@sigmashake/ssg 0.29.86 → 0.29.89

package/bin/cleanup-globals.cjs

@@ -3,53 +3,55 @@
 // Also registers a per-install canary for distribution tracking.
 // This runs on `postinstall` to ensure npm takes precedence
 
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-const crypto = require('crypto');
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+const https = require("node:https");
+const crypto = require("node:crypto");
 
 // Only run cleanup if installed globally via npm (or we assume global if running in a global node_modules directory)
-const isGlobal = 
-  process.env.npm_config_global === 'true' || 
-  __dirname.includes('/lib/node_modules/') || 
-  __dirname.includes('\\npm\\node_modules\\');
+const isGlobal =
+	process.env.npm_config_global === "true" ||
+	__dirname.includes("/lib/node_modules/") ||
+	__dirname.includes("\\npm\\node_modules\\");
 
 if (!isGlobal) {
-  process.exit(0);
+	process.exit(0);
 }
 
 const homedir = os.homedir();
 const targets = [
-  path.join(homedir, '.local', 'bin', 'ssg'),
-  path.join(homedir, '.local', 'bin', 'libssg_eval.so'),
-  path.join(homedir, '.bun', 'bin', 'ssg'),
+	path.join(homedir, ".local", "bin", "ssg"),
+	path.join(homedir, ".local", "bin", "libssg_eval.so"),
+	path.join(homedir, ".bun", "bin", "ssg"),
 ];
 
 let cleaned = false;
 
 for (const target of targets) {
-  try {
-    if (!fs.existsSync(target)) continue;
-
-    // Do not delete if it actually belongs to this exact npm installation (symlink loopback check)
-    // Sometimes package managers like bun map symlinks directly to the node_modules bin.
-    const realPath = fs.realpathSync(target);
-    if (realPath.includes(__dirname)) {
-      continue;
-    }
-
-    // Attempt to remove the conflicting binary
-    fs.rmSync(target, {force: true});
-    console.log(`[ssg-cleanup] Removed conflicting global binary: ${target}`);
-    cleaned = true;
-  } catch (e) {
-    console.warn(`[ssg-cleanup] Could not remove ${target}: ${e.message}`);
-  }
+	try {
+		if (!fs.existsSync(target)) continue;
+
+		// Do not delete if it actually belongs to this exact npm installation (symlink loopback check)
+		// Sometimes package managers like bun map symlinks directly to the node_modules bin.
+		const realPath = fs.realpathSync(target);
+		if (realPath.includes(__dirname)) {
+			continue;
+		}
+
+		// Attempt to remove the conflicting binary
+		fs.rmSync(target, { force: true });
+		console.log(`[ssg-cleanup] Removed conflicting global binary: ${target}`);
+		cleaned = true;
+	} catch (e) {
+		console.warn(`[ssg-cleanup] Could not remove ${target}: ${e.message}`);
+	}
 }
 
 if (cleaned) {
-  console.log('[ssg-cleanup] Successfully cleaned up old binary conflicts designed for local development.');
+	console.log(
+		"[ssg-cleanup] Successfully cleaned up old binary conflicts designed for local development.",
+	);
 }
 
