nexus-agents 2.125.25 → 2.125.26

package/dist/{chunk-F6VJEXXJ.js → chunk-2SCNPVUP.js}

@@ -123,7 +123,7 @@ import {
   DEFAULT_TASK_TTL_MS,
   DEFAULT_TOOL_RATE_LIMITS,
   clampTaskTtl
-} from "./chunk-B3TJNOKQ.js";
+} from "./chunk-KEQQQRA6.js";
 import {
   resolveInsideRoot
 } from "./chunk-NUBSJGQZ.js";
@@ -26260,6 +26260,9 @@ async function runSinglePrecondition(config, ctx, options) {
 
 // src/orchestration/graph/graph-executor.ts
 var logger16 = createLogger({ component: "GraphExecutor" });
+function isPolicyBlockedError(error) {
+  return error instanceof Error && error.name === "PolicyBlockedError";
+}
 function failureClassification(category) {
   return { errorCategory: category, isRetryable: defaultRetryable(category) };
 }
@@ -26639,6 +26642,30 @@ async function executeWithVerification(args) {
     ...gotoTarget !== void 0 ? { gotoTarget } : {}
   };
 }
+function failedNodeResult(nodeId, error, startTime) {
+  const message = getErrorMessage(error);
+  logger16.warn("Node execution failed", { nodeId, error: message });
+  if (isPolicyBlockedError(error)) {
+    return {
+      nodeId,
+      stateUpdates: {},
+      durationMs: getTimeProvider().now() - startTime,
+      status: "failed",
+      error: message,
+      policyBlocked: true,
+      ...failureClassification("permission")
+    };
+  }
+  const category = coarsenFailureCategory(categorizeOutcomeError(error));
+  return {
+    nodeId,
+    stateUpdates: {},
+    durationMs: getTimeProvider().now() - startTime,
+    status: "failed",
+    error: message,
+    ...failureClassification(category)
+  };
+}
 async function executeSingleNode(graph, nodeId, state, nodeCtx, options) {
   const prior = options?.priorResults?.get(nodeId);
   if (prior?.status === "success") {
@@ -26665,17 +26692,7 @@ async function executeSingleNode(graph, nodeId, state, nodeCtx, options) {
   try {
     return await executeWithVerification({ node, nodeId, state, startTime, nodeCtx, options });
   } catch (error) {
-    const message = getErrorMessage(error);
-    logger16.warn("Node execution failed", { nodeId, error: message });
-    const category = coarsenFailureCategory(categorizeOutcomeError(error));
-    return {
-      nodeId,
-      stateUpdates: {},
-      durationMs: getTimeProvider().now() - startTime,
-      status: "failed",
-      error: message,
-      ...failureClassification(category)
-    };
+    return failedNodeResult(nodeId, error, startTime);
   }
 }
 function resolveEntryNodes(graph, state) {
@@ -26968,6 +26985,149 @@ function customReducer(defaultValue, merge) {
   return { defaultValue, reducer: { type: "custom", merge } };
 }
 
+// src/pipeline/v2-config.ts
+function readV2Mode() {
+  const env = process.env["NEXUS_V2_MODE"];
+  if (env === "off" || env === "partial") return env;
+  return "full";
+}
+function resolveFlag(envKey, umbrellaDefault) {
+  const env = process.env[envKey];
+  if (env === "true") return true;
+  if (env === "false") return false;
+  return umbrellaDefault;
+}
+function resolvePolicyMode(umbrella) {
+  const env = process.env["NEXUS_V2_POLICY_MODE"];
+  if (env === "off" || env === "warn" || env === "block") return env;
+  if (umbrella === "off") return "off";
+  if (umbrella === "partial") return "warn";
+  return "block";
+}
+function resolveV2Config() {
+  const mode = readV2Mode();
+  const umbrellaDelegate = mode !== "off";
+  const umbrellaOrchestrate = mode === "full";
+  return {
+    mode,
+    delegateEnabled: resolveFlag("NEXUS_V2_DELEGATE", umbrellaDelegate),
+    orchestrateEnabled: resolveFlag("NEXUS_V2_ORCHESTRATE", umbrellaOrchestrate),
+    policyMode: resolvePolicyMode(mode),
+    aorchestraEnabled: resolveFlag("NEXUS_AORCHESTRA", true),
+    dispatchEnabled: resolveFlag("NEXUS_AORCHESTRA_DISPATCH", true)
+  };
+}
+
+// src/pipeline/policy-evaluator.ts
+var logger17 = createLogger({ component: "PolicyEvaluator" });
+var PolicyBlockedError = class extends Error {
+  gateId;
+  violations;
+  constructor(gateId, violations) {
+    const summary = violations.map((v) => v.ruleId).join(", ");
+    super(`Policy gate '${gateId}' blocked stage boundary (rules: ${summary || "none"})`);
+    this.name = "PolicyBlockedError";
+    this.gateId = gateId;
+    this.violations = violations;
+  }
+};
+function getGateEnforcementMode() {
