@lannguyensi/harness 0.7.0 → 0.8.0

package/dist/policy-packs/builtin/understanding-before-execution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"understanding-before-execution.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/understanding-before-execution.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,EAAE;AACF,sEAAsE;AACtE,yEAAyE;AACzE,yEAAyE;AACzE,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,yEAAyE;AACzE,sEAAsE;AACtE,oEAAoE;AACpE,wCAAwC;AAGxC,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAM9D,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,mBAAmB,GACpB,MAAM,0BAA0B,CAAC;AAElC,MAAM,CAAC,MAAM,SAAS,GAAG,gCAAgC,CAAC;AAI1D,MAAM,KAAK,GAAoB,CAAC,cAAc,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AAEtE,MAAM,CAAC,MAAM,YAAY,GAAS,UAAU,CAAC;AAE7C,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,6EAA6E;AAC7E,sEAAsE;AACtE,sEAAsE;AACtE,qEAAqE;AACrE,oEAAoE;AACpE,6DAA6D;AAC7D,MAAM,yBAAyB,GAAG,iBAAiB,CAAC;AACpD,MAAM,wBAAwB,GAAG,wBAAwB,CAAC;AAE1D,2EAA2E;AAC3E,sEAAsE;AACtE,sEAAsE;AACtE,sEAAsE;AACtE,+BAA+B;AAC/B,MAAM,6BAA6B,GAAG,gCAAgC,CAAC;AACvE,MAAM,eAAe,GAAG,gCAAgC,CAAC;AACzD,yEAAyE;AACzE,sEAAsE;AACtE,iEAAiE;AACjE,yEAAyE;AACzE,mEAAmE;AACnE,0BAA0B;AAC1B,MAAM,2BAA2B,GAAG,gCAAgC,CAAC;AAErE,qEAAqE;AACrE,wDAAwD;AACxD,EAAE;AACF,yDAAyD;AACzD,kEAAkE;AAClE,8BAA8B;AAC9B,iEAAiE;AACjE,EAAE;AACF,sEAAsE;AACtE,iEAAiE;AACjE,mEAAmE;AACnE,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,MAAM,gCAAgC,GAAG,4CAA4C,CAAC;AACtF,MAAM,kBAAkB,GAAG,8BAA8B,CAAC;AAC1D,MAAM,0BAA0B,GAAG,sCAAsC,CAAC;AAE1E,MAAM,UAAU,MAAM,CAAC,KAAc;IACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAK,KAA2B,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAgB;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,MAAM,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACrD,MAAM,OAAO,GAAG,gBAAgB,IAAI,CAAC,IAAI,qCAAqC,IAAI,CAAC,SAAS,CAC1F,GAAG,CACJ,sBAAsB,YAAY,eAAe,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IACtE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,UAAU,CAAC,OAAgB;IAClC,mEAAmE;IACnE,oEAAoE;IACpE,sEAAsE;IACtE,mEAAmE;IACnE,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,OAAO;YACL;gBACE,IAAI,EAAE,GAAG,gBAAgB,2BAA2B;gBACpD,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,gCAAgC;gBACzC,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,sGAAsG;aACzG;YACD;gBACE,IAAI,EAAE,GAAG,gBAAgB,aAAa;gBACtC,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,kBAAkB;gBAC3B,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,4IAA4I;aAC/I;YACD;gBACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;gBAC9C,KAAK,EAAE,YAAY;gBACnB,KAAK,EAAE,wBAAwB;gBAC/B,OAAO,EAAE,0BAA0B;gBACnC,QAAQ,EAAE,MAAM;gBAChB,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,iLAAiL;aACpL;SACF,CAAC;IACJ,CAAC;IACD,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;YAC9C,KAAK,EAAE,kBAAkB;YACzB,OAAO,EAAE,6BAA6B;YACtC,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,oHAAoH;SACvH;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,OAAO;YAChC,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,sHAAsH;SACzH;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,yBAAyB;YAChC,OAAO,EAAE,2BAA2B;YACpC,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EACT,kMAAkM;SACrM;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAU;IAC9B,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,cAAc;YACjB,OAAO,oIAAoI,CAAC;QAC9I,KAAK,UAAU;YACb,OAAO,wNAAwN,CAAC;QAClO,KAAK,QAAQ;YACX,OAAO,8IAA8I,CAAC;IAC1J,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAgB,EAAE,IAAU,EAAE,OAAgB;IACvE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC,6BAA6B,CAAC;IAC/F,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,eAAe,CAAC;IAC/D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,2BAA2B,CAAC;IACtF,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,UAAU,GAAG,0BAA0B,OAAO;;;CAGrD,CAAC;IACA,MAAM,cAAc,GAAG,GAAG,CAAC;IAC3B,OAAO,kBAAkB,SAAS;;;UAG1B,WAAW;;;;;;;EAOnB,OAAO;;;;EAIP,IAAI;;EAEJ,YAAY,CAAC,IAAI,CAAC;;;;uDAImC,gBAAgB;;sCAEjC,WAAW;;EAE/C,UAAU,GAAG,cAAc,+BAA+B,UAAU;UAC5D,YAAY;;;;;;;;;;;;;;;;;EAiBpB,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;YACT,IAAI;eACD,OAAO;;;;;;CAMrB,CAAC;AACF,CAAC;AAED,SAAS,wBAAwB,CAC/B,IAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,uDAAuD,OAAO,GAAG,qCAAqC;SACzI,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,qDAAqD,IAAI,CAAC,SAAS,CACnG,GAAG,CACJ,cAAc,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,qCAAqC;SACnF,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC1D,OAAO,EAAE,WAAW,EAAE,4BAA4B,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe;IAElC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnE,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,mBAAmB;SAC7B;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEpC,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACrD,IAAI,aAAa,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAChE,MAAM,YAAY,GAAqB,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACxD,IAAI,aAAa,CAAC,WAAW;QAAE,YAAY,CAAC,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC;IAEpF,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;AACpC,CAAC"}

