aegis-bridge 2.9.3 → 2.10.1

package/dist/config.d.ts

@@ -68,6 +68,15 @@ export interface Config {
     /** Issue #884: Additional Claude projects directories to search during worktree fanout.
      *  Paths are expanded (~) and checked for existence before searching. */
     worktreeSiblingDirs: string[];
+    /** Issue #740: Verification Protocol — auto run quality gate after session ends.
+     *  When enabled, Aegis runs tsc + build + test after a Stop hook and emits
+     *  results via SSE (event: 'verification'). */
+    verificationProtocol: {
+        /** Auto-run verification when Stop hook fires (default: false). */
+        autoVerifyOnStop: boolean;
+        /** Run only critical checks: tsc + build (skip slow tests). Default: false = full. */
+        criticalOnly: boolean;
+    };
 }
 /** Compute stall threshold from env var or default (Issue #392).
  *  If CLAUDE_STREAM_IDLE_TIMEOUT_MS is set, uses Math.max(120000, parseInt(val) * 1.5).

package/dist/config.js

@@ -49,6 +49,7 @@ const defaults = {
     worktreeAwareContinuation: false,
     memoryBridge: { enabled: false },
     worktreeSiblingDirs: [],
+    verificationProtocol: { autoVerifyOnStop: false, criticalOnly: false },
 };
 /** Parse CLI args for --config flag */
 function getConfigPathFromArgv() {

package/dist/events.d.ts

@@ -6,7 +6,7 @@
  * The monitor pushes events; the SSE route consumes them.
  */
 export interface SessionSSEEvent {
-    event: 'status' | 'message' | 'system' | 'approval' | 'ended' | 'heartbeat' | 'stall' | 'dead' | 'hook' | 'subagent_start' | 'subagent_stop';
+    event: 'status' | 'message' | 'system' | 'approval' | 'ended' | 'heartbeat' | 'stall' | 'dead' | 'hook' | 'subagent_start' | 'subagent_stop' | 'verification';
     sessionId: string;
     timestamp: string;
     data: Record<string, unknown>;
@@ -15,8 +15,20 @@ export interface SessionSSEEvent {
     /** Issue #308: Incrementing event ID for Last-Event-ID replay. */
     id?: number;
 }
+export interface VerificationResult {
+    ok: boolean;
+    steps: {
+        name: 'tsc' | 'build' | 'test';
+        ok: boolean;
+        durationMs: number;
+        output?: string;
+        error?: string;
+    }[];
+    totalDurationMs: number;
+    summary: string;
+}
 export interface GlobalSSEEvent {
-    event: 'session_status_change' | 'session_message' | 'session_approval' | 'session_ended' | 'session_created' | 'session_stall' | 'session_dead' | 'session_subagent_start' | 'session_subagent_stop';
+    event: 'session_status_change' | 'session_message' | 'session_approval' | 'session_ended' | 'session_created' | 'session_stall' | 'session_dead' | 'session_subagent_start' | 'session_subagent_stop' | 'session_verification';
     sessionId: string;
     timestamp: string;
     data: Record<string, unknown>;
@@ -65,6 +77,8 @@ export declare class SessionEventBus {
     };
     /** Emit a status change event. */
     emitStatus(sessionId: string, status: string, detail: string): void;
+    /** Issue #740: Emit a verification result event. */
+    emitVerification(sessionId: string, result: VerificationResult): void;
     /** Emit a message event. */
     emitMessage(sessionId: string, role: string, text: string, contentType?: string, toolMeta?: {
         tool_name?: string;

package/dist/events.js

@@ -16,6 +16,7 @@ function toGlobalEvent(event) {
         approval: 'session_approval',
         ended: 'session_ended',
         heartbeat: 'session_status_change',
+        verification: 'session_verification',
         stall: 'session_stall',
         dead: 'session_dead',
         subagent_start: 'session_subagent_start',
@@ -167,6 +168,15 @@ export class SessionEventBus {
             data: { status, detail },
         });
     }
+    /** Issue #740: Emit a verification result event. */
+    emitVerification(sessionId, result) {
+        this.emit(sessionId, {
+            event: 'verification',
+            sessionId,
+            timestamp: new Date().toISOString(),
+            data: result,
+        });
+    }
     /** Emit a message event. */
     emitMessage(sessionId, role, text, contentType, toolMeta) {
         this.emit(sessionId, {

