gog-safe 0.1.0

package/dist/run.js

@@ -0,0 +1,282 @@
+import { appendAuditLog } from "./audit.js";
+import { buildForcedArgs, decideCommandAllowance, findForbiddenOverride, } from "./command-control.js";
+import { parseArgv, resolveValidatorsForCommand } from "./matching.js";
+import { loadEffectivePolicy } from "./policy.js";
+import { runCommand } from "./process.js";
+import { runValidator } from "./validators.js";
+function buildBaseOutput(command, version, allowed) {
+    return {
+        ok: false,
+        allowed,
+        command,
+        safety: {
+            action: "block",
+            reasons: [],
+        },
+        data: null,
+        meta: {
+            policy_version: version,
+        },
+    };
+}
+function asErrorMessage(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    return String(error);
+}
+function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+async function finalizeWithAudit(outcome, auditFile, requireAuditSuccess, metadata) {
+    try {
+        await appendAuditLog(auditFile, {
+            timestamp: new Date().toISOString(),
+            command: outcome.output.command,
+            allowed: outcome.output.allowed,
+            ok: outcome.output.ok,
+            action: outcome.output.safety.action,
+            reasons: [...outcome.output.safety.reasons],
+            metadata,
+        });
+        return outcome;
+    }
+    catch (error) {
+        const updated = {
+            ...outcome,
+            output: {
+                ...outcome.output,
+                safety: {
+                    ...outcome.output.safety,
+                    reasons: [...outcome.output.safety.reasons, "audit_log_write_failed"],
+                },
+            },
+            stderrWarnings: [
+                ...outcome.stderrWarnings,
+                `audit log write failed: ${asErrorMessage(error)}`,
+            ],
+        };
+        if (!requireAuditSuccess) {
+            return updated;
+        }
+        return {
+            ...updated,
+            exitCode: 2,
+            output: {
+                ...updated.output,
+                ok: false,
+                safety: {
+                    ...updated.output.safety,
+                    action: "block",
+                },
+            },
+        };
+    }
+}
+export async function executeRun(policyPath, userArgv) {
+    let loaded;
+    try {
+        loaded = await loadEffectivePolicy(policyPath);
+    }
+    catch (error) {
+        return {
+            exitCode: 3,
+            output: {
+                ok: false,
+                allowed: false,
+                command: `gog ${userArgv.join(" ")}`.trim(),
+                safety: {
+                    action: "block",
+                    reasons: [`policy_error:${asErrorMessage(error)}`],
+                },
+                data: null,
+                meta: {
+                    policy_version: 1,
+                },
+            },
+            stderrWarnings: [],
+        };
+    }
+    const { effective } = loaded;
+    const command = `${effective.gog.binary} ${userArgv.join(" ")}`.trim();
+    const analyzed = parseArgv(userArgv);
+    const decision = decideCommandAllowance(analyzed.positionals, effective.commands.allow, effective.commands.deny);
+    let base = buildBaseOutput(command, effective.version, decision.allowed);
+    if (!decision.allowed) {
+        base.safety.reasons = decision.reasons;
+        const outcome = {
+            exitCode: 2,
+            output: base,
+            stderrWarnings: [],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "allow_deny",
+            policyPath: loaded.policyPath,
+            homeConfigPath: loaded.homeConfigPath,
+            projectConfigPath: loaded.projectConfigPath,
+        });
+    }
+    const forbidden = findForbiddenOverride(userArgv);
+    if (forbidden) {
+        base.safety.reasons = [`forbidden_option_override:${forbidden}`];
+        const outcome = {
+            exitCode: 2,
+            output: base,
