failproofai 0.0.11-beta.9 → 0.0.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.next/standalone/.next/BUILD_ID +1 -1
- package/.next/standalone/.next/build-manifest.json +3 -3
- package/.next/standalone/.next/prerender-manifest.json +3 -3
- package/.next/standalone/.next/required-server-files.json +1 -1
- package/.next/standalone/.next/server/app/_global-error/page/server-reference-manifest.json +1 -1
- package/.next/standalone/.next/server/app/_global-error/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/_global-error/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/_global-error.html +1 -1
- package/.next/standalone/.next/server/app/_global-error.rsc +7 -7
- package/.next/standalone/.next/server/app/_global-error.segments/__PAGE__.segment.rsc +2 -2
- package/.next/standalone/.next/server/app/_global-error.segments/_full.segment.rsc +7 -7
- package/.next/standalone/.next/server/app/_global-error.segments/_head.segment.rsc +3 -3
- package/.next/standalone/.next/server/app/_global-error.segments/_index.segment.rsc +3 -3
- package/.next/standalone/.next/server/app/_global-error.segments/_tree.segment.rsc +1 -1
- package/.next/standalone/.next/server/app/_not-found/page/server-reference-manifest.json +1 -1
- package/.next/standalone/.next/server/app/_not-found/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/_not-found/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/_not-found.html +1 -1
- package/.next/standalone/.next/server/app/_not-found.rsc +15 -15
- package/.next/standalone/.next/server/app/_not-found.segments/_full.segment.rsc +15 -15
- package/.next/standalone/.next/server/app/_not-found.segments/_head.segment.rsc +4 -4
- package/.next/standalone/.next/server/app/_not-found.segments/_index.segment.rsc +10 -10
- package/.next/standalone/.next/server/app/_not-found.segments/_not-found/__PAGE__.segment.rsc +2 -2
- package/.next/standalone/.next/server/app/_not-found.segments/_not-found.segment.rsc +3 -3
- package/.next/standalone/.next/server/app/_not-found.segments/_tree.segment.rsc +2 -2
- package/.next/standalone/.next/server/app/api/audit/invite/route.js +1 -1
- package/.next/standalone/.next/server/app/api/audit/invite/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/audit/run/route.js +1 -1
- package/.next/standalone/.next/server/app/api/audit/run/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/auth/login-request/route.js +1 -1
- package/.next/standalone/.next/server/app/api/auth/login-request/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/auth/login-verify/route.js +1 -1
- package/.next/standalone/.next/server/app/api/auth/login-verify/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/auth/logout/route.js +1 -1
- package/.next/standalone/.next/server/app/api/auth/logout/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/auth/reminder/route.js +1 -1
- package/.next/standalone/.next/server/app/api/auth/reminder/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/auth/status/route.js +1 -1
- package/.next/standalone/.next/server/app/api/auth/status/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/api/download/[project]/[session]/route.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/audit/page/server-reference-manifest.json +2 -2
- package/.next/standalone/.next/server/app/audit/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/audit/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/index.html +1 -1
- package/.next/standalone/.next/server/app/index.rsc +15 -15
- package/.next/standalone/.next/server/app/index.segments/__PAGE__.segment.rsc +2 -2
- package/.next/standalone/.next/server/app/index.segments/_full.segment.rsc +15 -15
- package/.next/standalone/.next/server/app/index.segments/_head.segment.rsc +4 -4
- package/.next/standalone/.next/server/app/index.segments/_index.segment.rsc +10 -10
- package/.next/standalone/.next/server/app/index.segments/_tree.segment.rsc +2 -2
- package/.next/standalone/.next/server/app/page/server-reference-manifest.json +1 -1
- package/.next/standalone/.next/server/app/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/policies/page/server-reference-manifest.json +8 -8
- package/.next/standalone/.next/server/app/policies/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/policies/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/project/[name]/page/server-reference-manifest.json +1 -1
- package/.next/standalone/.next/server/app/project/[name]/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/project/[name]/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/project/[name]/session/[sessionId]/page/react-loadable-manifest.json +2 -2
- package/.next/standalone/.next/server/app/project/[name]/session/[sessionId]/page/server-reference-manifest.json +2 -2
- package/.next/standalone/.next/server/app/project/[name]/session/[sessionId]/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/project/[name]/session/[sessionId]/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/app/projects/page/server-reference-manifest.json +1 -1
- package/.next/standalone/.next/server/app/projects/page.js.nft.json +1 -1
- package/.next/standalone/.next/server/app/projects/page_client-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/chunks/[externals]__1_g_b3t._.js +3 -0
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__0dwpg-h._.js +3 -0
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__0lnenda._.js +3 -0
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__13i_sva._.js +3 -0
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__1_mqemn._.js +1 -1
- package/.next/standalone/.next/server/chunks/node_modules_0-tu4ot._.js +1 -1
- package/.next/standalone/.next/server/chunks/node_modules_1bnh1y0._.js +1 -1
- package/.next/standalone/.next/server/chunks/node_modules_next_dist_esm_build_templates_app-route_17k9e3w.js +3 -3
- package/.next/standalone/.next/server/chunks/node_modules_posthog-node_dist_entrypoints_index_node_mjs_01r25oi._.js +1 -1
- package/.next/standalone/.next/server/chunks/node_modules_posthog-node_dist_entrypoints_index_node_mjs_09z9-p7._.js +1 -1
- package/.next/standalone/.next/server/chunks/package_json_[json]_cjs_1nxcc4v._.js +1 -1
- package/.next/standalone/.next/server/chunks/ssr/{[root-of-the-server]__0e446gb._.js → [root-of-the-server]__00uwqi6._.js} +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0808sha._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0e4-6d8._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0ehe24g._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0g253ve._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0k65l27._.js +1 -1
- package/.next/standalone/.next/server/chunks/ssr/{[root-of-the-server]__0wprfyc._.js → [root-of-the-server]__0kjb_s4._.js} +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0vxf0_g._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__12mcauo._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__1mt35_w._.js +1 -1
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__1pcxxwg._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__1uvfwgr._.js +2 -2
- package/.next/standalone/.next/server/chunks/ssr/_11_p9y8._.js +1 -1
- package/.next/standalone/.next/server/chunks/ssr/app_audit__components_audit-dashboard_tsx_0p9ud47._.js +49 -21
- package/.next/standalone/.next/server/chunks/ssr/app_global-error_tsx_1kp6l3x._.js +1 -1
- package/.next/standalone/.next/server/chunks/ssr/app_policies_hooks-client_tsx_19dqvpc._.js +1 -1
- package/.next/standalone/.next/server/chunks/ssr/{node_modules_html-to-image_es_index_0y4a-0q.js → node_modules_html-to-image_es_index_0ihmbv4.js} +1 -1
- package/.next/standalone/.next/server/chunks/ssr/node_modules_posthog-node_dist_entrypoints_index_node_mjs_11bnuzn._.js +1 -1
- package/.next/standalone/.next/server/middleware-build-manifest.js +3 -3
- package/.next/standalone/.next/server/pages/404.html +1 -1
- package/.next/standalone/.next/server/pages/500.html +1 -1
- package/.next/standalone/.next/server/server-reference-manifest.js +1 -1
- package/.next/standalone/.next/server/server-reference-manifest.json +10 -10
- package/.next/standalone/.next/static/chunks/{3ty6dhcuogout.js → 02fywjt0by40a.js} +1 -1
- package/.next/standalone/.next/static/chunks/0xdx2ehtbdoeg.js +1 -0
- package/.next/standalone/.next/static/chunks/{07_d165p5h5ys.js → 1-a5rvq67k7ed.js} +1 -1
- package/.next/standalone/.next/static/chunks/{3nj6g3xu9uy78.js → 15csyj1_rf0-w.js} +1 -1
- package/.next/standalone/.next/static/chunks/1o0xa47736gi9.css +2 -0
- package/.next/standalone/.next/static/chunks/24cv31x607n7k.js +1 -0
- package/.next/standalone/.next/static/chunks/2n_s8v1ae38_a.js +69 -0
- package/.next/standalone/.next/static/chunks/{277oc363p56n6.js → 2y-jmvrjxz60x.js} +2 -2
- package/.next/standalone/.next/static/chunks/{1kvadxkgnapyj.js → 3eik_d9qrvoft.js} +1 -1
- package/.next/standalone/.next/static/chunks/{168k-8z6k7e8z.css → 3i27c3hcriawq.css} +1 -1
- package/.next/standalone/.next/static/chunks/{2z42u62k-8-_q.js → 3v61675vr6jav.js} +1 -1
- package/.next/standalone/app/api/audit/invite/route.ts +10 -1
- package/.next/standalone/app/api/audit/run/route.ts +35 -0
- package/.next/standalone/app/api/auth/login-request/route.ts +2 -2
- package/.next/standalone/app/api/auth/login-verify/route.ts +10 -2
- package/.next/standalone/app/audit/_components/audit-dashboard.tsx +9 -1
- package/.next/standalone/app/audit/_components/audit-poster.tsx +11 -7
- package/.next/standalone/app/audit/_components/auth-dialog.tsx +6 -4
- package/.next/standalone/app/audit/_components/come-back-better-section.tsx +23 -3
- package/.next/standalone/app/audit/_components/invite-dialog.tsx +6 -3
- package/.next/standalone/app/audit/_components/share-templates.ts +58 -28
- package/.next/standalone/app/audit/audit-styles.css +17 -22
- package/.next/standalone/app/globals.css +27 -2
- package/.next/standalone/app/policies/hooks-client.tsx +33 -24
- package/.next/standalone/components/reach-developers.tsx +10 -25
- package/.next/standalone/lib/auth/api-server-client.ts +5 -2
- package/.next/standalone/lib/client-telemetry.ts +4 -0
- package/.next/standalone/package.json +6 -4
- package/.next/standalone/server.js +1 -1
- package/README.md +2 -2
- package/bin/failproofai.mjs +24 -5
- package/dist/cli.mjs +2328 -381
- package/lib/auth/api-server-client.ts +5 -2
- package/lib/client-telemetry.ts +4 -0
- package/package.json +6 -4
- package/scripts/launch.ts +30 -4
- package/scripts/postinstall.mjs +10 -1
- package/scripts/skew-log-filter.ts +46 -0
- package/scripts/validate-mdx.ts +139 -0
- package/src/audit/cli.ts +330 -0
- package/src/audit/open-browser.ts +69 -0
- package/src/auth/cli.ts +16 -13
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__1r1h8v9._.js +0 -3
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__1uatkiv._.js +0 -3
- package/.next/standalone/.next/server/chunks/[root-of-the-server]__1y6gxxb._.js +0 -3
- package/.next/standalone/.next/static/chunks/28mkxkl_d91-l.js +0 -1
- package/.next/standalone/.next/static/chunks/28x7jvo3kxd3u.js +0 -41
- package/.next/standalone/.next/static/chunks/29nrs5xs9c4hx.css +0 -2
- package/.next/standalone/.next/static/chunks/29tg7deqmq32l.js +0 -1
- /package/.next/standalone/.next/static/{NYPiJP6Rv_exQdSFVS8HP → P_MIRSeoE296wkbE-Icin}/_buildManifest.js +0 -0
- /package/.next/standalone/.next/static/{NYPiJP6Rv_exQdSFVS8HP → P_MIRSeoE296wkbE-Icin}/_clientMiddlewareManifest.js +0 -0
- /package/.next/standalone/.next/static/{NYPiJP6Rv_exQdSFVS8HP → P_MIRSeoE296wkbE-Icin}/_ssgManifest.js +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
module.exports=[89498,e=>{"use strict";var t=e.i(47909),i=e.i(74017),n=e.i(96250),o=e.i(59756),s=e.i(61916),a=e.i(74677),r=e.i(69741),l=e.i(16795),c=e.i(87718),d=e.i(95169),p=e.i(47587),u=e.i(66012),m=e.i(70101),f=e.i(26937),h=e.i(10372),g=e.i(93695);e.i(20232);var y=e.i(220),b=e.i(89171),w=e.i(71809),k=e.i(50227),v=e.i(12714),N=e.i(74533),S=e.i(60526);function T(e){return e?{decision:"allow",reason:e}:{decision:"allow"}}function E(e){return{decision:"deny",reason:e}}function P(e){return{decision:"instruct",reason:e}}let $="__FAILPROOFAI_POLICY_REGISTRY__",
|
|
1
|
+
module.exports=[89498,e=>{"use strict";var t=e.i(47909),i=e.i(74017),n=e.i(96250),o=e.i(59756),s=e.i(61916),a=e.i(74677),r=e.i(69741),l=e.i(16795),c=e.i(87718),d=e.i(95169),p=e.i(47587),u=e.i(66012),m=e.i(70101),f=e.i(26937),h=e.i(10372),g=e.i(93695);e.i(20232);var y=e.i(220),b=e.i(89171),w=e.i(71809),k=e.i(50227),v=e.i(12714),N=e.i(74533),S=e.i(60526);function T(e){return e?{decision:"allow",reason:e}:{decision:"allow"}}function E(e){return{decision:"deny",reason:e}}function P(e){return{decision:"instruct",reason:e}}let $="__FAILPROOFAI_POLICY_REGISTRY__",C="__FAILPROOFAI_POLICY_INDEX_CACHE__",A="failproofai";function I(e){return e.includes("/")?e:`${A}/${e}`}function R(e){globalThis[C]=e}function x(){let e=globalThis;return e[$]||(e[$]=[]),e[$]}var O=e.i(2157);let B={info:0,warn:1,error:2},_=(0,k.join)((0,S.homedir)(),".failproofai","logs"),j=!1,D="warn",W=!1,U=_;function M(e){return!function(){if(j)return;j=!0;let e=(process.env.FAILPROOFAI_LOG_LEVEL??"").toLowerCase();("info"===e||"warn"===e||"error"===e)&&(D=e);let t=(process.env.FAILPROOFAI_HOOK_LOG_FILE??"").trim();t&&(W=!0,"1"!==t&&"true"!==t&&(U=t))}(),B[e]>=B[D]}function L(e,t){process.stderr.write(`[failproofai:hook] ${e} ${t}
|
|
2
2
|
`)}function z(e,t){if(W)try{(0,O.existsSync)(U)||(0,O.mkdirSync)(U,{recursive:!0});let i=(0,k.join)(U,"hooks.log");try{if((0,O.statSync)(i).size>=524288){let e=`hooks-${Date.now()}.log`;(0,O.renameSync)(i,(0,k.join)(U,e))}}catch{}let n=new Date().toISOString(),o=`[${n}] ${e} ${t}
|
|
3
|
-
`;(0,O.appendFileSync)(i,o,"utf-8")}catch{}}function F(e){M("info")&&(L("INFO",e),z("INFO",e))}function H(e){M("warn")&&(L("WARN",e),z("WARN",e))}let q=function(e){let t=e.replaceAll("\\","/");for(let e of[".claude",".codex",".copilot",".cursor",".opencode",".pi",".gemini"]){let i=(0,k.join)((0,S.homedir)(),e).replaceAll("\\","/");if(t===i||t.startsWith(i+"/"))return!0}for(let e of[(0,k.join)(".config","opencode"),(0,k.join)(".local","share","opencode")]){let i=(0,k.join)((0,S.homedir)(),e).replaceAll("\\","/");if(t===i||t.startsWith(i+"/"))return!0}return!1},G=function(e){return!!(/[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(e)||/[\\/]\.codex[\\/]hooks\.json$/.test(e)||/[\\/]\.copilot[\\/]hooks[\\/][^/\\]+\.json$/.test(e)||/[\\/]\.github[\\/]hooks[\\/][^/\\]+\.json$/.test(e)||/[\\/]\.cursor[\\/]hooks\.json$/.test(e)||/[\\/]\.opencode[\\/]opencode\.jsonc?$/.test(e)||/[\\/]\.opencode[\\/]plugins[\\/][^/\\]+\.(?:mjs|js|ts)$/.test(e)||/[\\/]\.config[\\/]opencode[\\/]opencode\.jsonc?$/.test(e)||/[\\/]\.config[\\/]opencode[\\/]config\.json$/.test(e)||/[\\/]\.config[\\/]opencode[\\/]plugins[\\/][^/\\]+\.(?:mjs|js|ts)$/.test(e)||/[\\/]\.pi[\\/](?:agent[\\/])?settings\.json$/.test(e)||/[\\/]\.pi[\\/](?:agent[\\/])?extensions[\\/]/.test(e)||/[\\/]\.gemini[\\/]settings\.json$/.test(e)||/[\\/]\.gemini[\\/]hooks[\\/]/.test(e))};function J(e){return e.toolInput?.command??""}function Y(e){return e.toolInput?.file_path??""}function Z(e){return e.trim().split(/\s+/).map(e=>e.replace(/^['"]|['"]$/g,""))}let K=new Set(["&&","||","|",";"]),Q=/[;&<>`$()\\]/,V=/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/,X=[[/sk-ant-[A-Za-z0-9\-_]{20,}/,"Anthropic API key"],[/sk-proj-[A-Za-z0-9\-_]{20,}/,"OpenAI project API key"],[/sk-[A-Za-z0-9]{20,}/,"OpenAI API key"],[/ghp_[A-Za-z0-9]{36}/,"GitHub personal access token"],[/github_pat_[A-Za-z0-9_]{82}/,"GitHub fine-grained token"],[/AKIA[A-Z0-9]{16}/,"AWS access key ID"],[/sk_live_[A-Za-z0-9]{24,}/,"Stripe live secret key"],[/sk_test_[A-Za-z0-9]{24,}/,"Stripe test secret key"],[/AIza[0-9A-Za-z\-_]{35}/,"Google API key"]],ee=/(?:postgresql|postgres|mysql|mongodb(?:\+srv)?|redis|amqps?|smtps?):\/\/[^@\s]+@/,et=/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/,ei=/Authorization:\s*Bearer\s+[A-Za-z0-9\-._~+/]{20,}/i,en=/\b(?:psql|mysql|sqlite3|pgcli|clickhouse-client)\b/,eo=/\b(?:DROP\s+(?:TABLE|DATABASE|SCHEMA)|TRUNCATE\b)/i,es=/\bDELETE\s+FROM\b/i,ea=/\bWHERE\b/i,er=/\bALTER\s+TABLE\b[\s\S]*\b(?:DROP\s+COLUMN|ADD\s+COLUMN|RENAME\s+(?:COLUMN|TO)|MODIFY\s+COLUMN)\b/i,el=/(?:npm\s+publish|bun\s+publish|pnpm\s+publish|yarn\s+npm\s+publish|twine\s+upload|poetry\s+publish|cargo\s+publish|gem\s+push)\b/,ec=/(?:^|\s|;|&&|\|\|)(?:env|printenv)(?:\s|$|;|&&|\|)/,ed=/echo\s+.*\$\{?[A-Za-z_]/,ep=/(?:^|\s|;|&&|\|\|)export\s+\w+/,eu=/\$env:[A-Za-z_]/i,em=/(?:Get-ChildItem|dir|gci|ls)\s+Env:/i,ef=/\[Environment\]::GetEnvironment/i,eh=/echo\s+%[A-Za-z_]/i,eg=/(?:^|[\\/])\.env(?:\.|$)/,ey=/\.env(?:\b|\s|$|\.)/,eb=/(?:^|;|&&|\|\|)\s*sudo\s/,ew=/Start-Process\s+.*-Verb\s+RunAs/i,ek=/(?:^|;|&&|\|\|)\s*runas\s/i,ev=/(?:curl|wget)\s.*\|\s*(?:sh|bash|zsh|dash|ksh|csh|tcsh|fish|ash)\b/,eN=/(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\s+.*\|\s*(?:Invoke-Expression|iex)/i,eS=/(?:--force|-f\b)/,eT=/\.(?:pem|key)$/,eE=/id_rsa/,eP=/credentials/,e$=/git\s+(commit|merge|rebase|cherry-pick)\b/,eA=/(?:^|;|&&|\|\||\|)\s*failproofai(?:\s|$)/,eC=/(?:npm\s+(?:uninstall|remove|un|r)\s.*failproofai|bun\s+remove\s.*failproofai|yarn\s+global\s+remove\s+failproofai|pnpm\s+(?:remove|uninstall|un)\s.*failproofai)/,eI=/\bgit\s+commit\b.*--amend\b/,eR=/\bgit\s+stash\s+(?:drop|clear)\b/,ex=/\bgit\s+add\s+(?:-A\b|--all\b|\.(?:\s|$|;|&&|\|\|))/,eO=/\bnpm\s+(?:install|i)\b(?=.*(?:\s-g\b|--global\b))/,eB=/\byarn\s+global\s+add\b/,ej=/\bpnpm\s+(?:add|install|i)\b(?=.*(?:\s-g\b|--global\b))/,e_=/\bbun\s+(?:install|add)\b(?=.*(?:\s-g\b|--global\b))/,eD=/\bcargo\s+install\b/,eW=/\bpip(?:3)?\s+install\b(?=.*(?:--user\b|--break-system-packages\b))/,eU={pip:[/\bpip\b/,/\bpip3\b/,/\bpython3?\s+-m\s+pip\b/],npm:[/\bnpm\b/,/\bnpx\b/],yarn:[/\byarn\b/],pnpm:[/\bpnpm\b/,/\bpnpx\b/],bun:[/\bbun\b/,/\bbunx\b/],uv:[/\buv\b/],poetry:[/\bpoetry\b/],pipenv:[/\bpipenv\b/],conda:[/\bconda\b/],cargo:[/\bcargo\b/]},eM=/\bnohup\s+\S/,eL=/\bscreen\s+-[A-Za-z]*d[A-Za-z]*\b/,ez=/\btmux\s+(?:new-session|new)\b[^|&;]*-d\b/,eF=/\bdisown\b/,eH=/(?<![&|])\s?&\s*(?:$|#|;)/,eq=/(?:^|[;\n]|&&|\|\|?|&)\s*kubectl(?:\s|$)/,eG=/(?:^|[;\n]|&&|\|\|?|&)\s*(?:terraform|tofu)(?:\s|$)/,eJ=/(?:^|[;\n]|&&|\|\|?|&)\s*aws(?:\s|$)/,eY=/(?:^|[;\n]|&&|\|\|?|&)\s*gcloud(?:\s|$)/,eZ=/(?:^|[;\n]|&&|\|\|?|&)\s*az(?:\s|$)/,eK=/(?:^|[;\n]|&&|\|\|?|&)\s*helm(?:\s|$)/,eQ=/(?:^|[;\n]|&&|\|\|?|&)\s*gh\s+(?:workflow\s+(?:run|enable|disable)|run\s+(?:rerun|cancel)|pr\s+merge|release\s+(?:create|delete)|cache\s+delete|secret\s+(?:set|delete))\b/,eV=new Map;function eX(e){try{let t=eV.get(e);return void 0===t&&(t=(0,N.execSync)("git rev-parse --abbrev-ref HEAD",{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}).trim(),eV.set(e,t)),t||null}catch{return null}}function e0(e,t){let i=Z(e),n=Z(t);return!(i.length<n.length||i.some(e=>K.has(e))||i.some(e=>Q.test(e)))&&n.every((e,t)=>"*"===e||e===i[t])}function e1(e){return e.split(/&&|\|\||[|;\n]/).map(e=>e.trim()).filter(e=>/^git\s+push\s/.test(e)).map(e=>e.replace(/^git\s+push\s+/,""))}function e3(e,t){if(0===t.length)return!1;let i=e.split(/&&|\|\||[|;\n]/).map(e=>e.trim()).filter(e=>/\brm\b/.test(e));if(0===i.length)return!1;for(let e of i){let i=Z(e),n=i.findIndex(e=>"rm"===e);if(n<0)continue;let o=i.slice(n+1).filter(e=>/^-[^-]/.test(e)),s=i.slice(n+1).filter(e=>/^--/.test(e));if(/r/i.test(o.join(""))||s.some(e=>/^--recursive$/i.test(e)))for(let o of i.slice(n+1).filter(e=>!e.startsWith("-"))){let i=o.replace(/\/\*$/,"").replace(/\/+$/,"")||"/";if(!t.some(e=>{let t=e.replace(/\/+$/,"")||"/";return i===t||i.startsWith(t+"/")})&&!t.some(t=>{let i=t.