package/dist/hook-settings.js

@@ -23,7 +23,8 @@ function isRecord(value) {
     return typeof value === 'object' && value !== null && !Array.isArray(value);
 }
 function parseSettingsWithFallback(raw) {
-    const json = JSON.parse(raw);
+    // Windows editors may write UTF-8 BOM; strip it so JSON.parse does not fail.
+    const json = JSON.parse(raw.replace(/^\uFEFF/, ''));
     if (!isRecord(json))
         return undefined;
     const parsed = ccSettingsSchema.safeParse(json);

package/dist/permission-request-manager.d.ts

@@ -0,0 +1,12 @@
+export type PermissionDecision = 'allow' | 'deny';
+export declare class PermissionRequestManager {
+    private pendingPermissions;
+    waitForPermissionDecision(sessionId: string, timeoutMs?: number, toolName?: string, prompt?: string): Promise<PermissionDecision>;
+    hasPendingPermission(sessionId: string): boolean;
+    getPendingPermissionInfo(sessionId: string): {
+        toolName?: string;
+        prompt?: string;
+    } | null;
+    resolvePendingPermission(sessionId: string, decision: PermissionDecision): boolean;
+    cleanupPendingPermission(sessionId: string): void;
+}

package/dist/permission-request-manager.js

@@ -0,0 +1,36 @@
+export class PermissionRequestManager {
+    pendingPermissions = new Map();
+    waitForPermissionDecision(sessionId, timeoutMs = 10_000, toolName, prompt) {
+        return new Promise((resolve) => {
+            const timer = setTimeout(() => {
+                this.pendingPermissions.delete(sessionId);
+                console.log(`Hooks: PermissionRequest timeout for session ${sessionId} - auto-rejecting`);
+                resolve('deny');
+            }, timeoutMs);
+            this.pendingPermissions.set(sessionId, { resolve, timer, toolName, prompt });
+        });
+    }
+    hasPendingPermission(sessionId) {
+        return this.pendingPermissions.has(sessionId);
+    }
+    getPendingPermissionInfo(sessionId) {
+        const pending = this.pendingPermissions.get(sessionId);
+        return pending ? { toolName: pending.toolName, prompt: pending.prompt } : null;
+    }
+    resolvePendingPermission(sessionId, decision) {
+        const pending = this.pendingPermissions.get(sessionId);
+        if (!pending)
+            return false;
+        clearTimeout(pending.timer);
+        this.pendingPermissions.delete(sessionId);
+        pending.resolve(decision);
+        return true;
+    }
+    cleanupPendingPermission(sessionId) {
+        const pending = this.pendingPermissions.get(sessionId);
+        if (pending) {
+            clearTimeout(pending.timer);
+            this.pendingPermissions.delete(sessionId);
+        }
+    }
+}

