@neurcode-ai/contracts 0.1.3 → 0.2.1

package/dist/repo-intelligence-v2.js

@@ -0,0 +1,135 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REPO_INTELLIGENCE_OPERATIONS_SCHEMA_VERSION = exports.REPO_INTELLIGENCE_EVIDENCE_SCHEMA_VERSION = exports.SEMANTIC_ADVISORY_SCHEMA_VERSION = exports.POLICY_EVALUATION_SCHEMA_VERSION = exports.COMPILED_STRUCTURAL_POLICY_SCHEMA_VERSION = exports.PROPOSED_CHANGE_ENVELOPE_SCHEMA_VERSION = exports.REPOSITORY_GRAPH_SCHEMA_VERSION = void 0;
+exports.assertSourceFreeRepoIntelligence = assertSourceFreeRepoIntelligence;
+exports.isRepoIntelligenceEvidence = isRepoIntelligenceEvidence;
+exports.sourceFreePrivacyContract = sourceFreePrivacyContract;
+exports.REPOSITORY_GRAPH_SCHEMA_VERSION = 'neurcode.repository-graph.v2';
+exports.PROPOSED_CHANGE_ENVELOPE_SCHEMA_VERSION = 'neurcode.proposed-change.v2';
+exports.COMPILED_STRUCTURAL_POLICY_SCHEMA_VERSION = 'neurcode.compiled-structural-policy.v2';
+exports.POLICY_EVALUATION_SCHEMA_VERSION = 'neurcode.policy-evaluation.v2';
+exports.SEMANTIC_ADVISORY_SCHEMA_VERSION = 'neurcode.semantic-advisory.v2';
+exports.REPO_INTELLIGENCE_EVIDENCE_SCHEMA_VERSION = 'neurcode.repo-intelligence-evidence.v2';
+exports.REPO_INTELLIGENCE_OPERATIONS_SCHEMA_VERSION = 'neurcode.repo-intelligence-operations.v1';
+const SOURCE_LIKE_KEYS = new Set([
+    'content',
+    'source',
+    'sourcetext',
+    'sourcecode',
+    'diff',
+    'patch',
+    'before',
+    'after',
+    'rawprompt',
+    'rawchat',
+    'terminaloutput',
+    'secret',
+]);
+function normalizedKey(key) {
+    return key.toLowerCase().replace(/[^a-z0-9]/g, '');
+}
+function assertSourceFreeRepoIntelligence(value, path = 'payload') {
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => assertSourceFreeRepoIntelligence(item, `${path}[${index}]`));
+        return;
+    }
+    if (!value || typeof value !== 'object')
+        return;
+    for (const [key, child] of Object.entries(value)) {
+        if (SOURCE_LIKE_KEYS.has(normalizedKey(key))) {
+            throw new Error(`source-like repository intelligence field is not allowed: ${path}.${key}`);
+        }
+        assertSourceFreeRepoIntelligence(child, `${path}.${key}`);
+    }
+}
+function isRepoIntelligenceEvidence(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return false;
+    const record = value;
+    if (record.schemaVersion !== exports.REPO_INTELLIGENCE_EVIDENCE_SCHEMA_VERSION)
+        return false;
+    if (typeof record.evidenceId !== 'string' || typeof record.generatedAt !== 'string')
+        return false;
+    if (!['deterministic', 'backend_signed', 'advisory', 'not_evaluated'].includes(String(record.classification)))
+        return false;
+    if (!['allow', 'warn', 'block', 'not_evaluated'].includes(String(record.verdict)))
+        return false;
+    const enforcement = record.enforcement;
+    if (!enforcement || ![
+        'hard_prewrite', 'cooperative_prewrite', 'supervised_write',
+        'post_write', 'ci_only', 'not_supported',
+    ].includes(String(enforcement.capability)))
+        return false;
+    const graph = record.graph;
+    const policy = record.policy;
+    const privacy = record.privacy;
+    if (!graph || !policy || !privacy)
+        return false;
+    if (graph.canonicalModel !== undefined && graph.canonicalModel !== 'repository_graph_v2')
