avorelo 0.1.0 → 0.3.0

package/scripts/lib/tokenish.js

@@ -1,17 +0,0 @@
-"use strict";
-
-function summarizeLargeObject(obj) {
-  let s = "";
-  try {
-    s = JSON.stringify(obj);
-  } catch {
-    s = String(obj);
-  }
-  const bytes = Buffer.byteLength(s, "utf8");
-  if (bytes < 20000) return null;
-
-  const preview = s.slice(0, 2000) + "\n... (truncated)\n";
-  return { isLarge: true, bytes, preview };
-}
-
-module.exports = { summarizeLargeObject };

package/scripts/lib/tool-output-sandbox.js

@@ -1,304 +0,0 @@
-"use strict";
-
-// ── Tool Output Sandbox ───────────────────────────────────────────────────────
-//
-// Summarizes raw tool output before it enters context/proof/ledger.
-// Raw output is stored as artifacts; compact summaries enter context.
-//
-// Contracts:
-//   avorelo.toolOutputSandbox.v1
-//   avorelo.toolOutputBudget.v1
-//
-// Non-goals: executing commands, replacing proof, hiding failures.
-// Rules:
-//   - failure-first summarization
-//   - preserve failing test names + first relevant errors
-//   - strip ANSI codes
-//   - redact secrets/env-like values
-//   - max summary size enforced
-//   - debug references artifact path, not raw dump
-
-const fs = require("node:fs");
-const path = require("node:path");
-const { nowIso } = require("./fsx");
-const { appendProductLearningEvent } = require("./product-learning-events");
-
-const CONTRACT = "avorelo.toolOutputSandbox.v1";
-const BUDGET_CONTRACT = "avorelo.toolOutputBudget.v1";
-const SCHEMA_VERSION = 1;
-
-const TOOL_OUTPUT_DIR_REL = ".claude/cco/orchestration/tool-output";
-const LATEST_SUMMARY_REL = `${TOOL_OUTPUT_DIR_REL}/latest-summary.json`;
-
-const MAX_SUMMARY_CHARS = 4000;
-const MAX_ARTIFACT_BYTES = 10 * 1024 * 1024; // 10 MB cap on artifact write
-const MAX_LINES_CAPTURED = 50; // max lines in summary
-
-// ── ANSI / secret stripping ───────────────────────────────────────────────────
-
-const ANSI_RE = /\x1b\[[0-9;]*[a-zA-Z]/g;
-
-function stripAnsi(text) {
-  return text.replace(ANSI_RE, "");
-}
-
-// Redact patterns: env vars, tokens, passwords, keys in output text
-const SECRET_PATTERNS = [
-  /\b(password|passwd|secret|token|api[_-]?key|auth[_-]?key|private[_-]?key|access[_-]?token)\s*[:=]\s*\S+/gi,
-  /\b[A-Z0-9]{32,}\b/g,         // long uppercase hex strings (tokens)
-  /ghp_[A-Za-z0-9]{36,}/g,       // GitHub PATs
-  /sk-[A-Za-z0-9]{32,}/g,        // OpenAI/Anthropic keys
-  /-----BEGIN [A-Z ]+KEY-----/g,  // PEM blocks
-];
-
-function redactSecrets(text) {
-  let out = text;
-  for (const re of SECRET_PATTERNS) {
-    out = out.replace(re, "[REDACTED]");
-  }
-  return out;
-}
-
-function sanitize(text) {
-  return redactSecrets(stripAnsi(String(text || "")));
-}
-
-// ── Output kind classification ────────────────────────────────────────────────
-
-const SUPPORTED_KINDS = ["test", "build", "lint", "git_diff", "git_status", "rg_search", "log", "json", "generic"];
-
-function classifyToolOutput(kind, output, options = {}) {
-  const k = kind && SUPPORTED_KINDS.includes(kind) ? kind : "generic";
-  const raw = sanitize(output);
-  const lineCount = raw.split("\n").length;
-  const charCount = raw.length;
-  return { kind: k, lineCount, charCount, oversized: charCount > MAX_SUMMARY_CHARS * 5 };
-}
-
-// ── Kind-specific summarizers ─────────────────────────────────────────────────
-
-function summarizeTest(raw) {
-  const lines = raw.split("\n");
-  const failures = lines.filter((l) => /\b(FAIL|✗|×|not ok|Error:|AssertionError|▶ |failed)\b/i.test(l));
-  const summary = lines.filter((l) => /\b(passing|failing|pending|skipped|Tests:|Duration)\b/i.test(l));
-  const stackLines = [];
-  let inStack = false;
-  for (const l of lines) {
-    if (/^\s+at /.test(l)) { inStack = true; stackLines.push(l); }
-    else if (inStack && l.trim() === "") { inStack = false; }
-  }
-  const parts = [];
-  if (summary.length) parts.push(summary.slice(0, 3).join("\n"));
