@lannguyensi/harness 0.26.0 → 0.28.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +46 -0
- package/README.md +17 -12
- package/dist/cli/apply/apply.js +12 -2
- package/dist/cli/apply/apply.js.map +1 -1
- package/dist/cli/approve/risk.d.ts +43 -0
- package/dist/cli/approve/risk.js +126 -0
- package/dist/cli/approve/risk.js.map +1 -0
- package/dist/cli/audit.js +8 -2
- package/dist/cli/audit.js.map +1 -1
- package/dist/cli/doctor/format.js +55 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.d.ts +1 -1
- package/dist/cli/doctor/index.js +89 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/types.d.ts +79 -0
- package/dist/cli/event-input.js +8 -7
- package/dist/cli/event-input.js.map +1 -1
- package/dist/cli/explain-policy.d.ts +54 -0
- package/dist/cli/explain-policy.js +81 -0
- package/dist/cli/explain-policy.js.map +1 -0
- package/dist/cli/explain.js +4 -0
- package/dist/cli/explain.js.map +1 -1
- package/dist/cli/index.js +70 -4
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/composer.js +1 -1
- package/dist/cli/init/composer.js.map +1 -1
- package/dist/cli/init/dependencies.js +10 -9
- package/dist/cli/init/dependencies.js.map +1 -1
- package/dist/cli/init/profiles.d.ts +2 -2
- package/dist/cli/init/profiles.js +2 -2
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +99 -1
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js +6 -3
- package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +27 -3
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/read-only-bash.d.ts +13 -0
- package/dist/cli/pack/read-only-bash.js +177 -0
- package/dist/cli/pack/read-only-bash.js.map +1 -0
- package/dist/cli/pack/understanding-report-schema-hint.d.ts +1 -1
- package/dist/cli/pack/understanding-report-schema-hint.js +7 -1
- package/dist/cli/pack/understanding-report-schema-hint.js.map +1 -1
- package/dist/cli/policy/intercept.d.ts +10 -0
- package/dist/cli/policy/intercept.js +34 -1
- package/dist/cli/policy/intercept.js.map +1 -1
- package/dist/cli/validate/checks.d.ts +1 -1
- package/dist/cli/validate/checks.js +31 -27
- package/dist/cli/validate/checks.js.map +1 -1
- package/dist/io/version-compare.d.ts +16 -5
- package/dist/io/version-compare.js +16 -5
- package/dist/io/version-compare.js.map +1 -1
- package/dist/policy-packs/builtin/branch-protection.d.ts +38 -0
- package/dist/policy-packs/builtin/branch-protection.js +17 -0
- package/dist/policy-packs/builtin/branch-protection.js.map +1 -1
- package/dist/policy-packs/builtin/understanding-before-execution.d.ts +147 -0
- package/dist/policy-packs/builtin/understanding-before-execution.js +72 -10
- package/dist/policy-packs/builtin/understanding-before-execution.js.map +1 -1
- package/dist/policy-packs/config-check.d.ts +31 -0
- package/dist/policy-packs/config-check.js +58 -0
- package/dist/policy-packs/config-check.js.map +1 -0
- package/dist/policy-packs/expand.js +5 -4
- package/dist/policy-packs/expand.js.map +1 -1
- package/dist/policy-packs/index.d.ts +4 -1
- package/dist/policy-packs/index.js +4 -1
- package/dist/policy-packs/index.js.map +1 -1
- package/dist/policy-packs/registry.d.ts +20 -0
- package/dist/policy-packs/registry.js +39 -2
- package/dist/policy-packs/registry.js.map +1 -1
- package/dist/policy-packs/source-check.d.ts +28 -0
- package/dist/policy-packs/source-check.js +49 -0
- package/dist/policy-packs/source-check.js.map +1 -0
- package/dist/policy-packs/version-check.d.ts +37 -0
- package/dist/policy-packs/version-check.js +89 -0
- package/dist/policy-packs/version-check.js.map +1 -0
- package/dist/probes/memory.d.ts +1 -1
- package/dist/runtime/index.d.ts +2 -1
- package/dist/runtime/index.js +2 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/intercept.d.ts +60 -3
- package/dist/runtime/intercept.js +104 -6
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/ledger-record.d.ts +8 -0
- package/dist/runtime/ledger-record.js +2 -0
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/runtime/risk-classifier.js +27 -0
- package/dist/runtime/risk-classifier.js.map +1 -1
- package/dist/runtime/when-eval.d.ts +40 -0
- package/dist/runtime/when-eval.js +134 -0
- package/dist/runtime/when-eval.js.map +1 -0
- package/dist/schema/hooks.js +6 -1
- package/dist/schema/hooks.js.map +1 -1
- package/dist/schema/index.d.ts +20 -11
- package/dist/schema/memory.js +6 -1
- package/dist/schema/memory.js.map +1 -1
- package/dist/schema/policies.d.ts +13 -13
- package/dist/schema/policies.js +20 -8
- package/dist/schema/policies.js.map +1 -1
- package/dist/schema/policy-packs.d.ts +8 -0
- package/dist/schema/policy-packs.js +17 -0
- package/dist/schema/policy-packs.js.map +1 -1
- package/dist/schema/tools.js +11 -2
- package/dist/schema/tools.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
// Shared pack-source / builtin-name check, used by both
|
|
2
|
+
// `harness validate` (lint-time hard error) and `harness apply`
|
|
3
|
+
// (fail-loud before expansion). Without a single source of truth here,
|
|
4
|
+
// the two paths drifted: apply silently skipped unknown packs while
|
|
5
|
+
// validate erred — so an operator who never ran `validate` would push a
|
|
6
|
+
// broken manifest, see "apply succeeded", and only discover the pack
|
|
7
|
+
// never wired up at runtime.
|
|
8
|
+
import { isBuiltinPackName } from "./registry.js";
|
|
9
|
+
import { parsePackSource } from "./source.js";
|
|
10
|
+
/**
|
|
11
|
+
* Walks `manifest.policy_packs` in declared order and returns one issue
|
|
12
|
+
* per offending enabled pack. Output order is stable and matches the
|
|
13
|
+
* manifest array order — call sites rely on this when aggregating
|
|
14
|
+
* messages, and `tests/policy-packs/source-check.test.ts` asserts it.
|
|
15
|
+
*
|
|
16
|
+
* `enabled: false` packs are skipped on both sides: an operator who has
|
|
17
|
+
* intentionally stashed an unfinished pack reference shouldn't have
|
|
18
|
+
* apply or validate red until they re-enable it.
