@wrongstack/core 0.267.0 → 0.269.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-bridge-STJ3JwwK.d.ts → agent-bridge-PcHQl_UQ.d.ts} +1 -1
- package/dist/{agent-subagent-runner-CzPGP3jA.d.ts → agent-subagent-runner-SHJW7t8q.d.ts} +8 -8
- package/dist/{brain-Cdg77tVN.d.ts → brain-BYcK__Ym.d.ts} +1 -1
- package/dist/{compactor-iMZ84CXq.d.ts → compactor-C2RKEBtC.d.ts} +1 -1
- package/dist/{config-Du3pYYln.d.ts → config-C_ae2k86.d.ts} +79 -2
- package/dist/{context-dT5Ueund.d.ts → context-Dp87Bcaq.d.ts} +47 -1
- package/dist/coordination/index.d.ts +62 -160
- package/dist/coordination/index.js +566 -149
- package/dist/coordination/index.js.map +1 -1
- package/dist/defaults/index.d.ts +26 -25
- package/dist/defaults/index.js +366 -137
- package/dist/defaults/index.js.map +1 -1
- package/dist/execution/index.d.ts +72 -16
- package/dist/execution/index.js +267 -55
- package/dist/execution/index.js.map +1 -1
- package/dist/execution/prompt-enhancer.d.ts +1 -1
- package/dist/extension/index.d.ts +7 -6
- package/dist/global-mailbox-Bvrz1P3f.d.ts +664 -0
- package/dist/{goal-preamble-SulMTowG.d.ts → goal-preamble-CA_4yiGQ.d.ts} +9 -9
- package/dist/{goal-store-CABDwdFE.d.ts → goal-store-DhuJoUNG.d.ts} +1 -1
- package/dist/hq/index.d.ts +204 -0
- package/dist/hq/index.js +1931 -0
- package/dist/hq/index.js.map +1 -0
- package/dist/{index-DtCVWel4.d.ts → index-CZQ6Pwbs.d.ts} +8 -8
- package/dist/{index-Bms0m4oy.d.ts → index-W4VJCzHa.d.ts} +5 -5
- package/dist/{index-IEuxQd-E.d.ts → index-whDfTANu.d.ts} +2 -2
- package/dist/index.d.ts +46 -42
- package/dist/index.js +3472 -1651
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +6 -6
- package/dist/infrastructure/index.js +48 -21
- package/dist/infrastructure/index.js.map +1 -1
- package/dist/kernel/index.d.ts +10 -9
- package/dist/{pipeline-BfD2k1rT.d.ts → mailbox-types-Ct2hJq0P.d.ts} +1 -244
- package/dist/{mcp-servers-C2cBTxUR.d.ts → mcp-servers-DJdZiRcv.d.ts} +10 -4
- package/dist/models/index.d.ts +5 -5
- package/dist/models/index.js +4 -3
- package/dist/models/index.js.map +1 -1
- package/dist/{models-registry-BqGZNJQ-.d.ts → models-registry-C3a-2-Yd.d.ts} +1 -1
- package/dist/{multi-agent-coordinator-B8R43uPz.d.ts → multi-agent-coordinator-CJSpTe5O.d.ts} +1 -1
- package/dist/{null-fleet-bus-CnXa5oTH.d.ts → null-fleet-bus-QVshIsDx.d.ts} +6 -6
- package/dist/observability/index.d.ts +2 -2
- package/dist/{parallel-eternal-engine-DdNnw9BQ.d.ts → parallel-eternal-engine-D9y5Pkcc.d.ts} +9 -15
- package/dist/{path-resolver-COIMLCQL.d.ts → path-resolver-CnQ8SIfh.d.ts} +4 -3
- package/dist/{permission-B75JAi3-.d.ts → permission-CvYQNUqZ.d.ts} +1 -1
- package/dist/{permission-policy-DlR9eJAM.d.ts → permission-policy-D5Ss8j4B.d.ts} +2 -3
- package/dist/pipeline-l_zzFRh3.d.ts +245 -0
- package/dist/{plan-templates-DSIKCXZN.d.ts → plan-templates-NtPgyeJA.d.ts} +6 -5
- package/dist/{provider-model-resolve-BNRsNuJx.d.ts → provider-model-resolve-d5poT5y0.d.ts} +3 -3
- package/dist/{provider-runner-CX7iIvox.d.ts → provider-runner-gkctlQV_.d.ts} +3 -3
- package/dist/{retry-policy-BilV1ujH.d.ts → retry-policy-CtFhfwa8.d.ts} +1 -1
- package/dist/sdd/index.d.ts +9 -8
- package/dist/sdd/index.js +33 -3
- package/dist/sdd/index.js.map +1 -1
- package/dist/{secret-vault-gkvEZZfE.d.ts → secret-vault-BLsVmTIK.d.ts} +1 -1
- package/dist/security/index.d.ts +5 -5
- package/dist/security/index.js +39 -29
- package/dist/security/index.js.map +1 -1
- package/dist/{selector-Bc7eWtT3.d.ts → selector-CXl2_y9W.d.ts} +1 -1
- package/dist/{session-event-bridge-D-araDEz.d.ts → session-event-bridge-Ccud20CC.d.ts} +1 -1
- package/dist/{session-reader-D7Dapswh.d.ts → session-reader-ZeXQmsmE.d.ts} +1 -1
- package/dist/skills/index.js.map +1 -1
- package/dist/storage/index.d.ts +16 -12
- package/dist/storage/index.js +273 -100
