@socketsecurity/lib 6.0.7 → 6.0.8

package/dist/ai/credentials.js

@@ -0,0 +1,82 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_secrets_find = require('../secrets/find.js');
+
+//#region src/ai/credentials.mts
+/**
+* @file Layered provider-credential resolver for AI backends. One call site,
+*   dev and CI: a provider token resolves from an explicit override, then the
+*   provider's env var, then the OS keychain — mirroring the
+*   `readSocketApiToken` env → keychain precedence
+*   (`secrets/socket-api-token.ts`). Why a single resolver: `ai/http.mts` read
+*   `process.env[tokenEnv]` inline, so every consumer hard-coded the env-only
+*   path and none could reach the keychain. Routing skills also need a uniform
+*   way to ask "do I have a credential for provider X?" without knowing its
+*   env-var name. This centralizes the provider → { tokenEnv, keychainService }
+*   map (the HTTP providers reuse `AI_HTTP_PROVIDERS` so the env var isn't
+*   duplicated) and the precedence. CI vs dev: pass `allowEnvOnly: true` (the
+*   resolver's existing escape) in headless contexts so a missing token returns
+*   `undefined` immediately instead of triggering a keychain auth prompt. CI
+*   sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
+*   `resolveProviderCredential` call reads it there with no keychain. proteus
+*   hook-point: the forthcoming biometric credential daemon
+*   (`.claude/plans/proteus-credential-broker.md`) slots in as a layer between
+*   the env check and the keychain read inside `resolve()`'s implementation —
+*   call sites here do not change when it lands (resolver decision #4 in that
+*   plan). This module is the stable seam.
+*/
+const PROVIDER_CREDENTIALS = {
+	__proto__: null,
+	anthropic: {
+		keychainService: "socketsecurity",
+		tokenEnv: "ANTHROPIC_API_KEY"
+	},
+	fireworks: {
+		keychainService: "socketsecurity",
+		tokenEnv: "FIREWORKS_API_KEY"
+	},
+	openai: {
+		keychainService: "socketsecurity",
+		tokenEnv: "OPENAI_API_KEY"
+	},
+	synthetic: {
+		keychainService: "socketsecurity",
+		tokenEnv: "SYNTHETIC_API_KEY"
+	},
+	xai: {
+		keychainService: "socketsecurity",
+		tokenEnv: "XAI_API_KEY"
+	}
+};
+/**
+* True when `value` names a provider with a resolvable credential.
+*/
+function isCredentialProvider(value) {
+	return value in PROVIDER_CREDENTIALS;
+}
+/**
+* Resolve a provider's bearer token: explicit override → env var → keychain →
+* undefined. The token never appears inline or in logs — callers pass the
+* result straight to an `Authorization` header. Returns `undefined` when no
+* source has it (the caller decides whether that's fatal).
+*/
+async function resolveProviderCredential(options) {
+	const opts = {
+		__proto__: null,
+		...options
+	};
+	if (opts.explicit) return opts.explicit;
+	const spec = PROVIDER_CREDENTIALS[opts.provider];
+	if (!spec) return;
+	return (await require_secrets_find.resolve({
+		accounts: [spec.tokenEnv],
+		allowEnvOnly: opts.allowEnvOnly,
+		service: spec.keychainService
+	}))?.value;
+}
+
+//#endregion
+exports.PROVIDER_CREDENTIALS = PROVIDER_CREDENTIALS;
+exports.isCredentialProvider = isCredentialProvider;
+exports.resolveProviderCredential = resolveProviderCredential;

package/dist/ai/discover.d.mts

@@ -14,6 +14,10 @@
  *      cold-start cost.
  */
 import type { DiscoveredAgents } from './types.mts';
+export interface OnDiskCache {
+    readonly agents: DiscoveredAgents;
+    readonly writtenAt: number;
+}
 export declare function cachePathFor(repoRoot: string): string;
 /**
  * Discover which AI agent CLIs are installed.

package/dist/ai/discover.js

@@ -8,9 +8,9 @@ const require_bin_which = require('../bin/which.js');
 const require_errors_message = require('../errors/message.js');
 const require_logger_default = require('../logger/default.js');
 let node_fs = require("node:fs");
-let node_fs_promises = require("node:fs/promises");
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path, 1);
+let node_fs_promises = require("node:fs/promises");
 
