@praxis.guard/auditor-cli 0.0.44 → 0.0.46
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -0
- package/dist/adapters/claude-code/adapter.d.ts +28 -0
- package/dist/adapters/claude-code/adapter.d.ts.map +1 -0
- package/dist/adapters/claude-code/adapter.js +141 -0
- package/dist/adapters/claude-code/adapter.js.map +1 -0
- package/dist/adapters/claude-code/config-detect.d.ts +4 -0
- package/dist/adapters/claude-code/config-detect.d.ts.map +1 -0
- package/dist/adapters/claude-code/config-detect.js +44 -0
- package/dist/adapters/claude-code/config-detect.js.map +1 -0
- package/dist/adapters/claude-code/config-io.d.ts +8 -0
- package/dist/adapters/claude-code/config-io.d.ts.map +1 -0
- package/dist/adapters/claude-code/config-io.js +41 -0
- package/dist/adapters/claude-code/config-io.js.map +1 -0
- package/dist/adapters/claude-code/index.d.ts +3 -0
- package/dist/adapters/claude-code/index.d.ts.map +1 -0
- package/dist/adapters/claude-code/index.js +3 -0
- package/dist/adapters/claude-code/index.js.map +1 -0
- package/dist/adapters/claude-code/paths.d.ts +17 -0
- package/dist/adapters/claude-code/paths.d.ts.map +1 -0
- package/dist/adapters/claude-code/paths.js +32 -0
- package/dist/adapters/claude-code/paths.js.map +1 -0
- package/dist/adapters/claude-code.d.ts +1 -33
- package/dist/adapters/claude-code.d.ts.map +1 -1
- package/dist/adapters/claude-code.js +1 -246
- package/dist/adapters/claude-code.js.map +1 -1
- package/dist/adapters/codex.d.ts +11 -0
- package/dist/adapters/codex.d.ts.map +1 -0
- package/dist/adapters/codex.js +52 -0
- package/dist/adapters/codex.js.map +1 -0
- package/dist/adapters/registry.d.ts.map +1 -1
- package/dist/adapters/registry.js +2 -0
- package/dist/adapters/registry.js.map +1 -1
- package/dist/adapters/select-targets.js +3 -3
- package/dist/adapters/select-targets.js.map +1 -1
- package/dist/adapters/types.d.ts +9 -2
- package/dist/adapters/types.d.ts.map +1 -1
- package/dist/bridge/execution-ticket-consume.d.ts +12 -0
- package/dist/bridge/execution-ticket-consume.d.ts.map +1 -0
- package/dist/bridge/execution-ticket-consume.js +105 -0
- package/dist/bridge/execution-ticket-consume.js.map +1 -0
- package/dist/bridge/execution-ticket-match.d.ts +4 -0
- package/dist/bridge/execution-ticket-match.d.ts.map +1 -0
- package/dist/bridge/execution-ticket-match.js +40 -0
- package/dist/bridge/execution-ticket-match.js.map +1 -0
- package/dist/bridge/execution-ticket-record.d.ts +14 -0
- package/dist/bridge/execution-ticket-record.d.ts.map +1 -0
- package/dist/bridge/execution-ticket-record.js +51 -0
- package/dist/bridge/execution-ticket-record.js.map +1 -0
- package/dist/bridge/execution-ticket.d.ts +2 -23
- package/dist/bridge/execution-ticket.d.ts.map +1 -1
- package/dist/bridge/execution-ticket.js +2 -179
- package/dist/bridge/execution-ticket.js.map +1 -1
- package/dist/cli/dispatch-hook.d.ts +2 -0
- package/dist/cli/dispatch-hook.d.ts.map +1 -0
- package/dist/cli/dispatch-hook.js +29 -0
- package/dist/cli/dispatch-hook.js.map +1 -0
- package/dist/cli/dispatch-setup.d.ts +2 -0
- package/dist/cli/dispatch-setup.d.ts.map +1 -0
- package/dist/cli/dispatch-setup.js +34 -0
- package/dist/cli/dispatch-setup.js.map +1 -0
- package/dist/cli/doctor.d.ts.map +1 -1
- package/dist/cli/doctor.js +17 -13
- package/dist/cli/doctor.js.map +1 -1
- package/dist/cli/help.d.ts +2 -0
- package/dist/cli/help.d.ts.map +1 -0
- package/dist/cli/help.js +61 -0
- package/dist/cli/help.js.map +1 -0
- package/dist/cli/main.d.ts.map +1 -1
- package/dist/cli/main.js +6 -96
- package/dist/cli/main.js.map +1 -1
- package/dist/cli/setup-all.d.ts.map +1 -1
- package/dist/cli/setup-all.js +6 -2
- package/dist/cli/setup-all.js.map +1 -1
- package/dist/cli/setup-codex.d.ts +9 -0
- package/dist/cli/setup-codex.d.ts.map +1 -0
- package/dist/cli/setup-codex.js +61 -0
- package/dist/cli/setup-codex.js.map +1 -0
- package/dist/cli/setup-doctor.d.ts.map +1 -1
- package/dist/cli/setup-doctor.js +22 -7
- package/dist/cli/setup-doctor.js.map +1 -1
- package/dist/cli/setup-mcp.d.ts +1 -0
- package/dist/cli/setup-mcp.d.ts.map +1 -1
- package/dist/cli/setup-mcp.js +15 -2
- package/dist/cli/setup-mcp.js.map +1 -1
- package/dist/codex/config.d.ts +23 -0
- package/dist/codex/config.d.ts.map +1 -0
- package/dist/codex/config.js +177 -0
- package/dist/codex/config.js.map +1 -0
- package/dist/codex/evaluate-tool-audit.d.ts +29 -0
- package/dist/codex/evaluate-tool-audit.d.ts.map +1 -0
- package/dist/codex/evaluate-tool-audit.js +58 -0
- package/dist/codex/evaluate-tool-audit.js.map +1 -0
- package/dist/codex/evaluate-tool-bash.d.ts +3 -0
- package/dist/codex/evaluate-tool-bash.d.ts.map +1 -0
- package/dist/codex/evaluate-tool-bash.js +50 -0
- package/dist/codex/evaluate-tool-bash.js.map +1 -0
- package/dist/codex/evaluate-tool-mcp.d.ts +3 -0
- package/dist/codex/evaluate-tool-mcp.d.ts.map +1 -0
- package/dist/codex/evaluate-tool-mcp.js +55 -0
- package/dist/codex/evaluate-tool-mcp.js.map +1 -0
- package/dist/codex/evaluate-tool-types.d.ts +27 -0
- package/dist/codex/evaluate-tool-types.d.ts.map +1 -0
- package/dist/codex/evaluate-tool-types.js +15 -0