+  const env = process.env["NEXUS_POLICY_GATE_MODE"];
+  if (env === "off" || env === "warn" || env === "block") return env;
+  return "warn";
+}
+function enforceGatePolicy(enforcement, target) {
+  const mode = enforcement.mode ?? getGateEnforcementMode();
+  const result = evaluatePipelinePolicy(
+    {
+      engine: enforcement.engine,
+      mode,
+      ...enforcement.eventBus !== void 0 ? { eventBus: enforcement.eventBus } : {}
+    },
+    {
+      taskId: target.taskId,
+      stageId: target.gateId,
+      stageType: target.stageType,
+      pipelineState: enforcement.pipelineState
+    }
+  );
+  if (mode === "block" && !result.allowed) {
+    throw new PolicyBlockedError(target.gateId, result.violations);
+  }
+  return result;
+}
+function getPolicyMode() {
+  return resolveV2Config().policyMode;
+}
+function evaluatePipelinePolicy(options, context) {
+  const mode = options.mode ?? getPolicyMode();
+  if (mode === "off") {
+    return { allowed: true, violations: [], mode };
+  }
+  const violations = [];
+  const rules = options.engine.listRules();
+  for (const rule of rules) {
+    let decision;
+    try {
+      decision = rule.evaluate(context);
+    } catch (err2) {
+      const error = err2 instanceof Error ? err2 : new Error(String(err2));
+      logger17.error("Policy rule threw during evaluation", error, {
+        ruleId: rule.id,
+        stageId: context.stageId
+      });
+      const message = error.message;
+      violations.push({
+        ruleId: rule.id,
+        reason: `Rule threw during evaluation: ${message}`
+      });
+      continue;
+    }
+    if (!decision.allow) {
+      violations.push({
+        ruleId: rule.id,
+        reason: decision.reason,
+        ...decision.escalateTo !== void 0 ? { escalateTo: decision.escalateTo } : {}
+      });
+    }
+  }
+  if (violations.length > 0) {
+    emitPolicyEvents(options.eventBus, context, violations);
+    logViolations(context, violations, mode);
+  }
+  const allowed = mode === "warn" || violations.length === 0;
+  return { allowed, violations, mode };
+}
+function emitPolicyEvents(eventBus, context, violations) {
+  if (eventBus === void 0) return;
+  for (const v of violations) {
+    const event = {
+      type: "policy.evaluated",
+      timestamp: Date.now(),
+      executionId: context.taskId,
+      gateId: `${context.stageId}:${v.ruleId}`,
+      decision: "deny"
+    };
+    eventBus.emit(event);
+  }
+}
+function logViolations(context, violations, mode) {
+  const summary = violations.map((v) => v.ruleId).join(", ");
+  if (mode === "block") {
+    logger17.warn("Policy BLOCKED stage", {
+      stageId: context.stageId,
+      violations: summary,
+      count: violations.length
+    });
+  } else {
+    logger17.info("Policy WARN (violations logged)", {
+      stageId: context.stageId,
+      violations: summary,
+      count: violations.length
+    });
+  }
+}
+
 // src/pipeline/plan-compiler.ts
 function compilePlan(plan, options) {
   if (plan.stages.length === 0) {
@@ -26987,7 +27147,7 @@ function compilePlan(plan, options) {
   const builder = new GraphBuilder();
   addPipelineState(builder);
   addStageNodes(builder, plan.stages, options?.pluginRegistry);
-  addGateNodes(builder, plan.policyGates);
+  addGateNodes(builder, plan.policyGates, plan, options?.policyEnforcement);
   addEdges(builder, plan.stages, plan.policyGates);
   const result = builder.compile();
   if (result.ok) {
@@ -27020,20 +27180,32 @@ function createStageHandler(stage, registry) {
     stageResults: [{ stageId: stage.id, status: "completed" }]
   });
 }
-function createGateHandler(gate) {
-  return (_state) => Promise.resolve({
-    currentStage: gate.id,
-    stageResults: [{ gateId: gate.id, status: "passed" }]
-  });
+function createGateHandler(gate, taskId, stageType, enforcement) {
+  if (enforcement === void 0) {
+    return (_state) => Promise.resolve({
+      currentStage: gate.id,
+      stageResults: [{ gateId: gate.id, status: "passed" }]
+    });
+  }
+  return (_state) => {
+    const verdict = enforceGatePolicy(enforcement, { gateId: gate.id, taskId, stageType });
+    const status = verdict.allowed ? "passed" : "warned";
+    return Promise.resolve({
+      currentStage: gate.id,
+      stageResults: [{ gateId: gate.id, status }]
+    });
