npm - mstro-app - Versions diffs - 0.3.0 → 0.3.4 - Mend

mstro-app 0.3.0 → 0.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/README.md +3 -19
package/bin/mstro.js +62 -174
package/dist/server/cli/headless/claude-invoker.d.ts.map +1 -1
package/dist/server/cli/headless/claude-invoker.js +4 -3
package/dist/server/cli/headless/claude-invoker.js.map +1 -1
package/dist/server/cli/headless/mcp-config.js +2 -2
package/dist/server/cli/headless/mcp-config.js.map +1 -1
package/dist/server/cli/headless/runner.d.ts +6 -1
package/dist/server/cli/headless/runner.d.ts.map +1 -1
package/dist/server/cli/headless/runner.js +36 -4
package/dist/server/cli/headless/runner.js.map +1 -1
package/dist/server/cli/headless/types.d.ts +1 -1
package/dist/server/cli/headless/types.d.ts.map +1 -1
package/dist/server/cli/improvisation-session-manager.d.ts +2 -2
package/dist/server/cli/improvisation-session-manager.d.ts.map +1 -1
package/dist/server/cli/improvisation-session-manager.js +3 -2
package/dist/server/cli/improvisation-session-manager.js.map +1 -1
package/dist/server/index.js +6 -1
package/dist/server/index.js.map +1 -1
package/dist/server/mcp/bouncer-integration.d.ts +1 -1
package/dist/server/mcp/bouncer-integration.d.ts.map +1 -1
package/dist/server/mcp/bouncer-integration.js +85 -114
package/dist/server/mcp/bouncer-integration.js.map +1 -1
package/dist/server/mcp/security-audit.d.ts +3 -3
package/dist/server/mcp/security-audit.d.ts.map +1 -1
package/dist/server/mcp/security-audit.js.map +1 -1
package/dist/server/mcp/server.js +3 -2
package/dist/server/mcp/server.js.map +1 -1
package/dist/server/services/analytics.d.ts +2 -2
package/dist/server/services/analytics.d.ts.map +1 -1
package/dist/server/services/analytics.js.map +1 -1
package/dist/server/services/files.js +7 -7
package/dist/server/services/files.js.map +1 -1
package/dist/server/services/pathUtils.js +1 -1
package/dist/server/services/pathUtils.js.map +1 -1
package/dist/server/services/platform.d.ts +2 -2
package/dist/server/services/platform.d.ts.map +1 -1
package/dist/server/services/platform.js.map +1 -1
package/dist/server/services/sentry.d.ts +1 -1
package/dist/server/services/sentry.d.ts.map +1 -1
package/dist/server/services/sentry.js.map +1 -1
package/dist/server/services/terminal/pty-manager.d.ts +10 -0
package/dist/server/services/terminal/pty-manager.d.ts.map +1 -1
package/dist/server/services/terminal/pty-manager.js +32 -4
package/dist/server/services/terminal/pty-manager.js.map +1 -1
package/dist/server/services/websocket/file-explorer-handlers.js.map +1 -1
package/dist/server/services/websocket/file-utils.d.ts +4 -0
package/dist/server/services/websocket/file-utils.d.ts.map +1 -1
package/dist/server/services/websocket/file-utils.js +48 -23
package/dist/server/services/websocket/file-utils.js.map +1 -1
package/dist/server/services/websocket/git-handlers.js +17 -17
package/dist/server/services/websocket/git-handlers.js.map +1 -1
package/dist/server/services/websocket/git-pr-handlers.js +3 -3
package/dist/server/services/websocket/git-pr-handlers.js.map +1 -1
package/dist/server/services/websocket/git-worktree-handlers.js +10 -10
package/dist/server/services/websocket/git-worktree-handlers.js.map +1 -1
package/dist/server/services/websocket/handler.js +1 -1
package/dist/server/services/websocket/handler.js.map +1 -1
package/dist/server/services/websocket/session-handlers.d.ts +1 -1
package/dist/server/services/websocket/session-handlers.d.ts.map +1 -1
package/dist/server/services/websocket/session-handlers.js +12 -11
package/dist/server/services/websocket/session-handlers.js.map +1 -1
