open-multi-agent-kit 0.78.1 → 0.78.3

package/dist/safety/enforcement-engine.js

@@ -0,0 +1,279 @@
+/**
+ * Policy / Sandbox Enforcement Engine v2
+ *
+ * Capability lattice with conservative policy combination.
+ * effectivePolicy = minByAuthority(userPolicy, repoPolicy, providerPolicy, adapterPolicy, riskPolicy)
+ *
+ * Conservative by default. Any ambiguity → block.
+ */
+import { createHash } from "node:crypto";
+export const ALL_CAPABILITIES = [
+    "read",
+    "write",
+    "shell",
+    "network",
+    "secret_read",
+    "secret_write",
+    "merge",
+    "publish",
+];
+// ---------------------------------------------------------------------------
+// Authority ranking (higher = more permissive)
+// ---------------------------------------------------------------------------
+const AUTHORITY_RANK = {
+    none: 0,
+    advisory: 1,
+    direct: 2,
+    full: 3,
+};
+export function rankOf(level) {
+    return AUTHORITY_RANK[level];
+}
+// ---------------------------------------------------------------------------
+// Defaults
+// ---------------------------------------------------------------------------
+const DEFAULT_CAPABILITY_LEVEL = "full";
+const DEFAULT_SANDBOX_MODE = "unrestricted";
+const DEFAULT_APPROVAL_POLICY = "yolo";
+export function defaultLattice() {
+    return {
+        read: DEFAULT_CAPABILITY_LEVEL,
+        write: DEFAULT_CAPABILITY_LEVEL,
+        shell: DEFAULT_CAPABILITY_LEVEL,
+        network: DEFAULT_CAPABILITY_LEVEL,
+        secret_read: DEFAULT_CAPABILITY_LEVEL,
+        secret_write: DEFAULT_CAPABILITY_LEVEL,
+        merge: DEFAULT_CAPABILITY_LEVEL,
+        publish: DEFAULT_CAPABILITY_LEVEL,
+    };
+}
+// ---------------------------------------------------------------------------
+// minByAuthority — conservative combination
+// ---------------------------------------------------------------------------
+/**
+ * Combine multiple policy layers by taking the **most restrictive**
+ * (minimum) authority level for each capability.
+ *
+ * If no layer expresses an opinion on a capability, it defaults to "full".
+ * If any layer expresses a sandbox mode, the most restrictive mode wins.
+ * If any layer expresses an approval policy, the most restrictive wins.
+ */
+export function combinePoliciesByMinAuthority(layers) {
+    const base = defaultLattice();
+    const activeSources = [];
+    // Track the most restrictive values seen so far.
+    const lattice = { ...base };
+    let sandboxMode = DEFAULT_SANDBOX_MODE;
+    let approvalPolicy = DEFAULT_APPROVAL_POLICY;
+    for (const layer of layers) {
+        activeSources.push(layer.source);
+        for (const cap of ALL_CAPABILITIES) {
+            const level = layer.lattice[cap];
+            if (level !== undefined) {
+                if (AUTHORITY_RANK[level] < AUTHORITY_RANK[lattice[cap]]) {
+                    lattice[cap] = level;
+                }
+            }
+        }
+        if (layer.sandboxMode !== undefined) {
+            if (sandboxModeRank(layer.sandboxMode) < sandboxModeRank(sandboxMode)) {
+                sandboxMode = layer.sandboxMode;
+            }
+        }
+        if (layer.approvalPolicy !== undefined) {
+            if (approvalPolicyRank(layer.approvalPolicy) < approvalPolicyRank(approvalPolicy)) {
+                approvalPolicy = layer.approvalPolicy;
+            }
+        }
+    }
+    return {
+        lattice: lattice,
+        sandboxMode,
+        approvalPolicy,
+        sources: activeSources,
+    };
+}
+// ---------------------------------------------------------------------------
+// Ranking helpers for sandbox mode and approval policy
+// ---------------------------------------------------------------------------
+function sandboxModeRank(mode) {
+    switch (mode) {
+        case "read-only":
+            return 0;
+        case "network-isolated":
+            return 1;
+        case "workspace-write":
+            return 2;
+        case "unrestricted":
+            return 3;
+    }
+}
+function approvalPolicyRank(policy) {
+    switch (policy) {
+        case "block":
+            return 0;
+        case "interactive":
+            return 1;
+        case "auto":
+            return 2;
+        case "yolo":
+            return 3;
+    }
+}
+// ---------------------------------------------------------------------------
+// Derive blocked / approval-required capabilities from combined policy
+// ---------------------------------------------------------------------------
+/**
+ * Compute the enforcement proof from a combined policy.
+ *
+ * Rules:
+ * 1. read-only sandbox blocks write, shell, network, merge, publish.
+ * 2. network-isolated sandbox blocks network.
+ * 3. Any capability with level "none" is blocked.
+ * 4. Any capability with level "advisory" requires approval.
+ * 5. interactive policy requires approval for non-read capabilities.
+ * 6. block policy blocks everything except read.
+ */
+export function computeEnforcementProof(combined) {
+    const blocked = new Set();
+    const approvalRequired = new Set();
+    const { lattice, sandboxMode, approvalPolicy, sources } = combined;