package/dist/policy-packs/expand.d.ts

@@ -0,0 +1,4 @@
+import type { Manifest } from "../schema/index.js";
+import { type Runtime } from "./runtime.js";
+import type { PackExpansionResult } from "./types.js";
+export declare function expandPolicyPacks(manifest: Manifest, runtime?: Runtime): PackExpansionResult;

package/dist/policy-packs/expand.js

@@ -0,0 +1,90 @@
+// Apply-time expansion of `policy_packs[]` entries.
+//
+// Walks the manifest's enabled packs, parses each `source:` string,
+// resolves builtin packs through the registry, and aggregates their
+// contributions (hooks + files). Unrecognised sources or unknown builtin
+// names produce non-fatal warnings here; `harness validate` is the
+// place that turns the same conditions into hard errors so the user
+// sees them at lint time, not silently at apply time.
+//
+// Hook-name collision handling: pack hooks are namespaced
+// (`policy-pack:<name>:<role>`) by the builtin definitions, so a user
+// hook with a colliding name is the user's mistake. We surface that as
+// a warning here rather than blowing up; the schema's duplicate-name
+// superRefine will reject it on the augmented manifest's downstream
+// re-parse if a caller re-validates.
+import { resolveBuiltin } from "./registry.js";
+import { DEFAULT_RUNTIME } from "./runtime.js";
+import { parsePackSource } from "./source.js";
+export function expandPolicyPacks(manifest, runtime = DEFAULT_RUNTIME) {
+    const out = { hooks: [], files: [], warnings: [], skipped: [] };
+    if (manifest.policy_packs.length === 0)
+        return out;
+    const existingHookNames = new Set(manifest.hooks.map((h) => h.name));
+    const seenPackHookNames = new Set();
+    const allowSet = new Set();
+    const askSet = new Set();
+    const denySet = new Set();
+    let anyPermissions = false;
+    for (const pack of manifest.policy_packs) {
+        if (!pack.enabled) {
+            out.skipped.push(pack.name);
+            continue;
+        }
+        const sourceParsed = parsePackSource(pack.source);
+        if (sourceParsed.kind === "unknown") {
+            out.warnings.push(`policy_packs[${pack.name}]: source ${JSON.stringify(pack.source)} is not recognised in v1 (only "builtin" resolves); skipping.`);
+            continue;
+        }
+        const resolved = resolveBuiltin(pack, runtime);
+        if (!resolved) {
+            out.warnings.push(`policy_packs[${pack.name}]: not a known builtin pack; skipping. See docs/policy-packs/ for supported names.`);
+            continue;
+        }
+        out.warnings.push(...resolved.warnings);
+        for (const hook of resolved.contribution.hooks) {
+            if (existingHookNames.has(hook.name)) {
+                out.warnings.push(`policy_packs[${pack.name}]: hook name "${hook.name}" collides with a manifest hooks[] entry; pack contribution dropped to avoid a duplicate-name failure.`);
+                continue;
+            }
+            if (seenPackHookNames.has(hook.name)) {
+                out.warnings.push(`policy_packs[${pack.name}]: hook name "${hook.name}" was already contributed by an earlier pack; second copy dropped.`);
+                continue;
+            }
+            seenPackHookNames.add(hook.name);
+            out.hooks.push(hook);
+        }
+        out.files.push(...resolved.contribution.files);
+        if (resolved.contribution.permissions) {
+            anyPermissions = true;
+            for (const p of resolved.contribution.permissions.allow)
+                allowSet.add(p);
+            for (const p of resolved.contribution.permissions.ask)
+                askSet.add(p);
+            for (const p of resolved.contribution.permissions.deny)
+                denySet.add(p);
+        }
+    }
+    if (anyPermissions) {
+        // Deny wins over ask wins over allow at merge time: a stricter
+        // intent from any pack should not be silently relaxed by a more
+        // permissive sibling. Concretely, a pattern present in deny is
+        // stripped from ask + allow; a pattern present in ask is stripped
+        // from allow.
+        for (const p of denySet) {
+            askSet.delete(p);
+            allowSet.delete(p);
+        }
+        for (const p of askSet) {
+            allowSet.delete(p);
+        }
+        const permissions = {
+            allow: [...allowSet].sort(),
+            ask: [...askSet].sort(),
+            deny: [...denySet].sort(),
+        };
+        out.permissions = permissions;
+    }
+    return out;
+}
+//# sourceMappingURL=expand.js.map