+            stderrWarnings: [],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "override_guard",
+            forbidden,
+        });
+    }
+    const gogArgs = buildForcedArgs(userArgv, {
+        enforceJson: effective.execution.enforce_json,
+        enforceNoInput: effective.execution.enforce_no_input,
+        account: effective.gog.account,
+        client: effective.gog.client,
+    });
+    const commandResult = await runCommand(effective.gog.binary, gogArgs, effective.execution.timeout_ms);
+    if (commandResult.timedOut) {
+        base.safety.reasons = ["gog_timeout"];
+        const outcome = {
+            exitCode: 3,
+            output: base,
+            stderrWarnings: commandResult.stderr ? [commandResult.stderr.trim()] : [],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "gog_execution",
+            timedOut: true,
+        });
+    }
+    if (commandResult.spawnError) {
+        base.safety.reasons = ["gog_spawn_error"];
+        const outcome = {
+            exitCode: 3,
+            output: base,
+            stderrWarnings: [asErrorMessage(commandResult.spawnError)],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "gog_execution",
+            spawnError: asErrorMessage(commandResult.spawnError),
+        });
+    }
+    if (commandResult.exitCode !== 0) {
+        base.safety.reasons = [`gog_exit_${commandResult.exitCode ?? "unknown"}`];
+        const outcome = {
+            exitCode: 3,
+            output: {
+                ...base,
+                data: {
+                    stderr: commandResult.stderr.trim(),
+                    stdout: commandResult.stdout.trim(),
+                },
+            },
+            stderrWarnings: commandResult.stderr ? [commandResult.stderr.trim()] : [],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "gog_execution",
+            exitCode: commandResult.exitCode,
+        });
+    }
+    let parsedOutput;
+    try {
+        parsedOutput = JSON.parse(commandResult.stdout);
+    }
+    catch {
+        base.safety.reasons = ["gog_output_invalid_json"];
+        const outcome = {
+            exitCode: 3,
+            output: {
+                ...base,
+                data: {
+                    stdout: commandResult.stdout,
+                },
+            },
+            stderrWarnings: [],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "gog_output_parse",
+        });
+    }
+    if (!isObject(parsedOutput)) {
+        base.safety.reasons = ["gog_output_invalid_schema"];
+        const outcome = {
+            exitCode: 3,
+            output: {
+                ...base,
+                data: parsedOutput,
+            },
+            stderrWarnings: [],
+        };
+        return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+            phase: "gog_output_schema",
+        });
+    }
+    const validatorNames = resolveValidatorsForCommand(effective.validation.rules, analyzed);
+    const validatorReasons = [];
+    for (const validatorName of validatorNames) {
+        const validatorConfig = effective.validation.validators[validatorName];
+        if (!validatorConfig) {
+            const outcome = {
+                exitCode: 2,
+                output: {
+                    ...base,
+                    safety: {
+                        action: "block",
+                        reasons: [`validator_missing:${validatorName}`],
+                    },
+                    data: parsedOutput,
+                },
+                stderrWarnings: [],
+            };
+            return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+                phase: "validator",
+                validatorName,
+            });
+        }
+        const validatorDecision = await runValidator(validatorName, validatorConfig, {
+            command,
+            argv: userArgv,
+            output: parsedOutput,
+            policy_version: effective.version,
+        });
+        validatorReasons.push(`validator:${validatorName}:${validatorDecision.reason}`);
