@occasiolabs/occasio 0.8.1 → 0.8.3

package/NOTICE

@@ -1,10 +1,10 @@
-LocalFirst
+Occasio
 Copyright 2026 Leonard Brauer
 
-This product includes software developed by the LocalFirst project
-(https://github.com/occasio-ai/occasio).
+This product includes software developed by the Occasio project
+(https://github.com/occasiolabs/occasio).
 
 Licensed under the Apache License, Version 2.0 (see LICENSE).
 
-Versions 0.6.6 and earlier of LocalFirst were released under the MIT License
+Versions 0.6.6 and earlier of Occasio were released under the MIT License
 and remain available under MIT in perpetuity for those releases.

package/bin/supervisor/README.md

@@ -38,12 +38,12 @@ rm ~/.config/systemd/user/occasio.service
 
 ## macOS (launchd, user scope)
 
-The plist is a template: replace `{{LOCALFIRST_BIN}}` with the absolute
+The plist is a template: replace `{{OCCASIO_BIN}}` with the absolute
 path to your `occasio` binary first.
 
 ```sh
 LF_BIN="$(command -v occasio)"
-sed "s|{{LOCALFIRST_BIN}}|$LF_BIN|g" com.occasio.proxy.plist.template \
+sed "s|{{OCCASIO_BIN}}|$LF_BIN|g" com.occasio.proxy.plist.template \
   > ~/Library/LaunchAgents/ai.occasio.proxy.plist
 launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/ai.occasio.proxy.plist
 launchctl print gui/$(id -u)/ai.occasio.proxy

package/bin/supervisor/com.occasio.proxy.plist.template

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  LocalFirst launchd template (v0.6.4).
+  Occasio launchd template (v0.6.4).
 
-  This file is a TEMPLATE: replace {{LOCALFIRST_BIN}} with the absolute
+  This file is a TEMPLATE: replace {{OCCASIO_BIN}} with the absolute
   path to your `occasio` executable before installing. See
   bin/supervisor/README.md for the install command.
 
@@ -18,7 +18,7 @@
 
     <key>ProgramArguments</key>
     <array>
-        <string>{{LOCALFIRST_BIN}}</string>
+        <string>{{OCCASIO_BIN}}</string>
         <string>start</string>
     </array>
 

package/bin/supervisor/install-windows-task.ps1

@@ -4,7 +4,7 @@
   the current user, restarting it within 30 seconds if it exits.
 
 .DESCRIPTION
-  v0.6.4 of LocalFirst aborts with exit code 1 when it cannot append to
+  v0.6.4 of Occasio aborts with exit code 1 when it cannot append to
   its audit log. This task brings the proxy back up so the agent can
   resume work as soon as the underlying I/O issue clears.
 
@@ -12,7 +12,7 @@
   Manually validated on Windows 11 Pro (PowerShell 7.x).
   Tested-on: Windows.
 
-  The task runs at user logon, not at boot, because LocalFirst's audit
+  The task runs at user logon, not at boot, because Occasio's audit
   log lives in the user profile (~/.occasio/). Run from an elevated
   shell only if you need the task to survive logoff.
 #>
@@ -35,14 +35,14 @@ $Principal = New-ScheduledTaskPrincipal `
     -RunLevel  Limited
 
 Register-ScheduledTask `
-    -TaskName    "LocalFirst" `
-    -Description "LocalFirst — local AI-agent governance proxy (v0.6.4)" `
+    -TaskName    "Occasio" `
+    -Description "Occasio — local AI-agent governance proxy (v0.6.4)" `
     -Action      $Action `
     -Trigger     $Trigger `
     -Settings    $Settings `
     -Principal   $Principal `
     -Force
 
-Write-Host "Registered scheduled task 'LocalFirst'."
-Write-Host "It will start at next logon. To start now: Start-ScheduledTask -TaskName LocalFirst"
-Write-Host "To remove: Unregister-ScheduledTask -TaskName LocalFirst -Confirm:`$false"
+Write-Host "Registered scheduled task 'Occasio'."
+Write-Host "It will start at next logon. To start now: Start-ScheduledTask -TaskName Occasio"
+Write-Host "To remove: Unregister-ScheduledTask -TaskName Occasio -Confirm:`$false"

package/bin/supervisor/occasio.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=LocalFirst — local AI-agent governance proxy
+Description=Occasio — local AI-agent governance proxy
 After=network-online.target
 Wants=network-online.target
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@occasiolabs/occasio",