package/dist/policy-packs/expand.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expand.js","sourceRoot":"","sources":["../../src/policy-packs/expand.ts"],"names":[],"mappings":"AAAA,oDAAoD;AACpD,EAAE;AACF,oEAAoE;AACpE,oEAAoE;AACpE,yEAAyE;AACzE,mEAAmE;AACnE,oEAAoE;AACpE,sDAAsD;AACtD,EAAE;AACF,0DAA0D;AAC1D,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,oEAAoE;AACpE,qCAAqC;AAGrC,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,MAAM,UAAU,iBAAiB,CAC/B,QAAkB,EAClB,UAAmB,eAAe;IAElC,MAAM,GAAG,GAAwB,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrF,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAEnD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,SAAS;QACX,CAAC;QACD,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACpC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,aAAa,IAAI,CAAC,SAAS,CAClD,IAAI,CAAC,MAAM,CACZ,+DAA+D,CACjE,CAAC;YACF,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,oFAAoF,CAC9G,CAAC;YACF,SAAS;QACX,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACxC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YAC/C,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,wGAAwG,CAC5J,CAAC;gBACF,SAAS;YACX,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,oEAAoE,CACxH,CAAC;gBACF,SAAS;YACX,CAAC;YACD,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC;YACtC,cAAc,GAAG,IAAI,CAAC;YACtB,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK;gBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI;gBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,+DAA+D;QAC/D,gEAAgE;QAChE,+DAA+D;QAC/D,kEAAkE;QAClE,cAAc;QACd,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACjB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;QACD,MAAM,WAAW,GAAgC;YAC/C,KAAK,EAAE,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,EAAE;YAC3B,GAAG,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE;YACvB,IAAI,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE;SAC1B,CAAC;QACF,GAAG,CAAC,WAAW,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/policy-packs/index.d.ts

@@ -0,0 +1,5 @@
+export { expandPolicyPacks } from "./expand.js";
+export { KNOWN_BUILTIN_PACKS, isBuiltinPackName, resolveBuiltin, type BuiltinPackName, type ResolveBuiltinResult, } from "./registry.js";
+export { KNOWN_RUNTIMES, DEFAULT_RUNTIME, isRuntime, parseRuntime, type Runtime, } from "./runtime.js";
+export { parsePackSource, type PackSourceKind, type PackSourceParseResult } from "./source.js";
+export type { PackContribution, PackContributionFile, PackExpansionResult, } from "./types.js";

package/dist/policy-packs/index.js

@@ -0,0 +1,5 @@
+export { expandPolicyPacks } from "./expand.js";
+export { KNOWN_BUILTIN_PACKS, isBuiltinPackName, resolveBuiltin, } from "./registry.js";
+export { KNOWN_RUNTIMES, DEFAULT_RUNTIME, isRuntime, parseRuntime, } from "./runtime.js";
+export { parsePackSource } from "./source.js";
+//# sourceMappingURL=index.js.map

package/dist/policy-packs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy-packs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,cAAc,GAGf,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,SAAS,EACT,YAAY,GAEb,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,eAAe,EAAmD,MAAM,aAAa,CAAC"}

package/dist/policy-packs/permission-translator.d.ts

@@ -0,0 +1,9 @@
+import type { PermissionActionKey, PermissionProfile } from "../schema/permission-profiles.js";
+export interface SettingsPermissions {
+    allow: string[];
+    ask: string[];
+    deny: string[];
+}
+export declare function profileToSettingsPermissions(profile: PermissionProfile): SettingsPermissions;
+/** Test seam — exposed for unit coverage of the action→pattern map. */
+export declare function _internalPatternMap(): Record<PermissionActionKey, string[]>;

