npm - failproofai - Versions diffs - 0.0.2-beta.2 → 0.0.2-beta.4 - Mend

failproofai 0.0.2-beta.2 → 0.0.2-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (130) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -179,8 +179,8 @@ var init_hooks_config = __esm(() => {
 });
 // src/hooks/policy-helpers.ts
-function allow() {
-  return { decision: "allow" };
+function allow(reason) {
+  return reason ? { decision: "allow", reason } : { decision: "allow" };
 }
 function deny(reason) {
   return { decision: "deny", reason };
@@ -248,7 +248,7 @@ var REGISTRY_KEY = "__FAILPROOFAI_POLICY_REGISTRY__", INDEX_CACHE_KEY = "__FAILP
 // src/hooks/builtin-policies.ts
 import { resolve as resolve2, join as join2 } from "node:path";
 import { readFile, writeFile } from "node:fs/promises";
-import { execSync } from "node:child_process";
+import { execSync, execFileSync } from "node:child_process";
 import { homedir as homedir3 } from "node:os";
 function isClaudeInternalPath(resolved2) {
   const claudeDir = join2(homedir3(), ".claude");
@@ -266,6 +266,22 @@ function getFilePath(ctx) {
 function parseArgvTokens(cmd) {
   return cmd.trim().split(/\s+/).map((t) => t.replace(/^['"]|['"]$/g, ""));
 }
+function getCurrentBranch(cwd) {
+  try {
+    let branch = gitBranchCache.get(cwd);
+    if (branch === undefined) {
+      branch = execSync("git rev-parse --abbrev-ref HEAD", {
+        cwd,
+        encoding: "utf8",
+        timeout: 3000
+      }).trim();
+      gitBranchCache.set(cwd, branch);
+    }
+    return branch || null;
+  } catch {
+    return null;
+  }
+}
 function matchesAllowedPattern(cmd, pattern) {
   const cmdTokens = parseArgvTokens(cmd);
   const patTokens = parseArgvTokens(pattern);
@@ -480,7 +496,8 @@ function rmTargetIsAllowed(cmd, allowPaths) {
     if (rmIdx < 0)
       continue;
     const flagTokens = tokens.slice(rmIdx + 1).filter((t) => /^-[^-]/.test(t));
-    if (!/r/i.test(flagTokens.join("")))
+    const longFlagsInSeg = tokens.slice(rmIdx + 1).filter((t) => /^--/.test(t));
+    if (!/r/i.test(flagTokens.join("")) && !longFlagsInSeg.some((f) => /^--recursive$/i.test(f)))
       continue;
     const pathArgs = tokens.slice(rmIdx + 1).filter((t) => !t.startsWith("-"));
     for (const target of pathArgs) {
@@ -505,7 +522,10 @@ function blockRmRf(ctx) {
   if (ctx.toolName !== "Bash")
     return allow();
   const cmd = getCommand(ctx);
-  const hasDestructivePath = /(?:\/\s*$|\/\*|~)/.test(cmd);
+  const hasDestructivePath = parseArgvTokens(cmd).some((token) => {
+    const normalized = token.replace(/\/\*$/, "").replace(/\/+$/, "") || (token.startsWith("/") ? "/" : "");
+    return normalized === "/" || normalized === "~" || /^\/[A-Za-z_][\w.-]*$/.test(normalized);
+  });
   if (hasDestructivePath && (/rm\s+-[^\s]*r[^\s]*f[^\s]*/.test(cmd) || /rm\s+-[^\s]*f[^\s]*r[^\s]*/.test(cmd))) {
     const allowPaths = ctx.params?.allowPaths ?? [];
     if (rmTargetIsAllowed(cmd, allowPaths))
@@ -515,7 +535,10 @@ function blockRmRf(ctx) {
   if (hasDestructivePath && /\brm\b/.test(cmd)) {
     const tokens = parseArgvTokens(cmd);
     const shortFlags = tokens.filter((t) => /^-[^-]/.test(t)).join("");
-    if (/r/i.test(shortFlags) && /f/.test(shortFlags)) {
+    const longFlags = tokens.filter((t) => /^--/.test(t));
+    const hasRecursive = /r/i.test(shortFlags) || longFlags.some((f) => /^--recursive$/i.test(f));
+    const hasForce = /f/.test(shortFlags) || longFlags.some((f) => /^--force$/i.test(f));
+    if (hasRecursive && hasForce) {
       const allowPaths = ctx.params?.allowPaths ?? [];
       if (rmTargetIsAllowed(cmd, allowPaths))
         return allow();
