@ouro.bot/cli 0.1.0-alpha.9 → 0.1.0-alpha.90

package/dist/repertoire/coding/tools.js

@@ -2,6 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.codingToolDefinitions = void 0;
 const index_1 = require("./index");
+const identity_1 = require("../../heart/identity");
+const obligations_1 = require("../../heart/obligations");
 const runtime_1 = require("../../nerves/runtime");
 const RUNNERS = ["claude", "codex"];
 function requireArg(args, key) {
@@ -29,6 +31,35 @@ function emitCodingToolEvent(toolName) {
         meta: { toolName },
     });
 }
+function sameOriginSession(left, right) {
+    if (!left && !right)
+        return true;
+    if (!left || !right)
+        return false;
+    return left.friendId === right.friendId && left.channel === right.channel && left.key === right.key;
+}
+function matchesReusableCodingSession(session, request) {
+    if (session.status !== "spawning" && session.status !== "running" && session.status !== "waiting_input" && session.status !== "stalled") {
+        return false;
+    }
+    return (session.runner === request.runner &&
+        session.workdir === request.workdir &&
+        session.taskRef === request.taskRef &&
+        session.scopeFile === request.scopeFile &&
+        session.stateFile === request.stateFile &&
+        session.obligationId === request.obligationId &&
+        sameOriginSession(request.originSession, session.originSession));
+}
+function latestSessionFirst(left, right) {
+    const lastActivityDelta = Date.parse(right.lastActivityAt) - Date.parse(left.lastActivityAt);
+    if (lastActivityDelta !== 0)
+        return lastActivityDelta;
+    return right.id.localeCompare(left.id);
+}
+function findReusableCodingSession(sessions, request) {
+    const matches = sessions.filter((session) => matchesReusableCodingSession(session, request)).sort(latestSessionFirst);
+    return matches[0] ?? null;
+}
 const codingSpawnTool = {
     type: "function",
     function: {
@@ -61,6 +92,20 @@ const codingStatusTool = {
         },
     },
 };
+const codingTailTool = {
+    type: "function",
+    function: {
+        name: "coding_tail",
+        description: "show recent stdout/stderr tail for a coding session in a readable format",
+        parameters: {
+            type: "object",
+            properties: {
+                sessionId: { type: "string" },
+            },
+            required: ["sessionId"],
+        },
+    },
+};
 const codingSendInputTool = {
     type: "function",
     function: {
@@ -93,7 +138,7 @@ const codingKillTool = {
 exports.codingToolDefinitions = [
     {
         tool: codingSpawnTool,
-        handler: async (args) => {
+        handler: async (args, ctx) => {
             emitCodingToolEvent("coding_spawn");
             const rawRunner = requireArg(args, "runner");
             if (!rawRunner)
@@ -116,13 +161,58 @@ exports.codingToolDefinitions = [
                 prompt,
                 taskRef,
             };
+            if (ctx?.currentSession && ctx.currentSession.channel !== "inner") {
+                request.originSession = {
+                    friendId: ctx.currentSession.friendId,
+                    channel: ctx.currentSession.channel,
+                    key: ctx.currentSession.key,
+                };
+                const obligation = (0, obligations_1.findPendingObligationForOrigin)((0, identity_1.getAgentRoot)(), request.originSession);
+                if (obligation) {
+                    request.obligationId = obligation.id;
+                }
+            }
             const scopeFile = optionalArg(args, "scopeFile");
             if (scopeFile)
                 request.scopeFile = scopeFile;
             const stateFile = optionalArg(args, "stateFile");
             if (stateFile)
                 request.stateFile = stateFile;
-            const session = await (0, index_1.getCodingSessionManager)().spawnSession(request);
+            const manager = (0, index_1.getCodingSessionManager)();
+            const existingSession = findReusableCodingSession(manager.listSessions(), request);
+            if (existingSession) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "repertoire",
