getprismo 0.1.26 → 0.1.27

package/README.md

@@ -492,6 +492,14 @@ Run npx getprismo optimize, then start from .prismo/architecture-summary.md.
 
 timeline shows exactly what leaked, what repeated, and what to do differently next time.
 
+to turn a postmortem into a safer next-session policy, run:
+
+```bash
+npx getprismo cc timeline --firewall --task auth-bug
+```
+
+this writes `.prismo/timeline-firewall-suggestions.md`, `.prismo/context-firewall.suggested.md`, `.prismo/allowed-context.suggested.txt`, and `.prismo/blocked-context.suggested.txt` from the latest session evidence. it does not overwrite your active firewall; it gives you a per-task allow/block recommendation for the next session.
+
 ---
 
 ## how doctor improves a repo
@@ -736,6 +744,7 @@ For local development from this repo:
 ```bash
 npx getprismo cc                         # latest session cost
 npx getprismo cc timeline                # event timeline for latest session
+npx getprismo cc timeline --firewall --task auth-bug # suggest next-session firewall rules
 npx getprismo cc list                    # list recent sessions
 npx getprismo cc last 5                  # last 5 sessions
 npx getprismo cc all                     # everything

package/lib/prismo-dev/firewall.js

@@ -99,6 +99,58 @@ function buildBlockedContext(ctx) {
   return uniq(blocked).slice(0, 80);
 }
 
+function isGeneratedLike(value) {
+  const text = String(value || "").replace(/\\/g, "/").toLowerCase();
+  return /(^|\/)(node_modules|dist|build|coverage|\.next|__pycache__|logs?|events?|source-streams?|session-dumps?|playwright-report|test-results)(\/|$)/.test(text)
+    || /(^|\/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|bun\.lockb)$/.test(text)
+    || /\.(log|jsonl|ndjson|map|pyc)$/.test(text);
+}
+
+function firewallPatternForPath(value) {
+  const text = String(value || "").replace(/\\/g, "/").replace(/\s+\(\d+x\)$/, "");
+  if (!text) return null;
+  if (/(^|\/)__pycache__(\/|$)/.test(text)) return "**/__pycache__/**";
+  if (/(^|\/)(node_modules|dist|build|coverage|\.next|logs?|events?|source-streams?|session-dumps?|playwright-report|test-results)\//.test(text)) {
+    const match = text.match(/(^|\/)(node_modules|dist|build|coverage|\.next|logs?|events?|source-streams?|session-dumps?|playwright-report|test-results)\//);
+    const prefix = text.slice(0, match.index + match[0].length).replace(/\/$/, "");
+    return `${prefix}/**`;
+  }
+  return text;
+}
+
+function timelineEventPath(event) {
+  const detail = String(event?.detail || "");
+  const match = detail.match(/^(.+?)\s+\(\d+x\)$/);
+  return (match ? match[1] : detail).trim();
+}
+
+function buildTimelineFirewallSuggestions(ctx, session, taskScope) {
+  const baseAllowed = buildAllowedContext(ctx, taskScope);
+  const baseBlocked = buildBlockedContext(ctx);
+  const timeline = session?.timeline || [];
+  const repeated = session?.repeatedPathMentions || [];
+  const artifacts = session?.generatedArtifacts || [];
+
+  const sessionAllowed = repeated
+    .map((item) => item.value)
+    .filter((value) => value && !isGeneratedLike(value))
+    .map(globForFile)
+    .slice(0, 20);
+
+  const sessionBlocked = [
+    ...artifacts.map((item) => item.value),
+    ...timeline.filter((event) => event.type === "artifact-leak").map(timelineEventPath),
+    ...repeated.map((item) => item.value).filter(isGeneratedLike),
+  ].map(firewallPatternForPath).filter(Boolean);
+
+  return {
+    allowed: uniq([...sessionAllowed, ...baseAllowed]).slice(0, 80),
+    blocked: uniq([...sessionBlocked, ...baseBlocked]).slice(0, 100),
+    sessionAllowed: uniq(sessionAllowed),
+    sessionBlocked: uniq(sessionBlocked),
+  };
+}
+
 function renderLines(title, items) {
   return [`# ${title}`, "", ...items.map((item) => item)].join("\n") + "\n";
 }
@@ -187,6 +239,71 @@ function runFirewall(rootDir = process.cwd(), options = {}) {
   return result;
 }
 
+function renderTimelineFirewallSuggestions(result) {
+  const lines = [];
+  lines.push("# Prismo Timeline Firewall Suggestions");
+  lines.push("");
+  lines.push(`Generated: ${result.generatedAt}`);
+  lines.push(`Task: ${result.task}`);
+  lines.push(`Scope: ${result.scope}`);
+  if (result.sessionId) lines.push(`Session: ${result.sessionId}`);
+  lines.push("");