+        if (validatorDecision.decision === "block") {
+            const outcome = {
+                exitCode: 2,
+                output: {
+                    ...base,
+                    safety: {
+                        action: "block",
+                        reasons: [...validatorReasons],
+                    },
+                    data: parsedOutput,
+                },
+                stderrWarnings: [],
+            };
+            return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+                phase: "validator",
+                validatorName,
+                decision: "block",
+            });
+        }
+    }
+    const outcome = {
+        exitCode: 0,
+        output: {
+            ...base,
+            ok: true,
+            safety: {
+                action: "allow",
+                reasons: validatorReasons,
+            },
+            data: parsedOutput,
+        },
+        stderrWarnings: [],
+    };
+    return await finalizeWithAudit(outcome, effective.logging.audit_file, effective.logging.require_audit_success, {
+        phase: "completed",
+        validators: validatorNames,
+    });
+}
+//# sourceMappingURL=run.js.map

package/dist/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../src/run.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EACL,eAAe,EACf,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,SAAS,EAAE,2BAA2B,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAQ/C,SAAS,eAAe,CAAC,OAAe,EAAE,OAAe,EAAE,OAAgB;IACzE,OAAO;QACL,EAAE,EAAE,KAAK;QACT,OAAO;QACP,OAAO;QACP,MAAM,EAAE;YACN,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE;SACZ;QACD,IAAI,EAAE,IAAI;QACV,IAAI,EAAE;YACJ,cAAc,EAAE,OAAO;SACxB;KACF,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,OAAO,KAAK,CAAC,OAAO,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,OAAmB,EACnB,SAAiB,EACjB,mBAA4B,EAC5B,QAAiC;IAEjC,IAAI,CAAC;QACH,MAAM,cAAc,CAAC,SAAS,EAAE;YAC9B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO;YAC/B,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO;YAC/B,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE;YACrB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM;YACpC,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;YAC3C,QAAQ;SACT,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG;YACd,GAAG,OAAO;YACV,MAAM,EAAE;gBACN,GAAG,OAAO,CAAC,MAAM;gBACjB,MAAM,EAAE;oBACN,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM;oBACxB,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,wBAAwB,CAAC;iBACtE;aACF;YACD,cAAc,EAAE;gBACd,GAAG,OAAO,CAAC,cAAc;gBACzB,2BAA2B,cAAc,CAAC,KAAK,CAAC,EAAE;aACnD;SACF,CAAC;QAEF,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,OAAO;YACL,GAAG,OAAO;YACV,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE;gBACN,GAAG,OAAO,CAAC,MAAM;gBACjB,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE;oBACN,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM;oBACxB,MAAM,EAAE,OAAO;iBAChB;aACF;SACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,UAAkB,EAAE,QAAkB;IACrE,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE;gBACN,EAAE,EAAE,KAAK;gBACT,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE;gBAC3C,MAAM,EAAE;oBACN,MAAM,EAAE,OAAO;oBACf,OAAO,EAAE,CAAC,gBAAgB,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;iBACnD;gBACD,IAAI,EAAE,IAAI;gBACV,IAAI,EAAE;oBACJ,cAAc,EAAE,CAAC;iBAClB;aACF;YACD,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAC7B,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;IACvE,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,sBAAsB,CACrC,QAAQ,CAAC,WAAW,EACpB,SAAS,CAAC,QAAQ,CAAC,KAAK,EACxB,SAAS,CAAC,QAAQ,CAAC,IAAI,CACxB,CAAC;IAEF,IAAI,IAAI,GAAG,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;IAEzE,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;QACvC,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE,IAAI;YACZ,cAAc,EAAE,EAAE;SACnB,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,YAAY;YACnB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAClD,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,6BAA6B,SAAS,