@meetless/mla 0.1.4

package/dist/lib/rules/enforce-notes-version.js

@@ -0,0 +1,421 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.recordDenyDecision = recordDenyDecision;
+exports.evaluateAndEnforceNotesVersion = evaluateAndEnforceNotesVersion;
+exports.evaluateAndEnforceLiveRules = evaluateAndEnforceLiveRules;
+exports.evaluateEnforceOrObserveNotesRule = evaluateEnforceOrObserveNotesRule;
+const evaluation_input_hash_1 = require("./evaluation-input-hash");
+const interception_store_1 = require("./interception-store");
+const local_rule_version_repo_1 = require("./local-rule-version-repo");
+const durable_observation_1 = require("./durable-observation");
+const notes_path_1 = require("./notes-path");
+const inert_rule_families_1 = require("./inert-rule-families");
+const observe_adapter_1 = require("./observe-adapter");
+const evaluator_1 = require("./evaluator");
+const attest_notes_location_1 = require("./attest-notes-location");
+const ulid_1 = require("./ulid");
+const deny_admission_1 = require("./deny-admission");
+const version_evaluation_1 = require("./version-evaluation");
+const PASS_THROUGH = {};
+/**
+ * Build the tool_attempt + version-arm rule_evaluation_record pair for one interception. The
+ * evaluation-input-v1 snapshot carries the RUNNING evaluator's supported triple, byte-identical to
+ * slice 8's observe writer, so a snapshot-only replay reproduces the verdict. The deny accounting
+ * (aggregate decision + emission status) is derived from the effective enforcement through the slice-9
+ * kernel so this seam never re-decides what the kernel already owns.
+ */
+function buildArmRows(ids, subject, enforcement, ctx) {
+    const evaluationInput = {
+        toolName: subject.toolName,
+        target: subject.target,
+        forbiddenRootRelativePath: subject.payload.compliance.config.forbiddenRootRelativePath,
+        evaluatorContractVersion: durable_observation_1.EVALUATOR_CONTRACT_VERSION,
+        matcherSchemaVersion: durable_observation_1.MATCHER_SCHEMA_VERSION,
+        pathCanonicalizerVersion: durable_observation_1.PATH_CANONICALIZER_VERSION,
+    };
+    const accounting = (0, deny_admission_1.planDenyAccounting)(enforcement.effectiveEnforcement);
+    const attempt = {
+        attemptId: ids.attemptId,
+        runtimeScopeId: ctx.runtimeScopeId,
+        sessionId: ctx.sessionId,
+        toolName: subject.toolName,
+        evaluationInputSnapshot: (0, evaluation_input_hash_1.serializeEvaluationInput)(evaluationInput),
+        evaluationInputHash: (0, evaluation_input_hash_1.evaluationInputHash)(evaluationInput),
+        aggregateDecision: accounting.aggregateDecision,
+        denyEmissionStatus: accounting.denyEmissionStatus,
+        inputAuthorityConfigHash: enforcement.inputAuthorityConfigHash,
+        createdAt: ctx.createdAt,
+    };
+    const evaluation = {
+        evaluationId: ids.evaluationId,
+        attemptId: ids.attemptId,
+        runtimeScopeId: ctx.runtimeScopeId,
+        result: enforcement.result,
+        eligibleEnforcement: enforcement.eligibleEnforcement,
+        effectiveEnforcement: enforcement.effectiveEnforcement,
+        verdictReasonCode: enforcement.verdictReasonCode,
+        gateReasonCode: enforcement.gateReasonCode,
+        evaluatorContractVersion: durable_observation_1.EVALUATOR_CONTRACT_VERSION,
+        ruleVersionId: subject.version.versionId,
+        canonicalPayloadHash: subject.version.canonicalPayloadHash,
+        createdAt: ctx.createdAt,
+    };
+    return { attempt, evaluation };
+}
+/** Write a version-arm row pair atomically (a single BEGIN IMMEDIATE), so an interception is never
+ * half-recorded. */
+function writeArm(store, attempt, evaluation) {
+    store.db
+        .transaction(() => {
+        (0, interception_store_1.insertToolAttempt)(store, attempt);
+        (0, local_rule_version_repo_1.insertVersionEvaluationRecord)(store, evaluation);
+    })
+        .immediate();
+}
+/**
+ * Persist a would-be deny that a gate (or a generation churn) lowered to effective NONE, and report
+ * the row ids. The eligible enforcement stays DENY (the rule WOULD have denied) but the effective
+ * enforcement is NONE with the single primary gate reason RULE_ENFORCEMENT_UNAVAILABLE, the deny
+ * status is NOT_APPLICABLE, and the input-authority config hash resolved at this deny is recorded for
+ * the audit and for `mla doctor`. This is the honest record behind a fail-open.
