@vigil-guard/vge-cc-guard 0.9.0-beta.1

package/dist/daemon/cc-contract-probe.js

@@ -0,0 +1,138 @@
+import { execFile } from 'child_process';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+const STDERR_PREVIEW_MAX = 512;
+export const CC_CONTRACT_PROBE_UPDATED_MARKER = 'VGE_CC_GUARD_UPDATED_TOOL_OUTPUT_OK';
+const CC_CONTRACT_PROBE_RAW_MARKER = 'VGE_CC_GUARD_PROBE_RAW_OUTPUT';
+function defaultTempDir() {
+    return fs.mkdtempSync(path.join(os.tmpdir(), 'vge-cc-contract-probe-'));
+}
+function stderrPreview(value) {
+    if (!value)
+        return undefined;
+    return value.length > STDERR_PREVIEW_MAX ? value.slice(0, STDERR_PREVIEW_MAX) : value;
+}
+function errorPreview(error) {
+    if (error instanceof Error)
+        return stderrPreview(error.message);
+    return stderrPreview(String(error));
+}
+export function execFileProbeRunner(request) {
+    return new Promise((resolve) => {
+        const child = execFile(request.binaryPath, request.args, {
+            cwd: request.cwd,
+            encoding: 'utf8',
+            maxBuffer: 1024 * 1024,
+            timeout: request.timeoutMs,
+        }, (error, stdout, stderr) => {
+            const maybeError = error;
+            resolve({
+                exitCode: typeof maybeError?.code === 'number' ? maybeError.code : maybeError ? 1 : 0,
+                stdout,
+                stderr,
+                timedOut: Boolean(maybeError?.killed && maybeError.signal === 'SIGTERM'),
+            });
+        });
+        child.stdin?.end();
+    });
+}
+export function prepareClaudeCodeContractProbe(cwd) {
+    const hookScript = path.join(cwd, 'posttool-contract-hook.cjs');
+    const settingsPath = path.join(cwd, 'settings.json');
+    const hookSource = [
+        `const marker = ${JSON.stringify(CC_CONTRACT_PROBE_UPDATED_MARKER)};`,
+        'process.stdout.write(JSON.stringify({',
+        '  hookSpecificOutput: {',
+        '    hookEventName: "PostToolUse",',
+        '    updatedToolOutput: { stdout: `${marker}\\n`, stderr: "", interrupted: false, isImage: false },',
+        '  },',
+        '}));',
+        '',
+    ].join('\n');
+    fs.writeFileSync(hookScript, hookSource, { mode: 0o700 });
+    fs.writeFileSync(settingsPath, JSON.stringify({
+        hooks: {
+            PostToolUse: [
+                {
+                    matcher: 'Bash',
+                    hooks: [{ type: 'command', command: `${JSON.stringify(process.execPath)} ${JSON.stringify(hookScript)}` }],
+                },
+            ],
+        },
+    }, null, 2), { mode: 0o600 });
+    return {
+        expectedMarker: CC_CONTRACT_PROBE_UPDATED_MARKER,
+        args: [
+            '--print',
+            '--output-format=stream-json',
+            '--verbose',
+            '--include-hook-events',
+            '--no-session-persistence',
+            '--setting-sources',
+            'project',
+            '--settings',
+            settingsPath,
+            '--model',
+            'haiku',
+            '--disable-slash-commands',
+            '--tools',
+            'Bash',
+            '--allowedTools',
+            'Bash(printf *)',
+            '--permission-mode',
+            'bypassPermissions',
+            '--max-budget-usd',
+            '0.05',
+            `Use the Bash tool exactly once to run: printf '${CC_CONTRACT_PROBE_RAW_MARKER}\\n'. Do not run any other command.`,
+        ],
+    };
+}
+export async function runCcContractProbe(opts) {
+    if (!opts.binaryPath)
+        return { ok: false, reason: 'binary_missing' };
+    const makeTempDir = opts.makeTempDir ?? defaultTempDir;
+    const runProcess = opts.runProcess ?? execFileProbeRunner;
+    const cwd = makeTempDir();
+    try {
+        const plan = opts.prepareCwd?.(cwd) ?? {
+            args: opts.args ?? [],
+            expectedMarker: opts.expectedMarker ?? CC_CONTRACT_PROBE_UPDATED_MARKER,
+        };
+        const probe = await runProcess({
+            binaryPath: opts.binaryPath,
+            args: plan.args,
+            cwd,
+            timeoutMs: opts.timeoutMs,
+        });
+        if (probe.timedOut) {
+            return { ok: false, reason: 'timeout', stderrPreview: stderrPreview(probe.stderr) };
+        }
+        if (probe.exitCode !== 0) {
+            return {
+                ok: false,
+                reason: 'exit_nonzero',
+                exitCode: probe.exitCode ?? undefined,
+                stderrPreview: stderrPreview(probe.stderr),
+            };
+        }
+        if (!probe.stdout.includes(plan.expectedMarker)) {
+            return { ok: false, reason: 'shape_mismatch' };
+        }
+        return {
+            ok: true,
+            evidence: {
+                binaryPath: opts.binaryPath,
+                marker: plan.expectedMarker,
+                checkedAt: new Date().toISOString(),
+            },
+        };
+    }
+    catch (err) {
+        return { ok: false, reason: 'io_error', stderrPreview: errorPreview(err) };
+    }
+    finally {
+        fs.rmSync(cwd, { recursive: true, force: true });
+    }
+}
+//# sourceMappingURL=cc-contract-probe.js.map