package/dist/server.js

@@ -26,6 +26,7 @@ import { captureScreenshot, isPlaywrightAvailable } from './screenshot.js';
 import { validateScreenshotUrl, resolveAndCheckIp, buildHostResolverRule } from './ssrf.js';
 import { validateWorkDir, permissionRuleSchema } from './validation.js';
 import { SessionEventBus } from './events.js';
+import { runVerification } from './verification.js';
 import { SSEWriter } from './sse-writer.js';
 import { SSEConnectionLimiter } from './sse-limiter.js';
 import { PipelineManager } from './pipeline.js';
@@ -431,7 +432,8 @@ app.get('/v1/sessions/:id/metrics', async (req, reply) => {
 });
 // Issue #704: Tool usage endpoints
 app.get('/v1/sessions/:id/tools', async (req, reply) => {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     // Parse JSONL on-demand for tool usage
@@ -472,7 +474,8 @@ app.get('/v1/channels/health', async () => {
 });
 // Issue #87: Per-session latency metrics
 app.get('/v1/sessions/:id/latency', async (req, reply) => {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const realtimeLatency = sessions.getLatencyMetrics(req.params.id);
@@ -678,7 +681,8 @@ app.post('/v1/sessions', createSessionHandler);
 app.post('/sessions', createSessionHandler);
 // Get session (Issue #20: includes actionHints for interactive states)
 async function getSessionHandler(req, reply) {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     return addActionHints(session, sessions);
@@ -739,7 +743,8 @@ app.post('/v1/sessions/:id/send', sendMessageHandler);
 app.post('/sessions/:id/send', sendMessageHandler);
 // Issue #702: GET children sessions
 async function getChildrenHandler(req, reply) {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const children = (session.children ?? []).map(id => {
@@ -771,13 +776,15 @@ async function spawnChildHandler(req, reply) {
 app.post('/v1/sessions/:id/spawn', spawnChildHandler);
 app.post('/sessions/:id/spawn', spawnChildHandler);
 async function getPermissionPolicyHandler(req, reply) {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     return { permissionPolicy: session.permissionPolicy ?? [] };
 }
 async function updatePermissionPolicyHandler(req, reply) {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const policy = req.body ?? [];
@@ -816,7 +823,8 @@ app.post('/v1/sessions/:id/answer', async (req, reply) => {
     if (!questionId || answer === undefined || answer === null) {
         return reply.status(400).send({ error: 'questionId and answer are required' });
     }
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const resolved = sessions.submitAnswer(req.params.id, questionId, answer);
@@ -872,7 +880,8 @@ app.delete('/v1/sessions/:id', killSessionHandler);
 app.delete('/sessions/:id', killSessionHandler);
 // Capture raw pane
 async function capturePaneHandler(req, reply) {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const pane = await tmux.capturePane(session.windowId);
@@ -979,7 +988,8 @@ async function screenshotHandler(req, reply) {
     if (dnsResult.error)
         return reply.status(400).send({ error: dnsResult.error });
     // Validate session exists
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     if (!isPlaywrightAvailable()) {
@@ -1004,7 +1014,8 @@ app.post('/v1/sessions/:id/screenshot', screenshotHandler);
 app.post('/sessions/:id/screenshot', screenshotHandler);
 // SSE event stream (Issue #32)
 app.get('/v1/sessions/:id/events', async (req, reply) => {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const clientIp = req.ip;
@@ -1076,7 +1087,8 @@ app.get('/v1/sessions/:id/events', async (req, reply) => {
 // ── Claude Code Hook Endpoints (Issue #161) ─────────────────────────
 // POST /v1/sessions/:id/hooks/permission — PermissionRequest hook from CC
 app.post('/v1/sessions/:id/hooks/permission', async (req, reply) => {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const parsed = permissionHookSchema.safeParse(req.body);
@@ -1103,7 +1115,8 @@ app.post('/v1/sessions/:id/hooks/permission', async (req, reply) => {
 });
 // POST /v1/sessions/:id/hooks/stop — Stop hook from CC
 app.post('/v1/sessions/:id/hooks/stop', async (req, reply) => {
-    const session = sessions.getSession(req.params.id);
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
     if (!session)
         return reply.status(404).send({ error: 'Session not found' });
     const parsed = stopHookSchema.safeParse(req.body);
@@ -1155,6 +1168,28 @@ app.post('/v1/sessions/batch', async (req, reply) => {
     const result = await pipelines.batchCreate(specs);
     return reply.status(201).send(result);
 });
+// Issue #740: Verification Protocol — run quality gate (tsc + build + test) on a session's workDir
+app.post('/v1/sessions/:id/verify', async (req, reply) => {
+    const sessionId = req.params.id;
+    const session = sessions.getSession(sessionId);
+    if (!session)
+        return reply.status(404).send({ error: 'Session not found' });
+    const { workDir } = session;
+    if (!workDir)
+        return reply.status(400).send({ error: 'Session has no workDir' });
+    const criticalOnly = config.verificationProtocol?.criticalOnly ?? false;
+    eventBus.emitStatus(sessionId, 'working', `Running verification (criticalOnly=${criticalOnly})…`);
+    try {
+        const result = await runVerification(workDir, criticalOnly);
+        eventBus.emitVerification(sessionId, result);
+        const httpStatus = result.ok ? 200 : 422;
+        return reply.status(httpStatus).send(result);
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return reply.status(500).send({ ok: false, summary: `Verification error: ${msg}` });
+    }
+});
 // Pipeline create (Issue #36)
 app.post('/v1/pipelines', async (req, reply) => {
     const parsed = pipelineSchema.safeParse(req.body);