+                    event: "repertoire.coding_session_reused",
+                    message: "reused active coding session",
+                    meta: { id: existingSession.id, runner: existingSession.runner, taskRef: existingSession.taskRef },
+                });
+                if (ctx?.codingFeedback) {
+                    (0, index_1.attachCodingSessionFeedback)(manager, existingSession, ctx.codingFeedback);
+                }
+                return JSON.stringify({ ...existingSession, reused: true });
+            }
+            const session = await manager.spawnSession(request);
+            if (session.obligationId) {
+                (0, obligations_1.advanceObligation)((0, identity_1.getAgentRoot)(), session.obligationId, {
+                    status: "investigating",
+                    currentSurface: { kind: "coding", label: `${session.runner} ${session.id}` },
+                    latestNote: session.originSession
+                        ? `coding session started for ${session.originSession.channel}/${session.originSession.key}`
+                        : "coding session started",
+                });
+            }
+            if (args.runner === "codex" && args.taskRef) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "repertoire",
+                    event: "repertoire.coding_codex_spawned",
+                    message: "spawned codex coding session",
+                    meta: { sessionId: session.id, taskRef: args.taskRef },
+                });
+            }
+            if (ctx?.codingFeedback) {
+                (0, index_1.attachCodingSessionFeedback)(manager, session, ctx.codingFeedback);
+            }
             return JSON.stringify(session);
         },
     },
@@ -141,6 +231,19 @@ exports.codingToolDefinitions = [
             return JSON.stringify(session);
         },
     },
+    {
+        tool: codingTailTool,
+        handler: (args) => {
+            emitCodingToolEvent("coding_tail");
+            const sessionId = requireArg(args, "sessionId");
+            if (!sessionId)
+                return "sessionId is required";
+            const session = (0, index_1.getCodingSessionManager)().getSession(sessionId);
+            if (!session)
+                return `session not found: ${sessionId}`;
+            return (0, index_1.formatCodingTail)(session);
+        },
+    },
     {
         tool: codingSendInputTool,
         handler: (args) => {

package/dist/repertoire/data/ado-endpoints.json

@@ -35,6 +35,12 @@
         "description": "Delete a work item (moves to recycle bin)",
         "params": "destroy (boolean, permanently delete)"
     },
+    {
+        "path": "/{project}/_apis/wit/workitemtypes",
+        "method": "GET",
+        "description": "List all work item types available in a project (Bug, Task, Epic, User Story, etc.)",
+        "params": ""
+    },
     {
         "path": "/_apis/git/repositories",
         "method": "GET",
@@ -118,5 +124,187 @@
         "method": "GET",
         "description": "List saved work item queries (shared and personal)",
         "params": "$depth, $expand"
+    },
+    {
+        "path": "/_apis/groupentitlements?api-version=7.1",
+        "method": "GET",
+        "host": "vsaex.dev.azure.com",
+        "description": "List group entitlements (group rules that auto-assign licenses). Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/groupentitlements?api-version=7.1",
+        "method": "POST",
+        "host": "vsaex.dev.azure.com",
+        "description": "Create a group entitlement rule — maps an AAD group to an access level (e.g. Basic) and project membership. All members of the AAD group automatically get the specified license. Use host vsaex.dev.azure.com. This is the best way to bulk-provision users.",
+        "params": "body: { group: { origin: 'aad', originId: '<AAD-group-object-id>', subjectKind: 'group' }, licenseRule: { licensingSource: 'account', accountLicenseType: 'express', licenseDisplayName: 'Basic' }, projectEntitlements: [{ group: { groupType: 'projectContributor' }, projectRef: { id: '<project-id>' } }] }"
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "GET",
+        "host": "vsaex.dev.azure.com",