package/dist/daemon/cc-contract-probe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-contract-probe.js","sourceRoot":"","sources":["../../src/daemon/cc-contract-probe.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAC/B,MAAM,CAAC,MAAM,gCAAgC,GAAG,qCAAqC,CAAC;AACtF,MAAM,4BAA4B,GAAG,+BAA+B,CAAC;AA8DrE,SAAS,cAAc;IACrB,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,KAAK,CAAC,MAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACxF,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,YAAY,KAAK;QAAE,OAAO,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAChE,OAAO,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAsC;IACxE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,IAAI,EAAE;YACvD,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI,GAAG,IAAI;YACtB,OAAO,EAAE,OAAO,CAAC,SAAS;SAC3B,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC3B,MAAM,UAAU,GAAG,KAAkC,CAAC;YACtD,OAAO,CAAC;gBACN,QAAQ,EAAE,OAAO,UAAU,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrF,MAAM;gBACN,MAAM;gBACN,QAAQ,EAAE,OAAO,CAAC,UAAU,EAAE,MAAM,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,CAAC;aACzE,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,GAAW;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG;QACjB,kBAAkB,IAAI,CAAC,SAAS,CAAC,gCAAgC,CAAC,GAAG;QACrE,uCAAuC;QACvC,yBAAyB;QACzB,mCAAmC;QACnC,oGAAoG;QACpG,MAAM;QACN,MAAM;QACN,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACb,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC;QAC5C,KAAK,EAAE;YACL,WAAW,EAAE;gBACX;oBACE,OAAO,EAAE,MAAM;oBACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;iBAC3G;aACF;SACF;KACF,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAE9B,OAAO;QACL,cAAc,EAAE,gCAAgC;QAChD,IAAI,EAAE;YACJ,SAAS;YACT,6BAA6B;YAC7B,WAAW;YACX,uBAAuB;YACvB,0BAA0B;YAC1B,mBAAmB;YACnB,SAAS;YACT,YAAY;YACZ,YAAY;YACZ,SAAS;YACT,OAAO;YACP,0BAA0B;YAC1B,SAAS;YACT,MAAM;YACN,gBAAgB;YAChB,gBAAgB;YAChB,mBAAmB;YACnB,mBAAmB;YACnB,kBAAkB;YAClB,MAAM;YACN,kDAAkD,4BAA4B,qCAAqC;SACpH;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAA4B;IACnE,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAErE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,cAAc,CAAC;IACvD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAC1D,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;IAE1B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI;YACrC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;YACrB,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,gCAAgC;SACxE,CAAC;QACF,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC;YAC7B,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG;YACH,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;QAEH,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QACtF,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,SAAS;gBACrC,aAAa,EAAE,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC;aAC3C,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;QAED,OAAO;YACL,EAAE,EAAE,IAAI;YACR,QAAQ,EAAE;gBACR,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,MAAM,EAAE,IAAI,CAAC,cAAc;gBAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;IAC7E,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}

package/dist/daemon/cc-contract-runtime.d.ts

@@ -0,0 +1,8 @@
+import { getCcContractHealth, type CcContractHealth } from './cc-contract-status.js';
+export declare function createCcContractRuntimeMonitor(readHealth?: typeof getCcContractHealth): {
+    observe: () => CcContractHealth;
+};
+export declare const ccContractRuntimeMonitor: {
+    observe: () => CcContractHealth;
+};
+//# sourceMappingURL=cc-contract-runtime.d.ts.map

package/dist/daemon/cc-contract-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-contract-runtime.d.ts","sourceRoot":"","sources":["../../src/daemon/cc-contract-runtime.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AAyBjC,wBAAgB,8BAA8B,CAAC,UAAU,6BAAsB,GAAG;IAChF,OAAO,EAAE,MAAM,gBAAgB,CAAC;CACjC,CAuBA;AAED,eAAO,MAAM,wBAAwB;aA1B1B,MAAM,gBAAgB;CA0BuC,CAAC"}