+ */
+function recordEnforcementUnavailable(store, subject, verdict, inputAuthorityConfigHash, ctx) {
+    const ids = { attemptId: (0, ulid_1.ulid)(ctx.now, ctx.rand), evaluationId: (0, ulid_1.ulid)(ctx.now, ctx.rand) };
+    const { attempt, evaluation } = buildArmRows(ids, subject, {
+        result: verdict.result,
+        verdictReasonCode: verdict.verdictReasonCode,
+        eligibleEnforcement: "DENY",
+        effectiveEnforcement: "NONE",
+        gateReasonCode: "RULE_ENFORCEMENT_UNAVAILABLE",
+        inputAuthorityConfigHash,
+    }, ctx);
+    writeArm(store, attempt, evaluation);
+    return ids;
+}
+/**
+ * The linearized deny commit (P0.52). Mints the two ULIDs and builds the DENY / DECISION_RECORDED row
+ * pair OUTSIDE any write transaction, then opens a single BEGIN IMMEDIATE and RE-READS the LIVE version
+ * for the deny's (scope, rule). It persists ONLY when that is still the exact generation the deny was
+ * evaluated against; if a concurrent attest superseded it in the window, the deny is inadmissible, the
+ * transaction writes nothing, and it fails open with GENERATION_CHURN.
+ *
+ * This is the minimal safe floor of the contract: the spec permits one retry, but we treat the first
+ * observed churn as inadmissible (no retry loop), which is strictly more conservative. `beforeCommit`
+ * is the test seam that lands a supersede in the window; it runs BEFORE the IMMEDIATE acquires the
+ * write lock, exactly as a real concurrent attest that commits ahead of our deny-commit would.
+ */
+function recordDenyDecision(store, subject, ctx, opts = {}) {
+    const attemptId = (0, ulid_1.ulid)(ctx.now, ctx.rand);
+    const evaluationId = (0, ulid_1.ulid)(ctx.now, ctx.rand);
+    const { attempt, evaluation } = buildArmRows({ attemptId, evaluationId }, subject, {
+        result: subject.result,
+        verdictReasonCode: subject.verdictReasonCode,
+        eligibleEnforcement: "DENY",
+        effectiveEnforcement: "DENY",
+        gateReasonCode: null,
+        inputAuthorityConfigHash: subject.inputAuthorityConfigHash,
+    }, ctx);
+    // The concurrent attest, if any, commits ahead of our write lock (it cannot land once BEGIN IMMEDIATE
+    // holds the lock, so the realistic race is "it committed in the window before us").
+    opts.beforeCommit?.();
+    let churned = false;
+    store.db
+        .transaction(() => {
+        const live = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, subject.version.runtimeScopeId, subject.version.ruleId);
+        if (!live || live.versionId !== subject.version.versionId) {
+            churned = true;
+            return;
+        }
+        (0, interception_store_1.insertToolAttempt)(store, attempt);
+        (0, local_rule_version_repo_1.insertVersionEvaluationRecord)(store, evaluation);
+    })
+        .immediate();
+    if (churned) {
+        return { committed: false, cause: "GENERATION_CHURN" };
+    }
+    return { committed: true, attemptId, evaluationId };
+}
+/** Describe the blocked target for the deny reason; a non-relative target degrades to a generic phrase
+ * rather than leaking an unclassified path shape. */
+function describeTarget(target) {
+    return target.kind === "RUNTIME_RELATIVE" ? target.path : "the requested file";
+}
+/**
+ * Build the human-facing deny reason for any PROHIBIT forbidden-root rule. It is grounded in the
+ * attested prose (`payload.text`, the human-attested directive) plus the concrete blocked target and
+ * the configured forbidden root, and it names the violated rule id so the block is self-explaining in
+ * the Claude Code surface. No rule-specific copy is hard-coded here: the attested prose carries the
+ * steer (where the file SHOULD go), so the one reason builder serves the whole family, not just the
+ * notes pilot.
+ */
+function buildDenyReason(ruleId, payload, target) {
+    const where = describeTarget(target);
+    const forbidden = payload.compliance.config.forbiddenRootRelativePath;
+    return (`Blocked by Meetless rule ${ruleId}. Writing ${where} under the forbidden ` +
+        `"${forbidden}/" root is prohibited. ${payload.text}`);
+}
+/**
+ * The enforced version-backed PreToolUse seam for the notes-location pilot. See the module header for
+ * the full pipeline. Returns the hook response (pass-through, or the one admitted deny) plus the
+ * durable outcome on the side channel. Skip semantics match slice 8 exactly: malformed payload or
+ * absent session id is INFRA, no LIVE version is NO_LIVE_VERSION, a non-Write/Edit tool or a glob
+ * non-match is NOT_APPLICABLE, and none of those persist a row.