+        "description": "Get a specific group entitlement by ID. Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "PATCH",
+        "host": "vsaex.dev.azure.com",
+        "description": "Update a group entitlement (change license rule, project access). Use host vsaex.dev.azure.com.",
+        "params": "JSON Patch array: [{op, path, value}]"
+    },
+    {
+        "path": "/_apis/groupentitlements/{groupId}?api-version=7.1",
+        "method": "DELETE",
+        "host": "vsaex.dev.azure.com",
+        "description": "Delete a group entitlement rule. Use host vsaex.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements?api-version=7.1-preview.3",
+        "method": "GET",
+        "host": "vsapm.dev.azure.com",
+        "description": "List individual member entitlements (users and their access levels). Use host vsapm.dev.azure.com. For bulk provisioning, prefer the Group Entitlements API on vsaex.dev.azure.com instead.",
+        "params": "$top, $skip, $filter, $orderBy, $select"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements?api-version=7.1-preview.3",
+        "method": "POST",
+        "host": "vsapm.dev.azure.com",
+        "description": "Add a single member entitlement. Use host vsapm.dev.azure.com. For bulk provisioning, prefer the Group Entitlements API on vsaex.dev.azure.com instead.",
+        "params": "body: { accessLevel: { accountLicenseType: 'express'|'stakeholder', licensingSource: 'account' }, user: { principalName: 'user@domain.com', subjectKind: 'user' }, projectEntitlements: [{ group: { groupType: 'projectContributor' }, projectRef: { id: projectId } }] }"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements/{memberId}?api-version=7.1-preview.3",
+        "method": "PATCH",
+        "host": "vsapm.dev.azure.com",
+        "description": "Update a member entitlement (change access level, project access). Use host vsapm.dev.azure.com.",
+        "params": "JSON Patch array: [{op, path, value}]"
+    },
+    {
+        "path": "/_apis/memberentitlementmanagement/memberentitlements/{memberId}?api-version=7.1-preview.3",
+        "method": "DELETE",
+        "host": "vsapm.dev.azure.com",
+        "description": "Remove a member entitlement (revoke user access). Use host vsapm.dev.azure.com.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/graph/users?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List users in the organization (Graph API). Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "subjectTypes (aad, msa, etc.), continuationToken"
+    },
+    {
+        "path": "/_apis/graph/groups?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List groups in the organization. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "subjectTypes, continuationToken"
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}?api-version=7.1-preview.1",
+        "method": "GET",
+        "host": "vssps.dev.azure.com",
+        "description": "List group memberships for a user or group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": "direction (up = groups user belongs to, down = members of group)"
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}/{containerDescriptor}?api-version=7.1-preview.1",
+        "method": "PUT",
+        "host": "vssps.dev.azure.com",
+        "description": "Add a user to a group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/graph/memberships/{subjectDescriptor}/{containerDescriptor}?api-version=7.1-preview.1",
+        "method": "DELETE",
+        "host": "vssps.dev.azure.com",
+        "description": "Remove a user from a group. Use host vssps.dev.azure.com. IMPORTANT: include the full path with api-version as shown.",
+        "params": ""
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams",
+        "method": "GET",
+        "description": "List teams in a project",
+        "params": "$top, $skip"
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams/{teamId}",
+        "method": "GET",
+        "description": "Get a specific team by ID",
+        "params": ""
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams",
+        "method": "POST",
+        "description": "Create a new team in a project",
+        "params": "name, description"
+    },
+    {
