openkitt 0.1.2

package/dist/sandbox/command-allowlist.js

@@ -0,0 +1,103 @@
+import { createAuditLogger } from '../audit/logger.js';
+import { getCommand } from '../utils/pm.js';
+const auditLogger = createAuditLogger('.');
+const SEMVER_PATTERN = String.raw `\d+\.\d+\.\d+`;
+const PATH_PATTERN = String.raw `[A-Za-z0-9._/-]+`;
+const PACKAGE_PATTERN = String.raw `(?:@[a-z0-9][a-z0-9-]*/)?[a-z0-9][a-z0-9._-]*`;
+const COMPONENT_PATTERN = String.raw `[a-z0-9-]+`;
+const APPROVED_PACKAGES = new Set([
+    'tailwindcss',
+    '@tailwindcss/vite',
+    '@tailwindcss/postcss',
+    'shadcn',
+    'storybook',
+    '@storybook/react-vite',
+    '@storybook/addon-essentials',
+    'drizzle-orm',
+    'drizzle-kit',
+    'prisma',
+    '@prisma/client',
+    'pg',
+    '@types/pg',
+    'postgres',
+    'mysql2',
+    'better-sqlite3',
+    '@types/better-sqlite3',
+    'ioredis',
+    '@types/ioredis',
+    'better-auth',
+    'stripe',
+    '@stripe/stripe-js',
+    '@polar-sh/sdk',
+    'resend',
+    'bullmq',
+    '@trigger.dev/sdk',
+    '@trigger.dev/react',
+    'posthog-js',
+    'posthog-node',
+    '@sentry/node',
+    '@sentry/react',
+    '@sentry/nextjs',
+    '@sentry/vite-plugin',
+    'vitest',
+    '@testing-library/react',
+    '@testing-library/jest-dom',
+    '@playwright/test',
+    '@tanstack/react-start',
+    '@tanstack/react-router',
+    '@tanstack/router-plugin',
+    '@tanstack/react-query',
+    'react',
+    'react-dom',
+    '@types/react',
+    '@types/react-dom',
+    'typescript',
+    'vite',
+    'vite-tsconfig-paths',
+    '@vitejs/plugin-react',
+    'next',
+    'express',
+    '@types/express',
+    'hono',
+]);
+function escapeRegex(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, String.raw `\$&`);
+}
+function blocked(command, reason) {
+    auditLogger.security('BLOCKED', `command: "${command}" (source: LLM)`);
+    return {
+        allowed: false,
+        reason,
+    };
+}
+export function validateCommand(command, packageManager) {
+    const executePrefix = escapeRegex(getCommand(packageManager, 'execute'));
+    const removePrefix = escapeRegex(getCommand(packageManager, 'remove'));
+    const packageWithVersion = `(${PACKAGE_PATTERN})@(${SEMVER_PATTERN})`;
+    const commandPatterns = [
+        new RegExp(`^${executePrefix} create-next-app@${SEMVER_PATTERN} ${PATH_PATTERN} --typescript$`),
+        new RegExp(`^${executePrefix} @tanstack/cli@${SEMVER_PATTERN} create ${PATH_PATTERN}(?: --framework [A-Za-z]+)?(?: --no-install)?(?: --no-examples)?(?: --package-manager ${PACKAGE_PATTERN})?(?: --deployment ${COMPONENT_PATTERN})?(?: --toolchain ${COMPONENT_PATTERN})?$`),
+        new RegExp(`^${removePrefix} ${PACKAGE_PATTERN}$`),
+        new RegExp(`^${executePrefix} shadcn@${SEMVER_PATTERN} init(?: --yes)?(?: --base-color [a-z]+)?(?: --cwd ${PATH_PATTERN})?$`),
+        new RegExp(`^${executePrefix} shadcn@${SEMVER_PATTERN} add ${COMPONENT_PATTERN}$`),
+        new RegExp(`^${executePrefix} storybook@${SEMVER_PATTERN} init$`),
+        new RegExp(`^${executePrefix} prisma init$`),
+        new RegExp(`^${executePrefix} prisma generate$`),
+        new RegExp(`^${executePrefix} drizzle-kit generate$`),
+        new RegExp(`^${executePrefix} playwright install$`),
+    ];
+    const cdMatch = /^cd ([A-Za-z0-9._\/-]+) && (.+)$/.exec(command);
+    const bare = cdMatch ? cdMatch[2] : command;
+    const addPrefix = escapeRegex(getCommand(packageManager, 'add'));
+    const devFlag = String.raw `(?:(?:-D|-d|--dev|--save-dev) )?`;
+    const addRegex = new RegExp(`^${addPrefix} ${devFlag}${packageWithVersion}( ${packageWithVersion})*$`);
+    if (addRegex.test(bare)) {
+        return blocked(command, 'bun add commands are not allowed — all dependencies must be declared in package.json');
+    }
+    const allowed = commandPatterns.some((pattern) => pattern.test(bare));
+    if (allowed) {
+        return { allowed: true };
+    }
+    return blocked(command, 'Command does not match any allowed pattern');
+}
+//# sourceMappingURL=command-allowlist.js.map