 // ── Per-install canary registration ─────────────────────────────────────────
@@ -57,63 +59,73 @@ if (cleaned) {
 // the source installation if a cracked binary appears in the wild.
 // Fire-and-forget: never blocks or fails the install.
 (function registerCanary() {
-  try {
-    const homedir = os.homedir();
-    const ssgDir = path.join(homedir, '.sigmashake');
-    const canaryPath = path.join(ssgDir, '.canary');
-
-    // Skip if canary already registered for this install
-    if (fs.existsSync(canaryPath)) return;
-
-    const pkg = require('../package.json');
-    const version = pkg.version;
-    const platform = process.platform;
-    const arch = process.arch;
-
-    // Generate a stable machine fingerprint (same signals as fingerprint.ts)
-    let machineId = '';
-    try {
-      if (process.platform === 'linux') {
-        const p = '/etc/machine-id';
-        if (fs.existsSync(p)) machineId = fs.readFileSync(p, 'utf8').trim();
-      }
-    } catch { /* ignore */ }
-
-    const fingerprint = crypto
-      .createHash('sha256')
-      .update([machineId, platform, arch, os.hostname(), homedir].join('|'))
-      .digest('hex');
-
-    const payload = JSON.stringify({fingerprint, version, platform, arch});
-
-    const req = https.request(
-      {
-        hostname: 'api.sigmashake.com',
-        path: '/v1/install/register',
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(payload),
-        },
-        timeout: 5000,
-      },
-      res => {
-        const chunks = [];
-        res.on('data', c => chunks.push(c));
-        res.on('end', () => {
-          try {
-            const body = JSON.parse(Buffer.concat(chunks).toString('utf8'));
-            if (body && body.canary_id) {
-              fs.mkdirSync(ssgDir, {recursive: true});
-              fs.writeFileSync(canaryPath, body.canary_id, {mode: 0o600});
-            }
-          } catch { /* ignore parse errors */ }
-        });
-      },
-    );
-    req.on('error', () => { /* non-blocking, ignore network errors */ });
-    req.on('timeout', () => { req.destroy(); });
-    req.write(payload);
-    req.end();
-  } catch { /* never crash the install */ }
+	try {
+		const homedir = os.homedir();
+		const ssgDir = path.join(homedir, ".sigmashake");
+		const canaryPath = path.join(ssgDir, ".canary");
+
+		// Skip if canary already registered for this install
+		if (fs.existsSync(canaryPath)) return;
+
+		const pkg = require("../package.json");
+		const version = pkg.version;
+		const platform = process.platform;
+		const arch = process.arch;
+
+		// Generate a stable machine fingerprint (same signals as fingerprint.ts)
+		let machineId = "";
+		try {
+			if (process.platform === "linux") {
+				const p = "/etc/machine-id";
+				if (fs.existsSync(p)) machineId = fs.readFileSync(p, "utf8").trim();
+			}
+		} catch {
+			/* ignore */
+		}
+
+		const fingerprint = crypto
+			.createHash("sha256")
+			.update([machineId, platform, arch, os.hostname(), homedir].join("|"))
+			.digest("hex");
+
+		const payload = JSON.stringify({ fingerprint, version, platform, arch });
+
+		const req = https.request(
+			{
+				hostname: "api.sigmashake.com",
+				path: "/v1/install/register",
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					"Content-Length": Buffer.byteLength(payload),
+				},
+				timeout: 5000,
+			},
+			(res) => {
+				const chunks = [];
+				res.on("data", (c) => chunks.push(c));
+				res.on("end", () => {
+					try {
+						const body = JSON.parse(Buffer.concat(chunks).toString("utf8"));
+						if (body?.canary_id) {
+							fs.mkdirSync(ssgDir, { recursive: true });
+							fs.writeFileSync(canaryPath, body.canary_id, { mode: 0o600 });
+						}
+					} catch {
+						/* ignore parse errors */
+					}
+				});
+			},
+		);
+		req.on("error", () => {
+			/* non-blocking, ignore network errors */
+		});
+		req.on("timeout", () => {
+			req.destroy();
+		});
+		req.write(payload);
+		req.end();
+	} catch {
+		/* never crash the install */
+	}
 })();

package/bin/ssg.cjs

@@ -2,13 +2,13 @@
 // bin/ssg.cjs — launcher for @sigmashake/ssg
 // Resolves the native binary from the platform-specific optional dependency,
 // falls back to a local dist/ build (dev environment), then to Bun + source.
-'use strict';
+"use strict";
 
-const {execFileSync, spawnSync} = require('child_process');
-const path = require('path');
-const fs = require('fs');
+const { execFileSync, spawnSync } = require("node:child_process");
+const path = require("node:path");
+const fs = require("node:fs");
 
-const ext = process.platform === 'win32' ? '.exe' : '';
+const ext = process.platform === "win32" ? ".exe" : "";
 const platformPkg = `@sigmashake/ssg-${process.platform}-${process.arch}`;
 let binaryPath;
 
@@ -18,30 +18,32 @@ let binaryPath;
 let hookBinPath;
 let evalServerBinPath;
 try {
-  const pkgRoot = path.dirname(require.resolve(`${platformPkg}/package.json`));
-  const candidate = path.join(pkgRoot, 'bin', `ssg${ext}`);
-  if (fs.existsSync(candidate)) binaryPath = candidate;
-  const hookCandidate = path.join(pkgRoot, 'bin', `ssg-hook-fast${ext}`);
-  if (fs.existsSync(hookCandidate)) hookBinPath = hookCandidate;
-  const sidecarCandidate = path.join(pkgRoot, 'bin', `ssg-eval-server${ext}`);
-  if (fs.existsSync(sidecarCandidate)) evalServerBinPath = sidecarCandidate;
+	const pkgRoot = path.dirname(require.resolve(`${platformPkg}/package.json`));
+	const candidate = path.join(pkgRoot, "bin", `ssg${ext}`);
+	if (fs.existsSync(candidate)) binaryPath = candidate;
+	const hookCandidate = path.join(pkgRoot, "bin", `ssg-hook-fast${ext}`);
+	if (fs.existsSync(hookCandidate)) hookBinPath = hookCandidate;
+	const sidecarCandidate = path.join(pkgRoot, "bin", `ssg-eval-server${ext}`);
+	if (fs.existsSync(sidecarCandidate)) evalServerBinPath = sidecarCandidate;
 } catch {}
 
