@praxis.guard/auditor-cli 0.0.18 → 0.0.20
- package/README.md +18 -0
- package/dist/approval/client.d.ts +1 -0
- package/dist/approval/client.d.ts.map +1 -1
- package/dist/approval/client.js +1 -0
- package/dist/approval/client.js.map +1 -1
- package/dist/approval/fingerprint.d.ts +5 -0
- package/dist/approval/fingerprint.d.ts.map +1 -0
- package/dist/approval/fingerprint.js +44 -0
- package/dist/approval/fingerprint.js.map +1 -0
- package/dist/approval/grant.d.ts +3 -1
- package/dist/approval/grant.d.ts.map +1 -1
- package/dist/approval/grant.js +37 -0
- package/dist/approval/grant.js.map +1 -1
- package/dist/approval/hook-inline-approval.d.ts +23 -0
- package/dist/approval/hook-inline-approval.d.ts.map +1 -0
- package/dist/approval/hook-inline-approval.js +61 -0
- package/dist/approval/hook-inline-approval.js.map +1 -0
- package/dist/approval/mcp-flow.d.ts +8 -1
- package/dist/approval/mcp-flow.d.ts.map +1 -1
- package/dist/approval/mcp-flow.js +38 -4
- package/dist/approval/mcp-flow.js.map +1 -1
- package/dist/approval/redeem.d.ts +6 -2
- package/dist/approval/redeem.d.ts.map +1 -1
- package/dist/approval/redeem.js +40 -14
- package/dist/approval/redeem.js.map +1 -1
- package/dist/approval/types.d.ts +17 -0
- package/dist/approval/types.d.ts.map +1 -1
- package/dist/bridge/execution-ticket.d.ts +18 -0
- package/dist/bridge/execution-ticket.d.ts.map +1 -0
- package/dist/bridge/execution-ticket.js +102 -0
- package/dist/bridge/execution-ticket.js.map +1 -0
- package/dist/bridge/guard-storage-root.d.ts +6 -0
- package/dist/bridge/guard-storage-root.d.ts.map +1 -0
- package/dist/bridge/guard-storage-root.js +24 -0
- package/dist/bridge/guard-storage-root.js.map +1 -0
- package/dist/bridge/pending-approval-index.d.ts +19 -0
- package/dist/bridge/pending-approval-index.d.ts.map +1 -0
- package/dist/bridge/pending-approval-index.js +29 -0
- package/dist/bridge/pending-approval-index.js.map +1 -0
- package/dist/bridge/shell-approval-bridge.d.ts.map +1 -1
- package/dist/bridge/shell-approval-bridge.js +8 -0
- package/dist/bridge/shell-approval-bridge.js.map +1 -1
- package/dist/cli/approvals.d.ts.map +1 -1
- package/dist/cli/approvals.js +17 -9
- package/dist/cli/approvals.js.map +1 -1
- package/dist/cli/doctor.d.ts.map +1 -1
- package/dist/cli/doctor.js +2 -0
- package/dist/cli/doctor.js.map +1 -1
- package/dist/cli/main.d.ts.map +1 -1
- package/dist/cli/main.js +4 -1
- package/dist/cli/main.js.map +1 -1
- package/dist/hooks/agent-message.d.ts +23 -0
- package/dist/hooks/agent-message.d.ts.map +1 -0
- package/dist/hooks/agent-message.js +54 -0
- package/dist/hooks/agent-message.js.map +1 -0
- package/dist/hooks/run-before-mcp.d.ts.map +1 -1
- package/dist/hooks/run-before-mcp.js +62 -20
- package/dist/hooks/run-before-mcp.js.map +1 -1
- package/dist/hooks/run-before-shell.d.ts.map +1 -1
- package/dist/hooks/run-before-shell.js +51 -20
- package/dist/hooks/run-before-shell.js.map +1 -1
- package/dist/mcp/guard-mode.d.ts +26 -0
- package/dist/mcp/guard-mode.d.ts.map +1 -0
- package/dist/mcp/guard-mode.js +27 -0
- package/dist/mcp/guard-mode.js.map +1 -0
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +85 -39
- package/dist/mcp/server.js.map +1 -1
- package/package.json +1 -1
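--- a/package/README.md
+++ b/package/README.md
@@ -17,6 +17,24 @@ Legacy configs that still reference `guard-mcp` are migrated by `auditor setup a
 
 Hooks **enforce** (deny without bridge). MCP **`guard`** / **`guard_wait`** **coordinate**: create `approval_requests` in Cloud Functions, human approves in the Praxis app (or dev: `auditor approvals approve` with `GUARD_APPROVAL_DEV=1`), then redeem grant and write the one-shot `.cursor/guard/bridge` file.
 
+### MCP `mode`: shadow vs enforce
+
+Both tools require `mode` in the JSON payload:
+
+| `mode` | Behavior |
+|--------|----------|
+| **`shadow`** | Dry-run. Response `decision` is always `allow` (non-blocking). Field `shadow` carries the policy verdict (`allow` / `require_approval` / `block`). No approval requests are created. |
+| **`enforce`** | Coordination. Response `decision` is the real outcome (may call the approval backend for MUTATE). Field `shadow` carries the policy-only verdict (what would apply before grant redemption). |
+
+`guard_wait` always runs in **enforce** semantics (poll + redeem). Typical flow: `guard` with `mode: "enforce"` → human approves → `guard_wait` with `context.approval.request_id` and `context.wait_ms`.
+
+Smoke examples (after `pnpm -C packages/auditor-cli build`):
+
+```bash
+node scripts/guard-smoke.mjs shadow gcloud compute instances list
+node scripts/guard-smoke.mjs enforce gcloud compute instances delete example-vm
+```
+
 ## Policy source of truth
 
 Classification rules live in **`@praxis/auditor-policy`** (`loadPoliciesV1`, `classifyArgv`, `policies.v1.json` via the path resolved from the built policy package). This package re-exports `loadPoliciesV1` for convenience; hooks may still import `classifyArgv` from `@praxis/auditor-policy` when they need hook-specific tier handling.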
@@ -17,6 +17,7 @@ export declare function redeemApprovalGrant(input: {
|
|
|
17
17
|
}): Promise<{
|
|
18
18
|
redeemed: boolean;
|
|
19
19
|
approved_by: string | null;
|
|
20
|
+
execution_ticket: string | null;
|
|
20
21
|
}>;
|
|
21
22
|
export declare function listApprovalRequests(status?: string): Promise<Array<{
|
|
22
23
|
request_id: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/approval/client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,0BAA0B,EAAE,MAAM,YAAY,CAAC;AAyBpF,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAcvE;AAED,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAS1F;AAED,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,qBAAqB,CAAC,CAahC;AAED,wBAAsB,mBAAmB,CAAC,KAAK,EAAE;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB,GAAG,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/approval/client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,0BAA0B,EAAE,MAAM,YAAY,CAAC;AAyBpF,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAcvE;AAED,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAS1F;AAED,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,qBAAqB,CAAC,CAahC;AAED,wBAAsB,mBAAmB,CAAC,KAAK,EAAE;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB,GAAG,OAAO,CAAC;IACV,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC,CAAC,CAeD;AAED,wBAAsB,oBAAoB,CAAC,MAAM,SAAY,GAAG,OAAO,CACrE,KAAK,CAAC;IACJ,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CACH,CAeA;AAED,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,UAAU,GAAG,QAAQ,EAC/B,IAAI,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAC1B,OAAO,CAAC;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAqB7C"}
|
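--- a/package/dist/approval/client.js
+++ b/package/dist/approval/client.js
@@ -73,6 +73,7 @@ export async function redeemApprovalGrant(input) {
 return {
 redeemed: Boolean(data.redeemed),
 approved_by: typeof data.approved_by === "string" ? data.approved_by : null,
+execution_ticket: typeof data.execution_ticket === "string" ? data.execution_ticket : null,
 };
 }
 export async function listApprovalRequests(status = "pending") {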
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/approval/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAGzD,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAChF,IAAI,QAAQ,EAAE,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC7C,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,GAAW,EACX,IAAsC;IAEtC,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACjG,OAAO,KAAK,CAAC,GAAG,EAAE;QAChB,GAAG,IAAI;QACP,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;YAClC,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;SACxB;QACD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAiC;IAEjC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,sBAAsB,CAAC,EAAE;QAC/D,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;KAC5B,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,kBAAkB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IACjG,CAAC;IACD,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACnC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,SAAiB;IACxD,MAAM,GAAG,GAAG,GAAG,WAAW,CAAC,kBAAkB,CAAC,OAAO,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;IACrF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,O
AAgC,CAAC;IAClD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAiB,EACjB,IAAkD;IAElD,MAAM,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAExC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAChE,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAClE,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;YAAE,OAAO,GAAG,CAAC;QAC1C,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,KAKzC;
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/approval/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAGzD,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAChF,IAAI,QAAQ,EAAE,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC7C,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,SAAS,CACtB,GAAW,EACX,IAAsC;IAEtC,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACjG,OAAO,KAAK,CAAC,GAAG,EAAE;QAChB,GAAG,IAAI;QACP,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;YAClC,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;SACxB;QACD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAiC;IAEjC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,sBAAsB,CAAC,EAAE;QAC/D,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;KAC5B,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,kBAAkB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IACjG,CAAC;IACD,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACnC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,SAAiB;IACxD,MAAM,GAAG,GAAG,GAAG,WAAW,CAAC,kBAAkB,CAAC,OAAO,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;IACrF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,O
AAgC,CAAC;IAClD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAiB,EACjB,IAAkD;IAElD,MAAM,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAExC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAChE,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAClE,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU;YAAE,OAAO,GAAG,CAAC;QAC1C,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,KAKzC;IAKC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,qBAAqB,CAAC,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;KAC5B,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,kBAAkB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IACjG,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAChC,WAAW,EAAE,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI;QAC3E,gBAAgB,EACd,OAAO,IAAI,CAAC,gBAAgB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI;KAC3E,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,MAAM,GAAG,SAAS;IAS3D,MAAM,GAAG,GAAG,GAAG,WAAW,CAAC,mBAAmB,CAAC,WAAW,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;IACvF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,gBAAgB,GAAG,CAAC,MAAM,
GAAG,CAAC,CAAC;IAC/F,CAAC;IACD,MAAM,GAAG,GAAI,IAAI,CAAC,QAA2C,IAAI,EAAE,CAAC;IACpE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAChC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QACxB,WAAW,EAAE,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;QAC1E,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QACjE,UAAU,EAAE,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;KACxE,CAAC,CAAC,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,QAA+B,EAC/B,IAA2B;IAE3B,MAAM,KAAK,GAAG,IAAI,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;IACnD,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IAEjD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,oBAAoB,CAAC,EAAE;QACzD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;QACzD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAA4B,CAAC;IAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,iBAAiB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAChG,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;QAC3B,KAAK,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KAC/D,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
/** Stable hash for MCP tool_input JSON (sorted keys, no whitespace). */
|
|
2
|
+
export declare function toolInputSha256(toolInput: unknown): string | null;
|
|
3
|
+
/** Canonical argv for approval binding (shell + MCP). */
|
|
4
|
+
export declare function canonicalArgv(argv: readonly string[]): string[];
|
|
5
|
+
//# sourceMappingURL=fingerprint.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../src/approval/fingerprint.ts"],"names":[],"mappings":"AAEA,wEAAwE;AACxE,wBAAgB,eAAe,CAAC,SAAS,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAmBjE;AAaD,yDAAyD;AACzD,wBAAgB,aAAa,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAE/D"}
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
import { createHash } from "node:crypto";
|
|
2
|
+
/** Stable hash for MCP tool_input JSON (sorted keys, no whitespace). */
|
|
3
|
+
export function toolInputSha256(toolInput) {
|
|
4
|
+
if (toolInput === undefined || toolInput === null)
|
|
5
|
+
return null;
|
|
6
|
+
let normalized;
|
|
7
|
+
if (typeof toolInput === "string") {
|
|
8
|
+
const t = toolInput.trim();
|
|
9
|
+
if (!t)
|
|
10
|
+
return null;
|
|
11
|
+
try {
|
|
12
|
+
normalized = JSON.stringify(sortJson(JSON.parse(t)));
|
|
13
|
+
}
|
|
14
|
+
catch {
|
|
15
|
+
normalized = t;
|
|
16
|
+
}
|
|
17
|
+
}
|
|
18
|
+
else {
|
|
19
|
+
try {
|
|
20
|
+
normalized = JSON.stringify(sortJson(toolInput));
|
|
21
|
+
}
|
|
22
|
+
catch {
|
|
23
|
+
return null;
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
return createHash("sha256").update(normalized, "utf8").digest("hex");
|
|
27
|
+
}
|
|
28
|
+
function sortJson(value) {
|
|
29
|
+
if (value === null || typeof value !== "object")
|
|
30
|
+
return value;
|
|
31
|
+
if (Array.isArray(value))
|
|
32
|
+
return value.map(sortJson);
|
|
33
|
+
const obj = value;
|
|
34
|
+
const sorted = {};
|
|
35
|
+
for (const key of Object.keys(obj).sort()) {
|
|
36
|
+
sorted[key] = sortJson(obj[key]);
|
|
37
|
+
}
|
|
38
|
+
return sorted;
|
|
39
|
+
}
|
|
40
|
+
/** Canonical argv for approval binding (shell + MCP). */
|
|
41
|
+
export function canonicalArgv(argv) {
|
|
42
|
+
return argv.map((t) => (typeof t === "string" ? t.trim() : String(t)));
|
|
43
|
+
}
|
|
44
|
+
//# sourceMappingURL=fingerprint.js.map
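Review bot: `sortJson` copies keys into a plain `{}`, so a member named `__proto__` is assigned through the prototype setter instead of becoming an own property and drops out of the canonical JSON; two tool inputs that differ only in that member then produce the same `toolInputSha256`. Building the copy with `const sorted = Object.create(null);` keeps every key in the hashed form. `toolInputSha256` can also throw instead of returning null when `JSON.stringify` yields `undefined` (for example a function value), because `update(normalized, "utf8")` sits outside the try; `if (typeof normalized !== "string") return null;` before hashing covers that. `canonicalArgv` trims each token, so arguments that differ only in surrounding whitespace bind to the same approval, which deserves a comment stating that this is intended.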
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../src/approval/fingerprint.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,wEAAwE;AACxE,MAAM,UAAU,eAAe,CAAC,SAAkB;IAChD,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/D,IAAI,UAAkB,CAAC;IACvB,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpB,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,aAAa,CAAC,IAAuB;IACnD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC"}
|
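--- a/package/dist/approval/grant.d.ts
+++ b/package/dist/approval/grant.d.ts
@@ -1,4 +1,6 @@
-import type { ApprovalGrantClaims } from "./types.js";
+import type { ApprovalGrantClaims, ExecutionTicketClaims } from "./types.js";
 /** Verify a server-issued approval grant JWT (HS256). */
 export declare function verifyApprovalGrant(token: string): ApprovalGrantClaims | null;
+/** Verify a server-issued execution ticket JWT (HS256) for hook one-shot allow. */
+export declare function verifyExecutionTicket(token: string): ExecutionTicketClaims | null;
 //# sourceMappingURL=grant.d.ts.map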
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/approval/grant.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/approval/grant.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAoB7E,yDAAyD;AACzD,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,mBAAmB,GAAG,IAAI,CAkB7E;AAED,mFAAmF;AACnF,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,qBAAqB,GAAG,IAAI,CA4BjF"}
|
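--- a/package/dist/approval/grant.js
+++ b/package/dist/approval/grant.js
@@ -43,4 +43,41 @@ export function verifyApprovalGrant(token) {
 return null;
 return payload;
 }
+/** Verify a server-issued execution ticket JWT (HS256) for hook one-shot allow. */
+export function verifyExecutionTicket(token) {
+const parts = token.split(".");
+if (parts.length !== 3)
+return null;
+const secret = approvalJwtSecret();
+if (!secret)
+return null;
+const [header, body, sig] = parts;
+const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
+try {
+const a = Buffer.from(sig, "utf8");
+const b = Buffer.from(expected, "utf8");
+if (a.length !== b.length || !timingSafeEqual(a, b))
+return null;
+}
+catch {
+return null;
+}
+const payload = base64urlDecodeJson(body);
+if (!payload || payload.typ !== "execution")
+return null;
+if (typeof payload.exp !== "number" || payload.exp * 1000 < Date.now())
+return null;
+if (payload.kind !== "shell" && payload.kind !== "mcp")
+return null;
+if (typeof payload.request_id !== "string" || typeof payload.argv_sha256 !== "string")
+return null;
+if (typeof payload.install_id !== "string" || typeof payload.jti !== "string")
+return null;
+if (payload.tool_input_sha256 !== undefined &&
+payload.tool_input_sha256 !== null &&
+typeof payload.tool_input_sha256 !== "string") {
+return null;
+}
+return payload;
+}
 //# sourceMappingURL=grant.js.map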
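Review bot: `verifyExecutionTicket` checks the ticket with `createHmac("sha256", secret)`, so the machine running the hook has to hold the same key that signs tickets. `approvalJwtSecret()` is defined outside this hunk; if it reads the key from the local environment, any local process with that access could produce a ticket that passes, so the trust boundary should be documented on the function or the ticket moved to an asymmetric signature verified against a public key. The claim checks also only test `typeof … === "string"`, which accepts an empty `argv_sha256`, `request_id`, `install_id` or `jti`. Assuming `argv_sha256` is a lowercase hex SHA-256 digest as the name suggests, `if (!/^[0-9a-f]{64}$/.test(payload.argv_sha256)) return null;` would reject malformed bindings. Nothing here records `jti`, so the "one-shot" property in the doc comment depends on the caller; a sentence in the comment saying where replay is prevented would help.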
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/approval/grant.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAI1D,SAAS,mBAAmB,CAAI,OAAe;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,CAAC;IAC9D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,EAAE,CAAC;QAChE,OAAO,kCAAkC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC9F,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,mBAAmB,CAAsB,IAAI,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACxD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACpF,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
1
|
+
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/approval/grant.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAI1D,SAAS,mBAAmB,CAAI,OAAe;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,CAAC;IAC9D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,IAAI,EAAE,EAAE,CAAC;QAChE,OAAO,kCAAkC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC9F,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,mBAAmB,CAAsB,IAAI,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACxD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACpF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CA
AC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC9F,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,mBAAmB,CAAwB,IAAI,CAAC,CAAC;IACjE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACpF,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnG,IAAI,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3F,IACE,OAAO,CAAC,iBAAiB,KAAK,SAAS;QACvC,OAAO,CAAC,iBAAiB,KAAK,IAAI;QAClC,OAAO,OAAO,CAAC,iBAAiB,KAAK,QAAQ,EAC7C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
export type HookInlineApprovalInput = {
|
|
2
|
+
argv: string[];
|
|
3
|
+
kind: "shell" | "mcp";
|
|
4
|
+
rawDisplay: string;
|
|
5
|
+
policyRevision: number | null;
|
|
6
|
+
reasons: unknown[];
|
|
7
|
+
eventId: string;
|
|
8
|
+
storageRoot?: string;
|
|
9
|
+
tool_input_sha256?: string | null;
|
|
10
|
+
sessionId?: string | null;
|
|
11
|
+
environment?: string | null;
|
|
12
|
+
};
|
|
13
|
+
export type HookInlineApprovalResult = {
|
|
14
|
+
request_id: string;
|
|
15
|
+
open_url: string;
|
|
16
|
+
expires_at: string;
|
|
17
|
+
};
|
|
18
|
+
export declare function hookInlineApprovalEnabled(): boolean;
|
|
19
|
+
/**
|
|
20
|
+
* Phase 2: on first MUTATE deny, create approval request with bounded HTTP (fail-closed on error).
|
|
21
|
+
*/
|
|
22
|
+
export declare function tryHookInlineApprovalRequest(input: HookInlineApprovalInput): Promise<HookInlineApprovalResult | null>;
|
|
23
|
+
//# sourceMappingURL=hook-inline-approval.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hook-inline-approval.d.ts","sourceRoot":"","sources":["../../src/approval/hook-inline-approval.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,uBAAuB,GAAG;IACpC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,IAAI,EAAE,OAAO,GAAG,KAAK,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAgB,yBAAyB,IAAI,OAAO,CAEnD;AAOD;;GAEG;AACH,wBAAsB,4BAA4B,CAChD,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAiD1C"}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
import { getInstallId } from "../cli/install-id.js";
|
|
2
|
+
import { resolveGuardToken } from "../cli/credentials.js";
|
|
3
|
+
import { createApprovalRequest } from "./client.js";
|
|
4
|
+
import { argvSha256 } from "./argv-fingerprint.js";
|
|
5
|
+
import { writePendingApprovalIndex } from "../bridge/pending-approval-index.js";
|
|
6
|
+
import { resolveGuardStorageRoot } from "../bridge/guard-storage-root.js";
|
|
7
|
+
export function hookInlineApprovalEnabled() {
|
|
8
|
+
return process.env.PRAXIS_HOOK_INLINE_APPROVAL !== "0";
|
|
9
|
+
}
|
|
10
|
+
function inlineTimeoutMs() {
|
|
11
|
+
const n = Number(process.env.PRAXIS_HOOK_INLINE_APPROVAL_TIMEOUT_MS);
|
|
12
|
+
return Number.isFinite(n) && n > 0 ? Math.min(n, 5000) : 1200;
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Phase 2: on first MUTATE deny, create approval request with bounded HTTP (fail-closed on error).
|
|
16
|
+
*/
|
|
17
|
+
export async function tryHookInlineApprovalRequest(input) {
|
|
18
|
+
if (!hookInlineApprovalEnabled())
|
|
19
|
+
return null;
|
|
20
|
+
if (!resolveGuardToken())
|
|
21
|
+
return null;
|
|
22
|
+
const storageRoot = resolveGuardStorageRoot(input.storageRoot);
|
|
23
|
+
const hash = argvSha256(input.argv);
|
|
24
|
+
const timeoutMs = inlineTimeoutMs();
|
|
25
|
+
try {
|
|
26
|
+
const created = await Promise.race([
|
|
27
|
+
createApprovalRequest({
|
|
28
|
+
kind: input.kind,
|
|
29
|
+
tier: "MUTATE",
|
|
30
|
+
argv: [...input.argv],
|
|
31
|
+
install_id: getInstallId(),
|
|
32
|
+
session_id: input.sessionId ?? null,
|
|
33
|
+
environment: input.environment ?? null,
|
|
34
|
+
raw_display: input.rawDisplay,
|
|
35
|
+
event_id: input.eventId,
|
|
36
|
+
policy_revision: input.policyRevision,
|
|
37
|
+
reasons: input.reasons,
|
|
38
|
+
tool_input_sha256: input.tool_input_sha256 ?? null,
|
|
39
|
+
approval_scope: "exact",
|
|
40
|
+
}),
|
|
41
|
+
new Promise((_, reject) => setTimeout(() => reject(new Error("inline_approval_timeout")), timeoutMs)),
|
|
42
|
+
]);
|
|
43
|
+
await writePendingApprovalIndex({
|
|
44
|
+
request_id: created.request_id,
|
|
45
|
+
argv_sha256: hash,
|
|
46
|
+
argv: [...input.argv],
|
|
47
|
+
install_id: getInstallId(),
|
|
48
|
+
open_url: created.open_url,
|
|
49
|
+
expires_at: created.expires_at,
|
|
50
|
+
event_id: input.eventId,
|
|
51
|
+
tool_input_sha256: input.tool_input_sha256 ?? null,
|
|
52
|
+
kind: input.kind,
|
|
53
|
+
created_at: new Date().toISOString(),
|
|
54
|
+
}, { storageRoot });
|
|
55
|
+
return created;
|
|
56
|
+
}
|
|
57
|
+
catch {
|
|
58
|
+
return null;
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
//# sourceMappingURL=hook-inline-approval.js.map
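Review bot: The `Promise.race` in `tryHookInlineApprovalRequest` limits how long the hook waits but neither cancels `createApprovalRequest` nor clears the timer, so a call that finishes after the deadline can still create a request on the backend while the hook returns `null` and never writes the pending-approval index for it. On the fast path the uncleared `setTimeout` stays scheduled for up to `timeoutMs` (at most 5000 ms per `inlineTimeoutMs`), which may hold the hook process open if it relies on the event loop draining. The bare `catch` also treats a failed `writePendingApprovalIndex` the same as a failed HTTP call, discarding a `request_id` that already exists. Keep the timer handle and clear it in a `finally`, as sketched below; whether the client accepts an abort signal is not visible here, and the doc comment's fail-closed claim depends on callers treating `null` as a deny.

```javascript
    const timeoutMs = inlineTimeoutMs();
    let timer;
    try {
        const created = await Promise.race([
            createApprovalRequest({
                // … unchanged: request fields …
            }),
            new Promise((_, reject) => {
                timer = setTimeout(() => reject(new Error("inline_approval_timeout")), timeoutMs);
            }),
        ]);
        // … unchanged: writePendingApprovalIndex call and `return created` …
    }
    catch {
        return null;
    }
    finally {
        // Stop the deadline timer on every exit path so it cannot outlive the hook call.
        clearTimeout(timer);
    }
```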
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hook-inline-approval.js","sourceRoot":"","sources":["../../src/approval/hook-inline-approval.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,yBAAyB,EAAE,MAAM,qCAAqC,CAAC;AAChF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAqB1E,MAAM,UAAU,yBAAyB;IACvC,OAAO,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAAC;AACzD,CAAC;AAED,SAAS,eAAe;IACtB,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACrE,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,KAA8B;IAE9B,IAAI,CAAC,yBAAyB,EAAE;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,CAAC,iBAAiB,EAAE;QAAE,OAAO,IAAI,CAAC;IAEtC,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YACjC,qBAAqB,CAAC;gBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;gBACrB,UAAU,EAAE,YAAY,EAAE;gBAC1B,UAAU,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBACnC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;gBACtC,WAAW,EAAE,KAAK,CAAC,UAAU;gBAC7B,QAAQ,EAAE,KAAK,CAAC,OAAO;gBACvB,eAAe,EAAE,KAAK,CAAC,cAAc;gBACrC,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,IAAI,IAAI;gBAClD,cAAc,EAAE,OAAO;aACtB,CAAC;YACF,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC,EAAE,SAAS,CAAC,CAC1E;SACF,CAAC,CAAC;QAEH,MAAM,yBAAyB,CAC7B;YACE,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,WAAW,EAAE,IAAI;YACjB,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;YACrB,UAAU,EAAE,YAAY,EAAE;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,IAAI,IAAI;YAClD,IAAI,EAAE,KAAK,CAAC,IAAI;
YAChB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,EACD,EAAE,WAAW,EAAE,CAChB,CAAC;QAEF,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|
|
@@ -13,7 +13,12 @@ export type McpApprovalOutcome = {
|
|
|
13
13
|
redeemed: boolean;
|
|
14
14
|
approved_by: string | null;
|
|
15
15
|
bridgeRecorded: boolean;
|
|
16
|
+
ticketRecorded: boolean;
|
|
16
17
|
request_id: string;
|
|
18
|
+
} | {
|
|
19
|
+
kind: "credential_not_recorded";
|
|
20
|
+
request_id: string;
|
|
21
|
+
message: string;
|
|
17
22
|
} | {
|
|
18
23
|
kind: "backend_unavailable";
|
|
19
24
|
message: string;
|
|
@@ -21,7 +26,8 @@ export type McpApprovalOutcome = {
|
|
|
21
26
|
export declare function resolveMutateApproval(input: {
|
|
22
27
|
argv: string[];
|
|
23
28
|
proposalKind: "shell" | "mcp";
|
|
24
|
-
|
|
29
|
+
/** Workspace root for hook credentials (resolved if omitted). */
|
|
30
|
+
storageRoot?: string;
|
|
25
31
|
rawDisplay?: string;
|
|
26
32
|
eventId: string;
|
|
27
33
|
policyRevision: number | null;
|
|
@@ -30,6 +36,7 @@ export declare function resolveMutateApproval(input: {
|
|
|
30
36
|
environment?: string | null;
|
|
31
37
|
approval?: McpApprovalContext | null;
|
|
32
38
|
waitMs?: number | null;
|
|
39
|
+
tool_input_sha256?: string | null;
|
|
33
40
|
}): Promise<McpApprovalOutcome>;
|
|
34
41
|
export declare function argvFingerprint(argv: readonly string[]): string;
|
|
35
42
|
export { argvSha256 };
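Review bot: `bridgeRecorded` remains a required, undocumented field on the `allow` variant of `McpApprovalOutcome`, although this release marks the same field `@deprecated … always false` on `RedeemAndBridgeResult` and `resolveMutateApproval` now sets it to the literal `false`. Mirror the tag here, for example `/** @deprecated bridge removed; always false — check ticketRecorded instead. */`, so consumers stop gating on it. The new `credential_not_recorded` variant would also benefit from a one-line comment stating that the approval was redeemed but no execution ticket reached hook storage, because every caller that switches on `kind` now has to handle it. Both type declarations start outside these hunks.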
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mcp-flow.d.ts","sourceRoot":"","sources":["../../src/approval/mcp-flow.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"mcp-flow.d.ts","sourceRoot":"","sources":["../../src/approval/mcp-flow.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AASnD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAC1B;IACE,IAAI,EAAE,kBAAkB,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,IAAI,EAAE,yBAAyB,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB,GACD;IAAE,IAAI,EAAE,qBAAqB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAMrD,wBAAsB,qBAAqB,CAAC,KAAK,EAAE;IACjD,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,YAAY,EAAE,OAAO,GAAG,KAAK,CAAC;IAC9B,iEAAiE;IACjE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAqI9B;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,CAE/D;AAED,OAAO,EAAE,UAAU,EAAE,CAAC"}
|
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
import { getInstallId } from "../cli/install-id.js";
|
|
2
|
+
import { resolveGuardStorageRoot } from "../bridge/guard-storage-root.js";
|
|
3
|
+
import { writePendingApprovalIndex } from "../bridge/pending-approval-index.js";
|
|
2
4
|
import { argvSha256 } from "./argv-fingerprint.js";
|
|
3
5
|
import { createApprovalRequest, getApprovalRequest, pollUntilApproved, } from "./client.js";
|
|
4
6
|
import { redeemApprovalAndRecordBridge } from "./redeem.js";
|
|
@@ -8,6 +10,7 @@ function defaultAppUrl() {
|
|
|
8
10
|
}
|
|
9
11
|
export async function resolveMutateApproval(input) {
|
|
10
12
|
const installId = getInstallId();
|
|
13
|
+
const storageRoot = resolveGuardStorageRoot(input.storageRoot);
|
|
11
14
|
const requestId = input.approval?.request_id?.trim() || null;
|
|
12
15
|
const grant = input.approval?.grant?.trim() || null;
|
|
13
16
|
try {
|
|
@@ -38,16 +41,24 @@ export async function resolveMutateApproval(input) {
|
|
|
38
41
|
request_id: requestId,
|
|
39
42
|
argv: input.argv,
|
|
40
43
|
kind: input.proposalKind,
|
|
41
|
-
|
|
44
|
+
storageRoot,
|
|
42
45
|
grant,
|
|
43
46
|
environment: input.environment,
|
|
44
47
|
session_id: input.sessionId,
|
|
45
48
|
});
|
|
49
|
+
if (!redeem.ticketRecorded) {
|
|
50
|
+
return {
|
|
51
|
+
kind: "credential_not_recorded",
|
|
52
|
+
request_id: requestId,
|
|
53
|
+
message: "Approval redeemed but no execution ticket was written for hooks. Check workspace permissions under .cursor/guard/tickets.",
|
|
54
|
+
};
|
|
55
|
+
}
|
|
46
56
|
return {
|
|
47
57
|
kind: "allow",
|
|
48
58
|
redeemed: redeem.redeemed,
|
|
49
59
|
approved_by: redeem.approved_by,
|
|
50
|
-
bridgeRecorded:
|
|
60
|
+
bridgeRecorded: false,
|
|
61
|
+
ticketRecorded: redeem.ticketRecorded,
|
|
51
62
|
request_id: requestId,
|
|
52
63
|
};
|
|
53
64
|
}
|
|
@@ -62,6 +73,8 @@ export async function resolveMutateApproval(input) {
|
|
|
62
73
|
event_id: input.eventId,
|
|
63
74
|
policy_revision: input.policyRevision,
|
|
64
75
|
reasons: input.reasons,
|
|
76
|
+
tool_input_sha256: input.tool_input_sha256 ?? null,
|
|
77
|
+
approval_scope: "exact",
|
|
65
78
|
});
|
|
66
79
|
if (input.waitMs && input.waitMs > 0) {
|
|
67
80
|
await pollUntilApproved(created.request_id, { timeoutMs: input.waitMs });
|
|
@@ -69,18 +82,39 @@ export async function resolveMutateApproval(input) {
|
|
|
69
82
|
request_id: created.request_id,
|
|
70
83
|
argv: input.argv,
|
|
71
84
|
kind: input.proposalKind,
|
|
72
|
-
|
|
85
|
+
storageRoot,
|
|
73
86
|
environment: input.environment,
|
|
74
87
|
session_id: input.sessionId,
|
|
75
88
|
});
|
|
89
|
+
if (!redeem.ticketRecorded) {
|
|
90
|
+
return {
|
|
91
|
+
kind: "credential_not_recorded",
|
|
92
|
+
request_id: created.request_id,
|
|
93
|
+
message: "Approval redeemed but no execution ticket was written for hooks. Check workspace permissions under .cursor/guard/tickets.",
|
|
94
|
+
};
|
|
95
|
+
}
|
|
76
96
|
return {
|
|
77
97
|
kind: "allow",
|
|
78
98
|
redeemed: redeem.redeemed,
|
|
79
99
|
approved_by: redeem.approved_by,
|
|
80
|
-
bridgeRecorded:
|
|
100
|
+
bridgeRecorded: false,
|
|
101
|
+
ticketRecorded: redeem.ticketRecorded,
|
|
81
102
|
request_id: created.request_id,
|
|
82
103
|
};
|
|
83
104
|
}
|
|
105
|
+
const hash = argvSha256(input.argv);
|
|
106
|
+
await writePendingApprovalIndex({
|
|
107
|
+
request_id: created.request_id,
|
|
108
|
+
argv_sha256: hash,
|
|
109
|
+
argv: [...input.argv],
|
|
110
|
+
install_id: installId,
|
|
111
|
+
open_url: created.open_url,
|
|
112
|
+
expires_at: created.expires_at,
|
|
113
|
+
event_id: input.eventId,
|
|
114
|
+
tool_input_sha256: input.tool_input_sha256 ?? null,
|
|
115
|
+
kind: input.proposalKind,
|
|
116
|
+
created_at: new Date().toISOString(),
|
|
117
|
+
}, { storageRoot });
|
|
84
118
|
return {
|
|
85
119
|
kind: "require_approval",
|
|
86
120
|
request_id: created.request_id,
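Review bot: Both new `credential_not_recorded` returns (new lines 49–55 and 89–95) run after the one-shot grant has already been redeemed, and nothing visible offers a way to record the ticket afterwards; going by the redeem.js hunks on this page, a retry would take the `already_redeemed` path, receive `execution_ticket: null` and end in the same branch. The duplicated message also hard-codes `.cursor/guard/tickets` without naming the workspace, while the root actually used comes from `resolveGuardStorageRoot(input.storageRoot)`. If tickets live beneath that root, include it and the recovery step in both places, e.g. ``message: `Approval redeemed but no execution ticket was written under ${storageRoot}; fix permissions there and request a new approval.` ``. Separately, `await writePendingApprovalIndex(...)` runs after the backend request exists, so a local write failure is handled by the function's `catch`, which lies outside these hunks; confirm that path still reports `created.request_id`.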
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mcp-flow.js","sourceRoot":"","sources":["../../src/approval/mcp-flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,6BAA6B,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"mcp-flow.js","sourceRoot":"","sources":["../../src/approval/mcp-flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,yBAAyB,EAAE,MAAM,qCAAqC,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EACL,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,6BAA6B,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA6BjD,SAAS,aAAa;IACpB,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,IAAI,4BAA4B,CAAC;AAC5E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,KAc3C;IACC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC;IAEpD,IAAI,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;gBAC1C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;oBAC/C,OAAO,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;gBACnE,CAAC;YACH,CAAC;YAED,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC;YAEhD,IAAI,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7D,MAAM,iBAAiB,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YAClE,CAAC;iBAAM,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChC,OAAO;oBACL,IAAI,EAAE,kBAAkB;oBACxB,UAAU,EAAE,SAAS;oBACrB,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,GAAG,aAAa,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,SAAS,EAAE;oBAC7F,UAAU,EAAE,GAAG,EAAE,UAAU,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;iBACnF,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACxB,OAAO,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;YACrE,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,6BAA6B,CAAC;gBACjD,UAAU,EAAE,SAAS;gBACrB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,
EAAE,KAAK,CAAC,YAAY;gBACxB,WAAW;gBACX,KAAK;gBACL,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,UAAU,EAAE,KAAK,CAAC,SAAS;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,OAAO;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,UAAU,EAAE,SAAS;oBACrB,OAAO,EACL,2HAA2H;iBAC9H,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,cAAc,EAAE,KAAK;gBACrB,cAAc,EAAE,MAAM,CAAC,cAAc;gBACrC,UAAU,EAAE,SAAS;aACtB,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC;YAC1C,IAAI,EAAE,KAAK,CAAC,YAAY;YACxB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;YACrB,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;YACnC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;YACtC,WAAW,EAAE,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YACrD,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,eAAe,EAAE,KAAK,CAAC,cAAc;YACrC,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,IAAI,IAAI;YAClD,cAAc,EAAE,OAAO;SACxB,CAAC,CAAC;QAEH,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,iBAAiB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YACzE,MAAM,MAAM,GAAG,MAAM,6BAA6B,CAAC;gBACjD,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,YAAY;gBACxB,WAAW;gBACX,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,UAAU,EAAE,KAAK,CAAC,SAAS;aAC5B,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,OAAO;oBACL,IAAI,EAAE,yBAAyB;oBAC/B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,OAAO,EACL,2HAA2H;iBAC9H,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,cAAc,EAAE,KAAK;gBACrB,cAAc,EAAE,MAAM,CAAC,cAAc;gBACrC,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,yBAAyB,CAC7B;YACE,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,WAAW,EAAE,IAAI;YACjB,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;YACrB,UAAU,EAAE,SAAS;YACrB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB
,IAAI,IAAI;YAClD,IAAI,EAAE,KAAK,CAAC,YAAY;YACxB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,EACD,EAAE,WAAW,EAAE,CAChB,CAAC;QAEF,OAAO;YACL,IAAI,EAAE,kBAAkB;YACxB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IACvD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAuB;IACrD,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,OAAO,EAAE,UAAU,EAAE,CAAC"}
|
|
@@ -2,7 +2,8 @@ export type RedeemAndBridgeInput = {
|
|
|
2
2
|
request_id: string;
|
|
3
3
|
argv: string[];
|
|
4
4
|
kind: "shell" | "mcp";
|
|
5
|
-
cwd
|
|
5
|
+
/** Workspace / hook storage root (not subprocess cwd). */
|
|
6
|
+
storageRoot?: string;
|
|
6
7
|
grant?: string | null;
|
|
7
8
|
environment?: string | null;
|
|
8
9
|
session_id?: string | null;
|
|
@@ -10,10 +11,13 @@ export type RedeemAndBridgeInput = {
|
|
|
10
11
|
export type RedeemAndBridgeResult = {
|
|
11
12
|
redeemed: boolean;
|
|
12
13
|
approved_by: string | null;
|
|
14
|
+
/** @deprecated Phase 5 — bridge removed; always false. */
|
|
13
15
|
bridgeRecorded: boolean;
|
|
16
|
+
ticketRecorded: boolean;
|
|
17
|
+
execution_ticket: string | null;
|
|
14
18
|
};
|
|
15
19
|
/**
|
|
16
|
-
* After backend status is `approved`, redeem the one-shot grant and record
|
|
20
|
+
* After backend status is `approved`, redeem the one-shot grant and record execution ticket for hooks.
|
|
17
21
|
*/
|
|
18
22
|
export declare function redeemApprovalAndRecordBridge(input: RedeemAndBridgeInput): Promise<RedeemAndBridgeResult>;
|
|
19
23
|
//# sourceMappingURL=redeem.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"redeem.d.ts","sourceRoot":"","sources":["../../src/approval/redeem.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"redeem.d.ts","sourceRoot":"","sources":["../../src/approval/redeem.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,oBAAoB,GAAG;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,IAAI,EAAE,OAAO,GAAG,KAAK,CAAC;IACtB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,0DAA0D;IAC1D,cAAc,EAAE,OAAO,CAAC;IACxB,cAAc,EAAE,OAAO,CAAC;IACxB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC,CAAC;AAEF;;GAEG;AACH,wBAAsB,6BAA6B,CACjD,KAAK,EAAE,oBAAoB,GAC1B,OAAO,CAAC,qBAAqB,CAAC,CA8DhC"}
|
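--- a/package/dist/approval/redeem.js
+++ b/package/dist/approval/redeem.js
@@ -1,14 +1,16 @@
 import { getInstallId } from "../cli/install-id.js";
-import {
+import { resolveGuardStorageRoot } from "../bridge/guard-storage-root.js";
+import { recordExecutionTicket } from "../bridge/execution-ticket.js";
 import { argvSha256 } from "./argv-fingerprint.js";
 import { getApprovalRequest, redeemApprovalGrant } from "./client.js";
 import { verifyApprovalGrant } from "./grant.js";
 /**
-* After backend status is `approved`, redeem the one-shot grant and record
+* After backend status is `approved`, redeem the one-shot grant and record execution ticket for hooks.
 */
 export async function redeemApprovalAndRecordBridge(input) {
 const installId = getInstallId();
 const hash = argvSha256(input.argv);
+const storageRoot = resolveGuardStorageRoot(input.storageRoot);
 let grant = input.grant?.trim() || null;
 if (grant) {
 const claims = verifyApprovalGrant(grant);
@@ -27,24 +29,48 @@ export async function redeemApprovalAndRecordBridge(input) {
 throw new Error(`approval_not_ready:${row.status}`);
 }
 }
-
-request_id: input.request_id,
-grant: grant ?? "pending",
-install_id: installId,
-argv: [...input.argv],
-});
-let bridgeRecorded = false;
+let redeem;
 try {
-await
-
+redeem = await redeemApprovalGrant({
+request_id: input.request_id,
+grant: grant ?? "pending",
+install_id: installId,
+argv: [...input.argv],
+});
 }
-catch {
-
+catch (e) {
+const msg = e instanceof Error ? e.message : String(e);
+if (msg.includes("already_redeemed") || msg.includes("409")) {
+redeem = {
+redeemed: true,
+approved_by: null,
+execution_ticket: null,
+};
+}
+else {
+throw e;
+}
+}
+let ticketRecorded = false;
+const executionTicket = redeem.execution_ticket;
+if (executionTicket) {
+try {
+await recordExecutionTicket(executionTicket, input.argv, {
+storageRoot,
+kind: input.kind,
+});
+ticketRecorded = true;
+}
+catch {
+ticketRecorded = false;
+}
 }
 return {
 redeemed: redeem.redeemed,
 approved_by: redeem.approved_by,
-bridgeRecorded,
+bridgeRecorded: false,
+ticketRecorded,
+execution_ticket: executionTicket,
 };
 }
 //# sourceMappingURL=redeem.js.map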
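Review bot: The new `catch (e)` decides a redeem failure means "already redeemed" with `msg.includes("already_redeemed") || msg.includes("409")`, and the bare `"409"` substring can match unrelated text in an error message (a port, an id, part of a URL), turning a genuine failure into `redeemed: true`. Prefer a structured status or code from `redeemApprovalGrant` if the client exposes one (not visible here), or at least narrow the test to `if (msg.includes("already_redeemed")) {`. In that synthesized result `approved_by` and `execution_ticket` are both `null`, so callers cannot tell a repeated redeem from a fresh one; a comment stating that this is deliberate would help. The inner `catch` around `recordExecutionTicket` discards the reason the write failed while the function still returns the ticket string in `execution_ticket`, which types.d.ts describes as a short-lived hook credential, so callers should keep that field out of logs.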
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"redeem.js","sourceRoot":"","sources":["../../src/approval/redeem.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"redeem.js","sourceRoot":"","sources":["../../src/approval/redeem.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAsBjD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,KAA2B;IAE3B,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC/D,IAAI,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC;IAExC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,UAAU,KAAK,KAAK,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACnF,IAAI,MAAM,CAAC,WAAW,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QAClE,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAC9E,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACvD,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,IAAI,MAA0F,CAAC;IAC/F,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,mBAAmB,CAAC;YACjC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,KAAK,EAAE,KAAK,IAAI,SAAS;YACzB,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;SACtB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,IAAI,GAAG,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,GAAG;gBACP,QAAQ,EAAE,IAAI;gBACd,WAAW,EAAE,IAAI;gBACjB,gBAAgB,EAAE,IAAI;aACvB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC;IAEhD,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,qBAAqB,CAAC,eAAe,EAAE,KAAK,CAAC
,IAAI,EAAE;gBACvD,WAAW;gBACX,IAAI,EAAE,KAAK,CAAC,IAAI;aACjB,CAAC,CAAC;YACH,cAAc,GAAG,IAAI,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,cAAc,GAAG,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,cAAc,EAAE,KAAK;QACrB,cAAc;QACd,gBAAgB,EAAE,eAAe;KAClC,CAAC;AACJ,CAAC"}
|
package/dist/approval/types.d.ts
CHANGED
|
@@ -6,6 +6,8 @@ export type ApprovalRequestRecord = {
|
|
|
6
6
|
kind?: string | null;
|
|
7
7
|
argv?: string[] | null;
|
|
8
8
|
argv_sha256?: string | null;
|
|
9
|
+
tool_input_sha256?: string | null;
|
|
10
|
+
approval_scope?: string | null;
|
|
9
11
|
raw_display?: string | null;
|
|
10
12
|
install_id?: string | null;
|
|
11
13
|
session_id?: string | null;
|
|
@@ -16,6 +18,7 @@ export type ApprovalRequestRecord = {
|
|
|
16
18
|
open_url?: string | null;
|
|
17
19
|
event_id?: string | null;
|
|
18
20
|
};
|
|
21
|
+
export type ApprovalScope = "exact";
|
|
19
22
|
export type CreateApprovalRequestInput = {
|
|
20
23
|
kind: "shell" | "mcp";
|
|
21
24
|
tier: string;
|
|
@@ -27,6 +30,8 @@ export type CreateApprovalRequestInput = {
|
|
|
27
30
|
event_id?: string;
|
|
28
31
|
policy_revision?: number | null;
|
|
29
32
|
reasons?: unknown;
|
|
33
|
+
tool_input_sha256?: string | null;
|
|
34
|
+
approval_scope?: ApprovalScope;
|
|
30
35
|
};
|
|
31
36
|
export type ApprovalGrantClaims = {
|
|
32
37
|
typ: "approval";
|
|
@@ -39,4 +44,16 @@ export type ApprovalGrantClaims = {
|
|
|
39
44
|
exp: number;
|
|
40
45
|
jti: string;
|
|
41
46
|
};
|
|
47
|
+
/** Short-lived hook credential minted on guardApprovalRedeem (distinct from approval grant). */
|
|
48
|
+
export type ExecutionTicketClaims = {
|
|
49
|
+
typ: "execution";
|
|
50
|
+
request_id: string;
|
|
51
|
+
argv_sha256: string;
|
|
52
|
+
install_id: string;
|
|
53
|
+
kind: "shell" | "mcp";
|
|
54
|
+
jti: string;
|
|
55
|
+
exp: number;
|
|
56
|
+
env: string | null;
|
|
57
|
+
tool_input_sha256?: string | null;
|
|
58
|
+
};
|
|
42
59
|
//# sourceMappingURL=types.d.ts.map
|