npm - failproofai - Versions diffs - 0.0.6-beta.1 → 0.0.6-beta.3 - Mend

failproofai 0.0.6-beta.1 → 0.0.6-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (177) hide show

package/.next/standalone/docs/zh/getting-started.mdx CHANGED Viewed

@@ -1,13 +1,13 @@
 ---
-title: 快速入门
+title: 快速开始
 description: "安装 failproofai，启用策略，让你的 Agent 稳定运行"
 icon: rocket
 ---
-## 系统要求
+## 环境要求
 - **Node.js** >= 20.9.0
-- **Bun** >= 1.3.0（可选 - 仅从源码构建时需要）
+- **Bun** >= 1.3.0（可选，仅在从源码构建时需要）
 ---
@@ -27,7 +27,7 @@ bun add -g failproofai
 ---
-## 快速开始
+## 快速上手
 <Steps>
   <Step title="启用策略">
@@ -37,37 +37,37 @@ bun add -g failproofai
     failproofai policies --install
     ```
-    此命令会将 hook 条目写入 Claude Code 的 `settings.json`。你也可以针对单个项目安装，或选择特定策略：
+    该命令会将 hook 条目写入 Claude Code 的 `settings.json`。你也可以仅为单个项目安装，或选择特定策略：
     ```bash
     failproofai policies --install --scope project
     failproofai policies --install block-sudo block-rm-rf sanitize-api-keys
     ```
   </Step>
-  <Step title="验证">
+  <Step title="验证安装">
     ```bash
     failproofai policies
     ```
-    显示所有策略、是否已启用以及已配置的参数。
+    显示所有策略、启用状态及已配置的参数。
   </Step>
-  <Step title="启动仪表板">
+  <Step title="启动控制台">
     ```bash
     failproofai
     ```
-    在 `http://localhost:8020` 打开本地仪表板，你可以在此浏览会话、查看工具调用详情并管理策略。
+    在 `http://localhost:8020` 打开本地控制台，你可以在此浏览会话记录、查看工具调用详情并管理策略。
   </Step>
   <Step title="运行你的 Agent">
-    像往常一样启动 Claude Code。如果 Agent 尝试执行高风险操作，failproofai 会自动拦截。让它在无人值守的情况下运行，之后在仪表板中查看执行记录。
+    像往常一样启动 Claude Code。如果 Agent 尝试执行风险操作，failproofai 会自动拦截。你可以让其在无人值守的情况下运行，之后在控制台中回顾发生的一切。
   </Step>
 </Steps>
 ---
-## 策略的工作原理
+## 策略工作原理
-每当 Agent 运行工具时，Claude Code 会将 failproofai 作为子进程调用：
+每当 Agent 运行工具时，Claude Code 会以子进程方式调用 failproofai：
 ```text
 Claude Code  →  failproofai --hook PreToolUse  →  reads stdin JSON
@@ -75,11 +75,11 @@ Claude Code  →  failproofai --hook PreToolUse  →  reads stdin JSON
                                                  writes decision to stdout
 ```
-每个策略返回以下三种决策之一：
+每条策略会返回以下三种决策之一：
 - **allow** - Agent 正常继续执行
-- **deny** - 操作被阻止，并告知 Agent 原因
-- **instruct** - 向 Agent 的提示词中追加额外上下文
+- **deny** - 操作被拦截，并将原因告知 Agent
+- **instruct** - 向 Agent 的提示词中追加额外的上下文信息
 <Note>
 策略在你的本地进程中运行，不会向任何远程服务发送数据。
@@ -87,6 +87,58 @@ Claude Code  →  failproofai --hook PreToolUse  →  reads stdin JSON
 ---
+## 使用约定式策略为团队制定统一规范
+在团队中建立质量标准最快的方式是使用 `.failproofai/policies/` 约定目录。只需将策略文件放入该目录，它们会自动加载——无需任何标志、配置变更或安装命令。
+<Steps>
+  <Step title="创建策略目录">
+    ```bash
+    mkdir -p .failproofai/policies
+    ```
+  </Step>
+  <Step title="添加策略文件">
+    复制示例文件或编写你自己的策略：
+    ```bash
+    cp node_modules/failproofai/examples/convention-policies/*.mjs .failproofai/policies/
+    ```
+    或者新建一个策略文件：
+    ```js
+    // .failproofai/policies/team-policies.mjs
+    import { customPolicies, allow, deny, instruct } from "failproofai";
+    customPolicies.add({
+      name: "test-before-commit",
+      match: { events: ["PreToolUse"] },
+      fn: async (ctx) => {
+        if (ctx.toolName !== "Bash") return allow();
+        if (/git\s+commit/.test(ctx.toolInput?.command ?? "")) {
+          return instruct("Run tests before committing.");
+        }
+        return allow();
+      },
+    });
+    ```
+  </Step>
+  <Step title="提交到 git">
+    ```bash
+    git add .failproofai/policies/
+    git commit -m "Add team quality policies"
+    ```
+    所有安装了 failproofai 的团队成员都会自动获取这些策略，无需单独配置。
+  </Step>
+</Steps>
+<Tip>
+将 `.failproofai/policies/` 提交到代码仓库，让整个团队共享同一套规范。随着团队发现新的故障模式，持续添加策略并推送更新——所有人在下次 `git pull` 时即可获取最新内容。随着时间推移，这些策略将成为不断演进的质量标准。
+</Tip>
+---
 ## 数据存储
 所有配置和日志均保存在本地：
@@ -94,10 +146,10 @@ Claude Code  →  failproofai --hook PreToolUse  →  reads stdin JSON
 | 路径 | 存储内容 |
 |------|----------------|