package/dist/daemon/cc-contract-runtime.js

@@ -0,0 +1,42 @@
+import { appendEvent } from '../shared/audit-writer.js';
+import { CC_BINARY_SHA_PREFIX_LEN, getCcContractHealth, } from './cc-contract-status.js';
+function availabilityFor(health) {
+    return health.l0RedactionAvailable ? 'healthy' : 'degraded';
+}
+function logContractTransition(eventType, health) {
+    appendEvent({
+        event_type: eventType,
+        reason: health.reason,
+        claude_version: health.claudeVersion,
+        binary_path: health.binaryPath,
+        binary_sha256_prefix: health.binarySha256?.slice(0, CC_BINARY_SHA_PREFIX_LEN) ?? null,
+        live_contract: health.liveContract,
+        l0_redaction_available: health.l0RedactionAvailable,
+    });
+}
+export function createCcContractRuntimeMonitor(readHealth = getCcContractHealth) {
+    let lastObserved = null;
+    return {
+        observe() {
+            const health = readHealth();
+            const availability = availabilityFor(health);
+            const observed = { availability, reason: health.reason };
+            if (!lastObserved && availability === 'degraded') {
+                logContractTransition('cc_contract_degraded', health);
+            }
+            else if (lastObserved?.availability === 'degraded' && availability === 'healthy') {
+                logContractTransition('cc_contract_recovered', health);
+            }
+            else if (lastObserved?.availability === 'healthy' && availability === 'degraded') {
+                logContractTransition('cc_contract_degraded', health);
+            }
+            else if (lastObserved?.availability === 'degraded' && availability === 'degraded' && lastObserved.reason !== health.reason) {
+                logContractTransition('cc_contract_degraded', health);
+            }
+            lastObserved = observed;
+            return health;
+        },
+    };
+}
+export const ccContractRuntimeMonitor = createCcContractRuntimeMonitor();
+//# sourceMappingURL=cc-contract-runtime.js.map

package/dist/daemon/cc-contract-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-contract-runtime.js","sourceRoot":"","sources":["../../src/daemon/cc-contract-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EACL,wBAAwB,EACxB,mBAAmB,GAEpB,MAAM,yBAAyB,CAAC;AASjC,SAAS,eAAe,CAAC,MAAwB;IAC/C,OAAO,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAAC,SAA2D,EAAE,MAAwB;IAClH,WAAW,CAAC;QACV,UAAU,EAAE,SAAS;QACrB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,cAAc,EAAE,MAAM,CAAC,aAAa;QACpC,WAAW,EAAE,MAAM,CAAC,UAAU;QAC9B,oBAAoB,EAAE,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,EAAE,wBAAwB,CAAC,IAAI,IAAI;QACrF,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,sBAAsB,EAAE,MAAM,CAAC,oBAAoB;KACpD,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,UAAU,GAAG,mBAAmB;IAG7E,IAAI,YAAY,GAA4B,IAAI,CAAC;IAEjD,OAAO;QACL,OAAO;YACL,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;YAC5B,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;YAEzD,IAAI,CAAC,YAAY,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;gBACjD,qBAAqB,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;YACxD,CAAC;iBAAM,IAAI,YAAY,EAAE,YAAY,KAAK,UAAU,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBACnF,qBAAqB,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;YACzD,CAAC;iBAAM,IAAI,YAAY,EAAE,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;gBACnF,qBAAqB,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;YACxD,CAAC;iBAAM,IAAI,YAAY,EAAE,YAAY,KAAK,UAAU,IAAI,YAAY,KAAK,UAAU,IAAI,YAAY,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;gBAC7H,qBAAqB,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;YACxD,CAAC;YAED,YAAY,GAAG,QAAQ,CAAC;YACxB,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,wBAAwB,GAAG,8BAA8B,EAAE,CAAC"}

package/dist/daemon/cc-contract-status.d.ts

@@ -0,0 +1,40 @@
+export type CcContractState = 'healthy' | 'degraded' | 'failed';
+export interface CcContractStatus {
+    status: CcContractState;
+    claudeVersion: string;
+    checkedAt: string;
+    binaryPath?: string | null;
+    binarySha256?: string | null;
+    liveContract?: 'passed' | 'skipped' | 'failed';
+    reason?: string;
+}
+export type CcContractHealthReason = 'healthy' | 'status_missing' | 'status_not_healthy' | 'version_unknown' | 'version_mismatch' | 'binary_missing' | 'binary_path_mismatch' | 'binary_sha_mismatch' | 'live_contract_not_passed' | 'dev_override';
+export type CcContractRuntimeReason = CcContractHealthReason | 'unknown';
+export declare const CC_BINARY_SHA_PREFIX_LEN = 12;
+export declare function parseCcContractHealthReason(reason: unknown): CcContractRuntimeReason;
+export declare function ccContractNextAction(reason: CcContractRuntimeReason): string;
+export interface CcContractHealth {
+    l0RedactionAvailable: boolean;
+    state: CcContractState;
+    reason: CcContractHealthReason;
+    claudeVersion: string | null;
+    binaryPath: string | null;
+    binarySha256: string | null;
+    checkedAt: string | null;
+    statusPath: string;
+    liveContract: 'passed' | 'skipped' | 'failed' | null;
+}
+export declare function ccContractStatusPath(): string;
+export declare function resolveClaudeBinary(opts?: {
+    envPath?: string;
+    platform?: NodeJS.Platform;
+}): string | null;
+export declare function getClaudeVersion(): string | null;
+export declare function readCcContractStatus(): CcContractStatus | null;
+export declare function getCcContractHealth(): CcContractHealth;
+export declare function isCcContractHealthyForCurrentVersion(): boolean;
+export declare function writeCcContractStatus(status: CcContractStatus): string;
+export declare function createCcContractStatus(opts?: {
+    assumeLivePassed?: boolean;
+}): CcContractStatus;
+//# sourceMappingURL=cc-contract-status.d.ts.map

