@samirosamsam/aim 0.1.0 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.codex-plugin/plugin.json +5 -2
- package/README.md +32 -1
- package/assets/rippletide-logo.png +0 -0
- package/package.json +2 -1
- package/skills/aim/SKILL.md +29 -5
- package/src/engine.js +15 -2
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "aim",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.3",
|
|
4
4
|
"description": "Install deterministic Codex guardrails from natural-language block rules.",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "AIM"
|
|
@@ -13,9 +13,12 @@
|
|
|
13
13
|
"displayName": "AIM",
|
|
14
14
|
"shortDescription": "Block matching Codex tool calls with local guardrails.",
|
|
15
15
|
"longDescription": "AIM helps Codex turn natural-language block requests into local PreToolUse guardrails for Bash, file edits, and MCP tool calls.",
|
|
16
|
-
"developerName": "
|
|
16
|
+
"developerName": "Rippletide",
|
|
17
17
|
"category": "Productivity",
|
|
18
18
|
"capabilities": ["Write"],
|
|
19
|
+
"brandColor": "#272757",
|
|
20
|
+
"composerIcon": "assets/rippletide-logo.png",
|
|
21
|
+
"logo": "assets/rippletide-logo.png",
|
|
19
22
|
"defaultPrompt": [
|
|
20
23
|
"Block this Codex action.",
|
|
21
24
|
"Install deterministic guardrails for this repo."
|
package/README.md
CHANGED
|
@@ -26,7 +26,22 @@ codex plugin marketplace add tototozip/AIM --ref main
|
|
|
26
26
|
codex plugin add aim@aim
|
|
27
27
|
```
|
|
28
28
|
|
|
29
|
-
Then start a new Codex thread
|
|
29
|
+
Then start a new Codex thread, run `/hooks`, trust the AIM hook if Codex asks,
|
|
30
|
+
and invoke `@aim`.
|
|
31
|
+
|
|
32
|
+
Example:
|
|
33
|
+
|
|
34
|
+
```text
|
|
35
|
+
@aim empêche git push
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
To test it, ask Codex to run:
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
git push origin main --dry-run
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
The call should be denied before Bash executes.
|
|
30
45
|
|
|
31
46
|
## Codex Guardrail
|
|
32
47
|
|
|
@@ -36,6 +51,9 @@ Install or refresh the local Codex hook:
|
|
|
36
51
|
npx -y @samirosamsam/aim@latest setup
|
|
37
52
|
```
|
|
38
53
|
|
|
54
|
+
This is only needed when using the CLI without the Codex plugin. The plugin
|
|
55
|
+
already bundles `hooks/hooks.json`.
|
|
56
|
+
|
|
39
57
|
If Codex says hooks need review, run `/hooks`, inspect the AIM hook, and trust it.
|
|
40
58
|
|
|
41
59
|
Add a deterministic guardrail from natural language:
|
|
@@ -46,6 +64,19 @@ npx -y @samirosamsam/aim@latest rule add 'empêche de modifier package.json'
|
|
|
46
64
|
npx -y @samirosamsam/aim@latest rule add 'empêche les calls GitHub qui ajoutent des collaborators'
|
|
47
65
|
```
|
|
48
66
|
|
|
67
|
+
For SaaS data targets described by a title or label, use Codex/provider tools first to resolve the concrete resource, then write the rule with `capture`:
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
npx -y @samirosamsam/aim@latest capture \
|
|
71
|
+
--provider notion \
|
|
72
|
+
--tool fetch \
|
|
73
|
+
--args '{"url":"https://www.notion.so/..."}' \
|
|
74
|
+
--effect deny \
|
|
75
|
+
--agent codex \
|
|
76
|
+
--connection notion:codex \
|
|
77
|
+
--policy ~/.codex/aim/policy.json
|
|
78
|
+
```
|
|
79
|
+
|
|
49
80
|
Codex then calls the AIM hook before supported tool calls. A blocked Bash call returns the Codex `PreToolUse` deny shape:
|
|
50
81
|
|
|
51
82
|
```json
|
|
Binary file
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@samirosamsam/aim",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.3",
|
|
4
4
|
"description": "AIM CLI for installing deterministic Codex tool-call guardrails.",
|
|
5
5
|
"private": false,
|
|
6
6
|
"type": "module",
|
|
@@ -10,6 +10,7 @@
|
|
|
10
10
|
"files": [
|
|
11
11
|
".agents/plugins/marketplace.json",
|
|
12
12
|
".codex-plugin/plugin.json",
|
|
13
|
+
"assets/",
|
|
13
14
|
"bin/",
|
|
14
15
|
"hooks/",
|
|
15
16
|
"skills/",
|
package/skills/aim/SKILL.md
CHANGED
|
@@ -9,15 +9,24 @@ Use the public `aim` CLI as the source of truth for installing Codex hooks, addi
|
|
|
9
9
|
|
|
10
10
|
## Workflow
|
|
11
11
|
|
|
12
|
-
1.