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");return RegExp(`${i}(?:[/"'\\s/*]|$)`).test(e)}))return!1}}return!0}let e8=/(?:^|;|&&|\|\||\|)\s*(?:ls|find|cat|head|tail|less|more|wc|file|stat|tree|du)\s/;function e2(e,t,i){if("Bash"!==e.toolName)return T();let n=J(e);return!t.test(n)||(e.params?.allowPatterns??[]).some(e=>e0(n,e))?T():E(i)}let e4=/\s*(?:&&|\|\||\||;)\s*/,e6=[{name:"sanitize-jwt",description:"Stop Claude from reading JWTs in tool responses",displayTitle:"Redacted JWT tokens from tool output",impact:"Stops the agent from echoing auth tokens it saw in command output.",fn:function(e){let t=JSON.stringify(e.payload);return V.test(t)?{decision:"deny",reason:"JWT token detected in tool output",message:"[REDACTED: JWT token removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"sanitize-api-keys",description:"Stop Claude from reading API keys (OpenAI, Anthropic, GitHub, AWS, Stripe, Google) in tool responses",displayTitle:"Redacted API keys from tool output",impact:"Catches OpenAI / Anthropic / GitHub / AWS / Stripe / Google keys before the model sees them.",fn:function(e){let t=JSON.stringify(e.payload);for(let[e,i]of X)if(e.test(t))return{decision:"deny",reason:`${i} detected in tool output`,message:`[REDACTED: ${i} removed by failproofai]`};for(let{regex:i,label:n}of e.params?.additionalPatterns??[])try{if(new RegExp(i).test(t))return{decision:"deny",reason:`${n} detected in tool output`,message:`[REDACTED: ${n} removed by failproofai]`}}catch{H(`additionalPatterns: invalid regex "${i}", skipping`)}return T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize",params:{additionalPatterns:{type:"pattern[]",description:"Additional API key patterns to scrub, each with { regex, label }",default:[]}}},{name:"sanitize-connection-strings",description:"Stop Claude from reading database connection strings with embedded credentials in tool responses",displayTitle:"Redacted database connection strings from tool output",impact:"Strips embedded DB credentials before they reach the model context.",fn:function(e){let t=JSON.stringify(e.payload);return ee.test(t)?{decision:"deny",reason:"Database connection string with credentials detected in tool output",message:"[REDACTED: connection string removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"sanitize-private-key-content",description:"Stop Claude from reading PEM private key content in tool responses",displayTitle:"Redacted PEM private keys from tool output",impact:"Prevents private key bodies from being echoed into chat context.",fn:function(e){let t=JSON.stringify(e.payload);return et.test(t)?{decision:"deny",reason:"Private key content detected in tool output",message:"[REDACTED: private key content removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"sanitize-bearer-tokens",displayTitle:"Redacted bearer tokens from tool output",impact:"Strips Authorization: Bearer values before they hit the model.",description:"Stop Claude from reading Authorization Bearer tokens in tool responses",fn:function(e){let t=JSON.stringify(e.payload);return ei.test(t)?{decision:"deny",reason:"Bearer token detected in tool output",message:"[REDACTED: Bearer token removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"protect-env-vars",displayTitle:"Tried to dump environment variables to chat",impact:"Env vars often contain secrets; blocking `env` / `printenv` keeps them out of the model context.",description:"Prevent commands that read environment variables",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return ec.test(t)?E("Command reads environment variables"):ed.test(t)?E("Command echoes environment variable"):ep.test(t)?E("Command exports environment variable"):eu.test(t)?E("Command reads environment variable via PowerShell"):em.test(t)?E("Command reads environment variables via PowerShell"):ef.test(t)?E("Command reads environment variable via .NET"):eh.test(t)?E("Command echoes environment variable via cmd"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Environment"},{name:"block-env-files",displayTitle:"Tried to read or write a .env file",impact:"`.env` files routinely contain API keys and DB credentials.",description:"Block reading/writing .env files",fn:function(e){let t=J(e),i=Y(e);return i&&eg.test(i)?E("Access to .env file blocked"):"Bash"===e.toolName&&ey.test(t)?E("Command references .env file"):T()},match:{events:["PreToolUse"]},defaultEnabled:!0,category:"Environment"},{name:"block-read-outside-cwd",displayTitle:"Tried to read files outside your project directory",impact:"Stops the agent from peeking at neighboring repos or your home directory.",description:"Block file reads outside the session working directory",fn:function(e){let t=process.env.CLAUDE_PROJECT_DIR||e.session?.cwd;if(!t)return T();let i=e.params?.allowPaths??[];if("Bash"===e.toolName){let n=J(e);if(!e8.test(n))return T();let o=function(e){let t,i=[],n=/(?<![a-zA-Z0-9_.\-~\\*?:=])(?:~\/[^\s;|&"'()\[\]{}]*|~(?=\s|$|[;|&"'()\[\]{}])|\/[^\s;|&"'()\[\]{}]*)/g;function o(e){let t;for(n.lastIndex=0;null!==(t=n.exec(e));){let e=t[0];"~"===e?e=(0,S.homedir)():e.startsWith("~/")&&(e=(0,k.join)((0,S.homedir)(),e.slice(2))),i.push(e)}}let s=e.length,a=!1,r=!1;for(let t=0;t<e.length;t++){let i=e[t];if('"'!==i||r)if("'"!==i||a){if("|"===i&&!a&&!r){s=t;break}}else r=!r;else a=!a}let l=e.slice(0,s),c=/"([^"]*)"|'([^']*)'/g;for(;null!==(t=c.exec(l));){let e=t[1]??t[2]??"";/[*?\[\]^$+()\\]/.test(e)||o(e)}return o(e.replace(/"[^"]*"/g,e=>" ".repeat(e.length)).replace(/'[^']*'/g,e=>" ".repeat(e.length))),i}(n),s=t.endsWith("/")?t:t+"/";for(let e of o){let n=(0,k.resolve)(t,e);if(G(n))return E(`Reading agent settings file blocked: ${n}`);if(!q(n)&&"/dev/null"!==n&&n!==t&&!n.startsWith(s)){if(i.some(e=>n===e||n.startsWith(e.endsWith("/")?e:e+"/")))continue;return E(`Bash read outside project directory blocked: ${n}`)}}return T()}let n=Y(e),o=e.toolInput?.path??"",s=n||o;if(!s)return T();let a=(0,k.resolve)(t,s);if(G(a))return E(`Reading agent settings file blocked: ${a}`);if(q(a)||"/dev/null"===a)return T();let r=t.endsWith("/")?t:t+"/";return a===t||a.startsWith(r)?T():i.some(e=>a===e||a.startsWith(e.endsWith("/")?e:e+"/"))?T():E(`Access outside project directory blocked: ${a}`)},match:{events:["PreToolUse"],toolNames:["Read","Glob","Grep","Bash"]},defaultEnabled:!1,category:"Environment",params:{allowPaths:{type:"string[]",description:"Absolute paths outside cwd that are allowed to be read",default:[]}}},{name:"block-sudo",displayTitle:"Tried to run a command with sudo",impact:"Sudo gives the agent root — blocked unless explicitly allow-listed.",description:"Block sudo commands",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e).trimStart();return eb.test(t)||t.startsWith("sudo ")?(e.params?.allowPatterns??[]).some(e=>e0(t,e))?T():E("sudo commands are blocked"):ew.test(t)?E("Elevated process launch is blocked"):ek.test(t)?E("runas elevation is blocked"):T()},match:{events:["PreToolUse","PermissionRequest"],toolNames:["Bash"]},defaultEnabled:!0,category:"Dangerous Commands",params:{allowPatterns:{type:"string[]",description:"Sudo command patterns to allow, matched token-by-token (e.g. 'sudo systemctl status')",default:[]}}},{name:"block-curl-pipe-sh",displayTitle:"Tried to pipe a downloaded script straight to a shell",impact:"`curl ... | sh` runs unverified remote code on your machine.",description:"Block piping downloads to shell",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return ev.test(t)?E("Piping downloads to shell is blocked"):eN.test(t)?E("Piping downloads to Invoke-Expression is blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Dangerous Commands"},{name:"block-rm-rf",displayTitle:"Tried to recursively delete a system path",impact:"Catches catastrophic `rm -rf /` and Windows equivalents.",description:"Prevent catastrophic deletions",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e),i=Z(t).some(e=>{let t=e.replace(/\/\*$/,"").replace(/\/+$/,"")||(e.startsWith("/")?"/":"");return"/"===t||"~"===t||/^\/[A-Za-z_][\w.-]*$/.test(t)});if(i&&(/rm\s+-[^\s]*r[^\s]*f[^\s]*/.test(t)||/rm\s+-[^\s]*f[^\s]*r[^\s]*/.test(t)))return e3(t,e.params?.allowPaths??[])?T():E("Catastrophic deletion blocked");if(i&&/\brm\b/.test(t)){let i=Z(t),n=i.filter(e=>/^-[^-]/.test(e)).join(""),o=i.filter(e=>/^--/.test(e)),s=/r/i.test(n)||o.some(e=>/^--recursive$/i.test(e)),a=/f/.test(n)||o.some(e=>/^--force$/i.test(e));if(s&&a)return e3(t,e.params?.allowPaths??[])?T():E("Catastrophic deletion blocked")}return/Remove-Item\s+.*-Recurse.*-Force.*(?:[A-Z]:\\(?:\s|$)|\\\*)/i.test(t)||/(?:rd|rmdir)\s+\/s\s+\/q\s+[A-Z]:\\/i.test(t)?E("Catastrophic deletion blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Dangerous Commands",params:{allowPaths:{type:"string[]",description:"Paths that are allowed to be recursively deleted",default:[]}}},{name:"block-failproofai-commands",displayTitle:"Tried to disable or modify failproofai itself",impact:"Prevents the agent from turning off the policies that protect you.",description:"Block failproofai CLI commands and uninstallation",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eA.test(t)?E("Running failproofai CLI commands is blocked"):eC.test(t)?E("Uninstalling failproofai is blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Dangerous Commands"},{name:"block-kubectl",displayTitle:"Tried to run a Kubernetes command",impact:"kubectl can change live cluster state — gated unless allow-listed.",description:"Block kubectl commands (Kubernetes cluster mutations)",fn:function(e){return e2(e,eq,"kubectl commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"kubectl command patterns to allow, matched token-by-token (e.g. 'kubectl get *', 'kubectl describe *')",default:[]}}},{name:"block-terraform",displayTitle:"Tried to run a Terraform/OpenTofu command",impact:"Terraform mutates real infrastructure — gated unless allow-listed.",description:"Block terraform and tofu (OpenTofu) commands",fn:function(e){return e2(e,eG,"terraform/tofu commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"terraform/tofu command patterns to allow (e.g. 'terraform plan', 'terraform validate')",default:[]}}},{name:"block-aws-cli",displayTitle:"Tried to run an AWS CLI command",impact:"AWS CLI can spend money or break prod — gated.",description:"Block aws CLI commands",fn:function(e){return e2(e,eJ,"aws CLI commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"aws CLI command patterns to allow (e.g. 'aws s3 ls *', 'aws sts get-caller-identity')",default:[]}}},{name:"block-gcloud",displayTitle:"Tried to run a Google Cloud command",impact:"gcloud can spend money or break prod — gated.",description:"Block gcloud (Google Cloud) CLI commands",fn:function(e){return e2(e,eY,"gcloud commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"gcloud command patterns to allow (e.g. 'gcloud auth list', 'gcloud config list')",default:[]}}},{name:"block-az-cli",displayTitle:"Tried to run an Azure CLI command",impact:"az can spend money or break prod — gated.",description:"Block az (Azure) CLI commands",fn:function(e){return e2(e,eZ,"az (Azure) CLI commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"az CLI command patterns to allow (e.g. 'az account show', 'az group list')",default:[]}}},{name:"block-helm",displayTitle:"Tried to run a Helm command",impact:"Helm releases mutate cluster state — gated.",description:"Block helm commands",fn:function(e){return e2(e,eK,"helm commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"helm command patterns to allow (e.g. 'helm list', 'helm status *')",default:[]}}},{name:"block-gh-pipeline",displayTitle:"Tried to run a privileged GitHub CLI pipeline command",impact:"Catches `gh workflow run`, `gh pr merge`, `gh secret set`, etc.",description:"Block gh CLI pipeline-trigger subcommands (workflow run, run rerun/cancel, pr merge, release create/delete, cache delete, secret set/delete)",fn:function(e){return e2(e,eQ,"gh pipeline-trigger commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"gh pipeline command patterns to allow (e.g. specific scripted invocations); read-only gh subcommands like 'gh pr view' and 'gh run list' are not matched by this policy",default:[]}}},{name:"block-secrets-write",displayTitle:"Tried to write a secret-key file",impact:"Stops the agent from creating `.pem`, `id_rsa`, `credentials.json`, etc.",description:"Block writing secret key files",fn:function(e){if("Write"!==e.toolName)return T();let t=Y(e);if(eT.test(t)||eE.test(t)||eP.test(t))return E("Writing secret key files is blocked");for(let i of e.params?.additionalPatterns??[])if(t.includes(i))return E(`Writing blocked file pattern: ${i}`);return T()},match:{events:["PreToolUse"],toolNames:["Write"]},defaultEnabled:!1,category:"Dangerous Commands",params:{additionalPatterns:{type:"string[]",description:"Additional filename patterns (substrings) to block",default:[]}}},{name:"block-push-master",displayTitle:"Tried to push directly to main/master",impact:"Direct pushes to a protected branch bypass review.",description:"Block pushing to main/master",fn:function(e){if("Bash"!==e.toolName)return T();let t=e.params?.protectedBranches??["main","master"];if(0===t.length)return T();let i=e1(J(e)),n=RegExp(`\\b(?:${t.map(e=>e.replace(/[.*+?^${}()|[\]\\]/g,"\\$&")).join("|")})\\b`);return i.some(e=>n.test(e))?E(`Pushing to ${t.join("/")} is blocked`):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Git",params:{protectedBranches:{type:"string[]",description:"Branch names to protect from direct pushes",default:["main","master"]}}},{name:"block-force-push",displayTitle:"Tried to force-push",impact:"Force-pushes rewrite history and can clobber teammates' work.",description:"Prevent force-pushing to any branch",fn:function(e){return"Bash"!==e.toolName?T():e1(J(e)).some(e=>eS.test(e))?E("Force-pushing is blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"block-work-on-main",displayTitle:"Tried to commit or merge on main/master",impact:"Work should land via PR — direct commits skip review.",description:"Block git commits and merges on main/master branch",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e).match(e$);if(!t)return T();let i=e.session?.cwd;if(!i)return T();let n=eX(i);return n&&(e.params?.protectedBranches??["main","master"]).includes(n)?E(`Git ${t[1]} on ${n} is blocked. Create a feature branch first.`):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git",params:{protectedBranches:{type:"string[]",description:"Branch names where commits/merges are blocked",default:["main","master"]}}},{name:"warn-git-amend",displayTitle:"Used git commit --amend",impact:"Amending after a push rewrites history that others may have pulled.",description:"Warns before amending git commits, which rewrites history",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eI.test(t)?P("STOP: This command amends the last commit, which rewrites git history. If this commit has already been pushed to a shared branch, this will cause divergence for other contributors. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"warn-git-stash-drop",displayTitle:"Tried to drop or clear git stash",impact:"Stash deletions are permanent and silent.",description:"Warns before permanently deleting stashed changes",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eR.test(t)?P("STOP: This command permanently deletes stashed changes (git stash drop/clear). Stash entries cannot be recovered after deletion. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"warn-all-files-staged",displayTitle:"Staged all files with git add -A / .",impact:"Wide stages routinely catch generated files or secrets you didn't intend to commit.",description:"Warns before staging all working tree files with git add -A / . / --all",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return ex.test(t)?P("STOP: This command stages all files in the working tree (git add -A / --all / .). This may inadvertently include build artifacts, generated files, or sensitive files not covered by .gitignore. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"warn-destructive-sql",displayTitle:"Ran destructive SQL (DROP / TRUNCATE / DELETE without WHERE)",impact:"Easy way to wipe a table by accident.",description:"Warn before executing destructive SQL (DROP/TRUNCATE/DELETE without WHERE) via database clients",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return en.test(t)&&(eo.test(t)||es.test(t)&&!ea.test(t))?P("STOP: This command contains destructive SQL (DROP/TRUNCATE/DELETE). Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Database"},{name:"warn-schema-alteration",displayTitle:"Altered a database schema column",impact:"ALTER TABLE operations can lock tables and break readers.",description:"Warns before SQL schema changes (ALTER TABLE with column or rename operations)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return en.test(t)&&er.test(t)?P("STOP: This command contains a schema-altering SQL statement (ALTER TABLE with column or rename operation). Schema changes on production databases are irreversible or disruptive. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Database"},{name:"warn-package-publish",displayTitle:"Tried to publish a package",impact:"Publishes are irreversible — `npm publish` / `cargo publish` shouldn't happen without intent.",description:"Warn before publishing packages to public registries (npm, PyPI, crates.io, RubyGems, etc.)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return el.test(t)?P("STOP: This command publishes a package to a public registry. Confirm with the user that this is intentional."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System"},{name:"warn-global-package-install",displayTitle:"Installed a package globally",impact:"`npm i -g`, `cargo install`, `pip --user` pollute your machine outside the project.",description:"Warns before installing packages globally (npm -g, cargo install, etc.)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eO.test(t)||eB.test(t)||ej.test(t)||e_.test(t)||eD.test(t)||eW.test(t)?P("STOP: This command installs a package globally, which modifies the system-wide environment outside the project. This can conflict with other projects or system tools. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System"},{name:"prefer-package-manager",displayTitle:"Used a non-preferred package manager",impact:"Mixing package managers creates lockfile churn for your team.",description:"Blocks non-preferred package managers and tells Claude to use an allowed one (e.g., uv instead of pip)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);if(!t)return T();let i=e.params?.allowed??[];if(0===i.length)return T();let n=new Set(i.map(e=>e.toLowerCase())),o=e.params?.blocked??[],s=i.join(", ");for(let e of t.split(e4)){let t=e.trim();if(!t)continue;let i=!1;for(let e of n){let n=eU[e];if(n){for(let e of n)if(e.test(t)){i=!0;break}if(i)break}}if(!i){for(let[e,i]of Object.entries(eU))if(!n.has(e)){for(let n of i)if(n.test(t))return E(`"${e}" is not an allowed package manager. Allowed package managers for this project: ${s}. Rewrite this command using an allowed package manager.`)}for(let e of o){let i=e.toLowerCase();if(!n.has(i)&&RegExp(`\\b${i.replace(/[.*+?^${}()|[\]\\]/g,"\\$&")}\\b`).test(t))return E(`"${i}" is not an allowed package manager. Allowed package managers for this project: ${s}. Rewrite this command using an allowed package manager.