package/dist/sandbox/command-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-allowlist.js","sourceRoot":"","sources":["../../src/sandbox/command-allowlist.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAuB,MAAM,gBAAgB,CAAC;AAOjE,MAAM,WAAW,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;AAE3C,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAA,eAAe,CAAC;AACjD,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAA,kBAAkB,CAAC;AAClD,MAAM,eAAe,GAAG,MAAM,CAAC,GAAG,CAAA,+CAA+C,CAAC;AAClF,MAAM,iBAAiB,GAAG,MAAM,CAAC,GAAG,CAAA,YAAY,CAAC;AAEjD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAS;IACxC,aAAa;IACb,mBAAmB;IACnB,sBAAsB;IACtB,QAAQ;IACR,WAAW;IACX,uBAAuB;IACvB,6BAA6B;IAC7B,aAAa;IACb,aAAa;IACb,QAAQ;IACR,gBAAgB;IAChB,IAAI;IACJ,WAAW;IACX,UAAU;IACV,QAAQ;IACR,gBAAgB;IAChB,uBAAuB;IACvB,SAAS;IACT,gBAAgB;IAChB,aAAa;IACb,QAAQ;IACR,mBAAmB;IACnB,eAAe;IACf,QAAQ;IACR,QAAQ;IACR,kBAAkB;IAClB,oBAAoB;IACpB,YAAY;IACZ,cAAc;IACd,cAAc;IACd,eAAe;IACf,gBAAgB;IAChB,qBAAqB;IACrB,QAAQ;IACR,wBAAwB;IACxB,2BAA2B;IAC3B,kBAAkB;IAClB,uBAAuB;IACvB,wBAAwB;IACxB,yBAAyB;IACzB,uBAAuB;IACvB,OAAO;IACP,WAAW;IACX,cAAc;IACd,kBAAkB;IAClB,YAAY;IACZ,MAAM;IACN,qBAAqB;IACrB,sBAAsB;IACtB,MAAM;IACN,SAAS;IACT,gBAAgB;IAChB,MAAM;CACP,CAAC,CAAC;AAEH,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,GAAG,CAAA,KAAK,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,OAAO,CAAC,OAAe,EAAE,MAAc;IAC9C,WAAW,CAAC,QAAQ,CAAC,SAAS,EAAE,aAAa,OAAO,iBAAiB,CAAC,CAAC;IACvE,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM;KACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,cAA8B;IAC7E,MAAM,aAAa,GAAG,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC;IACzE,MAAM,YAAY,GAAG,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,CAAC;IACvE,MAAM,kBAAkB,GAAG,IAAI,eAAe,MAAM,cAAc,GAAG,CAAC;IACtE,MAAM,eAAe,GAAG;QACtB,IAAI,MAAM,CAAC,IAAI,aAAa,oBAAoB,cAAc,IAAI,YAAY,gBAAgB,CAAC;QAC/F,IAAI,MAAM,CAAC,IAAI,aAAa,kBAAkB,cAAc,WAAW,YAAY,yFAAyF,eAAe,sBAAsB,iBAAiB,qBAAqB,iBAAiB,KAAK,CAAC;QAC9Q,IAAI,MAAM,CAAC,IAAI,YAAY,IAAI,eAAe,GAAG,CAAC;QAClD,IAAI,MAAM,CAAC,IAAI,aAAa,WAAW,cAAc,sDAAsD,YAAY,KAAK,CAAC;QAC7H,IAAI,MAAM,CAAC,IAAI,aAAa,WAAW,cAAc,QAAQ,iBAAiB,GAAG,CAAC;QAClF,IAAI,MAAM,CAAC,IAAI,aAAa,cAAc,cAAc,QAAQ,CAAC;QACjE,IAAI,MAAM,CAAC,IAAI,aAAa,eAAe,CAAC;QAC5C,IAAI,MAAM,CAAC,IAAI,aAAa,mBAAmB,CAAC;QAChD,IAAI,MAAM,CAAC,IAAI,aAAa,wBAAwB,CAAC;QACrD,IAAI,MAAM,CAAC,IAAI,aAAa,sBAAsB,CAAC;KACpD,CAAC;IACF,MAAM,OAAO,GAAG,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAA,kCAAkC,CAAC;IAC7D,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,IAAI,SAAS,IAAI,OAAO,GAAG,kBAAkB,KAAK,kBAAkB,KAAK,CAAC,CAAC;IACvG,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,OAAO,CAAC,OAAO,EAAE,sFAAsF,CAAC,CAAC;IAClH,CAAC;IACD,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACtE,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,OAAO,CAAC,OAAO,EAAE,4CAA4C,CAAC,CAAC;AACxE,CAAC"}

