@meetless/mla 0.1.4

package/dist/lib/rules/content-match.js

@@ -0,0 +1,56 @@
+"use strict";
+// CONTENT matcher: the pure classifier for the em-dash-ban rule class (GAP2).
+//
+// The proposal routes the BEHAVIORAL em-dash ban (over the agent's chat output,
+// emitted at Stop) to a Stop-hook detect-only check, because the output text is
+// not a tool call and so is not observable at PreToolUse. This module handles a
+// DIFFERENT, mechanically-decidable case the proposal did not cover: a forbidden
+// substring written INTO a file, i.e. literally present in a Write `content` or
+// Edit `new_string` payload field. That field is fully observable at PreToolUse,
+// so BOTH polarities are provable here:
+//
+//   needle present  -> CONTAINS_FORBIDDEN  (the bytes are right there)
+//   string, no needle -> NO_FORBIDDEN      (absence is provable: we see the whole field)
+//   non-string / no needles -> INDETERMINATE
+//
+// This is the key asymmetry versus Bash (see command-match.ts): for an opaque
+// shell string, absence of a pattern cannot prove the effect is absent, so a
+// non-match degrades to UNKNOWN. For a concrete content field, we hold the entire
+// value, so a non-match is a genuine COMPLIANT. The two checks COMPLEMENT each
+// other: Stop catches an em-dash in chat output; this catches an em-dash written
+// into a file.
+//
+// Matching is codepoint-exact with NO normalization: an em-dash needle (U+2014)
+// must never be conflated with an en-dash (U+2013) or an ASCII hyphen. The rule
+// is a byte-level ban, and normalizing would silently widen or narrow it.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyContent = classifyContent;
+/**
+ * Classify a candidate content value against a set of forbidden substrings.
+ *
+ * INDETERMINATE (degrades to UNKNOWN, never a verdict) when:
+ *  - the value is not a string (the field is absent or the tool input is shaped
+ *    unexpectedly), or
+ *  - there is nothing meaningful to look for: an empty needle set, or a set whose
+ *    every needle is the empty string. An empty needle would `.includes("")`-match
+ *    every string, so empty needles are DROPPED, never allowed to flag all content.
+ *
+ * Otherwise CONTAINS_FORBIDDEN iff any non-empty needle occurs as an exact
+ * (codepoint) substring; NO_FORBIDDEN if none do. An empty content string with a
+ * real needle set is observably clean -> NO_FORBIDDEN, not indeterminate.
+ */
+function classifyContent(rawValue, forbiddenSubstrings) {
+    if (typeof rawValue !== "string") {
+        return "INDETERMINATE";
+    }
+    const needles = forbiddenSubstrings.filter((n) => typeof n === "string" && n.length > 0);
+    if (needles.length === 0) {
+        return "INDETERMINATE";
+    }
+    for (const needle of needles) {
+        if (rawValue.includes(needle)) {
+            return "CONTAINS_FORBIDDEN";
+        }
+    }
+    return "NO_FORBIDDEN";
+}

package/dist/lib/rules/deny-admission.js

@@ -0,0 +1,99 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ENFORCEMENT_GATE_REASON_CODES = void 0;
+exports.isEnforcementGateReasonCode = isEnforcementGateReasonCode;
+exports.projectEligibleEnforcement = projectEligibleEnforcement;
+exports.resolveAttestedPathRoot = resolveAttestedPathRoot;
+exports.admitEnforcement = admitEnforcement;
+exports.planDenyAccounting = planDenyAccounting;
+const path = __importStar(require("path"));
+exports.ENFORCEMENT_GATE_REASON_CODES = [
+    "RULE_ENFORCEMENT_UNAVAILABLE",
+    "NOT_LIVE_CAPS_AT_OBSERVE",
+    "UNKNOWN_EVALUATION_NEVER_DENIES",
+    "WORKSPACE_POLICY_FORBIDS_DENY",
+    "UNRESOLVED_CONFLICT_NEVER_DENIES",
+];
+function isEnforcementGateReasonCode(x) {
+    return (typeof x === "string" &&
+        exports.ENFORCEMENT_GATE_REASON_CODES.includes(x));
+}
+/*
+ * R1-3: eligibility is projected through the evaluation `result` only. The attested enforcement
+ * ceiling applies exclusively to a VIOLATION; anything else (including UNKNOWN) is OBSERVE.