- package/dist/codex/evaluate-tool-types.js.map +1 -0
- package/dist/codex/evaluate-tool.d.ts +5 -0
- package/dist/codex/evaluate-tool.d.ts.map +1 -0
- package/dist/codex/evaluate-tool.js +19 -0
- package/dist/codex/evaluate-tool.js.map +1 -0
- package/dist/codex/permission-handoff.d.ts +13 -0
- package/dist/codex/permission-handoff.d.ts.map +1 -0
- package/dist/codex/permission-handoff.js +36 -0
- package/dist/codex/permission-handoff.js.map +1 -0
- package/dist/hooks/run-codex-hooks.d.ts +3 -0
- package/dist/hooks/run-codex-hooks.d.ts.map +1 -0
- package/dist/hooks/run-codex-hooks.js +77 -0
- package/dist/hooks/run-codex-hooks.js.map +1 -0
- package/dist/policy/classify.d.ts +9 -0
- package/dist/policy/classify.d.ts.map +1 -0
- package/dist/policy/classify.js +97 -0
- package/dist/policy/classify.js.map +1 -0
- package/dist/policy/index.d.ts +5 -54
- package/dist/policy/index.d.ts.map +1 -1
- package/dist/policy/index.js +4 -213
- package/dist/policy/index.js.map +1 -1
- package/dist/policy/load.d.ts +8 -0
- package/dist/policy/load.d.ts.map +1 -0
- package/dist/policy/load.js +52 -0
- package/dist/policy/load.js.map +1 -0
- package/dist/policy/paths.d.ts +9 -0
- package/dist/policy/paths.d.ts.map +1 -0
- package/dist/policy/paths.js +42 -0
- package/dist/policy/paths.js.map +1 -0
- package/dist/policy/schema.d.ts +35 -0
- package/dist/policy/schema.d.ts.map +1 -0
- package/dist/policy/schema.js +30 -0
- package/dist/policy/schema.js.map +1 -0
- package/dist/telemetry/agent-host.d.ts +1 -1
- package/dist/telemetry/agent-host.d.ts.map +1 -1
- package/dist/telemetry/agent-host.js +7 -1
- package/dist/telemetry/agent-host.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
import { shellApprovalFingerprintId, shellArgvApprovalId } from "./shell-approval-bridge.js";
|
|
2
|
+
function argvDeepEqual(stored, requested) {
|
|
3
|
+
if (!Array.isArray(stored) || stored.length !== requested.length)
|
|
4
|
+
return false;
|
|
5
|
+
return stored.every((v, i) => typeof v === "string" && v === requested[i]);
|
|
6
|
+
}
|
|
7
|
+
function fingerprintDeepEqual(stored, requested) {
|
|
8
|
+
if (!stored || typeof stored !== "object")
|
|
9
|
+
return false;
|
|
10
|
+
return shellApprovalFingerprintId(stored) === shellApprovalFingerprintId(requested);
|
|
11
|
+
}
|
|
12
|
+
function isEquivalentMcpInvocation(approved, requested) {
|
|
13
|
+
if (approved.length < 3 || requested.length < 3)
|
|
14
|
+
return false;
|
|
15
|
+
if (approved[0] !== "mcp" || requested[0] !== "mcp")
|
|
16
|
+
return false;
|
|
17
|
+
if (approved[2] !== requested[2])
|
|
18
|
+
return false;
|
|
19
|
+
if (approved[1] === requested[1])
|
|
20
|
+
return true;
|
|
21
|
+
return approved[1] === "stdio" || requested[1] === "stdio";
|
|
22
|
+
}
|
|
23
|
+
export function shellApprovalId(argv, fingerprint) {
|
|
24
|
+
if (fingerprint)
|
|
25
|
+
return shellApprovalFingerprintId(fingerprint);
|
|
26
|
+
return shellArgvApprovalId(argv);
|
|
27
|
+
}
|
|
28
|
+
export function argvMatchesApproval(approved, requested, kind, approvedFingerprint, requestedFingerprint) {
|
|
29
|
+
if (kind === "shell" && approvedFingerprint && requestedFingerprint) {
|
|
30
|
+
return fingerprintDeepEqual(approvedFingerprint, requestedFingerprint);
|
|
31
|
+
}
|
|
32
|
+
if (!approved)
|
|
33
|
+
return false;
|
|
34
|
+
if (argvDeepEqual(approved, requested))
|
|
35
|
+
return true;
|
|
36
|
+
if (kind === "mcp")
|
|
37
|
+
return isEquivalentMcpInvocation(approved, requested);
|
|
38
|
+
return false;
|
|
39
|
+
}
|
|
40
|
+
//# sourceMappingURL=execution-ticket-match.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"execution-ticket-match.js","sourceRoot":"","sources":["../../src/bridge/execution-ticket-match.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAG7F,SAAS,aAAa,CAAC,MAAe,EAAE,SAA4B;IAClE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAe,EAAE,SAA0C;IACvF,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxD,OAAO,0BAA0B,CAAC,MAAyC,CAAC,KAAK,0BAA0B,CAAC,SAAS,CAAC,CAAC;AACzH,CAAC;AAED,SAAS,yBAAyB,CAChC,QAA2B,EAC3B,SAA4B;IAE5B,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAClE,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,IAAuB,EACvB,WAAoD;IAEpD,IAAI,WAAW;QAAE,OAAO,0BAA0B,CAAC,WAAW,CAAC,CAAC;IAChE,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAAuC,EACvC,SAA4B,EAC5B,IAAsB,EACtB,mBAA4D,EAC5D,oBAA6D;IAE7D,IAAI,IAAI,KAAK,OAAO,IAAI,mBAAmB,IAAI,oBAAoB,EAAE,CAAC;QACpE,OAAO,oBAAoB,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,aAAa,CAAC,QAAQ,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,yBAAyB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import type { ShellApprovalFingerprintPayload } from "../shell/analyze-command.js";
|
|
2
|
+
/**
|
|
3
|
+
* After redeem, persist a signed execution ticket for hook verification (dual-write with bridge).
|
|
4
|
+
*
|
|
5
|
+
* When a fingerprint is provided the primary file is indexed by the fingerprint hash.
|
|
6
|
+
* We also write an argv-hash alias so hooks that lack fingerprint context (e.g. the
|
|
7
|
+
* Claude Code PreToolUse hook) can find and consume the ticket by argv alone.
