@lannguyensi/harness 0.35.0 → 0.36.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +22 -0
- package/dist/cli/approve/branch-protection.js +16 -29
- package/dist/cli/approve/branch-protection.js.map +1 -1
- package/dist/cli/approve/risk.js +15 -33
- package/dist/cli/approve/risk.js.map +1 -1
- package/dist/cli/approve/understanding.js +26 -48
- package/dist/cli/approve/understanding.js.map +1 -1
- package/dist/cli/doctor/rogue-ledger.d.ts +28 -0
- package/dist/cli/doctor/rogue-ledger.js +47 -0
- package/dist/cli/doctor/rogue-ledger.js.map +1 -1
- package/dist/cli/index.d.ts +9 -0
- package/dist/cli/index.js +34 -1
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/pack/hook-runtime-reality.d.ts +11 -0
- package/dist/cli/pack/hook-runtime-reality.js +20 -0
- package/dist/cli/pack/hook-runtime-reality.js.map +1 -1
- package/dist/cli/session-export/transcript.js +2 -0
- package/dist/cli/session-export/transcript.js.map +1 -1
- package/dist/policy-packs/builtin/understanding-before-execution-runtime.js +1 -16
- package/dist/policy-packs/builtin/understanding-before-execution-runtime.js.map +1 -1
- package/dist/runtime/read-only-bash.js +122 -14
- package/dist/runtime/read-only-bash.js.map +1 -1
- package/dist/runtime/reject-malformed-session-id.d.ts +8 -0
- package/dist/runtime/reject-malformed-session-id.js +16 -0
- package/dist/runtime/reject-malformed-session-id.js.map +1 -0
- package/dist/runtime/session-id.d.ts +63 -0
- package/dist/runtime/session-id.js +53 -0
- package/dist/runtime/session-id.js.map +1 -1
- package/package.json +1 -1
|
@@ -29,6 +29,15 @@
|
|
|
29
29
|
// this without a separate write-binary deny list (the meta-chars
|
|
30
30
|
// are how a write would be smuggled into a "read-only" command in
|
|
31
31
|
// the first place).
|
|
32
|
+
// - Some bins are not admitted to the simple unconditional allowlist
|
|
33
|
+
// because they can write via their own flags or operands without any
|
|
34
|
+
// shell metacharacter. `find` is the canonical example (guarded by
|
|
35
|
+
// `FIND_WRITE_FLAGS`). `sort`, `tree`, and `file` receive the same
|
|
36
|
+
// per-bin write-flag guard: their read forms are classified read-only
|
|
37
|
+
// when none of their write flags appear in the token list. `uniq`,
|
|
38
|
+
// `date`, and `hostname` are excluded entirely because their write
|
|
39
|
+
// vectors are positional operands or cluster-ambiguous flag chars
|
|
40
|
+
// that cannot be detected cleanly (see `SIMPLE_READ_ONLY_BINS`).
|
|
32
41
|
//
|
|
33
42
|
// This module is the canonical home for the classification within
|
|
34
43
|
// harness. If the @lannguyensi/understanding-gate package adds a
|
|
@@ -38,20 +47,29 @@
|
|
|
38
47
|
* Single-token read-only binaries. Each accepts arguments without
|
|
39
48
|
* changing classification: `ls -la /tmp` is still read-only.
|
|
40
49
|
*
|
|
41
|
-
* Deliberately EXCLUDED
|
|
42
|
-
*
|
|
43
|
-
*
|
|
44
|
-
*
|
|
45
|
-
*
|
|
46
|
-
*
|
|
47
|
-
*
|
|
48
|
-
*
|
|
49
|
-
*
|
|
50
|
-
*
|
|
51
|
-
*
|
|
52
|
-
*
|
|
53
|
-
*
|
|
54
|
-
*
|
|
50
|
+
* Deliberately EXCLUDED because their write vector is not a clean flag:
|
|
51
|
+
*
|
|
52
|
+
* `uniq`: a second positional operand is the output file. Detecting a
|
|
53
|
+
* write requires positional-operand counting, which is out of scope for
|
|
54
|
+
* a token-scan classifier.