 // 2. Check if binary was bundled in the root (dev: local npm pack or manual build)
 if (!binaryPath) {
-  const rootBin = path.resolve(__dirname, '..', `ssg${ext}`);
-  if (fs.existsSync(rootBin)) {
-    binaryPath = rootBin;
-  }
+	const rootBin = path.resolve(__dirname, "..", `ssg${ext}`);
+	if (fs.existsSync(rootBin)) {
+		binaryPath = rootBin;
+	}
 }
 
 // 3. Fall back to local dist/ (dev build / bun build --compile)
 if (!binaryPath) {
-  const devBin = path.resolve(
-    __dirname, '..', 'dist',
-    `ssg-${process.platform}-${process.arch}${ext}`,
-  );
-  if (fs.existsSync(devBin)) binaryPath = devBin;
+	const devBin = path.resolve(
+		__dirname,
+		"..",
+		"dist",
+		`ssg-${process.platform}-${process.arch}${ext}`,
+	);
+	if (fs.existsSync(devBin)) binaryPath = devBin;
 }
 
 // 2.5 Hook-eval fast-path short-circuit (perf):
@@ -60,79 +62,107 @@ if (!binaryPath) {
 // full bun-startup cost on macOS (~1.3 s), even though the actual eval
 // only takes ~40 ms.
 if (
-  hookBinPath &&
-  process.env['SSG_HOOK_NO_FAST'] !== '1' &&
-  process.argv.length === 4 &&
-  process.argv[2] === 'hook' &&
-  process.argv[3] === 'eval'
+	hookBinPath &&
+	process.env.SSG_HOOK_NO_FAST !== "1" &&
+	process.argv.length === 4 &&
+	process.argv[2] === "hook" &&
+	process.argv[3] === "eval"
 ) {
-  const env = { ...process.env, SSG_PUBLIC_DIR: path.resolve(__dirname, '..', 'public') };
-  if (evalServerBinPath) env['SSG_EVAL_SERVER_BIN'] = evalServerBinPath;
-  const r = spawnSync(hookBinPath, [], { stdio: 'inherit', env, windowsHide: true });
-  // status 99 = sentinel for "needs JS path" (ask mode, TTY) — fall through.
-  // null/undefined status with error → fall through and let bun ssg handle.
-  if (r.status !== 99 && r.status !== null && r.status !== undefined && !r.error) {
-    process.exit(r.status);
-  }
-  // Otherwise fall through to the bun ssg below (handles ask mode, TTY,
-  // and surface any error diagnostics consistently with the rest of the CLI).
+	const env = {
+		...process.env,
+		SSG_PUBLIC_DIR: path.resolve(__dirname, "..", "public"),
+	};
+	if (evalServerBinPath) env.SSG_EVAL_SERVER_BIN = evalServerBinPath;
+	const r = spawnSync(hookBinPath, [], {
+		stdio: "inherit",
+		env,
+		windowsHide: true,
+	});
+	// status 99 = sentinel for "needs JS path" (ask mode, TTY) — fall through.
+	// null/undefined status with error → fall through and let bun ssg handle.
+	if (
+		r.status !== 99 &&
+		r.status !== null &&
+		r.status !== undefined &&
+		!r.error
+	) {
+		process.exit(r.status);
+	}
+	// Otherwise fall through to the bun ssg below (handles ask mode, TTY,
+	// and surface any error diagnostics consistently with the rest of the CLI).
 }
 
 // 3. Run binary if found
 if (binaryPath) {
-  const env = { ...process.env, SSG_PUBLIC_DIR: path.resolve(__dirname, '..', 'public') };
-  if (hookBinPath) env['SSG_HOOK_FAST_BIN'] = hookBinPath;
-  if (evalServerBinPath) env['SSG_EVAL_SERVER_BIN'] = evalServerBinPath;
-  const result = spawnSync(binaryPath, process.argv.slice(2), {
-    stdio: 'inherit',
-    env,
-    windowsHide: true,
-  });
-  process.exit(result.status ?? 1);
+	const env = {
+		...process.env,
+		SSG_PUBLIC_DIR: path.resolve(__dirname, "..", "public"),
+	};
+	if (hookBinPath) env.SSG_HOOK_FAST_BIN = hookBinPath;
+	if (evalServerBinPath) env.SSG_EVAL_SERVER_BIN = evalServerBinPath;
+	const result = spawnSync(binaryPath, process.argv.slice(2), {
+		stdio: "inherit",
+		env,
+		windowsHide: true,
+	});
+	process.exit(result.status ?? 1);
 }
 