`)}}}return T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System",params:{allowed:{type:"string[]",description:"Allowed package manager names (e.g. ['uv', 'bun']). Any detected manager not in this list is blocked.",default:[]},blocked:{type:"string[]",description:"Additional manager names to block beyond the built-in list (e.g. ['pdm', 'pipx']).",default:[]}}},{name:"warn-large-file-write",displayTitle:"Wrote a file larger than the configured threshold",impact:"Catches accidentally large file writes (logs, binaries, model dumps).",description:"Warn before writing files larger than 1MB (configurable via thresholdKb param)",fn:function(e){if("Write"!==e.toolName)return T();let t=e.toolInput?.content;if("string"!=typeof t)return T();let i=e.params?.thresholdKb??1024;return t.length>1024*i?P(`STOP: You are writing a file larger than ${i}KB (${Math.round(t.length/1024)}KB). This is unusually large. Confirm this is intentional before proceeding.`):T()},match:{events:["PreToolUse"],toolNames:["Write"]},defaultEnabled:!1,category:"Packages & System",params:{thresholdKb:{type:"number",description:"File size threshold in KB above which a warning is issued",default:1024}}},{name:"warn-background-process",displayTitle:"Started a long-lived background process",impact:"Catches `nohup` / `&` / `screen` / `tmux` / `disown` patterns that the agent often forgets to clean up.",description:"Warns before starting detached or background processes",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eM.test(t)||eL.test(t)||ez.test(t)||eF.test(t)||eH.test(t)?P("STOP: This command starts a background or detached process (nohup, screen -d, tmux -d, or trailing &). Background processes persist after Claude's session and may be difficult to track or stop. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System"},{name:"warn-repeated-tool-calls",displayTitle:"Called the same tool 3+ times with identical arguments",impact:"Usually a sign of a stuck loop burning tokens.",description:"Warn when the same tool is called 3+ times with identical parameters",fn:async function e(e){let t=e.session?.transcriptPath;if(!t||!e.toolName||!e.toolInput)return T();let i=`${t}.tool-calls.json`,n=JSON.stringify({tool:e.toolName,input:e.toolInput}),o={};try{let e=await (0,v.readFile)(i,"utf8");o=JSON.parse(e)}catch{}let s=o[n]??0;if(s>=3)return P(`STOP: You have already called ${e.toolName} ${s} times with identical parameters. This is wasteful and unproductive. Do NOT repeat this call — use a different approach or ask the user for clarification.`);o[n]=s+1;try{let e=JSON.stringify(o);e.length<=65536&&await (0,v.writeFile)(i,e,"utf8")}catch{}return T()},match:{events:["PreToolUse"]},defaultEnabled:!1,category:"AI Behavior"},{name:"require-commit-before-stop",displayTitle:"Stopped with uncommitted changes",impact:"Work not in a commit is invisible to teammates and easy to lose.",description:"Require all changes to be committed before Claude stops",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping commit check.");try{if((0,N.execSync)("git status --porcelain",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim().length>0)return E("You have uncommitted changes in the working directory. Commit all changes now.");return T("All changes are committed.")}catch{return T("Not a git repository, skipping commit check.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow"},{name:"require-push-before-stop",displayTitle:"Stopped with unpushed commits",impact:"Local-only commits won't trigger CI or be reviewable.",description:"Require all commits to be pushed to remote before Claude stops",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping push check.");try{if(!(0,N.execSync)("git remote",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}).trim())return T("No git remote configured, skipping push check.");let i=e.params?.remote??"origin",n=eX(t);if(!n||"HEAD"===n)return T("Detached HEAD, skipping push check.");let o=e.params?.baseBranch??"main";if(n===o)return T(`On base branch "${o}", skipping push check.`);try{if(!(0,N.execFileSync)("git",["log",`${i}/${o}..HEAD`,"--oneline"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No commits ahead of ${i}/${o}, skipping push check.`);if(!(0,N.execFileSync)("git",["diff","--stat",`${i}/${o}`,"HEAD"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No file changes compared to ${i}/${o}, skipping push check.`)}catch{}let s=!1;try{(0,N.execFileSync)("git",["rev-parse","--verify",`${i}/${n}`],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}),s=!0}catch{}if(!s)return E(`Branch "${n}" has not been pushed to remote "${i}". Run now: git push -u ${i} ${n}`);let a=(0,N.execFileSync)("git",["log",`${i}/${n}..HEAD`,"--oneline"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim();if(a.length>0){let e=a.split("\n").length;return E(`You have ${e} unpushed commit${e>1?"s":""} on branch "${n}". Run now: git push`)}return T(`All commits pushed to "${i}".`)}catch{return T("Could not check push status, skipping.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow",params:{remote:{type:"string",description:"Remote name to push to (default: origin)",default:"origin"},baseBranch:{type:"string",description:"Base branch to compare against (default: main)",default:"main"}}},{name:"require-pr-before-stop",displayTitle:"Stopped without a PR for the branch",impact:"Branches without PRs don't get reviewed.",description:"Require a pull request to exist for the current branch before Claude stops",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping PR check.");try{let i;try{(0,N.execSync)("gh --version",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3})}catch{return T("GitHub CLI (gh) not installed, skipping PR check.")}let n=eX(t);if(!n||"HEAD"===n)return T("Detached HEAD, skipping PR check.");let o=e.params?.baseBranch??"main";if(n===o)return T(`On base branch "${o}", skipping PR check.`);try{if(!(0,N.execFileSync)("git",["log",`origin/${o}..HEAD`,"--oneline"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No commits ahead of origin/${o}, skipping PR check.`);if(!(0,N.execFileSync)("git",["diff","--stat",`origin/${o}`,"HEAD"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No file changes compared to origin/${o}, skipping PR check.`)}catch{}try{i=(0,N.execSync)("gh pr view --json number,url,state",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim()}catch{return E(`No pull request found for branch "${n}". Run now: gh pr create`)}let s=JSON.parse(i);if("OPEN"===s.state)return T(`PR #${s.number} exists: ${s.url}`);if("MERGED"===s.state)return T(`PR #${s.number} was merged: ${s.url}. Switch off this branch (e.g. 'git checkout ${o} && git pull') before stopping again.`);return E(`Pull request for branch "${n}" is ${s.state.toLowerCase()}. Run now: gh pr create`)}catch{return T("Could not check PR status, skipping.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow",params:{baseBranch:{type:"string",description:"Base branch to compare against (default: main)",default:"main"}}},{name:"require-no-conflicts-before-stop",displayTitle:"Stopped with a branch that conflicts with main",impact:"Conflicting branches can't merge — surface them early.",description:"Require the current branch to merge cleanly with the base branch before Claude stops",fn:function(e){let t,i,n=e.session?.cwd;if(!n)return T("No working directory available, skipping conflict check.");let o=eX(n);if(!o||"HEAD"===o)return T("Detached HEAD, skipping conflict check.");let s=e.params?.baseBranch??"main";if(o===s)return T(`On base branch "${s}", skipping conflict check.`);try{(0,N.execSync)("gh --version",{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3})}catch{return T("gh CLI not installed, skipping conflict check.")}try{t=(0,N.execSync)("gh pr view --json mergeable,number,url,state",{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim()}catch{return T("No pull request found for branch, skipping conflict check.")}try{i=JSON.parse(t)}catch{return T("Could not parse gh pr view output, skipping conflict check.")}if("OPEN"!==i.state)return T(`PR #${i.number} is ${i.state.toLowerCase()}; skipping conflict check.`);try{(0,N.execFileSync)("git",["rev-parse","--verify",`origin/${s}`],{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}),(0,N.execFileSync)("git",["log",`origin/${s}..HEAD`,"--oneline"],{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim()&&(0,N.execFileSync)("git",["merge-tree","--write-tree","--name-only",`origin/${s}`,"HEAD"],{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:1e4})}catch(e){if(1===e.status){let t=("string"==typeof e.stdout?e.stdout:e.stdout?.toString("utf8")??"").trim().split("\n"),i=[];for(let e=1;e<t.length;e++){let n=t[e];if(""===n)break;i.push(n)}let n=i.length?i.join(", "):"one or more files";return E(`Branch "${o}" has merge conflicts with ${s} in: ${n}. Rebase or merge origin/${s} now and resolve the conflicts.`)}}return"CONFLICTING"===i.mergeable?E(`PR #${i.number} has merge conflicts per GitHub (${i.url}). Rebase or merge origin/${s} now and resolve the conflicts.`):"UNKNOWN"===i.mergeable?E(`GitHub is still computing mergeability for PR #${i.number} (${i.url}). Wait ~10 seconds, then re-check with \`gh pr view --json mergeable\` before attempting to stop again.`):T(`PR #${i.number} merges cleanly per GitHub.`)},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow",params:{baseBranch:{type:"string",description:"Base branch to check for conflicts against (default: main)",default:"main"}}},{name:"require-ci-green-before-stop",displayTitle:"Stopped with failing CI",impact:"Failing CI blocks deploy.",description:"Require CI checks to pass on the current HEAD commit before Claude stops (ignores stale runs on prior commits)",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping CI check.");try{try{(0,N.execSync)("gh --version",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3})}catch{return T("GitHub CLI (gh) not installed, skipping CI check.")}let e=eX(t);if(!e||"HEAD"===e)return T("Detached HEAD, skipping CI check.");let i=function(e){try{return(0,N.execSync)("git rev-parse HEAD",{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}).trim()||null}catch{return null}}(t),n=[];try{let o=(0,N.execFileSync)("gh",["run","list","--branch",e,"--limit","20","--json","status,conclusion,name,headSha"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim();if(o&&"[]"!==o){let e=JSON.parse(o),t=i?e.filter(e=>e.headSha===i):e,s=new Set;n=t.filter(e=>!s.has(e.name)&&(s.add(e.name),!0))}}catch{}let o=[],s=[];i&&(o=function(e,t){try{let i=(0,N.execFileSync)("gh",["api",`repos/{owner}/{repo}/commits/${t}/check-runs`,"--jq",'.check_runs | map(select(.app.slug != "github-actions")) | map({name: .name, status: .status, conclusion: (.conclusion // "")})'],{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim();if(!i||"[]"===i)return[];return JSON.parse(i)}catch{return[]}}(t,i),s=function(e,t){try{let i=(0,N.execFileSync)("gh",["api",`repos/{owner}/{repo}/commits/${t}/statuses`,"--jq","map({name: .context, state: .state}) | unique_by(.name)"],{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim();if(!i||"[]"===i)return[];return JSON.parse(i).map(e=>({name:e.name,status:"pending"===e.state?"in_progress":"completed",conclusion:"pending"===e.state?"":"success"===e.state?"success":"failure"}))}catch{return[]}}(t,i));let a=[...n,...o,...s];if(0===a.length)return T(`No CI runs found for branch "${e}".`);let r=a.filter(e=>"completed"===e.status&&"success"!==e.conclusion&&"skipped"!==e.conclusion&&"cancelled"!==e.conclusion&&"neutral"!==e.conclusion);if(r.length>0){let t=r.map(e=>`"${e.name}"`).join(", ");return E(`CI checks are failing on branch "${e}": ${t}. Fix the failing checks now.`)}let l=a.filter(e=>"in_progress"===e.status||"queued"===e.status||"waiting"===e.status);if(l.length>0){let t=l.map(e=>`"${e.name}"`).join(", ");return E(`CI checks are still running on branch "${e}": ${t}. Wait for all checks to complete, then verify they pass.`)}return T(`All CI checks passed on branch "${e}".`)}catch{return T("Could not check CI status, skipping.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow"}];function e5(e){if(!(0,O.existsSync)(e))return{};try{let t=(0,O.readFileSync)(e,"utf8");return JSON.parse(t)}catch(t){return H(`failed to parse config at ${e}: ${t instanceof Error?t.message:String(t)}`),{}}}let e9=["claude","codex","copilot","cursor","opencode","pi","gemini"],e7={apply_patch:"Edit",write_stdin:"Bash"},te={bash:"Bash",powershell:"Bash",list_bash:"Bash",read_bash:"Bash",stop_bash:"Bash",write_bash:"Bash",list_powershell:"Bash",read_powershell:"Bash",stop_powershell:"Bash",write_powershell:"Bash",read:"Read",view:"Read",show_file:"Read",write:"Write",create:"Write",edit:"Edit",apply_patch:"Edit",str_replace_editor:"Edit",glob:"Glob",grep:"Grep",rg:"Grep",ls:"LS",web_fetch:"WebFetch"},tt={Shell:"Bash"},ti={bash:"Bash",read:"Read",write:"Write",edit:"Edit",apply_patch:"Edit",glob:"Glob",grep:"Grep",list:"LS",webfetch:"WebFetch",websearch:"WebSearch",todowrite:"TodoWrite",todoread:"TodoRead"},tn={Read:{filePath:"file_path"},Write:{filePath:"file_path"},Edit:{filePath:"file_path",oldString:"old_string",newString:"new_string",replaceAll:"replace_all"}},to={bash:"Bash",read:"Read",write:"Write",edit:"Edit",glob:"Glob",grep:"Grep"},ts={Read:{path:"file_path"},Write:{path:"file_path"},Edit:{path:"file_path"}},ta={run_shell_command:"Bash",read_file:"Read",read_many_files:"Read",write_file:"Write",replace:"Edit",glob:"Glob",grep_search:"Grep",list_directory:"LS",web_fetch:"WebFetch",google_web_search:"WebSearch",write_todos:"TodoWrite",save_memory:"Memory",ask_user:"AskUser"};var tr=e.i(81580);let tl=/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i;var tc=e.i(54214);function td(e,t){let i=[];for(let o of e)if("assistant"===o.type)for(let e of o.message.content){var n;let s;if("tool_use"!==e.type)continue;let a=e.name,r=(n=t.cli,(a?"copilot"===n?te[a]??a:"cursor"===n?tt[a]??a:"codex"===n?e7[a]??a:"gemini"===n?ta[a]??a:"opencode"===n?ti[a]??a:"pi"===n?to[a]??a:a:a)??a),l=function(e,t,i){let n;if(!e||!t||"object"!=typeof t||Array.isArray(t)||("opencode"===i?n=tn[e]:"pi"===i&&(n=ts[e]),!n))return t;let o={};for(let[e,i]of Object.entries(t))o[n[e]??e]=i;return o}(r,e.input,t.cli);e.result?.content&&(s=function(e){let t=Buffer.from(e,"utf-8");if(t.byteLength<=65536)return e;let i=65536;for(;i>0&&(192&t[i])==128;)i--;return t.subarray(0,i).toString("utf-8")}(e.result.content)),i.push({cli:t.cli,sessionId:t.sessionId,transcriptPath:t.transcriptPath,cwd:t.cwd,timestamp:o.timestamp,toolName:r,rawToolName:a,toolInput:l??{},toolResultText:s})}return i}async function tp(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of function(){let e,t=(0,tr.getClaudeProjectsPath)();try{e=(0,O.readdirSync)(t,{withFileTypes:!0})}catch{return[]}return e.filter(e=>e.isDirectory()).map(e=>({name:e.name,cwd:(0,tr.decodeFolderName)(e.name),path:(0,k.join)(t,e.name)}))}()){let o;if(!t||t.has(e.cwd)){try{o=function(e){let t,i=[];try{t=(0,O.readdirSync)(e.path,{withFileTypes:!0})}catch{return i}for(let n of t)if(n.isFile()&&n.name.endsWith(".jsonl")){let t=n.name.slice(0,-6);if(!tl.test(t))continue;let o=(0,k.join)(e.path,n.name);try{let n=(0,O.statSync)(o);i.push({projectName:e.name,cwd:e.cwd,sessionId:t,transcriptPath:o,mtimeMs:n.mtimeMs,sizeBytes:n.size,isSubagent:!1})}catch{}}else if(n.isDirectory()&&tl.test(n.name)){let t,o=(0,k.join)(e.path,n.name,"subagents");if(!(0,O.existsSync)(o))continue;try{t=(0,O.readdirSync)(o,{withFileTypes:!0})}catch{continue}for(let n of t){if(!n.isFile()||!n.name.endsWith(".jsonl"))continue;let t=n.name.slice(0,-6),s=(0,k.join)(o,n.name);try{let n=(0,O.statSync)(s);i.push({projectName:e.name,cwd:e.cwd,sessionId:t,transcriptPath:s,mtimeMs:n.mtimeMs,sizeBytes:n.size,isSubagent:!0})}catch{}}}return i}(e)}catch{continue}for(let t of o)t.mtimeMs<i||n.push({cli:"claude",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.transcriptPath,mtimeMs:t.mtimeMs,sizeBytes:t.sizeBytes})}}return n}async function tu(e){let t,i;try{t=await (0,v.readFile)(e.transcriptPath,"utf-8")}catch{return[]}try{i=await (0,tc.parseLogContent)(t,"session")}catch{return[]}let n="";for(let e of t.split("\n",50))if(e.trim())try{let t=JSON.parse(e);if("string"==typeof t.cwd&&t.cwd.length>0){n=t.cwd;break}}catch{}return td(i,{cli:"claude",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:n})}var tm=e.i(36203),tf=e.i(57232);async function th(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tm.getCodexProjects)())){let{cwd:o,sessions:s}=await (0,tm.getCodexSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"codex",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tg(e){let t=await (0,tf.getCodexSessionLog)(e.sessionId);return t?td(t.entries,{cli:"codex",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var ty=e.i(55851),tb=e.i(78166);async function tw(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,ty.getCopilotProjects)())){let{cwd:o,sessions:s}=await (0,ty.getCopilotSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"copilot",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tk(e){let t=await (0,tb.getCopilotSessionLog)(e.sessionId);return t?td(t.entries,{cli:"copilot",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tv=e.i(46413),tN=e.i(72094);async function tS(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tv.getCursorProjects)())){let{cwd:o,sessions:s}=await (0,tv.getCursorSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"cursor",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tT(e){let t=await (0,tN.getCursorSessionLog)(e.sessionId);return t?td(t.entries,{cli:"cursor",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tE=e.i(35435),tP=e.i(99440);async function t$(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tE.getOpenCodeProjects)())){let{cwd:o,sessions:s}=await (0,tE.getOpenCodeSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();!(o<i)&&t.sessionId&&n.push({cli:"opencode",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:0})}}return n}async function tA(e){let t=await (0,tP.getOpenCodeSessionLog)(e.sessionId);return t?td(t.entries,{cli:"opencode",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tC=e.i(19791),tI=e.i(85116);async function tR(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tC.getPiProjects)())){let{cwd:o,sessions:s}=await (0,tC.getPiSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"pi",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tx(e){let t=await (0,tI.getPiSessionLog)(e.sessionId);return t?td(t.entries,{cli:"pi",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tO=e.i(90172),tB=e.i(88153);let tj={claude:{cli:"claude",listTranscripts:tp,streamEvents:tu},codex:{cli:"codex",listTranscripts:th,streamEvents:tg},copilot:{cli:"copilot",listTranscripts:tw,streamEvents:tk},cursor:{cli:"cursor",listTranscripts:tS,streamEvents:tT},opencode:{cli:"opencode",listTranscripts:t$,streamEvents:tA},pi:{cli:"pi",listTranscripts:tR,streamEvents:tx},gemini:{cli:"gemini",listTranscripts:async function(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tO.getGeminiProjects)())){let{cwd:o,sessions:s}=await (0,tO.getGeminiSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"gemini",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n},streamEvents:async function(e){let t=await (0,tB.getGeminiSessionLog)(e.sessionId);return t?td(t.entries,{cli:"gemini",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}}},t_=/\.