@rigour-labs/core 5.2.6 → 5.2.8

package/dist/hooks/checker.js

@@ -13,6 +13,23 @@ import yaml from 'yaml';
 import { ConfigSchema } from '../types/index.js';
 import { scanInputForCredentials } from './input-validator.js';
 const JS_TS_PATTERN = /\.(ts|tsx|js|jsx|mts|mjs)$/;
+/**
+ * Check if a file matches any ignore pattern from rigour.yml.
+ */
+function isIgnored(relPath, patterns) {
+    const normalized = relPath.replace(/\\/g, '/');
+    return patterns.some(pattern => {
+        const clean = pattern.replace(/\\/g, '/');
+        if (normalized === clean)
+            return true;
+        // Glob: foo/** matches foo/bar/baz
+        const prefix = clean.replace('/**', '').replace('/*', '');
+        if (prefix !== clean) {
+            return normalized.startsWith(prefix + '/') || normalized === prefix;
+        }
+        return false;
+    });
+}
 /**
  * Load rigour config from cwd, falling back to defaults.
  */
@@ -42,7 +59,9 @@ async function resolveFile(filePath, cwd) {
 function checkFile(content, relPath, cwd, config) {
     const failures = [];
     const lines = content.split('\n');
-    // Gate 0: Memory & Skills Governance — block writes to agent-native memory paths
+    // Gate 0a: Protected paths — BLOCK writes to .github/, rigour.yml, etc.
+    checkProtectedPaths(relPath, config, failures);
+    // Gate 0b: Memory & Skills Governance — block writes to agent-native memory paths
     checkGovernance(content, relPath, config, failures);
     // Gate 1: File size
     const maxLines = config.gates.max_file_lines ?? 500;
@@ -78,6 +97,7 @@ export async function runHookChecker(options) {
     try {
         const config = await loadConfig(cwd);
         const deadline = start + timeout_ms;
+        const ignorePatterns = config.ignore ?? [];
         for (const filePath of files) {
             if (Date.now() > deadline) {
                 break;
@@ -86,6 +106,10 @@ export async function runHookChecker(options) {
             if (!resolved) {
                 continue;
             }
+            // Respect rigour.yml ignore patterns
+            if (isIgnored(resolved.relPath, ignorePatterns)) {
+                continue;
+            }
             const fileFailures = checkFile(resolved.content, resolved.relPath, cwd, config);
             failures.push(...fileFailures);
         }
@@ -222,6 +246,33 @@ function checkCommandInjection(line, i, relPath, failures) {
         });
     }
 }
+// ── Protected Paths Enforcement (real-time) ───────────────────────
+/**
+ * Block writes to protected paths defined in rigour.yml safety.protected_paths.
+ * This runs in real-time via hooks — BEFORE the agent commits the write.
+ */
+function checkProtectedPaths(relPath, config, failures) {
+    const protectedPaths = config.gates.safety?.protected_paths ?? [];
+    if (protectedPaths.length === 0)
+        return;
+    const normalizedPath = relPath.replace(/\\/g, '/');
+    const matched = protectedPaths.find(pattern => {
+        const clean = pattern.replace('/**', '').replace('/*', '');
+        if (normalizedPath === clean)
+            return true;
+        if (clean.endsWith('/'))
+            return normalizedPath.startsWith(clean);
+        return normalizedPath.startsWith(clean + '/');
+    });
+    if (matched) {
+        failures.push({
+            gate: 'file-guard',
+            file: relPath,
+            message: `BLOCKED: Agent cannot write to protected path "${relPath}" (matches ${matched}). CI/CD, docs, and config files require human review.`,
+            severity: 'critical',
+        });
+    }
+}
 // ── Memory & Skills Governance (v4.2+) ────────────────────────────
 /**
  * Simple glob matcher — handles exact paths, `*` (single segment),

package/dist/hooks/types.d.ts

@@ -17,7 +17,7 @@ export interface HookConfig {
     block_on_failure: boolean;
 }
 /** The fast gates that can run per-file in <200ms */
-export declare const FAST_GATE_IDS: readonly ["governance", "hallucinated-imports", "promise-safety", "security-patterns", "file-size"];
+export declare const FAST_GATE_IDS: readonly ["file-guard", "governance", "hallucinated-imports", "promise-safety", "security-patterns", "file-size"];
 export declare const DEFAULT_HOOK_CONFIG: HookConfig;
 export type FastGateId = typeof FAST_GATE_IDS[number];
 export interface HookCheckerResult {

package/dist/hooks/types.js

@@ -7,6 +7,7 @@
  */
 /** The fast gates that can run per-file in <200ms */
 export const FAST_GATE_IDS = [
+    'file-guard',
     'governance',
     'hallucinated-imports',
     'promise-safety',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "5.2.6",
+  "version": "5.2.8",
   "description": "AI-native quality gate engine with local Bayesian learning. AST analysis, drift detection, Fix Packet generation, and agent self-healing across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -66,11 +66,11 @@
     "@xenova/transformers": "^2.17.2",
     "sqlite3": "^5.1.7",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-x64": "5.2.6",
-    "@rigour-labs/brain-linux-x64": "5.2.6",
-    "@rigour-labs/brain-darwin-arm64": "5.2.6",
-    "@rigour-labs/brain-win-x64": "5.2.6",
-    "@rigour-labs/brain-linux-arm64": "5.2.6"
+    "@rigour-labs/brain-darwin-arm64": "5.2.8",
+    "@rigour-labs/brain-darwin-x64": "5.2.8",
+    "@rigour-labs/brain-linux-x64": "5.2.8",
+    "@rigour-labs/brain-linux-arm64": "5.2.8",
+    "@rigour-labs/brain-win-x64": "5.2.8"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",