 //#region src/ai/discover.mts
 /**

package/dist/ai/exec.d.mts

@@ -0,0 +1,52 @@
+/**
+ * @file Exec-backend seam: WHERE a shell command runs, a separate axis from
+ *   WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
+ *   the cheap built-in `real` runner (the host shell via lib `spawn`); a
+ *   SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
+ *   the small-dist lib free of a heavy sandbox dependency — the fleet's sandbox
+ *   of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
+ *   CI tooling and passed in, so a lib consumer that never sandboxes pays
+ *   nothing. Layering: ExecRunner.run() — the injectable primitive (real |
+ *   sandboxed) composed into ExecContext — { runners: { real, sandboxed? },
+ *   resolve(trust) } used by runShell(script, { context, trust }) — the
+ *   ergonomic entry point Pick a runner by TRUST LEVEL, never by model.
+ *   `untrusted` resolves to the sandboxed runner — which a caller that hasn't
+ *   injected one cannot run, so `resolve` throws a clear "provide a sandboxed
+ *   runner" error rather than silently falling back to the host shell. Both
+ *   runners normalize to one `ExecResult` so callers swap trust levels without
+ *   reshaping result handling.
+ */
+export type ExecBackend = 'real' | 'sandboxed';
+export type ExecTrust = 'trusted' | 'untrusted';
+export interface ExecResult {
+    readonly stdout: string;
+    readonly stderr: string;
+    readonly exitCode: number;
+}
+export interface ExecRunOptions {
+    readonly cwd?: string | undefined;
+    readonly env?: Record<string, string> | undefined;
+    readonly files?: Record<string, string> | undefined;
+    readonly signal?: AbortSignal | undefined;
+    readonly stdin?: string | undefined;
+}
+export interface ExecRunner {
+    run(script: string, options?: ExecRunOptions | undefined): Promise<ExecResult>;
+}
+export interface ExecContext {
+    readonly runners: {
+        readonly real: ExecRunner;
+        readonly sandboxed?: ExecRunner | undefined;
+    };
+    resolve(trust: ExecTrust): ExecRunner;
+}
+export declare const realRunner: ExecRunner;
+export declare function backendForTrust(trust: ExecTrust): ExecBackend;
+export declare function createExecContext(options?: {
+    real?: ExecRunner | undefined;
+    sandboxed?: ExecRunner | undefined;
+} | undefined): ExecContext;
+export declare function runShell(script: string, options?: (ExecRunOptions & {
+    context?: ExecContext | undefined;
+    trust?: ExecTrust | undefined;
+}) | undefined): Promise<ExecResult>;