+  };
 }
 function addStageNodes(builder, stages, registry) {
   for (const stage of stages) {
     builder.addNode(stage.id, createStageHandler(stage, registry));
   }
 }
-function addGateNodes(builder, gates) {
+function addGateNodes(builder, gates, plan, enforcement) {
+  const stageTypeById = new Map(plan.stages.map((s) => [s.id, s.type]));
   for (const gate of gates) {
-    builder.addNode(gate.id, createGateHandler(gate));
+    const stageType = stageTypeById.get(gate.beforeStage) ?? "gate";
+    builder.addNode(gate.id, createGateHandler(gate, plan.taskId, stageType, enforcement));
   }
 }
 function addEdges(builder, stages, gates) {
@@ -27201,7 +27373,7 @@ var StageResultSchema = z48.object({
 });
 
 // src/pipeline/plugin-registry.ts
-var logger17 = createLogger({ component: "PluginRegistry" });
+var logger18 = createLogger({ component: "PluginRegistry" });
 var PluginRegistry = class {
   plugins = /* @__PURE__ */ new Map();
   options;
@@ -27233,7 +27405,7 @@ var PluginRegistry = class {
       };
     }
     this.plugins.set(plugin.manifest.id, plugin);
-    logger17.info("Plugin registered", {
+    logger18.info("Plugin registered", {
       id: plugin.manifest.id,
       version: plugin.manifest.version,
       trustLevel: plugin.manifest.trustLevel
@@ -27251,7 +27423,7 @@ var PluginRegistry = class {
   }
   freeze() {
     this.isFrozen = true;
-    logger17.info("Plugin registry frozen", {
+    logger18.info("Plugin registry frozen", {
       pluginCount: this.plugins.size
     });
   }
@@ -27306,7 +27478,7 @@ var PluginRegistry = class {
 };
 
 // src/pipeline/core-plugins.ts
-var logger18 = createLogger({ component: "CorePlugins" });
+var logger19 = createLogger({ component: "CorePlugins" });
 function noopStageResult() {
   return { success: true, outputArtifacts: [], metadata: { stub: true } };
 }
@@ -27359,11 +27531,11 @@ function registerCorePlugins(registry) {
     } else {
       const msg = `Failed to register ${plugin.manifest.id}: ${JSON.stringify(result.error)}`;
       errors.push(msg);
-      logger18.warn(msg);
+      logger19.warn(msg);
     }
   }
   reg.freeze();
-  logger18.info("Core plugins registered", { registered, failed: errors.length });
+  logger19.info("Core plugins registered", { registered, failed: errors.length });
   return { registered, failed: errors.length, errors };
 }
 function createCorePluginRegistry() {
@@ -27463,7 +27635,7 @@ function emitPipelineStageEvent(prefix, stage, status, details) {
 // src/pipeline/trace-writer.ts
 import { mkdir, writeFile, rename, unlink } from "fs/promises";
 import { join as join4 } from "path";
-var logger19 = createLogger({ component: "TraceWriter" });
+var logger20 = createLogger({ component: "TraceWriter" });
 var MAX_BUFFER_SIZE = 5e4;
 var TraceWriter = class {
   constructor(bus, options) {
@@ -27497,7 +27669,7 @@ var TraceWriter = class {
     } catch (err2) {
       await unlink(traceTmp).catch((unlinkErr) => {
         const msg = unlinkErr instanceof Error ? unlinkErr.message : String(unlinkErr);
-        logger19.warn("Failed to clean up trace temp file", { path: traceTmp, error: msg });
+        logger20.warn("Failed to clean up trace temp file", { path: traceTmp, error: msg });
       });
       throw err2;
     }
@@ -27510,11 +27682,11 @@ var TraceWriter = class {
     } catch (err2) {
       await unlink(indexTmp).catch((unlinkErr) => {
         const msg = unlinkErr instanceof Error ? unlinkErr.message : String(unlinkErr);
-        logger19.warn("Failed to clean up index temp file", { path: indexTmp, error: msg });
+        logger20.warn("Failed to clean up index temp file", { path: indexTmp, error: msg });
       });
       throw err2;
     }
-    logger19.info("Trace flushed", {
+    logger20.info("Trace flushed", {
       runId: this.options.runId,
       events: this.buffer.length
     });
@@ -27630,7 +27802,12 @@ var PipelineRunner = class {
   /** Compiles a PlanContract into a CompiledPipeline. */
   compile(plan, options) {
     const { pluginRegistry } = resolvePipelineDeps(options);
-    const compileOpts = { pluginRegistry };
+    const compileOpts = {
+      pluginRegistry,
+      // Thread stage-boundary policy enforcement through to the gate handlers
+      // (#3177). Unset → gates remain no-op passes (back-compat).
