npm - @pythonluvr/openwar - Versions diffs - 0.4.0 - Mend

@pythonluvr/openwar 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (298) hide show

package/LICENSE +21 -0
package/README.md +297 -0
package/bin/openwar +45 -0
package/dist/adapters/anthropic.d.ts +15 -0
package/dist/adapters/anthropic.d.ts.map +1 -0
package/dist/adapters/anthropic.js +179 -0
package/dist/adapters/anthropic.js.map +1 -0
package/dist/adapters/gemini.d.ts +15 -0
package/dist/adapters/gemini.d.ts.map +1 -0
package/dist/adapters/gemini.js +141 -0
package/dist/adapters/gemini.js.map +1 -0
package/dist/adapters/grok.d.ts +6 -0
package/dist/adapters/grok.d.ts.map +1 -0
package/dist/adapters/grok.js +15 -0
package/dist/adapters/grok.js.map +1 -0
package/dist/adapters/index.d.ts +16 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +35 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/mock.d.ts +17 -0
package/dist/adapters/mock.d.ts.map +1 -0
package/dist/adapters/mock.js +33 -0
package/dist/adapters/mock.js.map +1 -0
package/dist/adapters/openai-compat.d.ts +6 -0
package/dist/adapters/openai-compat.d.ts.map +1 -0
package/dist/adapters/openai-compat.js +19 -0
package/dist/adapters/openai-compat.js.map +1 -0
package/dist/adapters/openai.d.ts +23 -0
package/dist/adapters/openai.d.ts.map +1 -0
package/dist/adapters/openai.js +176 -0
package/dist/adapters/openai.js.map +1 -0
package/dist/adapters/sse.d.ts +6 -0
package/dist/adapters/sse.d.ts.map +1 -0
package/dist/adapters/sse.js +45 -0
package/dist/adapters/sse.js.map +1 -0
package/dist/adapters/types.d.ts +7 -0
package/dist/adapters/types.d.ts.map +1 -0
package/dist/adapters/types.js +2 -0
package/dist/adapters/types.js.map +1 -0
package/dist/auth/categories.d.ts +13 -0
package/dist/auth/categories.d.ts.map +1 -0
package/dist/auth/categories.js +47 -0
package/dist/auth/categories.js.map +1 -0
package/dist/auth/check.d.ts +31 -0
package/dist/auth/check.d.ts.map +1 -0
package/dist/auth/check.js +59 -0
package/dist/auth/check.js.map +1 -0
package/dist/auth/role-scope.d.ts +18 -0
package/dist/auth/role-scope.d.ts.map +1 -0
package/dist/auth/role-scope.js +62 -0
package/dist/auth/role-scope.js.map +1 -0
package/dist/auth/wildcards.d.ts +5 -0
package/dist/auth/wildcards.d.ts.map +1 -0
package/dist/auth/wildcards.js +36 -0
package/dist/auth/wildcards.js.map +1 -0
package/dist/brief.d.ts +9 -0
package/dist/brief.d.ts.map +1 -0
package/dist/brief.js +514 -0
package/dist/brief.js.map +1 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +585 -0
package/dist/cli.js.map +1 -0
package/dist/coordinator/cost-tracker.d.ts +14 -0
package/dist/coordinator/cost-tracker.d.ts.map +1 -0
package/dist/coordinator/cost-tracker.js +63 -0
package/dist/coordinator/cost-tracker.js.map +1 -0
package/dist/coordinator/driver.d.ts +37 -0
package/dist/coordinator/driver.d.ts.map +1 -0
package/dist/coordinator/driver.js +644 -0
package/dist/coordinator/driver.js.map +1 -0
package/dist/coordinator/index.d.ts +14 -0
package/dist/coordinator/index.d.ts.map +1 -0
package/dist/coordinator/index.js +8 -0
package/dist/coordinator/index.js.map +1 -0
package/dist/coordinator/plan-parser.d.ts +17 -0
package/dist/coordinator/plan-parser.d.ts.map +1 -0
package/dist/coordinator/plan-parser.js +44 -0
package/dist/coordinator/plan-parser.js.map +1 -0
package/dist/coordinator/result-aggregator.d.ts +21 -0
package/dist/coordinator/result-aggregator.d.ts.map +1 -0
package/dist/coordinator/result-aggregator.js +58 -0
package/dist/coordinator/result-aggregator.js.map +1 -0
package/dist/coordinator/retry-policy.d.ts +7 -0
package/dist/coordinator/retry-policy.d.ts.map +1 -0
package/dist/coordinator/retry-policy.js +17 -0
package/dist/coordinator/retry-policy.js.map +1 -0
package/dist/coordinator/state-machine.d.ts +63 -0
package/dist/coordinator/state-machine.d.ts.map +1 -0
package/dist/coordinator/state-machine.js +242 -0
package/dist/coordinator/state-machine.js.map +1 -0
package/dist/coordinator/types.d.ts +3 -0
package/dist/coordinator/types.d.ts.map +1 -0
package/dist/coordinator/types.js +5 -0
package/dist/coordinator/types.js.map +1 -0
package/dist/detectors/banned-phrases.d.ts +3 -0