|
|
19
|
+
*/
|
|
20
|
+
export function checkPolicyPackSources(manifest) {
|
|
21
|
+
const issues = [];
|
|
22
|
+
manifest.policy_packs.forEach((pack, i) => {
|
|
23
|
+
if (!pack.enabled)
|
|
24
|
+
return;
|
|
25
|
+
const sourceParsed = parsePackSource(pack.source);
|
|
26
|
+
if (sourceParsed.kind === "unknown") {
|
|
27
|
+
issues.push({
|
|
28
|
+
packIndex: i,
|
|
29
|
+
packName: pack.name,
|
|
30
|
+
kind: "unknown-source",
|
|
31
|
+
source: pack.source,
|
|
32
|
+
field: "source",
|
|
33
|
+
message: `unknown source ${JSON.stringify(pack.source)}: only "builtin" resolves in v1; see docs/policy-packs/`,
|
|
34
|
+
});
|
|
35
|
+
return;
|
|
36
|
+
}
|
|
37
|
+
if (!isBuiltinPackName(pack.name)) {
|
|
38
|
+
issues.push({
|
|
39
|
+
packIndex: i,
|
|
40
|
+
packName: pack.name,
|
|
41
|
+
kind: "unknown-builtin",
|
|
42
|
+
field: "name",
|
|
43
|
+
message: `not a known builtin pack: ${JSON.stringify(pack.name)}. See docs/policy-packs/ for supported names.`,
|
|
44
|
+
});
|
|
45
|
+
}
|
|
46
|
+
});
|
|
47
|
+
return issues;
|
|
48
|
+
}
|
|
49
|
+
//# sourceMappingURL=source-check.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"source-check.js","sourceRoot":"","sources":["../../src/policy-packs/source-check.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,gEAAgE;AAChE,uEAAuE;AACvE,oEAAoE;AACpE,wEAAwE;AACxE,qEAAqE;AACrE,6BAA6B;AAE7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAqB9C;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAkB;IACvD,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxC,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC;gBACV,SAAS,EAAE,CAAC;gBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,IAAI,EAAE,gBAAgB;gBACtB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE,kBAAkB,IAAI,CAAC,SAAS,CACvC,IAAI,CAAC,MAAM,CACZ,yDAAyD;aAC3D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC;gBACV,SAAS,EAAE,CAAC;gBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,IAAI,EAAE,iBAAiB;gBACvB,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,6BAA6B,IAAI,CAAC,SAAS,CAClD,IAAI,CAAC,IAAI,CACV,+CAA+C;aACjD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import type { Manifest } from "../schema/index.js";
|
|
2
|
+
export type PolicyPackVersionGapKind =
|
|
3
|
+
/** Pack declares min_version but no version probe is registered (warn). */
|
|
4
|
+
"no_probe_registered"
|
|
5
|
+
/** Version probe returned null (binary missing / failed to launch). */
|
|
6
|
+
| "probe_failed"
|
|
7
|
+
/** Probe stdout did not match a `digit(.digit)*` token. */
|
|
8
|
+
| "parse_failed"
|
|
9
|
+
/** Probed version is below the declared floor. */
|
|
10
|
+
| "below_floor";
|
|
11
|
+
export interface PolicyPackVersionGap {
|
|
12
|
+
packIndex: number;
|
|
13
|
+
packName: string;
|
|
14
|
+
/** The declared floor from `policy_packs[i].min_version`. */
|
|
15
|
+
declaredMinVersion: string;
|
|
16
|
+
/**
|
|
17
|
+
* The version probe command that was (or would have been) invoked.
|
|
18
|
+
* Empty array when no probe is registered for the pack.
|
|
19
|
+
*/
|
|
20
|
+
versionCommand: readonly string[];
|
|
21
|
+
/** Parsed version string when the probe succeeded; otherwise null. */
|
|
22
|
+
actualVersion: string | null;
|
|
23
|
+
kind: PolicyPackVersionGapKind;
|
|
24
|
+
message: string;
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Walks `manifest.policy_packs` in declared order. For each enabled
|
|
28
|
+
* builtin pack that carries an explicit `min_version`, runs the
|
|
29
|
+
* registered probe (or flags missing-probe), parses the version, and
|
|
30
|
+
* compares against the floor. Returns one gap per offending pack;
|
|
31
|
+
* green ones produce nothing.
|
|
32
|
+
*
|
|
33
|
+
* `enabled: false` packs are skipped (consistent with the source +
|
|
34
|
+
* config helpers). Non-builtin pack names are skipped: the source
|
|
35
|
+
* check is the source of truth for "this pack does not resolve".
|
|
36
|
+
*/
|
|
37
|
+
export declare function checkPolicyPackVersions(manifest: Manifest, versionProbe: (cmd: readonly string[]) => string | null): PolicyPackVersionGap[];
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
// Per-pack version-floor check. Doctor uses this to surface a warning
|
|
2
|
+
// when the operator declared `policy_packs[].min_version: x.y.z` and
|
|
3
|
+
// the installed package-side bin reports below that. Mirrors the
|
|
4
|
+
// hook-level `checkHookVersion` design (see `src/cli/doctor/index.ts`):
|
|
5
|
+
// the same warning rungs, the same parse-failure fallback, so an
|
|
6
|
+
// operator reading doctor output sees a consistent shape regardless of
|
|
7
|
+
// which layer raised the gap.
|
|
8
|
+
//
|
|
9
|
+
// The split between this and the hook-level check is deliberate: a
|
|
10
|
+
// hook-level floor covers each individual hook command, this catches a
|
|
11
|
+
// pack-level config-schema mismatch (a `config:` key only the newer
|
|
12
|
+
// package honours). Both can fire in the same doctor run.
|
|
13
|
+
import { compareNumericVersions } from "../io/version-compare.js";
|
|
14
|
+
import { isBuiltinPackName, resolveBuiltinVersionCommand } from "./registry.js";
|
|
15
|
+
/**
|
|
16
|
+
* Walks `manifest.policy_packs` in declared order. For each enabled
|
|
17
|
+
* builtin pack that carries an explicit `min_version`, runs the
|
|
18
|
+
* registered probe (or flags missing-probe), parses the version, and
|
|
19
|
+
* compares against the floor. Returns one gap per offending pack;
|
|
20
|
+
* green ones produce nothing.
|
|
21
|
+
*
|
|
22
|
+
* `enabled: false` packs are skipped (consistent with the source +
|
|
23
|
+
* config helpers). Non-builtin pack names are skipped: the source
|
|
24
|
+
* check is the source of truth for "this pack does not resolve".
