@lannguyensi/harness 0.29.0 → 0.30.1

package/dist/runtime/bash-prefix-parse.js

@@ -0,0 +1,172 @@
+// Risk Gate resolver input — Bash command-prefix parser.
+//
+// Two normal POSIX shell idioms slip past the production environment
+// resolver when only `process.env` and the hook's starting cwd are
+// inspected:
+//
+//   DATABASE_URL=postgres://prod terraform destroy   # inline env
+//   cd /repos/prod-infra && terraform destroy        # working-dir hop
+//
+// The hook intercept sees Claude Code's process env and starting cwd, so
+// `env_var_patterns` and `branch_patterns` miss both signals and the
+// gate silently treats a prod mutation as non-prod.
+//
+// This parser extracts the leading idioms from a Bash command string so
+// the resolver layer can merge them into its inputs before
+// `environments.resolvers[]` runs. Two POSIX forms are supported in v1
+// (kept narrow on purpose, see follow-up scope in the originating task):
+//
+//   1. Inline env: leading `\w+=value` tokens. Values may be unquoted,
+//      single-quoted (literal), or double-quoted (literal, no $
+//      interpolation in v1).
+//   2. cd prefix: a single leading `cd <path> [&&|;] ...`. Quoted paths
+//      supported. No `pushd`, no subshell `(cd X && ...)`, no `bash -c`.
+//
+// The two clauses may appear in either order (`cd /x && VAR=v cmd` and
+// `VAR=v cd /x && cmd` both parse); the parser walks up to two passes
+// before giving up.
+//
+// On a syntactically broken prefix (unterminated quote, missing `&&`
+// after `cd <path>`) the parser falls through cleanly: the malformed
+// prefix is not consumed, the resolver-side fallback to process env /
+// hook cwd holds. There are no thrown errors from this module.
+/**
+ * Parse leading inline-env and `cd <path>` idioms from a Bash command
+ * string. Returns an empty `inlineEnv` and `cdTarget:null` when neither
+ * idiom matches. Never throws.
+ */
+export function parseBashPrefix(command) {
+    if (typeof command !== "string" || command.length === 0) {
+        return { inlineEnv: {}, cdTarget: null };
+    }
+    const inlineEnv = {};
+    let cdTarget = null;
+    let cursor = 0;
+    // Two passes catch `cd /x && VAR=v cmd` and `VAR=v cd /x && cmd`. A
+    // third pass would only fire on a redundant prefix; bail to keep this
+    // bounded.
+    for (let pass = 0; pass < 2; pass++) {
+        const before = cursor;
+        cursor = consumeInlineEnv(command, cursor, inlineEnv);
+        if (cdTarget === null) {
+            const cd = consumeLeadingCd(command, cursor);
+            if (cd !== null) {
+                cdTarget = cd.path;
+                cursor = cd.next;
+            }
+        }
+        if (cursor === before)
+            break;
+    }
+    return { inlineEnv, cdTarget };
+}
+const WS = /\s/;
+const VAR_START = /[A-Za-z_]/;
+const VAR_CONT = /[A-Za-z0-9_]/;
+function skipWs(s, i) {
+    while (i < s.length && WS.test(s[i]))
+        i++;
+    return i;
+}
+/**
+ * Consume zero or more leading `VAR=value` tokens. Each successful
+ * consumption registers into `into`. Returns the cursor position after
+ * the last consumed token, or the original cursor when nothing parsed
+ * (so the caller can try another prefix kind).
+ *
+ * On a syntactically broken token (e.g. unterminated quote) the broken
+ * token is NOT consumed and the function returns the cursor at the
+ * start of that token, preserving the rest of the command for fallback.
+ */
+function consumeInlineEnv(s, start, into) {
+    let i = skipWs(s, start);
+    let lastGood = i;
+    while (i < s.length) {
+        const nameStart = i;
+        if (!VAR_START.test(s[i]))
+            break;
+        i++;
+        while (i < s.length && VAR_CONT.test(s[i]))
+            i++;
+        if (s[i] !== "=")
+            break;
+        const name = s.slice(nameStart, i);
+        i++;
+        // Read value: quoted (single/double, literal) or unquoted (to ws).
+        let value;
+        if (s[i] === "'") {
+            const end = s.indexOf("'", i + 1);
+            if (end < 0)
+                return lastGood;
+            value = s.slice(i + 1, end);
+            i = end + 1;
+        }
+        else if (s[i] === '"') {
+            const end = s.indexOf('"', i + 1);
+            if (end < 0)
+                return lastGood;
+            value = s.slice(i + 1, end);
+            i = end + 1;
+        }
+        else {
+            const vStart = i;
+            while (i < s.length && !WS.test(s[i]))
+                i++;
+            value = s.slice(vStart, i);
+        }
+        into[name] = value;
+        i = skipWs(s, i);
+        lastGood = i;
+    }
+    return lastGood;
+}
+/**
+ * Consume a single leading `cd <path> [&&|;]` clause. Returns
+ * `{path, next}` on success (where `next` is the cursor after the
+ * separator), or null when the prefix does not match. A path that is
+ * missing the trailing `&&` / `;` separator is treated as not-a-prefix
+ * (the operator typed `cd <path>` and nothing else — no useful resolver
+ * override).
+ */
+function consumeLeadingCd(s, start) {
+    let i = skipWs(s, start);
+    // Match `cd` followed by whitespace; do NOT match `cd&&` or `cdx`.
+    if (s[i] !== "c" || s[i + 1] !== "d")
+        return null;
+    if (i + 2 >= s.length || !WS.test(s[i + 2]))
+        return null;
+    i = skipWs(s, i + 2);
+    // Path: quoted or unquoted.
+    let path;
+    if (s[i] === "'") {
+        const end = s.indexOf("'", i + 1);
+        if (end < 0)
+            return null;
+        path = s.slice(i + 1, end);
+        i = end + 1;
+    }
+    else if (s[i] === '"') {
+        const end = s.indexOf('"', i + 1);
+        if (end < 0)
+            return null;
+        path = s.slice(i + 1, end);
+        i = end + 1;
+    }
+    else {
+        const pStart = i;
+        while (i < s.length && !WS.test(s[i]) && s[i] !== ";" && s[i] !== "&")
+            i++;
+        path = s.slice(pStart, i);
+    }
+    if (path.length === 0)
+        return null;
+    i = skipWs(s, i);
+    if (s[i] === "&" && s[i + 1] === "&") {
+        return { path, next: i + 2 };
+    }
+    if (s[i] === ";") {
+        return { path, next: i + 1 };
+    }
+    return null;
+}
+//# sourceMappingURL=bash-prefix-parse.js.map