-  "version": "0.8.1",
+  "version": "0.8.3",
   "description": "Occasio — cryptographically verifiable behavioral attestation for AI coding agents. Tool-call interception + policy enforcement + tamper-evident audit chain + Sigstore-signed in-toto attestations + windowed EDR detection. Same engine for Claude Code and MCP; Computer-Use scaffold included.",
   "main": "src/index.js",
   "files": [
@@ -47,8 +47,8 @@
     "computer-use"
   ],
   "bin": {
-    "occasio":     "bin/occasio.js",
-    "oc":          "bin/occasio.js",
+    "occasio": "bin/occasio.js",
+    "oc": "bin/occasio.js",
     "occasio-mcp": "bin/occasio-mcp.js"
   },
   "engines": {
@@ -56,7 +56,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/occasiolabs/occasio.git"
+    "url": "git+https://github.com/occasiolabs/occasio.git"
   },
   "homepage": "https://github.com/occasiolabs/occasio#readme",
   "bugs": {

package/src/attest/check-summary.js

@@ -0,0 +1,115 @@
+'use strict';
+
+/**
+ * check-summary.js — pure function that turns an attestation predicate into
+ * the GitHub Check Run body (title + Markdown summary) used by the reference
+ * Action. Lives here in `src/` so both the Action (integrations/) and the
+ * `occasio demo attest` CLI can import it without crossing the src/ ←
+ * integrations/ boundary.
+ *
+ * No I/O, no env access, no side effects. Safe to call from any context.
+ *
+ * Why it's pulled out of integrations/attest-action/scripts/post-check.js:
+ *   integrations/ is deliberately excluded from the npm tarball — it ships
+ *   as a GitHub Action artifact, not as part of the CLI package. Requiring
+ *   ../../integrations/... from src/demo/ worked in the source tree but
+ *   broke immediately on `npm install` because the path doesn't exist in
+ *   the published tarball. Pure helpers belong in src/ where they ship
+ *   with the package; the Action imports them from there.
+ */
+
+// ── Markdown escaping ───────────────────────────────────────────────────────
+// Values from the attestation come from the agent's tool calls — a malicious
+// or compromised tool name can contain Markdown control characters that
+// break out of the table cell, inject links, or smuggle raw HTML through
+// GitHub's renderer. Escape before interpolating into the Check Run summary.
+//
+// `mdCode` is for values rendered inside `` `...` `` cells: only the
+// backtick itself needs handling (we strip rather than escape, because
+// inline-code in GitHub-Flavored Markdown has no escape mechanism).
+function mdCode(s) {
+  if (s === null || s === undefined) return '';
+  return String(s)
+    .replace(/[\r\n]+/g, ' ')   // collapse newlines so cells stay one-line
+    .replace(/`/g, 'ˋ')         // backtick → ˋ (visually similar, breaks out impossible)
+    .replace(/\|/g, '\\|')      // GFM table cell separator
+    .slice(0, 256);             // truncate runaway values
+}
+
+// `mdText` is for values rendered as raw Markdown text (no code fence
+// around them). Escape the full GFM punctuation set.
+function mdText(s) {
+  if (s === null || s === undefined) return '';
+  return String(s)
+    .replace(/[\r\n]+/g, ' ')
+    .replace(/([\\`*_{}\[\]()#+\-.!|<>])/g, '\\$1')
+    .slice(0, 256);
+}
+
+function intOr0(n) { return Number.isFinite(+n) ? Math.trunc(+n) : 0; }
+
+// Only render Rekor as a link if it is the public Sigstore search domain
+// over https. Anything else → display as escaped text, no clickable link.
+function safeRekorUrl(raw) {
+  if (typeof raw !== 'string') return null;
+  try {
+    const u = new URL(raw);
+    if (u.protocol !== 'https:') return null;
+    if (u.host !== 'search.sigstore.dev') return null;
+    return u.toString();
+  } catch { return null; }
+}
+
+// ── Summary builder ─────────────────────────────────────────────────────────
+// Pure function — no env access, no I/O — so it can be unit-tested directly.
+// Returns { title, summary, signed } ready for the Checks API body.
+function buildSummary(att, rekorRaw) {
