gog-safe 0.1.0

package/README.md

@@ -0,0 +1,148 @@
+# gog-safe
+
+`gog-safe` is a policy-enforced wrapper around `gog`.
+It blocks disallowed Gmail/Sheets operations, enforces JSON/non-interactive execution, and can run command-specific post-validation.
+
+## Safety model
+
+- `gog-safe` always returns a unified JSON response for `run`.
+- Validator failures (timeout, non-JSON output, non-zero exit, contract violation) are fail-closed: `safety.action="block"`, `ok=false`.
+- Audit log write failure is fail-open by default (`logging.require_audit_success=false`), and adds `audit_log_write_failed`.
+- If `logging.require_audit_success=true`, audit failure is fail-closed.
+- Final safety status must be read from `safety.action` and `ok`.
+- `allowed` means only allow/deny command decision and does not include validator result.
+
+## Install
+
+```bash
+npm install
+npm run build
+```
+
+## CLI
+
+```bash
+gog-safe run --policy ./policy.yml -- sheets get --range A1:B2
+gog-safe validate-policy --policy ./policy.yml
+gog-safe print-effective-policy --policy ./policy.yml
+gog-safe version
+```
+
+## Config files and precedence
+
+`gog-safe` merges files in this order:
+
+1. `policy.yml` (required)
+2. `~/.gog-safe/config.json` (optional)
+3. First `.gog-safe/config.json` found while walking from current directory to parent directories (optional)
+
+Home config is loaded before project config. Project config wins where override applies.
+
+## Merge rules
+
+- `commands.allow`: override priority (`project > home > policy`)
+- `commands.deny`: union (`policy ∪ home ∪ project`)
+- `validation.rules`: concatenation (`policy + home + project`)
+- `validation.validators`: key merge (`project > home > policy`)
+- `gog`, `execution`, `logging`: key override (`project > home > policy`)
+
+## Run behavior
+
+`run` enforces flags:
+
+- `--json` (when `execution.enforce_json=true`)
+- `--no-input` (when `execution.enforce_no_input=true`)
+- `--account=<gog.account>`
+- `--client=<gog.client>` only when `gog.client` is non-empty
+
+User-provided `--json`, `--no-input`, `--account`, `--client` are rejected (including `--k=v` style).
+
+`validation.rules.match` is evaluated against the original user argv (before forced flags).
+
+v1 intentionally does not validate command option semantics.
+
+## Validator contract (`external_command`)
+
+stdin JSON:
+
+```json
+{
+  "command": "gog sheets get --range A1:B2",
+  "argv": ["sheets", "get", "--range", "A1:B2"],
+  "output": {"...": "..."},
+  "policy_version": 1
+}
+```
+
+stdout JSON:
+
+```json
+{
+  "decision": "allow",
+  "reason": "safe"
+}
+```
+
+Rules:
+
+- timeout / non-JSON / non-zero exit / invalid `decision` or missing `reason` => `block`
+- multiple validators are OR-block
+- when multiple rules match, validators are merged by rule order, deduplicated, and executed in first-seen order
+
+## Output schema (`run`)
+
+```json
+{
+  "ok": true,
+  "allowed": true,
+  "command": "gog sheets get",
+  "safety": {
+    "action": "allow",
+    "reasons": []
+  },
+  "data": {},
+  "meta": {
+    "policy_version": 1
+  }
+}
+```
+
+## Exit codes (`run`)
+
+- `0`: final allow (`ok=true`)
+- `2`: policy/validator block (including fail-closed validator or audit when configured)
+- `3`: runtime/system error (gog spawn/timeout/non-zero, invalid gog JSON, internal errors)
+
+## Operations examples
+
+Project-level deny override:
+
+```json
+{
+  "commands": {
+    "deny": ["gmail labels *"]
+  }
+}
+```
+
+Project-level allow override:
+
+```json
+{
+  "commands": {
+    "allow": ["sheets get"]
+  }
+}
+```
+
+Add validator only for `sheets get`:
+
+```json
+{
+  "validation": {
+    "rules": [
+      { "match": "sheets get", "validators": ["llm-guard"] }
+    ]
+  }
+}
+```

