avorelo 0.1.0 → 0.2.0

package/scripts/lib/agent-security/auto-policy.js

@@ -1,139 +0,0 @@
-"use strict";
-
-function hasHighRiskRelatedSource(evaluation) {
-  return Array.isArray(evaluation?.relatedSources) && evaluation.relatedSources.some((source) => source && source.instructionRisk === "high");
-}
-
-function hasQuarantinedRelatedSource(evaluation) {
-  return Array.isArray(evaluation?.relatedSources) && evaluation.relatedSources.some((source) => Array.isArray(source?.remediationActions) && source.remediationActions.includes("quarantine_source"));
-}
-
-function hasExternalDataOnlySource(evaluation) {
-  return Array.isArray(evaluation?.relatedSources) && evaluation.relatedSources.some((source) =>
-    source &&
-    source.allowedToInfluenceTools === false &&
-    ["external_untrusted", "tool_returned_untrusted", "unknown"].includes(source.trustLevel)
-  );
-}
-
-function decideAutoAction(normalizedAction, evaluation, limitPlan, adapterCapability) {
-  const adapterAvailable = Boolean(adapterCapability && adapterCapability.canEnforce);
-  const blockedBy = [];
-  const highRiskRelatedSource = hasHighRiskRelatedSource(evaluation);
-  const quarantinedRelatedSource = hasQuarantinedRelatedSource(evaluation);
-  const externalDataOnlySource = hasExternalDataOnlySource(evaluation);
-  const sourceBlocksAuto = highRiskRelatedSource || quarantinedRelatedSource || externalDataOnlySource || evaluation?.intentMismatch === "intent_mismatch";
-  const sensitiveOrMutatingAction =
-    normalizedAction.actionType === "filesystem.write" ||
-    normalizedAction.actionType === "shell.run" ||
-    normalizedAction.actionType === "network.call" ||
-    normalizedAction.actionType.startsWith("package.") ||
-    normalizedAction.actionType.startsWith("mcp.");
-  const destructiveOrSecretAction =
-    (normalizedAction.actionType === "filesystem.write" && /\.env\b|id_rsa|private.?key|credential|secret/i.test(String(normalizedAction.target || ""))) ||
-    normalizedAction.actionType === "mcp.delete" ||
-    normalizedAction.actionType === "mcp.admin" ||
-    /\bcurl\b[^\n]*\|\s*(bash|sh|pwsh|powershell)\b/i.test(String(normalizedAction.command || ""));
-
-  if (!adapterAvailable) {
-    blockedBy.push("no_adapter");
-    return {
-      autoDecision: "recommended_only",
-      confidence: "high",
-      reason: "No enforcement adapter is available for this action type.",
-      jitGrantAllowed: false,
-      enforcementRequired: false,
-      blockedBy,
-    };
-  }
-
-  if (sourceBlocksAuto && destructiveOrSecretAction) {
-    blockedBy.push("instruction_risk");
-    return {
-      autoDecision: "auto_deny",
-      confidence: "high",
-      reason: "Instruction-risk signals were detected on a related source for a secret, exfiltration, or destructive action.",
-      jitGrantAllowed: false,
-      enforcementRequired: true,
-      blockedBy,
-    };
-  }
-
-  if (sourceBlocksAuto && sensitiveOrMutatingAction) {
-    blockedBy.push("instruction_risk");
-    return {
-      autoDecision: "require_approval",
-      confidence: "high",
-      reason: "Instruction-risk signals were detected on a related source, so auto grants were disabled.",
-      jitGrantAllowed: false,
-      enforcementRequired: false,
-      blockedBy,
-    };
-  }
-
-  if (!limitPlan || !limitPlan.recommendedMode) {
-    blockedBy.push("no_limit_plan");
-    return {
-      autoDecision: "limit_plan_only",
-      confidence: "low",
-      reason: "A safe limited plan could not be produced.",
-      jitGrantAllowed: false,
-      enforcementRequired: false,
-      blockedBy,
-    };
-  }
-
-  if (limitPlan.recommendedMode === "deny") {
-    blockedBy.push("dangerous_action");
-    return {
-      autoDecision: "auto_deny",
-      confidence: "high",
-      reason: limitPlan.reason || "No safe limited version found.",
-      jitGrantAllowed: false,
-      enforcementRequired: true,
-      blockedBy,
-    };
-  }
-
-  if (limitPlan.recommendedMode === "approval-required") {
-    blockedBy.push("approval_required");
-    return {
-      autoDecision: "require_approval",
-      confidence: evaluation.riskLevel === "medium" ? "medium" : "high",
-      reason: limitPlan.reason || "Approval is required for this action.",
-      jitGrantAllowed: false,
-      enforcementRequired: false,
-      blockedBy,
-    };
-  }
-
-  const toolName = String(normalizedAction.toolName || "").toLowerCase();
-  const safeMediumMcp = normalizedAction.actionType === "mcp.write" && ["create_pull_request", "create_issue", "update_issue"].includes(toolName);
-  const safeLow = evaluation.riskLevel === "low";
-  const safeMedium = evaluation.riskLevel === "medium" && safeMediumMcp;
-
-  if ((safeLow || safeMedium) && limitPlan.recommendedMode === "limited" && limitPlan.ttlRecommendation && normalizedAction.actionType !== "unknown") {
-    return {
-      autoDecision: "auto_allow_limited",
-      confidence: safeLow ? "high" : "medium",
-      reason: limitPlan.reason || "Wuz limited this safely.",
-      jitGrantAllowed: true,
-      enforcementRequired: true,
-      blockedBy,
-    };
-  }
-
-  blockedBy.push("not_high_confidence_safe");
-  return {
-    autoDecision: "require_approval",
-    confidence: "medium",
-    reason: "This action is enforceable, but it is not obviously safe enough to auto-limit.",
-    jitGrantAllowed: false,
-    enforcementRequired: false,
-    blockedBy,
-  };
-}
-
-module.exports = {
-  decideAutoAction,
-};

