@lannguyensi/harness 0.31.0 → 0.33.0

package/dist/cli/pack/hook-solution-acceptance-writeguard.js

@@ -0,0 +1,187 @@
+// `harness pack hook solution-acceptance-writeguard` — PreToolUse
+// anti-forgery write-guard for the `solution-acceptance` policy pack.
+//
+// This is the load-bearing closure of the gate. The completion-gate alone
+// is forgeable: relocating the verdict dir does NOT help because
+// understanding-gate allows all Bash once approved, so an approved agent
+// could `echo '{...ready:true}' > <verdict-dir>/<id>.json` and walk the gate.
+// This hook restores the invariant that the ONLY writer of the verdict dir
+// is the producer (the operator-launched grounding-mcp MCP server, which
+// runs real preflight and does not flow through the agent's gated tools).
+//
+// It denies, on the agent's tool surface:
+//   - Write / Edit / MultiEdit / NotebookEdit whose target file resolves
+//     inside the verdict dir.
+//   - Codex `apply_patch` whose patch body references the verdict dir.
+//   - Bash that is NOT provably read-only AND references the verdict dir
+//     (covers `echo >`, `$SOLUTION_VERDICT_DIR` spellings, `tee`, `mv`/`cp`/
+//     `ln`/`install`, `python3 -c '...path...'`, and `chmod`/`chattr` that
+//     would loosen perms) — or whose shell cwd is inside the dir.
+//
+// Pure reads (`cat <dir>/x.json`) are allowed so the guard is not over-broad.
+//
+// No manifest is consulted: the decision is a pure target-vs-dir check, so
+// the guard cannot be broken by a manifest issue and never blocks a write
+// that does not target the verdict dir. The hook is only wired into settings
+// when the pack is enabled, so a disabled pack never invokes it. It yields to
+// `harness pause` like every other gate.
+//
+// Honest residual (operator decision, 2026-05-30): v1 closes the ENUMERATED
+// write paths above. A path constructed at runtime inside an interpreter
+// with no textual reference is NOT caught; marker signing (a cross-repo
+// follow-up) closes content-authenticity against an unguarded write
+// primitive.
+import { bashReferencesVerdictDir, isInsideDir, PACK_NAME, verdictDir as resolveVerdictDir, } from "../../policy-packs/builtin/solution-acceptance-runtime.js";
+import { isReadOnlyBashCommand } from "./read-only-bash.js";
+import { checkPauseFromLoader } from "../pause-check.js";
+async function readStdin(stream) {
+    return new Promise((resolve, reject) => {
+        let data = "";
+        stream.setEncoding("utf8");
+        stream.on("data", (chunk) => {
+            data += chunk;
+        });
+        stream.on("end", () => resolve(data));
+        stream.on("error", (err) => reject(err));
+    });
+}
+/** Single-file target for path-mutating tools, or null when not applicable. */
+function pathToolTarget(toolName, toolInput) {
+    if (typeof toolInput !== "object" || toolInput === null)
+        return null;
+    const input = toolInput;
+    switch (toolName) {
+        case "Write":
+        case "Edit":
+        case "MultiEdit": {
+            const fp = input["file_path"];
+            return typeof fp === "string" && fp.length > 0 ? fp : null;
+        }
+        case "NotebookEdit": {
+            const np = input["notebook_path"];
+            return typeof np === "string" && np.length > 0 ? np : null;
+        }
+        default:
+            return null;
+    }
+}
+function bashCommandOf(toolInput) {
+    if (typeof toolInput !== "object" || toolInput === null)
+        return "";
+    const cmd = toolInput["command"];
+    return typeof cmd === "string" ? cmd : "";
+}
+/**
+ * Pure write-guard decision for a tool event. Exported for direct unit
+ * testing of the full forge-attempt matrix without spinning up the CLI.
+ */
+export function evaluateWriteGuard(toolName, toolInput, dir, cwd) {
+    // Path-mutating tools: block iff the target resolves inside the dir.
+    const target = pathToolTarget(toolName, toolInput);
+    if (target !== null) {
+        if (isInsideDir(target, dir, cwd)) {
+            return {
+                blocked: true,
+                reason: `${toolName} target resolves inside the harness-protected solution-verdict dir (${dir}); the verdict marker may only be written by the grounding-mcp producer`,
+            };
+        }
+        return { blocked: false, reason: `${toolName} target is outside the verdict dir` };
+    }
+    // Codex apply_patch: best-effort textual reference check on the patch body.
+    if (toolName === "apply_patch") {
+        const input = typeof toolInput === "object" && toolInput !== null
+            ? toolInput
+            : {};
+        const body = typeof input["patch"] === "string"
+            ? input["patch"]
+            : typeof input["input"] === "string"
+                ? input["input"]
+                : JSON.stringify(toolInput ?? "");
+        if (bashReferencesVerdictDir(body, dir)) {
+            return {
+                blocked: true,
+                reason: `apply_patch references the harness-protected solution-verdict dir (${dir})`,
+            };
+        }
+        return { blocked: false, reason: "apply_patch does not reference the verdict dir" };
+    }
+    // Bash: allow provable reads; block non-read-only commands that reference
+    // the dir, or whose shell cwd is inside it.