package/dist/session.d.ts

@@ -9,6 +9,7 @@ import { type ParsedEntry } from './transcript.js';
 import { type UIState } from './terminal-parser.js';
 import type { Config } from './config.js';
 import { type PermissionPolicy } from './validation.js';
+import { type PermissionDecision } from './permission-request-manager.js';
 export interface SessionInfo {
     id: string;
     windowId: string;
@@ -53,7 +54,7 @@ export interface SessionState {
  */
 export declare function detectApprovalMethod(paneText: string): 'numbered' | 'yes';
 /** Resolves a pending PermissionRequest hook with a decision. */
-export type PermissionDecision = 'allow' | 'deny';
+export type { PermissionDecision };
 export declare class SessionManager {
     private tmux;
     private config;
@@ -66,7 +67,7 @@ export declare class SessionManager {
     private saveQueue;
     private saveDebounceTimer;
     private static readonly SAVE_DEBOUNCE_MS;
-    private pendingPermissions;
+    private permissionRequests;
     private pendingQuestions;
     private static readonly MAX_CACHE_ENTRIES_PER_SESSION;
     private parsedEntriesCache;
@@ -247,10 +248,6 @@ export declare class SessionManager {
         toolName?: string;
         prompt?: string;
     } | null;
-    /**
-     * Resolve a pending permission. Returns true if there was a pending permission to resolve.
-     */
-    private resolvePendingPermission;
     /** Clean up any pending permission for a session (e.g. on session delete). */
     cleanupPendingPermission(sessionId: string): void;
     /**

package/dist/session.js

@@ -17,6 +17,7 @@ import { neutralizeBypassPermissions, restoreSettings, cleanOrphanedBackup } fro
 import { persistedStateSchema } from './validation.js';
 import { loadContinuationPointers } from './continuation-pointer.js';
 import { writeHookSettingsFile, cleanupHookSettingsFile, cleanupStaleSessionHooks } from './hook-settings.js';
+import { PermissionRequestManager } from './permission-request-manager.js';
 import { Mutex } from 'async-mutex';
 import { maybeInjectFault } from './fault-injection.js';
 /** Convert parsed JSON arrays to Sets for activeSubagents (#668). */
@@ -61,7 +62,7 @@ export class SessionManager {
     saveQueue = Promise.resolve(); // #218: serialize concurrent saves
     saveDebounceTimer = null;
     static SAVE_DEBOUNCE_MS = 5_000; // #357: debounce offset-only saves
-    pendingPermissions = new Map();
+    permissionRequests = new PermissionRequestManager();
     pendingQuestions = new Map();
     // #357: Cache of all parsed JSONL entries per session to avoid re-reading from offset 0
     // #424: Evict oldest entries when cache exceeds max to prevent unbounded growth
@@ -961,7 +962,7 @@ export class SessionManager {
         if (!session)
             throw new Error(`Session ${id} not found`);
         // Issue #284: Resolve pending hook-based permission first
-        if (this.resolvePendingPermission(id, 'allow')) {
+        if (this.permissionRequests.resolvePendingPermission(id, 'allow')) {
             session.lastActivity = Date.now();
             if (session.permissionPromptAt) {
                 session.permissionRespondedAt = Date.now();
@@ -983,7 +984,7 @@ export class SessionManager {
         if (!session)
             throw new Error(`Session ${id} not found`);
         // Issue #284: Resolve pending hook-based permission first
-        if (this.resolvePendingPermission(id, 'deny')) {
+        if (this.permissionRequests.resolvePendingPermission(id, 'deny')) {
             session.lastActivity = Date.now();
             if (session.permissionPromptAt) {
                 session.permissionRespondedAt = Date.now();
@@ -1008,43 +1009,19 @@ export class SessionManager {
      * @returns Promise that resolves with the client's decision
      */
     waitForPermissionDecision(sessionId, timeoutMs = 10_000, toolName, prompt) {
-        return new Promise((resolve) => {
-            const timer = setTimeout(() => {
-                this.pendingPermissions.delete(sessionId);
-                console.log(`Hooks: PermissionRequest timeout for session ${sessionId} — auto-rejecting`);
-                resolve('deny');
-            }, timeoutMs);
-            this.pendingPermissions.set(sessionId, { resolve, timer, toolName, prompt });
-        });
+        return this.permissionRequests.waitForPermissionDecision(sessionId, timeoutMs, toolName, prompt);
     }
     /** Check if a session has a pending permission request. */
     hasPendingPermission(sessionId) {
-        return this.pendingPermissions.has(sessionId);
+        return this.permissionRequests.hasPendingPermission(sessionId);
     }
     /** Get info about a pending permission (for API responses). */
     getPendingPermissionInfo(sessionId) {
-        const pending = this.pendingPermissions.get(sessionId);
-        return pending ? { toolName: pending.toolName, prompt: pending.prompt } : null;
-    }
-    /**
-     * Resolve a pending permission. Returns true if there was a pending permission to resolve.
-     */
-    resolvePendingPermission(sessionId, decision) {
-        const pending = this.pendingPermissions.get(sessionId);
-        if (!pending)
-            return false;
-        clearTimeout(pending.timer);
-        this.pendingPermissions.delete(sessionId);
-        pending.resolve(decision);
-        return true;
+        return this.permissionRequests.getPendingPermissionInfo(sessionId);
     }
     /** Clean up any pending permission for a session (e.g. on session delete). */
     cleanupPendingPermission(sessionId) {
-        const pending = this.pendingPermissions.get(sessionId);
-        if (pending) {
-            clearTimeout(pending.timer);
-            this.pendingPermissions.delete(sessionId);
-        }
+        this.permissionRequests.cleanupPendingPermission(sessionId);
     }
     /**
      * Issue #336: Store a pending AskUserQuestion and return a promise that

