@lannguyensi/harness 0.31.0 → 0.33.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +33 -0
- package/dist/cli/approve/branch-protection.d.ts +69 -0
- package/dist/cli/approve/branch-protection.js +157 -0
- package/dist/cli/approve/branch-protection.js.map +1 -0
- package/dist/cli/index.js +101 -1
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/composer.js +11 -5
- package/dist/cli/init/composer.js.map +1 -1
- package/dist/cli/init/profiles.d.ts +2 -2
- package/dist/cli/init/profiles.js +2 -2
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +23 -4
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-branch-protection.d.ts +8 -0
- package/dist/cli/pack/hook-branch-protection.js +59 -15
- package/dist/cli/pack/hook-branch-protection.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +31 -2
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-solution-acceptance-writeguard.d.ts +26 -0
- package/dist/cli/pack/hook-solution-acceptance-writeguard.js +187 -0
- package/dist/cli/pack/hook-solution-acceptance-writeguard.js.map +1 -0
- package/dist/cli/pack/hook-solution-acceptance.d.ts +28 -0
- package/dist/cli/pack/hook-solution-acceptance.js +251 -0
- package/dist/cli/pack/hook-solution-acceptance.js.map +1 -0
- package/dist/cli/pack/read-only-bash.js +127 -4
- package/dist/cli/pack/read-only-bash.js.map +1 -1
- package/dist/cli/validate/checks.js +38 -0
- package/dist/cli/validate/checks.js.map +1 -1
- package/dist/policy-packs/builtin/branch-protection-runtime.d.ts +47 -6
- package/dist/policy-packs/builtin/branch-protection-runtime.js +53 -6
- package/dist/policy-packs/builtin/branch-protection-runtime.js.map +1 -1
- package/dist/policy-packs/builtin/branch-protection.js +21 -11
- package/dist/policy-packs/builtin/branch-protection.js.map +1 -1
- package/dist/policy-packs/builtin/solution-acceptance-runtime.d.ts +137 -0
- package/dist/policy-packs/builtin/solution-acceptance-runtime.js +321 -0
- package/dist/policy-packs/builtin/solution-acceptance-runtime.js.map +1 -0
- package/dist/policy-packs/builtin/solution-acceptance.d.ts +44 -0
- package/dist/policy-packs/builtin/solution-acceptance.js +185 -0
- package/dist/policy-packs/builtin/solution-acceptance.js.map +1 -0
- package/dist/policy-packs/builtin/understanding-before-execution.d.ts +11 -0
- package/dist/policy-packs/builtin/understanding-before-execution.js +15 -0
- package/dist/policy-packs/builtin/understanding-before-execution.js.map +1 -1
- package/dist/policy-packs/registry.d.ts +1 -1
- package/dist/policy-packs/registry.js +10 -0
- package/dist/policy-packs/registry.js.map +1 -1
- package/package.json +3 -3
@@ -1 +1 @@
1
-
{"version":3,"file":"read-only-bash.js","sourceRoot":"","sources":["../../../src/cli/pack/read-only-bash.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,sBAAsB;AACtB,EAAE;AACF,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,QAAQ;AACR,EAAE;AACF,mBAAmB;AACnB,oEAAoE;AACpE,kEAAkE;AAClE,sEAAsE;AACtE,iEAAiE;AACjE,qEAAqE;AACrE,qEAAqE;AACrE,kEAAkE;AAClE,4DAA4D;AAC5D,sEAAsE;AACtE,mEAAmE;AACnE,sEAAsE;AACtE,mEAAmE;AACnE,oEAAoE;AACpE,sBAAsB;AACtB,EAAE;AACF,gEAAgE;AAChE,qEAAqE;AACrE,gEAAgE;AAChE,oEAAoE;AACpE,yDAAyD;AAEzD;;;GAGG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM
1
+
{"version":3,"file":"read-only-bash.js","sourceRoot":"","sources":["../../../src/cli/pack/read-only-bash.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,sBAAsB;AACtB,EAAE;AACF,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,QAAQ;AACR,EAAE;AACF,mBAAmB;AACnB,oEAAoE;AACpE,kEAAkE;AAClE,sEAAsE;AACtE,iEAAiE;AACjE,qEAAqE;AACrE,qEAAqE;AACrE,kEAAkE;AAClE,4DAA4D;AAC5D,sEAAsE;AACtE,mEAAmE;AACnE,sEAAsE;AACtE,mEAAmE;AACnE,oEAAoE;AACpE,sBAAsB;AACtB,EAAE;AACF,gEAAgE;AAChE,qEAAqE;AACrE,gEAAgE;AAChE,oEAAoE;AACpE,yDAAyD;AAEzD;;;GAGG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM;IACnC,MAAM,EAAE,IAAI,EAAE,IAAI;IAClB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;IAClD,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU;IAChD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK;IACrD,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU;IAC7C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM;IACrC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK;CAC1C,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,SAAS;IACT,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ;IACpC,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;CAC1C,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,IAAI,EAAE,sBAAsB,EAAE,GAAG,EAAE,IAAI;CACxC,CAAC,CAAC;AACH,mEAAmE;AACnE,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,IAAI,EAAE,SAAS;IACf,IAAI,EAAE,SAAS;CAChB,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,sBAAsB,GAAG,+BAA+B,CAAC;AAE/D;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK;IAChD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS;IACrD,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU;IACxD,QAAQ,EAAE,UAAU,EAAE,kBAAkB,EAAE,cAAc;IACxD,UAAU,EAAE,YAAY,EAAE,UAAU;CACrC,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ;CAC3C,CAAC,CAAC;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,S
AAS;IAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU;CACtC,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IAC1D,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS;IACxD,MAAM,EAAE,QAAQ,EAAE,OAAO;CAC1B,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI;CACxC,CAAC,CAAC;AAEH;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,mEAAmE;IACnE,gEAAgE;IAChE,gEAAgE;IAChE,0DAA0D;IAC1D,gEAAgE;IAChE,kDAAkD;IAClD,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzC,OAAO,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,MAAyB;IAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE5B,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,qEAAqE;IACrE,mEAAmE;IACnE,mEAAmE;IACnE,oEAAoE;IACpE,kEAAkE;IAClE,6DAA6D;IAC7D,iDAAiD;IACjD,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;gBAAE,MAAM;YAC/D,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,UAAU,GAAG,IAAI,CAAC;QACxC,CAAC;QACD,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,UAAU;YAAE,OAAO,IAAI,CAAC;QAC5B,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,iBAAiB;QACtD,OAAO,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,mEAAmE;IACnE,+DAA+D;IAC/D,gEAAgE;IAChE,oEAAoE;IACpE,qEAAqE;IACrE,mCAAmC;IACnC,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,OAAO,CAAC
,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YACzB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,KAAK,SAAS;gBAAE,MAAM;YAC3B,iEAAiE;YACjE,kDAAkD;YAClD,IAAI,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAC;YACjD,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,MAAM;YAAC,CAAC;YAClC,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACjD,IAAI,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACnD,gEAAgE;YAChE,yBAAyB;YACzB,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YAChE,4DAA4D;YAC5D,kBAAkB;YAClB,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YAC5C,+DAA+D;YAC/D,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACnF,MAAM;QACR,CAAC;QACD,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,gCAAgC;QACrE,OAAO,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,kEAAkE;IAClE,iEAAiE;IACjE,gEAAgE;IAChE,+DAA+D;IAC/D,gEAAgE;IAChE,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,+DAA+D;IAC/D,+DAA+D;IAC/D,8DAA8D;IAC9D,2DAA2D;IAC3D,wDAAwD;IACxD,8DAA8D;IAC9D,kEAAkE;IAClE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEtD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACjB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7B,OAAO,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE9D,OAAO,KAAK,CAAC;AACf,CAAC"}
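--- a/package/dist/cli/validate/checks.js
+++ b/package/dist/cli/validate/checks.js
@@ -226,6 +226,43 @@ function checkPolicyGroundingMcp(manifest) {
 },
 ];
 }
+// solution-acceptance is a pure CONSUMER: it reads the verdict marker the
+// grounding-mcp producer writes. Two misconfigurations silently turn the
+// completion-gate into a permanent deny (a No-Op that LOOKS protective):
+// 1. grounding-mcp absent from tools.mcp -> the producer (solution_evaluate)
+// is unreachable, so no verdict can ever be written -> deadlock.
+// 2. grounding-mcp declares a non-default SOLUTION_VERDICT_DIR env -> the
+// consumer reads the producer DEFAULT dir and does not see the override
+// (harness does not project tools.mcp env into the hook), so the gate
+// always denies.
+// Warning-tier in v1; escalation to error is a tracked follow-up.
+function checkSolutionAcceptanceProducer(manifest) {
+const pack = manifest.policy_packs.find((p) => p.name === "solution-acceptance");
+if (!pack || !pack.enabled)
+return [];
+const grounding = manifest.tools.mcp.find((m) => m.name === "grounding-mcp");
+if (!grounding) {
+return [
+{
+severity: "warning",
+path: "policy_packs",
+message: "solution-acceptance is enabled but grounding-mcp is not wired under tools.mcp: the producer (solution_evaluate) is unreachable, so the completion-gate can never see a verdict and will deadlock on a permanent deny. Add grounding-mcp (>= 0.3.2) to tools.mcp.",
+},
+];
+}
+const env = (grounding.env ?? {});
+const dir = env["SOLUTION_VERDICT_DIR"];
+if (typeof dir === "string" && dir.trim().length > 0) {
+return [
+{
+severity: "warning",
+path: "tools.mcp",
+message: "solution-acceptance: grounding-mcp declares a non-default SOLUTION_VERDICT_DIR; the harness completion-gate reads the producer default location and does not see this override, so the gate would always deny. Unset it or mirror the same value into the hook environment.",
+},
+];
+}
+return [];
+}
 // Phase 6 #2: surface pack-resolution problems at lint time, not at
 // `harness apply` time. Delegates to the shared `checkPolicyPackSources`
 // so the apply path (which now also fails loudly on these conditions)
@@ -268,6 +305,7 @@ export function runAssetChecks(manifest, opts = {}) {
 ...checkHooks(manifest, home),
 ...checkBuiltinDrift(manifest, opts),
 ...checkPolicyGroundingMcp(manifest),
+...checkSolutionAcceptanceProducer(manifest),
 ...checkPolicyPacks(manifest),
 ...checkPolicyPackConfigsAsDiagnostics(manifest),
 ];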
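Review bot: `manifest.tools.mcp.find(...)` in checkSolutionAcceptanceProducer throws a TypeError when a manifest declares no MCP servers at all (tools.mcp undefined), which would abort runAssetChecks instead of emitting the intended deadlock warning — unless the manifest schema guarantees tools.mcp is always an array, which this hunk does not show (the sibling checkPolicyGroundingMcp ends just above and may rely on the same assumption); a defensive `const grounding = (manifest.tools?.mcp ?? []).find((m) => m.name === "grounding-mcp");` keeps the lint pass total. The first warning text also promises a `>= 0.3.2` grounding-mcp, but the code only tests presence by name, so a pinned older server without `solution_evaluate` passes lint silently; if the tools.mcp entry carries a version field compare it there, otherwise the comment above the function should say the version floor is unverified. Finally, the `SOLUTION_VERDICT_DIR` guard fires on any non-empty value, including one equal to the producer default, so the "non-default" wording overstates what is checked; a one-line comment such as `// any explicit value warns: the producer default path is not known here` would make that deliberate.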
@@ -1 +1 @@
1
-
{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../../src/cli/validate/checks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAW1D,MAAM,wBAAwB,GAAG;IAC/B,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,OAAO;IACP,YAAY;IACZ,MAAM;IACN,MAAM;CACP,CAAC;AAEF,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,QAAgB;IAClC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,OAAe;IACpD,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,YAAY,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;IAC5E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,SAAS,GAAG,qBAAqB,CAAC;AAExC,SAAS,eAAe,CAAC,MAAc,EAAE,QAAgB;IACvD,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EA
AE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAAE,OAAO,CAAC,CAAC;QACnD,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC;QACtB,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,QAAQ,CAAC,QAAkB,EAAE,IAAY;IAChD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1F,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,WAAW;gBACtC,OAAO,EAAE,wBAAwB,QAAQ,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,QAAkB,EAAE,IAAkB;IACtD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAEvD,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,IAAI,QAAuB,CAAC;QAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;QACvF,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAC5C,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,UAAU;gBACrC,OAAO,EAAE,GAAG,CAAC,QAAQ;oBACnB,CAAC,CAAC,8BAA8B,GAAG,CAAC,MAAM,EAAE;oBAC5C,CAAC,CAAC,6BAA
6B,GAAG,CAAC,MAAM,EAAE;aAC9C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,WAAW;YAAE,OAAO;QAC7B,MAAM,cAAc,GAAG,GAAG,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACtE,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,4BAA4B,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;aAChE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,mCAAmC,MAAM,CAAC,IAAI,EAAE,GAAG;aAC7D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACnD,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,qBAAqB,KAAK,CAAC,CAAC,CAAC,0BAA0B,GAAG,CAAC,WAAW,EAAE;aAClF,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,QAAkB,EAAE,IAAY;IACnD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE,CAAC;QACjC,IAAI,KAAK,GAAG,KAAK,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACvC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;YAC7D,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7B,KAAK,GAAG,IAAI,CAAC;gBACb,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,yBAAyB,SAAS,GAAG;gBAC3C,OAAO,EAAE,0DAA0D;aACpE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,QAAkB,EAAE,IAAY;IAClD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QAC9B,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC
,CAAC;QACvC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,wBAAwB,QAAQ,EAAE;aAC5C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,uBAAuB,QAAQ,EAAE;aAC3C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,8BAA8B,QAAQ,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAkB,EAAE,IAAkB;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,IAAI,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,CAAC;IAC3E,MAAM,OAAO,GAAG,KAAK,EAAE,CAAC;IACxB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC,CAAC,qCAAqC;aAChF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;IACzE,IAAI,KAAK;QAAE,OAAO,EAAE,CAAC;IACrB,OAAO;QACL;YACE,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EACL,qIAAqI;SACxI;KACF,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,yEAAyE;AACzE,sEAAsE;AACtE,wEAAwE;AACxE,iBAAiB;AACjB,SAAS,gBAAgB,CAAC,QAAkB;IAC1C,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtD,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,gBAAgB,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,KAAK,EAAE;QACvD,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC,CAAC,CAAC;AACN,CA
AC;AAED,qEAAqE;AACrE,gEAAgE;AAChE,mEAAmE;AACnE,oEAAoE;AACpE,mEAAmE;AACnE,mEAAmE;AACnE,oEAAoE;AACpE,oEAAoE;AACpE,yEAAyE;AACzE,SAAS,mCAAmC,CAAC,QAAkB;IAC7D,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GACR,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;YACzB,CAAC,CAAC,gBAAgB,KAAK,CAAC,SAAS,YAAY,KAAK,CAAC,UAAU,EAAE;YAC/D,CAAC,CAAC,gBAAgB,KAAK,CAAC,SAAS,UAAU,CAAC;QAChD,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,QAAkB,EAClB,OAAqB,EAAE;IAEvB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1C,OAAO;QACL,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3B,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3B,GAAG,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC9B,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC7B,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC;QACpC,GAAG,uBAAuB,CAAC,QAAQ,CAAC;QACpC,GAAG,gBAAgB,CAAC,QAAQ,CAAC;QAC7B,GAAG,mCAAmC,CAAC,QAAQ,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,UAAU;IACV,YAAY;IACZ,UAAU;IACV,eAAe;IACf,aAAa;IACb,wBAAwB;CACzB,CAAC"}
1
+
{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../../src/cli/validate/checks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAW1D,MAAM,wBAAwB,GAAG;IAC/B,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,OAAO;IACP,YAAY;IACZ,MAAM;IACN,MAAM;CACP,CAAC;AAEF,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,QAAgB;IAClC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,OAAe;IACpD,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACzC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,YAAY,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;IAC5E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,SAAS,GAAG,qBAAqB,CAAC;AAExC,SAAS,eAAe,CAAC,MAAc,EAAE,QAAgB;IACvD,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EA
AE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACrB,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAAE,OAAO,CAAC,CAAC;QACnD,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC;QACtB,IAAI,EAAE,GAAG,EAAE;YAAE,OAAO,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,QAAQ,CAAC,QAAkB,EAAE,IAAY;IAChD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1F,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,WAAW;gBACtC,OAAO,EAAE,wBAAwB,QAAQ,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,QAAkB,EAAE,IAAkB;IACtD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAEvD,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,IAAI,QAAuB,CAAC;QAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;QACvF,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAC5C,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,UAAU;gBACrC,OAAO,EAAE,GAAG,CAAC,QAAQ;oBACnB,CAAC,CAAC,8BAA8B,GAAG,CAAC,MAAM,EAAE;oBAC5C,CAAC,CAAC,6BAA
6B,GAAG,CAAC,MAAM,EAAE;aAC9C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,WAAW;YAAE,OAAO;QAC7B,MAAM,cAAc,GAAG,GAAG,CAAC,eAAe,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACtE,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,4BAA4B,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;aAChE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,mCAAmC,MAAM,CAAC,IAAI,EAAE,GAAG;aAC7D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACnD,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,aAAa,GAAG,CAAC,IAAI,eAAe;gBAC1C,OAAO,EAAE,qBAAqB,KAAK,CAAC,CAAC,CAAC,0BAA0B,GAAG,CAAC,WAAW,EAAE;aAClF,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,QAAkB,EAAE,IAAY;IACnD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE,CAAC;QACjC,IAAI,KAAK,GAAG,KAAK,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACvC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;YAC7D,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7B,KAAK,GAAG,IAAI,CAAC;gBACb,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,yBAAyB,SAAS,GAAG;gBAC3C,OAAO,EAAE,0DAA0D;aACpE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,QAAkB,EAAE,IAAY;IAClD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QAC9B,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC
,CAAC;QACvC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,wBAAwB,QAAQ,EAAE;aAC5C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,uBAAuB,QAAQ,EAAE;aAC3C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,WAAW;gBACnC,OAAO,EAAE,8BAA8B,QAAQ,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAkB,EAAE,IAAkB;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,IAAI,CAAC,GAAG,EAAE,CAAC,wBAAwB,CAAC,CAAC;IAC3E,MAAM,OAAO,GAAG,KAAK,EAAE,CAAC;IACxB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC,CAAC,qCAAqC;aAChF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;IACzE,IAAI,KAAK;QAAE,OAAO,EAAE,CAAC;IACrB,OAAO;QACL;YACE,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,UAAU;YAChB,OAAO,EACL,qIAAqI;SACxI;KACF,CAAC;AACJ,CAAC;AAED,0EAA0E;AAC1E,yEAAyE;AACzE,yEAAyE;AACzE,+EAA+E;AAC/E,sEAAsE;AACtE,4EAA4E;AAC5E,6EAA6E;AAC7E,2EAA2E;AAC3E,sBAAsB;AACtB,kEAAkE;AAClE,SAAS,+BAA+B,CAAC,QAAkB;IACzD,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC;IACjF,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OA
AO;QAAE,OAAO,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;IAC7E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL;gBACE,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,cAAc;gBACpB,OAAO,EACL,kQAAkQ;aACrQ;SACF,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,CAA4B,CAAC;IAC7D,MAAM,GAAG,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrD,OAAO;YACL;gBACE,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,WAAW;gBACjB,OAAO,EACL,6QAA6Q;aAChR;SACF,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,oEAAoE;AACpE,yEAAyE;AACzE,sEAAsE;AACtE,wEAAwE;AACxE,iBAAiB;AACjB,SAAS,gBAAgB,CAAC,QAAkB;IAC1C,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtD,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,gBAAgB,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,KAAK,EAAE;QACvD,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC,CAAC,CAAC;AACN,CAAC;AAED,qEAAqE;AACrE,gEAAgE;AAChE,mEAAmE;AACnE,oEAAoE;AACpE,mEAAmE;AACnE,mEAAmE;AACnE,oEAAoE;AACpE,oEAAoE;AACpE,yEAAyE;AACzE,SAAS,mCAAmC,CAAC,QAAkB;IAC7D,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACpD,MAAM,IAAI,GACR,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;YACzB,CAAC,CAAC,gBAAgB,KAAK,CAAC,SAAS,YAAY,KAAK,CAAC,UAAU,EAAE;YAC/D,CAAC,CAAC,gBAAgB,KAAK,CAAC,SAAS,UAAU,CAAC;QAChD,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,QAAkB,EAClB,OAAqB,EAAE;IAEvB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1C,OAAO;QACL,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3B,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC3B,GAAG,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC9B,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC7B,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC;QACpC,GAAG,uBAAuB,CAAC,QAAQ,CAAC;QACpC,GAAG,+BAA+B,CAAC,QAAQ,CAAC;QAC5C,GAAG,gBAAgB,CAAC,QAAQ,CAAC;QAC7B,GAAG,mCAAmC,CAAC,QAAQ,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,UAAU;IACV,YAAY;IACZ,UAAU;IACV,eAAe;IACf,aAAa;IACb,wB
AAwB;CACzB,CAAC"}
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import type { PolicyPack } from "../../schema/index.js";
|
|
2
|
+
import { type ApprovalMarker, type CheckApprovalMarkerOptions, type MarkerCheck } from "./understanding-before-execution-runtime.js";
|
|
2
3
|
export declare const PACK_NAME = "branch-protection";
|
|
3
4
|
/**
|
|
4
5
|
* Ledger tag written by the producer when the current branch is NOT in
|
|
@@ -8,14 +9,54 @@ export declare const PACK_NAME = "branch-protection";
|
|
|
8
9
|
*/
|
|
9
10
|
export declare const NON_PROTECTED_TAG_PREFIX = "branch:non-protected";
|
|
10
11
|
/**
|
|
11
|
-
* Operator escape-hatch tag
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
12
|
+
* Operator escape-hatch tag, kept as a best-effort AUDIT echo only.
|
|
13
|
+
*
|
|
14
|
+
* SECURITY (audit finding #39): this tag is NO LONGER a trusted override
|
|
15
|
+
* signal. The agent has direct `mcp__agent-grounding__ledger_add` access,
|
|
16
|
+
* so it could self-write `branch-protection-ack:<anything>` and bless its
|
|
17
|
+
* own protected-branch edit — exactly the self-approval backdoor the
|
|
18
|
+
* understanding gate closed in agent-tasks/88ca4bb3 by moving the
|
|
19
|
+
* canonical approval to a filesystem marker. The blocker now consults the
|
|
20
|
+
* operator-only marker file (see `checkBranchProtectionMarker` below); the
|
|
21
|
+
* `harness approve branch-protection` verb still records this ledger tag
|
|
22
|
+
* so `harness audit` / forensics keep a trail, but its presence alone
|
|
23
|
+
* never satisfies the gate. The trailing `:<reason>` stays free-form.
|
|
17
24
|
*/
|
|
18
25
|
export declare const ACK_TAG_PREFIX = "branch-protection-ack";
|
|
26
|
+
/**
|
|
27
|
+
* Marker-name namespace for an operator-written branch-protection
|
|
28
|
+
* override. The marker lives in the shared `.approvals/` directory under
|
|
29
|
+
* `harness.generated/` (the same directory the understanding gate uses),
|
|
30
|
+
* prefixed so it can never be confused with an understanding-gate session
|
|
31
|
+
* marker (`.approvals/<sessionId>`) or a task marker (`.approvals/task-<id>`):
|
|
32
|
+
* Claude Code / Codex session ids are UUIDs and never start with this
|
|
33
|
+
* literal, so the three namespaces stay disjoint.
|
|
34
|
+
*
|
|
35
|
+
* Why a marker and not the `branch-protection-ack` ledger tag: only a
|
|
36
|
+
* process the operator launched (their `!`-shell or any un-hooked
|
|
37
|
+
* terminal) can write under `harness.generated/` — Edit / Write / Bash
|
|
38
|
+
* are all gated, and the configured MCP servers expose no filesystem
|
|
39
|
+
* write. So the marker is the canonical override signal; the ledger row
|
|
40
|
+
* is a best-effort audit echo only.
|
|
41
|
+
*/
|
|
42
|
+
export declare const BRANCH_PROTECTION_MARKER_PREFIX = "branch-protection-";
|
|
43
|
+
/** Marker filename (inside `.approvals/`) for a session's branch-protection override. */
|
|
44
|
+
export declare function branchProtectionMarkerName(sessionId: string): string;
|
|
45
|
+
/**
|
|
46
|
+
* Operator-side: write the canonical branch-protection override marker for
|
|
47
|
+
* `sessionId`. Atomic (delegates to `writeApprovalMarker`). Caller is
|
|
48
|
+
* `harness approve branch-protection`, run from the operator's un-hooked
|
|
49
|
+
* shell; if the agent could reach this path the gate's value would
|
|
50
|
+
* collapse, so it lives behind the approve CLI.
|
|
51
|
+
*/
|
|
52
|
+
export declare function writeBranchProtectionMarker(generatedDir: string, sessionId: string, marker: ApprovalMarker): string;
|
|
53
|
+
/**
|
|
54
|
+
* Gate-side: is the operator's branch-protection override marker present
|
|
55
|
+
* for `sessionId`? Inherits `checkApprovalMarker`'s contract
|
|
56
|
+
* (existence-is-enough, symlink rejection, optional freshness via
|
|
57
|
+
* `maxAgeMs`); only the namespaced filename differs.
|
|
58
|
+
*/
|
|
59
|
+
export declare function checkBranchProtectionMarker(generatedDir: string, sessionId: string, opts?: CheckApprovalMarkerOptions): MarkerCheck;
|
|
19
60
|
/**
|
|
20
61
|
* Freshness window for the producer tag. Five minutes lets a single
|
|
21
62
|
* branch-check satisfy a whole edit batch without re-running for every
|
|
@@ -6,6 +6,7 @@
|
|
|
6
6
|
// hook branch-protection` (blocker) — both under `src/cli/`. This module
|
|
7
7
|
// is the small shared surface they pull from: tag formats, default
|
|
8
8
|
// protected list, config parsing.
|
|
9
|
+
import { checkApprovalMarker, writeApprovalMarker, } from "./understanding-before-execution-runtime.js";
|
|
9
10
|
export const PACK_NAME = "branch-protection";
|
|
10
11
|
/**
|
|
11
12
|
* Ledger tag written by the producer when the current branch is NOT in
|
|
@@ -15,14 +16,60 @@ export const PACK_NAME = "branch-protection";
|
|
|
15
16
|
*/
|
|
16
17
|
export const NON_PROTECTED_TAG_PREFIX = "branch:non-protected";
|
|
17
18
|
/**
|
|
18
|
-
* Operator escape-hatch tag
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
*
|
|
19
|
+
* Operator escape-hatch tag, kept as a best-effort AUDIT echo only.
|
|
20
|
+
*
|
|
21
|
+
* SECURITY (audit finding #39): this tag is NO LONGER a trusted override
|
|
22
|
+
* signal. The agent has direct `mcp__agent-grounding__ledger_add` access,
|
|
23
|
+
* so it could self-write `branch-protection-ack:<anything>` and bless its
|
|
24
|
+
* own protected-branch edit — exactly the self-approval backdoor the
|
|
25
|
+
* understanding gate closed in agent-tasks/88ca4bb3 by moving the
|
|
26
|
+
* canonical approval to a filesystem marker. The blocker now consults the
|
|
27
|
+
* operator-only marker file (see `checkBranchProtectionMarker` below); the
|
|
28
|
+
* `harness approve branch-protection` verb still records this ledger tag
|
|
29
|
+
* so `harness audit` / forensics keep a trail, but its presence alone
|
|
30
|
+
* never satisfies the gate. The trailing `:<reason>` stays free-form.
|
|
24
31
|
*/
|
|
25
32
|
export const ACK_TAG_PREFIX = "branch-protection-ack";
|
|
33
|
+
/**
|
|
34
|
+
* Marker-name namespace for an operator-written branch-protection
|
|
35
|
+
* override. The marker lives in the shared `.approvals/` directory under
|
|
36
|
+
* `harness.generated/` (the same directory the understanding gate uses),
|
|
37
|
+
* prefixed so it can never be confused with an understanding-gate session
|
|
38
|
+
* marker (`.approvals/<sessionId>`) or a task marker (`.approvals/task-<id>`):
|
|
39
|
+
* Claude Code / Codex session ids are UUIDs and never start with this
|
|
40
|
+
* literal, so the three namespaces stay disjoint.
|
|
41
|
+
*
|
|
42
|
+
* Why a marker and not the `branch-protection-ack` ledger tag: only a
|
|
43
|
+
* process the operator launched (their `!`-shell or any un-hooked
|
|
44
|
+
* terminal) can write under `harness.generated/` — Edit / Write / Bash
|
|
45
|
+
* are all gated, and the configured MCP servers expose no filesystem
|
|
46
|
+
* write. So the marker is the canonical override signal; the ledger row
|
|
47
|
+
* is a best-effort audit echo only.
|
|
48
|
+
*/
|
|
49
|
+
export const BRANCH_PROTECTION_MARKER_PREFIX = "branch-protection-";
|
|
50
|
+
/** Marker filename (inside `.approvals/`) for a session's branch-protection override. */
|
|
51
|
+
export function branchProtectionMarkerName(sessionId) {
|
|
52
|
+
return `${BRANCH_PROTECTION_MARKER_PREFIX}${sessionId}`;
|
|
53
|
+
}
|
|
54
|
+
/**
|
|
55
|
+
* Operator-side: write the canonical branch-protection override marker for
|
|
56
|
+
* `sessionId`. Atomic (delegates to `writeApprovalMarker`). Caller is
|
|
57
|
+
* `harness approve branch-protection`, run from the operator's un-hooked
|
|
58
|
+
* shell; if the agent could reach this path the gate's value would
|
|
59
|
+
* collapse, so it lives behind the approve CLI.
|
|
60
|
+
*/
|
|
61
|
+
export function writeBranchProtectionMarker(generatedDir, sessionId, marker) {
|
|
62
|
+
return writeApprovalMarker(generatedDir, branchProtectionMarkerName(sessionId), marker);
|
|
63
|
+
}
|
|
64
|
+
/**
|
|
65
|
+
* Gate-side: is the operator's branch-protection override marker present
|
|
66
|
+
* for `sessionId`? Inherits `checkApprovalMarker`'s contract
|
|
67
|
+
* (existence-is-enough, symlink rejection, optional freshness via
|
|
68
|
+
* `maxAgeMs`); only the namespaced filename differs.
|
|
69
|
+
*/
|
|
70
|
+
export function checkBranchProtectionMarker(generatedDir, sessionId, opts = {}) {
|
|
71
|
+
return checkApprovalMarker(generatedDir, branchProtectionMarkerName(sessionId), opts);
|
|
72
|
+
}
|
|
26
73
|
/**
|
|
27
74
|
* Freshness window for the producer tag. Five minutes lets a single
|
|
28
75
|
* branch-check satisfy a whole edit batch without re-running for every
|
|
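Review bot: `branchProtectionMarkerName` interpolates `sessionId` into the marker filename unchecked, so the namespace argument in the comment above it (and in the matching `.d.ts` hunk) rests on the host always supplying a UUID rather than on anything this module enforces. Unless `writeApprovalMarker` / `checkApprovalMarker` (imported, not in this hunk) reject separators and dot segments, a session id carrying `/` or `..` would resolve the marker outside `.approvals/`; the new `sanitizeVerdictId` in solution-acceptance-runtime already applies a basename guard for verdict ids, so a matching guard here keeps the two gates consistent. A single-segment check at the top of `branchProtectionMarkerName`, e.g. `if (!/^[A-Za-z0-9._-]+$/.test(sessionId) || sessionId === "." || sessionId === "..") throw new TypeError("invalid sessionId");`, covers both the writer and the checker, with the checker's caller treating the throw as a deny. If the host does guarantee UUIDs, stating that precondition in the JSDoc at least makes the assumption visible.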
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"branch-protection-runtime.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection-runtime.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,EAAE;AACF,kEAAkE;AAClE,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,mEAAmE;AACnE,kCAAkC;
|
|
1
|
+
{"version":3,"file":"branch-protection-runtime.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection-runtime.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,EAAE;AACF,kEAAkE;AAClE,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,mEAAmE;AACnE,kCAAkC;AAGlC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,GAIpB,MAAM,6CAA6C,CAAC;AAErD,MAAM,CAAC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AAE7C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAE/D;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAEtD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG,oBAAoB,CAAC;AAEpE,yFAAyF;AACzF,MAAM,UAAU,0BAA0B,CAAC,SAAiB;IAC1D,OAAO,GAAG,+BAA+B,GAAG,SAAS,EAAE,CAAC;AAC1D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,2BAA2B,CACzC,YAAoB,EACpB,SAAiB,EACjB,MAAsB;IAEtB,OAAO,mBAAmB,CAAC,YAAY,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;AAC1F,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CACzC,YAAoB,EACpB,SAAiB,EACjB,OAAmC,EAAE;IAErC,OAAO,mBAAmB,CAAC,YAAY,EAAE,0BAA0B,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,CAAC;AACxF,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD,4EAA4E;AAC5E,MAAM,CAAC,MAAM,0BAA0B,GAAsB;IAC3D,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAAgB;IAIvD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO,EAAE,QAAQ,EAAE,CAAC,GAAG,0BAA0B,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,QAAQ,EAAE,CAAC,GAAG,0BAA0B,CAAC;YACzC,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,kEAAkE,OAAO,GAAG,+BAA+B,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SACvL,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;;YAC7D,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IACD,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpB,OAAO;YACL,QAAQ,EAAE,CAAC,GAAG,0BAA0B,CAAC;YACzC,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,6GAA6G,
0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SACzL,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,wCAAwC,GAAG,CAAC,MAAM,mBAAmB,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC,MAAM,aAAa,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SACvN,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACzC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc,EAAE,aAAgC;IAChF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxC,CAAC"}
|
|
@@ -16,9 +16,14 @@
|
|
|
16
16
|
// consults the ledger on every Write/Edit (or `apply_patch`) and
|
|
17
17
|
// emits a Claude Code deny envelope unless either:
|
|
18
18
|
// - a fresh (<5m) `branch:non-protected` tag exists, OR
|
|
19
|
-
// -
|
|
20
|
-
//
|
|
21
|
-
//
|
|
19
|
+
// - the operator-only override marker exists at
|
|
20
|
+
// `harness.generated/.approvals/branch-protection-<sessionId>`,
|
|
21
|
+
// written by `harness approve branch-protection`. The legacy
|
|
22
|
+
// `branch-protection-ack:` ledger tag is no longer trusted as an
|
|
23
|
+
// override (audit finding #39): it is agent-writable via
|
|
24
|
+
// `mcp__agent-grounding__ledger_add`, so it could self-bless an
|
|
25
|
+
// edit. The marker lives under `harness.generated/`, which Edit /
|
|
26
|
+
// Write / Bash are all gated from writing.
|
|
22
27
|
//
|
|
23
28
|
// The producer is also runnable on-demand from the operator's `!` shell
|
|
24
29
|
// — same CLI verb, no SessionStart event piped on stdin — so an agent
|
|
@@ -72,7 +77,7 @@ function buildHooks(runtime) {
|
|
|
72
77
|
command: BLOCKER_COMMAND,
|
|
73
78
|
blocking: "hard",
|
|
74
79
|
budget_ms: 5000,
|
|
75
|
-
description: `Blocker: deny ${blockerMatch} on protected branches unless a fresh branch:non-protected tag or
|
|
80
|
+
description: `Blocker: deny ${blockerMatch} on protected branches unless a fresh branch:non-protected tag exists in the ledger or the operator-only override marker (harness approve branch-protection) is present.`,
|
|
76
81
|
},
|
|
77
82
|
];
|
|
78
83
|
}
|
|
@@ -113,7 +118,8 @@ While this pack is enabled, hooks are wired into the ${settingsArtefact}:
|
|
|
113
118
|
\`${blockerMatch}\`: refuses the tool call unless EITHER
|
|
114
119
|
- a \`${NON_PROTECTED_TAG_PREFIX}\` tag exists in the ledger from
|
|
115
120
|
within the last ${minutes} minutes, OR
|
|
116
|
-
-
|
|
121
|
+
- the operator-only override marker exists at
|
|
122
|
+
\`harness.generated/.approvals/branch-protection-<sessionId>\`.
|
|
117
123
|
|
|
118
124
|
## Escape hatches
|
|
119
125
|
|
|
@@ -122,12 +128,16 @@ While this pack is enabled, hooks are wired into the ${settingsArtefact}:
|
|
|
122
128
|
is gated by the Understanding Gate but the producer command is itself
|
|
123
129
|
a \`harness ...\` invocation that the gate's allowlist accepts.
|
|
124
130
|
|
|
125
|
-
- **Explicit override** (
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
deliberate reason to edit a protected branch
|
|
129
|
-
workflow patches,
|
|
130
|
-
|
|
131
|
+
- **Explicit override** (operator only): from an un-hooked shell run
|
|
132
|
+
\`harness approve branch-protection --session <sessionId>\`. This writes
|
|
133
|
+
the canonical approval marker the blocker consults. Use it when you have
|
|
134
|
+
a deliberate reason to edit a protected branch (version bumps, CI
|
|
135
|
+
workflow patches, hotfixes). SECURITY (audit finding #39): a
|
|
136
|
+
\`${ACK_TAG_PREFIX}:<reason>\` ledger tag is NO LONGER sufficient on its
|
|
137
|
+
own — it is agent-writable via \`mcp__agent-grounding__ledger_add\`, so
|
|
138
|
+
the gate would otherwise be self-approvable. The approve verb still
|
|
139
|
+
records that ledger tag for audit, but only the marker file (which the
|
|
140
|
+
agent cannot write) opens the gate.
|
|
131
141
|
|
|
132
142
|
## Out of scope (v1)
|
|
133
143
|
|
|
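Review bot: The new **Explicit override** paragraph says how to create the marker but not how long it remains valid or how to withdraw it, which an operator granting a protected-branch edit needs to know. `checkBranchProtectionMarker` accepts an optional `maxAgeMs`, so whether the blocker applies a freshness window (as it does for the `branch:non-protected` tag) cannot be inferred from this text; if it does, name the window here, and if not, say the marker is sticky for the session. Since the check is existence-based, a sentence such as `Remove the marker file under harness.generated/.approvals/ to withdraw the override.` closes the gap. The blocker `description` string in the earlier hunk of this file has the same omission.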
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"branch-protection.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,oEAAoE;AACpE,qEAAqE;AACrE,uCAAuC;AACvC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,wDAAwD;AACxD,+DAA+D;AAC/D,
|
|
1
|
+
{"version":3,"file":"branch-protection.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,oEAAoE;AACpE,qEAAqE;AACrE,uCAAuC;AACvC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,wDAAwD;AACxD,+DAA+D;AAC/D,uDAAuD;AACvD,yEAAyE;AACzE,sEAAsE;AACtE,0EAA0E;AAC1E,kEAAkE;AAClE,yEAAyE;AACzE,2EAA2E;AAC3E,oDAAoD;AACpD,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,iEAAiE;AACjE,WAAW;AACX,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAE9D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,wBAAwB,EACxB,SAAS,EACT,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,SAAS,EAAE,CAAC;AAErB;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACzD,0DAA0D;IAC1D,sDAAsD;IACtD,EAAE,EAAE,cAAc,CAAC,QAAQ,EAAE;CAC9B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,wBAAwB,GAAG,aAAa,CAAC;AAE/C,MAAM,gBAAgB,GAAG,oCAAoC,CAAC;AAC9D,MAAM,eAAe,GAAG,qCAAqC,CAAC;AAE9D,SAAS,UAAU,CAAC,OAAgB;IAClC,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;YACzC,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,wKAAwK;SAC3K;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,YAAY;YACnB,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,iBAAiB,YAAY,0KAA0K;SACrN;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAgB,EAAE,QAA2B,EAAE,OAAgB;IACxF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAA
C,CAAC,CAAC,yBAAyB,CAAC;IACpF,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,GAAG,KAAK,CAAC,CAAC;IAC1D,OAAO,kBAAkB,SAAS;;;;;;;;EAQlC,OAAO;;;;EAIP,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;;uDAMS,gBAAgB;;kCAErC,gBAAgB;;oBAE9B,wBAAwB;;;+BAGb,eAAe;OACvC,YAAY;WACR,wBAAwB;uBACZ,OAAO;;;;;;;oCAOM,gBAAgB;;;;;;;;;MAS9C,cAAc;;;;;;;;;;;;;;;;EAgBlB,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;eACN,OAAO;cACR,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC;CAClD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe;IAElC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,iBAAiB,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC;SACpD;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC"}
|
|
@@ -0,0 +1,137 @@
|
|
|
1
|
+
import type { PolicyPack } from "../../schema/index.js";
|
|
2
|
+
export declare const PACK_NAME = "solution-acceptance";
|
|
3
|
+
/**
|
|
4
|
+
* agent-tasks MCP verbs that mark a completion boundary. The gate fires on
|
|
5
|
+
* these (matched by exact tool name `mcp__agent-tasks__<verb>`). These MCP
|
|
6
|
+
* choke points are reliable: unlike the bash matcher they cannot be evaded
|
|
7
|
+
* by shell indirection.
|
|
8
|
+
*/
|
|
9
|
+
export declare const DEFAULT_PROTECTED_COMPLETION_TOOLS: readonly ["task_finish", "task_submit_pr", "task_merge", "pull_requests_merge"];
|
|
10
|
+
/**
|
|
11
|
+
* Belt-and-suspenders bash matcher for `git push` / `gh pr merge`. Regex on
|
|
12
|
+
* the typed command, so an env-var indirection
|
|
13
|
+
* (`B=main && git push origin $B`) evades it — the MCP verbs above are the
|
|
14
|
+
* load-bearing choke points; hardening this is follow-up `7207d8f9`.
|
|
15
|
+
* Tolerates a leading `cd … &&`, inline `VAR=val` assignments, and `git -C
|
|
16
|
+
* <path> push`.
|
|
17
|
+
*/
|
|
18
|
+
export declare const DEFAULT_PUSH_BASH_RE: RegExp;
|
|
19
|
+
/**
|
|
20
|
+
* Resolve the completion verbs the gate fires on: the pack's
|
|
21
|
+
* `config.protected_completion_tools` override, else the default set.
|
|
22
|
+
* Always non-empty. Lives here (not in the pack module) so the
|
|
23
|
+
* completion-gate hook can share it without importing the pack's zod
|
|
24
|
+
* surface (mirrors `resolveProtectedBranches` in branch-protection-runtime).
|
|
25
|
+
*/
|
|
26
|
+
export declare function resolveProtectedCompletionTools(pack: PolicyPack): string[];
|
|
27
|
+
/** The verdict marker the producer writes. Keep field-for-field with grounding-mcp. */
|
|
28
|
+
export interface Verdict {
|
|
29
|
+
id: string;
|
|
30
|
+
head: string;
|
|
31
|
+
ready: boolean;
|
|
32
|
+
confidence: number;
|
|
33
|
+
blockers: string[];
|
|
34
|
+
timestamp: string;
|
|
35
|
+
source: string;
|
|
36
|
+
}
|
|
37
|
+
/** Env knob that overrides the verdict directory (mirrors the producer). */
|
|
38
|
+
export declare const VERDICT_DIR_ENV = "SOLUTION_VERDICT_DIR";
|
|
39
|
+
/**
|
|
40
|
+
* Env knob that supplies the verdict id for SOLO / non-agent-tasks sessions.
|
|
41
|
+
* The completion-gate consults it ONLY when no agent-tasks `active-claim` is
|
|
42
|
+
* recorded (resolution order: active-claim first, then this env, then
|
|
43
|
+
* fail-closed), so a claimed session's id stays authoritative and cannot be
|
|
44
|
+
* redirected by an env var. A sessionId fallback is intentionally still NOT a
|
|
45
|
+
* source (the wrong-scope bug class understanding-gate closed).
|
|
46
|
+
*/
|
|
47
|
+
export declare const VERDICT_ID_ENV = "SOLUTION_VERDICT_ID";
|
|
48
|
+
/**
|
|
49
|
+
* Stable tail of the default verdict dir. The write-guard's reference
|
|
50
|
+
* detection matches on this so ANY spelling of the home prefix is caught
|
|
51
|
+
* (`~/.local/state/...`, `$HOME/...`, `$XDG_STATE_HOME/...`, the literal
|
|
52
|
+
* absolute path).
|
|
53
|
+
*/
|
|
54
|
+
export declare const VERDICT_DIR_TAIL: string;
|
|
55
|
+
/**
|
|
56
|
+
* Resolve the verdict directory. Resolution order MUST match grounding-mcp's
|
|
57
|
+
* `verdictDir()` so the consumer reads exactly where the producer writes
|
|
58
|
+
* (operator decision B: both sides use the producer default; no apply-time
|
|
59
|
+
* env threading, no divergence risk):
|
|
60
|
+
* 1. SOLUTION_VERDICT_DIR
|
|
61
|
+
* 2. $XDG_STATE_HOME/agent-grounding/solution-verdicts
|
|
62
|
+
* 3. ~/.local/state/agent-grounding/solution-verdicts
|
|
63
|
+
*/
|
|
64
|
+
export declare function verdictDir(env?: NodeJS.ProcessEnv, homedir?: () => string): string;
|
|
65
|
+
/**
|
|
66
|
+
* Reduce a verdict id to a single safe path segment. Mirrors the producer's
|
|
67
|
+
* `sanitizeVerdictId`: non-portable chars collapse to `_`, `path.basename`
|
|
68
|
+
* strips any residual separator (path-traversal guard), empty / dot-only ids
|
|
69
|
+
* are rejected.
|
|
70
|
+
*/
|
|
71
|
+
export declare function sanitizeVerdictId(id: string): string;
|
|
72
|
+
export declare function verdictPathFor(dir: string, id: string): string;
|
|
73
|
+
/**
|
|
74
|
+
* Resolve the explicit verdict id from `SOLUTION_VERDICT_ID`, or null when it
|
|
75
|
+
* is unset, blank, or not a safe single path segment. Validated through
|
|
76
|
+
* `sanitizeVerdictId` so a traversal-y or empty value fails closed here
|
|
77
|
+
* (returns null -> the gate denies) rather than reaching the marker read. This
|
|
78
|
+
* is the solo / non-agent-tasks fallback the completion-gate uses only when no
|
|
79
|
+
* active-claim is present.
|
|
80
|
+
*/
|
|
81
|
+
export declare function resolveExplicitVerdictId(env?: NodeJS.ProcessEnv): string | null;
|
|
82
|
+
/**
|
|
83
|
+
* Read + validate the verdict marker for `id`, or null when it is absent,
|
|
84
|
+
* unparseable, a symlink, or not a regular file. The lstat + symlink reject
|
|
85
|
+
* mirrors `checkApprovalMarker`: defense-in-depth against a symlink planted
|
|
86
|
+
* at the marker path pointing at agent-controlled content.
|
|
87
|
+
*/
|
|
88
|
+
export declare function readVerdict(dir: string, id: string): Verdict | null;
|
|
89
|
+
export interface GateResult {
|
|
90
|
+
allowed: boolean;
|
|
91
|
+
reason: string;
|
|
92
|
+
verdict: Verdict | null;
|
|
93
|
+
}
|
|
94
|
+
/**
|
|
95
|
+
* Evaluate the gate for `id` at `currentHead`. Mirrors grounding-mcp
|
|
96
|
+
* `evaluateGate` EXACTLY: allow iff `verdict.ready === true` AND
|
|
97
|
+
* `verdict.head === currentHead`. `confidence` is INFORMATIONAL ONLY and
|
|
98
|
+
* never gates — a `ready:true confidence:0` verdict at HEAD passes — so the
|
|
99
|
+
* harness consumer stays byte-parity with the producer's `solution_gate`
|
|
100
|
+
* (an operator running `solution_gate` and the harness gate must agree).
|
|
101
|
+
*/
|
|
102
|
+
export declare function evaluateGate(verdict: Verdict | null, currentHead: string | null, id: string): GateResult;
|
|
103
|
+
/**
|
|
104
|
+
* Is `target` inside `dir` after resolution? Used for the path-tool arm
|
|
105
|
+
* (Write/Edit/MultiEdit/NotebookEdit `file_path`) and for a Bash shell whose
|
|
106
|
+
* cwd is the protected dir. A relative `target` resolves against `cwd`
|
|
107
|
+
* (falling back to process.cwd()).
|
|
108
|
+
*/
|
|
109
|
+
export declare function isInsideDir(target: string, dir: string, cwd?: string): boolean;
|
|
110
|
+
/**
|
|
111
|
+
* Does a Bash command TEXTUALLY reference the verdict dir? Catches the
|
|
112
|
+
* enumerated spellings without shell-evaluating (same contract as
|
|
113
|
+
* read-only-bash):
|
|
114
|
+
* - the literal absolute dir,
|
|
115
|
+
* - the `$SOLUTION_VERDICT_DIR` env token,
|
|
116
|
+
* - the stable tail `agent-grounding/solution-verdicts` (covers `~/...`,
|
|
117
|
+
* `$HOME/...`, `$XDG_STATE_HOME/...`, and absolute spellings), and
|
|
118
|
+
* - the dir's LEAF segment (`solution-verdicts` for the default).
|
|
119
|
+
*
|
|
120
|
+
* The leaf segment closes the `cd <parent> && write <relative-into-dir>`
|
|
121
|
+
* descent (where the parent path and the child redirect never form the
|
|
122
|
+
* contiguous tail): ANY relative write into the dir from a cwd that is not
|
|
123
|
+
* the dir itself must name the leaf somewhere in the command, and a
|
|
124
|
+
* `cd <…/leaf>` to first make cwd==dir would itself contain the leaf. The
|
|
125
|
+
* write-guard's cwd-inside check covers the only remaining case (cwd already
|
|
126
|
+
* inside the dir). The leaf needle is length-guarded so a short custom
|
|
127
|
+
* basename does not over-block; the default leaf is distinctive, and a
|
|
128
|
+
* non-default dir already warns at validate time.
|
|
129
|
+
*
|
|
130
|
+
* `chmod`/`chattr` that target the dir are caught the same way, so the
|
|
131
|
+
* FS-perm-loosening attack is covered.
|
|
132
|
+
*
|
|
133
|
+
* Honest residual: a path constructed at runtime inside an interpreter with
|
|
134
|
+
* no textual reference (e.g. base64-decoded inside `python3 -c`) is NOT
|
|
135
|
+
* caught. That is what marker signing (follow-up) closes.
|
|
136
|
+
*/
|
|
137
|
+
export declare function bashReferencesVerdictDir(command: string, dir: string): boolean;
|
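Review bot: `verdictPathFor` is the only exported function in this declaration file without a doc comment, and its contract matters because it is where `sanitizeVerdictId` must be applied before the segment is joined; a line such as `/** Join dir and the sanitized id; callers must not bypass sanitizeVerdictId. */` would state that. `evaluateGate` documents the `ready && head === currentHead` rule but not what a `null` `currentHead` means (presumably a denial, since a string never equals null); adding `@returns allowed:false when currentHead is null` keeps the producer-parity claim checkable. The `verdictDir` comment puts `SOLUTION_VERDICT_DIR` first by design; it would help to say which process's environment is consulted (the hook's, not the agent's Bash subprocess), since the write-guard described below protects the directory itself, not where the directory is looked up.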