|
|
55
|
+
*
|
|
56
|
+
* `date`: `-s` sets the system clock, but the `-s` character appears
|
|
57
|
+
* inside getopt clusters shared with benign flags (`-Iseconds` is parsed
|
|
58
|
+
* by GNU date as `-I FMT=seconds`, not `-I -s econds`). A char-in-
|
|
59
|
+
* cluster check would produce false positives on read-only date forms,
|
|
60
|
+
* and false negatives on combined forms like `-us`.
|
|
61
|
+
*
|
|
62
|
+
* `hostname`: `hostname NAME` sets the hostname via a positional operand,
|
|
63
|
+
* not a flag. Detecting the write requires positional-operand counting.
|
|
64
|
+
*
|
|
65
|
+
* `sort`, `tree`, and `file` are NOT in this set but each gets a per-bin
|
|
66
|
+
* write-flag guard below (like `find`): each has an enumerable set of
|
|
67
|
+
* write/exec flags detectable by scanning tokens without counting
|
|
68
|
+
* positional operands. The guard must cover EVERY write/exec vector, not
|
|
69
|
+
* just output redirection: sort guards `-o` / `--output` (output),
|
|
70
|
+
* `--compress-program` (runs an arbitrary program on spill files), and
|
|
71
|
+
* `-T` / `--temporary-directory` (scratch write); tree guards `-o` /
|
|
72
|
+
* `--output`; file guards `-C` / `--compile`.
|
|
55
73
|
*/
|
|
56
74
|
const SIMPLE_READ_ONLY_BINS = new Set([
|
|
57
75
|
"ls", "cat", "pwd", "which", "type",
|
|
@@ -200,6 +218,72 @@ export function isReadOnlyBashCommand(command) {
|
|
|
200
218
|
return false;
|
|
201
219
|
return classifyTokens(trimmed.split(/\s+/));
|
|
202
220
|
}
|
|
221
|
+
/**
|
|
222
|
+
* Returns true when a token is the output-redirect write flag shared by
|
|
223
|
+
* `sort` and `tree`: `-o` / `--output`. Cluster detection: in a cluster
|
|
224
|
+
* like `-rno`, getopt assigns the cluster remainder (or the next argv
|
|
225
|
+
* token when nothing follows within the cluster) as the output-file
|
|
226
|
+
* path, so any short cluster containing lowercase `o` after the leading
|
|
227
|
+
* dash is a write vector. Conservative: a filename token like `foo.txt`
|
|
228
|
+
* does not start with `-` and is therefore never matched.
|
|
229
|
+
*/
|
|
230
|
+
function isOutputWriteToken(t) {
|
|
231
|
+
if (t === "--output" || t.startsWith("--output="))
|
|
232
|
+
return true;
|
|
233
|
+
// Short flag or cluster: single leading '-' (not '--'), containing
|
|
234
|
+
// lowercase 'o'. Catches -o, -oFILE, -no, -rno, -rnofoo, etc.
|
|
235
|
+
return t.startsWith("-") && !t.startsWith("--") && t.slice(1).includes("o");
|
|
236
|
+
}
|
|
237
|
+
/**
|
|
238
|
+
* Returns true when a token is a write flag for `tree`. tree's only
|
|
239
|
+
* file-writing vector is the output redirect `-o` / `--output`; it has
|
|
240
|
+
* no exec or temp-dir flags, so this delegates to `isOutputWriteToken`.
|
|
241
|
+
*/
|
|
242
|
+
function isTreeWriteToken(t) {
|
|
243
|
+
return isOutputWriteToken(t);
|
|
244
|
+
}
|
|
245
|
+
/**
|
|
246
|
+
* Returns true when a token is a write OR exec flag for `sort`.
|
|
247
|
+
*
|
|
248
|
+
* sort's write surface is larger than output redirection, and the guard
|
|
249
|
+
* MUST enumerate all of it, not just `-o`. An output-only guard silently
|
|
250
|
+
* laundered `--compress-program`, which makes sort spawn an arbitrary
|
|
251
|
+
* program on its spill temp files (an arbitrary-code-execution vector
|
|
252
|
+
* with no shell metacharacter). The vectors:
|
|
253
|
+
* - output: `-o` / `--output` (see `isOutputWriteToken`).
|
|
254
|
+
* - exec: `--compress-program=PROG` runs PROG on spill files.
|
|
255
|
+
* - temp write: `--temporary-directory=DIR` / `-T DIR` writes scratch
|
|
256
|
+
* files to a caller-chosen path.