package/dist/detectors/banned-phrases.d.ts.map +1 -0
package/dist/detectors/banned-phrases.js +33 -0
package/dist/detectors/banned-phrases.js.map +1 -0
package/dist/detectors/blocker.d.ts +3 -0
package/dist/detectors/blocker.d.ts.map +1 -0
package/dist/detectors/blocker.js +62 -0
package/dist/detectors/blocker.js.map +1 -0
package/dist/detectors/completion.d.ts +3 -0
package/dist/detectors/completion.d.ts.map +1 -0
package/dist/detectors/completion.js +17 -0
package/dist/detectors/completion.js.map +1 -0
package/dist/detectors/confirmation-summary.d.ts +3 -0
package/dist/detectors/confirmation-summary.d.ts.map +1 -0
package/dist/detectors/confirmation-summary.js +76 -0
package/dist/detectors/confirmation-summary.js.map +1 -0
package/dist/detectors/destructive.d.ts +3 -0
package/dist/detectors/destructive.d.ts.map +1 -0
package/dist/detectors/destructive.js +96 -0
package/dist/detectors/destructive.js.map +1 -0
package/dist/detectors/index.d.ts +12 -0
package/dist/detectors/index.d.ts.map +1 -0
package/dist/detectors/index.js +19 -0
package/dist/detectors/index.js.map +1 -0
package/dist/detectors/phase-marker.d.ts +3 -0
package/dist/detectors/phase-marker.d.ts.map +1 -0
package/dist/detectors/phase-marker.js +25 -0
package/dist/detectors/phase-marker.js.map +1 -0
package/dist/framework.d.ts +2 -0
package/dist/framework.d.ts.map +1 -0
package/dist/framework.js +34 -0
package/dist/framework.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +10 -0
package/dist/index.js.map +1 -0
package/dist/io.d.ts +25 -0
package/dist/io.d.ts.map +1 -0
package/dist/io.js +83 -0
package/dist/io.js.map +1 -0
package/dist/mcp/client.d.ts +22 -0
package/dist/mcp/client.d.ts.map +1 -0
package/dist/mcp/client.js +44 -0
package/dist/mcp/client.js.map +1 -0
package/dist/mcp/index.d.ts +5 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +6 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/registry.d.ts +16 -0
package/dist/mcp/registry.d.ts.map +1 -0
package/dist/mcp/registry.js +53 -0
package/dist/mcp/registry.js.map +1 -0
package/dist/mcp/transport-stdio.d.ts +26 -0
package/dist/mcp/transport-stdio.d.ts.map +1 -0
package/dist/mcp/transport-stdio.js +138 -0
package/dist/mcp/transport-stdio.js.map +1 -0
package/dist/mcp/types.d.ts +90 -0
package/dist/mcp/types.d.ts.map +1 -0
package/dist/mcp/types.js +23 -0
package/dist/mcp/types.js.map +1 -0
package/dist/orchestration/handoff.d.ts +27 -0
package/dist/orchestration/handoff.d.ts.map +1 -0
package/dist/orchestration/handoff.js +322 -0
package/dist/orchestration/handoff.js.map +1 -0
package/dist/phases/blocker.d.ts +8 -0
package/dist/phases/blocker.d.ts.map +1 -0
package/dist/phases/blocker.js +11 -0
package/dist/phases/blocker.js.map +1 -0
package/dist/phases/completion.d.ts +10 -0
package/dist/phases/completion.d.ts.map +1 -0
package/dist/phases/completion.js +47 -0
package/dist/phases/completion.js.map +1 -0
package/dist/phases/destructive.d.ts +10 -0
package/dist/phases/destructive.d.ts.map +1 -0
package/dist/phases/destructive.js +31 -0
package/dist/phases/destructive.js.map +1 -0
package/dist/phases/execute.d.ts +30 -0
package/dist/phases/execute.d.ts.map +1 -0
package/dist/phases/execute.js +222 -0
package/dist/phases/execute.js.map +1 -0
package/dist/phases/intake.d.ts +16 -0
package/dist/phases/intake.d.ts.map +1 -0
package/dist/phases/intake.js +105 -0
package/dist/phases/intake.js.map +1 -0
package/dist/roles/critic.d.ts +3 -0
package/dist/roles/critic.d.ts.map +1 -0
package/dist/roles/critic.js +35 -0
package/dist/roles/critic.js.map +1 -0
package/dist/roles/executor.d.ts +3 -0
package/dist/roles/executor.d.ts.map +1 -0
package/dist/roles/executor.js +46 -0
package/dist/roles/executor.js.map +1 -0
package/dist/roles/index.d.ts +8 -0
package/dist/roles/index.d.ts.map +1 -0
package/dist/roles/index.js +8 -0
package/dist/roles/index.js.map +1 -0
package/dist/roles/planner.d.ts +3 -0
package/dist/roles/planner.d.ts.map +1 -0
package/dist/roles/planner.js +50 -0
package/dist/roles/planner.js.map +1 -0
package/dist/roles/prompt-overlay.d.ts +9 -0
package/dist/roles/prompt-overlay.d.ts.map +1 -0
package/dist/roles/prompt-overlay.js +25 -0
package/dist/roles/prompt-overlay.js.map +1 -0