package/dist/sandbox/package-allowlist.d.ts

@@ -0,0 +1,6 @@
+export declare const INTEGRATION_PACKAGE_MAP: ReadonlyMap<string, readonly string[]>;
+export declare const APPROVED_PACKAGES: ReadonlySet<string>;
+export declare function isApprovedPackage(packageName: string): boolean;
+export declare function getPackagesForIntegration(integration: string): string[];
+export declare function isApprovedIntegration(integration: string): boolean;
+export declare function getAllApprovedPackages(): string[];

package/dist/sandbox/package-allowlist.js

@@ -0,0 +1,49 @@
+export const INTEGRATION_PACKAGE_MAP = new Map([
+    ["TailwindCSS v4", ["tailwindcss", "@tailwindcss/vite", "@tailwindcss/postcss"]],
+    ["shadcn/ui", ["shadcn"]],
+    ["Storybook", ["storybook", "@storybook/react-vite", "@storybook/addon-essentials"]],
+    ["Drizzle", ["drizzle-orm", "drizzle-kit"]],
+    ["Prisma", ["prisma", "@prisma/client"]],
+    ["PostgreSQL", ["pg", "@types/pg", "postgres"]],
+    ["MySQL", ["mysql2"]],
+    ["SQLite", ["better-sqlite3", "@types/better-sqlite3"]],
+    ["Redis", ["ioredis", "@types/ioredis"]],
+    ["Better Auth", ["better-auth"]],
+    ["Stripe", ["stripe", "@stripe/stripe-js"]],
+    ["Polar", ["@polar-sh/sdk"]],
+    ["Resend", ["resend"]],
+    ["BullMQ", ["bullmq"]],
+    ["Trigger.dev", ["@trigger.dev/sdk", "@trigger.dev/react"]],
+    ["PostHog", ["posthog-js", "posthog-node"]],
+    ["Sentry", ["@sentry/node", "@sentry/react", "@sentry/nextjs", "@sentry/vite-plugin"]],
+    ["Vitest", ["vitest", "@testing-library/react", "@testing-library/jest-dom"]],
+    ["Playwright", ["@playwright/test"]],
+    ["TanStack Start", ["@tanstack/react-start", "@tanstack/react-router", "@tanstack/router-plugin", "react", "react-dom", "@types/react", "@types/react-dom", "typescript", "vite", "vite-tsconfig-paths", "@vitejs/plugin-react"]],
+    ["TanStack Query", ["@tanstack/react-query"]],
+    ["Next.js", ["next", "react", "react-dom", "@types/react", "@types/react-dom"]],
+    ["Express.js", ["express", "@types/express"]],
+    ["Hono", ["hono"]],
+]);
+export const APPROVED_PACKAGES = new Set(Array.from(INTEGRATION_PACKAGE_MAP.values()).flat());
+function stripVersionSuffix(packageName) {
+    const versionSeparatorIndex = packageName.startsWith("@")
+        ? packageName.indexOf("@", 1)
+        : packageName.indexOf("@");
+    return versionSeparatorIndex === -1
+        ? packageName
+        : packageName.slice(0, versionSeparatorIndex);
+}
+export function isApprovedPackage(packageName) {
+    return APPROVED_PACKAGES.has(stripVersionSuffix(packageName));
+}
+export function getPackagesForIntegration(integration) {
+    const packages = INTEGRATION_PACKAGE_MAP.get(integration);
+    return packages ? [...packages] : [];
+}
+export function isApprovedIntegration(integration) {
+    return INTEGRATION_PACKAGE_MAP.has(integration);
+}
+export function getAllApprovedPackages() {
+    return [...APPROVED_PACKAGES].sort((a, b) => a.localeCompare(b));
+}
+//# sourceMappingURL=package-allowlist.js.map

