@mc1global/opencode-jarvis 0.1.0

package/dist/domain/environment/value-objects.d.ts

@@ -0,0 +1,127 @@
+/**
+ * Environment Management - Value Objects
+ *
+ * Immutable value objects for the environment bounded context.
+ * Environments are isolated containerized workspaces powered by container-use.
+ * The plugin tracks metadata; the agent invokes container-use MCP tools directly.
+ *
+ * DDD: Value Objects (no identity, compared by value)
+ * SOLID: SRP - value definitions and validation only
+ */
+import { EntityId, Timestamp } from "../shared/value-objects.js";
+/**
+ * Unique identifier for an environment.
+ * Format: ENV-{NNN} (sequential, zero-padded).
+ */
+export declare class EnvironmentId extends EntityId {
+    private constructor();
+    static create(sequence: number): EnvironmentId;
+    static from(value: string): EnvironmentId;
+    get sequence(): number;
+}
+/**
+ * Container-use environment name (e.g., "fancy-mallard").
+ * This is the name assigned by container-use when creating an environment.
+ * Validated: non-empty, lowercase with hyphens.
+ */
+export declare class EnvironmentName {
+    readonly value: string;
+    private constructor();
+    static create(name: string): EnvironmentName;
+    static from(value: string): EnvironmentName;
+    /** Derives the git branch name used by container-use: cu-{name} */
+    toBranchName(): string;
+    equals(other: EnvironmentName): boolean;
+    toString(): string;
+}
+/**
+ * Lifecycle status of an environment.
+ *
+ * State machine:
+ *   creating -> active (environment ready), failed (creation error)
+ *   active -> merging (merge requested), deleting (cleanup)
+ *   merging -> merged (success), active (merge conflict, needs resolution)
+ *   merged -> deleting (cleanup), (terminal - can stay for audit)
+ *   deleting -> deleted (success)
+ *   failed -> deleting (cleanup)
+ *   deleted -> (terminal)
+ */
+export declare const ENVIRONMENT_STATUSES: readonly ["creating", "active", "merging", "merged", "deleting", "deleted", "failed"];
+export type EnvironmentStatus = (typeof ENVIRONMENT_STATUSES)[number];
+export declare function isValidEnvironmentStatus(value: string): value is EnvironmentStatus;
+/** Valid environment status transitions. */
+export declare const ENVIRONMENT_TRANSITIONS: Record<EnvironmentStatus, readonly EnvironmentStatus[]>;
+/**
+ * Checks if a status transition is valid.
+ */
+export declare function isValidTransition(from: EnvironmentStatus, to: EnvironmentStatus): boolean;
+/**
+ * How environment changes should be merged back to the main branch.
+ */
+export declare const MERGE_STRATEGIES: readonly ["merge-commit", "squash", "rebase"];
+export type MergeStrategy = (typeof MERGE_STRATEGIES)[number];
+export declare function isValidMergeStrategy(value: string): value is MergeStrategy;
+/**
+ * Configuration for the container-use environment.
+ * Mirrors the config structure in .container-use/environment.json.
+ * All fields optional — container-use provides sensible defaults.
+ */
+export interface ContainerConfig {
+    readonly baseImage: string | undefined;
+    readonly setupCommands: readonly string[];
+    readonly installCommands: readonly string[];
+    readonly envVars: Readonly<Record<string, string>>;
+}
+/**
+ * Creates a validated ContainerConfig.
+ * Provides sensible defaults for empty values.
+ */
+export declare function createContainerConfig(params?: {
+    readonly baseImage?: string;
+    readonly setupCommands?: readonly string[];
+    readonly installCommands?: readonly string[];
+    readonly envVars?: Readonly<Record<string, string>>;
+}): ContainerConfig;
+/** Serializes a ContainerConfig to JSON string. */
+export declare function containerConfigToJSON(config: ContainerConfig): string;
+/** Deserializes a ContainerConfig from JSON string. */
+export declare function containerConfigFromJSON(json: string): ContainerConfig;
+/**
+ * Classification of what the environment is being used for.