+    if (toolName === "Bash") {
+        const command = bashCommandOf(toolInput);
+        if (command === "")
+            return { blocked: false, reason: "empty Bash command" };
+        if (isReadOnlyBashCommand(command)) {
+            return { blocked: false, reason: "read-only Bash command" };
+        }
+        if (isInsideDir(".", dir, cwd)) {
+            return {
+                blocked: true,
+                reason: `non-read-only Bash with a shell cwd inside the harness-protected solution-verdict dir (${dir})`,
+            };
+        }
+        if (bashReferencesVerdictDir(command, dir)) {
+            return {
+                blocked: true,
+                reason: `non-read-only Bash references the harness-protected solution-verdict dir (${dir}); the verdict marker may only be written by the grounding-mcp producer`,
+            };
+        }
+        return { blocked: false, reason: "non-read-only Bash does not reference the verdict dir" };
+    }
+    return { blocked: false, reason: `${toolName} is not a guarded write surface` };
+}
+function blockJson(toolName, reason) {
+    const text = `solution-acceptance write-guard: refusing ${toolName}. ${reason}.\n` +
+        `The solution-acceptance verdict marker is derived by the producer from a ` +
+        `real preflight run; hand-writing it would forge a green "done". ` +
+        `Run \`mcp__agent-grounding__solution_evaluate({ id: "<task-id>" })\` instead, ` +
+        `which writes the marker for you.\n` +
+        `Operator override: \`harness pause\`.`;
+    return JSON.stringify({
+        decision: "block",
+        reason: text,
+        hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "deny",
+            permissionDecisionReason: text,
+        },
+    });
+}
+export async function runPackHookSolutionAcceptanceWriteguardCli(opts = {}) {
+    const stdin = opts.stdin ?? process.stdin;
+    const stdout = opts.stdout ?? process.stdout;
+    const stderr = opts.stderr ?? process.stderr;
+    const note = (msg) => {
+        stderr.write(`harness pack hook solution-acceptance-writeguard: ${msg}\n`);
+    };
+    const raw = await readStdin(stdin);
+    let event = {};
+    try {
+        event = JSON.parse(raw.trim() || "{}");
+    }
+    catch {
+        /* event stays {} -> not a guarded surface -> allow */
+    }
+    if (checkPauseFromLoader({ loaderOpts: opts, hookLabel: `${PACK_NAME}-writeguard`, stderr }).paused) {
+        const diagnostic = "harness paused; write-guard allowing without evaluating.";
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const toolName = typeof event.tool_name === "string" ? event.tool_name : "(unknown)";
+    const cwd = typeof opts.cwd === "string" && opts.cwd.length > 0
+        ? opts.cwd
+        : typeof event.cwd === "string" && event.cwd.length > 0
+            ? event.cwd
+            : process.cwd();
+    const dir = opts.verdictDir ?? resolveVerdictDir();
+    const decision = evaluateWriteGuard(toolName, event.tool_input, dir, cwd);
+    if (!decision.blocked) {
+        const diagnostic = `allow — ${decision.reason}`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const diagnostic = `BLOCK — ${decision.reason}`;
+    note(diagnostic);
+    stdout.write(`${blockJson(toolName, decision.reason)}\n`);
+    return { exitCode: 0, blocked: true, diagnostic };
+}
+//# sourceMappingURL=hook-solution-acceptance-writeguard.js.map

package/dist/cli/pack/hook-solution-acceptance-writeguard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook-solution-acceptance-writeguard.js","sourceRoot":"","sources":["../../../src/cli/pack/hook-solution-acceptance-writeguard.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,sEAAsE;AACtE,EAAE;AACF,0EAA0E;AAC1E,iEAAiE;AACjE,yEAAyE;AACzE,8EAA8E;AAC9E,2EAA2E;AAC3E,yEAAyE;AACzE,0EAA0E;AAC1E,EAAE;AACF,0CAA0C;AAC1C,yEAAyE;AACzE,8BAA8B;AAC9B,uEAAuE;AACvE,yEAAyE;AACzE,6EAA6E;AAC7E,2EAA2E;AAC3E,kEAAkE;AAClE,EAAE;AACF,8EAA8E;AAC9E,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,6EAA6E;AAC7E,8EAA8E;AAC9E,yCAAyC;AACzC,EAAE;AACF,4EAA4E;AAC5E,yEAAyE;AACzE,wEAAwE;AACxE,oEAAoE;AACpE,aAAa;AAEb,OAAO,EACL,wBAAwB,EACxB,WAAW,EACX,SAAS,EACT,UAAU,IAAI,iBAAiB,GAChC,MAAM,2DAA2D,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAE5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAwBzD,KAAK,UAAU,SAAS,CAAC,MAA6B;IACpD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,SAAS,cAAc,CAAC,QAAgB,EAAE,SAAkB;IAC1D,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrE,MAAM,KAAK,GAAG,SAAoC,CAAC;IACnD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO,CAAC;QACb,KAAK,MAAM,CAAC;QACZ,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,EAAE,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;YAC9B,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,MAAM,EAAE,GAAG,KAAK,CAAC,eAAe,CAAC,CAAC;YAClC,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7D,CAAC;QACD;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,SAAkB;IACvC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IACnE,MAAM,GAAG,GAAI,SAAqC,CAAC,SAAS,CAAC,CAAC;IAC9D,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC;AAOD;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,SAAkB,EAClB,GAAW,EACX,GAAW;IAEX,qEAAqE;IACrE,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IACnD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,IAAI,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