package/dist/daemon/cc-contract-status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-contract-status.d.ts","sourceRoot":"","sources":["../../src/daemon/cc-contract-status.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;AAEhE,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,eAAe,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,YAAY,CAAC,EAAE,QAAQ,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC/C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,sBAAsB,GAC9B,SAAS,GACT,gBAAgB,GAChB,oBAAoB,GACpB,iBAAiB,GACjB,kBAAkB,GAClB,gBAAgB,GAChB,sBAAsB,GACtB,qBAAqB,GACrB,0BAA0B,GAC1B,cAAc,CAAC;AAEnB,MAAM,MAAM,uBAAuB,GAAG,sBAAsB,GAAG,SAAS,CAAC;AAEzE,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAe3C,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,OAAO,GAAG,uBAAuB,CAIpF;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,uBAAuB,GAAG,MAAM,CAU5E;AAED,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,KAAK,EAAE,eAAe,CAAC;IACvB,MAAM,EAAE,sBAAsB,CAAC;IAC/B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,IAAI,CAAC;CACtD;AAaD,wBAAgB,oBAAoB,IAAI,MAAM,CAE7C;AAcD,wBAAgB,mBAAmB,CAAC,IAAI,GAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAA;CAAO,GAAG,MAAM,GAAG,IAAI,CAe9G;AAcD,wBAAgB,gBAAgB,IAAI,MAAM,GAAG,IAAI,CAqBhD;AAED,wBAAgB,oBAAoB,IAAI,gBAAgB,GAAG,IAAI,CAM9D;AAqBD,wBAAgB,mBAAmB,IAAI,gBAAgB,CAuDtD;AAED,wBAAgB,oCAAoC,IAAI,OAAO,CAE9D;AAoBD,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAKtE;AAED,wBAAgB,sBAAsB,CAAC,IAAI,GAAE;IAAE,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAAO,GAAG,gBAAgB,CA6BlG"}