+ * Helps with prioritization and resource management.
+ */
+export declare const ENVIRONMENT_PURPOSES: readonly ["feature", "bugfix", "experiment", "refactor", "spike", "hotfix"];
+export type EnvironmentPurpose = (typeof ENVIRONMENT_PURPOSES)[number];
+export declare function isValidEnvironmentPurpose(value: string): value is EnvironmentPurpose;
+/**
+ * Data required to create a new environment.
+ * Provided by the agent when requesting env-create.
+ */
+export interface EnvironmentCreationData {
+    readonly id: EnvironmentId;
+    readonly name: EnvironmentName;
+    readonly cardId: string | undefined;
+    readonly purpose: EnvironmentPurpose;
+    readonly description: string;
+    readonly containerConfig: ContainerConfig;
+    readonly mergeStrategy: MergeStrategy;
+}
+/**
+ * Data required to reconstitute an Environment from persistence.
+ */
+export interface EnvironmentData {
+    readonly id: EnvironmentId;
+    readonly name: EnvironmentName;
+    readonly cardId: string | undefined;
+    readonly purpose: EnvironmentPurpose;
+    readonly description: string;
+    readonly status: EnvironmentStatus;
+    readonly containerConfig: ContainerConfig;
+    readonly mergeStrategy: MergeStrategy;
+    readonly mergeCommitSha: string | undefined;
+    readonly errorMessage: string | undefined;
+    readonly metadata: Record<string, unknown>;
+    readonly createdAt: Timestamp;
+    readonly updatedAt: Timestamp;
+}
+//# sourceMappingURL=value-objects.d.ts.map

package/dist/domain/environment/value-objects.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"value-objects.d.ts","sourceRoot":"","sources":["../../../src/domain/environment/value-objects.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAIjE;;;GAGG;AACH,qBAAa,aAAc,SAAQ,QAAQ;IACzC,OAAO;IAIP,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa;IAO9C,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa;IAIzC,IAAI,QAAQ,IAAI,MAAM,CAGrB;CACF;AAID;;;;GAIG;AACH,qBAAa,eAAe;aACU,KAAK,EAAE,MAAM;IAAjD,OAAO;IAEP,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;IAa5C,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe;IAI3C,mEAAmE;IACnE,YAAY,IAAI,MAAM;IAItB,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO;IAIvC,QAAQ,IAAI,MAAM;CAGnB;AAID;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,oBAAoB,uFAQvB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEtE,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,GACZ,KAAK,IAAI,iBAAiB,CAE5B;AAED,4CAA4C;AAC5C,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,iBAAiB,EACjB,SAAS,iBAAiB,EAAE,CAS7B,CAAC;AAEF;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,iBAAiB,EACvB,EAAE,EAAE,iBAAiB,GACpB,OAAO,CAGT;AAID;;GAEG;AACH,eAAO,MAAM,gBAAgB,+CAAgD,CAAC;AAE9E,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE9D,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,aAAa,CAE1E;AAID;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IACvC,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACpD;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,CAAC,EAAE;IAC7C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,QAAQ,CAAC,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC7C,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACrD,GAAG,eAAe,CAOlB;AAED,mDAAmD;AACnD,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAOrE;AAED,uDAAuD;AACvD,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAoBrE;AAID;;;GAGG;AACH,eAAO,MAAM,oBAAoB,6EAOvB,CAAC;AAEX,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEvE,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,MAAM,GACZ,KAAK,IAAI,kBAAkB,CAE7B;AAID;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,EAAE,EAAE,aAAa,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,EAAE,aAAa,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,EAAE,iBAAiB,CAAC;IACnC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5C,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3C,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;CAC/B"}

package/dist/domain/environment/value-objects.js

@@ -0,0 +1,179 @@
+/**
+ * Environment Management - Value Objects
+ *
+ * Immutable value objects for the environment bounded context.