package/dist/roles/registry.d.ts +8 -0
package/dist/roles/registry.d.ts.map +1 -0
package/dist/roles/registry.js +45 -0
package/dist/roles/registry.js.map +1 -0
package/dist/roles/reviewer.d.ts +3 -0
package/dist/roles/reviewer.d.ts.map +1 -0
package/dist/roles/reviewer.js +46 -0
package/dist/roles/reviewer.js.map +1 -0
package/dist/roles/types.d.ts +2 -0
package/dist/roles/types.d.ts.map +1 -0
package/dist/roles/types.js +4 -0
package/dist/roles/types.js.map +1 -0
package/dist/runner.d.ts +3 -0
package/dist/runner.d.ts.map +1 -0
package/dist/runner.js +473 -0
package/dist/runner.js.map +1 -0
package/dist/sandbox/host-allowlist.d.ts +13 -0
package/dist/sandbox/host-allowlist.d.ts.map +1 -0
package/dist/sandbox/host-allowlist.js +85 -0
package/dist/sandbox/host-allowlist.js.map +1 -0
package/dist/sandbox/output-cap.d.ts +9 -0
package/dist/sandbox/output-cap.d.ts.map +1 -0
package/dist/sandbox/output-cap.js +66 -0
package/dist/sandbox/output-cap.js.map +1 -0
package/dist/sandbox/timeout.d.ts +7 -0
package/dist/sandbox/timeout.d.ts.map +1 -0
package/dist/sandbox/timeout.js +52 -0
package/dist/sandbox/timeout.js.map +1 -0
package/dist/sandbox/types.d.ts +18 -0
package/dist/sandbox/types.d.ts.map +1 -0
package/dist/sandbox/types.js +27 -0
package/dist/sandbox/types.js.map +1 -0
package/dist/sandbox/workdir.d.ts +9 -0
package/dist/sandbox/workdir.d.ts.map +1 -0
package/dist/sandbox/workdir.js +83 -0
package/dist/sandbox/workdir.js.map +1 -0
package/dist/state/index.d.ts +4 -0
package/dist/state/index.d.ts.map +1 -0
package/dist/state/index.js +4 -0
package/dist/state/index.js.map +1 -0
package/dist/state/paths.d.ts +5 -0
package/dist/state/paths.d.ts.map +1 -0
package/dist/state/paths.js +18 -0
package/dist/state/paths.js.map +1 -0
package/dist/state/persist.d.ts +14 -0
package/dist/state/persist.d.ts.map +1 -0
package/dist/state/persist.js +146 -0
package/dist/state/persist.js.map +1 -0
package/dist/state/transcript.d.ts +9 -0
package/dist/state/transcript.d.ts.map +1 -0
package/dist/state/transcript.js +34 -0
package/dist/state/transcript.js.map +1 -0
package/dist/tools/native/apply_patch.d.ts +18 -0
package/dist/tools/native/apply_patch.d.ts.map +1 -0
package/dist/tools/native/apply_patch.js +245 -0
package/dist/tools/native/apply_patch.js.map +1 -0
package/dist/tools/native/http_fetch.d.ts +6 -0
package/dist/tools/native/http_fetch.d.ts.map +1 -0
package/dist/tools/native/http_fetch.js +168 -0
package/dist/tools/native/http_fetch.js.map +1 -0
package/dist/tools/native/index.d.ts +9 -0
package/dist/tools/native/index.d.ts.map +1 -0
package/dist/tools/native/index.js +22 -0
package/dist/tools/native/index.js.map +1 -0
package/dist/tools/native/list_dir.d.ts +4 -0
package/dist/tools/native/list_dir.d.ts.map +1 -0
package/dist/tools/native/list_dir.js +175 -0
package/dist/tools/native/list_dir.js.map +1 -0
package/dist/tools/native/read_file.d.ts +4 -0
package/dist/tools/native/read_file.d.ts.map +1 -0
package/dist/tools/native/read_file.js +91 -0
package/dist/tools/native/read_file.js.map +1 -0
package/dist/tools/native/shell_exec.d.ts +4 -0
package/dist/tools/native/shell_exec.d.ts.map +1 -0
package/dist/tools/native/shell_exec.js +180 -0
package/dist/tools/native/shell_exec.js.map +1 -0
package/dist/tools/native/write_file.d.ts +4 -0
package/dist/tools/native/write_file.d.ts.map +1 -0
package/dist/tools/native/write_file.js +101 -0
package/dist/tools/native/write_file.js.map +1 -0
package/dist/tools/types.d.ts +48 -0
package/dist/tools/types.d.ts.map +1 -0
package/dist/tools/types.js +10 -0
package/dist/tools/types.js.map +1 -0
package/dist/types.d.ts +385 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +9 -0
package/dist/types.js.map +1 -0
package/examples/README.md +73 -0
package/examples/creative-brief.md +34 -0
package/examples/critic-disagreement-brief.md +42 -0
package/examples/engineering-brief.md +35 -0
package/examples/file-editing-brief.md +33 -0
package/examples/mcp-brief.md +34 -0
package/examples/multi-agent-brief.md +43 -0
package/examples/research-brief.md +35 -0
package/openwar.md +248 -0
package/package.json +76 -0
package/templates/brief.md +62 -0

