replicas-engine 0.1.268 → 0.1.270

package/dist/src/index.js

@@ -286,7 +286,7 @@ var WORKSPACE_SIZES = ["small", "large"];
 var INVALID_WORKSPACE_SIZE_ERROR = `Invalid size: must be one of ${WORKSPACE_SIZES.join(", ")}`;
 
 // ../shared/src/e2b.ts
-var E2B_TEMPLATE_NAME = "replicas-sandbox-2026-06-05-v5";
+var E2B_TEMPLATE_NAME = "replicas-sandbox-2026-06-05-v7";
 
 // ../shared/src/runtime-env.ts
 function parsePosixEnvFile(content) {
@@ -1967,6 +1967,13 @@ function isClaudeAuthErrorText(text) {
   return lower.includes("failed to authenticate") || lower.includes("authentication_error") || lower.includes("authentication_failed") || lower.includes("authentication failed") || lower.includes("invalid authentication credentials") || lower.includes("not logged in") || lower.includes("please run /login") || lower.includes("credit balance is too low") || lower.includes("401") && lower.includes("authentic");
 }
 
+// ../shared/src/codex-auth.ts
+function isCodexAuthError(error) {
+  const msg = error instanceof Error ? error.message : String(error);
+  const lower = msg.toLowerCase();
+  return lower.includes("unauthorized") || lower.includes("authentication") || lower.includes("invalid api key") || lower.includes("incorrect api key") || lower.includes("api key") && lower.includes("invalid") || lower.includes("401") || lower.includes('codexerrorinfo="unauthorized"') || lower.includes("codexerrorinfo=unauthorized") || lower.includes("failed to refresh token") || lower.includes("your session has ended");
+}
+
 // ../shared/src/engine/environment.ts
 var DESKTOP_NOVNC_PORT = 6080;
 
@@ -2032,7 +2039,7 @@ function classifyCanvasFilename(filename) {
 // ../shared/src/engine/v1.ts
 var MERGED_MESSAGE_SEPARATOR = "\n\n<!-- replicas:merged -->\n\n";
 function normalizeCodexAspTranscriptStatus(status, failed = false) {
-  if (failed || status === "failed") return "failed";
+  if (failed || status === "failed" || status === "declined") return "failed";
   if (status === "completed") return "completed";
   return "in_progress";
 }
@@ -2191,6 +2198,60 @@ var CLAUDE_AUTH_ENV_KEYS_BY_METHOD = {
   ]
 };
 
