create-merlin-brain 4.2.0 → 5.0.1

package/files/scripts/duo-risk-detect.sh

@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+# duo-risk-detect.sh — heuristic risk scorer for duo auto-offer
+# Usage: duo-risk-detect.sh --task "<text>" [--workflow <name>] [--files <comma,sep>] [--loc <int>]
+# Output: single JSON line {"score":<0-100>,"reasons":[...],"suggest_duo":<bool>}
+# Always exits 0 — never blocks routing. Times out at 500ms.
+
+set -euo pipefail
+
+TASK=""
+WORKFLOW=""
+FILES=""
+LOC=""
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --task)     TASK="${2:-}";     shift 2 ;;
+        --workflow) WORKFLOW="${2:-}"; shift 2 ;;
+        --files)    FILES="${2:-}";    shift 2 ;;
+        --loc)      LOC="${2:-}";      shift 2 ;;
+        *)          shift ;;
+    esac
+done
+
+THRESHOLD="${MERLIN_DUO_OFFER_THRESHOLD:-50}"
+
+# Write the scorer to a temp file so timeout can exec it cleanly (no eval of user input)
+TMPSCRIPT=$(mktemp /tmp/duo-risk-score.XXXXXX.py)
+trap 'rm -f "$TMPSCRIPT"' EXIT
+
+cat > "$TMPSCRIPT" << 'PYEOF'
+import os, sys, json, re
+
+task      = os.environ.get("_DUO_TASK", "")
+workflow  = os.environ.get("_DUO_WORKFLOW", "")
+files     = os.environ.get("_DUO_FILES", "")
+loc_raw   = os.environ.get("_DUO_LOC", "")
+threshold = int(os.environ.get("_DUO_THRESHOLD", "50"))
+
+score   = 0
+reasons = []
+
+# Keyword scoring: +20 each, cap +40
+KEYWORDS = [
+    "auth", "password", "payment", "billing", "migration", "schema",
+    "production", "prod", "security", "crypto", "token", "secret",
+    "permission", "role", "admin", "delete", "drop", "force"
+]
+task_lower = task.lower()
+kw_score = 0
+for kw in KEYWORDS:
+    if re.search(r"\b" + re.escape(kw) + r"\b", task_lower):
+        if kw_score < 40:
+            add = min(20, 40 - kw_score)
+            kw_score += add
+            reasons.append(f"keyword:{kw}")
+score += kw_score
+
+# File path scoring: +25 each, cap +50
+PATH_PATTERNS = [
+    ("migrations/",          "path:migrations/"),
+    ("auth/",                "path:auth/"),
+    ("payment/",             "path:payment/"),
+    ("billing/",             "path:billing/"),
+    ("security/",            "path:security/"),
+    ("database/migrations/", "path:database/migrations/"),
+    ("infra/",               "path:infra/"),
+    (".github/workflows/",   "path:.github/workflows/"),
+    ("Dockerfile",           "path:Dockerfile"),
+    (".sql",                 "path:*.sql"),
+]
+path_score = 0
+for pattern, tag in PATH_PATTERNS:
+    if pattern in files:
+        if path_score < 50:
+            add = min(25, 50 - path_score)
+            path_score += add
+            reasons.append(tag)
+score += path_score
+
+# Workflow scoring: +30
+HIGH_RISK_WORKFLOWS = {"security-audit", "refactor", "migration"}
+if workflow.lower() in HIGH_RISK_WORKFLOWS:
+    score += 30
+    reasons.append(f"workflow:{workflow.lower()}")
+
+# LOC delta scoring (>500 replaces >200)
+try:
+    loc = int(loc_raw.strip()) if loc_raw.strip() else 0
+except ValueError:
+    loc = 0
+
+if loc > 500:
+    score += 35
+    reasons.append("loc:>500")
+elif loc > 200:
+    score += 20
+    reasons.append("loc:>200")
+
+# Files count: +15
+if files.strip():
+    file_list = [f for f in files.split(",") if f.strip()]
+    if len(file_list) > 10:
+        score += 15
+        reasons.append("files:>10")
+
+# Production/critical keywords: +25 (first match only)
+PROD_WORDS = ["production", "ship", "release", "critical"]
+for word in PROD_WORDS:
+    if re.search(r"\b" + re.escape(word) + r"\b", task_lower):
+        score += 25
+        reasons.append(f"keyword:{word}")
+        break
+
+# Dep-manifest files: +15 (first match only)
+DEP_FILES = ["package.json", "go.mod", "Cargo.toml", "requirements.txt"]
+for dep in DEP_FILES:
+    if dep in files:
+        score += 15
+        reasons.append(f"dep:{dep}")
+        break
+
+# Cap at 100, keep top 5 reasons
+score   = min(score, 100)
+reasons = reasons[:5]
+
+print(json.dumps({"score": score, "reasons": reasons, "suggest_duo": score >= threshold}))
+PYEOF
+
+# Export all inputs via env — never interpolated into code
+export _DUO_TASK="$TASK"
+export _DUO_WORKFLOW="$WORKFLOW"
+export _DUO_FILES="$FILES"
+export _DUO_LOC="$LOC"
+export _DUO_THRESHOLD="$THRESHOLD"
+
+# Run with 500ms timeout — try gtimeout (macOS Homebrew coreutils), then timeout, then perl alarm
+_TIMEOUT_CMD=""
+if command -v gtimeout >/dev/null 2>&1; then
+    _TIMEOUT_CMD="gtimeout 0.5"
+elif timeout --version >/dev/null 2>&1; then
+    _TIMEOUT_CMD="timeout 0.5"
+fi
+
+if [[ -n "$_TIMEOUT_CMD" ]]; then
+    OUT=$($_TIMEOUT_CMD python3 "$TMPSCRIPT" 2>/dev/null) || OUT=""
+else
+    OUT=$(perl -e 'alarm 1; exec @ARGV' -- python3 "$TMPSCRIPT" 2>/dev/null) || OUT=""
+fi
+
+# Validate JSON; fall back to safe default
+if python3 -c "import json,sys; json.loads(sys.stdin.read())" <<< "$OUT" 2>/dev/null; then
+    echo "$OUT"
+else
+    echo '{"score":0,"reasons":["timeout"],"suggest_duo":false}'
+fi
+
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-merlin-brain",
-  "version": "4.2.0",
+  "version": "5.0.1",
   "description": "Merlin - The Ultimate AI Brain for Claude Code, Codex, and other AI CLIs. One install: workflows, agents, loop, and Sights MCP server.",
   "type": "module",
   "main": "./dist/server/index.js",