sapper-ai 0.4.0 → 0.6.0

package/dist/harden.js

@@ -0,0 +1,309 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getHardenPlanSummary = getHardenPlanSummary;
+exports.runHarden = runHarden;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const readline = __importStar(require("node:readline"));
+const package_json_1 = __importDefault(require("../package.json"));
+const policyYaml_1 = require("./policyYaml");
+const env_1 = require("./utils/env");
+const fs_1 = require("./utils/fs");
+const repoRoot_1 = require("./utils/repoRoot");
+const semver_1 = require("./utils/semver");
+const wrapConfig_1 = require("./mcp/wrapConfig");
+function isInteractivePromptAllowed(options) {
+    if (options.noPrompt === true)
+        return false;
+    if ((0, env_1.isCiEnv)(options.env))
+        return false;
+    return process.stdout.isTTY === true && process.stdin.isTTY === true;
+}
+async function promptYesNo(question, defaultYes) {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const suffix = defaultYes ? ' [Y/n] ' : ' [y/N] ';
+    const answer = await new Promise((res) => rl.question(`${question}${suffix}`, res));
+    rl.close();
+    const normalized = answer.trim().toLowerCase();
+    if (!normalized)
+        return defaultYes;
+    if (normalized === 'y' || normalized === 'yes')
+        return true;
+    if (normalized === 'n' || normalized === 'no')
+        return false;
+    return defaultYes;
+}
+function getWorkflowVersion(options) {
+    const fromFlag = options.workflowVersion?.trim();
+    const fromEnv = options.env?.SAPPERAI_WORKFLOW_VERSION?.trim();
+    const candidate = fromFlag || fromEnv || (typeof package_json_1.default.version === 'string' ? package_json_1.default.version : '');
+    return (0, semver_1.isSemver)(candidate) ? candidate : null;
+}
+function getMcpVersion(options) {
+    const fromFlag = options.mcpVersion?.trim();
+    const fromEnv = options.env?.SAPPERAI_MCP_VERSION?.trim();
+    const candidate = fromFlag || fromEnv || (0, wrapConfig_1.resolveInstalledPackageVersion)('@sapper-ai/mcp') || '';
+    return (0, semver_1.isSemver)(candidate) ? candidate : null;
+}
+function buildWorkflowYaml(version) {
+    return ([
+        'name: SapperAI Scan',
+        '',
+        'on:',
+        '  push:',
+        '  pull_request:',
+        '',
+        'jobs:',
+        '  scan:',
+        '    runs-on: ubuntu-latest',
+        '    steps:',
+        '      - uses: actions/checkout@v4',
+        '      - uses: actions/setup-node@v4',
+        '        with:',
+        "          node-version: '20'",
+        '      - name: SapperAI Scan',
+        `        run: npx -y sapper-ai@${version} scan --policy ./sapperai.config.yaml --no-prompt --no-open --no-save`,
+        '',
+    ].join('\n') + '\n');
+}
+async function planActions(options) {
+    const cwd = options.cwd ?? process.cwd();
+    const env = options.env ?? process.env;
+    const repoRoot = (0, repoRoot_1.findRepoRoot)(cwd);
+    const notes = [];
+    const workflowVersion = getWorkflowVersion({ ...options, env });
+    if (!workflowVersion) {
+        notes.push('Workflow version is unavailable (expected semver). Skipping CI workflow generation.');
+    }
+    const npxAvailable = (0, wrapConfig_1.checkNpxAvailable)();
+    if (!npxAvailable) {
+        notes.push("npx is not available on PATH. Skipping MCP config wrapping.");
+    }
+    const mcpVersion = getMcpVersion({ ...options, env });
+    if (!mcpVersion) {
+        notes.push('MCP version is unavailable (expected semver). Skipping MCP config wrapping.');
+    }
+    const actions = [];
+    const policyPathYaml = (0, node_path_1.join)(repoRoot, 'sapperai.config.yaml');
+    const policyPathYml = (0, node_path_1.join)(repoRoot, 'sapperai.config.yml');
+    if (!(0, node_fs_1.existsSync)(policyPathYaml) && !(0, node_fs_1.existsSync)(policyPathYml)) {
+        actions.push({