|
|
25
|
+
*/
|
|
26
|
+
export function checkPolicyPackVersions(manifest, versionProbe) {
|
|
27
|
+
const gaps = [];
|
|
28
|
+
manifest.policy_packs.forEach((pack, packIndex) => {
|
|
29
|
+
if (!pack.enabled)
|
|
30
|
+
return;
|
|
31
|
+
if (!isBuiltinPackName(pack.name))
|
|
32
|
+
return;
|
|
33
|
+
if (!pack.min_version)
|
|
34
|
+
return;
|
|
35
|
+
const versionCommand = resolveBuiltinVersionCommand(pack.name);
|
|
36
|
+
if (versionCommand === null) {
|
|
37
|
+
gaps.push({
|
|
38
|
+
packIndex,
|
|
39
|
+
packName: pack.name,
|
|
40
|
+
declaredMinVersion: pack.min_version,
|
|
41
|
+
versionCommand: [],
|
|
42
|
+
actualVersion: null,
|
|
43
|
+
kind: "no_probe_registered",
|
|
44
|
+
message: `no version probe registered for pack "${pack.name}"; the declared min_version cannot be enforced`,
|
|
45
|
+
});
|
|
46
|
+
return;
|
|
47
|
+
}
|
|
48
|
+
const stdout = versionProbe(versionCommand);
|
|
49
|
+
if (stdout === null) {
|
|
50
|
+
gaps.push({
|
|
51
|
+
packIndex,
|
|
52
|
+
packName: pack.name,
|
|
53
|
+
declaredMinVersion: pack.min_version,
|
|
54
|
+
versionCommand,
|
|
55
|
+
actualVersion: null,
|
|
56
|
+
kind: "probe_failed",
|
|
57
|
+
message: `version probe failed for ${versionCommand.join(" ")}`,
|
|
58
|
+
});
|
|
59
|
+
return;
|
|
60
|
+
}
|
|
61
|
+
const match = stdout.match(/(\d+(?:\.\d+){0,3})/);
|
|
62
|
+
if (!match || !match[1]) {
|
|
63
|
+
gaps.push({
|
|
64
|
+
packIndex,
|
|
65
|
+
packName: pack.name,
|
|
66
|
+
declaredMinVersion: pack.min_version,
|
|
67
|
+
versionCommand,
|
|
68
|
+
actualVersion: null,
|
|
69
|
+
kind: "parse_failed",
|
|
70
|
+
message: `could not parse a version from "${stdout.trim()}"`,
|
|
71
|
+
});
|
|
72
|
+
return;
|
|
73
|
+
}
|
|
74
|
+
const actual = match[1];
|
|
75
|
+
if (compareNumericVersions(actual, pack.min_version) < 0) {
|
|
76
|
+
gaps.push({
|
|
77
|
+
packIndex,
|
|
78
|
+
packName: pack.name,
|
|
79
|
+
declaredMinVersion: pack.min_version,
|
|
80
|
+
versionCommand,
|
|
81
|
+
actualVersion: actual,
|
|
82
|
+
kind: "below_floor",
|
|
83
|
+
message: `outdated: installed v${actual} < required ${pack.min_version}`,
|
|
84
|
+
});
|
|
85
|
+
}
|
|
86
|
+
});
|
|
87
|
+
return gaps;
|
|
88
|
+
}
|
|
89
|
+
//# sourceMappingURL=version-check.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"version-check.js","sourceRoot":"","sources":["../../src/policy-packs/version-check.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,qEAAqE;AACrE,iEAAiE;AACjE,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,8BAA8B;AAC9B,EAAE;AACF,mEAAmE;AACnE,uEAAuE;AACvE,oEAAoE;AACpE,0DAA0D;AAE1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,4BAA4B,EAAE,MAAM,eAAe,CAAC;AA6BhF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CACrC,QAAkB,EAClB,YAAuD;IAEvD,MAAM,IAAI,GAA2B,EAAE,CAAC;IACxC,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE;QAChD,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO;QAC1C,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAC9B,MAAM,cAAc,GAAG,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC;gBACR,SAAS;gBACT,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,kBAAkB,EAAE,IAAI,CAAC,WAAW;gBACpC,cAAc,EAAE,EAAE;gBAClB,aAAa,EAAE,IAAI;gBACnB,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,yCAAyC,IAAI,CAAC,IAAI,gDAAgD;aAC5G,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,IAAI,CAAC,IAAI,CAAC;gBACR,SAAS;gBACT,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,kBAAkB,EAAE,IAAI,CAAC,WAAW;gBACpC,cAAc;gBACd,aAAa,EAAE,IAAI;gBACnB,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,4BAA4B,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;aAChE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC;gBACR,SAAS;gBACT,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,kBAAkB,EAAE,IAAI,CAAC,WAAW;gBACpC,cAAc;gBACd,aAAa,EAAE,IAAI;gBACnB,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,mCAAmC,MAAM,CAAC,IAAI,EAAE,GAAG;aAC7D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACzD,IAAI,CAAC,IAAI,CAAC;gBACR,SAAS;gBACT,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,kBAAkB,EAAE,IAAI,CAAC,WAAW;gBACpC,cAAc;gBACd,aAAa,EAAE,MAAM;gBACrB,IAAI,EAAE,aAAa;gBACnB,OAAO,EAAE,wBAAwB,MAAM,eAAe,IAAI,CAAC,WAAW,EAAE;aACzE,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC"}
|
package/dist/probes/memory.d.ts
CHANGED
|
@@ -50,6 +50,6 @@ export interface MemoryOptions {
|
|
|
50
50
|
* spawnSync probe at CLI invocation. Returning `null` is treated as
|
|
51
51
|
* "version probe failed" and emits a warn line.