+    // Sandbox hard floors
+    if (sandboxMode === "read-only") {
+        for (const cap of ["write", "shell", "network", "merge", "publish", "secret_write"]) {
+            blocked.add(cap);
+        }
+    }
+    if (sandboxMode === "network-isolated") {
+        blocked.add("network");
+    }
+    // Per-capability levels
+    for (const cap of ALL_CAPABILITIES) {
+        const level = lattice[cap];
+        if (level === "none") {
+            blocked.add(cap);
+        }
+        else if (level === "advisory") {
+            approvalRequired.add(cap);
+        }
+    }
+    // Approval policy overrides
+    if (approvalPolicy === "block") {
+        for (const cap of ALL_CAPABILITIES) {
+            if (cap !== "read")
+                blocked.add(cap);
+        }
+    }
+    else if (approvalPolicy === "interactive") {
+        for (const cap of ALL_CAPABILITIES) {
+            if (cap !== "read" && !blocked.has(cap)) {
+                approvalRequired.add(cap);
+            }
+        }
+    }
+    else if (approvalPolicy === "yolo") {
+        // yolo removes approval requirements (but keeps blocks)
+        for (const cap of ALL_CAPABILITIES) {
+            approvalRequired.delete(cap);
+        }
+    }
+    // auto: advisory-level capabilities still need approval; full = allow
+    // (approvalRequired already contains advisory-level caps)
+    const blockedCapabilities = ALL_CAPABILITIES.filter((c) => blocked.has(c));
+    const approvalRequiredCapabilities = ALL_CAPABILITIES.filter((c) => approvalRequired.has(c) && !blocked.has(c));
+    return {
+        sandboxMode,
+        enforcedBy: [...sources],
+        blockedCapabilities,
+        approvalRequired: approvalRequiredCapabilities,
+        policyHash: hashCombinedPolicy(combined),
+    };
+}
+// ---------------------------------------------------------------------------
+// Policy hash (deterministic, no secrets)
+// ---------------------------------------------------------------------------
+function hashCombinedPolicy(combined) {
+    const payload = JSON.stringify({
+        lattice: combined.lattice,
+        sandboxMode: combined.sandboxMode,
+        approvalPolicy: combined.approvalPolicy,
+        sources: combined.sources,
+    });
+    return createHash("sha256").update(payload).digest("hex").slice(0, 16);
+}
+// ---------------------------------------------------------------------------
+// Adapter enforcement check
+// ---------------------------------------------------------------------------
+/**
+ * Returns true when the runtime/adapter has provided a valid enforcement proof.
+ * Runtimes without enforcement proof cannot enter authority lanes.
+ */
+export function hasValidEnforcementProof(proof) {
+    if (typeof proof !== "object" || proof === null)
+        return false;
+    const p = proof;
+    if (typeof p.policyHash !== "string" || p.policyHash.length === 0)
+        return false;
+    if (!Array.isArray(p.enforcedBy) || p.enforcedBy.length === 0)
+        return false;
+    if (!Array.isArray(p.blockedCapabilities))
+        return false;
+    if (!Array.isArray(p.approvalRequired))
+        return false;
+    if (!isSandboxMode(p.sandboxMode))
+        return false;
+    return true;
+}
+function isSandboxMode(v) {
+    return v === "read-only" || v === "workspace-write" || v === "network-isolated" || v === "unrestricted";
+}
+// ---------------------------------------------------------------------------
+// Convenience: build a PolicyLayer from legacy authority levels
+// ---------------------------------------------------------------------------
+export function policyLayerFromLegacyAuthorities(source, options) {
+    const lattice = {};
+    if (options.writeAuthority) {
+        lattice.write = options.writeAuthority;
+        lattice.merge = options.writeAuthority;
+        lattice.publish = options.writeAuthority;
+    }
+    if (options.shellAuthority) {
+        lattice.shell = options.shellAuthority;
+        lattice.merge = minLevel(lattice.merge, options.shellAuthority);
+        lattice.publish = minLevel(lattice.publish, options.shellAuthority);
+    }
+    return {
+        source,
+        lattice,
+        sandboxMode: options.sandboxMode,
+        approvalPolicy: options.approvalPolicy,
+    };
+}
+function minLevel(a, b) {
+    if (a === undefined)
+        return b;
+    return AUTHORITY_RANK[a] <= AUTHORITY_RANK[b] ? a : b;
+}
+/**
+ * Map a capability-lattice capability to the coarse ToolOp used by the gate.
+ * This preserves backward compatibility with the existing 4-class gate while
+ * allowing the new lattice to express finer-grained restrictions.
+ */
+export function capabilityToToolOp(cap) {
+    switch (cap) {
+        case "read":
+            return "read";
+        case "write":
+        case "publish":
+            return "write";
+        case "shell":
+            return "shell";
+        case "merge":
+            return "merge";
+        case "network":
+            return "network";
+        case "secret_read":
+        case "secret_write":
+            return "secret";
+    }
+}