EAAE,CAAC,CAAC;QACjE,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE,IAAI;YACZ,cAAc,EAAE,EAAE;SACnB,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,gBAAgB;YACvB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,QAAQ,EAAE;QACxC,WAAW,EAAE,SAAS,CAAC,SAAS,CAAC,YAAY;QAC7C,cAAc,EAAE,SAAS,CAAC,SAAS,CAAC,gBAAgB;QACpD,OAAO,EAAE,SAAS,CAAC,GAAG,CAAC,OAAO;QAC9B,MAAM,EAAE,SAAS,CAAC,GAAG,CAAC,MAAM;KAC7B,CAAC,CAAC;IAEH,MAAM,aAAa,GAAG,MAAM,UAAU,CACpC,SAAS,CAAC,GAAG,CAAC,MAAM,EACpB,OAAO,EACP,SAAS,CAAC,SAAS,CAAC,UAAU,CAC/B,CAAC;IAEF,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,aAAa,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE,IAAI;YACZ,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE;SAC1E,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,eAAe;YACtB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;IACL,CAAC;IAED,IAAI,aAAa,CAAC,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE,IAAI;YACZ,cAAc,EAAE,CAAC,cAAc,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;SAC3D,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,eAAe;YACtB,UAAU,EAAE,cAAc,CAAC,aAAa,CAAC,UAAU,CAAC;SACrD,CAAC,CAAC;IACL,CAAC;IAED,IAAI,aAAa,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,YAAY,aAAa,CAAC,QAAQ,IAAI,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE;gBACN,GAAG,IAAI;gBACP,IAAI,EAAE;oBACJ,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE;oBACnC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE;iBACpC;aACF;YACD,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE;SAC1E,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,eAAe;YACtB,QAAQ,EAAE,aAAa,CAAC,QAAQ;SACjC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,YAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,yBAAyB,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE;gBACN,GAAG,IAAI;gBACP,IAAI,EAAE;oBACJ,MAAM,EAAE,aAAa,CAAC,MAAM;iBAC7B;aACF;YACD,cAAc,EAAE,EAAE;SACnB,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,kBAAkB;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG;YACd,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE;gBACN,GAAG,IAAI;gBACP,IAAI,EAAE,YAAY;aACnB;YACD,cAAc,EAAE,EAAE;SACnB,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE;YAC7G,KAAK,EAAE,mBAAmB;SAC3B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,cAAc,GAAG,2BAA2B,CAAC,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACzF,MAAM,gBAAgB,GAAa,EAAE,CAAC;IAEtC,KAAK,MAAM,aAAa,IAAI,cAAc,EAAE,CAAC;QAC3C,MAAM,eAAe,GAAG,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QACvE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG;gBACd,QAAQ,EAAE,CAAC;gBACX,MAAM,EAAE;oBACN,GAAG,IAAI;oBACP,MAAM,EAAE;wBACN,MAAM,EAAE,OAAgB;wBACxB,OAAO,EAAE,CAAC,qBAAqB,aAAa,EAAE,CAAC;qBAChD;oBACD,IAAI,EAAE,YAAY;iBACnB;gBACD,cAAc,EAAE,EAAE;aACnB,CAAC;YAEF,OAAO,MAAM,iBAAiB,CAC5B,OAAO,EACP,SAAS,CAAC,OAAO,CAAC,UAAU,EAC5B,SAAS,CAAC,OAAO,CAAC,qBAAqB,EACvC;gBACE,KAAK,EAAE,WAAW;gBAClB,aAAa;aACd,CACF,CAAC;QACJ,CAAC;QAED,MAAM,iBAAiB,GAAG,MAAM,YAAY,CAAC,aAAa,EAAE,eAAe,EAAE;YAC3E,OAAO;YACP,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,YAAY;YACpB,cAAc,EAAE,SAAS,CAAC,OAAO;SAClC,CAAC,CAAC;QAEH,gBAAgB,CAAC,IAAI,CAAC,aAAa,aAAa,IAAI,iBAAiB,CAAC,MAAM,EAAE,CAAC,CAAC;QAEhF,IAAI,iBAAiB,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG;gBACd,QAAQ,EAAE,CAAC;gBACX,MAAM,EAAE;oBACN,GAAG,IAAI;oBACP,MAAM,EAAE;wBACN,MAAM,EAAE,OAAgB;wBACxB,OAAO,EAAE,CAAC,GAAG,gBAAgB,CAAC;qBAC/B;oBACD,IAAI,EAAE,YAAY;iBACnB;gBACD,cAAc,EAAE,EAAE;aACnB,CAAC;YAEF,OAAO,MAAM,iBAAiB,CAC5B,OAAO,EACP,SAAS,CAAC,OAAO,CAAC,UAAU,EAC5B,SAAS,CAAC,OAAO,CAAC,qBAAqB,EACvC;gBACE,KAAK,EAAE,WAAW;gBAClB,aAAa;gBACb,QAAQ,EAAE,OAAO;aAClB,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG;QACd,QAAQ,EAAE,CAAC;QACX,MAAM,EAAE;YACN,GAAG,IAAI;YACP,EAAE,EAAE,IAAI;YACR,MAAM,EAAE;gBACN,MAAM,EAAE,OAAgB;gBACxB,OAAO,EAAE,gBAAgB;aAC1B;YACD,IAAI,EAAE,YAAY;SACnB;QACD,cAAc,EAAE,EAAE;KACnB,CAAC;IAEF,OAAO,MAAM,iBAAiB,CAC5B,OAAO,EACP,SAAS,CAAC,OAAO,CAAC,UAAU,EAC5B,SAAS,CAAC,OAAO,CAAC,qBAAqB,EACvC;QACE,KAAK,EAAE,WAAW;QAClB,UAAU,EAAE,cAAc;KAC3B,CACF,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,88 @@