 | `~/.failproofai/policies-config.json` | 全局策略配置 |
-| `~/.failproofai/hook-activity.jsonl` | Hook 执行历史记录 |
+| `~/.failproofai/hook-activity.jsonl` | Hook 执行历史 |
 | `~/.failproofai/hook.log` | 自定义 hook 错误的调试日志 |
-| `.failproofai/policies-config.json` | 项目级配置（可提交至版本库） |
-| `.failproofai/policies-config.local.json` | 个人覆盖配置（已被 gitignore） |
+| `.failproofai/policies-config.json` | 项目级配置（可提交至仓库） |
+| `.failproofai/policies-config.local.json` | 个人覆盖配置（已加入 gitignore） |
 ---
@@ -115,16 +167,16 @@ failproofai policies --uninstall
 <CardGroup cols={2}>
-<Card title="配置" icon="gear" href="/zh/configuration">
+<Card title="配置说明" icon="gear" href="/zh/configuration">
   作用域与配置文件格式
 </Card>
 <Card title="内置策略" icon="shield" href="/zh/built-in-policies">
-  全部 26 个策略及其参数说明
+  全部 26 条策略及其参数说明
 </Card>
 <Card title="自定义策略" icon="code" href="/zh/custom-policies">
-  用 JavaScript 编写你自己的策略
+  使用 JavaScript 编写你自己的策略
 </Card>
 <Card title="Agent 监控" icon="chart-line" href="/zh/dashboard">

package/.next/standalone/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "failproofai",
-  "version": "0.0.6-beta.1",
+  "version": "0.0.6-beta.3",
   "description": "The easiest way to manage policies that keep your AI agents reliable, on-task, and running autonomously — for Claude Code & the Agents SDK",
   "bin": {
     "failproofai": "./dist/cli.mjs"

package/.next/standalone/server.js CHANGED Viewed

@@ -9,7 +9,7 @@ const currentPort = parseInt(process.env.PORT, 10) || 3000
 const hostname = process.env.HOSTNAME || '0.0.0.0'
 let keepAliveTimeout = parseInt(process.env.KEEP_ALIVE_TIMEOUT, 10)
-const nextConfig = {"env":{"NEXT_PUBLIC_APP_VERSION":"0.0.6-beta.1"},"typescript":{"ignoreBuildErrors":false},"typedRoutes":false,"distDir":"./.next","cleanDistDir":true,"assetPrefix":"","cacheMaxMemorySize":52428800,"configOrigin":"next.config.ts","useFileSystemPublicRoutes":true,"generateEtags":true,"pageExtensions":["tsx","ts","jsx","js"],"poweredByHeader":true,"compress":true,"images":{"deviceSizes":[640,750,828,1080,1200,1920,2048,3840],"imageSizes":[32,48,64,96,128,256,384],"path":"/_next/image","loader":"default","loaderFile":"","domains":[],"disableStaticImages":false,"minimumCacheTTL":14400,"formats":["image/webp"],"maximumRedirects":3,"maximumResponseBody":50000000,"dangerouslyAllowLocalIP":false,"dangerouslyAllowSVG":false,"contentSecurityPolicy":"script-src 'none'; frame-src 'none'; sandbox;","contentDispositionType":"attachment","localPatterns":[{"pathname":"**","search":""}],"remotePatterns":[],"qualities":[75],"unoptimized":true,"customCacheHandler":false},"devIndicators":{"position":"bottom-left"},"onDemandEntries":{"maxInactiveAge":60000,"pagesBufferLength":5},"basePath":"","sassOptions":{},"trailingSlash":false,"i18n":null,"productionBrowserSourceMaps":false,"excludeDefaultMomentLocales":true,"reactProductionProfiling":false,"reactStrictMode":null,"reactMaxHeadersLength":6000,"httpAgentOptions":{"keepAlive":true},"logging":{"serverFunctions":true,"browserToTerminal":"warn"},"compiler":{},"expireTime":31536000,"staticPageGenerationTimeout":60,"output":"standalone","modularizeImports":{"@mui/icons-material":{"transform":"@mui/icons-material/{{member}}"},"lodash":{"transform":"lodash/{{member}}"}},"outputFileTracingRoot":"/home/runner/work/failproofai/failproofai","cacheComponents":false,"cacheLife":{"default":{"stale":300,"revalidate":900,"expire":4294967294},"seconds":{"stale":30,"revalidate":1,"expire":60},"minutes":{"stale":300,"revalidate":60,"expire":3600},"hours":{"stale":300,"revalidate":3600,"expire":86400},"days":{"stale":300,"revalidate":86400,"expire":604800},"weeks":{"stale":300,"revalidate":604800,"expire":2592000},"max":{"stale":300,"revalidate":