package/dist/daemon/cc-contract-status.js

@@ -0,0 +1,242 @@
+import * as crypto from 'crypto';
+import fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { execFileSync } from 'child_process';
+import { writePrivateFileSync } from '../shared/private-file.js';
+export const CC_BINARY_SHA_PREFIX_LEN = 12;
+const CC_CONTRACT_HEALTH_REASONS = new Set([
+    'healthy',
+    'status_missing',
+    'status_not_healthy',
+    'version_unknown',
+    'version_mismatch',
+    'binary_missing',
+    'binary_path_mismatch',
+    'binary_sha_mismatch',
+    'live_contract_not_passed',
+    'dev_override',
+]);
+export function parseCcContractHealthReason(reason) {
+    return typeof reason === 'string' && CC_CONTRACT_HEALTH_REASONS.has(reason)
+        ? reason
+        : 'unknown';
+}
+export function ccContractNextAction(reason) {
+    if (reason === 'healthy')
+        return 'No action needed.';
+    if (reason === 'dev_override')
+        return 'Development override is active; do not use for production trust.';
+    if (reason === 'version_unknown' || reason === 'binary_missing') {
+        return 'Ensure Claude Code is installed and on PATH.';
+    }
+    if (reason === 'binary_path_mismatch' || reason === 'binary_sha_mismatch' || reason === 'version_mismatch') {
+        return 'Run doctor --cc-contract after verifying this Claude Code binary.';
+    }
+    return 'Run doctor --cc-contract after live contract verification.';
+}
+const CLAUDE_VERSION_CACHE_TTL_MS = 60_000;
+let cachedClaudeVersion;
+let cachedClaudeFingerprint;
+function configDir() {
+    return process.env['VGE_CC_GUARD_CONFIG_DIR'] ?? path.join(os.homedir(), '.vge-cc-guard');
+}
+export function ccContractStatusPath() {
+    return path.join(configDir(), 'cc-contract-status.json');
+}
+function isExecutable(filePath, platform = process.platform) {
+    try {
+        const stat = fs.statSync(filePath);
+        if (!stat.isFile())
+            return false;
+        if (platform === 'win32')
+            return true;
+        fs.accessSync(filePath, fs.constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function resolveClaudeBinary(opts = {}) {
+    const envPath = opts.envPath ?? process.env['PATH'] ?? '';
+    const platform = opts.platform ?? process.platform;
+    for (const dir of envPath.split(path.delimiter)) {
+        if (!dir)
+            continue;
+        const candidate = path.join(dir, 'claude');
+        // PRD_10 owns Windows PATHEXT and claude.exe activation.
+        if (!isExecutable(candidate, platform))
+            continue;
+        try {
+            return fs.realpathSync(candidate);
+        }
+        catch {
+            return candidate;
+        }
+    }
+    return null;
+}
+function readClaudeVersionFromBinary(binaryPath) {
+    try {
+        return execFileSync(binaryPath, ['--version'], {
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            timeout: 1500,
+        }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+export function getClaudeVersion() {
+    if (cachedClaudeVersion && cachedClaudeVersion.expiresAt > Date.now()) {
+        return cachedClaudeVersion.value;
+    }
+    const override = process.env['VGE_CC_GUARD_CC_VERSION_OVERRIDE'];
+    if (override) {
+        cachedClaudeVersion = { value: override, expiresAt: Date.now() + CLAUDE_VERSION_CACHE_TTL_MS };
+        return override;
+    }
+    const binaryPath = resolveClaudeBinary();
+    if (!binaryPath) {
+        cachedClaudeVersion = { value: null, expiresAt: Date.now() + CLAUDE_VERSION_CACHE_TTL_MS };
+        return null;
+    }
+    const value = readClaudeVersionFromBinary(binaryPath);
+    if (value) {
+        cachedClaudeVersion = { value, expiresAt: Date.now() + CLAUDE_VERSION_CACHE_TTL_MS };
+        return value;
+    }
+    cachedClaudeVersion = { value: null, expiresAt: Date.now() + CLAUDE_VERSION_CACHE_TTL_MS };
+    return null;
+}
+export function readCcContractStatus() {
+    try {
+        return JSON.parse(fs.readFileSync(ccContractStatusPath(), 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+function degradedHealth(params) {
+    return {
+        l0RedactionAvailable: false,
+        state: params.status?.status === 'failed' ? 'failed' : 'degraded',
+        reason: params.reason,
+        claudeVersion: params.claudeVersion,
+        binaryPath: params.fingerprint?.path ?? null,
+        binarySha256: params.fingerprint?.sha256 ?? null,
+        checkedAt: params.status?.checkedAt ?? null,
+        statusPath: ccContractStatusPath(),
+        liveContract: params.status?.liveContract ?? null,
+    };
+}