,GAAG,QAAQ,uEAAuE,GAAG,yEAAyE;aACvK,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,oCAAoC,EAAE,CAAC;IACrF,CAAC;IAED,4EAA4E;IAC5E,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/B,MAAM,KAAK,GACT,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;YACjD,CAAC,CAAE,SAAqC;YACxC,CAAC,CAAC,EAAE,CAAC;QACT,MAAM,IAAI,GACR,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,QAAQ;YAChC,CAAC,CAAE,KAAK,CAAC,OAAO,CAAY;YAC5B,CAAC,CAAC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,QAAQ;gBAClC,CAAC,CAAE,KAAK,CAAC,OAAO,CAAY;gBAC5B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QACxC,IAAI,wBAAwB,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,sEAAsE,GAAG,GAAG;aACrF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,gDAAgD,EAAE,CAAC;IACtF,CAAC;IAED,0EAA0E;IAC1E,4CAA4C;IAC5C,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,OAAO,KAAK,EAAE;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;QAC5E,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;QAC9D,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,0FAA0F,GAAG,GAAG;aACzG,CAAC;QACJ,CAAC;QACD,IAAI,wBAAwB,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,6EAA6E,GAAG,yEAAyE;aAClK,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,uDAAuD,EAAE,CAAC;IAC7F,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,iCAAiC,EAAE,CAAC;AAClF,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,MAAc;IACjD,MAAM,IAAI,GACR,6CAA6C,QAAQ,KAAK,MAAM,KAAK;QACrE,2EAA2E;QAC3E,kEAAkE;QAClE,gFAAgF;QAChF,oCAAoC;QACpC,uCAAuC,CAAC;IAC1C,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,IAAI;QACZ,kBAAkB,EAAE;YAClB,aAAa,EAAE,YAAY;YAC3B,kBAAkB,EAAE,MAAM;YAC1B,wBAAwB,EAAE,IAAI;SAC/B;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0CAA0C,CAC9D,OAAoD,EAAE;IAEtD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,GAAW,EAAQ,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,qDAAqD,GAAG,IAAI,CAAC,CAAC;IAC7E,CAAC,CAAC;IAEF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,KAAK,GAAkB,EAAE,CAAC;IAC9B,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,CAAkB,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;IACxD,CAAC;IAED,IAAI,oBAAoB,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,SAAS,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QACpG,MAAM,UAAU,GAAG,0DAA0D,CAAC;QAC9E,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;IACrF,MAAM,GAAG,GACP,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;QACjD,CAAC,CAAC,IAAI,CAAC,GAAG;QACV,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;YACrD,CAAC,CAAC,KAAK,CAAC,GAAG;YACX,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,EAAE,CAAC;IAEnD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,KAAK,CAAC,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC1E,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,MAAM,UAAU,GAAG,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC;QAChD,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC;IAChD,IAAI,CAAC,UAAU,CAAC,CAAC;IACjB,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC"}

package/dist/cli/pack/hook-solution-acceptance.d.ts

@@ -0,0 +1,28 @@
+import { type Manifest } from "../../schema/index.js";
+import { type LoaderOptions } from "../loader.js";
+export interface PackHookSolutionAcceptanceOptions extends LoaderOptions {
+    /** Defaults to process.stdin. */
+    stdin?: NodeJS.ReadableStream;
+    /** Defaults to process.stdout. */
+    stdout?: NodeJS.WritableStream;
+    /** Defaults to process.stderr. */
+    stderr?: NodeJS.WritableStream;
+    /** Override cwd resolution (test injection). */
+    cwd?: string;
+    /** Inject a manifest (test). */
+    manifest?: Manifest;
+    /** Override the harness.generated/ directory (test injection). */
+    generatedDir?: string;
+    /** Override the verdict directory (test injection; default = producer default). */
+    verdictDir?: string;
+    /** Override the active-claim resolution (test injection). */
+    activeClaim?: string | null;
+    /** Override process.env (test injection); defaults to process.env. */
+    env?: NodeJS.ProcessEnv;
+}
+export interface PackHookSolutionAcceptanceResult {
+    exitCode: number;
+    blocked: boolean;
+    diagnostic: string;
+}
+export declare function runPackHookSolutionAcceptanceCli(opts?: PackHookSolutionAcceptanceOptions): Promise<PackHookSolutionAcceptanceResult>;

package/dist/cli/pack/hook-solution-acceptance.js

@@ -0,0 +1,251 @@
+// `harness pack hook solution-acceptance` — PreToolUse completion-gate for
+// the `solution-acceptance` policy pack.
+//
+// Receives Claude Code's PreToolUse event JSON on stdin and emits a
+// `{ decision: "block" }` envelope when the agent is about to FINISH a task
+// (agent-tasks completion verb, or a `git push` / `gh pr merge` bash
+// command) without a READY solution-acceptance verdict at the current git
+// HEAD.
+//
+// The verdict id is the active-claim task id (the same `active-claim` file
+// `harness approve understanding` consumes). For solo / non-agent-tasks
+// sessions that never call `task_start`, the `SOLUTION_VERDICT_ID` env knob
+// supplies the id instead; it is consulted only when no active claim is
+// present, so a claimed session's id stays authoritative (an env var cannot
+// redirect a claimed task's verdict). With neither source the gate fails
+// CLOSED — a sessionId fallback would reopen the wrong-scope bug class
+// understanding-gate already fixed.