2592000,"expire":31536000}},"cacheHandlers":{},"experimental":{"appNewScrollHandler":false,"useSkewCookie":false,"cssChunking":true,"multiZoneDraftMode":false,"appNavFailHandling":false,"prerenderEarlyExit":true,"serverMinification":true,"linkNoTouchStart":false,"caseSensitiveRoutes":false,"cachedNavigations":false,"partialFallbacks":false,"dynamicOnHover":false,"varyParams":false,"prefetchInlining":false,"preloadEntriesOnStart":true,"clientRouterFilter":true,"clientRouterFilterRedirects":false,"fetchCacheKeyPrefix":"","proxyPrefetch":"flexible","optimisticClientCache":true,"manualClientBasePath":false,"cpus":3,"memoryBasedWorkersCount":false,"imgOptConcurrency":null,"imgOptTimeoutInSeconds":7,"imgOptMaxInputPixels":268402689,"imgOptSequentialRead":null,"imgOptSkipMetadata":null,"isrFlushToDisk":true,"workerThreads":false,"optimizeCss":false,"nextScriptWorkers":false,"scrollRestoration":false,"externalDir":false,"disableOptimizedLoading":false,"gzipSize":true,"craCompat":false,"esmExternals":true,"fullySpecified":false,"swcTraceProfiling":false,"forceSwcTransforms":false,"largePageDataBytes":128000,"typedEnv":false,"parallelServerCompiles":false,"parallelServerBuildTraces":false,"ppr":false,"authInterrupts":false,"webpackMemoryOptimizations":false,"optimizeServerReact":true,"strictRouteTypes":false,"viewTransition":false,"removeUncaughtErrorAndRejectionListeners":false,"validateRSCRequestHeaders":false,"staleTimes":{"dynamic":0,"static":300},"reactDebugChannel":true,"serverComponentsHmrCache":true,"staticGenerationMaxConcurrency":8,"staticGenerationMinPagesPerWorker":25,"transitionIndicator":false,"gestureTransition":false,"inlineCss":false,"useCache":false,"globalNotFound":false,"browserDebugInfoInTerminal":"warn","lockDistDir":true,"proxyClientMaxBodySize":10485760,"hideLogsAfterAbort":false,"mcpServer":true,"turbopackFileSystemCacheForDev":true,"turbopackFileSystemCacheForBuild":false,"turbopackInferModuleSideEffects":true,"turbopackPluginRuntimeStrategy":"childProcesses","optimizePackageImports":["lucide-react","date-fns","lodash-es","ramda","antd","react-bootstrap","ahooks","@ant-design/icons","@headlessui/react","@headlessui-float/react","@heroicons/react/20/solid","@heroicons/react/24/solid","@heroicons/react/24/outline","@visx/visx","@tremor/react","rxjs","@mui/material","@mui/icons-material","recharts","react-use","effect","@effect/schema","@effect/platform","@effect/platform-node","@effect/platform-browser","@effect/platform-bun","@effect/sql","@effect/sql-mssql","@effect/sql-mysql2","@effect/sql-pg","@effect/sql-sqlite-node","@effect/sql-sqlite-bun","@effect/sql-sqlite-wasm","@effect/sql-sqlite-react-native","@effect/rpc","@effect/rpc-http","@effect/typeclass","@effect/experimental","@effect/opentelemetry","@material-ui/core","@material-ui/icons","@tabler/icons-react","mui-core","react-icons/ai","react-icons/bi","react-icons/bs","react-icons/cg","react-icons/ci","react-icons/di","react-icons/fa","react-icons/fa6","react-icons/fc","react-icons/fi","react-icons/gi","react-icons/go","react-icons/gr","react-icons/hi","react-icons/hi2","react-icons/im","react-icons/io","react-icons/io5","react-icons/lia","react-icons/lib","react-icons/lu","react-icons/md","react-icons/pi","react-icons/ri","react-icons/rx","react-icons/si","react-icons/sl","react-icons/tb","react-icons/tfi","react-icons/ti","react-icons/vsc","react-icons/wi"],"trustHostHeader":false,"isExperimentalCompile":false},"htmlLimitedBots":"[\\w-]+-Google|Google-[\\w-]+|Chrome-Lighthouse|Slurp|DuckDuckBot|baiduspider|yandex|sogou|bitlybot|tumblr|vkShare|quora link preview|redditbot|ia_archiver|Bingbot|BingPreview|applebot|facebookexternalhit|facebookcatalog|Twitterbot|LinkedInBot|Slackbot|Discordbot|WhatsApp|SkypeUriPreview|Yeti|googleweblight","bundlePagesRouterDependencies":false,"configFileName":"next.config.ts","turbopack":{"root":"/home/runner/work/failproofai/failproofai"},"distDirRoot":".next"}