|
|
12
|
+
1. Use the bundled plugin hook when AIM is installed as a Codex plugin. Do not run `setup` just to duplicate it. If Codex reports hooks need review, tell the user to run `/hooks`, inspect the AIM hook, and trust it.
|
|
13
|
+
|
|
14
|
+
For CLI-only use without the Codex plugin, install or refresh the Codex `PreToolUse` hook before claiming enforcement is active:
|
|
13
15
|
|
|
14
16
|
```bash
|
|
15
17
|
npx -y @samirosamsam/aim@latest setup --json
|
|
16
18
|
```
|
|
17
19
|
|
|
18
|
-
|
|
20
|
+
Do not claim active enforcement until the hook is trusted and a proof call blocks.
|
|
21
|
+
|
|
22
|
+
2. Choose the smallest enforceable path:
|
|
23
|
+
|
|
24
|
+
- For Bash commands and file edits, use `rule add`.
|
|
25
|
+
- For external data or SaaS access, first discover the concrete resource with that provider's tools, then use `capture`.
|
|
26
|
+
- If the user gives a human label such as a page title, folder name, channel name, repo label, database name, or "all subpages", do not reject it as "not a resource". Search/list/fetch with the provider plugin or MCP tools, pick the best exact match when confidence is high, and explain the choice. Ask only when several plausible matches remain or when a broad wildcard would be required.
|
|
27
|
+
- For hierarchical requests such as subpages, folders, databases, repos, or projects, enumerate the concrete children when the provider tools expose them and add rules for each resolved resource. If the provider cannot enumerate future children, block the resolved current resources and state that new children need another rule.
|
|
19
28
|
|
|
20
|
-
|
|
29
|
+
For local Codex rules:
|
|
21
30
|
|
|
22
31
|
```bash
|
|
23
32
|
npx -y @samirosamsam/aim@latest rule add "<what the user wants to prevent>" --json
|
|
@@ -31,6 +40,21 @@ npx -y @samirosamsam/aim@latest rule add "empêche de modifier package.json" --j
|
|
|
31
40
|
npx -y @samirosamsam/aim@latest rule add "empêche les calls GitHub qui ajoutent des collaborators" --json
|
|
32
41
|
```
|
|
33
42
|
|
|
43
|
+
For resolved MCP resources:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
npx -y @samirosamsam/aim@latest capture \
|
|
47
|
+
--provider "<provider>" \
|
|
48
|
+
--tool "<representative MCP tool>" \
|
|
49
|
+
--args '<representative MCP args JSON>' \
|
|
50
|
+
--resource "<stable provider resource id or path>" \
|
|
51
|
+
--effect deny \
|
|
52
|
+
--agent codex \
|
|
53
|
+
--connection "<provider>:codex" \
|
|
54
|
+
--policy ~/.codex/aim/policy.json \
|
|
55
|
+
--json
|
|
56
|
+
```
|
|
57
|
+
|
|
34
58
|
3. Prove the guardrail with a representative hook input before reporting success. Pick the proof that matches the rule:
|
|
35
59
|
|
|
36
60
|
```bash
|
|
@@ -58,7 +82,7 @@ npx -y @samirosamsam/aim@latest rule list --json
|
|
|
58
82
|
|
|
59
83
|
## Advanced Commands
|
|
60
84
|
|
|
61
|
-
Use `
|
|
85
|
+
Use `compile`, `add`, or `check` only for lower-level policy debugging. The normal public workflow is `setup`, then `rule add` for local Codex resources or provider discovery plus `capture` for MCP resources, then proof, then report.