package/dist/sandbox/package-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-allowlist.js","sourceRoot":"","sources":["../../src/sandbox/package-allowlist.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,uBAAuB,GAA2C,IAAI,GAAG,CAGpF;IACA,CAAC,gBAAgB,EAAE,CAAC,aAAa,EAAE,mBAAmB,EAAE,sBAAsB,CAAU,CAAC;IACzF,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAU,CAAC;IAClC,CAAC,WAAW,EAAE,CAAC,WAAW,EAAE,uBAAuB,EAAE,6BAA6B,CAAU,CAAC;IAC7F,CAAC,SAAS,EAAE,CAAC,aAAa,EAAE,aAAa,CAAU,CAAC;IACpD,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,gBAAgB,CAAU,CAAC;IACjD,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,UAAU,CAAU,CAAC;IACxD,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAU,CAAC;IAC9B,CAAC,QAAQ,EAAE,CAAC,gBAAgB,EAAE,uBAAuB,CAAU,CAAC;IAChE,CAAC,OAAO,EAAE,CAAC,SAAS,EAAE,gBAAgB,CAAU,CAAC;IACjD,CAAC,aAAa,EAAE,CAAC,aAAa,CAAU,CAAC;IACzC,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,mBAAmB,CAAU,CAAC;IACpD,CAAC,OAAO,EAAE,CAAC,eAAe,CAAU,CAAC;IACrC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAU,CAAC;IAC/B,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAU,CAAC;IAC/B,CAAC,aAAa,EAAE,CAAC,kBAAkB,EAAE,oBAAoB,CAAU,CAAC;IACpE,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,cAAc,CAAU,CAAC;IACpD,CAAC,QAAQ,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,qBAAqB,CAAU,CAAC;IAC/F,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,wBAAwB,EAAE,2BAA2B,CAAU,CAAC;IACtF,CAAC,YAAY,EAAE,CAAC,kBAAkB,CAAU,CAAC;IAC7C,CAAC,gBAAgB,EAAE,CAAC,uBAAuB,EAAE,wBAAwB,EAAE,yBAAyB,EAAE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,EAAE,qBAAqB,EAAE,sBAAsB,CAAU,CAAC;IAC1O,CAAC,gBAAgB,EAAE,CAAC,uBAAuB,CAAU,CAAC;IACtD,CAAC,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,kBAAkB,CAAU,CAAC;IACxF,CAAC,YAAY,EAAE,CAAC,SAAS,EAAE,gBAAgB,CAAU,CAAC;IACtD,CAAC,MAAM,EAAE,CAAC,MAAM,CAAU,CAAC;CAC5B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAC3D,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,CACpD,CAAC;AAEF,SAAS,kBAAkB,CAAC,WAAmB;IAC7C,MAAM,qBAAqB,GAAG,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC;QACvD,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAC7B,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE7B,OAAO,qBAAqB,KAAK,CAAC,CAAC;QACjC,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,qBAAqB,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,OAAO,iBAAiB,CAAC,GAAG,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,WAAmB;IAC3D,MAAM,QAAQ,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC1D,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,WAAmB;IACvD,OAAO,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,CAAC,GAAG,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC"}

package/dist/sandbox/scanner.d.ts

@@ -0,0 +1,25 @@
+export interface ScanResult {
+    safe: boolean;
+    warnings: ScanWarning[];
+}
+export interface ScanWarning {
+    type: 'suspicious_pattern' | 'invalid_file_type' | 'path_traversal';
+    filePath: string;
+    detail: string;
+}
+export declare function scanFileContent(filePath: string, content: string): ScanWarning[];
+export declare function validateFilePath(filePath: string): ScanWarning[];
+export declare function validateFileType(filePath: string): ScanWarning[];
+export declare function scanStagedFiles(workspaceDir: string): ScanResult;
+export interface SecretScanResult {
+    safe: boolean;
+    findings: SecretFinding[];
+}
+export interface SecretFinding {
+    filePath: string;
+    variableName: string;
+}
+export declare const SECRET_PATTERNS: readonly string[];
+export declare function isSecretVariable(variableName: string): boolean;
+export declare function maskSecretValue(value: string): string;
+export declare function scanForSecrets(workspaceDir: string, filePaths: string[]): SecretScanResult;