package/dist/policy-packs/permission-translator.js

@@ -0,0 +1,76 @@
+// Phase 6 #5 — translate abstract permission profile actions into
+// Claude Code's settings.json permissions vocabulary.
+//
+// Mapping rules:
+//
+//   Action key  →  tool patterns                                   (matcher style)
+//   ----------     ----------------------------------------------- ----------------
+//   read           ["Read", "Glob", "Grep"]                        bare tool names
+//   edit           ["Edit", "Write", "MultiEdit"]                  bare tool names
+//   bash           ["Bash"]                                        bare tool name
+//   commit         ["Bash(git commit*)"]                           Bash-prefix syntax
+//   push           ["Bash(git push*)"]                             Bash-prefix syntax
+//   pr             ["mcp__agent-tasks__pull_requests_create",      MCP + bare gh
+//                   "Bash(gh pr create*)"]
+//   deploy         ["Bash(kubectl*)", "Bash(terraform destroy*)",  Bash-prefix syntax
+//                   "Bash(npm publish*)"]
+//
+// `allow` enum mapping:
+//
+//   "true"  / true   → permissions.allow
+//   "false" / false  → permissions.deny
+//   "ask"            → permissions.ask
+//   "limited"        → permissions.ask  (v1 fallback — distinct
+//                                        semantics deferred to a
+//                                        Phase 6 #5 follow-up)
+//   "ask_or_deny"    → permissions.ask  (same fallback rationale)
+const ACTION_TO_PATTERNS = {
+    read: ["Read", "Glob", "Grep"],
+    edit: ["Edit", "Write", "MultiEdit"],
+    bash: ["Bash"],
+    commit: ["Bash(git commit*)"],
+    push: ["Bash(git push*)"],
+    pr: ["mcp__agent-tasks__pull_requests_create", "Bash(gh pr create*)"],
+    deploy: ["Bash(kubectl*)", "Bash(terraform destroy*)", "Bash(npm publish*)"],
+};
+function bucketForAllow(value) {
+    switch (value) {
+        case "true":
+            return "allow";
+        case "false":
+            return "deny";
+        case "ask":
+        case "limited":
+        case "ask_or_deny":
+            return "ask";
+    }
+}
+export function profileToSettingsPermissions(profile) {
+    const allow = new Set();
+    const ask = new Set();
+    const deny = new Set();
+    const buckets = {
+        allow,
+        ask,
+        deny,
+    };
+    for (const key of Object.keys(profile.actions)) {
+        const rule = profile.actions[key];
+        if (!rule)
+            continue;
+        const target = bucketForAllow(rule.allow);
+        for (const pattern of ACTION_TO_PATTERNS[key]) {
+            buckets[target].add(pattern);
+        }
+    }
+    return {
+        allow: [...allow].sort(),
+        ask: [...ask].sort(),
+        deny: [...deny].sort(),
+    };
+}
+/** Test seam — exposed for unit coverage of the action→pattern map. */
+export function _internalPatternMap() {
+    return ACTION_TO_PATTERNS;
+}
+//# sourceMappingURL=permission-translator.js.map

package/dist/policy-packs/permission-translator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-translator.js","sourceRoot":"","sources":["../../src/policy-packs/permission-translator.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,sDAAsD;AACtD,EAAE;AACF,iBAAiB;AACjB,EAAE;AACF,mFAAmF;AACnF,oFAAoF;AACpF,mFAAmF;AACnF,mFAAmF;AACnF,kFAAkF;AAClF,sFAAsF;AACtF,sFAAsF;AACtF,iFAAiF;AACjF,2CAA2C;AAC3C,sFAAsF;AACtF,0CAA0C;AAC1C,EAAE;AACF,wBAAwB;AACxB,EAAE;AACF,yCAAyC;AACzC,wCAAwC;AACxC,uCAAuC;AACvC,gEAAgE;AAChE,iEAAiE;AACjE,+DAA+D;AAC/D,kEAAkE;AAclE,MAAM,kBAAkB,GAA0C;IAChE,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;IAC9B,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC;IACpC,IAAI,EAAE,CAAC,MAAM,CAAC;IACd,MAAM,EAAE,CAAC,mBAAmB,CAAC;IAC7B,IAAI,EAAE,CAAC,iBAAiB,CAAC;IACzB,EAAE,EAAE,CAAC,wCAAwC,EAAE,qBAAqB,CAAC;IACrE,MAAM,EAAE,CAAC,gBAAgB,EAAE,0BAA0B,EAAE,oBAAoB,CAAC;CAC7E,CAAC;AAEF,SAAS,cAAc,CAAC,KAAsB;IAC5C,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,KAAK,CAAC;QACX,KAAK,SAAS,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAA0B;IAE1B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,MAAM,OAAO,GAAmD;QAC9D,KAAK;QACL,GAAG;QACH,IAAI;KACL,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAA0B,EAAE,CAAC;QACxE,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1C,KAAK,MAAM,OAAO,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9C,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE;QACxB,GAAG,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE;QACpB,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE;KACvB,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,mBAAmB;IACjC,OAAO,kBAAkB,CAAC;AAC5B,CAAC"}

