@scheduler-systems/gal-run 0.0.378 → 0.0.380

package/dist/index.cjs

@@ -3970,7 +3970,7 @@ var cliVersion, defaultApiUrl, BUILD_CONSTANTS, constants_default;
 var init_constants = __esm({
   "src/constants.ts"() {
     "use strict";
-    cliVersion = true ? "0.0.378" : "0.0.0-dev";
+    cliVersion = true ? "0.0.380" : "0.0.0-dev";
     defaultApiUrl = true ? "https://api.gal.run" : "http://localhost:3000";
     BUILD_CONSTANTS = Object.freeze([cliVersion, defaultApiUrl]);
     constants_default = BUILD_CONSTANTS;
@@ -4880,7 +4880,7 @@ function detectEnvironment() {
     return "dev";
   }
   try {
-    const version2 = true ? "0.0.378" : void 0;
+    const version2 = true ? "0.0.380" : void 0;
     if (version2 && version2.includes("-local")) {
       return "dev";
     }
@@ -5249,7 +5249,7 @@ function getId() {
 }
 function getCliVersion() {
   try {
-    return true ? "0.0.378" : "0.0.0-dev";
+    return true ? "0.0.380" : "0.0.0-dev";
   } catch {
     return "0.0.0-dev";
   }
@@ -54045,7 +54045,8 @@ function generateSdlcPrePushHook(apiUrl, orgName) {
 # GAL SDLC Phase-Gate Pre-Push Hook
 # Installed by: gal enforce install --sdlc
 # Blocks pushes when the SDLC phase gate for the branch is not met.
-# Fail-open: if the API is unreachable the push is allowed.
+# Uses the local GAL CLI for auth and API access.
+# Fail-open: if GAL or the API is unavailable the push is allowed.
 # To skip: git push --no-verify
 
 BRANCH=$(git rev-parse --abbrev-ref HEAD)
@@ -54058,25 +54059,15 @@ esac
 API_URL="${apiUrl}"
 ORG_NAME="${orgName}"
 
-RESPONSE=$(curl -sf -w "\\n%{http_code}" \\
-  "\${API_URL}/organizations/\${ORG_NAME}/enforcement/sdlc/gate?branch=\${BRANCH}" \\
-  2>/dev/null) || {
-  # API unreachable \u2014 fail open
+RESPONSE=$(gal enforce sdlc gate --branch "$BRANCH" --json 2>/dev/null) || {
+  # GAL unavailable or API unreachable \u2014 fail open
   exit 0
 }
 
-HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
-BODY=$(echo "$RESPONSE" | sed '$ d')
-
-if [ "$HTTP_CODE" != "200" ]; then
-  # Non-200 \u2014 fail open
-  exit 0
-fi
-
-ALLOWED=$(echo "$BODY" | grep -o '"allowed"\\s*:\\s*\\(true\\|false\\)' | grep -o '\\(true\\|false\\)')
+ALLOWED=$(echo "$RESPONSE" | grep -o '"allowed"\\s*:\\s*\\(true\\|false\\)' | grep -o '\\(true\\|false\\)')
 