package/dist/verification.d.ts

@@ -0,0 +1,2 @@
+import type { VerificationResult } from './events.js';
+export declare function runVerification(workDir: string, criticalOnly?: boolean): Promise<VerificationResult>;

package/dist/verification.js

@@ -0,0 +1,72 @@
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import { join } from 'path';
+import { statSync } from 'fs';
+const execAsync = promisify(exec);
+async function runCmd(cmd, { cwd, timeoutMs }) {
+    try {
+        const { stdout, stderr } = await execAsync(cmd, { cwd, timeout: Math.floor(timeoutMs / 1000), killSignal: 'SIGKILL' });
+        return { stdout, stderr, exitCode: 0 };
+    }
+    catch (e) {
+        const err = e;
+        return { stdout: err.stdout ?? '', stderr: err.stderr ?? '', exitCode: err.code ?? 1 };
+    }
+}
+export async function runVerification(workDir, criticalOnly = false) {
+    const start = Date.now();
+    const hasPackageJson = statSync(join(workDir, 'package.json')).isFile();
+    if (!hasPackageJson) {
+        return {
+            ok: false,
+            steps: [],
+            totalDurationMs: Date.now() - start,
+            summary: 'No package.json found — cannot verify',
+        };
+    }
+    const steps = [];
+    const timeoutMs = 120_000;
+    // Step 1: tsc
+    const tscStart = Date.now();
+    const tscResult = await runCmd('npx tsc --noEmit', { cwd: workDir, timeoutMs });
+    const tscDuration = Date.now() - tscStart;
+    const tscOk = tscResult.exitCode === 0;
+    steps.push({
+        name: 'tsc',
+        ok: tscOk,
+        durationMs: tscDuration,
+        output: tscResult.stdout.slice(0, 2000),
+        error: tscOk ? undefined : (tscResult.stderr || tscResult.stdout).slice(0, 2000),
+    });
+    // Step 2: build
+    const buildStart = Date.now();
+    const buildResult = await runCmd('npm run build', { cwd: workDir, timeoutMs });
+    const buildDuration = Date.now() - buildStart;
+    const buildOk = buildResult.exitCode === 0;
+    steps.push({
+        name: 'build',
+        ok: buildOk,
+        durationMs: buildDuration,
+        output: buildResult.stdout.slice(0, 2000),
+        error: buildOk ? undefined : (buildResult.stderr || buildResult.stdout).slice(0, 2000),
+    });
+    // Step 3: test (unless criticalOnly)
+    let testOk = true;
+    if (!criticalOnly) {
+        const testStart = Date.now();
+        const testResult = await runCmd('npm test', { cwd: workDir, timeoutMs: 180_000 });
+        const testDuration = Date.now() - testStart;
+        testOk = testResult.exitCode === 0;
+        steps.push({ name: 'test', ok: testOk, durationMs: testDuration, output: testResult.stdout.slice(0, 2000), error: testOk ? undefined : (testResult.stderr || testResult.stdout).slice(0, 2000) });
+    }
+    const ok = tscOk && buildOk && (!criticalOnly || testOk);
+    const totalDurationMs = Date.now() - start;
+    const summary = ok
+        ? `Verification passed: tsc ✅, build ✅${criticalOnly ? '' : ', test ✅'} (${totalDurationMs}ms)`
+        : `Verification failed: ${[
+            !tscOk ? 'tsc ❌' : '',
+            !buildOk ? 'build ❌' : '',
+            !criticalOnly && !testOk ? 'test ❌' : '',
+        ].filter(Boolean).join(', ')} (${totalDurationMs}ms)`;
+    return { ok, steps, totalDurationMs, summary };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegis-bridge",
-  "version": "2.9.3",
+  "version": "2.10.1",
   "type": "module",
   "description": "Orchestrate Claude Code sessions via API. Create, brief, monitor, refine, ship.",
   "main": "dist/server.js",