+  lines.push("These suggestions came from `cc timeline` session evidence. They are safe recommendation files; Prismo does not overwrite your active firewall unless you copy/apply them.");
+  lines.push("");
+  lines.push("## Session-Derived Allowed Context");
+  lines.push("");
+  if (result.sessionAllowed.length) result.sessionAllowed.forEach((item) => lines.push(`- ${item}`));
+  else lines.push("- No repeated source files were strong enough to promote.");
+  lines.push("");
+  lines.push("## Session-Derived Blocked Context");
+  lines.push("");
+  if (result.sessionBlocked.length) result.sessionBlocked.forEach((item) => lines.push(`- ${item}`));
+  else lines.push("- No generated/noisy paths were strong enough to add.");
+  lines.push("");
+  lines.push("## Next Session Prompt");
+  lines.push("");
+  lines.push("```text");
+  lines.push(`Use .prismo/context-firewall.suggested.md as the starting context policy for this ${result.task} task.`);
+  lines.push("Start from allowed context first. Do not read blocked paths unless you explain why they are required.");
+  lines.push("If you need wider context, name the exact file and reason before reading.");
+  lines.push("```");
+  lines.push("");
+  return lines.join("\n");
+}
+
+function runTimelineFirewallSuggestions(rootDir = process.cwd(), session = null, options = {}) {
+  const ctx = createOptimizeContext(rootDir, options.scope || null);
+  const task = options.task || options.scope || "timeline-followup";
+  const scope = inferTaskScope(task, ctx);
+  const suggestions = buildTimelineFirewallSuggestions(ctx, session, scope);
+  const result = {
+    root: ctx.root,
+    task,
+    scope,
+    sessionId: session?.sessionId || null,
+    allowed: suggestions.allowed,
+    blocked: suggestions.blocked,
+    sessionAllowed: suggestions.sessionAllowed,
+    sessionBlocked: suggestions.sessionBlocked,
+    generatedAt: new Date().toISOString(),
+    generatedFiles: [
+      ".prismo/timeline-firewall-suggestions.md",
+      ".prismo/context-firewall.suggested.md",
+      ".prismo/allowed-context.suggested.txt",
+      ".prismo/blocked-context.suggested.txt",
+    ],
+  };
+
+  if (!options.dryRun) {
+    writeGeneratedFile(ctx.root, ".prismo/timeline-firewall-suggestions.md", renderTimelineFirewallSuggestions(result));
+    writeGeneratedFile(ctx.root, ".prismo/context-firewall.suggested.md", renderFirewallPolicy(result));
+    writeGeneratedFile(ctx.root, ".prismo/allowed-context.suggested.txt", renderLines("Allowed Context Suggestions", result.allowed));
+    writeGeneratedFile(ctx.root, ".prismo/blocked-context.suggested.txt", renderLines("Blocked Context Suggestions", result.blocked));
+  }
+  result.dryRun = Boolean(options.dryRun);
+  return result;
+}
+
 function renderFirewallTerminal(result) {
   const lines = [];
   lines.push("");
@@ -218,6 +335,8 @@ function renderFirewallTerminal(result) {
     renderFirewallPolicy,
     renderFirewallPrompt,
     renderFirewallTerminal,
+    renderTimelineFirewallSuggestions,
     runFirewall,
+    runTimelineFirewallSuggestions,
   };
 };

package/lib/prismo-dev-scan.js

@@ -202,6 +202,7 @@ const {
 const {
   renderFirewallTerminal,
   runFirewall,
+  runTimelineFirewallSuggestions,
 } = require("./prismo-dev/firewall")({
   fs,
   path,
@@ -263,7 +264,7 @@ Usage:
   prismo scan [--fix] [--ci] [--json] [--usage] [--optimizer-fit] [--report-card] [--simple] [--no-report] [path]
   prismo optimize [scope] [--json] [path]
   prismo context [scope] [--json] [path]
-  prismo cc [list|last N|all] [--json] [--limit N] [path]
+  prismo cc [list|last N|all|timeline] [--json] [--limit N] [--firewall] [--task TASK] [path]
   prismo usage [codex|claude|all] [--json] [--limit N] [path]
   prismo watch [codex|claude|all] [--json] [--once] [--agents] [--report] [--rescue] [--guardrails] [--throttle] [--events] [--no-events] [--auto] [--budget N] [--redact-paths] [--interval N] [path]
   prismo demo
@@ -295,6 +296,8 @@ Options:
   --simple    Print a plain-English scan summary for first-time or non-technical users.
   --no-report Do not write .prismo/prismo-dev-report.md.
   --limit N   Number of recent local sessions to show.
+  --firewall Generate cc timeline-derived firewall suggestion files.
+  --task TASK Name the task for timeline-derived firewall suggestions.
   --interval N Refresh interval in seconds for watch mode.
   --dry-run  Preview doctor/fix actions without writing files.
