@samirosamsam/aim 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "aim",
3
- "version": "0.1.0",
3
+ "version": "0.1.3",
4
4
  "description": "Install deterministic Codex guardrails from natural-language block rules.",
5
5
  "author": {
6
6
  "name": "AIM"
@@ -13,9 +13,12 @@
13
13
  "displayName": "AIM",
14
14
  "shortDescription": "Block matching Codex tool calls with local guardrails.",
15
15
  "longDescription": "AIM helps Codex turn natural-language block requests into local PreToolUse guardrails for Bash, file edits, and MCP tool calls.",
16
- "developerName": "AIM",
16
+ "developerName": "Rippletide",
17
17
  "category": "Productivity",
18
18
  "capabilities": ["Write"],
19
+ "brandColor": "#272757",
20
+ "composerIcon": "assets/rippletide-logo.png",
21
+ "logo": "assets/rippletide-logo.png",
19
22
  "defaultPrompt": [
20
23
  "Block this Codex action.",
21
24
  "Install deterministic guardrails for this repo."
package/README.md CHANGED
@@ -26,7 +26,22 @@ codex plugin marketplace add tototozip/AIM --ref main
26
26
  codex plugin add aim@aim
27
27
  ```
28
28
 
29
- Then start a new Codex thread and invoke `@aim`.
29
+ Then start a new Codex thread, run `/hooks`, trust the AIM hook if Codex asks,
30
+ and invoke `@aim`.
31
+
32
+ Example:
33
+
34
+ ```text
35
+ @aim empêche git push
36
+ ```
37
+
38
+ To test it, ask Codex to run:
39
+
40
+ ```bash
41
+ git push origin main --dry-run
42
+ ```
43
+
44
+ The call should be denied before Bash executes.
30
45
 
31
46
  ## Codex Guardrail
32
47
 
@@ -36,6 +51,9 @@ Install or refresh the local Codex hook:
36
51
  npx -y @samirosamsam/aim@latest setup
37
52
  ```
38
53
 
54
+ This is only needed when using the CLI without the Codex plugin. The plugin
55
+ already bundles `hooks/hooks.json`.
56
+
39
57
  If Codex says hooks need review, run `/hooks`, inspect the AIM hook, and trust it.
40
58
 
41
59
  Add a deterministic guardrail from natural language:
@@ -46,6 +64,19 @@ npx -y @samirosamsam/aim@latest rule add 'empêche de modifier package.json'
46
64
  npx -y @samirosamsam/aim@latest rule add 'empêche les calls GitHub qui ajoutent des collaborators'
47
65
  ```
48
66
 
67
+ For SaaS data targets described by a title or label, use Codex/provider tools first to resolve the concrete resource, then write the rule with `capture`:
68
+
69
+ ```bash
70
+ npx -y @samirosamsam/aim@latest capture \
71
+ --provider notion \
72
+ --tool fetch \
73
+ --args '{"url":"https://www.notion.so/..."}' \
74
+ --effect deny \
75
+ --agent codex \
76
+ --connection notion:codex \
77
+ --policy ~/.codex/aim/policy.json
78
+ ```
79
+
49
80
  Codex then calls the AIM hook before supported tool calls. A blocked Bash call returns the Codex `PreToolUse` deny shape:
50
81
 
51
82
  ```json
Binary file
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@samirosamsam/aim",
3
- "version": "0.1.0",
3
+ "version": "0.1.3",
4
4
  "description": "AIM CLI for installing deterministic Codex tool-call guardrails.",
5
5
  "private": false,
6
6
  "type": "module",
@@ -10,6 +10,7 @@
10
10
  "files": [
11
11
  ".agents/plugins/marketplace.json",
12
12
  ".codex-plugin/plugin.json",
13
+ "assets/",
13
14
  "bin/",
14
15
  "hooks/",
15
16
  "skills/",
@@ -9,15 +9,24 @@ Use the public `aim` CLI as the source of truth for installing Codex hooks, addi
9
9
 
10
10
  ## Workflow
11
11
 
12
- 1. Install or refresh the Codex `PreToolUse` hook before claiming enforcement is active:
12
+ 1. Use the bundled plugin hook when AIM is installed as a Codex plugin. Do not run `setup` just to duplicate it. If Codex reports hooks need review, tell the user to run `/hooks`, inspect the AIM hook, and trust it.
13
+
14
+ For CLI-only use without the Codex plugin, install or refresh the Codex `PreToolUse` hook before claiming enforcement is active:
13
15
 
14
16
  ```bash
15
17
  npx -y @samirosamsam/aim@latest setup --json
16
18
  ```
17
19
 
18
- If Codex reports that hooks need review, tell the user to run `/hooks`, inspect the AIM hook, and trust it. Do not claim active enforcement until the hook is trusted and a proof call blocks.
20
+ Do not claim active enforcement until the hook is trusted and a proof call blocks.
21
+
22
+ 2. Choose the smallest enforceable path:
23
+
24
+ - For Bash commands and file edits, use `rule add`.
25
+ - For external data or SaaS access, first discover the concrete resource with that provider's tools, then use `capture`.
26
+ - If the user gives a human label such as a page title, folder name, channel name, repo label, database name, or "all subpages", do not reject it as "not a resource". Search/list/fetch with the provider plugin or MCP tools, pick the best exact match when confidence is high, and explain the choice. Ask only when several plausible matches remain or when a broad wildcard would be required.
27
+ - For hierarchical requests such as subpages, folders, databases, repos, or projects, enumerate the concrete children when the provider tools expose them and add rules for each resolved resource. If the provider cannot enumerate future children, block the resolved current resources and state that new children need another rule.
19
28
 