+// ../shared/src/routes/command-protection.ts
+var COMMAND_PROTECTION_COMMAND_KEYS = ["command", "cmd", "script", "query", "endpoint", "path", "url", "mutation"];
+function stringifyCommandProtectionInput(value) {
+  if (typeof value === "string") return value;
+  if (value == null) return "";
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+}
+function normalizeCommandProtectionText(text) {
+  return text.replace(/\\\n/g, " ").replace(/\s+/g, " ").trim().toLowerCase();
+}
+function extractCommandProtectionCommandText(request, options = {}) {
+  if (request.command && request.command.trim()) return request.command;
+  const input = request.toolInput;
+  if (isRecord(input)) {
+    for (const key of COMMAND_PROTECTION_COMMAND_KEYS) {
+      const value = input[key];
+      if (typeof value === "string" && value.trim()) return value;
+    }
+  }
+  if (typeof input === "string") return input;
+  return options.stringifyFallback ? stringifyCommandProtectionInput(input) : null;
+}
+function findPrMergeSignals(request) {
+  const command = normalizeCommandProtectionText(extractCommandProtectionCommandText(request, { stringifyFallback: true }) ?? "");
+  const input = normalizeCommandProtectionText(stringifyCommandProtectionInput(request.toolInput));
+  const combined = `${request.toolName.toLowerCase()} ${command} ${input}`;
+  const checks = [
+    ["gh-pr-merge", /\bgh\s+pr\s+merge\b/],
+    ["gh-api-pulls-merge", /\bgh\s+api\b[\s\S]*\/pulls\/(?:\d+|[^/\s]+)\/merge\b/],
+    ["github-rest-pulls-merge", /api\.github\.com\/repos\/[^/\s]+\/[^/\s]+\/pulls\/(?:\d+|[^/\s]+)\/merge\b/],
+    ["github-rest-ref-update", /\b(?:gh\s+api|curl|wget|python3?)\b[\s\S]*(?:\/repos\/|repos\/)[^/\s]+\/[^/\s]+\/git\/refs\/heads\/(?:main|master|trunk|develop)\b[\s\S]*\b(?:patch|put|sha|oid|force)\b/],
+    ["github-graphql-merge-pr", /\bmergepullrequest\b/],
+    ["github-graphql-enable-auto-merge", /\benablepullrequestautomerge\b/],
+    ["github-graphql-update-ref", /\bupdateref\b/],
+    ["git-merge-default-branch", /\bgit\s+(?:checkout|switch)\s+(?:main|master|trunk|develop)\b[\s\S]*\bgit\s+merge\b/],
+    ["git-merge-standalone", /\bgit\s+merge\s+(?:origin\/)?(main|master|trunk|develop)\b/],
+    ["git-push-main", /\bgit\s+push\b[\s\S]*\b(origin\s+)?(main|master|trunk|develop)\b/],
+    ["git-push-refspec-default-branch", /\bgit\s+push\b[\s\S]*\S+:(?:refs\/heads\/)?(main|master|trunk|develop)\b/],
+    ["git-cherry-pick-default-branch", /\bgit\s+(?:checkout|switch)\s+(?:main|master|trunk|develop)\b[\s\S]*\bgit\s+cherry-pick\b[\s\S]*\bgit\s+push\b/],
+    ["git-push-all", /\bgit\s+push\s+(-[^\s]+\s+)*(--all|--mirror)\b/],
+    ["git-push-bare", /\bgit\s+push\s*(?:["{}\[\]]|$)/],
+    ["hub-merge", /\bhub\s+merge\b/],
+    ["obfuscated-gh-pr-merge", /printf\s+['"]\\x67\\x68['"][\s\S]*\bpr\b[\s\S]*printf\s+['"]m\\x65rge['"]/],
+    ["mcp-merge-tool", /\bmcp__[^\s"]*merge[^\s"]*\b/],
+    ["tool-merge-name", /\b(pr|pull[_-]?request).{0,40}\bmerge\b|\bmerge.{0,40}(pr|pull[_-]?request)\b/],
+    ["merge-word", /(?:^|[^a-z0-9])merge(?:$|[^a-z0-9])/]
+  ];
+  return checks.flatMap(([name, pattern]) => pattern.test(combined) ? [name] : []);
+}
+
 // ../shared/src/routes/workspaces.ts
 var WORKSPACE_FILE_UPLOAD_MAX_SIZE_BYTES = 20 * 1024 * 1024;
 var WORKSPACE_FILE_CONTENT_MAX_SIZE_BYTES = 1 * 1024 * 1024;
@@ -2551,6 +2612,7 @@ function loadEngineEnv() {
     AWS_REGION: readEnv("AWS_REGION"),
     REPLICAS_CLAUDE_AUTH_METHOD: parseClaudeAuthMethod(readEnv("REPLICAS_CLAUDE_AUTH_METHOD")),
     REPLICAS_CODEX_AUTH_METHOD: parseCodexAuthMethod(readEnv("REPLICAS_CODEX_AUTH_METHOD")),
+    REPLICAS_DISABLE_GH_PR_MERGE: readEnv("REPLICAS_DISABLE_GH_PR_MERGE")?.toLowerCase() === "true",
     REPLICAS_ENV_SYSTEM_PROMPT: readEnv("REPLICAS_ENV_SYSTEM_PROMPT"),
     REPLICAS_ENV_START_HOOK: readEnv("REPLICAS_ENV_START_HOOK"),
     REPLICAS_DISABLE_AUTO_START_HOOKS: readEnv("REPLICAS_DISABLE_AUTO_START_HOOKS")?.toLowerCase() === "true"
@@ -5624,6 +5686,52 @@ var LinearEventForwarder = class {
   }
 };
 
