nexus-agents 2.74.0 → 2.75.0

package/dist/{chunk-BYKS53GW.js → chunk-G5NSRX6Z.js}

@@ -70,7 +70,7 @@ import {
   clampTaskTtl,
   getAvailabilityCache,
   resolveFallback
-} from "./chunk-WCCTIRSB.js";
+} from "./chunk-QCKKDUNX.js";
 import {
   DEFAULTS
 } from "./chunk-GS3GW7C7.js";
@@ -174,6 +174,7 @@ import {
   withStep
 } from "./chunk-Q3RFPJYK.js";
 import {
+  getNexusDataDir,
   nexusDataPath
 } from "./chunk-GOT7OAL5.js";
 
@@ -39754,6 +39755,87 @@ function registerMemoryStatsTool(server, deps) {
 
 // src/mcp/tools/memory-write.ts
 import { z as z74 } from "zod";
+
+// src/mcp/middleware/tool-prerequisites.ts
+import { execFile as execFile2 } from "child_process";
+import { access as access2, constants } from "fs/promises";
+import { dirname as dirname5 } from "path";
+import { promisify as promisify2 } from "util";
+var execFileAsync2 = promisify2(execFile2);
+async function ghCliAvailable() {
+  try {
+    await execFileAsync2("gh", ["--version"], { timeout: 5e3 });
+    return { ok: true };
+  } catch (err2) {
+    return {
+      ok: false,
+      remediation: `the 'gh' CLI is not available (${getErrorMessage(err2)}) \u2014 install GitHub CLI and authenticate (\`gh auth login\`)`
+    };
+  }
+}
+async function dataDirWritable() {
+  const dir = getNexusDataDir();
+  try {
+    await access2(dir, constants.W_OK);
+    return { ok: true };
+  } catch {
+    try {
+      await access2(dirname5(dir), constants.W_OK);
+      return { ok: true };
+    } catch (err2) {
+      return {
+        ok: false,
+        remediation: `NEXUS_DATA_DIR (${dir}) is not writable or creatable (${getErrorMessage(err2)}) \u2014 fix its permissions; run \`nexus-agents doctor\` to diagnose`
+      };
+    }
+  }
+}
+var TOOL_PREREQUISITES = {
+  improvement_review: {
+    name: "gh-cli-available",
+    rationale: "improvement_review's fileIssues mode shells out to `gh` to file candidate issues; without it the write path fails mid-operation",
+    check: ghCliAvailable
+  },
+  memory_write: {
+    name: "data-dir-writable",
+    rationale: "memory_write persists entries under NEXUS_DATA_DIR \u2014 an unwritable data dir fails the write confusingly mid-operation",
+    check: dataDirWritable
+  },
+  registry_import: {
+    name: "data-dir-writable",
+    rationale: "registry_import persists a draft registry entry under NEXUS_DATA_DIR when not in dryRun mode",
+    check: dataDirWritable
+  }
+};
+function applyPrerequisite(toolName, prereq, handler3) {
+  return async (args, ctx) => {
+    let result;
+    try {
+      result = await prereq.check();
+    } catch (err2) {
+      result = { ok: false, remediation: `prerequisite check threw: ${getErrorMessage(err2)}` };
+    }
+    if (!result.ok) {
+      return toolStructuredError({
+        errorCategory: "permission",
+        message: `${toolName} blocked: prerequisite '${prereq.name}' not satisfied`,
+        detail: {
+          failedPrerequisite: prereq.name,
+          rationale: prereq.rationale,
+          remediation: result.remediation ?? "see .rules/tool-prerequisites.md"
+        }
+      });
+    }
+    return handler3(args, ctx);
+  };
+}
+function withPrerequisite(toolName, handler3) {
+  const prereq = TOOL_PREREQUISITES[toolName];
+  if (prereq === void 0) return handler3;
+  return applyPrerequisite(toolName, prereq, handler3);
+}
+
+// src/mcp/tools/memory-write.ts
 var MemoryWriteInputSchema = z74.object({
   key: z74.string().min(1).max(200).describe("Memory identifier or subject"),
   content: z74.string().min(1).max(5e3).describe("Memory content to store"),
@@ -39897,8 +39979,9 @@ function registerMemoryWriteTool(server, deps) {
     rateLimiter: deps.rateLimiter,
     logger: logger51
   });
+  const guardedHandler = withPrerequisite("memory_write", secureHandler);
   const timeoutMs = getToolTimeout("memory_write", deps.security);
-  const wrappedHandler = wrapToolWithTimeout("memory_write", secureHandler, { timeoutMs, logger: logger51 });
+  const wrappedHandler = wrapToolWithTimeout("memory_write", guardedHandler, { timeoutMs, logger: logger51 });
   const outputSchema = {
     success: z74.boolean(),
     backend: z74.string(),
@@ -40134,8 +40217,9 @@ function registerRegistryImportTool(server, deps) {
     rateLimiter: deps.rateLimiter,
     logger: logger51
   });
+  const guardedHandler = withPrerequisite("registry_import", secureHandler);
   const timeoutMs = getToolTimeout("registry_import", deps.security);
-  const wrappedHandler = wrapToolWithTimeout("registry_import", secureHandler, {
+  const wrappedHandler = wrapToolWithTimeout("registry_import", guardedHandler, {
     timeoutMs,
     logger: logger51
   });
@@ -41996,9 +42080,9 @@ var logger33 = createLogger({ component: "security-scan" });
 var SCAN_TIMEOUT_MS = 3e5;
 async function isSemgrepAvailable() {
   try {
-    const { execFile: execFile4 } = await import("child_process");
-    const { promisify: promisify4 } = await import("util");
-    const exec2 = promisify4(execFile4);
+    const { execFile: execFile5 } = await import("child_process");
+    const { promisify: promisify5 } = await import("util");
+    const exec2 = promisify5(execFile5);
     await exec2("semgrep", ["--version"], { timeout: 1e4 });
     return true;
   } catch {
@@ -42006,9 +42090,9 @@ async function isSemgrepAvailable() {
   }
 }
 async function runSemgrep(targetDir, rulesets) {
-  const { execFile: execFile4 } = await import("child_process");
-  const { promisify: promisify4 } = await import("util");
-  const exec2 = promisify4(execFile4);
+  const { execFile: execFile5 } = await import("child_process");
+  const { promisify: promisify5 } = await import("util");
+  const exec2 = promisify5(execFile5);
   const args = ["--sarif", "--quiet", ...rulesets.flatMap((r) => ["--config", r]), targetDir];
   const { stdout } = await exec2("semgrep", args, {
     timeout: SCAN_TIMEOUT_MS,
@@ -44559,8 +44643,8 @@ function registerCompareDataFeedsTool(server, deps) {
 }
 