- package/dist/storage/index.js.map +1 -1
- package/dist/tools/index.d.ts +2 -2
- package/dist/tools/index.js +166 -31
- package/dist/tools/index.js.map +1 -1
- package/dist/types/index.d.ts +22 -21
- package/dist/types/index.js +178 -70
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +22 -3
- package/dist/utils/index.js +197 -25
- package/dist/utils/index.js.map +1 -1
- package/package.json +5 -1
- package/skills/chimera/SKILL.md +1 -1
- package/skills/typescript-strict/SKILL.md +3 -3
- package/skills/typescript-strict/SKILL.save.md +1 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { S as SecretScrubber } from './permission-
|
|
1
|
+
import { S as SecretScrubber } from './permission-CvYQNUqZ.js';
|
|
2
2
|
import { L as Logger } from './logger-B63L5bTg.js';
|
|
3
3
|
import { R as RotatableSecretVault, S as SecretVault } from './secret-vault-BAKpgFw_.js';
|
|
4
4
|
|
package/dist/security/index.d.ts
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
export { a as DefaultSecretScrubber, D as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted, b as rotateConfigKeys } from '../secret-vault-
|
|
2
|
-
export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-
|
|
3
|
-
export { D as DANGEROUS_FOR_SUBAGENTS, T as ToolCapabilities, a as ToolCapability, g as getDangerousCapabilities, h as hasCapability, b as hasDangerousCapabilityForSubagents } from '../index-
|
|
4
|
-
import '../permission-
|
|
5
|
-
import '../context-
|
|
1
|
+
export { a as DefaultSecretScrubber, D as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted, b as rotateConfigKeys } from '../secret-vault-BLsVmTIK.js';
|
|
2
|
+
export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-D5Ss8j4B.js';
|
|
3
|
+
export { D as DANGEROUS_FOR_SUBAGENTS, T as ToolCapabilities, a as ToolCapability, g as getDangerousCapabilities, h as hasCapability, b as hasDangerousCapabilityForSubagents } from '../index-whDfTANu.js';
|
|
4
|
+
import '../permission-CvYQNUqZ.js';
|
|
5
|
+
import '../context-Dp87Bcaq.js';
|
|
6
6
|
import '../logger-B63L5bTg.js';
|
|
7
7
|
import '../secret-vault-BAKpgFw_.js';
|
|
8
8
|
import '../input-reader-E-ffP2ee.js';
|
package/dist/security/index.js
CHANGED
|
@@ -395,6 +395,41 @@ function safeParse(input, maxBytes = 5e6) {
|
|
|
395
395
|
}
|
|
396
396
|
}
|
|
397
397
|
|
|
398
|
+
// src/utils/tool-subject.ts
|
|
399
|
+
var GLOB_METACHARACTERS = /[*?[\]]/g;
|
|
400
|
+
function escapeGlobSubject(value) {
|
|
401
|
+
return value.replace(GLOB_METACHARACTERS, (char) => `\\${char}`);
|
|
402
|
+
}
|
|
403
|
+
function normalizePathSubject(value) {
|
|
404
|
+
return escapeGlobSubject(value.replace(/\\/g, "/"));
|
|
405
|
+
}
|
|
406
|
+
function isPathSubjectKey(subjectKey) {
|
|
407
|
+
return subjectKey === "path" || subjectKey === "file" || subjectKey === "files";
|
|
408
|
+
}
|
|
409
|
+
function subjectForToolInput(toolName, input, subjectKey) {
|
|
410
|
+
if (!input || typeof input !== "object") return void 0;
|
|
411
|
+
const obj = input;
|
|
412
|
+
if (subjectKey) {
|
|
413
|
+
const value = obj[subjectKey];
|
|
414
|
+
if (typeof value === "string") {
|
|
415
|
+
return isPathSubjectKey(subjectKey) ? normalizePathSubject(value) : escapeGlobSubject(value);
|
|
416
|
+
}
|
|
417
|
+
}
|
|
418
|
+
if (toolName === "bash" && typeof obj.command === "string") {
|
|
419
|
+
return escapeGlobSubject(obj.command);
|
|
420
|
+
}
|
|
421
|
+
if (typeof obj.path === "string") {
|
|
422
|
+
return normalizePathSubject(obj.path);
|
|
423
|
+
}
|
|
424
|
+
if (typeof obj.url === "string") {
|
|
425
|
+
return escapeGlobSubject(obj.url);
|
|
426
|
+
}
|
|
427
|
+
if (typeof obj.name === "string") {
|
|
428
|
+
return escapeGlobSubject(obj.name);
|
|
429
|
+
}
|
|
430
|
+
return void 0;
|
|
431
|
+
}
|
|
432
|
+
|