 if [ "$ALLOWED" = "false" ]; then
-  MESSAGE=$(echo "$BODY" | grep -o '"message"\\s*:\\s*"[^"]*"' | head -1 | sed 's/"message"\\s*:\\s*"//;s/"$//')
+  MESSAGE=$(echo "$RESPONSE" | grep -o '"message"\\s*:\\s*"[^"]*"' | head -1 | sed 's/"message"\\s*:\\s*"//;s/"$//')
   echo ""
   echo "\\033[31m[GAL] SDLC phase gate blocked this push.\\033[0m"
   echo "\\033[33m  Branch: $BRANCH\\033[0m"
@@ -54092,31 +54083,106 @@ exit 0
 `;
 }
 function generateSdlcAgentHook(apiUrl) {
-  const hook = {
-    type: "pre_tool_call",
-    description: "GAL SDLC phase-gate enforcement \u2014 blocks tool calls when the required SDLC phase is not met.",
-    api_url: apiUrl,
-    matchers: [
-      {
-        tool_name: "Bash",
-        command_pattern: "git\\s+push",
-        action: "check_sdlc_gate"
-      },
-      {
-        tool_name: "Edit",
-        file_pattern: "^\\.github/workflows/.*\\.yml$",
-        action: "check_sdlc_gate"
-      }
-    ],
-    check_sdlc_gate: {
-      method: "GET",
-      url: `${apiUrl}/enforcement/sdlc/gate`,
-      query_params: { branch: "{{current_branch}}" },
-      block_when: { allowed: false },
-      fail_open: true
-    }
-  };
-  return JSON.stringify(hook, null, 2);
+  return `#!/usr/bin/env python3
+"""
+GAL SDLC phase-gate hook.
+Installed by: gal enforce install --sdlc
+Fail-open: if GAL or the API is unavailable the tool call is allowed.
+API URL: ${apiUrl}
+"""
+import json
+import subprocess
+import sys
+
+PROTECTED_PREFIXES = (
+    ".github/workflows/",
+    ".claude/settings.json",
+)
+
+
+def read_hook_input():
+    try:
+        return json.load(sys.stdin)
+    except Exception:
+        return {}
+
+
+def current_branch() -> str:
+    try:
+        return subprocess.check_output(
+            ["git", "rev-parse", "--abbrev-ref", "HEAD"],
+            stderr=subprocess.DEVNULL,
+            text=True,
+            timeout=5,
+        ).strip()
+    except Exception:
+        return ""
+
+
+def should_check(tool_name: str, tool_input: dict) -> bool:
+    if tool_name == "Bash":
+        command = str(tool_input.get("command", ""))
+        return "git push" in command
+
+    if tool_name in {"Edit", "Write", "MultiEdit"}:
+        file_path = str(tool_input.get("file_path", ""))
+        return any(file_path.startswith(prefix) for prefix in PROTECTED_PREFIXES)
+
+    return False
+
+
+def query_gate(branch: str) -> dict:
+    if not branch or branch in {"main", "master"}:
+        return {"allowed": True}
+
+    try:
+        result = subprocess.run(
+            ["gal", "enforce", "sdlc", "gate", "--branch", branch, "--json"],
+            capture_output=True,
+            text=True,
+            timeout=10,
+            check=False,
+        )
+    except Exception:
+        return {"allowed": True}
+
+    if result.returncode != 0:
+        return {"allowed": True}
+
+    try:
+        payload = json.loads(result.stdout or "{}")
+        return payload if isinstance(payload, dict) else {"allowed": True}
+    except Exception:
+        return {"allowed": True}
+
+
+def main():
+    hook_input = read_hook_input()
+    tool_name = str(hook_input.get("tool_name", ""))
+    tool_input = hook_input.get("tool_input", {}) or {}
+    if not isinstance(tool_input, dict):
+        tool_input = {}
+
+    if not should_check(tool_name, tool_input):
+        print(json.dumps({"decision": "allow"}))
+        return
+
+    branch = current_branch()
+    gate = query_gate(branch)
+    if gate.get("allowed", True):
+        print(json.dumps({"decision": "allow"}))
+        return
+
+    message = gate.get("message") or "Complete the required SDLC phase before continuing."
+    print(json.dumps({
+        "decision": "block",
+        "reason": f"SDLC phase gate blocked this operation on branch '{branch}': {message}",
+    }))
+
+
+if __name__ == "__main__":
+    main()
+`;
 }
 var init_hook_generator = __esm({
   "src/enforcement/hook-generator.ts"() {
@@ -56832,7 +56898,7 @@ Installing hooks for: ${platforms.join(", ")}`));
           if (!options.dryRun) {
             await installSdlcAgentHook(basePath, sdlcApiUrl, options.force);
           }
-          spinner.succeed(`Installed SDLC agent hook \u2192 ${source_default.dim(".claude/hooks/sdlc-phase-gate.json")}`);
+          spinner.succeed(`Installed SDLC agent hook \u2192 ${source_default.dim(".claude/hooks/sdlc-phase-gate.py")}`);
         } catch (err) {
           const msg = err instanceof Error ? err.message : String(err);
           spinner.warn(`SDLC agent hook: ${msg}`);
@@ -57435,6 +57501,48 @@ Installing hooks for: ${platforms.join(", ")}`));
       process.exit(1);
     }
   });
+  sdlcCommand.command("gate").description("Evaluate the native SDLC gate for a tracked branch").requiredOption("--branch <branch>", "Git branch to evaluate").option("--json", "Output as JSON").action(async (options) => {
+    const { authToken, orgName, apiUrl } = getAuthAndOrg2();