+        return false;
+    if (graph.storageSchemaVersion !== undefined && graph.storageSchemaVersion !== null
+        && (typeof graph.storageSchemaVersion !== 'number'
+            || !Number.isInteger(graph.storageSchemaVersion) || graph.storageSchemaVersion < 0))
+        return false;
+    for (const key of ['lastSuccessfulIndexAt', 'lastAttemptedIndexAt']) {
+        if (graph[key] !== undefined && graph[key] !== null && typeof graph[key] !== 'string')
+            return false;
+    }
+    for (const key of ['deterministicEvidenceEligible', 'deterministicEnforcementEligible']) {
+        if (graph[key] !== undefined && typeof graph[key] !== 'boolean')
+            return false;
+    }
+    if (graph.enforcementIneligibilityReasons !== undefined && (!Array.isArray(graph.enforcementIneligibilityReasons)
+        || graph.enforcementIneligibilityReasons.length > 64
+        || !graph.enforcementIneligibilityReasons.every((item) => typeof item === 'string' && item.length > 0 && item.length <= 128)))
+        return false;
+    if (graph.recoveryCommand !== undefined
+        && !['neurcode brain repo-index', 'neurcode brain repo-recover'].includes(String(graph.recoveryCommand)))
+        return false;
+    if (graph.coverage !== undefined && graph.coverage !== null) {
+        if (typeof graph.coverage !== 'object' || Array.isArray(graph.coverage))
+            return false;
+        const coverage = graph.coverage;
+        for (const key of ['filesSeen', 'filesIndexed', 'filesAnalyzed', 'filesSkipped', 'filesUnsupported', 'filesDegraded', 'filesFailed']) {
+            if (typeof coverage[key] !== 'number' || !Number.isInteger(coverage[key]) || Number(coverage[key]) < 0)
+                return false;
+        }
+    }
+    if (graph.runtimeCompatibility !== undefined) {
+        if (!graph.runtimeCompatibility || typeof graph.runtimeCompatibility !== 'object' || Array.isArray(graph.runtimeCompatibility))
+            return false;
+        const compatibility = graph.runtimeCompatibility;
+        if (compatibility.component !== 'cli')
+            return false;
+        for (const key of ['contractId', 'runtimeContractVersion', 'manifestVersion']) {
+            if (typeof compatibility[key] !== 'string' || compatibility[key].length === 0)
+                return false;
+        }
+    }
+    if (!Array.isArray(policy.evaluatedRuleIds) || !Array.isArray(policy.notEvaluatedRuleIds) || !Array.isArray(policy.findings))
+        return false;
+    if (!Array.isArray(record.advisory))
+        return false;
+    if (privacy.sourceUploaded !== false || privacy.sourceStored !== false ||
+        privacy.diffUploaded !== false || privacy.promptUploaded !== false ||
+        privacy.chatUploaded !== false || privacy.rawContentRetained !== false)
+        return false;
+    try {
+        assertSourceFreeRepoIntelligence(value);
+    }
+    catch {
+        return false;
+    }
+    return true;
+}
+function sourceFreePrivacyContract() {
+    return {
+        sourceUploaded: false,
+        sourceStored: false,
+        diffUploaded: false,
+        promptUploaded: false,
+        chatUploaded: false,
+        rawContentRetained: false,
+    };
+}
+//# sourceMappingURL=repo-intelligence-v2.js.map