+ * Environments are isolated containerized workspaces powered by container-use.
+ * The plugin tracks metadata; the agent invokes container-use MCP tools directly.
+ *
+ * DDD: Value Objects (no identity, compared by value)
+ * SOLID: SRP - value definitions and validation only
+ */
+import { EntityId, Timestamp } from "../shared/value-objects.js";
+// ── Environment Id ───────────────────────────────────────────────────
+/**
+ * Unique identifier for an environment.
+ * Format: ENV-{NNN} (sequential, zero-padded).
+ */
+export class EnvironmentId extends EntityId {
+    constructor(value) {
+        super(value);
+    }
+    static create(sequence) {
+        if (!Number.isInteger(sequence) || sequence <= 0) {
+            throw new Error("EnvironmentId: sequence must be a positive integer");
+        }
+        return new EnvironmentId(`ENV-${String(sequence).padStart(3, "0")}`);
+    }
+    static from(value) {
+        return new EnvironmentId(value);
+    }
+    get sequence() {
+        const parts = this.value.split("-");
+        return Number(parts[1] ?? 0);
+    }
+}
+// ── Environment Name ─────────────────────────────────────────────────
+/**
+ * Container-use environment name (e.g., "fancy-mallard").
+ * This is the name assigned by container-use when creating an environment.
+ * Validated: non-empty, lowercase with hyphens.
+ */
+export class EnvironmentName {
+    value;
+    constructor(value) {
+        this.value = value;
+    }
+    static create(name) {
+        const trimmed = name.trim().toLowerCase();
+        if (trimmed.length === 0) {
+            throw new Error("EnvironmentName: name cannot be empty");
+        }
+        if (!/^[a-z][a-z0-9-]*$/.test(trimmed)) {
+            throw new Error(`EnvironmentName: invalid format "${trimmed}" (must be lowercase alphanumeric with hyphens)`);
+        }
+        return new EnvironmentName(trimmed);
+    }
+    static from(value) {
+        return new EnvironmentName(value);
+    }
+    /** Derives the git branch name used by container-use: cu-{name} */
+    toBranchName() {
+        return `cu-${this.value}`;
+    }
+    equals(other) {
+        return this.value === other.value;
+    }
+    toString() {
+        return this.value;
+    }
+}
+// ── Environment Status ───────────────────────────────────────────────
+/**
+ * Lifecycle status of an environment.
+ *
+ * State machine:
+ *   creating -> active (environment ready), failed (creation error)
+ *   active -> merging (merge requested), deleting (cleanup)
+ *   merging -> merged (success), active (merge conflict, needs resolution)
+ *   merged -> deleting (cleanup), (terminal - can stay for audit)
+ *   deleting -> deleted (success)
+ *   failed -> deleting (cleanup)
+ *   deleted -> (terminal)
+ */
+export const ENVIRONMENT_STATUSES = [
+    "creating",
+    "active",
+    "merging",
+    "merged",
+    "deleting",
+    "deleted",
+    "failed",
+];
+export function isValidEnvironmentStatus(value) {
+    return ENVIRONMENT_STATUSES.includes(value);
+}
+/** Valid environment status transitions. */
+export const ENVIRONMENT_TRANSITIONS = {
+    creating: ["active", "failed"],
+    active: ["merging", "deleting"],
+    merging: ["merged", "active"],
+    merged: ["deleting"],
+    deleting: ["deleted"],
+    deleted: [],
+    failed: ["deleting"],
+};
+/**
+ * Checks if a status transition is valid.
+ */
+export function isValidTransition(from, to) {
+    const allowed = ENVIRONMENT_TRANSITIONS[from];
+    return allowed.includes(to);
+}
+// ── Merge Strategy ───────────────────────────────────────────────────
+/**
+ * How environment changes should be merged back to the main branch.