package/dist/safety/tool-authority-gate.d.ts

@@ -60,3 +60,43 @@ export declare function mapToolNameToOp(toolName: string): ToolOp;
  * @see ToolAuthorityContext for the decision inputs and ordering rules.
  */
 export declare function decideToolAuthority(ctx: ToolAuthorityContext): ToolAuthorityDecision;
+import type { CapabilityLattice, CapabilityLevel, EnforcementProof, SandboxCapability } from "./enforcement-engine.js";
+/**
+ * Extended operation class for v2 gate.
+ * Adds "network" and "secret" ops so the lattice can express finer
+ * restrictions without weakening the existing 4-class gate.
+ */
+export type ToolOpV2 = ToolOp | "network" | "secret";
+/** Authority context enriched with enforcement proof. */
+export interface ToolAuthorityContextV2 extends ToolAuthorityContext {
+    /** v2 enforcement proof — required for authority lanes. */
+    readonly enforcementProof?: EnforcementProof;
+    /** Full capability lattice when available. */
+    readonly lattice?: Readonly<CapabilityLattice>;
+}
+/**
+ * Derive the effective capability level for a tool operation from the lattice.
+ */
+export declare function toolOpToCapability(op: ToolOpV2): SandboxCapability;
+/**
+ * Build a ToolAuthorityContext from an enforcement proof.
+ * Bridges the v2 lattice into the legacy gate.
+ */
+export declare function buildToolAuthorityContextFromProof(op: ToolOpV2, proof: EnforcementProof, tty: boolean): ToolAuthorityContext;
+/**
+ * Decide using v2 enforcement proof when available, else fall back to legacy.
+ */
+export declare function decideToolAuthorityV2(ctx: ToolAuthorityContextV2): ToolAuthorityDecision;
+/**
+ * Pure v2 capability check.
+ */
+export declare function effectiveCapabilityLevel(cap: SandboxCapability, lattice?: Readonly<CapabilityLattice>): CapabilityLevel;
+/**
+ * Adapter-enforced capability resolution.
+ * Runtimes without enforcement proof cannot enter authority lanes.
+ */
+export declare function isOperationAllowedByProof(op: ToolOpV2, proof: EnforcementProof | undefined): boolean;
+/**
+ * Returns true when the operation requires explicit approval per the proof.
+ */
+export declare function isOperationApprovalRequiredByProof(op: ToolOpV2, proof: EnforcementProof | undefined): boolean;