package/dist/server/services/websocket/tab-handlers.js.map +1 -1
package/dist/server/services/websocket/terminal-handlers.js +1 -1
package/dist/server/services/websocket/terminal-handlers.js.map +1 -1
package/dist/server/services/websocket/types.d.ts.map +1 -1
package/dist/server/utils/agent-manager.d.ts +22 -2
package/dist/server/utils/agent-manager.d.ts.map +1 -1
package/dist/server/utils/agent-manager.js +2 -2
package/dist/server/utils/agent-manager.js.map +1 -1
package/dist/server/utils/paths.d.ts +0 -12
package/dist/server/utils/paths.d.ts.map +1 -1
package/dist/server/utils/paths.js +0 -12
package/dist/server/utils/paths.js.map +1 -1
package/dist/server/utils/port-manager.js.map +1 -1
package/package.json +4 -3
package/server/README.md +0 -1
package/server/cli/headless/claude-invoker.ts +21 -16
package/server/cli/headless/mcp-config.ts +8 -8
package/server/cli/headless/runner.ts +32 -4
package/server/cli/headless/types.ts +1 -1
package/server/cli/improvisation-session-manager.ts +8 -7
package/server/index.ts +15 -9
package/server/mcp/README.md +0 -5
package/server/mcp/bouncer-integration.ts +116 -188
package/server/mcp/security-audit.ts +4 -4
package/server/mcp/server.ts +6 -5
package/server/services/analytics.ts +3 -3
package/server/services/files.ts +13 -13
package/server/services/pathUtils.ts +2 -2
package/server/services/platform.ts +5 -5
package/server/services/sentry.ts +1 -1
package/server/services/terminal/pty-manager.ts +36 -9
package/server/services/websocket/file-explorer-handlers.ts +1 -1
package/server/services/websocket/file-utils.ts +52 -28
package/server/services/websocket/git-handlers.ts +34 -34
package/server/services/websocket/git-pr-handlers.ts +6 -6
package/server/services/websocket/git-worktree-handlers.ts +20 -20
package/server/services/websocket/handler.ts +2 -2
package/server/services/websocket/session-handlers.ts +31 -30
package/server/services/websocket/tab-handlers.ts +1 -1
package/server/services/websocket/terminal-handlers.ts +2 -2
package/server/services/websocket/types.ts +2 -0
package/server/utils/agent-manager.ts +6 -6
package/server/utils/paths.ts +0 -14
package/server/utils/port-manager.ts +1 -1
package/bin/configure-claude.js +0 -298
package/dist/server/mcp/bouncer-cli.d.ts +0 -3
package/dist/server/mcp/bouncer-cli.d.ts.map +0 -1
package/dist/server/mcp/bouncer-cli.js +0 -99
package/dist/server/mcp/bouncer-cli.js.map +0 -1
package/hooks/bouncer.sh +0 -145
package/server/cli/headless/output-utils.test.ts +0 -225
package/server/cli/headless/stall-assessor.test.ts +0 -165
package/server/cli/headless/tool-watchdog.test.ts +0 -429
package/server/mcp/bouncer-cli.ts +0 -127
package/server/mcp/bouncer-integration.test.ts +0 -161
package/server/mcp/security-patterns.test.ts +0 -258
package/server/services/platform.test.ts +0 -1304
package/server/services/websocket/autocomplete.test.ts +0 -194
package/server/services/websocket/handler.test.ts +0 -20

package/dist/server/mcp/bouncer-cli.js DELETED Viewed

@@ -1,99 +0,0 @@
-#!/usr/bin/env node
-// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
-// Licensed under the MIT License. See LICENSE file for details.
-/**
- * Bouncer CLI - Shell-callable wrapper for Mstro security bouncer
- *
- * This CLI reads Claude Code hook input from stdin and returns a security decision.
- * It's designed to be called from bouncer.sh.
- *
- * Input (stdin): Claude Code PreToolUse hook JSON payload
- * Output (stdout): JSON decision { decision: "allow"|"deny", reason: string }
- *
- * The hook payload includes conversation context that we pass to the bouncer
- * so it can make context-aware decisions.