package/dist/sandbox/scanner.js

@@ -0,0 +1,196 @@
+import { existsSync, lstatSync, readFileSync } from 'node:fs';
+import { extname, isAbsolute, join, normalize, resolve } from 'node:path';
+import { createAuditLogger } from '../audit/logger.js';
+import { listStagedFiles } from './staging.js';
+const ALLOWED_EXTENSIONS = new Set([
+    '.ts',
+    '.tsx',
+    '.js',
+    '.mjs',
+    '.cjs',
+    '.jsx',
+    '.json',
+    '.css',
+    '.md',
+    '.toml',
+    '.prisma',
+    '.sql',
+    '.html',
+]);
+const SUSPICIOUS_CONTENT_PATTERNS = [
+    { pattern: /\beval\s*\(/, detail: "Found 'eval(' - dynamic code execution is not allowed" },
+    { pattern: /\bexec\s*\(/, detail: "Found 'exec(' - command execution is not allowed" },
+    { pattern: /\bchild_process\b/, detail: "Found 'child_process' - process spawning module usage is not allowed" },
+    { pattern: /\bspawn\s*\(/, detail: "Found 'spawn(' - process spawning is not allowed" },
+    {
+        pattern: /require\(\s*['"]http['"]\s*\)/,
+        detail: "Found 'require(\"http\")' - insecure HTTP imports are not allowed",
+    },
+    {
+        pattern: /<script[^>]*\bsrc\s*=\s*['"]https?:\/\/[^'"]+['"][^>]*>/i,
+        detail: "Found external '<script src>' URL - remote script loading is not allowed",
+    },
+];
+function isDotEnvExampleFile(filePath) {
+    const normalizedPath = normalize(filePath);
+    const segments = normalizedPath.split(/[\\/]/);
+    const fileName = segments.at(-1) ?? normalizedPath;
+    return fileName === '.env.example';
+}
+export function scanFileContent(filePath, content) {
+    const warnings = [];
+    for (const entry of SUSPICIOUS_CONTENT_PATTERNS) {
+        if (!entry.pattern.test(content)) {
+            continue;
+        }
+        warnings.push({
+            type: 'suspicious_pattern',
+            filePath,
+            detail: entry.detail,
+        });
+    }
+    if (filePath.endsWith('package.json') && /"(?:postinstall|preinstall)"\s*:/.test(content)) {
+        warnings.push({
+            type: 'suspicious_pattern',
+            filePath,
+            detail: "Found 'postinstall/preinstall' script in package.json - install hooks are not allowed",
+        });
+    }
+    return warnings;
+}
+export function validateFilePath(filePath) {
+    const warnings = [];
+    const normalizedPath = normalize(filePath);
+    if (isAbsolute(filePath) || isAbsolute(normalizedPath)) {
+        warnings.push({
+            type: 'path_traversal',
+            filePath,
+            detail: 'Path must be relative and cannot be absolute',
+        });
+    }
+    const segments = normalizedPath.split(/[\\/]/).filter(Boolean);
+    if (segments.includes('..')) {
+        warnings.push({
+            type: 'path_traversal',
+            filePath,
+            detail: "Path contains '..' segments and may escape the workspace",
+        });
+    }
+    if (existsSync(filePath)) {
+        const stats = lstatSync(filePath);
+        if (stats.isSymbolicLink()) {
+            warnings.push({
+                type: 'path_traversal',
+                filePath,
+                detail: 'Symbolic links are not allowed in staged paths',
+            });
+        }
+    }
+    return warnings;
+}
+export function validateFileType(filePath) {
+    if (isDotEnvExampleFile(filePath)) {
+        return [];
+    }
+    const extension = extname(filePath).toLowerCase();
+    if (ALLOWED_EXTENSIONS.has(extension)) {
+        return [];
+    }
+    return [
+        {
+            type: 'invalid_file_type',
+            filePath,
+            detail: `File type '${extension}' is not in the allowed list`,
+        },
+    ];
+}
+export function scanStagedFiles(workspaceDir) {
+    const auditLogger = createAuditLogger(workspaceDir);
+    const warnings = [];
+    const stagedFiles = listStagedFiles(workspaceDir);
+    const stagingRoot = resolve(workspaceDir, '.kitt/staging');
+    for (const stagedFile of stagedFiles) {
+        const filePathWarnings = validateFilePath(stagedFile.relativePath);
+        const fileTypeWarnings = validateFileType(stagedFile.relativePath);
+        warnings.push(...filePathWarnings, ...fileTypeWarnings);
+        const hasPathIssues = filePathWarnings.length > 0;
+        if (hasPathIssues) {
+            continue;
+        }
+        const stagedAbsolutePath = resolve(stagingRoot, normalize(stagedFile.relativePath));
+        const stagedContent = readFileSync(stagedAbsolutePath, 'utf-8');
+        warnings.push(...scanFileContent(stagedFile.relativePath, stagedContent));
+    }
+    for (const warning of warnings) {
+        auditLogger.security('WARNING', `${warning.filePath}: ${warning.detail}`);
+    }
+    return {
+        safe: warnings.length === 0,
+        warnings,
+    };
+}
+export const SECRET_PATTERNS = [
+    'SECRET',
+    'KEY',
+    'TOKEN',
+    'PASSWORD',
+    'CREDENTIAL',
+    'PRIVATE',
+    'API_KEY',
+    'DATABASE_URL',
+    'REDIS_URL',
+    'DSN',
+    'CONNECTION_STRING',
+];
+const DEPLOY_SECRET_SCAN_IGNORED_DIRS = new Set(['.git', '.kitt', 'node_modules', 'dist', '.next', '.vinxi']);
+function isIgnoredForDeploySecretScan(filePath) {
+    const normalizedPath = normalize(filePath);
+    const segments = normalizedPath.split(/[\\/]/).filter(Boolean);
+    return segments.some((segment) => DEPLOY_SECRET_SCAN_IGNORED_DIRS.has(segment));
+}
+export function isSecretVariable(variableName) {
+    const normalizedName = variableName.toUpperCase();
+    return SECRET_PATTERNS.some((pattern) => normalizedName.includes(pattern));
+}
+export function maskSecretValue(value) {
+    if (value.length > 8) {
+        return `${value.slice(0, 4)}****`;