-  if (failures.length) parts.push("Failures:\n" + failures.slice(0, 10).join("\n"));
-  if (stackLines.length) parts.push("Stack (first 5):\n" + stackLines.slice(0, 5).join("\n"));
-  return parts.join("\n---\n") || lines.slice(0, 10).join("\n");
-}
-
-function summarizeBuild(raw) {
-  const lines = raw.split("\n");
-  const errors = lines.filter((l) => /\b(error|Error|ERROR|failed|FAILED)\b/.test(l));
-  const warnings = lines.filter((l) => /\b(warn|WARN|warning)\b/i.test(l));
-  const last = lines.filter((l) => l.trim()).slice(-5);
-  const parts = [];
-  if (errors.length) parts.push("Errors:\n" + errors.slice(0, 8).join("\n"));
-  else if (warnings.length) parts.push("Warnings:\n" + warnings.slice(0, 5).join("\n"));
-  if (last.length) parts.push("Last lines:\n" + last.join("\n"));
-  return parts.join("\n---\n") || lines.slice(0, 10).join("\n");
-}
-
-function summarizeLint(raw) {
-  const lines = raw.split("\n");
-  const errors = lines.filter((l) => /\berror\b/i.test(l));
-  const warnings = lines.filter((l) => /\bwarning\b/i.test(l));
-  const parts = [];
-  if (errors.length) parts.push(`${errors.length} error(s):\n` + errors.slice(0, 8).join("\n"));
-  if (warnings.length) parts.push(`${warnings.length} warning(s) (first 3):\n` + warnings.slice(0, 3).join("\n"));
-  return parts.join("\n---\n") || lines.slice(0, 10).join("\n");
-}
-
-function summarizeGitDiff(raw) {
-  const lines = raw.split("\n");
-  const fileLines = lines.filter((l) => /^diff --git|^\+\+\+|^---/.test(l));
-  const statLines = lines.filter((l) => /\|\s+\d+/.test(l));
-  const parts = [];
-  if (statLines.length) parts.push("Changed files:\n" + statLines.slice(0, 20).join("\n"));
-  else if (fileLines.length) parts.push("Files:\n" + fileLines.slice(0, 20).join("\n"));
-  parts.push(`Total lines: ${lines.length}`);
-  return parts.join("\n---\n");
-}
-
-function summarizeGitStatus(raw) {
-  const lines = raw.split("\n").filter((l) => l.trim());
-  return lines.slice(0, 30).join("\n");
-}
-
-function summarizeRgSearch(raw) {
-  const lines = raw.split("\n").filter((l) => l.trim());
-  const fileMatches = new Set(lines.map((l) => l.split(":")[0]).filter(Boolean));
-  return `${fileMatches.size} file(s) matched, ${lines.length} result(s)\n` + lines.slice(0, 20).join("\n");
-}
-
-function summarizeLog(raw) {
-  const lines = raw.split("\n");
-  const errors = lines.filter((l) => /\b(error|ERROR|FATAL|fatal|critical)\b/.test(l));
-  const warns = lines.filter((l) => /\b(warn|WARN|WARNING)\b/.test(l));
-  const parts = [];
-  if (errors.length) parts.push("Errors:\n" + errors.slice(0, 5).join("\n"));
-  if (warns.length) parts.push("Warnings:\n" + warns.slice(0, 5).join("\n"));
-  parts.push("Last lines:\n" + lines.filter((l) => l.trim()).slice(-5).join("\n"));
-  return parts.join("\n---\n");
-}
-
-function summarizeJson(raw) {
-  try {
-    const obj = JSON.parse(raw);
-    const keys = Object.keys(obj).slice(0, 10);
-    return `JSON object with keys: ${keys.join(", ")} (${raw.length} chars total)`;
-  } catch {
-    return `JSON-like output (${raw.length} chars, parse failed)`;
-  }
-}
-
-function summarizeGeneric(raw) {
-  const lines = raw.split("\n").filter((l) => l.trim());
-  return lines.slice(0, MAX_LINES_CAPTURED).join("\n");
-}
-
-function summarizeByKind(kind, raw) {
-  switch (kind) {
-    case "test": return summarizeTest(raw);
-    case "build": return summarizeBuild(raw);
-    case "lint": return summarizeLint(raw);
-    case "git_diff": return summarizeGitDiff(raw);
-    case "git_status": return summarizeGitStatus(raw);
-    case "rg_search": return summarizeRgSearch(raw);
-    case "log": return summarizeLog(raw);
-    case "json": return summarizeJson(raw);
-    default: return summarizeGeneric(raw);
-  }
-}
-
-// ── Main summarizer ───────────────────────────────────────────────────────────
-
-function summarizeToolOutput(output, options = {}) {
-  const kind = options.kind || "generic";
-  const raw = sanitize(output);