 // src/mcp/tools/improvement-review.ts
-import { execFile as execFile2 } from "child_process";
-import { promisify as promisify2 } from "util";
+import { execFile as execFile3 } from "child_process";
+import { promisify as promisify3 } from "util";
 import { z as z94 } from "zod";
 
 // src/governance/fitness-score.ts
@@ -45104,7 +45188,7 @@ function calculateFitnessScore(version) {
 }
 
 // src/mcp/tools/improvement-review.ts
-var execFileAsync2 = promisify2(execFile2);
+var execFileAsync3 = promisify3(execFile3);
 var ImprovementReviewInputSchema = z94.object({
   lookbackDays: z94.number().int().min(1).max(90).optional().default(7).describe("Lookback window for outcome data, in days. Default 7."),
   fileIssues: z94.boolean().optional().default(false).describe(
@@ -45247,7 +45331,7 @@ function detectFitnessSignals(audit, fitnessFloor) {
 }
 async function existingIssueForSignal(signalKey) {
   try {
-    const { stdout } = await execFileAsync2("gh", [
+    const { stdout } = await execFileAsync3("gh", [
       "issue",
       "list",
       "--state",
@@ -45276,7 +45360,7 @@ async function fileIssueForSignal(signal) {
 _Signal key (do not edit): \`${signal.signalKey}\` \xB7 Generated by \`improvement_review\` (#2402) \xB7 Severity: ${signal.severity}_`;
   const labels = signal.category === "security" ? "security" : signal.category;
   try {
-    const { stdout } = await execFileAsync2("gh", [
+    const { stdout } = await execFileAsync3("gh", [
       "issue",
       "create",
       "--title",
@@ -45393,8 +45477,9 @@ function registerImprovementReviewTool(server, deps) {
     rateLimiter: deps.rateLimiter,
     logger: logger51
   });
+  const guardedHandler = withPrerequisite("improvement_review", secureHandler);
   const timeoutMs = getToolTimeout("improvement_review", deps.security);
-  const wrappedHandler = wrapToolWithTimeout("improvement_review", secureHandler, {
+  const wrappedHandler = wrapToolWithTimeout("improvement_review", guardedHandler, {
     timeoutMs,
     logger: logger51
   });
@@ -48766,10 +48851,10 @@ function getPolicy(id) {
 }
 
 // src/security/sandbox/sandbox-executor.ts
-import { execFile as execFile3 } from "child_process";
-import { promisify as promisify3 } from "util";
+import { execFile as execFile4 } from "child_process";
+import { promisify as promisify4 } from "util";
 import { resolve as resolve17, normalize as normalize2, sep as sep6 } from "path";
-var execFileAsync3 = promisify3(execFile3);
+var execFileAsync4 = promisify4(execFile4);
 var logger45 = createLogger({ component: "sandbox-executor" });
 function parseExecError(error) {
   const execError = error;
@@ -48878,7 +48963,7 @@ var PolicySandboxExecutor = class {
    * Executes command with resource limits.
    */
   async executeWithLimits(command, args, cwd, env, limits) {
-    const { stdout, stderr } = await execFileAsync3(command, [...args], {
+    const { stdout, stderr } = await execFileAsync4(command, [...args], {
       cwd: cwd ?? process.cwd(),
       timeout: limits.maxWallTimeMs,
       maxBuffer: limits.maxOutputBytes,
@@ -49205,9 +49290,9 @@ import * as fs14 from "fs";
 import * as path13 from "path";
 var logger50 = createLogger({ component: "task-tracker" });
 async function exec(cmd, args, timeout = 15e3) {
-  const { execFile: execFile4 } = await import("child_process");
-  const { promisify: promisify4 } = await import("util");
-  const run = promisify4(execFile4);
+  const { execFile: execFile5 } = await import("child_process");
+  const { promisify: promisify5 } = await import("util");
+  const run = promisify5(execFile5);
   const { stdout } = await run(cmd, [...args], { timeout });
   return stdout.trim();
 }
@@ -49922,4 +50007,4 @@ export {
   detectBackend,
   createTaskTracker
 };
-//# sourceMappingURL=chunk-BYKS53GW.js.map
+//# sourceMappingURL=chunk-G5NSRX6Z.js.map