+ */
+async function evaluateAndEnforceNotesVersion(store, input) {
+    const parsed = (0, observe_adapter_1.parsePreToolUseInput)(input.rawStdin);
+    if (!parsed) {
+        return { response: PASS_THROUGH, outcome: { kind: "INFRA", diagnostic: "malformed hook input" } };
+    }
+    if (parsed.session_id === undefined) {
+        return { response: PASS_THROUGH, outcome: { kind: "INFRA", diagnostic: "missing session_id" } };
+    }
+    const ruleId = input.ruleId ?? attest_notes_location_1.NOTES_LOCATION_RULE_ID;
+    const version = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, input.runtimeScopeId, ruleId);
+    if (!version) {
+        return { response: PASS_THROUGH, outcome: { kind: "NO_LIVE_VERSION" } };
+    }
+    const payload = JSON.parse(version.rulePayload);
+    const call = { toolName: parsed.tool_name, toolInput: parsed.tool_input };
+    if ((0, evaluator_1.selectRule)(call, payload.applicability) === "NOT_APPLICABLE" || payload.applicability.mode !== "action") {
+        return { response: PASS_THROUGH, outcome: { kind: "NOT_APPLICABLE" } };
+    }
+    // The selector proved the tool is in the version's {Write, Edit} list and the matcher field holds a
+    // matching string, so this narrowing is sound (mirrors slice 8).
+    const toolName = parsed.tool_name;
+    const rawFilePath = parsed.tool_input[payload.applicability.matcher.field];
+    const classify = input.classifyRuntime ?? notes_path_1.classifyRuntimeTarget;
+    const target = await classify(rawFilePath, input.runtimeProjectRoot);
+    const verdict = (0, version_evaluation_1.versionBackedVerdict)(payload, target);
+    const eligible = (0, deny_admission_1.projectEligibleEnforcement)(verdict.result, payload.enforcementCeiling);
+    const ctx = {
+        runtimeScopeId: input.runtimeScopeId,
+        sessionId: parsed.session_id,
+        createdAt: input.createdAt,
+        now: input.now,
+        rand: input.rand,
+    };
+    const subject = { toolName, target, version, payload };
+    // Not a would-be deny (COMPLIANT, UNKNOWN, or a non-DENY ceiling): OBSERVE and pass through, WITHOUT
+    // resolving input authority. This is byte-identical to slice 8's writer.
+    if (eligible !== "DENY") {
+        const persisted = (0, version_evaluation_1.recordVersionEvaluation)(store, { toolName, target, version }, ctx);
+        return {
+            response: PASS_THROUGH,
+            outcome: {
+                kind: "OBSERVED",
+                attemptId: persisted.attemptId,
+                evaluationId: persisted.evaluationId,
+                result: persisted.result,
+                verdictReasonCode: persisted.verdictReasonCode,
+                ruleVersionId: persisted.ruleVersionId,
+                canonicalPayloadHash: persisted.canonicalPayloadHash,
+            },
+        };
+    }
+    // A would-be deny. Re-resolve the input authority (P0.58) and the attested path root (P0.63) at THIS
+    // deny, then run the pure admission kernel (slice 9).
+    const inputAuthority = input.resolveInputAuthority();
+    const pathRoot = (0, deny_admission_1.resolveAttestedPathRoot)({
+        configuredRelativeForbiddenPath: payload.compliance.config.forbiddenRootRelativePath,
+        activeRuntimeProjectRoot: input.runtimeProjectRoot,
+    });
+    const admission = (0, deny_admission_1.admitEnforcement)({ eligibleEnforcement: eligible, inputAuthority, pathRoot });
+    if (admission.effectiveEnforcement !== "DENY") {
+        // A gate lowered the deny to NONE: record the honest NONE arm and fail open. The cause distinguishes
+        // a non-sole input authority (P0.58) from an unresolved path root (P0.63); both are recorded as the
+        // single gate reason RULE_ENFORCEMENT_UNAVAILABLE.
+        const ids = recordEnforcementUnavailable(store, subject, verdict, inputAuthority.configHash, ctx);
+        const cause = inputAuthority.kind !== "MLA_SOLE_AUTHORITY" ? "INPUT_AUTHORITY" : "PATH_ROOT";
+        return {
+            response: PASS_THROUGH,
+            outcome: { kind: "ENFORCEMENT_UNAVAILABLE", cause, attemptId: ids.attemptId, evaluationId: ids.evaluationId },
+        };
+    }
+    // Admitted DENY. Linearize the durable commit against the LIVE generation (P0.52).
+    const deny = recordDenyDecision(store, {
+        toolName,
+        target,
+        version,
+        payload,
+        result: verdict.result,
+        verdictReasonCode: verdict.verdictReasonCode,
+        inputAuthorityConfigHash: inputAuthority.configHash,
+    }, ctx, { beforeCommit: input.beforeDenyCommit });
+    if (!deny.committed) {
+        // The LIVE generation churned in the deny window: inadmissible. Record the NONE arm and fail open.