package/dist/safety/tool-authority-gate.js

@@ -106,3 +106,95 @@ export function decideToolAuthority(ctx) {
     // interactive: ask only when a TTY is attached; non-TTY ask = deny-by-default.
     return ctx.tty ? "ask" : "block";
 }
+/**
+ * Derive the effective capability level for a tool operation from the lattice.
+ */
+export function toolOpToCapability(op) {
+    switch (op) {
+        case "read":
+            return "read";
+        case "write":
+            return "write";
+        case "shell":
+            return "shell";
+        case "merge":
+            return "merge";
+        case "network":
+            return "network";
+        case "secret":
+            return "secret_write";
+    }
+}
+/**
+ * Build a ToolAuthorityContext from an enforcement proof.
+ * Bridges the v2 lattice into the legacy gate.
+ */
+export function buildToolAuthorityContextFromProof(op, proof, tty) {
+    const cap = toolOpToCapability(op);
+    const blocked = proof.blockedCapabilities.includes(cap);
+    const approvalPolicy = blocked
+        ? "block"
+        : proof.approvalRequired.includes(cap)
+            ? "interactive"
+            : "auto";
+    const writeBlocked = proof.blockedCapabilities.includes("write") || proof.blockedCapabilities.includes("publish");
+    const shellBlocked = proof.blockedCapabilities.includes("shell");
+    const writeApproval = proof.approvalRequired.includes("write") || proof.approvalRequired.includes("publish");
+    const shellApproval = proof.approvalRequired.includes("shell");
+    const writeAuthority = writeBlocked
+        ? "none"
+        : writeApproval
+            ? "advisory"
+            : "full";
+    const shellAuthority = shellBlocked
+        ? "none"
+        : shellApproval
+            ? "advisory"
+            : "full";
+    const sandboxMode = proof.sandboxMode === "read-only" ? "read-only" : "workspace-write";
+    return {
+        op: op === "network" || op === "secret" ? "shell" : op,
+        writeAuthority,
+        shellAuthority,
+        approvalPolicy,
+        sandboxMode,
+        tty,
+    };
+}
+/**
+ * Decide using v2 enforcement proof when available, else fall back to legacy.
+ */
+export function decideToolAuthorityV2(ctx) {
+    if (ctx.enforcementProof) {
+        const legacyCtx = buildToolAuthorityContextFromProof(ctx.op, ctx.enforcementProof, ctx.tty);
+        return decideToolAuthority(legacyCtx);
+    }
+    return decideToolAuthority(ctx);
+}
+/**
+ * Pure v2 capability check.
+ */
+export function effectiveCapabilityLevel(cap, lattice) {
+    if (!lattice)
+        return "full";
+    return lattice[cap] ?? "full";
+}
+/**
+ * Adapter-enforced capability resolution.
+ * Runtimes without enforcement proof cannot enter authority lanes.
+ */
+export function isOperationAllowedByProof(op, proof) {
+    if (!proof)
+        return false;
+    const cap = toolOpToCapability(op);
+    return !proof.blockedCapabilities.includes(cap);
+}
+/**
+ * Returns true when the operation requires explicit approval per the proof.
+ */
+export function isOperationApprovalRequiredByProof(op, proof) {
+    if (!proof)
+        return true;
+    const cap = toolOpToCapability(op);
+    return proof.approvalRequired.includes(cap);
+}