|
|
52
52
|
*/
|
|
53
|
-
versionProbe?: (cmd: string[]) => string | null;
|
|
53
|
+
versionProbe?: (cmd: readonly string[]) => string | null;
|
|
54
54
|
}
|
|
55
55
|
export declare function inspectMemory(manifest: Manifest, opts?: MemoryOptions): MemoryReport;
|
package/dist/runtime/index.d.ts
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
export { intercept, type ClaudeDenyJson, type InterceptOptions, type InterceptResult, type LedgerClient, type PolicyDecision, type PolicyOutcome, type ToolEvent, } from "./intercept.js";
|
|
1
|
+
export { intercept, policyMatchesEvent, type ClaudeDenyJson, type InterceptOptions, type InterceptResult, type LedgerClient, type PolicyDecision, type PolicyOutcome, type RiskGateContext, type ToolEvent, } from "./intercept.js";
|
|
2
|
+
export { evaluateWhen, type WhenClauseKey, type WhenClauseResult, type WhenContext, type WhenEvaluation, } from "./when-eval.js";
|
|
2
3
|
export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeLedgerContent, decisionSortKey, type LedgerRecordOptions, type PolicyDecisionPayload, } from "./ledger-record.js";
|
|
3
4
|
export { resolveSessionId } from "./session-id.js";
|
|
4
5
|
export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, type AgentFacingBlock, } from "./agent-facing.js";
|
package/dist/runtime/index.js
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
export { intercept, } from "./intercept.js";
|
|
1
|
+
export { intercept, policyMatchesEvent, } from "./intercept.js";
|
|
2
|
+
export { evaluateWhen, } from "./when-eval.js";
|
|
2
3
|
export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeLedgerContent, decisionSortKey, } from "./ledger-record.js";
|
|
3
4
|
export { resolveSessionId } from "./session-id.js";
|
|
4
5
|
export { buildAgentFacingBlock, formatAgentFacingMessage, renderAgentFacing, } from "./agent-facing.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,kBAAkB,GASnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,YAAY,GAKb,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,GAElB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAuB,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EACL,mBAAmB,GAKpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,YAAY,GAGb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,kBAAkB,GAGnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,kBAAkB,GAInB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}
|
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
import { type ExtractBuiltins, type LedgerQueryResult } from "../policies/index.js";
|
|
2
|
-
import type { Manifest } from "../schema/index.js";
|
|
2
|
+
import type { Manifest, Policy } from "../schema/index.js";
|
|
3
|
+
import { type EnvironmentResolution } from "./environment-resolver.js";
|
|
4
|
+
import type { GitRepoContext } from "./git-context.js";
|
|
5
|
+
import { type RiskProfile } from "./risk-classifier.js";
|
|
3
6
|
export interface ToolEvent {
|
|
4
7
|
hook_event_name?: string;
|
|
5
8
|
tool_name?: string;
|
|
@@ -8,10 +11,10 @@ export interface ToolEvent {
|
|
|
8
11
|
cwd?: string;
|
|
9
12
|
[key: string]: unknown;
|
|
10
13
|
}
|
|
11
|
-
export type PolicyOutcome = "allow" | "deny" | "warn-degraded";
|
|
14
|
+
export type PolicyOutcome = "allow" | "warn" | "require_approval" | "deny" | "warn-degraded";
|
|
12
15
|
export interface PolicyDecision {
|
|
13
16
|
policyName: string;
|
|
14
|
-
enforcement: "
|
|
17
|
+
enforcement: Policy["enforcement"];
|
|
15
18
|
outcome: PolicyOutcome;
|
|
16
19
|
reason: string;
|
|
17
20
|
extractValues: Record<string, string>;
|
|
@@ -20,6 +23,17 @@ export interface PolicyDecision {
|
|
|
20
23
|
matchedCount: number;
|
|
21
24
|
reason: string;
|
|
22
25
|
};
|
|
26
|
+
/**
|
|
27
|
+
* Risk Classifier verdict for the action this decision was made
|
|
28
|
+
* about. Present only when the Risk Gate was active for the event
|
|
29
|
+
* (the manifest declared at least one `when:`-bearing policy); absent
|
|
30
|
+
* for a pure Phase-4 manifest, keeping its decisions byte-identical.
|
|
31
|
+
* Recorded to the audit ledger so `harness explain --trace` can
|
|
32
|
+
* replay the classification.
|
|
33
|
+
*/
|
|
34
|
+
risk?: RiskProfile;
|
|
35
|
+
/** Context Resolver verdict, present under the same condition as `risk`. */
|
|
36
|
+
environment?: EnvironmentResolution;
|
|
23
37
|
/**
|
|
24
38
|
* One-line "to satisfy" hint synthesised from the policy's `requires`
|
|
25
39
|
* spec. Carried on the live decision so the deny-envelope formatter
|
|
@@ -84,5 +98,48 @@ export interface InterceptOptions {
|
|
|
84
98
|
* branch falls through to the standard time-window check.
|
|
85
99
|
*/
|
|
86
100
|
currentHeadSha?: string;
|
|
101
|
+
/**
|
|
102
|
+
* Ambient context for the Risk Gate stages — the Action Envelope
|
|
103
|
+
* build (#2) and the environment resolution (#4). Resolved by the CLI
|
|
104
|
+
* wrapper (git / user / host / kube-config / env reads) and threaded
|
|
105
|
+
* in, keeping `intercept()` itself I/O-free, the same
|
|
106
|
+
* resolved-by-the-wrapper pattern as `currentHeadSha` and `builtins`.
|
|
107
|
+
*
|
|
108
|
+
* Optional: omitted by Phase-4-era callers and by unit tests that do
|
|
109
|
+
* not exercise `when:`. When omitted, the envelope is built from the
|
|
110
|
+
* event alone — risk then classifies as unclassified and the
|
|
111
|
+
* environment resolves to `unknown`. A manifest with no `when:`
|
|
112
|
+
* policy never reads any of this regardless (see `intercept`).
|
|
113
|
+
*/
|
|
114
|
+
riskContext?: RiskGateContext;
|
|
87
115
|
}
|
|
116
|
+
/**
|
|
117
|
+
* Ambient inputs the Risk Gate needs that the CLI wrapper resolves from
|
|
118
|
+
* the host (filesystem + process). Mirrors the `EnvelopeContext` /
|
|
119
|
+
* `SignalInputs` split the debug verbs already use.
|
|
120
|
+
*/
|
|
121
|
+
export interface RiskGateContext {
|
|
122
|
+
/** Git context resolved against the event's cwd. */
|
|
123
|
+
git: GitRepoContext;
|
|
124
|
+
/** Working directory the action runs in. */
|
|
125
|
+
cwd: string;
|
|
126
|
+
/** OS user, or "" when unavailable. */
|
|
127
|
+
user: string;
|
|
128
|
+
/** Host name, or "" when unavailable. */
|
|
129
|
+
host: string;
|
|
130
|
+
/** Environment variables, for resolver `env_var_patterns`. */
|
|
131
|
+
env: Record<string, string | undefined>;
|
|
132
|
+
/** Current kube context name, or "" when unknown. */
|
|
133
|
+
kubeContext: string;
|
|
134
|
+
/** Current kube namespace, or "" when unknown. */
|
|
135
|
+
kubeNamespace: string;
|
|
136
|
+
}
|
|
137
|
+
/**
|
|
138
|
+
* Does a policy's `trigger:` match this event? This is the WHICH-tool-
|
|
139
|
+
* calls filter; the WHETHER-it-applies filter is `policy.when:`,
|
|
140
|
+
* evaluated separately (`evaluateWhen`). A policy fires only when both
|
|
141
|
+
* hold. Exported so `harness explain-policy` can report the trigger
|
|
142
|
+
* verdict on its own.
|
|
143
|
+
*/
|
|
144
|
+
export declare function policyMatchesEvent(policy: Policy, event: ToolEvent): boolean;
|
|
88
145
|
export declare function intercept(options: InterceptOptions): Promise<InterceptResult>;
|
|
@@ -7,11 +7,45 @@
|
|
|
7
7
|
// that wraps this.