(?:ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|swift|rb|php|c|h|cc|cpp|hpp|cs|scala|sh|bash|zsh|json|yaml|yml|toml|md|txt|sql|html|css|scss|sass)$/i,tD=["/","/home","/usr","/etc","/var","/opt","/Users"],tW="rereadAfterEdit",tU=[{name:"redundant-cd-cwd",description:"Bash commands prefixed with `cd <cwd> && …` even though commands already run in cwd.",category:"Wasteful",severity:"info",displayTitle:"Prepended cd <cwd> before commands",impact:"Pure waste — your agent's shell already runs in `cwd`.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t||!e.cwd)return null;let i=t.trimStart(),n=/^cd\s+(?:"([^"]+)"|'([^']+)'|(\S+))\s*&&\s*([\s\S]+)$/.exec(i);if(!n)return null;let o=(n[1]??n[2]??n[3]??"").replace(/\/+$/,"");if(o!==e.cwd.replace(/\/+$/,""))return null;let s=n[4].trim();return{example:`cd ${o} && ${s}`}}},{name:"prefer-edit-over-read-cat",description:"Bash `cat`/`head`/`tail`/`less`/`more` on a single source file — use Read.",category:"Wasteful",severity:"info",displayTitle:"Used `cat`/`head`/`tail` on a source file",impact:"Burns tokens; the Read tool returns content directly without going through Bash output.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;let i=t.trim();if(/[|<>;&`$()]/.test(i))return null;let n=/^(cat|head|tail|less|more)\s+(?:-\S+\s+)*(?:"([^"]+)"|'([^']+)'|(\S+))\s*$/.exec(i);if(!n)return null;let o=n[2]??n[3]??n[4]??"";return!o||/(?:^|\/)\.env(?:\..+)?$/.test(o)||!t_.test(o)?null:{example:i}}},{name:"prefer-edit-over-sed-awk",description:"Bash `sed -i`/`awk` in-place edits — use Edit.",category:"Wasteful",severity:"info",displayTitle:"Used sed -i or awk for an in-place edit",impact:"Edit tool is safer and produces a diff the agent can verify.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;let i=t.trim();return/(?:^|\s|;|&&|\|\|)sed\b[^|]*\s-i(?=\b|['"])/.test(i)||/(?:^|\s|;|&&|\|\|)awk\b[^|]*\s>\s*\S+/.test(i)&&!/\|/.test(i)?{example:i}:null}},{name:"prefer-write-over-heredoc",description:"Bash heredoc / `echo > file` writing multi-line content — use Write.",category:"Wasteful",severity:"info",displayTitle:"Used heredoc / `echo > file` to write a multi-line file",impact:"Write tool handles escaping and is verifiable.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;return"string"!=typeof t?null:/<<-?\s*['"]?[A-Za-z_][A-Za-z0-9_]*['"]?\s*>\s*\S/.test(t)||/(?:^|\s|;|&&|\|\|)(?:echo|printf)\s+["'][^"']*\n[^"']*["']\s*>\s*\S/.test(t)?{example:t.replace(/\s+/g," ").trim().slice(0,160)}:null}},{name:"sleep-polling-loop",description:"Bash long `sleep` or while-sleep polling loops.",category:"Wasteful",severity:"info",displayTitle:"Used a long sleep or while-sleep polling loop",impact:"Burns wall-clock; better to wait for an explicit signal.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;if(/\bwhile\b[\s\S]*?\bsleep\b[\s\S]*?\bdone\b/.test(t))return{example:t.replace(/\s+/g," ").trim().slice(0,160)};let i=/\bsleep\s+(\d+(?:\.\d+)?)(m|h|d)?\b/.exec(t);if(i){let e=parseFloat(i[1]),n=i[2]??"s";if(("m"===n?60*e:"h"===n?3600*e:"d"===n?86400*e:e)>=30)return{example:t.replace(/\s+/g," ").trim().slice(0,160)}}return null}},{name:"find-from-root",description:"Bash `find` against `/`, `/home`, `/usr`, etc. — scope to cwd instead.",category:"Risky",severity:"warn",displayTitle:"Ran find from /, /home, /usr, etc.",impact:"Filesystem-wide finds exhaust resources and rarely return useful results.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;let i=t.trim(),n=/(?:^|[\s;|&])find\s+(?:-\S+\s+)*("[^"]+"|'[^']+'|\S+)/.exec(i);if(!n)return null;let o=n[1].replace(/^["']|["']$/g,"").replace(/\/+$/,"")||"/";return tD.includes(o)?{example:i.slice(0,160)}:null}},{name:"git-commit-no-verify",description:"git commit invoked with --no-verify / -n, skipping hooks.",category:"Risky",severity:"warn",displayTitle:"Committed with --no-verify",impact:"Skips pre-commit hooks that exist to catch broken or unsafe code.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;return"string"!=typeof t?null:/\bgit\s+commit\b/.test(t)&&(/\s--no-verify\b/.test(t)||/\s-n\b/.test(t))?{example:t.replace(/\s+/g," ").trim().slice(0,160)}:null}},{name:"reread-after-edit",description:"Read of a file that was just Edit'd or Write'n in the same session.",category:"Wasteful",severity:"info",displayTitle:"Re-read a file it just edited",impact:"Edit/Write already returned the updated content; the second Read is wasted tokens.",detect(e,t){let i,n=((i=t[tW])||(i={countdown:new Map},t[tW]=i),i),o=e.toolInput.file_path,s="string"==typeof o?o:null;for(let[e,t]of n.countdown)t<=1?n.countdown.delete(e):n.countdown.set(e,t-1);return s?"Edit"===e.toolName||"Write"===e.toolName?(n.countdown.set(s,5),null):"Read"===e.toolName&&n.countdown.has(s)?(n.countdown.delete(s),{example:`Read ${s} immediately after Edit/Write`}):null:null}}],tM=["cowboy","explorer","ghost","optimist","hammer","architect"],tL={explorer:.38,architect:.33,hammer:.11,cowboy:.11,optimist:.07,ghost:.01,precision:0,goldfish:0},tz={optimist:0,cowboy:0,explorer:0,goldfish:0,architect:0,precision:0,hammer:0,ghost:0};for(let e of tM)tz[e]=Math.max(tL[e],.05);var tF=e.i(66680);let tH=null,tq=null;function tG(){if(tH)return tH;let e=e6.map(e=>`${e.name}|${e.fn.toString()}`).sort().join("\n");return tH=(0,tF.createHash)("sha1").update(e).digest("hex").slice(0,16)}function tJ(){if(tq)return tq;let e=tU.map(e=>`${e.name}|${e.detect.toString()}`).sort().join("\n");return tq=(0,tF.createHash)("sha1").update(e).digest("hex").slice(0,16)}function tY(e){let t=(0,k.join)((0,S.homedir)(),".failproofai","cache","audit"),i=(0,tF.createHash)("sha1").update(e).digest("hex");return(0,k.join)(t,`${i}.json`)}var tZ=e.i(24214),tK=e.i(28067);let tQ=tK.POSTHOG_API_KEY;async function tV(e,t,i){if("1"===process.env.FAILPROOFAI_TELEMETRY_DISABLED)return;let n=JSON.stringify({api_key:process.env.FAILPROOFAI_POSTHOG_KEY??tQ,event:t,distinct_id:e,properties:{...i,$lib:"failproofai-hooks",failproofai_version:tZ.version,product:tK.POSTHOG_PRODUCT}});try{await fetch(process.env.FAILPROOFAI_POSTHOG_HOST?`${process.env.FAILPROOFAI_POSTHOG_HOST}/capture/`:"https://us.i.posthog.com/capture/",{method:"POST",headers:{"Content-Type":"application/json"},body:n,signal:AbortSignal.timeout(5e3)})}catch{}}var tX=e.i(10659);function t0(e,t){let i=e.trim(),n="string"==typeof t?t.trim():"";return n?i?`${i}. ${n}`:n:i}let t1=new Map(e6.filter(e=>e.params).map(e=>[I(e.name),e.params]));function t3(e,t){if(!e?.policyParams)return;let i=e.policyParams[t];if(i)return i;let n=`${C}/`;if(t.startsWith(n))return e.policyParams[t.slice(n.length)]}async function t8(e,t,i,n){let o=t.tool_name,s=t.tool_input,a=function(e,t){let i=globalThis[A];i||R(i=new Map);let n=`${e}:${t??""}`,o=i.get(n);if(o)return o;let s=x().filter(i=>(!i.match.events||!(i.match.events.length>0)||!!i.match.events.includes(e))&&(!i.match.toolNames||!(i.match.toolNames.length>0)||!!t&&!!i.match.toolNames.includes(t))).sort((e,t)=>t.priority-e.priority);return i.set(n,s),s}(e,o);if(F(`evaluating ${a.length} policies for ${e}`),0===a.length)return{exitCode:0,stdout:"",stderr:"",policyName:null,reason:null,decision:"allow"};let r={eventType:e,payload:t,toolName:o,toolInput:s,session:i,cli:i?.cli},l=[],c=[];for(let t of a){let o,s,a=t1.get(t.name);if(a){let e=t3(n,t.name)??{},i={};for(let[t,n]of Object.entries(a))i[t]=t in e?e[t]:n.default;o={...r,params:i}}else o={...r,params:{}};try{s=await t.fn(o)}catch(o){let n=o instanceof Error?o.message:String(o);H(`policy "${t.name}" threw: ${n}`),t.name.startsWith("custom/")||t.name.startsWith(".failproofai-")||tV((0,tX.getInstanceId)(),"policy_evaluation_error",{policy_name:t.name,event_type:e,cli:i?.cli??null,error_type:o instanceof Error?o.name:"unknown"});continue}if("deny"===s.decision){let a,r=t0(s.reason??`Blocked by policy: ${t.name}`,t3(n,t.name)?.hint);F(`deny by "${t.name}": ${r}`),a=o.toolName?o.toolName:"UserPromptSubmit"===e?"prompt":"SessionStart"===e?"session start":"SessionEnd"===e?"session end":"Stop"===e?"stop":"operation";let l=`Blocked ${a} by failproofai because: ${r}, as per the policy configured by the user`;if(i?.cli==="cursor"){if("Stop"===e||"SubagentStop"===e)return{exitCode:0,stdout:JSON.stringify({followup_message:`MANDATORY ACTION REQUIRED from failproofai (policy: ${t.name}): ${r}
|
|
3
|
+
`;(0,O.appendFileSync)(i,o,"utf-8")}catch{}}function F(e){M("info")&&(L("INFO",e),z("INFO",e))}function H(e){M("warn")&&(L("WARN",e),z("WARN",e))}let q=function(e){let t=e.replaceAll("\\","/");for(let e of[".claude",".codex",".copilot",".cursor",".opencode",".pi",".gemini"]){let i=(0,k.join)((0,S.homedir)(),e).replaceAll("\\","/");if(t===i||t.startsWith(i+"/"))return!0}for(let e of[(0,k.join)(".config","opencode"),(0,k.join)(".local","share","opencode")]){let i=(0,k.join)((0,S.homedir)(),e).replaceAll("\\","/");if(t===i||t.startsWith(i+"/"))return!0}return!1},G=function(e){return!!(/[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(e)||/[\\/]\.codex[\\/]hooks\.json$/.test(e)||/[\\/]\.copilot[\\/]hooks[\\/][^/\\]+\.json$/.test(e)||/[\\/]\.github[\\/]hooks[\\/][^/\\]+\.json$/.test(e)||/[\\/]\.cursor[\\/]hooks\.json$/.test(e)||/[\\/]\.opencode[\\/]opencode\.jsonc?$/.test(e)||/[\\/]\.opencode[\\/]plugins[\\/][^/\\]+\.(?:mjs|js|ts)$/.test(e)||/[\\/]\.config[\\/]opencode[\\/]opencode\.jsonc?$/.test(e)||/[\\/]\.config[\\/]opencode[\\/]config\.json$/.test(e)||/[\\/]\.config[\\/]opencode[\\/]plugins[\\/][^/\\]+\.(?:mjs|js|ts)$/.test(e)||/[\\/]\.pi[\\/](?:agent[\\/])?settings\.json$/.test(e)||/[\\/]\.pi[\\/](?:agent[\\/])?extensions[\\/]/.test(e)||/[\\/]\.gemini[\\/]settings\.json$/.test(e)||/[\\/]\.gemini[\\/]hooks[\\/]/.test(e))};function J(e){return e.toolInput?.command??""}function Y(e){return e.toolInput?.file_path??""}function Z(e){return e.trim().split(/\s+/).map(e=>e.replace(/^['"]|['"]$/g,""))}let K=new Set(["&&","||","|",";"]),Q=/[;&<>`$()\\]/,V=/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/,X=[[/sk-ant-[A-Za-z0-9\-_]{20,}/,"Anthropic API key"],[/sk-proj-[A-Za-z0-9\-_]{20,}/,"OpenAI project API key"],[/sk-[A-Za-z0-9]{20,}/,"OpenAI API key"],[/ghp_[A-Za-z0-9]{36}/,"GitHub personal access token"],[/github_pat_[A-Za-z0-9_]{82}/,"GitHub fine-grained token"],[/AKIA[A-Z0-9]{16}/,"AWS access key ID"],[/sk_live_[A-Za-z0-9]{24,}/,"Stripe live secret key"],[/sk_test_[A-Za-z0-9]{24,}/,"Stripe test secret key"],[/AIza[0-9A-Za-z\-_]{35}/,"Google API key"]],ee=/(?:postgresql|postgres|mysql|mongodb(?:\+srv)?|redis|amqps?|smtps?):\/\/[^@\s]+@/,et=/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/,ei=/Authorization:\s*Bearer\s+[A-Za-z0-9\-._~+/]{20,}/i,en=/\b(?:psql|mysql|sqlite3|pgcli|clickhouse-client)\b/,eo=/\b(?:DROP\s+(?:TABLE|DATABASE|SCHEMA)|TRUNCATE\b)/i,es=/\bDELETE\s+FROM\b/i,ea=/\bWHERE\b/i,er=/\bALTER\s+TABLE\b[\s\S]*\b(?:DROP\s+COLUMN|ADD\s+COLUMN|RENAME\s+(?:COLUMN|TO)|MODIFY\s+COLUMN)\b/i,el=/(?:npm\s+publish|bun\s+publish|pnpm\s+publish|yarn\s+npm\s+publish|twine\s+upload|poetry\s+publish|cargo\s+publish|gem\s+push)\b/,ec=/(?:^|\s|;|&&|\|\|)(?:env|printenv)(?:\s|$|;|&&|\|)/,ed=/echo\s+.*\$\{?[A-Za-z_]/,ep=/(?:^|\s|;|&&|\|\|)export\s+\w+/,eu=/\$env:[A-Za-z_]/i,em=/(?:Get-ChildItem|dir|gci|ls)\s+Env:/i,ef=/\[Environment\]::GetEnvironment/i,eh=/echo\s+%[A-Za-z_]/i,eg=/(?:^|[\\/])\.env(?:\.|$)/,ey=/\.env(?:\b|\s|$|\.)/,eb=/(?:^|;|&&|\|\|)\s*sudo\s/,ew=/Start-Process\s+.*-Verb\s+RunAs/i,ek=/(?:^|;|&&|\|\|)\s*runas\s/i,ev=/(?:curl|wget)\s.*\|\s*(?:sh|bash|zsh|dash|ksh|csh|tcsh|fish|ash)\b/,eN=/(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\s+.*\|\s*(?:Invoke-Expression|iex)/i,eS=/(?:--force|-f\b)/,eT=/\.(?:pem|key)$/,eE=/id_rsa/,eP=/credentials/,e$=/git\s+(commit|merge|rebase|cherry-pick)\b/,eC=/(?:^|;|&&|\|\||\|)\s*failproofai(?:\s|$)/,eA=/(?:npm\s+(?:uninstall|remove|un|r)\s.*failproofai|bun\s+remove\s.*failproofai|yarn\s+global\s+remove\s+failproofai|pnpm\s+(?:remove|uninstall|un)\s.*failproofai)/,eI=/\bgit\s+commit\b.*--amend\b/,eR=/\bgit\s+stash\s+(?:drop|clear)\b/,ex=/\bgit\s+add\s+(?:-A\b|--all\b|\.(?:\s|$|;|&&|\|\|))/,eO=/\bnpm\s+(?:install|i)\b(?=.*(?:\s-g\b|--global\b))/,eB=/\byarn\s+global\s+add\b/,e_=/\bpnpm\s+(?:add|install|i)\b(?=.*(?:\s-g\b|--global\b))/,ej=/\bbun\s+(?:install|add)\b(?=.*(?:\s-g\b|--global\b))/,eD=/\bcargo\s+install\b/,eW=/\bpip(?:3)?\s+install\b(?=.*(?:--user\b|--break-system-packages\b))/,eU={pip:[/\bpip\b/,/\bpip3\b/,/\bpython3?\s+-m\s+pip\b/],npm:[/\bnpm\b/,/\bnpx\b/],yarn:[/\byarn\b/],pnpm:[/\bpnpm\b/,/\bpnpx\b/],bun:[/\bbun\b/,/\bbunx\b/],uv:[/\buv\b/],poetry:[/\bpoetry\b/],pipenv:[/\bpipenv\b/],conda:[/\bconda\b/],cargo:[/\bcargo\b/]},eM=/\bnohup\s+\S/,eL=/\bscreen\s+-[A-Za-z]*d[A-Za-z]*\b/,ez=/\btmux\s+(?:new-session|new)\b[^|&;]*-d\b/,eF=/\bdisown\b/,eH=/(?<![&|])\s?&\s*(?:$|#|;)/,eq=/(?:^|[;\n]|&&|\|\|?|&)\s*kubectl(?:\s|$)/,eG=/(?:^|[;\n]|&&|\|\|?|&)\s*(?:terraform|tofu)(?:\s|$)/,eJ=/(?:^|[;\n]|&&|\|\|?|&)\s*aws(?:\s|$)/,eY=/(?:^|[;\n]|&&|\|\|?|&)\s*gcloud(?:\s|$)/,eZ=/(?:^|[;\n]|&&|\|\|?|&)\s*az(?:\s|$)/,eK=/(?:^|[;\n]|&&|\|\|?|&)\s*helm(?:\s|$)/,eQ=/(?:^|[;\n]|&&|\|\|?|&)\s*gh\s+(?:workflow\s+(?:run|enable|disable)|run\s+(?:rerun|cancel)|pr\s+merge|release\s+(?:create|delete)|cache\s+delete|secret\s+(?:set|delete))\b/,eV=new Map;function eX(e){try{let t=eV.get(e);return void 0===t&&(t=(0,N.execSync)("git rev-parse --abbrev-ref HEAD",{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}).trim(),eV.set(e,t)),t||null}catch{return null}}function e0(e,t){let i=Z(e),n=Z(t);return!(i.length<n.length||i.some(e=>K.has(e))||i.some(e=>Q.test(e)))&&n.every((e,t)=>"*"===e||e===i[t])}function e1(e){return e.split(/&&|\|\||[|;\n]/).map(e=>e.trim()).filter(e=>/^git\s+push\s/.test(e)).map(e=>e.replace(/^git\s+push\s+/,""))}function e3(e,t){if(0===t.length)return!1;let i=e.split(/&&|\|\||[|;\n]/).map(e=>e.trim()).filter(e=>/\brm\b/.test(e));if(0===i.length)return!1;for(let e of i){let i=Z(e),n=i.findIndex(e=>"rm"===e);if(n<0)continue;let o=i.slice(n+1).filter(e=>/^-[^-]/.test(e)),s=i.slice(n+1).filter(e=>/^--/.test(e));if(/r/i.test(o.join(""))||s.some(e=>/^--recursive$/i.test(e)))for(let o of i.slice(n+1).filter(e=>!e.startsWith("-"))){let i=o.replace(/\/\*$/,"").replace(/\/+$/,"")||"/";if(!t.some(e=>{let t=e.replace(/\/+$/,"")||"/";return i===t||i.startsWith(t+"/")})&&!t.some(t=>{let i=t.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");return RegExp(`${i}(?:[/"'\\s/*]|$)`).test(e)}))return!1}}return!0}let e8=/(?:^|;|&&|\|\||\|)\s*(?:ls|find|cat|head|tail|less|more|wc|file|stat|tree|du)\s/;function e2(e,t,i){if("Bash"!==e.toolName)return T();let n=J(e);return!t.test(n)||(e.params?.allowPatterns??[]).some(e=>e0(n,e))?T():E(i)}let e6=/\s*(?:&&|\|\||\||;)\s*/,e4=[{name:"sanitize-jwt",description:"Stop Claude from reading JWTs in tool responses",displayTitle:"Redacted JWT tokens from tool output",impact:"Stops the agent from echoing auth tokens it saw in command output.",fn:function(e){let t=JSON.stringify(e.payload);return V.test(t)?{decision:"deny",reason:"JWT token detected in tool output",message:"[REDACTED: JWT token removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"sanitize-api-keys",description:"Stop Claude from reading API keys (OpenAI, Anthropic, GitHub, AWS, Stripe, Google) in tool responses",displayTitle:"Redacted API keys from tool output",impact:"Catches OpenAI / Anthropic / GitHub / AWS / Stripe / Google keys before the model sees them.",fn:function(e){let t=JSON.stringify(e.payload);for(let[e,i]of X)if(e.test(t))return{decision:"deny",reason:`${i} detected in tool output`,message:`[REDACTED: ${i} removed by failproofai]`};for(let{regex:i,label:n}of e.params?.additionalPatterns??[])try{if(new RegExp(i).test(t))return{decision:"deny",reason:`${n} detected in tool output`,message:`[REDACTED: ${n} removed by failproofai]`}}catch{H(`additionalPatterns: invalid regex "${i}", skipping`)}return T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize",params:{additionalPatterns:{type:"pattern[]",description:"Additional API key patterns to scrub, each with { regex, label }",default:[]}}},{name:"sanitize-connection-strings",description:"Stop Claude from reading database connection strings with embedded credentials in tool responses",displayTitle:"Redacted database connection strings from tool output",impact:"Strips embedded DB credentials before they reach the model context.",fn:function(e){let t=JSON.stringify(e.payload);return ee.test(t)?{decision:"deny",reason:"Database connection string with credentials detected in tool output",message:"[REDACTED: connection string removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"sanitize-private-key-content",description:"Stop Claude from reading PEM private key content in tool responses",displayTitle:"Redacted PEM private keys from tool output",impact:"Prevents private key bodies from being echoed into chat context.",fn:function(e){let t=JSON.stringify(e.payload);return et.test(t)?{decision:"deny",reason:"Private key content detected in tool output",message:"[REDACTED: private key content removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"sanitize-bearer-tokens",displayTitle:"Redacted bearer tokens from tool output",impact:"Strips Authorization: Bearer values before they hit the model.",description:"Stop Claude from reading Authorization Bearer tokens in tool responses",fn:function(e){let t=JSON.stringify(e.payload);return ei.test(t)?{decision:"deny",reason:"Bearer token detected in tool output",message:"[REDACTED: Bearer token removed by failproofai]"}:T()},match:{events:["PostToolUse"]},defaultEnabled:!0,category:"Sanitize"},{name:"protect-env-vars",displayTitle:"Tried to dump environment variables to chat",impact:"Env vars often contain secrets; blocking `env` / `printenv` keeps them out of the model context.",description:"Prevent commands that read environment variables",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return ec.test(t)?E("Command reads environment variables"):ed.test(t)?E("Command echoes environment variable"):ep.test(t)?E("Command exports environment variable"):eu.test(t)?E("Command reads environment variable via PowerShell"):em.test(t)?E("Command reads environment variables via PowerShell"):ef.test(t)?E("Command reads environment variable via .NET"):eh.test(t)?E("Command echoes environment variable via cmd"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Environment"},{name:"block-env-files",displayTitle:"Tried to read or write a .env file",impact:"`.env` files routinely contain API keys and DB credentials.",description:"Block reading/writing .env files",fn:function(e){let t=J(e),i=Y(e);return i&&eg.test(i)?E("Access to .env file blocked"):"Bash"===e.toolName&&ey.test(t)?E("Command references .env file"):T()},match:{events:["PreToolUse"]},defaultEnabled:!0,category:"Environment"},{name:"block-read-outside-cwd",displayTitle:"Tried to read files outside your project directory",impact:"Stops the agent from peeking at neighboring repos or your home directory.",description:"Block file reads outside the session working directory",fn:function(e){let t=process.env.CLAUDE_PROJECT_DIR||e.session?.cwd;if(!t)return T();let i=e.params?.allowPaths??[];if("Bash"===e.toolName){let n=J(e);if(!e8.test(n))return T();let o=function(e){let t,i=[],n=/(?<![a-zA-Z0-9_.\-~\\*?:=])(?:~\/[^\s;|&"'()\[\]{}]*|~(?=\s|$|[;|&"'()\[\]{}])|\/[^\s;|&"'()\[\]{}]*)/g;function o(e){let t;for(n.lastIndex=0;null!