package/dist/ai/exec.js

@@ -0,0 +1,92 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_process_spawn_errors = require('../process/spawn/errors.js');
+const require_process_spawn_child = require('../process/spawn/child.js');
+
+//#region src/ai/exec.mts
+/**
+* @file Exec-backend seam: WHERE a shell command runs, a separate axis from
+*   WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
+*   the cheap built-in `real` runner (the host shell via lib `spawn`); a
+*   SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
+*   the small-dist lib free of a heavy sandbox dependency — the fleet's sandbox
+*   of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
+*   CI tooling and passed in, so a lib consumer that never sandboxes pays
+*   nothing. Layering: ExecRunner.run() — the injectable primitive (real |
+*   sandboxed) composed into ExecContext — { runners: { real, sandboxed? },
+*   resolve(trust) } used by runShell(script, { context, trust }) — the
+*   ergonomic entry point Pick a runner by TRUST LEVEL, never by model.
+*   `untrusted` resolves to the sandboxed runner — which a caller that hasn't
+*   injected one cannot run, so `resolve` throws a clear "provide a sandboxed
+*   runner" error rather than silently falling back to the host shell. Both
+*   runners normalize to one `ExecResult` so callers swap trust levels without
+*   reshaping result handling.
+*/
+const realRunner = { async run(script, options) {
+	const { cwd, env, signal } = {
+		__proto__: null,
+		...options
+	};
+	const spawnOptions = {
+		...cwd ? { cwd } : {},
+		...env ? { env } : {},
+		...signal ? { signal } : {},
+		stdioString: true
+	};
+	try {
+		const result = await require_process_spawn_child.spawn("bash", ["-c", script], spawnOptions);
+		return {
+			stdout: String(result.stdout ?? ""),
+			stderr: String(result.stderr ?? ""),
+			exitCode: typeof result.code === "number" ? result.code : 0
+		};
+	} catch (e) {
+		if (!require_process_spawn_errors.isSpawnError(e)) throw e;
+		return {
+			stdout: String(e.stdout ?? ""),
+			stderr: String(e.stderr ?? ""),
+			exitCode: typeof e.code === "number" ? e.code : 1
+		};
+	}
+} };
+function backendForTrust(trust) {
+	return trust === "trusted" ? "real" : "sandboxed";
+}
+function createExecContext(options) {
+	const { real = realRunner, sandboxed } = {
+		__proto__: null,
+		...options
+	};
+	const runners = {
+		real,
+		sandboxed
+	};
+	return {
+		runners,
+		resolve(trust) {
+			if (backendForTrust(trust) === "real") return runners.real;
+			if (!runners.sandboxed) throw new Error("No sandboxed exec runner provided.\n→ An `untrusted` script must run in a sandbox, not the host shell.\n→ Fix: pass a `sandboxed` runner to createExecContext() (e.g. the wheelhouse just-bash runner), or mark the script `trusted` if it is.");
+			return runners.sandboxed;
+		}
+	};
+}
+async function runShell(script, options) {
+	const { context, cwd, env, files, signal, stdin, trust = "untrusted" } = {
+		__proto__: null,
+		...options
+	};
+	return await (context ?? createExecContext()).resolve(trust).run(script, {
+		cwd,
+		env,
+		files,
+		signal,
+		stdin
+	});
+}
+
+//#endregion
+exports.backendForTrust = backendForTrust;
+exports.createExecContext = createExecContext;
+exports.realRunner = realRunner;
+exports.runShell = runShell;

