@rigour-labs/core 5.2.5 → 5.2.7

package/dist/hooks/checker.js

@@ -13,6 +13,23 @@ import yaml from 'yaml';
 import { ConfigSchema } from '../types/index.js';
 import { scanInputForCredentials } from './input-validator.js';
 const JS_TS_PATTERN = /\.(ts|tsx|js|jsx|mts|mjs)$/;
+/**
+ * Check if a file matches any ignore pattern from rigour.yml.
+ */
+function isIgnored(relPath, patterns) {
+    const normalized = relPath.replace(/\\/g, '/');
+    return patterns.some(pattern => {
+        const clean = pattern.replace(/\\/g, '/');
+        if (normalized === clean)
+            return true;
+        // Glob: foo/** matches foo/bar/baz
+        const prefix = clean.replace('/**', '').replace('/*', '');
+        if (prefix !== clean) {
+            return normalized.startsWith(prefix + '/') || normalized === prefix;
+        }
+        return false;
+    });
+}
 /**
  * Load rigour config from cwd, falling back to defaults.
  */
@@ -42,7 +59,9 @@ async function resolveFile(filePath, cwd) {
 function checkFile(content, relPath, cwd, config) {
     const failures = [];
     const lines = content.split('\n');
-    // Gate 0: Memory & Skills Governance — block writes to agent-native memory paths
+    // Gate 0a: Protected paths — BLOCK writes to .github/, rigour.yml, etc.
+    checkProtectedPaths(relPath, config, failures);
+    // Gate 0b: Memory & Skills Governance — block writes to agent-native memory paths
     checkGovernance(content, relPath, config, failures);
     // Gate 1: File size
     const maxLines = config.gates.max_file_lines ?? 500;
@@ -78,6 +97,7 @@ export async function runHookChecker(options) {
     try {
         const config = await loadConfig(cwd);
         const deadline = start + timeout_ms;
+        const ignorePatterns = config.ignore ?? [];
         for (const filePath of files) {
             if (Date.now() > deadline) {
                 break;
@@ -86,6 +106,10 @@ export async function runHookChecker(options) {
             if (!resolved) {
                 continue;
             }
+            // Respect rigour.yml ignore patterns
+            if (isIgnored(resolved.relPath, ignorePatterns)) {
+                continue;
+            }
             const fileFailures = checkFile(resolved.content, resolved.relPath, cwd, config);
             failures.push(...fileFailures);
         }
@@ -222,6 +246,33 @@ function checkCommandInjection(line, i, relPath, failures) {
         });
     }
 }
+// ── Protected Paths Enforcement (real-time) ───────────────────────
+/**
+ * Block writes to protected paths defined in rigour.yml safety.protected_paths.
+ * This runs in real-time via hooks — BEFORE the agent commits the write.
+ */
+function checkProtectedPaths(relPath, config, failures) {
+    const protectedPaths = config.gates.safety?.protected_paths ?? [];
+    if (protectedPaths.length === 0)
+        return;
+    const normalizedPath = relPath.replace(/\\/g, '/');
+    const matched = protectedPaths.find(pattern => {
+        const clean = pattern.replace('/**', '').replace('/*', '');
+        if (normalizedPath === clean)
+            return true;
+        if (clean.endsWith('/'))
+            return normalizedPath.startsWith(clean);
+        return normalizedPath.startsWith(clean + '/');
+    });
+    if (matched) {
+        failures.push({
+            gate: 'file-guard',
+            file: relPath,
+            message: `BLOCKED: Agent cannot write to protected path "${relPath}" (matches ${matched}). CI/CD, docs, and config files require human review.`,
+            severity: 'critical',
+        });
+    }
+}
 // ── Memory & Skills Governance (v4.2+) ────────────────────────────
 /**
  * Simple glob matcher — handles exact paths, `*` (single segment),