package/dist/policy-packs/registry.d.ts

@@ -0,0 +1,11 @@
+import type { PolicyPack } from "../schema/index.js";
+import { type Runtime } from "./runtime.js";
+import type { PackContribution } from "./types.js";
+export declare const KNOWN_BUILTIN_PACKS: readonly ["understanding-before-execution"];
+export type BuiltinPackName = (typeof KNOWN_BUILTIN_PACKS)[number];
+export declare function isBuiltinPackName(name: string): name is BuiltinPackName;
+export interface ResolveBuiltinResult {
+    contribution: PackContribution;
+    warnings: string[];
+}
+export declare function resolveBuiltin(pack: PolicyPack, runtime?: Runtime): ResolveBuiltinResult | null;

package/dist/policy-packs/registry.js

@@ -0,0 +1,20 @@
+// Registry of builtin policy-pack names.
+//
+// Phase 6 #2 ships exactly one builtin: `understanding-before-execution`.
+// Future builtins are added here. Non-builtin sources (path/npm/git) are
+// out of scope for v1; their resolution lands in a later sub-task.
+import { PACK_NAME as UNDERSTANDING_BEFORE_EXECUTION, resolve as resolveUnderstandingBeforeExecution, } from "./builtin/understanding-before-execution.js";
+import { DEFAULT_RUNTIME } from "./runtime.js";
+export const KNOWN_BUILTIN_PACKS = [UNDERSTANDING_BEFORE_EXECUTION];
+export function isBuiltinPackName(name) {
+    return KNOWN_BUILTIN_PACKS.includes(name);
+}
+export function resolveBuiltin(pack, runtime = DEFAULT_RUNTIME) {
+    if (!isBuiltinPackName(pack.name))
+        return null;
+    switch (pack.name) {
+        case UNDERSTANDING_BEFORE_EXECUTION:
+            return resolveUnderstandingBeforeExecution(pack, runtime);
+    }
+}
+//# sourceMappingURL=registry.js.map

package/dist/policy-packs/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,mEAAmE;AAGnE,OAAO,EACL,SAAS,IAAI,8BAA8B,EAC3C,OAAO,IAAI,mCAAmC,GAC/C,MAAM,6CAA6C,CAAC;AACrD,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAG7D,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,8BAA8B,CAAU,CAAC;AAG7E,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAQ,mBAAyC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAOD,MAAM,UAAU,cAAc,CAC5B,IAAgB,EAChB,UAAmB,eAAe;IAElC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,QAAQ,IAAI,CAAC,IAAuB,EAAE,CAAC;QACrC,KAAK,8BAA8B;YACjC,OAAO,mCAAmC,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/policy-packs/runtime.d.ts

@@ -0,0 +1,8 @@
+export declare const KNOWN_RUNTIMES: readonly ["claude-code", "codex"];
+export type Runtime = (typeof KNOWN_RUNTIMES)[number];
+export declare const DEFAULT_RUNTIME: Runtime;
+export declare function isRuntime(value: unknown): value is Runtime;
+export declare function parseRuntime(raw: string | undefined): {
+    runtime: Runtime;
+    warning: string | null;
+};

package/dist/policy-packs/runtime.js

@@ -0,0 +1,30 @@
+// Phase 6 #6 — runtime target identifier threaded through policy-pack
+// expansion. Selects which adapter shape a pack emits.
+//
+// `claude-code` (default): hook commands point at the `@lannguyensi/understanding-gate`
+// claude-code bins and the harness PreToolUse blocker. Output of
+// `harness apply` is the Claude Code `settings.json` shape under
+// `harness.generated/settings.json`.
+//
+// `codex`: hook commands point at the harness-shipped Codex adapter
+// subcommands (`harness pack hook codex-*`). Output of `harness apply`
+// is a Codex-flavoured config artefact under
+// `harness.generated/codex/`. Phase 6 #6 ships block + allow for the
+// understanding-before-execution pack; cross-pack and additional
+// runtimes are out of v1 scope.
+export const KNOWN_RUNTIMES = ["claude-code", "codex"];
+export const DEFAULT_RUNTIME = "claude-code";
+export function isRuntime(value) {
+    return typeof value === "string" && KNOWN_RUNTIMES.includes(value);
+}
+export function parseRuntime(raw) {
+    if (raw === undefined)
+        return { runtime: DEFAULT_RUNTIME, warning: null };
+    if (isRuntime(raw))
+        return { runtime: raw, warning: null };
+    return {
+        runtime: DEFAULT_RUNTIME,
+        warning: `unrecognised runtime ${JSON.stringify(raw)}, falling back to "${DEFAULT_RUNTIME}". Allowed: ${KNOWN_RUNTIMES.join(", ")}.`,
+    };
+}
+//# sourceMappingURL=runtime.js.map