package/dist/repo-intelligence-v2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo-intelligence-v2.js","sourceRoot":"","sources":["../src/repo-intelligence-v2.ts"],"names":[],"mappings":";;;AAuvBA,4EAYC;AAED,gEA6DC;AAED,8DASC;AA70BY,QAAA,+BAA+B,GAAG,8BAAuC,CAAC;AAC1E,QAAA,uCAAuC,GAAG,6BAAsC,CAAC;AACjF,QAAA,yCAAyC,GAAG,wCAAiD,CAAC;AAC9F,QAAA,gCAAgC,GAAG,+BAAwC,CAAC;AAC5E,QAAA,gCAAgC,GAAG,+BAAwC,CAAC;AAC5E,QAAA,yCAAyC,GAAG,wCAAiD,CAAC;AAC9F,QAAA,2CAA2C,GAAG,0CAAmD,CAAC;AA8tB/G,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,SAAS;IACT,QAAQ;IACR,YAAY;IACZ,YAAY;IACZ,MAAM;IACN,OAAO;IACP,QAAQ;IACR,OAAO;IACP,WAAW;IACX,SAAS;IACT,gBAAgB;IAChB,QAAQ;CACT,CAAC,CAAC;AAEH,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,SAAgB,gCAAgC,CAAC,KAAc,EAAE,IAAI,GAAG,SAAS;IAC/E,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,gCAAgC,CAAC,IAAI,EAAE,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;QAC5F,OAAO;IACT,CAAC;IACD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO;IAChD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;QAC5E,IAAI,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,6DAA6D,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;QAC9F,CAAC;QACD,gCAAgC,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,SAAgB,0BAA0B,CAAC,KAAc;IACvD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9E,MAAM,MAAM,GAAG,KAAgC,CAAC;IAChD,IAAI,MAAM,CAAC,aAAa,KAAK,iDAAyC;QAAE,OAAO,KAAK,CAAC;IACrF,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClG,IAAI,CAAC,CAAC,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5H,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAChG,MAAM,WAAW,GAAG,MAAM,CAAC,WAA6C,CAAC;IACzE,IAAI,CAAC,WAAW,IAAI,CAAC;QACnB,eAAe,EAAE,sBAAsB,EAAE,kBAAkB;QAC3D,YAAY,EAAE,SAAS,EAAE,eAAe;KACzC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACzD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAuC,CAAC;IAC7D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAwC,CAAC;IAC/D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAyC,CAAC;IACjE,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,KAAK,CAAC,cAAc,KAAK,SAAS,IAAI,KAAK,CAAC,cAAc,KAAK,qBAAqB;QAAE,OAAO,KAAK,CAAC;IACvG,IAAI,KAAK,CAAC,oBAAoB,KAAK,SAAS,IAAI,KAAK,CAAC,oBAAoB,KAAK,IAAI;WAC9E,CAAC,OAAO,KAAK,CAAC,oBAAoB,KAAK,QAAQ;eAC7C,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACtG,KAAK,MAAM,GAAG,IAAI,CAAC,uBAAuB,EAAE,sBAAsB,CAAU,EAAE,CAAC;QAC7E,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,SAAS,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,IAAI,IAAI,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;IACtG,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,CAAC,+BAA+B,EAAE,kCAAkC,CAAU,EAAE,CAAC;QACjG,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,SAAS,IAAI,OAAO,KAAK,CAAC,GAAG,CAAC,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;IAChF,CAAC;IACD,IAAI,KAAK,CAAC,+BAA+B,KAAK,SAAS,IAAI,CACzD,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC;WAClD,KAAK,CAAC,+BAA+B,CAAC,MAAM,GAAG,EAAE;WACjD,CAAC,KAAK,CAAC,+BAA+B,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,IAAI,GAAG,CAAC,CAC7H;QAAE,OAAO,KAAK,CAAC;IAChB,IAAI,KAAK,CAAC,eAAe,KAAK,SAAS;WAClC,CAAC,CAAC,2BAA2B,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACzH,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;QAC5D,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;QACtF,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAmC,CAAC;QAC3D,KAAK,MAAM,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,eAAe,EAAE,cAAc,EAAE,kBAAkB,EAAE,eAAe,EAAE,aAAa,CAAC,EAAE,CAAC;YACrI,IAAI,OAAO,QAAQ,CAAC,GAAG,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QACvH,CAAC;IACH,CAAC;IACD,IAAI,KAAK,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK,CAAC,oBAAoB,IAAI,OAAO,KAAK,CAAC,oBAAoB,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7I,MAAM,aAAa,GAAG,KAAK,CAAC,oBAA+C,CAAC;QAC5E,IAAI,aAAa,CAAC,SAAS,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;QACpD,KAAK,MAAM,GAAG,IAAI,CAAC,YAAY,EAAE,wBAAwB,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC9E,IAAI,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC9F,CAAC;IACH,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3I,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,IACE,OAAO,CAAC,cAAc,KAAK,KAAK,IAAI,OAAO,CAAC,YAAY,KAAK,KAAK;QAClE,OAAO,CAAC,YAAY,KAAK,KAAK,IAAI,OAAO,CAAC,cAAc,KAAK,KAAK;QAClE,OAAO,CAAC,YAAY,KAAK,KAAK,IAAI,OAAO,CAAC,kBAAkB,KAAK,KAAK;QACtE,OAAO,KAAK,CAAC;IACf,IAAI,CAAC;QACH,gCAAgC,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,yBAAyB;IACvC,OAAO;QACL,cAAc,EAAE,KAAK;QACrB,YAAY,EAAE,KAAK;QACnB,YAAY,EAAE,KAAK;QACnB,cAAc,EAAE,KAAK;QACrB,YAAY,EAAE,KAAK;QACnB,kBAAkB,EAAE,KAAK;KAC1B,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,9 +1,12 @@
 {
   "name": "@neurcode-ai/contracts",
-  "version": "0.1.3",
+  "version": "0.2.1",
   "description": "Shared JSON contracts for Neurcode CLI, API, action, IDE, and MCP surfaces",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
@@ -12,6 +15,9 @@
   },
   "license": "MIT",
   "dependencies": {},
+  "publishConfig": {
+    "access": "public"
+  },
   "devDependencies": {
     "@types/node": "^20.10.0",
     "tsx": "^4.20.6",