package/scripts/lib/agent-security/bounded-scan.js

@@ -1,93 +0,0 @@
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const { PERFORMANCE_GUARDRAILS } = require("./performance");
-
-const DEFAULT_IGNORED_DIRS = new Set([
-  ".git",
-  "node_modules",
-  "dist",
-  "build",
-  "coverage",
-  ".next",
-  ".turbo",
-  ".cache",
-]);
-
-function normalizePath(value) {
-  return String(value || "").replace(/\\/g, "/");
-}
-
-function createBoundedScanSession(cwd, tracker, overrides = {}) {
-  const startedAt = Date.now();
-  return {
-    cwd,
-    tracker,
-    maxFiles: Number(overrides.maxFiles || PERFORMANCE_GUARDRAILS.scanMaxFiles),
-    maxFileBytes: Number(overrides.maxFileBytes || PERFORMANCE_GUARDRAILS.scanMaxFileBytes),
-    maxTotalBytes: Number(overrides.maxTotalBytes || PERFORMANCE_GUARDRAILS.scanMaxTotalBytes),
-    maxDepth: Number(overrides.maxDepth || PERFORMANCE_GUARDRAILS.scanMaxDepth),
-    maxDurationMs: Number(overrides.maxDurationMs || PERFORMANCE_GUARDRAILS.scanMaxDurationMs),
-    ignoredDirs: new Set([...(overrides.ignoredDirs || []), ...DEFAULT_IGNORED_DIRS]),
-    filesSeen: 0,
-    bytesSeen: 0,
-    shouldStop() {
-      if (Date.now() - startedAt > this.maxDurationMs) {
-        if (tracker) tracker.timeoutHit = true;
-        return true;
-      }
-      return false;
-    },
-    isDirIgnored(absDir) {
-      const rel = normalizePath(path.relative(cwd, absDir));
-      if (rel === ".claude/cco") return true;
-      if (rel === ".wasp/out") return true;
-      const base = path.basename(absDir);
-      return this.ignoredDirs.has(rel) || this.ignoredDirs.has(base);
-    },
-    canDescend(depth, absDir) {
-      if (this.isDirIgnored(absDir)) {
-        if (tracker) tracker.noteIgnoredDirectory(normalizePath(path.relative(cwd, absDir)));
-        return false;
-      }
-      if (depth >= this.maxDepth) {
-        if (tracker) tracker.maxDepthHit = true;
-        return false;
-      }
-      return !this.shouldStop();
-    },
-    canReadFile(absPath, stat) {
-      const size = Number(stat?.size || 0);
-      if (this.filesSeen >= this.maxFiles) {
-        if (tracker) tracker.maxFilesHit = true;
-        return false;
-      }
-      if (this.bytesSeen + size > this.maxTotalBytes) {
-        if (tracker) tracker.maxBytesHit = true;
-        return false;
-      }
-      if (size > this.maxFileBytes) {
-        if (tracker) tracker.noteSkippedLargeFile();
-        return false;
-      }
-      return !this.shouldStop();
-    },
-    noteFile(absPath, stat) {
-      const size = Number(stat?.size || 0);
-      this.filesSeen += 1;
-      this.bytesSeen += size;
-      if (tracker) tracker.noteFile(size);
-      return {
-        path: normalizePath(path.relative(cwd, absPath)),
-        mtimeMs: Number(stat?.mtimeMs || 0),
-        size,
-      };
-    },
-  };
-}
-
-module.exports = {
-  DEFAULT_IGNORED_DIRS,
-  createBoundedScanSession,
-};