+export type SafetyAction = "allow" | "block";
+export interface SafetySummary {
+    action: SafetyAction;
+    reasons: string[];
+}
+export interface RunOutput {
+    ok: boolean;
+    allowed: boolean;
+    command: string;
+    safety: SafetySummary;
+    data: unknown;
+    meta: {
+        policy_version: number;
+    };
+}
+export interface GogConfig {
+    binary: string;
+    account: string;
+    client: string;
+}
+export interface ExecutionConfig {
+    enforce_json: boolean;
+    enforce_no_input: boolean;
+    timeout_ms: number;
+}
+export interface CommandsConfig {
+    allow: string[];
+    deny: string[];
+}
+export interface ValidationRule {
+    match: string;
+    validators: string[];
+}
+export interface RegexValidatorConfig {
+    type: "regex";
+    config: {
+        patterns: string[];
+    };
+}
+export interface ExternalCommandValidatorConfig {
+    type: "external_command";
+    command: string;
+    args: string[];
+    timeout_ms: number;
+}
+export type ValidatorConfig = RegexValidatorConfig | ExternalCommandValidatorConfig;
+export interface ValidationConfig {
+    rules: ValidationRule[];
+    validators: Record<string, ValidatorConfig>;
+}
+export interface LoggingConfig {
+    level: string;
+    audit_file: string;
+    require_audit_success: boolean;
+}
+export interface EffectivePolicy {
+    version: number;
+    gog: GogConfig;
+    execution: ExecutionConfig;
+    commands: CommandsConfig;
+    validation: ValidationConfig;
+    logging: LoggingConfig;
+}
+export interface PartialConfig {
+    version?: unknown;
+    gog?: Partial<GogConfig>;
+    execution?: Partial<ExecutionConfig>;
+    commands?: Partial<CommandsConfig>;
+    validation?: {
+        rules?: ValidationRule[];
+        validators?: Record<string, ValidatorConfig>;
+    };
+    logging?: Partial<LoggingConfig>;
+}
+export interface ArgvAnalysis {
+    positionals: string[];
+    options: Set<string>;
+}
+export interface ValidatorDecision {
+    decision: SafetyAction;
+    reason: string;
+}
+export interface LoadedConfigSet {
+    policyPath: string;
+    homeConfigPath?: string;
+    projectConfigPath?: string;
+    effective: EffectivePolicy;
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/validators.d.ts

@@ -0,0 +1,7 @@
+import type { ValidatorConfig, ValidatorDecision } from "./types.js";
+export declare function runValidator(validatorName: string, config: ValidatorConfig, context: {
+    command: string;
+    argv: string[];
+    output: unknown;
+    policy_version: number;
+}): Promise<ValidatorDecision>;

package/dist/validators.js

@@ -0,0 +1,92 @@
+import { runCommandWithJsonInput } from "./process.js";
+function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+async function runRegexValidator(config, output) {
+    const serialized = JSON.stringify(output);
+    for (const pattern of config.config.patterns) {
+        try {
+            const re = new RegExp(pattern);
+            if (re.test(serialized)) {
+                return {
+                    decision: "block",
+                    reason: `regex_matched:${pattern}`,
+                };
+            }
+        }
+        catch {
+            return {
+                decision: "block",
+                reason: `regex_invalid:${pattern}`,
+            };
+        }
+    }
+    return {
+        decision: "allow",
+        reason: "regex_no_match",
+    };
+}
+async function runExternalValidator(config, payload) {
+    const result = await runCommandWithJsonInput(config.command, config.args, payload, config.timeout_ms);
+    if (result.timedOut) {
+        return {
+            decision: "block",
+            reason: "external_validator_timeout",
+        };
+    }
+    if (result.spawnError || result.writeError) {
+        return {
+            decision: "block",
+            reason: "external_validator_spawn_error",
+        };
+    }
+    if (result.exitCode !== 0) {
+        return {
+            decision: "block",