|
|
257
|
+
* Short `-T` is detected like `-o`: any short cluster containing `o`
|
|
258
|
+
* (output) or uppercase `T` (temp dir) is a write vector. This can
|
|
259
|
+
* over-block a few benign size values (e.g. `-S2T`); over-blocking a
|
|
260
|
+
* read is acceptable, under-blocking a write is not.
|
|
261
|
+
*/
|
|
262
|
+
function isSortWriteToken(t) {
|
|
263
|
+
if (t === "--compress-program" || t.startsWith("--compress-program="))
|
|
264
|
+
return true;
|
|
265
|
+
if (t === "--temporary-directory" || t.startsWith("--temporary-directory="))
|
|
266
|
+
return true;
|
|
267
|
+
if (t === "--output" || t.startsWith("--output="))
|
|
268
|
+
return true;
|
|
269
|
+
// Short flag or cluster: '-' (not '--') containing 'o' (output) or
|
|
270
|
+
// uppercase 'T' (temp dir).
|
|
271
|
+
return t.startsWith("-") && !t.startsWith("--") && /[oT]/.test(t.slice(1));
|
|
272
|
+
}
|
|
273
|
+
/**
|
|
274
|
+
* Returns true when a token is a write flag for `file`.
|
|
275
|
+
* `-C` / `--compile` writes a compiled magic-cache file (`<name>.mgc`).
|
|
276
|
+
* Lowercase `-c` checks the magic file without writing; only uppercase
|
|
277
|
+
* `C` triggers a write. Cluster detection: `-bC`, `-Cb`, and `-bCx`
|
|
278
|
+
* all contain uppercase `C` after the leading dash and are write vectors.
|
|
279
|
+
*/
|
|
280
|
+
function isFileWriteToken(t) {
|
|
281
|
+
if (t === "--compile" || t.startsWith("--compile="))
|
|
282
|
+
return true;
|
|
283
|
+
// Short flag or cluster: single leading '-' (not '--'), containing
|
|
284
|
+
// uppercase 'C'. Lowercase 'c' is intentionally not matched.
|
|
285
|
+
return t.startsWith("-") && !t.startsWith("--") && t.slice(1).includes("C");
|
|
286
|
+
}
|
|
203
287
|
/**
|
|
204
288
|
* Classify an already-tokenized, metachar-cleared argv. Factored out
|
|
205
289
|
* of `isReadOnlyBashCommand` so the command-runner special cases
|
|
@@ -295,6 +379,30 @@ function classifyTokens(tokens) {
|
|
|
295
379
|
if (bin === "find") {
|
|
296
380
|
return !tokens.slice(1).some((t) => FIND_WRITE_FLAGS.has(t));
|
|
297
381
|
}
|
|
382
|
+
// `sort` is read-only ONLY when none of its argv tokens are write or
|
|
383
|
+
// exec flags: `-o`/`--output` (file output), `--compress-program`
|
|
384
|
+
// (runs an arbitrary program on spill files), and
|
|
385
|
+
// `-T`/`--temporary-directory` (scratch write). See `isSortWriteToken`
|
|
386
|
+
// for the exact detection rules and why the enumeration must cover the
|
|
387
|
+
// exec vector, not just output redirection.
|
|
388
|
+
if (bin === "sort") {
|
|
389
|
+
return !tokens.slice(1).some(isSortWriteToken);
|
|
390
|
+
}
|
|
391
|
+
// `tree` is read-only ONLY when none of its argv tokens are output
|
|
392
|
+
// write flags: `-o FILE` / `--output=FILE` / `--output FILE`, or a
|
|
393
|
+
// short-flag cluster containing lowercase `o` (e.g. `-rno`). tree has
|
|
394
|
+
// no exec or temp-dir flags. See `isTreeWriteToken`.
|
|
395
|
+
if (bin === "tree") {
|
|
396
|
+
return !tokens.slice(1).some(isTreeWriteToken);
|
|
397
|
+
}
|
|
398
|
+
// `file` is read-only ONLY when none of its argv tokens are compile
|
|
399
|
+
// flags. `-C` / `--compile` writes a compiled magic-cache file;
|
|
400
|
+
// lowercase `-c` is benign (magic-file check). Any short cluster
|
|
401
|
+
// containing uppercase `C` (e.g. `-bC`) is a write vector. See
|
|
402
|
+
// `isFileWriteToken` for the exact detection rules.