+        const ids = recordEnforcementUnavailable(store, subject, verdict, inputAuthority.configHash, ctx);
+        return {
+            response: PASS_THROUGH,
+            outcome: { kind: "ENFORCEMENT_UNAVAILABLE", cause: "GENERATION_CHURN", attemptId: ids.attemptId, evaluationId: ids.evaluationId },
+        };
+    }
+    // The deny is committed durably at DECISION_RECORDED. Produce the emission, then advance the row to
+    // RESPONSE_EMITTED (R1-4). The DECISION_RECORDED commit is durable before this point, so a crash in
+    // the post-commit window leaves an honest DECISION_RECORDED, never NO_DECISION; the actual stdout
+    // write of this response is the runtime caller's, immediately after the seam returns.
+    const response = {
+        permissionDecision: "deny",
+        reason: buildDenyReason(ruleId, payload, target),
+    };
+    (0, interception_store_1.advanceDenyEmissionToResponseEmitted)(store, deny.attemptId);
+    return {
+        response,
+        outcome: {
+            kind: "DENIED",
+            attemptId: deny.attemptId,
+            evaluationId: deny.evaluationId,
+            ruleVersionId: version.versionId,
+            canonicalPayloadHash: version.canonicalPayloadHash,
+            inputAuthorityConfigHash: inputAuthority.configHash,
+        },
+    };
+}
+/**
+ * The PROHIBIT forbidden-root family: the one rule shape R1's evaluator and deny-admission kernel can
+ * enforce today, and (proposal §2.0) the shape that is conflict-free BY CONSTRUCTION. A rule is in the
+ * family when it PROHIBITs (never an effect that could effectively REQUIRE an action, which is the
+ * precondition for a conflict), is action-scoped (ambient rules are prompt-time grounding, not action
+ * gates), and carries a non-empty forbidden root for the path evaluator to face. Everything else is the
+ * R4 frontier the dispatch refuses to reason about.
+ */
+function isProhibitForbiddenRootFamily(payload) {
+    return (payload.effect === "PROHIBIT" &&
+        payload.applicability.mode === "action" &&
+        typeof payload.compliance?.config?.forbiddenRootRelativePath === "string" &&
+        payload.compliance.config.forbiddenRootRelativePath.length > 0);
+}
+/**
+ * The rule-driven enforce dispatch (R4, conflict mechanization P0.13). Faces ONE tool attempt against
+ * EVERY LIVE rule in the scope, not just the notes pilot, by delegating per rule to the proven
+ * single-rule seam ({@link evaluateAndEnforceNotesVersion}) with that rule's id. Each delegated face
+ * writes its own attempt+eval arm, so the 1-attempt:N-evaluations schema is realized as N attempts that
+ * each record their own rule's verdict (the deliberately conservative reuse of the armed-deny machinery
+ * over a risky single-attempt linearization refactor).
+ *
+ * Two invariants make this safe:
+ *
+ *   1. R4 conflict-safety guard (three-class partition, P0.13). We can prove the absence of conflicts in
+ *      two cases, and only those. (a) WITHIN the PROHIBIT forbidden-root family (§2.0: a conflict needs an
+ *      effect that effectively REQUIRES an action, which PROHIBIT never does, so any number of PROHIBIT
+ *      forbidden-root rules are mutually compatible) the rule is enforceable and we face it. (b) A
+ *      provably INERT rule (one whose response ceiling is RECORD_ONLY, per {@link isInertNonEnforcingRule})
+ *      imposes no effect at all on the attempt; no effect cannot be incompatible with a PROHIBIT deny, so
+ *      it is non-conflicting by construction and we SKIP it. The moment a LIVE rule is NEITHER (an effect
+ *      that could require an action, an unrecognized schema, a payload that will not parse) we cannot rule
+ *      out a conflict, so we fail OPEN for the WHOLE attempt (R4_UNSUPPORTED_RULE_KIND) rather than enforce
+ *      a deny we cannot reason about. The inert-skip is what lets a CE0 consult-evidence rule coexist in
+ *      the same scope as the deny pilot without disarming it; the fail-open boundary for the genuinely
+ *      unrecognized is unchanged.
+ *
+ *   2. Deterministic single block. Rules are faced in ruleId order (the repo returns them ordered by
+ *      rule_id). The dispatch STOPS at the first deny: the family is conflict-free, so the lowest-ruleId
+ *      deny is a deterministic, sufficient single block (the action is blocked once; the remaining rules
+ *      need not run). Rules faced before the winner have already recorded their honest OBSERVE arms.
