npm - replicas-engine - Versions diffs - 0.1.269 → 0.1.271 - Mend

replicas-engine 0.1.269 → 0.1.271

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/src/index.js +240 -6
package/package.json +1 -1

package/dist/src/index.js CHANGED Viewed

@@ -286,7 +286,7 @@ var WORKSPACE_SIZES = ["small", "large"];
 var INVALID_WORKSPACE_SIZE_ERROR = `Invalid size: must be one of ${WORKSPACE_SIZES.join(", ")}`;
 // ../shared/src/e2b.ts
-var E2B_TEMPLATE_NAME = "replicas-sandbox-2026-06-05-v6";
+var E2B_TEMPLATE_NAME = "replicas-sandbox-2026-06-06-v2";
 // ../shared/src/runtime-env.ts
 function parsePosixEnvFile(content) {
@@ -2039,7 +2039,7 @@ function classifyCanvasFilename(filename) {
 // ../shared/src/engine/v1.ts
 var MERGED_MESSAGE_SEPARATOR = "\n\n<!-- replicas:merged -->\n\n";
 function normalizeCodexAspTranscriptStatus(status, failed = false) {
-  if (failed || status === "failed") return "failed";
+  if (failed || status === "failed" || status === "declined") return "failed";
   if (status === "completed") return "completed";
   return "in_progress";
 }
@@ -2198,6 +2198,60 @@ var CLAUDE_AUTH_ENV_KEYS_BY_METHOD = {
   ]
 };
+// ../shared/src/routes/command-protection.ts
+var COMMAND_PROTECTION_COMMAND_KEYS = ["command", "cmd", "script", "query", "endpoint", "path", "url", "mutation"];
+function stringifyCommandProtectionInput(value) {
+  if (typeof value === "string") return value;
+  if (value == null) return "";
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+}
+function normalizeCommandProtectionText(text) {
+  return text.replace(/\\\n/g, " ").replace(/\s+/g, " ").trim().toLowerCase();
+}
+function extractCommandProtectionCommandText(request, options = {}) {
+  if (request.command && request.command.trim()) return request.command;
+  const input = request.toolInput;
+  if (isRecord(input)) {
+    for (const key of COMMAND_PROTECTION_COMMAND_KEYS) {
+      const value = input[key];
+      if (typeof value === "string" && value.trim()) return value;
+    }
+  }
+  if (typeof input === "string") return input;
+  return options.stringifyFallback ? stringifyCommandProtectionInput(input) : null;
+}
+function findPrMergeSignals(request) {
+  const command = normalizeCommandProtectionText(extractCommandProtectionCommandText(request, { stringifyFallback: true }) ?? "");
+  const input = normalizeCommandProtectionText(stringifyCommandProtectionInput(request.toolInput));
+  const combined = `${request.toolName.toLowerCase()} ${command} ${input}`;
+  const checks = [
+    ["gh-pr-merge", /\bgh\s+pr\s+merge\b/],
+    ["gh-api-pulls-merge", /\bgh\s+api\b[\s\S]*\/pulls\/(?:\d+|[^/\s]+)\/merge\b/],
+    ["github-rest-pulls-merge", /api\.github\.com\/repos\/[^/\s]+\/[^/\s]+\/pulls\/(?:\d+|[^/\s]+)\/merge\b/],
+    ["github-rest-ref-update", /\b(?:gh\s+api|curl|wget|python3?)\b[\s\S]*(?:\/repos\/|repos\/)[^/\s]+\/[^/\s]+\/git\/refs\/heads\/(?:main|master|trunk|develop)\b[\s\S]*\b(?:patch|put|sha|oid|force)\b/],
+    ["github-graphql-merge-pr", /\bmergepullrequest\b/],
+    ["github-graphql-enable-auto-merge", /\benablepullrequestautomerge\b/],
+    ["github-graphql-update-ref", /\bupdateref\b/],
+    ["git-merge-default-branch", /\bgit\s+(?:checkout|switch)\s+(?:main|master|trunk|develop)\b[\s\S]*\bgit\s+merge\b/],
+    ["git-merge-standalone", /\bgit\s+merge\s+(?:origin\/)?(main|master|trunk|develop)\b/],
+    ["git-push-main", /\bgit\s+push\b[\s\S]*\b(origin\s+)?(main|master|trunk|develop)\b/],
+    ["git-push-refspec-default-branch", /\bgit\s+push\b[\s\S]*\S+:(?:refs\/heads\/)?(main|master|trunk|develop)\b/],
+    ["git-cherry-pick-default-branch", /\bgit\s+(?:checkout|switch)\s+(?:main|master|trunk|develop)\b[\s\S]*\bgit\s+cherry-pick\b[\s\S]*\bgit\s+push\b/],
+    ["git-push-all", /\bgit\s+push\s+(-[^\s]+\s+)*(--all|--mirror)\b/],
+    ["git-push-bare", /\bgit\s+push\s*(?:["{}\[\]]|$)/],
+    ["hub-merge", /\bhub\s+merge\b/],