package/dist/audit.d.ts

@@ -0,0 +1,10 @@
+export interface AuditRecord {
+    timestamp: string;
+    command: string;
+    allowed: boolean;
+    ok: boolean;
+    action: "allow" | "block";
+    reasons: string[];
+    metadata?: Record<string, unknown>;
+}
+export declare function appendAuditLog(auditFile: string, record: AuditRecord): Promise<void>;

package/dist/audit.js

@@ -0,0 +1,9 @@
+import { appendFile, mkdir } from "node:fs/promises";
+import path from "node:path";
+export async function appendAuditLog(auditFile, record) {
+    const resolved = path.resolve(process.cwd(), auditFile);
+    const dir = path.dirname(resolved);
+    await mkdir(dir, { recursive: true });
+    await appendFile(resolved, `${JSON.stringify(record)}\n`, "utf8");
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,IAAI,MAAM,WAAW,CAAC;AAY7B,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB,EAAE,MAAmB;IACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,UAAU,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACpE,CAAC"}

package/dist/command-control.d.ts

@@ -0,0 +1,12 @@
+export interface CommandDecision {
+    allowed: boolean;
+    reasons: string[];
+}
+export declare function decideCommandAllowance(positionals: string[], allowPatterns: string[], denyPatterns: string[]): CommandDecision;
+export declare function findForbiddenOverride(argv: string[]): string | undefined;
+export declare function buildForcedArgs(argv: string[], options: {
+    enforceJson: boolean;
+    enforceNoInput: boolean;
+    account: string;
+    client: string;
+}): string[];

package/dist/command-control.js

@@ -0,0 +1,49 @@
+import { matchCommandPattern } from "./matching.js";
+export function decideCommandAllowance(positionals, allowPatterns, denyPatterns) {
+    for (const denyPattern of denyPatterns) {
+        if (matchCommandPattern(denyPattern, positionals)) {
+            return {
+                allowed: false,
+                reasons: [`command_denied:${denyPattern}`],
+            };
+        }
+    }
+    for (const allowPattern of allowPatterns) {
+        if (matchCommandPattern(allowPattern, positionals)) {
+            return {
+                allowed: true,
+                reasons: [`command_allowed:${allowPattern}`],
+            };
+        }
+    }
+    return {
+        allowed: false,
+        reasons: ["command_not_allowed"],
+    };
+}
+const FORBIDDEN_OVERRIDE_OPTIONS = ["--json", "--no-input", "--account", "--client"];
+export function findForbiddenOverride(argv) {
+    for (const token of argv) {
+        for (const forbidden of FORBIDDEN_OVERRIDE_OPTIONS) {
+            if (token === forbidden || token.startsWith(`${forbidden}=`)) {
+                return forbidden;
+            }
+        }
+    }
+    return undefined;
+}
+export function buildForcedArgs(argv, options) {
+    const forced = [...argv];
+    if (options.enforceJson) {
+        forced.push("--json");
+    }
+    if (options.enforceNoInput) {
+        forced.push("--no-input");
+    }
+    forced.push(`--account=${options.account}`);
+    if (options.client.trim().length > 0) {
+        forced.push(`--client=${options.client}`);
+    }
+    return forced;
+}
+//# sourceMappingURL=command-control.js.map

package/dist/command-control.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-control.js","sourceRoot":"","sources":["../src/command-control.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAOpD,MAAM,UAAU,sBAAsB,CACpC,WAAqB,EACrB,aAAuB,EACvB,YAAsB;IAEtB,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,mBAAmB,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;YAClD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,CAAC,kBAAkB,WAAW,EAAE,CAAC;aAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,mBAAmB,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,CAAC,mBAAmB,YAAY,EAAE,CAAC;aAC7C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,CAAC,qBAAqB,CAAC;KACjC,CAAC;AACJ,CAAC;AAED,MAAM,0BAA0B,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;AAErF,MAAM,UAAU,qBAAqB,CAAC,IAAc;IAClD,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;QACzB,KAAK,MAAM,SAAS,IAAI,0BAA0B,EAAE,CAAC;YACnD,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC;gBAC7D,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,IAAc,EACd,OAKC;IAED,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IAEzB,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxB,CAAC;IAED,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAE5C,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,7 @@
+export declare class UserInputError extends Error {
+    constructor(message: string);
+}
+export declare class PolicyValidationError extends Error {
+    readonly issues: string[];
+    constructor(issues: string[]);
+}