+        "path": "/_apis/projects/{projectId}/teams/{teamId}/members",
+        "method": "GET",
+        "description": "List members of a team",
+        "params": "$top, $skip"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations",
+        "method": "GET",
+        "description": "List iterations (sprints) for a team",
+        "params": "$timeframe (current, past, future)"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations",
+        "method": "POST",
+        "description": "Add an iteration to a team's sprint schedule",
+        "params": "id (iteration node ID)"
+    },
+    {
+        "path": "/{project}/{team}/_apis/work/teamsettings/iterations/{iterationId}",
+        "method": "DELETE",
+        "description": "Remove an iteration from a team's sprint schedule",
+        "params": ""
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/iterations",
+        "method": "GET",
+        "description": "List iteration path tree (project-level iteration nodes)",
+        "params": "$depth"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/iterations",
+        "method": "POST",
+        "description": "Create a new iteration node (sprint)",
+        "params": "name, attributes: { startDate, finishDate }"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/areas",
+        "method": "GET",
+        "description": "List area path tree (project-level area nodes)",
+        "params": "$depth"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/areas",
+        "method": "POST",
+        "description": "Create a new area path node",
+        "params": "name"
+    },
+    {
+        "path": "/{project}/_apis/wit/classificationnodes/{structureGroup}/{path}",
+        "method": "DELETE",
+        "description": "Delete a classification node (area or iteration). structureGroup is 'areas' or 'iterations'.",
+        "params": "$reclassifyId (move items to this node before deleting)"
+    },
+    {
+        "path": "/_apis/hooks/subscriptions",
+        "method": "GET",
+        "description": "List service hook subscriptions (webhooks for events)",
+        "params": ""
+    },
+    {
+        "path": "/_apis/hooks/subscriptions",
+        "method": "POST",
+        "description": "Create a service hook subscription (webhook)",
+        "params": "publisherId, eventType, consumerId, consumerActionId, publisherInputs, consumerInputs"
     }
 ]

package/dist/repertoire/guardrails.js

@@ -0,0 +1,290 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OURO_CLI_TRUST_MANIFEST = void 0;
+exports.guardInvocation = guardInvocation;
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const types_1 = require("../mind/friends/types");
+const runtime_1 = require("../nerves/runtime");
+const deny = (reason) => ({ allowed: false, reason });
+const allow = { allowed: true };
+// --- reason templates ---
+// Structural reasons (always-on, apply to everyone)
+const REASONS = {
+    readBeforeEdit: "i need to read that file first before i can edit it.",
+    readBeforeOverwrite: "i need to read that file first before i can overwrite it.",
+    protectedPath: "that path is protected — i can read it but not modify it.",
+    destructiveCommand: "that command is too dangerous to run — it could cause irreversible damage.",
+    // Trust reasons (vary by relationship)
+    needsTrust: "i'd need a closer friend to vouch for you before i can do that.",
+    needsTrustForWrite: "i'd need a closer friend to vouch for you before i can write files outside my home.",
+};
+// --- read-only tools that never need guardrails ---
+const READ_ONLY_TOOLS = new Set(["read_file", "glob", "grep"]);
+// --- protected path detection ---
+const PROTECTED_PATH_SEGMENTS = [".git/"];
+function getProtectedAbsolutePrefixes() {
+    return [`${os.homedir()}/.agentsecrets/`];
+}
+function isProtectedPath(filePath) {
+    for (const segment of PROTECTED_PATH_SEGMENTS) {
+        if (filePath.includes(`/${segment}`) || filePath.startsWith(segment))
+            return true;
+    }
+    for (const prefix of getProtectedAbsolutePrefixes()) {
+        if (filePath.startsWith(prefix))
+            return true;
+    }
+    return false;
+}
+// --- destructive shell patterns ---