+            id: 'project.policy',
+            scope: 'project',
+            title: 'Create project policy (sapperai.config.yaml)',
+            paths: [policyPathYaml],
+            apply: async () => {
+                const header = ['# SapperAI Configuration', '# Generated by: sapper-ai harden', ''].join('\n') + '\n';
+                await (0, fs_1.atomicWriteFile)(policyPathYaml, header + (0, policyYaml_1.renderPolicyYaml)('standard'));
+                return { changed: true };
+            },
+        });
+    }
+    const workflowPath = (0, node_path_1.join)(repoRoot, '.github', 'workflows', 'sapperai.yml');
+    if (!(0, node_fs_1.existsSync)(workflowPath) && workflowVersion) {
+        actions.push({
+            id: 'project.ci_workflow',
+            scope: 'project',
+            title: 'Add GitHub Actions scan workflow (.github/workflows/sapperai.yml)',
+            paths: [workflowPath],
+            apply: async () => {
+                await (0, fs_1.atomicWriteFile)(workflowPath, buildWorkflowYaml(workflowVersion));
+                return { changed: true };
+            },
+        });
+    }
+    const includeSystem = options.includeSystem === true;
+    if (includeSystem) {
+        const home = (0, node_os_1.homedir)();
+        const globalPolicyPath = (0, node_path_1.join)(home, '.sapperai', 'policy.yaml');
+        if (!(0, node_fs_1.existsSync)(globalPolicyPath)) {
+            actions.push({
+                id: 'system.global_policy',
+                scope: 'system',
+                title: 'Create global policy (~/.sapperai/policy.yaml)',
+                paths: [globalPolicyPath],
+                apply: async () => {
+                    const header = ['# SapperAI Global Policy', '# Generated by: sapper-ai harden', ''].join('\n') + '\n';
+                    await (0, fs_1.atomicWriteFile)(globalPolicyPath, header + (0, policyYaml_1.renderPolicyYaml)('standard'));
+                    return { changed: true };
+                },
+            });
+        }
+        const claudeConfigPath = (0, node_path_1.join)(home, '.config', 'claude-code', 'config.json');
+        if ((0, node_fs_1.existsSync)(claudeConfigPath) && npxAvailable && mcpVersion) {
+            let preview = null;
+            try {
+                preview = await (0, wrapConfig_1.wrapMcpConfigFile)({
+                    filePath: claudeConfigPath,
+                    mcpVersion,
+                    format: 'jsonc',
+                    dryRun: true,
+                });
+            }
+            catch (error) {
+                const msg = error instanceof Error ? error.message : String(error);
+                notes.push(`Failed to parse Claude Code config for MCP wrapping. path=${claudeConfigPath} error=${msg}`);
+            }
+            if (preview?.changed) {
+                actions.push({
+                    id: 'system.mcp_wrap_claude',
+                    scope: 'system',
+                    title: 'Wrap Claude Code MCP servers with sapperai-proxy (~/.config/claude-code/config.json)',
+                    paths: [claudeConfigPath],
+                    apply: async () => {
+                        const result = await (0, wrapConfig_1.wrapMcpConfigFile)({
+                            filePath: claudeConfigPath,
+                            mcpVersion,
+                            format: 'jsonc',
+                        });
+                        return { changed: result.changed, note: result.backupPath ? `Backup: ${result.backupPath}` : undefined };
+                    },
+                });
+            }
+        }
+        else if ((0, node_fs_1.existsSync)(claudeConfigPath) && (!npxAvailable || !mcpVersion)) {
+            notes.push('Claude Code config found, but MCP wrapping prerequisites are missing. Provide --mcp-version and ensure npx exists.');
+        }
+    }