+      ...options?.policyEnforcement !== void 0 ? { policyEnforcement: options.policyEnforcement } : {}
+    };
     const graphResult = compilePlan(plan, compileOpts);
     if (!graphResult.ok) {
       return { ok: false, error: graphResult.error };
@@ -27745,12 +27922,16 @@ function buildGraphOptions(pipeline, options) {
 function toResult(graphResult, startTime, continueOnFailure) {
   const durationMs = Date.now() - startTime;
   const hasFailure = graphResult.nodeResults.some((r) => r.status === "failed");
+  const policyBlockedNode = graphResult.nodeResults.find((r) => r.policyBlocked === true);
   const stepResults = graphResult.nodeResults.map((r) => ({
     stepId: r.nodeId,
     status: mapNodeStatus(r.status),
     durationMs: r.durationMs,
     ...r.error !== void 0 ? { error: r.error } : {}
   }));
+  if (policyBlockedNode !== void 0) {
+    return policyBlockedResult(graphResult, durationMs, continueOnFailure, stepResults);
+  }
   if (hasFailure && !continueOnFailure) {
     const failedNode = graphResult.nodeResults.find((r) => r.status === "failed");
     return {
@@ -27773,6 +27954,17 @@ function toResult(graphResult, startTime, continueOnFailure) {
     ...!allOk && continueOnFailure ? { error: `${String(succeeded)}/${String(total)} steps succeeded` } : {}
   };
 }
+function policyBlockedResult(graphResult, durationMs, continueOnFailure, stepResults) {
+  const blocked = graphResult.nodeResults.find((r) => r.policyBlocked === true);
+  return {
+    success: false,
+    stepsExecuted: graphResult.stepsExecuted,
+    durationMs,
+    error: blocked?.error ?? "Policy gate blocked the pipeline",
+    nodeResults: graphResult.nodeResults,
+    ...continueOnFailure ? { stepResults } : {}
+  };
+}
 function mapNodeStatus(status) {
   if (status === "success") return "succeeded";
   if (status === "interrupted") return "skipped";
@@ -27841,7 +28033,7 @@ async function flushTrace(ctx) {
 }
 
 // src/pipeline/policy-engine.ts
-var logger20 = createLogger({ component: "PolicyEngine" });
+var logger21 = createLogger({ component: "PolicyEngine" });
 var PolicyEngine = class {
   rules = /* @__PURE__ */ new Map();
   registerRule(rule) {
@@ -27855,7 +28047,7 @@ var PolicyEngine = class {
     for (const rule of sorted) {
       const decision = rule.evaluate(context);
       if (!decision.allow) {
-        logger20.info("Policy rule blocked", {
+        logger21.info("Policy rule blocked", {
           ruleId: rule.id,
           gateId: gate.id,
           reason: decision.reason
@@ -27905,113 +28097,6 @@ function createDefaultPolicyEngine() {
   return engine;
 }
 
-// src/pipeline/v2-config.ts
-function readV2Mode() {
-  const env = process.env["NEXUS_V2_MODE"];
-  if (env === "off" || env === "partial") return env;
-  return "full";
-}
-function resolveFlag(envKey, umbrellaDefault) {
-  const env = process.env[envKey];
-  if (env === "true") return true;
-  if (env === "false") return false;
-  return umbrellaDefault;
-}
-function resolvePolicyMode(umbrella) {
-  const env = process.env["NEXUS_V2_POLICY_MODE"];
-  if (env === "off" || env === "warn" || env === "block") return env;
-  if (umbrella === "off") return "off";
-  if (umbrella === "partial") return "warn";
-  return "block";
-}
-function resolveV2Config() {
-  const mode = readV2Mode();
-  const umbrellaDelegate = mode !== "off";
-  const umbrellaOrchestrate = mode === "full";