- */
-import { reviewOperation } from './bouncer-integration.js';
-/**
- * Read all data from stdin (Node.js compatible)
- */
-async function readStdin() {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        process.stdin.on('data', (chunk) => chunks.push(chunk));
-        process.stdin.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8').trim()));
-        process.stdin.on('error', reject);
-    });
-}
-function buildOperationString(toolName, toolInput) {
-    if (toolName === 'Bash' && toolInput.command) {
-        return `${toolName}: ${toolInput.command}`;
-    }
-    if (['Write', 'Edit', 'Read'].includes(toolName)) {
-        const filePath = toolInput.file_path || toolInput.filePath || toolInput.path;
-        return filePath ? `${toolName}: ${filePath}` : `${toolName}: ${JSON.stringify(toolInput)}`;
-    }
-    return `${toolName}: ${JSON.stringify(toolInput)}`;
-}
-function extractConversationContext(hookInput) {
-    const lastUserMessage = hookInput.conversation?.last_user_message;
-    if (lastUserMessage)
-        return `User's request: "${lastUserMessage}"`;
-    const recentMessages = hookInput.conversation?.messages?.slice(-5);
-    if (recentMessages?.length) {
-        return `Recent conversation:\n${recentMessages.map(m => `${m.role}: ${m.content}`).join('\n')}`;
-    }
-    return undefined;
-}
-async function main() {
-    const inputStr = await readStdin();
-    if (!inputStr) {
-        console.log(JSON.stringify({ decision: 'allow', reason: 'Empty input, allowing' }));
-        process.exit(0);
-    }
-    let hookInput;
-    try {
-        hookInput = JSON.parse(inputStr);
-    }
-    catch (e) {
-        console.error('[bouncer-cli] Failed to parse input JSON:', e);
-        console.log(JSON.stringify({ decision: 'allow', reason: 'Invalid JSON input, allowing' }));
-        process.exit(0);
-    }
-    const toolName = hookInput.tool_name || hookInput.toolName || 'unknown';
-    const toolInput = hookInput.input || hookInput.toolInput || {};
-    const userRequestContext = extractConversationContext(hookInput);
-    const lastUserMessage = hookInput.conversation?.last_user_message;
-    const recentMessages = hookInput.conversation?.messages?.slice(-5);
-    const bouncerRequest = {
-        operation: buildOperationString(toolName, toolInput),
-        context: {
-            purpose: userRequestContext || 'Tool use request from Claude',
-            workingDirectory: hookInput.working_directory || process.cwd(),
-            toolName,
-            toolInput,
-            userRequest: lastUserMessage,
-            conversationHistory: recentMessages?.map(m => `${m.role}: ${m.content}`),
-            sessionId: hookInput.session_id,
-        },
-    };
-    try {
-        const decision = await reviewOperation(bouncerRequest);
-        console.log(JSON.stringify({
-            decision: decision.decision === 'deny' ? 'deny' : 'allow',
-            reason: decision.reasoning,
-            confidence: decision.confidence,
-            threatLevel: decision.threatLevel,
-            alternative: decision.alternative,
-        }));
-    }
-    catch (error) {
-        console.error('[bouncer-cli] Error:', error.message);
-        console.log(JSON.stringify({
-            decision: 'allow',
-            reason: `Bouncer error: ${error.message}. Allowing to avoid blocking.`
-        }));
-    }
-}
-main();
-//# sourceMappingURL=bouncer-cli.js.map