+    // Deterministic ordering for readability and testability.
+    const scopeOrder = { project: 0, system: 1 };
+    actions.sort((a, b) => {
+        const diff = scopeOrder[a.scope] - scopeOrder[b.scope];
+        if (diff !== 0)
+            return diff;
+        return a.id.localeCompare(b.id);
+    });
+    return { actions, notes, repoRoot: (0, node_path_1.resolve)(repoRoot) };
+}
+async function getHardenPlanSummary(options = {}) {
+    const { actions, notes, repoRoot } = await planActions(options);
+    return {
+        repoRoot,
+        notes,
+        actions: actions.map((a) => ({ id: a.id, scope: a.scope, title: a.title, paths: a.paths.slice() })),
+    };
+}
+async function runHarden(options = {}) {
+    const env = options.env ?? process.env;
+    const write = options.write ?? ((text) => process.stdout.write(text));
+    const { actions, notes, repoRoot } = await planActions({ ...options, env });
+    write('\n  SapperAI Hardening\n\n');
+    write(`  Repo root: ${repoRoot}\n`);
+    if (actions.length === 0) {
+        write('\n  No hardening actions recommended.\n\n');
+        for (const note of notes) {
+            write(`  Note: ${note}\n`);
+        }
+        if (notes.length > 0)
+            write('\n');
+        return 0;
+    }
+    write('\n  Planned actions:\n');
+    for (const action of actions) {
+        const prefix = action.scope === 'project' ? '  [project]' : '  [system]';
+        write(`${prefix} ${action.title}\n`);
+        for (const p of action.paths) {
+            write(`           - ${p}\n`);
+        }
+    }
+    for (const note of notes) {
+        write(`\n  Note: ${note}\n`);
+    }
+    write('\n');
+    if (options.apply !== true) {
+        write("  Run 'npx sapper-ai harden --apply' to apply project changes.\n");
+        write("  Add '--include-system' to include system changes.\n\n");
+        return 0;
+    }
+    const canPrompt = isInteractivePromptAllowed({ ...options, env });
+    if (!options.yes && !canPrompt) {
+        write("  Refusing to apply changes without confirmation. Use '--yes' (and '--include-system' for system).\n\n");
+        return 1;
+    }
+    const projectActions = actions.filter((a) => a.scope === 'project');
+    const systemActions = actions.filter((a) => a.scope === 'system');
+    let applyProject = options.yes === true;
+    if (!applyProject && projectActions.length > 0) {
+        applyProject = await promptYesNo('Apply project changes now?', true);
+    }
+    if (applyProject) {
+        for (const action of projectActions) {
+            write(`  Applying: ${action.title}\n`);
+            try {
+                await action.apply();
+            }
+            catch (error) {
+                const msg = error instanceof Error ? error.message : String(error);
+                write(`  Error applying action (${action.id}): ${msg}\n\n`);
+                return 1;
+            }
+        }
+        write('  Project hardening complete.\n');
+    }
+    else {
+        write('  Skipped project changes.\n');
+    }
+    if (options.includeSystem !== true || systemActions.length === 0) {
+        write('\n');
+        return 0;
+    }
+    // Two-stage confirmation: system writes are confirmed separately.
+    let applySystem = options.yes === true;
+    if (!applySystem) {
+        applySystem = await promptYesNo('Also apply system changes (writes to your home directory)?', true);
+    }
+    if (!applySystem) {
+        write('  Skipped system changes.\n\n');
+        return 0;
+    }
+    for (const action of systemActions) {
+        write(`  Applying: ${action.title}\n`);
+        try {
+            await action.apply();
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            write(`  Error applying action (${action.id}): ${msg}\n\n`);
+            return 1;
+        }
+    }
+    write('  System hardening complete.\n\n');
+    return 0;
+}