+    }
+    return '****';
+}
+export function scanForSecrets(workspaceDir, filePaths) {
+    const auditLogger = createAuditLogger(workspaceDir);
+    const findings = [];
+    for (const filePath of filePaths) {
+        if (isIgnoredForDeploySecretScan(filePath)) {
+            continue;
+        }
+        const normalizedPath = normalize(filePath);
+        const segments = normalizedPath.split(/[\\/]/).filter(Boolean);
+        const fileName = segments.at(-1) ?? normalizedPath;
+        if (fileName.startsWith('.env') && !isDotEnvExampleFile(filePath)) {
+            findings.push({ filePath, variableName: '(env file)' });
+        }
+        const absolutePath = join(workspaceDir, filePath);
+        if (!existsSync(absolutePath)) {
+            continue;
+        }
+        const content = readFileSync(absolutePath, 'utf-8');
+        const variableRegex = /^([A-Z_][A-Z0-9_]*)\s*=/gm;
+        for (const match of content.matchAll(variableRegex)) {
+            const variableName = match[1];
+            if (!isSecretVariable(variableName)) {
+                continue;
+            }
+            findings.push({ filePath, variableName });
+        }
+    }
+    for (const finding of findings) {
+        auditLogger.security('WARNING', `${finding.filePath} (contains ${finding.variableName})`);
+    }
+    return {
+        safe: findings.length === 0,
+        findings,
+    };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/sandbox/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/sandbox/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAa/C,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAS;IACzC,KAAK;IACL,MAAM;IACN,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,KAAK;IACL,OAAO;IACP,SAAS;IACT,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,MAAM,2BAA2B,GAA+C;IAC9E,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,uDAAuD,EAAE;IAC3F,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,kDAAkD,EAAE;IACtF,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,sEAAsE,EAAE;IAChH,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,kDAAkD,EAAE;IACvF;QACE,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,mEAAmE;KAC5E;IACD;QACE,OAAO,EAAE,0DAA0D;QACnE,MAAM,EAAE,0EAA0E;KACnF;CACF,CAAC;AAEF,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC;IACnD,OAAO,QAAQ,KAAK,cAAc,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,OAAe;IAC/D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,KAAK,MAAM,KAAK,IAAI,2BAA2B,EAAE,CAAC;QAChD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,oBAAoB;YAC1B,QAAQ;YACR,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1F,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,oBAAoB;YAC1B,QAAQ;YACR,MAAM,EAAE,uFAAuF;SAChG,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IAE3C,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACvD,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,gBAAgB;YACtB,QAAQ;YACR,MAAM,EAAE,8CAA8C;SACvD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,gBAAgB;YACtB,QAAQ;YACR,MAAM,EAAE,0DAA0D;SACnE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;YAC3B,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,QAAQ;gBACR,MAAM,EAAE,gDAAgD;aACzD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAClD,IAAI,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO;QACL;YACE,IAAI,EAAE,mBAAmB;YACzB,QAAQ;YACR,MAAM,EAAE,cAAc,SAAS,8BAA8B;SAC9D;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,WAAW,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,WAAW,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,OAAO,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;IAE3D,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACnE,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QAEnE,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,CAAC,CAAC;QAExD,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC;QAClD,IAAI,aAAa,EAAE,CAAC;YAClB,SAAS;QACX,CAAC;QAED,MAAM,kBAAkB,GAAG,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;QACpF,MAAM,aAAa,GAAG,YAAY,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;QAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,UAAU,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,WAAW,CAAC,QAAQ,CAAC,SAAS,EAAE,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;QAC3B,QAAQ;KACT,CAAC;AACJ,CAAC;AAYD,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,QAAQ;IACR,KAAK;IACL,OAAO;IACP,UAAU;IACV,YAAY;IACZ,SAAS;IACT,SAAS;IACT,cAAc;IACd,WAAW;IACX,KAAK;IACL,mBAAmB;CACpB,CAAC;AAEF,MAAM,+BAA+B,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEtH,SAAS,4BAA4B,CAAC,QAAgB;IACpD,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,+BAA+B,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,YAAoB;IACnD,MAAM,cAAc,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;IAClD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC;IACpC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,YAAoB,EAAE,SAAmB;IACtE,MAAM,WAAW,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,4BAA4B,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3C,SAAS;QACX,CAAC;QAED,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC;QAEnD,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClE,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,aAAa,GAAG,2BAA2B,CAAC;QAClD,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACpD,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAAE,CAAC;gBACpC,SAAS;YACX,CAAC;YAED,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,WAAW,CAAC,QAAQ,CAAC,SAAS,EAAE,GAAG,OAAO,CAAC,QAAQ,cAAc,OAAO,CAAC,YAAY,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;QAC3B,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/sandbox/staging.d.ts