package/dist/errors.js

@@ -0,0 +1,15 @@
+export class UserInputError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "UserInputError";
+    }
+}
+export class PolicyValidationError extends Error {
+    issues;
+    constructor(issues) {
+        super(`Policy validation failed (${issues.length} issue(s))`);
+        this.name = "PolicyValidationError";
+        this.issues = issues;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IACrC,MAAM,CAAW;IAE1B,YAAY,MAAgB;QAC1B,KAAK,CAAC,6BAA6B,MAAM,CAAC,MAAM,YAAY,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { PolicyValidationError, UserInputError } from "./errors.js";
+import { loadEffectivePolicy } from "./policy.js";
+import { executeRun } from "./run.js";
+function usage() {
+    return [
+        "Usage:",
+        "  gog-safe run --policy <path> -- <gog args...>",
+        "  gog-safe validate-policy --policy <path>",
+        "  gog-safe print-effective-policy --policy <path>",
+        "  gog-safe version",
+    ].join("\n");
+}
+function parsePolicyOption(argv) {
+    for (let i = 0; i < argv.length; i += 1) {
+        if (argv[i] === "--policy") {
+            const value = argv[i + 1];
+            if (!value || value.startsWith("--")) {
+                throw new UserInputError("--policy requires a value");
+            }
+            return value;
+        }
+        if (argv[i].startsWith("--policy=")) {
+            const value = argv[i].slice("--policy=".length);
+            if (!value) {
+                throw new UserInputError("--policy requires a value");
+            }
+            return value;
+        }
+    }
+    throw new UserInputError("--policy is required");
+}
+function parseRunArgs(argv) {
+    const separator = argv.indexOf("--");
+    const beforeSeparator = separator >= 0 ? argv.slice(0, separator) : argv;
+    const gogArgs = separator >= 0 ? argv.slice(separator + 1) : [];
+    const policyPath = parsePolicyOption(beforeSeparator);
+    if (gogArgs.length === 0) {
+        throw new UserInputError("run requires gog args after '--'");
+    }
+    return { policyPath, gogArgs };
+}
+async function readPackageVersion() {
+    const currentFile = fileURLToPath(import.meta.url);
+    const currentDir = path.dirname(currentFile);
+    const packagePath = path.resolve(currentDir, "..", "package.json");
+    const text = await readFile(packagePath, "utf8");
+    const pkg = JSON.parse(text);
+    return pkg.version ?? "0.0.0";
+}
+function printPolicyError(error) {
+    for (const issue of error.issues) {
+        console.error(`- ${issue}`);
+    }
+}
+async function main() {
+    const argv = process.argv.slice(2);
+    const command = argv[0];
+    if (!command) {
+        console.error(usage());
+        return 1;
+    }
+    try {
+        if (command === "version") {
+            console.log(await readPackageVersion());
+            return 0;
+        }
+        if (command === "validate-policy") {
+            const policyPath = parsePolicyOption(argv.slice(1));
+            await loadEffectivePolicy(policyPath);
+            console.log("policy is valid");
+            return 0;
+        }
+        if (command === "print-effective-policy") {
+            const policyPath = parsePolicyOption(argv.slice(1));
+            const loaded = await loadEffectivePolicy(policyPath);
+            console.log(JSON.stringify(loaded.effective, null, 2));
+            return 0;
+        }
+        if (command === "run") {
+            const { policyPath, gogArgs } = parseRunArgs(argv.slice(1));
+            const result = await executeRun(policyPath, gogArgs);
+            console.log(JSON.stringify(result.output));
+            for (const warning of result.stderrWarnings) {
+                if (warning.trim().length > 0) {
+                    console.error(warning);
+                }
+            }
+            return result.exitCode;
+        }
+        console.error(`unknown command: ${command}`);
+        console.error(usage());
+        return 1;
+    }
+    catch (error) {
+        if (error instanceof PolicyValidationError) {
+            printPolicyError(error);
+            return 1;
+        }
+        if (error instanceof UserInputError) {
+            console.error(error.message);
+            console.error(usage());
+            return 1;
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(message);
+        return 1;
+    }
+}
+main()
+    .then((code) => {
+    process.exitCode = code;
+})
+    .catch((error) => {
+    console.error(error instanceof Error ? error.stack : String(error));
+    process.exitCode = 1;
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAEtC,SAAS,KAAK;IACZ,OAAO;QACL,QAAQ;QACR,iDAAiD;QACjD,4CAA4C;QAC5C,mDAAmD;QACnD,oBAAoB;KACrB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAc;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAChD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,cAAc,CAAC,2BAA2B,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,MAAM,IAAI,cAAc,CAAC,sBAAsB,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,YAAY,CAAC,IAAc;IAClC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,eAAe,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACzE,MAAM,OAAO,GAAG,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhE,MAAM,UAAU,GAAG,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAEtD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,cAAc,CAAC,kCAAkC,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyB,CAAC;IACrD,OAAO,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;AAChC,CAAC;AAED,SAAS,gBAAgB,CAAC,KAA4B;IACpD,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAExB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QACvB,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC;QACH,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,MAAM,kBAAkB,EAAE,CAAC,CAAC;YACxC,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,OAAO,KAAK,iBAAiB,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACpD,MAAM,mBAAmB,CAAC,UAAU,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/B,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,OAAO,KAAK,wBAAwB,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;YACtB,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAC3C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC5C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC9B,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QACvB,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;YAC3C,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACxB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACvB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvB,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,IAAI,EAAE;KACH,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;IACb,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;AAC1B,CAAC,CAAC;KACD,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACf,OAAO,CAAC,KAAK,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACpE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC"}