==(t=n.exec(e));){let e=t[0];"~"===e?e=(0,S.homedir)():e.startsWith("~/")&&(e=(0,k.join)((0,S.homedir)(),e.slice(2))),i.push(e)}}let s=e.length,a=!1,r=!1;for(let t=0;t<e.length;t++){let i=e[t];if('"'!==i||r)if("'"!==i||a){if("|"===i&&!a&&!r){s=t;break}}else r=!r;else a=!a}let l=e.slice(0,s),c=/"([^"]*)"|'([^']*)'/g;for(;null!==(t=c.exec(l));){let e=t[1]??t[2]??"";/[*?\[\]^$+()\\]/.test(e)||o(e)}return o(e.replace(/"[^"]*"/g,e=>" ".repeat(e.length)).replace(/'[^']*'/g,e=>" ".repeat(e.length))),i}(n),s=t.endsWith("/")?t:t+"/";for(let e of o){let n=(0,k.resolve)(t,e);if(G(n))return E(`Reading agent settings file blocked: ${n}`);if(!q(n)&&"/dev/null"!==n&&n!==t&&!n.startsWith(s)){if(i.some(e=>n===e||n.startsWith(e.endsWith("/")?e:e+"/")))continue;return E(`Bash read outside project directory blocked: ${n}`)}}return T()}let n=Y(e),o=e.toolInput?.path??"",s=n||o;if(!s)return T();let a=(0,k.resolve)(t,s);if(G(a))return E(`Reading agent settings file blocked: ${a}`);if(q(a)||"/dev/null"===a)return T();let r=t.endsWith("/")?t:t+"/";return a===t||a.startsWith(r)?T():i.some(e=>a===e||a.startsWith(e.endsWith("/")?e:e+"/"))?T():E(`Access outside project directory blocked: ${a}`)},match:{events:["PreToolUse"],toolNames:["Read","Glob","Grep","Bash"]},defaultEnabled:!1,category:"Environment",params:{allowPaths:{type:"string[]",description:"Absolute paths outside cwd that are allowed to be read",default:[]}}},{name:"block-sudo",displayTitle:"Tried to run a command with sudo",impact:"Sudo gives the agent root — blocked unless explicitly allow-listed.",description:"Block sudo commands",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e).trimStart();return eb.test(t)||t.startsWith("sudo ")?(e.params?.allowPatterns??[]).some(e=>e0(t,e))?T():E("sudo commands are blocked"):ew.test(t)?E("Elevated process launch is blocked"):ek.test(t)?E("runas elevation is blocked"):T()},match:{events:["PreToolUse","PermissionRequest"],toolNames:["Bash"]},defaultEnabled:!0,category:"Dangerous Commands",params:{allowPatterns:{type:"string[]",description:"Sudo command patterns to allow, matched token-by-token (e.g. 'sudo systemctl status')",default:[]}}},{name:"block-curl-pipe-sh",displayTitle:"Tried to pipe a downloaded script straight to a shell",impact:"`curl ... | sh` runs unverified remote code on your machine.",description:"Block piping downloads to shell",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return ev.test(t)?E("Piping downloads to shell is blocked"):eN.test(t)?E("Piping downloads to Invoke-Expression is blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Dangerous Commands"},{name:"block-rm-rf",displayTitle:"Tried to recursively delete a system path",impact:"Catches catastrophic `rm -rf /` and Windows equivalents.",description:"Prevent catastrophic deletions",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e),i=Z(t).some(e=>{let t=e.replace(/\/\*$/,"").replace(/\/+$/,"")||(e.startsWith("/")?"/":"");return"/"===t||"~"===t||/^\/[A-Za-z_][\w.-]*$/.test(t)});if(i&&(/rm\s+-[^\s]*r[^\s]*f[^\s]*/.test(t)||/rm\s+-[^\s]*f[^\s]*r[^\s]*/.test(t)))return e3(t,e.params?.allowPaths??[])?T():E("Catastrophic deletion blocked");if(i&&/\brm\b/.test(t)){let i=Z(t),n=i.filter(e=>/^-[^-]/.test(e)).join(""),o=i.filter(e=>/^--/.test(e)),s=/r/i.test(n)||o.some(e=>/^--recursive$/i.test(e)),a=/f/.test(n)||o.some(e=>/^--force$/i.test(e));if(s&&a)return e3(t,e.params?.allowPaths??[])?T():E("Catastrophic deletion blocked")}return/Remove-Item\s+.*-Recurse.*-Force.*(?:[A-Z]:\\(?:\s|$)|\\\*)/i.test(t)||/(?:rd|rmdir)\s+\/s\s+\/q\s+[A-Z]:\\/i.test(t)?E("Catastrophic deletion blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Dangerous Commands",params:{allowPaths:{type:"string[]",description:"Paths that are allowed to be recursively deleted",default:[]}}},{name:"block-failproofai-commands",displayTitle:"Tried to disable or modify failproofai itself",impact:"Prevents the agent from turning off the policies that protect you.",description:"Block failproofai CLI commands and uninstallation",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eC.test(t)?E("Running failproofai CLI commands is blocked"):eA.test(t)?E("Uninstalling failproofai is blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Dangerous Commands"},{name:"block-kubectl",displayTitle:"Tried to run a Kubernetes command",impact:"kubectl can change live cluster state — gated unless allow-listed.",description:"Block kubectl commands (Kubernetes cluster mutations)",fn:function(e){return e2(e,eq,"kubectl commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"kubectl command patterns to allow, matched token-by-token (e.g. 'kubectl get *', 'kubectl describe *')",default:[]}}},{name:"block-terraform",displayTitle:"Tried to run a Terraform/OpenTofu command",impact:"Terraform mutates real infrastructure — gated unless allow-listed.",description:"Block terraform and tofu (OpenTofu) commands",fn:function(e){return e2(e,eG,"terraform/tofu commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"terraform/tofu command patterns to allow (e.g. 'terraform plan', 'terraform validate')",default:[]}}},{name:"block-aws-cli",displayTitle:"Tried to run an AWS CLI command",impact:"AWS CLI can spend money or break prod — gated.",description:"Block aws CLI commands",fn:function(e){return e2(e,eJ,"aws CLI commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"aws CLI command patterns to allow (e.g. 'aws s3 ls *', 'aws sts get-caller-identity')",default:[]}}},{name:"block-gcloud",displayTitle:"Tried to run a Google Cloud command",impact:"gcloud can spend money or break prod — gated.",description:"Block gcloud (Google Cloud) CLI commands",fn:function(e){return e2(e,eY,"gcloud commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"gcloud command patterns to allow (e.g. 'gcloud auth list', 'gcloud config list')",default:[]}}},{name:"block-az-cli",displayTitle:"Tried to run an Azure CLI command",impact:"az can spend money or break prod — gated.",description:"Block az (Azure) CLI commands",fn:function(e){return e2(e,eZ,"az (Azure) CLI commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"az CLI command patterns to allow (e.g. 'az account show', 'az group list')",default:[]}}},{name:"block-helm",displayTitle:"Tried to run a Helm command",impact:"Helm releases mutate cluster state — gated.",description:"Block helm commands",fn:function(e){return e2(e,eK,"helm commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"helm command patterns to allow (e.g. 'helm list', 'helm status *')",default:[]}}},{name:"block-gh-pipeline",displayTitle:"Tried to run a privileged GitHub CLI pipeline command",impact:"Catches `gh workflow run`, `gh pr merge`, `gh secret set`, etc.",description:"Block gh CLI pipeline-trigger subcommands (workflow run, run rerun/cancel, pr merge, release create/delete, cache delete, secret set/delete)",fn:function(e){return e2(e,eQ,"gh pipeline-trigger commands are blocked")},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Infra Commands",params:{allowPatterns:{type:"string[]",description:"gh pipeline command patterns to allow (e.g. specific scripted invocations); read-only gh subcommands like 'gh pr view' and 'gh run list' are not matched by this policy",default:[]}}},{name:"block-secrets-write",displayTitle:"Tried to write a secret-key file",impact:"Stops the agent from creating `.pem`, `id_rsa`, `credentials.json`, etc.",description:"Block writing secret key files",fn:function(e){if("Write"!==e.toolName)return T();let t=Y(e);if(eT.test(t)||eE.test(t)||eP.test(t))return E("Writing secret key files is blocked");for(let i of e.params?.additionalPatterns??[])if(t.includes(i))return E(`Writing blocked file pattern: ${i}`);return T()},match:{events:["PreToolUse"],toolNames:["Write"]},defaultEnabled:!1,category:"Dangerous Commands",params:{additionalPatterns:{type:"string[]",description:"Additional filename patterns (substrings) to block",default:[]}}},{name:"block-push-master",displayTitle:"Tried to push directly to main/master",impact:"Direct pushes to a protected branch bypass review.",description:"Block pushing to main/master",fn:function(e){if("Bash"!==e.toolName)return T();let t=e.params?.protectedBranches??["main","master"];if(0===t.length)return T();let i=e1(J(e)),n=RegExp(`\\b(?:${t.map(e=>e.replace(/[.*+?^${}()|[\]\\]/g,"\\$&")).join("|")})\\b`);return i.some(e=>n.test(e))?E(`Pushing to ${t.join("/")} is blocked`):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!0,category:"Git",params:{protectedBranches:{type:"string[]",description:"Branch names to protect from direct pushes",default:["main","master"]}}},{name:"block-force-push",displayTitle:"Tried to force-push",impact:"Force-pushes rewrite history and can clobber teammates' work.",description:"Prevent force-pushing to any branch",fn:function(e){return"Bash"!==e.toolName?T():e1(J(e)).some(e=>eS.test(e))?E("Force-pushing is blocked"):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"block-work-on-main",displayTitle:"Tried to commit or merge on main/master",impact:"Work should land via PR — direct commits skip review.",description:"Block git commits and merges on main/master branch",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e).match(e$);if(!t)return T();let i=e.session?.cwd;if(!i)return T();let n=eX(i);return n&&(e.params?.protectedBranches??["main","master"]).includes(n)?E(`Git ${t[1]} on ${n} is blocked. Create a feature branch first.`):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git",params:{protectedBranches:{type:"string[]",description:"Branch names where commits/merges are blocked",default:["main","master"]}}},{name:"warn-git-amend",displayTitle:"Used git commit --amend",impact:"Amending after a push rewrites history that others may have pulled.",description:"Warns before amending git commits, which rewrites history",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eI.test(t)?P("STOP: This command amends the last commit, which rewrites git history. If this commit has already been pushed to a shared branch, this will cause divergence for other contributors. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"warn-git-stash-drop",displayTitle:"Tried to drop or clear git stash",impact:"Stash deletions are permanent and silent.",description:"Warns before permanently deleting stashed changes",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eR.test(t)?P("STOP: This command permanently deletes stashed changes (git stash drop/clear). Stash entries cannot be recovered after deletion. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"warn-all-files-staged",displayTitle:"Staged all files with git add -A / .",impact:"Wide stages routinely catch generated files or secrets you didn't intend to commit.",description:"Warns before staging all working tree files with git add -A / . / --all",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return ex.test(t)?P("STOP: This command stages all files in the working tree (git add -A / --all / .). This may inadvertently include build artifacts, generated files, or sensitive files not covered by .gitignore. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Git"},{name:"warn-destructive-sql",displayTitle:"Ran destructive SQL (DROP / TRUNCATE / DELETE without WHERE)",impact:"Easy way to wipe a table by accident.",description:"Warn before executing destructive SQL (DROP/TRUNCATE/DELETE without WHERE) via database clients",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return en.test(t)&&(eo.test(t)||es.test(t)&&!ea.test(t))?P("STOP: This command contains destructive SQL (DROP/TRUNCATE/DELETE). Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Database"},{name:"warn-schema-alteration",displayTitle:"Altered a database schema column",impact:"ALTER TABLE operations can lock tables and break readers.",description:"Warns before SQL schema changes (ALTER TABLE with column or rename operations)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return en.test(t)&&er.test(t)?P("STOP: This command contains a schema-altering SQL statement (ALTER TABLE with column or rename operation). Schema changes on production databases are irreversible or disruptive. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Database"},{name:"warn-package-publish",displayTitle:"Tried to publish a package",impact:"Publishes are irreversible — `npm publish` / `cargo publish` shouldn't happen without intent.",description:"Warn before publishing packages to public registries (npm, PyPI, crates.io, RubyGems, etc.)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return el.test(t)?P("STOP: This command publishes a package to a public registry. Confirm with the user that this is intentional."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System"},{name:"warn-global-package-install",displayTitle:"Installed a package globally",impact:"`npm i -g`, `cargo install`, `pip --user` pollute your machine outside the project.",description:"Warns before installing packages globally (npm -g, cargo install, etc.)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eO.test(t)||eB.test(t)||e_.test(t)||ej.test(t)||eD.test(t)||eW.test(t)?P("STOP: This command installs a package globally, which modifies the system-wide environment outside the project. This can conflict with other projects or system tools. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System"},{name:"prefer-package-manager",displayTitle:"Used a non-preferred package manager",impact:"Mixing package managers creates lockfile churn for your team.",description:"Blocks non-preferred package managers and tells Claude to use an allowed one (e.g., uv instead of pip)",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);if(!t)return T();let i=e.params?.allowed??[];if(0===i.length)return T();let n=new Set(i.map(e=>e.toLowerCase())),o=e.params?.blocked??[],s=i.join(", ");for(let e of t.split(e6)){let t=e.trim();if(!t)continue;let i=!1;for(let e of n){let n=eU[e];if(n){for(let e of n)if(e.test(t)){i=!0;break}if(i)break}}if(!i){for(let[e,i]of Object.entries(eU))if(!n.has(e)){for(let n of i)if(n.test(t))return E(`"${e}" is not an allowed package manager. Allowed package managers for this project: ${s}. Rewrite this command using an allowed package manager.`)}for(let e of o){let i=e.toLowerCase();if(!n.has(i)&&RegExp(`\\b${i.replace(/[.*+?^${}()|[\]\\]/g,"\\$&")}\\b`).test(t))return E(`"${i}" is not an allowed package manager. Allowed package managers for this project: ${s}. Rewrite this command using an allowed package manager.`)}}}return T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System",params:{allowed:{type:"string[]",description:"Allowed package manager names (e.g. ['uv', 'bun']). Any detected manager not in this list is blocked.",default:[]},blocked:{type:"string[]",description:"Additional manager names to block beyond the built-in list (e.g. ['pdm', 'pipx']).",default:[]}}},{name:"warn-large-file-write",displayTitle:"Wrote a file larger than the configured threshold",impact:"Catches accidentally large file writes (logs, binaries, model dumps).",description:"Warn before writing files larger than 1MB (configurable via thresholdKb param)",fn:function(e){if("Write"!==e.toolName)return T();let t=e.toolInput?.content;if("string"!=typeof t)return T();let i=e.params?.thresholdKb??1024;return t.length>1024*i?P(`STOP: You are writing a file larger than ${i}KB (${Math.round(t.length/1024)}KB). This is unusually large. Confirm this is intentional before proceeding.`):T()},match:{events:["PreToolUse"],toolNames:["Write"]},defaultEnabled:!1,category:"Packages & System",params:{thresholdKb:{type:"number",description:"File size threshold in KB above which a warning is issued",default:1024}}},{name:"warn-background-process",displayTitle:"Started a long-lived background process",impact:"Catches `nohup` / `&` / `screen` / `tmux` / `disown` patterns that the agent often forgets to clean up.",description:"Warns before starting detached or background processes",fn:function(e){if("Bash"!==e.toolName)return T();let t=J(e);return eM.test(t)||eL.test(t)||ez.test(t)||eF.test(t)||eH.test(t)?P("STOP: This command starts a background or detached process (nohup, screen -d, tmux -d, or trailing &). Background processes persist after Claude's session and may be difficult to track or stop. Confirm with the user before executing."):T()},match:{events:["PreToolUse"],toolNames:["Bash"]},defaultEnabled:!1,category:"Packages & System"},{name:"warn-repeated-tool-calls",displayTitle:"Called the same tool 3+ times with identical arguments",impact:"Usually a sign of a stuck loop burning tokens.",description:"Warn when the same tool is called 3+ times with identical parameters",fn:async function e(e){let t=e.session?.transcriptPath;if(!t||!e.toolName||!e.toolInput)return T();let i=`${t}.tool-calls.json`,n=JSON.stringify({tool:e.toolName,input:e.toolInput}),o={};try{let e=await (0,v.readFile)(i,"utf8");o=JSON.parse(e)}catch{}let s=o[n]??0;if(s>=3)return P(`STOP: You have already called ${e.toolName} ${s} times with identical parameters. This is wasteful and unproductive. Do NOT repeat this call — use a different approach or ask the user for clarification.`);o[n]=s+1;try{let e=JSON.stringify(o);e.length<=65536&&await (0,v.writeFile)(i,e,"utf8")}catch{}return T()},match:{events:["PreToolUse"]},defaultEnabled:!1,category:"AI Behavior"},{name:"require-commit-before-stop",displayTitle:"Stopped with uncommitted changes",impact:"Work not in a commit is invisible to teammates and easy to lose.",description:"Require all changes to be committed before Claude stops",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping commit check.");try{if((0,N.execSync)("git status --porcelain",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim().length>0)return E("You have uncommitted changes in the working directory. Commit all changes now.");return T("All changes are committed.")}catch{return T("Not a git repository, skipping commit check.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow"},{name:"require-push-before-stop",displayTitle:"Stopped with unpushed commits",impact:"Local-only commits won't trigger CI or be reviewable.",description:"Require all commits to be pushed to remote before Claude stops",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping push check.");try{if(!(0,N.execSync)("git remote",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}).trim())return T("No git remote configured, skipping push check.");let i=e.params?.remote??"origin",n=eX(t);if(!n||"HEAD"===n)return T("Detached HEAD, skipping push check.");let o=e.params?.baseBranch??"main";if(n===o)return T(`On base branch "${o}", skipping push check.`);try{if(!(0,N.execFileSync)("git",["log",`${i}/${o}..HEAD`,"--oneline"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No commits ahead of ${i}/${o}, skipping push check.`);if(!(0,N.execFileSync)("git",["diff","--stat",`${i}/${o}`,"HEAD"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No file changes compared to ${i}/${o}, skipping push check.`)}catch{}let s=!1;try{(0,N.execFileSync)("git",["rev-parse","--verify",`${i}/${n}`],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}),s=!0}catch{}if(!s)return E(`Branch "${n}" has not been pushed to remote "${i}". Run now: git push -u ${i} ${n}`);let a=(0,N.execFileSync)("git",["log",`${i}/${n}..HEAD`,"--oneline"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim();if(a.length>0){let e=a.split("\n").length;return E(`You have ${e} unpushed commit${e>1?"s":""} on branch "${n}". Run now: git push`)}return T(`All commits pushed to "${i}".`)}catch{return T("Could not check push status, skipping.