+ */
+function projectEligibleEnforcement(result, enforcementCeiling) {
+    return result === "VIOLATION" ? enforcementCeiling : "OBSERVE";
+}
+function resolveAttestedPathRoot(input) {
+    const relative = (input.configuredRelativeForbiddenPath ?? "").trim();
+    const root = (input.activeRuntimeProjectRoot ?? "").trim();
+    if (relative.length === 0) {
+        return { admitted: false, reason: "ATTESTED_ROOT_CONTENT_MISSING" };
+    }
+    if (root.length === 0) {
+        return { admitted: false, reason: "ACTIVE_RUNTIME_ROOT_UNRESOLVED" };
+    }
+    return { admitted: true, forbiddenRoot: path.join(root, relative) };
+}
+/*
+ * R1-5: lower the eligible enforcement to effective enforcement through the deny-admission gates.
+ * Only a DENY eligibility is gated; OBSERVE and ASK pass through untouched with no gate reason.
+ * A DENY is admitted only when MLA is the sole effective input authority AND the attested path
+ * root is admissible; otherwise it fails open to NONE with the single primary gate reason
+ * RULE_ENFORCEMENT_UNAVAILABLE. The decision is gated by admissibility, never by deny "strength".
+ */
+function admitEnforcement(args) {
+    if (args.eligibleEnforcement !== "DENY") {
+        return { effectiveEnforcement: args.eligibleEnforcement, gateReasonCode: null };
+    }
+    if (args.inputAuthority.kind !== "MLA_SOLE_AUTHORITY" || !args.pathRoot.admitted) {
+        return { effectiveEnforcement: "NONE", gateReasonCode: "RULE_ENFORCEMENT_UNAVAILABLE" };
+    }
+    return { effectiveEnforcement: "DENY", gateReasonCode: null };
+}
+/*
+ * P0.60: honest deny-emission accounting. An effective DENY is planned as an aggregate DENY whose
+ * emission state begins at DECISION_RECORDED: slice 10 persists and commits this row BEFORE
+ * emitting the deny response, so a crash after the commit but before emission leaves an honest
+ * DECISION_RECORDED (recoverable, never NO_DECISION). Any non-deny effective enforcement plans no
+ * decision at all.
+ */
+function planDenyAccounting(effective) {
+    return effective === "DENY"
+        ? { aggregateDecision: "DENY", denyEmissionStatus: "DECISION_RECORDED" }
+        : { aggregateDecision: "NO_DECISION", denyEmissionStatus: "NOT_APPLICABLE" };
+}

package/dist/lib/rules/durable-observation.js

@@ -0,0 +1,190 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PATH_CANONICALIZER_VERSION = exports.MATCHER_SCHEMA_VERSION = exports.EVALUATOR_CONTRACT_VERSION = void 0;
+exports.verdictFromEvaluationInput = verdictFromEvaluationInput;
+exports.replayVerdictFromSnapshot = replayVerdictFromSnapshot;
+exports.recordR0Observation = recordR0Observation;
+exports.observeAndRecordNotesRule = observeAndRecordNotesRule;
+const evaluation_input_hash_1 = require("./evaluation-input-hash");
+const interception_store_1 = require("./interception-store");
+const observed_rule_hash_1 = require("./observed-rule-hash");
+const notes_rule_1 = require("./notes-rule");
+const notes_path_1 = require("./notes-path");
+const observe_adapter_1 = require("./observe-adapter");
+const evaluator_1 = require("./evaluator");
+const ulid_1 = require("./ulid");
+// Persistence slice 3 (proposal §10.1): the durable R0 observation seam. The observe-only
+// pipeline computed a verdict in process but persisted NOTHING; this module gives an applicable
+// interception a durable home. On an applicable Write/Edit of a Markdown file it mints two local
+// ULIDs and writes, in ONE transaction, a tool_attempt (carrying the canonical evaluation-input-v1
+// snapshot + hash) and one observed-arm rule_evaluation_record. Then it returns the same empty,
+// decision-free hook response the observe slice always returned.
+//
+// Two invariants make the durable record trustworthy, both load-bearing for the Slice 6 replay:
+//   - The persisted verdict is derived PURELY from the stored target + forbidden root by
+//     verdictFromEvaluationInput. The host-aware classifyTargetPath stays a side channel; only this
+//     snapshot-pure verdict is persisted, so a replay over the stored snapshot reproduces it exactly.
+//   - Observe never grants: the attempt is NO_DECISION / NOT_APPLICABLE deny status and the
+//     evaluation arm is OBSERVE/OBSERVE with no attested version (rule_version_id NULL).
+//
+// NOT_APPLICABLE (no rule, wrong tool, glob non-match) and INFRA (malformed payload, missing
+// session id, misconfigured pilot) persist nothing: an absent rule is not an observation, and an
+// MLA infrastructure-health fact is never a rule verdict.