package/dist/server/mcp/bouncer-cli.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"bouncer-cli.js","sourceRoot":"","sources":["../../../server/mcp/bouncer-cli.ts"],"names":[],"mappings":";AACA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;GAWG;AAEH,OAAO,EAA6B,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAqBtF;;GAEG;AACH,KAAK,UAAU,SAAS;IACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACxD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACvF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAgB,EAAE,SAA8B;IAC5E,IAAI,QAAQ,KAAK,MAAM,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAC7C,OAAO,GAAG,QAAQ,KAAK,SAAS,CAAC,OAAO,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjD,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,IAAI,CAAC;QAC7E,OAAO,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,KAAK,QAAQ,EAAE,CAAC,CAAC,CAAC,GAAG,QAAQ,KAAK,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;IAC7F,CAAC;IACD,OAAO,GAAG,QAAQ,KAAK,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,0BAA0B,CAAC,SAAoB;IACtD,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,EAAE,iBAAiB,CAAC;IAClE,IAAI,eAAe;QAAE,OAAO,oBAAoB,eAAe,GAAG,CAAC;IAEnE,MAAM,cAAc,GAAG,SAAS,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnE,IAAI,cAAc,EAAE,MAAM,EAAE,CAAC;QAC3B,OAAO,yBAAyB,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAClG,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,QAAQ,GAAG,MAAM,SAAS,EAAE,CAAC;IAEnC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,SAAoB,CAAC;IACzB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC,CAAC,CAAC;QAC3F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC;IACxE,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;IAC/D,MAAM,kBAAkB,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,eAAe,GAAG,SAAS,CAAC,YAAY,EAAE,iBAAiB,CAAC;IAClE,MAAM,cAAc,GAAG,SAAS,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnE,MAAM,cAAc,GAAyB;QAC3C,SAAS,EAAE,oBAAoB,CAAC,QAAQ,EAAE,SAAS,CAAC;QACpD,OAAO,EAAE;YACP,OAAO,EAAE,kBAAkB,IAAI,8BAA8B;YAC7D,gBAAgB,EAAE,SAAS,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,EAAE;YAC9D,QAAQ;YACR,SAAS;YACT,WAAW,EAAE,eAAe;YAC5B,mBAAmB,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YACxE,SAAS,EAAE,SAAS,CAAC,UAAU;SAChC;KACF,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;YACzD,MAAM,EAAE,QAAQ,CAAC,SAAS;YAC1B,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,WAAW,EAAE,QAAQ,CAAC,WAAW;SAClC,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,kBAAkB,KAAK,CAAC,OAAO,+BAA+B;SACvE,CAAC,CAAC,CAAC;IACN,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC"}

package/hooks/bouncer.sh DELETED Viewed

@@ -1,145 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) 2025-present Mstro, Inc. All rights reserved.
-# Licensed under the MIT License. See LICENSE file for details.
-#
-# Mstro Bouncer Gate - Claude Code Hook
-#
-# This hook intercepts Claude Code tool calls and routes them through
-# the Mstro bouncer for security analysis before execution.
-#
-# Installation:
-#   Run: npx mstro --configure-hooks
-#
-# Dependencies: Node.js (no jq or bun required)
-#
-set -euo pipefail
-# Configuration - MSTRO_BOUNCER_CLI is set by configure-claude.js
-BOUNCER_CLI="${MSTRO_BOUNCER_CLI:-}"
-BOUNCER_TIMEOUT="${BOUNCER_TIMEOUT:-10}"
-BOUNCER_LOG="${BOUNCER_LOG:-$HOME/.claude/logs/bouncer.log}"
-# Ensure log directory exists
-mkdir -p "$(dirname "$BOUNCER_LOG")"
-# Read hook input from stdin (JSON format from Claude Code)
-INPUT=$(cat)
-# Use Node.js inline to parse JSON and handle logic (eliminates jq dependency)
-RESULT=$(node --input-type=module -e "
-import { spawn } from 'child_process';
-import { appendFileSync } from 'fs';
-const input = JSON.parse(process.argv[1]);
-const bouncerCli = process.argv[2];
-const timeout = parseInt(process.argv[3], 10) * 1000;
-const logFile = process.argv[4];
-const toolName = input.tool_name || input.toolName || 'unknown';
-const toolInput = input.input || input.toolInput || {};
-function log(msg) {
-  const timestamp = new Date().toISOString();
-  appendFileSync(logFile, \`[\${timestamp}] \${msg}\n\`);
-}
-function output(decision, reason) {
-  console.log(JSON.stringify({ decision, reason }));
-}
-// Quick path for read-only and side-effect-free operations