package/dist/schema/evidence.schema.d.ts

@@ -14,7 +14,7 @@ export declare const EvidenceRecordSchema: z.ZodObject<{
     observedAt: z.ZodString;
     message: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
-    status: "failed" | "skipped" | "blocked" | "missing" | "passed";
+    status: "failed" | "skipped" | "missing" | "blocked" | "passed";
     kind: "file-exists" | "custom" | "summary-present" | "command-passes" | "git-diff-non-empty" | "marker-present" | "screenshot-present";
     required: boolean;
     runId: string;
@@ -27,7 +27,7 @@ export declare const EvidenceRecordSchema: z.ZodObject<{
     path?: string | undefined;
     nodeId?: string | undefined;
 }, {
-    status: "failed" | "skipped" | "blocked" | "missing" | "passed";
+    status: "failed" | "skipped" | "missing" | "blocked" | "passed";
     kind: "file-exists" | "custom" | "summary-present" | "command-passes" | "git-diff-non-empty" | "marker-present" | "screenshot-present";
     required: boolean;
     runId: string;

package/dist/schema/proof-bundle.schema.d.ts

@@ -16,29 +16,29 @@ export declare const ProofBundleFilesSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     commands: string;
     rawPrompt: string;
-    verifyJson: string;
+    limitations: string;
     decisionsJsonl: string;
-    runManifest: string;
     evidenceJsonl: string;
-    limitations: string;
+    verifyJson: string;
+    runManifest: string;
     stdout?: string | undefined;
     stderr?: string | undefined;
     replay?: string | undefined;
-    diffPatch?: string | undefined;
     inspectJson?: string | undefined;
+    diffPatch?: string | undefined;
 }, {
     commands: string;
     rawPrompt: string;
-    verifyJson: string;
+    limitations: string;
     decisionsJsonl: string;
-    runManifest: string;
     evidenceJsonl: string;
-    limitations: string;
+    verifyJson: string;
+    runManifest: string;
     stdout?: string | undefined;
     stderr?: string | undefined;
     replay?: string | undefined;
-    diffPatch?: string | undefined;
     inspectJson?: string | undefined;
+    diffPatch?: string | undefined;
 }>;
 export declare const ProofBundleSchema: z.ZodObject<{
     schemaVersion: z.ZodLiteral<"omk.proof-bundle.v1">;
@@ -66,29 +66,29 @@ export declare const ProofBundleSchema: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         commands: string;
         rawPrompt: string;
-        verifyJson: string;
+        limitations: string;
         decisionsJsonl: string;
-        runManifest: string;
         evidenceJsonl: string;
-        limitations: string;
+        verifyJson: string;
+        runManifest: string;
         stdout?: string | undefined;
         stderr?: string | undefined;
         replay?: string | undefined;
-        diffPatch?: string | undefined;
         inspectJson?: string | undefined;
+        diffPatch?: string | undefined;
     }, {
         commands: string;
         rawPrompt: string;
-        verifyJson: string;
+        limitations: string;
         decisionsJsonl: string;
-        runManifest: string;
         evidenceJsonl: string;
-        limitations: string;
+        verifyJson: string;
+        runManifest: string;
         stdout?: string | undefined;
         stderr?: string | undefined;
         replay?: string | undefined;
-        diffPatch?: string | undefined;
         inspectJson?: string | undefined;
+        diffPatch?: string | undefined;
     }>;
     verdict: z.ZodEnum<["passed", "failed", "partial"]>;
     knownLimitations: z.ZodArray<z.ZodString, "many">;
@@ -101,23 +101,23 @@ export declare const ProofBundleSchema: z.ZodObject<{
     files: {
         commands: string;
         rawPrompt: string;
-        verifyJson: string;
+        limitations: string;
         decisionsJsonl: string;
-        runManifest: string;
         evidenceJsonl: string;
-        limitations: string;
+        verifyJson: string;
+        runManifest: string;
         stdout?: string | undefined;
         stderr?: string | undefined;
         replay?: string | undefined;
-        diffPatch?: string | undefined;
         inspectJson?: string | undefined;
+        diffPatch?: string | undefined;
     };
     providerPolicy: string;
     omkVersion: string;
-    runtimeVersion: "v1.2";
+    verdict: "failed" | "partial" | "passed";
     proofId: string;
+    runtimeVersion: "v1.2";
     scenario: "no-kimi-smoke" | "evidence-block" | "fallback-route" | "dag-dependent-block" | "replay-inspect" | "example-generation" | "doctor-provider" | "native-safety" | "contract-version-smoke";
-    verdict: "failed" | "partial" | "passed";
     knownLimitations: string[];
     checksums: Record<string, string>;
 }, {
@@ -128,23 +128,23 @@ export declare const ProofBundleSchema: z.ZodObject<{
     files: {
         commands: string;
         rawPrompt: string;
-        verifyJson: string;
+        limitations: string;
         decisionsJsonl: string;
-        runManifest: string;
         evidenceJsonl: string;
-        limitations: string;
+        verifyJson: string;
+        runManifest: string;
         stdout?: string | undefined;
         stderr?: string | undefined;
         replay?: string | undefined;
-        diffPatch?: string | undefined;
         inspectJson?: string | undefined;
+        diffPatch?: string | undefined;
     };
     providerPolicy: string;
     omkVersion: string;
-    runtimeVersion: "v1.2";
+    verdict: "failed" | "partial" | "passed";
     proofId: string;
+    runtimeVersion: "v1.2";
     scenario: "no-kimi-smoke" | "evidence-block" | "fallback-route" | "dag-dependent-block" | "replay-inspect" | "example-generation" | "doctor-provider" | "native-safety" | "contract-version-smoke";
-    verdict: "failed" | "partial" | "passed";
     knownLimitations: string[];
     checksums: Record<string, string>;
 }>;