+// The evaluation-input-v1 version triple. These pin the exact contract the four-state evaluator,
+// the action-applicability matcher, and the notes-path canonicalizer agreed on; they are part of
+// the persisted snapshot and MUST equal the Slice 4 golden-vector corpus values byte-for-byte.
+exports.EVALUATOR_CONTRACT_VERSION = "four-state-evaluator-v1";
+exports.MATCHER_SCHEMA_VERSION = "action-applicability-v1";
+exports.PATH_CANONICALIZER_VERSION = "notes-path-v1";
+/** The snapshot-pure verdict: the SOLE rule by which a stored observation (and its later replay)
+ * derives a three-state result from the stored target + forbidden root. It is a pure string
+ * comparison over the already-canonicalized posix relative path, with no filesystem probe, so a
+ * replay from the snapshot alone is deterministic. The prefix test is boundary-correct: a sibling
+ * of the forbidden root (e.g. "notes-archive/x.md" against "notes") is NOT under it. */
+function verdictFromEvaluationInput(target, forbiddenRootRelativePath) {
+    switch (target.kind) {
+        case "UNKNOWN":
+            return { result: "UNKNOWN", verdictReasonCode: "CANONICALIZATION_FAILED" };
+        case "OUTSIDE_RUNTIME_SCOPE":
+            return { result: "COMPLIANT", verdictReasonCode: "COMPLIANT_OUTSIDE_FORBIDDEN_ROOT" };
+        case "RUNTIME_RELATIVE": {
+            const underForbidden = target.path === forbiddenRootRelativePath ||
+                target.path.startsWith(forbiddenRootRelativePath + "/");
+            return underForbidden
+                ? { result: "VIOLATION", verdictReasonCode: "FORBIDDEN_PATH_MATCH" }
+                : { result: "COMPLIANT", verdictReasonCode: "COMPLIANT_OUTSIDE_FORBIDDEN_ROOT" };
+        }
+    }
+}
+/**
+ * Replay the durable R0 verdict from a tool_attempt's stored evaluation_input_snapshot ALONE
+ * (proposal §10.2 R0-5). Parses the canonical evaluation-input-v1 JSON and re-derives the verdict
+ * via verdictFromEvaluationInput over its `target` + `forbiddenRootRelativePath`. It reads no
+ * version table, no rule_evaluation_record, and never touches the filesystem: the snapshot is the
+ * whole replay basis. Because recordR0Observation persisted the verdict by this very same pure rule
+ * over the very same fields, a replay reproduces the stored result by construction, so a stored row
+ * can be audited for tamper by re-deriving its verdict from its own snapshot.
+ */
+function replayVerdictFromSnapshot(evaluationInputSnapshot) {
+    const input = JSON.parse(evaluationInputSnapshot);
+    return verdictFromEvaluationInput(input.target, input.forbiddenRootRelativePath);
+}
+/**
+ * Persist one R0 observation as the two-record pair, atomically. Mints two distinct ULIDs (one
+ * attempt, one evaluation), builds the canonical evaluation-input-v1 snapshot + hash and the inline
+ * observed-rule snapshot + hash, derives the snapshot-pure verdict, and writes both rows inside a
+ * single BEGIN IMMEDIATE transaction so an interception is never half-recorded. Pure of I/O beyond
+ * the local store: no filesystem, no network.