@@ -653,22 +676,12 @@ function blockWorkOnMain(ctx) {
   const cwd = ctx.session?.cwd;
   if (!cwd)
     return allow();
-  try {
-    let branch = gitBranchCache.get(cwd);
-    if (branch === undefined) {
-      branch = execSync("git rev-parse --abbrev-ref HEAD", {
-        cwd,
-        encoding: "utf8",
-        timeout: 3000
-      }).trim();
-      gitBranchCache.set(cwd, branch);
-    }
-    const protectedBranches = ctx.params?.protectedBranches ?? ["main", "master"];
-    if (protectedBranches.includes(branch)) {
-      return deny(`Git ${cmd.match(/git\s+(\S+)/)?.[1] ?? "operation"} on ${branch} is blocked. Create a feature branch first.`);
-    }
-  } catch {
+  const branch = getCurrentBranch(cwd);
+  if (!branch)
     return allow();
+  const protectedBranches = ctx.params?.protectedBranches ?? ["main", "master"];
+  if (protectedBranches.includes(branch)) {
+    return deny(`Git ${cmd.match(/git\s+(\S+)/)?.[1] ?? "operation"} on ${branch} is blocked. Create a feature branch first.`);
   }
   return allow();
 }
@@ -767,6 +780,137 @@ function warnBackgroundProcess(ctx) {
   }
   return allow();
 }
+function requireCommitBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping commit check.");
+  try {
+    const status = execSync("git status --porcelain", {
+      cwd,
+      encoding: "utf8",
+      timeout: 5000
+    }).trim();
+    if (status.length > 0) {
+      return deny("You have uncommitted changes in the working directory. Commit all changes before stopping.");
+    }
+    return allow("All changes are committed.");
+  } catch {
+    return allow("Not a git repository, skipping commit check.");
+  }
+}
+function requirePushBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping push check.");
+  try {
+    const remotes = execSync("git remote", {
+      cwd,
+      encoding: "utf8",
+      timeout: 3000
+    }).trim();
+    if (!remotes)
+      return allow("No git remote configured, skipping push check.");
+    const remote = ctx.params?.remote ?? "origin";
+    const branch = getCurrentBranch(cwd);
+    if (!branch || branch === "HEAD")
+      return allow("Detached HEAD, skipping push check.");
+    let hasTracking = false;
+    try {
+      execFileSync("git", ["rev-parse", "--verify", `${remote}/${branch}`], {
+        cwd,
+        encoding: "utf8",
+        timeout: 3000
+      });
+      hasTracking = true;
+    } catch {}
+    if (!hasTracking) {
+      return deny(`Branch "${branch}" has not been pushed to remote "${remote}". ` + `Push your branch with: git push -u ${remote} ${branch}`);
+    }
+    const unpushed = execFileSync("git", ["log", `${remote}/${branch}..HEAD`, "--oneline"], {
+      cwd,
+      encoding: "utf8",
+      timeout: 5000
+    }).trim();
+    if (unpushed.length > 0) {
+      const commitCount = unpushed.split(`
+`).length;
+      return deny(`You have ${commitCount} unpushed commit${commitCount > 1 ? "s" : ""} on branch "${branch}". ` + `Push your changes with: git push`);
+    }
+    return allow(`All commits pushed to "${remote}".`);
+  } catch {
+    return allow("Could not check push status, skipping.");
+  }
+}
+function requirePrBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping PR check.");
+  try {
+    try {
+      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
+    } catch {
+      return allow("GitHub CLI (gh) not installed, skipping PR check.");
+    }
+    const branch = getCurrentBranch(cwd);
+    if (!branch || branch === "HEAD")
+      return allow("Detached HEAD, skipping PR check.");
+    let prJson;
+    try {
+      prJson = execSync("gh pr view --json number,url,state", {