-  return {
-    mode,
-    delegateEnabled: resolveFlag("NEXUS_V2_DELEGATE", umbrellaDelegate),
-    orchestrateEnabled: resolveFlag("NEXUS_V2_ORCHESTRATE", umbrellaOrchestrate),
-    policyMode: resolvePolicyMode(mode),
-    aorchestraEnabled: resolveFlag("NEXUS_AORCHESTRA", true),
-    dispatchEnabled: resolveFlag("NEXUS_AORCHESTRA_DISPATCH", true)
-  };
-}
-
-// src/pipeline/policy-evaluator.ts
-var logger21 = createLogger({ component: "PolicyEvaluator" });
-function getPolicyMode() {
-  return resolveV2Config().policyMode;
-}
-function evaluatePipelinePolicy(options, context) {
-  const mode = options.mode ?? getPolicyMode();
-  if (mode === "off") {
-    return { allowed: true, violations: [], mode };
-  }
-  const violations = [];
-  const rules = options.engine.listRules();
-  for (const rule of rules) {
-    let decision;
-    try {
-      decision = rule.evaluate(context);
-    } catch (err2) {
-      const error = err2 instanceof Error ? err2 : new Error(String(err2));
-      logger21.error("Policy rule threw during evaluation", error, {
-        ruleId: rule.id,
-        stageId: context.stageId
-      });
-      const message = error.message;
-      violations.push({
-        ruleId: rule.id,
-        reason: `Rule threw during evaluation: ${message}`
-      });
-      continue;
-    }
-    if (!decision.allow) {
-      violations.push({
-        ruleId: rule.id,
-        reason: decision.reason,
-        ...decision.escalateTo !== void 0 ? { escalateTo: decision.escalateTo } : {}
-      });
-    }
-  }
-  if (violations.length > 0) {
-    emitPolicyEvents(options.eventBus, context, violations);
-    logViolations(context, violations, mode);
-  }
-  const allowed = mode === "warn" || violations.length === 0;
-  return { allowed, violations, mode };
-}
-function emitPolicyEvents(eventBus, context, violations) {
-  if (eventBus === void 0) return;
-  for (const v of violations) {
-    const event = {
-      type: "policy.evaluated",
-      timestamp: Date.now(),
-      executionId: context.taskId,
-      gateId: `${context.stageId}:${v.ruleId}`,
-      decision: "deny"
-    };
-    eventBus.emit(event);
-  }
-}
-function logViolations(context, violations, mode) {
-  const summary = violations.map((v) => v.ruleId).join(", ");
-  if (mode === "block") {
-    logger21.warn("Policy BLOCKED stage", {
-      stageId: context.stageId,
-      violations: summary,
-      count: violations.length
-    });
-  } else {
-    logger21.info("Policy WARN (violations logged)", {
-      stageId: context.stageId,
-      violations: summary,
-      count: violations.length
-    });
-  }
-}
-
 // src/pipeline/task-contract-builders.ts
 import { randomUUID as randomUUID9 } from "crypto";
 function buildBaseTaskContract(input) {
@@ -49589,6 +49674,9 @@ export {
   overwrite,
   append,
   customReducer,
+  resolveV2Config,
+  getPolicyMode,
+  evaluatePipelinePolicy,
   compilePlan,
   TASK_STATUSES,
   STAGE_TYPES,
@@ -49617,9 +49705,6 @@ export {
   PolicyEngine,
   BUILT_IN_RULES,
   createDefaultPolicyEngine,
-  resolveV2Config,
-  getPolicyMode,
-  evaluatePipelinePolicy,
   createDelegatePipeline,
   delegateInputToTaskContract,
   executeDelegatePipeline,
@@ -49800,4 +49885,4 @@ export {
   shutdownFeedbackSubscriber,
   createEventBusBridge
 };
-//# sourceMappingURL=chunk-F6VJEXXJ.js.map
+//# sourceMappingURL=chunk-2SCNPVUP.js.map