package/dist/ai/http.d.mts

@@ -0,0 +1,132 @@
+/**
+ * @file OpenAI-compatible HTTP backends for AI providers that expose a
+ *   chat-completions endpoint rather than a CLI — Fireworks
+ *   (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
+ *   (`spawn.mts`) drives an interactive agent binary; this path is for a
+ *   script/hook that needs a single completion from a model without an agent
+ *   harness (the way the local OpenCode setup reaches GLM-5.1 / Kimi-K2.5). Why
+ *   a separate module from `spawn.mts`: those are different surfaces. A CLI
+ *   agent gets tools + a permission mode + a working dir; an HTTP completion
+ *   gets a prompt + a model + (optionally) a reasoning effort and returns text.
+ *   Conflating them would force every HTTP call to carry meaningless CLI
+ *   lockdown fields. Lockdown equivalent: these calls send NO tools /
+ *   function-calling surface — they're plain completions, so there's no agentic
+ *   capability to constrain. The token is read from the env var the provider
+ *   config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
+ *   inline, and never logged — same token-hygiene rule as the rest of the
+ *   fleet. A missing token throws with the exact env var to set. Wire format is
+ *   the OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which
+ *   both providers implement.
+ */
+import type { AiEffort } from './types.mts';
+/**
+ * An OpenAI-compatible HTTP provider. `id` is the slug prefix used in
+ * `provider/model` references; `baseUrl` is the chat-completions API root;
+ * `tokenEnv` names the env var holding the bearer token.
+ */
+export interface AiHttpProvider {
+    readonly id: string;
+    readonly baseUrl: string;
+    readonly tokenEnv: string;
+}
+/**
+ * Built-in OpenAI-compatible providers. Add an entry to support a new one — no
+ * other call site changes. Base URLs are the documented chat-completions
+ * roots.
+ */
+export declare const AI_HTTP_PROVIDERS: Readonly<Record<string, AiHttpProvider>>;
+/**
+ * Inputs to a single completion call.
+ *
+ * Required: `provider`, `model`, `prompt`. `effort` maps to the OpenAI
+ * `reasoning_effort` field for models that support it (left off otherwise).
+ */
+export interface AiHttpCallOptions {
+    /**
+     * Provider id (a key of AI_HTTP_PROVIDERS) or a full AiHttpProvider.
+     */
+    readonly provider: string | AiHttpProvider;
+    /**
+     * The provider's model id (e.g. `accounts/fireworks/models/glm-5p1`,
+     * `hf:moonshotai/Kimi-K2.5`).
+     */
+    readonly model: string;
+    /**
+     * The user prompt.
+     */
+    readonly prompt: string;
+    /**
+     * Optional system prompt prepended as the `system` role message.
+     */
+    readonly system?: string | undefined;
+    /**
+     * Reasoning effort (`reasoning_effort` field); omitted when absent. Only set
+     * for a model that supports it — providers ignore or reject it otherwise.
+     */
+    readonly effort?: AiEffort | undefined;
+    /**
+     * Sampling temperature; provider default when absent.
+     */
+    readonly temperature?: number | undefined;
+    /**
+     * Per-call timeout (ms).
+     */
+    readonly timeoutMs?: number | undefined;
+    /**
+     * An explicit bearer token that wins over env + keychain. When absent the
+     * token resolves via `resolveProviderCredential` (env → keychain).
+     */
+    readonly token?: string | undefined;
+    /**
+     * Skip the keychain fallback when resolving the token — env var only. Set in
+     * headless contexts (CI, hooks) where a keychain auth prompt is
+     * unacceptable.
+     */
+    readonly allowEnvOnly?: boolean | undefined;
+}
+/**
+ * Result of a completion: the assistant text plus the raw provider response for
+ * callers that need usage / finish-reason detail.
+ */
+export interface AiHttpResult {
+    readonly text: string;
+    readonly raw: OpenAiChatResponse;
+}
+/**
+ * The slice of the OpenAI chat-completions response we read.
+ */
+export interface OpenAiChatResponse {
+    readonly choices?: ReadonlyArray<{
+        message?: {
+            content?: string | undefined;
+        } | undefined;
+    }> | undefined;
+}
+/**
+ * Build the chat-completions request body. Kept pure for testing — the effort →
+ * `reasoning_effort` mapping + system-message prepend are the parts worth
+ * asserting without a network call.
+ */
+export declare function buildChatRequestBody(options: AiHttpCallOptions): string;
+/**
+ * Call an OpenAI-compatible chat-completions endpoint and return the assistant
+ * text. The bearer token is read from the provider's `tokenEnv` env var — never
+ * accepted as a parameter, never logged. Throws when the token env var is unset
+ * (naming the var to set) or when the response carries no message text.
+ *
+ * @example
+ *   ;```ts
+ *   const { text } = await callAiHttpModel({
+ *     provider: 'fireworks',
+ *     model: 'accounts/fireworks/models/glm-5p1',
+ *     prompt: 'Summarize this diff: …',
+ *     effort: 'high',
+ *   })
+ *   ```
+ */
+export declare function callAiHttpModel(options: AiHttpCallOptions): Promise<AiHttpResult>;
+/**
+ * Resolve a provider id / object to an AiHttpProvider. Throws with the known
+ * provider set when an unknown id is passed.
+ */
+export declare function resolveAiHttpProvider(provider: string | AiHttpProvider): AiHttpProvider;