+export function getCcContractHealth() {
+    const status = readCcContractStatus();
+    const currentVersion = getClaudeVersion();
+    const fingerprint = getCachedClaudeFingerprint();
+    if (process.env['VGE_CC_GUARD_L0_DEV_OVERRIDE'] === '1') {
+        return {
+            l0RedactionAvailable: true,
+            state: 'healthy',
+            reason: 'dev_override',
+            claudeVersion: currentVersion,
+            binaryPath: fingerprint?.path ?? null,
+            binarySha256: fingerprint?.sha256 ?? null,
+            checkedAt: status?.checkedAt ?? null,
+            statusPath: ccContractStatusPath(),
+            liveContract: status?.liveContract ?? null,
+        };
+    }
+    if (!status)
+        return degradedHealth({ reason: 'status_missing', status, claudeVersion: currentVersion, fingerprint });
+    if (status.status !== 'healthy') {
+        return degradedHealth({ reason: 'status_not_healthy', status, claudeVersion: currentVersion, fingerprint });
+    }
+    if (currentVersion === null) {
+        return degradedHealth({ reason: 'version_unknown', status, claudeVersion: currentVersion, fingerprint });
+    }
+    if (status.claudeVersion !== currentVersion) {
+        return degradedHealth({ reason: 'version_mismatch', status, claudeVersion: currentVersion, fingerprint });
+    }
+    if (status.binaryPath || status.binarySha256) {
+        if (!fingerprint)
+            return degradedHealth({ reason: 'binary_missing', status, claudeVersion: currentVersion, fingerprint });
+        if (status.binaryPath !== fingerprint.path) {
+            return degradedHealth({ reason: 'binary_path_mismatch', status, claudeVersion: currentVersion, fingerprint });
+        }
+        if (status.binarySha256 && status.binarySha256 !== fingerprint.sha256) {
+            return degradedHealth({ reason: 'binary_sha_mismatch', status, claudeVersion: currentVersion, fingerprint });
+        }
+    }
+    if (status.liveContract !== 'passed') {
+        return degradedHealth({ reason: 'live_contract_not_passed', status, claudeVersion: currentVersion, fingerprint });
+    }
+    return {
+        l0RedactionAvailable: true,
+        state: 'healthy',
+        reason: 'healthy',
+        claudeVersion: currentVersion,
+        binaryPath: fingerprint?.path ?? null,
+        binarySha256: fingerprint?.sha256 ?? null,
+        checkedAt: status.checkedAt,
+        statusPath: ccContractStatusPath(),
+        liveContract: status.liveContract,
+    };
+}
+export function isCcContractHealthyForCurrentVersion() {
+    return getCcContractHealth().l0RedactionAvailable;
+}
+function sha256(filePath) {
+    try {
+        return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
+    }
+    catch {
+        return null;
+    }
+}
+function getCachedClaudeFingerprint() {
+    if (cachedClaudeFingerprint && cachedClaudeFingerprint.expiresAt > Date.now()) {
+        return cachedClaudeFingerprint.value;
+    }
+    const binaryPath = resolveClaudeBinary();
+    const value = binaryPath ? { path: binaryPath, sha256: sha256(binaryPath) } : null;
+    cachedClaudeFingerprint = { value, expiresAt: Date.now() + CLAUDE_VERSION_CACHE_TTL_MS };
+    return value;
+}
+export function writeCcContractStatus(status) {
+    const target = ccContractStatusPath();
+    fs.mkdirSync(path.dirname(target), { recursive: true });
+    writePrivateFileSync(target, JSON.stringify(status, null, 2));
+    return target;
+}
+export function createCcContractStatus(opts = {}) {
+    const binaryPath = resolveClaudeBinary();
+    const claudeVersion = process.env['VGE_CC_GUARD_CC_VERSION_OVERRIDE']
+        ?? (binaryPath ? readClaudeVersionFromBinary(binaryPath) : null);
+    if (!claudeVersion) {
+        return {
+            status: 'failed',
+            claudeVersion: 'unknown',
+            checkedAt: new Date().toISOString(),
+            binaryPath,
+            binarySha256: binaryPath ? sha256(binaryPath) : null,
+            liveContract: 'failed',
+            reason: 'claude binary not found',
+        };
+    }
+    const liveContract = opts.assumeLivePassed ? 'passed' : 'skipped';
+    return {
+        status: liveContract === 'passed' ? 'healthy' : 'degraded',
+        claudeVersion,
+        checkedAt: new Date().toISOString(),
+        binaryPath,
+        binarySha256: binaryPath ? sha256(binaryPath) : null,
+        liveContract,
+        reason: liveContract === 'passed'
+            ? 'live contract marked passed by explicit doctor flag'
+            : 'live contract was not run',
+    };
+}
+//# sourceMappingURL=cc-contract-status.js.map

