@neurcode-ai/cli 0.20.22 → 0.20.23
- package/README.md +13 -0
- package/dist/commands/pilot.d.ts.map +1 -1
- package/dist/commands/pilot.js +39 -27
- package/dist/commands/pilot.js.map +1 -1
- package/dist/commands/session-hook-recovery.d.ts +25 -0
- package/dist/commands/session-hook-recovery.d.ts.map +1 -0
- package/dist/commands/session-hook-recovery.js +94 -0
- package/dist/commands/session-hook-recovery.js.map +1 -0
- package/dist/commands/session-hook.d.ts.map +1 -1
- package/dist/commands/session-hook.js +33 -3
- package/dist/commands/session-hook.js.map +1 -1
- package/dist/runtime-build.json +4 -4
- package/dist/utils/local-first-value.d.ts +77 -0
- package/dist/utils/local-first-value.d.ts.map +1 -0
- package/dist/utils/local-first-value.js +808 -0
- package/dist/utils/local-first-value.js.map +1 -0
- package/package.json +1 -1
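--- a/package/README.md
+++ b/package/README.md
@@ -21,6 +21,19 @@ npm install -g @neurcode-ai/cli@latest
 neurcode --version
 ```
 
+## First Run (no account)
+
+```bash
+cd your-project
+neurcode pilot start
+```
+
+Runs a local first-value proof before any login: protected boundaries are
+detected from the repo profile, a protected write is blocked, one exact path is
+approved, and the neighboring path stays blocked. A source-free proof lands in
+`.neurcode/eval/local-first-value.json` (+ `.md`). Log in with `neurcode login`
+only when you want the proof in the dashboard or shared with your team.
+
 ## Primary Runtime Workflow
 
 Start with the agent session launcher: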
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pilot.d.ts","sourceRoot":"","sources":["../../src/commands/pilot.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"pilot.d.ts","sourceRoot":"","sources":["../../src/commands/pilot.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAkCpC,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAuP5D"}
|
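--- a/package/dist/commands/pilot.js
+++ b/package/dist/commands/pilot.js
@@ -18,6 +18,7 @@ const agent_adapter_setup_1 = require("../utils/agent-adapter-setup");
 const runtime_connection_1 = require("../utils/runtime-connection");
 const eval_demo_command_1 = require("../utils/eval-demo-command");
 const activation_telemetry_1 = require("../utils/activation-telemetry");
+const local_first_value_1 = require("../utils/local-first-value");
 const first_value_proof_1 = require("../utils/first-value-proof");
 const pilot_evidence_io_1 = require("../utils/pilot-evidence-io");
 const pilot_evidence_pack_1 = require("../utils/pilot-evidence-pack");
@@ -27,44 +28,55 @@ function emitJson(value) {
 function registerPilotCommands(program) {
 const pilot = program.command('pilot').description('Self-Serve Pilot Operating System utilities');
 // ── start (headline front door) ──────────────────────────────────────────────
-//
-//
-//
-//
-//
+// Local-First Aha V1: the canonical first command. It runs a complete local
+// first-value proof in the user's own repository BEFORE any login — detect
+// boundaries, block a protected write, approve one exact path, show the
+// neighbor stays blocked, and write a source-free proof artifact. Login and
+// dashboard sync are offered only after the proof exists. The fixture
+// sandbox stays available behind `--fixture` (same engine as `eval demo`).
 pilot
 .command('start')
-.description('
+.description('Run a local, login-free first-value proof in this repo (block → exact approval → neighbor containment)')
 .option('--dir <path>', 'Repository root (default: current directory)')
-.option('--agent <id>', 'Agent posture: claude | codex | cursor | vscode | copilot'
-.option('--fixture', 'Run the safe
+.option('--agent <id>', 'Agent posture: claude | codex | cursor | vscode | copilot')
+.option('--fixture', 'Run the safe throwaway fixture demo instead of the real-repo proof')
 .option('--preflight', 'Only run the buyer-friendly fixture preflight checks, then stop')
+.option('--yes', 'Approve the demonstrated exact path without prompting')
 .option('--json', 'Output machine-readable JSON')
 .action(async (options) => {
 if (options.fixture || options.preflight) {
 (0, eval_demo_command_1.runEvalDemoCommandAction)(options);
 return;
 }
-
-
-
-
-
-
-const state = await (0, first_value_proof_1.buildFirstValueCliState)({ dir: options.dir, agent: options.agent });
-if (options.json) {
-emitJson(state);
-}
-else {
-console.log((0, first_value_proof_1.renderFirstValueStart)(state));
-}
-if (state.proof.missingSteps.length === 0) {
-(0, activation_telemetry_1.trackActivationEvent)({
-eventType: 'onboarding_step_completed',
-commandFamily: 'pilot_start',
-reasonCode: 'first_value.completed',
-flush: false,
+try {
+const result = await (0, local_first_value_1.runLocalFirstValue)({
+dir: options.dir,
+agent: options.agent,
+assumeYes: options.yes === true,
+nonInteractive: options.json === true,
 });
+if (options.json) {
+emitJson({
+schemaVersion: result.artifact.schemaVersion,
+ok: result.ok,
+outcome: result.outcome,
+artifact: result.artifact,
+artifactFiles: result.artifactFiles,
+});
+}
+else {
+console.log(result.text);
+}
+}
+catch (error) {
+const message = error instanceof Error ? error.message : String(error);
+if (options.json)
+emitJson({ ok: false, error: message });
+else {
+console.error(`Local first-value proof failed: ${message}`);
+console.error('Try the safe sandbox instead: neurcode pilot start --fixture');
+}
+process.exitCode = 1;
 }
 });
 pilot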
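Review bot: In the new `start` action the exit code is set to 1 only inside the `catch` block, so a run that returns normally with `result.ok` false still exits 0 in both `--json` and text mode. Whether `runLocalFirstValue` can return a non-ok result without throwing is not visible here (its module is outside this section), but the JSON payload carries `ok: result.ok`, which suggests it can. If so, scripts and CI that gate on the exit status would read a proof in which the protected write was not blocked as a pass; adding `if (!result.ok) process.exitCode = 1;` after the output branch closes that. `registerPilotCommands` continues past the end of the hunk.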
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pilot.js","sourceRoot":"","sources":["../../src/commands/pilot.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;
|
|
1
|
+
{"version":3,"file":"pilot.js","sourceRoot":"","sources":["../../src/commands/pilot.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;AAoCH,sDAuPC;AAxRD,kDAA0B;AAC1B,qCAA+D;AAC/D,yCAA0C;AAC1C,0DAAyD;AACzD,8DAAiE;AACjE,sDAIgC;AAChC,wEAAwE;AACxE,sEAAyE;AACzE,oEAAoE;AACpE,kEAAsE;AACtE,wEAAqE;AACrE,kEAAgE;AAChE,kEAIoC;AACpC,kEAAuE;AACvE,sEAKsC;AAEtC,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,SAAgB,qBAAqB,CAAC,OAAgB;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,6CAA6C,CAAC,CAAC;IAElG,gFAAgF;IAChF,4EAA4E;IAC5E,2EAA2E;IAC3E,wEAAwE;IACxE,4EAA4E;IAC5E,sEAAsE;IACtE,2EAA2E;IAC3E,KAAK;SACF,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,wGAAwG,CAAC;SACrH,MAAM,CAAC,cAAc,EAAE,8CAA8C,CAAC;SACtE,MAAM,CAAC,cAAc,EAAE,2DAA2D,CAAC;SACnF,MAAM,CAAC,WAAW,EAAE,oEAAoE,CAAC;SACzF,MAAM,CAAC,aAAa,EAAE,iEAAiE,CAAC;SACxF,MAAM,CAAC,OAAO,EAAE,uDAAuD,CAAC;SACxE,MAAM,CAAC,QAAQ,EAAE,8BAA8B,CAAC;SAChD,MAAM,CAAC,KAAK,EAAE,OAAgH,EAAE,EAAE;QACjI,IAAI,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACzC,IAAA,4CAAwB,EAAC,OAAO,CAAC,CAAC;YAClC,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAA,sCAAkB,EAAC;gBACtC,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,SAAS,EAAE,OAAO,CAAC,GAAG,KAAK,IAAI;gBAC/B,cAAc,EAAE,OAAO,CAAC,IAAI,KAAK,IAAI;aACtC,CAAC,CAAC;YACH,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,QAAQ,CAAC;oBACP,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,aAAa;oBAC5C,EAAE,EAAE,MAAM,CAAC,EAAE;oBACb,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,aAAa,EAAE,MAAM,CAAC,aAAa;iBACpC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAI,OAAO,CAAC,IAAI;gBAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;iBACrD,CAAC;gBACJ,OAAO,CAAC,KAAK,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;gBAC5D,OAAO,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;YA
ChF,CAAC;YACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,6DAA6D,CAAC;SAC1E,MAAM,CAAC,cAAc,EAAE,8CAA8C,CAAC;SACtE,MAAM,CAAC,cAAc,EAAE,2DAA2D,EAAE,OAAO,CAAC;SAC5F,MAAM,CAAC,QAAQ,EAAE,8BAA8B,CAAC;SAChD,MAAM,CAAC,KAAK,EAAE,OAAyD,EAAE,EAAE;QAC1E,IAAA,2CAAoB,EAAC;YACnB,SAAS,EAAE,2BAA2B;YACtC,aAAa,EAAE,mBAAmB;YAClC,UAAU,EAAE,qBAAqB;YACjC,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,IAAA,2CAAuB,EAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACxF,IAAI,OAAO,CAAC,IAAI;YAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;;YAC7B,OAAO,CAAC,GAAG,CAAC,IAAA,yCAAqB,EAAC,KAAK,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,eAAe,EAAE,sCAAsC,CAAC;SAC/D,MAAM,CAAC,cAAc,EAAE,8CAA8C,CAAC;SACtE,MAAM,CAAC,cAAc,EAAE,2DAA2D,EAAE,OAAO,CAAC;SAC5F,MAAM,CAAC,QAAQ,EAAE,8BAA8B,CAAC;SAChD,MAAM,CAAC,KAAK,EAAE,OAA+E,EAAE,EAAE;QAChG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,uFAAuF,CAAC,CAAC;YACrG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAA,2CAAuB,EAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACxF,IAAI,OAAO,CAAC,IAAI;YAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;;YAC7B,OAAO,CAAC,GAAG,CAAC,IAAA,0CAAsB,EAAC,KAAK,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,kEAAkE,CAAC;SAC/E,MAAM,CAAC,QAAQ,EAAE,4BAA4B,CAAC;SAC9C,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC;SACzC,MAAM,CAAC,KAAK,EAAE,OAAyC,EAAE,EAAE;QAC1D,MAAM,QAAQ,GAAG,IAAA,+BAAe,EAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAM,KAAK,GAAG,MAAM,IAAA,uCAAqB,EAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,IAAA,yCAA6B,EAAC;YAC/C,cAAc,EAAE,KAAK,CAAC,KAAK;YAC3B,aAAa,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK;SACpC,CAAC,CAAC;QACH,MAAM,UAAU,GAAG,IAAA,0CAAqB,EAAC,QAAQ,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG;YAChB,UAAU,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI;YAC1C,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI;YAC
lD,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI;YAC1F,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI;SAChD,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAElB,MAAM,OAAO,GAAG;YACd,aAAa,EAAE,uCAA2B;YAC1C,QAAQ;YACR,KAAK,EAAE;gBACL,KAAK,EAAE,UAAU;gBACjB,SAAS,EAAE,IAAA,iCAAqB,EAAC,UAAU,CAAC;gBAC5C,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,YAAY;gBACzC,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,YAAY;gBACzC,OAAO,EAAE,KAAK,CAAC,QAAQ,CAAC,OAAO;gBAC/B,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;aACzC;YACD,OAAO,EAAE,UAAU;gBACjB,CAAC,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE;gBACzD,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE;YAC5B,kBAAkB,EAAE,SAAS;YAC7B,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtC,CAAC;QAEF,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,QAAQ,CAAC,OAAO,CAAC,CAAC;YAClB,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,KAAK,KAAK,CAAC,QAAQ,CAAC,YAAY,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,IAAI,GAAG,SAAS,CAAC,CAAC;QACnH,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,CAAC,CAAC,CAAC,cAAc,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;QAC7F,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM;YAAE,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtF,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,uDAAuD,CAAC;SACpE,QAAQ,CAAC,SAAS,EAAE,yCAAyC,CAAC;SAC9D,MAAM,CAAC,QAAQ,EAAE,4BAA4B,EAAE,IAAI,CAAC;SACpD,MAAM,CAAC,cAAc,EAAE,iBAAiB,CAAC;SACzC,MAAM,CAAC,CAAC,KAAyB,EAAE,OAAyC,EAAE,EAAE;QAC/E,MAAM,QAAQ,GAAG,IAAA,+BAAe,EAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAA,+CAAyB,EAAC,KAAK,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAA,8CAAuB,EAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACtE,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK;YAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;aAC1C,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,0BAA0B,MAAM,
EAAE,CAAC,CAAC,CAAC;YAC5D,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,eAAe,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,gFAAgF;IAChF,+EAA+E;IAC/E,wEAAwE;IACxE,6EAA6E;IAC7E,oEAAoE;IACpE,sEAAsE;IACtE,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,sFAAsF,CAAC;SACnG,MAAM,CAAC,cAAc,EAAE,8CAA8C,CAAC;SACtE,MAAM,CAAC,aAAa,EAAE,sDAAsD,CAAC;SAC7E,MAAM,CAAC,mBAAmB,EAAE,+CAA+C,EAAE,MAAM,CAAC;SACpF,MAAM,CAAC,YAAY,EAAE,qCAAqC,CAAC;SAC3D,MAAM,CAAC,QAAQ,EAAE,wDAAwD,CAAC;SAC1E,MAAM,CAAC,KAAK,EAAE,OAAuF,EAAE,EAAE;QACxG,MAAM,QAAQ,GAAG,IAAA,+BAAe,EAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAE/D,+DAA+D;QAC/D,IAAI,cAAc,GAAG,IAEb,CAAC;QACT,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAA,uCAAqB,EAAC,QAAQ,CAAC,CAAC;YACpD,cAAc,GAAG;gBACf,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;gBAC1B,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE,YAAY,IAAI,IAAI;gBAClD,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE,YAAY,IAAI,IAAI;gBAClD,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,OAAO,IAAI,IAAI;aACzC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5E,MAAM,MAAM,GAAG,IAAA,6CAAyB,EAAC,QAAQ,EAAE;YACjD,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,IAAI;YACJ,cAAc;SACf,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,IAAA,4CAAsB,EAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAA,qDAA+B,EAAC,IAAI,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,IAAA,iDAA2B,EAAC,IAAI,CAAC,CAAC;QAE/C,8DAA8D;QAC9D,IAAA,uDAAiC,EAAC,IAAI,EAAE,4BAA4B,CAAC,CAAC;QACtE,IAAA,uDAAiC,EAAC,QAAQ,EAAE,gCAAgC,CAAC,CAAC;QAC9E,IAAA,uDAAiC,EAAC,IAAI,EAAE,4BAA4B,CAAC,CAAC;QAEtE,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,QAAQ,CAAC,IAAI,CAAC,CAAC;YACf,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAA,mBAAO,EAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAA,gBAAI,EAAC,QAAQ,E
AAE,WAAW,EAAE,gBAAgB,CAAC,CAAC;QAC5G,IAAI,CAAC,IAAA,oBAAU,EAAC,MAAM,CAAC;YAAE,IAAA,mBAAS,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,MAAM,EAAE,0BAA0B,CAAC,CAAC;QAC1D,IAAA,uBAAa,EAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QACtE,MAAM,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE3B,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QACrD,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;YACzD,MAAM,MAAM,GAAG,IAAA,gBAAI,EAAC,MAAM,EAAE,wBAAwB,CAAC,CAAC;YACtD,IAAA,uBAAa,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QACD,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,MAAM,EAAE,0BAA0B,CAAC,CAAC;YAC1D,IAAA,uBAAa,EAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,8CAA8C,IAAI,CAAC,YAAY,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC;QACrG,KAAK,MAAM,CAAC,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QAC9D,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC5C,OAAO,CAAC,GAAG,CACT,eAAK,CAAC,MAAM,CAAC,+BAA+B,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC,CACtG,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,6FAA6F,CAAC,CAAC,CAAC;QACtH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Strict recognizer for runtime recovery commands (Local-First Aha V1, P5).
|
|
3
|
+
*
|
|
4
|
+
* When the runtime identity guard denies protected operations (stale or
|
|
5
|
+
* missing runtime manifest), the only way out used to be a human terminal:
|
|
6
|
+
* the PreToolUse guard denied every Bash call — including the exact recovery
|
|
7
|
+
* command it printed. That is the recurring identity deadlock. This
|
|
8
|
+
* recognizer lets `session-hook check` allow precisely the documented
|
|
9
|
+
* recovery commands and nothing else, so recovery is possible from inside the
|
|
10
|
+
* governed agent while every other operation stays blocked.
|
|
11
|
+
*
|
|
12
|
+
* Deny-by-default posture:
|
|
13
|
+
* - single command only (no chaining, substitution, redirection, or globs)
|
|
14
|
+
* - `neurcode` (bare or path-suffixed) with `runtime repair`,
|
|
15
|
+
* `runtime identity`, or `doctor`, plus a small flag allowlist
|
|
16
|
+
* - `node <entrypoint> …` only when <entrypoint> resolves to the SAME file
|
|
17
|
+
* as the currently executing CLI — a foreign script is never allowed
|
|
18
|
+
*/
|
|
19
|
+
/**
|
|
20
|
+
* True only for a single, argument-safe invocation of a documented runtime
|
|
21
|
+
* recovery command. `currentEntrypoint` is the realpath of the executing CLI
|
|
22
|
+
* bundle; a `node <script>` form is accepted only when the script is that file.
|
|
23
|
+
*/
|
|
24
|
+
export declare function isRuntimeRecoveryCommand(command: string, currentEntrypoint: string): boolean;
|
|
25
|
+
//# sourceMappingURL=session-hook-recovery.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session-hook-recovery.d.ts","sourceRoot":"","sources":["../../src/commands/session-hook-recovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAkDH;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAoB5F"}
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Strict recognizer for runtime recovery commands (Local-First Aha V1, P5).
|
|
4
|
+
*
|
|
5
|
+
* When the runtime identity guard denies protected operations (stale or
|
|
6
|
+
* missing runtime manifest), the only way out used to be a human terminal:
|
|
7
|
+
* the PreToolUse guard denied every Bash call — including the exact recovery
|
|
8
|
+
* command it printed. That is the recurring identity deadlock. This
|
|
9
|
+
* recognizer lets `session-hook check` allow precisely the documented
|
|
10
|
+
* recovery commands and nothing else, so recovery is possible from inside the
|
|
11
|
+
* governed agent while every other operation stays blocked.
|
|
12
|
+
*
|
|
13
|
+
* Deny-by-default posture:
|
|
14
|
+
* - single command only (no chaining, substitution, redirection, or globs)
|
|
15
|
+
* - `neurcode` (bare or path-suffixed) with `runtime repair`,
|
|
16
|
+
* `runtime identity`, or `doctor`, plus a small flag allowlist
|
|
17
|
+
* - `node <entrypoint> …` only when <entrypoint> resolves to the SAME file
|
|
18
|
+
* as the currently executing CLI — a foreign script is never allowed
|
|
19
|
+
*/
|
|
20
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
21
|
+
exports.isRuntimeRecoveryCommand = isRuntimeRecoveryCommand;
|
|
22
|
+
const node_fs_1 = require("node:fs");
|
|
23
|
+
const SHELL_METACHARACTERS = /[;&|`$<>(){}*?!\n\r\\"']/;
|
|
24
|
+
const ALLOWED_SUBCOMMANDS = [
|
|
25
|
+
{ tokens: ['runtime', 'repair'] },
|
|
26
|
+
{ tokens: ['runtime', 'identity'] },
|
|
27
|
+
{ tokens: ['doctor'] },
|
|
28
|
+
];
|
|
29
|
+
const VALUE_FLAGS = new Set(['--dir']);
|
|
30
|
+
const BOOLEAN_FLAGS = new Set(['--json', '--runtime']);
|
|
31
|
+
function safeRealpath(path) {
|
|
32
|
+
try {
|
|
33
|
+
return (0, node_fs_1.realpathSync)(path);
|
|
34
|
+
}
|
|
35
|
+
catch {
|
|
36
|
+
return path;
|
|
37
|
+
}
|
|
38
|
+
}
|
|
39
|
+
function tokenize(command) {
|
|
40
|
+
const trimmed = command.trim();
|
|
41
|
+
if (!trimmed || trimmed.length > 400)
|
|
42
|
+
return null;
|
|
43
|
+
if (SHELL_METACHARACTERS.test(trimmed))
|
|
44
|
+
return null;
|
|
45
|
+
return trimmed.split(/\s+/);
|
|
46
|
+
}
|
|
47
|
+
function matchesSubcommandGrammar(tokens) {
|
|
48
|
+
const matched = ALLOWED_SUBCOMMANDS.find(({ tokens: expected }) => expected.every((expectedToken, index) => tokens[index] === expectedToken));
|
|
49
|
+
if (!matched)
|
|
50
|
+
return false;
|
|
51
|
+
let index = matched.tokens.length;
|
|
52
|
+
while (index < tokens.length) {
|
|
53
|
+
const flag = tokens[index];
|
|
54
|
+
if (BOOLEAN_FLAGS.has(flag)) {
|
|
55
|
+
index += 1;
|
|
56
|
+
continue;
|
|
57
|
+
}
|
|
58
|
+
if (VALUE_FLAGS.has(flag)) {
|
|
59
|
+
const value = tokens[index + 1];
|
|
60
|
+
if (!value || value.startsWith('-'))
|
|
61
|
+
return false;
|
|
62
|
+
index += 2;
|
|
63
|
+
continue;
|
|
64
|
+
}
|
|
65
|
+
return false;
|
|
66
|
+
}
|
|
67
|
+
return true;
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* True only for a single, argument-safe invocation of a documented runtime
|
|
71
|
+
* recovery command. `currentEntrypoint` is the realpath of the executing CLI
|
|
72
|
+
* bundle; a `node <script>` form is accepted only when the script is that file.
|
|
73
|
+
*/
|
|
74
|
+
function isRuntimeRecoveryCommand(command, currentEntrypoint) {
|
|
75
|
+
const tokens = tokenize(command);
|
|
76
|
+
if (!tokens || tokens.length < 2)
|
|
77
|
+
return false;
|
|
78
|
+
const [head, ...rest] = tokens;
|
|
79
|
+
const headBase = head.split('/').pop() || head;
|
|
80
|
+
if (headBase === 'neurcode') {
|
|
81
|
+
return matchesSubcommandGrammar(rest);
|
|
82
|
+
}
|
|
83
|
+
if (headBase === 'node') {
|
|
84
|
+
const script = rest[0];
|
|
85
|
+
if (!script || script.startsWith('-'))
|
|
86
|
+
return false;
|
|
87
|
+
const resolvedEntry = safeRealpath(currentEntrypoint);
|
|
88
|
+
if (safeRealpath(script) !== resolvedEntry)
|
|
89
|
+
return false;
|
|
90
|
+
return matchesSubcommandGrammar(rest.slice(1));
|
|
91
|
+
}
|
|
92
|
+
return false;
|
|
93
|
+
}
|
|
94
|
+
//# sourceMappingURL=session-hook-recovery.js.map
|
|
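Review bot: `isRuntimeRecoveryCommand` pins the `node <script>` argument by realpath but matches the executable itself by basename only (`head.split('/').pop()`), so any path whose last segment is `neurcode` or `node` satisfies the head check, and a bare name resolves through whatever `PATH` the agent's shell has. That makes the header comment's "a foreign script is never allowed" guarantee weaker than stated, because the program that actually runs is not tied to the executing CLI. For the node form a pin such as `if (head !== 'node' && safeRealpath(head) !== safeRealpath(process.execPath)) return false;` would help, and the `neurcode` form needs an equivalent check against the installed launcher. Separately, `SHELL_METACHARACTERS` does not reject `[`, `]` or `~` although the comment promises no globs, and `safeRealpath(script)` resolves a relative path against the hook process's working directory, which may differ from the directory the command later runs in.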
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session-hook-recovery.js","sourceRoot":"","sources":["../../src/commands/session-hook-recovery.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;AAuDH,4DAoBC;AAzED,qCAAuC;AAEvC,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;AACxD,MAAM,mBAAmB,GAAgC;IACvD,EAAE,MAAM,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE;IACjC,EAAE,MAAM,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE;IACnC,EAAE,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE;CACvB,CAAC;AACF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;AAEvD,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,OAAO,IAAA,sBAAY,EAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,OAAe;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,wBAAwB,CAAC,MAAgB;IAChD,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,CAChE,QAAQ,CAAC,KAAK,CAAC,CAAC,aAAa,EAAE,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,aAAa,CAAC,CAAC,CAAC;IAC7E,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,IAAI,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC;IAClC,OAAO,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAChC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;YAClD,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,SAAgB,wBAAwB,CAAC,OAAe,EAAE,iBAAyB;IACjF,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/C,MAAM,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC;IAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,KA
AK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;IAE/C,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC5B,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACpD,MAAM,aAAa,GAAG,YAAY,CAAC,iBAAiB,CAAC,CAAC;QACtD,IAAI,YAAY,CAAC,MAAM,CAAC,KAAK,aAAa;YAAE,OAAO,KAAK,CAAC;QACzD,OAAO,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"session-hook.d.ts","sourceRoot":"","sources":["../../src/commands/session-hook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKzC,OAAO,EACL,iBAAiB,EAsBjB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EAErB,KAAK,uBAAuB,EAG7B,MAAM,iCAAiC,CAAC;AA0BzC,OAAO,KAAK,EAEV,8BAA8B,EAC/B,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"session-hook.d.ts","sourceRoot":"","sources":["../../src/commands/session-hook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKzC,OAAO,EACL,iBAAiB,EAsBjB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EAErB,KAAK,uBAAuB,EAG7B,MAAM,iCAAiC,CAAC;AA0BzC,OAAO,KAAK,EAEV,8BAA8B,EAC/B,MAAM,wBAAwB,CAAC;AA0FhC,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAClC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,kBAAkB,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAiB1G;AAeD,wBAAgB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAuBtF;AAED,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAQjF;AAgSD,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,CAqBnF;AAUD,wBAAgB,2BAA2B,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;IAC/E,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,eAAe,GAAG,iBAAiB,GAAG,wBAAwB,GAAG,eAAe,CAAC;CAC9F,CAuBA;AAyJD;;;;GAIG;AACH,MAAM,MAAM,qBAAqB,GAAG,uBAAuB,CAAC;AAE5D,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,qBAAqB,CAAC;CACrC;AAID;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAS/D;AAgBD,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,4BAA4B,CAgE7G;AA2ED,wBAAgB,yCAAyC,CACvD,OAAO,EAAE,iBAAiB,EAC1B,eAAe,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,SAAS,CAAC,EAAE,gBAAgB,CAAA;CAAE,GAAG,IAAI,GAChH,OAAO,CAaT;AAsjBD;;;;;;;GAOG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,8BAA8B,EACxC,QAAQ,EAAE,8BAA8B,GAAG,SAAS,GACnD;IAAE,SAAS,EAAE,8BAA8B,CAAC;IAAC,UAAU,EAAE,OAAO,CAAA;CAAE,CAMpE;AAqoCD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA+IzD"}
|
|
@@ -50,6 +50,7 @@ const consequence_nudges_1 = require("../utils/consequence-nudges");
|
|
|
50
50
|
const agent_guard_supervisor_1 = require("../utils/agent-guard-supervisor");
|
|
51
51
|
const local_repo_brain_1 = require("../utils/local-repo-brain");
|
|
52
52
|
const runtime_authority_1 = require("../utils/runtime-authority");
|
|
53
|
+
const session_hook_recovery_1 = require("./session-hook-recovery");
|
|
53
54
|
const brain_lifecycle_1 = require("../utils/brain-lifecycle");
|
|
54
55
|
const proposed_change_analysis_1 = require("../utils/proposed-change-analysis");
|
|
55
56
|
const repo_intelligence_v2_1 = require("../utils/repo-intelligence-v2");
|
|
@@ -1293,12 +1294,41 @@ async function handleCheck(cmdCwd, trustedAdapterId, trustedTiming) {
|
|
|
1293
1294
|
(0, runtime_authority_1.assertProtectedRuntimeAuthority)(repoRoot, trustedAdapterId);
|
|
1294
1295
|
}
|
|
1295
1296
|
catch (error) {
|
|
1296
|
-
|
|
1297
|
+
const message = error instanceof Error ? error.message : String(error);
|
|
1298
|
+
// P5 (Local-First Aha V1): this guard used to deny EVERY tool call on a
|
|
1299
|
+
// stale/missing runtime manifest — including the recovery command printed
|
|
1300
|
+
// in its own message — wedging the agent until a human found an unhooked
|
|
1301
|
+
// terminal. Allow exactly the documented recovery commands through the
|
|
1302
|
+
// guard; every other operation stays denied until identity is repaired.
|
|
1303
|
+
const guardToolName = hookInput['tool_name'] ||
|
|
1304
|
+
hookInput['toolName'] ||
|
|
1305
|
+
'';
|
|
1306
|
+
if (/^(bash|shell|runCommand|run_command|runInTerminal|run_in_terminal|terminal)$/i.test(guardToolName)) {
|
|
1307
|
+
const guardToolInput = hookInput['tool_input'] ??
|
|
1308
|
+
hookInput['toolInput'] ??
|
|
1309
|
+
{};
|
|
1310
|
+
const guardCommand = guardToolInput['command'] ||
|
|
1311
|
+
guardToolInput['cmd'] ||
|
|
1312
|
+
hookInput['command'] ||
|
|
1313
|
+
'';
|
|
1314
|
+
if ((0, session_hook_recovery_1.isRuntimeRecoveryCommand)(guardCommand, (0, runtime_authority_1.activeRuntimeEntrypoint)())) {
|
|
1315
|
+
diagnostic('runtime identity is stale; allowing the documented recovery command through the guard');
|
|
1316
|
+
process.stdout.write(JSON.stringify({
|
|
1317
|
+
hookSpecificOutput: {
|
|
1318
|
+
hookEventName: 'PreToolUse',
|
|
1319
|
+
permissionDecision: 'allow',
|
|
1320
|
+
reason: '⚠️ Neurcode runtime identity is stale; this recovery command is allowed so governance can repair itself. All other operations stay blocked until repair completes.',
|
|
1321
|
+
},
|
|
1322
|
+
}) + '\n');
|
|
1323
|
+
process.exit(0);
|
|
1324
|
+
}
|
|
1325
|
+
}
|
|
1326
|
+
denyPreToolUse(message, {
|
|
1297
1327
|
blockContext: blockContext({
|
|
1298
1328
|
blockType: 'profile_or_runtime_health_block',
|
|
1299
|
-
message
|
|
1329
|
+
message,
|
|
1300
1330
|
runtimeMode: 'strict',
|
|
1301
|
-
nextAction: 'Run `neurcode runtime repair
|
|
1331
|
+
nextAction: 'Run `neurcode runtime repair` (allowed through this guard), restart the agent integration if requested, and retry.',
|
|
1302
1332
|
}),
|
|
1303
1333
|
});
|
|
1304
1334
|
return;
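Review bot: The recovery allowance sits in a `catch (error)` that handles every failure of the guarded block, yet the diagnostic and the `reason` string both assert that runtime identity is stale. As far as this hunk shows, any exception from `assertProtectedRuntimeAuthority` (or from earlier statements in the `try`, which starts outside the hunk) opens the allow path; it should be gated on the specific stale-or-missing-manifest failure, for example `error?.code === '<STALE_MANIFEST_ERROR_CODE placeholder>'`, so other authority failures stay fully denied. `guardCommand` should also be type-checked before use, `typeof guardCommand === 'string' && isRuntimeRecoveryCommand(...)`, because the recognizer calls `.trim()` on it and a throw inside this handler would skip `denyPreToolUse`. Recording each allowed recovery command together with the original error message would make these exceptions auditable; `handleCheck` continues outside the hunk.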
|