package/dist/policy-packs/runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../../src/policy-packs/runtime.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,uDAAuD;AACvD,EAAE;AACF,wFAAwF;AACxF,iEAAiE;AACjE,iEAAiE;AACjE,qCAAqC;AACrC,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,6CAA6C;AAC7C,qEAAqE;AACrE,iEAAiE;AACjE,gCAAgC;AAEhC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,aAAa,EAAE,OAAO,CAAU,CAAC;AAEhE,MAAM,CAAC,MAAM,eAAe,GAAY,aAAa,CAAC;AAEtD,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAK,cAAoC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC5F,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAuB;IAIlD,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC1E,IAAI,SAAS,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3D,OAAO;QACL,OAAO,EAAE,eAAe;QACxB,OAAO,EAAE,wBAAwB,IAAI,CAAC,SAAS,CAC7C,GAAG,CACJ,sBAAsB,eAAe,eAAe,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;KAClF,CAAC;AACJ,CAAC"}

package/dist/policy-packs/source.d.ts

@@ -0,0 +1,6 @@
+export type PackSourceKind = "builtin" | "unknown";
+export interface PackSourceParseResult {
+    kind: PackSourceKind;
+    raw: string;
+}
+export declare function parsePackSource(source: string): PackSourceParseResult;

package/dist/policy-packs/source.js

@@ -0,0 +1,10 @@
+// Pack `source:` strings parse here. v1 only resolves `builtin`; future
+// values (`path:./foo`, `npm:@scope/pack@1.0.0`, `git:https://...`) are
+// reserved for community-authored packs and surface as `kind: "unknown"`
+// today, with the canonical-doc-pointer in the warning.
+export function parsePackSource(source) {
+    if (source === "builtin")
+        return { kind: "builtin", raw: source };
+    return { kind: "unknown", raw: source };
+}
+//# sourceMappingURL=source.js.map

package/dist/policy-packs/source.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"source.js","sourceRoot":"","sources":["../../src/policy-packs/source.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,wEAAwE;AACxE,yEAAyE;AACzE,wDAAwD;AASxD,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;IAClE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AAC1C,CAAC"}

package/dist/policy-packs/types.d.ts

@@ -0,0 +1,41 @@
+import type { Hook } from "../schema/index.js";
+export interface PackContributionFile {
+    /** Relative path under `harness.generated/`, including the policy-packs/ prefix. */
+    relativePath: string;
+    content: string;
+}
+/**
+ * Phase 6 #5 — permissions contributed by a pack's selected
+ * permission profile. Translated downstream into the Claude Code
+ * settings.json `permissions` block.
+ */
+export interface PackPermissionsContribution {
+    allow: string[];
+    ask: string[];
+    deny: string[];
+}
+export interface PackContribution {
+    /** Hooks to merge into the manifest before settings.json generation. */
+    hooks: Hook[];
+    /** Files to write under `harness.generated/`. */
+    files: PackContributionFile[];
+    /** Optional permission contribution (Phase 6 #5). */
+    permissions?: PackPermissionsContribution;
+}
+export interface PackExpansionResult {
+    /** Combined hooks contributed by every enabled, resolvable pack. */
+    hooks: Hook[];
+    /** Combined files contributed by every enabled, resolvable pack. */
+    files: PackContributionFile[];
+    /**
+     * Combined permissions contributed by every enabled, resolvable
+     * pack (set-union per bucket; later contributions cannot relax a
+     * deny from an earlier pack). undefined when no pack contributed
+     * any permission entries.
+     */
+    permissions?: PackPermissionsContribution;
+    /** Non-fatal expansion warnings (e.g. unknown source, unknown name on a non-strict path). */
+    warnings: string[];
+    /** Names of packs that were skipped because `enabled: false`. */
+    skipped: string[];
+}

package/dist/policy-packs/types.js

@@ -0,0 +1,11 @@
+// Shared types for the policy-pack expansion pipeline.
+//
+// A pack contribution is the data a builtin pack produces at apply time:
+// a list of hooks to merge into the in-memory manifest before settings
+// generation, plus a list of files to write under
+// `harness.generated/policy-packs/<name>/`.
+//
+// The `Hook` shape mirrors the manifest's hooks[] entry exactly (so the
+// existing generate-settings projection picks them up unchanged).
+export {};
+//# sourceMappingURL=types.js.map