package/dist/daemon/cc-contract-status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-contract-status.js","sourceRoot":"","sources":["../../src/daemon/cc-contract-status.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AA4BjE,MAAM,CAAC,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAE3C,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAS;IACjD,SAAS;IACT,gBAAgB;IAChB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,gBAAgB;IAChB,sBAAsB;IACtB,qBAAqB;IACrB,0BAA0B;IAC1B,cAAc;CACf,CAAC,CAAC;AAEH,MAAM,UAAU,2BAA2B,CAAC,MAAe;IACzD,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC;QACzE,CAAC,CAAC,MAAgC;QAClC,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAA+B;IAClE,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,mBAAmB,CAAC;IACrD,IAAI,MAAM,KAAK,cAAc;QAAE,OAAO,kEAAkE,CAAC;IACzG,IAAI,MAAM,KAAK,iBAAiB,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;QAChE,OAAO,8CAA8C,CAAC;IACxD,CAAC;IACD,IAAI,MAAM,KAAK,sBAAsB,IAAI,MAAM,KAAK,qBAAqB,IAAI,MAAM,KAAK,kBAAkB,EAAE,CAAC;QAC3G,OAAO,mEAAmE,CAAC;IAC7E,CAAC;IACD,OAAO,4DAA4D,CAAC;AACtE,CAAC;AAcD,MAAM,2BAA2B,GAAG,MAAM,CAAC;AAE3C,IAAI,mBAA4E,CAAC;AACjF,IAAI,uBAES,CAAC;AAEd,SAAS,SAAS;IAChB,OAAO,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,eAAe,CAAC,CAAC;AAC5F,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,yBAAyB,CAAC,CAAC;AAC3D,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,QAAQ,GAAG,OAAO,CAAC,QAAQ;IACjE,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAAE,OAAO,KAAK,CAAC;QACjC,IAAI,QAAQ,KAAK,OAAO;YAAE,OAAO,IAAI,CAAC;QACtC,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAyD,EAAE;IAC7F,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC3C,yDAAyD;QACzD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,QAAQ,CAAC;YAAE,SAAS;QACjD,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,2BAA2B,CAAC,UAAkB;IACrD,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,UAAU,EAAE,CAAC,WAAW,CAAC,EAAE;YAC7C,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;YACnC,OAAO,EAAE,IAAI;SACd,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,IAAI,mBAAmB,IAAI,mBAAmB,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACtE,OAAO,mBAAmB,CAAC,KAAK,CAAC;IACnC,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IACjE,IAAI,QAAQ,EAAE,CAAC;QACb,mBAAmB,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,2BAA2B,EAAE,CAAC;QAC/F,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,UAAU,GAAG,mBAAmB,EAAE,CAAC;IACzC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,mBAAmB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,2BAA2B,EAAE,CAAC;QAC3F,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,KAAK,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAC;IACtD,IAAI,KAAK,EAAE,CAAC;QACV,mBAAmB,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,2BAA2B,EAAE,CAAC;QACrF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,mBAAmB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,2BAA2B,EAAE,CAAC;IAC3F,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,oBAAoB,EAAE,EAAE,OAAO,CAAC,CAAqB,CAAC;IAC1F,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,MAKvB;IACC,OAAO;QACL,oBAAoB,EAAE,KAAK;QAC3B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU;QACjE,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,IAAI;QAC5C,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,IAAI,IAAI;QAChD,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,IAAI,IAAI;QAC3C,UAAU,EAAE,oBAAoB,EAAE;QAClC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,IAAI,IAAI;KAClD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,gBAAgB,EAAE,CAAC;IAC1C,MAAM,WAAW,GAAG,0BAA0B,EAAE,CAAC;IAEjD,IAAI,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,KAAK,GAAG,EAAE,CAAC;QACxD,OAAO;YACL,oBAAoB,EAAE,IAAI;YAC1B,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,cAAc;YACtB,aAAa,EAAE,cAAc;YAC7B,UAAU,EAAE,WAAW,EAAE,IAAI,IAAI,IAAI;YACrC,YAAY,EAAE,WAAW,EAAE,MAAM,IAAI,IAAI;YACzC,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,IAAI;YACpC,UAAU,EAAE,oBAAoB,EAAE;YAClC,YAAY,EAAE,MAAM,EAAE,YAAY,IAAI,IAAI;SAC3C,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;IACrH,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;IAC9G,CAAC;IACD,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;IAC3G,CAAC;IACD,IAAI,MAAM,CAAC,aAAa,KAAK,cAAc,EAAE,CAAC;QAC5C,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;IAC5G,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QAC7C,IAAI,CAAC,WAAW;YAAE,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;QAC1H,IAAI,MAAM,CAAC,UAAU,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC;YAC3C,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;QAChH,CAAC;QACD,IAAI,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;YACtE,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,qBAAqB,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;QAC/G,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QACrC,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,0BAA0B,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;IACpH,CAAC;IAED,OAAO;QACL,oBAAoB,EAAE,IAAI;QAC1B,KAAK,EAAE,SAAS;QAChB,MAAM,EAAE,SAAS;QACjB,aAAa,EAAE,cAAc;QAC7B,UAAU,EAAE,WAAW,EAAE,IAAI,IAAI,IAAI;QACrC,YAAY,EAAE,WAAW,EAAE,MAAM,IAAI,IAAI;QACzC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,UAAU,EAAE,oBAAoB,EAAE;QAClC,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oCAAoC;IAClD,OAAO,mBAAmB,EAAE,CAAC,oBAAoB,CAAC;AACpD,CAAC;AAED,SAAS,MAAM,CAAC,QAAgB;IAC9B,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,0BAA0B;IACjC,IAAI,uBAAuB,IAAI,uBAAuB,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC9E,OAAO,uBAAuB,CAAC,KAAK,CAAC;IACvC,CAAC;IACD,MAAM,UAAU,GAAG,mBAAmB,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACnF,uBAAuB,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,2BAA2B,EAAE,CAAC;IACzF,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAAwB;IAC5D,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAC;IACtC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,oBAAoB,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAuC,EAAE;IAC9E,MAAM,UAAU,GAAG,mBAAmB,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC;WAChE,CAAC,UAAU,CAAC,CAAC,CAAC,2BAA2B,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnE,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,aAAa,EAAE,SAAS;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU;YACV,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI;YACpD,YAAY,EAAE,QAAQ;YACtB,MAAM,EAAE,yBAAyB;SAClC,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAClE,OAAO;QACL,MAAM,EAAE,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU;QAC1D,aAAa;QACb,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU;QACV,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI;QACpD,YAAY;QACZ,MAAM,EACJ,YAAY,KAAK,QAAQ;YACvB,CAAC,CAAC,qDAAqD;YACvD,CAAC,CAAC,2BAA2B;KAClC,CAAC;AACJ,CAAC"}