-const safeOps = ['Read', 'Glob', 'Grep', 'Search', 'List', 'WebFetch', 'WebSearch',
-  'ExitPlanMode', 'EnterPlanMode', 'TodoWrite', 'AskUserQuestion'];
-if (safeOps.includes(toolName)) {
-  output('allow', 'Safe operation (no dangerous side effects)');
-  process.exit(0);
-}
-// Quick path for malformed tool calls with empty params (no-ops)
-if (Object.keys(toolInput).length === 0 && ['Edit', 'Write'].includes(toolName)) {
-  output('allow', 'Empty parameters - no-op');
-  process.exit(0);
-}
-// Build operation string for logging
-let operation = toolName + ': ';
-if (toolName === 'Bash' && toolInput.command) {
-  operation += toolInput.command;
-} else if (['Write', 'Edit'].includes(toolName)) {
-  operation += toolInput.file_path || toolInput.filePath || toolInput.path || JSON.stringify(toolInput);
-} else {
-  operation += JSON.stringify(toolInput);
-}
-log('Analyzing: ' + toolName);
-// Check if bouncer CLI is available
-if (bouncerCli) {
-  try {
-    const child = spawn('node', [bouncerCli], {
-      stdio: ['pipe', 'pipe', 'pipe'],
-      timeout: timeout
-    });
-    let stdout = '';
-    let stderr = '';
-    child.stdout.on('data', (data) => { stdout += data; });
-    child.stderr.on('data', (data) => { stderr += data; });
-    child.stdin.write(JSON.stringify(input));
-    child.stdin.end();
-    child.on('close', (code) => {
-      if (stderr) log('Bouncer stderr: ' + stderr);
-      if (code === 0 && stdout.trim()) {
-        try {
-          const result = JSON.parse(stdout.trim());
-          log(result.decision + ': ' + operation + ' - ' + (result.reason || ''));
-          console.log(stdout.trim());
-        } catch {
-          log('allow (parse error): ' + operation);
-          output('allow', 'Bouncer response parse error, allowing');
-        }
-      } else {
-        log('allow (bouncer error): ' + operation);
-        output('allow', 'Bouncer error, allowing');
-      }
-    });
-    child.on('error', (err) => {
-      log('allow (spawn error): ' + operation + ' - ' + err.message);
-      output('allow', 'Bouncer spawn error, allowing');
-    });
-  } catch (err) {
-    log('allow (exception): ' + operation + ' - ' + err.message);
-    output('allow', 'Bouncer exception, allowing');
-  }
-} else {
-  // Fallback: critical threat pattern matching only
-  const criticalPatterns = [
-    { pattern: /rm\s+-rf\s+(\/|~)(\$|\s)/, reason: 'Critical threat: recursive delete of root or home' },
-    { pattern: /:\(\)\{.*\}|:\(\)\{.*:\|:/, reason: 'Critical threat: fork bomb detected' },
-    { pattern: /dd\s+if=\/dev\/zero\s+of=\/dev\/sd/, reason: 'Critical threat: disk overwrite' },
-    { pattern: /mkfs\s+\/dev\/sd/, reason: 'Critical threat: filesystem format' },
-    { pattern: />\s*\/dev\/sd/, reason: 'Critical threat: direct disk write' },
-  ];
-  for (const { pattern, reason } of criticalPatterns) {
-    if (pattern.test(operation)) {
-      log('DENIED: ' + operation + ' - ' + reason);
-      output('deny', reason);
-      process.exit(0);
-    }
-  }
-  log('allow (fallback): ' + operation);
-  output('allow', 'Basic pattern check passed');
-}
-" "$INPUT" "$BOUNCER_CLI" "$BOUNCER_TIMEOUT" "$BOUNCER_LOG" 2>> "$BOUNCER_LOG")
-echo "$RESULT"

package/server/cli/headless/output-utils.test.ts DELETED Viewed

@@ -1,225 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import {
-  detectErrorInStderr,
-  estimateTokensFromOutput,
-  extractCleanOutput,
-  extractModifiedFiles,
-} from './output-utils.js';
-// ========== extractCleanOutput ==========
-describe('extractCleanOutput', () => {
-  it('filters out JSON lines with "type" field', () => {
-    const input = [
-      '{"type": "system", "data": "init"}',
-      'Hello world',
-      '{"type": "assistant", "text": "hi"}',
-      'Some output',
-    ].join('\n');