package/dist/hooks/types.d.ts

@@ -17,7 +17,7 @@ export interface HookConfig {
     block_on_failure: boolean;
 }
 /** The fast gates that can run per-file in <200ms */
-export declare const FAST_GATE_IDS: readonly ["governance", "hallucinated-imports", "promise-safety", "security-patterns", "file-size"];
+export declare const FAST_GATE_IDS: readonly ["file-guard", "governance", "hallucinated-imports", "promise-safety", "security-patterns", "file-size"];
 export declare const DEFAULT_HOOK_CONFIG: HookConfig;
 export type FastGateId = typeof FAST_GATE_IDS[number];
 export interface HookCheckerResult {

package/dist/hooks/types.js

@@ -7,6 +7,7 @@
  */
 /** The fast gates that can run per-file in <200ms */
 export const FAST_GATE_IDS = [
+    'file-guard',
     'governance',
     'hallucinated-imports',
     'promise-safety',

package/dist/inference/sidecar-provider.d.ts

@@ -13,5 +13,11 @@ export declare class SidecarProvider implements InferenceProvider {
     private getPlatformKey;
     private getPlatformPackageName;
     private resolveBinaryPath;
+    /**
+     * Download llama-cli directly from llama.cpp GitHub releases.
+     * Extracts the binary to ~/.rigour/bin/llama-cli
+     */
+    private downloadLlamaCli;
+    /** Legacy: install via npm brain package */
     private installSidecarBinary;
 }