package/dist/ai/http.js

@@ -0,0 +1,130 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_error = require('../primordials/error.js');
+const require_ai_credentials = require('./credentials.js');
+const require_http_request_node = require('../http-request/node.js');
+
+//#region src/ai/http.mts
+/**
+* @file OpenAI-compatible HTTP backends for AI providers that expose a
+*   chat-completions endpoint rather than a CLI — Fireworks
+*   (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
+*   (`spawn.mts`) drives an interactive agent binary; this path is for a
+*   script/hook that needs a single completion from a model without an agent
+*   harness (the way the local OpenCode setup reaches GLM-5.1 / Kimi-K2.5). Why
+*   a separate module from `spawn.mts`: those are different surfaces. A CLI
+*   agent gets tools + a permission mode + a working dir; an HTTP completion
+*   gets a prompt + a model + (optionally) a reasoning effort and returns text.
+*   Conflating them would force every HTTP call to carry meaningless CLI
+*   lockdown fields. Lockdown equivalent: these calls send NO tools /
+*   function-calling surface — they're plain completions, so there's no agentic
+*   capability to constrain. The token is read from the env var the provider
+*   config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
+*   inline, and never logged — same token-hygiene rule as the rest of the
+*   fleet. A missing token throws with the exact env var to set. Wire format is
+*   the OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which
+*   both providers implement.
+*/
+/**
+* Built-in OpenAI-compatible providers. Add an entry to support a new one — no
+* other call site changes. Base URLs are the documented chat-completions
+* roots.
+*/
+const AI_HTTP_PROVIDERS = {
+	__proto__: null,
+	fireworks: {
+		id: "fireworks",
+		baseUrl: "https://api.fireworks.ai/inference/v1",
+		tokenEnv: "FIREWORKS_API_KEY"
+	},
+	synthetic: {
+		id: "synthetic",
+		baseUrl: "https://api.synthetic.new/openai/v1",
+		tokenEnv: "SYNTHETIC_API_KEY"
+	}
+};
+/**
+* Build the chat-completions request body. Kept pure for testing — the effort →
+* `reasoning_effort` mapping + system-message prepend are the parts worth
+* asserting without a network call.
+*/
+function buildChatRequestBody(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
+	const messages = [];
+	if (options.system) messages.push({
+		content: options.system,
+		role: "system"
+	});
+	messages.push({
+		content: options.prompt,
+		role: "user"
+	});
+	const body = {
+		messages,
+		model: options.model
+	};
+	if (options.effort) body["reasoning_effort"] = options.effort;
+	if (typeof options.temperature === "number") body["temperature"] = options.temperature;
+	return JSON.stringify(body);
+}
+/**
+* Call an OpenAI-compatible chat-completions endpoint and return the assistant
+* text. The bearer token is read from the provider's `tokenEnv` env var — never
+* accepted as a parameter, never logged. Throws when the token env var is unset
+* (naming the var to set) or when the response carries no message text.
+*
+* @example
+*   ;```ts
+*   const { text } = await callAiHttpModel({
+*     provider: 'fireworks',
+*     model: 'accounts/fireworks/models/glm-5p1',
+*     prompt: 'Summarize this diff: …',
+*     effort: 'high',
+*   })
+*   ```
+*/
+async function callAiHttpModel(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
+	const provider = resolveAiHttpProvider(options.provider);
+	const token = require_ai_credentials.isCredentialProvider(provider.id) ? await require_ai_credentials.resolveProviderCredential({
+		allowEnvOnly: options.allowEnvOnly,
+		explicit: options.token,
+		provider: provider.id
+	}) : options.token ?? process.env[provider.tokenEnv];
+	if (!token) throw new require_primordials_error.ErrorCtor(`Missing API token for AI HTTP provider "${provider.id}". Set the ${provider.tokenEnv} environment variable (a bearer token) or store it in the keychain — never pass it inline.`);
+	const raw = await require_http_request_node.httpJson(`${provider.baseUrl}/chat/completions`, {
+		body: buildChatRequestBody(options),
+		headers: { Authorization: `Bearer ${token}` },
+		method: "POST",
+		...options.timeoutMs === void 0 ? {} : { timeout: options.timeoutMs }
+	});
+	const text = raw.choices?.[0]?.message?.content;
+	if (typeof text !== "string") throw new require_primordials_error.ErrorCtor(`AI HTTP provider "${provider.id}" returned no message text for model "${options.model}". The response had no choices[0].message.content — check the model id and the provider's status.`);
+	return {
+		raw,
+		text
+	};
+}
+/**
+* Resolve a provider id / object to an AiHttpProvider. Throws with the known
+* provider set when an unknown id is passed.
+*/
+function resolveAiHttpProvider(provider) {
+	if (typeof provider !== "string") return provider;
+	const found = AI_HTTP_PROVIDERS[provider];
+	if (!found) throw new require_primordials_error.ErrorCtor(`Unknown AI HTTP provider "${provider}". Known providers: ${Object.keys(AI_HTTP_PROVIDERS).join(", ")}. Pass a known id or a full AiHttpProvider { id, baseUrl, tokenEnv }.`);
+	return found;
+}
+
+//#endregion
+exports.AI_HTTP_PROVIDERS = AI_HTTP_PROVIDERS;
+exports.buildChatRequestBody = buildChatRequestBody;
+exports.callAiHttpModel = callAiHttpModel;
+exports.resolveAiHttpProvider = resolveAiHttpProvider;