-    expect(extractCleanOutput(input)).toBe('Hello world\nSome output');
-  });
-  it('strips ANSI color codes', () => {
-    const input = '\x1b[32mgreen text\x1b[0m and \x1b[1;31mred bold\x1b[0m';
-    expect(extractCleanOutput(input)).toBe('green text and red bold');
-  });
-  it('normalizes CRLF to LF', () => {
-    const input = 'line1\r\nline2\r\nline3';
-    expect(extractCleanOutput(input)).toBe('line1\nline2\nline3');
-  });
-  it('trims whitespace', () => {
-    const input = '  \n  Hello  \n  ';
-    expect(extractCleanOutput(input)).toBe('Hello');
-  });
-  it('filters empty lines', () => {
-    const input = 'line1\n\n\nline2';
-    expect(extractCleanOutput(input)).toBe('line1\nline2');
-  });
-  it('returns empty string for all-JSON input', () => {
-    const input = '{"type": "system"}\n{"type": "result"}';
-    expect(extractCleanOutput(input)).toBe('');
-  });
-  it('handles combined ANSI + JSON + CRLF', () => {
-    const input = '{"type": "system"}\r\n\x1b[33mwarning\x1b[0m\r\n{"type": "result"}';
-    expect(extractCleanOutput(input)).toBe('warning');
-  });
-});
-// ========== estimateTokensFromOutput ==========
-describe('estimateTokensFromOutput', () => {
-  it('estimates tokens as length / 4', () => {
-    expect(estimateTokensFromOutput('12345678')).toBe(2);
-    expect(estimateTokensFromOutput('1234')).toBe(1);
-  });
-  it('floors the result', () => {
-    expect(estimateTokensFromOutput('12345')).toBe(1); // 5/4 = 1.25 → 1
-    expect(estimateTokensFromOutput('123')).toBe(0);   // 3/4 = 0.75 → 0
-  });
-  it('returns 0 for empty string', () => {
-    expect(estimateTokensFromOutput('')).toBe(0);
-  });
-});
-// ========== extractModifiedFiles ==========
-describe('extractModifiedFiles', () => {
-  it('extracts files from "wrote" pattern', () => {
-    const output = 'wrote file "src/index.ts" successfully';
-    expect(extractModifiedFiles(output)).toContain('src/index.ts');
-  });
-  it('extracts files from "modified" pattern', () => {
-    const output = 'modified utils.js in place';
-    expect(extractModifiedFiles(output)).toContain('utils.js');
-  });
-  it('extracts files from "created" pattern', () => {
-    const output = "created file 'new-file.tsx'";
-    expect(extractModifiedFiles(output)).toContain('new-file.tsx');
-  });
-  it('extracts files from "edited" pattern', () => {
-    const output = 'edited config.json';
-    expect(extractModifiedFiles(output)).toContain('config.json');
-  });
-  it('deduplicates files', () => {
-    const output = 'wrote src/index.ts\nmodified src/index.ts';
-    const files = extractModifiedFiles(output);
-    expect(files.filter(f => f === 'src/index.ts')).toHaveLength(1);
-  });
-  it('returns empty array when no files found', () => {
-    expect(extractModifiedFiles('no files mentioned here')).toEqual([]);
-  });
-  it('extracts multiple different files', () => {
-    const output = 'wrote src/a.ts\ncreated src/b.ts\nedited src/c.ts';
-    const files = extractModifiedFiles(output);
-    expect(files).toContain('src/a.ts');
-    expect(files).toContain('src/b.ts');
-    expect(files).toContain('src/c.ts');
-  });
-});
-// ========== detectErrorInStderr ==========
-describe('detectErrorInStderr', () => {
-  it('detects auth errors', () => {
-    const result = detectErrorInStderr('Error: not logged in to Claude');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('AUTH_REQUIRED');
-  });
-  it('detects session expired', () => {
-    const result = detectErrorInStderr('Your session has expired, please re-authenticate');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('AUTH_REQUIRED');
-  });
-  it('detects account not found', () => {
-    const result = detectErrorInStderr('account not found for this user');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('ACCOUNT_NOT_FOUND');
-  });