+const DESTRUCTIVE_PATTERNS = [
+    /\brm\s+(-\w*\s+)*-\w*r\w*\s+(-\w+\s+)*[/~]/, // rm -rf / or rm -rf ~
+    /\bchmod\s+(-\w*\s+)*-\w*R\w*\s+\d+\s+\//, // chmod -R 777 /
+    /\bmkfs\b/, // mkfs.*
+    /\bdd\s+if=/, // dd if=
+];
+function isDestructiveShellCommand(command) {
+    return DESTRUCTIVE_PATTERNS.some((p) => p.test(command));
+}
+// --- compound command splitting ---
+// Shell operators that chain commands: &&, ||, ;, |, $(), backticks
+const COMPOUND_SEPARATORS = /\s*(?:&&|\|\||;|\|)\s*/;
+const SUBSHELL_PATTERN = /\$\(|`/;
+function splitShellCommands(command) {
+    if (SUBSHELL_PATTERN.test(command))
+        return [command];
+    return command.split(COMPOUND_SEPARATORS).filter(Boolean);
+}
+// --- shell commands that write to protected paths ---
+function shellWritesToProtectedPath(command) {
+    const redirectMatch = command.match(/>\s*(\S+)/);
+    if (redirectMatch && isProtectedPath(redirectMatch[1]))
+        return true;
+    const teeMatch = command.match(/tee\s+(?:-\w+\s+)*(\S+)/);
+    if (teeMatch && isProtectedPath(teeMatch[1]))
+        return true;
+    return false;
+}
+// --- structural guardrail checks (always on, all trust levels) ---
+function checkReadBeforeWrite(toolName, args, context) {
+    if (toolName === "edit_file") {
+        const filePath = args.path || "";
+        if (!context.readPaths.has(filePath))
+            return deny(REASONS.readBeforeEdit);
+    }
+    if (toolName === "write_file") {
+        const filePath = args.path || "";
+        if (context.readPaths.has(filePath))
+            return allow;
+        if (!fs.existsSync(filePath))
+            return allow;
+        return deny(REASONS.readBeforeOverwrite);
+    }
+    return allow;
+}
+function checkDestructiveShellPatterns(toolName, args) {
+    if (toolName !== "shell")
+        return allow;
+    const command = args.command || "";
+    // Check each subcommand in compound commands for destructive patterns
+    for (const sub of splitShellCommands(command)) {
+        if (isDestructiveShellCommand(sub))
+            return deny(REASONS.destructiveCommand);
+    }
+    return allow;
+}
+function checkProtectedPaths(toolName, args) {
+    if (toolName === "write_file" || toolName === "edit_file") {
+        const filePath = args.path || "";
+        if (isProtectedPath(filePath))
+            return deny(REASONS.protectedPath);
+    }
+    if (toolName === "shell") {
+        const command = args.command || "";
+        if (shellWritesToProtectedPath(command))
+            return deny(REASONS.protectedPath);
+    }
+    return allow;
+}
+function checkStructuralGuardrails(toolName, args, context) {
+    const protectedResult = checkProtectedPaths(toolName, args);
+    if (!protectedResult.allowed)
+        return protectedResult;
+    const destructiveResult = checkDestructiveShellPatterns(toolName, args);
+    if (!destructiveResult.allowed)
+        return destructiveResult;
+    return checkReadBeforeWrite(toolName, args, context);
+}
+// --- ouro CLI trust manifest ---
+/** Minimum trust level required for each ouro CLI subcommand. */
+exports.OURO_CLI_TRUST_MANIFEST = {
+    whoami: "acquaintance",
+    changelog: "acquaintance",
+    "session list": "acquaintance",
+    "task board": "friend",
+    "task create": "friend",
+    "task update": "friend",
+    "task show": "friend",
+    "task actionable": "friend",
+    "task deps": "friend",
+    "task sessions": "friend",
+    "friend list": "friend",
+    "friend show": "friend",
+    "friend create": "friend",
+    "friend update": "family",
+    "reminder create": "friend",
+    "config model": "friend",
+    "config models": "friend",
+    "mcp list": "acquaintance",
+    "mcp call": "friend",
+    auth: "family",
+    "auth verify": "family",
+    "auth switch": "family",
+    rollback: "family",
+    versions: "acquaintance",
+};
+// --- trust level comparison ---
+const LEVEL_ORDER = {
+    stranger: 0,
+    acquaintance: 1,
+    friend: 2,
+    family: 3,
+};
+function trustLevelSatisfied(required, actual) {
+    return LEVEL_ORDER[actual] >= LEVEL_ORDER[required];
+}
+// --- general CLI allowlists for acquaintance ---
+const ACQUAINTANCE_SHELL_ALLOWLIST = new Set([
