@lannguyensi/harness 0.26.0 → 0.28.0
- package/CHANGELOG.md +46 -0
- package/README.md +17 -12
- package/dist/cli/apply/apply.js +12 -2
- package/dist/cli/apply/apply.js.map +1 -1
- package/dist/cli/approve/risk.d.ts +43 -0
- package/dist/cli/approve/risk.js +126 -0
- package/dist/cli/approve/risk.js.map +1 -0
- package/dist/cli/audit.js +8 -2
- package/dist/cli/audit.js.map +1 -1
- package/dist/cli/doctor/format.js +55 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.d.ts +1 -1
- package/dist/cli/doctor/index.js +89 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/types.d.ts +79 -0
- package/dist/cli/event-input.js +8 -7
- package/dist/cli/event-input.js.map +1 -1
- package/dist/cli/explain-policy.d.ts +54 -0
- package/dist/cli/explain-policy.js +81 -0
- package/dist/cli/explain-policy.js.map +1 -0
- package/dist/cli/explain.js +4 -0
- package/dist/cli/explain.js.map +1 -1
- package/dist/cli/index.js +70 -4
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/composer.js +1 -1
- package/dist/cli/init/composer.js.map +1 -1
- package/dist/cli/init/dependencies.js +10 -9
- package/dist/cli/init/dependencies.js.map +1 -1
- package/dist/cli/init/profiles.d.ts +2 -2
- package/dist/cli/init/profiles.js +2 -2
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +99 -1
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js +6 -3
- package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +27 -3
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/read-only-bash.d.ts +13 -0
- package/dist/cli/pack/read-only-bash.js +177 -0
- package/dist/cli/pack/read-only-bash.js.map +1 -0
- package/dist/cli/pack/understanding-report-schema-hint.d.ts +1 -1
- package/dist/cli/pack/understanding-report-schema-hint.js +7 -1
- package/dist/cli/pack/understanding-report-schema-hint.js.map +1 -1
- package/dist/cli/policy/intercept.d.ts +10 -0
- package/dist/cli/policy/intercept.js +34 -1
- package/dist/cli/policy/intercept.js.map +1 -1
- package/dist/cli/validate/checks.d.ts +1 -1
- package/dist/cli/validate/checks.js +31 -27
- package/dist/cli/validate/checks.js.map +1 -1
- package/dist/io/version-compare.d.ts +16 -5
- package/dist/io/version-compare.js +16 -5
- package/dist/io/version-compare.js.map +1 -1
- package/dist/policy-packs/builtin/branch-protection.d.ts +38 -0
- package/dist/policy-packs/builtin/branch-protection.js +17 -0
- package/dist/policy-packs/builtin/branch-protection.js.map +1 -1
- package/dist/policy-packs/builtin/understanding-before-execution.d.ts +147 -0
- package/dist/policy-packs/builtin/understanding-before-execution.js +72 -10
- package/dist/policy-packs/builtin/understanding-before-execution.js.map +1 -1
- package/dist/policy-packs/config-check.d.ts +31 -0
- package/dist/policy-packs/config-check.js +58 -0
- package/dist/policy-packs/config-check.js.map +1 -0
- package/dist/policy-packs/expand.js +5 -4
- package/dist/policy-packs/expand.js.map +1 -1
- package/dist/policy-packs/index.d.ts +4 -1
- package/dist/policy-packs/index.js +4 -1
- package/dist/policy-packs/index.js.map +1 -1
- package/dist/policy-packs/registry.d.ts +20 -0
- package/dist/policy-packs/registry.js +39 -2
- package/dist/policy-packs/registry.js.map +1 -1
- package/dist/policy-packs/source-check.d.ts +28 -0
- package/dist/policy-packs/source-check.js +49 -0
- package/dist/policy-packs/source-check.js.map +1 -0
- package/dist/policy-packs/version-check.d.ts +37 -0
- package/dist/policy-packs/version-check.js +89 -0
- package/dist/policy-packs/version-check.js.map +1 -0
- package/dist/probes/memory.d.ts +1 -1
- package/dist/runtime/index.d.ts +2 -1
- package/dist/runtime/index.js +2 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/intercept.d.ts +60 -3
- package/dist/runtime/intercept.js +104 -6
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/ledger-record.d.ts +8 -0
- package/dist/runtime/ledger-record.js +2 -0
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/runtime/risk-classifier.js +27 -0
- package/dist/runtime/risk-classifier.js.map +1 -1
- package/dist/runtime/when-eval.d.ts +40 -0
- package/dist/runtime/when-eval.js +134 -0
- package/dist/runtime/when-eval.js.map +1 -0
- package/dist/schema/hooks.js +6 -1
- package/dist/schema/hooks.js.map +1 -1
- package/dist/schema/index.d.ts +20 -11
- package/dist/schema/memory.js +6 -1
- package/dist/schema/memory.js.map +1 -1
- package/dist/schema/policies.d.ts +13 -13
- package/dist/schema/policies.js +20 -8
- package/dist/schema/policies.js.map +1 -1
- package/dist/schema/policy-packs.d.ts +8 -0
- package/dist/schema/policy-packs.js +17 -0
- package/dist/schema/policy-packs.js.map +1 -1
- package/dist/schema/tools.js +11 -2
- package/dist/schema/tools.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,177 @@
|
|
|
1
|
+
// Read-only Bash command classifier for the understanding-gate
|
|
2
|
+
// PreToolUse blocker.
|
|
3
|
+
//
|
|
4
|
+
// The pack's hook matcher `Edit|Write|Bash` is too broad on its own:
|
|
5
|
+
// `Bash` covers commands like `git status`, `gh pr view`, `ls`, `cat`
|
|
6
|
+
// that mutate nothing. Hard-blocking them behind a full Understanding
|
|
7
|
+
// Report cycle trains the agent and operator to experience the gate
|
|
8
|
+
// as noise, which erodes its credibility on the writes that actually
|
|
9
|
+
// matter. A gate scoped exactly to what it must stop is a credible
|
|
10
|
+
// gate.
|
|
11
|
+
//
|
|
12
|
+
// Design contract:
|
|
13
|
+
// - The allowlist is intentionally conservative. Anything not on it
|
|
14
|
+
// is treated as a write (block). Better to occasionally annoy a
|
|
15
|
+
// read-only command we haven't enumerated than to let a write slip.
|
|
16
|
+
// - Any shell chaining (`;`, `&&`, `||`, `|`), redirection (`>`,
|
|
17
|
+
// `>>`, `<`), or command substitution (backticks, `$()`) makes the
|
|
18
|
+
// whole composition unclassifiable. Even if every individual piece
|
|
19
|
+
// would be read-only, a chained or substituted command can hide
|
|
20
|
+
// writes inside its construction. Refuse the whole thing.
|
|
21
|
+
// - The classifier never short-circuits write detection: if a command
|
|
22
|
+
// is on the allowlist but a write indicator is also present, the
|
|
23
|
+
// write indicator wins. The shell-metachar check above accomplishes
|
|
24
|
+
// this without a separate write-binary deny list (the meta-chars
|
|
25
|
+
// are how a write would be smuggled into a "read-only" command in
|
|
26
|
+
// the first place).
|
|
27
|
+
//
|
|
28
|
+
// This module is the canonical home for the classification. The
|
|
29
|
+
// harness pack hook is the superset blocker today, so the classifier
|
|
30
|
+
// lives here rather than in the @lannguyensi/understanding-gate
|
|
31
|
+
// package. If the package adds a parallel classifier in the future,
|
|
32
|
+
// it should mirror this allowlist verbatim, not diverge.
|
|
33
|
+
/**
|
|
34
|
+
* Single-token read-only binaries. Each accepts arguments without
|
|
35
|
+
* changing classification: `ls -la /tmp` is still read-only.
|
|
36
|
+
*/
|
|
37
|
+
const SIMPLE_READ_ONLY_BINS = new Set([
|
|
38
|
+
"ls", "cat", "pwd", "which", "type", "command",
|
|
39
|
+
"grep", "rg", "wc",
|
|
40
|
+
"head", "tail", "file", "stat", "tree", "du", "df",
|
|
41
|
+
"ps", "whoami", "id", "date", "echo", "env", "printenv",
|
|
42
|
+
"true", "false", "uptime", "hostname", "uname", "tty",
|
|
43
|
+
"basename", "dirname", "realpath", "readlink",
|
|
44
|
+
"less", "more", "cmp", "diff", "comm",
|
|
45
|
+
"sort", "uniq", "cut", "tr", "tac", "rev",
|
|
46
|
+
]);
|
|
47
|
+
/**
|
|
48
|
+
* `find` flags that make `find` itself a write tool, regardless of
|
|
49
|
+
* shell metacharacters. `find` is the one binary in the canonical
|
|
50
|
+
* read-only set whose own arguments can mutate the filesystem
|
|
51
|
+
* (`-delete`) or shell out to a write command (`-exec`, `-execdir`,
|
|
52
|
+
* `-ok`, `-okdir`). It also has output-write flags (`-fprint`,
|
|
53
|
+
* `-fprintf`, `-fprint0`, `-fls`) that would land outside any
|
|
54
|
+
* redirection guard. Any of these tokens anywhere in the argv
|
|
55
|
+
* forfeits the read-only classification, so `find` is treated as a
|
|
56
|
+
* special case rather than included in `SIMPLE_READ_ONLY_BINS`.
|
|
57
|
+
*/
|
|
58
|
+
const FIND_WRITE_FLAGS = new Set([
|
|
59
|
+
"-delete",
|
|
60
|
+
"-exec", "-execdir", "-ok", "-okdir",
|
|
61
|
+
"-fprint", "-fprintf", "-fprint0", "-fls",
|
|
62
|
+
]);
|
|
63
|
+
/**
|
|
64
|
+
* `less` and `more` can shell out via interactive `!cmd`. The agent
|
|
65
|
+
* shell is non-interactive, so the escape is not reachable in
|
|
66
|
+
* practice today; the entry stays in the simple-read-only set with
|
|
67
|
+
* a documented caveat in case a future runtime PTYs the agent.
|
|
68
|
+
*/
|
|
69
|
+
/**
|
|
70
|
+
* `git` subcommands that do not mutate the working tree, index, or
|
|
71
|
+
* any ref. `git fetch` is included because it only writes to the
|
|
72
|
+
* remote-tracking branches, never touches local refs or the working
|
|
73
|
+
* tree; same for `git ls-remote`. `git config` is excluded: with
|
|
74
|
+
* arguments it can set values.
|
|
75
|
+
*/
|
|
76
|
+
const GIT_READ_ONLY_SUBS = new Set([
|
|
77
|
+
"status", "log", "diff", "show", "branch", "tag",
|
|
78
|
+
"fetch", "remote", "ls-files", "ls-remote", "ls-tree",
|
|
79
|
+
"rev-parse", "rev-list", "describe", "blame", "shortlog",
|
|
80
|
+
"reflog", "cat-file", "check-ref-format", "for-each-ref",
|
|
81
|
+
"name-rev", "merge-base", "show-ref",
|
|
82
|
+
]);
|
|
83
|
+
/**
|
|
84
|
+
* `gh` (GitHub CLI) noun + verb pairs that read state without writing.
|
|
85
|
+
* `gh pr view`, `gh pr checks`, `gh run view`, `gh workflow list`, etc.
|
|
86
|
+
*/
|
|
87
|
+
const GH_READ_ONLY_VERBS = new Set([
|
|
88
|
+
"view", "list", "diff", "checks", "status",
|
|
89
|
+
]);
|
|
90
|
+
const GH_READ_ONLY_NOUNS = new Set([
|
|
91
|
+
"pr", "issue", "run", "workflow", "release",
|
|
92
|
+
"repo", "label", "secret", "variable",
|
|
93
|
+
]);
|
|
94
|
+
/**
|
|
95
|
+
* `harness` subcommands that only inspect manifest or harness state.
|
|
96
|
+
* `harness preflight` and `harness approve` are excluded: preflight
|
|
97
|
+
* writes a ledger row, approve writes the approval marker. Both are
|
|
98
|
+
* legitimate, but if the gate is currently blocking, classifying them
|
|
99
|
+
* as read-only would let them bypass it silently. Operator-approval
|
|
100
|
+
* commands have their own escape path in `isEscapeCommand`.
|
|
101
|
+
*/
|
|
102
|
+
const HARNESS_READ_ONLY_SUBS = new Set([
|
|
103
|
+
"doctor", "validate", "audit", "diff", "list", "version",
|
|
104
|
+
"show", "status", "pause",
|
|
105
|
+
]);
|
|
106
|
+
/**
|
|
107
|
+
* Common single-flag read-only invocations: `<bin> --version`,
|
|
108
|
+
* `<bin> -v`, `<bin> --help`, `<bin> -h`. Token count must be 2 and
|
|
109
|
+
* the second token must be one of these flags. Restricts to a
|
|
110
|
+
* known-safe shape so a binary like `rm` cannot be smuggled past as
|
|
111
|
+
* `rm --version`.
|
|
112
|
+
*/
|
|
113
|
+
const VERSION_OR_HELP_FLAGS = new Set([
|
|
114
|
+
"--version", "-V", "-v", "--help", "-h",
|
|
115
|
+
]);
|
|
116
|
+
/**
|
|
117
|
+
* Classify a Bash command string. `true` means the command is
|
|
118
|
+
* provably read-only and the understanding-gate can allow it without
|
|
119
|
+
* an approved report. `false` means the command is either a write or
|
|
120
|
+
* unclassifiable; the gate must block (fail-closed).
|
|
121
|
+
*
|
|
122
|
+
* The classifier inspects the command as a raw shell string. It does
|
|
123
|
+
* NOT shell-parse or evaluate the command — that would introduce its
|
|
124
|
+
* own attack surface. Instead it rejects any string that contains
|
|
125
|
+
* shell metacharacters that could hide a write, then looks at the
|
|
126
|
+
* first one or two tokens.
|
|
127
|
+
*/
|
|
128
|
+
export function isReadOnlyBashCommand(command) {
|
|
129
|
+
const trimmed = command.trim();
|
|
130
|
+
if (trimmed === "")
|
|
131
|
+
return false;
|
|
132
|
+
// Reject any shell chaining, redirection, or command substitution.
|
|
133
|
+
// These make the command unclassifiable even when every visible
|
|
134
|
+
// piece would otherwise be read-only.
|
|
135
|
+
if (/[;&|<>]/.test(trimmed))
|
|
136
|
+
return false;
|
|
137
|
+
if (trimmed.includes("\n"))
|
|
138
|
+
return false;
|
|
139
|
+
if (trimmed.includes("`"))
|
|
140
|
+
return false;
|
|
141
|
+
if (trimmed.includes("$("))
|
|
142
|
+
return false;
|
|
143
|
+
const tokens = trimmed.split(/\s+/);
|
|
144
|
+
const bin = tokens[0] ?? "";
|
|
145
|
+
const sub = tokens[1] ?? "";
|
|
146
|
+
if (SIMPLE_READ_ONLY_BINS.has(bin))
|
|
147
|
+
return true;
|
|
148
|
+
// `find` is read-only ONLY when none of its argv tokens are write
|
|
149
|
+
// flags. Scan the whole argv: `-delete` / `-exec` / `-execdir` /
|
|
150
|
+
// `-ok` / `-okdir` mutate the filesystem; `-fprint*` and `-fls`
|
|
151
|
+
// write to operator-supplied paths without going through shell
|
|
152
|
+
// redirection. If any such flag appears, fall through to block.
|
|
153
|
+
if (bin === "find") {
|
|
154
|
+
return !tokens.slice(1).some((t) => FIND_WRITE_FLAGS.has(t));
|
|
155
|
+
}
|
|
156
|
+
// `<bin> --version` / `<bin> --help` shape. Checked BEFORE the
|
|
157
|
+
// per-binary branches so that `git --version`, `gh --version`,
|
|
158
|
+
// `harness --version` all pass through this shape rather than
|
|
159
|
+
// falling into the per-binary subcommand allowlists (which
|
|
160
|
+
// intentionally don't list `--version` since it's not a
|
|
161
|
+
// subcommand). Must be exactly two tokens to keep the surface
|
|
162
|
+
// tight: `<bin> --version <thing>` could exfiltrate or mis-route.
|
|
163
|
+
if (tokens.length === 2 && VERSION_OR_HELP_FLAGS.has(sub))
|
|
164
|
+
return true;
|
|
165
|
+
if (bin === "git")
|
|
166
|
+
return GIT_READ_ONLY_SUBS.has(sub);
|
|
167
|
+
if (bin === "gh") {
|
|
168
|
+
if (!GH_READ_ONLY_NOUNS.has(sub))
|
|
169
|
+
return false;
|
|
170
|
+
const verb = tokens[2] ?? "";
|
|
171
|
+
return GH_READ_ONLY_VERBS.has(verb);
|
|
172
|
+
}
|
|
173
|
+
if (bin === "harness")
|
|
174
|
+
return HARNESS_READ_ONLY_SUBS.has(sub);
|
|
175
|
+
return false;
|
|
176
|
+
}
|
|
177
|
+
//# sourceMappingURL=read-only-bash.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"read-only-bash.js","sourceRoot":"","sources":["../../../src/cli/pack/read-only-bash.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,sBAAsB;AACtB,EAAE;AACF,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,QAAQ;AACR,EAAE;AACF,mBAAmB;AACnB,oEAAoE;AACpE,kEAAkE;AAClE,sEAAsE;AACtE,iEAAiE;AACjE,qEAAqE;AACrE,qEAAqE;AACrE,kEAAkE;AAClE,4DAA4D;AAC5D,sEAAsE;AACtE,mEAAmE;AACnE,sEAAsE;AACtE,mEAAmE;AACnE,oEAAoE;AACpE,sBAAsB;AACtB,EAAE;AACF,gEAAgE;AAChE,qEAAqE;AACrE,gEAAgE;AAChE,oEAAoE;AACpE,yDAAyD;AAEzD;;;GAGG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;IAC9C,MAAM,EAAE,IAAI,EAAE,IAAI;IAClB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;IAClD,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU;IACvD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK;IACrD,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU;IAC7C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM;IACrC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK;CAC1C,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,SAAS;IACT,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ;IACpC,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;CAC1C,CAAC,CAAC;AAEH;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK;IAChD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS;IACrD,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU;IACxD,QAAQ,EAAE,UAAU,EAAE,kBAAkB,EAAE,cAAc;IACxD,UAAU,EAAE,YAAY,EAAE,UAAU;CACrC,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ;CAC3C,CAAC,CAAC;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS;IAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU;CACtC,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IAC1D,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS;IACxD,MAAM,EAAE,QAAQ,EAAE,OAAO;CAC1B,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,qBAAqB,GAAwB,I
AAI,GAAG,CAAC;IACzD,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI;CACxC,CAAC,CAAC;AAEH;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,mEAAmE;IACnE,gEAAgE;IAChE,sCAAsC;IACtC,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE5B,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,kEAAkE;IAClE,iEAAiE;IACjE,gEAAgE;IAChE,+DAA+D;IAC/D,gEAAgE;IAChE,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,+DAA+D;IAC/D,+DAA+D;IAC/D,8DAA8D;IAC9D,2DAA2D;IAC3D,wDAAwD;IACxD,8DAA8D;IAC9D,kEAAkE;IAClE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEtD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACjB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7B,OAAO,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE9D,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export declare const UNDERSTANDING_REPORT_REQUIRED_SECTIONS: readonly ["Current Understanding (paragraph)", "Intended Outcome (paragraph)", "Derived Todos (list)", "Acceptance Criteria (list)", "Assumptions (list)", "Open Questions (list)", "Out Of Scope (list)", "Risks (list)", "Verification Plan (list)"];
|
|
1
|
+
export declare const UNDERSTANDING_REPORT_REQUIRED_SECTIONS: readonly ["Current Understanding (paragraph)", "Intended Outcome (paragraph)", "Derived Todos (list)", "Acceptance Criteria (list)", "Assumptions (list)", "Open Questions (list)", "Out Of Scope (list)", "Risks (list)", "Verification Plan (list)", "Prior Art (list)"];
|
|
2
2
|
/**
|
|
3
3
|
* Render a compact, agent-readable hint listing the canonical sections
|
|
4
4
|
* the `@lannguyensi/understanding-gate` parser expects. Suitable for
|
|
@@ -26,6 +26,12 @@ export const UNDERSTANDING_REPORT_REQUIRED_SECTIONS = [
|
|
|
26
26
|
"Out Of Scope (list)",
|
|
27
27
|
"Risks (list)",
|
|
28
28
|
"Verification Plan (list)",
|
|
29
|
+
// Section 10 (agent-grounding 0.4.0): state what was searched for an
|
|
30
|
+
// existing solution and what was found, with an explicit
|
|
31
|
+
// adopt-or-build judgment. Required by the Stop-capture parser in
|
|
32
|
+
// grill_me / full mode; relaxed in fast_confirm. See harness task
|
|
33
|
+
// 798d7173 / agent-grounding PR #85.
|
|
34
|
+
"Prior Art (list)",
|
|
29
35
|
];
|
|
30
36
|
/**
|
|
31
37
|
* Render a compact, agent-readable hint listing the canonical sections
|
|
@@ -47,7 +53,7 @@ export function renderReportSchemaHint() {
|
|
|
47
53
|
// one pair implied exhaustiveness. The bullets below show the canonical
|
|
48
54
|
// names; the parser's alias-tolerance is a quiet bonus, not something
|
|
49
55
|
// the agent needs to choose between.
|
|
50
|
-
const intro = "Report format (parsed by `@lannguyensi/understanding-gate`): markdown with these
|
|
56
|
+
const intro = "Report format (parsed by `@lannguyensi/understanding-gate`): markdown with these ten sections, any heading level (#, ##, ###), names case-insensitive. Missing any section produces a parse-error under `.understanding-gate/parse-errors/` and the audit trail is empty even though the gate-approval marker still gets written.";
|
|
51
57
|
const bullets = UNDERSTANDING_REPORT_REQUIRED_SECTIONS.map((s) => ` - ${s}`).join("\n");
|
|
52
58
|
return `${intro}\n${bullets}`;
|
|
53
59
|
}
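Review bot: The new `intro` string hard-codes "ten sections" while the count is already carried by `UNDERSTANDING_REPORT_REQUIRED_SECTIONS`, which this commit just extended from nine to ten; the literal will drift the next time a section is added. Derive it instead, e.g. `"...markdown with these " + String(UNDERSTANDING_REPORT_REQUIRED_SECTIONS.length) + " sections, any heading level ..."`, so the hint and the list cannot disagree. The sentence "the audit trail is empty even though the gate-approval marker still gets written" describes a parse failure that does not withhold the approval marker; if that is intended, it deserves a `// NOTE:` next to the constant in the first hunk explaining why, since a reader of this hint will otherwise assume a bug. The comment added in the first hunk also says the section is "relaxed in fast_confirm", which is in tension with "Missing any section produces a parse-error" — one of the two should name the mode it applies to.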
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"understanding-report-schema-hint.js","sourceRoot":"","sources":["../../../src/cli/pack/understanding-report-schema-hint.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,wEAAwE;AACxE,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,sEAAsE;AACtE,wEAAwE;AACxE,uEAAuE;AACvE,+CAA+C;AAC/C,EAAE;AACF,kEAAkE;AAClE,wDAAwD;AACxD,qEAAqE;AACrE,qEAAqE;AACrE,qEAAqE;AACrE,oEAAoE;AACpE,oEAAoE;AACpE,mEAAmE;AAEnE,MAAM,CAAC,MAAM,sCAAsC,GAAG;IACpD,mCAAmC;IACnC,8BAA8B;IAC9B,sBAAsB;IACtB,4BAA4B;IAC5B,oBAAoB;IACpB,uBAAuB;IACvB,qBAAqB;IACrB,cAAc;IACd,0BAA0B;
|
|
1
|
+
{"version":3,"file":"understanding-report-schema-hint.js","sourceRoot":"","sources":["../../../src/cli/pack/understanding-report-schema-hint.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,wEAAwE;AACxE,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,sEAAsE;AACtE,wEAAwE;AACxE,uEAAuE;AACvE,+CAA+C;AAC/C,EAAE;AACF,kEAAkE;AAClE,wDAAwD;AACxD,qEAAqE;AACrE,qEAAqE;AACrE,qEAAqE;AACrE,oEAAoE;AACpE,oEAAoE;AACpE,mEAAmE;AAEnE,MAAM,CAAC,MAAM,sCAAsC,GAAG;IACpD,mCAAmC;IACnC,8BAA8B;IAC9B,sBAAsB;IACtB,4BAA4B;IAC5B,oBAAoB;IACpB,uBAAuB;IACvB,qBAAqB;IACrB,cAAc;IACd,0BAA0B;IAC1B,qEAAqE;IACrE,yDAAyD;IACzD,kEAAkE;IAClE,kEAAkE;IAClE,qCAAqC;IACrC,kBAAkB;CACV,CAAC;AAEX;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB;IACpC,uEAAuE;IACvE,wEAAwE;IACxE,+DAA+D;IAC/D,yEAAyE;IACzE,oEAAoE;IACpE,wEAAwE;IACxE,sEAAsE;IACtE,qCAAqC;IACrC,MAAM,KAAK,GACT,mUAAmU,CAAC;IACtU,MAAM,OAAO,GAAG,sCAAsC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzF,OAAO,GAAG,KAAK,KAAK,OAAO,EAAE,CAAC;AAChC,CAAC"}
|
|
@@ -29,6 +29,16 @@ export interface InterceptCliOptions extends LoaderOptions {
|
|
|
29
29
|
* is preserved. Phase 5 #3 — opt-in only.
|
|
30
30
|
*/
|
|
31
31
|
verbose?: boolean;
|
|
32
|
+
/**
|
|
33
|
+
* Risk Gate seams (Phase 7 #5). Override the ambient inputs the
|
|
34
|
+
* Context Resolver matches `environments.resolvers[]` signals
|
|
35
|
+
* against, so a test exercising a `when:` policy stays hermetic.
|
|
36
|
+
* `env` defaults to `process.env`; the kube seams bypass the
|
|
37
|
+
* `~/.kube/config` read when either is supplied.
|
|
38
|
+
*/
|
|
39
|
+
env?: Record<string, string | undefined>;
|
|
40
|
+
kubeContext?: string;
|
|
41
|
+
kubeNamespace?: string;
|
|
32
42
|
}
|
|
33
43
|
export interface InterceptCliResult {
|
|
34
44
|
exitCode: number;
|
|
@@ -4,7 +4,8 @@
|
|
|
4
4
|
// the PreToolUse hook. Reads the event JSON from stdin, runs the runtime
|
|
5
5
|
// interceptor, writes Claude Code's deny JSON to stdout on block.
|
|
6
6
|
import { queryLedgerByTag, } from "../../policies/index.js";
|
|
7
|
-
import
|
|
7
|
+
import * as os from "node:os";
|
|
8
|
+
import { intercept, recordPolicyDecision, resolveGitContext, resolveKubeContext, } from "../../runtime/index.js";
|
|
8
9
|
import { loadManifest } from "../loader.js";
|
|
9
10
|
import { checkPauseFromLoader } from "../pause-check.js";
|
|
10
11
|
async function readStdin(stream) {
|
|
@@ -21,6 +22,15 @@ async function readStdin(stream) {
|
|
|
21
22
|
function findGroundingMcp(manifest) {
|
|
22
23
|
return manifest.tools.mcp.find((m) => m.name === "grounding-mcp") ?? null;
|
|
23
24
|
}
|
|
25
|
+
/** Resolve an `os` fact, returning "" on the (rare) lookup failure. */
|
|
26
|
+
function safeOs(fn) {
|
|
27
|
+
try {
|
|
28
|
+
return fn();
|
|
29
|
+
}
|
|
30
|
+
catch {
|
|
31
|
+
return "";
|
|
32
|
+
}
|
|
33
|
+
}
|
|
24
34
|
/**
|
|
25
35
|
* Phase 5 #3 — render a deny / warn-degraded decision as a stderr
|
|
26
36
|
* diagnostic block. Multiline, indented; each block is bounded by the
|
|
@@ -188,6 +198,28 @@ export async function runInterceptCli(opts = {}) {
|
|
|
188
198
|
TOOL_NAME: typeof event.tool_name === "string" ? event.tool_name : "",
|
|
189
199
|
CWD: cwd,
|
|
190
200
|
};
|
|
201
|
+
// Risk Gate ambient context — resolved only when the manifest
|
|
202
|
+
// declares a `when:`-bearing policy, so a pure Phase-4 manifest pays
|
|
203
|
+
// no kube-config read. `intercept()` applies the same gate; this just
|
|
204
|
+
// avoids the host I/O when nothing would consume it.
|
|
205
|
+
let riskContext;
|
|
206
|
+
if (manifest.policies.some((p) => p.when !== undefined)) {
|
|
207
|
+
const kube = opts.kubeContext !== undefined || opts.kubeNamespace !== undefined
|
|
208
|
+
? {
|
|
209
|
+
context: opts.kubeContext ?? "",
|
|
210
|
+
namespace: opts.kubeNamespace ?? "",
|
|
211
|
+
}
|
|
212
|
+
: resolveKubeContext();
|
|
213
|
+
riskContext = {
|
|
214
|
+
git: gitContext,
|
|
215
|
+
cwd,
|
|
216
|
+
user: safeOs(() => os.userInfo().username),
|
|
217
|
+
host: safeOs(() => os.hostname()),
|
|
218
|
+
env: opts.env ?? process.env,
|
|
219
|
+
kubeContext: kube.context,
|
|
220
|
+
kubeNamespace: kube.namespace,
|
|
221
|
+
};
|
|
222
|
+
}
|
|
191
223
|
const result = await intercept({
|
|
192
224
|
manifest,
|
|
193
225
|
event,
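Review bot: `env: opts.env ?? process.env` hands the whole process environment to the risk context, yet the Context Resolver only needs the signal keys named in `environments.resolvers[]`; if `riskContext` (or the decision derived from it) is ever serialized — `recordPolicyDecision` and the `ledger-record` changes in this release are not visible here — every secret in the hook's environment could land on disk. Consider narrowing to the referenced keys before building the context, or confirm and document that only matched signal names are recorded. Separately, `safeOs` (earlier hunk) maps a `userInfo()`/`hostname()` failure to `""`, so a `when:` clause keyed on `user` or `host` would evaluate against an empty string; whether that falls open or closed depends on `when-eval`, which should be checked and stated in the `safeOs` doc comment, e.g. `/** Resolve an os fact; "" on lookup failure, which when-eval treats as <open|closed> — confirm. */`. The enclosing `runInterceptCli` starts and ends outside this hunk.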
|
|
@@ -196,6 +228,7 @@ export async function runInterceptCli(opts = {}) {
|
|
|
196
228
|
...(opts.ledgerTimeoutMs !== undefined && { ledgerTimeoutMs: opts.ledgerTimeoutMs }),
|
|
197
229
|
...(opts.now && { now: opts.now }),
|
|
198
230
|
...(gitContext.sha.length > 0 && { currentHeadSha: gitContext.sha }),
|
|
231
|
+
...(riskContext && { riskContext }),
|
|
199
232
|
});
|
|
200
233
|
if (result.blockJson) {
|
|
201
234
|
stdout.write(`${JSON.stringify(result.blockJson)}\n`);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../../src/cli/policy/intercept.ts"],"names":[],"mappings":"AAAA,0DAA0D;AAC1D,EAAE;AACF,2EAA2E;AAC3E,yEAAyE;AACzE,kEAAkE;AAElE,OAAO,EACL,gBAAgB,GAGjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,SAAS,EACT,oBAAoB,EACpB,iBAAiB,
|
|
1
|
+
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../../src/cli/policy/intercept.ts"],"names":[],"mappings":"AAAA,0DAA0D;AAC1D,EAAE;AACF,2EAA2E;AAC3E,yEAAyE;AACzE,kEAAkE;AAElE,OAAO,EACL,gBAAgB,GAGjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EACL,SAAS,EACT,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,GAKnB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,YAAY,EAAsB,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AA+CzD,KAAK,UAAU,SAAS,CAAC,MAA6B;IACpD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAkB;IAC1C,OAAO,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,IAAI,IAAI,CAAC;AAC5E,CAAC;AAED,uEAAuE;AACvE,SAAS,MAAM,CAAC,EAAgB;IAC9B,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,wBAAwB,CAAC,QAAwB;IACxD,MAAM,MAAM,GAAG,6BAA6B,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,OAAO,GAClF,QAAQ,CAAC,OAAO,KAAK,eAAe,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,EACnE,EAAE,CAAC;IACH,MAAM,KAAK,GAAa,CAAC,MAAM,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,iBAAiB,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IAClD,IAAI,QAAQ,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,cAAc,QAAQ,CAAC,YAAY,CAAC,YAAY,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IACxD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAA
C;IACD,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAyB;IACjD,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IACzC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,0EAA0E;IAC1E,OAAO,CAAC,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAiB,EACjB,IAAyB;IAEzB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;QAC3C,CAAC,CAAC,MAAM,CAAC,OAAO;QAChB,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,SAAS,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,MAAM,EAAE,UAAU,IAAI,KAAK,CAAC;IAC7E,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,SAAS;YACzB,OAAO,gBAAgB,CAAC;gBACtB,UAAU,EAAE,OAAO;gBACnB,GAAG,CAAC,GAAG,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBAC3B,SAAS;gBACT,SAAS;aACV,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS;YAC9B,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,SAAS,EAAE;gBAC7D,UAAU,EAAE,OAAO;gBACnB,GAAG,CAAC,GAAG,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;gBAC3B,SAAS;aACV,CAAC,CAAC;YACH,iEAAiE;YACjE,kEAAkE;YAClE,gEAAgE;YAChE,mEAAmE;YACnE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBACf,MAAM,CAAC,KAAK,CACV,mDAAmD;oBACjD,GAAG,QAAQ,CAAC,UAAU,KAAK,MAAM,CAAC,MAAM,IAAI,eAAe,IAAI,CAClE,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc;IAC1C,OAAO;QACL,KAAK,CAAC,KAAK;YACT,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QACtC,CAAC;QACD,KAAK,CAAC,MAAM;YACV,sCAAsC;QACxC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAA4B,EAAE;IAE9B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,GAAG,G
AAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,KAAgB,CAAC;IACrB,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,CAAc,CAAC;IACtD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,mDAAoD,GAAa,CAAC,OAAO,IAAI,CAC9E,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACxD,CAAC;IAED,uEAAuE;IACvE,wEAAwE;IACxE,yEAAyE;IACzE,yEAAyE;IACzE,yEAAyE;IACzE,qEAAqE;IACrE,CAAC;QACC,MAAM,SAAS,GAA+C;YAC5D,UAAU,EAAE,IAAI;YAChB,SAAS,EAAE,kBAAkB;YAC7B,MAAM;SACP,CAAC;QACF,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS;YAAE,SAAS,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QAChF,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS;YAAE,SAAS,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACrD,IAAI,oBAAoB,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;YAC3C,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IAED,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC;IAC1D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,mDAAoD,GAAa,CAAC,OAAO,IAAI,CAC9E,CAAC;QACF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,MAAoB,CAAC;IACzB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,GAAG,MAAM;YACb,CAAC,CAAC,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC;YAChC,CAAC,CAAC,oBAAoB,CAAC,wCAAwC,CAAC,CAAC;IACrE,CAAC;IAED,sEAAsE;IACtE,oEAAoE;IACpE,mEAAmE;IACnE,2DAA2D;IAC3D,iEAAiE;IACjE,mEAAmE;IACnE,mEAAmE;IACnE,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,iEAAiE;IACjE,8DAA8D;IAC9D,uDAAuD;IACvD,sEAAsE;IACtE,mDAAmD;IACnD,MAAM,cAAc,GAAG,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3F,MAAM,gBAAgB,GAAG,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;IAC/E,uEAAuE;IACvE,0EAA0E;IAC1E,qEAAqE;IACrE,yEAAyE;IACzE,kEAAkE;IAClE,uDAAuD;IACvD,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,
CAAC;IACtE,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG;QACf,UAAU,EAAE,gBAAgB;QAC5B,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,UAAU,CAAC,IAAI;QACjD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,UAAU,CAAC,MAAM;QACvD,SAAS,EAAE,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrE,GAAG,EAAE,GAAG;KACT,CAAC;IAEF,8DAA8D;IAC9D,qEAAqE;IACrE,sEAAsE;IACtE,qDAAqD;IACrD,IAAI,WAAwC,CAAC;IAC7C,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,GACR,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;YAChE,CAAC,CAAC;gBACE,OAAO,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;gBAC/B,SAAS,EAAE,IAAI,CAAC,aAAa,IAAI,EAAE;aACpC;YACH,CAAC,CAAC,kBAAkB,EAAE,CAAC;QAC3B,WAAW,GAAG;YACZ,GAAG,EAAE,UAAU;YACf,GAAG;YACH,IAAI,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC;YAC1C,IAAI,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC;YACjC,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG;YAC5B,WAAW,EAAE,IAAI,CAAC,OAAO;YACzB,aAAa,EAAE,IAAI,CAAC,SAAS;SAC9B,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC;QAC7B,QAAQ;QACR,KAAK;QACL,MAAM;QACN,QAAQ;QACR,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,SAAS,IAAI,EAAE,eAAe,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC;QACpF,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAClC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,cAAc,EAAE,UAAU,CAAC,GAAG,EAAE,CAAC;QACpE,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACxD,CAAC;IAED,gEAAgE;IAChE,iEAAiE;IACjE,mEAAmE;IACnE,oEAAoE;IACpE,iEAAiE;IACjE,oEAAoE;IACpE,gEAAgE;IAChE,wCAAwC;IACxC,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACxC,IAAI,QAAQ,CAAC,OAAO,KAAK,OAAO;gBAAE,SAAS;YAC3C,MAAM,CAAC
,KAAK,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,CAAC;QACX,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,OAAO,EAAE,MAAM,CAAC,SAAS,KAAK,IAAI;KACnC,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAgB,EAAE,QAAkB;IAC7D,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,eAAe,KAAK,QAAQ,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;QAC3E,CAAC,CAAC,IAAI,KAAK,CAAC,eAAe,GAAG;QAC9B,CAAC,CAAC,WAAW,CAAC;IAClB,MAAM,YAAY,GAChB,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;QAC/D,CAAC,CAAC,IAAI,KAAK,CAAC,SAAS,GAAG;QACxB,CAAC,CAAC,WAAW,CAAC;IAClB,MAAM,gBAAgB,GAAG,KAAK,CAAC,IAAI,CACjC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CACvD,CAAC,IAAI,EAAE,CAAC;IACT,OAAO,CACL,oDAAoD;QACpD,mBAAmB,aAAa,cAAc,YAAY,GAAG;QAC7D,8BAA8B,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;QAC9D,iGAAiG,CAClG,CAAC;AACJ,CAAC"}
|
|
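--- a/package/dist/cli/validate/checks.d.ts
+++ b/package/dist/cli/validate/checks.d.ts
@@ -5,7 +5,7 @@ export interface CheckOptions {
 homeDir?: string;
 pathEnv?: string;
 builtinRuntimeProbe?: () => string[];
-versionProbe?: (cmd: string[]) => string | null;
+versionProbe?: (cmd: readonly string[]) => string | null;
 }
 declare function isRootedPath(p: string): boolean;
 declare function firstToken(command: string): string;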
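--- a/package/dist/cli/validate/checks.js
+++ b/package/dist/cli/validate/checks.js
@@ -1,8 +1,7 @@
 import * as fs from "node:fs";
 import * as os from "node:os";
 import * as path from "node:path";
-import {
-import { parsePackSource } from "../../policy-packs/source.js";
+import { checkPolicyPackConfigs, checkPolicyPackSources, } from "../../policy-packs/index.js";
 import { expandHome } from "../../runtime/expand-home.js";
 const DEFAULT_RUNTIME_BUILTINS = [
 "Read",
@@ -228,33 +227,37 @@ function checkPolicyGroundingMcp(manifest) {
 ];
 }
 // Phase 6 #2: surface pack-resolution problems at lint time, not at
-// `harness apply` time.
-//
-//
-//
+// `harness apply` time. Delegates to the shared `checkPolicyPackSources`
+// so the apply path (which now also fails loudly on these conditions)
+// stays bit-identical with validate. `enabled: false` packs are skipped
+// on both sides.
 function checkPolicyPacks(manifest) {
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-}
-
+return checkPolicyPackSources(manifest).map((issue) => ({
+severity: "error",
+path: `policy_packs[${issue.packIndex}].${issue.field}`,
+message: issue.message,
+}));
+}
+// Phase 6 follow-up (task d78fb3c7): per-pack `config:` shape check.
+// Each builtin pack registers a zod `configSchema` consumed via
+// `checkPolicyPackConfigs`; this turns the strict-mode issues into
+// validate Diagnostics so typo'd keys (`permision_profile`) and bad
+// enum values (`mode: "fastConfirm"`) fail loud at lint time. Runs
+// AFTER the source / name check above; an unknown pack name has no
+// registered schema and would be skipped silently here even without
+// the source check, but emitting both diagnostics in one run is the
+// point — the operator should see every issue per `validate` invocation.
+function checkPolicyPackConfigsAsDiagnostics(manifest) {
+return checkPolicyPackConfigs(manifest).map((issue) => {
+const path = issue.configPath.length > 0
+? `policy_packs[${issue.packIndex}].config.${issue.configPath}`
+: `policy_packs[${issue.packIndex}].config`;
+return {
+severity: "error",
+path,
+message: issue.message,
+};
 });
-return diags;
 }
 export function runAssetChecks(manifest, opts = {}) {
 const home = opts.homeDir ?? os.homedir();
@@ -266,6 +269,7 @@ export function runAssetChecks(manifest, opts = {}) {
 ...checkBuiltinDrift(manifest, opts),
 ...checkPolicyGroundingMcp(manifest),
 ...checkPolicyPacks(manifest),
+...checkPolicyPackConfigsAsDiagnostics(manifest),
 ];
 }
 export const __testables = {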
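Review bot: Inside `checkPolicyPackConfigsAsDiagnostics` the local `const path = issue.configPath.length > 0 ? … : …` shadows the module-level `path` import from `node:path` (line 3 of the same file), which is easy to misread in a file that also does real path work and will trip a `no-shadow` lint; renaming it to `diagPath` (and returning `path: diagPath,`) keeps the diagnostic shape identical. The interpolation also presumes `issue.configPath` is already a dotted string — if `checkPolicyPackConfigs` hands back a zod-style path array, `${…}` would join it with commas, so that is worth confirming at the producer. Both new helpers hard-code `severity: "error"`, which is consistent with the stated intent that a strict-schema rejection must fail validate rather than warn.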
@@ -1 +1 @@
1
-
{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../../src/cli/validate/checks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,
1
+
{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../../src/cli/validate/checks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAW1D,MAAM,wBAAwB,GAAG;IAC/B,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,OAAO;IACP,YAAY;IACZ,MAAM;IACN,MAAM;CACP,CAAC;AAEF,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,QAAgB;IAClC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,OAAe;IACpD,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,YAAY,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;IAC5E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,SAAS,GAAG,qBAAqB,CAAC;AAExC,SAAS,eAAe,CAAC,MAAc,EAAE,QAAgB;IACvD,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EA
AE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAAE,OAAO,CAAC,CAAC;QACnD,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC;QACtB,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,QAAQ,CAAC,QAAkB,EAAE,IAAY;IAChD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1F,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,WAAW;gBACtC,OAAO,EAAE,wBAAwB,QAAQ,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,QAAkB,EAAE,IAAkB;IACtD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAEvD,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,IAAI,QAAuB,CAAC;QAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;QACvF,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAC5C,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,UAAU;gBACrC,OAAO,EAAE,GAAG,CAAC,QAAQ;oBACnB,CAAC,CAAC,8BAA8B,GAAG,CAAC,MAAM,EAAE;oBAC5C,CAAC,CAAC,6BAA
6B,GAAG,CAAC,MAAM,EAAE;aAC9C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,WAAW;YAAE,OAAO;QAC7B,MAAM,cAAc,GAAG,GAAG,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACtE,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,4BAA4B,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;aAChE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,mCAAmC,MAAM,CAAC,IAAI,EAAE,GAAG;aAC7D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACnD,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,qBAAqB,KAAK,CAAC,CAAC,CAAC,0BAA0B,GAAG,CAAC,WAAW,EAAE;aAClF,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,QAAkB,EAAE,IAAY;IACnD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE,CAAC;QACjC,IAAI,KAAK,GAAG,KAAK,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACvC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;YAC7D,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7B,KAAK,GAAG,IAAI,CAAC;gBACb,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,yBAAyB,SAAS,GAAG;gBAC3C,OAAO,EAAE,0DAA0D;aACpE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,QAAkB,EAAE,IAAY;IAClD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QAC9B,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC
,CAAC;QACvC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,wBAAwB,QAAQ,EAAE;aAC5C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,uBAAuB,QAAQ,EAAE;aAC3C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,8BAA8B,QAAQ,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAkB,EAAE,IAAkB;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,IAAI,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,CAAC;IAC3E,MAAM,OAAO,GAAG,KAAK,EAAE,CAAC;IACxB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC,CAAC,qCAAqC;aAChF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;IACzE,IAAI,KAAK;QAAE,OAAO,EAAE,CAAC;IACrB,OAAO;QACL;YACE,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EACL,qIAAqI;SACxI;KACF,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,yEAAyE;AACzE,sEAAsE;AACtE,wEAAwE;AACxE,iBAAiB;AACjB,SAAS,gBAAgB,CAAC,QAAkB;IAC1C,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtD,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,gBAAgB,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,KAAK,EAAE;QACvD,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC,CAAC,CAAC;AACN,CA
AC;AAED,qEAAqE;AACrE,gEAAgE;AAChE,mEAAmE;AACnE,oEAAoE;AACpE,mEAAmE;AACnE,mEAAmE;AACnE,oEAAoE;AACpE,oEAAoE;AACpE,yEAAyE;AACzE,SAAS,mCAAmC,CAAC,QAAkB;IAC7D,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GACR,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;YACzB,CAAC,CAAC,gBAAgB,KAAK,CAAC,SAAS,YAAY,KAAK,CAAC,UAAU,EAAE;YAC/D,CAAC,CAAC,gBAAgB,KAAK,CAAC,SAAS,UAAU,CAAC;QAChD,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,QAAkB,EAClB,OAAqB,EAAE;IAEvB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1C,OAAO;QACL,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3B,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3B,GAAG,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC9B,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC7B,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC;QACpC,GAAG,uBAAuB,CAAC,QAAQ,CAAC;QACpC,GAAG,gBAAgB,CAAC,QAAQ,CAAC;QAC7B,GAAG,mCAAmC,CAAC,QAAQ,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,UAAU;IACV,YAAY;IACZ,UAAU;IACV,eAAe;IACf,aAAa;IACb,wBAAwB;CACzB,CAAC"}
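--- a/package/dist/io/version-compare.d.ts
+++ b/package/dist/io/version-compare.d.ts
@@ -1,13 +1,24 @@
 /**
 * Numeric semver compare for `min_version` gates in `harness doctor`.
-* Used by the `tools.mcp[]`, `memory.router`,
-* checks. Lives in `src/io/` (a leaf
-* `runtime/`-, `policies/`-, and
-* on it without re-creating the
-* task 1272feb6 just broke.
+* Used by the `tools.mcp[]`, `tools.cli[]`, `memory.router`, `hooks[]`,
+* and `policy_packs[]` version checks. Lives in `src/io/` (a leaf
+* module with no domain imports) so `runtime/`-, `policies/`-, and
+* `cli/`-side consumers can all depend on it without re-creating the
+* runtime/policies module-init cycle that task 1272feb6 just broke.
 *
 * Returns +1 if `a > b`, -1 if `a < b`, 0 on equality or on any parse
 * failure. Pads short components with zeros (`1.2` is treated as
 * `1.2.0` for the purposes of comparison with `1.2.0`).
+*
+* NUMERIC_VERSION_PATTERN is the schema-level guard that ensures
+* `min_version` values feeding this comparator are well-formed numeric
+* semver. Without it, a malformed value (`"latest"`, `"v1.0"`,
+* `"1.0.0-alpha"`) parses to `NaN` components below, which the NaN
+* branch then maps to 0 (equality), silently swallowing the version
+* floor. Schema fields that feed `compareNumericVersions` must wear
+* this pattern, and `NUMERIC_VERSION_MESSAGE` provides a stable
+* operator-facing error string shared across schemas.
 */
+export declare const NUMERIC_VERSION_PATTERN: RegExp;
+export declare const NUMERIC_VERSION_MESSAGE = "min_version must be numeric semver-shape: digits separated by up to three dots (e.g. \"1\", \"1.2\", \"1.2.3\", \"1.2.3.4\"). Pre-release suffixes and leading \"v\" are rejected.";
 export declare function compareNumericVersions(a: string, b: string): number;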
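--- a/package/dist/io/version-compare.js
+++ b/package/dist/io/version-compare.js
@@ -1,15 +1,26 @@
 /**
 * Numeric semver compare for `min_version` gates in `harness doctor`.
-* Used by the `tools.mcp[]`, `memory.router`,
-* checks. Lives in `src/io/` (a leaf
-* `runtime/`-, `policies/`-, and
-* on it without re-creating the
-* task 1272feb6 just broke.
+* Used by the `tools.mcp[]`, `tools.cli[]`, `memory.router`, `hooks[]`,
+* and `policy_packs[]` version checks. Lives in `src/io/` (a leaf
+* module with no domain imports) so `runtime/`-, `policies/`-, and
+* `cli/`-side consumers can all depend on it without re-creating the
+* runtime/policies module-init cycle that task 1272feb6 just broke.
 *
 * Returns +1 if `a > b`, -1 if `a < b`, 0 on equality or on any parse
 * failure. Pads short components with zeros (`1.2` is treated as
 * `1.2.0` for the purposes of comparison with `1.2.0`).
+*
+* NUMERIC_VERSION_PATTERN is the schema-level guard that ensures
+* `min_version` values feeding this comparator are well-formed numeric
+* semver. Without it, a malformed value (`"latest"`, `"v1.0"`,
+* `"1.0.0-alpha"`) parses to `NaN` components below, which the NaN
+* branch then maps to 0 (equality), silently swallowing the version
+* floor. Schema fields that feed `compareNumericVersions` must wear
+* this pattern, and `NUMERIC_VERSION_MESSAGE` provides a stable
+* operator-facing error string shared across schemas.
 */
+export const NUMERIC_VERSION_PATTERN = /^\d+(?:\.\d+){0,3}$/;
+export const NUMERIC_VERSION_MESSAGE = 'min_version must be numeric semver-shape: digits separated by up to three dots (e.g. "1", "1.2", "1.2.3", "1.2.3.4"). Pre-release suffixes and leading "v" are rejected.';
 export function compareNumericVersions(a, b) {
 const aa = a.split(".").map((n) => Number.parseInt(n, 10));
 const bb = b.split(".").map((n) => Number.parseInt(n, 10));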
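Review bot: `compareNumericVersions` still maps a NaN component to 0 (equality), so the version floor only holds if every caller's input has already passed `NUMERIC_VERSION_PATTERN`; the new header comment makes that the schema's job, but the comparator itself has no check and fails open on any string that reaches it by another route. Now that the pattern is colocated with the comparator, the cheapest defence is a precondition comment on the function plus a `NUMERIC_VERSION_PATTERN.test(v)` guard at any call site that cannot rely on the schema, e.g. `// Precondition: a and b match NUMERIC_VERSION_PATTERN; unvetted input degrades to 0 (treated as equal) — see header.` The `{0,3}` bound in the pattern agrees with the four-component examples in `NUMERIC_VERSION_MESSAGE`, and the `.d.ts` carries the same message text. The body of `compareNumericVersions` continues past the hunk.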
@@ -1 +1 @@
1
-
{"version":3,"file":"version-compare.js","sourceRoot":"","sources":["../../src/io/version-compare.ts"],"names":[],"mappings":"AAAA
1
+
{"version":3,"file":"version-compare.js","sourceRoot":"","sources":["../../src/io/version-compare.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,qBAAqB,CAAC;AAE7D,MAAM,CAAC,MAAM,uBAAuB,GAClC,0KAA0K,CAAC;AAE7K,MAAM,UAAU,sBAAsB,CAAC,CAAS,EAAE,CAAS;IACzD,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAAE,OAAO,CAAC,CAAC;QACnD,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC;QACtB,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}
@@ -1,8 +1,46 @@
|
|
|
1
|
+
import { z } from "zod";
|
|
1
2
|
import type { PolicyPack } from "../../schema/index.js";
|
|
2
3
|
import { type Runtime } from "../runtime.js";
|
|
3
4
|
import type { PackContribution } from "../types.js";
|
|
4
5
|
import { PACK_NAME } from "./branch-protection-runtime.js";
|
|
5
6
|
export { PACK_NAME };
|
|
7
|
+
/**
|
|
8
|
+
* Zod schema for this pack's `config:` block. See sibling pack
|
|
9
|
+
* `understanding-before-execution.configSchema` for rationale: strict
|
|
10
|
+
* by design so typo'd keys fail loud at lint time. `protected_branches`
|
|
11
|
+
* is the only operator-tunable key today; new keys land here first,
|
|
12
|
+
* then in `resolveProtectedBranches`.
|
|
13
|
+
*/
|
|
14
|
+
export declare const configSchema: z.ZodObject<{
|
|
15
|
+
protected_branches: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
16
|
+
ux: z.ZodOptional<z.ZodObject<{
|
|
17
|
+
cannot: z.ZodString;
|
|
18
|
+
required: z.ZodArray<z.ZodString, "many">;
|
|
19
|
+
run: z.ZodArray<z.ZodString, "many">;
|
|
20
|
+
}, "strict", z.ZodTypeAny, {
|
|
21
|
+
cannot: string;
|
|
22
|
+
required: string[];
|
|
23
|
+
run: string[];
|
|
24
|
+
}, {
|
|
25
|
+
cannot: string;
|
|
26
|
+
required: string[];
|
|
27
|
+
run: string[];
|
|
28
|
+
}>>;
|
|
29
|
+
}, "strict", z.ZodTypeAny, {
|
|
30
|
+
ux?: {
|
|
31
|
+
cannot: string;
|
|
32
|
+
required: string[];
|
|
33
|
+
run: string[];
|
|
34
|
+
} | undefined;
|
|
35
|
+
protected_branches?: string[] | undefined;
|
|
36
|
+
}, {
|
|
37
|
+
ux?: {
|
|
38
|
+
cannot: string;
|
|
39
|
+
required: string[];
|
|
40
|
+
run: string[];
|
|
41
|
+
} | undefined;
|
|
42
|
+
protected_branches?: string[] | undefined;
|
|
43
|
+
}>;
|
|
6
44
|
export declare function resolve(pack: PolicyPack, runtime?: Runtime): {
|
|
7
45
|
contribution: PackContribution;
|
|
8
46
|
warnings: string[];
|