+    ["obfuscated-gh-pr-merge", /printf\s+['"]\\x67\\x68['"][\s\S]*\bpr\b[\s\S]*printf\s+['"]m\\x65rge['"]/],
+    ["mcp-merge-tool", /\bmcp__[^\s"]*merge[^\s"]*\b/],
+    ["tool-merge-name", /\b(pr|pull[_-]?request).{0,40}\bmerge\b|\bmerge.{0,40}(pr|pull[_-]?request)\b/],
+    ["merge-word", /(?:^|[^a-z0-9])merge(?:$|[^a-z0-9])/]
+  ];
+  return checks.flatMap(([name, pattern]) => pattern.test(combined) ? [name] : []);
+}
 // ../shared/src/routes/workspaces.ts
 var WORKSPACE_FILE_UPLOAD_MAX_SIZE_BYTES = 20 * 1024 * 1024;
 var WORKSPACE_FILE_CONTENT_MAX_SIZE_BYTES = 1 * 1024 * 1024;
@@ -2558,6 +2612,7 @@ function loadEngineEnv() {
     AWS_REGION: readEnv("AWS_REGION"),
     REPLICAS_CLAUDE_AUTH_METHOD: parseClaudeAuthMethod(readEnv("REPLICAS_CLAUDE_AUTH_METHOD")),
     REPLICAS_CODEX_AUTH_METHOD: parseCodexAuthMethod(readEnv("REPLICAS_CODEX_AUTH_METHOD")),
+    REPLICAS_DISABLE_GH_PR_MERGE: readEnv("REPLICAS_DISABLE_GH_PR_MERGE")?.toLowerCase() === "true",
     REPLICAS_ENV_SYSTEM_PROMPT: readEnv("REPLICAS_ENV_SYSTEM_PROMPT"),
     REPLICAS_ENV_START_HOOK: readEnv("REPLICAS_ENV_START_HOOK"),
     REPLICAS_DISABLE_AUTO_START_HOOKS: readEnv("REPLICAS_DISABLE_AUTO_START_HOOKS")?.toLowerCase() === "true"
@@ -5631,6 +5686,52 @@ var LinearEventForwarder = class {
   }
 };
+// src/services/command-protection-service.ts
+function asCommandProtectionResponse(value) {
+  if (typeof value !== "object" || value === null) return null;
+  const candidate = value;
+  return typeof candidate.allowed === "boolean" && typeof candidate.enabled === "boolean" ? candidate : null;
+}
+function failClosed(reason, matchedSignals) {
+  return {
+    allowed: false,
+    enabled: true,
+    reason,
+    matchedSignals
+  };
+}
+async function evaluateCommandProtection(request, signal) {
+  const matchedSignals = findPrMergeSignals(request);
+  if (matchedSignals.length === 0) {
+    return { allowed: true, enabled: true };
+  }
+  let response;
+  try {
+    response = await monolithRequest("/v1/engine/command-protection/evaluate", {
+      body: request,
+      signal
+    });
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    return failClosed(`Command protection failed closed: ${detail}`, matchedSignals);
+  }
+  if (!response.ok) {
+    const detail = await response.text().catch(() => "");
+    return failClosed(`Command protection failed closed: ${response.status} ${detail}`, matchedSignals);
+  }
+  let payload;
+  try {
+    payload = await response.json();
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
+    return failClosed(`Command protection failed closed: ${detail}`, matchedSignals);
+  }
+  return asCommandProtectionResponse(payload) ?? failClosed("Command protection failed closed: invalid response from policy service", matchedSignals);
+}
+function extractToolCommand(input) {
+  return extractCommandProtectionCommandText({ toolInput: input }, { stringifyFallback: false });
+}
 // src/managers/claude-manager.ts
 var PromptStream = class {
   queue = [];
@@ -5705,6 +5806,18 @@ var ALWAYS_DISALLOWED_TOOLS = [
   "PushNotification"
 ];
 var INTERACTIVE_TOOL_NAMES = ["AskUserQuestion", "ExitPlanMode"];
+var COMMAND_PROTECTION_SAFE_TOOLS = /* @__PURE__ */ new Set([
+  "Read",
+  "Write",
+  "Edit",
+  "Glob",
+  "Grep",
+  "NotebookEdit",
+  "TodoRead",
+  "TodoWrite",
+  "WebFetch",
+  "LS"
+]);
 var TOOL_INPUT_HANDLERS = {
   ExitPlanMode: {
     getRequest: () => ({
@@ -5924,6 +6037,29 @@ var ClaudeManager = class _ClaudeManager extends CodingAgentManager {
       return result;
     };
   }
+  buildCommandProtectionHook() {
+    return async (input, toolUseID, options) => {
+      if (input.hook_event_name !== "PreToolUse") return {};
+      if (COMMAND_PROTECTION_SAFE_TOOLS.has(input.tool_name)) return {};
+      const result = await evaluateCommandProtection({
+        provider: "claude",
+        source: "claude_pre_tool_use",
+        toolName: input.tool_name,
+        toolInput: input.tool_input,