package/dist/adapters/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/adapters/types.ts"],"names":[],"mappings":""}

package/dist/auth/categories.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+export declare const AUTH_CATEGORIES_STATIC: readonly ["filesystem_read", "filesystem_write", "filesystem_delete", "shell_exec", "http_fetch", "paid_api_call", "git_write", "git_push", "deploy", "external_message"];
+export type AuthCategoryStatic = (typeof AUTH_CATEGORIES_STATIC)[number];
+export type AuthCategoryMcpServer = `mcp_tool:${string}`;
+export type AuthCategoryMcpTool = `mcp_tool:${string}:${string}`;
+export type AuthCategory = AuthCategoryStatic | AuthCategoryMcpServer | AuthCategoryMcpTool;
+export declare const DEFAULT_ALLOWED: ReadonlySet<AuthCategoryStatic>;
+export declare function isStaticCategory(s: string): s is AuthCategoryStatic;
+export declare function isMcpCategory(s: string): s is AuthCategoryMcpServer | AuthCategoryMcpTool;
+export declare function parseMcpCategory(s: string): {
+    server: string;
+    tool?: string;
+} | null;
+//# sourceMappingURL=categories.d.ts.map

package/dist/auth/categories.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/auth/categories.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,sBAAsB,2KAWzB,CAAC;AAEX,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,sBAAsB,CAAC,CAAC,MAAM,CAAC,CAAC;AAIzE,MAAM,MAAM,qBAAqB,GAAG,YAAY,MAAM,EAAE,CAAC;AACzD,MAAM,MAAM,mBAAmB,GAAG,YAAY,MAAM,IAAI,MAAM,EAAE,CAAC;AAEjE,MAAM,MAAM,YAAY,GAAG,kBAAkB,GAAG,qBAAqB,GAAG,mBAAmB,CAAC;AAI5F,eAAO,MAAM,eAAe,EAAE,WAAW,CAAC,kBAAkB,CAE1D,CAAC;AAEH,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,IAAI,kBAAkB,CAEnE;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,IAAI,qBAAqB,GAAG,mBAAmB,CAEzF;AAID,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAUpF"}