|
|
8
|
+
*/
|
|
9
|
+
export declare function recordExecutionTicket(ticket: string, argv: readonly string[], opts?: {
|
|
10
|
+
storageRoot?: string;
|
|
11
|
+
kind?: "shell" | "mcp";
|
|
12
|
+
approval_fingerprint?: ShellApprovalFingerprintPayload | null;
|
|
13
|
+
}): Promise<void>;
|
|
14
|
+
//# sourceMappingURL=execution-ticket-record.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"execution-ticket-record.d.ts","sourceRoot":"","sources":["../../src/bridge/execution-ticket-record.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,+BAA+B,EAAE,MAAM,6BAA6B,CAAC;AAOnF;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IACvB,oBAAoB,CAAC,EAAE,+BAA+B,GAAG,IAAI,CAAC;CAC/D,GACA,OAAO,CAAC,IAAI,CAAC,CAiCf"}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
import { randomUUID } from "node:crypto";
|
|
2
|
+
import { mkdir, writeFile } from "node:fs/promises";
|
|
3
|
+
import path from "node:path";
|
|
4
|
+
import { verifyExecutionTicket } from "../approval/grant.js";
|
|
5
|
+
import { guardSubpath } from "./guard-storage-root.js";
|
|
6
|
+
import { shellArgvApprovalId } from "./shell-approval-bridge.js";
|
|
7
|
+
import { shellApprovalId } from "./execution-ticket-match.js";
|
|
8
|
+
function executionTicketDir(storageRoot) {
|
|
9
|
+
return guardSubpath("tickets", storageRoot);
|
|
10
|
+
}
|
|
11
|
+
/**
|
|
12
|
+
* After redeem, persist a signed execution ticket for hook verification (dual-write with bridge).
|
|
13
|
+
*
|
|
14
|
+
* When a fingerprint is provided the primary file is indexed by the fingerprint hash.
|
|
15
|
+
* We also write an argv-hash alias so hooks that lack fingerprint context (e.g. the
|
|
16
|
+
* Claude Code PreToolUse hook) can find and consume the ticket by argv alone.
|
|
17
|
+
*/
|
|
18
|
+
export async function recordExecutionTicket(ticket, argv, opts) {
|
|
19
|
+
const id = shellApprovalId(argv, opts?.approval_fingerprint);
|
|
20
|
+
const dir = executionTicketDir(opts?.storageRoot);
|
|
21
|
+
await mkdir(dir, { recursive: true });
|
|
22
|
+
const claims = verifyExecutionTicket(ticket);
|
|
23
|
+
const expMs = claims ? claims.exp * 1000 : Date.now() + 10 * 60 * 1000;
|
|
24
|
+
const content = JSON.stringify({
|
|
25
|
+
exp: expMs,
|
|
26
|
+
argv: [...argv],
|
|
27
|
+
fingerprint: opts?.approval_fingerprint ?? undefined,
|
|
28
|
+
ticket,
|
|
29
|
+
kind: opts?.kind ?? claims?.kind ?? "shell",
|
|
30
|
+
});
|
|
31
|
+
const file = path.join(dir, `${id}_${randomUUID()}.json`);
|
|
32
|
+
await writeFile(file, content, "utf8");
|
|
33
|
+
// When stored by fingerprint hash, also write an argv-hash alias so hooks
|
|
34
|
+
// without fingerprint context (e.g. claude-code PreToolUse) can find it.
|
|
35
|
+
// The alias omits the fingerprint so tryConsumeTicketToken hashes by argv,
|
|
36
|
+
// matching the argv_sha256 the server put in the JWT.
|
|
37
|
+
if (opts?.approval_fingerprint && (opts?.kind ?? claims?.kind ?? "shell") === "shell") {
|
|
38
|
+
const argvId = shellArgvApprovalId(argv);
|
|
39
|
+
if (argvId !== id) {
|
|
40
|
+
const aliasContent = JSON.stringify({
|
|
41
|
+
exp: expMs,
|
|
42
|
+
argv: [...argv],
|
|
43
|
+
ticket,
|
|
44
|
+
kind: opts?.kind ?? claims?.kind ?? "shell",
|
|
45
|
+
});
|
|
46
|
+
const aliasFile = path.join(dir, `${argvId}_${randomUUID()}.json`);
|
|
47
|
+
await writeFile(aliasFile, aliasContent, "utf8");
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
//# sourceMappingURL=execution-ticket-record.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"execution-ticket-record.js","sourceRoot":"","sources":["../../src/bridge/execution-ticket-record.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAE9D,SAAS,kBAAkB,CAAC,WAAoB;IAC9C,OAAO,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAc,EACd,IAAuB,EACvB,IAIC;IAED,MAAM,EAAE,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,oBAAoB,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAClD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACvE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,GAAG,EAAE,KAAK;QACV,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;QACf,WAAW,EAAE,IAAI,EAAE,oBAAoB,IAAI,SAAS;QACpD,MAAM;QACN,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,EAAE,IAAI,IAAI,OAAO;KAC5C,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAEvC,0EAA0E;IAC1E,yEAAyE;IACzE,2EAA2E;IAC3E,sDAAsD;IACtD,IAAI,IAAI,EAAE,oBAAoB,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,MAAM,EAAE,IAAI,IAAI,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACtF,MAAM,MAAM,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;YAClB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC;gBAClC,GAAG,EAAE,KAAK;gBACV,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;gBACf,MAAM;gBACN,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,EAAE,IAAI,IAAI,OAAO;aAC5C,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,IAAI,UAAU,EAAE,OAAO,CAAC,CAAC;YACnE,MAAM,SAAS,CAAC,SAAS,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -1,25 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
export
|
|
1
|
+
export { EXECUTION_TICKET_ENV, tryConsumeExecutionTicket } from "./execution-ticket-consume.js";
|
|
2
|
+
export { recordExecutionTicket } from "./execution-ticket-record.js";
|
|
3
3
|
export declare function executionTicketDir(storageRoot?: string): string;
|
|
4
|
-
/**
|
|
5
|
-
* After redeem, persist a signed execution ticket for hook verification (dual-write with bridge).
|
|
6
|
-
*
|
|
7
|
-
* When a fingerprint is provided the primary file is indexed by the fingerprint hash.
|
|
8
|
-
* We also write an argv-hash alias so hooks that lack fingerprint context (e.g. the
|
|
9
|
-
* Claude Code PreToolUse hook) can find and consume the ticket by argv alone.
|
|
10
|
-
*/
|
|
11
|
-
export declare function recordExecutionTicket(ticket: string, argv: readonly string[], opts?: {
|
|
12
|
-
storageRoot?: string;
|
|
13
|
-
kind?: "shell" | "mcp";
|
|
14
|
-
approval_fingerprint?: ShellApprovalFingerprintPayload | null;
|
|
15
|
-
}): Promise<void>;
|
|
16
|
-
/**
|
|
17
|
-
* Verify a signed execution ticket locally and consume it once (env var or ticket files).