|
|
403
|
+
if (bin === "file") {
|
|
404
|
+
return !tokens.slice(1).some(isFileWriteToken);
|
|
405
|
+
}
|
|
298
406
|
// `<bin> --version` / `<bin> --help` shape. Checked BEFORE the
|
|
299
407
|
// per-binary branches so that `git --version`, `gh --version`,
|
|
300
408
|
// `harness --version` all pass through this shape rather than
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"read-only-bash.js","sourceRoot":"","sources":["../../src/runtime/read-only-bash.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,gEAAgE;AAChE,uEAAuE;AACvE,oEAAoE;AACpE,yDAAyD;AACzD,EAAE;AACF,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,QAAQ;AACR,EAAE;AACF,mBAAmB;AACnB,oEAAoE;AACpE,kEAAkE;AAClE,sEAAsE;AACtE,iEAAiE;AACjE,qEAAqE;AACrE,qEAAqE;AACrE,kEAAkE;AAClE,4DAA4D;AAC5D,sEAAsE;AACtE,mEAAmE;AACnE,sEAAsE;AACtE,mEAAmE;AACnE,oEAAoE;AACpE,sBAAsB;AACtB,EAAE;AACF,kEAAkE;AAClE,iEAAiE;AACjE,qEAAqE;AACrE,yBAAyB;AAEzB
|
|
1
|
+
{"version":3,"file":"read-only-bash.js","sourceRoot":"","sources":["../../src/runtime/read-only-bash.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,gEAAgE;AAChE,uEAAuE;AACvE,oEAAoE;AACpE,yDAAyD;AACzD,EAAE;AACF,qEAAqE;AACrE,sEAAsE;AACtE,sEAAsE;AACtE,oEAAoE;AACpE,qEAAqE;AACrE,mEAAmE;AACnE,QAAQ;AACR,EAAE;AACF,mBAAmB;AACnB,oEAAoE;AACpE,kEAAkE;AAClE,sEAAsE;AACtE,iEAAiE;AACjE,qEAAqE;AACrE,qEAAqE;AACrE,kEAAkE;AAClE,4DAA4D;AAC5D,sEAAsE;AACtE,mEAAmE;AACnE,sEAAsE;AACtE,mEAAmE;AACnE,oEAAoE;AACpE,sBAAsB;AACtB,qEAAqE;AACrE,uEAAuE;AACvE,qEAAqE;AACrE,qEAAqE;AACrE,wEAAwE;AACxE,qEAAqE;AACrE,qEAAqE;AACrE,oEAAoE;AACpE,mEAAmE;AACnE,EAAE;AACF,kEAAkE;AAClE,iEAAiE;AACjE,qEAAqE;AACrE,yBAAyB;AAEzB;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM;IACnC,MAAM,EAAE,IAAI,EAAE,IAAI;IAClB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;IAClC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU;IACxC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK;IACzC,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU;IAC7C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM;IACrC,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK;CAC1B,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,SAAS;IACT,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ;IACpC,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;CAC1C,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,IAAI,EAAE,sBAAsB,EAAE,GAAG,EAAE,IAAI;CACxC,CAAC,CAAC;AACH,mEAAmE;AACnE,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,IAAI,EAAE,SAAS;IACf,IAAI,EAAE,SAAS;CAChB,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,sBAAsB,GAAG,+BAA+B,CAAC;AAE/D;;;;;GAKG;AAEH;;;;;;GAMG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK;IAChD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS;IACrD,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU;IACxD,QAAQ,EAAE,UAAU,EAAE,kBAAkB,EAAE,cAAc;IACxD,UAAU,EAAE,YAAY,EAAE,UAAU;CACrC,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ;CAC3C,CAAC,CAAC;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS;IAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU;CACtC,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IAC1D,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS;IACxD,MAAM,EAAE,QAAQ,EAAE,OAAO;CAC1B,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI;CACxC,CAAC,CAAC;AAEH;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,mEAAmE;IACnE,gEAAgE;IAChE,gEAAgE;IAChE,0DAA0D;IAC1D,gEAAgE;IAChE,kDAAkD;IAClD,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzC,OAAO,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,CAAS;IACnC,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,mEAAmE;IACnE,8DAA8D;IAC9D,OAAO,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC9E,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,CAAS;IACjC,OAAO,kBAAkB,CAAC,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,gBAAgB,CAAC,CAAS;IACjC,IAAI,CAAC,KAAK,oBAAoB,IAAI,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC;QAAE,OAAO,IAAI,CAAC;IACnF,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,CAAC,UAAU,CAAC,wBAAwB,CAAC;QAAE,OAAO,IAAI,CAAC;IACzF,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,mEAAmE;IACnE,4BAA4B;IAC5B,OAAO,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,CAAS;IACjC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,mEAAmE;IACnE,6DAA6D;IAC7D,OAAO,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC9E,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,MAAyB;IAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE5B,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,qEAAqE;IACrE,mEAAmE;IACnE,mEAAmE;IACnE,oEAAoE;IACpE,kEAAkE;IAClE,6DAA6D;IAC7D,iDAAiD;IACjD,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;gBAAE,MAAM;YAC/D,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,UAAU,GAAG,IAAI,CAAC;QACxC,CAAC;QACD,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,UAAU;YAAE,OAAO,IAAI,CAAC;QAC5B,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,iBAAiB;QACtD,OAAO,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,mEAAmE;IACnE,+DAA+D;IAC/D,gEAAgE;IAChE,oEAAoE;IACpE,qEAAqE;IACrE,mCAAmC;IACnC,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YACzB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,KAAK,SAAS;gBAAE,MAAM;YAC3B,iEAAiE;YACjE,kDAAkD;YAClD,IAAI,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAC;YACjD,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,MAAM;YAAC,CAAC;YAClC,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACjD,IAAI,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACnD,gEAAgE;YAChE,yBAAyB;YACzB,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YAChE,4DAA4D;YAC5D,kBAAkB;YAClB,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YAC5C,+DAA+D;YAC/D,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC,IAAI,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACnF,MAAM;QACR,CAAC;QACD,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,gCAAgC;QACrE,OAAO,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,kEAAkE;IAClE,iEAAiE;IACjE,gEAAgE;IAChE,+DAA+D;IAC/D,gEAAgE;IAChE,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,qEAAqE;IACrE,kEAAkE;IAClE,kDAAkD;IAClD,uEAAuE;IACvE,uEAAuE;IACvE,4CAA4C;IAC5C,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;IAED,mEAAmE;IACnE,mEAAmE;IACnE,sEAAsE;IACtE,qDAAqD;IACrD,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;IAED,oEAAoE;IACpE,gEAAgE;IAChE,iEAAiE;IACjE,+DAA+D;IAC/D,oDAAoD;IACpD,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;IAED,+DAA+D;IAC/D,+DAA+D;IAC/D,8DAA8D;IAC9D,2DAA2D;IAC3D,wDAAwD;IACxD,8DAA8D;IAC9D,kEAAkE;IAClE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEtD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACjB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7B,OAAO,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE9D,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Reject sessionIds that would escape their intended namespace via path
|
|
3
|
+
* traversal or directory separators. The value lands in a path.join verbatim;
|
|
4
|
+
* an accidental `..` or `/` would otherwise reach a sibling directory. This is
|
|
5
|
+
* defensive (session ids come from the Claude Code runtime, not direct user
|
|
6
|
+
* input) but pins the trust boundary.
|
|
7
|
+
*/
|
|
8
|
+
export declare function rejectMalformedSessionId(sessionId: string): void;
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Reject sessionIds that would escape their intended namespace via path
|
|
3
|
+
* traversal or directory separators. The value lands in a path.join verbatim;
|
|
4
|
+
* an accidental `..` or `/` would otherwise reach a sibling directory. This is
|
|
5
|
+
* defensive (session ids come from the Claude Code runtime, not direct user
|
|
6
|
+
* input) but pins the trust boundary.
|
|
7
|
+
*/
|
|
8
|
+
export function rejectMalformedSessionId(sessionId) {
|
|
9
|
+
if (sessionId.trim().length === 0) {
|
|
10
|
+
throw new Error("sessionId is empty or blank");
|
|
11
|
+
}
|
|
12
|
+
if (sessionId.includes("/") || sessionId.includes("\\") || sessionId.includes("..")) {
|
|
13
|
+
throw new Error(`sessionId contains path-separator or traversal characters: ${JSON.stringify(sessionId)}`);
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=reject-malformed-session-id.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"reject-malformed-session-id.js","sourceRoot":"","sources":["../../src/runtime/reject-malformed-session-id.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CAAC,SAAiB;IACxD,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,KAAK,CACb,8DAA8D,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC1F,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -48,3 +48,66 @@ export interface ResolveReadSessionOptions extends DiscoverSessionOptions {
|
|
|
48
48
|
* per-hook-event filesystem scan would be wasteful.