package/dist/auth/categories.js ADDED Viewed

@@ -0,0 +1,47 @@
+// Authorization categories. Brief.authorized_costs lists items from this set
+// (or wildcards over it). Every tool call is checked against this list at the
+// boundary between LLM intent and sandbox execution.
+//
+// MCP categories are dynamic ("mcp_tool:<server>" or
+// "mcp_tool:<server>:<tool>") and represented as template literal types.
+export const AUTH_CATEGORIES_STATIC = [
+    "filesystem_read",
+    "filesystem_write",
+    "filesystem_delete",
+    "shell_exec",
+    "http_fetch",
+    "paid_api_call",
+    "git_write",
+    "git_push",
+    "deploy",
+    "external_message",
+];
+// Default-allowed categories. Reads are not destructive; everything else
+// requires explicit pre-approval in authorized_costs or a Phase 3 prompt.
+export const DEFAULT_ALLOWED = new Set([
+    "filesystem_read",
+]);
+export function isStaticCategory(s) {
+    return AUTH_CATEGORIES_STATIC.includes(s);
+}
+export function isMcpCategory(s) {
+    return s.startsWith("mcp_tool:");
+}
+// Parse "mcp_tool:server" or "mcp_tool:server:tool" into parts.
+// Returns null for malformed input.
+export function parseMcpCategory(s) {
+    if (!s.startsWith("mcp_tool:"))
+        return null;
+    const rest = s.slice("mcp_tool:".length);
+    if (rest.length === 0)
+        return null;
+    const firstColon = rest.indexOf(":");
+    if (firstColon === -1)
+        return { server: rest };
+    const server = rest.slice(0, firstColon);
+    const tool = rest.slice(firstColon + 1);
+    if (server.length === 0 || tool.length === 0)
+        return null;
+    return { server, tool };
+}
+//# sourceMappingURL=categories.js.map

package/dist/auth/categories.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/auth/categories.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,8EAA8E;AAC9E,qDAAqD;AACrD,EAAE;AACF,qDAAqD;AACrD,yEAAyE;AAEzE,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,iBAAiB;IACjB,kBAAkB;IAClB,mBAAmB;IACnB,YAAY;IACZ,YAAY;IACZ,eAAe;IACf,WAAW;IACX,UAAU;IACV,QAAQ;IACR,kBAAkB;CACV,CAAC;AAWX,yEAAyE;AACzE,0EAA0E;AAC1E,MAAM,CAAC,MAAM,eAAe,GAAoC,IAAI,GAAG,CAAC;IACtE,iBAAiB;CAClB,CAAC,CAAC;AAEH,MAAM,UAAU,gBAAgB,CAAC,CAAS;IACxC,OAAQ,sBAA4C,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAS;IACrC,OAAO,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,gEAAgE;AAChE,oCAAoC;AACpC,MAAM,UAAU,gBAAgB,CAAC,CAAS;IACxC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,UAAU,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC1B,CAAC"}

package/dist/auth/check.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { AuthCategory } from "./categories.js";
+import type { ToolDefinition } from "../tools/types.js";
+export interface AuthDecision {
+    allowed: boolean;
+    required_categories: readonly AuthCategory[];
+    missing_categories: readonly AuthCategory[];
+}
+export interface AuthCheckInput {
+    tool: ToolDefinition;
+    authorizedCosts: readonly string[];
+    sessionApproved?: readonly string[];
+}
+export declare function checkAuthorization(input: AuthCheckInput): AuthDecision;
+import type { RoleDefinition } from "../types.js";
+export interface RoleAwareAuthInput extends AuthCheckInput {
+    role: RoleDefinition;
+}
+export type RoleAwareAuthResult = {
+    kind: "allowed";
+    decision: AuthDecision;
+} | {
+    kind: "role_scope_violation";
+    missing_categories: string[];
+    role_id: string;
+    tool_name: string;
+} | {
+    kind: "needs_operator";
+    decision: AuthDecision;
+};
+export declare function checkAuthorizationWithRole(input: RoleAwareAuthInput): RoleAwareAuthResult;
+//# sourceMappingURL=check.d.ts.map

package/dist/auth/check.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/auth/check.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IAEjB,mBAAmB,EAAE,SAAS,YAAY,EAAE,CAAC;IAG7C,kBAAkB,EAAE,SAAS,YAAY,EAAE,CAAC;CAC7C;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,cAAc,CAAC;IACrB,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IAGnC,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACrC;AAiBD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,cAAc,GAAG,YAAY,CActE;AAMD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAGlD,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,IAAI,EAAE,cAAc,CAAC;CACtB;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAA;CAAE,GAC3C;IAAE,IAAI,EAAE,sBAAsB,CAAC;IAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAClG;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAA;CAAE,CAAC;AAEvD,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,kBAAkB,GAAG,mBAAmB,CAczF"}