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow",params:{remote:{type:"string",description:"Remote name to push to (default: origin)",default:"origin"},baseBranch:{type:"string",description:"Base branch to compare against (default: main)",default:"main"}}},{name:"require-pr-before-stop",displayTitle:"Stopped without a PR for the branch",impact:"Branches without PRs don't get reviewed.",description:"Require a pull request to exist for the current branch before Claude stops",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping PR check.");try{let i;try{(0,N.execSync)("gh --version",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3})}catch{return T("GitHub CLI (gh) not installed, skipping PR check.")}let n=eX(t);if(!n||"HEAD"===n)return T("Detached HEAD, skipping PR check.");let o=e.params?.baseBranch??"main";if(n===o)return T(`On base branch "${o}", skipping PR check.`);try{if(!(0,N.execFileSync)("git",["log",`origin/${o}..HEAD`,"--oneline"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No commits ahead of origin/${o}, skipping PR check.`);if(!(0,N.execFileSync)("git",["diff","--stat",`origin/${o}`,"HEAD"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim())return T(`No file changes compared to origin/${o}, skipping PR check.`)}catch{}try{i=(0,N.execSync)("gh pr view --json number,url,state",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim()}catch{return E(`No pull request found for branch "${n}". Run now: gh pr create`)}let s=JSON.parse(i);if("OPEN"===s.state)return T(`PR #${s.number} exists: ${s.url}`);if("MERGED"===s.state)return T(`PR #${s.number} was merged: ${s.url}. Switch off this branch (e.g. 'git checkout ${o} && git pull') before stopping again.`);return E(`Pull request for branch "${n}" is ${s.state.toLowerCase()}. Run now: gh pr create`)}catch{return T("Could not check PR status, skipping.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow",params:{baseBranch:{type:"string",description:"Base branch to compare against (default: main)",default:"main"}}},{name:"require-no-conflicts-before-stop",displayTitle:"Stopped with a branch that conflicts with main",impact:"Conflicting branches can't merge — surface them early.",description:"Require the current branch to merge cleanly with the base branch before Claude stops",fn:function(e){let t,i,n=e.session?.cwd;if(!n)return T("No working directory available, skipping conflict check.");let o=eX(n);if(!o||"HEAD"===o)return T("Detached HEAD, skipping conflict check.");let s=e.params?.baseBranch??"main";if(o===s)return T(`On base branch "${s}", skipping conflict check.`);try{(0,N.execSync)("gh --version",{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3})}catch{return T("gh CLI not installed, skipping conflict check.")}try{t=(0,N.execSync)("gh pr view --json mergeable,number,url,state",{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim()}catch{return T("No pull request found for branch, skipping conflict check.")}try{i=JSON.parse(t)}catch{return T("Could not parse gh pr view output, skipping conflict check.")}if("OPEN"!==i.state)return T(`PR #${i.number} is ${i.state.toLowerCase()}; skipping conflict check.`);try{(0,N.execFileSync)("git",["rev-parse","--verify",`origin/${s}`],{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}),(0,N.execFileSync)("git",["log",`origin/${s}..HEAD`,"--oneline"],{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:5e3}).trim()&&(0,N.execFileSync)("git",["merge-tree","--write-tree","--name-only",`origin/${s}`,"HEAD"],{cwd:n,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:1e4})}catch(e){if(1===e.status){let t=("string"==typeof e.stdout?e.stdout:e.stdout?.toString("utf8")??"").trim().split("\n"),i=[];for(let e=1;e<t.length;e++){let n=t[e];if(""===n)break;i.push(n)}let n=i.length?i.join(", "):"one or more files";return E(`Branch "${o}" has merge conflicts with ${s} in: ${n}. Rebase or merge origin/${s} now and resolve the conflicts.`)}}return"CONFLICTING"===i.mergeable?E(`PR #${i.number} has merge conflicts per GitHub (${i.url}). Rebase or merge origin/${s} now and resolve the conflicts.`):"UNKNOWN"===i.mergeable?E(`GitHub is still computing mergeability for PR #${i.number} (${i.url}). Wait ~10 seconds, then re-check with \`gh pr view --json mergeable\` before attempting to stop again.`):T(`PR #${i.number} merges cleanly per GitHub.`)},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow",params:{baseBranch:{type:"string",description:"Base branch to check for conflicts against (default: main)",default:"main"}}},{name:"require-ci-green-before-stop",displayTitle:"Stopped with failing CI",impact:"Failing CI blocks deploy.",description:"Require CI checks to pass on the current HEAD commit before Claude stops (ignores stale runs on prior commits)",fn:function(e){let t=e.session?.cwd;if(!t)return T("No working directory available, skipping CI check.");try{try{(0,N.execSync)("gh --version",{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3})}catch{return T("GitHub CLI (gh) not installed, skipping CI check.")}let e=eX(t);if(!e||"HEAD"===e)return T("Detached HEAD, skipping CI check.");let i=function(e){try{return(0,N.execSync)("git rev-parse HEAD",{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:3e3}).trim()||null}catch{return null}}(t),n=[];try{let o=(0,N.execFileSync)("gh",["run","list","--branch",e,"--limit","20","--json","status,conclusion,name,headSha"],{cwd:t,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim();if(o&&"[]"!==o){let e=JSON.parse(o),t=i?e.filter(e=>e.headSha===i):e,s=new Set;n=t.filter(e=>!s.has(e.name)&&(s.add(e.name),!0))}}catch{}let o=[],s=[];i&&(o=function(e,t){try{let i=(0,N.execFileSync)("gh",["api",`repos/{owner}/{repo}/commits/${t}/check-runs`,"--jq",'.check_runs | map(select(.app.slug != "github-actions")) | map({name: .name, status: .status, conclusion: (.conclusion // "")})'],{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim();if(!i||"[]"===i)return[];return JSON.parse(i)}catch{return[]}}(t,i),s=function(e,t){try{let i=(0,N.execFileSync)("gh",["api",`repos/{owner}/{repo}/commits/${t}/statuses`,"--jq","map({name: .context, state: .state}) | unique_by(.name)"],{cwd:e,encoding:"utf8",stdio:["pipe","pipe","pipe"],timeout:15e3}).trim();if(!i||"[]"===i)return[];return JSON.parse(i).map(e=>({name:e.name,status:"pending"===e.state?"in_progress":"completed",conclusion:"pending"===e.state?"":"success"===e.state?"success":"failure"}))}catch{return[]}}(t,i));let a=[...n,...o,...s];if(0===a.length)return T(`No CI runs found for branch "${e}".`);let r=a.filter(e=>"completed"===e.status&&"success"!==e.conclusion&&"skipped"!==e.conclusion&&"cancelled"!==e.conclusion&&"neutral"!==e.conclusion);if(r.length>0){let t=r.map(e=>`"${e.name}"`).join(", ");return E(`CI checks are failing on branch "${e}": ${t}. Fix the failing checks now.`)}let l=a.filter(e=>"in_progress"===e.status||"queued"===e.status||"waiting"===e.status);if(l.length>0){let t=l.map(e=>`"${e.name}"`).join(", ");return E(`CI checks are still running on branch "${e}": ${t}. Wait for all checks to complete, then verify they pass.`)}return T(`All CI checks passed on branch "${e}".`)}catch{return T("Could not check CI status, skipping.")}},match:{events:["Stop"]},defaultEnabled:!1,category:"Workflow"}];function e5(e){if(!(0,O.existsSync)(e))return{};try{let t=(0,O.readFileSync)(e,"utf8");return JSON.parse(t)}catch(t){return H(`failed to parse config at ${e}: ${t instanceof Error?t.message:String(t)}`),{}}}let e9=["claude","codex","copilot","cursor","opencode","pi","gemini"],e7={apply_patch:"Edit",write_stdin:"Bash"},te={bash:"Bash",powershell:"Bash",list_bash:"Bash",read_bash:"Bash",stop_bash:"Bash",write_bash:"Bash",list_powershell:"Bash",read_powershell:"Bash",stop_powershell:"Bash",write_powershell:"Bash",read:"Read",view:"Read",show_file:"Read",write:"Write",create:"Write",edit:"Edit",apply_patch:"Edit",str_replace_editor:"Edit",glob:"Glob",grep:"Grep",rg:"Grep",ls:"LS",web_fetch:"WebFetch"},tt={Shell:"Bash"},ti={bash:"Bash",read:"Read",write:"Write",edit:"Edit",apply_patch:"Edit",glob:"Glob",grep:"Grep",list:"LS",webfetch:"WebFetch",websearch:"WebSearch",todowrite:"TodoWrite",todoread:"TodoRead"},tn={Read:{filePath:"file_path"},Write:{filePath:"file_path"},Edit:{filePath:"file_path",oldString:"old_string",newString:"new_string",replaceAll:"replace_all"}},to={bash:"Bash",read:"Read",write:"Write",edit:"Edit",glob:"Glob",grep:"Grep"},ts={Read:{path:"file_path"},Write:{path:"file_path"},Edit:{path:"file_path"}},ta={run_shell_command:"Bash",read_file:"Read",read_many_files:"Read",write_file:"Write",replace:"Edit",glob:"Glob",grep_search:"Grep",list_directory:"LS",web_fetch:"WebFetch",google_web_search:"WebSearch",write_todos:"TodoWrite",save_memory:"Memory",ask_user:"AskUser"};var tr=e.i(81580);let tl=/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i;var tc=e.i(54214);function td(e,t){let i=[];for(let o of e)if("assistant"===o.type)for(let e of o.message.content){var n;let s;if("tool_use"!==e.type)continue;let a=e.name,r=(n=t.cli,(a?"copilot"===n?te[a]??a:"cursor"===n?tt[a]??a:"codex"===n?e7[a]??a:"gemini"===n?ta[a]??a:"opencode"===n?ti[a]??a:"pi"===n?to[a]??a:a:a)??a),l=function(e,t,i){let n;if(!e||!t||"object"!=typeof t||Array.isArray(t)||("opencode"===i?n=tn[e]:"pi"===i&&(n=ts[e]),!n))return t;let o={};for(let[e,i]of Object.entries(t))o[n[e]??e]=i;return o}(r,e.input,t.cli);e.result?.content&&(s=function(e){let t=Buffer.from(e,"utf-8");if(t.byteLength<=65536)return e;let i=65536;for(;i>0&&(192&t[i])==128;)i--;return t.subarray(0,i).toString("utf-8")}(e.result.content)),i.push({cli:t.cli,sessionId:t.sessionId,transcriptPath:t.transcriptPath,cwd:t.cwd,timestamp:o.timestamp,toolName:r,rawToolName:a,toolInput:l??{},toolResultText:s})}return i}async function tp(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of function(){let e,t=(0,tr.getClaudeProjectsPath)();try{e=(0,O.readdirSync)(t,{withFileTypes:!0})}catch{return[]}return e.filter(e=>e.isDirectory()).map(e=>({name:e.name,cwd:(0,tr.decodeFolderName)(e.name),path:(0,k.join)(t,e.name)}))}()){let o;if(!t||t.has(e.cwd)){try{o=function(e){let t,i=[];try{t=(0,O.readdirSync)(e.path,{withFileTypes:!0})}catch{return i}for(let n of t)if(n.isFile()&&n.name.endsWith(".jsonl")){let t=n.name.slice(0,-6);if(!tl.test(t))continue;let o=(0,k.join)(e.path,n.name);try{let n=(0,O.statSync)(o);i.push({projectName:e.name,cwd:e.cwd,sessionId:t,transcriptPath:o,mtimeMs:n.mtimeMs,sizeBytes:n.size,isSubagent:!1})}catch{}}else if(n.isDirectory()&&tl.test(n.name)){let t,o=(0,k.join)(e.path,n.name,"subagents");if(!(0,O.existsSync)(o))continue;try{t=(0,O.readdirSync)(o,{withFileTypes:!0})}catch{continue}for(let n of t){if(!n.isFile()||!n.name.endsWith(".jsonl"))continue;let t=n.name.slice(0,-6),s=(0,k.join)(o,n.name);try{let n=(0,O.statSync)(s);i.push({projectName:e.name,cwd:e.cwd,sessionId:t,transcriptPath:s,mtimeMs:n.mtimeMs,sizeBytes:n.size,isSubagent:!0})}catch{}}}return i}(e)}catch{continue}for(let t of o)t.mtimeMs<i||n.push({cli:"claude",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.transcriptPath,mtimeMs:t.mtimeMs,sizeBytes:t.sizeBytes})}}return n}async function tu(e){let t,i;try{t=await (0,v.readFile)(e.transcriptPath,"utf-8")}catch{return[]}try{i=await (0,tc.parseLogContent)(t,"session")}catch{return[]}let n="";for(let e of t.split("\n",50))if(e.trim())try{let t=JSON.parse(e);if("string"==typeof t.cwd&&t.cwd.length>0){n=t.cwd;break}}catch{}return td(i,{cli:"claude",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:n})}var tm=e.i(36203),tf=e.i(57232);async function th(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tm.getCodexProjects)())){let{cwd:o,sessions:s}=await (0,tm.getCodexSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"codex",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tg(e){let t=await (0,tf.getCodexSessionLog)(e.sessionId);return t?td(t.entries,{cli:"codex",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var ty=e.i(55851),tb=e.i(78166);async function tw(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,ty.getCopilotProjects)())){let{cwd:o,sessions:s}=await (0,ty.getCopilotSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"copilot",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tk(e){let t=await (0,tb.getCopilotSessionLog)(e.sessionId);return t?td(t.entries,{cli:"copilot",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tv=e.i(46413),tN=e.i(72094);async function tS(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tv.getCursorProjects)())){let{cwd:o,sessions:s}=await (0,tv.getCursorSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"cursor",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tT(e){let t=await (0,tN.getCursorSessionLog)(e.sessionId);return t?td(t.entries,{cli:"cursor",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tE=e.i(35435),tP=e.i(99440);async function t$(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tE.getOpenCodeProjects)())){let{cwd:o,sessions:s}=await (0,tE.getOpenCodeSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();!(o<i)&&t.sessionId&&n.push({cli:"opencode",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:0})}}return n}async function tC(e){let t=await (0,tP.getOpenCodeSessionLog)(e.sessionId);return t?td(t.entries,{cli:"opencode",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tA=e.i(19791),tI=e.i(85116);async function tR(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tA.getPiProjects)())){let{cwd:o,sessions:s}=await (0,tA.getPiSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"pi",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n}async function tx(e){let t=await (0,tI.getPiSessionLog)(e.sessionId);return t?td(t.entries,{cli:"pi",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}var tO=e.i(90172),tB=e.i(88153);let t_={claude:{cli:"claude",listTranscripts:tp,streamEvents:tu},codex:{cli:"codex",listTranscripts:th,streamEvents:tg},copilot:{cli:"copilot",listTranscripts:tw,streamEvents:tk},cursor:{cli:"cursor",listTranscripts:tS,streamEvents:tT},opencode:{cli:"opencode",listTranscripts:t$,streamEvents:tC},pi:{cli:"pi",listTranscripts:tR,streamEvents:tx},gemini:{cli:"gemini",listTranscripts:async function(e={}){let t=e.projects?new Set(e.projects):null,i=e.sinceMs??0,n=[];for(let e of(await (0,tO.getGeminiProjects)())){let{cwd:o,sessions:s}=await (0,tO.getGeminiSessionsByEncodedName)(e.name),a=o??"";if(!t||t.has(a))for(let t of s){let o=t.lastModified.getTime();if(o<i)continue;let s=0;try{s=(0,O.statSync)(t.path).size}catch{}t.sessionId&&n.push({cli:"gemini",projectName:e.name,sessionId:t.sessionId,transcriptPath:t.path,mtimeMs:o,sizeBytes:s})}}return n},streamEvents:async function(e){let t=await (0,tB.getGeminiSessionLog)(e.sessionId);return t?td(t.entries,{cli:"gemini",sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:t.cwd??""}):[]}}},tj=/\.(?:ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|swift|rb|php|c|h|cc|cpp|hpp|cs|scala|sh|bash|zsh|json|yaml|yml|toml|md|txt|sql|html|css|scss|sass)$/i,tD=["/","/home","/usr","/etc","/var","/opt","/Users"],tW="rereadAfterEdit",tU=[{name:"redundant-cd-cwd",description:"Bash commands prefixed with `cd <cwd> && …` even though commands already run in cwd.",category:"Wasteful",severity:"info",displayTitle:"Prepended cd <cwd> before commands",impact:"Pure waste — your agent's shell already runs in `cwd`.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t||!e.cwd)return null;let i=t.trimStart(),n=/^cd\s+(?:"([^"]+)"|'([^']+)'|(\S+))\s*&&\s*([\s\S]+)$/.exec(i);if(!n)return null;let o=(n[1]??n[2]??n[3]??"").replace(/\/+$/,"");if(o!==e.cwd.replace(/\/+$/,""))return null;let s=n[4].trim();return{example:`cd ${o} && ${s}`}}},{name:"prefer-edit-over-read-cat",description:"Bash `cat`/`head`/`tail`/`less`/`more` on a single source file — use Read.",category:"Wasteful",severity:"info",displayTitle:"Used `cat`/`head`/`tail` on a source file",impact:"Burns tokens; the Read tool returns content directly without going through Bash output.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;let i=t.trim();if(/[|<>;&`$()]/.test(i))return null;let n=/^(cat|head|tail|less|more)\s+(?:-\S+\s+)*(?:"([^"]+)"|'([^']+)'|(\S+))\s*$/.exec(i);if(!n)return null;let o=n[2]??n[3]??n[4]??"";return!o||/(?:^|\/)\.env(?:\..+)?$/.test(o)||!tj.test(o)?null:{example:i}}},{name:"prefer-edit-over-sed-awk",description:"Bash `sed -i`/`awk` in-place edits — use Edit.",category:"Wasteful",severity:"info",displayTitle:"Used sed -i or awk for an in-place edit",impact:"Edit tool is safer and produces a diff the agent can verify.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;let i=t.trim();return/(?:^|\s|;|&&|\|\|)sed\b[^|]*\s-i(?=\b|['"])/.test(i)||/(?:^|\s|;|&&|\|\|)awk\b[^|]*\s>\s*\S+/.test(i)&&!/\|/.test(i)?{example:i}:null}},{name:"prefer-write-over-heredoc",description:"Bash heredoc / `echo > file` writing multi-line content — use Write.",category:"Wasteful",severity:"info",displayTitle:"Used heredoc / `echo > file` to write a multi-line file",impact:"Write tool handles escaping and is verifiable.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;return"string"!=typeof t?null:/<<-?\s*['"]?[A-Za-z_][A-Za-z0-9_]*['"]?\s*>\s*\S/.test(t)||/(?:^|\s|;|&&|\|\|)(?:echo|printf)\s+["'][^"']*\n[^"']*["']\s*>\s*\S/.test(t)?{example:t.replace(/\s+/g," ").trim().slice(0,160)}:null}},{name:"sleep-polling-loop",description:"Bash long `sleep` or while-sleep polling loops.",category:"Wasteful",severity:"info",displayTitle:"Used a long sleep or while-sleep polling loop",impact:"Burns wall-clock; better to wait for an explicit signal.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;if(/\bwhile\b[\s\S]*?\bsleep\b[\s\S]*?\bdone\b/.test(t))return{example:t.replace(/\s+/g," ").trim().slice(0,160)};let i=/\bsleep\s+(\d+(?:\.\d+)?)(m|h|d)?\b/.exec(t);if(i){let e=parseFloat(i[1]),n=i[2]??"s";if(("m"===n?60*e:"h"===n?3600*e:"d"===n?86400*e:e)>=30)return{example:t.replace(/\s+/g," ").trim().slice(0,160)}}return null}},{name:"find-from-root",description:"Bash `find` against `/`, `/home`, `/usr`, etc. — scope to cwd instead.",category:"Risky",severity:"warn",displayTitle:"Ran find from /, /home, /usr, etc.",impact:"Filesystem-wide finds exhaust resources and rarely return useful results.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;if("string"!=typeof t)return null;let i=t.trim(),n=/(?:^|[\s;|&])find\s+(?:-\S+\s+)*("[^"]+"|'[^']+'|\S+)/.exec(i);if(!n)return null;let o=n[1].replace(/^["']|["']$/g,"").replace(/\/+$/,"")||"/";return tD.includes(o)?{example:i.slice(0,160)}:null}},{name:"git-commit-no-verify",description:"git commit invoked with --no-verify / -n, skipping hooks.",category:"Risky",severity:"warn",displayTitle:"Committed with --no-verify",impact:"Skips pre-commit hooks that exist to catch broken or unsafe code.",detect(e){if("Bash"!==e.toolName)return null;let t=e.toolInput.command;return"string"!=typeof t?null:/\bgit\s+commit\b/.test(t)&&(/\s--no-verify\b/.test(t)||/\s-n\b/.test(t))?{example:t.replace(/\s+/g," ").trim().slice(0,160)}:null}},{name:"reread-after-edit",description:"Read of a file that was just Edit'd or Write'n in the same session.",category:"Wasteful",severity:"info",displayTitle:"Re-read a file it just edited",impact:"Edit/Write already returned the updated content; the second Read is wasted tokens.",detect(e,t){let i,n=((i=t[tW])||(i={countdown:new Map},t[tW]=i),i),o=e.toolInput.file_path,s="string"==typeof o?o:null;for(let[e,t]of n.countdown)t<=1?n.countdown.delete(e):n.countdown.set(e,t-1);return s?"Edit"===e.toolName||"Write"===e.toolName?