|
|
18
|
-
*/
|
|
19
|
-
export declare function tryConsumeExecutionTicket(argv: readonly string[], opts?: {
|
|
20
|
-
storageRoot?: string;
|
|
21
|
-
kind?: "shell" | "mcp";
|
|
22
|
-
tool_input_sha256?: string | null;
|
|
23
|
-
approval_fingerprint?: ShellApprovalFingerprintPayload | null;
|
|
24
|
-
}): Promise<boolean>;
|
|
25
4
|
//# sourceMappingURL=execution-ticket.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"execution-ticket.d.ts","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"execution-ticket.d.ts","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAChG,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAErE,wBAAgB,kBAAkB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/D"}
|
|
@@ -1,184 +1,7 @@
|
|
|
1
|
-
import { randomUUID } from "node:crypto";
|
|
2
|
-
import { mkdir, readdir, readFile, unlink, writeFile } from "node:fs/promises";
|
|
3
|
-
import path from "node:path";
|
|
4
|
-
import { getInstallId } from "../cli/install-id.js";
|
|
5
|
-
import { verifyExecutionTicket } from "../approval/grant.js";
|
|
6
|
-
import { resolveShellApprovalHash } from "../approval/argv-fingerprint.js";
|
|
7
1
|
import { guardSubpath } from "./guard-storage-root.js";
|
|
8
|
-
|
|
9
|
-
export
|
|
2
|
+
export { EXECUTION_TICKET_ENV, tryConsumeExecutionTicket } from "./execution-ticket-consume.js";
|
|
3
|
+
export { recordExecutionTicket } from "./execution-ticket-record.js";
|
|
10
4
|
export function executionTicketDir(storageRoot) {
|
|
11
5
|
return guardSubpath("tickets", storageRoot);
|
|
12
6
|
}
|
|
13
|
-
function argvDeepEqual(stored, requested) {
|
|
14
|
-
if (!Array.isArray(stored) || stored.length !== requested.length)
|
|
15
|
-
return false;
|
|
16
|
-
return stored.every((v, i) => typeof v === "string" && v === requested[i]);
|
|
17
|
-
}
|
|
18
|
-
function fingerprintDeepEqual(stored, requested) {
|
|
19
|
-
if (!stored || typeof stored !== "object")
|
|
20
|
-
return false;
|
|
21
|
-
return shellApprovalFingerprintId(stored) === shellApprovalFingerprintId(requested);
|
|
22
|
-
}
|
|
23
|
-
function isEquivalentMcpInvocation(approved, requested) {
|
|
24
|
-
if (approved.length < 3 || requested.length < 3)
|
|
25
|
-
return false;
|
|
26
|
-
if (approved[0] !== "mcp" || requested[0] !== "mcp")
|
|
27
|
-
return false;
|
|
28
|
-
if (approved[2] !== requested[2])
|
|
29
|
-
return false;
|
|
30
|
-
if (approved[1] === requested[1])
|
|
31
|
-
return true;
|
|
32
|
-
return approved[1] === "stdio" || requested[1] === "stdio";
|
|
33
|
-
}
|
|
34
|
-
function shellApprovalId(argv, fingerprint) {
|
|
35
|
-
if (fingerprint)
|
|
36
|
-
return shellApprovalFingerprintId(fingerprint);
|
|
37
|
-
return shellArgvApprovalId(argv);
|
|
38
|
-
}
|
|
39
|
-
function argvMatchesApproval(approved, requested, kind, approvedFingerprint, requestedFingerprint) {
|
|
40
|
-
if (kind === "shell" && approvedFingerprint && requestedFingerprint) {
|
|
41
|
-
return fingerprintDeepEqual(approvedFingerprint, requestedFingerprint);
|
|
42
|
-
}
|
|
43
|
-
if (!approved)
|
|
44
|
-
return false;
|
|
45
|
-
if (argvDeepEqual(approved, requested))
|
|
46
|
-
return true;
|
|
47
|
-
if (kind === "mcp")
|
|
48
|
-
return isEquivalentMcpInvocation(approved, requested);
|
|
49
|
-
return false;
|
|
50
|
-
}
|
|
51
|
-
/**
|
|
52
|
-
* After redeem, persist a signed execution ticket for hook verification (dual-write with bridge).
|
|
53
|
-
*
|
|
54
|
-
* When a fingerprint is provided the primary file is indexed by the fingerprint hash.
|
|
55
|
-
* We also write an argv-hash alias so hooks that lack fingerprint context (e.g. the
|
|
56
|
-
* Claude Code PreToolUse hook) can find and consume the ticket by argv alone.
|
|
57
|
-
*/
|
|
58
|
-
export async function recordExecutionTicket(ticket, argv, opts) {
|
|
59
|
-
const id = shellApprovalId(argv, opts?.approval_fingerprint);
|
|
60
|
-
const dir = executionTicketDir(opts?.storageRoot);
|
|
61
|
-
await mkdir(dir, { recursive: true });
|
|
62
|
-
const claims = verifyExecutionTicket(ticket);
|
|
63
|
-
const expMs = claims ? claims.exp * 1000 : Date.now() + 10 * 60 * 1000;
|
|
64
|
-
const content = JSON.stringify({
|
|
65
|
-
exp: expMs,
|
|
66
|
-
argv: [...argv],
|
|
67
|
-
fingerprint: opts?.approval_fingerprint ?? undefined,
|
|
68
|
-
ticket,
|
|
69
|
-
kind: opts?.kind ?? claims?.kind ?? "shell",
|
|
70
|
-
});
|
|
71
|
-
const file = path.join(dir, `${id}_${randomUUID()}.json`);
|
|
72
|
-
await writeFile(file, content, "utf8");
|
|
73
|
-
// When stored by fingerprint hash, also write an argv-hash alias so hooks
|
|
74
|
-
// without fingerprint context (e.g. claude-code PreToolUse) can find it.
|
|
75
|
-
// The alias omits the fingerprint so tryConsumeTicketToken hashes by argv,
|
|
76
|
-
// matching the argv_sha256 the server put in the JWT.
|
|
77
|
-
if (opts?.approval_fingerprint && (opts?.kind ?? claims?.kind ?? "shell") === "shell") {
|
|
78
|
-
const argvId = shellArgvApprovalId(argv);
|
|
79
|
-
if (argvId !== id) {
|
|
80
|
-
const aliasContent = JSON.stringify({
|
|
81
|
-
exp: expMs,
|
|
82
|
-
argv: [...argv],
|
|
83
|
-
ticket,
|
|
84
|
-
kind: opts?.kind ?? claims?.kind ?? "shell",
|
|
85
|
-
});
|
|
86
|
-
const aliasFile = path.join(dir, `${argvId}_${randomUUID()}.json`);
|
|
87
|
-
await writeFile(aliasFile, aliasContent, "utf8");
|
|
88
|
-
}
|
|
89
|
-
}
|
|
90
|
-
}
|
|
91
|
-
/**
|
|
92
|
-
* Verify a signed execution ticket locally and consume it once (env var or ticket files).