package/src/admission/admission-framing.test.ts

@@ -1,93 +0,0 @@
-/**
- * Runtime Admission framing + privacy contract tests (Phase A).
- *
- * Covers:
- *  - length-prefixed framing is byte-deterministic
- *  - delimiter/path ambiguity cannot collide
- *  - source-free privacy guard rejects source-like keys
- *  - object-format helpers (sha1 vs sha256 widths)
- */
-
-import test from 'node:test';
-import assert from 'node:assert/strict';
-
-import {
-  ADMISSION_SOURCE_LIKE_KEYS,
-  AdmissionSourceLeakError,
-  assertSourceFreeAdmissionValue,
-  frameFields,
-  frameRecordSet,
-  objectIdHexLength,
-  objectTypeForMode,
-  zeroObjectId,
-} from './index';
-
-function toHex(bytes: Uint8Array): string {
-  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
-}
-
-test('frameFields is deterministic for identical input', () => {
-  const a = frameFields(['src/auth/login.ts', 'modified', 'blob']);
-  const b = frameFields(['src/auth/login.ts', 'modified', 'blob']);
-  assert.equal(toHex(a), toHex(b));
-});
-
-test('length-prefixed fields cannot collide across boundaries', () => {
-  // ["a","b"] must never produce the same bytes as ["ab"] or ["a\tb"].
-  const split = toHex(frameFields(['a', 'b']));
-  const joined = toHex(frameFields(['ab']));
-  const tabbed = toHex(frameFields(['a\tb']));
-  const nulled = toHex(frameFields(['a\0b']));
-  assert.notEqual(split, joined);
-  assert.notEqual(split, tabbed);
-  assert.notEqual(split, nulled);
-  assert.notEqual(joined, tabbed);
-});
-
-test('record boundaries cannot be forged by field content', () => {
-  // Two records [["a"],["b"]] vs one record [["a","b"]] must differ.
-  const twoRecords = toHex(frameRecordSet(['h'], [['a'], ['b']]));
-  const oneRecord = toHex(frameRecordSet(['h'], [['a', 'b']]));
-  assert.notEqual(twoRecords, oneRecord);
-});
-
-test('header participates in the framed bytes (domain separation)', () => {
-  const delta = toHex(frameRecordSet(['delta'], [['x']]));
-  const coverage = toHex(frameRecordSet(['coverage'], [['x']]));
-  assert.notEqual(delta, coverage);
-});
-
-test('object id helpers respect format width', () => {
-  assert.equal(objectIdHexLength('sha1'), 40);
-  assert.equal(objectIdHexLength('sha256'), 64);
-  assert.equal(zeroObjectId('sha1').length, 40);
-  assert.equal(zeroObjectId('sha256').length, 64);
-  assert.equal(objectTypeForMode('160000'), 'submodule');
-  assert.equal(objectTypeForMode('120000'), 'symlink');
-  assert.equal(objectTypeForMode('100755'), 'blob');
-  assert.equal(objectTypeForMode('000000'), 'absent');
-  assert.throws(() => objectTypeForMode('040000'));
-});
-
-test('source-free guard permits provenance keys', () => {
-  const safe = {
-    path: 'src/auth/login.ts',
-    objectId: 'a'.repeat(40),
-    mode: '100644',
-    classification: 'governed_prewrite',
-    sessions: ['abc123'],
-    coverageSetHash: 'f'.repeat(64),
-    capturedAt: '2026-06-02T00:00:00.000Z',
-  };
-  assert.doesNotThrow(() => assertSourceFreeAdmissionValue(safe));
-});
-
-test('source-free guard rejects planted source content keys', () => {
-  for (const key of ['content', 'diff', 'patch', 'sourceText', 'sourceCode', 'rawPrompt', 'commandBody', 'secret', 'token']) {
-    assert.ok(ADMISSION_SOURCE_LIKE_KEYS.has(key), `expected ${key} in denylist`);
-    assert.throws(
-      () => assertSourceFreeAdmissionValue({ manifest: { coverage: [{ [key]: 'leak' }] } }),
-      AdmissionSourceLeakError,
-    );
-  }
-});