+        command: extractToolCommand(input.tool_input),
+        cwd: input.cwd,
+        toolUseId: toolUseID ?? input.tool_use_id
+      }, options.signal);
+      if (result.allowed) return {};
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: result.reason || "Blocked by organization policy: agents may not merge pull requests."
+        }
+      };
+    };
+  }
   async processMessageInternal(request) {
     const MAX_AUTH_RETRIES = 2;
     let lastError;
@@ -6158,7 +6294,16 @@ var ClaudeManager = class _ClaudeManager extends CodingAgentManager {
         env: queryEnv,
         model: resolvedModel,
         ...thinkingLevel ? { effort: thinkingLevel } : {},
-        canUseTool: this.buildCanUseTool()
+        canUseTool: this.buildCanUseTool(),
+        ...ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE ? {
+          hooks: {
+            PreToolUse: [{
+              matcher: "*",
+              hooks: [this.buildCommandProtectionHook()],
+              timeout: 30
+            }]
+          }
+        } : {}
       }
     });
     this.activeQuery = response;
@@ -6582,7 +6727,7 @@ var AspClient = class {
 // src/managers/codex-asp/app-server-process.ts
 var DEFAULT_CODEX_BINARY = "codex";
 var DEFAULT_CODEX_ARGS = ["app-server", "--listen", "stdio://"];
-var ENGINE_PACKAGE_VERSION = "0.1.269";
+var ENGINE_PACKAGE_VERSION = "0.1.271";
 var INITIALIZE_METHOD = "initialize";
 var INITIALIZED_NOTIFICATION = "initialized";
 var ACCOUNT_LOGIN_START_METHOD = "account/login/start";
@@ -6855,6 +7000,15 @@ var TURN_START_METHOD = "turn/start";
 var TURN_INTERRUPT_METHOD = "turn/interrupt";
 var ACCOUNT_RATE_LIMITS_READ_METHOD = "account/rateLimits/read";
 var MAX_CODEX_ASP_TRANSCRIPT_OUTPUT_CHARS = DEFAULT_HOOK_OUTPUT_PREVIEW_CHARS;
+function codexApprovalPolicyOverrides() {
+  if (!ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE) {
+    return {};
+  }
+  return {
+    approvalPolicy: "untrusted",
+    approvalsReviewer: "user"
+  };
+}
 function toReasoningEffort(thinkingLevel) {
   return codexReasoningEffortForThinkingLevel(thinkingLevel);
 }
@@ -7250,6 +7404,7 @@ async function buildThreadStartParams(workingDirectory, request, developerInstru
     cwd: workingDirectory,
     runtimeWorkspaceRoots: additionalDirectories,
     sandbox: "danger-full-access",
+    ...codexApprovalPolicyOverrides(),
     developerInstructions: developerInstructions ?? null,
     config: { web_search: "live" },
     experimentalRawEvents: false,
@@ -7264,6 +7419,7 @@ async function buildThreadResumeParams(workingDirectory, threadId, request, deve
     cwd: workingDirectory,
     runtimeWorkspaceRoots: additionalDirectories,
     sandbox: "danger-full-access",
+    ...codexApprovalPolicyOverrides(),
     developerInstructions: developerInstructions ?? null,
     config: { web_search: "live" },
     excludeTurns: false,
@@ -7296,6 +7452,7 @@ async function buildTurnStartParams(threadId, request, developerInstructions) {
       threadId,
       input,
       model,
+      ...codexApprovalPolicyOverrides(),
       ...effort ? { effort } : {},
       ...developerInstructions ? {
         collaborationMode: {
@@ -7808,12 +7965,75 @@ var CodexAspManager = class extends CodingAgentManager {
     const requestId = serverRequest.id;
     const method = serverRequest.method;
     switch (serverRequest.method) {
-      case "item/commandExecution/requestApproval":
+      case "item/commandExecution/requestApproval": {
+        if (ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE) {
+          const result = await evaluateCommandProtection({
+            provider: "codex",
+            source: "codex_approval_request",
+            toolName: "commandExecution",
+            toolInput: {
+              command: serverRequest.params.command,
+              commandActions: serverRequest.params.commandActions ?? null
+            },
+            command: serverRequest.params.command,
+            cwd: serverRequest.params.cwd ?? null,