|
|
93
|
-
*/
|
|
94
|
-
export async function tryConsumeExecutionTicket(argv, opts) {
|
|
95
|
-
const fromEnv = process.env[EXECUTION_TICKET_ENV]?.trim();
|
|
96
|
-
if (fromEnv && tryConsumeTicketToken(fromEnv, argv, opts)) {
|
|
97
|
-
return true;
|
|
98
|
-
}
|
|
99
|
-
const dir = executionTicketDir(opts?.storageRoot);
|
|
100
|
-
let names = [];
|
|
101
|
-
try {
|
|
102
|
-
names = await readdir(dir);
|
|
103
|
-
}
|
|
104
|
-
catch {
|
|
105
|
-
return false;
|
|
106
|
-
}
|
|
107
|
-
const now = Date.now();
|
|
108
|
-
const approvalId = shellApprovalId(argv, opts?.approval_fingerprint);
|
|
109
|
-
const candidates = opts?.kind === "mcp"
|
|
110
|
-
? names.filter((n) => n.endsWith(".json"))
|
|
111
|
-
: names.filter((n) => n.startsWith(`${approvalId}_`) && n.endsWith(".json"));
|
|
112
|
-
for (const name of candidates) {
|
|
113
|
-
const file = path.join(dir, name);
|
|
114
|
-
try {
|
|
115
|
-
const raw = await readFile(file, "utf8");
|
|
116
|
-
const row = JSON.parse(raw);
|
|
117
|
-
if (typeof row.exp !== "number" || row.exp < now) {
|
|
118
|
-
await unlink(file).catch(() => { });
|
|
119
|
-
continue;
|
|
120
|
-
}
|
|
121
|
-
if (!argvMatchesApproval(row.argv, argv, opts?.kind ?? row.kind, row.fingerprint, opts?.approval_fingerprint)) {
|
|
122
|
-
continue;
|
|
123
|
-
}
|
|
124
|
-
const ticket = typeof row.ticket === "string" ? row.ticket : "";
|
|
125
|
-
if (!ticket ||
|
|
126
|
-
!tryConsumeTicketToken(ticket, argv, {
|
|
127
|
-
kind: opts?.kind ?? row.kind,
|
|
128
|
-
tool_input_sha256: opts?.tool_input_sha256,
|
|
129
|
-
approved_argv: row.argv,
|
|
130
|
-
approval_fingerprint: opts?.approval_fingerprint,
|
|
131
|
-
approved_fingerprint: row.fingerprint,
|
|
132
|
-
})) {
|
|
133
|
-
continue;
|
|
134
|
-
}
|
|
135
|
-
if (row.kind && opts?.kind && row.kind !== opts.kind)
|
|
136
|
-
continue;
|
|
137
|
-
await unlink(file);
|
|
138
|
-
return true;
|
|
139
|
-
}
|
|
140
|
-
catch {
|
|
141
|
-
continue;
|
|
142
|
-
}
|
|
143
|
-
}
|
|
144
|
-
return false;
|
|
145
|
-
}
|
|
146
|
-
function tryConsumeTicketToken(ticket, argv, opts) {
|
|
147
|
-
const claims = verifyExecutionTicket(ticket);
|
|
148
|
-
const expectedHash = resolveShellApprovalHash({
|
|
149
|
-
kind: opts?.kind ?? "shell",
|
|
150
|
-
argv,
|
|
151
|
-
approval_fingerprint: opts?.approval_fingerprint,
|
|
152
|
-
});
|
|
153
|
-
if (!claims) {
|
|
154
|
-
return argvMatchesApproval(opts?.approved_argv, argv, opts?.kind, opts?.approved_fingerprint, opts?.approval_fingerprint);
|
|
155
|
-
}
|
|
156
|
-
const approvedArgv = opts?.approved_argv;
|
|
157
|
-
const approvedHash = resolveShellApprovalHash({
|
|
158
|
-
kind: opts?.kind ?? claims.kind ?? "shell",
|
|
159
|
-
argv: approvedArgv ?? argv,
|
|
160
|
-
approval_fingerprint: opts?.approved_fingerprint ?? opts?.approval_fingerprint,
|
|
161
|
-
});
|
|
162
|
-
if (approvedArgv) {
|
|
163
|
-
if (claims.argv_sha256 !== approvedHash)
|
|
164
|
-
return false;
|
|
165
|
-
if (!argvMatchesApproval(approvedArgv, argv, opts?.kind ?? claims.kind, opts?.approved_fingerprint, opts?.approval_fingerprint)) {
|
|
166
|
-
return false;
|
|
167
|
-
}
|
|
168
|
-
}
|
|
169
|
-
else if (claims.argv_sha256 !== expectedHash) {
|
|
170
|
-
return false;
|
|
171
|
-
}
|
|
172
|
-
if (claims.install_id !== getInstallId())
|
|
173
|
-
return false;
|
|
174
|
-
if (opts?.kind && claims.kind !== opts.kind)
|
|
175
|
-
return false;
|
|
176
|
-
const expectedToolHash = opts?.tool_input_sha256?.trim() || null;
|
|
177
|
-
const claimToolHash = typeof claims.tool_input_sha256 === "string" ? claims.tool_input_sha256.trim() : null;
|
|
178
|
-
if (claimToolHash && expectedToolHash && claimToolHash !== expectedToolHash)
|
|
179
|
-
return false;
|
|
180
|
-
if (claimToolHash && !expectedToolHash)
|
|
181
|
-
return false;
|
|
182
|
-
return true;
|
|
183
|
-
}
|
|
184
7
|
//# sourceMappingURL=execution-ticket.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"execution-ticket.js","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"execution-ticket.js","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAChG,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAErE,MAAM,UAAU,kBAAkB,CAAC,WAAoB;IACrD,OAAO,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;AAC9C,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dispatch-hook.d.ts","sourceRoot":"","sources":["../../src/cli/dispatch-hook.ts"],"names":[],"mappings":"AAIA,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,CAwBpF"}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
import { runBeforeMcpHookFromStdin } from "../hooks/run-before-mcp.js";
|
|
2
|
+
import { runBeforeShellHookFromStdin } from "../hooks/run-before-shell.js";
|
|
3
|
+
import { runClaudeCodePreToolUseHookFromStdin } from "../hooks/run-claude-code-pre-tool-use.js";
|
|
4
|
+
export async function dispatchHookCommand(name) {
|
|
5