(n.countdown.set(s,5),null):"Read"===e.toolName&&n.countdown.has(s)?(n.countdown.delete(s),{example:`Read ${s} immediately after Edit/Write`}):null:null}}],tM=["cowboy","explorer","ghost","optimist","hammer","architect"],tL={explorer:.38,architect:.33,hammer:.11,cowboy:.11,optimist:.07,ghost:.01,precision:0,goldfish:0},tz={optimist:0,cowboy:0,explorer:0,goldfish:0,architect:0,precision:0,hammer:0,ghost:0};for(let e of tM)tz[e]=Math.max(tL[e],.05);var tF=e.i(66680);let tH=null,tq=null;function tG(){if(tH)return tH;let e=e4.map(e=>`${e.name}|${e.fn.toString()}`).sort().join("\n");return tH=(0,tF.createHash)("sha1").update(e).digest("hex").slice(0,16)}function tJ(){if(tq)return tq;let e=tU.map(e=>`${e.name}|${e.detect.toString()}`).sort().join("\n");return tq=(0,tF.createHash)("sha1").update(e).digest("hex").slice(0,16)}function tY(e){let t=(0,k.join)((0,S.homedir)(),".failproofai","cache","audit"),i=(0,tF.createHash)("sha1").update(e).digest("hex");return(0,k.join)(t,`${i}.json`)}var tZ=e.i(24214),tK=e.i(28067);let tQ=tK.POSTHOG_API_KEY;async function tV(e,t,i){if("1"===process.env.FAILPROOFAI_TELEMETRY_DISABLED)return;let n=JSON.stringify({api_key:process.env.FAILPROOFAI_POSTHOG_KEY??tQ,event:t,distinct_id:e,properties:{...i,$lib:"failproofai-hooks",failproofai_version:tZ.version,product:tK.POSTHOG_PRODUCT}});try{await fetch(process.env.FAILPROOFAI_POSTHOG_HOST?`${process.env.FAILPROOFAI_POSTHOG_HOST}/capture/`:"https://us.i.posthog.com/capture/",{method:"POST",headers:{"Content-Type":"application/json"},body:n,signal:AbortSignal.timeout(5e3)})}catch{}}var tX=e.i(10659);function t0(e,t){let i=e.trim(),n="string"==typeof t?t.trim():"";return n?i?`${i}. ${n}`:n:i}let t1=new Map(e4.filter(e=>e.params).map(e=>[I(e.name),e.params]));function t3(e,t){if(!e?.policyParams)return;let i=e.policyParams[t];if(i)return i;let n=`${A}/`;if(t.startsWith(n))return e.policyParams[t.slice(n.length)]}async function t8(e,t,i,n){let o=t.tool_name,s=t.tool_input,a=function(e,t){let i=globalThis[C];i||R(i=new Map);let n=`${e}:${t??""}`,o=i.get(n);if(o)return o;let s=x().filter(i=>(!i.match.events||!(i.match.events.length>0)||!!i.match.events.includes(e))&&(!i.match.toolNames||!(i.match.toolNames.length>0)||!!t&&!!i.match.toolNames.includes(t))).sort((e,t)=>t.priority-e.priority);return i.set(n,s),s}(e,o);if(F(`evaluating ${a.length} policies for ${e}`),0===a.length)return{exitCode:0,stdout:"",stderr:"",policyName:null,reason:null,decision:"allow"};let r={eventType:e,payload:t,toolName:o,toolInput:s,session:i,cli:i?.cli},l=[],c=[];for(let t of a){let o,s,a=t1.get(t.name);if(a){let e=t3(n,t.name)??{},i={};for(let[t,n]of Object.entries(a))i[t]=t in e?e[t]:n.default;o={...r,params:i}}else o={...r,params:{}};try{s=await t.fn(o)}catch(o){let n=o instanceof Error?o.message:String(o);H(`policy "${t.name}" threw: ${n}`),t.name.startsWith("custom/")||t.name.startsWith(".failproofai-")||tV((0,tX.getInstanceId)(),"policy_evaluation_error",{policy_name:t.name,event_type:e,cli:i?.cli??null,error_type:o instanceof Error?o.name:"unknown"});continue}if("deny"===s.decision){let a,r=t0(s.reason??`Blocked by policy: ${t.name}`,t3(n,t.name)?.hint);F(`deny by "${t.name}": ${r}`),a=o.toolName?o.toolName:"UserPromptSubmit"===e?"prompt":"SessionStart"===e?"session start":"SessionEnd"===e?"session end":"Stop"===e?"stop":"operation";let l=`Blocked ${a} by failproofai because: ${r}, as per the policy configured by the user`;if(i?.cli==="cursor"){if("Stop"===e||"SubagentStop"===e)return{exitCode:0,stdout:JSON.stringify({followup_message:`MANDATORY ACTION REQUIRED from failproofai (policy: ${t.name}): ${r}
|
|
4
4
|
|
|
5
5
|
You MUST complete the above action NOW. Do NOT ask the user for confirmation — execute the required action, then attempt to finish your task again.`}),stderr:"",policyName:t.name,reason:r,decision:"deny"};return{exitCode:0,stdout:JSON.stringify({permission:"deny",user_message:l,agent_message:l}),stderr:"",policyName:t.name,reason:r,decision:"deny"}}if(i?.cli==="pi"){if("Stop"===e)return{exitCode:0,stdout:JSON.stringify({permission:"deny",reason:`MANDATORY ACTION REQUIRED from failproofai (policy: ${t.name}): ${r}
|
|
6
6
|
|
|
@@ -18,6 +18,6 @@ You MUST complete the above action(s) NOW. Do NOT ask the user for confirmation
|
|
|
18
18
|
|
|
19
19
|
You MUST complete the above action(s) NOW. Do NOT ask the user for confirmation — execute the required action(s), then attempt to finish your task again.`}}),stderr:"",policyName:n[0],policyNames:n,reason:t,decision:"instruct"}}if("Stop"===e||"SubagentStop"===e){let e=1===n.length?`policy: ${n[0]}`:`policies: ${n.join(", ")}`,o=`MANDATORY ACTION REQUIRED from failproofai (${e}): ${t}
|
|
20
20
|
|
|
21
|
-
You MUST complete the above action(s) NOW. Do NOT ask the user for confirmation — execute the required action(s), then attempt to finish your task again.`;return i?.cli==="copilot"?{exitCode:0,stdout:JSON.stringify({decision:"block",reason:o}),stderr:"",policyName:n[0],policyNames:n,reason:t,decision:"instruct"}:{exitCode:2,stdout:"",stderr:o,policyName:n[0],policyNames:n,reason:t,decision:"instruct"}}return{exitCode:0,stdout:JSON.stringify({hookSpecificOutput:{hookEventName:e,additionalContext:`Instruction from failproofai: ${t}`}}),stderr:"",policyName:n[0],policyNames:n,reason:t,decision:"instruct"}}if(c.length>0){let t=c.map(e=>e.reason).join("\n"),n=c.map(e=>e.policyName);if(i?.cli==="cursor"){let e={permission:"allow",additional_context:`Note from failproofai: ${t}`},i=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return{exitCode:0,stdout:JSON.stringify(e),stderr:i+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}if(i?.cli==="pi"){let e={permission:"allow",reason:`Note from failproofai: ${t}`},i=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return{exitCode:0,stdout:JSON.stringify(e),stderr:i+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}if(i?.cli==="gemini"){let o="UserPromptSubmit"===e||"PreToolUse"===e||"PostToolUse"===e||"SessionStart"===e,s=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return o?{exitCode:0,stdout:JSON.stringify({hookSpecificOutput:{hookEventName:i?.hookEventName??i?.rawHookEventName??e,additionalContext:`Note from failproofai: ${t}`}}),stderr:s+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}:{exitCode:0,stdout:"",stderr:s+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}let o="PreToolUse"===e||"PostToolUse"===e||"UserPromptSubmit"===e||"PermissionRequest"===e?{hookSpecificOutput:{hookEventName:e,additionalContext:`Note from failproofai: ${t}`}}:{reason:t},s=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return{exitCode:0,stdout:JSON.stringify(o),stderr:s+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}return{exitCode:0,stdout:"",stderr:"",policyName:null,reason:null,decision:"allow"}}let t2=new Set(["warn-repeated-tool-calls"].map(e=>I(e))),t4=!1,t6=null;function t5(){if(t4)return;t6=[...x()],globalThis[$]=[],R(null);let e=new Set(e6.map(e=>e.name).filter(e=>!t2.has(I(e))).map(I));for(let t of e6)e.has(I(t.name))&&function(e,t,i,n,o=0){let s=I(e),a=x(),r=a.findIndex(e=>e.name===s),l={name:s,description:t,fn:i,match:n,priority:o};r>=0?a[r]=l:a.push(l),R(null)}(t.name,t.description,t.fn,t.match);t4=!0}async function t9(e){t4||t5();let t={sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:e.cwd,cli:e.cli},i={tool_name:e.toolName,tool_input:e.toolInput,session_id:e.sessionId,cwd:e.cwd,transcript_path:e.transcriptPath},n=[];if(t7(await t8("PreToolUse",i,t),"PreToolUse",n),void 0!==e.toolResultText){let o={...i,tool_response:e.toolResultText};t7(await t8("PostToolUse",o,t),"PostToolUse",n)}return n}function t7(e,t,i){for(let n of e.policyNames&&e.policyNames.length>0?e.policyNames:e.policyName?[e.policyName]:[])i.push({policyName:n,decision:e.decision,reason:e.reason,eventType:t})}function ie(e){let t=e.indexOf("/");return t>=0?e.slice(t+1):e}function it(e){return e.length<=80?e:e.slice(0,79)+"…"}async function ii(e){let t={transcriptPath:e.transcriptPath,cli:e.cli,projectName:e.projectName,sessionId:e.sessionId,mtimeMs:e.mtimeMs,sizeBytes:e.sizeBytes,cwd:"",eventsScanned:0,hitsByName:{},examplesByName:{},rangeByName:{}},i=await tj[e.cli].streamEvents(e);if(0===i.length)return t;t.eventsScanned=i.length,t.cwd=i[0].cwd||"";let n={};for(let e of i){let i;for(let i of tU){let o=i.detect(e,n);o&&io(t,i.name,e.timestamp,e.cwd,it(o.example))}try{i=await t9(e)}catch{continue}for(let n of i){let i=function(e,t){if("Bash"===t.toolName){let e=t.toolInput.command;if("string"==typeof e)return e.replace(/\s+/g," ")}let i=t.toolInput.file_path;return"string"==typeof i?`${t.toolName} ${i}`:`${t.toolName}`}(n.policyName,e);io(t,n.policyName,e.timestamp,e.cwd,it(i))}}return t}function io(e,t,i,n,o){e.hitsByName[t]=(e.hitsByName[t]??0)+1;let s=e.examplesByName[t]??[];s.length<3&&(s.push({timestamp:i,cwd:n,example:o}),e.examplesByName[t]=s);let a=e.rangeByName[t];a?(i<a.first&&(a.first=i),i>a.last&&(a.last=i)):e.rangeByName[t]={first:i,last:i}}async function is(e={}){let t=Date.now();t5();try{return await ia(e,t)}finally{if(t4){if(null!==t6){var i;i=t6,globalThis[$]=[...i],R(null),t6=null}t4=!1}}}async function ia(e,t){let i=e.clis??Array.from(e9),n=function(e){if(!e)return;let t=/^(\d+)\s*([dhm])$/i.exec(e.trim());if(t){let e=parseInt(t[1],10),i=t[2].toLowerCase();return Date.now()-e*("d"===i?864e5:"h"===i?36e5:6e4)}let i=Date.parse(e);if(!Number.isNaN(i))return i;throw Error(`Invalid --since value: "${e}" (expected e.g. "7d", "30d", or "2026-04-01")`)}(e.since),o=new Set(((function(){let e=function(e){let t=(0,S.homedir)(),i=(0,k.resolve)(e);for(;i!==t;){let e=(0,k.resolve)(i,".failproofai");try{if((0,O.statSync)(e).isDirectory())return i}catch{}let t=(0,k.dirname)(i);if(t===i)break;i=t}return(0,k.resolve)(e)}((void 0)??process.cwd()),t=(0,k.resolve)(e,".failproofai","policies-config.json"),i=(0,k.resolve)(e,".failproofai","policies-config.local.json"),n=(0,k.resolve)((0,S.homedir)(),".failproofai","policies-config.json"),o=e5(t),s=e5(i),a=e5(n),r=new Set([...o.enabledPolicies??[],...s.enabledPolicies??[],...a.enabledPolicies??[]]),l={};for(let e of[o,s,a])if(e.policyParams)for(let[t,i]of Object.entries(e.policyParams))t in l||(l[t]=i);let c=o.customPoliciesPath??s.customPoliciesPath??a.customPoliciesPath,d=o.llm??s.llm??a.llm;return{enabledPolicies:[...r],...Object.keys(l).length>0?{policyParams:l}:{},...void 0!==c?{customPoliciesPath:c}:{},...void 0!==d?{llm:d}:{}}})().enabledPolicies??[]).map(e=>I(e))),s=[];for(let t of i){let i,o=tj[t];try{i=await o.listTranscripts({projects:e.projects,sinceMs:n})}catch{continue}s.push(...i)}let a=0,r=0,l=s.map(t=>async()=>{if(!e.noCache){let e=function(e,t,i){if(0===i)return null;let n=tY(e);if(!(0,O.existsSync)(n))return null;try{let e=(0,O.readFileSync)(n,"utf-8"),o=JSON.parse(e);if(3!==o.schemaVersion||o.mtimeMs!==t||o.sizeBytes!==i||o.engineVersion!==tG()||o.detectorVersion!==tJ()||!Number.isFinite(o.cachedAt)||Date.now()-o.cachedAt>6048e5)return null;return o.result??null}catch{return null}}(t.transcriptPath,t.mtimeMs,t.sizeBytes);if(e)return e}try{let i=await ii(t);return e.noCache||function(e,t,i,n){if(0===i)return;let o=tY(e);try{(0,O.mkdirSync)((0,k.join)((0,S.homedir)(),".failproofai","cache","audit"),{recursive:!0});let e={schemaVersion:3,cachedAt:Date.now(),mtimeMs:t,sizeBytes:i,engineVersion:tG(),detectorVersion:tJ(),result:n};(0,O.writeFileSync)(o,JSON.stringify(e),{encoding:"utf-8",mode:384});try{(0,O.chmodSync)(o,384)}catch{}}catch{}}(t.transcriptPath,t.mtimeMs,t.sizeBytes,i),i}catch{return r++,{transcriptPath:t.transcriptPath,cli:t.cli,projectName:t.projectName,cwd:"",sessionId:t.sessionId,mtimeMs:t.mtimeMs,sizeBytes:t.sizeBytes,eventsScanned:0,hitsByName:{},examplesByName:{},rangeByName:{}}}}),c=await (0,w.batchAll)(l,8),d=[];for(let e of c)"fulfilled"===e.status?d.push(e.value):a++;let p=function(e,t){let i=new Map;for(let t of e)for(let[e,n]of Object.entries(t.hitsByName)){let o=i.get(e)??{hits:0,projects:new Set,examples:[]};for(let i of(o.hits+=n,o.projects.add(t.projectName),t.examplesByName[e]??[]))o.examples.length<3&&o.examples.push({...i,sessionId:t.sessionId});let s=t.rangeByName[e];s&&((!o.first||s.first<o.first)&&(o.first=s.first),(!o.last||s.last>o.last)&&(o.last=s.last)),i.set(e,o)}let n=new Map(tU.map(e=>[e.name,e])),o=[];for(let[e,s]of i){let i=n.get(e),a=!!i,r=a?null:function(e){let t=ie(e);for(let i of e6)if(i.name===e||ie(i.name)===t)return i;return null}(e),l=a?"audit-detector":"builtin",c=!a&&t.has(I(e)),d=i?.displayTitle??r?.displayTitle??i?.description??r?.description??ie(e),p=i?.impact??r?.impact??"";o.push({name:e,source:l,category:i?.category??r?.category??"Custom",severity:a?i?.severity??"info":function(e){let t,i=(t=e.indexOf("/"))>=0?e.slice(t+1):e;return i.startsWith("sanitize-")?"sanitize":i.startsWith("block-")?"deny":i.startsWith("warn-")||i.startsWith("protect-")||i.startsWith("prefer-")||i.startsWith("require-")?"warn":"deny"}(e),hits:s.hits,projects:s.projects.size,firstSeen:s.first,lastSeen:s.last,examples:s.examples,displayTitle:d,impact:p,enabledInConfig:c,installHint:"audit-detector"===l?"Audit-only — `failproofai audit` will keep tracking these.":c?"Already enforced — failproofai is blocking these in real time.":`Enable in one command: failproofai policies --install ${ie(e)}`})}return o.sort((e,t)=>t.hits-e.hits),o}(d,o);if(e.policies?.length){let t=new Set(e.policies.map(ie));p=p.filter(e=>t.has(ie(e.name)))}let u=p.reduce((e,t)=>e+t.hits,0),m=new Set,f=new Set,h=0;for(let e of d)Object.keys(e.hitsByName).length>0&&m.add(e.projectName),e.cwd&&f.add(e.cwd),h+=e.eventsScanned??0;return{version:2,scannedAt:new Date(t).toISOString(),scope:{cli:i,projects:e.projects??"all",since:e.since??null},transcripts:{scanned:s.length,skipped:a,errors:r,durationMs:Date.now()-t},results:p,totals:{hits:u,projectsWithHits:m.size},projectsScanned:[...f].sort(),eventsScanned:h,enabledBuiltinNames:[...o].map(e=>e.includes("/")?e.slice(e.indexOf("/")+1):e)}}var ir=e.i(47756),il=e.i(48480);let ic=new Set(e9);async function id(e){let t={};try{let i=await e.text();if(i.trim().length>0){let e=JSON.parse(i);if(null===e||"object"!=typeof e||Array.isArray(e))return b.NextResponse.json({error:"Request body must be a JSON object"},{status:400});t=e}}catch{return b.NextResponse.json({error:"Invalid JSON body"},{status:400})}let i=function(e){let t={};if("string"==typeof e.since&&e.since.trim()&&(t.since=e.since.trim()),Array.isArray(e.cli)&&e.cli.length>0){let i=e.cli.filter(e=>"string"==typeof e&&ic.has(e));i.length>0&&(t.clis=i)}return Array.isArray(e.project)&&e.project.length>0&&(t.projects=e.project.filter(e=>"string"==typeof e)),Array.isArray(e.policy)&&e.policy.length>0&&(t.policies=e.policy.filter(e=>"string"==typeof e)),!0===e.noCache&&(t.noCache=!0),t}(t);return(0,il.tryAcquireRun)()?((async()=>{try{let e=await is(i),t=(0,ir.writeDashboardCache)(i,e);(0,il.finishRun)(t?null:"audit finished but its result could not be saved")}catch(e){(0,il.finishRun)(e instanceof Error?e.message:String(e))}})(),b.NextResponse.json({status:"started"},{status:202})):b.NextResponse.json({error:"Audit already running",status:"already-running"},{status:409})}e.s(["POST",0,id,"dynamic",0,"force-dynamic"],97610);var ip=e.i(97610);let iu=new t.AppRouteRouteModule({definition:{kind:i.RouteKind.APP_ROUTE,page:"/api/audit/run/route",pathname:"/api/audit/run",filename:"route",bundlePath:""},distDir:".next",relativeProjectDir:"",resolvedPagePath:"[project]/app/api/audit/run/route.ts",nextConfigOutput:"standalone",userland:ip,...{}}),{workAsyncStorage:im,workUnitAsyncStorage:ih,serverHooks:ig}=iu;async function iy(e,t,n){n.requestMeta&&(0,o.setRequestMeta)(e,n.requestMeta),iu.isDev&&(0,o.addRequestMeta)(e,"devRequestTimingInternalsEnd",process.hrtime.bigint());let b="/api/audit/run/route";b=b.replace(/\/index$/,"")||"/";let w=await iu.prepare(e,t,{srcPage:b,multiZoneDraftMode:!1});if(!w)return t.statusCode=400,t.end("Bad Request"),null==n.waitUntil||n.waitUntil.call(n,Promise.resolve()),null;let{buildId:k,deploymentId:v,params:N,nextConfig:S,parsedUrl:T,isDraftMode:E,prerenderManifest:P,routerServerContext:$,isOnDemandRevalidate:A,revalidateOnlyGenerated:C,resolvedPathname:I,clientReferenceManifest:R,serverActionsManifest:x}=w,O=(0,r.normalizeAppPath)(b),B=!!(P.dynamicRoutes[O]||P.routes[I]),j=async()=>((null==$?void 0:$.render404)?await $.render404(e,t,T,!1):t.end("This page could not be found"),null);if(B&&!E){let e=!!P.routes[I],t=P.dynamicRoutes[O];if(t&&!1===t.fallback&&!e){if(S.adapterPath)return await j();throw new g.NoFallbackError}}let _=null;!B||iu.isDev||E||(_="/index"===(_=I)?"/":_);let D=!0===iu.isDev||!B,W=B&&!D;x&&R&&(0,a.setManifestsSingleton)({page:b,clientReferenceManifest:R,serverActionsManifest:x});let U=e.method||"GET",M=(0,s.getTracer)(),L=M.getActiveScopeSpan(),z=!!(null==$?void 0:$.isWrappedByNextServer),F=!!(0,o.getRequestMeta)(e,"minimalMode"),H=(0,o.getRequestMeta)(e,"incrementalCache")||await iu.getIncrementalCache(e,S,P,F);null==H||H.resetRequestCache(),globalThis.__incrementalCache=H;let q={params:N,previewProps:P.preview,renderOpts:{experimental:{authInterrupts:!!S.experimental.authInterrupts},cacheComponents:!!S.cacheComponents,supportsDynamicResponse:D,incrementalCache:H,cacheLifeProfiles:S.cacheLife,waitUntil:n.waitUntil,onClose:e=>{t.on("close",e)},onAfterTaskError:void 0,onInstrumentationRequestError:(t,i,n,o)=>iu.onRequestError(e,t,n,o,$)},sharedContext:{buildId:k,deploymentId:v}},G=new l.NodeNextRequest(e),J=new l.NodeNextResponse(t),Y=c.NextRequestAdapter.fromNodeNextRequest(G,(0,c.signalFromNodeResponse)(t));try{let o,a=async e=>iu.handle(Y,q).finally(()=>{if(!e)return;e.setAttributes({"http.status_code":t.statusCode,"next.rsc":!1});let i=M.getRootSpanAttributes();if(!i)return;if(i.get("next.span_type")!==d.BaseServerSpan.handleRequest)return void console.warn(`Unexpected root span type '${i.get("next.span_type")}'. Please report this Next.js issue https://github.com/vercel/next.js`);let n=i.get("next.route");if(n){let t=`${U} ${n}`;e.setAttributes({"next.route":n,"http.route":n,"next.span_name":t}),e.updateName(t),o&&o!==e&&(o.setAttribute("http.route",n),o.updateName(t))}else e.updateName(`${U} ${b}`)}),r=async o=>{var s,r;let l=async({previousCacheEntry:i})=>{try{if(!F&&A&&C&&!i)return t.statusCode=404,t.setHeader("x-nextjs-cache","REVALIDATED"),t.end("This page could not be found"),null;let s=await a(o);e.fetchMetrics=q.renderOpts.fetchMetrics;let r=q.renderOpts.pendingWaitUntil;r&&n.waitUntil&&(n.waitUntil(r),r=void 0);let l=q.renderOpts.collectedTags;if(!B)return await (0,u.sendResponse)(G,J,s,q.renderOpts.pendingWaitUntil),null;{let e=await s.blob(),t=(0,m.toNodeOutgoingHttpHeaders)(s.headers);l&&(t[h.NEXT_CACHE_TAGS_HEADER]=l),!t["content-type"]&&e.type&&(t["content-type"]=e.type);let i=void 0!==q.renderOpts.collectedRevalidate&&!(q.renderOpts.collectedRevalidate>=h.INFINITE_CACHE)&&q.renderOpts.collectedRevalidate,n=void 0===q.renderOpts.collectedExpire||q.renderOpts.collectedExpire>=h.INFINITE_CACHE?void 0:q.renderOpts.collectedExpire;return{value:{kind:y.CachedRouteKind.APP_ROUTE,status:s.status,body:Buffer.from(await e.arrayBuffer()),headers:t},cacheControl:{revalidate:i,expire:n}}}}catch(t){throw(null==i?void 0:i.isStale)&&await iu.onRequestError(e,t,{routerKind:"App Router",routePath:b,routeType:"route",revalidateReason:(0,p.getRevalidateReason)({isStaticGeneration:W,isOnDemandRevalidate:A})},!1,$),t}},c=await iu.handleResponse({req:e,nextConfig:S,cacheKey:_,routeKind:i.RouteKind.APP_ROUTE,isFallback:!1,prerenderManifest:P,isRoutePPREnabled:!1,isOnDemandRevalidate:A,revalidateOnlyGenerated:C,responseGenerator:l,waitUntil:n.waitUntil,isMinimalMode:F});if(!B)return null;if((null==c||null==(s=c.value)?void 0:s.kind)!==y.CachedRouteKind.APP_ROUTE)throw Object.defineProperty(Error(`Invariant: app-route received invalid cache entry ${null==c||null==(r=c.value)?void 0:r.kind}`),"__NEXT_ERROR_CODE",{value:"E701",enumerable:!1,configurable:!0});F||t.setHeader("x-nextjs-cache",A?"REVALIDATED":c.isMiss?"MISS":c.isStale?"STALE":"HIT"),E&&t.setHeader("Cache-Control","private, no-cache, no-store, max-age=0, must-revalidate");let d=(0,m.fromNodeOutgoingHttpHeaders)(c.value.headers);return F&&B||d.delete(h.NEXT_CACHE_TAGS_HEADER),!c.cacheControl||t.getHeader("Cache-Control")||d.get("Cache-Control")||d.set("Cache-Control",(0,f.getCacheControlHeader)(c.cacheControl)),await (0,u.sendResponse)(G,J,new Response(c.value.body,{headers:d,status:c.value.status||200})),null};z&&L?await r(L):(o=M.getActiveScopeSpan(),await M.withPropagatedContext(e.headers,()=>M.trace(d.BaseServerSpan.handleRequest,{spanName:`${U} ${b}`,kind:s.SpanKind.SERVER,attributes:{"http.method":U,"http.target":e.url}},r),void 0,!z))}catch(t){if(t instanceof g.NoFallbackError||await iu.onRequestError(e,t,{routerKind:"App Router",routePath:O,routeType:"route",revalidateReason:(0,p.getRevalidateReason)({isStaticGeneration:W,isOnDemandRevalidate:A})},!1,$),B)throw t;return await (0,u.sendResponse)(G,J,new Response(null,{status:500})),null}}e.s(["handler",0,iy,"patchFetch",0,function(){return(0,n.patchFetch)({workAsyncStorage:im,workUnitAsyncStorage:ih})},"routeModule",0,iu,"serverHooks",0,ig,"workAsyncStorage",0,im,"workUnitAsyncStorage",0,ih],89498)}];