package/dist/matching.d.ts

@@ -0,0 +1,11 @@
+import type { ArgvAnalysis, ValidationRule } from "./types.js";
+export declare function tokenizePattern(pattern: string): string[];
+export declare function validateCommandPattern(pattern: string): string[];
+export declare function parseArgv(argv: string[]): ArgvAnalysis;
+export declare function matchCommandPattern(pattern: string, positionals: string[]): boolean;
+export declare function parseRuleMatch(match: string): {
+    positionals: string[];
+    requiredOptions: string[];
+};
+export declare function doesRuleMatch(rule: ValidationRule, analyzed: ArgvAnalysis): boolean;
+export declare function resolveValidatorsForCommand(rules: ValidationRule[], analyzed: ArgvAnalysis): string[];

package/dist/matching.js

@@ -0,0 +1,118 @@
+export function tokenizePattern(pattern) {
+    return pattern
+        .trim()
+        .split(/\s+/)
+        .filter((token) => token.length > 0);
+}
+export function validateCommandPattern(pattern) {
+    const issues = [];
+    const tokens = tokenizePattern(pattern);
+    if (tokens.length === 0) {
+        issues.push("pattern must not be empty");
+        return issues;
+    }
+    let starIndex = -1;
+    tokens.forEach((token, index) => {
+        if (token.includes("*") && token !== "*") {
+            issues.push(`invalid wildcard token: ${token}`);
+            return;
+        }
+        if (token === "*") {
+            if (starIndex >= 0) {
+                issues.push("wildcard '*' must appear at most once");
+            }
+            starIndex = index;
+        }
+    });
+    if (starIndex >= 0 && starIndex !== tokens.length - 1) {
+        issues.push("wildcard '*' must appear only at the end");
+    }
+    return issues;
+}
+export function parseArgv(argv) {
+    const positionals = [];
+    const options = new Set();
+    for (let i = 0; i < argv.length; i += 1) {
+        const token = argv[i];
+        if (!token.startsWith("--")) {
+            positionals.push(token);
+            continue;
+        }
+        const eqIndex = token.indexOf("=");
+        if (eqIndex > 0) {
+            options.add(token.slice(0, eqIndex));
+            continue;
+        }
+        options.add(token);
+        const next = argv[i + 1];
+        // v1 minimal parser:
+        // `--k v` is treated as option presence and `v` is not positional.
+        // Keep consuming unless the next token is another long option.
+        if (next && !next.startsWith("--")) {
+            i += 1;
+        }
+    }
+    return { positionals, options };
+}
+export function matchCommandPattern(pattern, positionals) {
+    const tokens = tokenizePattern(pattern);
+    if (tokens.length === 0) {
+        return false;
+    }
+    const hasWildcard = tokens[tokens.length - 1] === "*";
+    const base = hasWildcard ? tokens.slice(0, -1) : tokens;
+    if (hasWildcard) {
+        if (positionals.length < base.length) {
+            return false;
+        }
+        return base.every((token, index) => token === positionals[index]);
+    }
+    if (base.length !== positionals.length) {
+        return false;
+    }
+    return base.every((token, index) => token === positionals[index]);
+}
+export function parseRuleMatch(match) {
+    const tokens = tokenizePattern(match);
+    const positionals = [];
+    const requiredOptions = [];
+    for (const token of tokens) {
+        if (!token.startsWith("--")) {
+            positionals.push(token);
+            continue;
+        }
+        const eqIndex = token.indexOf("=");
+        requiredOptions.push(eqIndex > 0 ? token.slice(0, eqIndex) : token);