package/dist/auth/check.js ADDED Viewed

@@ -0,0 +1,59 @@
+// Authorization gate for tool calls. Runs at the boundary between
+// "the LLM said call this tool" and "the sandbox actually runs it."
+//
+// Inputs:
+//   - The tool definition (which categories does this tool require?)
+//   - authorized_costs from the brief frontmatter
+//   - A session-level set of categories approved at Phase 3 (operator
+//     answered "Y" for session-wide on a prior call)
+//
+// Output: AuthDecision. allowed=false means the runtime must enter Phase 3
+// and prompt the operator. After approval, the runtime re-runs the check
+// with the session-approved set updated.
+import { DEFAULT_ALLOWED, isStaticCategory } from "./categories.js";
+import { matchesAuthorization } from "./wildcards.js";
+function isCovered(cat, authorizedCosts, sessionApproved) {
+    if (isStaticCategory(cat) && DEFAULT_ALLOWED.has(cat))
+        return true;
+    for (const entry of authorizedCosts) {
+        if (matchesAuthorization(cat, entry))
+            return true;
+    }
+    for (const entry of sessionApproved) {
+        if (matchesAuthorization(cat, entry))
+            return true;
+    }
+    return false;
+}
+export function checkAuthorization(input) {
+    const sessionApproved = input.sessionApproved ?? [];
+    const required = input.tool.authorization_categories;
+    const missing = [];
+    for (const cat of required) {
+        if (!isCovered(cat, input.authorizedCosts, sessionApproved)) {
+            missing.push(cat);
+        }
+    }
+    return {
+        allowed: missing.length === 0,
+        required_categories: required,
+        missing_categories: missing,
+    };
+}
+import { checkRoleScope } from "./role-scope.js";
+export function checkAuthorizationWithRole(input) {
+    const scope = checkRoleScope({ tool: input.tool, role: input.role });
+    if (!scope.in_scope) {
+        return {
+            kind: "role_scope_violation",
+            missing_categories: scope.missing_categories,
+            role_id: input.role.id,
+            tool_name: input.tool.name,
+        };
+    }
+    const decision = checkAuthorization(input);
+    return decision.allowed
+        ? { kind: "allowed", decision }
+        : { kind: "needs_operator", decision };
+}
+//# sourceMappingURL=check.js.map

package/dist/auth/check.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/auth/check.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,oEAAoE;AACpE,EAAE;AACF,UAAU;AACV,qEAAqE;AACrE,kDAAkD;AAClD,sEAAsE;AACtE,qDAAqD;AACrD,EAAE;AACF,2EAA2E;AAC3E,yEAAyE;AACzE,yCAAyC;AAGzC,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAoBtD,SAAS,SAAS,CAChB,GAAiB,EACjB,eAAkC,EAClC,eAAkC;IAElC,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnE,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,oBAAoB,CAAC,GAAG,EAAE,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;IACpD,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,oBAAoB,CAAC,GAAG,EAAE,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;IACpD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAqB;IACtD,MAAM,eAAe,GAAG,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC;IACpD,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC;IACrD,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,eAAe,EAAE,eAAe,CAAC,EAAE,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QAC7B,mBAAmB,EAAE,QAAQ;QAC7B,kBAAkB,EAAE,OAAO;KAC5B,CAAC;AACJ,CAAC;AAOD,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAWjD,MAAM,UAAU,0BAA0B,CAAC,KAAyB;IAClE,MAAM,KAAK,GAAG,cAAc,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO;YACL,IAAI,EAAE,sBAAsB;YAC5B,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE;YACtB,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;SAC3B,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC3C,OAAO,QAAQ,CAAC,OAAO;QACrB,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE;QAC/B,CAAC,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC;AAC3C,CAAC"}

package/dist/auth/role-scope.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { ToolDefinition } from "../tools/types.js";
+import type { RoleDefinition } from "../types.js";
+export interface RoleScopeDecision {
+    in_scope: boolean;
+    missing_categories: string[];
+}
+export declare function checkRoleScope(input: {
+    tool: ToolDefinition;
+    role: RoleDefinition;
+}): RoleScopeDecision;
+export declare class RoleScopeViolation extends Error {
+    readonly role_id: string;
+    readonly tool_name: string;
+    readonly missing_categories: string[];
+    readonly code: "ROLE_SCOPE_VIOLATION";
+    constructor(role_id: string, tool_name: string, missing_categories: string[]);
+}
+//# sourceMappingURL=role-scope.d.ts.map

package/dist/auth/role-scope.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"role-scope.d.ts","sourceRoot":"","sources":["../../src/auth/role-scope.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAGlD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,OAAO,CAAC;IAClB,kBAAkB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAKD,wBAAgB,cAAc,CAAC,KAAK,EAAE;IACpC,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;CACtB,GAAG,iBAAiB,CAwBpB;AAKD,qBAAa,kBAAmB,SAAQ,KAAK;aAGzB,OAAO,EAAE,MAAM;aACf,SAAS,EAAE,MAAM;aACjB,kBAAkB,EAAE,MAAM,EAAE;IAJ9C,QAAQ,CAAC,IAAI,EAAG,sBAAsB,CAAU;gBAE9B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE;CAQ/C"}