+ *
+ * Returns one of two distinct observe-fallback triggers when no enforceable rule is armed: NO_LIVE_VERSION
+ * when the scope is literally empty, or ONLY_INERT_RULES when live rules exist but every one is provably
+ * inert (RECORD_ONLY). Both are kept distinct from NOT_APPLICABLE (enforceable rules exist but none selected
+ * this call), and from each other so the audit never claims "no live version" when an inert rule is live.
+ */
+async function evaluateAndEnforceLiveRules(store, input) {
+    const liveVersions = (0, local_rule_version_repo_1.listLiveLocalRuleVersions)(store, input.runtimeScopeId);
+    if (liveVersions.length === 0) {
+        return { response: PASS_THROUGH, outcome: { kind: "NO_LIVE_VERSION" } };
+    }
+    // Invariant 1: partition the LIVE rules into THREE classes (generalized-R4, P0.13). (a) An ENFORCEABLE
+    // family rule (PROHIBIT forbidden-root) is collected to be faced. (b) A provably INERT rule (one whose
+    // response ceiling is RECORD_ONLY, so it imposes no effect on the attempt and CANNOT conflict with a
+    // PROHIBIT deny) is SKIPPED: its presence neither enforces nor poisons the attempt, which is exactly
+    // what lets a CE0 consult-evidence rule coexist with the live deny pilot instead of disarming it. (c)
+    // Anything else is the R4 frontier we cannot reason about, so we fail OPEN for the whole attempt. A
+    // payload that will not even parse is, a fortiori, one we cannot reason about: fail open.
+    const enforceable = [];
+    for (const version of liveVersions) {
+        let payload = null;
+        try {
+            payload = JSON.parse(version.rulePayload);
+        }
+        catch {
+            payload = null;
+        }
+        if (payload && isProhibitForbiddenRootFamily(payload)) {
+            enforceable.push(version);
+            continue;
+        }
+        if ((0, inert_rule_families_1.isInertNonEnforcingRule)(payload)) {
+            continue;
+        }
+        return {
+            response: PASS_THROUGH,
+            outcome: { kind: "R4_UNSUPPORTED_RULE_KIND", ruleId: version.ruleId },
+        };
+    }
+    // Only inert rules were live: no ENFORCEABLE armed rule exists, so the enforce path has nothing to
+    // enforce and hands off to the R0 observe substrate exactly as an empty scope would. ONLY_INERT_RULES (not
+    // NO_LIVE_VERSION) records that the scope was NOT empty: a live inert rule existed but imposed no effect.
+    // The composed seam folds it into the observe fallback identically; the distinct tag keeps the audit honest.
+    if (enforceable.length === 0) {
+        return { response: PASS_THROUGH, outcome: { kind: "ONLY_INERT_RULES" } };
+    }
+    // Invariant 2: face each in-family rule in ruleId order; stop at the first deny.
+    let firstNonDeny = null;
+    for (const version of enforceable) {
+        const perRule = await evaluateAndEnforceNotesVersion(store, { ...input, ruleId: version.ruleId });
+        switch (perRule.outcome.kind) {
+            case "DENIED":
+                return perRule;
+            case "INFRA":
+                // Input-level (malformed hook payload / missing session): identical for every rule, so the
+                // first rule's diagnosis is the attempt's diagnosis.
+                return perRule;
+            case "OBSERVED":
+            case "ENFORCEMENT_UNAVAILABLE":
+                // Applicable but did not (could not) deny. Remember the first such outcome so the aggregate
+                // reports an applicable-but-not-denied attempt rather than a spurious NOT_APPLICABLE.
+                if (!firstNonDeny)
+                    firstNonDeny = perRule;
+                break;
+            case "NOT_APPLICABLE":
+            case "NO_LIVE_VERSION":
+                // NOT_APPLICABLE: this rule's matcher did not select the call. NO_LIVE_VERSION: the version was
+                // revoked between the list and the face (a benign race). Both are skips for this rule.
+                break;
+            case "R4_UNSUPPORTED_RULE_KIND":
+                // Unreachable (the guard above already rejected any out-of-family rule); fail open defensively.
+                return perRule;
+        }
+    }
+    // No rule denied. Surface the first applicable rule's outcome if any; otherwise no matcher selected
+    // this call and the attempt is NOT_APPLICABLE.
+    return firstNonDeny ?? { response: PASS_THROUGH, outcome: { kind: "NOT_APPLICABLE" } };
+}
+/**
+ * The composed PreToolUse seam the live hook calls (proposal §3.6: observe is the always-on R0
+ * substrate, enforce layers on the human-attested LIVE version). It ENFORCES against the LIVE attested
+ * version when one exists; otherwise (NO_LIVE_VERSION) it records the R0 observed substrate so a rule
+ * that has never been attested still leaves an attestable observed snapshot. This closes the bootstrap
+ * gap: enforce-only writes nothing when unarmed, so an empty store could never produce the snapshot an
+ * operator attests from. Observe never grants, so the fallback's response stays pass-through; the deny
+ * path is reached only through the enforce seam against an attested version, never through observe.