+const nextConfig = {"env":{"NEXT_PUBLIC_APP_VERSION":"0.0.6-beta.3"},"typescript":{"ignoreBuildErrors":false},"typedRoutes":false,"distDir":"./.next","cleanDistDir":true,"assetPrefix":"","cacheMaxMemorySize":52428800,"configOrigin":"next.config.ts","useFileSystemPublicRoutes":true,"generateEtags":true,"pageExtensions":["tsx","ts","jsx","js"],"poweredByHeader":true,"compress":true,"images":{"deviceSizes":[640,750,828,1080,1200,1920,2048,3840],"imageSizes":[32,48,64,96,128,256,384],"path":"/_next/image","loader":"default","loaderFile":"","domains":[],"disableStaticImages":false,"minimumCacheTTL":14400,"formats":["image/webp"],"maximumRedirects":3,"maximumResponseBody":50000000,"dangerouslyAllowLocalIP":false,"dangerouslyAllowSVG":false,"contentSecurityPolicy":"script-src 'none'; frame-src 'none'; sandbox;","contentDispositionType":"attachment","localPatterns":[{"pathname":"**","search":""}],"remotePatterns":[],"qualities":[75],"unoptimized":true,"customCacheHandler":false},"devIndicators":{"position":"bottom-left"},"onDemandEntries":{"maxInactiveAge":60000,"pagesBufferLength":5},"basePath":"","sassOptions":{},"trailingSlash":false,"i18n":null,"productionBrowserSourceMaps":false,"excludeDefaultMomentLocales":true,"reactProductionProfiling":false,"reactStrictMode":null,"reactMaxHeadersLength":6000,"httpAgentOptions":{"keepAlive":true},"logging":{"serverFunctions":true,"browserToTerminal":"warn"},"compiler":{},"expireTime":31536000,"staticPageGenerationTimeout":60,"output":"standalone","modularizeImports":{"@mui/icons-material":{"transform":"@mui/icons-material/{{member}}"},"lodash":{"transform":"lodash/{{member}}"}},"outputFileTracingRoot":"/home/runner/work/failproofai/failproofai","cacheComponents":false,"cacheLife":{"default":{"stale":300,"revalidate":900,"expire":4294967294},"seconds":{"stale":30,"revalidate":1,"expire":60},"minutes":{"stale":300,"revalidate":60,"expire":3600},"hours":{"stale":300,"revalidate":3600,"expire":86400},"days":{"stale":300,"revalidate":86400,"expire":604800},"weeks":{"stale":300,"revalidate":604800,"expire":2592000},"max":{"stale":300,"revalidate":2592000,"expire":31536000}},"cacheHandlers":{},"experimental":{"appNewScrollHandler":false,"useSkewCookie":false,"cssChunking":true,"multiZoneDraftMode":false,"appNavFailHandling":false,"prerenderEarlyExit":true,"serverMinification":true,"linkNoTouchStart":false,"caseSensitiveRoutes":false,"cachedNavigations":false,"partialFallbacks":false,"dynamicOnHover":false,"varyParams":false,"prefetchInlining":false,"preloadEntriesOnStart":true,"clientRouterFilter":true,"clientRouterFilterRedirects":false,"fetchCacheKeyPrefix":"","proxyPrefetch":"flexible","optimisticClientCache":true,"manualClientBasePath":false,"cpus":3,"memoryBasedWorkersCount":false,"imgOptConcurrency":null,"imgOptTimeoutInSeconds":7,"imgOptMaxInputPixels":268402689,"imgOptSequentialRead":null,"imgOptSkipMetadata":null,"isrFlushToDisk":true,"workerThreads":false,"optimizeCss":false,"nextScriptWorkers":false,"scrollRestoration":false,"externalDir":false,"disableOptimizedLoading":false,"gzipSize":true,"craCompat":false,"esmExternals":true,"fullySpecified":false,"swcTraceProfiling":false,"forceSwcTransforms":false,"largePageDataBytes":128000,"typedEnv":false,"parallelServerCompiles":false,"parallelServerBuildTraces":false,"ppr":false,"authInterrupts":false,"webpackMemoryOptimizations":false,"optimizeServerReact":true,"strictRouteTypes":false,"viewTransition":false,"removeUncaughtErrorAndRejectionListeners":false,"validateRSCRequestHeaders":false,"staleTimes":{"dynamic":0,"static":300},"reactDebugChannel":true,"serverComponentsHmrCache":true,"staticGenerationMaxConcurrency":8,"staticGenerationMinPagesPerWorker":25,"transitionIndicator":false,"gestureTransition":false,"inlineCss":false,"useCache":false,"globalNotFound":false,"browserDebugInfoInTerminal":"warn","lockDistDir":true,"proxyClientMaxBodySize":10485760,"hideLogsAfterAbort":false,"mcpServer":true,"turbopackFileSystemCacheForDev":true,"turbopackFileSystemCacheForBuild":false,"turbopackInferModuleSideEffects":true,"turbopackPluginRuntimeStrategy":"childProcesses","optimizePackageImports":["lucide-react","date-fns","lodash-es","ramda","antd","react-bootstrap","ahooks","@ant-design/icons","@headlessui/react","@headlessui-float/react","@heroicons/react/20/solid","@heroicons/react/24/solid","@heroicons/react/24/outline","@visx/visx","@tremor/react","rxjs","@mui/material","@mui/icons-material","recharts","react-use","effect","@effect/schema","@effect/platform","@effect/platform-node","@effect/platform-browser","@effect/platform-bun","@effect/sql","@effect/sql-mssql","@effect/sql-mysql2","@effect/sql-pg","@effect/sql-sqlite-node","@effect/sql-sqlite-bun","@effect/sql-sqlite-wasm","@effect/sql-sqlite-react-native","@effect/rpc","@effect/rpc-http","@effect/typeclass","@effect/experimental","@effect/opentelemetry","@material-ui/core","@material-ui/icons","@tabler/icons-react","mui-core","react-icons/ai","react-icons/bi","react-icons/bs","react-icons/cg","react-icons/ci","react-icons/di","react-icons/fa","react-icons/fa6","react-icons/fc","react-icons/fi","react-icons/gi","react-icons/go","react-icons/gr","react-icons/hi","react-icons/hi2","react-icons/im","react-icons/io","react-icons/io5","react-icons/lia","react-icons/lib","react-icons/lu","react-icons/md","react-icons/pi","react-icons/ri","react-icons/rx","react-icons/si","react-icons/sl","react-icons/tb","react-icons/tfi","react-icons/ti","react-icons/vsc","react-icons/wi"],"trustHostHeader":false,"isExperimentalCompile":false},"htmlLimitedBots":"[\\w-]+-Google|Google-[\\w-]+|Chrome-Lighthouse|Slurp|DuckDuckBot|baiduspider|yandex|sogou|bitlybot|tumblr|vkShare|quora link preview|redditbot|ia_archiver|Bingbot|BingPreview|applebot|facebookexternalhit|facebookcatalog|Twitterbot|LinkedInBot|Slackbot|Discordbot|WhatsApp|SkypeUriPreview|Yeti|googleweblight","bundlePagesRouterDependencies":false,"configFileName":"next.config.ts","turbopack":{"root":"/home/runner/work/failproofai/failproofai"},"distDirRoot":".next"}
 process.env.__NEXT_PRIVATE_STANDALONE_CONFIG = JSON.stringify(nextConfig)

package/.next/standalone/src/auth/login.ts ADDED Viewed

@@ -0,0 +1,104 @@
+import { spawn } from "node:child_process";
+import { platform } from "node:os";
+import { writeTokens, type AuthTokens } from "./token-store";
+const DEFAULT_SERVER_URL = process.env.FAILPROOFAI_SERVER_URL ?? "https://api.befailproof.ai";
+const HTTP_TIMEOUT_MS = 10_000;
+interface DeviceCodeResponse {
+  device_code: string;
+  user_code: string;
+  verification_url: string;
+  expires_in: number;
+  interval: number;
+}
+interface TokenResponse {
+  access_token: string;
+  refresh_token: string;
+  expires_in: number;
+  user: { id: string; email: string; name?: string };
+}
+function openBrowser(url: string): void {
+  const os = platform();
+  try {
+    if (os === "darwin") {
+      spawn("open", [url], { detached: true, stdio: "ignore" }).unref();
+    } else if (os === "win32") {
+      // On cmd's `start`, the first quoted token is treated as a window
+      // title. Pass an empty title so URLs containing "&" or spaces are
+      // interpreted as the target, not the title.