+  const sum    = att.execution_summary || {};
+  const signed = !!(att.signature && att.signature.type);
+
+  const title = String(
+    `Occasio Attested · ${intOr0(sum.tool_calls)} calls · ${intOr0(sum.blocked)} blocked`
+  ).slice(0, 255);
+
+  const lines = [];
+  lines.push(`**Predicate:** \`${mdCode(att.predicate_type)}\``);
+  lines.push('');
+  lines.push(`| Field | Value |`);
+  lines.push(`|---|---|`);
+  lines.push(`| Agent | \`${mdCode(att.agent?.platform || 'unknown')}\` ${att.agent?.model ? '· `' + mdCode(att.agent.model) + '`' : ''} |`);
+  lines.push(`| run_id | \`${mdCode(att.subject?.run_id || 'unknown')}\` |`);
+  if (att.subject?.git_commit) {
+    lines.push(`| commit | \`${mdCode(String(att.subject.git_commit).slice(0,12))}\` |`);
+  }
+  lines.push(`| Policy hash | \`${mdCode((att.policy?.file_hash || '').slice(0,16))}…\` (${mdText(att.policy?.source || 'unknown')}) |`);
+  lines.push(`| Tool calls | **${intOr0(sum.tool_calls)}** (LOCAL ${intOr0(sum.local)} · PASS ${intOr0(sum.passed)} · BLOCK ${intOr0(sum.blocked)} · TRANSFORM ${intOr0(sum.transformed)}) |`);
+  lines.push(`| Secrets redacted | ${intOr0(sum.secrets_redacted)} |`);
+  lines.push(`| Chain | \`${mdCode((att.audit_chain?.first_hash || '').slice(0,12) || '∅')}…${mdCode((att.audit_chain?.last_hash || '').slice(0,12) || '∅')}\` · ${intOr0(att.audit_chain?.event_count)} events |`);
+  lines.push(`| Signature | ${signed ? `✓ \`${mdCode(att.signature.type)}\`` : '— unsigned (informational only)'} |`);
+  const rekorSafe = safeRekorUrl(rekorRaw);
+  if (rekorSafe)       lines.push(`| Rekor | [search.sigstore.dev](${rekorSafe}) |`);
+  else if (rekorRaw)   lines.push(`| Rekor | \`${mdCode(rekorRaw)}\` (non-Rekor URL — not linked) |`);
+  lines.push('');
+
+  if (Array.isArray(sum.blocked_events) && sum.blocked_events.length) {
+    lines.push('### Blocked attempts');
+    lines.push('');
+    lines.push('| Tool | Target | Rule | When |');
+    lines.push('|---|---|---|---|');
+    for (const b of sum.blocked_events.slice(0, 25)) {
+      lines.push(`| \`${mdCode(b.tool)}\` | \`${mdCode((b.target || '').slice(0, 80))}\` | \`${mdCode(b.rule)}\` | T+${intOr0(b.at_offset_s)}s |`);
+    }
+    if (sum.blocked_events.length > 25) {
+      lines.push(`| … | (${intOr0(sum.blocked_events.length - 25)} more in artifact) | | |`);
+    }
+    lines.push('');
+  }
+
+  lines.push(`<sub>Spec: <a href="https://github.com/occasiolabs/occasio/blob/main/spec/agent-attestation/v1/README.md">agent-attestation/v1</a> · Independent verifier: <code>occasio attest verify</code> · Artifacts attached to this workflow run.</sub>`);
+
+  return { title, summary: lines.join('\n'), signed };
+}
+
+module.exports = {
+  mdCode, mdText, intOr0, safeRekorUrl, buildSummary,
+};

package/src/demo/attest-demo.js

@@ -39,7 +39,7 @@ const crypto = require('crypto');
 const { buildAttestation }      = require('../attest');
 const { verifyFile }            = require('../audit/verifier');
 const { canonicalize }          = require('../attest/canonicalize');
-const { buildSummary }          = require('../../integrations/attest-action/scripts/post-check');
+const { buildSummary }          = require('../attest/check-summary');
 
 const C = {
   r: s => `\x1b[31m${s}\x1b[0m`,

package/src/harness.js

@@ -538,9 +538,9 @@ function runScenarioChild(scenarioName, ctx, opts = {}) {
 
     const env = {
       ...process.env,
-      LOCALFIRST_PORT:         String(port),
-      LOCALFIRST_AUDIT_FILE:   ctx.auditPath,
-      LOCALFIRST_POLICY_FILE:  ctx.policyPath,
+      OCCASIO_PORT:         String(port),
+      OCCASIO_AUDIT_FILE:   ctx.auditPath,
+      OCCASIO_POLICY_FILE:  ctx.policyPath,
     };
     // Only set ANTHROPIC_API_KEY if we actually have one. Empty/undefined
     // would override the user's Claude Code bundled auth, which is the
@@ -598,8 +598,8 @@ function runMcpScenario(scenarioName, ctx, opts = {}) {
   return new Promise((resolve) => {
     const env = {
       ...process.env,