-  const summary = summarizeByKind(kind, raw);
-  const truncated = summary.length > MAX_SUMMARY_CHARS ? summary.slice(0, MAX_SUMMARY_CHARS) + "\n[summary truncated]" : summary;
-  return {
-    kind,
-    summaryChars: truncated.length,
-    rawChars: raw.length,
-    summary: truncated,
-    oversized: raw.length > MAX_SUMMARY_CHARS * 5,
-  };
-}
-
-// ── Artifact write ────────────────────────────────────────────────────────────
-
-function writeRawToolOutputArtifact(cwd, output, metadata = {}, options = {}) {
-  const dir = path.join(cwd, TOOL_OUTPUT_DIR_REL);
-  fs.mkdirSync(dir, { recursive: true });
-  const ts = Date.now();
-  const kind = metadata.kind || "generic";
-  const filename = `${ts}-${kind}.txt`;
-  const abs = path.join(dir, filename);
-  const raw = sanitize(output);
-  if (raw.length > MAX_ARTIFACT_BYTES) {
-    fs.writeFileSync(abs, raw.slice(0, MAX_ARTIFACT_BYTES) + "\n[artifact truncated]", "utf8");
-  } else {
-    fs.writeFileSync(abs, raw, "utf8");
-  }
-  try {
-    appendProductLearningEvent(cwd, "raw_tool_output_artifact_written", {
-      kind,
-      rawChars: raw.length,
-      artifactPath: path.relative(cwd, abs),
-    });
-  } catch {}
-  return path.relative(cwd, abs);
-}
-
-// ── Build sandbox result ──────────────────────────────────────────────────────
-
-function buildToolOutputSandboxResult(cwd, input = {}, options = {}) {
-  const { output, kind, writeArtifact = true } = input;
-  const classification = classifyToolOutput(kind, output, options);
-  const summaryResult = summarizeToolOutput(output, { kind: classification.kind });
-
-  let artifactRef = null;
-  if (writeArtifact && classification.oversized) {
-    try {
-      artifactRef = writeRawToolOutputArtifact(cwd, output, { kind: classification.kind });
-    } catch {}
-  }
-
-  return {
-    contract: CONTRACT,
-    schemaVersion: SCHEMA_VERSION,
-    createdAt: nowIso(),
-    kind: classification.kind,
-    rawChars: classification.charCount,
-    summaryChars: summaryResult.summaryChars,
-    summary: summaryResult.summary,
-    oversized: classification.oversized,
-    artifactRef,
-    redacted: true,
-  };
-}
-
-function enforceToolOutputBudget(result, options = {}) {
-  const maxChars = options.maxChars || MAX_SUMMARY_CHARS;
-  if (result.summaryChars > maxChars) {
-    return {
-      ...result,
-      summary: result.summary.slice(0, maxChars) + "\n[budget enforced]",
-      summaryChars: maxChars,
-      budgetEnforced: true,
-    };
-  }
-  return { ...result, budgetEnforced: false };
-}
-
-function formatToolOutputSummary(result, options = {}) {
-  const lines = [`Tool Output [${result.kind}]`];
-  if (result.artifactRef) lines.push(`  Raw artifact: ${result.artifactRef}`);
-  lines.push(`  Raw: ${result.rawChars} chars → Summary: ${result.summaryChars} chars`);
-  lines.push(result.summary);
-  return lines.join("\n");
-}
-
-function writeSandboxSummary(cwd, result) {
-  const dir = path.join(cwd, TOOL_OUTPUT_DIR_REL);
-  fs.mkdirSync(dir, { recursive: true });
-  const abs = path.join(cwd, LATEST_SUMMARY_REL);
-  fs.writeFileSync(abs, JSON.stringify(result, null, 2), "utf8");
-  try {
-    appendProductLearningEvent(cwd, "tool_output_sandbox_summary_written", {
-      kind: result.kind,
-      rawChars: result.rawChars,
-      summaryChars: result.summaryChars,
-      oversized: result.oversized,
-    });
-  } catch {}
-  return abs;
-}
-
-module.exports = {
-  CONTRACT,
-  BUDGET_CONTRACT,
-  SCHEMA_VERSION,
-  TOOL_OUTPUT_DIR_REL,
-  LATEST_SUMMARY_REL,
-  SUPPORTED_KINDS,
-  sanitize,
-  stripAnsi,
-  redactSecrets,
-  classifyToolOutput,
-  summarizeToolOutput,
-  writeRawToolOutputArtifact,
-  buildToolOutputSandboxResult,
-  enforceToolOutputBudget,
-  formatToolOutputSummary,
-  writeSandboxSummary,
-};

package/scripts/lib/trust-audit.js

@@ -1,136 +0,0 @@
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-function sha256(content) {
-  return crypto.createHash("sha256").update(content).digest("hex");