+//
+// Failure mode: any error in load / parse / HEAD-resolution / verdict-read
+// resolves to BLOCK (branch-protection's fail-closed posture, not
+// understanding-gate's fail-open). The gate's whole job is to prevent
+// completion without earned acceptance, so a bug that silently allowed a
+// finish through would defeat the purpose. The block envelope always names
+// `solution_evaluate` as the recovery path so the operator is never wedged;
+// `harness pause` (honored first) is the operator's hard override.
+import { readActiveClaim, } from "../../policy-packs/builtin/understanding-before-execution-runtime.js";
+import { DEFAULT_PUSH_BASH_RE, evaluateGate, PACK_NAME, readVerdict, resolveExplicitVerdictId, resolveProtectedCompletionTools, VERDICT_ID_ENV, verdictDir as resolveVerdictDir, } from "../../policy-packs/builtin/solution-acceptance-runtime.js";
+import { resolveGeneratedDir } from "../../io/generated-dir.js";
+import { resolveGitContext } from "../../runtime/git-context.js";
+import { renderAgentFacing } from "../../runtime/agent-facing.js";
+import { PolicyUxSchema } from "../../schema/index.js";
+import { loadManifest } from "../loader.js";
+import { checkPauseFromLoader } from "../pause-check.js";
+const MCP_AGENT_TASKS_PREFIX = "mcp__agent-tasks__";
+async function readStdin(stream) {
+    return new Promise((resolve, reject) => {
+        let data = "";
+        stream.setEncoding("utf8");
+        stream.on("data", (chunk) => {
+            data += chunk;
+        });
+        stream.on("end", () => resolve(data));
+        stream.on("error", (err) => reject(err));
+    });
+}
+function bashCommandOf(toolInput) {
+    if (typeof toolInput !== "object" || toolInput === null)
+        return "";
+    const cmd = toolInput["command"];
+    return typeof cmd === "string" ? cmd : "";
+}
+/**
+ * Decide whether this PreToolUse call is a gated completion action. Returns
+ * the human label of the action when gated, or null when this call should
+ * pass through (the hook matches all Bash, but only push/merge bash commands
+ * are completion actions).
+ */
+function completionActionLabel(toolName, toolInput, protectedVerbs) {
+    if (toolName.startsWith(MCP_AGENT_TASKS_PREFIX)) {
+        const verb = toolName.slice(MCP_AGENT_TASKS_PREFIX.length);
+        if (protectedVerbs.includes(verb))
+            return `agent-tasks ${verb}`;
+        return null;
+    }
+    if (toolName === "Bash") {
+        const command = bashCommandOf(toolInput);
+        if (command && DEFAULT_PUSH_BASH_RE.test(command))
+            return "git push / gh pr merge";
+        return null;
+    }
+    return null;
+}
+function parseConfigUx(raw, stderr) {
+    if (raw === undefined)
+        return undefined;
+    const result = PolicyUxSchema.safeParse(raw);
+    if (!result.success) {
+        stderr.write(`harness pack hook solution-acceptance: config.ux ignored (${result.error.issues
+            .map((i) => `${i.path.join(".") || "<root>"}: ${i.message}`)
+            .join("; ")})\n`);
+        return undefined;
+    }
+    return result.data;
+}
+function blockJson(actionLabel, toolName, taskId, detail, ux, sessionId) {
+    let reasonText;
+    if (ux) {
+        reasonText = renderAgentFacing(ux, {
+            TOOL_NAME: toolName,
+            SESSION_ID: sessionId,
+        });
+    }
+    else {
+        reasonText =
+            `solution-acceptance: refusing ${actionLabel} (${toolName}). ${detail}\n` +
+                `Completion must be EARNED from a real preflight run, not claimed.\n` +
+                `Run the producer for this task, then retry:\n` +
+                `  mcp__agent-grounding__solution_evaluate({ id: "${taskId}" })\n` +
+                `It runs \`preflight run --json\` (lint/typecheck/test/audit/secret) and records a HEAD-pinned verdict. ` +
+                `A clean run at the current HEAD unblocks this tool; a failing run lists the blockers to fix.\n` +
+                `\n` +
+                `Operator override: \`harness pause\` (yields this and every other gate).`;
+    }
+    return JSON.stringify({
+        decision: "block",
+        reason: reasonText,
+        hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "deny",
+            permissionDecisionReason: reasonText,
+        },
+    });
+}
+export async function runPackHookSolutionAcceptanceCli(opts = {}) {
+    const stdin = opts.stdin ?? process.stdin;
+    const stdout = opts.stdout ?? process.stdout;
+    const stderr = opts.stderr ?? process.stderr;
+    const note = (msg) => {
+        stderr.write(`harness pack hook solution-acceptance: ${msg}\n`);
+    };
+    const env = opts.env ?? process.env;
+    const raw = await readStdin(stdin);
+    let event = {};
+    try {
+        event = JSON.parse(raw.trim() || "{}");
+    }
+    catch {
+        /* event stays {} */
+    }
+    // Operator pause yields even this gate.
+    if (checkPauseFromLoader({ loaderOpts: opts, hookLabel: PACK_NAME, stderr }).paused) {
+        const diagnostic = "harness paused; solution-acceptance allowing without evaluating.";
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const sessionId = (typeof event.session_id === "string" ? event.session_id : undefined) ??