+      spawn("cmd", ["/c", "start", "", url], { detached: true, stdio: "ignore" }).unref();
+    } else {
+      spawn("xdg-open", [url], { detached: true, stdio: "ignore" }).unref();
+    }
+  } catch {
+    // Fallback: the URL is already printed above.
+  }
+}
+async function postJson<T>(url: string, body: unknown, timeoutMs = HTTP_TIMEOUT_MS): Promise<T> {
+  const resp = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs),
+  });
+  if (!resp.ok) {
+    throw new Error(`${url} → ${resp.status} ${resp.statusText}`);
+  }
+  return (await resp.json()) as T;
+}
+export async function login(): Promise<void> {
+  const serverUrl = DEFAULT_SERVER_URL;
+  console.log("Requesting device code...");
+  const dc = await postJson<DeviceCodeResponse>(`${serverUrl}/api/v1/auth/device-code`, {});
+  console.log(`\n  Open this URL in your browser (will be opened automatically):`);
+  console.log(`    ${dc.verification_url}\n`);
+  console.log(`  Your code: ${dc.user_code}\n`);
+  openBrowser(dc.verification_url);
+  const deadline = Date.now() + dc.expires_in * 1000;
+  const intervalMs = dc.interval * 1000;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, intervalMs));
+    try {
+      const result = await postJson<TokenResponse | { status: string }>(
+        `${serverUrl}/api/v1/auth/device-token`,
+        { device_code: dc.device_code },
+      );
+      if ("access_token" in result) {
+        const tokens: AuthTokens = {
+          access_token: result.access_token,
+          refresh_token: result.refresh_token,
+          expires_at: Math.floor(Date.now() / 1000) + result.expires_in,
+          user_email: result.user.email,
+          user_id: result.user.id,
+          server_url: serverUrl,
+        };
+        writeTokens(tokens);
+        console.log(`Logged in as ${result.user.email}`);
+        // Auto-start relay daemon
+        try {
+          const { ensureRelayRunning } = await import("../relay/daemon");
+          ensureRelayRunning();
+          console.log("Relay daemon started.");
+        } catch (e) {
+          console.warn("Failed to auto-start relay daemon:", e);
+        }
+        return;
+      }
+    } catch {
+      // Pending or transient error — keep polling
+    }
+  }
+  throw new Error("Login timed out. Run `failproofai login` again.");
+}

package/.next/standalone/src/auth/logout.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import { readTokens, clearTokens } from "./token-store";
+import { stopRelay } from "../relay/pid";
+const LOGOUT_TIMEOUT_MS = 3_000;
+export async function logout(): Promise<void> {
+  const tokens = readTokens();
+  if (!tokens) {
+    console.log("Not logged in.");
+    return;
+  }
+  // Best-effort server revoke with a short timeout — the local logout
+  // must not block on a slow network.
+  try {
+    await fetch(`${tokens.server_url}/api/v1/auth/logout`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ refresh_token: tokens.refresh_token }),
+      signal: AbortSignal.timeout(LOGOUT_TIMEOUT_MS),
+    });
+  } catch {
+    // Network or timeout — proceed to local clear anyway
+  }
+  try {
+    stopRelay();
+  } catch {
+    // Best-effort daemon stop
+  }
+  clearTokens();
+  console.log("Logged out.");
+}
+export function whoami(): void {
+  const tokens = readTokens();
+  if (!tokens) {
+    console.log("Not logged in. Run `failproofai login` to authenticate.");
+    process.exit(1);
+  }
+  console.log(`Logged in as ${tokens.user_email}`);
+  console.log(`Server: ${tokens.server_url}`);
+  const expiresIn = tokens.expires_at - Math.floor(Date.now() / 1000);
+  if (expiresIn > 0) {
+    console.log(`Access token expires in ${Math.floor(expiresIn / 60)} minutes`);
+  } else {
+    console.log(`Access token expired (will refresh on next use)`);
+  }
+}

package/.next/standalone/src/auth/token-store.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import {
+  readFileSync,
+  writeFileSync,
+  existsSync,
+  mkdirSync,
+  unlinkSync,
+  renameSync,
+  openSync,
+  closeSync,
+} from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+export interface AuthTokens {
+  access_token: string;
+  refresh_token: string;
+  expires_at: number;
+  user_email: string;
+  user_id: string;
+  server_url: string;
+}
+const AUTH_DIR = join(homedir(), ".failproofai");
+const AUTH_FILE = join(AUTH_DIR, "auth.json");
+function ensureAuthDir(): void {
+  if (!existsSync(AUTH_DIR)) mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+}
+export function readTokens(): AuthTokens | null {
+  if (!existsSync(AUTH_FILE)) return null;
+  try {
+    const raw = readFileSync(AUTH_FILE, "utf8");
+    return JSON.parse(raw) as AuthTokens;
+  } catch {
+    return null;
+  }
+}
+/**
+ * Write tokens atomically with 0600 permissions *from creation*.