package/dist/inference/sidecar-provider.js

@@ -1,7 +1,7 @@
 /**
  * Sidecar Binary Provider — runs inference via pre-compiled llama.cpp binary.
- * Binary ships as @rigour-labs/brain-{platform} optional npm dependency.
- * Falls back to PATH lookup for development/manual installs.
+ * Auto-downloads llama-cli from GitHub releases on first use.
+ * Falls back to npm packages or PATH lookup for development/manual installs.
  */
 import { execFile } from 'child_process';
 import { promisify } from 'util';
@@ -13,7 +13,8 @@ import { ensureModel, isModelCached, getModelInfo } from './model-manager.js';
 import { ensureExecutableBinary } from './executable.js';
 const execFileAsync = promisify(execFile);
 const SIDECAR_INSTALL_DIR = path.join(os.homedir(), '.rigour', 'sidecar');
-/** Platform → npm package mapping */
+const BINARY_DIR = path.join(os.homedir(), '.rigour', 'bin');
+/** Platform → npm package mapping (legacy, still checked) */
 const PLATFORM_PACKAGES = {
     'darwin-arm64': '@rigour-labs/brain-darwin-arm64',
     'darwin-x64': '@rigour-labs/brain-darwin-x64',
@@ -21,6 +22,16 @@ const PLATFORM_PACKAGES = {
     'linux-arm64': '@rigour-labs/brain-linux-arm64',
     'win32-x64': '@rigour-labs/brain-win-x64',
 };
+const LLAMA_RELEASE_TAG = 'b5604';
+const LLAMA_RELEASE_BASE = `https://github.com/ggml-org/llama.cpp/releases/download/${LLAMA_RELEASE_TAG}`;
+/** Platform → llama.cpp release asset name */
+const LLAMA_RELEASE_ASSETS = {
+    'darwin-arm64': `llama-${LLAMA_RELEASE_TAG}-bin-macos-arm64.zip`,
+    'darwin-x64': `llama-${LLAMA_RELEASE_TAG}-bin-macos-x64.zip`,
+    'linux-x64': `llama-${LLAMA_RELEASE_TAG}-bin-ubuntu-x64.zip`,
+    'win32-x64': `llama-${LLAMA_RELEASE_TAG}-bin-win-cpu-x64.zip`,
+    // linux-arm64 not published by llama.cpp — users must build from source or use cloud provider
+};
 export class SidecarProvider {
     name = 'sidecar';
     binaryPath = null;
@@ -36,26 +47,35 @@ export class SidecarProvider {
         return binary !== null;
     }
     async setup(onProgress) {
-        const packageName = this.getPlatformPackageName();
         // 1. Check/resolve binary
         this.binaryPath = await this.resolveBinaryPath();
-        // Auto-bootstrap local sidecar when missing.
-        if (!this.binaryPath && packageName) {
-            const installed = await this.installSidecarBinary(packageName, onProgress);
-            if (installed) {
+        // Auto-bootstrap: download llama-cli directly from GitHub releases
+        if (!this.binaryPath) {
+            const downloaded = await this.downloadLlamaCli(onProgress);
+            if (downloaded) {
                 this.binaryPath = await this.resolveBinaryPath();
             }
         }
+        // Legacy fallback: try npm package install
+        if (!this.binaryPath) {
+            const packageName = this.getPlatformPackageName();
+            if (packageName) {
+                const installed = await this.installSidecarBinary(packageName, onProgress);
+                if (installed) {
+                    this.binaryPath = await this.resolveBinaryPath();
+                }
+            }
+        }
         if (!this.binaryPath) {
-            onProgress?.('⚠ Inference engine not found. Install @rigour-labs/brain-* or add llama-cli to PATH');
-            const installHint = packageName || `@rigour-labs/brain-${this.getPlatformKey()}`;
-            throw new Error(`Sidecar binary not found. Run: npm install ${installHint}`);
+            onProgress?.('⚠ Inference engine not found. Rigour will auto-download on next attempt.');
+            throw new Error(`Sidecar binary not found. Check network connection and retry.`);
         }
         let executableCheck = ensureExecutableBinary(this.binaryPath);
         // If the discovered binary is not executable, try a managed reinstall once.
-        if (!executableCheck.ok && packageName) {
+        const retryPackage = this.getPlatformPackageName();
+        if (!executableCheck.ok && retryPackage) {
             onProgress?.('⚠ Inference engine is present but not executable. Reinstalling managed sidecar...');
-            const installed = await this.installSidecarBinary(packageName, onProgress);
+            const installed = await this.installSidecarBinary(retryPackage, onProgress);
             if (installed) {
                 const refreshedPath = await this.resolveBinaryPath();
                 if (refreshedPath) {
@@ -172,6 +192,12 @@ export class SidecarProvider {
     }
     async resolveBinaryPath() {
         const platformKey = this.getPlatformKey();
+        // Strategy 0: Check ~/.rigour/bin/llama-cli (auto-downloaded from GitHub releases)
+        const binaryName = os.platform() === 'win32' ? 'llama-cli.exe' : 'llama-cli';
+        const autoDownloadedPath = path.join(BINARY_DIR, binaryName);
+        if (await fs.pathExists(autoDownloadedPath)) {
+            return autoDownloadedPath;
+        }
         // Strategy 1: Check @rigour-labs/brain-{platform} optional dependency
         const packageName = PLATFORM_PACKAGES[platformKey];
         if (packageName) {
@@ -264,8 +290,73 @@ export class SidecarProvider {
         }
         return null;
     }
+    /**
+     * Download llama-cli directly from llama.cpp GitHub releases.