package/dist/mcp/jsonc.d.ts

@@ -0,0 +1,3 @@
+export declare function stripJsonc(input: string): string;
+export declare function parseJsonc<T = unknown>(input: string): T;
+//# sourceMappingURL=jsonc.d.ts.map

package/dist/mcp/jsonc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonc.d.ts","sourceRoot":"","sources":["../../src/mcp/jsonc.ts"],"names":[],"mappings":"AAiIA,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAIhD;AAED,wBAAgB,UAAU,CAAC,CAAC,GAAG,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAExD"}

package/dist/mcp/jsonc.js

@@ -0,0 +1,119 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stripJsonc = stripJsonc;
+exports.parseJsonc = parseJsonc;
+function stripBom(input) {
+    if (input.charCodeAt(0) === 0xfeff) {
+        return input.slice(1);
+    }
+    return input;
+}
+function stripComments(input) {
+    let out = '';
+    let inString = false;
+    let stringQuote = '"';
+    let escaped = false;
+    let inLineComment = false;
+    let inBlockComment = false;
+    for (let i = 0; i < input.length; i += 1) {
+        const ch = input[i];
+        const next = i + 1 < input.length ? input[i + 1] : '';
+        if (inLineComment) {
+            if (ch === '\n') {
+                inLineComment = false;
+                out += ch;
+            }
+            continue;
+        }
+        if (inBlockComment) {
+            if (ch === '*' && next === '/') {
+                inBlockComment = false;
+                i += 1;
+            }
+            continue;
+        }
+        if (inString) {
+            out += ch;
+            if (escaped) {
+                escaped = false;
+                continue;
+            }
+            if (ch === '\\') {
+                escaped = true;
+                continue;
+            }
+            if (ch === stringQuote) {
+                inString = false;
+            }
+            continue;
+        }
+        if (ch === '/' && next === '/') {
+            inLineComment = true;
+            i += 1;
+            continue;
+        }
+        if (ch === '/' && next === '*') {
+            inBlockComment = true;
+            i += 1;
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            inString = true;
+            stringQuote = ch;
+            out += ch;
+            continue;
+        }
+        out += ch;
+    }
+    return out;
+}
+function stripTrailingCommas(input) {
+    let out = '';
+    let inString = false;
+    let stringQuote = '"';
+    let escaped = false;
+    for (let i = 0; i < input.length; i += 1) {
+        const ch = input[i];
+        if (inString) {
+            out += ch;
+            if (escaped) {
+                escaped = false;
+                continue;
+            }
+            if (ch === '\\') {
+                escaped = true;
+                continue;
+            }
+            if (ch === stringQuote) {
+                inString = false;
+            }
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            inString = true;
+            stringQuote = ch;
+            out += ch;
+            continue;
+        }
+        if (ch === ',') {
+            let j = i + 1;
+            while (j < input.length && /\s/.test(input[j])) {
+                j += 1;
+            }
+            const nextNonWs = j < input.length ? input[j] : '';
+            if (nextNonWs === ']' || nextNonWs === '}') {
+                continue;
+            }
+        }
+        out += ch;
+    }
+    return out;
+}
+function stripJsonc(input) {
+    const withoutBom = stripBom(input);
+    const withoutComments = stripComments(withoutBom);
+    return stripTrailingCommas(withoutComments);
+}
+function parseJsonc(input) {
+    return JSON.parse(stripJsonc(input));
+}

package/dist/mcp/wrapConfig.d.ts

@@ -0,0 +1,22 @@
+export declare function checkNpxAvailable(): boolean;
+export declare function resolveInstalledPackageVersion(packageName: string): string | null;
+export interface WrapMcpConfigOptions {
+    filePath: string;
+    mcpVersion: string;
+    format?: 'json' | 'jsonc';
+    dryRun?: boolean;
+}
+export interface WrapMcpConfigResult {
+    changed: boolean;
+    changedServers: string[];
+    backupPath?: string;
+    restoredFromBackupPath?: string;
+}
+export declare function wrapMcpConfigFile(options: WrapMcpConfigOptions): Promise<WrapMcpConfigResult>;
+export interface UnwrapMcpConfigOptions {
+    filePath: string;
+    format?: 'json' | 'jsonc';
+    dryRun?: boolean;
+}
+export declare function unwrapMcpConfigFile(options: UnwrapMcpConfigOptions): Promise<WrapMcpConfigResult>;
+//# sourceMappingURL=wrapConfig.d.ts.map