+ */
+function recordR0Observation(store, subject, ctx) {
+    const attemptId = (0, ulid_1.ulid)(ctx.now, ctx.rand);
+    const evaluationId = (0, ulid_1.ulid)(ctx.now, ctx.rand);
+    const evaluationInput = {
+        toolName: subject.toolName,
+        target: subject.target,
+        forbiddenRootRelativePath: subject.spec.forbiddenRootRelativePath,
+        evaluatorContractVersion: exports.EVALUATOR_CONTRACT_VERSION,
+        matcherSchemaVersion: exports.MATCHER_SCHEMA_VERSION,
+        pathCanonicalizerVersion: exports.PATH_CANONICALIZER_VERSION,
+    };
+    const verdict = verdictFromEvaluationInput(subject.target, subject.spec.forbiddenRootRelativePath);
+    const attempt = {
+        attemptId,
+        runtimeScopeId: ctx.runtimeScopeId,
+        sessionId: ctx.sessionId,
+        toolName: subject.toolName,
+        evaluationInputSnapshot: (0, evaluation_input_hash_1.serializeEvaluationInput)(evaluationInput),
+        evaluationInputHash: (0, evaluation_input_hash_1.evaluationInputHash)(evaluationInput),
+        aggregateDecision: "NO_DECISION",
+        denyEmissionStatus: "NOT_APPLICABLE",
+        inputAuthorityConfigHash: null,
+        createdAt: ctx.createdAt,
+    };
+    const evaluation = {
+        evaluationId,
+        attemptId,
+        runtimeScopeId: ctx.runtimeScopeId,
+        result: verdict.result,
+        eligibleEnforcement: "OBSERVE",
+        effectiveEnforcement: "OBSERVE",
+        verdictReasonCode: verdict.verdictReasonCode,
+        gateReasonCode: null,
+        evaluatorContractVersion: exports.EVALUATOR_CONTRACT_VERSION,
+        observedRuleSnapshot: (0, observed_rule_hash_1.serializeObservedRule)(subject.spec),
+        observedRuleHash: (0, observed_rule_hash_1.observedRuleHash)(subject.spec),
+        ruleVersionId: null,
+        canonicalPayloadHash: null,
+        createdAt: ctx.createdAt,
+    };
+    store.db
+        .transaction(() => {
+        (0, interception_store_1.insertToolAttempt)(store, attempt);
+        (0, interception_store_1.insertRuleEvaluationRecord)(store, evaluation);
+    })
+        .immediate();
+    return {
+        attemptId,
+        evaluationId,
+        result: verdict.result,
+        verdictReasonCode: verdict.verdictReasonCode,
+    };
+}
+const NO_DECISION = {};
+/**
+ * The durable PreToolUse seam for the notes-location pilot. Parses the hook payload, selects the
+ * pilot directive, runs the pure selector, classifies the target, and on an applicable call persists
+ * the two-record observation. Always returns the empty, decision-free hook response; the durable
+ * outcome travels on the side channel.
+ *
+ * Skip semantics (persist nothing): a malformed payload or a missing session id is INFRA (a hook
+ * without a session id is malformed; we refuse to fabricate the NOT NULL session_id); no declared
+ * rule, a non-Write/Edit tool, or a glob non-match is NOT_APPLICABLE; a misconfigured pilot
+ * descriptor is INFRA.
+ */
+async function observeAndRecordNotesRule(store, input) {
+    const parsed = (0, observe_adapter_1.parsePreToolUseInput)(input.rawStdin);
+    if (!parsed) {
+        return { response: NO_DECISION, outcome: { kind: "INFRA", diagnostic: "malformed hook input" } };
+    }
+    // tool_attempt.session_id is NOT NULL and we never fabricate identity: a payload without one is
+    // an infrastructure fault, not an observation.
+    if (parsed.session_id === undefined) {
+        return { response: NO_DECISION, outcome: { kind: "INFRA", diagnostic: "missing session_id" } };
+    }
+    const directive = (0, notes_rule_1.selectNotesLocationDirective)(input.directives);
+    if (!directive) {
+        return { response: NO_DECISION, outcome: { kind: "NOT_APPLICABLE" } };
+    }
+    const built = (0, notes_rule_1.buildObservedNotesRuleSpec)(directive);
+    if (!built.ok) {
+        return { response: NO_DECISION, outcome: { kind: "INFRA", diagnostic: built.diagnostic } };
+    }
+    const spec = built.spec;
+    const call = { toolName: parsed.tool_name, toolInput: parsed.tool_input };
+    if ((0, evaluator_1.selectRule)(call, spec.applicability) === "NOT_APPLICABLE" || spec.applicability.mode !== "action") {
+        return { response: NO_DECISION, outcome: { kind: "NOT_APPLICABLE" } };
+    }
+    // The selector proved the tool is in the pilot's {Write, Edit} list and the matcher field holds a
+    // *.md string, so this narrowing is sound.
+    const toolName = parsed.tool_name;
+    const rawFilePath = parsed.tool_input[spec.applicability.matcher.field];
+    const classify = input.classifyRuntime ?? notes_path_1.classifyRuntimeTarget;
+    const target = await classify(rawFilePath, input.runtimeProjectRoot);
+    const persisted = recordR0Observation(store, { toolName, target, spec }, {
+        runtimeScopeId: input.runtimeScopeId,
+        sessionId: parsed.session_id,
+        createdAt: input.createdAt,
+        now: input.now,
+        rand: input.rand,
+    });
+    return {
+        response: NO_DECISION,
+        outcome: {
+            kind: "PERSISTED",
+            attemptId: persisted.attemptId,
+            evaluationId: persisted.evaluationId,
+            result: persisted.result,
+            verdictReasonCode: persisted.verdictReasonCode,
+        },
+    };
+}