-}
-
-function hashFile(absPath) {
-  const data = fs.readFileSync(absPath);
-  return sha256(data);
-}
-
-function walkFiles(absDir, relRoot, out) {
-  if (!fs.existsSync(absDir)) return;
-  const entries = fs.readdirSync(absDir, { withFileTypes: true });
-  entries.forEach((e) => {
-    const abs = path.join(absDir, e.name);
-    const rel = path.posix.join(relRoot, e.name).replace(/\\/g, "/");
-    if (e.isDirectory()) {
-      walkFiles(abs, rel, out);
-      return;
-    }
-    if (!e.isFile()) return;
-    if (!/\.(md|json|js|ts)$/i.test(e.name)) return;
-    out.push({ rel, abs });
-  });
-}
-
-function collectTrustTargets(cwd) {
-  const out = [];
-  const roots = [
-    { rel: ".claude-plugin", abs: path.join(cwd, ".claude-plugin") },
-    { rel: "hooks", abs: path.join(cwd, "hooks") },
-    { rel: "skills", abs: path.join(cwd, "skills") },
-    { rel: "agents", abs: path.join(cwd, "agents") },
-    { rel: "scripts", abs: path.join(cwd, "scripts") },
-  ];
-
-  roots.forEach((root) => walkFiles(root.abs, root.rel, out));
-  return out;
-}
-
-function snapshotPath(cwd) {
-  return path.join(cwd, ".claude", "cco", "state", "trust-snapshot.json");
-}
-
-function loadSnapshot(cwd) {
-  try {
-    return JSON.parse(fs.readFileSync(snapshotPath(cwd), "utf8"));
-  } catch {
-    return { files: {}, capturedAt: null };
-  }
-}
-
-function saveSnapshot(cwd, filesMap) {
-  const p = snapshotPath(cwd);
-  fs.mkdirSync(path.dirname(p), { recursive: true });
-  fs.writeFileSync(
-    p,
-    JSON.stringify({ capturedAt: new Date().toISOString(), files: filesMap }, null, 2),
-    "utf8"
-  );
-}
-
-function pathBlockedByPolicy(rel, teamPolicy) {
-  const patterns = Array.isArray(teamPolicy?.blockedPatterns) ? teamPolicy.blockedPatterns : [];
-  return patterns.some((pat) => {
-    try {
-      return new RegExp(pat, "i").test(rel);
-    } catch {
-      return false;
-    }
-  });
-}
-
-function classifyChanges(currentFiles, previousSnapshot, teamPolicy) {
-  const prev = previousSnapshot?.files || {};
-  const changed = [];
-  const currentMap = {};
-
-  currentFiles.forEach((f) => {
-    const hash = hashFile(f.abs);
-    currentMap[f.rel] = hash;
-    const prevHash = prev[f.rel] || null;
-
-    if (!prevHash) {
-      changed.push({ path: f.rel, changeType: "new", trustLevel: pathBlockedByPolicy(f.rel, teamPolicy) ? "untrusted" : "unknown", hash });
-      return;
-    }
-
-    if (prevHash !== hash) {
-      changed.push({ path: f.rel, changeType: "changed", trustLevel: pathBlockedByPolicy(f.rel, teamPolicy) ? "untrusted" : "unknown", hash });
-      return;
-    }
-
-    changed.push({ path: f.rel, changeType: "unchanged", trustLevel: "trusted", hash });
-  });
-
-  Object.keys(prev).forEach((rel) => {
-    if (!currentMap[rel]) changed.push({ path: rel, changeType: "removed", trustLevel: "unknown", hash: null });
-  });
-
-  return { currentMap, changed };
-}
-
-function runTrustAudit({ cwd, teamPolicy, writeSnapshot = true }) {
-  const targets = collectTrustTargets(cwd);
-  const previous = loadSnapshot(cwd);
-  const { currentMap, changed } = classifyChanges(targets, previous, teamPolicy);
-
-  const summary = {
-    total: changed.length,
-    newOrChanged: changed.filter((x) => x.changeType === "new" || x.changeType === "changed").length,
-    unknown: changed.filter((x) => x.trustLevel === "unknown").length,
-    untrusted: changed.filter((x) => x.trustLevel === "untrusted").length,
-    trusted: changed.filter((x) => x.trustLevel === "trusted").length,
-  };
-
-  const audit = {
-    createdAt: new Date().toISOString(),
-    summary,
-    entries: changed,
-    unknownFiles: changed.filter((x) => x.trustLevel === "unknown").map((x) => x.path),
-    untrustedFiles: changed.filter((x) => x.trustLevel === "untrusted").map((x) => x.path),
-  };
-
-  if (writeSnapshot) saveSnapshot(cwd, currentMap);
-  return audit;
-}
-
-module.exports = {
-  runTrustAudit,
-};