@vyuhlabs/dxkit 2.13.2 → 2.14.0
- package/CHANGELOG.md +90 -0
- package/README.md +14 -5
- package/dist/analyzers/cache.d.ts +9 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +27 -15
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/health.d.ts +19 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +72 -26
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +9 -0
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tests/types.js +34 -0
- package/dist/analyzers/tests/types.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +2 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +38 -24
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +15 -1
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +49 -3
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/baseline/changed-files.d.ts +12 -0
- package/dist/baseline/changed-files.d.ts.map +1 -0
- package/dist/baseline/changed-files.js +100 -0
- package/dist/baseline/changed-files.js.map +1 -0
- package/dist/baseline/check.d.ts +23 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +24 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +10 -0
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +19 -15
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/gather-scope.d.ts +116 -0
- package/dist/baseline/gather-scope.d.ts.map +1 -0
- package/dist/baseline/gather-scope.js +105 -0
- package/dist/baseline/gather-scope.js.map +1 -0
- package/dist/baseline/ref-baseline.d.ts +14 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -1
- package/dist/baseline/ref-baseline.js +97 -2
- package/dist/baseline/ref-baseline.js.map +1 -1
- package/dist/baseline/scoped-inputs.d.ts +21 -0
- package/dist/baseline/scoped-inputs.d.ts.map +1 -0
- package/dist/baseline/scoped-inputs.js +53 -0
- package/dist/baseline/scoped-inputs.js.map +1 -0
- package/dist/loop/doctor.d.ts.map +1 -1
- package/dist/loop/doctor.js +16 -0
- package/dist/loop/doctor.js.map +1 -1
- package/dist/loop/gate-cache.d.ts +42 -0
- package/dist/loop/gate-cache.d.ts.map +1 -0
- package/dist/loop/gate-cache.js +167 -0
- package/dist/loop/gate-cache.js.map +1 -0
- package/dist/loop/ledger.d.ts +7 -0
- package/dist/loop/ledger.d.ts.map +1 -1
- package/dist/loop/ledger.js.map +1 -1
- package/dist/loop/scaffold.d.ts +9 -0
- package/dist/loop/scaffold.d.ts.map +1 -1
- package/dist/loop/scaffold.js +23 -6
- package/dist/loop/scaffold.js.map +1 -1
- package/dist/loop/stop-gate.d.ts +10 -0
- package/dist/loop/stop-gate.d.ts.map +1 -1
- package/dist/loop/stop-gate.js +74 -1
- package/dist/loop/stop-gate.js.map +1 -1
- package/package.json +1 -1
- package/templates/.github/workflows/dxkit-guardrails.yml +12 -1
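--- a/package/dist/loop/doctor.js
+++ b/package/dist/loop/doctor.js
@@ -56,6 +56,7 @@ const child_process_1 = require("child_process");
 const modes_1 = require("../baseline/modes");
 const policy_1 = require("./policy");
 const ledger_1 = require("./ledger");
+const gate_cache_1 = require("./gate-cache");
 const self_invocation_1 = require("../self-invocation");
 const logger = __importStar(require("../logger"));
 function isGitRepo(cwd) {
@@ -240,6 +241,21 @@ function buildLoopDoctorReport(cwd) {
 ? 'blocks net-new secrets + crit/high security + reachable dep-vulns; test-gap + quality warn only'
 : 'blocks every net-new finding incl. test-gap + quality (can drive open-ended repair)',
 });
+// 4b. Loop-scoped activation — informational. The Stop-gate no-ops on
+// interactive turns and runs only for unattended loops, so an operator
+// should not assume an interactive session is gated. It auto-activates when
+// Claude Code reports `permission_mode=bypassPermissions` (a headless run),
+// or when forced via `DXKIT_LOOP_ACTIVE=1` / a `.dxkit/loop/active` sentinel.
+const forcedActive = (0, gate_cache_1.loopGateActive)(cwd);
+checks.push({
+label: 'gate activation: loop-scoped',
+status: 'pass',
+detail: forcedActive
+? `forced active here (${process.env.DXKIT_LOOP_ACTIVE === '1'
+? 'DXKIT_LOOP_ACTIVE=1'
+: '.dxkit/loop/active sentinel'}); unattended runs also auto-activate via permission_mode=bypassPermissions`
+: 'interactive turns no-op; unattended runs auto-activate (permission_mode=bypassPermissions). For a hard guarantee, set DXKIT_LOOP_ACTIVE=1 or touch .dxkit/loop/active',
+});
 // 5. Postflight test command — optional. When unset the gate skips the
 // post-pass test run; that is a real reduction in coverage, so warn.
 const testCmd = process.env.DXKIT_LOOP_TEST_COMMAND;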
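Review bot: The new `gate activation: loop-scoped` check sets `status: 'pass'` on both branches, so the doctor report looks the same whether the gate is forced active or depends on `permission_mode` arriving on the hook payload, which the gate-cache doc comment in this release says is not guaranteed on every event. If the check type accepts a warning status, as the step 5 comment ("so warn") suggests, `status: forcedActive ? 'pass' : 'warn',` would surface the weaker configuration to an operator who only scans statuses. The detail strings also hard-code `.dxkit/loop/active` while `loopGateActive` builds the path from `LEDGER_DIR`, so the message can drift from the real sentinel location. `buildLoopDoctorReport` starts and ends outside this hunk.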
package/dist/loop/doctor.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/loop/doctor.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/loop/doctor.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkIA,sDAgMC;AAOD,sCA0BC;AAnWD;;;;;;;;;;;;;;GAcG;AACH,uCAAyB;AACzB,2CAA6B;AAC7B,iDAA6C;AAC7C,6CAAwD;AACxD,qCAA6C;AAC7C,qCAAuC;AACvC,6CAA8C;AAC9C,wDAA+D;AAC/D,kDAAoC;AA+BpC,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,CAAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,uBAAuB,CAAC,EAAE;YAC1D,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,GAAW;IAC3C,IAAI,CAAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,GAAG,WAAW,CAAC,EAAE;YAC3E,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAE5B,CAAC;QACF,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;YAC7C,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;gBAClC,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;oBAAE,OAAO,CAAC,CAAC,OAAO,CAAC;YAC5F,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,GAAW,EAAE,OAAe;IACpD,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACpE,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAChE,OAAO,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;YAC1B,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,gBAAgB,GAAG,EAAE,EAAE;YAC1C,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,GAAG,6BAA6B,EAAE,CAAC;IAC9D,CAAC;IACD,MAAM,GAAG,GAAG,IAA
A,iCAAe,EAAC,GAAG,CAAC,CAAC;IACjC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,GAAG,EAAE,GAAG,CAAC,EAAE;YACT,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,OAAO;gBACnB,CAAC,CAAC,iCAAiC;gBACnC,CAAC,CAAC,gBAAgB;YACpB,CAAC,CAAC,eAAe;KACpB,CAAC;AACJ,CAAC;AAED,mEAAmE;AACnE,SAAgB,qBAAqB,CAAC,GAAW;IAC/C,MAAM,MAAM,GAAgB,EAAE,CAAC;IAC/B,MAAM,MAAM,GAAG,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;IAEtC,oEAAoE;IACpE,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC3B,MAAM,CAAC,IAAI,CAAC;QACV,KAAK,EAAE,gBAAgB;QACvB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,sBAAsB;QAC/D,GAAG,CAAC,GAAG;YACL,CAAC,CAAC,EAAE;YACJ,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,4CAA4C,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;KAC1F,CAAC,CAAC;IAEH,kEAAkE;IAClE,kEAAkE;IAClE,qEAAqE;IACrE,MAAM,IAAI,GAAG,IAAA,2BAAmB,EAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,aAAa,CAAC;QACtC,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,wBAAwB,GAAG,GAAG;YACrC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAC5B,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,kBAAkB,GAAG,mBAAmB;YACjF,GAAG,CAAC,EAAE;gBACJ,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,GAAG,EAAE;wBACH,IAAI,EAAE,kHAAkH;wBACxH,OAAO,EAAE,kBAAkB;wBAC3B,KAAK,EAAE,cAAc;qBACtB;iBACF,CAAC;SACP,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;QACxE,MAAM,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,+CAA+C,IAAI,CAAC,IAAI,GAAG;YAClE,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAC5B,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,uBAAuB;YACnE,GAAG,CAAC,EAAE;gBACJ,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,GAAG,EAAE;wBACH,IAAI,EAAE,0GAA0G;wBAChH,OAAO,EAAE,IAAA,0BAAQ,EAAC,iBAAiB,CAAC;wBACpC,KAAK,EAAE,YAAY;qBACpB;iBACF,CAAC;SACP,CAAC,CAAC;IACL,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,qBAA
qB;IACrB,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC;IACvB,MAAM,CAAC,IAAI,CAAC;QACV,KAAK,EAAE,2BAA2B;QAClC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC9B,MAAM,EAAE,IAAI;YACV,CAAC,CAAC,qDAAqD,OAAO,KAAK;YACnE,CAAC,CAAC,iEAAiE;QACrE,GAAG,CAAC,IAAI;YACN,CAAC,CAAC,EAAE;YACJ,CAAC,CAAC;gBACE,GAAG,EAAE;oBACH,IAAI,EAAE,sGAAsG;oBAC5G,OAAO,EAAE,IAAA,0BAAQ,EAAC,oBAAoB,CAAC;oBACvC,KAAK,EAAE,YAAY;iBACpB;aACF,CAAC;KACP,CAAC,CAAC;IAEH,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,6BAA6B;IAC7B,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,2BAA2B;YAClC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAChC,MAAM,EAAE,GAAG,CAAC,EAAE;gBACZ,CAAC,CAAC,8BAA8B,GAAG,CAAC,GAAG,gBAAgB;gBACvD,CAAC,CAAC,sCAAsC,GAAG,CAAC,GAAG,iCAAiC;YAClF,GAAG,CAAC,GAAG,CAAC,EAAE;gBACR,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,GAAG,EAAE;wBACH,IAAI,EAAE,+IAA+I;wBACrJ,OAAO,EAAE,wCAAwC;wBACjD,KAAK,EAAE,YAAY;qBACpB;iBACF,CAAC;SACP,CAAC,CAAC;IACL,CAAC;IAED,wEAAwE;IACxE,mEAAmE;IACnE,MAAM,CAAC,IAAI,CAAC;QACV,KAAK,EAAE,gBAAgB,MAAM,EAAE;QAC/B,MAAM,EAAE,MAAM;QACd,MAAM,EACJ,MAAM,KAAK,eAAe;YACxB,CAAC,CAAC,iGAAiG;YACnG,CAAC,CAAC,qFAAqF;KAC5F,CAAC,CAAC;IAEH,sEAAsE;IACtE,uEAAuE;IACvE,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,YAAY,GAAG,IAAA,2BAAc,EAAC,GAAG,CAAC,CAAC;IACzC,MAAM,CAAC,IAAI,CAAC;QACV,KAAK,EAAE,8BAA8B;QACrC,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,YAAY;YAClB,CAAC,CAAC,uBACE,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,GAAG;gBACnC,CAAC,CAAC,qBAAqB;gBACvB,CAAC,CAAC,6BACN,6EAA6E;YAC/E,CAAC,CAAC,uKAAuK;KAC5K,CAAC,CAAC;IAEH,uEAAuE;IACvE,qEAAqE;IACrE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IACpD,MAAM,CAAC,IAAI,CAAC;QACV,KAAK,EAAE,yBAAyB;QAChC,MAAM,EAAE,OAAO,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QACnD,MAAM,EACJ,OAAO,IAAI,OAAO,CAAC,IAAI,EAAE;YACvB,CAAC,CAAC,gCAAgC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;YAChE,CAAC,CAAC,wFAAwF;QAC9F,GAAG,CAAC,O
AAO,IAAI,OAAO,CAAC,IAAI,EAAE;YAC3B,CAAC,CAAC,EAAE;YACJ,CAAC,CAAC;gBACE,GAAG,EAAE;oBACH,IAAI,EAAE,uGAAuG;iBAC9G;aACF,CAAC;KACP,CAAC,CAAC;IAEH,kEAAkE;IAClE,sEAAsE;IACtE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;IACpE,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,sBAAsB;YAC7B,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAC/B,MAAM,EAAE,KAAK;gBACX,CAAC,CAAC,0CAA0C;gBAC5C,CAAC,CAAC,wEAAwE;YAC5E,GAAG,CAAC,KAAK;gBACP,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,GAAG,EAAE;wBACH,IAAI,EAAE,wEAAwE;wBAC9E,OAAO,EAAE,IAAA,0BAAQ,EAAC,eAAe,CAAC;wBAClC,KAAK,EAAE,eAAe;qBACvB;iBACF,CAAC;SACP,CAAC,CAAC;IACL,CAAC;IAED,MAAM,YAAY,GAAG,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,oBAAW,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,IAAI,CAAC;QACV,KAAK,EAAE,aAAa;QACpB,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,YAAY;YAClB,CAAC,CAAC,wBAAwB,oBAAW,GAAG;YACxC,CAAC,CAAC,iDAAiD;KACtD,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IACpD,OAAO;QACL,MAAM,EAAE,gBAAgB;QACxB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,GAAG;QACH,MAAM;QACN,MAAM;QACN,EAAE;KACH,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,OAA2B,EAAE;IAC5E,MAAM,MAAM,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;IAE1C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;QACxC,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM;YAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;aACzC,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM;YAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;;YAC3C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,IAAI,CAAC,CAAC
,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YAChC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO;gBAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU;IAC3B,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,CAAC,OAAO,CAAC,iDAAiD,CAAC,CAAC;IACpE,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,wEAAwE,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,yEAAyE;AACzE,SAAS,UAAU,CAAC,GAAW,EAAE,SAAiB;IAChD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE;YACrE,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;QAClD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,8BAA8B;QAC3E,OAAO,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,IAAI,QAAQ,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Whether this Stop should be gated. The Stop-gate exists for unattended
|
|
3
|
+
* loops; interactive turns must not pay the guardrail cost. A run counts as
|
|
4
|
+
* unattended when ANY of these hold:
|
|
5
|
+
*
|
|
6
|
+
* 1. Claude Code reports an unattended `permission_mode` on the hook
|
|
7
|
+
* payload (`bypassPermissions`) — the zero-config common case, since a
|
|
8
|
+
* headless loop runs with `--dangerously-skip-permissions`.
|
|
9
|
+
* 2. `DXKIT_LOOP_ACTIVE=1` is exported in the launching environment.
|
|
10
|
+
* 3. A `.dxkit/loop/active` sentinel file exists.
|
|
11
|
+
*
|
|
12
|
+
* (2) and (3) are the explicit override: `permission_mode` is not guaranteed
|
|
13
|
+
* on every event, so a loop that wants a hard gating guarantee sets one of
|
|
14
|
+
* them. Absent all three, the gate is an instant no-op allow.
|
|
15
|
+
*/
|
|
16
|
+
export declare function loopGateActive(repoDir: string, payload?: {
|
|
17
|
+
permission_mode?: string;
|
|
18
|
+
}): boolean;
|
|
19
|
+
/**
|
|
20
|
+
* A content-complete signature of the working tree the guardrail would
|
|
21
|
+
* scan. Captures HEAD, the ref-based comparison base (best effort), every
|
|
22
|
+
* tracked content change vs HEAD (staged + unstaged), and the untracked
|
|
23
|
+
* file list AND each untracked file's contents. Any edit to any file the
|
|
24
|
+
* gather would see changes this signature, so a cache HIT is only ever a
|
|
25
|
+
* genuinely-identical tree — the verdict cache can never skip a real
|
|
26
|
+
* net-new finding. Returns null when it cannot be computed (then the gate
|
|
27
|
+
* always gathers, the safe default).
|
|
28
|
+
*/
|
|
29
|
+
export declare function workingTreeSignature(repoDir: string): string | null;
|
|
30
|
+
/** Cached verdict keyed on a working-tree signature. Only the
|
|
31
|
+
* tree-deterministic outcomes (allow / block-model) are cached;
|
|
32
|
+
* operator/preflight failures are environment-dependent and re-tried. */
|
|
33
|
+
export interface StopGateStateCache {
|
|
34
|
+
readonly signature: string;
|
|
35
|
+
readonly outcome: 'allow' | 'block-model';
|
|
36
|
+
readonly message: string;
|
|
37
|
+
readonly netNew: number;
|
|
38
|
+
readonly baselineFindings: number;
|
|
39
|
+
}
|
|
40
|
+
export declare function readStateCache(repoDir: string): StopGateStateCache | null;
|
|
41
|
+
export declare function writeStateCache(repoDir: string, cache: StopGateStateCache): void;
|
|
42
|
+
//# sourceMappingURL=gate-cache.d.ts.map
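Review bot: `readStateCache` and `writeStateCache` are declared without doc comments, and the `StopGateStateCache` comment does not say where the verdict is stored or how far a stored `allow` is trusted. Both functions take only `repoDir`, so the cache presumably lives inside the working tree, which the gated, unattended process can also write; that makes it a speed optimisation and not an integrity boundary, and the declaration should say so. Suggested comment on `readStateCache`: `/** Reads the last verdict from the loop state directory under repoDir; contents are unauthenticated, so callers must compare signature against a freshly computed workingTreeSignature and treat a mismatch or null as a miss. */`.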
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gate-cache.d.ts","sourceRoot":"","sources":["../../src/loop/gate-cache.ts"],"names":[],"mappings":"AAuBA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAU/F;AAiBD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyBnE;AAED;;0EAE0E;AAC1E,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,aAAa,CAAC;IAC1C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC;AAGD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI,CAczE;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,GAAG,IAAI,CAQhF"}
|
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.loopGateActive = loopGateActive;
|
|
37
|
+
exports.workingTreeSignature = workingTreeSignature;
|
|
38
|
+
exports.readStateCache = readStateCache;
|
|
39
|
+
exports.writeStateCache = writeStateCache;
|
|
40
|
+
/**
|
|
41
|
+
* Loop Stop-gate: activation + caching helpers.
|
|
42
|
+
*
|
|
43
|
+
* Extracted from `stop-gate.ts` so the hook body stays focused on the gate
|
|
44
|
+
* decision. Three cohesive concerns live here:
|
|
45
|
+
*
|
|
46
|
+
* - `loopGateActive` — is this an unattended run that should be gated at all?
|
|
47
|
+
* - `workingTreeSignature` — a content-complete hash of the tree the gather
|
|
48
|
+
* would see, so an unchanged tree can replay the last verdict.
|
|
49
|
+
* - the verdict cache (`readStateCache` / `writeStateCache`).
|
|
50
|
+
*/
|
|
51
|
+
const child_process_1 = require("child_process");
|
|
52
|
+
const crypto_1 = require("crypto");
|
|
53
|
+
const fs = __importStar(require("fs"));
|
|
54
|
+
const path = __importStar(require("path"));
|
|
55
|
+
const ledger_1 = require("./ledger");
|
|
56
|
+
/** Permission modes that mean "running unattended", so the gate
|
|
57
|
+
* auto-activates. `bypassPermissions` is what `--dangerously-skip-permissions`
|
|
58
|
+
* and `--permission-mode bypassPermissions` (the canonical headless-loop
|
|
59
|
+
* flags) resolve to; an interactive session never bypasses all permissions. */
|
|
60
|
+
const UNATTENDED_PERMISSION_MODES = new Set(['bypassPermissions']);
|
|
61
|
+
/**
|
|
62
|
+
* Whether this Stop should be gated. The Stop-gate exists for unattended
|
|
63
|
+
* loops; interactive turns must not pay the guardrail cost. A run counts as
|
|
64
|
+
* unattended when ANY of these hold:
|
|
65
|
+
*
|
|
66
|
+
* 1. Claude Code reports an unattended `permission_mode` on the hook
|
|
67
|
+
* payload (`bypassPermissions`) — the zero-config common case, since a
|
|
68
|
+
* headless loop runs with `--dangerously-skip-permissions`.
|
|
69
|
+
* 2. `DXKIT_LOOP_ACTIVE=1` is exported in the launching environment.
|
|
70
|
+
* 3. A `.dxkit/loop/active` sentinel file exists.
|
|
71
|
+
*
|
|
72
|
+
* (2) and (3) are the explicit override: `permission_mode` is not guaranteed
|
|
73
|
+
* on every event, so a loop that wants a hard gating guarantee sets one of
|
|
74
|
+
* them. Absent all three, the gate is an instant no-op allow.
|
|
75
|
+
*/
|
|
76
|
+
function loopGateActive(repoDir, payload) {
|
|
77
|
+
if (payload?.permission_mode && UNATTENDED_PERMISSION_MODES.has(payload.permission_mode)) {
|
|
78
|
+
return true;
|
|
79
|
+
}
|
|
80
|
+
if (process.env.DXKIT_LOOP_ACTIVE === '1')
|
|
81
|
+
return true;
|
|
82
|
+
try {
|
|
83
|
+
return fs.existsSync(path.join(repoDir, ledger_1.LEDGER_DIR, 'active'));
|
|
84
|
+
}
|
|
85
|
+
catch {
|
|
86
|
+
return false;
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
/** Best-effort git stdout; '' on any error. `args` is always a fixed,
|
|
90
|
+
* caller-controlled string (no interpolation of untrusted input). */
|
|
91
|
+
function gitCapture(repoDir, args) {
|
|
92
|
+
try {
|
|
93
|
+
return (0, child_process_1.execSync)(`git ${args}`, {
|
|
94
|
+
cwd: repoDir,
|
|
95
|
+
encoding: 'utf8',
|
|
96
|
+
stdio: ['ignore', 'pipe', 'ignore'],
|
|
97
|
+
maxBuffer: 96 * 1024 * 1024,
|
|
98
|
+
});
|
|
99
|
+
}
|
|
100
|
+
catch {
|
|
101
|
+
return '';
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
/**
|
|
105
|
+
* A content-complete signature of the working tree the guardrail would
|
|
106
|
+
* scan. Captures HEAD, the ref-based comparison base (best effort), every
|
|
107
|
+
* tracked content change vs HEAD (staged + unstaged), and the untracked
|
|
108
|
+
* file list AND each untracked file's contents. Any edit to any file the
|
|
109
|
+
* gather would see changes this signature, so a cache HIT is only ever a
|
|
110
|
+
* genuinely-identical tree — the verdict cache can never skip a real
|
|
111
|
+
* net-new finding. Returns null when it cannot be computed (then the gate
|
|
112
|
+
* always gathers, the safe default).
|
|
113
|
+
*/
|
|
114
|
+
function workingTreeSignature(repoDir) {
|
|
115
|
+
const head = gitCapture(repoDir, 'rev-parse HEAD').trim();
|
|
116
|
+
if (!head)
|
|
117
|
+
return null; // not a git repo / no commit → never cache
|
|
118
|
+
const parts = [
|
|
119
|
+
`head:${head}`,
|
|
120
|
+
// Comparison base for ref-based mode (the default is vs origin/main);
|
|
121
|
+
// empty when there is no such ref. Committed-full mode is fully
|
|
122
|
+
// captured by HEAD + the tracked/untracked content below.
|
|
123
|
+
`base:${gitCapture(repoDir, 'rev-parse origin/main').trim()}`,
|
|
124
|
+
`status:${gitCapture(repoDir, 'status --porcelain=v1 -uall')}`,
|
|
125
|
+
`diff:${gitCapture(repoDir, 'diff HEAD')}`,
|
|
126
|
+
];
|
|
127
|
+
const untracked = gitCapture(repoDir, 'ls-files --others --exclude-standard')
|
|
128
|
+
.split('\n')
|
|
129
|
+
.map((s) => s.trim())
|
|
130
|
+
.filter(Boolean);
|
|
131
|
+
for (const rel of untracked) {
|
|
132
|
+
try {
|
|
133
|
+
const buf = fs.readFileSync(path.join(repoDir, rel));
|
|
134
|
+
parts.push(`u:${rel}:${(0, crypto_1.createHash)('sha256').update(buf).digest('hex')}`);
|
|
135
|
+
}
|
|
136
|
+
catch {
|
|
137
|
+
parts.push(`u:${rel}:unreadable`);
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
return (0, crypto_1.createHash)('sha256').update(parts.join('\0')).digest('hex').slice(0, 32);
|
|
141
|
+
}
|
|
142
|
+
const STATE_FILE = 'last-state.json';
|
|
143
|
+
function readStateCache(repoDir) {
|
|
144
|
+
try {
|
|
145
|
+
const raw = fs.readFileSync(path.join(repoDir, ledger_1.LEDGER_DIR, STATE_FILE), 'utf8');
|
|
146
|
+
const parsed = JSON.parse(raw);
|
|
147
|
+
if (typeof parsed.signature === 'string' &&
|
|
148
|
+
(parsed.outcome === 'allow' || parsed.outcome === 'block-model')) {
|
|
149
|
+
return parsed;
|
|
150
|
+
}
|
|
151
|
+
return null;
|
|
152
|
+
}
|
|
153
|
+
catch {
|
|
154
|
+
return null;
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
function writeStateCache(repoDir, cache) {
|
|
158
|
+
try {
|
|
159
|
+
const dir = path.join(repoDir, ledger_1.LEDGER_DIR);
|
|
160
|
+
fs.mkdirSync(dir, { recursive: true });
|
|
161
|
+
fs.writeFileSync(path.join(dir, STATE_FILE), JSON.stringify(cache, null, 2) + '\n', 'utf8');
|
|
162
|
+
}
|
|
163
|
+
catch {
|
|
164
|
+
/* best-effort: a cache write must never break the gate */
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
//# sourceMappingURL=gate-cache.js.map
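Review bot: `workingTreeSignature` can return the same signature for two different trees, because `gitCapture` returns `''` on every failure and the `status:` and `diff:` parts are built from that value unchecked. If `git diff HEAD` fails or exceeds the 96 MiB `maxBuffer`, the `diff:` part is empty and only the status lines remain; they record that a tracked file is modified but not its content, so a further edit to that file replays the cached verdict, contrary to the "can never skip a real net-new finding" statement in the doc comment. The untracked list has the same weakness: without `-z`, git prints unusual paths quoted, `readFileSync` then fails, and the part becomes the constant `u:<path>:unreadable`. A failed capture should count as "cannot compute" and return `null` so the gate gathers, as sketched below.

```javascript
/** Like gitCapture, but null on failure so callers can tell "failed" from "no output". */
function gitCaptureStrict(repoDir, args) {
    try {
        return (0, child_process_1.execSync)(`git ${args}`, {
            // … unchanged: cwd / encoding / stdio / maxBuffer options …
        });
    }
    catch {
        return null;
    }
}
function workingTreeSignature(repoDir) {
    // … unchanged: HEAD lookup and early return …
    const status = gitCaptureStrict(repoDir, 'status --porcelain=v1 -uall');
    const diff = gitCaptureStrict(repoDir, 'diff HEAD');
    const others = gitCaptureStrict(repoDir, 'ls-files --others --exclude-standard -z');
    if (status === null || diff === null || others === null)
        return null; // cannot prove the tree is unchanged, so always gather
    // … unchanged: head/base parts, now using `status` and `diff` …
    const untracked = others.split('\0').filter(Boolean);
    // … unchanged: per-file hashing loop and final digest …
}
```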
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gate-cache.js","sourceRoot":"","sources":["../../src/loop/gate-cache.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCA,wCAUC;AA2BD,oDAyBC;AAcD,wCAcC;AAED,0CAQC;AA1ID;;;;;;;;;;GAUG;AACH,iDAAyC;AACzC,mCAAoC;AACpC,uCAAyB;AACzB,2CAA6B;AAC7B,qCAAsC;AAEtC;;;gFAGgF;AAChF,MAAM,2BAA2B,GAAG,IAAI,GAAG,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAEnE;;;;;;;;;;;;;;GAcG;AACH,SAAgB,cAAc,CAAC,OAAe,EAAE,OAAsC;IACpF,IAAI,OAAO,EAAE,eAAe,IAAI,2BAA2B,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QACzF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;sEACsE;AACtE,SAAS,UAAU,CAAC,OAAe,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,IAAA,wBAAQ,EAAC,OAAO,IAAI,EAAE,EAAE;YAC7B,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;YACnC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAAC,OAAe;IAClD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC,CAAC,2CAA2C;IACnE,MAAM,KAAK,GAAa;QACtB,QAAQ,IAAI,EAAE;QACd,sEAAsE;QACtE,gEAAgE;QAChE,0DAA0D;QAC1D,QAAQ,UAAU,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC,IAAI,EAAE,EAAE;QAC7D,UAAU,UAAU,CAAC,OAAO,EAAE,6BAA6B,CAAC,EAAE;QAC9D,QAAQ,UAAU,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE;KAC3C,CAAC;IACF,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,EAAE,sCAAsC,CAAC;SAC1E,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;IACnB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YACrD,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC3E,CAAC;QAAC,MAAM,CAA
C;YACP,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,aAAa,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IACD,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClF,CAAC;AAYD,MAAM,UAAU,GAAG,iBAAiB,CAAC;AAErC,SAAgB,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAU,EAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAuB,CAAC;QACrD,IACE,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YACpC,CAAC,MAAM,CAAC,OAAO,KAAK,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,aAAa,CAAC,EAChE,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAgB,eAAe,CAAC,OAAe,EAAE,KAAyB;IACxE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAU,CAAC,CAAC;QAC3C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9F,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;AACH,CAAC"}
|
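--- a/package/dist/loop/ledger.d.ts
+++ b/package/dist/loop/ledger.d.ts
@@ -51,6 +51,13 @@ export interface LedgerEvent {
 readonly lint_status: CheckStatus;
 readonly typecheck_status: CheckStatus;
 readonly duration_ms: number;
+/**
+* True when this verdict was replayed from the tree-signature cache
+* (the working tree was byte-identical to the last gather) rather than
+* re-gathered. Optional for forward/backward compat — absent on events
+* written before the cache existed, and on every freshly-gathered event.
+*/
+readonly cached?: boolean;
 }
 /**
 * Fill in the repo-derived fields (branch, commit) and stamp the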
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ledger.d.ts","sourceRoot":"","sources":["../../src/loop/ledger.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE3C,yDAAyD;AACzD,eAAO,MAAM,qBAAqB,IAAI,CAAC;AAEvC,qDAAqD;AACrD,eAAO,MAAM,UAAU,QAA8B,CAAC;AACtD,eAAO,MAAM,WAAW,QAAwC,CAAC;AAEjE,uEAAuE;AACvE,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,gBAAgB,GAAG,SAAS,CAAC;AAEnF;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB;;iDAE6C;IAC7C,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC;IACvC,0EAA0E;IAC1E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,qEAAqE;IACrE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B;;;;;OAKG;IACH,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,YAAY,EAAE,WAAW,CAAC;IACnC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC;IACvC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"ledger.d.ts","sourceRoot":"","sources":["../../src/loop/ledger.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE3C,yDAAyD;AACzD,eAAO,MAAM,qBAAqB,IAAI,CAAC;AAEvC,qDAAqD;AACrD,eAAO,MAAM,UAAU,QAA8B,CAAC;AACtD,eAAO,MAAM,WAAW,QAAwC,CAAC;AAEjE,uEAAuE;AACvE,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,gBAAgB,GAAG,SAAS,CAAC;AAEnF;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB;;iDAE6C;IAC7C,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC;IACvC,0EAA0E;IAC1E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,qEAAqE;IACrE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B;;;;;OAKG;IACH,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,YAAY,EAAE,WAAW,CAAC;IACnC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC;IACvC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;CAC3B;AA4BD;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,gBAAgB,GAAG,WAAW,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC,GACvF,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAC,CAAC,GAChD,WAAW,CASb;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,OAAO,CAS1E;AAED,qEAAqE;AACrE,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,EAAE,CAqBrD;AAED,oEAAoE;AACpE,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAOhD;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,wDAAwD;IACxD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B;;;;;OAKG;IACH,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,mEAAmE;IACnE,QA
AQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;CACrC;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,aAAa,CAAC,WAAW,CAAC,GAAG,aAAa,CAuCjF"}
|
package/dist/loop/ledger.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ledger.js","sourceRoot":"","sources":["../../src/loop/ledger.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"ledger.js","sourceRoot":"","sources":["../../src/loop/ledger.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiHA,4CAaC;AAQD,8CASC;AAGD,gCAqBC;AAGD,kCAOC;AA0BD,0CAuCC;AAlPD;;;;;;;;;;;;;GAaG;AACH,iDAA6C;AAC7C,uCAAyB;AACzB,2CAA6B;AAG7B,yDAAyD;AAC5C,QAAA,qBAAqB,GAAG,CAAC,CAAC;AAEvC,qDAAqD;AACxC,QAAA,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AACzC,QAAA,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAU,EAAE,cAAc,CAAC,CAAC;AA2DjE,mEAAmE;AACnE,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,CAAC;QACH,OAAO,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC,EAAE;YAChE,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,CAAC;QACH,OAAO,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE;YAChD,GAAG;YACH,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAC9B,GAAW,EACX,MACiD;IAEjD,OAAO;QACL,cAAc,EAAE,6BAAqB;QACrC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,MAAM;QACb,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC;QACvC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC;QACvC,GAAG,MAAM;KACV,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,GAAW,EAAE,KAAkB;IAC/D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAU,CAAC,CAAC;QACvC,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAW,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QACrF,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAgB,UAAU,CAAC,GAAW;IACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAW,CAAC,CAAC;IACzC,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACtC,CA
AC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAkB,EAAE,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAgB,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;YAC/D,gEAAgE;YAChE,gCAAgC;QAClC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,oEAAoE;AACpE,SAAgB,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAW,CAAC,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAmBD;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,MAAkC;IAChE,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,mEAAmE;IACnE,qEAAqE;IACrE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,iCAAiC;IAC9E,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAE1C,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE;QACxB,IAAI,CAAC,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;aACpB,CAAC;YACJ,OAAO,EAAE,CAAC;YACV,aAAa,IAAI,CAAC,CAAC,gBAAgB,CAAC;QACtC,CAAC;QAED,MAAM,GAAG,GAAG,CAAC,CAAC,UAAU,IAAI,WAAW,CAAC;QACxC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YACf,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACnD,CAAC;aAAM,IACL,CAAC,CAAC,gBAAgB,KAAK,MAAM;YAC7B,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;YAClB,GAAG,GAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAY,EACpC,CAAC;YACD,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM;QACpB,OAAO;QACP,OAAO;QACP,aAAa;QACb,kBAAkB,EAAE,gBAAgB,CAAC,IAAI;QACzC,kBAAkB,EAAE,CAAC,GAAG,eAAe,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM;KACxF,CAAC;AACJ,CAAC"}
|
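--- a/package/dist/loop/scaffold.d.ts
+++ b/package/dist/loop/scaffold.d.ts
@@ -5,6 +5,15 @@ import { type LoopPreset } from './policy';
 * future tooling agree on the exact string and the loop Stop hook is a
 * registered self-invocation surface (devDependency + doctor coverage). */
 export declare const STOP_HOOK_COMMAND: string;
+/**
+* Timeout (seconds) for the installed Stop hook. Claude Code's default
+* hook timeout (60s) is too short for a cold first guardrail gather on a
+* large repo — especially in ref-based mode, where the comparison side is
+* scanned in a worktree — so the hook surfaces as a "Stop hook error" even
+* though it would have finished. The verdict + ref-scan caches make warm
+* gathers fast; this generous ceiling covers the cold case.
+*/
+export declare const STOP_HOOK_TIMEOUT_SECONDS = 600;
 interface LoopScaffoldOpts {
 /**
 * Explicit loop posture to write into `.dxkit/policy.json`. When set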
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scaffold.d.ts","sourceRoot":"","sources":["../../src/loop/scaffold.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAuB,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AAGhE;;;4EAG4E;AAC5E,eAAO,MAAM,iBAAiB,QAA6B,CAAC;
|
|
1
|
+
{"version":3,"file":"scaffold.d.ts","sourceRoot":"","sources":["../../src/loop/scaffold.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAuB,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AAGhE;;;4EAG4E;AAC5E,eAAO,MAAM,iBAAiB,QAA6B,CAAC;AAE5D;;;;;;;GAOG;AACH,eAAO,MAAM,yBAAyB,MAAM,CAAC;AAgC7C,UAAU,gBAAgB;IACxB;;;;;;OAMG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC;CAC9B;AAWD;;gDAEgD;AAChD,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAY1D;AA6ID;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,GAAE,gBAAqB,GAAG,iBAAiB,CAM7F"}
|
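--- a/package/dist/loop/scaffold.js
+++ b/package/dist/loop/scaffold.js
@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
 };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.STOP_HOOK_COMMAND = void 0;
+exports.STOP_HOOK_TIMEOUT_SECONDS = exports.STOP_HOOK_COMMAND = void 0;
 exports.isClaudeLoopInstalled = isClaudeLoopInstalled;
 exports.installClaudeLoop = installClaudeLoop;
 /**
@@ -61,6 +61,15 @@ const self_invocation_1 = require("../self-invocation");
 * future tooling agree on the exact string and the loop Stop hook is a
 * registered self-invocation surface (devDependency + doctor coverage). */
 exports.STOP_HOOK_COMMAND = (0, self_invocation_1.dxkitCli)('hook stop-gate');
+/**
+* Timeout (seconds) for the installed Stop hook. Claude Code's default
+* hook timeout (60s) is too short for a cold first guardrail gather on a
+* large repo — especially in ref-based mode, where the comparison side is
+* scanned in a worktree — so the hook surfaces as a "Stop hook error" even
+* though it would have finished. The verdict + ref-scan caches make warm
+* gathers fast; this generous ceiling covers the cold case.
+*/
+exports.STOP_HOOK_TIMEOUT_SECONDS = 600;
 /** Sentinel markers bounding the dxkit-managed region of CLAUDE.md. Only
 * the text between them is ever rewritten. */
 const CLAUDE_BLOCK_START = '<!-- dxkit:loop:start -->';
@@ -70,11 +79,17 @@ const CLAUDE_BLOCK_END = '<!-- dxkit:loop:end -->';
 * when the preset is switched without re-running init. */
 const CLAUDE_LOOP_NORM = `## Autonomous loop safety (dxkit)
 
-This repo runs coding loops behind the dxkit Stop-gate: when
-to stop, \`vyuh-dxkit hook stop-gate\` re-runs the guardrail and
-completion if the branch introduced net-new findings, handing them
-for repair. Loop norms:
+This repo runs coding loops behind the dxkit Stop-gate: when an unattended
+loop tries to stop, \`vyuh-dxkit hook stop-gate\` re-runs the guardrail and
+blocks completion if the branch introduced net-new findings, handing them
+back for repair. Loop norms:
 
+- The gate runs only for UNATTENDED loops, so interactive sessions are not
+slowed. A headless loop (\`claude --dangerously-skip-permissions\`, i.e.
+\`permission_mode=bypassPermissions\`) auto-activates it — nothing to
+configure. For a hard guarantee (\`permission_mode\` is not on every event),
+export \`DXKIT_LOOP_ACTIVE=1\` or \`touch .dxkit/loop/active\` before
+launching the agent. Interactive work is covered by your review + CI.
 - Fix the net-new finding the gate reports. Do NOT refresh the baseline to
 clear a block, and do NOT fix unrelated pre-existing debt — the gate
 only asks for what this branch introduced.
@@ -137,7 +152,9 @@ function mergeStopHook(cwd, result) {
 }
 function stopEntry() {
 // Stop hooks take no matcher (unlike PreToolUse).
-return {
+return {
+hooks: [{ type: 'command', command: exports.STOP_HOOK_COMMAND, timeout: exports.STOP_HOOK_TIMEOUT_SECONDS }],
+};
 }
 /**
 * Upsert the dxkit loop managed block in CLAUDE.md. Replaces the block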
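Review bot: In the `CLAUDE_LOOP_NORM` hunk, the added bullet (new lines 87–92) presents `permission_mode=bypassPermissions` auto-activation as "nothing to configure" and leaves the reliable switch in a parenthetical, although the same text concedes the field is not on every event. The stop-gate.js change on this page exits 0 before any check when `loopGateActive` returns false, so as far as these hunks show, a headless loop whose Stop event lacks `permission_mode` would stop without being gated. I would make the explicit switch the stated default, for example `Always export DXKIT_LOOP_ACTIVE=1 before launching an unattended agent; permission_mode detection is best-effort.` The text should also say that `.dxkit/loop/active` sits in the working tree the loop itself edits, so the environment variable set by the launcher is the stronger of the two signals. The template literal starts in this hunk and continues past its last line.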
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scaffold.js","sourceRoot":"","sources":["../../src/loop/scaffold.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"scaffold.js","sourceRoot":"","sources":["../../src/loop/scaffold.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,sDAYC;AAiJD,8CAMC;AA9PD;;;;;;;;;;;;;;;GAeG;AACH,uCAAyB;AACzB,2CAA6B;AAE7B,qCAAgE;AAChE,wDAA8C;AAE9C;;;4EAG4E;AAC/D,QAAA,iBAAiB,GAAG,IAAA,0BAAQ,EAAC,gBAAgB,CAAC,CAAC;AAE5D;;;;;;;GAOG;AACU,QAAA,yBAAyB,GAAG,GAAG,CAAC;AAE7C;+CAC+C;AAC/C,MAAM,kBAAkB,GAAG,2BAA2B,CAAC;AACvD,MAAM,gBAAgB,GAAG,yBAAyB,CAAC;AAEnD;;2DAE2D;AAC3D,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;;;;;;;;kEAoByC,CAAC;AAsBnE;;gDAEgD;AAChD,SAAgB,qBAAqB,CAAC,GAAW;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;QACjD,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3C,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAClB,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAC3E,CACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,GAAW,EAAE,MAAyB;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAEhC,IAAI,QAAQ,GAAmB,EAAE,CAAC;IAClC,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,IAAI,CAAC;QACf,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAmB,CAAC;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,MAAM,OAAO,GAAG,GAAG,GAAG,QAAQ,CAAC;YAC/B,EAAE,CAAC,aAAa,CACd,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,EACvB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAClE,MAAM,CACP,CAAC;YACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,MAAM,CAAC,KAAK,CAAC,IAAI,CACf,GAAG,GAAG,iEAAiE,OAAO,WAAW,CAC1F,CAAC;YACF,OAAO;QACT,CAAC;IACH,CAAC;IAED,QAAQ,CAAC,KAAK,KAAK,EAAE,CAAC;IACtB,QAAQ,CAAC,KAAK,C
AAC,IAAI,KAAK,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7C,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAClB,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAC3E,CACF,CAAC;IACF,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO;IACT,CAAC;IACD,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IACtC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IACxE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,KAAK,CAAC,IAAI,CACf,gDAAgD,GAAG,2BAA2B,CAC/E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,SAAS;IAChB,kDAAkD;IAClD,OAAO;QACL,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,yBAAiB,EAAE,OAAO,EAAE,iCAAyB,EAAE,CAAC;KAC7F,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,GAAW,EAAE,MAAyB;IAC/D,MAAM,GAAG,GAAG,WAAW,CAAC;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,GAAG,kBAAkB,KAAK,gBAAgB,KAAK,gBAAgB,EAAE,CAAC;IAEhF,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,IAAI,CAAC;QACf,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAClD,IAAI,IAAY,CAAC;IACjB,IAAI,QAAQ,KAAK,CAAC,CAAC,IAAI,MAAM,KAAK,CAAC,CAAC,IAAI,MAAM,GAAG,QAAQ,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC/D,IAAI,GAAG,MAAM,GAAG,KAAK,GAAG,KAAK,CAAC;QAC9B,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;IACH,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,
CAAC,GAAG,MAAM,GAAG,KAAK,GAAG,IAAI,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,kBAAkB,KAAK,IAAI,CAAC;IACrC,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,OAAO,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,KAAK,CAAC,IAAI,CACf,gDAAgD,GAAG,4BAA4B,CAChF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CACvB,GAAW,EACX,QAAgC,EAChC,MAAyB;IAEzB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAEhC,IAAI,MAAM,GAAyD,EAAE,CAAC;IACtE,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,+DAA+D,CAAC,CAAC;YACzF,OAAO;QACT,CAAC;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC;IACrC,mEAAmE;IACnE,MAAM,MAAM,GAAG,QAAQ,IAAI,QAAQ,IAAI,4BAAmB,CAAC;IAC3D,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,GAAG,EAAE,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACjD,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IACtE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,GAAW,EAAE,OAAyB,EAAE;IACxE,MAAM,MAAM,GAAsB,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IAC1F,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC3B,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC/B,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
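--- a/package/dist/loop/stop-gate.d.ts
+++ b/package/dist/loop/stop-gate.d.ts
@@ -37,6 +37,16 @@ interface StopHookPayload {
 readonly stop_hook_active?: boolean;
 readonly agent_id?: string;
 readonly agent_type?: string;
+/**
+* Active permission mode, when Claude Code includes it
+* (`default` | `plan` | `acceptEdits` | `auto` | `dontAsk` |
+* `bypassPermissions`). `bypassPermissions` is the canonical
+* unattended/headless mode (`--dangerously-skip-permissions` /
+* `--permission-mode bypassPermissions`), so it auto-activates the gate.
+* Not guaranteed present on every event, so the env / sentinel remain the
+* reliable override for guaranteed gating.
+*/
+readonly permission_mode?: string;
 }
 /** What the gate decided, before any process I/O. */
 export interface StopGateDecision {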
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"stop-gate.d.ts","sourceRoot":"","sources":["../../src/loop/stop-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACxE,OAAO,EAKL,KAAK,WAAW,EACjB,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"stop-gate.d.ts","sourceRoot":"","sources":["../../src/loop/stop-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACxE,OAAO,EAKL,KAAK,WAAW,EACjB,MAAM,UAAU,CAAC;AAWlB,oEAAoE;AACpE,UAAU,eAAe;IACvB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;;;;;OAQG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;CACnC;AAED,qDAAqD;AACrD,MAAM,WAAW,gBAAgB;IAC/B;8CAC0C;IAC1C,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,aAAa,GAAG,gBAAgB,CAAC;IAC7D,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,+CAA+C;IAC/C,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;CAC7B;AAuBD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,oBAAoB,GAAG,MAAM,CA2BrE;AAqBD;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,oBAAoB,CAAC,GAC3D,OAAO,CAAC,gBAAgB,CAAC,CAiI3B;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA+H5D"}
|
package/dist/loop/stop-gate.js
CHANGED
|
@@ -40,6 +40,7 @@ const ledger_1 = require("./ledger");
|
|
|
40
40
|
const child_process_1 = require("child_process");
|
|
41
41
|
const fs = __importStar(require("fs"));
|
|
42
42
|
const path = __importStar(require("path"));
|
|
43
|
+
const gate_cache_1 = require("./gate-cache");
|
|
43
44
|
/** Read and parse the stdin hook payload; {} on any problem. */
|
|
44
45
|
function readStdinPayload() {
|
|
45
46
|
let raw = '';
|
|
@@ -249,14 +250,73 @@ async function computeStopGate(cwd, payload, runCheck) {
|
|
|
249
250
|
async function runStopGate(cwd) {
|
|
250
251
|
const payload = readStdinPayload();
|
|
251
252
|
const repoDir = payload.cwd || cwd;
|
|
253
|
+
// ── Loop-scoped activation. The Stop-gate is for UNATTENDED loops, where
|
|
254
|
+
// no human is reviewing each stop. An interactive turn — a person present,
|
|
255
|
+
// the agent stopping to ask a question — must not pay the guardrail cost.
|
|
256
|
+
// So the hook is an instant no-op allow unless the loop marks itself
|
|
257
|
+
// active (DXKIT_LOOP_ACTIVE=1, or a `.dxkit/loop/active` sentinel the loop
|
|
258
|
+
// runner drops). The CI guardrail still gates the branch either way.
|
|
259
|
+
if (!(0, gate_cache_1.loopGateActive)(repoDir, payload)) {
|
|
260
|
+
process.exit(0);
|
|
261
|
+
}
|
|
252
262
|
// Resolve the loop-scoped posture ONCE (preset → policy). This is the
|
|
253
263
|
// only place the loop preset is read; the CI guardrail never sees it.
|
|
254
264
|
const { resolveLoopPolicy } = await Promise.resolve().then(() => __importStar(require('./policy')));
|
|
255
265
|
const { policy, preset } = resolveLoopPolicy(repoDir);
|
|
266
|
+
// ── Fast path: replay the last verdict when the working tree is
|
|
267
|
+
// byte-identical to what was last gathered (a no-change stop — an
|
|
268
|
+
// interactive Q&A turn, or a re-stop after a block with no edit). Skips
|
|
269
|
+
// the full guardrail gather + tests entirely. Safe by construction: the
|
|
270
|
+
// signature captures every file the gather would see, so a cache hit is
|
|
271
|
+
// only ever a genuinely-identical tree and the cache can never skip a
|
|
272
|
+
// real net-new finding. Bypass with DXKIT_LOOP_NO_CACHE=1.
|
|
273
|
+
const signature = process.env.DXKIT_LOOP_NO_CACHE === '1' ? null : (0, gate_cache_1.workingTreeSignature)(repoDir);
|
|
274
|
+
const agentFields = {
|
|
275
|
+
...(payload.agent_id ? { agent_id: payload.agent_id } : {}),
|
|
276
|
+
...(payload.agent_type ? { agent_type: payload.agent_type } : {}),
|
|
277
|
+
};
|
|
278
|
+
if (signature) {
|
|
279
|
+
const cached = (0, gate_cache_1.readStateCache)(repoDir);
|
|
280
|
+
if (cached && cached.signature === signature) {
|
|
281
|
+
const event = (0, ledger_1.buildLedgerEvent)(repoDir, {
|
|
282
|
+
session_id: payload.session_id || '',
|
|
283
|
+
...agentFields,
|
|
284
|
+
cwd: repoDir,
|
|
285
|
+
guardrail_status: cached.outcome === 'allow' ? 'pass' : 'fail',
|
|
286
|
+
net_new_findings: cached.netNew,
|
|
287
|
+
baseline_findings: cached.baselineFindings,
|
|
288
|
+
files_changed: 0,
|
|
289
|
+
allowed: cached.outcome === 'allow',
|
|
290
|
+
stop_hook_active: !!payload.stop_hook_active,
|
|
291
|
+
tests_status: 'skipped',
|
|
292
|
+
lint_status: 'not_configured',
|
|
293
|
+
typecheck_status: 'not_configured',
|
|
294
|
+
duration_ms: 0,
|
|
295
|
+
cached: true,
|
|
296
|
+
});
|
|
297
|
+
(0, ledger_1.appendLedgerEvent)(repoDir, { ...event, preset });
|
|
298
|
+
if (cached.outcome === 'block-model') {
|
|
299
|
+
process.stdout.write(JSON.stringify({ decision: 'block', reason: cached.message }) + '\n');
|
|
300
|
+
process.exit(0);
|
|
301
|
+
}
|
|
302
|
+
process.exit(0); // allow — clean stop replayed from cache
|
|
303
|
+
}
|
|
304
|
+
}
|
|
305
|
+
// Scope the gather to the analyzers this posture can actually block on.
|
|
306
|
+
// A `security-only` loop skips jscpd / lint / coverage / cloc / test-gaps /
|
|
307
|
+
// graphify — they feed only kinds the policy can't act on, so skipping them
|
|
308
|
+
// cannot change the verdict (see src/baseline/gather-scope.ts). Both sides
|
|
309
|
+
// of the diff are scoped identically. `full-debt` derives FULL_SCOPE.
|
|
310
|
+
const { scopeForPolicy } = await Promise.resolve().then(() => __importStar(require('../baseline/gather-scope')));
|
|
311
|
+
const scope = scopeForPolicy(policy);
|
|
256
312
|
const runCheck = async (dir) => {
|
|
257
313
|
const { runGuardrailCheck } = await Promise.resolve().then(() => __importStar(require('../baseline/check')));
|
|
258
314
|
const { renderJson } = await Promise.resolve().then(() => __importStar(require('../baseline/check-renderers')));
|
|
259
|
-
|
|
315
|
+
// `incremental: true` scopes the current side's semgrep to changed
|
|
316
|
+
// files (opt 3). Verdict-safe: semgrep is intraprocedural, so a net-new
|
|
317
|
+
// code finding only appears in a file the diff touched, and the scan
|
|
318
|
+
// falls back to full whenever the changed set can't be computed.
|
|
319
|
+
const result = await runGuardrailCheck({ cwd: dir, policy, scope, incremental: true });
|
|
260
320
|
const json = renderJson(result);
|
|
261
321
|
// Persist the full machine-readable verdict so the model (and a human)
|
|
262
322
|
// can read the exact net-new findings the block message points to.
|
|
@@ -274,6 +334,19 @@ async function runStopGate(cwd) {
|
|
|
274
334
|
// Stamp the active preset onto the ledger line so the audit trail shows
|
|
275
335
|
// which posture was in force when the gate allowed/blocked.
|
|
276
336
|
(0, ledger_1.appendLedgerEvent)(repoDir, { ...decision.event, preset });
|
|
337
|
+
// Persist the verdict keyed on the tree signature so the next stop with
|
|
338
|
+
// an unchanged tree replays it instead of re-gathering. Only the
|
|
339
|
+
// tree-deterministic outcomes are cached; an operator/preflight failure
|
|
340
|
+
// is environment-dependent and must be re-tried.
|
|
341
|
+
if (signature && (decision.outcome === 'allow' || decision.outcome === 'block-model')) {
|
|
342
|
+
(0, gate_cache_1.writeStateCache)(repoDir, {
|
|
343
|
+
signature,
|
|
344
|
+
outcome: decision.outcome,
|
|
345
|
+
message: decision.message,
|
|
346
|
+
netNew: decision.event.net_new_findings,
|
|
347
|
+
baselineFindings: decision.event.baseline_findings,
|
|
348
|
+
});
|
|
349
|
+
}
|
|
277
350
|
if (decision.outcome === 'block-model') {
|
|
278
351
|
// Exit 0 + decision JSON on stdout → blocks the stop and feeds the
|
|
279
352
|
// reason to the model so it repairs.
|