package/dist/policy-packs/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/policy-packs/types.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,EAAE;AACF,yEAAyE;AACzE,uEAAuE;AACvE,kDAAkD;AAClD,4CAA4C;AAC5C,EAAE;AACF,wEAAwE;AACxE,kEAAkE"}

package/dist/runtime/index.d.ts

@@ -1,3 +1,4 @@
 export { intercept, type ClaudeDenyJson, type InterceptOptions, type InterceptResult, type LedgerClient, type PolicyDecision, type PolicyOutcome, type ToolEvent, } from "./intercept.js";
 export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeLedgerContent, decisionSortKey, type LedgerRecordOptions, type PolicyDecisionPayload, } from "./ledger-record.js";
 export { resolveSessionId } from "./session-id.js";
+export { addLedgerFact, type AddLedgerFactOptions, type AddLedgerFactResult, } from "./ledger-add.js";

package/dist/runtime/index.js

@@ -1,4 +1,5 @@
 export { intercept, } from "./intercept.js";
 export { recordPolicyDecision, payloadFromDecision, encodeLedgerContent, decodeLedgerContent, decisionSortKey, } from "./ledger-record.js";
 export { resolveSessionId } from "./session-id.js";
+export { addLedgerFact, } from "./ledger-add.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAQV,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,GAGhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EACL,aAAa,GAGd,MAAM,iBAAiB,CAAC"}

package/dist/runtime/ledger-add.d.ts

@@ -0,0 +1,16 @@
+export interface AddLedgerFactOptions {
+    mcpCommand: string[];
+    mcpEnv?: Record<string, string>;
+    cwd?: string;
+    timeoutMs?: number;
+    sessionId: string;
+    content: string;
+    source: string;
+}
+export type AddLedgerFactResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+};
+export declare function addLedgerFact(opts: AddLedgerFactOptions): Promise<AddLedgerFactResult>;

package/dist/runtime/ledger-add.js

@@ -0,0 +1,139 @@
+// Phase 6 #4 — generic `ledger_add` writer for harness-side runtime tags.
+//
+// Smaller cousin of `recordPolicyDecision`: writes one fact-typed
+// ledger row via grounding-mcp's `ledger_add` verb, with a caller-
+// supplied content string and source. The pack-side approval flow
+// uses this to write `understanding-approved:${SESSION_ID}` tags.
+//
+// All failure paths resolve to `{ ok: false, reason }` so callers can
+// degrade gracefully rather than throw mid-CLI.
+import { spawn } from "node:child_process";
+import { VERSION } from "../version.js";
+const DEFAULT_TIMEOUT_MS = 5_000;
+export async function addLedgerFact(opts) {
+    if (opts.mcpCommand.length === 0) {
+        return { ok: false, reason: "grounding-mcp command is empty" };
+    }
+    const exe = opts.mcpCommand[0];
+    const args = opts.mcpCommand.slice(1);
+    const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    return new Promise((resolve) => {
+        let settled = false;
+        const settle = (result) => {
+            if (settled)
+                return;
+            settled = true;
+            try {
+                child.kill("SIGTERM");
+            }
+            catch {
+                /* ignore */
+            }
+            resolve(result);
+        };
+        let child;
+        try {
+            child = spawn(exe, args, {
+                cwd: opts.cwd,
+                env: { ...process.env, ...(opts.mcpEnv ?? {}) },
+                stdio: ["pipe", "pipe", "pipe"],
+            });
+        }
+        catch (err) {
+            resolve({ ok: false, reason: `spawn failed: ${err.message}` });
+            return;
+        }
+        let stdoutBuf = "";
+        let stderrBuf = "";
+        child.stdout.setEncoding("utf8");
+        child.stderr.setEncoding("utf8");
+        child.stdout.on("data", (chunk) => {
+            stdoutBuf += chunk;
+            let nl = stdoutBuf.indexOf("\n");
+            while (nl !== -1) {
+                const line = stdoutBuf.slice(0, nl).trim();
+                stdoutBuf = stdoutBuf.slice(nl + 1);
+                if (line) {
+                    try {
+                        const msg = JSON.parse(line);
+                        if (msg.id === 1) {
+                            // Initialize done; send notifications/initialized + add.
+                            try {
+                                child.stdin.write(`${JSON.stringify({
+                                    jsonrpc: "2.0",
+                                    method: "notifications/initialized",
+                                })}\n`);
+                                child.stdin.write(`${JSON.stringify({
+                                    jsonrpc: "2.0",
+                                    id: 2,
+                                    method: "tools/call",
+                                    params: {
+                                        name: "ledger_add",
+                                        arguments: {
+                                            sessionId: opts.sessionId,
+                                            type: "fact",
+                                            content: opts.content,
+                                            source: opts.source,
+                                        },
+                                    },
+                                })}\n`);
+                            }
+                            catch (err) {
+                                settle({ ok: false, reason: `add write failed: ${err.message}` });
+                            }
+                        }
+                        else if (msg.id === 2) {
+                            if (msg.error) {
+                                settle({
+                                    ok: false,
+                                    reason: `ledger_add error: ${msg.error.message ?? "unknown"}`,
+                                });
+                                return;
+                            }
+                            settle({ ok: true });
+                            return;
+                        }
+                    }
+                    catch {
+                        /* ignore non-JSON */
+                    }
+                }
+                nl = stdoutBuf.indexOf("\n");
+            }
+        });
+        child.stderr.on("data", (chunk) => {
+            stderrBuf += chunk;
+        });
+        child.on("error", (err) => {
+            settle({ ok: false, reason: `spawn failed: ${err.message}` });
+        });
+        child.on("exit", () => {
+            const tail = stderrBuf.trim().split("\n").pop()?.trim() || "(no stderr)";
+            settle({ ok: false, reason: `grounding-mcp exited: ${tail}` });
+        });
+        child.stdin.on("error", () => {
+            /* EPIPE handled by exit listener */
+        });
+        try {
+            child.stdin.write(`${JSON.stringify({
+                jsonrpc: "2.0",
+                id: 1,
+                method: "initialize",
+                params: {
+                    protocolVersion: "2024-11-05",
+                    capabilities: {},
+                    clientInfo: { name: "harness-ledger-add", version: VERSION },
+                },
+            })}\n`);
+        }
+        catch (err) {
+            settle({ ok: false, reason: `init write failed: ${err.message}` });
+            return;
+        }
+        const t = setTimeout(() => {
+            settle({ ok: false, reason: `grounding-mcp timeout after ${timeoutMs}ms` });
+        }, timeoutMs);
+        t.unref();
+    });
+}
+//# sourceMappingURL=ledger-add.js.map