+    }
+    return { positionals, requiredOptions };
+}
+export function doesRuleMatch(rule, analyzed) {
+    const parsed = parseRuleMatch(rule.match);
+    if (parsed.positionals.length !== analyzed.positionals.length) {
+        return false;
+    }
+    for (let i = 0; i < parsed.positionals.length; i += 1) {
+        if (parsed.positionals[i] !== analyzed.positionals[i]) {
+            return false;
+        }
+    }
+    return parsed.requiredOptions.every((option) => analyzed.options.has(option));
+}
+export function resolveValidatorsForCommand(rules, analyzed) {
+    const merged = [];
+    const seen = new Set();
+    for (const rule of rules) {
+        if (!doesRuleMatch(rule, analyzed)) {
+            continue;
+        }
+        for (const validatorName of rule.validators) {
+            if (seen.has(validatorName)) {
+                continue;
+            }
+            seen.add(validatorName);
+            merged.push(validatorName);
+        }
+    }
+    return merged;
+}
+//# sourceMappingURL=matching.js.map

package/dist/matching.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"matching.js","sourceRoot":"","sources":["../src/matching.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,OAAO,OAAO;SACX,IAAI,EAAE;SACN,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAExC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACzC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC;IACnB,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QAC9B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,2BAA2B,KAAK,EAAE,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QACD,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YAClB,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;gBACnB,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;YACvD,CAAC;YACD,SAAS,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAI,SAAS,IAAI,CAAC,IAAI,SAAS,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACxB,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YACrC,SAAS;QACX,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEnB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,qBAAqB;QACrB,mEAAmE;QACnE,+DAA+D;QAC/D,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,WAAqB;IACxE,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC;IACtD,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAExD,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,WAAW,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YACrC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAa;IAI1C,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACxB,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,eAAe,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAoB,EAAE,QAAsB;IACxE,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;QAC9D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,KAAuB,EACvB,QAAsB;IAEtB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QAED,KAAK,MAAM,aAAa,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC5C,IAAI,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC5B,SAAS;YACX,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/policy.d.ts

@@ -0,0 +1,4 @@
+import type { EffectivePolicy, LoadedConfigSet, PartialConfig } from "./types.js";
+export declare function buildEffectivePolicy(policyConfig: PartialConfig, homeConfig?: PartialConfig, projectConfig?: PartialConfig): EffectivePolicy;
+export declare function validateEffectivePolicy(policy: EffectivePolicy): string[];
+export declare function loadEffectivePolicy(policyPath: string, cwd?: string): Promise<LoadedConfigSet>;