+    const spinner = options.json ? null : ora(`Evaluating SDLC gate for ${options.branch}...`).start();
+    try {
+      const branch = options.branch.trim();
+      const res = await fetchApi3(
+        `${apiUrl}/organizations/${encodeURIComponent(orgName)}/enforcement/sdlc/gate?branch=${encodeURIComponent(branch)}`,
+        authToken
+      );
+      if (!res.ok) {
+        const data2 = await res.json().catch(() => ({}));
+        throw new Error(data2.error || `HTTP ${res.status}`);
+      }
+      const data = await res.json();
+      spinner?.stop();
+      if (options.json) {
+        console.log(JSON.stringify(data, null, 2));
+        return;
+      }
+      const allowed = data.allowed !== false;
+      const message = typeof data.message === "string" ? data.message : void 0;
+      const source = typeof data.source === "string" ? data.source : "unknown";
+      console.log(source_default.bold("\nNative SDLC Branch Gate\n"));
+      console.log(`  Organization: ${source_default.cyan(orgName)}`);
+      console.log(`  Branch:       ${branch}`);
+      console.log(`  Allowed:      ${allowed ? source_default.green("yes") : source_default.red("no")}`);
+      console.log(`  Source:       ${source_default.dim(source)}`);
+      if (message) {
+        console.log(`  Message:      ${message}`);
+      }
+      console.log();
+    } catch (error3) {
+      spinner?.stop();
+      const msg = error3 instanceof Error ? error3.message : String(error3);
+      if (options.json) {
+        console.log(JSON.stringify({ error: msg }));
+      } else {
+        console.error(source_default.red("Error evaluating SDLC branch gate:"), msg);
+      }
+      process.exit(1);
+    }
+  });
   sdlcCommand.command("set <level>").description("Set native SDLC enforcement mode (off, warn, block)").option("--reason <reason>", "Reason to include in the audit trail").option("--json", "Output as JSON").action(async (level, options) => {
     if (!["off", "warn", "block"].includes(level)) {
       console.error(source_default.red("Invalid level. Use one of: off, warn, block"));
@@ -57805,13 +57913,40 @@ async function installSdlcPrePushHook(basePath, apiUrl, orgName, force) {
 }
 async function installSdlcAgentHook(basePath, apiUrl, force) {
   const claudeHooksDir = (0, import_node_path3.join)(basePath, ".claude", "hooks");
-  const hookPath = (0, import_node_path3.join)(claudeHooksDir, "sdlc-phase-gate.json");
+  const hookPath = (0, import_node_path3.join)(claudeHooksDir, "sdlc-phase-gate.py");
   if ((0, import_node_fs2.existsSync)(hookPath) && !force) {
     throw new Error("SDLC agent hook already installed. Use --force to overwrite.");
   }
   await (0, import_promises4.mkdir)(claudeHooksDir, { recursive: true });
   const hookContent = generateSdlcAgentHook(apiUrl);
   await (0, import_promises4.writeFile)(hookPath, hookContent, "utf-8");
+  await (0, import_promises4.chmod)(hookPath, 493);
+  const claudeDir = (0, import_node_path3.join)(basePath, ".claude");
+  await (0, import_promises4.mkdir)(claudeDir, { recursive: true });
+  const settingsPath = (0, import_node_path3.join)(claudeDir, "settings.json");
+  let settings = {};
+  try {
+    const existingSettings = await (0, import_promises4.readFile)(settingsPath, "utf-8");
+    settings = JSON.parse(existingSettings);
+  } catch {
+    settings = {};
+  }
+  const hooks = settings.hooks && typeof settings.hooks === "object" ? { ...settings.hooks } : {};
+  const existingPreToolUse = Array.isArray(hooks.PreToolUse) ? [...hooks.PreToolUse] : [];
+  const filteredPreToolUse = existingPreToolUse.filter((entry) => {
+    if (!entry || typeof entry !== "object") {
+      return true;
+    }
+    return entry.command !== "python3 .claude/hooks/sdlc-phase-gate.py";
+  });
+  filteredPreToolUse.push({
+    type: "command",
+    command: "python3 .claude/hooks/sdlc-phase-gate.py",
+    timeout: 5e3
+  });
+  hooks.PreToolUse = filteredPreToolUse;
+  settings.hooks = hooks;
+  await (0, import_promises4.writeFile)(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
 }
 var import_promises4, import_node_fs2, import_node_path3, import_node_crypto, defaultApiUrl7, PLATFORM_DIRS3, SCAN_PLATFORM_DIRS, ENFORCEMENT_HOOK_SUPPORT, GAL_PRECOMMIT_MARKER, GAL_PRECOMMIT_CONTENT, GAL_SDLC_PREPUSH_MARKER;
 var init_enforce = __esm({
@@ -70904,7 +71039,7 @@ var init_index = __esm({
 });
 
 // src/bootstrap.ts
-var cliVersion10 = true ? "0.0.378" : "0.0.0-dev";
+var cliVersion10 = true ? "0.0.380" : "0.0.0-dev";
 var args = process.argv.slice(2);
 var requestedGlobalHelp = args.length === 1 && (args[0] === "--help" || args[0] === "-h");
 var requestedVersion = args.length === 1 && (args[0] === "--version" || args[0] === "-V");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@scheduler-systems/gal-run",
-  "version": "0.0.378",
+  "version": "0.0.380",
   "description": "GAL CLI - Command-line tool for managing AI agent configurations across your organization",
   "license": "Elastic-2.0",
   "private": false,