
|
55
|
+
* The string a classifier's patterns are regex-matched against. For a
|
|
56
|
+
* shell-class tool (or any tool whose input carries a `command` / `cmd`
|
|
57
|
+
* field) it is that command. For other tools it is the serialized raw
|
|
58
|
+
* input — blunt, but it keeps non-shell classifiers usable in the MVP.
|
|
59
|
+
*
|
|
60
|
+
* The result is capped at `MAX_SUBJECT_LENGTH` (ReDoS guard, see above).
|
|
61
|
+
*/
|
|
62
|
+
function subjectFor(envelope) {
|
|
63
|
+
const subject = rawSubjectFor(envelope);
|
|
64
|
+
return subject.length > MAX_SUBJECT_LENGTH
|
|
65
|
+
? subject.slice(0, MAX_SUBJECT_LENGTH)
|
|
66
|
+
: subject;
|
|
67
|
+
}
|
|
68
|
+
function rawSubjectFor(envelope) {
|
|
69
|
+
const command = extractShellCommand({ raw_input: envelope.raw_input });
|
|
70
|
+
if (command !== null)
|
|
71
|
+
return command;
|
|
72
|
+
const raw = envelope.raw_input;
|
|
73
|
+
if (raw === null || raw === undefined)
|
|
74
|
+
return "";
|
|
75
|
+
if (typeof raw === "string")
|
|
76
|
+
return raw;
|
|
77
|
+
try {
|
|
78
|
+
return JSON.stringify(raw);
|
|
79
|
+
}
|
|
80
|
+
catch {
|
|
81
|
+
return "";
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
/** A classifier applies when its `tool` is an alias of the envelope's tool. */
|
|
85
|
+
function classifierApplies(classifier, envelope) {
|
|
86
|
+
return expandToolNameAliases(envelope.tool).includes(classifier.tool);
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Classify an Action Envelope against the manifest's risk classifiers.
|
|
90
|
+
*
|
|
91
|
+
* Pure: envelope + classifiers in, profile out, no I/O. Multiple
|
|
92
|
+
* matching patterns compose — highest severity wins, categories union,
|
|
93
|
+
* one `reasons` line per hit. An envelope no pattern matches yields the
|
|
94
|
+
* honest unclassified profile (`classified: false`, `severity: null`).
|
|
95
|
+
*/
|
|
96
|
+
export function classifyRisk(envelope, classifiers) {
|
|
97
|
+
const applicable = classifiers.filter((c) => classifierApplies(c, envelope));
|
|
98
|
+
const subject = subjectFor(envelope);
|
|
99
|
+
const categories = new Set();
|
|
100
|
+
const reasons = [];
|
|
101
|
+
let severityIdx = -1;
|
|
102
|
+
for (const classifier of applicable) {
|
|
103
|
+
for (const pat of classifier.patterns) {
|
|
104
|
+
let re;
|
|
105
|
+
try {
|
|
106
|
+
re = new RegExp(pat.pattern);
|
|
107
|
+
}
|
|
108
|
+
catch {
|
|
109
|
+
// The schema regex-validates patterns at parse time; this guard
|
|
110
|
+
// only covers a manifest that bypassed `harness validate`.
|
|
111
|
+
continue;
|
|
112
|
+
}
|
|
113
|
+
if (!re.test(subject))
|
|
114
|
+
continue;
|
|
115
|
+
for (const cat of pat.categories)
|
|
116
|
+
categories.add(cat);
|
|
117
|
+
const idx = SEVERITY_ORDER.indexOf(pat.severity);
|
|
118
|
+
if (idx > severityIdx)
|
|
119
|
+
severityIdx = idx;
|
|
120
|
+
reasons.push(`classifier "${classifier.name}" pattern /${pat.pattern}/ matched: ` +
|
|
121
|
+
`severity ${pat.severity}, categories [${pat.categories.join(", ")}]`);
|
|
122
|
+
}
|
|
123
|
+
}
|
|
124
|
+
if (severityIdx === -1) {
|
|
125
|
+
return {
|
|
126
|
+
classified: false,
|
|
127
|
+
severity: null,
|
|
128
|
+
categories: [],
|
|
129
|
+
reversible: null,
|
|
130
|
+
confidence: "low",
|
|
131
|
+
reasons: [
|
|
132
|
+
applicable.length === 0
|
|
133
|
+
? `no risk classifier is declared for tool "${envelope.tool}"`
|
|
134
|
+
: `no classifier pattern matched the action for tool "${envelope.tool}"`,
|
|
135
|
+
],
|
|
136
|
+
};
|
|
137
|
+
}
|
|
138
|
+
const sortedCategories = [...categories].sort();
|
|
139
|
+
return {
|
|
140
|
+
classified: true,
|
|
141
|
+
severity: SEVERITY_ORDER[severityIdx],
|
|
142
|
+
categories: sortedCategories,
|
|
143
|
+
reversible: !sortedCategories.some((c) => IRREVERSIBLE_CATEGORIES.has(c)),
|
|
144
|
+
confidence: "high",
|
|
145
|
+
reasons,
|
|
146
|
+
};
|
|
147
|
+
}
|
|
148
|
+
//# sourceMappingURL=risk-classifier.js.map
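Review bot: The 16 KiB cap in `subjectFor` is a gate bypass whenever the head of the input matches a low-severity pattern: a command of the form `echo ok # <16 KiB of padding>` followed by `rm -rf /` is classified from its head alone, comes back `classified: true` with the low severity, and the `when:` evaluator then compares real values instead of applying the unclassified fallback, so a `risk.severity_at_least: high` gate never fires. The comment above `MAX_SUBJECT_LENGTH` only covers the case where nothing matches at all. Truncation should fail closed the same way an unmatched action does: have `subjectFor` report that it cut the subject and return the unclassified profile in that case, keeping the head's hits in `reasons` for `explain`. Separately, `new RegExp(pat.pattern)` is recompiled for every pattern on every PreToolUse call; compiling once per manifest load would keep the hot path cheaper, though it is not a correctness issue.
```javascript
function subjectFor(envelope) {
    const subject = rawSubjectFor(envelope);
    if (subject.length <= MAX_SUBJECT_LENGTH)
        return { subject, truncated: false };
    return { subject: subject.slice(0, MAX_SUBJECT_LENGTH), truncated: true };
}
// … unchanged: rawSubjectFor, classifierApplies …
export function classifyRisk(envelope, classifiers) {
    const applicable = classifiers.filter((c) => classifierApplies(c, envelope));
    const { subject, truncated } = subjectFor(envelope);
    // … unchanged: categories / reasons / severityIdx and the pattern loop …
    if (severityIdx === -1 || truncated) {
        // A hit in the head says nothing about the tail that was cut off, so an
        // over-cap input is reported as unclassified and fails closed downstream.
        return {
            classified: false,
            severity: null,
            categories: [],
            reversible: null,
            confidence: "low",
            reasons: [
                truncated
                    ? `tool input exceeded ${MAX_SUBJECT_LENGTH} characters; only the head was inspected, so the action is left unclassified`
                    : applicable.length === 0
                        ? `no risk classifier is declared for tool "${envelope.tool}"`
                        : `no classifier pattern matched the action for tool "${envelope.tool}"`,
                ...reasons,
            ],
        };
    }
    // … unchanged: classified profile …
```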
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF,wEAAwE;AACxE,wEAAwE;AACxE,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,qEAAqE;AACrE,EAAE;AACF,sEAAsE;AACtE,kEAAkE;AAClE,yEAAyE;AACzE,0DAA0D;AAC1D,0EAA0E;AAC1E,EAAE;AACF,sEAAsE;AACtE,sEAAsE;AACtE,sEAAsE;AACtE,uEAAuE;AACvE,oEAAoE;AACpE,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,UAAU,CAAC,QAAwB;IAC1C,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACxC,OAAO,OAAO,CAAC,MAAM,GAAG,kBAAkB;QACxC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC;QACtC,CAAC,CAAC,OAAO,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,QAAwB;IAC7C,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IACvE,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,OAAO,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CACxB,UAA0B,EAC1B,QAAwB;IAExB,OAAO,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,QAAwB,EACxB,WAAsC;IAEtC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,
UAAU,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAgB,CAAC;IAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;IAErB,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,2DAA2D;gBAC3D,SAAS;YACX,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAChC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,GAAG,GAAG,WAAW;gBAAE,WAAW,GAAG,GAAG,CAAC;YACzC,OAAO,CAAC,IAAI,CACV,eAAe,UAAU,CAAC,IAAI,cAAc,GAAG,CAAC,OAAO,aAAa;gBAClE,YAAY,GAAG,CAAC,QAAQ,iBAAiB,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACP,UAAU,CAAC,MAAM,KAAK,CAAC;oBACrB,CAAC,CAAC,4CAA4C,QAAQ,CAAC,IAAI,GAAG;oBAC9D,CAAC,CAAC,sDAAsD,QAAQ,CAAC,IAAI,GAAG;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,cAAc,CAAC,WAAW,CAAE;QACtC,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,UAAU,EAAE,MAAM;QAClB,OAAO;KACR,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
import type { PolicyWhen } from "../schema/index.js";
|
|
2
|
+
import type { EnvironmentResolution } from "./environment-resolver.js";
|
|
3
|
+
import type { RiskProfile } from "./risk-classifier.js";
|
|
4
|
+
/** The enriched-envelope inputs a `when:` block is evaluated against. */
|
|
5
|
+
export interface WhenContext {
|
|
6
|
+
risk: RiskProfile;
|
|
7
|
+
environment: EnvironmentResolution;
|
|
8
|
+
}
|
|
9
|
+
/** The four `when:` clause keys, exactly as they appear in the manifest. */
|
|
10
|
+
export type WhenClauseKey = "risk.severity_at_least" | "risk.category_in" | "environment.name" | "action.reversible";
|
|
11
|
+
/** One declared clause's verdict, carried for explainability. */
|
|
12
|
+
export interface WhenClauseResult {
|
|
13
|
+
clause: WhenClauseKey;
|
|
14
|
+
/** Human-readable expected value, as written in the manifest. */
|
|
15
|
+
expected: string;
|
|
16
|
+
/** Human-readable observed value, from the enriched envelope. */
|
|
17
|
+
actual: string;
|
|
18
|
+
matched: boolean;
|
|
19
|
+
}
|
|
20
|
+
export interface WhenEvaluation {
|
|
21
|
+
/** AND of every declared clause. A `when:` with no clauses cannot be
|
|
22
|
+
* constructed (the schema rejects `when: {}`), so an evaluated
|
|
23
|
+
* `when:` always has at least one clause. */
|
|
24
|
+
matched: boolean;
|
|
25
|
+
/** One entry per DECLARED clause, in manifest-key order. */
|
|
26
|
+
clauses: WhenClauseResult[];
|
|
27
|
+
/** True when at least one clause matched only because the action was
|
|
28
|
+
* unclassified ("unknown is not safe"). Surfaced so `explain-policy`
|
|
29
|
+
* can tell an operator a match was fail-closed, not a real hit. */
|
|
30
|
+
unclassifiedFallback: boolean;
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Evaluate a policy's `when:` block against the enriched envelope.
|
|
34
|
+
*
|
|
35
|
+
* Every clause is optional; only declared clauses are evaluated, and
|
|
36
|
+
* `matched` is their AND. An unclassified risk profile (`classified:
|
|
37
|
+
* false`) satisfies the three risk-derived clauses by the "unknown is
|
|
38
|
+
* not safe" rule; `environment.name` is always a plain equality test.
|
|
39
|
+
*/
|
|
40
|
+
export declare function evaluateWhen(when: PolicyWhen, ctx: WhenContext): WhenEvaluation;
|
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
// Phase 7 #5 — `policy.when:` evaluator.
|
|
2
|
+
//
|
|
3
|
+
// A policy's `trigger:` decides WHICH tool calls it inspects; its
|
|
4
|
+
// optional `when:` block decides whether — given the enriched Action
|
|
5
|
+
// Envelope — the policy actually applies to this particular call. The
|
|
6
|
+
// runtime ANDs the two: a policy fires only when `trigger:` AND every
|
|
7
|
+
// declared `when:` clause hold.
|
|
8
|
+
//
|
|
9
|
+
// Pure: the risk profile (#3) + environment resolution (#4) come in, a
|
|
10
|
+
// match verdict with a per-clause breakdown comes out, no I/O. The
|
|
11
|
+
// breakdown is what `harness explain-policy` renders.
|
|
12
|
+
//
|
|
13
|
+
// "Unknown is not safe" — the load-bearing decision in this module.
|
|
14
|
+
// The Risk Classifier emits `severity: null` / `reversible: null` /
|
|
15
|
+
// `categories: []` for an action no pattern matched (`classified:
|
|
16
|
+
// false`). A null does not silently fail to satisfy a clause: an
|
|
17
|
+
// UNCLASSIFIED action satisfies every `risk.*` / `action.reversible`
|
|
18
|
+
// clause, so a risk-gating policy treats "we could not classify this"
|
|
19
|
+
// as risk-bearing rather than letting it slip the gate. A *classified*
|
|
20
|
+
// action is compared on its real values. `environment.name` needs no
|
|
21
|
+
// such rule: the resolver always returns a concrete environment, with
|
|
22
|
+
// `unknown` as the matchable no-resolver-fired case.
|
|
23
|
+
//
|
|
24
|
+
// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
|
|
25
|
+
// (design phase D); the null-handling steer is the Phase 7 #3 review
|
|
26
|
+
// note on agent-tasks task harness-phase-7-5.
|
|
27
|
+
import { RiskSeveritySchema } from "../schema/index.js";
|
|
28
|
+
// Ordered severity scale; an index is the comparison key for
|
|
29
|
+
// `severity_at_least`. Sourced from the schema enum so a reordering
|
|
30
|
+
// there flows through unchanged — same pattern as the Risk Classifier.
|
|
31
|
+
const SEVERITY_ORDER = RiskSeveritySchema.options;
|
|
32
|
+
function severityIndex(severity) {
|
|
33
|
+
return SEVERITY_ORDER.indexOf(severity);
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Evaluate a policy's `when:` block against the enriched envelope.
|
|
37
|
+
*
|
|
38
|
+
* Every clause is optional; only declared clauses are evaluated, and
|
|
39
|
+
* `matched` is their AND. An unclassified risk profile (`classified:
|
|
40
|
+
* false`) satisfies the three risk-derived clauses by the "unknown is
|
|
41
|
+
* not safe" rule; `environment.name` is always a plain equality test.
|
|
42
|
+
*/
|
|
43
|
+
export function evaluateWhen(when, ctx) {
|
|
44
|
+
const clauses = [];
|
|
45
|
+
let unclassifiedFallback = false;
|
|
46
|
+
const unclassified = !ctx.risk.classified;
|
|
47
|
+
const sevAtLeast = when["risk.severity_at_least"];
|
|
48
|
+
if (sevAtLeast !== undefined) {
|
|
49
|
+
let matched;
|
|
50
|
+
let actual;
|
|
51
|
+
if (unclassified) {
|
|
52
|
+
// severity is null — treat as risk-bearing: satisfies any threshold.
|
|
53
|
+
matched = true;
|
|
54
|
+
actual = "null (unclassified)";
|
|
55
|
+
unclassifiedFallback = true;
|
|
56
|
+
}
|
|
57
|
+
else {
|
|
58
|
+
matched =
|
|
59
|
+
severityIndex(ctx.risk.severity) >= severityIndex(sevAtLeast);
|
|
60
|
+
actual = ctx.risk.severity;
|
|
61
|
+
}
|
|
62
|
+
clauses.push({
|
|
63
|
+
clause: "risk.severity_at_least",
|
|
64
|
+
expected: `>= ${sevAtLeast}`,
|
|
65
|
+
actual,
|
|
66
|
+
matched,
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
const categoryIn = when["risk.category_in"];
|
|
70
|
+
if (categoryIn !== undefined) {
|
|
71
|
+
let matched;
|
|
72
|
+
let actual;
|
|
73
|
+
if (unclassified) {
|
|
74
|
+
// categories is [] — treat as risk-bearing, consistent with the
|
|
75
|
+
// severity clause: an unclassified action satisfies every risk
|
|
76
|
+
// clause so a multi-clause `when:` cannot be slipped by one
|
|
77
|
+
// clause matching null while another fails an empty set.
|
|
78
|
+
matched = true;
|
|
79
|
+
actual = "[] (unclassified)";
|
|
80
|
+
unclassifiedFallback = true;
|
|
81
|
+
}
|
|
82
|
+
else {
|
|
83
|
+
matched = categoryIn.some((c) => ctx.risk.categories.includes(c));
|
|
84
|
+
actual =
|
|
85
|
+
ctx.risk.categories.length > 0
|
|
86
|
+
? `[${ctx.risk.categories.join(", ")}]`
|
|
87
|
+
: "[]";
|
|
88
|
+
}
|
|
89
|
+
clauses.push({
|
|
90
|
+
clause: "risk.category_in",
|
|
91
|
+
expected: `any of [${categoryIn.join(", ")}]`,
|
|
92
|
+
actual,
|
|
93
|
+
matched,
|
|
94
|
+
});
|
|
95
|
+
}
|
|
96
|
+
const envName = when["environment.name"];
|
|
97
|
+
if (envName !== undefined) {
|
|
98
|
+
clauses.push({
|
|
99
|
+
clause: "environment.name",
|
|
100
|
+
expected: envName,
|
|
101
|
+
actual: ctx.environment.name,
|
|
102
|
+
matched: ctx.environment.name === envName,
|
|
103
|
+
});
|
|
104
|
+
}
|
|
105
|
+
const reversible = when["action.reversible"];
|
|
106
|
+
if (reversible !== undefined) {
|
|
107
|
+
let matched;
|
|
108
|
+
let actual;
|
|
109
|
+
if (unclassified) {
|
|
110
|
+
// reversible is null — reversibility unknown. "Unknown is not
|
|
111
|
+
// safe": the clause matches whichever value the policy gates on,
|
|
112
|
+
// so an unclassified action never escapes a reversibility gate.
|
|
113
|
+
matched = true;
|
|
114
|
+
actual = "null (unclassified)";
|
|
115
|
+
unclassifiedFallback = true;
|
|
116
|
+
}
|
|
117
|
+
else {
|
|
118
|
+
matched = ctx.risk.reversible === reversible;
|
|
119
|
+
actual = String(ctx.risk.reversible);
|
|
120
|
+
}
|
|
121
|
+
clauses.push({
|
|
122
|
+
clause: "action.reversible",
|
|
123
|
+
expected: String(reversible),
|
|
124
|
+
actual,
|
|
125
|
+
matched,
|
|
126
|
+
});
|
|
127
|
+
}
|
|
128
|
+
return {
|
|
129
|
+
matched: clauses.every((c) => c.matched),
|
|
130
|
+
clauses,
|
|
131
|
+
unclassifiedFallback,
|
|
132
|
+
};
|
|
133
|
+
}
|
|
134
|
+
//# sourceMappingURL=when-eval.js.map
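Review bot: `matched: clauses.every((c) => c.matched)` relies on vacuous truth when no clause was recognised, and the function silently drops any `when:` key outside the four it reads, so a manifest whose `when:` keys were all let through unrecognised would fire the policy unconditionally with an empty `clauses` breakdown; whether that can happen depends on how strictly `PolicyWhen` is parsed, which is not visible here. That outcome is fail-closed for a gating policy but invisible to `explain-policy`, so it deserves a comment at the return: `// every() on [] is true: a when: with no recognised clause fires unconditionally; the schema is expected to reject such a block.` The three unclassified branches (severity, category, reversible) also repeat the same set-matched/set-actual/set-flag sequence; a small helper taking the clause key, the expected string and a `(risk) => [matched, actual]` callback for the classified case would make the fallback rule live in exactly one place.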
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"when-eval.js","sourceRoot":"","sources":["../../src/runtime/when-eval.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,gCAAgC;AAChC,EAAE;AACF,uEAAuE;AACvE,mEAAmE;AACnE,sDAAsD;AACtD,EAAE;AACF,oEAAoE;AACpE,oEAAoE;AACpE,kEAAkE;AAClE,iEAAiE;AACjE,qEAAqE;AACrE,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,sEAAsE;AACtE,qDAAqD;AACrD,EAAE;AACF,yEAAyE;AACzE,qEAAqE;AACrE,8CAA8C;AAG9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAIxD,6DAA6D;AAC7D,oEAAoE;AACpE,uEAAuE;AACvE,MAAM,cAAc,GAAsB,kBAAkB,CAAC,OAAO,CAAC;AAsCrE,SAAS,aAAa,CAAC,QAAgB;IACrC,OAAO,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAgB,EAChB,GAAgB;IAEhB,MAAM,OAAO,GAAuB,EAAE,CAAC;IACvC,IAAI,oBAAoB,GAAG,KAAK,CAAC;IACjC,MAAM,YAAY,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;IAE1C,MAAM,UAAU,GAAG,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAClD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QACnB,IAAI,YAAY,EAAE,CAAC;YACjB,qEAAqE;YACrE,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,qBAAqB,CAAC;YAC/B,oBAAoB,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAS,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,QAAS,CAAC;QAC9B,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,wBAAwB;YAChC,QAAQ,EAAE,MAAM,UAAU,EAAE;YAC5B,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC5C,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QACnB,IAAI,YAAY,EAAE,CAAC;YACjB,gEAAgE;YAChE,+DAA+D;YAC/D,4DAA4D;YAC5D,yDAAyD;YACzD,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,mBAAmB,CAAC;YAC7B,oBAAoB,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAClE,MAAM;gBACJ,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;oBAC5B,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;oBACvC,CAAC,CAAC,IAAI,CAAC;QACb,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;
YACX,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,WAAW,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YAC7C,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI;YAC5B,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,OAAO;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QACnB,IAAI,YAAY,EAAE,CAAC;YACjB,8DAA8D;YAC9D,iEAAiE;YACjE,gEAAgE;YAChE,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,qBAAqB,CAAC;YAC/B,oBAAoB,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,UAAU,CAAC;YAC7C,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,mBAAmB;YAC3B,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;YAC5B,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;QACxC,OAAO;QACP,oBAAoB;KACrB,CAAC;AACJ,CAAC"}
|