|
|
8
8
|
import { evaluateExtract, evaluateRequires, parseDurationSeconds, substituteTemplate, } from "../policies/index.js";
|
|
9
9
|
import { renderProducers } from "../policies/producers.js";
|
|
10
|
+
import { buildActionEnvelope } from "./action-envelope.js";
|
|
10
11
|
import { renderAgentFacing } from "./agent-facing.js";
|
|
12
|
+
import { resolveEnvironment, } from "./environment-resolver.js";
|
|
11
13
|
import { POLICY_DECISION_TYPE } from "./ledger-record.js";
|
|
14
|
+
import { classifyRisk } from "./risk-classifier.js";
|
|
12
15
|
import { resolveSessionId } from "./session-id.js";
|
|
13
16
|
import { expandToolNameAliases, extractShellCommand, } from "./tool-name-aliases.js";
|
|
14
|
-
|
|
17
|
+
import { evaluateWhen } from "./when-eval.js";
|
|
18
|
+
/**
|
|
19
|
+
* Build the Action Envelope for an event and run it through the Risk
|
|
20
|
+
* Classifier (#3) and Context Resolver (#4). Pure: every host fact
|
|
21
|
+
* arrives via `riskContext`; when it is absent the envelope is built
|
|
22
|
+
* from the event alone (unclassified risk, `unknown` environment).
|
|
23
|
+
*/
|
|
24
|
+
function enrichEnvelope(manifest, event, riskContext, now) {
|
|
25
|
+
const rc = riskContext;
|
|
26
|
+
const envelope = buildActionEnvelope(event, {
|
|
27
|
+
cwd: rc?.cwd ?? (typeof event.cwd === "string" ? event.cwd : ""),
|
|
28
|
+
git: rc?.git ?? { repo: "", branch: "", sha: "" },
|
|
29
|
+
user: rc?.user ?? "",
|
|
30
|
+
host: rc?.host ?? "",
|
|
31
|
+
now: now ?? new Date(),
|
|
32
|
+
});
|
|
33
|
+
const risk = classifyRisk(envelope, manifest.risk.classifiers);
|
|
34
|
+
const environment = resolveEnvironment(envelope, manifest.environments.resolvers, {
|
|
35
|
+
env: rc?.env ?? {},
|
|
36
|
+
kubeContext: rc?.kubeContext ?? "",
|
|
37
|
+
kubeNamespace: rc?.kubeNamespace ?? "",
|
|
38
|
+
});
|
|
39
|
+
return { risk, environment };
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Does a policy's `trigger:` match this event? This is the WHICH-tool-
|
|
43
|
+
* calls filter; the WHETHER-it-applies filter is `policy.when:`,
|
|
44
|
+
* evaluated separately (`evaluateWhen`). A policy fires only when both
|
|
45
|
+
* hold. Exported so `harness explain-policy` can report the trigger
|
|
46
|
+
* verdict on its own.
|
|
47
|
+
*/
|
|
48
|
+
export function policyMatchesEvent(policy, event) {
|
|
15
49
|
if (policy.trigger.event !== event.hook_event_name)
|
|
16
50
|
return false;
|
|
17
51
|
if (policy.trigger.match !== undefined) {
|
|
@@ -46,6 +80,35 @@ function buildEventContext(event) {
|
|
|
46
80
|
git: {},
|
|
47
81
|
};
|
|
48
82
|
}
|
|
83
|
+
/** Map a failed-`requires` policy to its decision outcome by enforcement. */
|
|
84
|
+
function outcomeForFailedRequires(enforcement) {
|
|
85
|
+
switch (enforcement) {
|
|
86
|
+
case "block":
|
|
87
|
+
return "deny";
|
|
88
|
+
case "warn":
|
|
89
|
+
return "warn";
|
|
90
|
+
case "require_approval":
|
|
91
|
+
return "require_approval";
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
/**
|
|
95
|
+
* Does a decision abort the tool call? Phase 7 #6 makes the Risk Gate
|
|
96
|
+
* authoritative at the `PreToolUse` boundary:
|
|
97
|
+
* - `deny` aborts (a `block`-enforcement policy whose requires failed,
|
|
98
|
+
* the Phase 4 mechanism, unchanged).
|
|
99
|
+
* - `require_approval` aborts until the approval evidence exists. In
|
|
100
|
+
* Phase 7 #5 this outcome was returned but did not block; #6 makes
|
|
101
|
+
* it block. The approval tag is satisfiable through the policy's
|
|
102
|
+
* `requires:` (an operator runs `harness approve risk`); once the
|
|
103
|
+
* tag is on record the requires evaluation passes and the outcome
|
|
104
|
+
* is `allow` instead.
|
|
105
|
+
* - `allow` / `warn` / `warn-degraded` never abort.
|
|
106
|
+
*/
|
|
107
|
+
function isBlockingDecision(d) {
|
|
108
|
+
if (d.outcome === "deny")
|
|
109
|
+
return d.enforcement === "block";
|
|
110
|
+
return d.outcome === "require_approval";
|
|
111
|
+
}
|
|
49
112
|
async function evaluateOnePolicy(policy, options) {
|
|
50
113
|
const evaluatedAt = (options.now ?? new Date()).toISOString();
|
|
51
114
|
const ctx = buildEventContext(options.event);
|
|
@@ -130,7 +193,14 @@ async function evaluateOnePolicy(policy, options) {
|
|
|
130
193
|
evaluatedAt,
|
|
131
194
|
};
|
|
132
195
|
}
|
|
133
|
-
|
|
196
|
+
// Four-way decision (Phase 7 #5). A satisfied `requires` always
|
|
197
|
+
// `allow`s; a failed one is mapped by the policy's enforcement —
|
|
198
|
+
// `block` → `deny`, `warn` → `warn`, `require_approval` →
|
|
199
|
+
// `require_approval`. The evaluator only RETURNS `require_approval`
|
|
200
|
+
// here; Phase 7 #6 makes it block.
|
|
201
|
+
const outcome = evaluation.allowed
|
|
202
|
+
? "allow"
|
|
203
|
+
: outcomeForFailedRequires(policy.enforcement);
|
|
134
204
|
return {
|
|
135
205
|
policyName: policy.name,
|
|
136
206
|
enforcement: policy.enforcement,
|
|
@@ -168,19 +238,47 @@ function filterEntriesByTag(entries, tag) {
|
|
|
168
238
|
(e.source !== undefined && e.source.includes(tag))));
|
|
169
239
|
}
|
|
170
240
|
export async function intercept(options) {
|
|
171
|
-
const
|
|
241
|
+
const { manifest, event } = options;
|
|
242
|
+
// The Risk Gate is active only when some policy declares a `when:`
|
|
243
|
+
// block. A manifest with none — every Phase 4 / 5 / 6 manifest — skips
|
|
244
|
+
// envelope enrichment entirely: no `buildActionEnvelope`, no
|
|
245
|
+
// classifier, no resolver, and decisions carry no `risk` / `environment`.