package/dist/mcp/wrapConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapConfig.d.ts","sourceRoot":"","sources":["../../src/mcp/wrapConfig.ts"],"names":[],"mappings":"AAgBA,wBAAgB,iBAAiB,IAAI,OAAO,CAO3C;AAED,wBAAgB,8BAA8B,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASjF;AAkCD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;IACzB,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,sBAAsB,CAAC,EAAE,MAAM,CAAA;CAChC;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAsDnG;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;IACzB,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAuEvG"}

package/dist/mcp/wrapConfig.js

@@ -0,0 +1,192 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkNpxAvailable = checkNpxAvailable;
+exports.resolveInstalledPackageVersion = resolveInstalledPackageVersion;
+exports.wrapMcpConfigFile = wrapMcpConfigFile;
+exports.unwrapMcpConfigFile = unwrapMcpConfigFile;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const fs_1 = require("../utils/fs");
+const semver_1 = require("../utils/semver");
+const jsonc_1 = require("./jsonc");
+function isRecord(value) {
+    return typeof value === 'object' && value !== null;
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((v) => typeof v === 'string');
+}
+function checkNpxAvailable() {
+    try {
+        const result = (0, node_child_process_1.spawnSync)('npx', ['--version'], { stdio: 'ignore' });
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+function resolveInstalledPackageVersion(packageName) {
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        const pkg = require(`${packageName}/package.json`);
+        const version = typeof pkg.version === 'string' ? pkg.version : null;
+        return version && version.length > 0 ? version : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isWrappedBySapperProxy(command, args) {
+    if (command !== 'npx')
+        return false;
+    if (!isStringArray(args))
+        return false;
+    if (args.length < 6)
+        return false;
+    if (!(args[0] === '-y' || args[0] === '--yes'))
+        return false;
+    if (args[1] !== '--package')
+        return false;
+    if (typeof args[2] !== 'string' || !args[2].startsWith('@sapper-ai/mcp@'))
+        return false;
+    if (args[3] !== 'sapperai-proxy')
+        return false;
+    const sepIndex = args.indexOf('--');
+    return sepIndex >= 0 && sepIndex + 1 < args.length;
+}
+function buildWrappedCommand(originalCommand, originalArgs, mcpVersion) {
+    return {
+        command: 'npx',
+        args: ['-y', '--package', `@sapper-ai/mcp@${mcpVersion}`, 'sapperai-proxy', '--', originalCommand, ...originalArgs],
+    };
+}
+function unwrapWrappedCommand(args) {
+    const sepIndex = args.indexOf('--');
+    if (sepIndex < 0)
+        return null;
+    const originalCommand = args[sepIndex + 1];
+    if (!originalCommand)
+        return null;
+    const originalArgs = args.slice(sepIndex + 2);
+    return { command: originalCommand, args: originalArgs };
+}
+async function wrapMcpConfigFile(options) {
+    if (!(0, semver_1.isSemver)(options.mcpVersion)) {
+        throw new Error(`Invalid MCP version (expected semver): ${options.mcpVersion}`);
+    }
+    if (!(0, node_fs_1.existsSync)(options.filePath)) {
+        throw new Error(`Config file not found: ${options.filePath}`);
+    }
+    const raw = await (0, fs_1.readFileIfExists)(options.filePath);
+    if (raw === null) {
+        throw new Error(`Unable to read config file: ${options.filePath}`);
+    }
+    const parsed = options.format === 'jsonc' ? (0, jsonc_1.parseJsonc)(raw) : JSON.parse(raw);
+    if (!isRecord(parsed)) {
+        throw new Error(`Invalid config format (expected object): ${options.filePath}`);
+    }
+    const mcpServers = parsed.mcpServers;
+    if (!isRecord(mcpServers)) {
+        return { changed: false, changedServers: [] };
+    }
+    const changedServers = [];
+    for (const [name, config] of Object.entries(mcpServers)) {
+        if (!isRecord(config))
+            continue;
+        const command = config.command;
+        const args = config.args;
+        if (typeof command !== 'string')
+            continue;
