@lannguyensi/harness 0.26.0 → 0.27.0
- package/CHANGELOG.md +16 -0
- package/dist/cli/approve/risk.d.ts +43 -0
- package/dist/cli/approve/risk.js +126 -0
- package/dist/cli/approve/risk.js.map +1 -0
- package/dist/cli/audit.js +8 -2
- package/dist/cli/audit.js.map +1 -1
- package/dist/cli/doctor/format.js +24 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.js +26 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/types.d.ts +23 -0
- package/dist/cli/event-input.js +8 -7
- package/dist/cli/event-input.js.map +1 -1
- package/dist/cli/explain-policy.d.ts +54 -0
- package/dist/cli/explain-policy.js +81 -0
- package/dist/cli/explain-policy.js.map +1 -0
- package/dist/cli/explain.js +4 -0
- package/dist/cli/explain.js.map +1 -1
- package/dist/cli/index.js +70 -4
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +98 -0
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/policy/intercept.d.ts +10 -0
- package/dist/cli/policy/intercept.js +34 -1
- package/dist/cli/policy/intercept.js.map +1 -1
- package/dist/runtime/index.d.ts +2 -1
- package/dist/runtime/index.js +2 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/intercept.d.ts +60 -3
- package/dist/runtime/intercept.js +104 -6
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/ledger-record.d.ts +8 -0
- package/dist/runtime/ledger-record.js +2 -0
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/runtime/risk-classifier.js +27 -0
- package/dist/runtime/risk-classifier.js.map +1 -1
- package/dist/runtime/when-eval.d.ts +40 -0
- package/dist/runtime/when-eval.js +134 -0
- package/dist/runtime/when-eval.js.map +1 -0
- package/dist/schema/index.d.ts +11 -11
- package/dist/schema/policies.d.ts +13 -13
- package/dist/schema/policies.js +20 -8
- package/dist/schema/policies.js.map +1 -1
- package/package.json +1 -1
|
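--- a/package/dist/runtime/intercept.js
+++ b/package/dist/runtime/intercept.js
@@ -7,11 +7,45 @@
 // that wraps this.
 import { evaluateExtract, evaluateRequires, parseDurationSeconds, substituteTemplate, } from "../policies/index.js";
 import { renderProducers } from "../policies/producers.js";
+import { buildActionEnvelope } from "./action-envelope.js";
 import { renderAgentFacing } from "./agent-facing.js";
+import { resolveEnvironment, } from "./environment-resolver.js";
 import { POLICY_DECISION_TYPE } from "./ledger-record.js";
+import { classifyRisk } from "./risk-classifier.js";
 import { resolveSessionId } from "./session-id.js";
 import { expandToolNameAliases, extractShellCommand, } from "./tool-name-aliases.js";
-
+import { evaluateWhen } from "./when-eval.js";
+/**
+* Build the Action Envelope for an event and run it through the Risk
+* Classifier (#3) and Context Resolver (#4). Pure: every host fact
+* arrives via `riskContext`; when it is absent the envelope is built
+* from the event alone (unclassified risk, `unknown` environment).
+*/
+function enrichEnvelope(manifest, event, riskContext, now) {
+const rc = riskContext;
+const envelope = buildActionEnvelope(event, {
+cwd: rc?.cwd ?? (typeof event.cwd === "string" ? event.cwd : ""),
+git: rc?.git ?? { repo: "", branch: "", sha: "" },
+user: rc?.user ?? "",
+host: rc?.host ?? "",
+now: now ?? new Date(),
+});
+const risk = classifyRisk(envelope, manifest.risk.classifiers);
+const environment = resolveEnvironment(envelope, manifest.environments.resolvers, {
+env: rc?.env ?? {},
+kubeContext: rc?.kubeContext ?? "",
+kubeNamespace: rc?.kubeNamespace ?? "",
+});
+return { risk, environment };
+}
+/**
+* Does a policy's `trigger:` match this event? This is the WHICH-tool-
+* calls filter; the WHETHER-it-applies filter is `policy.when:`,
+* evaluated separately (`evaluateWhen`). A policy fires only when both
+* hold. Exported so `harness explain-policy` can report the trigger
+* verdict on its own.
+*/
+export function policyMatchesEvent(policy, event) {
 if (policy.trigger.event !== event.hook_event_name)
 return false;
 if (policy.trigger.match !== undefined) {
@@ -46,6 +80,35 @@ function buildEventContext(event) {
 git: {},
 };
 }
+/** Map a failed-`requires` policy to its decision outcome by enforcement. */
+function outcomeForFailedRequires(enforcement) {
+switch (enforcement) {
+case "block":
+return "deny";
+case "warn":
+return "warn";
+case "require_approval":
+return "require_approval";
+}
+}
+/**
+* Does a decision abort the tool call? Phase 7 #6 makes the Risk Gate
+* authoritative at the `PreToolUse` boundary:
+* - `deny` aborts (a `block`-enforcement policy whose requires failed,
+* the Phase 4 mechanism, unchanged).
+* - `require_approval` aborts until the approval evidence exists. In
+* Phase 7 #5 this outcome was returned but did not block; #6 makes
+* it block. The approval tag is satisfiable through the policy's
+* `requires:` (an operator runs `harness approve risk`); once the
+* tag is on record the requires evaluation passes and the outcome
+* is `allow` instead.
+* - `allow` / `warn` / `warn-degraded` never abort.
+*/
+function isBlockingDecision(d) {
+if (d.outcome === "deny")
+return d.enforcement === "block";
+return d.outcome === "require_approval";
+}
 async function evaluateOnePolicy(policy, options) {
 const evaluatedAt = (options.now ?? new Date()).toISOString();
 const ctx = buildEventContext(options.event);
@@ -130,7 +193,14 @@ async function evaluateOnePolicy(policy, options) {
 evaluatedAt,
 };
 }
-
+// Four-way decision (Phase 7 #5). A satisfied `requires` always
+// `allow`s; a failed one is mapped by the policy's enforcement —
+// `block` → `deny`, `warn` → `warn`, `require_approval` →
+// `require_approval`. The evaluator only RETURNS `require_approval`
+// here; Phase 7 #6 makes it block.
+const outcome = evaluation.allowed
+? "allow"
+: outcomeForFailedRequires(policy.enforcement);
 return {
 policyName: policy.name,
 enforcement: policy.enforcement,
@@ -168,19 +238,47 @@ function filterEntriesByTag(entries, tag) {
 (e.source !== undefined && e.source.includes(tag))));
 }
 export async function intercept(options) {
-const
+const { manifest, event } = options;
+// The Risk Gate is active only when some policy declares a `when:`
+// block. A manifest with none — every Phase 4 / 5 / 6 manifest — skips
+// envelope enrichment entirely: no `buildActionEnvelope`, no
+// classifier, no resolver, and decisions carry no `risk` / `environment`.
+// That keeps such manifests byte-for-byte identical to pre-Phase-7-#5.
+const riskGateActive = manifest.policies.some((p) => p.when !== undefined);
+const enriched = riskGateActive
+? enrichEnvelope(manifest, event, options.riskContext, options.now)
+: undefined;
+// A policy fires only when its `trigger:` matches AND — when declared
+// — every `when:` clause holds against the enriched envelope.
+const matching = manifest.policies.filter((p) => {
+if (!policyMatchesEvent(p, event))
+return false;
+if (p.when === undefined)
+return true;
+// `enriched` is defined here: a policy with `when:` set `riskGateActive`.
+return evaluateWhen(p.when, enriched).matched;
+});
 const decisions = [];
 for (const policy of matching) {
-const
+const base = await evaluateOnePolicy(policy, options);
+// Attach the per-event Risk Gate verdicts so `harness audit` /
+// `explain --trace` can replay the classification + environment
+// that the `when:` match was made against.
+const decision = enriched
+? { ...base, risk: enriched.risk, environment: enriched.environment }
+: base;
 decisions.push(decision);
 try {
-await options.ledger.record(decision, resolveSessionId(
+await options.ledger.record(decision, resolveSessionId(event.session_id));
 }
 catch {
 /* audit-write failure must not block; the decision is still applied. */
 }
 }
-
+// First blocking decision wins the envelope. `deny` and
+// `require_approval` both abort (Phase 7 #6); the search order is the
+// manifest's policy order, same as Phase 4.
+const blocking = decisions.find(isBlockingDecision);
 if (blocking) {
 const sessionId = resolveSessionId(options.event.session_id);
 // Append the "to satisfy" hint so Claude Code's deny message tells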
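Review bot: When `riskGateActive` is true but `options.riskContext` is undefined, `enrichEnvelope` (first hunk) builds the envelope with empty `git`/`user`/`host` and the environment resolves to `unknown`, so in the `matching` filter of `intercept` any policy whose `when:` is gated on a named environment presumably fails to match, drops out of `matching`, and never reaches the ledger — the environment-gated guard fails open exactly when host-fact resolution broke, and nothing on the decision records that the gate ran degraded. The risk-classifier comment says an unclassified action is treated as risk-bearing by the `when:` evaluator, but no equivalent is stated for an `unknown` environment, and `when-eval.js` is not in this diff. I would pin the intended contract on the `enriched` line: `// NOTE(review): an absent riskContext yields an "unknown" environment — confirm evaluateWhen treats "unknown" as matching every environment clause (fail-closed), else environment-gated policies silently fail open here.` Separately, `outcomeForFailedRequires` in the second hunk has no `default:`, so an enforcement value outside the three cases yields `outcome: undefined`, which `isBlockingDecision` treats as non-blocking; a `default: throw new Error(\`unknown enforcement: ${enforcement}\`);` keeps that fail-closed even if the schema guard is bypassed. The body of `intercept` continues past the end of this hunk.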
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EACL,kBAAkB,GAEnB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAoB,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAuK9C;;;;;GAKG;AACH,SAAS,cAAc,CACrB,QAAkB,EAClB,KAAgB,EAChB,WAAwC,EACxC,GAAqB;IAErB,MAAM,EAAE,GAAG,WAAW,CAAC;IACvB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC1C,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QACjD,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE;QACpB,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE;QACpB,GAAG,EAAE,GAAG,IAAI,IAAI,IAAI,EAAE;KACvB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,kBAAkB,CACpC,QAAQ,EACR,QAAQ,CAAC,YAAY,CAAC,SAAS,EAC/B;QACE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE;QAClB,WAAW,EAAE,EAAE,EAAE,WAAW,IAAI,EAAE;QAClC,aAAa,EAAE,EAAE,EAAE,aAAa,IAAI,EAAE;KACvC,CACF,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,KAAgB;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,eAAe;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACtD,MAAM,SAAS,GAAG,qBAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACzD,IACE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,KAAM,CAAC,CAAC,EACvE,CAAC;YAC
D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,EAAU,CAAC;QACf,IAAI,CAAC;YACH,EAAE,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAgB;IACzC,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,KAAK;QAC5D,KAAK;QACL,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE,EAAE;QACvC,GAAG,EAAE,EAAE;KACR,CAAC;AACJ,CAAC;AAED,6EAA6E;AAC7E,SAAS,wBAAwB,CAC/B,WAAkC;IAElC,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,kBAAkB;YACrB,OAAO,kBAAkB,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,kBAAkB,CAAC,CAAiB;IAC3C,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM;QAAE,OAAO,CAAC,CAAC,WAAW,KAAK,OAAO,CAAC;IAC3D,OAAO,CAAC,CAAC,OAAO,KAAK,kBAAkB,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,MAAc,EACd,OAAyB;IAEzB,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,eAAe,CAC7B,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,EAC5B,GAAG,EACH,OAAO,CAAC,QAAQ,CACjB,CAAC;IACF,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;SACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,MAAM,GAAG,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC;IAC7B,MAAM,UAAU,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,kCAAkC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjE,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,S
AAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,WAA8B,CAAC;IACnC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,SAAS,EACT,SAAS,EACT,OAAO,CAAC,eAAe,CACxB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,WAAW,GAAG;YACZ,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,uBAAwB,GAAa,CAAC,OAAO,EAAE;SACxD,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACpC,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,mBAAmB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBACnD,aAAa,EAAE,OAAO,CAAC,MAAM;gBAC7B,SAAS;gBACT,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAA4B;QACxC,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,GAAG,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS;YACtC,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI;YACnC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;KACL,CAAC;IACF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACpE,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,UAAU,GAAG,gBAAgB,CAC3B,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,EAC7C,QAAQ,EACR,QAAQ,CACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,wBAAyB,GAAa,CAAC,OAAO,EAAE;YACxD,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,iEAAiE;IACjE,0DAA0D;IAC1D,oEAAoE;IACpE,mCAAmC;IACnC,MAAM,OAAO,GAAkB,UAAU,CAAC,OAAO;QAC/C,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO;QACP,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,aAAa,EAAE,OAAO,CAAC,MAAM;QAC7B,SAAS;QACT
,YAAY,EAAE;YACZ,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B;QACD,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,OAAsB,EACtB,GAAW;IAEX,0EAA0E;IAC1E,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,EAAE;IACF,gEAAgE;IAChE,mEAAmE;IACnE,iEAAiE;IACjE,4DAA4D;IAC5D,6DAA6D;IAC7D,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,oBAAoB;QAC/B,+DAA+D;QAC/D,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,oDAAoD;QACpD,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,oBAAoB,GAAG,CAAC;QACjD,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YACtB,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAyB;IAEzB,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAEpC,mEAAmE;IACnE,uEAAuE;IACvE,6DAA6D;IAC7D,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;IAC3E,MAAM,QAAQ,GAAiC,cAAc;QAC3D,CAAC,CAAC,cAAc,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC;QACnE,CAAC,CAAC,SAAS,CAAC;IAEd,sEAAsE;IACtE,8DAA8D;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9C,IAAI,CAAC,kBAAkB,CAAC,CAAC,EAAE,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAChD,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACtC,0EAA0E;QAC1E,OAAO,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,QAAS,CAAC,CAAC,OAAO,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAqB,EAAE,CAAC;IACvC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACtD,+DAA+D;QAC/D,gEAAgE;QAChE,2CAA2C;QAC3C,MAAM,QAAQ,GAAmB,QAAQ;YACvC,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;YACrE,CAAC,CAAC,IAAI,CAAC;QACT,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,CACzB,QAAQ,EACR,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,CACnC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,sEAAsE;IACtE,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,SA
AS,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACpD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7D,mEAAmE;QACnE,qEAAqE;QACrE,kEAAkE;QAClE,6DAA6D;QAC7D,iEAAiE;QACjE,iEAAiE;QACjE,gEAAgE;QAChE,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU;YACpC,CAAC,CAAC,gBAAgB,QAAQ,CAAC,UAAU,eAAe,SAAS,MAAM;YACnE,CAAC,CAAC,EAAE,CAAC;QACP,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,+DAA+D;QAC/D,iEAAiE;QACjE,kEAAkE;QAClE,8DAA8D;QAC9D,0DAA0D;QAC1D,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC5E,2DAA2D;QAC3D,6DAA6D;QAC7D,+DAA+D;QAC/D,4DAA4D;QAC5D,8DAA8D;QAC9D,4DAA4D;QAC5D,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,UAAkB,CAAC;QACvB,IAAI,cAAc,EAAE,EAAE,EAAE,CAAC;YACvB,UAAU,GAAG,iBAAiB,CAAC,cAAc,CAAC,EAAE,EAAE;gBAChD,GAAG,QAAQ,CAAC,aAAa;gBACzB,UAAU,EAAE,SAAS;aACtB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,cAAc,GAAG,eAAe,CACpC,cAAc,EAAE,SAAS,EACzB,QAAQ,CAAC,aAAa,CACvB,CAAC;YACF,UAAU,GAAG,GAAG,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,MAAM,IAAI,UAAU,GAAG,cAAc,EAAE,CAAC;QAC3F,CAAC;QACD,MAAM,KAAK,GAAmB;YAC5B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,UAAU;SACnB,CAAC;QACF,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,eAAe,KAAK,YAAY,EAAE,CAAC;YACnD,KAAK,CAAC,kBAAkB,GAAG;gBACzB,aAAa,EAAE,YAAY;gBAC3B,kBAAkB,EAAE,MAAM;gBAC1B,+DAA+D;gBAC/D,8DAA8D;gBAC9D,wBAAwB,EAAE,UAAU;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC"}
|
|
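--- a/package/dist/runtime/ledger-record.d.ts
+++ b/package/dist/runtime/ledger-record.d.ts
@@ -25,6 +25,14 @@ export interface PolicyDecisionPayload {
 matchedCount: number;
 reason: string;
 };
+/**
+* Risk Gate verdicts for the action (Phase 7 #5). Present only when
+* the Risk Gate was active for the event; absent for a pure Phase-4
+* manifest, and absent on any `policy_decision` row recorded before
+* Phase 7 #5 — `harness explain --trace` renders them only when present.
+*/
+risk?: PolicyDecision["risk"];
+environment?: PolicyDecision["environment"];
 evaluatedAt: string;
 }
 export declare function payloadFromDecision(decision: PolicyDecision): PolicyDecisionPayload;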
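--- a/package/dist/runtime/ledger-record.js
+++ b/package/dist/runtime/ledger-record.js
@@ -29,6 +29,8 @@ export function payloadFromDecision(decision) {
 ledgerTag: decision.ledgerTag,
 extractValues: decision.extractValues,
 ...(decision.requiresEval && { requiresEval: decision.requiresEval }),
+...(decision.risk && { risk: decision.risk }),
+...(decision.environment && { environment: decision.environment }),
 evaluatedAt: decision.evaluatedAt,
 };
 }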
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;AAqBpC,MAAM,UAAU,mBAAmB,CACjC,QAAwB;IAExB,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,UAAU;QACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,GAAG,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC;QACrE,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7C,GAAG,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAA8B;IAChE,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;AACnF,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAkB,EAClB,OAA8B;IAE9B,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACnD,IAAI,KAAK,CAAC,SAAS,YAAY,IAAI;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;IACtE,OAAO,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAA0B,CAAC;QAC1E,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAwB,E
ACxB,SAAiB,EACjB,IAAyB;IAEzB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC7C,kEAAkE;IAClE,mEAAmE;IACnE,mEAAmE;IACnE,iEAAiE;IACjE,6DAA6D;IAC7D,2DAA2D;IAC3D,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,CAAmC,EAAQ,EAAE;YAC3D,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC,CAAC;QAEF,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB;;;;;WAKG;QACH,MAAM,cAAc,GAAG,GAAS,EAAE;YAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,oBAAoB;wBAC1B,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,GAAS,EAAE;YACjC,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gB
ACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,SAAS,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpC,IAAI,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAG1B,CAAC;wBACF,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;4BAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gCAChB,OAAO,EAAE,KAAK;gCACd,MAAM,EAAE,2BAA2B;6BACpC,CAAC,IAAI,CACP,CAAC;4BACF,cAAc,EAAE,CAAC;4BACjB,UAAU,GAAG,IAAI,CAAC;wBACpB,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,0CAA0C;gCAC1C,mDAAmD;gCACnD,oCAAoC;gCACpC,IAAI,CAAC,YAAY,EAAE,CAAC;oCAClB,eAAe,EAAE,CAAC;oCAClB,OAAO;gCACT,CAAC;gCACD,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;gBACD,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACpC,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAC,EAAE,EAAE,EAAE
,KAAK,EAAE,MAAM,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC;YACzE,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAC3B,kCAAkC;QACpC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,OAAO,EAAE;iBACnE;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAuB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,SAAS,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
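--- a/package/dist/runtime/risk-classifier.js
+++ b/package/dist/runtime/risk-classifier.js
@@ -32,13 +32,40 @@ const SEVERITY_ORDER = RiskSeveritySchema.options;
 // caution. A genuinely destructive-but-reversible action simply should
 // not be tagged `destructive` by its classifier author.
 const IRREVERSIBLE_CATEGORIES = new Set(["irreversible_action", "data_loss", "destructive"]);
+// Hot-path ReDoS guard (Phase 7 #6). As of Phase 7 #5/#6 the classifier
+// runs operator-authored regexes against tool input on EVERY PreToolUse
+// call inside `harness policy intercept`. Catastrophic-backtracking cost
+// scales with input length, so the match subject is capped before any
+// pattern runs. This bounds the input-length-driven blow-up — the common
+// failure mode for a tool call that pipes a large blob through Bash.
+//
+// It is a mitigation, not a complete fix: harness does NOT screen the
+// classifier patterns themselves for catastrophic backtracking. A
+// manifest is operator-trusted config — the same contract already stated
+// for `environments.resolvers[].kube_context_patterns` in
+// docs/risk-gate.md. A pathological *pattern* is a self-inflicted hazard.
+//
+// 16 KiB comfortably covers any real shell command or serialized tool
+// input. A genuinely dangerous command longer than the cap still does
+// not slip the gate: its head (where `rm -rf` / `terraform destroy` /
+// `kubectl delete` live) is within the cap, and an action that ends up
+// unclassified is treated as risk-bearing by the `when:` evaluator.
+const MAX_SUBJECT_LENGTH = 16 * 1024;
 /**
 * The string a classifier's patterns are regex-matched against. For a
 * shell-class tool (or any tool whose input carries a `command` / `cmd`
 * field) it is that command. For other tools it is the serialized raw
 * input — blunt, but it keeps non-shell classifiers usable in the MVP.
+*
+* The result is capped at `MAX_SUBJECT_LENGTH` (ReDoS guard, see above).
 */
 function subjectFor(envelope) {
+const subject = rawSubjectFor(envelope);
+return subject.length > MAX_SUBJECT_LENGTH
+? subject.slice(0, MAX_SUBJECT_LENGTH)
+: subject;
+}
+function rawSubjectFor(envelope) {
 const command = extractShellCommand({ raw_input: envelope.raw_input });
 if (command !== null)
 return command;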
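Review bot: The silent truncation in `subjectFor` can turn a dangerous command into a benign classification, not merely an unclassified one, so the "unclassified is treated as risk-bearing" fallback the header comment leans on does not cover the bypass: a command whose first 16 KiB matches a low-severity pattern (an `echo`/heredoc blob, a long `cat`) and carries `rm -rf` or `terraform destroy` after the cap is classified by its head alone, assuming `classifyRisk` picks among matching classifiers and falls back to unclassified only when nothing matches. The subject is agent-authored tool input, so padding ahead of the destructive part is cheap for a prompt-injected agent, and the comment's "its head is within the cap" assumption does not hold against that caller. Since the guard is about cost, the safer shape is to not match an over-cap subject at all and route it to the unclassified path, `return subject.length > MAX_SUBJECT_LENGTH ? null : subject;`, with the `classifyRisk` call site (outside this hunk) treating `null` as "no classifier matched"; a head-plus-tail window is a weaker alternative if some classification is wanted. Either way the `16 KiB ... still does not slip the gate` paragraph should be reworded, because as written it overstates what truncation guarantees. `rawSubjectFor` continues past the end of this hunk.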
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF
|
|
1
|
+
{"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF,wEAAwE;AACxE,wEAAwE;AACxE,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,qEAAqE;AACrE,EAAE;AACF,sEAAsE;AACtE,kEAAkE;AAClE,yEAAyE;AACzE,0DAA0D;AAC1D,0EAA0E;AAC1E,EAAE;AACF,sEAAsE;AACtE,sEAAsE;AACtE,sEAAsE;AACtE,uEAAuE;AACvE,oEAAoE;AACpE,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,UAAU,CAAC,QAAwB;IAC1C,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACxC,OAAO,OAAO,CAAC,MAAM,GAAG,kBAAkB;QACxC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC;QACtC,CAAC,CAAC,OAAO,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,QAAwB;IAC7C,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IACvE,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,OAAO,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CACxB,UAA0B,EAC1B,QAAwB;IAExB,OAAO,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,QAAwB,EACxB,WAAsC;IAEtC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,
UAAU,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAgB,CAAC;IAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;IAErB,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,2DAA2D;gBAC3D,SAAS;YACX,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAChC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,GAAG,GAAG,WAAW;gBAAE,WAAW,GAAG,GAAG,CAAC;YACzC,OAAO,CAAC,IAAI,CACV,eAAe,UAAU,CAAC,IAAI,cAAc,GAAG,CAAC,OAAO,aAAa;gBAClE,YAAY,GAAG,CAAC,QAAQ,iBAAiB,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACP,UAAU,CAAC,MAAM,KAAK,CAAC;oBACrB,CAAC,CAAC,4CAA4C,QAAQ,CAAC,IAAI,GAAG;oBAC9D,CAAC,CAAC,sDAAsD,QAAQ,CAAC,IAAI,GAAG;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,cAAc,CAAC,WAAW,CAAE;QACtC,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,UAAU,EAAE,MAAM;QAClB,OAAO;KACR,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
import type { PolicyWhen } from "../schema/index.js";
|
|
2
|
+
import type { EnvironmentResolution } from "./environment-resolver.js";
|
|
3
|
+
import type { RiskProfile } from "./risk-classifier.js";
|
|
4
|
+
/** The enriched-envelope inputs a `when:` block is evaluated against. */
|
|
5
|
+
export interface WhenContext {
|
|
6
|
+
risk: RiskProfile;
|
|
7
|
+
environment: EnvironmentResolution;
|
|
8
|
+
}
|
|
9
|
+
/** The four `when:` clause keys, exactly as they appear in the manifest. */
|
|
10
|
+
export type WhenClauseKey = "risk.severity_at_least" | "risk.category_in" | "environment.name" | "action.reversible";
|
|
11
|
+
/** One declared clause's verdict, carried for explainability. */
|
|
12
|
+
export interface WhenClauseResult {
|
|
13
|
+
clause: WhenClauseKey;
|
|
14
|
+
/** Human-readable expected value, as written in the manifest. */
|
|
15
|
+
expected: string;
|
|
16
|
+
/** Human-readable observed value, from the enriched envelope. */
|
|
17
|
+
actual: string;
|
|
18
|
+
matched: boolean;
|
|
19
|
+
}
|
|
20
|
+
export interface WhenEvaluation {
|
|
21
|
+
/** AND of every declared clause. A `when:` with no clauses cannot be
|
|
22
|
+
* constructed (the schema rejects `when: {}`), so an evaluated
|
|
23
|
+
* `when:` always has at least one clause. */
|
|
24
|
+
matched: boolean;
|
|
25
|
+
/** One entry per DECLARED clause, in manifest-key order. */
|
|
26
|
+
clauses: WhenClauseResult[];
|
|
27
|
+
/** True when at least one clause matched only because the action was
|
|
28
|
+
* unclassified ("unknown is not safe"). Surfaced so `explain-policy`
|
|
29
|
+
* can tell an operator a match was fail-closed, not a real hit. */
|
|
30
|
+
unclassifiedFallback: boolean;
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Evaluate a policy's `when:` block against the enriched envelope.
|
|
34
|
+
*
|
|
35
|
+
* Every clause is optional; only declared clauses are evaluated, and
|
|
36
|
+
* `matched` is their AND. An unclassified risk profile (`classified:
|
|
37
|
+
* false`) satisfies the three risk-derived clauses by the "unknown is
|
|
38
|
+
* not safe" rule; `environment.name` is always a plain equality test.
|
|
39
|
+
*/
|
|
40
|
+
export declare function evaluateWhen(when: PolicyWhen, ctx: WhenContext): WhenEvaluation;
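Review bot: The `evaluateWhen` doc comment (lines 32–39 of the new file) says `environment.name` is a plain equality test but leaves the operator-facing consequence implicit: the accompanying implementation's header states the resolver yields the literal `unknown` when no resolver fired, so a clause such as environment.name: production is simply not satisfied for an action whose environment could not be resolved — the opposite of the fail-closed behaviour the three risk clauses get. That asymmetry is a design choice, but it belongs in the contract a manifest author reads. Suggest appending to the doc block: `* No "unknown is not safe" rule applies to environment.name: an action whose environment resolved to "unknown" does not match a named environment, so a policy that must fail closed has to gate on "unknown" explicitly (or in a second policy).` The same sentence would be appropriate on the `WhenEvaluation.unclassifiedFallback` field, since that flag is only set by the risk clauses.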
|
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
// Phase 7 #5 — `policy.when:` evaluator.
|
|
2
|
+
//
|
|
3
|
+
// A policy's `trigger:` decides WHICH tool calls it inspects; its
|
|
4
|
+
// optional `when:` block decides whether — given the enriched Action
|
|
5
|
+
// Envelope — the policy actually applies to this particular call. The
|
|
6
|
+
// runtime ANDs the two: a policy fires only when `trigger:` AND every
|
|
7
|
+
// declared `when:` clause hold.
|
|
8
|
+
//
|
|
9
|
+
// Pure: the risk profile (#3) + environment resolution (#4) come in, a
|
|
10
|
+
// match verdict with a per-clause breakdown comes out, no I/O. The
|
|
11
|
+
// breakdown is what `harness explain-policy` renders.
|
|
12
|
+
//
|
|
13
|
+
// "Unknown is not safe" — the load-bearing decision in this module.
|
|
14
|
+
// The Risk Classifier emits `severity: null` / `reversible: null` /
|
|
15
|
+
// `categories: []` for an action no pattern matched (`classified:
|
|
16
|
+
// false`). A null does not silently fail to satisfy a clause: an
|
|
17
|
+
// UNCLASSIFIED action satisfies every `risk.*` / `action.reversible`
|
|
18
|
+
// clause, so a risk-gating policy treats "we could not classify this"
|
|
19
|
+
// as risk-bearing rather than letting it slip the gate. A *classified*
|
|
20
|
+
// action is compared on its real values. `environment.name` needs no
|
|
21
|
+
// such rule: the resolver always returns a concrete environment, with
|
|
22
|
+
// `unknown` as the matchable no-resolver-fired case.
|
|
23
|
+
//
|
|
24
|
+
// Design source: lava-ice-logs/2026-04-30/harness-risk-gate-extension.md
|
|
25
|
+
// (design phase D); the null-handling steer is the Phase 7 #3 review
|
|
26
|
+
// note on agent-tasks task harness-phase-7-5.
|
|
27
|
+
import { RiskSeveritySchema } from "../schema/index.js";
|
|
28
|
+
// Ordered severity scale; an index is the comparison key for
|
|
29
|
+
// `severity_at_least`. Sourced from the schema enum so a reordering
|
|
30
|
+
// there flows through unchanged — same pattern as the Risk Classifier.
|
|
31
|
+
const SEVERITY_ORDER = RiskSeveritySchema.options;
|
|
32
|
+
function severityIndex(severity) {
|
|
33
|
+
return SEVERITY_ORDER.indexOf(severity);
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Evaluate a policy's `when:` block against the enriched envelope.
|
|
37
|
+
*
|
|
38
|
+
* Every clause is optional; only declared clauses are evaluated, and
|
|
39
|
+
* `matched` is their AND. An unclassified risk profile (`classified:
|
|
40
|
+
* false`) satisfies the three risk-derived clauses by the "unknown is
|
|
41
|
+
* not safe" rule; `environment.name` is always a plain equality test.
|
|
42
|
+
*/
|
|
43
|
+
export function evaluateWhen(when, ctx) {
|
|
44
|
+
const clauses = [];
|
|
45
|
+
let unclassifiedFallback = false;
|
|
46
|
+
const unclassified = !ctx.risk.classified;
|
|
47
|
+
const sevAtLeast = when["risk.severity_at_least"];
|
|
48
|
+
if (sevAtLeast !== undefined) {
|
|
49
|
+
let matched;
|
|
50
|
+
let actual;
|
|
51
|
+
if (unclassified) {
|
|
52
|
+
// severity is null — treat as risk-bearing: satisfies any threshold.
|
|
53
|
+
matched = true;
|
|
54
|
+
actual = "null (unclassified)";
|
|
55
|
+
unclassifiedFallback = true;
|
|
56
|
+
}
|
|
57
|
+
else {
|
|
58
|
+
matched =
|
|
59
|
+
severityIndex(ctx.risk.severity) >= severityIndex(sevAtLeast);
|
|
60
|
+
actual = ctx.risk.severity;
|
|
61
|
+
}
|
|
62
|
+
clauses.push({
|
|
63
|
+
clause: "risk.severity_at_least",
|
|
64
|
+
expected: `>= ${sevAtLeast}`,
|
|
65
|
+
actual,
|
|
66
|
+
matched,
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
const categoryIn = when["risk.category_in"];
|
|
70
|
+
if (categoryIn !== undefined) {
|
|
71
|
+
let matched;
|
|
72
|
+
let actual;
|
|
73
|
+
if (unclassified) {
|
|
74
|
+
// categories is [] — treat as risk-bearing, consistent with the
|
|
75
|
+
// severity clause: an unclassified action satisfies every risk
|
|
76
|
+
// clause so a multi-clause `when:` cannot be slipped by one
|
|
77
|
+
// clause matching null while another fails an empty set.
|
|
78
|
+
matched = true;
|
|
79
|
+
actual = "[] (unclassified)";
|
|
80
|
+
unclassifiedFallback = true;
|
|
81
|
+
}
|
|
82
|
+
else {
|
|
83
|
+
matched = categoryIn.some((c) => ctx.risk.categories.includes(c));
|
|
84
|
+
actual =
|
|
85
|
+
ctx.risk.categories.length > 0
|
|
86
|
+
? `[${ctx.risk.categories.join(", ")}]`
|
|
87
|
+
: "[]";
|
|
88
|
+
}
|
|
89
|
+
clauses.push({
|
|
90
|
+
clause: "risk.category_in",
|
|
91
|
+
expected: `any of [${categoryIn.join(", ")}]`,
|
|
92
|
+
actual,
|
|
93
|
+
matched,
|
|
94
|
+
});
|
|
95
|
+
}
|
|
96
|
+
const envName = when["environment.name"];
|
|
97
|
+
if (envName !== undefined) {
|
|
98
|
+
clauses.push({
|
|
99
|
+
clause: "environment.name",
|
|
100
|
+
expected: envName,
|
|
101
|
+
actual: ctx.environment.name,
|
|
102
|
+
matched: ctx.environment.name === envName,
|
|
103
|
+
});
|
|
104
|
+
}
|
|
105
|
+
const reversible = when["action.reversible"];
|
|
106
|
+
if (reversible !== undefined) {
|
|
107
|
+
let matched;
|
|
108
|
+
let actual;
|
|
109
|
+
if (unclassified) {
|
|
110
|
+
// reversible is null — reversibility unknown. "Unknown is not
|
|
111
|
+
// safe": the clause matches whichever value the policy gates on,
|
|
112
|
+
// so an unclassified action never escapes a reversibility gate.
|
|
113
|
+
matched = true;
|
|
114
|
+
actual = "null (unclassified)";
|
|
115
|
+
unclassifiedFallback = true;
|
|
116
|
+
}
|
|
117
|
+
else {
|
|
118
|
+
matched = ctx.risk.reversible === reversible;
|
|
119
|
+
actual = String(ctx.risk.reversible);
|
|
120
|
+
}
|
|
121
|
+
clauses.push({
|
|
122
|
+
clause: "action.reversible",
|
|
123
|
+
expected: String(reversible),
|
|
124
|
+
actual,
|
|
125
|
+
matched,
|
|
126
|
+
});
|
|
127
|
+
}
|
|
128
|
+
return {
|
|
129
|
+
matched: clauses.every((c) => c.matched),
|
|
130
|
+
clauses,
|
|
131
|
+
unclassifiedFallback,
|
|
132
|
+
};
|
|
133
|
+
}
|
|
134
|
+
//# sourceMappingURL=when-eval.js.map
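Review bot: In the classified branch of the `risk.severity_at_least` clause (lines 57–61 of the new file), `severityIndex` returns -1 for any value not present in `SEVERITY_ORDER`, so an observed severity the scale does not recognise — including a null severity on a profile that nonetheless reports `classified: true` — evaluates as `-1 >= k`, which is false for every valid threshold; the clause then fails and the policy does not fire, which is exactly the fail-open case the module's "unknown is not safe" rule is meant to prevent. The manifest threshold is presumably schema-validated, but the observed value arrives from the classifier at runtime and the comparison should not depend on that. Suggest routing the sentinel through the existing fallback branch so `unclassifiedFallback` is also recorded: `if (unclassified || severityIndex(ctx.risk.severity) < 0) {` on line 51, with `actual = `${String(ctx.risk.severity)} (unclassified)`;` on line 54 so the breakdown shows what was actually seen; line 60's `actual = ctx.risk.severity;` should likewise use `String(...)` to keep the field a string in that case.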
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"when-eval.js","sourceRoot":"","sources":["../../src/runtime/when-eval.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,gCAAgC;AAChC,EAAE;AACF,uEAAuE;AACvE,mEAAmE;AACnE,sDAAsD;AACtD,EAAE;AACF,oEAAoE;AACpE,oEAAoE;AACpE,kEAAkE;AAClE,iEAAiE;AACjE,qEAAqE;AACrE,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,sEAAsE;AACtE,qDAAqD;AACrD,EAAE;AACF,yEAAyE;AACzE,qEAAqE;AACrE,8CAA8C;AAG9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAIxD,6DAA6D;AAC7D,oEAAoE;AACpE,uEAAuE;AACvE,MAAM,cAAc,GAAsB,kBAAkB,CAAC,OAAO,CAAC;AAsCrE,SAAS,aAAa,CAAC,QAAgB;IACrC,OAAO,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAgB,EAChB,GAAgB;IAEhB,MAAM,OAAO,GAAuB,EAAE,CAAC;IACvC,IAAI,oBAAoB,GAAG,KAAK,CAAC;IACjC,MAAM,YAAY,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;IAE1C,MAAM,UAAU,GAAG,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAClD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QACnB,IAAI,YAAY,EAAE,CAAC;YACjB,qEAAqE;YACrE,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,qBAAqB,CAAC;YAC/B,oBAAoB,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAS,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC;YACjE,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,QAAS,CAAC;QAC9B,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,wBAAwB;YAChC,QAAQ,EAAE,MAAM,UAAU,EAAE;YAC5B,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC5C,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QACnB,IAAI,YAAY,EAAE,CAAC;YACjB,gEAAgE;YAChE,+DAA+D;YAC/D,4DAA4D;YAC5D,yDAAyD;YACzD,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,mBAAmB,CAAC;YAC7B,oBAAoB,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAClE,MAAM;gBACJ,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;oBAC5B,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;oBACvC,CAAC,CAAC,IAAI,CAAC;QACb,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;
YACX,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,WAAW,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YAC7C,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI;YAC5B,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,OAAO;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QACnB,IAAI,YAAY,EAAE,CAAC;YACjB,8DAA8D;YAC9D,iEAAiE;YACjE,gEAAgE;YAChE,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,qBAAqB,CAAC;YAC/B,oBAAoB,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,UAAU,CAAC;YAC7C,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,mBAAmB;YAC3B,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;YAC5B,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;QACxC,OAAO;QACP,oBAAoB;KACrB,CAAC;AACJ,CAAC"}
|
package/dist/schema/index.d.ts
CHANGED
|
@@ -514,7 +514,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
514
514
|
at_head?: boolean | undefined;
|
|
515
515
|
}>;
|
|
516
516
|
hook: z.ZodString;
|
|
517
|
-
enforcement: z.ZodEnum<["block", "warn"]>;
|
|
517
|
+
enforcement: z.ZodEnum<["block", "warn", "require_approval"]>;
|
|
518
518
|
producers: z.ZodOptional<z.ZodArray<z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
|
|
519
519
|
kind: z.ZodLiteral<"bash">;
|
|
520
520
|
command: z.ZodString;
|
|
@@ -615,7 +615,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
615
615
|
at_head?: boolean | undefined;
|
|
616
616
|
};
|
|
617
617
|
hook: string;
|
|
618
|
-
enforcement: "warn" | "block";
|
|
618
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
619
619
|
producers?: ({
|
|
620
620
|
command: string;
|
|
621
621
|
description: string;
|
|
@@ -662,7 +662,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
662
662
|
at_head?: boolean | undefined;
|
|
663
663
|
};
|
|
664
664
|
hook: string;
|
|
665
|
-
enforcement: "warn" | "block";
|
|
665
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
666
666
|
producers?: ({
|
|
667
667
|
command: string;
|
|
668
668
|
description: string;
|
|
@@ -709,7 +709,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
709
709
|
at_head?: boolean | undefined;
|
|
710
710
|
};
|
|
711
711
|
hook: string;
|
|
712
|
-
enforcement: "warn" | "block";
|
|
712
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
713
713
|
producers?: ({
|
|
714
714
|
command: string;
|
|
715
715
|
description: string;
|
|
@@ -756,7 +756,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
756
756
|
at_head?: boolean | undefined;
|
|
757
757
|
};
|
|
758
758
|
hook: string;
|
|
759
|
-
enforcement: "warn" | "block";
|
|
759
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
760
760
|
producers?: ({
|
|
761
761
|
command: string;
|
|
762
762
|
description: string;
|
|
@@ -803,7 +803,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
803
803
|
at_head?: boolean | undefined;
|
|
804
804
|
};
|
|
805
805
|
hook: string;
|
|
806
|
-
enforcement: "warn" | "block";
|
|
806
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
807
807
|
producers?: ({
|
|
808
808
|
command: string;
|
|
809
809
|
description: string;
|
|
@@ -850,7 +850,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
850
850
|
at_head?: boolean | undefined;
|
|
851
851
|
};
|
|
852
852
|
hook: string;
|
|
853
|
-
enforcement: "warn" | "block";
|
|
853
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
854
854
|
producers?: ({
|
|
855
855
|
command: string;
|
|
856
856
|
description: string;
|
|
@@ -2575,7 +2575,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
2575
2575
|
at_head?: boolean | undefined;
|
|
2576
2576
|
};
|
|
2577
2577
|
hook: string;
|
|
2578
|
-
enforcement: "warn" | "block";
|
|
2578
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
2579
2579
|
producers?: ({
|
|
2580
2580
|
command: string;
|
|
2581
2581
|
description: string;
|
|
@@ -2870,7 +2870,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
2870
2870
|
at_head?: boolean | undefined;
|
|
2871
2871
|
};
|
|
2872
2872
|
hook: string;
|
|
2873
|
-
enforcement: "warn" | "block";
|
|
2873
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
2874
2874
|
producers?: ({
|
|
2875
2875
|
command: string;
|
|
2876
2876
|
description: string;
|
|
@@ -3165,7 +3165,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
3165
3165
|
at_head?: boolean | undefined;
|
|
3166
3166
|
};
|
|
3167
3167
|
hook: string;
|
|
3168
|
-
enforcement: "warn" | "block";
|
|
3168
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
3169
3169
|
producers?: ({
|
|
3170
3170
|
command: string;
|
|
3171
3171
|
description: string;
|
|
@@ -3460,7 +3460,7 @@ export declare const ManifestSchema: z.ZodEffects<z.ZodObject<{
|
|
|
3460
3460
|
at_head?: boolean | undefined;
|
|
3461
3461
|
};
|
|
3462
3462
|
hook: string;
|
|
3463
|
-
enforcement: "warn" | "block";
|
|
3463
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
3464
3464
|
producers?: ({
|
|
3465
3465
|
command: string;
|
|
3466
3466
|
description: string;
|