|
|
246
|
+
// That keeps such manifests byte-for-byte identical to pre-Phase-7-#5.
|
|
247
|
+
const riskGateActive = manifest.policies.some((p) => p.when !== undefined);
|
|
248
|
+
const enriched = riskGateActive
|
|
249
|
+
? enrichEnvelope(manifest, event, options.riskContext, options.now)
|
|
250
|
+
: undefined;
|
|
251
|
+
// A policy fires only when its `trigger:` matches AND — when declared
|
|
252
|
+
// — every `when:` clause holds against the enriched envelope.
|
|
253
|
+
const matching = manifest.policies.filter((p) => {
|
|
254
|
+
if (!policyMatchesEvent(p, event))
|
|
255
|
+
return false;
|
|
256
|
+
if (p.when === undefined)
|
|
257
|
+
return true;
|
|
258
|
+
// `enriched` is defined here: a policy with `when:` set `riskGateActive`.
|
|
259
|
+
return evaluateWhen(p.when, enriched).matched;
|
|
260
|
+
});
|
|
172
261
|
const decisions = [];
|
|
173
262
|
for (const policy of matching) {
|
|
174
|
-
const
|
|
263
|
+
const base = await evaluateOnePolicy(policy, options);
|
|
264
|
+
// Attach the per-event Risk Gate verdicts so `harness audit` /
|
|
265
|
+
// `explain --trace` can replay the classification + environment
|
|
266
|
+
// that the `when:` match was made against.
|
|
267
|
+
const decision = enriched
|
|
268
|
+
? { ...base, risk: enriched.risk, environment: enriched.environment }
|
|
269
|
+
: base;
|
|
175
270
|
decisions.push(decision);
|
|
176
271
|
try {
|
|
177
|
-
await options.ledger.record(decision, resolveSessionId(
|
|
272
|
+
await options.ledger.record(decision, resolveSessionId(event.session_id));
|
|
178
273
|
}
|
|
179
274
|
catch {
|
|
180
275
|
/* audit-write failure must not block; the decision is still applied. */
|
|
181
276
|
}
|
|
182
277
|
}
|
|
183
|
-
|
|
278
|
+
// First blocking decision wins the envelope. `deny` and
|
|
279
|
+
// `require_approval` both abort (Phase 7 #6); the search order is the
|
|
280
|
+
// manifest's policy order, same as Phase 4.
|
|
281
|
+
const blocking = decisions.find(isBlockingDecision);
|
|
184
282
|
if (blocking) {
|
|
185
283
|
const sessionId = resolveSessionId(options.event.session_id);
|
|
186
284
|
// Append the "to satisfy" hint so Claude Code's deny message tells
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"intercept.js","sourceRoot":"","sources":["../../src/runtime/intercept.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,wEAAwE;AACxE,2EAA2E;AAC3E,mBAAmB;AAEnB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,GAOnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EACL,kBAAkB,GAEnB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAoB,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAuK9C;;;;;GAKG;AACH,SAAS,cAAc,CACrB,QAAkB,EAClB,KAAgB,EAChB,WAAwC,EACxC,GAAqB;IAErB,MAAM,EAAE,GAAG,WAAW,CAAC;IACvB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC1C,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QACjD,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE;QACpB,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE;QACpB,GAAG,EAAE,GAAG,IAAI,IAAI,IAAI,EAAE;KACvB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,kBAAkB,CACpC,QAAQ,EACR,QAAQ,CAAC,YAAY,CAAC,SAAS,EAC/B;QACE,GAAG,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE;QAClB,WAAW,EAAE,EAAE,EAAE,WAAW,IAAI,EAAE;QAClC,aAAa,EAAE,EAAE,EAAE,aAAa,IAAI,EAAE;KACvC,CACF,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,KAAgB;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,eAAe;QAAE,OAAO,KAAK,CAAC;IACjE,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACtD,MAAM,SAAS,GAAG,qBAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACzD,IACE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,KAAM,CAAC,CAAC,EACvE,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,EAAU,CAAC;QACf,IAAI,CAAC;YACH,EAAE,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAgB;IACzC,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,KAAK;QAC5D,KAAK;QACL,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE,EAAE;QACvC,GAAG,EAAE,EAAE;KACR,CAAC;AACJ,CAAC;AAED,6EAA6E;AAC7E,SAAS,wBAAwB,CAC/B,WAAkC;IAElC,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,kBAAkB;YACrB,OAAO,kBAAkB,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,kBAAkB,CAAC,CAAiB;IAC3C,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM;QAAE,OAAO,CAAC,CAAC,WAAW,KAAK,OAAO,CAAC;IAC3D,OAAO,CAAC,CAAC,OAAO,KAAK,kBAAkB,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,MAAc,EACd,OAAyB;IAEzB,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,eAAe,CAC7B,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,EAC5B,GAAG,EACH,OAAO,CAAC,QAAQ,CACjB,CAAC;IACF,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;SACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,MAAM,GAAG,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC;IAC7B,MAAM,UAAU,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,kCAAkC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACjE,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,WAA8B,CAAC;IACnC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,SAAS,EACT,SAAS,EACT,OAAO,CAAC,eAAe,CACxB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,WAAW,GAAG;YACZ,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,uBAAwB,GAAa,CAAC,OAAO,EAAE;SACxD,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACpC,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,mBAAmB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBACnD,aAAa,EAAE,OAAO,CAAC,MAAM;gBAC7B,SAAS;gBACT,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAA4B;QACxC,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,GAAG,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS;YACtC,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI;YACnC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;KACL,CAAC;IACF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACpE,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,UAAU,GAAG,gBAAgB,CAC3B,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,EAC7C,QAAQ,EACR,QAAQ,CACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,wBAAyB,GAAa,CAAC,OAAO,EAAE;YACxD,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,iEAAiE;IACjE,0DAA0D;IAC1D,oEAAoE;IACpE,mCAAmC;IACnC,MAAM,OAAO,GAAkB,UAAU,CAAC,OAAO;QAC/C,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO;QACP,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,aAAa,EAAE,OAAO,CAAC,MAAM;QAC7B,SAAS;QACT,YAAY,EAAE;YACZ,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B;QACD,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,OAAsB,EACtB,GAAW;IAEX,0EAA0E;IAC1E,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,EAAE;IACF,gEAAgE;IAChE,mEAAmE;IACnE,iEAAiE;IACjE,4DAA4D;IAC5D,6DAA6D;IAC7D,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,oBAAoB;QAC/B,+DAA+D;QAC/D,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,oDAAoD;QACpD,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,oBAAoB,GAAG,CAAC;QACjD,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YACtB,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAyB;IAEzB,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAEpC,mEAAmE;IACnE,uEAAuE;IACvE,6DAA6D;IAC7D,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;IAC3E,MAAM,QAAQ,GAAiC,cAAc;QAC3D,CAAC,CAAC,cAAc,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC;QACnE,CAAC,CAAC,SAAS,CAAC;IAEd,sEAAsE;IACtE,8DAA8D;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9C,IAAI,CAAC,kBAAkB,CAAC,CAAC,EAAE,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAChD,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACtC,0EAA0E;QAC1E,OAAO,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,QAAS,CAAC,CAAC,OAAO,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAqB,EAAE,CAAC;IACvC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACtD,+DAA+D;QAC/D,gEAAgE;QAChE,2CAA2C;QAC3C,MAAM,QAAQ,GAAmB,QAAQ;YACvC,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE;YACrE,CAAC,CAAC,IAAI,CAAC;QACT,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,CACzB,QAAQ,EACR,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,CACnC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,sEAAsE;IACtE,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACpD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7D,mEAAmE;QACnE,qEAAqE;QACrE,kEAAkE;QAClE,6DAA6D;QAC7D,iEAAiE;QACjE,iEAAiE;QACjE,gEAAgE;QAChE,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU;YACpC,CAAC,CAAC,gBAAgB,QAAQ,CAAC,UAAU,eAAe,SAAS,MAAM;YACnE,CAAC,CAAC,EAAE,CAAC;QACP,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,+DAA+D;QAC/D,iEAAiE;QACjE,kEAAkE;QAClE,8DAA8D;QAC9D,0DAA0D;QAC1D,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC5E,2DAA2D;QAC3D,6DAA6D;QAC7D,+DAA+D;QAC/D,4DAA4D;QAC5D,8DAA8D;QAC9D,4DAA4D;QAC5D,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,UAAkB,CAAC;QACvB,IAAI,cAAc,EAAE,EAAE,EAAE,CAAC;YACvB,UAAU,GAAG,iBAAiB,CAAC,cAAc,CAAC,EAAE,EAAE;gBAChD,GAAG,QAAQ,CAAC,aAAa;gBACzB,UAAU,EAAE,SAAS;aACtB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,cAAc,GAAG,eAAe,CACpC,cAAc,EAAE,SAAS,EACzB,QAAQ,CAAC,aAAa,CACvB,CAAC;YACF,UAAU,GAAG,GAAG,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,MAAM,IAAI,UAAU,GAAG,cAAc,EAAE,CAAC;QAC3F,CAAC;QACD,MAAM,KAAK,GAAmB;YAC5B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,UAAU;SACnB,CAAC;QACF,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,eAAe,KAAK,YAAY,EAAE,CAAC;YACnD,KAAK,CAAC,kBAAkB,GAAG;gBACzB,aAAa,EAAE,YAAY;gBAC3B,kBAAkB,EAAE,MAAM;gBAC1B,+DAA+D;gBAC/D,8DAA8D;gBAC9D,wBAAwB,EAAE,UAAU;aACrC,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC"}
|
|
@@ -25,6 +25,14 @@ export interface PolicyDecisionPayload {
|
|
|
25
25
|
matchedCount: number;
|
|
26
26
|
reason: string;
|
|
27
27
|
};
|
|
28
|
+
/**
|
|
29
|
+
* Risk Gate verdicts for the action (Phase 7 #5). Present only when
|
|
30
|
+
* the Risk Gate was active for the event; absent for a pure Phase-4
|
|
31
|
+
* manifest, and absent on any `policy_decision` row recorded before
|
|
32
|
+
* Phase 7 #5 — `harness explain --trace` renders them only when present.
|
|
33
|
+
*/
|
|
34
|
+
risk?: PolicyDecision["risk"];
|
|
35
|
+
environment?: PolicyDecision["environment"];
|
|
28
36
|
evaluatedAt: string;
|
|
29
37
|
}
|
|
30
38
|
export declare function payloadFromDecision(decision: PolicyDecision): PolicyDecisionPayload;
|
|
@@ -29,6 +29,8 @@ export function payloadFromDecision(decision) {
|
|
|
29
29
|
ledgerTag: decision.ledgerTag,
|
|
30
30
|
extractValues: decision.extractValues,
|
|
31
31
|
...(decision.requiresEval && { requiresEval: decision.requiresEval }),
|
|
32
|
+
...(decision.risk && { risk: decision.risk }),
|
|
33
|
+
...(decision.environment && { environment: decision.environment }),
|
|
32
34
|
evaluatedAt: decision.evaluatedAt,
|
|
33
35
|
};
|
|
34
36
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"ledger-record.js","sourceRoot":"","sources":["../../src/runtime/ledger-record.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,kEAAkE;AAClE,8EAA8E;AAC9E,6EAA6E;AAC7E,8DAA8D;AAC9D,sDAAsD;AAEtD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AASxC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,MAAM,GAAG,oBAAoB,CAAC;AAqBpC,MAAM,UAAU,mBAAmB,CACjC,QAAwB;IAExB,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,UAAU;QACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,aAAa,EAAE,QAAQ,CAAC,aAAa;QACrC,GAAG,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC;QACrE,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7C,GAAG,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC;QAClE,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAA8B;IAChE,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;AACnF,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAkB,EAClB,OAA8B;IAE9B,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACnD,IAAI,KAAK,CAAC,SAAS,YAAY,IAAI;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;IACtE,OAAO,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAA0B,CAAC;QAC1E,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAwB,EACxB,SAAiB,EACjB,IAAyB;IAEzB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC7C,kEAAkE;IAClE,mEAAmE;IACnE,mEAAmE;IACnE,iEAAiE;IACjE,6DAA6D;IAC7D,2DAA2D;IAC3D,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,CAAmC,EAAQ,EAAE;YAC3D,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,CAAC,CAAC,CAAC,CAAC;QACb,CAAC,CAAC;QAEF,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB;;;;;WAKG;QACH,MAAM,cAAc,GAAG,GAAS,EAAE;YAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,oBAAoB;wBAC1B,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,GAAS,EAAE;YACjC,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,IAAI,EAAE,YAAY;oBAClB,SAAS,EAAE;wBACT,SAAS;wBACT,IAAI,EAAE,MAAM;wBACZ,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf;iBACF;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,SAAS,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpC,IAAI,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAG1B,CAAC;wBACF,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;4BAChC,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gCAChB,OAAO,EAAE,KAAK;gCACd,MAAM,EAAE,2BAA2B;6BACpC,CAAC,IAAI,CACP,CAAC;4BACF,cAAc,EAAE,CAAC;4BACjB,UAAU,GAAG,IAAI,CAAC;wBACpB,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,0CAA0C;gCAC1C,mDAAmD;gCACnD,oCAAoC;gCACpC,IAAI,CAAC,YAAY,EAAE,CAAC;oCAClB,eAAe,EAAE,CAAC;oCAClB,OAAO;gCACT,CAAC;gCACD,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;gBACD,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACpC,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC;YACzE,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAC3B,kCAAkC;QACpC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,CAAC,KAAK,CACf,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,OAAO,EAAE;iBACnE;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAuB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,SAAS,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -32,13 +32,40 @@ const SEVERITY_ORDER = RiskSeveritySchema.options;
|
|
|
32
32
|
// caution. A genuinely destructive-but-reversible action simply should
|
|
33
33
|
// not be tagged `destructive` by its classifier author.