+ */
+async function evaluateEnforceOrObserveNotesRule(store, input) {
+    const enforced = await evaluateAndEnforceLiveRules(store, input);
+    // Both NO_LIVE_VERSION (empty scope) and ONLY_INERT_RULES (live rules exist but all are inert) mean no
+    // enforceable version is armed, so both hand off to the R0 observe substrate. The two tags are kept
+    // distinct in the dispatch outcome for audit honesty, but the fallback decision is identical here.
+    const k = enforced.outcome.kind;
+    if (k !== "NO_LIVE_VERSION" && k !== "ONLY_INERT_RULES") {
+        return enforced;
+    }
+    const observed = await (0, durable_observation_1.observeAndRecordNotesRule)(store, {
+        rawStdin: input.rawStdin,
+        directives: input.directives,
+        runtimeProjectRoot: input.runtimeProjectRoot,
+        runtimeScopeId: input.runtimeScopeId,
+        createdAt: input.createdAt,
+        now: input.now,
+        rand: input.rand,
+        classifyRuntime: input.classifyRuntime,
+    });
+    return { response: observed.response, outcome: observed.outcome };
+}

package/dist/lib/rules/evaluation-input-hash.js

@@ -0,0 +1,126 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EvaluationInputHashError = exports.CANONICALIZATION_FAILED = exports.EVALUATION_INPUT_HASH_DOMAIN = void 0;
+exports.buildEvaluationInputPayload = buildEvaluationInputPayload;
+exports.serializeEvaluationInput = serializeEvaluationInput;
+exports.evaluationInputHash = evaluationInputHash;
+const crypto_1 = require("crypto");
+const canonical_json_1 = require("./canonical-json");
+/**
+ * The `evaluation-input-v1` canonical hash domain (proposal §10.1 step 2, decision 4).
+ *
+ * It computes the content identity of the ACTION-SIDE replay basis: the
+ * post-canonicalization compliance-replay input the R0 build persists as
+ * tool_attempt.evaluation_input_snapshot. This is NOT a rule hash; it is the exact input the
+ * four-state evaluator judged, so a later replay can recompute the verdict from the stored
+ * snapshot alone, with no re-read of CLAUDE.md and no second filesystem probe. The digest is
+ *
+ *     SHA-256( domainTag || 0x00 || JCS(payload) )   (lowercase hex)
+ *
+ * where JCS is the repo's existing RFC 8785 canonicalizer (canonical-json.ts) and the domain
+ * tag + single 0x00 separator (decision 6) guarantee this digest can NEVER collide with the
+ * observed snapshot (`observed-rule-v1`), an attested version (`rule-version-v1`), or any other
+ * hashed artifact, even when two normalized bodies are byte-identical. JCS escapes control
+ * characters, so the only raw 0x00 byte in the hash input is the separator; the boundary
+ * between tag and payload is unambiguous.
+ *
+ * LOCKED SHAPE (proposal §10.1 step 2): exactly these JSON names, and `target` is the
+ * discriminated three-arm union. An in-scope target is a runtime-root-RELATIVE `path` (never an
+ * absolute home path); an out-of-scope target carries no path; an uncanonicalizable target is
+ * `UNKNOWN` with the single locked `reasonCode: "CANONICALIZATION_FAILED"`. The payload
+ * deliberately EXCLUDES file contents, tool output, and any unrestricted absolute home path. No
+ * unknown fields (fail-closed); no floats (float-free by construction).
+ *
+ * Universal-NFC caveat (honest). Unlike `observed-rule-v1`, this payload has NO prose field:
+ * `toolName` is an enum, `path` and `forbiddenRootRelativePath` are filesystem-derived, and the
+ * three version tags are opaque. The proposal's per-field rule says filesystem-derived and opaque
+ * values stay byte-for-byte; the vendored JCS primitive applies NFC to EVERY string. For the
+ * all-ASCII notes-location pilot every field is NFC-stable, so universal NFC is byte-identical to
+ * the per-field rule and the golden vectors are contract-correct. When a future evaluation input
+ * can carry a non-NFC `path` (for instance a target path with combining marks), this domain must
+ * switch to a per-field-NFC encoder so those bytes are preserved verbatim. That boundary is
+ * recorded in the ledger.
+ */
+exports.EVALUATION_INPUT_HASH_DOMAIN = "evaluation-input-v1";
+/** The locked reasonCode for an uncanonicalizable target. */
+exports.CANONICALIZATION_FAILED = "CANONICALIZATION_FAILED";
+/** Thrown when an input carries a field or value outside the evaluation-input-v1 schema. */
+class EvaluationInputHashError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "EvaluationInputHashError";
+    }
+}
+exports.EvaluationInputHashError = EvaluationInputHashError;
+// The closed key sets for each object in the payload schema. Unknown fields are an error
+// (decision 6), so a forward-incompatible producer cannot silently mint a hash a consumer
+// would compute differently.