@@ -0,0 +1,12 @@
+export interface StagedFile {
+    relativePath: string;
+    lineCount: number;
+    isNew: boolean;
+    isModified: boolean;
+}
+export declare function clearStaging(workspaceDir: string): void;
+export declare function writeToStaging(workspaceDir: string, relativePath: string, content: string): void;
+export declare function listStagedFiles(workspaceDir: string): StagedFile[];
+export declare function generateDiffSummary(workspaceDir: string, stagedFiles: StagedFile[]): string[];
+export declare function applyStagedChanges(workspaceDir: string, stagedFiles: StagedFile[]): void;
+export declare function rejectStagedChanges(workspaceDir: string): void;

package/dist/sandbox/staging.js

@@ -0,0 +1,107 @@
+import { copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, rmSync, statSync, writeFileSync, } from 'node:fs';
+import { createHash } from 'node:crypto';
+import { dirname, join, relative } from 'node:path';
+import { createAuditLogger } from '../audit/logger.js';
+const KITT_DIR = '.kitt';
+const STAGING_DIR = 'staging';
+function getStagingDir(workspaceDir) {
+    return join(workspaceDir, KITT_DIR, STAGING_DIR);
+}
+function hashContent(content) {
+    return createHash('sha256').update(content).digest('hex');
+}
+function assertWithinWorkspace(workspaceDir, targetPath) {
+    const pathFromWorkspace = relative(workspaceDir, targetPath);
+    if (pathFromWorkspace === '..' || pathFromWorkspace.startsWith(`..${pathFromWorkspace.includes('\\') ? '\\' : '/'}`)) {
+        throw new Error(`Refusing to write outside workspace: ${targetPath}`);
+    }
+}
+function countLines(content) {
+    return content.match(/\n/g)?.length ?? 0;
+}
+function collectStagedFilePaths(stagingDir, currentDir, output) {
+    const entries = readdirSync(currentDir);
+    for (const entry of entries) {
+        const absolutePath = join(currentDir, entry);
+        const stats = statSync(absolutePath);
+        if (stats.isDirectory()) {
+            collectStagedFilePaths(stagingDir, absolutePath, output);
+            continue;
+        }
+        const stagedRelativePath = relative(stagingDir, absolutePath);
+        output.push(stagedRelativePath);
+    }
+}
+export function clearStaging(workspaceDir) {
+    const logger = createAuditLogger(workspaceDir);
+    const stagingDir = getStagingDir(workspaceDir);
+    if (existsSync(stagingDir)) {
+        rmSync(stagingDir, { recursive: true, force: true });
+    }
+    mkdirSync(stagingDir, { recursive: true });
+    logger.staged(join(KITT_DIR, STAGING_DIR), 'cleared');
+}
+export function writeToStaging(workspaceDir, relativePath, content) {
+    const logger = createAuditLogger(workspaceDir);
+    const stagingDir = getStagingDir(workspaceDir);
+    const stagedPath = join(stagingDir, relativePath);
+    assertWithinWorkspace(stagingDir, stagedPath);
+    mkdirSync(dirname(stagedPath), { recursive: true });
+    writeFileSync(stagedPath, content, 'utf-8');
+    const hash = hashContent(content);
+    logger.staged(relativePath, 'written to staging');
+    logger.fileWrite(join(KITT_DIR, STAGING_DIR, relativePath), hash);
+}
+export function listStagedFiles(workspaceDir) {
+    const logger = createAuditLogger(workspaceDir);
+    const stagingDir = getStagingDir(workspaceDir);
+    if (!existsSync(stagingDir)) {
+        return [];
+    }
+    const filePaths = [];
+    collectStagedFilePaths(stagingDir, stagingDir, filePaths);
+    return filePaths
+        .sort((a, b) => a.localeCompare(b))
+        .map((stagedRelativePath) => {
+        const workspacePath = join(workspaceDir, stagedRelativePath);
+        assertWithinWorkspace(workspaceDir, workspacePath);
+        const content = readFileSync(join(stagingDir, stagedRelativePath), 'utf-8');
+        const isNew = !existsSync(workspacePath);
+        const isModified = !isNew;
+        logger.staged(stagedRelativePath, isNew ? 'new' : 'modified');
+        return {
+            relativePath: stagedRelativePath,
+            lineCount: countLines(content),
+            isNew,
+            isModified,
+        };
+    });
+}
+export function generateDiffSummary(workspaceDir, stagedFiles) {
+    void workspaceDir;
+    return stagedFiles.map((file) => {
+        if (file.isNew) {
+            return `  + ${file.relativePath} (${file.lineCount} lines, new)`;
+        }
+        return `  ~ ${file.relativePath} (modified)`;
+    });
+}
+export function applyStagedChanges(workspaceDir, stagedFiles) {
+    const logger = createAuditLogger(workspaceDir);
+    const stagingDir = getStagingDir(workspaceDir);
+    for (const stagedFile of stagedFiles) {
+        const sourcePath = join(stagingDir, stagedFile.relativePath);
+        const destinationPath = join(workspaceDir, stagedFile.relativePath);
+        assertWithinWorkspace(workspaceDir, destinationPath);
+        mkdirSync(dirname(destinationPath), { recursive: true });
+        copyFileSync(sourcePath, destinationPath);
+        const content = readFileSync(destinationPath, 'utf-8');
+        logger.staged(stagedFile.relativePath, 'applied');
+        logger.fileWrite(stagedFile.relativePath, hashContent(content));
+    }
+    clearStaging(workspaceDir);
+}
+export function rejectStagedChanges(workspaceDir) {
+    clearStaging(workspaceDir);
+}
+//# sourceMappingURL=staging.js.map