   --apply-ignores-only Only create/suggest AI ignore files in doctor mode.
@@ -377,7 +380,7 @@ Output:
 
 Usage:
   prismo cc [--json] [path]
-  prismo cc timeline [--json] [path]
+  prismo cc timeline [--json] [--firewall] [--task TASK] [path]
   prismo cc list [--json] [--limit N] [path]
   prismo cc last N [--json] [path]
   prismo cc all [--json] [path]
@@ -385,6 +388,7 @@ Usage:
 Examples:
   prismo cc
   prismo cc timeline
+  prismo cc timeline --firewall --task auth-bug
   prismo cc list
   prismo cc last 5
   prismo cc all --json
@@ -393,6 +397,7 @@ Examples:
   Reads ~/.claude/projects session logs and estimates Claude API token cost from input, output, cache write, and cache read tokens.
   Adds Prismo diagnosis: cost drivers, estimated avoidable spend, and context-optimization next actions.
   timeline shows context spikes, repeated commands, artifact leaks, and tool-output pressure for the latest session.
+  --firewall writes .prismo/timeline-firewall-suggestions.md and suggested allow/block files from timeline evidence.
   Without a path, cc commands read all Claude Code projects. Passing a path filters to that project.`,
     usage: `Prismo Usage
 
@@ -759,7 +764,17 @@ async function runCli(argv) {
   if (command === "cc") {
     const json = rest.includes("--json");
     const limitIndex = rest.indexOf("--limit");
-    const positional = getPositionals(rest, new Set(["--limit"]));
+    const firewall = rest.includes("--firewall");
+    const taskIndex = rest.indexOf("--task");
+    const firewallTask = taskIndex >= 0 && rest[taskIndex + 1] && !rest[taskIndex + 1].startsWith("-")
+      ? rest[taskIndex + 1]
+      : "timeline-followup";
+    const ccArgs = rest.filter((_, index) => {
+      if (index === rest.indexOf("--firewall")) return false;
+      if (taskIndex >= 0 && (index === taskIndex || index === taskIndex + 1)) return false;
+      return true;
+    });
+    const positional = getPositionals(ccArgs, new Set(["--limit"]));
     const subcommand = positional[0] && ["list", "last", "all", "timeline"].includes(positional[0].toLowerCase()) ? positional[0].toLowerCase() : "latest";
     const lastCount = subcommand === "last" ? parsePositiveInt(positional[1], 5) : null;
     const limit = subcommand === "list"
@@ -780,6 +795,9 @@ async function runCli(argv) {
     if (json) {
       if (subcommand === "timeline") {
         const latest = summary.sessions[0] || null;
+        const firewallSuggestions = firewall && latest
+          ? runTimelineFirewallSuggestions(path.resolve(target), latest, { task: firewallTask, dryRun: false })
+          : null;
         console.log(JSON.stringify({
           schemaVersion: 1,
           generatedAt: summary.generatedAt,
@@ -796,6 +814,7 @@ async function runCli(argv) {
               }
             : null,
           timeline: latest ? latest.timeline || [] : [],
+          firewallSuggestions,
           suggestedAction: latest?.prismo?.recommendations?.[0] || `${NPX_COMMAND} doctor`,
         }, null, 2));
         return;
@@ -803,7 +822,20 @@ async function runCli(argv) {
       console.log(JSON.stringify(summary, null, 2));
       return;
     }
-    console.log(renderClaudeCostTerminal(summary));
+    const output = [renderClaudeCostTerminal(summary)];
+    if (subcommand === "timeline" && firewall) {
+      const latest = summary.sessions[0] || null;
+      if (latest) {
+        const suggestions = runTimelineFirewallSuggestions(path.resolve(target), latest, { task: firewallTask, dryRun: false });
+        output.push("");
+        output.push("Timeline Firewall Suggestions");
+        output.push(`Wrote: ${suggestions.generatedFiles.join(", ")}`);
+        output.push(`Session-derived allowed: ${suggestions.sessionAllowed.length}`);
+        output.push(`Session-derived blocked: ${suggestions.sessionBlocked.length}`);
+        output.push("Tell your agent: Use .prismo/context-firewall.suggested.md for the next scoped session.");
+      }
+    }
+    console.log(output.join("\n"));
     return;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "getprismo",
-  "version": "0.1.26",
+  "version": "0.1.27",
   "description": "Local AI coding workflow scanner for Codex, Claude Code, Cursor, and token-waste diagnostics.",
   "license": "MIT",
   "homepage": "https://github.com/shanirsh/prismodev#readme",