@scheduler-systems/gal-run 0.0.404 → 0.0.405
- package/dist/index.cjs +95 -4
- package/package.json +1 -1
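--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -3970,7 +3970,7 @@ var cliVersion, defaultApiUrl, BUILD_CONSTANTS, constants_default;
 var init_constants = __esm({
 "src/constants.ts"() {
 "use strict";
-cliVersion = true ? "0.0.
+cliVersion = true ? "0.0.405" : "0.0.0-dev";
 defaultApiUrl = true ? "https://api.gal.run" : "http://localhost:3000";
 BUILD_CONSTANTS = Object.freeze([cliVersion, defaultApiUrl]);
 constants_default = BUILD_CONSTANTS;
@@ -4880,7 +4880,7 @@ function detectEnvironment() {
 return "dev";
 }
 try {
-const version2 = true ? "0.0.
+const version2 = true ? "0.0.405" : void 0;
 if (version2 && version2.includes("-local")) {
 return "dev";
 }
@@ -5249,7 +5249,7 @@ function getId() {
 }
 function getCliVersion() {
 try {
-return true ? "0.0.
+return true ? "0.0.405" : "0.0.0-dev";
 } catch {
 return "0.0.0-dev";
 }
@@ -14550,6 +14550,97 @@ var init_capability_analyzer = __esm({
 title: "Org/repo admin operation may exceed integration token scope",
 message: 'The prompt indicates intent to perform an org-wide or repo-admin operation (rulesets, branch protection write, org settings, or team membership). Background agent sessions run with a GitHub App installation token that, by default, does NOT include "Administration: write" or "Members: write" at the organisation level. These calls will fail with HTTP 403 "Resource not accessible by integration".',
 recommendation: 'This operation cannot be completed with the current integration token. Options:\n 1. Use a Personal Access Token (PAT) with the required org/repo admin scopes instead of the integration token \u2014 set it in the session environment as GITHUB_TOKEN.\n 2. Ask a GitHub organisation owner to grant the GAL GitHub App the "Administration" (repository or organisation) and/or "Members" permissions.\n 3. Perform the admin operation manually in the GitHub UI or with a PAT before dispatching the agent session.'
+},
+// 8. Browser automation with saved login state / browser profile (#4814)
+{
+ruleId: "BROWSER_AUTOMATION",
+category: "browser_automation",
+severity: "warning",
+patterns: [
+/browser\s+profile/i,
+/chrome\s+profile/i,
+/firefox\s+profile/i,
+/saved\s+(login|session|cookies?|credential)/i,
+/login\s+state/i,
+/persistent\s+(session|browser|cookie)/i,
+/user[\s-]?data[\s-]?dir/i,
+/--user-data-dir/i,
+/browser\s+automation.{0,30}(login|auth|session|profile)/i,
+/(login|auth|session|profile).{0,30}browser\s+automation/i,
+/playwright.{0,30}(storage[\s-]?state|saved[\s-]?auth)/i,
+/(storage[\s-]?state|saved[\s-]?auth).{0,30}playwright/i,
+/puppeteer.{0,30}(profile|user[\s-]?data)/i,
+/(profile|user[\s-]?data).{0,30}puppeteer/i
+],
+title: "Browser automation with saved login state detected",
+message: "The prompt requires browser automation that depends on a saved browser profile, login state, or persistent cookies. Background agent runners do not have access to local browser profiles or saved authentication sessions.",
+recommendation: "Provide explicit authentication credentials via environment variables or the approved config environment block instead of relying on a saved browser profile. If Playwright is used, export and supply a `storageState` JSON file via the environment config."
+},
+// 9. Firebase / Firestore access (#4814)
+{
+ruleId: "FIREBASE_ACCESS",
+category: "firebase_access",
+severity: "warning",
+patterns: [
+/firebase[\s-]?admin/i,
+/firestore\s+(read|write|query|update|delete|set|add|batch|transaction)/i,
+/(read|write|query|update|delete|set|add)\s+.{0,30}firestore/i,
+/firebase\s+(auth|database|rtdb|realtime|storage|functions|hosting)/i,
+/FIREBASE_SERVICE_ACCOUNT/i,
+/FIREBASE_TOKEN/i,
+/FIREBASE_PROJECT_ID/i,
+/GOOGLE_APPLICATION_CREDENTIALS/i,
+/firebase[\s-]?emulator/i,
+/firebase\s+deploy/i,
+/firebaserc/i
+],
+title: "Firebase / Firestore access detected",
+message: "The prompt requires Firebase or Firestore access. Background agent runners need a Firebase service account key or Application Default Credentials to interact with Firebase services.",
+recommendation: "Ensure the approved config environment block includes a Firebase service account key (e.g. GOOGLE_APPLICATION_CREDENTIALS as a file secret). For emulator-only work, set FIRESTORE_EMULATOR_HOST in the environment config."
+},
+// 10. GCP / cloud access beyond deployment (#4814)
+{
+ruleId: "CLOUD_ACCESS",
+category: "cloud_access",
+severity: "warning",
+patterns: [
+/gcloud\s+(auth|config|iam|projects|secrets|kms|storage|compute|sql|pubsub|run\s+services)/i,
+/GCP_SA_KEY/i,
+/GOOGLE_CLOUD_PROJECT/i,
+/service[\s-]?account[\s-]?key/i,
+/application[\s-]?default[\s-]?credentials/i,
+/cloud\s+(storage|kms|sql|pubsub|functions|secret[\s-]?manager)/i,
+/gsutil\b/i,
+/bq\s+(query|load|extract|mk|ls)/i,
+/gcs:\/\//i,
+/gs:\/\//i
+],
+title: "GCP / cloud service access detected",
+message: "The prompt requires Google Cloud Platform service access (IAM, Secret Manager, Cloud Storage, etc.). Background agent runners need a service account key or workload identity credentials.",
+recommendation: "Add a GCP service account key to the approved config environment block (secret type: file, source: secrets/gcp-sa-key) and include a setup step to activate it. Alternatively, configure workload identity federation for keyless auth."
+},
+// 11. Approved environment secrets / auth references (#4814)
+{
+ruleId: "ENVIRONMENT_AUTH_REFS",
+category: "environment_auth",
+severity: "warning",
+patterns: [
+/approved[\s-]?config.{0,30}(secret|auth|credential|environment)/i,
+/(secret|auth|credential|environment).{0,30}approved[\s-]?config/i,
+/environment[\s-]?block.{0,30}(secret|auth|key|token)/i,
+/(secret|auth|key|token).{0,30}environment[\s-]?block/i,
+/gal[\s-]?config.{0,30}(secret|environment|auth)/i,
+/(secret|environment|auth).{0,30}gal[\s-]?config/i,
+/environment\.secrets/i,
+/environment\.auth/i,
+/environment\.setup/i,
+/secret[\s-]?manager\s+wiring/i,
+/inject.{0,30}(secret|credential|key)/i,
+/(secret|credential|key).{0,30}inject/i
+],
+title: "Approved environment secrets or auth configuration required",
+message: "The prompt references secrets, authentication, or environment configuration from the approved config. The agent runner must have the environment block properly configured with the required secrets and auth entries before dispatch.",
+recommendation: "Verify the workspace approved config includes an `environment` block with the required `secrets` and/or `auth` entries. Use `gal config get --platform claude` to inspect the current approved config before dispatching."
 }
 ];
 }
@@ -71193,7 +71284,7 @@ var init_index = __esm({
 });
 
 // src/bootstrap.ts
-var cliVersion10 = true ? "0.0.
+var cliVersion10 = true ? "0.0.405" : "0.0.0-dev";
 var args = process.argv.slice(2);
 var requestedGlobalHelp = args.length === 1 && (args[0] === "--help" || args[0] === "-h");
 var requestedVersion = args.length === 1 && (args[0] === "--version" || args[0] === "-V");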
package/package.json
CHANGED