-  it('detects API key errors', () => {
-    const result = detectErrorInStderr('invalid api key provided');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('API_KEY_INVALID');
-  });
-  it('detects quota exceeded', () => {
-    const result = detectErrorInStderr('quota exceeded for your subscription');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('QUOTA_EXCEEDED');
-  });
-  it('detects billing issues', () => {
-    const result = detectErrorInStderr('payment required to continue');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('QUOTA_EXCEEDED');
-  });
-  it('detects rate limiting', () => {
-    const result = detectErrorInStderr('rate limit exceeded, retry after 30s');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('RATE_LIMITED');
-  });
-  it('detects 429 status', () => {
-    const result = detectErrorInStderr('HTTP 429 too many requests');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('RATE_LIMITED');
-  });
-  it('detects network errors', () => {
-    const result = detectErrorInStderr('ECONNREFUSED 127.0.0.1:443');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('NETWORK_ERROR');
-  });
-  it('detects DNS failures', () => {
-    const result = detectErrorInStderr('ENOTFOUND api.anthropic.com');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('NETWORK_ERROR');
-  });
-  it('detects SSL errors', () => {
-    const result = detectErrorInStderr('CERT_HAS_EXPIRED for api.example.com');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('SSL_ERROR');
-  });
-  it('detects service unavailable', () => {
-    const result = detectErrorInStderr('service unavailable, try again later');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('SERVICE_UNAVAILABLE');
-  });
-  it('detects 503 status', () => {
-    const result = detectErrorInStderr('HTTP 503 from upstream');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('SERVICE_UNAVAILABLE');
-  });
-  it('detects internal errors', () => {
-    const result = detectErrorInStderr('internal server error occurred');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('INTERNAL_ERROR');
-  });
-  it('detects context too long', () => {
-    const result = detectErrorInStderr('context too long, exceeds 200k tokens');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('CONTEXT_TOO_LONG');
-  });
-  it('detects session not found', () => {
-    const result = detectErrorInStderr('session not found, please create a new one');
-    expect(result).not.toBeNull();
-    expect(result!.errorCode).toBe('SESSION_NOT_FOUND');
-  });
-  it('returns null for non-matching stderr', () => {
-    expect(detectErrorInStderr('Processing file...')).toBeNull();
-    expect(detectErrorInStderr('Warning: deprecated API usage')).toBeNull();
-    expect(detectErrorInStderr('')).toBeNull();
-  });
-  it('returns user-friendly messages', () => {
-    const result = detectErrorInStderr('not logged in');
-    expect(result).not.toBeNull();
-    expect(result!.message).toContain('authentication');
-    // Should not expose raw error
-    expect(result!.message).not.toContain('not logged in');
-  });
-});

package/server/cli/headless/stall-assessor.test.ts DELETED Viewed

@@ -1,165 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import type { StallContext } from './stall-assessor.js';
-// quickHeuristic, parseAssessmentResponse, and parseVerdictResponse are not exported.
-// We test them via assessStall (which calls quickHeuristic first) and by testing
-// the parsing functions indirectly. Since quickHeuristic is the critical logic
-// and assessStall calls it before Haiku, we can test the heuristic paths by
-// providing contexts that match known patterns.
-//
-// To avoid spawning Haiku (which requires `claude` CLI), we only test contexts
-// that trigger the heuristic fast-path (return non-null from quickHeuristic).