+ */
+export const MERGE_STRATEGIES = ["merge-commit", "squash", "rebase"];
+export function isValidMergeStrategy(value) {
+    return MERGE_STRATEGIES.includes(value);
+}
+/**
+ * Creates a validated ContainerConfig.
+ * Provides sensible defaults for empty values.
+ */
+export function createContainerConfig(params) {
+    return {
+        baseImage: params?.baseImage?.trim() || undefined,
+        setupCommands: params?.setupCommands ?? [],
+        installCommands: params?.installCommands ?? [],
+        envVars: params?.envVars ?? {},
+    };
+}
+/** Serializes a ContainerConfig to JSON string. */
+export function containerConfigToJSON(config) {
+    return JSON.stringify({
+        ...(config.baseImage !== undefined ? { baseImage: config.baseImage } : {}),
+        setupCommands: config.setupCommands,
+        installCommands: config.installCommands,
+        envVars: config.envVars,
+    });
+}
+/** Deserializes a ContainerConfig from JSON string. */
+export function containerConfigFromJSON(json) {
+    const parsed = JSON.parse(json);
+    if (typeof parsed !== "object" || parsed === null) {
+        throw new Error("ContainerConfig: expected JSON object");
+    }
+    const obj = parsed;
+    return createContainerConfig({
+        ...(typeof obj["baseImage"] === "string"
+            ? { baseImage: obj["baseImage"] }
+            : {}),
+        ...(Array.isArray(obj["setupCommands"])
+            ? { setupCommands: obj["setupCommands"] }
+            : {}),
+        ...(Array.isArray(obj["installCommands"])
+            ? { installCommands: obj["installCommands"] }
+            : {}),
+        ...(typeof obj["envVars"] === "object" && obj["envVars"] !== null
+            ? { envVars: obj["envVars"] }
+            : {}),
+    });
+}
+// ── Environment Purpose ──────────────────────────────────────────────
+/**
+ * Classification of what the environment is being used for.
+ * Helps with prioritization and resource management.
+ */
+export const ENVIRONMENT_PURPOSES = [
+    "feature",
+    "bugfix",
+    "experiment",
+    "refactor",
+    "spike",
+    "hotfix",
+];
+export function isValidEnvironmentPurpose(value) {
+    return ENVIRONMENT_PURPOSES.includes(value);
+}
+//# sourceMappingURL=value-objects.js.map

package/dist/domain/environment/value-objects.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"value-objects.js","sourceRoot":"","sources":["../../../src/domain/environment/value-objects.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAEjE,wEAAwE;AAExE;;;GAGG;AACH,MAAM,OAAO,aAAc,SAAQ,QAAQ;IACzC,YAAoB,KAAa;QAC/B,KAAK,CAAC,KAAK,CAAC,CAAC;IACf,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,QAAgB;QAC5B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAa;QACvB,OAAO,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,QAAQ;QACV,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/B,CAAC;CACF;AAED,wEAAwE;AAExE;;;;GAIG;AACH,MAAM,OAAO,eAAe;IACU;IAApC,YAAoC,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAErD,MAAM,CAAC,MAAM,CAAC,IAAY;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,oCAAoC,OAAO,iDAAiD,CAC7F,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAa;QACvB,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,mEAAmE;IACnE,YAAY;QACV,OAAO,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,KAAsB;QAC3B,OAAO,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,CAAC;IACpC,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;CACF;AAED,wEAAwE;AAExE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,UAAU;IACV,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,UAAU;IACV,SAAS;IACT,QAAQ;CACA,CAAC;AAIX,MAAM,UAAU,wBAAwB,CACtC,KAAa;IAEb,OAAO,oBAAoB,CAAC,QAAQ,CAAC,KAA0B,CAAC,CAAC;AACnE,CAAC;AAED,4CAA4C;AAC5C,MAAM,CAAC,MAAM,uBAAuB,GAGhC;IACF,QAAQ,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC9B,MAAM,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC;IAC/B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC7B,MAAM,EAAE,CAAC,UAAU,CAAC;IACpB,QAAQ,EAAE,CAAC,SAAS,CAAC;IACrB,OAAO,EAAE,EAAE;IACX,MAAM,EAAE,CAAC,UAAU,CAAC;CACrB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAuB,EACvB,EAAqB;IAErB,MAAM,OAAO,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAC9C,OAAO,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED,wEAAwE;AAExE;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,cAAc,EAAE,QAAQ,EAAE,QAAQ,CAAU,CAAC;AAI9E,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,OAAO,gBAAgB,CAAC,QAAQ,CAAC,KAAsB,CAAC,CAAC;AAC3D,CAAC;AAgBD;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAKrC;IACC,OAAO;QACL,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,SAAS;QACjD,aAAa,EAAE,MAAM,EAAE,aAAa,IAAI,EAAE;QAC1C,eAAe,EAAE,MAAM,EAAE,eAAe,IAAI,EAAE;QAC9C,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,EAAE;KAC/B,CAAC;AACJ,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,qBAAqB,CAAC,MAAuB;IAC3D,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,GAAG,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC;AACL,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,GAAG,GAAG,MAAiC,CAAC;IAC9C,OAAO,qBAAqB,CAAC;QAC3B,GAAG,CAAC,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,QAAQ;YACtC,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,WAAW,CAAC,EAAE;YACjC,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YACrC,CAAC,CAAC,EAAE,aAAa,EAAE,GAAG,CAAC,eAAe,CAAa,EAAE;YACrD,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YACvC,CAAC,CAAC,EAAE,eAAe,EAAE,GAAG,CAAC,iBAAiB,CAAa,EAAE;YACzD,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,OAAO,GAAG,CAAC,SAAS,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI;YAC/D,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,SAAS,CAA2B,EAAE;YACvD,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAC;AACL,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,SAAS;IACT,QAAQ;IACR,YAAY;IACZ,UAAU;IACV,OAAO;IACP,QAAQ;CACA,CAAC;AAIX,MAAM,UAAU,yBAAyB,CACvC,KAAa;IAEb,OAAO,oBAAoB,CAAC,QAAQ,CAAC,KAA2B,CAAC,CAAC;AACpE,CAAC"}

package/dist/domain/governance/policies.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Governance Policies
+ *
+ * Defines the rules that govern tool execution at runtime.
+ * Policies are pure data + predicates with zero external dependencies.
+ *
+ * Three categories:
+ * 1. File access policies - block direct reads of data files
+ * 2. Shell command policies - block dangerous bash commands
+ * 3. Workflow policies - enforce kanban pipeline rules
+ *
+ * DDD: Value Objects (immutable policy rules)
+ * SOLID: OCP - new policies can be added without modifying existing ones
+ * SOLID: SRP - policy definition only (enforcement in services.ts)
+ */
+/** Severity of a governance violation. */
+export declare enum ViolationSeverity {
+    /** Blocks the operation entirely. */
+    Error = "error",
+    /** Allows the operation but logs a warning. */
+    Warning = "warning"
+}
+/** A single governance violation result. */
+export interface Violation {
+    readonly rule: string;
+    readonly message: string;
+    readonly severity: ViolationSeverity;
+}
+/** Context for evaluating a policy against a tool invocation. */
+export interface ToolInvocationContext {
+    readonly toolName: string;
+    readonly args: Record<string, unknown>;
+}
+/** A policy rule that can be evaluated against a tool invocation. */
+export interface PolicyRule {
+    readonly id: string;
+    readonly description: string;
+    readonly evaluate: (ctx: ToolInvocationContext) => Violation | null;
+}
+/** All built-in governance policies. */
+export declare const DEFAULT_POLICIES: readonly PolicyRule[];
+//# sourceMappingURL=policies.d.ts.map

package/dist/domain/governance/policies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../../../src/domain/governance/policies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,0CAA0C;AAC1C,oBAAY,iBAAiB;IAC3B,qCAAqC;IACrC,KAAK,UAAU;IACf,+CAA+C;IAC/C,OAAO,YAAY;CACpB;AAED,4CAA4C;AAC5C,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC;CACtC;AAED,iEAAiE;AACjE,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED,qEAAqE;AACrE,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,qBAAqB,KAAK,SAAS,GAAG,IAAI,CAAC;CACrE;AAuRD,wCAAwC;AACxC,eAAO,MAAM,gBAAgB,EAAE,SAAS,UAAU,EAcjD,CAAC"}

package/dist/domain/governance/policies.js

@@ -0,0 +1,304 @@
+/**
+ * Governance Policies
+ *
+ * Defines the rules that govern tool execution at runtime.
