@webpresso/agent-kit 0.27.0 → 0.28.0

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Webpresso agent-kit Claude Code plugin: blueprints, skills, hooks, MCP server",
-    "version": "0.27.0"
+    "version": "0.28.0"
   },
   "plugins": [
     {
@@ -23,5 +23,5 @@
       ]
     }
   ],
-  "version": "0.27.0"
+  "version": "0.28.0"
 }

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "webpresso",
-  "version": "0.27.0",
+  "version": "0.28.0",
   "description": "Webpresso agent-kit: blueprints, skills, lore commit protocol, tech-debt lifecycle",
   "skills": "./skills",
   "commands": "./commands",

package/dist/esm/audit/toolchain-isolation.js

@@ -1,5 +1,6 @@
 import { existsSync, readdirSync, readFileSync } from 'node:fs';
 import path from 'node:path';
+import { readConfig } from '#cli/commands/init/config';
 const FORBIDDEN_DEPENDENCY_PATTERNS = [
     /^typescript$/u,
     /^vite$/u,
@@ -19,6 +20,11 @@ const ALLOWED_SCRIPT_PREFIXES = ['wp ', 'vp run ', 'vp run -r '];
 export function auditToolchainIsolation(root) {
     const packagePaths = findPackageJsonFiles(root);
     const violations = [];
+    // Per-repo runtime exemptions: dependency names the repo declares as
+    // legitimate app-specific runtimes (e.g. `tsx` for a Pulumi program's TS
+    // loader, `@playwright/test` imported by e2e specs) rather than generic
+    // toolchain. Mechanism here; data lives in the consumer's `.webpressorc.json`.
+    const allowDependencies = new Set(readConfig(root)?.audit?.toolchainIsolation?.allowDependencies ?? []);
     for (const packagePath of packagePaths) {
         const pkg = readPackageJson(packagePath);
         if (!pkg) {
@@ -36,6 +42,8 @@ export function auditToolchainIsolation(root) {
             for (const depName of Object.keys(pkg[field] ?? {})) {
                 if (!isForbiddenDependency(depName))
                     continue;
+                if (allowDependencies.has(depName))
+                    continue;
                 violations.push({
                     file: packagePath,
                     message: `${field}.${depName} is toolchain-owned; route it through @webpresso/agent-kit/wp instead of declaring it directly`,

package/dist/esm/cli/commands/init/config.d.ts

@@ -24,6 +24,16 @@ export interface AgentkitConfig {
         packageManager?: 'vp-only';
         scriptRoutes?: Record<string, string>;
     };
+    /** Audit policy overrides. `mechanism` lives in agent-kit; this is per-repo
+     *  `data`. `toolchainIsolation.allowDependencies` lists dependency names that
+     *  are exempt from the toolchain-isolation audit because they are legitimate
+     *  app-specific runtimes (e.g. `tsx` for a Pulumi program's TS loader,
+     *  `@playwright/test` imported by e2e specs), not generic toolchain. */
+    audit?: {
+        toolchainIsolation?: {
+            allowDependencies?: string[];
+        };
+    };
     rules: {
         overrides: string[];
     };

package/dist/esm/cli/commands/init/config.js

@@ -60,6 +60,12 @@ export function readConfig(repoRoot) {
                 ...(scriptRoutes ? { scriptRoutes } : {}),
             }
             : undefined;
+        const auditConfig = parsed.audit;
+        const rawAllowDeps = auditConfig?.toolchainIsolation?.allowDependencies;
+        const allowDependencies = Array.isArray(rawAllowDeps)
+            ? rawAllowDeps.filter((s) => typeof s === 'string' && s.length > 0)
+            : [];
+        const normalizedAudit = allowDependencies.length > 0 ? { toolchainIsolation: { allowDependencies } } : undefined;
         const selectedHosts = Array.isArray(hosts?.selected)
             ? hosts.selected.filter((s) => ['codex', 'claude', 'opencode'].includes(String(s)))
             : [];
@@ -79,6 +85,7 @@ export function readConfig(repoRoot) {
             },
             ...(normalizedMcp ? { mcp: normalizedMcp } : {}),
             ...(normalizedGuard ? { guard: normalizedGuard } : {}),
+            ...(normalizedAudit ? { audit: normalizedAudit } : {}),
             rules: { overrides: overrides.filter((s) => typeof s === 'string') },
             scripts: {
                 'setup-agent': readOptionalString(scripts?.['setup-agent']),
@@ -116,12 +123,21 @@ export function mergeConfig(existing, incoming) {
             ...(mergedScriptRoutes ? { scriptRoutes: mergedScriptRoutes } : {}),
         }
         : undefined;
+    const existingAllowDeps = existing.audit?.toolchainIsolation?.allowDependencies;
+    const incomingAllowDeps = incoming.audit?.toolchainIsolation?.allowDependencies;
+    const mergedAllowDeps = existingAllowDeps || incomingAllowDeps
+        ? Array.from(new Set([...(existingAllowDeps ?? []), ...(incomingAllowDeps ?? [])])).toSorted()
+        : undefined;
+    const mergedAudit = mergedAllowDeps
+        ? { toolchainIsolation: { allowDependencies: mergedAllowDeps } }
+        : undefined;
     return {
         version: incoming.version,
         installed: { tier3Skills: tier3 },
         hosts: incoming.hosts ?? existing.hosts,
         ...(mergedMcp ? { mcp: mergedMcp } : {}),
         ...(mergedGuard ? { guard: mergedGuard } : {}),
+        ...(mergedAudit ? { audit: mergedAudit } : {}),
         rules: { overrides },
         scripts: {
             'setup-agent': incoming.scripts['setup-agent'] ?? existing.scripts['setup-agent'],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@webpresso/agent-kit",
-  "version": "0.27.0",
+  "version": "0.28.0",
   "private": false,
   "repository": {
     "type": "git",
@@ -710,10 +710,10 @@
     "@stryker-mutator/typescript-checker": "^9.6.1",
     "@playwright/test": "^1.55.0",
     "wrangler": "^4.50.0",
-    "@webpresso/agent-kit-runtime-darwin-arm64": "0.27.0",
-    "@webpresso/agent-kit-runtime-darwin-x64": "0.27.0",
-    "@webpresso/agent-kit-runtime-linux-x64": "0.27.0",
-    "@webpresso/agent-kit-runtime-linux-arm64": "0.27.0",
-    "@webpresso/agent-kit-runtime-windows-x64": "0.27.0"
+    "@webpresso/agent-kit-runtime-darwin-arm64": "0.28.0",
+    "@webpresso/agent-kit-runtime-darwin-x64": "0.28.0",
+    "@webpresso/agent-kit-runtime-linux-x64": "0.28.0",
+    "@webpresso/agent-kit-runtime-linux-arm64": "0.28.0",
+    "@webpresso/agent-kit-runtime-windows-x64": "0.28.0"
   }
 }