-import { assessStall } from './stall-assessor.js';
-function makeContext(overrides: Partial<StallContext> = {}): StallContext {
-  return {
-    originalPrompt: 'Fix the bug in auth.ts',
-    silenceMs: 120_000,
-    pendingToolCount: 0,
-    totalToolCalls: 5,
-    elapsedTotalMs: 300_000,
-    ...overrides,
-  };
-}
-describe('assessStall - quickHeuristic paths', () => {
-  it('extends when tokens are still flowing (tokenSilenceMs < 60s)', async () => {
-    const ctx = makeContext({ tokenSilenceMs: 30_000 });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.extensionMs).toBe(10 * 60_000);
-    expect(verdict.reason).toContain('Tokens still flowing');
-  });
-  it('extends when tokenSilenceMs is 0', async () => {
-    const ctx = makeContext({ tokenSilenceMs: 0 });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('Tokens still flowing');
-  });
-  it('does not use token heuristic when tokenSilenceMs >= 60s', async () => {
-    const ctx = makeContext({
-      tokenSilenceMs: 60_000,
-      pendingToolCount: 3, // will trigger parallel tools heuristic
-    });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    // Should NOT hit the token heuristic, should hit the 3+ parallel tools one
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('parallel tool calls');
-  });
-  it('defers to watchdog when active and tools are pending', async () => {
-    const ctx = makeContext({ pendingToolCount: 1, lastToolName: 'Bash' });
-    const verdict = await assessStall(ctx, 'claude', false, true);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.extensionMs).toBe(15 * 60_000);
-    expect(verdict.reason).toContain('Watchdog active');
-  });
-  it('defers to watchdog and lists pending tool names', async () => {
-    const ctx = makeContext({
-      pendingToolCount: 2,
-      pendingToolNames: new Set(['WebFetch', 'Bash']),
-    });
-    const verdict = await assessStall(ctx, 'claude', false, true);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('WebFetch');
-    expect(verdict.reason).toContain('Bash');
-  });
-  it('extends for Task subagent via pendingToolNames', async () => {
-    const ctx = makeContext({
-      pendingToolCount: 1,
-      pendingToolNames: new Set(['Task']),
-    });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('Task subagent');
-  });
-  it('extends for Task subagent via lastToolName fallback', async () => {
-    const ctx = makeContext({
-      pendingToolCount: 1,
-      lastToolName: 'Task',
-    });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('Task subagent');
-  });
-  it('scales Task extension with pending count', async () => {
-    const ctx1 = makeContext({
-      pendingToolCount: 1,
-      pendingToolNames: new Set(['Task']),
-    });
-    const ctx3 = makeContext({
-      pendingToolCount: 3,
-      pendingToolNames: new Set(['Task']),
-    });
-    const v1 = await assessStall(ctx1, 'claude', false, false);
-    const v3 = await assessStall(ctx3, 'claude', false, false);
-    // More pending = more extension, capped at 30 min
-    expect(v3.extensionMs).toBeGreaterThanOrEqual(v1.extensionMs);
-    expect(v3.extensionMs).toBeLessThanOrEqual(30 * 60_000);
-  });
-  it('extends for 3+ parallel tool calls', async () => {
-    const ctx = makeContext({ pendingToolCount: 3 });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.extensionMs).toBe(15 * 60_000);
-    expect(verdict.reason).toContain('parallel tool calls');
-  });
-  it('extends for 5 parallel tool calls', async () => {
-    const ctx = makeContext({ pendingToolCount: 5 });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('5 parallel tool calls');
-  });
-  it('extends for WebSearch without watchdog', async () => {
-    const ctx = makeContext({ lastToolName: 'WebSearch', pendingToolCount: 1 });
-    // pendingToolCount < 3, not Task, not watchdog active, but WebSearch
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.extensionMs).toBe(5 * 60_000);
-    expect(verdict.reason).toContain('WebSearch');
-  });
-  it('extends for WebFetch without watchdog', async () => {
-    const ctx = makeContext({ lastToolName: 'WebFetch', pendingToolCount: 1 });
-    const verdict = await assessStall(ctx, 'claude', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.extensionMs).toBe(5 * 60_000);
-    expect(verdict.reason).toContain('WebFetch');
-  });
-  it('does NOT extend for WebSearch when watchdog is active', async () => {
-    // When watchdog is active and tools are pending, the watchdog deferral
-    // takes priority over the WebSearch heuristic
-    const ctx = makeContext({
-      lastToolName: 'WebSearch',
-      pendingToolCount: 1,
-    });
-    const verdict = await assessStall(ctx, 'claude', false, true);
-    // Should defer to watchdog, not WebSearch heuristic
-    expect(verdict.action).toBe('extend');
-    expect(verdict.reason).toContain('Watchdog active');
-  });
-  it('falls back to extend when Haiku assessment fails', async () => {
-    // Context that doesn't match any heuristic → triggers Haiku →
-    // Haiku fails (no `claude` binary) → cautious extend
-    const ctx = makeContext({
-      pendingToolCount: 1,
-      lastToolName: 'Edit',
-    });
-    const verdict = await assessStall(ctx, 'nonexistent-claude-binary', false, false);
-    expect(verdict.action).toBe('extend');
-    expect(verdict.extensionMs).toBe(10 * 60_000);
-    expect(verdict.reason).toContain('unavailable');
-  });
-});