+ * Policies are pure data + predicates with zero external dependencies.
+ *
+ * Three categories:
+ * 1. File access policies - block direct reads of data files
+ * 2. Shell command policies - block dangerous bash commands
+ * 3. Workflow policies - enforce kanban pipeline rules
+ *
+ * DDD: Value Objects (immutable policy rules)
+ * SOLID: OCP - new policies can be added without modifying existing ones
+ * SOLID: SRP - policy definition only (enforcement in services.ts)
+ */
+/** Severity of a governance violation. */
+export var ViolationSeverity;
+(function (ViolationSeverity) {
+    /** Blocks the operation entirely. */
+    ViolationSeverity["Error"] = "error";
+    /** Allows the operation but logs a warning. */
+    ViolationSeverity["Warning"] = "warning";
+})(ViolationSeverity || (ViolationSeverity = {}));
+// ── File Access Policies ──────────────────────────────────────────────
+function getFilePath(args) {
+    const fp = args["filePath"] ?? args["file_path"] ?? args["path"];
+    return typeof fp === "string" ? fp.toLowerCase() : null;
+}
+const blockCsvDirectRead = {
+    id: "file.block-csv-read",
+    description: "Block direct reading of CSV files; use csv-query tool instead",
+    evaluate(ctx) {
+        if (ctx.toolName !== "read")
+            return null;
+        const path = getFilePath(ctx.args);
+        if (path !== null && path.endsWith(".csv")) {
+            return {
+                rule: this.id,
+                message: "Use the csv-query tool instead of reading CSV files directly",
+                severity: ViolationSeverity.Error,
+            };
+        }
+        return null;
+    },
+};
+const blockYamlDirectRead = {
+    id: "file.block-yaml-read",
+    description: "Block direct reading of YAML files; use yaml-get tool instead",
+    evaluate(ctx) {
+        if (ctx.toolName !== "read")
+            return null;
+        const path = getFilePath(ctx.args);
+        if (path !== null && (path.endsWith(".yaml") || path.endsWith(".yml"))) {
+            return {
+                rule: this.id,
+                message: "Use the yaml-get tool instead of reading YAML files directly",
+                severity: ViolationSeverity.Error,
+            };
+        }
+        return null;
+    },
+};
+const blockEnvFileRead = {
+    id: "file.block-env-read",
+    description: "Block direct reading of .env files",
+    evaluate(ctx) {
+        if (ctx.toolName !== "read")
+            return null;
+        const path = getFilePath(ctx.args);
+        if (path !== null && (path.endsWith(".env") || path.includes(".env."))) {
+            return {
+                rule: this.id,
+                message: "Never read .env files directly -- they may contain secrets",
+                severity: ViolationSeverity.Error,
+            };
+        }
+        return null;
+    },
+};
+// ── Shell Command Policies ────────────────────────────────────────────
+function getCommand(args) {
+    const cmd = args["command"];
+    return typeof cmd === "string" ? cmd.toLowerCase() : null;
+}
+const blockForcePush = {
+    id: "shell.block-force-push",
+    description: "Block git force push operations",
+    evaluate(ctx) {
+        if (ctx.toolName !== "bash")
+            return null;
+        const cmd = getCommand(ctx.args);
+        if (cmd !== null && cmd.includes("git push") && (cmd.includes("--force") || cmd.includes("-f"))) {
+            return {
+                rule: this.id,