package/scripts/lib/agent-security/enforcement-adapter.js

@@ -1,174 +0,0 @@
-"use strict";
-
-const { spawnSync } = require("child_process");
-
-const SHELL_COMMAND_ADAPTER_ID = "shell-command-v1";
-const PREVIEW_LIMIT = 400;
-
-function truncatePreview(value) {
-  const text = String(value || "");
-  if (text.length <= PREVIEW_LIMIT) return text;
-  return `${text.slice(0, PREVIEW_LIMIT)}...`;
-}
-
-function redactPreview(value) {
-  return truncatePreview(String(value || "").replace(
-    /((?:secret|token|password|api[_-]?key)[^=\n]{0,20}=)[^\s\n]+/ig,
-    "$1[redacted]"
-  ));
-}
-
-function isHardBlockedShellCommand(command) {
-  return /\b(curl|wget)\b[^\n]*\|\s*(bash|sh|pwsh|powershell)\b|\b(invoke-webrequest|invoke-restmethod|downloadstring)\b|\brm\s+-rf\b|\bdel\s+\/[qs]\b|\bremove-item\b|\bforce push\b|\bgit push\b[^\n]*--force\b/i.test(String(command || ""));
-}
-
-function touchesSensitiveShellTarget(command) {
-  return /(?:^|\s)(?:cat|type|more|copy|move|del|rm|cp|mv|sed|perl|python|node)[^\n]*(?:\.env(?:\.[^\s|&;]+)?|\.ssh|\.aws|\.gcp|\.azure|id_rsa|id_dsa|id_ed25519|secret|token|credential)/i.test(String(command || ""));
-}
-
-function touchesWorkflowShellTarget(command) {
-  return /\.github[\\/]workflows[\\/]/i.test(String(command || ""));
-}
-
-function buildShellAdapterResult(base, overrides = {}) {
-  return {
-    actionId: base.actionId,
-    componentId: base.componentId || null,
-    componentType: base.componentType || null,
-    actionType: base.actionType,
-    decision: base.decision || null,
-    adapterId: SHELL_COMMAND_ADAPTER_ID,
-    enforcementAvailable: true,
-    effectiveBehavior: "recommended_only",
-    executed: false,
-    exitCode: null,
-    stdoutPreview: "",
-    stderrPreview: "",
-    reason: "",
-    timestamp: base.timestamp,
-    ...overrides,
-  };
-}
-
-function enforceShellCommand(action, context = {}) {
-  const decisionRecord = context.decisionRecord || null;
-  const limitPlan = context.limitPlan || null;
-  const execute = context.execute === true;
-  const cwd = context.cwd;
-  const command = String(action?.command || "");
-  const executor = typeof context.executor === "function" ? context.executor : null;
-  const base = {
-    actionId: action.actionId,
-    componentId: action.componentId,
-    componentType: action.componentType,
-    actionType: action.actionType,
-    decision: decisionRecord?.decision || null,
-    timestamp: context.timestamp,
-  };
-
-  if (isHardBlockedShellCommand(command)) {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "Remote script execution or destructive shell behavior is not allowed.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit" && touchesSensitiveShellTarget(command)) {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "The limited plan does not allow touching .env, credentials, or SSH material.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit" && touchesWorkflowShellTarget(command)) {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "The limited plan does not allow workflow modification commands.",
-    });
-  }
-
-  if (decisionRecord?.decision === "deny") {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: "User denied this shell action.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode === "deny") {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: limitPlan.reason || "This shell action is not allowed by the limited plan.",
-    });
-  }
-
-  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode !== "limited") {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: "blocked",
-      reason: limitPlan?.reason || "The limited plan could not safely allow this shell command.",
-    });
-  }
-
-  if (!execute) {
-    return buildShellAdapterResult(base, {
-      effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "dry_run_only",
-      reason: decisionRecord?.decision === "let_wuz_limit"
-        ? (limitPlan?.reason || "Command is allowed only within the limited plan.")
-        : "Execution stayed in dry-run mode.",
-    });
-  }
-
-  const child = executor
-    ? executor({ command, cwd, action, decisionRecord, limitPlan })
-    : spawnSync(command, {
-      cwd,
-      shell: true,
-      windowsHide: true,
-      encoding: "utf8",
-      timeout: 30000,
-    });
-
-  const stdoutPreview = redactPreview(child?.stdout || "");
-  const stderrPreview = redactPreview(child?.stderr || child?.error?.message || "");
-  const exitCode = typeof child?.status === "number"
-    ? child.status
-    : typeof child?.exitCode === "number"
-      ? child.exitCode
-      : child?.error
-        ? 1
-        : 1;
-
-  return buildShellAdapterResult(base, {
-    effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "allowed",
-    executed: true,
-    exitCode,
-    stdoutPreview,
-    stderrPreview,
-    reason: exitCode === 0
-      ? (decisionRecord?.decision === "let_wuz_limit"
-        ? "Command executed within the limited project scope."
-        : "Approved shell command executed once.")
-      : "Shell command executed but exited with a non-zero status.",
-  });
-}
-
-const SHELL_COMMAND_ADAPTER = {
-  adapterId: SHELL_COMMAND_ADAPTER_ID,
-  canEvaluate: true,
-  canEnforce: true,
-  supportedActionTypes: ["shell.run"],
-  enforce(action, decisionRecord, limitPlan, options = {}) {
-    return enforceShellCommand(action, {
-      ...options,
-      decisionRecord,
-      limitPlan,
-    });
-  },
-};
-
-module.exports = {
-  SHELL_COMMAND_ADAPTER_ID,
-  SHELL_COMMAND_ADAPTER,
-  isHardBlockedShellCommand,
-  touchesSensitiveShellTarget,
-  touchesWorkflowShellTarget,
-};