|
|
62
86
|
|
|
63
87
|
```bash
|
|
64
88
|
npx -y @samirosamsam/aim@latest capture \
|
|
@@ -75,7 +99,7 @@ If a command returns `questions`, ask for the missing command, file path, provid
|
|
|
75
99
|
|
|
76
100
|
## Scope
|
|
77
101
|
|
|
78
|
-
- For Codex enforcement, prefer `rule add` over `compile`/`add`;
|
|
102
|
+
- For Codex enforcement, prefer `rule add` for Bash/files and `capture` for resolved MCP resources over `compile`/`add`; both write rules intended for the `PreToolUse` hook.
|
|
79
103
|
- Prefer narrow resource patterns over `*`.
|
|
80
104
|
- Codex hook guardrails are default-allow: no matching block means the tool call proceeds.
|
|
81
105
|
- Treat `deny` as higher priority than `approval`, and `approval` as higher priority than `allow`.
|
package/src/engine.js
CHANGED
|
@@ -214,7 +214,12 @@ export function compileCodexRulePrompt(prompt, context = {}) {
|
|
|
214
214
|
}
|
|
215
215
|
|
|
216
216
|
if (drafts.length === 0) {
|
|
217
|
-
|
|
217
|
+
const providers = detectProviders(normalized).filter((provider) => provider !== "*");
|
|
218
|
+
if (providers.length > 0) {
|
|
219
|
+
questions.push(`Resolve the ${providers.join("/")} resource with that provider's search/list/fetch tools, then add an AIM capture rule with the stable resource id or path.`);
|
|
220
|
+
} else {
|
|
221
|
+
questions.push("Specify a Bash command, file path, or MCP provider/tool/resource to block.");
|
|
222
|
+
}
|
|
218
223
|
}
|
|
219
224
|
|
|
220
225
|
return { drafts: uniqueDrafts(drafts), questions };
|
|
@@ -531,7 +536,7 @@ function inferGithubCall(tool, args) {
|
|
|
531
536
|
}
|
|
532
537
|
|
|
533
538
|
function inferNotionCall(tool, args) {
|
|
534
|
-
const page = cleanPart(args.page_id ?? args.pageId ?? args.id);
|
|
539
|
+
const page = cleanPart(args.page_id ?? args.pageId ?? args.id ?? notionPageId(args.url ?? args.page_url ?? args.pageUrl));
|
|
535
540
|
const database = cleanPart(args.database_id ?? args.databaseId);
|
|
536
541
|
if (page) return { access: inferAccess(tool), resource: `notion/pages/${page}` };
|
|
537
542
|
if (database) return { access: inferAccess(tool), resource: `notion/databases/${database}` };
|
|
@@ -570,6 +575,14 @@ function githubRepo(args, suffix = "") {
|
|
|
570
575
|
return owner && repo ? `repo/${owner}/${repo}${suffix}` : "*";
|
|
571
576
|
}
|
|
572
577
|
|
|
578
|
+
function notionPageId(value) {
|
|
579
|
+
const text = String(value ?? "");
|
|
580
|
+
const dashed = text.match(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i);
|
|
581
|
+
if (dashed) return dashed[0];
|
|
582
|
+
const compact = text.match(/[0-9a-f]{32}/i);
|
|
583
|
+
return compact?.[0] ?? "";
|
|
584
|
+
}
|
|
585
|
+
|
|
573
586
|
function reasonFor(effect, access, resourcePattern) {
|
|
574
587
|
if (effect === "deny") return `Block ${access} on ${resourcePattern}.`;
|
|
575
588
|
if (effect === "approval") return `Require human approval for ${access} on ${resourcePattern}.`;
|