package/src/admission/framing.ts

@@ -1,78 +0,0 @@
-/**
- * Runtime Admission — canonical byte-safe framing (Phase A).
- *
- * Deterministic, length-prefixed framing for the delta and coverage hashes.
- * Web-safe: uses Uint8Array + TextEncoder only (this package is imported by
- * the dashboard and other non-Node surfaces). No Node Buffer, no crypto here —
- * hashing of the framed bytes happens in the governance-runtime core.
- *
- * Why length-prefixed framing (and not a delimiter join):
- *   A delimiter such as "\0" or "\t" can appear inside a path, so a delimiter
- *   join lets two distinct field sets collapse to the same byte stream
- *   (e.g. ["a\tb"] vs ["a","b"]). Every field and every record here is prefixed
- *   with its exact byte length, so field and record boundaries are
- *   unambiguous and no path content can forge a boundary.
- */
-
-/** Schema/domain version for the framing contract. Bump only on a breaking framing change. */
-export const ADMISSION_FRAMING_VERSION = 'neurcode.admission-framing.v1' as const;
-
-/** Domain separators so delta and coverage hashes can never alias each other. */
-export const ADMISSION_DELTA_HASH_DOMAIN = 'neurcode.admission.delta.v1' as const;
-export const ADMISSION_COVERAGE_SET_HASH_DOMAIN = 'neurcode.admission.coverage-set.v1' as const;
-
-const textEncoder = new TextEncoder();
-
-function u32be(value: number): Uint8Array {
-  if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) {
-    throw new Error(`admission framing: length out of range: ${value}`);
-  }
-  const out = new Uint8Array(4);
-  const view = new DataView(out.buffer);
-  view.setUint32(0, value, false);
-  return out;
-}
-
-function concatBytes(parts: Uint8Array[]): Uint8Array {
-  let total = 0;
-  for (const part of parts) total += part.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const part of parts) {
-    out.set(part, offset);
-    offset += part.length;
-  }
-  return out;
-}
-
-/** Frame a single field as: u32be(byteLength) ‖ utf8(value). */
-export function frameField(value: string): Uint8Array {
-  const bytes = textEncoder.encode(value);
-  return concatBytes([u32be(bytes.length), bytes]);
-}
-
-/** Frame an ordered list of fields. Order is preserved; the caller sorts records. */
-export function frameFields(fields: readonly string[]): Uint8Array {
-  return concatBytes(fields.map((field) => frameField(field)));
-}
-
-/**
- * Frame a header plus an ordered set of records into one canonical byte stream.
- *
- * Layout:
- *   frameFields(header)
- *   for each record: u32be(recordByteLength) ‖ frameFields(record)
- *
- * Records must already be canonically sorted by the caller (the hash functions
- * sort before calling this, which is what makes shuffled input produce an
- * identical hash). Double length-prefixing (record length + per-field length)
- * makes both record and field boundaries unambiguous.
- */
-export function frameRecordSet(header: readonly string[], records: readonly (readonly string[])[]): Uint8Array {
-  const parts: Uint8Array[] = [frameFields(header)];
-  for (const record of records) {
-    const recordBytes = frameFields(record);
-    parts.push(u32be(recordBytes.length), recordBytes);
-  }
-  return concatBytes(parts);
-}