+        env["CLAUDE_CODE_SESSION_ID"] ??
+        env["CLAUDE_SESSION_ID"] ??
+        "";
+    const toolName = typeof event.tool_name === "string" ? event.tool_name : "(unknown)";
+    const cwd = typeof opts.cwd === "string" && opts.cwd.length > 0
+        ? opts.cwd
+        : typeof event.cwd === "string" && event.cwd.length > 0
+            ? event.cwd
+            : process.cwd();
+    // Load manifest to resolve the pack config. A load failure forces BLOCK
+    // only if this turns out to be a completion action; resolve it first.
+    // `manifestPath` (the resolved manifest base) feeds the harness.generated/
+    // lookup below — it is populated whether the operator passed --config or
+    // the default (~/.harness/harness.yaml) was resolved, so the bare
+    // production hook command still resolves the active-claim id.
+    let manifest = null;
+    let manifestPath;
+    if (opts.manifest) {
+        manifest = opts.manifest;
+    }
+    else {
+        try {
+            const loaded = loadManifest(opts);
+            manifest = loaded.manifest;
+            manifestPath = loaded.resolved.base;
+        }
+        catch (err) {
+            // We cannot tell if this is a gated action without the config, but a
+            // manifest load failure should not block unrelated tool calls. Only
+            // the completion verbs / push commands are ever gated, so classify
+            // by tool name with the DEFAULT verb set as a failsafe.
+            const label = completionActionLabel(toolName, event.tool_input, [
+                "task_finish",
+                "task_submit_pr",
+                "task_merge",
+                "pull_requests_merge",
+            ]);
+            if (label === null) {
+                const diagnostic = `manifest load failed (${err.message}) but ${toolName} is not a completion action; allowing`;
+                note(diagnostic);
+                return { exitCode: 0, blocked: false, diagnostic };
+            }
+            const reason = `manifest load failed (${err.message}); refusing ${label} on failsafe`;
+            const diagnostic = `BLOCK — ${reason}`;
+            note(diagnostic);
+            stdout.write(`${blockJson(label, toolName, "<unknown>", reason, undefined, sessionId)}\n`);
+            return { exitCode: 0, blocked: true, diagnostic };
+        }
+    }
+    const pack = manifest.policy_packs.find((p) => p.name === PACK_NAME);
+    if (!pack) {
+        const diagnostic = `pack "${PACK_NAME}" not declared in manifest, allowing`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    if (!pack.enabled) {
+        const diagnostic = `pack "${PACK_NAME}" is enabled:false, allowing`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const protectedVerbs = resolveProtectedCompletionTools(pack);
+    const actionLabel = completionActionLabel(toolName, event.tool_input, protectedVerbs);
+    if (actionLabel === null) {
+        const diagnostic = `${toolName} is not a gated completion action; allowing`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const configUx = parseConfigUx(pack.config["ux"], stderr);
+    // Resolve the verdict id. Precedence: the agent-tasks active-claim task id
+    // first (authoritative for claimed sessions — an env var must not redirect a
+    // claimed task's verdict), then the SOLUTION_VERDICT_ID env knob for solo /
+    // non-agent-tasks sessions, then fail CLOSED. A sessionId fallback is
+    // intentionally NOT a source (it would reopen the wrong-scope bug class).
+    const generatedDir = opts.generatedDir ??
+        (manifestPath !== undefined
+            ? resolveGeneratedDir({
+                ...(opts.homeDir !== undefined ? { homeDir: opts.homeDir } : {}),
+                manifestPath,
+            })
+            : undefined);
+    const activeClaim = opts.activeClaim !== undefined
+        ? opts.activeClaim
+        : generatedDir !== undefined
+            ? readActiveClaim(generatedDir)
+            : null;
+    const taskId = activeClaim ?? resolveExplicitVerdictId(env);
+    if (!taskId) {
+        const detail = opts.activeClaim === undefined && generatedDir === undefined
+            ? " (could not resolve harness.generated/; pass --config)"
+            : "";
+        const reason = `no verdict id: no active-claim task id recorded${detail} and ${VERDICT_ID_ENV} is unset or invalid. ` +
+            `Call mcp__agent-tasks__task_start first (agent-tasks workflow; the verdict id is the active task), ` +
+            `or set ${VERDICT_ID_ENV} to the verdict id for a solo / non-agent-tasks session.`;
+        const diagnostic = `BLOCK — ${reason}`;
+        note(diagnostic);
+        stdout.write(`${blockJson(actionLabel, toolName, "<no-verdict-id>", reason, configUx, sessionId)}\n`);
+        return { exitCode: 0, blocked: true, diagnostic };
+    }
+    // The verdict DIR still resolves SOLUTION_VERDICT_DIR from process.env (the
+    // `env` seam above covers the verdict id + sessionId, not the dir); in
+    // production both see the same process.env, and tests inject opts.verdictDir.