package/dist/ai/profiles.d.mts

@@ -16,11 +16,20 @@
  *   - `AI_PROFILE.create` — edit AND create files. Adds MultiEdit + Write on top
  *     of `.edit`. Still no Bash. Codegen, adding a test, refactors that split
  *     modules.
- *   - `AI_PROFILE.full` — `.create` plus Bash, allowlisted to git / pnpm / node.
- *     Skills that commit, run tests, install deps. No "wide open" tier exists
- *     by design — letting an agent run arbitrary tools is the lockdown rule's
- *     exact failure mode. The ladder is read ⊂ edit ⊂ create ⊂ full: each
- *     tier's tool set is a superset of the one above.
+ *   - `AI_PROFILE.verify` — `.create` plus a READ-ONLY Bash allowlist (node /
+ *     pnpm test+run / git status·diff·log). Lets an agent author files AND run
+ *     the verifier (its own tests, a check script) — but it CANNOT mutate the
+ *     repo: no `git add`, no `git commit`, no install. For codegen that must
+ *     self-verify without being trusted to land.
+ *   - `AI_PROFILE.full` — `.verify` plus the mutating git commands (`git add` /
+ *     `git commit`) and `pnpm exec`. Skills that commit, run tests, install
+ *     deps. No "wide open" tier exists by design — letting an agent run
+ *     arbitrary tools is the lockdown rule's exact failure mode. The ladder is
+ *     read ⊂ edit ⊂ create ⊂ verify ⊂ full: each tier's tool set is a superset
+ *     of the one above. Bash allowlists are composed from the `BASH_ALLOW`
+ *     building blocks below so a caller can assemble a custom tier
+ *     (`[...BASH_ALLOW.git, ...BASH_ALLOW.test]`) without forking a profile
+ *     literal.
  */
 import type { PermissionMode } from './types.mts';
 export interface AiProfile {
@@ -29,6 +38,26 @@ export interface AiProfile {
     readonly permissionMode: PermissionMode;
     readonly tools: readonly string[];
 }
+/**
+ * Composable Bash-allowlist building blocks. Each group is a frozen list of
+ * `Bash(<cmd>:*)` glob entries; the profiles below compose tiers from them, and
+ * callers can mix their own (`allow: [...BASH_ALLOW.test, 'Bash(make:*)']`)
+ * without rewriting a whole tier's literal.
+ *
+ * - `gitRead` — non-mutating inspection (`status` / `diff` / `log`).
+ * - `gitWrite` — mutating (`add` / `commit`). The bright line between `verify`
+ *   (may NOT land) and `full` (may land).
+ * - `node` — run a `.mts` / `.js` directly (tests, check scripts, codegen).
+ * - `test` — `pnpm test` / `pnpm run <script>` (the verify surface).
+ * - `pkgExec` — `pnpm exec` (run a workspace bin); broader, full-tier only.
+ */
+export declare const BASH_ALLOW: {
+    readonly gitRead: readonly ["Bash(git status:*)", "Bash(git diff:*)", "Bash(git log:*)"];
+    readonly gitWrite: readonly ["Bash(git add:*)", "Bash(git commit:*)"];
+    readonly node: readonly ["Bash(node:*)"];
+    readonly pkgExec: readonly ["Bash(pnpm exec:*)"];
+    readonly test: readonly ["Bash(pnpm run:*)", "Bash(pnpm test:*)"];
+};
 /**
  * Capability ladder of lockdown profiles, ordered least → most capable. Key
  * order documents the ladder; each tier is a strict superset of the previous
@@ -53,8 +82,14 @@ export declare const AI_PROFILE: {
         readonly permissionMode: 'acceptEdits';
         readonly tools: readonly ["Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"];
     };
+    readonly verify: {
+        readonly allow: readonly ["Bash(git status:*)", "Bash(git diff:*)", "Bash(git log:*)", "Bash(node:*)", "Bash(pnpm run:*)", "Bash(pnpm test:*)"];
+        readonly disallow: readonly ["Agent", "WebFetch", "WebSearch"];
+        readonly permissionMode: 'acceptEdits';
+        readonly tools: readonly ["Bash", "Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"];
+    };
     readonly full: {
-        readonly allow: readonly ["Bash(git status:*)", "Bash(git diff:*)", "Bash(git log:*)", "Bash(git add:*)", "Bash(git commit:*)", "Bash(node:*)", "Bash(pnpm exec:*)", "Bash(pnpm run:*)", "Bash(pnpm test:*)"];
+        readonly allow: readonly ["Bash(git status:*)", "Bash(git diff:*)", "Bash(git log:*)", "Bash(node:*)", "Bash(pnpm run:*)", "Bash(pnpm test:*)", "Bash(git add:*)", "Bash(git commit:*)", "Bash(pnpm exec:*)"];
         readonly disallow: readonly ["Agent", "WebFetch", "WebSearch"];
         readonly permissionMode: 'acceptEdits';
         readonly tools: readonly ["Bash", "Edit", "Glob", "Grep", "MultiEdit", "Read", "Write"];