+     * Extracts the binary to ~/.rigour/bin/llama-cli
+     */
+    async downloadLlamaCli(onProgress) {
+        const platformKey = this.getPlatformKey();
+        const assetName = LLAMA_RELEASE_ASSETS[platformKey];
+        if (!assetName)
+            return false;
+        const url = `${LLAMA_RELEASE_BASE}/${assetName}`;
+        const zipPath = path.join(BINARY_DIR, assetName);
+        const binaryName = os.platform() === 'win32' ? 'llama-cli.exe' : 'llama-cli';
+        const destPath = path.join(BINARY_DIR, binaryName);
+        // Already downloaded
+        if (await fs.pathExists(destPath))
+            return true;
+        onProgress?.(`⬇ Downloading inference engine (llama.cpp ${LLAMA_RELEASE_TAG})...`);
+        try {
+            await fs.ensureDir(BINARY_DIR);
+            // Download zip
+            const response = await fetch(url, { redirect: 'follow' });
+            if (!response.ok) {
+                throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+            }
+            const buffer = Buffer.from(await response.arrayBuffer());
+            await fs.writeFile(zipPath, buffer);
+            onProgress?.('  Extracting...');
+            // Extract llama-cli from zip
+            if (os.platform() === 'win32') {
+                await execFileAsync('powershell', [
+                    '-Command',
+                    `Expand-Archive -Path "${zipPath}" -DestinationPath "${BINARY_DIR}/llama-extract" -Force`,
+                ], { timeout: 60000 });
+            }
+            else {
+                await execFileAsync('unzip', ['-o', zipPath, '-d', path.join(BINARY_DIR, 'llama-extract')], {
+                    timeout: 60000,
+                });
+            }
+            // Find llama-cli in extracted files
+            const extractDir = path.join(BINARY_DIR, 'llama-extract');
+            const llamaBin = await findFileRecursive(extractDir, binaryName);
+            if (!llamaBin) {
+                throw new Error(`${binaryName} not found in release archive`);
+            }
+            await fs.copy(llamaBin, destPath);
+            if (os.platform() !== 'win32') {
+                await fs.chmod(destPath, 0o755);
+            }
+            // Cleanup
+            await fs.remove(zipPath);
+            await fs.remove(extractDir);
+            onProgress?.(`✓ Inference engine ready (${LLAMA_RELEASE_TAG})`);
+            return true;
+        }
+        catch (error) {
+            const reason = typeof error?.message === 'string' ? error.message : 'unknown error';
+            onProgress?.(`⚠ Download failed: ${reason}`);
+            // Cleanup partial downloads
+            await fs.remove(zipPath).catch(() => { });
+            await fs.remove(path.join(BINARY_DIR, 'llama-extract')).catch(() => { });
+            return false;
+        }
+    }
+    /** Legacy: install via npm brain package */
     async installSidecarBinary(packageName, onProgress) {
-        onProgress?.(`⬇ Inference engine missing. Attempting automatic install: ${packageName}`);
+        onProgress?.(`⬇ Trying npm fallback: ${packageName}`);
         try {
             await fs.ensureDir(SIDECAR_INSTALL_DIR);
             await execFileAsync(os.platform() === 'win32' ? 'npm.cmd' : 'npm', ['install', '--no-save', '--no-package-lock', '--prefix', SIDECAR_INSTALL_DIR, packageName], {
@@ -276,7 +367,7 @@ export class SidecarProvider {
         }
         catch (error) {
             const reason = typeof error?.message === 'string' ? error.message : 'unknown install error';
-            onProgress?.(`⚠ Auto-install failed: ${reason}`);
+            onProgress?.(`⚠ npm install failed: ${reason}`);
             return false;
         }
         onProgress?.(`✓ Installed ${packageName}`);
@@ -286,3 +377,19 @@ export class SidecarProvider {
 function quoteCmdArg(value) {
     return `"${value.replace(/"/g, '\\"')}"`;
 }
+/** Recursively find a file by name in a directory */
+async function findFileRecursive(dir, filename) {
+    const entries = await fs.readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+            const found = await findFileRecursive(fullPath, filename);
+            if (found)
+                return found;
+        }
+        else if (entry.name === filename) {
+            return fullPath;
+        }
+    }
+    return null;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "5.2.5",
+  "version": "5.2.7",
   "description": "AI-native quality gate engine with local Bayesian learning. AST analysis, drift detection, Fix Packet generation, and agent self-healing across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -66,11 +66,11 @@
     "@xenova/transformers": "^2.17.2",
     "sqlite3": "^5.1.7",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-arm64": "5.2.5",
-    "@rigour-labs/brain-darwin-x64": "5.2.5",
-    "@rigour-labs/brain-linux-arm64": "5.2.5",
-    "@rigour-labs/brain-linux-x64": "5.2.5",
-    "@rigour-labs/brain-win-x64": "5.2.5"
+    "@rigour-labs/brain-darwin-arm64": "5.2.7",
+    "@rigour-labs/brain-linux-arm64": "5.2.7",
+    "@rigour-labs/brain-linux-x64": "5.2.7",
+    "@rigour-labs/brain-win-x64": "5.2.7",
+    "@rigour-labs/brain-darwin-x64": "5.2.7"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",