+    const dir = opts.verdictDir ?? resolveVerdictDir();
+    const currentHead = resolveGitContext(cwd).sha || null;
+    const verdict = readVerdict(dir, taskId);
+    const gate = evaluateGate(verdict, currentHead, taskId);
+    if (gate.allowed) {
+        const diagnostic = `${gate.reason}; allowing ${actionLabel}`;
+        note(diagnostic);
+        return { exitCode: 0, blocked: false, diagnostic };
+    }
+    const diagnostic = `BLOCK — ${gate.reason}`;
+    note(diagnostic);
+    stdout.write(`${blockJson(actionLabel, toolName, taskId, gate.reason, configUx, sessionId)}\n`);
+    return { exitCode: 0, blocked: true, diagnostic };
+}
+//# sourceMappingURL=hook-solution-acceptance.js.map

package/dist/cli/pack/hook-solution-acceptance.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook-solution-acceptance.js","sourceRoot":"","sources":["../../../src/cli/pack/hook-solution-acceptance.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,yCAAyC;AACzC,EAAE;AACF,oEAAoE;AACpE,4EAA4E;AAC5E,qEAAqE;AACrE,0EAA0E;AAC1E,QAAQ;AACR,EAAE;AACF,2EAA2E;AAC3E,wEAAwE;AACxE,4EAA4E;AAC5E,wEAAwE;AACxE,4EAA4E;AAC5E,yEAAyE;AACzE,uEAAuE;AACvE,oCAAoC;AACpC,EAAE;AACF,2EAA2E;AAC3E,kEAAkE;AAClE,sEAAsE;AACtE,yEAAyE;AACzE,2EAA2E;AAC3E,4EAA4E;AAC5E,mEAAmE;AAEnE,OAAO,EACL,eAAe,GAChB,MAAM,sEAAsE,CAAC;AAC9E,OAAO,EACL,oBAAoB,EACpB,YAAY,EACZ,SAAS,EACT,WAAW,EACX,wBAAwB,EACxB,+BAA+B,EAC/B,cAAc,EACd,UAAU,IAAI,iBAAiB,GAChC,MAAM,2DAA2D,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,cAAc,EAAgC,MAAM,uBAAuB,CAAC;AACrF,OAAO,EAAE,YAAY,EAAsB,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEzD,MAAM,sBAAsB,GAAG,oBAAoB,CAAC;AAoCpD,KAAK,UAAU,SAAS,CAAC,MAA6B;IACpD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,SAAkB;IACvC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IACnE,MAAM,GAAG,GAAI,SAAqC,CAAC,SAAS,CAAC,CAAC;IAC9D,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB,CAC5B,QAAgB,EAChB,SAAkB,EAClB,cAAiC;IAEjC,IAAI,QAAQ,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;QAC3D,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,eAAe,IAAI,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,OAAO,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,wBAAwB,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,GAAY,EAAE,MAA6B;IAChE,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CACV,6DAA6D,MAAM,CAAC,KAAK,CAAC,MAAM;aAC7E,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC3D,IAAI,CAAC,IAAI,CAAC,KAAK,CACnB,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,SAAS,SAAS,CAChB,WAAmB,EACnB,QAAgB,EAChB,MAAc,EACd,MAAc,EACd,EAAwB,EACxB,SAAiB;IAEjB,IAAI,UAAkB,CAAC;IACvB,IAAI,EAAE,EAAE,CAAC;QACP,UAAU,GAAG,iBAAiB,CAAC,EAAE,EAAE;YACjC,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,SAAS;SACtB,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,UAAU;YACR,iCAAiC,WAAW,KAAK,QAAQ,MAAM,MAAM,IAAI;gBACzE,qEAAqE;gBACrE,+CAA+C;gBAC/C,oDAAoD,MAAM,QAAQ;gBAClE,yGAAyG;gBACzG,gGAAgG;gBAChG,IAAI;gBACJ,0EAA0E,CAAC;IAC/E,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,UAAU;QAClB,kBAAkB,EAAE;YAClB,aAAa,EAAE,YAAY;YAC3B,kBAAkB,EAAE,MAAM;YAC1B,wBAAwB,EAAE,UAAU;SACrC;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,OAA0C,EAAE;IAE5C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,GAAW,EAAQ,EAAE;QACjC,MAAM,CAAC,KAAK,CAAC,0CAA0C,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IAEpC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,KAAK,GAAkB,EAAE,CAAC;IAC9B,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,CAAkB,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;IACtB,CAAC;IAED,wCAAwC;IACxC,IAAI,oBAAoB,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QACpF,MAAM,UAAU,GAAG,kEAAkE,CAAC;QACtF,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,SAAS,GACb,CAAC,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;QACrE,GAAG,CAAC,wBAAwB,CAAC;QAC7B,GAAG,CAAC,mBAAmB,CAAC;QACxB,EAAE,CAAC;IACL,MAAM,QAAQ,GAAG,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;IACrF,MAAM,GAAG,GACP,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;QACjD,CAAC,CAAC,IAAI,CAAC,GAAG;QACV,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;YACrD,CAAC,CAAC,KAAK,CAAC,GAAG;YACX,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IAEtB,wEAAwE;IACxE,sEAAsE;IACtE,2EAA2E;IAC3E,yEAAyE;IACzE,kEAAkE;IAClE,8DAA8D;IAC9D,IAAI,QAAQ,GAAoB,IAAI,CAAC;IACrC,IAAI,YAAgC,CAAC;IACrC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC3B,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAClC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC3B,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qEAAqE;YACrE,oEAAoE;YACpE,mEAAmE;YACnE,wDAAwD;YACxD,MAAM,KAAK,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,UAAU,EAAE;gBAC9D,aAAa;gBACb,gBAAgB;gBAChB,YAAY;gBACZ,qBAAqB;aACtB,CAAC,CAAC;YACH,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACnB,MAAM,UAAU,GAAG,yBAA0B,GAAa,CAAC,OAAO,SAAS,QAAQ,uCAAuC,CAAC;gBAC3H,IAAI,CAAC,UAAU,CAAC,CAAC;gBACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;YACrD,CAAC;YACD,MAAM,MAAM,GAAG,yBAA0B,GAAa,CAAC,OAAO,eAAe,KAAK,cAAc,CAAC;YACjG,MAAM,UAAU,GAAG,WAAW,MAAM,EAAE,CAAC;YACvC,IAAI,CAAC,UAAU,CAAC,CAAC;YACjB,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;YAC3F,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QACpD,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;IACrE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,UAAU,GAAG,SAAS,SAAS,sCAAsC,CAAC;QAC5E,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,UAAU,GAAG,SAAS,SAAS,8BAA8B,CAAC;QACpE,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,cAAc,GAAG,+BAA+B,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACtF,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,GAAG,QAAQ,6CAA6C,CAAC;QAC5E,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAE,IAAI,CAAC,MAAkC,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IAEvF,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,sEAAsE;IACtE,0EAA0E;IAC1E,MAAM,YAAY,GAChB,IAAI,CAAC,YAAY;QACjB,CAAC,YAAY,KAAK,SAAS;YACzB,CAAC,CAAC,mBAAmB,CAAC;gBAClB,GAAG,CAAC,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChE,YAAY;aACb,CAAC;YACJ,CAAC,CAAC,SAAS,CAAC,CAAC;IACjB,MAAM,WAAW,GACf,IAAI,CAAC,WAAW,KAAK,SAAS;QAC5B,CAAC,CAAC,IAAI,CAAC,WAAW;QAClB,CAAC,CAAC,YAAY,KAAK,SAAS;YAC1B,CAAC,CAAC,eAAe,CAAC,YAAY,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC;IACb,MAAM,MAAM,GAAG,WAAW,IAAI,wBAAwB,CAAC,GAAG,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,MAAM,GACV,IAAI,CAAC,WAAW,KAAK,SAAS,IAAI,YAAY,KAAK,SAAS;YAC1D,CAAC,CAAC,wDAAwD;YAC1D,CAAC,CAAC,EAAE,CAAC;QACT,MAAM,MAAM,GACV,kDAAkD,MAAM,QAAQ,cAAc,wBAAwB;YACtG,qGAAqG;YACrG,UAAU,cAAc,0DAA0D,CAAC;QACrF,MAAM,UAAU,GAAG,WAAW,MAAM,EAAE,CAAC;QACvC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,WAAW,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QACtG,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACpD,CAAC;IAED,4EAA4E;IAC5E,uEAAuE;IACvE,8EAA8E;IAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,iBAAiB,EAAE,CAAC;IACnD,MAAM,WAAW,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC;IACvD,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;IAExD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,UAAU,GAAG,GAAG,IAAI,CAAC,MAAM,cAAc,WAAW,EAAE,CAAC;QAC7D,IAAI,CAAC,UAAU,CAAC,CAAC;QACjB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,IAAI,CAAC,MAAM,EAAE,CAAC;IAC5C,IAAI,CAAC,UAAU,CAAC,CAAC;IACjB,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;IAChG,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC"}

package/dist/cli/pack/read-only-bash.js

@@ -35,10 +35,10 @@
  * changing classification: `ls -la /tmp` is still read-only.
  */
 const SIMPLE_READ_ONLY_BINS = new Set([
-    "ls", "cat", "pwd", "which", "type", "command",
+    "ls", "cat", "pwd", "which", "type",
     "grep", "rg", "wc",
     "head", "tail", "file", "stat", "tree", "du", "df",
-    "ps", "whoami", "id", "date", "echo", "env", "printenv",
+    "ps", "whoami", "id", "date", "echo", "printenv",
     "true", "false", "uptime", "hostname", "uname", "tty",
     "basename", "dirname", "realpath", "readlink",
     "less", "more", "cmp", "diff", "comm",
@@ -60,6 +60,42 @@ const FIND_WRITE_FLAGS = new Set([
     "-exec", "-execdir", "-ok", "-okdir",
     "-fprint", "-fprintf", "-fprint0", "-fls",
 ]);
+/**
+ * Command-runner binaries: their argv is itself a nested command to
+ * execute, so the "each accepts arguments without changing
+ * classification" rule does NOT hold for them. `command rm -rf /tmp/x`
+ * runs `rm`, and `env FOO=bar rm -rf /tmp/x` runs `rm` too. Including
+ * them in `SIMPLE_READ_ONLY_BINS` would classify the WRAPPER as
+ * read-only while the wrapped command does the write, a hard gate
+ * bypass. Each runner gets a `find`-style special case below that
+ * strips the runner's own leading flags/assignments and recurse-
+ * classifies the residual underlying command. Bare `env` /
+ * `command` (no underlying command) stay read-only: they only print
+ * the environment or resolve a name.
+ *
+ * `env` leading flags that take no command and do not change the fact
+ * that what follows is still a command to run. `-i` / `--ignore-
+ * environment` and `-u NAME` / `--unset=NAME` scrub the environment
+ * but still execute the residual command; `-` is the historical
+ * synonym for `-i`. `--` ends option parsing. We skip these (and any
+ * `NAME=VALUE` assignment tokens) to find the real underlying command.
