npm - @webpresso/agent-kit - Versions diffs - 0.27.0 → 0.28.0 - Mend

@webpresso/agent-kit 0.27.0 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude-plugin/marketplace.json +2 -2
package/.claude-plugin/plugin.json +1 -1
package/dist/esm/audit/toolchain-isolation.js +8 -0
package/dist/esm/cli/commands/init/config.d.ts +10 -0
package/dist/esm/cli/commands/init/config.js +16 -0
package/package.json +6 -6

package/.claude-plugin/marketplace.json CHANGED Viewed

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Webpresso agent-kit Claude Code plugin: blueprints, skills, hooks, MCP server",
-    "version": "0.27.0"
+    "version": "0.28.0"
   },
   "plugins": [
     {
@@ -23,5 +23,5 @@
       ]
     }
   ],
-  "version": "0.27.0"
+  "version": "0.28.0"
 }

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "webpresso",
-  "version": "0.27.0",
+  "version": "0.28.0",
   "description": "Webpresso agent-kit: blueprints, skills, lore commit protocol, tech-debt lifecycle",
   "skills": "./skills",
   "commands": "./commands",

package/dist/esm/audit/toolchain-isolation.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { existsSync, readdirSync, readFileSync } from 'node:fs';
 import path from 'node:path';
+import { readConfig } from '#cli/commands/init/config';
 const FORBIDDEN_DEPENDENCY_PATTERNS = [
     /^typescript$/u,
     /^vite$/u,
@@ -19,6 +20,11 @@ const ALLOWED_SCRIPT_PREFIXES = ['wp ', 'vp run ', 'vp run -r '];
 export function auditToolchainIsolation(root) {
     const packagePaths = findPackageJsonFiles(root);
     const violations = [];
+    // Per-repo runtime exemptions: dependency names the repo declares as
+    // legitimate app-specific runtimes (e.g. `tsx` for a Pulumi program's TS
+    // loader, `@playwright/test` imported by e2e specs) rather than generic
+    // toolchain. Mechanism here; data lives in the consumer's `.webpressorc.json`.
+    const allowDependencies = new Set(readConfig(root)?.audit?.toolchainIsolation?.allowDependencies ?? []);
     for (const packagePath of packagePaths) {
         const pkg = readPackageJson(packagePath);
         if (!pkg) {
@@ -36,6 +42,8 @@ export function auditToolchainIsolation(root) {
             for (const depName of Object.keys(pkg[field] ?? {})) {
                 if (!isForbiddenDependency(depName))
                     continue;
+                if (allowDependencies.has(depName))
+                    continue;
                 violations.push({
                     file: packagePath,
                     message: `${field}.${depName} is toolchain-owned; route it through @webpresso/agent-kit/wp instead of declaring it directly`,

package/dist/esm/cli/commands/init/config.d.ts CHANGED Viewed

@@ -24,6 +24,16 @@ export interface AgentkitConfig {
         packageManager?: 'vp-only';
         scriptRoutes?: Record<string, string>;
     };
+    /** Audit policy overrides. `mechanism` lives in agent-kit; this is per-repo
+     *  `data`. `toolchainIsolation.allowDependencies` lists dependency names that
+     *  are exempt from the toolchain-isolation audit because they are legitimate
+     *  app-specific runtimes (e.g. `tsx` for a Pulumi program's TS loader,
+     *  `@playwright/test` imported by e2e specs), not generic toolchain. */
+    audit?: {
+        toolchainIsolation?: {
+            allowDependencies?: string[];
+        };
+    };
     rules: {
         overrides: string[];
     };

package/dist/esm/cli/commands/init/config.js CHANGED Viewed

@@ -60,6 +60,12 @@ export function readConfig(repoRoot) {
                 ...(scriptRoutes ? { scriptRoutes } : {}),
             }
             : undefined;
+        const auditConfig = parsed.audit;
+        const rawAllowDeps = auditConfig?.toolchainIsolation?.allowDependencies;
+        const allowDependencies = Array.isArray(rawAllowDeps)
+            ? rawAllowDeps.filter((s) => typeof s === 'string' && s.length > 0)
+            : [];
+        const normalizedAudit = allowDependencies.length > 0 ? { toolchainIsolation: { allowDependencies } } : undefined;
         const selectedHosts = Array.isArray(hosts?.selected)
             ? hosts.selected.filter((s) => ['codex', 'claude', 'opencode'].includes(String(s)))
             : [];
@@ -79,6 +85,7 @@ export function readConfig(repoRoot) {
             },
             ...(normalizedMcp ? { mcp: normalizedMcp } : {}),
             ...(normalizedGuard ? { guard: normalizedGuard } : {}),
+            ...(normalizedAudit ? { audit: normalizedAudit } : {}),
             rules: { overrides: overrides.filter((s) => typeof s === 'string') },
             scripts: {
                 'setup-agent': readOptionalString(scripts?.['setup-agent']),
@@ -116,12 +123,21 @@ export function mergeConfig(existing, incoming) {
             ...(mergedScriptRoutes ? { scriptRoutes: mergedScriptRoutes } : {}),
         }
         : undefined;
+    const existingAllowDeps = existing.audit?.toolchainIsolation?.allowDependencies;
+    const incomingAllowDeps = incoming.audit?.toolchainIsolation?.allowDependencies;
+    const mergedAllowDeps = existingAllowDeps || incomingAllowDeps
+        ? Array.from(new Set([...(existingAllowDeps ?? []), ...(incomingAllowDeps ?? [])])).toSorted()
+        : undefined;
+    const mergedAudit = mergedAllowDeps
+        ? { toolchainIsolation: { allowDependencies: mergedAllowDeps } }
+        : undefined;
     return {
         version: incoming.version,
         installed: { tier3Skills: tier3 },
         hosts: incoming.hosts ?? existing.hosts,
         ...(mergedMcp ? { mcp: mergedMcp } : {}),
         ...(mergedGuard ? { guard: mergedGuard } : {}),
+        ...(mergedAudit ? { audit: mergedAudit } : {}),
         rules: { overrides },
         scripts: {
             'setup-agent': incoming.scripts['setup-agent'] ?? existing.scripts['setup-agent'],

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@webpresso/agent-kit",
-  "version": "0.27.0",
+  "version": "0.28.0",
   "private": false,
   "repository": {
     "type": "git",
@@ -710,10 +710,10 @@
     "@stryker-mutator/typescript-checker": "^9.6.1",
     "@playwright/test": "^1.55.0",
     "wrangler": "^4.50.0",
-    "@webpresso/agent-kit-runtime-darwin-arm64": "0.27.0",
-    "@webpresso/agent-kit-runtime-darwin-x64": "0.27.0",
-    "@webpresso/agent-kit-runtime-linux-x64": "0.27.0",
-    "@webpresso/agent-kit-runtime-linux-arm64": "0.27.0",
-    "@webpresso/agent-kit-runtime-windows-x64": "0.27.0"
+    "@webpresso/agent-kit-runtime-darwin-arm64": "0.28.0",
+    "@webpresso/agent-kit-runtime-darwin-x64": "0.28.0",
+    "@webpresso/agent-kit-runtime-linux-x64": "0.28.0",
+    "@webpresso/agent-kit-runtime-linux-arm64": "0.28.0",
+    "@webpresso/agent-kit-runtime-windows-x64": "0.28.0"
   }
 }