package/dist/util/clipboard-image.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Cross-platform clipboard image reader.
+ *
+ * Wraps the platform-specific clipboard reading from screenshot-store patterns
+ * into a reusable utility for the chat REPL, goal commands, and any input
+ * surface that needs Ctrl+V / paste image support.
+ *
+ * Platforms:
+ * - macOS: `pngpaste -` (brew) or `osascript` with TIFF→PNG conversion
+ * - Linux: `xclip -selection clipboard -target image/png`
+ * - Windows: PowerShell System.Windows.Forms.Clipboard
+ *
+ * Output: PNG Buffer + saved file path under .omk/screenshots/
+ */
+export declare const SCREENSHOT_DIR = ".omk/screenshots";
+export declare const MAX_IMAGE_BYTES: number;
+export interface ClipboardImage {
+    ok: boolean;
+    /** Absolute path to the saved PNG/JPG/WebP/GIF file. */
+    path?: string;
+    /** Project-relative path (e.g. .omk/screenshots/2026-06-08/screenshot-....png). */
+    relativePath?: string;
+    /** Base64 data URI suitable for wire protocol image_url. */
+    dataUri?: string;
+    /** Base64 raw (no prefix). */
+    base64?: string;
+    /** Detected extension: png, jpg, webp, gif. */
+    ext?: string;
+    /** Error message when ok=false. */
+    error?: string;
+}
+export declare function detectImageExt(buf: Buffer): string | null;
+export declare function toDataUri(base64: string, ext: string): string;
+/**
+ * Read an image from the system clipboard. Returns null if clipboard is empty
+ * or contains no image. Platform-specific: macOS (pngpaste/osascript), Linux
+ * (xclip/wl-paste), Windows (PowerShell).
+ */
+export declare function readClipboardImage(platform?: NodeJS.Platform): Buffer | null;
+/**
+ * Read clipboard image, validate, save to .omk/screenshots/, and return
+ * both the file path and base64 data URI for wire protocol use.
+ */
+export declare function pasteClipboardImage(projectRoot: string): ClipboardImage;
+/**
+ * Read an image file from disk, validate, and return base64 data URI.
+ * Used for --image <file> flag support.
+ */
+export declare function readImageFile(filePath: string): ClipboardImage;