+        cwd,
+        encoding: "utf8",
+        timeout: 15000
+      }).trim();
+    } catch {
+      return deny(`No pull request found for branch "${branch}". ` + `Create one with: gh pr create`);
+    }
+    const pr = JSON.parse(prJson);
+    if (pr.state === "OPEN") {
+      return allow(`PR #${pr.number} exists: ${pr.url}`);
+    }
+    return deny(`Pull request for branch "${branch}" is ${pr.state.toLowerCase()}. Create a new PR with: gh pr create`);
+  } catch {
+    return allow("Could not check PR status, skipping.");
+  }
+}
+function requireCiGreenBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping CI check.");
+  try {
+    try {
+      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
+    } catch {
+      return allow("GitHub CLI (gh) not installed, skipping CI check.");
+    }
+    const branch = getCurrentBranch(cwd);
+    if (!branch || branch === "HEAD")
+      return allow("Detached HEAD, skipping CI check.");
+    const runsJson = execFileSync("gh", ["run", "list", "--branch", branch, "--limit", "5", "--json", "status,conclusion,name"], {
+      cwd,
+      encoding: "utf8",
+      timeout: 15000
+    }).trim();
+    if (!runsJson || runsJson === "[]")
+      return allow(`No CI runs found for branch "${branch}".`);
+    const runs = JSON.parse(runsJson);
+    if (runs.length === 0)
+      return allow(`No CI runs found for branch "${branch}".`);
+    const failing = runs.filter((r) => r.status === "completed" && r.conclusion !== "success" && r.conclusion !== "skipped");
+    if (failing.length > 0) {
+      const names = failing.map((r) => `"${r.name}"`).join(", ");
+      return deny(`CI checks are failing on branch "${branch}": ${names}. Fix the failing checks before stopping.`);
+    }
+    const pending = runs.filter((r) => r.status === "in_progress" || r.status === "queued" || r.status === "waiting");
+    if (pending.length > 0) {
+      const names = pending.map((r) => `"${r.name}"`).join(", ");
+      return deny(`CI checks are still running on branch "${branch}": ${names}. Wait for all checks to complete and verify they pass.`);
+    }
+    return allow(`All CI checks passed on branch "${branch}".`);
+  } catch {
+    return allow("Could not check CI status, skipping.");
+  }
+}
 function registerBuiltinPolicies(enabledNames) {
   const enabledSet = new Set(enabledNames);
   for (const policy of BUILTIN_POLICIES) {
@@ -802,7 +946,7 @@ var init_builtin_policies = __esm(() => {
   SCHEMA_ALTER_RE = /\bALTER\s+TABLE\b[\s\S]*\b(?:DROP\s+COLUMN|ADD\s+COLUMN|RENAME\s+(?:COLUMN|TO)|MODIFY\s+COLUMN)\b/i;
   PUBLISH_CMD_RE = /(?:npm\s+publish|bun\s+publish|pnpm\s+publish|yarn\s+npm\s+publish|twine\s+upload|poetry\s+publish|cargo\s+publish|gem\s+push)\b/;
   ENV_PRINTENV_RE = /(?:^|\s|;|&&|\|\|)(?:env|printenv)(?:\s|$|;|&&|\|)/;
-  ECHO_ENV_RE = /echo\s+.*\$[A-Za-z_]/;
+  ECHO_ENV_RE = /echo\s+.*\$\{?[A-Za-z_]/;
   EXPORT_RE = /(?:^|\s|;|&&|\|\|)export\s+\w+/;
   PS_ENV_VAR_RE = /\$env:[A-Za-z_]/i;
   PS_CHILDITEM_ENV_RE = /(?:Get-ChildItem|dir|gci|ls)\s+Env:/i;
@@ -813,7 +957,7 @@ var init_builtin_policies = __esm(() => {
   SUDO_RE = /(?:^|;|&&|\|\|)\s*sudo\s/;
   PS_ELEVATION_RE = /Start-Process\s+.*-Verb\s+RunAs/i;
   RUNAS_RE = /(?:^|;|&&|\|\|)\s*runas\s/i;
-  CURL_PIPE_SH_RE = /(?:curl|wget)\s.*\|\s*(?:sh|bash|zsh)/;
+  CURL_PIPE_SH_RE = /(?:curl|wget)\s.*\|\s*(?:sh|bash|zsh|dash|ksh|csh|tcsh|fish|ash)\b/;
   PS_WEB_PIPE_RE = /(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\s+.*\|\s*(?:Invoke-Expression|iex)/i;
   FORCE_PUSH_RE = /(?:--force|-f\b)/;
   SECRET_FILE_RE = /\.(?:pem|key)$/;