package/dist/auth/role-scope.js ADDED Viewed

@@ -0,0 +1,62 @@
+// Per-role authorization scoping (v0.4). On top of the brief-level
+// authorized_costs check, every tool call is also checked against the
+// role's own tool_categories allowlist. The two checks compose:
+//
+//   1. Role scope check: is this tool's category in the role's allowlist?
+//      If no, this is a *programming error* (the coordinator routed a tool
+//      call to a role that shouldn't have it). Halt the coordinator.
+//
+//   2. Brief authorization check: does the brief's authorized_costs cover
+//      the tool's categories? If no, run the Phase 3 operator prompt.
+//
+// The role-scope check is therefore fail-closed and structural; the brief
+// check is the operator-decision gate.
+import { matchesAuthorization } from "./wildcards.js";
+// Pure. Returns whether the tool's required auth categories are all covered
+// by the role's tool_categories allowlist (plus a free `read_file` if the
+// role opted in via `allow_read_file`).
+export function checkRoleScope(input) {
+    const required = input.tool.authorization_categories;
+    // Special exemption: read_file (and other tools that only require
+    // filesystem_read) is allowed for any role with allow_read_file: true,
+    // regardless of the role's tool_categories list.
+    const onlyReads = required.length === 0 ||
+        required.every((c) => c === "filesystem_read");
+    if (onlyReads && input.role.allow_read_file) {
+        return { in_scope: true, missing_categories: [] };
+    }
+    const allowed = input.role.tool_categories;
+    const missing = [];
+    for (const cat of required) {
+        if (cat === "filesystem_read" && input.role.allow_read_file)
+            continue;
+        let covered = false;
+        for (const entry of allowed) {
+            if (matchesAuthorization(cat, entry)) {
+                covered = true;
+                break;
+            }
+        }
+        if (!covered)
+            missing.push(cat);
+    }
+    return { in_scope: missing.length === 0, missing_categories: missing };
+}
+// Thrown when the coordinator detects a role-scope violation. Distinct from
+// a Phase 3 prompt: this represents a programming bug or a misconfigured
+// custom role, not an operator decision.
+export class RoleScopeViolation extends Error {
+    role_id;
+    tool_name;
+    missing_categories;
+    code = "ROLE_SCOPE_VIOLATION";
+    constructor(role_id, tool_name, missing_categories) {
+        super(`Role "${role_id}" attempted to call "${tool_name}" but its scope ` +
+            `does not include: ${missing_categories.join(", ")}`);
+        this.role_id = role_id;
+        this.tool_name = tool_name;
+        this.missing_categories = missing_categories;
+        this.name = "RoleScopeViolation";
+    }
+}
+//# sourceMappingURL=role-scope.js.map

package/dist/auth/role-scope.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"role-scope.js","sourceRoot":"","sources":["../../src/auth/role-scope.ts"],"names":[],"mappings":"AAAA,mEAAmE;AACnE,sEAAsE;AACtE,gEAAgE;AAChE,EAAE;AACF,0EAA0E;AAC1E,2EAA2E;AAC3E,qEAAqE;AACrE,EAAE;AACF,0EAA0E;AAC1E,sEAAsE;AACtE,EAAE;AACF,0EAA0E;AAC1E,uCAAuC;AAIvC,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAOtD,4EAA4E;AAC5E,0EAA0E;AAC1E,wCAAwC;AACxC,MAAM,UAAU,cAAc,CAAC,KAG9B;IACC,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC;IAErD,kEAAkE;IAClE,uEAAuE;IACvE,iDAAiD;IACjD,MAAM,SAAS,GACb,QAAQ,CAAC,MAAM,KAAK,CAAC;QACrB,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,iBAAiB,CAAC,CAAC;IACjD,IAAI,SAAS,IAAI,KAAK,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC;IAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,GAAG,KAAK,iBAAiB,IAAI,KAAK,CAAC,IAAI,CAAC,eAAe;YAAE,SAAS;QACtE,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,oBAAoB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;gBAAC,OAAO,GAAG,IAAI,CAAC;gBAAC,MAAM;YAAC,CAAC;QAClE,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC;AACzE,CAAC;AAED,4EAA4E;AAC5E,yEAAyE;AACzE,yCAAyC;AACzC,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IACA;IACA;IAJT,IAAI,GAAG,sBAA+B,CAAC;IAChD,YACkB,OAAe,EACf,SAAiB,EACjB,kBAA4B;QAE5C,KAAK,CACH,SAAS,OAAO,wBAAwB,SAAS,kBAAkB;YACjE,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACvD,CAAC;QAPc,YAAO,GAAP,OAAO,CAAQ;QACf,cAAS,GAAT,SAAS,CAAQ;QACjB,uBAAkB,GAAlB,kBAAkB,CAAU;QAM5C,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF"}