+    "cat", "ls", "head", "tail", "wc", "file", "stat", "which", "echo",
+    "pwd", "env", "printenv", "whoami", "date", "uname",
+]);
+const ACQUAINTANCE_GIT_ALLOWLIST = new Set([
+    "status", "log", "show", "diff", "branch",
+]);
+// --- trust-level shell guardrails ---
+function resolveOuroSubcommand(command) {
+    const afterOuro = command.replace(/^ouro\s+/, "").trim();
+    /* v8 ignore next -- bare "ouro" is caught upstream by checkShellTrustGuardrails @preserve */
+    if (!afterOuro)
+        return null;
+    const tokens = afterOuro.split(/\s+/);
+    const twoWord = tokens.length >= 2 ? `${tokens[0]} ${tokens[1]}` : null;
+    // Two-word match first (e.g. "task board"), then one-word (e.g. "whoami")
+    if (twoWord && exports.OURO_CLI_TRUST_MANIFEST[twoWord])
+        return twoWord;
+    if (exports.OURO_CLI_TRUST_MANIFEST[tokens[0]])
+        return tokens[0];
+    return null;
+}
+function checkSingleShellCommandTrust(command, trustLevel) {
+    const trimmed = command.trim();
+    const tokens = trimmed.split(/\s+/);
+    const firstToken = tokens[0] || "";
+    // ouro CLI — check per-subcommand trust manifest
+    if (firstToken === "ouro") {
+        const subcommand = resolveOuroSubcommand(trimmed);
+        const requiredLevel = subcommand ? exports.OURO_CLI_TRUST_MANIFEST[subcommand] : "friend";
+        if (trustLevelSatisfied(requiredLevel, trustLevel))
+            return allow;
+        return deny(REASONS.needsTrust);
+    }
+    // git — check subcommand allowlist
+    if (firstToken === "git") {
+        const gitSub = tokens[1] || "";
+        if (ACQUAINTANCE_GIT_ALLOWLIST.has(gitSub))
+            return allow;
+        return deny(REASONS.needsTrust);
+    }
+    // General CLI — check allowlist
+    if (ACQUAINTANCE_SHELL_ALLOWLIST.has(firstToken))
+        return allow;
+    return deny(REASONS.needsTrust);
+}
+function checkShellTrustGuardrails(command, trustLevel) {
+    // Subshell patterns ($(), backticks) can't be reliably split — check as single command
+    /* v8 ignore next -- subshell branch: tested via guardrails.test.ts @preserve */
+    if (SUBSHELL_PATTERN.test(command)) {
+        return checkSingleShellCommandTrust(command, trustLevel);
+    }
+    // Compound commands: check each subcommand individually
+    const subcommands = splitShellCommands(command);
+    if (subcommands.length === 0)
+        return checkSingleShellCommandTrust(command, trustLevel);
+    for (const sub of subcommands) {
+        const result = checkSingleShellCommandTrust(sub, trustLevel);
+        if (!result.allowed)
+            return result;
+    }
+    return allow;
+}
+function checkWriteTrustGuardrails(toolName, args, context) {
+    if (toolName !== "write_file" && toolName !== "edit_file")
+        return allow;
+    const filePath = args.path || "";
+    if (context.agentRoot && filePath.startsWith(context.agentRoot))
+        return allow;
+    if (!context.agentRoot)
+        return allow;
+    return deny(REASONS.needsTrustForWrite);
+}
+function checkTrustLevelGuardrails(toolName, args, context) {
+    // Trusted levels (family/friend) — no trust guardrails. Undefined defaults to friend.
+    if ((0, types_1.isTrustedLevel)(context.trustLevel))
+        return allow;
+    if (toolName === "shell") {
+        return checkShellTrustGuardrails(args.command || "", context.trustLevel);
+    }
+    return checkWriteTrustGuardrails(toolName, args, context);
+}
+// --- main entry point ---
+function guardInvocation(toolName, args, context) {
+    (0, runtime_1.emitNervesEvent)({
+        component: "tools",
+        event: "tools.guard_check",
+        message: "guardrail check",
+        meta: { toolName },
+    });
+    // Read-only tools are always allowed (no structural or trust guardrails)
+    if (READ_ONLY_TOOLS.has(toolName))
+        return allow;
+    // Layer 1: structural guardrails (always on)
+    const structuralResult = checkStructuralGuardrails(toolName, args, context);
+    if (!structuralResult.allowed)
+        return structuralResult;
+    // Layer 2: trust-level guardrails (varies by friend's trust)
+    return checkTrustLevelGuardrails(toolName, args, context);
+}