package/dist/runtime/bash-prefix-parse.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bash-prefix-parse.js","sourceRoot":"","sources":["../../src/runtime/bash-prefix-parse.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,EAAE;AACF,qEAAqE;AACrE,mEAAmE;AACnE,aAAa;AACb,EAAE;AACF,kEAAkE;AAClE,uEAAuE;AACvE,EAAE;AACF,yEAAyE;AACzE,qEAAqE;AACrE,oDAAoD;AACpD,EAAE;AACF,wEAAwE;AACxE,2DAA2D;AAC3D,uEAAuE;AACvE,yEAAyE;AACzE,EAAE;AACF,uEAAuE;AACvE,gEAAgE;AAChE,6BAA6B;AAC7B,wEAAwE;AACxE,yEAAyE;AACzE,EAAE;AACF,uEAAuE;AACvE,sEAAsE;AACtE,oBAAoB;AACpB,EAAE;AACF,qEAAqE;AACrE,qEAAqE;AACrE,sEAAsE;AACtE,+DAA+D;AAU/D;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,SAAS,GAA2B,EAAE,CAAC;IAC7C,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,oEAAoE;IACpE,sEAAsE;IACtE,WAAW;IACX,KAAK,IAAI,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,CAAC;QACtB,MAAM,GAAG,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,MAAM,EAAE,GAAG,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,QAAQ,GAAG,EAAE,CAAC,IAAI,CAAC;gBACnB,MAAM,GAAG,EAAE,CAAC,IAAI,CAAC;YACnB,CAAC;QACH,CAAC;QACD,IAAI,MAAM,KAAK,MAAM;YAAE,MAAM;IAC/B,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,EAAE,GAAG,IAAI,CAAC;AAChB,MAAM,SAAS,GAAG,WAAW,CAAC;AAC9B,MAAM,QAAQ,GAAG,cAAc,CAAC;AAEhC,SAAS,MAAM,CAAC,CAAS,EAAE,CAAS;IAClC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;QAAE,CAAC,EAAE,CAAC;IAC3C,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,gBAAgB,CAAC,CAAS,EAAE,KAAa,EAAE,IAA4B;IAC9E,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACzB,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;QACpB,MAAM,SAAS,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;YAAE,MAAM;QAClC,CAAC,EAAE,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;YAAE,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,MAAM;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QACnC,CAAC,EAAE,CAAC;QACJ,mEAAmE;QACnE,IAAI,KAAa,CAAC;QAClB,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAClC,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAC7B,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;YAC5B,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;QACd,CAAC;aAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAClC,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAC7B,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;YAC5B,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;QACd,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,CAAC,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;gBAAE,CAAC,EAAE,CAAC;YAC5C,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACjB,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,gBAAgB,CAAC,CAAS,EAAE,KAAa;IAChD,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACzB,mEAAmE;IACnE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,4BAA4B;IAC5B,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAClC,IAAI,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;QAC3B,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;IACd,CAAC;SAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAClC,IAAI,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;QAC3B,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;IACd,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,CAAC,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,CAAC,EAAE,CAAC;QAC5E,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjB,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAC/B,CAAC;IACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QACjB,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAC/B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lannguyensi/harness",
-  "version": "0.29.0",
+  "version": "0.30.1",
   "description": "Declarative control plane for agent harnesses — one YAML for grounding, tools, memory, and hooks.",
   "license": "MIT",
   "homepage": "https://github.com/LanNguyenSi/harness",