package/src/admission/index.ts

@@ -1,58 +0,0 @@
-export {
-  ADMISSION_COVERAGE_MANIFEST_SCHEMA_VERSION,
-  ADMISSION_CONSISTENCY_DECISION_SCHEMA_VERSION,
-  SELF_ATTESTED_ADMISSION_RECORD_SCHEMA_VERSION,
-  SELF_ATTESTED_ADMISSION_DISCLAIMER,
-  GIT_MODE_ABSENT,
-  GIT_MODE_BLOB,
-  GIT_MODE_EXEC,
-  GIT_MODE_SUBMODULE,
-  GIT_MODE_SYMLINK,
-  coverageEntryCanonicalFields,
-  coverageEntryIdentityKey,
-  deltaEntryCanonicalFields,
-  isAdmissibleClassification,
-  isGovernedClassification,
-  isKnownGitMode,
-  isStrictlyAdmissible,
-  isValidObjectId,
-  isZeroObjectId,
-  objectIdHexLength,
-  objectTypeForMode,
-  zeroObjectId,
-  type AdmissionCaptureDescriptor,
-  type AdmissionCaptureMode,
-  type AdmissionChangeType,
-  type AdmissionEligibilityMode,
-  type AdmissionEligibilityOptions,
-  type AdmissionConsistencyDecision,
-  type AdmissionConsistencyVerdict,
-  type AdmissionCoverageClassification,
-  type AdmissionCoverageEntry,
-  type AdmissionCoverageManifest,
-  type AdmissionDeltaEntry,
-  type AdmissionObjectType,
-  type AdmissionRepoIdentifiers,
-  type AdmissionSessionRef,
-  type GitObjectFormat,
-  type RuntimeAdmissionAgentHost,
-  type RuntimeAdmissionContext,
-  type RuntimeAdmissionReceiptSummary,
-  type RuntimeAdmissionTrustLevel,
-  type SelfAttestedAdmissionRecord,
-} from './schema';
-
-export {
-  ADMISSION_COVERAGE_SET_HASH_DOMAIN,
-  ADMISSION_DELTA_HASH_DOMAIN,
-  ADMISSION_FRAMING_VERSION,
-  frameField,
-  frameFields,
-  frameRecordSet,
-} from './framing';
-
-export {
-  ADMISSION_SOURCE_LIKE_KEYS,
-  AdmissionSourceLeakError,
-  assertSourceFreeAdmissionValue,
-} from './privacy';

package/src/admission/privacy.ts

@@ -1,93 +0,0 @@
-/**
- * Runtime Admission — source-free privacy guard (Phase A).
- *
- * The admission artifact may contain only: paths, object ids, modes, hashes,
- * classifications, timestamps, session ids, and version strings. It must never
- * contain file content, diff hunks, patch text, excerpts, or secrets.
- *
- * This guard is a denylist on key names (mirrors the runtime-sync upload guard)
- * plus a value-shape check. It is intentionally conservative: any source-like
- * key anywhere in the structure throws.
- */
-
-/** Keys that would indicate source content / diffs / secrets leaked into the artifact. */
-export const ADMISSION_SOURCE_LIKE_KEYS: ReadonlySet<string> = new Set([
-  'content',
-  'fileContent',
-  'file_content',
-  'sourceText',
-  'source_text',
-  'sourceCode',
-  'source_code',
-  'source',
-  'body',
-  'text',
-  'diff',
-  'diffText',
-  'diff_text',
-  'diffHunk',
-  'diffHunks',
-  'patch',
-  'patchText',
-  'patchBody',
-  'patch_body',
-  'hunk',
-  'hunks',
-  'excerpt',
-  'snippet',
-  'before',
-  'after',
-  'blobContent',
-  'contents',
-  'prompt',
-  'rawPrompt',
-  'raw_prompt',
-  'promptWithSource',
-  'prompt_with_source',
-  'commandBody',
-  'command_body',
-  'shellCommand',
-  'shell_command',
-  'secret',
-  'secrets',
-  'token',
-  'password',
-]);
-
-export class AdmissionSourceLeakError extends Error {
-  constructor(public readonly keyPath: string) {
-    super(`admission artifact contains source-like key: ${keyPath}`);
-    this.name = 'AdmissionSourceLeakError';
-  }
-}
-
-function isSourceLikeAdmissionKey(key: string): boolean {
-  if (ADMISSION_SOURCE_LIKE_KEYS.has(key)) return true;
-  const normalized = key.toLowerCase().replace(/[^a-z0-9_]/g, '');
-  const compact = normalized.replace(/_/g, '');
-  for (const blocked of ADMISSION_SOURCE_LIKE_KEYS) {
-    const blockedNormalized = blocked.toLowerCase().replace(/[^a-z0-9_]/g, '');
-    if (normalized === blockedNormalized || compact === blockedNormalized.replace(/_/g, '')) {
-      return true;
-    }
-  }
-  return false;
-}
-
-/**
- * Walk a value and throw AdmissionSourceLeakError if any object key is a
- * source-like key. Arrays and nested objects are walked recursively.
- */
-export function assertSourceFreeAdmissionValue(value: unknown, path = 'admission'): void {
-  if (Array.isArray(value)) {
-    value.forEach((item, index) => assertSourceFreeAdmissionValue(item, `${path}[${index}]`));
-    return;
-  }
-  if (!value || typeof value !== 'object') return;
-  for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
-    if (isSourceLikeAdmissionKey(key)) {
-      throw new AdmissionSourceLeakError(`${path}.${key}`);
-    }
-    assertSourceFreeAdmissionValue(child, `${path}.${key}`);
-  }
-}