@@ -1102,6 +1246,49 @@ var init_builtin_policies = __esm(() => {
       match: { events: ["PreToolUse"] },
       defaultEnabled: false,
       category: "AI Behavior"
+    },
+    {
+      name: "require-commit-before-stop",
+      description: "Require all changes to be committed before Claude stops",
+      fn: requireCommitBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true
+    },
+    {
+      name: "require-push-before-stop",
+      description: "Require all commits to be pushed to remote before Claude stops",
+      fn: requirePushBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true,
+      params: {
+        remote: {
+          type: "string",
+          description: "Remote name to push to (default: origin)",
+          default: "origin"
+        }
+      }
+    },
+    {
+      name: "require-pr-before-stop",
+      description: "Require a pull request to exist for the current branch before Claude stops",
+      fn: requirePrBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true
+    },
+    {
+      name: "require-ci-green-before-stop",
+      description: "Require CI checks to pass on the current branch before Claude stops",
+      fn: requireCiGreenBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true
     }
   ];
 });
@@ -1124,6 +1311,7 @@ async function evaluatePolicies(eventType, payload, session, config) {
   };
   let instructPolicyName = null;
   let instructReason = null;
+  const allowEntries = [];
   for (const policy of policies) {
     const schema = POLICY_PARAMS_MAP.get(policy.name);
     let ctx;
@@ -1184,7 +1372,7 @@ async function evaluatePolicies(eventType, payload, session, config) {
       return {
         exitCode: 2,
         stdout: "",
-        stderr: "",
+        stderr: reason,
         policyName: policy.name,
         reason,
         decision: "deny"
@@ -1195,6 +1383,9 @@ async function evaluatePolicies(eventType, payload, session, config) {
       instructReason = result.reason ?? `Instruction from policy: ${policy.name}`;
       hookLogInfo(`instruct by "${policy.name}": ${instructReason}`);
     }
+    if (result.decision === "allow" && result.reason) {
+      allowEntries.push({ policyName: policy.name, reason: result.reason });
+    }
   }
   if (instructPolicyName && instructReason) {
     if (eventType === "Stop") {
@@ -1222,6 +1413,17 @@ async function evaluatePolicies(eventType, payload, session, config) {
       decision: "instruct"
     };
   }
+  if (allowEntries.length > 0) {
+    const combined = allowEntries.map((e) => e.reason).join(`
+`);
+    const policyNames = allowEntries.map((e) => e.policyName);
+    const supportsHookSpecificOutput = eventType === "PreToolUse" || eventType === "PostToolUse" || eventType === "UserPromptSubmit";
+    const response = supportsHookSpecificOutput ? { hookSpecificOutput: { hookEventName: eventType, additionalContext: `Note from failproofai: ${combined}` } } : { reason: combined };
+    const stderrMsg = allowEntries.map((e) => `[failproofai] ${e.policyName}: ${e.reason}`).join(`
+`);
+    return { exitCode: 0, stdout: JSON.stringify(response), stderr: stderrMsg + `
+`, policyName: policyNames[0], policyNames, reason: combined, decision: "allow" };
+  }
   return { exitCode: 0, stdout: "", stderr: "", policyName: null, reason: null, decision: "allow" };
 }
 var POLICY_PARAMS_MAP;
@@ -1516,7 +1718,11 @@ function updateStats(entry) {
   s.totalEvents += 1;
   if (entry.decision === "deny")
     s.denyCount += 1;
-  if (entry.policyName) {
+  if (entry.policyNames && entry.policyNames.length > 0) {
+    for (const name of entry.policyNames) {
+      s.policyMap[name] = (s.policyMap[name] ?? 0) + 1;