+        const argList = isStringArray(args) ? args : [];
+        if (isWrappedBySapperProxy(command, argList)) {
+            continue;
+        }
+        const wrapped = buildWrappedCommand(command, argList, options.mcpVersion);
+        config.command = wrapped.command;
+        config.args = wrapped.args;
+        changedServers.push(name);
+    }
+    if (changedServers.length === 0) {
+        return { changed: false, changedServers: [] };
+    }
+    if (options.dryRun === true) {
+        return { changed: true, changedServers };
+    }
+    const backupPath = await (0, fs_1.backupFile)(options.filePath);
+    await (0, fs_1.atomicWriteFile)(options.filePath, `${JSON.stringify(parsed, null, 2)}\n`);
+    return { changed: true, changedServers, backupPath };
+}
+async function unwrapMcpConfigFile(options) {
+    if (!(0, node_fs_1.existsSync)(options.filePath)) {
+        throw new Error(`Config file not found: ${options.filePath}`);
+    }
+    const raw = await (0, fs_1.readFileIfExists)(options.filePath);
+    if (raw === null) {
+        throw new Error(`Unable to read config file: ${options.filePath}`);
+    }
+    let parsed;
+    try {
+        parsed = options.format === 'jsonc' ? (0, jsonc_1.parseJsonc)(raw) : JSON.parse(raw);
+    }
+    catch (error) {
+        const restoredFromBackupPath = findLatestBackupPath(options.filePath);
+        if (!restoredFromBackupPath) {
+            throw error;
+        }
+        if (options.dryRun === true) {
+            return { changed: true, changedServers: [], restoredFromBackupPath };
+        }
+        const backupPath = await (0, fs_1.backupFile)(options.filePath);
+        const backupRaw = await (0, fs_1.readFileIfExists)(restoredFromBackupPath);
+        if (backupRaw === null) {
+            throw error;
+        }
+        await (0, fs_1.atomicWriteFile)(options.filePath, backupRaw);
+        return { changed: true, changedServers: [], backupPath, restoredFromBackupPath };
+    }
+    if (!isRecord(parsed)) {
+        throw new Error(`Invalid config format (expected object): ${options.filePath}`);
+    }
+    const mcpServers = parsed.mcpServers;
+    if (!isRecord(mcpServers)) {
+        return { changed: false, changedServers: [] };
+    }
+    const changedServers = [];
+    for (const [name, config] of Object.entries(mcpServers)) {
+        if (!isRecord(config))
+            continue;
+        const command = config.command;
+        const args = config.args;
+        if (!isWrappedBySapperProxy(command, args)) {
+            continue;
+        }
+        const unwrapped = unwrapWrappedCommand(args);
+        if (!unwrapped)
+            continue;
+        config.command = unwrapped.command;
+        config.args = unwrapped.args;
+        changedServers.push(name);
+    }
+    if (changedServers.length === 0) {
+        return { changed: false, changedServers: [] };
+    }
+    if (options.dryRun === true) {
+        return { changed: true, changedServers };
+    }
+    const backupPath = await (0, fs_1.backupFile)(options.filePath);
+    await (0, fs_1.atomicWriteFile)(options.filePath, `${JSON.stringify(parsed, null, 2)}\n`);
+    return { changed: true, changedServers, backupPath };
+}
+function findLatestBackupPath(originalPath) {
+    let latest = null;
+    const first = `${originalPath}.bak`;
+    if ((0, node_fs_1.existsSync)(first)) {
+        latest = first;
+    }
+    for (let i = 1; i < 1000; i += 1) {
+        const candidate = `${originalPath}.bak.${i}`;
+        if ((0, node_fs_1.existsSync)(candidate)) {
+            latest = candidate;
+        }
+    }
+    return latest;
+}

package/dist/policyYaml.d.ts

@@ -0,0 +1,3 @@
+import type { PresetName } from './presets';
+export declare function renderPolicyYaml(preset: PresetName, auditLogPath?: string): string;
+//# sourceMappingURL=policyYaml.d.ts.map

package/dist/policyYaml.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policyYaml.d.ts","sourceRoot":"","sources":["../src/policyYaml.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AAG3C,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,UAAU,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,CA2BlF"}