package/dist/sandbox/staging.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"staging.js","sourceRoot":"","sources":["../../src/sandbox/staging.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,UAAU,EACV,SAAS,EACT,WAAW,EACX,YAAY,EACZ,MAAM,EACN,QAAQ,EACR,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,MAAM,QAAQ,GAAG,OAAO,CAAC;AACzB,MAAM,WAAW,GAAG,SAAS,CAAC;AAS9B,SAAS,aAAa,CAAC,YAAoB;IACzC,OAAO,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,qBAAqB,CAAC,YAAoB,EAAE,UAAkB;IACrE,MAAM,iBAAiB,GAAG,QAAQ,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAC7D,IAAI,iBAAiB,KAAK,IAAI,IAAI,iBAAiB,CAAC,UAAU,CAAC,KAAK,iBAAiB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;QACrH,MAAM,IAAI,KAAK,CAAC,wCAAwC,UAAU,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,MAAM,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,sBAAsB,CAAC,UAAkB,EAAE,UAAkB,EAAE,MAAgB;IACtF,MAAM,OAAO,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAExC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC;QAErC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,sBAAsB,CAAC,UAAU,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;YACzD,SAAS;QACX,CAAC;QAED,MAAM,kBAAkB,GAAG,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAC9D,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,YAAoB;IAC/C,MAAM,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAE/C,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,SAAS,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,YAAoB,EAAE,YAAoB,EAAE,OAAe;IACxF,MAAM,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAClD,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAE9C,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,aAAa,CAAC,UAAU,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAE5C,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAClD,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,EAAE,IAAI,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAE/C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,sBAAsB,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAE1D,OAAO,SAAS;SACb,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;SAClC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE;QAC1B,MAAM,aAAa,GAAG,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QAC7D,qBAAqB,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAEnD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC;QAE1B,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QAE9D,OAAO;YACL,YAAY,EAAE,kBAAkB;YAChC,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC;YAC9B,KAAK;YACL,UAAU;SACX,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,YAAoB,EAAE,WAAyB;IACjF,KAAK,YAAY,CAAC;IAElB,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QAC9B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,OAAO,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,SAAS,cAAc,CAAC;QACnE,CAAC;QAED,OAAO,OAAO,IAAI,CAAC,YAAY,aAAa,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,YAAoB,EAAE,WAAyB;IAChF,MAAM,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAE/C,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;QAC7D,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;QACpE,qBAAqB,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAErD,SAAS,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,YAAY,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAE1C,MAAM,OAAO,GAAG,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,YAAY,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,YAAY,CAAC,YAAY,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,YAAY,CAAC,YAAY,CAAC,CAAC;AAC7B,CAAC"}

package/dist/scaffold/frameworks/express.d.ts

@@ -0,0 +1,3 @@
+import type { ScaffoldFile, StaticScaffoldOptions } from '../types.js';
+export declare function buildExpressFiles(opts: StaticScaffoldOptions): ScaffoldFile[];
+export declare function buildExpressPackageJson(opts: StaticScaffoldOptions): string;