+// src/services/command-protection-service.ts
+function asCommandProtectionResponse(value) {
+  if (typeof value !== "object" || value === null) return null;
+  const candidate = value;
+  return typeof candidate.allowed === "boolean" && typeof candidate.enabled === "boolean" ? candidate : null;
+}
+function failClosed(reason, matchedSignals) {
+  return {
+    allowed: false,
+    enabled: true,
+    reason,
+    matchedSignals
+  };
+}
+async function evaluateCommandProtection(request, signal) {
+  const matchedSignals = findPrMergeSignals(request);
+  if (matchedSignals.length === 0) {
+    return { allowed: true, enabled: true };
+  }
+  let response;
+  try {
+    response = await monolithRequest("/v1/engine/command-protection/evaluate", {
+      body: request,
+      signal
+    });
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    return failClosed(`Command protection failed closed: ${detail}`, matchedSignals);
+  }
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    return failClosed(`Command protection failed closed: ${response.status} ${detail}`, matchedSignals);
+  }
+  let payload;
+  try {
+    payload = await response.json();
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    return failClosed(`Command protection failed closed: ${detail}`, matchedSignals);
+  }
+  return asCommandProtectionResponse(payload) ?? failClosed("Command protection failed closed: invalid response from policy service", matchedSignals);
+}
+function extractToolCommand(input) {
+  return extractCommandProtectionCommandText({ toolInput: input }, { stringifyFallback: false });
+}
+
 // src/managers/claude-manager.ts
 var PromptStream = class {
   queue = [];
@@ -5698,6 +5806,18 @@ var ALWAYS_DISALLOWED_TOOLS = [
   "PushNotification"
 ];
 var INTERACTIVE_TOOL_NAMES = ["AskUserQuestion", "ExitPlanMode"];
+var COMMAND_PROTECTION_SAFE_TOOLS = /* @__PURE__ */ new Set([
+  "Read",
+  "Write",
+  "Edit",
+  "Glob",
+  "Grep",
+  "NotebookEdit",
+  "TodoRead",
+  "TodoWrite",
+  "WebFetch",
+  "LS"
+]);
 var TOOL_INPUT_HANDLERS = {
   ExitPlanMode: {
     getRequest: () => ({
@@ -5917,6 +6037,29 @@ var ClaudeManager = class _ClaudeManager extends CodingAgentManager {
       return result;
     };
   }
+  buildCommandProtectionHook() {
+    return async (input, toolUseID, options) => {
+      if (input.hook_event_name !== "PreToolUse") return {};
+      if (COMMAND_PROTECTION_SAFE_TOOLS.has(input.tool_name)) return {};
+      const result = await evaluateCommandProtection({
+        provider: "claude",
+        source: "claude_pre_tool_use",
+        toolName: input.tool_name,
+        toolInput: input.tool_input,
+        command: extractToolCommand(input.tool_input),
+        cwd: input.cwd,
+        toolUseId: toolUseID ?? input.tool_use_id
+      }, options.signal);
+      if (result.allowed) return {};
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: result.reason || "Blocked by organization policy: agents may not merge pull requests."
+        }
+      };
+    };
+  }
   async processMessageInternal(request) {
     const MAX_AUTH_RETRIES = 2;
     let lastError;
@@ -6151,7 +6294,16 @@ var ClaudeManager = class _ClaudeManager extends CodingAgentManager {
         env: queryEnv,
         model: resolvedModel,
         ...thinkingLevel ? { effort: thinkingLevel } : {},
-        canUseTool: this.buildCanUseTool()
+        canUseTool: this.buildCanUseTool(),
+        ...ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE ? {
+          hooks: {
+            PreToolUse: [{
+              matcher: "*",
+              hooks: [this.buildCommandProtectionHook()],
+              timeout: 30
+            }]
+          }
+        } : {}
       }
     });
     this.activeQuery = response;
@@ -6575,7 +6727,7 @@ var AspClient = class {
 // src/managers/codex-asp/app-server-process.ts
 var DEFAULT_CODEX_BINARY = "codex";
 var DEFAULT_CODEX_ARGS = ["app-server", "--listen", "stdio://"];
-var ENGINE_PACKAGE_VERSION = "0.1.268";
+var ENGINE_PACKAGE_VERSION = "0.1.270";
 var INITIALIZE_METHOD = "initialize";
 var INITIALIZED_NOTIFICATION = "initialized";
 var ACCOUNT_LOGIN_START_METHOD = "account/login/start";
@@ -6834,13 +6986,6 @@ var CodexQuotaStatusTracker = class {
   }
 };
 