|
|
21
|
+
You MUST complete the above action(s) NOW. Do NOT ask the user for confirmation — execute the required action(s), then attempt to finish your task again.`;return i?.cli==="copilot"?{exitCode:0,stdout:JSON.stringify({decision:"block",reason:o}),stderr:"",policyName:n[0],policyNames:n,reason:t,decision:"instruct"}:{exitCode:2,stdout:"",stderr:o,policyName:n[0],policyNames:n,reason:t,decision:"instruct"}}return{exitCode:0,stdout:JSON.stringify({hookSpecificOutput:{hookEventName:e,additionalContext:`Instruction from failproofai: ${t}`}}),stderr:"",policyName:n[0],policyNames:n,reason:t,decision:"instruct"}}if(c.length>0){let t=c.map(e=>e.reason).join("\n"),n=c.map(e=>e.policyName);if(i?.cli==="cursor"){let e={permission:"allow",additional_context:`Note from failproofai: ${t}`},i=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return{exitCode:0,stdout:JSON.stringify(e),stderr:i+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}if(i?.cli==="pi"){let e={permission:"allow",reason:`Note from failproofai: ${t}`},i=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return{exitCode:0,stdout:JSON.stringify(e),stderr:i+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}if(i?.cli==="gemini"){let o="UserPromptSubmit"===e||"PreToolUse"===e||"PostToolUse"===e||"SessionStart"===e,s=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return o?{exitCode:0,stdout:JSON.stringify({hookSpecificOutput:{hookEventName:i?.hookEventName??i?.rawHookEventName??e,additionalContext:`Note from failproofai: ${t}`}}),stderr:s+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}:{exitCode:0,stdout:"",stderr:s+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}let o="PreToolUse"===e||"PostToolUse"===e||"UserPromptSubmit"===e||"PermissionRequest"===e?{hookSpecificOutput:{hookEventName:e,additionalContext:`Note from failproofai: ${t}`}}:{reason:t},s=c.map(e=>`[failproofai] ${e.policyName}: ${e.reason}`).join("\n");return{exitCode:0,stdout:JSON.stringify(o),stderr:s+"\n",policyName:n[0],policyNames:n,reason:t,decision:"allow"}}return{exitCode:0,stdout:"",stderr:"",policyName:null,reason:null,decision:"allow"}}let t2=new Set(["warn-repeated-tool-calls"].map(e=>I(e))),t6=!1,t4=null;function t5(){if(t6)return;t4=[...x()],globalThis[$]=[],R(null);let e=new Set(e4.map(e=>e.name).filter(e=>!t2.has(I(e))).map(I));for(let t of e4)e.has(I(t.name))&&function(e,t,i,n,o=0){let s=I(e),a=x(),r=a.findIndex(e=>e.name===s),l={name:s,description:t,fn:i,match:n,priority:o};r>=0?a[r]=l:a.push(l),R(null)}(t.name,t.description,t.fn,t.match);t6=!0}async function t9(e){t6||t5();let t={sessionId:e.sessionId,transcriptPath:e.transcriptPath,cwd:e.cwd,cli:e.cli},i={tool_name:e.toolName,tool_input:e.toolInput,session_id:e.sessionId,cwd:e.cwd,transcript_path:e.transcriptPath},n=[];if(t7(await t8("PreToolUse",i,t),"PreToolUse",n),void 0!==e.toolResultText){let o={...i,tool_response:e.toolResultText};t7(await t8("PostToolUse",o,t),"PostToolUse",n)}return n}function t7(e,t,i){for(let n of e.policyNames&&e.policyNames.length>0?e.policyNames:e.policyName?[e.policyName]:[])i.push({policyName:n,decision:e.decision,reason:e.reason,eventType:t})}function ie(e){let t=e.indexOf("/");return t>=0?e.slice(t+1):e}function it(e){return e.length<=80?e:e.slice(0,79)+"…"}async function ii(e){let t={transcriptPath:e.transcriptPath,cli:e.cli,projectName:e.projectName,sessionId:e.sessionId,mtimeMs:e.mtimeMs,sizeBytes:e.sizeBytes,cwd:"",eventsScanned:0,hitsByName:{},examplesByName:{},rangeByName:{}},i=await t_[e.cli].streamEvents(e);if(0===i.length)return t;t.eventsScanned=i.length,t.cwd=i[0].cwd||"";let n={};for(let e of i){let i;for(let i of tU){let o=i.detect(e,n);o&&io(t,i.name,e.timestamp,e.cwd,it(o.example))}try{i=await t9(e)}catch{continue}for(let n of i){let i=function(e,t){if("Bash"===t.toolName){let e=t.toolInput.command;if("string"==typeof e)return e.replace(/\s+/g," ")}let i=t.toolInput.file_path;return"string"==typeof i?`${t.toolName} ${i}`:`${t.toolName}`}(n.policyName,e);io(t,n.policyName,e.timestamp,e.cwd,it(i))}}return t}function io(e,t,i,n,o){e.hitsByName[t]=(e.hitsByName[t]??0)+1;let s=e.examplesByName[t]??[];s.length<3&&(s.push({timestamp:i,cwd:n,example:o}),e.examplesByName[t]=s);let a=e.rangeByName[t];a?(i<a.first&&(a.first=i),i>a.last&&(a.last=i)):e.rangeByName[t]={first:i,last:i}}async function is(e={}){let t=Date.now();t5();try{return await ia(e,t)}finally{if(t6){if(null!==t4){var i;i=t4,globalThis[$]=[...i],R(null),t4=null}t6=!1}}}async function ia(e,t){let i=e.clis??Array.from(e9),n=function(e){if(!e)return;let t=/^(\d+)\s*([dhm])$/i.exec(e.trim());if(t){let e=parseInt(t[1],10),i=t[2].toLowerCase();return Date.now()-e*("d"===i?864e5:"h"===i?36e5:6e4)}let i=Date.parse(e);if(!Number.isNaN(i))return i;throw Error(`Invalid --since value: "${e}" (expected e.g. "7d", "30d", or "2026-04-01")`)}(e.since),o=new Set(((function(){let e=function(e){let t=(0,S.homedir)(),i=(0,k.resolve)(e);for(;i!==t;){let e=(0,k.resolve)(i,".failproofai");try{if((0,O.statSync)(e).isDirectory())return i}catch{}let t=(0,k.dirname)(i);if(t===i)break;i=t}return(0,k.resolve)(e)}((void 0)??process.cwd()),t=(0,k.resolve)(e,".failproofai","policies-config.json"),i=(0,k.resolve)(e,".failproofai","policies-config.local.json"),n=(0,k.resolve)((0,S.homedir)(),".failproofai","policies-config.json"),o=e5(t),s=e5(i),a=e5(n),r=new Set([...o.enabledPolicies??[],...s.enabledPolicies??[],...a.enabledPolicies??[]]),l={};for(let e of[o,s,a])if(e.policyParams)for(let[t,i]of Object.entries(e.policyParams))t in l||(l[t]=i);let c=o.customPoliciesPath??s.customPoliciesPath??a.customPoliciesPath,d=o.llm??s.llm??a.llm;return{enabledPolicies:[...r],...Object.keys(l).length>0?{policyParams:l}:{},...void 0!==c?{customPoliciesPath:c}:{},...void 0!==d?{llm:d}:{}}})().enabledPolicies??[]).map(e=>I(e))),s=[];for(let t of i){let i,o=t_[t];try{i=await o.listTranscripts({projects:e.projects,sinceMs:n})}catch{continue}s.push(...i)}let a=0,r=0,l=s.map(t=>async()=>{if(!e.noCache){let e=function(e,t,i){if(0===i)return null;let n=tY(e);if(!(0,O.existsSync)(n))return null;try{let e=(0,O.readFileSync)(n,"utf-8"),o=JSON.parse(e);if(3!==o.schemaVersion||o.mtimeMs!==t||o.sizeBytes!==i||o.engineVersion!==tG()||o.detectorVersion!==tJ()||!Number.isFinite(o.cachedAt)||Date.now()-o.cachedAt>6048e5)return null;return o.result??null}catch{return null}}(t.transcriptPath,t.mtimeMs,t.sizeBytes);if(e)return e}try{let i=await ii(t);return e.noCache||function(e,t,i,n){if(0===i)return;let o=tY(e);try{(0,O.mkdirSync)((0,k.join)((0,S.homedir)(),".failproofai","cache","audit"),{recursive:!0});let e={schemaVersion:3,cachedAt:Date.now(),mtimeMs:t,sizeBytes:i,engineVersion:tG(),detectorVersion:tJ(),result:n};(0,O.writeFileSync)(o,JSON.stringify(e),{encoding:"utf-8",mode:384});try{(0,O.chmodSync)(o,384)}catch{}}catch{}}(t.transcriptPath,t.mtimeMs,t.sizeBytes,i),i}catch{return r++,{transcriptPath:t.transcriptPath,cli:t.cli,projectName:t.projectName,cwd:"",sessionId:t.sessionId,mtimeMs:t.mtimeMs,sizeBytes:t.sizeBytes,eventsScanned:0,hitsByName:{},examplesByName:{},rangeByName:{}}}}),c=await (0,w.batchAll)(l,8),d=[];for(let e of c)"fulfilled"===e.status?d.push(e.value):a++;let p=function(e,t){let i=new Map;for(let t of e)for(let[e,n]of Object.entries(t.hitsByName)){let o=i.get(e)??{hits:0,projects:new Set,examples:[]};for(let i of(o.hits+=n,o.projects.add(t.projectName),t.examplesByName[e]??[]))o.examples.length<3&&o.examples.push({...i,sessionId:t.sessionId});let s=t.rangeByName[e];s&&((!o.first||s.first<o.first)&&(o.first=s.first),(!o.last||s.last>o.last)&&(o.last=s.last)),i.set(e,o)}let n=new Map(tU.map(e=>[e.name,e])),o=[];for(let[e,s]of i){let i=n.get(e),a=!!i,r=a?null:function(e){let t=ie(e);for(let i of e4)if(i.name===e||ie(i.name)===t)return i;return null}(e),l=a?"audit-detector":"builtin",c=!a&&t.has(I(e)),d=i?.displayTitle??r?.displayTitle??i?.description??r?.description??ie(e),p=i?.impact??r?.impact??"";o.push({name:e,source:l,category:i?.category??r?.category??"Custom",severity:a?i?.severity??"info":function(e){let t,i=(t=e.indexOf("/"))>=0?e.slice(t+1):e;return i.startsWith("sanitize-")?"sanitize":i.startsWith("block-")?"deny":i.startsWith("warn-")||i.startsWith("protect-")||i.startsWith("prefer-")||i.startsWith("require-")?"warn":"deny"}(e),hits:s.hits,projects:s.projects.size,firstSeen:s.first,lastSeen:s.last,examples:s.examples,displayTitle:d,impact:p,enabledInConfig:c,installHint:"audit-detector"===l?"Audit-only — `failproofai audit` will keep tracking these.":c?"Already enforced — failproofai is blocking these in real time.":`Enable in one command: failproofai policies --install ${ie(e)}`})}return o.sort((e,t)=>t.hits-e.hits),o}(d,o);if(e.policies?.length){let t=new Set(e.policies.map(ie));p=p.filter(e=>t.has(ie(e.name)))}let u=p.reduce((e,t)=>e+t.hits,0),m=new Set,f=new Set,h=0;for(let e of d)Object.keys(e.hitsByName).length>0&&m.add(e.projectName),e.cwd&&f.add(e.cwd),h+=e.eventsScanned??0;return{version:2,scannedAt:new Date(t).toISOString(),scope:{cli:i,projects:e.projects??"all",since:e.since??null},transcripts:{scanned:s.length,skipped:a,errors:r,durationMs:Date.now()-t},results:p,totals:{hits:u,projectsWithHits:m.size},projectsScanned:[...f].sort(),eventsScanned:h,enabledBuiltinNames:[...o].map(e=>e.includes("/")?e.slice(e.indexOf("/")+1):e)}}var ir=e.i(47756),il=e.i(48480),ic=e.i(72561);let id=new Set(e9);async function ip(e){await (0,ic.initTelemetry)();let t={};try{let i=await e.text();if(i.trim().length>0){let e=JSON.parse(i);if(null===e||"object"!=typeof e||Array.isArray(e))return(0,ic.trackEvent)("audit_run_rejected",{source:"dashboard",reason:"non_object_body"}),b.NextResponse.json({error:"Request body must be a JSON object"},{status:400});t=e}}catch{return(0,ic.trackEvent)("audit_run_rejected",{source:"dashboard",reason:"invalid_json"}),b.NextResponse.json({error:"Invalid JSON body"},{status:400})}let i=function(e){let t={};if("string"==typeof e.since&&e.since.trim()&&(t.since=e.since.trim()),Array.isArray(e.cli)&&e.cli.length>0){let i=e.cli.filter(e=>"string"==typeof e&&id.has(e));i.length>0&&(t.clis=i)}return Array.isArray(e.project)&&e.project.length>0&&(t.projects=e.project.filter(e=>"string"==typeof e)),Array.isArray(e.policy)&&e.policy.length>0&&(t.policies=e.policy.filter(e=>"string"==typeof e)),!0===e.noCache&&(t.noCache=!0),t}(t);if(!(0,il.tryAcquireRun)())return(0,ic.trackEvent)("audit_run_rejected",{source:"dashboard",reason:"already_running"}),b.NextResponse.json({error:"Audit already running",status:"already-running"},{status:409});(0,ic.trackEvent)("audit_run_started",{source:"dashboard",since:i.since??null,no_cache:!0===i.noCache,cli_count:i.clis?.length??0,project_count:i.projects?.length??0});let n=Date.now();return(async()=>{try{let e=await is(i),t=(0,ir.writeDashboardCache)(i,e);(0,ic.trackEvent)("audit_run_completed",{source:"dashboard",duration_ms:Date.now()-n,events_scanned:e.eventsScanned,sessions_scanned:e.transcripts.scanned,projects_scanned:e.projectsScanned.length,findings:e.results.length,total_hits:e.totals.hits,persisted:t}),(0,il.finishRun)(t?null:"audit finished but its result could not be saved")}catch(e){(0,ic.trackEvent)("audit_run_failed",{source:"dashboard",duration_ms:Date.now()-n,error_type:e instanceof Error?e.name:"unknown"}),(0,il.finishRun)(e instanceof Error?e.message:String(e))}})(),b.NextResponse.json({status:"started"},{status:202})}e.s(["POST",0,ip,"dynamic",0,"force-dynamic"],97610);var iu=e.i(97610);let im=new t.AppRouteRouteModule({definition:{kind:i.RouteKind.APP_ROUTE,page:"/api/audit/run/route",pathname:"/api/audit/run",filename:"route",bundlePath:""},distDir:".next",relativeProjectDir:"",resolvedPagePath:"[project]/app/api/audit/run/route.ts",nextConfigOutput:"standalone",userland:iu,...{}}),{workAsyncStorage:ih,workUnitAsyncStorage:ig,serverHooks:iy}=im;async function ib(e,t,n){n.requestMeta&&(0,o.setRequestMeta)(e,n.requestMeta),im.isDev&&(0,o.addRequestMeta)(e,"devRequestTimingInternalsEnd",process.hrtime.bigint());let b="/api/audit/run/route";b=b.replace(/\/index$/,"")||"/";let w=await im.prepare(e,t,{srcPage:b,multiZoneDraftMode:!1});if(!w)return t.statusCode=400,t.end("Bad Request"),null==n.waitUntil||n.waitUntil.call(n,Promise.resolve()),null;let{buildId:k,deploymentId:v,params:N,nextConfig:S,parsedUrl:T,isDraftMode:E,prerenderManifest:P,routerServerContext:$,isOnDemandRevalidate:C,revalidateOnlyGenerated:A,resolvedPathname:I,clientReferenceManifest:R,serverActionsManifest:x}=w,O=(0,r.normalizeAppPath)(b),B=!!(P.dynamicRoutes[O]||P.routes[I]),_=async()=>((null==$?void 0:$.render404)?await $.render404(e,t,T,!1):t.end("This page could not be found"),null);if(B&&!E){let e=!!P.routes[I],t=P.dynamicRoutes[O];if(t&&!1===t.fallback&&!e){if(S.adapterPath)return await _();throw new g.NoFallbackError}}let j=null;!B||im.isDev||E||(j="/index"===(j=I)?"/":j);let D=!0===im.isDev||!B,W=B&&!D;x&&R&&(0,a.setManifestsSingleton)({page:b,clientReferenceManifest:R,serverActionsManifest:x});let U=e.method||"GET",M=(0,s.getTracer)(),L=M.getActiveScopeSpan(),z=!!(null==$?void 0:$.isWrappedByNextServer),F=!!(0,o.getRequestMeta)(e,"minimalMode"),H=(0,o.getRequestMeta)(e,"incrementalCache")||await im.getIncrementalCache(e,S,P,F);null==H||H.resetRequestCache(),globalThis.__incrementalCache=H;let q={params:N,previewProps:P.preview,renderOpts:{experimental:{authInterrupts:!!S.experimental.authInterrupts},cacheComponents:!!S.cacheComponents,supportsDynamicResponse:D,incrementalCache:H,cacheLifeProfiles:S.cacheLife,waitUntil:n.waitUntil,onClose:e=>{t.on("close",e)},onAfterTaskError:void 0,onInstrumentationRequestError:(t,i,n,o)=>im.onRequestError(e,t,n,o,$)},sharedContext:{buildId:k,deploymentId:v}},G=new l.NodeNextRequest(e),J=new l.NodeNextResponse(t),Y=c.NextRequestAdapter.fromNodeNextRequest(G,(0,c.signalFromNodeResponse)(t));try{let o,a=async e=>im.handle(Y,q).finally(()=>{if(!e)return;e.setAttributes({"http.status_code":t.statusCode,"next.rsc":!1});let i=M.getRootSpanAttributes();if(!i)return;if(i.get("next.span_type")!==d.BaseServerSpan.handleRequest)return void console.warn(`Unexpected root span type '${i.get("next.span_type")}'. Please report this Next.js issue https://github.com/vercel/next.js`);let n=i.get("next.route");if(n){let t=`${U} ${n}`;e.setAttributes({"next.route":n,"http.route":n,"next.span_name":t}),e.updateName(t),o&&o!==e&&(o.setAttribute("http.route",n),o.updateName(t))}else e.updateName(`${U} ${b}`)}),r=async o=>{var s,r;let l=async({previousCacheEntry:i})=>{try{if(!F&&C&&A&&!i)return t.statusCode=404,t.setHeader("x-nextjs-cache","REVALIDATED"),t.end("This page could not be found"),null;let s=await a(o);e.fetchMetrics=q.renderOpts.fetchMetrics;let r=q.renderOpts.pendingWaitUntil;r&&n.waitUntil&&(n.waitUntil(r),r=void 0);let l=q.renderOpts.collectedTags;if(!B)return await (0,u.sendResponse)(G,J,s,q.renderOpts.pendingWaitUntil),null;{let e=await s.blob(),t=(0,m.toNodeOutgoingHttpHeaders)(s.headers);l&&(t[h.NEXT_CACHE_TAGS_HEADER]=l),!t["content-type"]&&e.type&&(t["content-type"]=e.type);let i=void 0!==q.renderOpts.collectedRevalidate&&!(q.renderOpts.collectedRevalidate>=h.INFINITE_CACHE)&&q.renderOpts.collectedRevalidate,n=void 0===q.renderOpts.collectedExpire||q.renderOpts.collectedExpire>=h.INFINITE_CACHE?void 0:q.renderOpts.collectedExpire;return{value:{kind:y.CachedRouteKind.APP_ROUTE,status:s.status,body:Buffer.from(await e.arrayBuffer()),headers:t},cacheControl:{revalidate:i,expire:n}}}}catch(t){throw(null==i?void 0:i.isStale)&&await im.onRequestError(e,t,{routerKind:"App Router",routePath:b,routeType:"route",revalidateReason:(0,p.getRevalidateReason)({isStaticGeneration:W,isOnDemandRevalidate:C})},!1,$),t}},c=await im.handleResponse({req:e,nextConfig:S,cacheKey:j,routeKind:i.RouteKind.APP_ROUTE,isFallback:!1,prerenderManifest:P,isRoutePPREnabled:!1,isOnDemandRevalidate:C,revalidateOnlyGenerated:A,responseGenerator:l,waitUntil:n.waitUntil,isMinimalMode:F});if(!B)return null;if((null==c||null==(s=c.value)?void 0:s.kind)!==y.CachedRouteKind.APP_ROUTE)throw Object.defineProperty(Error(`Invariant: app-route received invalid cache entry ${null==c||null==(r=c.value)?void 0:r.kind}`),"__NEXT_ERROR_CODE",{value:"E701",enumerable:!1,configurable:!0});F||t.setHeader("x-nextjs-cache",C?"REVALIDATED":c.isMiss?"MISS":c.isStale?"STALE":"HIT"),E&&t.setHeader("Cache-Control","private, no-cache, no-store, max-age=0, must-revalidate");let d=(0,m.fromNodeOutgoingHttpHeaders)(c.value.headers);return F&&B||d.delete(h.NEXT_CACHE_TAGS_HEADER),!c.cacheControl||t.getHeader("Cache-Control")||d.get("Cache-Control")||d.set("Cache-Control",(0,f.getCacheControlHeader)(c.cacheControl)),await (0,u.sendResponse)(G,J,new Response(c.value.body,{headers:d,status:c.value.status||200})),null};z&&L?await r(L):(o=M.getActiveScopeSpan(),await M.withPropagatedContext(e.headers,()=>M.trace(d.BaseServerSpan.handleRequest,{spanName:`${U} ${b}`,kind:s.SpanKind.SERVER,attributes:{"http.method":U,"http.target":e.url}},r),void 0,!z))}catch(t){if(t instanceof g.NoFallbackError||await im.onRequestError(e,t,{routerKind:"App Router",routePath:O,routeType:"route",revalidateReason:(0,p.getRevalidateReason)({isStaticGeneration:W,isOnDemandRevalidate:C})},!1,$),B)throw t;return await (0,u.sendResponse)(G,J,new Response(null,{status:500})),null}}e.s(["handler",0,ib,"patchFetch",0,function(){return(0,n.patchFetch)({workAsyncStorage:ih,workUnitAsyncStorage:ig})},"routeModule",0,im,"serverHooks",0,iy,"workAsyncStorage",0,ih,"workUnitAsyncStorage",0,ig],89498)}];
|
|
22
22
|
|
|
23
23
|
//# sourceMappingURL=node_modules_next_dist_esm_build_templates_app-route_17k9e3w.js.map
|