+ * We open with O_WRONLY|O_CREAT|O_TRUNC and explicit mode 0600 so the
+ * file is never world-readable, not even briefly during the write.
+ * Then rename into place (atomic on POSIX).
+ */
+export function writeTokens(tokens: AuthTokens): void {
+  ensureAuthDir();
+  const tmpPath = `${AUTH_FILE}.tmp`;
+  const fd = openSync(tmpPath, "w", 0o600);
+  try {
+    writeFileSync(fd, JSON.stringify(tokens, null, 2));
+  } finally {
+    closeSync(fd);
+  }
+  renameSync(tmpPath, AUTH_FILE);
+}
+export function clearTokens(): void {
+  if (existsSync(AUTH_FILE)) unlinkSync(AUTH_FILE);
+}
+export function isLoggedIn(): boolean {
+  return existsSync(AUTH_FILE);
+}

package/.next/standalone/src/hooks/builtin-policies.ts CHANGED Viewed

@@ -171,7 +171,7 @@ function getCurrentBranch(cwd: string): string | null {
     if (branch === undefined) {
       branch = execSync("git rev-parse --abbrev-ref HEAD", {
         cwd,
-        encoding: "utf8",
+        encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
         timeout: 3000,
       }).trim();
       gitBranchCache.set(cwd, branch);
@@ -186,7 +186,7 @@ function getHeadSha(cwd: string): string | null {
   try {
     const sha = execSync("git rev-parse HEAD", {
       cwd,
-      encoding: "utf8",
+      encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
       timeout: 3000,
     }).trim();
     return sha || null;
@@ -214,7 +214,7 @@ function getThirdPartyCheckRuns(cwd: string, sha: string): CiCheck[] {
       ],
       {
         cwd,
-        encoding: "utf8",
+        encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
         timeout: 15000,
       },
     ).trim();
@@ -239,7 +239,7 @@ function getCommitStatuses(cwd: string, sha: string): CiCheck[] {
       ],
       {
         cwd,
-        encoding: "utf8",
+        encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
         timeout: 15000,
       },
     ).trim();
@@ -676,7 +676,9 @@ function extractAbsolutePaths(command: string): string[] {
 }
 function blockReadOutsideCwd(ctx: PolicyContext): PolicyResult {
-  const cwd = ctx.session?.cwd;
+  // Prefer $CLAUDE_PROJECT_DIR (stable project root) over ctx.session.cwd,
+  // which tracks the live shell CWD and drifts when Claude `cd`s into a subdir.