-      LOCALFIRST_AUDIT_FILE:  ctx.auditPath,
-      LOCALFIRST_POLICY_FILE: ctx.policyPath,
+      OCCASIO_AUDIT_FILE:  ctx.auditPath,
+      OCCASIO_POLICY_FILE: ctx.policyPath,
     };
     const child = spawnFn('node', [mcpBin], {
       cwd: ctx.workspace, env, stdio: ['pipe', 'pipe', 'pipe'],
@@ -749,7 +749,7 @@ async function runHarness(opts = {}) {
       v.workspace = ctx.workspace;
       results.push(v);
     } finally {
-      if (!opts.keepScratch && !process.env.LF_HARNESS_KEEP) {
+      if (!opts.keepScratch && !process.env.OCC_HARNESS_KEEP) {
         cleanupWorkspace(ctx);
       }
     }

package/src/index.js

@@ -48,12 +48,18 @@ const { runInspectCli }   = require('./inspect');
 const { runAuditCli }     = require('./audit/verifier');
 const { budgetStatus, fmtBudget, BUDGET_EXCEEDED_EVENT } = require('./budget');
 
-const VERSION = '0.8.0';
+// Source of truth: package.json. Read at startup so `occasio --version`
+// can't drift from what npm reports — the previous hardcoded constant
+// caused 0.8.1's CLI to mis-report itself as 0.8.0.
+const VERSION = (() => {
+  try { return require('../package.json').version; }
+  catch { return '0.0.0-unknown'; }
+})();
 const LOG_SCHEMA_VERSION = 2;
 // Port override via env var (used by `occasio harness` and redteam to
 // run isolated proxies against scratch audit chains on free ports). Default
 // is 8081 to preserve existing user-facing behaviour.
-let PORT = parseInt(process.env.LOCALFIRST_PORT, 10) || 8081;
+let PORT = parseInt(process.env.OCCASIO_PORT, 10) || 8081;
 const ANTHROPIC_REAL = 'api.anthropic.com';
 const LOG_DIR      = path.join(os.homedir(), '.occasio');
 const SESSION_FILE = path.join(LOG_DIR, 'session.json');
@@ -920,7 +926,7 @@ const { createAuditor: _createAuditor } = require('./audit/jsonl-auditor');
 // Audit-file override via env var. Used by `occasio harness` to run
 // against a scratch chain so the user's real ~/.occasio/pipeline-events
 // .jsonl is never touched. When unset, the auditor uses its default location.
-const sessionAuditor = _createAuditor(process.env.LOCALFIRST_AUDIT_FILE || undefined);
+const sessionAuditor = _createAuditor(process.env.OCCASIO_AUDIT_FILE || undefined);
 
 // v0.6.6: register a policy-change listener that emits a `policy_loaded`
 // audit row whenever the active policy hash transitions to a new value

package/src/mcp-server.js

@@ -44,7 +44,7 @@ const LOG_FILE = path.join(os.homedir(), '.occasio', 'mcp-experiment.jsonl');
 // Audit-file override via env var (symmetric with the Claude Code proxy
 // in src/index.js). Used by `occasio harness --scenario mcp-*` to
 // keep MCP test traffic out of the user's real ~/.occasio chain.
-let mcpAuditor = createAuditor(process.env.LOCALFIRST_AUDIT_FILE || undefined);
+let mcpAuditor = createAuditor(process.env.OCCASIO_AUDIT_FILE || undefined);
 
 // v0.6.6: emit a policy_loaded row on first policy load and on every
 // hot-reload that changes the policy file's bytes. The MCP server is a

package/src/policy/loader.js

@@ -26,10 +26,10 @@ function resolveConfigPath(p) {
   return path.resolve(expanded);
 }
 
-// Default path can be overridden via LOCALFIRST_POLICY_FILE — used by the
+// Default path can be overridden via OCCASIO_POLICY_FILE — used by the
 // harness/redteam commands to point the proxy at a scratch policy.yml so
 // the user's real ~/.occasio/policy.yml is never read.
-const DEFAULT_PATH = process.env.LOCALFIRST_POLICY_FILE
+const DEFAULT_PATH = process.env.OCCASIO_POLICY_FILE
   || path.join(os.homedir(), '.occasio', 'policy.yml');
 
 // Default tool routing matches the pre-Stage-3 hardcoded behavior.

package/src/redteam.js

@@ -410,7 +410,7 @@ async function runRedteamCli(args = []) {
     process.stdout.write('\n');
     return result;
   } finally {
-    if (!keepScratch && !process.env.LF_REDTEAM_KEEP) {
+    if (!keepScratch && !process.env.OCC_REDTEAM_KEEP) {
       try { fs.rmSync(ctx.workspace, { recursive: true, force: true }); } catch {}
     }
   }