package/dist/runtime/ledger-add.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger-add.js","sourceRoot":"","sources":["../../src/runtime/ledger-add.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,EAAE;AACF,kEAAkE;AAClE,mEAAmE;AACnE,kEAAkE;AAClE,kEAAkE;AAClE,EAAE;AACF,sEAAsE;AACtE,gDAAgD;AAEhD,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAExC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAcjC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAA0B;IAE1B,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACjE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAE,CAAC;IAChC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAEvD,OAAO,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,EAAE;QAClD,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,MAA2B,EAAQ,EAAE;YACnD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC;QAEF,IAAI,KAA+B,CAAC;QACpC,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QAED,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,KAAK,CAAC,MAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,CAAC,MAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,SAAS,IAAI,KAAK,CAAC;YACnB,IAAI,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAG1B,CAAC;wBACF,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACjB,yDAAyD;4BACzD,IAAI,CAAC;gCACH,KAAK,CAAC,KAAM,CAAC,KAAK,CAChB,GAAG,IAAI,CAAC,SAAS,CAAC;oCAChB,OAAO,EAAE,KAAK;oCACd,MAAM,EAAE,2BAA2B;iCACpC,CAAC,IAAI,CACP,CAAC;gCACF,KAAK,CAAC,KAAM,CAAC,KAAK,CAChB,GAAG,IAAI,CAAC,SAAS,CAAC;oCAChB,OAAO,EAAE,KAAK;oCACd,EAAE,EAAE,CAAC;oCACL,MAAM,EAAE,YAAY;oCACpB,MAAM,EAAE;wCACN,IAAI,EAAE,YAAY;wCAClB,SAAS,EAAE;4CACT,SAAS,EAAE,IAAI,CAAC,SAAS;4CACzB,IAAI,EAAE,MAAM;4CACZ,OAAO,EAAE,IAAI,CAAC,OAAO;4CACrB,MAAM,EAAE,IAAI,CAAC,MAAM;yCACpB;qCACF;iCACF,CAAC,IAAI,CACP,CAAC;4BACJ,CAAC;4BAAC,OAAO,GAAG,EAAE,CAAC;gCACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAsB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;4BAC/E,CAAC;wBACH,CAAC;6BAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;4BACxB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gCACd,MAAM,CAAC;oCACL,EAAE,EAAE,KAAK;oCACT,MAAM,EAAE,qBAAqB,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,SAAS,EAAE;iCAC9D,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;4BACD,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;4BACrB,OAAO;wBACT,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;gBACD,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,SAAS,IAAI,KAAK,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC;YACzE,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAC5B,oCAAoC;QACtC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,KAAK,CAAC,KAAM,CAAC,KAAK,CAChB,GAAG,IAAI,CAAC,SAAS,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,OAAO,EAAE;iBAC7D;aACF,CAAC,IAAI,CACP,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAuB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,SAAS,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,CAAC,CAAC,KAAK,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}