+const TOP_LEVEL_KEYS = new Set([
+    "toolName",
+    "target",
+    "forbiddenRootRelativePath",
+    "evaluatorContractVersion",
+    "matcherSchemaVersion",
+    "pathCanonicalizerVersion",
+]);
+const TARGET_RUNTIME_RELATIVE_KEYS = new Set(["kind", "path"]);
+const TARGET_OUTSIDE_KEYS = new Set(["kind"]);
+const TARGET_UNKNOWN_KEYS = new Set(["kind", "reasonCode"]);
+function rejectUnknownKeys(obj, allowed, context) {
+    for (const key of Object.keys(obj)) {
+        if (!allowed.has(key)) {
+            throw new EvaluationInputHashError(`unknown field '${key}' in ${context} is outside the ${exports.EVALUATION_INPUT_HASH_DOMAIN} schema`);
+        }
+    }
+}
+function buildTargetPayload(target) {
+    switch (target.kind) {
+        case "RUNTIME_RELATIVE":
+            rejectUnknownKeys(target, TARGET_RUNTIME_RELATIVE_KEYS, "target(RUNTIME_RELATIVE)");
+            return { kind: "RUNTIME_RELATIVE", path: target.path };
+        case "OUTSIDE_RUNTIME_SCOPE":
+            rejectUnknownKeys(target, TARGET_OUTSIDE_KEYS, "target(OUTSIDE_RUNTIME_SCOPE)");
+            return { kind: "OUTSIDE_RUNTIME_SCOPE" };
+        case "UNKNOWN":
+            rejectUnknownKeys(target, TARGET_UNKNOWN_KEYS, "target(UNKNOWN)");
+            if (target.reasonCode !== exports.CANONICALIZATION_FAILED) {
+                throw new EvaluationInputHashError(`target(UNKNOWN).reasonCode must be '${exports.CANONICALIZATION_FAILED}', got '${String(target.reasonCode)}'`);
+            }
+            return { kind: "UNKNOWN", reasonCode: exports.CANONICALIZATION_FAILED };
+        default: {
+            const unexpected = target;
+            throw new EvaluationInputHashError(`unknown target kind '${String(unexpected.kind)}' is outside the ${exports.EVALUATION_INPUT_HASH_DOMAIN} schema`);
+        }
+    }
+}
+/**
+ * Build the closed canonical payload for an EvaluationInputV1: the exact object that gets
+ * canonicalized and hashed. Rejects unknown fields and an unknown target arm, and locks the
+ * UNKNOWN reasonCode. Field NFC is applied by the JCS encoder on the way out; see the
+ * universal-NFC caveat in the file header.
+ */
+function buildEvaluationInputPayload(input) {
+    rejectUnknownKeys(input, TOP_LEVEL_KEYS, "evaluation input");
+    return {
+        toolName: input.toolName,
+        target: buildTargetPayload(input.target),
+        forbiddenRootRelativePath: input.forbiddenRootRelativePath,
+        evaluatorContractVersion: input.evaluatorContractVersion,
+        matcherSchemaVersion: input.matcherSchemaVersion,
+        pathCanonicalizerVersion: input.pathCanonicalizerVersion,
+    };
+}
+/** The exact RFC 8785 canonical JSON string that is hashed (UTF-8). Exposed for golden
+ * vectors and debugging; the digest is over these bytes prefixed by the domain. */
+function serializeEvaluationInput(input) {
+    return (0, canonical_json_1.canonicalize)(buildEvaluationInputPayload(input));
+}
+/** The evaluation-input-v1 content hash: SHA-256(domainTag || 0x00 || JCS(payload)), lowercase hex. */
+function evaluationInputHash(input) {
+    const jcs = serializeEvaluationInput(input);
+    const h = (0, crypto_1.createHash)("sha256");
+    h.update(exports.EVALUATION_INPUT_HASH_DOMAIN, "utf8");
+    h.update(Buffer.from([0x00]));
+    h.update(jcs, "utf8");
+    return h.digest("hex");
+}

package/dist/lib/rules/evaluator.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.selectRule = selectRule;
+exports.verdictForForbiddenRoot = verdictForForbiddenRoot;
+exports.verdictForForbiddenContent = verdictForForbiddenContent;
+exports.verdictForForbiddenCommand = verdictForForbiddenCommand;
+exports.isEnforcementEligible = isEnforcementEligible;
+/**
+ * Minimal R0 glob: an optional literal prefix (before the first "*") and an
+ * optional literal suffix (after the last "*"). Covers "*.md", "** /*.md",
+ * "foo*", "*bar", and "*". Anything between the first and last "*" is ignored,
+ * which is sufficient for the configured "*.md" matcher and keeps the surface
+ * tiny on purpose.