+                message: "Force push is forbidden by governance policy",
+                severity: ViolationSeverity.Error,
+            };
+        }
+        return null;
+    },
+};
+const blockDirectSqlite = {
+    id: "shell.block-direct-sqlite",
+    description: "Block direct SQLite CLI access; use repository tools",
+    evaluate(ctx) {
+        if (ctx.toolName !== "bash")
+            return null;
+        const cmd = getCommand(ctx.args);
+        if (cmd !== null && cmd.includes("sqlite3")) {
+            return {
+                rule: this.id,
+                message: "Use repository tools instead of direct SQLite CLI access",
+                severity: ViolationSeverity.Error,
+            };
+        }
+        return null;
+    },
+};
+const warnDestructiveOps = {
+    id: "shell.warn-destructive",
+    description: "Warn on destructive file operations",
+    evaluate(ctx) {
+        if (ctx.toolName !== "bash")
+            return null;
+        const cmd = getCommand(ctx.args);
+        if (cmd !== null && cmd.includes("rm -rf")) {
+            return {
+                rule: this.id,
+                message: "Destructive operation detected (rm -rf). Proceed with caution.",
+                severity: ViolationSeverity.Warning,
+            };
+        }
+        return null;
+    },
+};
+// ── Security Policies: Secret Leakage Prevention ──────────────────────
+/**
+ * Patterns that indicate a shell command is trying to read, echo, or
+ * expand environment variables that may contain secrets. These commands
+ * would send secret values to the AI provider via tool output.
+ */
+const ENV_ACCESS_PATTERNS = [
+    /\benv\b(?!\s+[\w-]+=)/, // bare `env` (not `env VAR=val cmd`)
+    /\bprintenv\b/, // printenv (with or without args)
+    /\bexport\s+-p\b/, // export -p (dumps all exports)
+    /\bdeclare\s+-x\b/, // declare -x (dumps all exports)
+    /\bcompgen\s+-e\b/, // compgen -e (lists env var names)
+    /\becho\b.*\$\{?\w*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|AUTH)/i, // echo $*SECRET*
+    /\bprintf\b.*\$\{?\w*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|AUTH)/i,
+    /\bcat\b.*\/proc\/self\/environ/, // Linux proc environ
+    /\bnode\b.*process\.env/, // node -e "...process.env..."
+    /\bpython\b.*os\.\w*environ/, // python -c "...os.environ..."
+];
+const blockEnvDump = {
+    id: "security.block-env-dump",
+    description: "Block shell commands that dump or leak environment variables",
+    evaluate(ctx) {
+        if (ctx.toolName !== "bash")
+            return null;
+        const cmd = getCommand(ctx.args);
+        if (cmd === null)
+            return null;
+        for (const pattern of ENV_ACCESS_PATTERNS) {
+            if (pattern.test(cmd)) {
+                return {
+                    rule: this.id,
+                    message: "Blocked: command would expose environment variables that may " +
+                        "contain secrets. Environment variable values must never appear " +
+                        "in tool outputs sent to AI providers.",
+                    severity: ViolationSeverity.Error,
+                };
+            }
+        }
+        return null;
+    },
+};
+/**
+ * Block shell commands that read .env files via cat, grep, less, head,
+ * tail, strings, xxd, etc. The existing `file.block-env-read` policy
+ * only blocks the OpenCode `read` tool — this catches shell-level access.