|
|
49
49
|
*/
|
|
50
50
|
export declare function resolveReadSessionId(explicit?: string, opts?: ResolveReadSessionOptions): string;
|
|
51
|
+
/** Session-id source for the `harness approve` verbs. */
|
|
52
|
+
export type ApprovalSessionSource = "flag" | "env-claude-code" | "env-claude" | "env-codex" | "pending-approval" | "newest-report";
|
|
53
|
+
export interface ResolveApprovalSessionIdOptions {
|
|
54
|
+
/** Explicit --session flag value. Empty string is treated as absent. */
|
|
55
|
+
session?: string;
|
|
56
|
+
/** Path to the harness.generated/ directory; used to read .pending-approval. */
|
|
57
|
+
generatedDir: string;
|
|
58
|
+
/**
|
|
59
|
+
* Optional 6th-tier callback. When provided and reached, it is called
|
|
60
|
+
* once and should return the session id plus the file path of the
|
|
61
|
+
* freshest qualifying persisted report, or null when none qualifies.
|
|
62
|
+
* Only `approve understanding` supplies this; `approve risk` and
|
|
63
|
+
* `approve branch-protection` omit it (they produce no persisted reports).
|
|
64
|
+
*/
|
|
65
|
+
newestReportFallback?: () => {
|
|
66
|
+
sessionId: string;
|
|
67
|
+
filePath: string;
|
|
68
|
+
} | null;
|
|
69
|
+
/**
|
|
70
|
+
* Test seam: override the .pending-approval reader. Defaults to
|
|
71
|
+
* `readPendingApproval` from pending-approval.ts. Verb-level tests use
|
|
72
|
+
* real tmp directories and do not need this; unit tests for the resolver
|
|
73
|
+
* itself use it to avoid creating directories.
|
|
74
|
+
*/
|
|
75
|
+
readPending?: (dir: string) => string | null;
|
|
76
|
+
}
|
|
77
|
+
export interface ResolveApprovalSessionIdResult {
|
|
78
|
+
/**
|
|
79
|
+
* The resolved session id, or an empty string when no tier matched.
|
|
80
|
+
* Callers MUST check for the empty string and throw a verb-specific
|
|
81
|
+
* error. The empty-string path is intentional: it lets callers produce
|
|
82
|
+
* messages that name their own gate hook, approve subcommand, and
|
|
83
|
+
* recovery steps without the resolver needing to know about them.
|
|
84
|
+
*/
|
|
85
|
+
sessionId: string;
|
|
86
|
+
/**
|
|
87
|
+
* Where the session id came from. When `sessionId` is empty this field
|
|
88
|
+
* is meaningless (callers throw before returning it to the operator).
|
|
89
|
+
*/
|
|
90
|
+
sessionSource: ApprovalSessionSource;
|
|
91
|
+
/**
|
|
92
|
+
* Set only when `sessionSource === "newest-report"`. The absolute path
|
|
93
|
+
* of the persisted report whose `sessionId` field was adopted. Surfaced
|
|
94
|
+
* in the `approve understanding` CLI warning so the operator can verify
|
|
95
|
+
* the report belongs to their live session.
|
|
96
|
+
*/
|
|
97
|
+
newestReportPath?: string;
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Shared session-id resolver for the `harness approve` verbs.
|
|
101
|
+
*
|
|
102
|
+
* Precedence:
|
|
103
|
+
* 1. explicit --session flag
|
|
104
|
+
* 2. $CLAUDE_CODE_SESSION_ID (the var Claude Code exports into the agent shell)
|
|
105
|
+
* 3. $CLAUDE_SESSION_ID (legacy / docs name; kept for older operator recipes)
|
|
106
|
+
* 4. $CODEX_SESSION_ID (set inside a live Codex session)
|
|
107
|
+
* 5. .pending-approval staging file (written by the gate hook or preflight)
|
|
108
|
+
* 6. newestReportFallback() result -- only understanding.ts uses this tier
|
|
109
|
+
*
|
|
110
|
+
* Returns `{ sessionId: "" }` when no tier resolves. The caller is
|
|
111
|
+
* responsible for throwing a verb-specific HarnessExitError in that case.