+    }
+  } else if (entry.policyName) {
     s.policyMap[entry.policyName] = (s.policyMap[entry.policyName] ?? 0) + 1;
   }
   const tmpPath = join3(storeDir, `stats.json.${process.pid}.tmp`);
@@ -1536,7 +1742,7 @@ var init_hook_activity_store = __esm(() => {
 });
 // package.json
-var version2 = "0.0.2-beta.2";
+var version2 = "0.0.2-beta.4";
 var init_package = () => {};
 // src/posthog-key.ts
@@ -1745,6 +1951,7 @@ async function handleHookEvent(eventType) {
       eventType,
       toolName: parsed.tool_name ?? null,
       policyName: result.policyName,
+      policyNames: result.policyNames,
       decision: result.decision,
       reason: result.reason,
       durationMs,
@@ -2762,7 +2969,7 @@ import { realpathSync as realpathSync2 } from "fs";
 import { dirname as dirname5, resolve as resolve8 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 // package.json
-var version = "0.0.2-beta.2";
+var version = "0.0.2-beta.4";
 // bin/failproofai.mjs
 if (!process.env.FAILPROOFAI_PACKAGE_ROOT) {

package/dist/index.js CHANGED Viewed

@@ -69,8 +69,8 @@ function clearCustomHooks() {
   g[REGISTRY_KEY] = [];
 }
 // src/hooks/policy-helpers.ts
-function allow() {
-  return { decision: "allow" };
+function allow(reason) {
+  return reason ? { decision: "allow", reason } : { decision: "allow" };
 }
 function deny(reason) {
   return { decision: "deny", reason };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "failproofai",
-  "version": "0.0.2-beta.2",
-  "description": "Open-source hooks, policies, and project visualization for Claude Code & Agents SDK",
+  "version": "0.0.2-beta.4",
+  "description": "The easiest way to manage policies that keep your AI agents reliable, on-task, and running autonomously — for Claude Code & the Agents SDK",
   "bin": {
     "failproofai": "./dist/cli.mjs"
   },
@@ -40,17 +40,14 @@
     "claude-agents-sdk",
     "anthropic",
     "ai-agent",
-    "llm-observability",
-    "agent-observability",
-    "log-viewer",
-    "session-replay",
+    "agent-reliability",
+    "agent-monitoring",
+    "autonomous-agent",
+    "failure-prevention",
     "developer-tools",
     "devtools",
     "cli",
     "local-first",
-    "monitoring",
-    "debugging",
-    "tracing",
     "hooks",
     "policies"
   ],

package/scripts/publish-aliases.mjs CHANGED Viewed

@@ -8,6 +8,8 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const rootPkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf8'));
 const VERSION = rootPkg.version;
 const DRY_RUN = process.argv.includes('--dry-run');
+const distTagIdx = process.argv.indexOf('--dist-tag');
+const DIST_TAG = distTagIdx !== -1 ? process.argv[distTagIdx + 1] : (VERSION.includes('-') ? 'beta' : 'latest');
 const ALIASES = [
   // Formatting variants — no "ai", or hyphen/underscore separators
@@ -54,7 +56,7 @@ for (const name of ALIASES) {
   cpSync(join(__dirname, 'alias-proxy.js'), join(binDir, 'proxy.js'));
   if (DRY_RUN) {
-    console.log(`[dry-run] Would publish ${name}@${VERSION}`);
+    console.log(`[dry-run] Would publish ${name}@${VERSION} (tag: ${DIST_TAG})`);
     console.log(JSON.stringify(pkg, null, 2));
     console.log('---');
     rmSync(tmpDir, { recursive: true, force: true });
@@ -63,7 +65,7 @@ for (const name of ALIASES) {
   console.log(`Publishing ${name}@${VERSION}...`);
   try {
-    execSync('npm publish', { cwd: tmpDir, stdio: 'pipe' });
+    execSync(`npm publish --tag ${DIST_TAG}`, { cwd: tmpDir, stdio: 'pipe' });
     console.log(`Done: ${name}`);
   } catch (err) {
     const output = (err.stdout?.toString() ?? '') + (err.stderr?.toString() ?? '');