package/dist/ai/profiles.js

@@ -4,6 +4,35 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 //#region src/ai/profiles.mts
 /**
+* Composable Bash-allowlist building blocks. Each group is a frozen list of
+* `Bash(<cmd>:*)` glob entries; the profiles below compose tiers from them, and
+* callers can mix their own (`allow: [...BASH_ALLOW.test, 'Bash(make:*)']`)
+* without rewriting a whole tier's literal.
+*
+* - `gitRead` — non-mutating inspection (`status` / `diff` / `log`).
+* - `gitWrite` — mutating (`add` / `commit`). The bright line between `verify`
+*   (may NOT land) and `full` (may land).
+* - `node` — run a `.mts` / `.js` directly (tests, check scripts, codegen).
+* - `test` — `pnpm test` / `pnpm run <script>` (the verify surface).
+* - `pkgExec` — `pnpm exec` (run a workspace bin); broader, full-tier only.
+*/
+const BASH_ALLOW = {
+	gitRead: [
+		"Bash(git status:*)",
+		"Bash(git diff:*)",
+		"Bash(git log:*)"
+	],
+	gitWrite: ["Bash(git add:*)", "Bash(git commit:*)"],
+	node: ["Bash(node:*)"],
+	pkgExec: ["Bash(pnpm exec:*)"],
+	test: ["Bash(pnpm run:*)", "Bash(pnpm test:*)"]
+};
+const VERIFY_BASH_ALLOW = [
+	...BASH_ALLOW.gitRead,
+	...BASH_ALLOW.node,
+	...BASH_ALLOW.test
+];
+/**
 * Capability ladder of lockdown profiles, ordered least → most capable. Key
 * order documents the ladder; each tier is a strict superset of the previous
 * tier's tool surface.
@@ -63,17 +92,29 @@ const AI_PROFILE = {
 			"Write"
 		]
 	},
+	verify: {
+		allow: [...VERIFY_BASH_ALLOW],
+		disallow: [
+			"Agent",
+			"WebFetch",
+			"WebSearch"
+		],
+		permissionMode: "acceptEdits",
+		tools: [
+			"Bash",
+			"Edit",
+			"Glob",
+			"Grep",
+			"MultiEdit",
+			"Read",
+			"Write"
+		]
+	},
 	full: {
 		allow: [
-			"Bash(git status:*)",
-			"Bash(git diff:*)",
-			"Bash(git log:*)",
-			"Bash(git add:*)",
-			"Bash(git commit:*)",
-			"Bash(node:*)",
-			"Bash(pnpm exec:*)",
-			"Bash(pnpm run:*)",
-			"Bash(pnpm test:*)"
+			...VERIFY_BASH_ALLOW,
+			...BASH_ALLOW.gitWrite,
+			...BASH_ALLOW.pkgExec
 		],
 		disallow: [
 			"Agent",
@@ -94,4 +135,5 @@ const AI_PROFILE = {
 };
 
 //#endregion
-exports.AI_PROFILE = AI_PROFILE;
+exports.AI_PROFILE = AI_PROFILE;
+exports.BASH_ALLOW = BASH_ALLOW;