|
|
34
34
|
const IRREVERSIBLE_CATEGORIES = new Set(["irreversible_action", "data_loss", "destructive"]);
|
|
35
|
+
// Hot-path ReDoS guard (Phase 7 #6). As of Phase 7 #5/#6 the classifier
|
|
36
|
+
// runs operator-authored regexes against tool input on EVERY PreToolUse
|
|
37
|
+
// call inside `harness policy intercept`. Catastrophic-backtracking cost
|
|
38
|
+
// scales with input length, so the match subject is capped before any
|
|
39
|
+
// pattern runs. This bounds the input-length-driven blow-up — the common
|
|
40
|
+
// failure mode for a tool call that pipes a large blob through Bash.
|
|
41
|
+
//
|
|
42
|
+
// It is a mitigation, not a complete fix: harness does NOT screen the
|
|
43
|
+
// classifier patterns themselves for catastrophic backtracking. A
|
|
44
|
+
// manifest is operator-trusted config — the same contract already stated
|
|
45
|
+
// for `environments.resolvers[].kube_context_patterns` in
|
|
46
|
+
// docs/risk-gate.md. A pathological *pattern* is a self-inflicted hazard.
|
|
47
|
+
//
|
|
48
|
+
// 16 KiB comfortably covers any real shell command or serialized tool
|
|
49
|
+
// input. A genuinely dangerous command longer than the cap still does
|
|
50
|
+
// not slip the gate: its head (where `rm -rf` / `terraform destroy` /
|
|
51
|
+
// `kubectl delete` live) is within the cap, and an action that ends up
|
|
52
|
+
// unclassified is treated as risk-bearing by the `when:` evaluator.
|
|
53
|
+
const MAX_SUBJECT_LENGTH = 16 * 1024;
|
|
35
54
|
/**
|
|
36
55
|
* The string a classifier's patterns are regex-matched against. For a
|
|
37
56
|
* shell-class tool (or any tool whose input carries a `command` / `cmd`
|
|
38
57
|
* field) it is that command. For other tools it is the serialized raw
|
|
39
58
|
* input — blunt, but it keeps non-shell classifiers usable in the MVP.
|
|
59
|
+
*
|
|
60
|
+
* The result is capped at `MAX_SUBJECT_LENGTH` (ReDoS guard, see above).
|
|
40
61
|
*/
|
|
41
62
|
function subjectFor(envelope) {
|
|
63
|
+
const subject = rawSubjectFor(envelope);
|
|
64
|
+
return subject.length > MAX_SUBJECT_LENGTH
|
|
65
|
+
? subject.slice(0, MAX_SUBJECT_LENGTH)
|
|
66
|
+
: subject;
|
|
67
|
+
}
|
|
68
|
+
function rawSubjectFor(envelope) {
|
|
42
69
|
const command = extractShellCommand({ raw_input: envelope.raw_input });
|
|
43
70
|
if (command !== null)
|
|
44
71
|
return command;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF
|
|
1
|
+
{"version":3,"file":"risk-classifier.js","sourceRoot":"","sources":["../../src/runtime/risk-classifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,EAAE;AACF,kEAAkE;AAClE,qEAAqE;AACrE,iEAAiE;AACjE,cAAc;AACd,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,sEAAsE;AACtE,YAAY;AACZ,EAAE;AACF,yEAAyE;AACzE,oBAAoB;AAOpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEpF,qEAAqE;AACrE,uEAAuE;AACvE,qDAAqD;AACrD,MAAM,cAAc,GAA4B,kBAAkB,CAAC,OAAO,CAAC;AAE3E,uEAAuE;AACvE,mEAAmE;AACnE,mEAAmE;AACnE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAChE,CAAC,qBAAqB,EAAE,WAAW,EAAE,aAAa,CAAC,CACpD,CAAC;AA+BF,wEAAwE;AACxE,wEAAwE;AACxE,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,qEAAqE;AACrE,EAAE;AACF,sEAAsE;AACtE,kEAAkE;AAClE,yEAAyE;AACzE,0DAA0D;AAC1D,0EAA0E;AAC1E,EAAE;AACF,sEAAsE;AACtE,sEAAsE;AACtE,sEAAsE;AACtE,uEAAuE;AACvE,oEAAoE;AACpE,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,UAAU,CAAC,QAAwB;IAC1C,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACxC,OAAO,OAAO,CAAC,MAAM,GAAG,kBAAkB;QACxC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC;QACtC,CAAC,CAAC,OAAO,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,QAAwB;IAC7C,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IACvE,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,OAAO,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CACxB,UAA0B,EAC1B,QAAwB;IAExB,OAAO,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,QAAwB,EACxB,WAAsC;IAEtC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAgB,CAAC;IAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;IAErB,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,EAAU,CAAC;YACf,IAAI,CAAC;gBACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,2DAA2D;gBAC3D,SAAS;YACX,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAChC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,GAAG,GAAG,WAAW;gBAAE,WAAW,GAAG,GAAG,CAAC;YACzC,OAAO,CAAC,IAAI,CACV,eAAe,UAAU,CAAC,IAAI,cAAc,GAAG,CAAC,OAAO,aAAa;gBAClE,YAAY,GAAG,CAAC,QAAQ,iBAAiB,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACP,UAAU,CAAC,MAAM,KAAK,CAAC;oBACrB,CAAC,CAAC,4CAA4C,QAAQ,CAAC,IAAI,GAAG;oBAC9D,CAAC,CAAC,sDAAsD,QAAQ,CAAC,IAAI,GAAG;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO;QACL,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,cAAc,CAAC,WAAW,CAAE;QACtC,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,UAAU,EAAE,MAAM;QAClB,OAAO;KACR,CAAC;AACJ,CAAC"}
|