|
+
if (name === "before-shell") {
|
|
6
|
+
await runBeforeShellHookFromStdin();
|
|
7
|
+
return true;
|
|
8
|
+
}
|
|
9
|
+
if (name === "before-mcp") {
|
|
10
|
+
await runBeforeMcpHookFromStdin();
|
|
11
|
+
return true;
|
|
12
|
+
}
|
|
13
|
+
if (name === "claude-code") {
|
|
14
|
+
await runClaudeCodePreToolUseHookFromStdin();
|
|
15
|
+
return true;
|
|
16
|
+
}
|
|
17
|
+
if (name === "codex-pre-tool-use") {
|
|
18
|
+
const { runCodexPreToolUseHookFromStdin } = await import("../hooks/run-codex-hooks.js");
|
|
19
|
+
await runCodexPreToolUseHookFromStdin();
|
|
20
|
+
return true;
|
|
21
|
+
}
|
|
22
|
+
if (name === "codex-permission-request") {
|
|
23
|
+
const { runCodexPermissionRequestHookFromStdin } = await import("../hooks/run-codex-hooks.js");
|
|
24
|
+
await runCodexPermissionRequestHookFromStdin();
|
|
25
|
+
return true;
|
|
26
|
+
}
|
|
27
|
+
return false;
|
|
28
|
+
}
|
|
29
|
+
//# sourceMappingURL=dispatch-hook.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dispatch-hook.js","sourceRoot":"","sources":["../../src/cli/dispatch-hook.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,oCAAoC,EAAE,MAAM,0CAA0C,CAAC;AAEhG,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAwB;IAChE,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,MAAM,2BAA2B,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,MAAM,yBAAyB,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,MAAM,oCAAoC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,KAAK,oBAAoB,EAAE,CAAC;QAClC,MAAM,EAAE,+BAA+B,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QACxF,MAAM,+BAA+B,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,IAAI,KAAK,0BAA0B,EAAE,CAAC;QACxC,MAAM,EAAE,sCAAsC,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC/F,MAAM,sCAAsC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dispatch-setup.d.ts","sourceRoot":"","sources":["../../src/cli/dispatch-setup.ts"],"names":[],"mappings":"AAAA,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAgCjG"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
export async function dispatchSetupCommand(sub, args) {
|
|
2
|
+
if (sub === "all") {
|
|
3
|
+
const { runSetupAll } = await import("./setup-all.js");
|
|
4
|
+
await runSetupAll(args);
|
|
5
|
+
return;
|
|
6
|
+
}
|
|
7
|
+
if (sub === "hook") {
|
|
8
|
+
const { runSetupHook } = await import("./setup-hook.js");
|
|
9
|
+
await runSetupHook(args);
|
|
10
|
+
return;
|
|
11
|
+
}
|
|
12
|
+
if (sub === "mcp") {
|
|
13
|
+
const { runSetupMcp } = await import("./setup-mcp.js");
|
|
14
|
+
await runSetupMcp(args);
|
|
15
|
+
return;
|
|
16
|
+
}
|
|
17
|
+
if (sub === "cloud") {
|
|
18
|
+
const { runSetupCloud } = await import("./setup-cloud.js");
|
|
19
|
+
await runSetupCloud(args);
|
|
20
|
+
return;
|
|
21
|
+
}
|
|
22
|
+
if (sub === "doctor") {
|
|
23
|
+
const { runSetupDoctor } = await import("./setup-doctor.js");
|
|
24
|
+
await runSetupDoctor(args);
|
|
25
|
+
return;
|
|
26
|
+
}
|
|
27
|
+
if (sub === "codex") {
|
|
28
|
+
const { runSetupCodex } = await import("./setup-codex.js");
|
|
29
|
+
await runSetupCodex(args);
|
|
30
|
+
return;
|
|
31
|
+
}
|
|
32
|
+
throw new Error(`Unknown setup command: ${sub ?? "(missing)"}`);
|
|
33
|
+
}
|
|
34
|
+
//# sourceMappingURL=dispatch-setup.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dispatch-setup.js","sourceRoot":"","sources":["../../src/cli/dispatch-setup.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,GAAuB,EAAE,IAAc;IAChF,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACvD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;QACxB,OAAO;IACT,CAAC;IACD,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACzD,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;QACzB,OAAO;IACT,CAAC;IACD,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACvD,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;QACxB,OAAO;IACT,CAAC;IACD,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC3D,MAAM,aAAa,CAAC,IAAI,CAAC,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QACrB,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAC7D,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC3D,MAAM,aAAa,CAAC,IAAI,CAAC,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,IAAI,WAAW,EAAE,CAAC,CAAC;AAClE,CAAC"}
|
package/dist/cli/doctor.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/cli/doctor.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/cli/doctor.ts"],"names":[],"mappings":"AAyEA,wBAAsB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAkG/C"}
|
package/dist/cli/doctor.js
CHANGED
|
@@ -13,7 +13,8 @@ import { readPoliciesMetaFile } from "./policies-meta.js";
|
|
|
13
13
|
function adapterReady(adapter, status) {
|
|
14
14
|
// For an adapter to count as "ready", every surface it declares MUST be configured.
|
|
15
15
|
// Cursor (hook + mcp + cloud) requires all three; Claude Desktop (mcp only) just needs MCP.