 // 4. Last resort: run TypeScript source via Bun (unsupported platform / dev)
-const src = path.resolve(__dirname, '..', 'src', 'cli.ts');
-const isWin = process.platform === 'win32';
-const bunExe = isWin ? 'bun.exe' : 'bun';
+const src = path.resolve(__dirname, "..", "src", "cli.ts");
+const isWin = process.platform === "win32";
+const bunExe = isWin ? "bun.exe" : "bun";
 
 let bunPath;
 try {
-  // `where` on Windows, `which` everywhere else.
-  bunPath = execFileSync(isWin ? 'where' : 'which', [bunExe], {encoding: 'utf8'})
-    .trim()
-    .split(/\r?\n/)[0];
+	// `where` on Windows, `which` everywhere else.
+	bunPath = execFileSync(isWin ? "where" : "which", [bunExe], {
+		encoding: "utf8",
+	})
+		.trim()
+		.split(/\r?\n/)[0];
 } catch {
-  const home = process.env.HOME ?? process.env.USERPROFILE ?? '';
-  const candidates = isWin
-    ? [
-        path.join(home, '.bun', 'bin', 'bun.exe'),
-        path.join(process.env.LOCALAPPDATA ?? '', 'Programs', 'bun', 'bin', 'bun.exe'),
-        'C:\\Program Files\\bun\\bin\\bun.exe',
-      ]
-    : [
-        path.join(home, '.bun', 'bin', 'bun'),
-        '/usr/local/bin/bun',
-        '/opt/homebrew/bin/bun',
-      ];
-  bunPath = candidates.find(p => {
-    try { fs.accessSync(p, fs.constants.X_OK); return true; } catch { return false; }
-  });
+	const home = process.env.HOME ?? process.env.USERPROFILE ?? "";
+	const candidates = isWin
+		? [
+				path.join(home, ".bun", "bin", "bun.exe"),
+				path.join(
+					process.env.LOCALAPPDATA ?? "",
+					"Programs",
+					"bun",
+					"bin",
+					"bun.exe",
+				),
+				"C:\\Program Files\\bun\\bin\\bun.exe",
+			]
+		: [
+				path.join(home, ".bun", "bin", "bun"),
+				"/usr/local/bin/bun",
+				"/opt/homebrew/bin/bun",
+			];
+	bunPath = candidates.find((p) => {
+		try {
+			fs.accessSync(p, fs.constants.X_OK);
+			return true;
+		} catch {
+			return false;
+		}
+	});
 }
 
 if (!bunPath) {
-  process.stderr.write(
-    `ssg: no pre-compiled binary for ${process.platform}-${process.arch}.\n` +
-    `Expected platform package: ${platformPkg}\n` +
-    'Install Bun to run from source (https://bun.sh):\n\n' +
-    '  curl -fsSL https://bun.sh/install | bash\n\n',
-  );
-  process.exit(1);
+	process.stderr.write(
+		`ssg: no pre-compiled binary for ${process.platform}-${process.arch}.\n` +
+			`Expected platform package: ${platformPkg}\n` +
+			"Install Bun to run from source (https://bun.sh):\n\n" +
+			"  curl -fsSL https://bun.sh/install | bash\n\n",
+	);
+	process.exit(1);
 }
 
 const result = spawnSync(bunPath, [src, ...process.argv.slice(2)], {
-  stdio: 'inherit',
-  env: process.env,
-  windowsHide: true,
+	stdio: "inherit",
+	env: process.env,
+	windowsHide: true,
 });
 process.exit(result.status ?? 1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigmashake/ssg",
-  "version": "0.29.86",
+  "version": "0.29.89",
   "description": "AI Agent Governance CLI — evaluate tool calls against rules, block dangerous operations, and surface blocked commands",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
@@ -14,8 +14,8 @@
     "README.md"
   ],
   "optionalDependencies": {
-    "@sigmashake/ssg-linux-x64": "0.29.86",
-    "@sigmashake/ssg-linux-arm64": "0.29.86",
+    "@sigmashake/ssg-linux-x64": "0.29.89",
+    "@sigmashake/ssg-linux-arm64": "0.29.89",
     "@sigmashake/ssg-darwin-arm64": "0.29.82",
     "@sigmashake/ssg-darwin-x64": "0.29.82",
     "@sigmashake/ssg-win32-x64": "0.29.85"
@@ -107,7 +107,8 @@
     "check:rust-audit:windows": "cd native/rust-audit && cargo zigbuild --target x86_64-pc-windows-gnu",
     "check:rust-audit:all": "bun run check:rust-audit:linux-x64 && bun run check:rust-audit:linux-arm64 && bun run check:rust-audit:darwin-arm64 && bun run check:rust-audit:darwin-x64 && bun run check:rust-audit:windows",
     "test:regression": "bun test test/regression",
-    "test:configuration": "bun test test/configuration"
+    "test:configuration": "bun test test/configuration",
+    "typecheck": "bun run typecheck:client && bun run compile"
   },
   "keywords": [
     "ai",