-// src/utils/codex-auth.ts
-function isCodexAuthError(error) {
-  const msg = error instanceof Error ? error.message : String(error);
-  const lower = msg.toLowerCase();
-  return lower.includes("unauthorized") || lower.includes("authentication") || lower.includes("invalid api key") || lower.includes("incorrect api key") || lower.includes("api key") && lower.includes("invalid") || lower.includes("401") || lower.includes('codexerrorinfo="unauthorized"') || lower.includes("codexerrorinfo=unauthorized");
-}
-
 // src/managers/codex-asp/mappers.ts
 import { existsSync as existsSync6, readFileSync as readFileSync3 } from "fs";
 var localImageCache = /* @__PURE__ */ new Map();
@@ -6855,6 +7000,15 @@ var TURN_START_METHOD = "turn/start";
 var TURN_INTERRUPT_METHOD = "turn/interrupt";
 var ACCOUNT_RATE_LIMITS_READ_METHOD = "account/rateLimits/read";
 var MAX_CODEX_ASP_TRANSCRIPT_OUTPUT_CHARS = DEFAULT_HOOK_OUTPUT_PREVIEW_CHARS;
+function codexApprovalPolicyOverrides() {
+  if (!ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE) {
+    return {};
+  }
+  return {
+    approvalPolicy: "untrusted",
+    approvalsReviewer: "user"
+  };
+}
 function toReasoningEffort(thinkingLevel) {
   return codexReasoningEffortForThinkingLevel(thinkingLevel);
 }
@@ -7250,6 +7404,7 @@ async function buildThreadStartParams(workingDirectory, request, developerInstru
     cwd: workingDirectory,
     runtimeWorkspaceRoots: additionalDirectories,
     sandbox: "danger-full-access",
+    ...codexApprovalPolicyOverrides(),
     developerInstructions: developerInstructions ?? null,
     config: { web_search: "live" },
     experimentalRawEvents: false,
@@ -7264,6 +7419,7 @@ async function buildThreadResumeParams(workingDirectory, threadId, request, deve
     cwd: workingDirectory,
     runtimeWorkspaceRoots: additionalDirectories,
     sandbox: "danger-full-access",
+    ...codexApprovalPolicyOverrides(),
     developerInstructions: developerInstructions ?? null,
     config: { web_search: "live" },
     excludeTurns: false,
@@ -7296,6 +7452,7 @@ async function buildTurnStartParams(threadId, request, developerInstructions) {
       threadId,
       input,
       model,
+      ...codexApprovalPolicyOverrides(),
       ...effort ? { effort } : {},
       ...developerInstructions ? {
         collaborationMode: {
@@ -7808,12 +7965,75 @@ var CodexAspManager = class extends CodingAgentManager {
     const requestId = serverRequest.id;
     const method = serverRequest.method;
     switch (serverRequest.method) {
-      case "item/commandExecution/requestApproval":
+      case "item/commandExecution/requestApproval": {
+        if (ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE) {
+          const result = await evaluateCommandProtection({
+            provider: "codex",
+            source: "codex_approval_request",
+            toolName: "commandExecution",
+            toolInput: {
+              command: serverRequest.params.command,
+              commandActions: serverRequest.params.commandActions ?? null
+            },
+            command: serverRequest.params.command,
+            cwd: serverRequest.params.cwd ?? null,
+            toolUseId: serverRequest.params.itemId ?? null
+          });
+          if (!result.allowed) {
+            console.warn(`[CodexAspManager] blocked command approval by PR merge policy: ${result.reason ?? "unknown reason"}`);
+            this.recordBlockedCommand(
+              serverRequest.params.threadId,
+              serverRequest.params.turnId,