|
398
433
|
// src/types/errors.ts
|
|
399
434
|
var ERROR_CODES = {
|
|
400
435
|
// Provider
|
|
@@ -1167,7 +1202,7 @@ var DefaultPermissionPolicy = class {
|
|
|
1167
1202
|
if (!this.loaded) await this.reload();
|
|
1168
1203
|
const namespaceEntry = this.findNamespaceEntry(tool.name);
|
|
1169
1204
|
const entry = this.policy[tool.name] ?? namespaceEntry;
|
|
1170
|
-
const subject =
|
|
1205
|
+
const subject = subjectForToolInput(tool.name, input, tool.subjectKey);
|
|
1171
1206
|
const cacheKey = `${tool.name}::${subject ?? tool.name}`;
|
|
1172
1207
|
if (tool.name !== "write") {
|
|
1173
1208
|
const cached = this._evalCache.get(cacheKey);
|
|
@@ -1349,32 +1384,6 @@ var DefaultPermissionPolicy = class {
|
|
|
1349
1384
|
this.sessionAllowed.set(`${rule.tool}::${rule.pattern}`, true);
|
|
1350
1385
|
this._evalCache.clear();
|
|
1351
1386
|
}
|
|
1352
|
-
subjectFor(toolName, input, subjectKey) {
|
|
1353
|
-
if (!input || typeof input !== "object") return void 0;
|
|
1354
|
-
const obj = input;
|
|
1355
|
-
const globChars = /[*?[\]]/g;
|
|
1356
|
-
const escapeGlob = (s) => s.replace(globChars, (c) => `\\${c}`);
|
|
1357
|
-
const normalizePath = (s) => escapeGlob(s.replace(/\\/g, "/"));
|
|
1358
|
-
if (subjectKey) {
|
|
1359
|
-
const v = obj[subjectKey];
|
|
1360
|
-
if (typeof v === "string") {
|
|
1361
|
-
return subjectKey === "path" || subjectKey === "file" || subjectKey === "files" ? normalizePath(v) : escapeGlob(v);
|
|
1362
|
-
}
|
|
1363
|
-
}
|
|
1364
|
-
if (toolName === "bash" && typeof obj.command === "string") {
|
|
1365
|
-
return escapeGlob(obj.command);
|
|
1366
|
-
}
|
|
1367
|
-
if (typeof obj.path === "string") {
|
|
1368
|
-
return normalizePath(obj.path);
|
|
1369
|
-
}
|
|
1370
|
-
if (typeof obj.url === "string") {
|
|
1371
|
-
return escapeGlob(obj.url);
|
|
1372
|
-
}
|
|
1373
|
-
if (typeof obj.name === "string") {
|
|
1374
|
-
return escapeGlob(obj.name);
|
|
1375
|
-
}
|
|
1376
|
-
return void 0;
|
|
1377
|
-
}
|
|
1378
1387
|
findNamespaceEntry(toolName) {
|
|
1379
1388
|
for (const { pattern, value } of this.wildcardEntries) {
|
|
1380
1389
|
if (matchGlob(pattern, toolName)) return value;
|
|
@@ -1397,12 +1406,13 @@ var AutoApprovePermissionPolicy = class _AutoApprovePermissionPolicy {
|
|
|
1397
1406
|
const caps = tool.capabilities ?? [];
|
|
1398
1407
|
const hasAllowedCap = caps.some((c) => this.allowedCapabilities.includes(c));
|
|
1399
1408
|
const isMcp = _AutoApprovePermissionPolicy.isMcpTool(tool.name);
|
|
1409
|
+
const mcpProxyAllowed = this.allowedCapabilities.includes(ToolCapabilities.MCP_PROXY);
|
|
1400
1410
|
const dangerousNotAllowed = getDangerousCapabilities(tool).filter(
|
|
1401
1411
|
(c) => !this.allowedCapabilities.includes(c)
|
|
1402
1412
|
);
|
|
1403
|
-
const blocked = tool.permission === "deny" || isMcp || !hasAllowedCap || dangerousNotAllowed.length > 0;
|
|
1413
|
+
const blocked = tool.permission === "deny" || isMcp && !mcpProxyAllowed || !hasAllowedCap || dangerousNotAllowed.length > 0;
|
|
1404
1414
|
if (blocked) {
|
|
1405
|
-
const reason = isMcp ? `MCP tool ${tool.name} is not auto-approved for subagents \u2014 ask the leader to allow
|
|
1415
|
+
const reason = isMcp && !mcpProxyAllowed ? `MCP tool ${tool.name} is not auto-approved for subagents \u2014 ask the leader to allow mcp.proxy explicitly` : tool.permission === "deny" ? "tool default deny" : dangerousNotAllowed.length > 0 ? `tool requires un-granted dangerous capability (needs: ${dangerousNotAllowed.join(", ")}, allowed: ${this.allowedCapabilities.join(", ")})` : `tool lacks allowed capability (has: ${caps.join(", ") || "none"}, allowed: ${this.allowedCapabilities.join(", ")})`;
|
|
1406
1416
|
return {
|
|
1407
1417
|
permission: "deny",
|
|
1408
1418
|
source: "subagent_guard",
|