20
- 2. Add the user's requested block as a Codex guardrail rule:
29
+ For local Codex rules:
21
30
 
22
31
  ```bash
23
32
  npx -y @samirosamsam/aim@latest rule add "<what the user wants to prevent>" --json
@@ -31,6 +40,21 @@ npx -y @samirosamsam/aim@latest rule add "empêche de modifier package.json" --j
31
40
  npx -y @samirosamsam/aim@latest rule add "empêche les calls GitHub qui ajoutent des collaborators" --json
32
41
  ```
33
42
 
43
+ For resolved MCP resources:
44
+
45
+ ```bash
46
+ npx -y @samirosamsam/aim@latest capture \
47
+ --provider "<provider>" \
48
+ --tool "<representative MCP tool>" \
49
+ --args '<representative MCP args JSON>' \
50
+ --resource "<stable provider resource id or path>" \
51
+ --effect deny \
52
+ --agent codex \
53
+ --connection "<provider>:codex" \
54
+ --policy ~/.codex/aim/policy.json \
55
+ --json
56
+ ```
57
+
34
58
  3. Prove the guardrail with a representative hook input before reporting success. Pick the proof that matches the rule:
35
59
 
36
60
  ```bash
@@ -58,7 +82,7 @@ npx -y @samirosamsam/aim@latest rule list --json
58
82
 
59
83
  ## Advanced Commands
60
84
 
61
- Use `capture`, `authorize`, `compile`, `add`, or `check` only for lower-level policy debugging. The normal public workflow is `setup`, `rule add`, proof, report.
85
+ Use `compile`, `add`, or `check` only for lower-level policy debugging. The normal public workflow is `setup`, then `rule add` for local Codex resources or provider discovery plus `capture` for MCP resources, then proof, then report.
62
86
 
63
87
  ```bash
64
88
  npx -y @samirosamsam/aim@latest capture \
@@ -75,7 +99,7 @@ If a command returns `questions`, ask for the missing command, file path, provid
75
99
 
76
100
  ## Scope
77
101
 
78
- - For Codex enforcement, prefer `rule add` over `compile`/`add`; it writes rules intended for the `PreToolUse` hook.
102
+ - For Codex enforcement, prefer `rule add` for Bash/files and `capture` for resolved MCP resources over `compile`/`add`; both write rules intended for the `PreToolUse` hook.
79
103
  - Prefer narrow resource patterns over `*`.
80
104
  - Codex hook guardrails are default-allow: no matching block means the tool call proceeds.
81
105
  - Treat `deny` as higher priority than `approval`, and `approval` as higher priority than `allow`.
package/src/engine.js CHANGED
@@ -214,7 +214,12 @@ export function compileCodexRulePrompt(prompt, context = {}) {
214
214
  }
215
215
 
216
216
  if (drafts.length === 0) {
217
- questions.push("Specify a Bash command, file path, or MCP provider/tool/resource to block.");
217
+ const providers = detectProviders(normalized).filter((provider) => provider !== "*");
218
+ if (providers.length > 0) {
219
+ questions.push(`Resolve the ${providers.join("/")} resource with that provider's search/list/fetch tools, then add an AIM capture rule with the stable resource id or path.`);
220
+ } else {
221
+ questions.push("Specify a Bash command, file path, or MCP provider/tool/resource to block.");
222
+ }
218
223
  }
219
224
 
220
225
  return { drafts: uniqueDrafts(drafts), questions };
@@ -531,7 +536,7 @@ function inferGithubCall(tool, args) {
531
536
  }
532
537
 
533
538
  function inferNotionCall(tool, args) {
534
- const page = cleanPart(args.page_id ?? args.pageId ?? args.id);
539
+ const page = cleanPart(args.page_id ?? args.pageId ?? args.id ?? notionPageId(args.url ?? args.page_url ?? args.pageUrl));
535
540
  const database = cleanPart(args.database_id ?? args.databaseId);
536
541
  if (page) return { access: inferAccess(tool), resource: `notion/pages/${page}` };
537
542
  if (database) return { access: inferAccess(tool), resource: `notion/databases/${database}` };
@@ -570,6 +575,14 @@ function githubRepo(args, suffix = "") {
570
575
  return owner && repo ? `repo/${owner}/${repo}${suffix}` : "*";
571
576
  }
572
577
 
578
+ function notionPageId(value) {
579
+ const text = String(value ?? "");
580
+ const dashed = text.match(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i);
581
+ if (dashed) return dashed[0];
582
+ const compact = text.match(/[0-9a-f]{32}/i);
583
+ return compact?.[0] ?? "";
584
+ }
585
+
573
586
  function reasonFor(effect, access, resourcePattern) {
574
587
  if (effect === "deny") return `Block ${access} on ${resourcePattern}.`;
575
588
  if (effect === "approval") return `Require human approval for ${access} on ${resourcePattern}.`;