|
|
112
|
+
*/
|
|
113
|
+
export declare function resolveApprovalSessionId(opts: ResolveApprovalSessionIdOptions): ResolveApprovalSessionIdResult;
|
|
@@ -33,6 +33,7 @@
|
|
|
33
33
|
import * as fs from "node:fs";
|
|
34
34
|
import * as os from "node:os";
|
|
35
35
|
import * as path from "node:path";
|
|
36
|
+
import { readPendingApproval } from "./pending-approval.js";
|
|
36
37
|
const FALLBACK = "default";
|
|
37
38
|
/**
|
|
38
39
|
* Resolve the active grounding session id (WRITE path).
|
|
@@ -137,4 +138,56 @@ export function resolveReadSessionId(explicit, opts = {}) {
|
|
|
137
138
|
return discovered;
|
|
138
139
|
return FALLBACK;
|
|
139
140
|
}
|
|
141
|
+
/**
|
|
142
|
+
* Shared session-id resolver for the `harness approve` verbs.
|
|
143
|
+
*
|
|
144
|
+
* Precedence:
|
|
145
|
+
* 1. explicit --session flag
|
|
146
|
+
* 2. $CLAUDE_CODE_SESSION_ID (the var Claude Code exports into the agent shell)
|
|
147
|
+
* 3. $CLAUDE_SESSION_ID (legacy / docs name; kept for older operator recipes)
|
|
148
|
+
* 4. $CODEX_SESSION_ID (set inside a live Codex session)
|
|
149
|
+
* 5. .pending-approval staging file (written by the gate hook or preflight)
|
|
150
|
+
* 6. newestReportFallback() result -- only understanding.ts uses this tier
|
|
151
|
+
*
|
|
152
|
+
* Returns `{ sessionId: "" }` when no tier resolves. The caller is
|
|
153
|
+
* responsible for throwing a verb-specific HarnessExitError in that case.
|
|
154
|
+
*/
|
|
155
|
+
export function resolveApprovalSessionId(opts) {
|
|
156
|
+
const readPending = opts.readPending ?? readPendingApproval;
|
|
157
|
+
if (typeof opts.session === "string" && opts.session.length > 0) {
|
|
158
|
+
return { sessionId: opts.session, sessionSource: "flag" };
|
|
159
|
+
}
|
|
160
|
+
if (typeof process.env.CLAUDE_CODE_SESSION_ID === "string" &&
|
|
161
|
+
process.env.CLAUDE_CODE_SESSION_ID.length > 0) {
|
|
162
|
+
return {
|
|
163
|
+
sessionId: process.env.CLAUDE_CODE_SESSION_ID,
|
|
164
|
+
sessionSource: "env-claude-code",
|
|
165
|
+
};
|
|
166
|
+
}
|
|
167
|
+
if (typeof process.env.CLAUDE_SESSION_ID === "string" &&
|
|
168
|
+
process.env.CLAUDE_SESSION_ID.length > 0) {
|
|
169
|
+
return { sessionId: process.env.CLAUDE_SESSION_ID, sessionSource: "env-claude" };
|
|
170
|
+
}
|
|
171
|
+
if (typeof process.env.CODEX_SESSION_ID === "string" &&
|
|
172
|
+
process.env.CODEX_SESSION_ID.length > 0) {
|
|
173
|
+
return { sessionId: process.env.CODEX_SESSION_ID, sessionSource: "env-codex" };
|
|
174
|
+
}
|
|
175
|
+
const staged = readPending(opts.generatedDir);
|
|
176
|
+
if (staged !== null) {
|
|
177
|
+
return { sessionId: staged, sessionSource: "pending-approval" };
|
|
178
|
+
}
|
|
179
|
+
if (opts.newestReportFallback !== undefined) {
|
|
180
|
+
const newest = opts.newestReportFallback();
|
|
181
|
+
if (newest !== null) {
|
|
182
|
+
return {
|
|
183
|
+
sessionId: newest.sessionId,
|
|
184
|
+
sessionSource: "newest-report",
|
|
185
|
+
newestReportPath: newest.filePath,
|
|
186
|
+
};
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
// Nothing resolved. Callers check sessionId === "" and throw their own
|
|
190
|
+
// verb-specific error messages.