|
|
16
|
-
|
|
16
|
+
const hookStatus = adapter.preferredHookScope === "project" ? status.hook?.project : status.hook?.global;
|
|
17
|
+
if (adapter.upsertHook && !(hookStatus?.shell && hookStatus?.mcp))
|
|
17
18
|
return false;
|
|
18
19
|
if (!status.mcp?.configured)
|
|
19
20
|
return false;
|
|
@@ -25,17 +26,20 @@ function pushAdapterLines(lines, adapter, status) {
|
|
|
25
26
|
const installedTag = status.installed ? "installed" : "not installed";
|
|
26
27
|
lines.push(` ${adapter.label} (${installedTag}):`);
|
|
27
28
|
if (adapter.upsertHook) {
|
|
28
|
-
const
|
|
29
|
-
const
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
}
|
|
29
|
+
const globalEntry = status.hook?.global;
|
|
30
|
+
const projectEntry = status.hook?.project;
|
|
31
|
+
if (globalEntry && adapter.preferredHookScope !== "project") {
|
|
32
|
+
const ready = globalEntry.shell && globalEntry.mcp;
|
|
33
|
+
lines.push(` hook (global): ${ready ? "configured" : "missing (run \`auditor setup hook\`)"} (${globalEntry.path})`);
|
|
34
|
+
lines.push(` ${globalEntry.shellLabel ?? "beforeShell"}: ${globalEntry.shell ? "ok" : "missing"} | ${globalEntry.mcpLabel ?? "beforeMCP"}: ${globalEntry.mcp ? "ok" : "missing"}`);
|
|
35
|
+
}
|
|
36
|
+
if (projectEntry) {
|
|
37
|
+
const ready = projectEntry.shell && projectEntry.mcp;
|
|
38
|
+
lines.push(` hook (project): ${ready ? "configured" : "missing (run \`auditor setup hook --project\`)"} (${projectEntry.path})`);
|
|
39
|
+
lines.push(` ${projectEntry.shellLabel ?? "beforeShell"}: ${projectEntry.shell ? "ok" : "missing"} | ${projectEntry.mcpLabel ?? "beforeMCP"}: ${projectEntry.mcp ? "ok" : "missing"}`);
|
|
40
|
+
}
|
|
41
|
+
else if (adapter.preferredHookScope !== "project") {
|
|
42
|
+
lines.push(" hook (project): none");
|
|
39
43
|
}
|
|
40
44
|
}
|
|
41
45
|
const m = status.mcp ?? { configured: false, path: "" };
|
|
@@ -64,7 +68,7 @@ export async function runDoctor() {
|
|
|
64
68
|
const lines = [
|
|
65
69
|
`auditor doctor`,
|
|
66
70
|
`Install ID: ${getInstallId()}`,
|
|
67
|
-
`MCP stdio: auditor mcp (Cursor: command auditor, args [mcp])`,
|
|
71
|
+
`MCP stdio: auditor mcp (Cursor/Codex: command auditor, args [mcp])`,
|
|
68
72
|
`Node: ${process.version}`,
|
|
69
73
|
`Policy file: ${policyPath}`,
|
|
70
74
|
`Policy source: ${policySource}`,
|
package/dist/cli/doctor.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/cli/doctor.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAEpF,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC/F,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,SAAS,YAAY,CAAC,OAAqB,EAAE,MAAmB;IAC9D,oFAAoF;IACpF,4FAA4F;IAC5F,
|
|
1
|
+
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/cli/doctor.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAEpF,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC/F,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,SAAS,YAAY,CAAC,OAAqB,EAAE,MAAmB;IAC9D,oFAAoF;IACpF,4FAA4F;IAC5F,MAAM,UAAU,GACd,OAAO,CAAC,kBAAkB,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;IACxF,IAAI,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU,EAAE,KAAK,IAAI,UAAU,EAAE,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAChF,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CACvB,KAAe,EACf,OAAqB,EACrB,MAAmB;IAEnB,MAAM,YAAY,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC;IACtE,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,KAAK,KAAK,YAAY,IAAI,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;QACxC,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC;QAC1C,IAAI,WAAW,IAAI,OAAO,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YAC5D,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,IAAI,WAAW,CAAC,GAAG,CAAC;YACnD,KAAK,CAAC,IAAI,CACR,sBAAsB,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,sCAAsC,KAAK,WAAW,CAAC,IAAI,GAAG,CAC5G,CAAC;YACF,KAAK,CAAC,IAAI,CACR,SAAS,WAAW,CAAC,UAAU,IAAI,aAAa,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,MAAM,WAAW,CAAC,QAAQ,IAAI,WAAW,KAAK,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAC5K,CAAC;QACJ,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,IAAI,YAAY,CAAC,GAAG,CAAC;YACrD,KAAK,CAAC,IAAI,CACR,uBAAuB,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gDAAgD,KAAK,YAAY,CAAC,IAAI,GAAG,CACxH,CAAC;YACF,KAAK,CAAC,IAAI,CACR,SAAS,YAAY,CAAC,UAAU,IAAI,aAAa,KAAK,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,MAAM,YAAY,CAAC,QAAQ,IAAI,WAAW,KAAK,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAChL,CAAC;QACJ,CAAC;aAAM,IAAI,OAAO,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACpD,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IACD,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACxD,KAAK,CAAC,IAAI,CACR,YAAY,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,qCAAqC,KAAK,CAAC,CAAC,IAAI,GAAG,CAC9F,CAAC;IACF,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QAC1D,KAAK,CAAC,IAAI,CACR,wBAAwB,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,uCAAuC,KAAK,CAAC,CAAC,IAAI,GAAG,CAC5G,CAAC;IACJ,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,YAAY,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;IAEzE,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,IAAI,qBAAqB,EAAE,CAAC;IAC1F,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,uBAAuB,EAAE,CAAC;IAC5F,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE;QAC9D,CAAC,CAAC,6BAA6B;QAC/B,CAAC,CAAC,IAAI,EAAE,MAAM,KAAK,mBAAmB;YACpC,CAAC,CAAC,8CAA8C;YAChD,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;gBACtB,CAAC,CAAC,kCAAkC;gBACpC,CAAC,CAAC,qDAAqD,CAAC;IAE9D,MAAM,KAAK,GAAG;QACZ,gBAAgB;QAChB,eAAe,YAAY,EAAE,EAAE;QAC/B,sEAAsE;QACtE,SAAS,OAAO,CAAC,OAAO,EAAE;QAC1B,gBAAgB,UAAU,EAAE;QAC5B,kBAAkB,YAAY,EAAE;QAChC,kBAAkB,QAAQ,EAAE;QAC5B,IAAI;YACF,CAAC,CAAC,4BAA4B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YAC7F,CAAC,CAAC,uEAAuE;QAC3E,eAAe,cAAc,CAAC,GAAG,CAAC,EAAE;QACpC,0BAA0B,kBAAkB,CAAC,GAAG,CAAC,EAAE;QACnD,cAAc,SAAS,EAAE;QACzB,2BAA2B,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,wBAAwB,EAAE;KAC5F,CAAC;IAEF,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,MAAM,eAAe,GAAqD,EAAE,CAAC;IAC7E,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC3E,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,eAAe,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1C,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,KAAK,GAAG,iBAAiB,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE,CAAC;IAClF,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE;QACxD,CAAC,CAAC,wBAAwB;QAC1B,CAAC,CAAC,KAAK;YACL,CAAC,CAAC,QAAQ,eAAe,EAAE,EAAE;YAC7B,CAAC,CAAC,IAAI,CAAC;IACX,KAAK,CAAC,IAAI,CACR,WAAW;QACT,CAAC,CAAC,SAAS,WAAW,YAAY,KAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,KAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG;QAC7E,CAAC,CAAC,oCAAoC,CACzC,CAAC;IACF,MAAM,SAAS,GAAG,uBAAuB,EAAE,CAAC;IAC5C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CACR,SAAS,KAAK,KAAK;YACjB,CAAC,CAAC,sBAAsB,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;YAC/C,CAAC,CAAC,sBAAsB,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,yBAAyB,CAAC,CAAC;IAEpE,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAuB;gBAChD,GAAG,EAAE,eAAe;gBACpB,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,8BAA8B,MAAM,EAAE,CAAC,CAAC;YACnD,IAAI,IAAI,EAAE,CAAC;gBACT,KAAK,CAAC,IAAI,CACR,IAAI,CAAC,QAAQ,KAAK,MAAM;oBACtB,CAAC,CAAC,4CAA4C;oBAC9C,CAAC,CAAC,qCAAqC,IAAI,CAAC,QAAQ,cAAc,MAAM,IAAI,CAC/E,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,IAAI,CAAC,6BAA6B,MAAM,wBAAwB,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,KAAK,CAAC,IAAI,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IACjF,CAAC;IAED,2EAA2E;IAC3E,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IAChG,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC;IAC1B,MAAM,KAAK,GAAG,UAAU,IAAI,SAAS,CAAC;IACtC,KAAK,CAAC,IAAI,CACR,UAAU,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,WAAW,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,UAAU,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,GAAG,CAChH,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChD,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"help.d.ts","sourceRoot":"","sources":["../../src/cli/help.ts"],"names":[],"mappings":"AA2DA,wBAAgB,SAAS,IAAI,IAAI,CAEhC"}
|
package/dist/cli/help.js
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
import process from "node:process";
|
|
2
|
+
const HELP_TEXT = `auditor — Praxis guard CLI
|
|
3
|
+
|
|
4
|
+
Usage:
|
|
5
|
+
auditor setup all Configure all detected agents (use --for=<agent>; Codex uses --project/cwd)
|
|
6
|
+
auditor setup hook Configure hook settings (Cursor global by default; Codex is repo-local)
|
|
7
|
+
auditor setup mcp Configure MCP settings (Cursor global by default; Codex uses --project/cwd)
|
|
8
|
+
auditor setup cloud Configure .cursor/environment.json for Cloud Agents
|
|
9
|
+
auditor setup doctor Validate configured agent setup, including project-local Codex
|
|
10
|
+
auditor setup codex Configure repo-local .codex MCP + hooks (--project, --dry-run)
|
|
11
|
+
auditor setup codex doctor Validate repo-local Codex setup
|
|
12
|
+
auditor login Authenticate this CLI with your Praxis account (device code flow)
|
|
13
|
+
auditor logout [--revoke] Remove saved credentials (and optionally revoke token server-side)
|
|
14
|
+
auditor token create Generate a new bearer token (for Cloud Agents, CI, etc.)
|
|
15
|
+
auditor whoami Show signed-in uid, email, and token source (calls Cloud Function)
|
|
16
|
+
auditor mcp MCP stdio server (tools: guard, guard_wait) — use in Cursor mcp.json
|
|
17
|
+
auditor approvals list List pending approval requests
|
|
18
|
+
auditor approvals open <id> Print approval URL for a request
|
|
19
|
+
auditor approvals approve <id> Dev-only: approve request (GUARD_APPROVAL_DEV=1)
|
|
20
|
+
auditor approvals deny <id> Deny an approval request (human auth or dev)
|
|
21
|
+
auditor approvals watch <id> Poll until approved and write execution ticket
|
|
22
|
+
auditor hook before-shell Cursor beforeShellExecution (stdin JSON → stdout JSON)
|
|
23
|
+
auditor hook before-mcp Cursor beforeMCPExecution (stdin JSON → stdout JSON)
|
|
24
|
+
auditor hook claude-code Claude Code PreToolUse/Bash (stdin JSON → stdout JSON)
|
|
25
|
+
auditor hook codex-pre-tool-use Codex PreToolUse (Bash + MCP)
|
|
26
|
+
auditor hook codex-permission-request Codex PermissionRequest (Bash + MCP)
|
|
27
|
+
auditor doctor Show policy path, sync revision, auth status
|
|
28
|
+
auditor policies sync Fetch policies from Cloud Functions → local policies.v1.json + meta
|
|
29
|
+
auditor version Package version and git short SHA when available
|
|
30
|
+
auditor help | --help This message
|
|
31
|
+
|
|
32
|
+
Auth:
|
|
33
|
+
Token is resolved in order: PRAXIS_GUARD_TOKEN env var → ~/.config/praxis/credentials.json.
|
|
34
|
+
Run \`auditor login\` to authenticate interactively.
|
|
35
|
+
|
|
36
|
+
Defaults (production):
|
|
37
|
+
Project ID and region use built-in Praxis production values unless overridden below.
|
|
38
|
+
Function URLs are derived from project/region or explicit base-url env vars.
|
|
39
|
+
|
|
40
|
+
Local development:
|
|
41
|
+
Set PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST to your Functions emulator host:port.
|
|
42
|
+
|
|
43
|
+
Env (all optional):
|
|
44
|
+
PRAXIS_GUARD_TOKEN Override token (CI/CD). Skips credential file.
|
|
45
|
+
PRAXIS_FIREBASE_ID_TOKEN Alternative: Firebase Auth ID JWT for the functions project.
|
|
46
|
+
PRAXIS_FIREBASE_FUNCTIONS_EMULATOR_HOST Functions emulator host:port (local dev).
|
|
47
|
+
PRAXIS_FIREBASE_PROJECT_ID Override Firebase project id.
|
|
48
|
+
PRAXIS_FIREBASE_FUNCTIONS_REGION Override Functions region.
|
|
49
|
+
PRAXIS_FIREBASE_CALLABLE_BASE_URL Full override base URL (no trailing slash).
|
|
50
|
+
PRAXIS_GUARD_EVENT_URL Full override for guard event endpoint.
|
|
51
|
+
PRAXIS_APP_URL Web app origin for login and approval links.
|
|
52
|
+
PRAXIS_POLICIES_V1_PATH Override path for policies.v1.json (default: ~/.praxis/policies.v1.json).
|
|
53
|
+
PRAXIS_POLICIES_META_PATH Override path for policies.v1.meta.json (default beside policy file).
|
|
54
|
+
PRAXIS_GUARD_STORAGE_ROOT Workspace root for .praxis/guard tickets/pending (auto-detected from cwd).
|
|
55
|
+
PRAXIS_HOOK_INLINE_APPROVAL Set to 0 to disable hook-inline approval request on MUTATE deny (default: on).
|
|
56
|
+
PRAXIS_HOOK_INLINE_APPROVAL_TIMEOUT_MS Max ms for inline approval HTTP from hooks (default: 1200).
|
|
57
|
+
`;
|
|
58
|
+
export function printHelp() {
|
|
59
|
+
process.stdout.write(HELP_TEXT);
|
|
60
|
+
}
|
|
61
|
+
//# sourceMappingURL=help.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"help.js","sourceRoot":"","sources":["../../src/cli/help.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,MAAM,SAAS,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuDjB,CAAC;AAEF,MAAM,UAAU,SAAS;IACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}
|
package/dist/cli/main.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/cli/main.ts"],"names":[],"mappings":"AAQA,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAkH1D"}
|