+ */
+const SHELL_ENV_FILE_PATTERNS = [
+    /\b(?:cat|less|more|head|tail|strings|xxd|od|bat)\b.*\.env\b/,
+    /\b(?:grep|rg|ag|ack)\b.*\.env\b/,
+    /\bsource\b.*\.env\b/,
+    /\b\.\s+.*\.env\b/, // `. .env` (source shorthand)
+];
+const blockShellEnvFileRead = {
+    id: "security.block-shell-env-file",
+    description: "Block shell commands that read .env files",
+    evaluate(ctx) {
+        if (ctx.toolName !== "bash")
+            return null;
+        const cmd = getCommand(ctx.args);
+        if (cmd === null)
+            return null;
+        for (const pattern of SHELL_ENV_FILE_PATTERNS) {
+            if (pattern.test(cmd)) {
+                return {
+                    rule: this.id,
+                    message: "Blocked: command would read .env file contents that may " +
+                        "contain secrets. Never read .env files via shell commands.",
+                    severity: ViolationSeverity.Error,
+                };
+            }
+        }
+        return null;
+    },
+};
+/**
+ * Sensitive file extensions and patterns that should never be read
+ * directly — private keys, certificates, credential files, keystores.
+ */
+const SENSITIVE_FILE_PATTERNS = [
+    /\.pem$/,
+    /\.key$/,
+    /\.p12$/,
+    /\.pfx$/,
+    /\.jks$/,
+    /\.keystore$/,
+    /\bid_rsa\b/,
+    /\bid_ecdsa\b/,
+    /\bid_ed25519\b/,
+    /\bcredentials\.\w+$/,
+    /\bsecrets\.\w+$/,
+    /\bservice[-_]?account.*\.json$/,
+    /\.kube\/config$/,
+    /\.docker\/config\.json$/,
+    /\.aws\/credentials$/,
+    /\.npmrc$/,
+    /\.pypirc$/,
+    /\.netrc$/,
+];
+const blockSensitiveFileRead = {
+    id: "security.block-sensitive-file-read",
+    description: "Block reading of private keys, certificates, and credential files",
+    evaluate(ctx) {
+        if (ctx.toolName !== "read")
+            return null;
+        const path = getFilePath(ctx.args);
+        if (path === null)
+            return null;
+        for (const pattern of SENSITIVE_FILE_PATTERNS) {
+            if (pattern.test(path)) {
+                return {
+                    rule: this.id,
+                    message: "Blocked: file may contain private keys or credentials. " +
+                        "Reading this file would send sensitive data to the AI provider.",
+                    severity: ViolationSeverity.Error,
+                };
+            }
+        }
+        return null;
+    },
+};
+/**
+ * Block shell commands that attempt to read sensitive credential files.
+ * Complements `security.block-sensitive-file-read` which only covers
+ * the OpenCode `read` tool.
+ */
+const blockShellSensitiveFileRead = {
+    id: "security.block-shell-sensitive-file",
+    description: "Block shell commands reading credential files",
+    evaluate(ctx) {
+        if (ctx.toolName !== "bash")
+            return null;
+        const cmd = getCommand(ctx.args);
+        if (cmd === null)
+            return null;
+        // Check for cat/less/head/etc. on sensitive file patterns
+        const readCmds = /\b(?:cat|less|more|head|tail|strings|xxd|od|bat|base64)\b/;
+        if (!readCmds.test(cmd))
+            return null;
+        for (const pattern of SENSITIVE_FILE_PATTERNS) {
+            if (pattern.test(cmd)) {
+                return {
+                    rule: this.id,
+                    message: "Blocked: command would read a file containing private keys " +
+                        "or credentials. This data must never be sent to AI providers.",
+                    severity: ViolationSeverity.Error,
+                };
+            }
+        }
+        return null;
+    },
+};
+// ── Default Policy Set ────────────────────────────────────────────────
+/** All built-in governance policies. */
+export const DEFAULT_POLICIES = [
+    // File access
+    blockCsvDirectRead,
+    blockYamlDirectRead,
+    blockEnvFileRead,
+    // Shell safety
+    blockForcePush,
+    blockDirectSqlite,
+    warnDestructiveOps,
+    // Security: secret leakage prevention
+    blockEnvDump,
+    blockShellEnvFileRead,
+    blockSensitiveFileRead,
+    blockShellSensitiveFileRead,
+];
+//# sourceMappingURL=policies.js.map