|
|
191
|
+
return { sessionId: "", sessionSource: "flag" };
|
|
192
|
+
}
|
|
140
193
|
//# sourceMappingURL=session-id.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/runtime/session-id.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,uEAAuE;AACvE,iEAAiE;AACjE,qEAAqE;AACrE,8DAA8D;AAC9D,wEAAwE;AACxE,iEAAiE;AACjE,oEAAoE;AACpE,aAAa;AACb,EAAE;AACF,uEAAuE;AACvE,mEAAmE;AACnE,sBAAsB;AACtB,yDAAyD;AACzD,4EAA4E;AAC5E,kDAAkD;AAClD,2BAA2B;AAC3B,EAAE;AACF,oEAAoE;AACpE,mEAAmE;AACnE,uEAAuE;AACvE,wEAAwE;AACxE,mEAAmE;AACnE,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,sCAAsC;AACtC,EAAE;AACF,4EAA4E;AAC5E,+DAA+D;AAC/D,uEAAuE;AAEvE,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"session-id.js","sourceRoot":"","sources":["../../src/runtime/session-id.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,uEAAuE;AACvE,iEAAiE;AACjE,qEAAqE;AACrE,8DAA8D;AAC9D,wEAAwE;AACxE,iEAAiE;AACjE,oEAAoE;AACpE,aAAa;AACb,EAAE;AACF,uEAAuE;AACvE,mEAAmE;AACnE,sBAAsB;AACtB,yDAAyD;AACzD,4EAA4E;AAC5E,kDAAkD;AAClD,2BAA2B;AAC3B,EAAE;AACF,oEAAoE;AACpE,mEAAmE;AACnE,uEAAuE;AACvE,wEAAwE;AACxE,mEAAmE;AACnE,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,sCAAsC;AACtC,EAAE;AACF,4EAA4E;AAC5E,+DAA+D;AAC/D,uEAAuE;AAEvE,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,QAAQ,GAAG,SAAS,CAAC;AAE3B;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAiB;IAChD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IACnD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1D,OAAO,QAAQ,CAAC;AAClB,CAAC;AASD,uEAAuE;AACvE,yEAAyE;AACzE,MAAM,qBAAqB,GACzB,0EAA0E,CAAC;AAE7E;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAA+B,EAAE;IAEjC,MAAM,YAAY,GAChB,IAAI,CAAC,YAAY;QACjB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACjE,IAAI,WAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,WAAW,GAAG,EAAE,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,GAA2C,IAAI,CAAC;IAC1D,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;QACjD,IAAI,KAAe,CAAC;QACpB,IAAI,CAAC;YACH,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,wCAAwC;QACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;YAC9D,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;gBAChD,MAAM,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;AAC5C,CAAC;AAWD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAiB,EACjB,OAAkC,EAAE;IAEpC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IACnD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IAC1D,MAAM,UAAU,GAAG,QAAQ,CAAC;QAC1B,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;QAC3E,GAAG,CAAC,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;KAC7D,CAAC,CAAC;IACH,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAC/E,OAAO,QAAQ,CAAC;AAClB,CAAC;AAqED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,wBAAwB,CACtC,IAAqC;IAErC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAE5D,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;IAC5D,CAAC;IACD,IACE,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,QAAQ;QACtD,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,MAAM,GAAG,CAAC,EAC7C,CAAC;QACD,OAAO;YACL,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;YAC7C,aAAa,EAAE,iBAAiB;SACjC,CAAC;IACJ,CAAC;IACD,IACE,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,QAAQ;QACjD,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EACxC,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;IACnF,CAAC;IACD,IACE,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,QAAQ;QAChD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EACvC,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC;IACjF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,kBAAkB,EAAE,CAAC;IAClE,CAAC;IAED,IAAI,IAAI,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC3C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO;gBACL,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,aAAa,EAAE,eAAe;gBAC9B,gBAAgB,EAAE,MAAM,CAAC,QAAQ;aAClC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,gCAAgC;IAChC,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;AAClD,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@lannguyensi/harness",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.36.0",
|
|
4
4
|
"description": "Declarative control plane for agent harnesses — one YAML for grounding, tools, memory, and hooks.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"homepage": "https://github.com/LanNguyenSi/harness",
|