+  const cwd = process.env.CLAUDE_PROJECT_DIR || ctx.session?.cwd;
   if (!cwd) return allow(); // Can't enforce without cwd
   const allowPaths = ((ctx.params?.allowPaths ?? []) as string[]);
@@ -964,7 +966,7 @@ function requireCommitBeforeStop(ctx: PolicyContext): PolicyResult {
   try {
     const status = execSync("git status --porcelain", {
       cwd,
-      encoding: "utf8",
+      encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
       timeout: 5000,
     }).trim();
@@ -986,7 +988,7 @@ function requirePushBeforeStop(ctx: PolicyContext): PolicyResult {
   try {
     const remotes = execSync("git remote", {
       cwd,
-      encoding: "utf8",
+      encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
       timeout: 3000,
     }).trim();
@@ -1009,7 +1011,7 @@ function requirePushBeforeStop(ctx: PolicyContext): PolicyResult {
       const ahead = execFileSync(
         "git",
         ["log", `${remote}/${baseBranch}..HEAD`, "--oneline"],
-        { cwd, encoding: "utf8", timeout: 5000 },
+        { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
       ).trim();
       if (!ahead) {
@@ -1022,7 +1024,7 @@ function requirePushBeforeStop(ctx: PolicyContext): PolicyResult {
       const diff = execFileSync(
         "git",
         ["diff", "--stat", `${remote}/${baseBranch}`, "HEAD"],
-        { cwd, encoding: "utf8", timeout: 5000 },
+        { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
       ).trim();
       if (!diff) {
@@ -1037,7 +1039,7 @@ function requirePushBeforeStop(ctx: PolicyContext): PolicyResult {
     try {
       execFileSync("git", ["rev-parse", "--verify", `${remote}/${branch}`], {
         cwd,
-        encoding: "utf8",
+        encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
         timeout: 3000,
       });
       hasTracking = true;
@@ -1055,7 +1057,7 @@ function requirePushBeforeStop(ctx: PolicyContext): PolicyResult {
     // Check for unpushed commits
     const unpushed = execFileSync("git", ["log", `${remote}/${branch}..HEAD`, "--oneline"], {
       cwd,
-      encoding: "utf8",
+      encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
       timeout: 5000,
     }).trim();
@@ -1080,7 +1082,7 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
   try {
     // Check if gh CLI is available
     try {
-      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
+      execSync("gh --version", { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
     } catch {
       return allow("GitHub CLI (gh) not installed, skipping PR check.");
     }
@@ -1100,7 +1102,7 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
       const ahead = execFileSync(
         "git",
         ["log", `origin/${baseBranch}..HEAD`, "--oneline"],
-        { cwd, encoding: "utf8", timeout: 5000 },
+        { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
       ).trim();
       if (!ahead) {
@@ -1113,7 +1115,7 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
       const diff = execFileSync(
         "git",
         ["diff", "--stat", `origin/${baseBranch}`, "HEAD"],
-        { cwd, encoding: "utf8", timeout: 5000 },
+        { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
       ).trim();
       if (!diff) {
@@ -1128,7 +1130,7 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
     try {
       prJson = execSync("gh pr view --json number,url,state", {
         cwd,
-        encoding: "utf8",
+        encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
         timeout: 15000,
       }).trim();
     } catch {
@@ -1151,13 +1153,13 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
       try {
         execFileSync("git", ["fetch", "origin", `+refs/heads/${baseBranch}:refs/remotes/origin/${baseBranch}`], {
           cwd,
-          encoding: "utf8",
+          encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
           timeout: 10000,
         });
         const freshAhead = execFileSync(
           "git",
           ["log", `origin/${baseBranch}..HEAD`, "--oneline"],
-          { cwd, encoding: "utf8", timeout: 5000 },
+          { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
         ).trim();
         if (!freshAhead) {
           return allow(`PR #${pr.number} was merged; branch is up to date with ${baseBranch}.`);
@@ -1165,7 +1167,7 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
         const freshDiff = execFileSync(
           "git",
           ["diff", "--stat", `origin/${baseBranch}`, "HEAD"],
-          { cwd, encoding: "utf8", timeout: 5000 },
+          { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
         ).trim();
         if (!freshDiff) {
           return allow(`PR #${pr.number} was merged; no file changes vs ${baseBranch}.`);
@@ -1190,7 +1192,7 @@ function requireCiGreenBeforeStop(ctx: PolicyContext): PolicyResult {
   try {
     // Check if gh CLI is available
     try {
-      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
+      execSync("gh --version", { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
     } catch {
       return allow("GitHub CLI (gh) not installed, skipping CI check.");
     }
@@ -1204,7 +1206,7 @@ function requireCiGreenBeforeStop(ctx: PolicyContext): PolicyResult {
       const runsJson = execFileSync(
         "gh",
         ["run", "list", "--branch", branch, "--limit", "5", "--json", "status,conclusion,name"],
-        { cwd, encoding: "utf8", timeout: 15000 },
+        { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 15000 },
       ).trim();
       if (runsJson && runsJson !== "[]") {
@@ -1229,7 +1231,11 @@ function requireCiGreenBeforeStop(ctx: PolicyContext): PolicyResult {
     if (allChecks.length === 0) return allow(`No CI runs found for branch "${branch}".`);
     const failing = allChecks.filter(
-      (r) => r.status === "completed" && r.conclusion !== "success" && r.conclusion !== "skipped",
+      (r) =>
+        r.status === "completed" &&
+        r.conclusion !== "success" &&
+        r.conclusion !== "skipped" &&
+        r.conclusion !== "cancelled",
     );
     if (failing.length > 0) {
       const names = failing.map((r) => `"${r.name}"`).join(", ");