package/dist/auth/wildcards.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { AuthCategory } from "./categories.js";
+export declare function matchesAuthorization(required: AuthCategory, authorizedEntry: string): boolean;
+export declare const WILDCARD_ALL_WARNING: string;
+export declare function detectWildcardAllWarning(authorizedCosts: readonly string[]): string | null;
+//# sourceMappingURL=wildcards.d.ts.map

package/dist/auth/wildcards.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"wildcards.d.ts","sourceRoot":"","sources":["../../src/auth/wildcards.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO,CAY7F;AAKD,eAAO,MAAM,oBAAoB,QAE+C,CAAC;AAEjF,wBAAgB,wBAAwB,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAE1F"}

package/dist/auth/wildcards.js ADDED Viewed

@@ -0,0 +1,36 @@
+// Wildcard matching for authorization entries. Supported patterns:
+//
+//   "*"                       matches every category (with linter warning)
+//   "mcp_tool:*"              matches any "mcp_tool:..." category
+//   "mcp_tool:server:*"       matches any tool from the named MCP server
+//                             (and the server umbrella itself)
+//
+// Exact entries match by string equality (case-sensitive; categories are
+// lower_snake_case by convention).
+export function matchesAuthorization(required, authorizedEntry) {
+    if (required === authorizedEntry)
+        return true;
+    if (authorizedEntry === "*")
+        return true;
+    if (authorizedEntry === "mcp_tool:*" && required.startsWith("mcp_tool:"))
+        return true;
+    if (authorizedEntry.startsWith("mcp_tool:") && authorizedEntry.endsWith(":*")) {
+        const prefix = authorizedEntry.slice(0, -2);
+        // "mcp_tool:server:*" matches "mcp_tool:server:anytool"
+        if (required.startsWith(prefix + ":"))
+            return true;
+        // "mcp_tool:server:*" also matches the server umbrella "mcp_tool:server"
+        if (required === prefix)
+            return true;
+    }
+    return false;
+}
+// Emitted by brief lint when "*" appears in authorized_costs. Brief frontmatter
+// validation surfaces this; it is not a hard error because operators may opt in
+// deliberately. The runtime still runs.
+export const WILDCARD_ALL_WARNING = "authorized_costs contains '*'. This authorizes every destructive category. " +
+    "Almost always you want a specific list (filesystem_write, shell_exec, etc.).";
+export function detectWildcardAllWarning(authorizedCosts) {
+    return authorizedCosts.includes("*") ? WILDCARD_ALL_WARNING : null;
+}
+//# sourceMappingURL=wildcards.js.map

package/dist/auth/wildcards.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"wildcards.js","sourceRoot":"","sources":["../../src/auth/wildcards.ts"],"names":[],"mappings":"AAAA,mEAAmE;AACnE,EAAE;AACF,2EAA2E;AAC3E,kEAAkE;AAClE,yEAAyE;AACzE,+DAA+D;AAC/D,EAAE;AACF,yEAAyE;AACzE,mCAAmC;AAInC,MAAM,UAAU,oBAAoB,CAAC,QAAsB,EAAE,eAAuB;IAClF,IAAI,QAAQ,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,eAAe,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,eAAe,KAAK,YAAY,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IACtF,IAAI,eAAe,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9E,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5C,wDAAwD;QACxD,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,yEAAyE;QACzE,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;IACvC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,gFAAgF;AAChF,gFAAgF;AAChF,wCAAwC;AACxC,MAAM,CAAC,MAAM,oBAAoB,GAC/B,6EAA6E;IAC7E,8EAA8E,CAAC;AAEjF,MAAM,UAAU,wBAAwB,CAAC,eAAkC;IACzE,OAAO,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC;AACrE,CAAC"}

package/dist/brief.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { Brief, ValidationResult } from "./types.js";
+export declare function parseBrief(input: string): Brief;
+export interface ValidateBriefOptions {
+    knownRoles?: readonly string[];
+}
+export declare function validateBrief(brief: Brief, options?: ValidateBriefOptions): ValidationResult;
+export declare function renderBriefForAgent(brief: Brief): string;
+export declare function generateBriefId(date?: Date): string;
+//# sourceMappingURL=brief.d.ts.map

package/dist/brief.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"brief.d.ts","sourceRoot":"","sources":["../src/brief.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,KAAK,EAGL,gBAAgB,EAGjB,MAAM,YAAY,CAAC;AAKpB,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,CAsB/C;AAED,MAAM,WAAW,oBAAoB;IAKnC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,wBAAgB,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,GAAE,oBAAyB,GAAG,gBAAgB,CAmHhG;AAID,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,KAAK,GAAG,MAAM,CAyBxD;AA2TD,wBAAgB,eAAe,CAAC,IAAI,OAAa,GAAG,MAAM,CAMzD"}