@scheduler-systems/gal-run 0.0.400 → 0.0.402
- package/dist/index.cjs +60 -7
- package/package.json +1 -1
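--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -3970,7 +3970,7 @@ var cliVersion, defaultApiUrl, BUILD_CONSTANTS, constants_default;
 var init_constants = __esm({
 "src/constants.ts"() {
 "use strict";
-cliVersion = true ? "0.0.
+cliVersion = true ? "0.0.402" : "0.0.0-dev";
 defaultApiUrl = true ? "https://api.gal.run" : "http://localhost:3000";
 BUILD_CONSTANTS = Object.freeze([cliVersion, defaultApiUrl]);
 constants_default = BUILD_CONSTANTS;
@@ -4880,7 +4880,7 @@ function detectEnvironment() {
 return "dev";
 }
 try {
-const version2 = true ? "0.0.
+const version2 = true ? "0.0.402" : void 0;
 if (version2 && version2.includes("-local")) {
 return "dev";
 }
@@ -5249,7 +5249,7 @@ function getId() {
 }
 function getCliVersion() {
 try {
-return true ? "0.0.
+return true ? "0.0.402" : "0.0.0-dev";
 } catch {
 return "0.0.0-dev";
 }
@@ -14409,7 +14409,60 @@ var init_capability_analyzer = __esm({
 message: "The prompt includes a production deployment operation. Production deploys require elevated cloud permissions and may impact live users.",
 recommendation: "Ensure the session has appropriate GCP / cloud IAM roles. Run a dry-run or staging deploy first to validate the change. Verify that required secrets (GCP_SA_KEY, etc.) are available to the runner."
 },
-// 5.
+// 5. Browser profile / persisted browser auth
+{
+ruleId: "BROWSER_PROFILE_REQUIREMENT",
+category: "browser_profiles",
+severity: "warning",
+patterns: [
+/\bbrowser\s+profile(s)?\b/i,
+/\bbrowser_profile_ids\b/i,
+/\bstorage\s*state\b/i,
+/playwright.{0,40}(auth|profile|storage|cookie|session)/i,
+/console\.(firebase|cloud)\.google\.com/i,
+/(attach|inject|reuse|use).{0,40}browser.{0,30}profile/i
+],
+title: "Browser profile requirement detected",
+message: "The prompt indicates browser automation that may require persisted authenticated browser state. Without an active browser profile, UI/console operations can fail with login or permission errors.",
+recommendation: "Ensure approved browser profile IDs are available for the target account and passed to dispatch. Prefer pre-seeded profiles for production consoles instead of interactive login inside the run."
+},
+// 6. Cloud authentication (GCP/Firebase)
+{
+ruleId: "CLOUD_AUTH_REQUIREMENT",
+category: "cloud_auth",
+severity: "warning",
+patterns: [
+/\bgcloud\s+auth\b/i,
+/\bgcloud-adc\b/i,
+/\bgoogle_application_credentials\b/i,
+/\bgoogle\s+application\s+credentials\b/i,
+/\bworkload\s+identity(\s+federation)?\b/i,
+/\bfirebase\s+(admin|auth|cli|login)\b/i,
+/\bservice\s+account\b/i,
+/\bcloud\s+iam\b/i
+],
+title: "Cloud authentication requirement detected",
+message: "The prompt references GCP/Firebase authentication or cloud identity setup. Runs without valid cloud auth often fail at runtime with permission or credential errors.",
+recommendation: "Verify that cloud auth is available before dispatch (for example Workload Identity or approved auth refs). Confirm the target account has the required IAM roles for the requested operation."
+},
+// 7. Approved environment secrets/auth refs
+{
+ruleId: "ENVIRONMENT_CONFIG_REQUIREMENT",
+category: "environment_config",
+severity: "warning",
+patterns: [
+/\benvironmentconfig\b/i,
+/\benvironment\s+config(uration)?\b/i,
+/\bapproved\s+environment\b/i,
+/environment\.(secrets|auth)/i,
+/secrets\/[a-z0-9._-]+/i,
+/\b(secret|auth)\s+ref(erence)?s?\b/i
+],
+title: "Approved environment configuration requirement detected",
+message: "The prompt references environment-level secrets or auth references. If approved environment configuration is missing, dispatch can appear healthy but fail during execution.",
+recommendation: "Confirm approved environment config includes all required secret/auth refs before dispatch. Block or defer dispatch when required refs are missing."
+},
+// 8. npm publish
 {
 ruleId: "NPM_PUBLISH",
 category: "npm_publish",
@@ -14428,7 +14481,7 @@ var init_capability_analyzer = __esm({
 message: "The prompt includes an npm publish operation. Publishing requires a valid npm token with publish rights to the target package scope.",
 recommendation: "Ensure NPM_TOKEN or NODE_AUTH_TOKEN is set in the runner environment. Verify the package version has been bumped and CHANGELOG is updated before publishing. Consider using a one-time publish token scoped to the specific package."
 },
-//
+// 9. Elevated / admin permissions
 {
 ruleId: "ELEVATED_PERMISSIONS",
 category: "elevated_permissions",
@@ -14450,7 +14503,7 @@ var init_capability_analyzer = __esm({
 message: "The prompt references elevated permissions (admin merge, bypass reviews, skip CI checks). These operations should only be performed by authorised users in exceptional circumstances.",
 recommendation: "Document the reason for the elevated operation. Prefer the normal PR review flow. If CI must be skipped, add `[skip ci]` only to non-production changes."
 },
-//
+// 10. Org/repo admin operations requiring elevated GitHub App permissions (#1878)
 //
 // The GitHub App integration token used by background sessions is scoped to
 // repository-level access. Org-wide or repo-level admin write operations
@@ -71140,7 +71193,7 @@ var init_index = __esm({
 });
 
 // src/bootstrap.ts
-var cliVersion10 = true ? "0.0.
+var cliVersion10 = true ? "0.0.402" : "0.0.0-dev";
 var args = process.argv.slice(2);
 var requestedGlobalHelp = args.length === 1 && (args[0] === "--help" || args[0] === "-h");
 var requestedVersion = args.length === 1 && (args[0] === "--version" || args[0] === "-V");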
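Review bot: The `recommendation` string of BROWSER_PROFILE_REQUIREMENT (new lines 14413–14428) steers users toward pre-seeded, already-authenticated browser profiles for production consoles without any least-privilege guidance, although a persisted profile is effectively a long-lived session credential for that account. The neighbouring NPM_PUBLISH rule already suggests a one-time, package-scoped token, and the same posture fits here, for example by appending `Use a dedicated least-privilege account for the profile, restrict which runs may attach it, and rotate or expire the stored session.` to the string. Separately, ENVIRONMENT_CONFIG_REQUIREMENT tells the reader to "Block or defer dispatch when required refs are missing" while its `severity` is `"warning"`; whether a warning can block dispatch is decided outside this hunk, so the severity or the wording should be confirmed against the consumer. All three new rules match keywords in the prompt text, so they are presumably advisory hints rather than an enforcement point, and a one-line comment above rule 5 such as `// Advisory only: keyword matches on prompt text, not an access-control check` would make that explicit. The rules array opens and closes outside the visible hunks.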
|
package/package.json
CHANGED