+            toolUseId: serverRequest.params.itemId ?? null
+          });
+          if (!result.allowed) {
+            console.warn(`[CodexAspManager] blocked command approval by PR merge policy: ${result.reason ?? "unknown reason"}`);
+            this.recordBlockedCommand(
+              serverRequest.params.threadId,
+              serverRequest.params.turnId,
+              serverRequest.params.itemId,
+              serverRequest.params.command ?? "",
+              result.reason,
+              serverRequest.params.startedAtMs
+            );
+            host.client.respond(requestId, { decision: "decline" });
+            return;
+          }
+        }
+        console.warn("[CodexAspManager] approval requested while sandbox is danger-full-access");
+        host.client.respond(requestId, { decision: "accept" });
+        return;
+      }
       case "item/fileChange/requestApproval":
         console.warn("[CodexAspManager] approval requested while sandbox is danger-full-access");
         host.client.respond(requestId, { decision: "accept" });
         return;
-      case "execCommandApproval":
+      case "execCommandApproval": {
+        if (ENGINE_ENV.REPLICAS_DISABLE_GH_PR_MERGE) {
+          const command = serverRequest.params.command.join(" ");
+          const result = await evaluateCommandProtection({
+            provider: "codex",
+            source: "codex_approval_request",
+            toolName: "execCommand",
+            toolInput: {
+              command: serverRequest.params.command,
+              parsedCmd: serverRequest.params.parsedCmd ?? null
+            },
+            command,
+            cwd: serverRequest.params.cwd ?? null,
+            toolUseId: serverRequest.params.callId ?? null
+          });
+          if (!result.allowed) {
+            console.warn(`[CodexAspManager] blocked legacy command approval by PR merge policy: ${result.reason ?? "unknown reason"}`);
+            this.recordBlockedCommand(
+              this.currentThreadId ?? serverRequest.params.conversationId,
+              this.activeTurnId ?? `legacy-${requestId}`,
+              serverRequest.params.callId,
+              command,
+              result.reason,
+              Date.now()
+            );
+            host.client.respond(requestId, { decision: "denied" });
+            return;
+          }
+        }
+        console.warn("[CodexAspManager] legacy approval requested while sandbox is danger-full-access");
+        host.client.respond(requestId, { decision: "approved" });
+        return;
+      }
       case "applyPatchApproval":
         console.warn("[CodexAspManager] legacy approval requested while sandbox is danger-full-access");
         host.client.respond(requestId, { decision: "approved" });
@@ -7861,6 +8081,20 @@ var CodexAspManager = class extends CodingAgentManager {
   nextTranscriptSequence() {
     return this.codexAspSequence++;
   }
+  recordBlockedCommand(threadId, turnId, itemId, command, reason, startedAtMs) {
+    const output = reason?.includes("Blocked by organization policy") ? reason : `Blocked by organization policy: ${reason || "agents may not merge pull requests."}`;
+    const timestamp = timestampFromMilliseconds(startedAtMs);
+    const blockedItem = {
+      type: "commandExecution",
+      id: itemId,
+      command,
+      aggregatedOutput: output,
+      exitCode: null,
+      status: "declined"
+    };
+    this.upsertTranscriptItem(threadId, turnId, blockedItem, timestamp, "failed", "completed");
+    this.emitTranscriptUpdated(threadId, { immediate: true });
+  }
   syncTranscriptSequence(transcript) {
     if (!transcript) return;
     let next = 0;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "replicas-engine",
-  "version": "0.1.269",
+  "version": "0.1.271",
   "description": "Lightweight API server for Replicas workspaces",
   "type": "module",
   "main": "dist/src/index.js",