+            reason: `external_validator_exit_${result.exitCode}`,
+        };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(result.stdout);
+    }
+    catch {
+        return {
+            decision: "block",
+            reason: "external_validator_non_json_output",
+        };
+    }
+    if (!isObject(parsed)) {
+        return {
+            decision: "block",
+            reason: "external_validator_invalid_contract",
+        };
+    }
+    const decision = parsed.decision;
+    const reason = parsed.reason;
+    if ((decision !== "allow" && decision !== "block")
+        || typeof reason !== "string"
+        || reason.trim().length === 0) {
+        return {
+            decision: "block",
+            reason: "external_validator_invalid_contract",
+        };
+    }
+    return {
+        decision,
+        reason,
+    };
+}
+export async function runValidator(validatorName, config, context) {
+    if (config.type === "regex") {
+        return await runRegexValidator(config, context.output);
+    }
+    if (config.type === "external_command") {
+        return await runExternalValidator(config, context);
+    }
+    return {
+        decision: "block",
+        reason: `unsupported_validator_type:${validatorName}`,
+    };
+}
+//# sourceMappingURL=validators.js.map

package/dist/validators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validators.js","sourceRoot":"","sources":["../src/validators.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAQvD,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,MAA4B,EAC5B,MAAe;IAEf,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAE1C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC7C,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;YAC/B,IAAI,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBACxB,OAAO;oBACL,QAAQ,EAAE,OAAO;oBACjB,MAAM,EAAE,iBAAiB,OAAO,EAAE;iBACnC,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,iBAAiB,OAAO,EAAE;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,gBAAgB;KACzB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,MAAsC,EACtC,OAKC;IAED,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAC1C,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,IAAI,EACX,OAAO,EACP,MAAM,CAAC,UAAU,CAClB,CAAC;IAEF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,4BAA4B;SACrC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QAC3C,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,gCAAgC;SACzC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,2BAA2B,MAAM,CAAC,QAAQ,EAAE;SACrD,CAAC;IACJ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,oCAAoC;SAC7C,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,qCAAqC;SAC9C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAE7B,IACE,CAAC,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,OAAO,CAAC;WAC3C,OAAO,MAAM,KAAK,QAAQ;WAC1B,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAC7B,CAAC;QACD,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,qCAAqC;SAC9C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ;QACR,MAAM;KACP,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,aAAqB,EACrB,MAAuB,EACvB,OAKC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,OAAO,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACvC,OAAO,MAAM,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,8BAA8B,aAAa,EAAE;KACtD,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "gog-safe",
+  "version": "0.1.0",
+  "private": false,
+  "description": "Policy-enforced wrapper for gog",
+  "type": "module",
+  "bin": {
+    "gog-safe": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/index.ts",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "engines": {
+    "node": ">=24"
+  },
+  "dependencies": {
+    "yaml": "^2.8.1"
+  },
+  "devDependencies": {
+    "@types/node": "^24.3.0",
+    "tsx": "^4.20.6",
+    "typescript": "^5.9.2",
+    "vitest": "^2.1.9"
+  },
+  "keywords": [],
+  "author": "catnose <hello@catnose.me> (https://catnose.me)",
+  "license": "MIT",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ]
+}