package/dist/daemon/confidence-router.d.ts

@@ -0,0 +1,3 @@
+import type { RouterOutcome, GuardResponseSubset } from '../shared/types.js';
+export declare function routeResponse(response: GuardResponseSubset): RouterOutcome;
+//# sourceMappingURL=confidence-router.d.ts.map

package/dist/daemon/confidence-router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confidence-router.d.ts","sourceRoot":"","sources":["../../src/daemon/confidence-router.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAS7E,wBAAgB,aAAa,CAAC,QAAQ,EAAE,mBAAmB,GAAG,aAAa,CAoB1E"}

package/dist/daemon/confidence-router.js

@@ -0,0 +1,34 @@
+import { isVgeAnalysisUnavailable } from './blocking-decision-triggers.js';
+const BRANCH_THRESHOLDS = {
+    heuristics: 50,
+    semantic: 50,
+    llmGuard: 55,
+};
+export function routeResponse(response) {
+    // Step 1: VGE policy pre-check (exact order per PRD §7.7)
+    if (isVgeAnalysisUnavailable(response))
+        return 'SOFT_TAINT';
+    if (response.ruleAction === 'BLOCK')
+        return 'ESCALATE';
+    if (response.decision === 'BLOCKED')
+        return 'ESCALATE';
+    if (response.arbiterSignal === 'BLOCK')
+        return 'ESCALATE';
+    // Step 2: Count agreed branches
+    const agreedBranches = [
+        (response.branches.heuristics?.score ?? 0) >= BRANCH_THRESHOLDS.heuristics,
+        (response.branches.semantic?.score ?? 0) >= BRANCH_THRESHOLDS.semantic,
+        (response.branches.llmGuard?.score ?? 0) >= BRANCH_THRESHOLDS.llmGuard,
+    ].filter(Boolean).length;
+    // Step 3: Route
+    if (agreedBranches >= 2)
+        return 'ESCALATE';
+    if (agreedBranches === 1 && response.score >= 90)
+        return 'ESCALATE';
+    if (agreedBranches === 1 && response.score >= 55)
+        return 'ESCALATE';
+    if (agreedBranches === 1)
+        return 'SOFT_TAINT';
+    return 'ALLOW';
+}
+//# sourceMappingURL=confidence-router.js.map

package/dist/daemon/confidence-router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"confidence-router.js","sourceRoot":"","sources":["../../src/daemon/confidence-router.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAE3E,MAAM,iBAAiB,GAAG;IACxB,UAAU,EAAE,EAAE;IACd,QAAQ,EAAE,EAAE;IACZ,QAAQ,EAAE,EAAE;CACJ,CAAC;AAEX,MAAM,UAAU,aAAa,CAAC,QAA6B;IACzD,0DAA0D;IAC1D,IAAI,wBAAwB,CAAC,QAAQ,CAAC;QAAE,OAAO,YAAY,CAAC;IAC5D,IAAI,QAAQ,CAAC,UAAU,KAAK,OAAO;QAAE,OAAO,UAAU,CAAC;IACvD,IAAI,QAAQ,CAAC,QAAQ,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IACvD,IAAI,QAAQ,CAAC,aAAa,KAAK,OAAO;QAAE,OAAO,UAAU,CAAC;IAE1D,gCAAgC;IAChC,MAAM,cAAc,GAAG;QACrB,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,EAAE,KAAK,IAAI,CAAC,CAAC,IAAI,iBAAiB,CAAC,UAAU;QAC1E,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,IAAI,CAAC,CAAC,IAAI,iBAAiB,CAAC,QAAQ;QACtE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,IAAI,CAAC,CAAC,IAAI,iBAAiB,CAAC,QAAQ;KACvE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAEzB,gBAAgB;IAChB,IAAI,cAAc,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IAC3C,IAAI,cAAc,KAAK,CAAC,IAAI,QAAQ,CAAC,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACpE,IAAI,cAAc,KAAK,CAAC,IAAI,QAAQ,CAAC,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACpE,IAAI,cAAc,KAAK,CAAC;QAAE,OAAO,YAAY,CAAC;IAC9C,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/daemon/conversation-context.d.ts

@@ -0,0 +1,28 @@
+import type { ConversationMessage } from '../shared/types.js';
+export interface FreshAttachment {
+    content: string;
+    contentBytes: number;
+    contentChars: number;
+    contentHash: string;
+    displayPath: string;
+    endOffset: number;
+    filePath: string;
+    offset: number;
+    recordFingerprint: string;
+    resourceId: string;
+    transcriptPath: string;
+}
+export interface FreshAttachmentExtraction {
+    attachments: FreshAttachment[];
+    cursorReset: boolean;
+    nextOffset: number;
+}
+export declare function normalizeConversation(messages: ConversationMessage[]): ConversationMessage[];
+export declare function buildConversationFromTranscript(transcriptPath: unknown): ConversationMessage[];
+export declare function extractFreshAttachments(params: {
+    transcriptPath: unknown;
+    sessionId: string;
+    cursorOffset: number;
+    seenFingerprints: Set<string>;
+}): FreshAttachmentExtraction;
+//# sourceMappingURL=conversation-context.d.ts.map

package/dist/daemon/conversation-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"conversation-context.d.ts","sourceRoot":"","sources":["../../src/daemon/conversation-context.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAa9D,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,WAAW,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAuKD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,GAAG,mBAAmB,EAAE,CAqB5F;AAED,wBAAgB,+BAA+B,CAAC,cAAc,EAAE,OAAO,GAAG,mBAAmB,EAAE,CAc9F;AAED,wBAAgB,uBAAuB,CAAC,MAAM,EAAE;IAC9C,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC/B,GAAG,yBAAyB,CAyD5B"}