+              serverRequest.params.itemId,
+              serverRequest.params.command ?? "",
+              result.reason,
+              serverRequest.params.startedAtMs
+            );
+            host.client.respond(requestId, { decision: "decline" });
+            return;
+          }
+        }
+        console.warn("[CodexAspManager] approval requested while sandbox is danger-full-access");
+        host.client.respond(requestId, { decision: "accept" });
+        return;
+      }
       case "item/fileChange/requestApproval":
         console.warn("[CodexAspManager] approval requested while sandbox is danger-full-access");
         host.client.respond(requestId, { decision: "accept" });
         return;
-      case "execCommandApproval":
+      case "execCommandApproval": {
+        if (ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE) {
+          const command = serverRequest.params.command.join(" ");
+          const result = await evaluateCommandProtection({
+            provider: "codex",
+            source: "codex_approval_request",
+            toolName: "execCommand",
+            toolInput: {
+              command: serverRequest.params.command,
+              parsedCmd: serverRequest.params.parsedCmd ?? null
+            },
+            command,
+            cwd: serverRequest.params.cwd ?? null,
+            toolUseId: serverRequest.params.callId ?? null
+          });
+          if (!result.allowed) {
+            console.warn(`[CodexAspManager] blocked legacy command approval by PR merge policy: ${result.reason ?? "unknown reason"}`);
+            this.recordBlockedCommand(
+              this.currentThreadId ?? serverRequest.params.conversationId,
+              this.activeTurnId ?? `legacy-${requestId}`,
+              serverRequest.params.callId,
+              command,
+              result.reason,
+              Date.now()
+            );
+            host.client.respond(requestId, { decision: "denied" });
+            return;
+          }
+        }
+        console.warn("[CodexAspManager] legacy approval requested while sandbox is danger-full-access");
+        host.client.respond(requestId, { decision: "approved" });
+        return;
+      }
       case "applyPatchApproval":
         console.warn("[CodexAspManager] legacy approval requested while sandbox is danger-full-access");
         host.client.respond(requestId, { decision: "approved" });
@@ -7861,6 +8081,20 @@ var CodexAspManager = class extends CodingAgentManager {
   nextTranscriptSequence() {
     return this.codexAspSequence++;
   }
+  recordBlockedCommand(threadId, turnId, itemId, command, reason, startedAtMs) {
+    const output = reason?.includes("Blocked by organization policy") ? reason : `Blocked by organization policy: ${reason || "agents may not merge pull requests."}`;
+    const timestamp = timestampFromMilliseconds(startedAtMs);
+    const blockedItem = {
+      type: "commandExecution",
+      id: itemId,
+      command,
+      aggregatedOutput: output,
+      exitCode: null,
+      status: "declined"
+    };
+    this.upsertTranscriptItem(threadId, turnId, blockedItem, timestamp, "failed", "completed");
+    this.emitTranscriptUpdated(threadId, { immediate: true });
+  }
   syncTranscriptSequence(transcript) {
     if (!transcript) return;
     let next = 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "replicas-engine",
-  "version": "0.1.268",
+  "version": "0.1.270",
   "description": "Lightweight API server for Replicas workspaces",
   "type": "module",
   "main": "dist/src/index.js",