+ */
+function matchesGlob(value, glob) {
+    const firstStar = glob.indexOf("*");
+    if (firstStar === -1) {
+        return value === glob;
+    }
+    const lastStar = glob.lastIndexOf("*");
+    const prefix = glob.slice(0, firstStar);
+    const suffix = glob.slice(lastStar + 1);
+    return (value.length >= prefix.length + suffix.length &&
+        value.startsWith(prefix) &&
+        value.endsWith(suffix));
+}
+/**
+ * Pure selection. Ambient rules are prompt-time grounding, not action gates:
+ * they never produce a per-call verdict, so at an action point they are
+ * NOT_APPLICABLE. An action rule applies when the tool is in its list and,
+ * if the matcher carries a glob, the named field holds a string matching it.
+ */
+function selectRule(call, applicability) {
+    if (applicability.mode === "ambient") {
+        return "NOT_APPLICABLE";
+    }
+    if (!applicability.tools.includes(call.toolName)) {
+        return "NOT_APPLICABLE";
+    }
+    const { matcher } = applicability;
+    if (matcher.glob !== undefined) {
+        const value = call.toolInput[matcher.field];
+        if (typeof value !== "string" || !matchesGlob(value, matcher.glob)) {
+            return "NOT_APPLICABLE";
+        }
+    }
+    return "APPLIES";
+}
+/**
+ * Pure verdict for a PROHIBIT forbidden-root rule. Maps the path classification
+ * (or the "UNSUPPORTED" sentinel from an evaluator that cannot handle the input)
+ * to a four-state verdict. The only enforcement-eligible outcome is VIOLATION;
+ * every uncertainty degrades to UNKNOWN.
+ */
+function verdictForForbiddenRoot(classification) {
+    switch (classification) {
+        case "UNDER_FORBIDDEN_ROOT":
+            return { result: "VIOLATION", reasonCode: "FORBIDDEN_PATH_MATCH" };
+        case "OUTSIDE_FORBIDDEN_ROOT":
+            return { result: "COMPLIANT", reasonCode: "COMPLIANT_OUTSIDE_FORBIDDEN_ROOT" };
+        case "INDETERMINATE":
+            return { result: "UNKNOWN", reasonCode: "CANONICALIZATION_FAILED" };
+        case "UNSUPPORTED":
+            return { result: "UNKNOWN", reasonCode: "EVALUATOR_UNSUPPORTED" };
+    }
+}
+/**
+ * Pure verdict for a PROHIBIT forbidden-content rule (the em-dash-ban class).
+ * Unlike the path/command matchers, a content field is fully observable, so a
+ * "no needle" result is a genuine COMPLIANT rather than an UNKNOWN: we hold the
+ * entire payload, so absence of the forbidden bytes is proven, not merely
+ * unobserved. INDETERMINATE (non-string field or empty needle set) degrades to
+ * UNKNOWN, which never asks or denies.
+ */
+function verdictForForbiddenContent(classification) {
+    switch (classification) {
+        case "CONTAINS_FORBIDDEN":
+            return { result: "VIOLATION", reasonCode: "FORBIDDEN_CONTENT_MATCH" };
+        case "NO_FORBIDDEN":
+            return { result: "COMPLIANT", reasonCode: "COMPLIANT_NO_FORBIDDEN_CONTENT" };
+        case "INDETERMINATE":
+            return { result: "UNKNOWN", reasonCode: "CONTENT_INDETERMINATE" };
+    }
+}
+/**
+ * Pure verdict for a PROHIBIT forbidden-command rule (the git/prisma class). The
+ * inverse of the content verdict: because a shell string is opaque, there is NO
+ * COMPLIANT outcome. Only a positive literal token-run match is a verdict
+ * (VIOLATION); both NO_MATCH and INDETERMINATE degrade to UNKNOWN, since a
+ * non-match cannot prove the command will not perform the operation (an alias, a
+ * wrapper script, eval, or $VAR expansion could). The distinct UNKNOWN reason
+ * codes keep "tokenized, found nothing" observably separate from "could not
+ * evaluate".
+ */
+function verdictForForbiddenCommand(classification) {
+    switch (classification) {
+        case "MATCHES_FORBIDDEN":
+            return { result: "VIOLATION", reasonCode: "FORBIDDEN_COMMAND_MATCH" };
+        case "NO_MATCH":
+            return { result: "UNKNOWN", reasonCode: "COMMAND_NO_MATCH_OPAQUE" };
+        case "INDETERMINATE":
+            return { result: "UNKNOWN", reasonCode: "COMMAND_INDETERMINATE" };
+    }
+}
+/** Only VIOLATION is potentially enforcement-eligible. */
+function isEnforcementEligible(result) {
+    return result === "VIOLATION";
+}