+ */
+const ENV_LEADING_FLAGS = new Set([
+    "-i", "--ignore-environment", "-", "--",
+]);
+/** `env` flags that consume the following token as their value. */
+const ENV_VALUE_FLAGS = new Set([
+    "-u", "--unset",
+    "-C", "--chdir",
+]);
+/**
+ * `env -S` / `--split-string` re-parses its single string argument
+ * into a fresh argv, which defeats our whitespace tokenization: the
+ * write would live inside one quoted token. Any appearance of the
+ * split-string flag (bare, glued, or long-form) forfeits the
+ * read-only classification. Fail closed.
+ */
+const ENV_SPLIT_STRING_FLAGS = /^(-S.*|--split-string(=.*)?)$/;
 /**
  * `less` and `more` can shell out via interactive `!cmd`. The agent
  * shell is non-interactive, so the escape is not reachable in
@@ -131,7 +167,10 @@ export function isReadOnlyBashCommand(command) {
         return false;
     // Reject any shell chaining, redirection, or command substitution.
     // These make the command unclassifiable even when every visible
-    // piece would otherwise be read-only.
+    // piece would otherwise be read-only. Applied once to the whole
+    // string, so it also covers any residual command a runner
+    // (`env` / `command`) wraps: those are classified from the same
+    // token slice, never from a re-read of the shell.
     if (/[;&|<>]/.test(trimmed))
         return false;
     if (trimmed.includes("\n"))
@@ -140,11 +179,95 @@ export function isReadOnlyBashCommand(command) {
         return false;
     if (trimmed.includes("$("))
         return false;
-    const tokens = trimmed.split(/\s+/);
+    return classifyTokens(trimmed.split(/\s+/));
+}
+/**
+ * Classify an already-tokenized, metachar-cleared argv. Factored out
+ * of `isReadOnlyBashCommand` so the command-runner special cases
+ * (`command` / `env`) can recurse on the residual underlying command
+ * without re-parsing a reconstructed string.
+ */
+function classifyTokens(tokens) {
     const bin = tokens[0] ?? "";
     const sub = tokens[1] ?? "";
     if (SIMPLE_READ_ONLY_BINS.has(bin))
         return true;
+    // `command <cmd> ...` runs <cmd>, bypassing shell functions/aliases.
+    // It is read-only ONLY if the command it wraps is read-only. Strip
+    // `command`'s own option flags (`-p`, `-v`, `-V`, and any combined
+    // short flags like `-pv`), then recurse-classify the residual argv.
+    // Bare `command` (no residual) and the lookup-only forms `command
+    // -v <name>` / `command -V <name>` (which print where a name
+    // resolves without executing it) stay read-only.
+    if (bin === "command") {
+        let i = 1;
+        let lookupOnly = false;
+        for (; i < tokens.length; i += 1) {
+            const t = tokens[i];
+            if (t === undefined || !t.startsWith("-") || t === "--")
+                break;
+            if (/[vV]/.test(t))
+                lookupOnly = true;
+        }
+        if (i < tokens.length && tokens[i] === "--")
+            i += 1;
+        if (lookupOnly)
+            return true;
+        if (i >= tokens.length)
+            return true; // bare `command`
+        return classifyTokens(tokens.slice(i));
+    }
+    // `env [NAME=VALUE...] [flags] <cmd> ...` runs <cmd> in a modified
+    // environment. It is read-only ONLY if the command it wraps is
+    // read-only. Skip leading env-assignment tokens (`FOO=bar`) and
+    // env's own flags, then recurse-classify the residual command. Bare
+    // `env`, `env -u X`, `env FOO=bar` (no residual command, just prints
+    // the environment) stay read-only.
+    if (bin === "env") {
+        let i = 1;
+        while (i < tokens.length) {
+            const t = tokens[i];
+            if (t === undefined)
+                break;
+            // `env -S` / `--split-string` re-parses a string into a command:
+            // forfeit read-only classification (fail closed).
+            if (ENV_SPLIT_STRING_FLAGS.test(t))
+                return false;
+            if (t === "--") {
+                i += 1;
+                break;
+            }
+            if (ENV_VALUE_FLAGS.has(t)) {
+                i += 2;
+                continue;
+            }
+            if (ENV_LEADING_FLAGS.has(t)) {
+                i += 1;
+                continue;
+            }
+            // Long flag with a glued value (`--unset=NAME`, `--chdir=DIR`):
+            // single token, skip it.
+            if (t.startsWith("--") && t.includes("=")) {
+                i += 1;
+                continue;
+            }
+            // Short flag with a glued value (`-uNAME`, `-CDIR`): single
+            // token, skip it.
+            if (/^-[uC]./.test(t)) {
+                i += 1;
+                continue;
+            }
+            // `NAME=VALUE` environment assignment (no leading dash): skip.
+            if (!t.startsWith("-") && /^[A-Za-z_][A-Za-z0-9_]*=/.test(t)) {
+                i += 1;
+                continue;
+            }
+            break;
+        }
+        if (i >= tokens.length)
+            return true; // bare `env` / only assignments
+        return classifyTokens(tokens.slice(i));
+    }
     // `find` is read-only ONLY when none of its argv tokens are write
     // flags. Scan the whole argv: `-delete` / `-exec` / `-execdir` /
     // `-ok` / `-okdir` mutate the filesystem; `-fprint*` and `-fls`