soulguard 0.2.1 → 0.2.3

package/dist/index.js

@@ -4096,7 +4096,8 @@ var ownershipSchema = exports_external.object({
   mode: exports_external.string()
 });
 var daemonConfigSchema = exports_external.object({
-  channel: exports_external.string()
+  channel: exports_external.string().optional(),
+  syncIntervalSecs: exports_external.number().int().nonnegative().optional()
 }).passthrough();
 var soulguardConfigSchema = exports_external.object({
   version: exports_external.literal(1),
@@ -6153,6 +6154,7 @@ ${approvalMessage}`;
 }
 
 // ../core/src/sdk/sync.ts
+import { dirname as dirname2 } from "node:path";
 async function sync(options) {
   const { tree, ops, config } = options;
   const drifts = tree.driftedEntities();
@@ -6182,8 +6184,38 @@ async function sync(options) {
       }
     }
   }
+  let stagingCopiesCreated = 0;
+  const protectFiles = tree.flatFiles().filter((f) => f.configTier === "protect");
+  for (const file of protectFiles) {
+    if (file.canonicalHash === null)
+      continue;
+    if (file.stagedHash !== null || file.status === "deleted")
+      continue;
+    const stagePath = stagingPath(file.path);
+    const parentDir = dirname2(stagePath);
+    if (parentDir !== "." && parentDir !== "/" && parentDir !== STAGING_DIR) {
+      await ops.mkdir(parentDir);
+      const defaultOwnership = config.defaultOwnership;
+      if (defaultOwnership) {
+        await ops.chown(parentDir, { user: defaultOwnership.user, group: defaultOwnership.group });
+        await ops.chmod(parentDir, "755");
+      }
+    }
+    const readResult = await ops.readFile(file.path);
+    if (!readResult.ok)
+      continue;
+    const writeResult = await ops.writeFile(stagePath, readResult.value);
+    if (writeResult.ok) {
+      const defaultOwnership = config.defaultOwnership;
+      if (defaultOwnership) {
+        await ops.chown(stagePath, { user: defaultOwnership.user, group: defaultOwnership.group });
+        await ops.chmod(stagePath, defaultOwnership.mode);
+      }
+      stagingCopiesCreated++;
+    }
+  }
   if (errors2.length > 0) {
-    return ok({ drifts, errors: errors2, git: undefined });
+    return ok({ drifts, errors: errors2, git: undefined, stagingCopiesCreated });
   }
   let git;
   if (await isGitEnabled(ops, config)) {
@@ -6195,7 +6227,7 @@ async function sync(options) {
       }
     }
   }
-  return ok({ drifts, errors: errors2, git });
+  return ok({ drifts, errors: errors2, git, stagingCopiesCreated });
 }
 // ../core/src/util/console-live.ts
 var import_picocolors = __toESM(require_picocolors(), 1);
@@ -6280,11 +6312,11 @@ function validateSelfProtection(pendingContents, deletedFiles = []) {
   return ok(undefined);
 }
 // ../core/src/sdk/apply.ts
-import { dirname as dirname2 } from "node:path";
+import { dirname as dirname3 } from "node:path";
 function collectParentDirs(prefix, paths) {
   const dirs = new Set;
   for (const p of paths) {
-    const parent = dirname2(`${prefix}/${p}`);
+    const parent = dirname3(`${prefix}/${p}`);
     if (parent !== prefix) {
       dirs.add(parent);
     }
@@ -6384,7 +6416,7 @@ async function apply(options) {
       }
     } else {
       if (file.status === "created") {
-        const parentDir = dirname2(file.path);
+        const parentDir = dirname3(file.path);
         if (parentDir !== ".") {
           await ops.mkdir(parentDir);
         }
@@ -6432,7 +6464,7 @@ async function apply(options) {
   const defaultOwnership = tree.config.defaultOwnership;
   for (const file of nonDeletedFiles) {
     const stagePath = stagingPath(file.path);
-    const stageParent = dirname2(stagePath);
+    const stageParent = dirname3(stagePath);
     if (stageParent !== STAGING_DIR) {
       await ops.mkdir(stageParent);
     }
@@ -6613,10 +6645,10 @@ class SyncCommand {
     const result = await sync(this.opts);
     if (!result.ok)
       return 1;
-    const { drifts, errors: errors2, git } = result.value;
+    const { drifts, errors: errors2, git, stagingCopiesCreated } = result.value;
     this.out.heading(`Soulguard Sync — ${this.opts.ops.workspace}`);
     this.out.write("");
-    if (drifts.length === 0 && errors2.length === 0) {
+    if (drifts.length === 0 && errors2.length === 0 && stagingCopiesCreated === 0) {
       this.out.success("Nothing to fix — all files ok.");
       this.reportGit(git);
       return 0;
@@ -6639,6 +6671,10 @@ class SyncCommand {
       this.out.write("");
       return 1;
     }
+    if (stagingCopiesCreated > 0) {
+      this.out.success(`  Refreshed ${stagingCopiesCreated} staging ${stagingCopiesCreated === 1 ? "copy" : "copies"}.`);
+      this.out.write("");
+    }
     this.out.success("All files now ok.");
     this.reportGit(git);
     return 0;
@@ -6815,6 +6851,54 @@ class ResetCommand {
     return 0;
   }
 }
+// ../core/src/sdk/staging-ops.ts
+import { dirname as dirname4 } from "node:path";
+function isInProtectTier(path, protectPatterns2) {
+  for (const pattern of protectPatterns2) {
+    const normalized = pattern.endsWith("/") ? pattern.slice(0, -1) : pattern;
+    if (path === normalized || path === pattern)
+      return true;
+    if (path.startsWith(normalized + "/"))
+      return true;
+  }
+  return false;
+}
+async function ensureStagingParentDir(ops, canonicalPath, ownership) {
+  const stagePath = stagingPath(canonicalPath);
+  const parentDir = dirname4(stagePath);
+  if (parentDir === "." || parentDir === "/" || parentDir === STAGING_DIR) {
+    return ok(undefined);
+  }
+  const mkdirResult = await ops.mkdir(parentDir);
+  if (!mkdirResult.ok) {
+    return err(`Cannot create parent directory ${parentDir}: ${mkdirResult.error.kind}`);
+  }
+  if (ownership) {
+    await ops.chown(parentDir, { user: ownership.user, group: ownership.group });
+    await ops.chmod(parentDir, "755");
+  }
+  return ok(undefined);
+}
+async function createStagingCopy(ops, path, ownership) {
+  const stagePath = stagingPath(path);
+  const parentResult = await ensureStagingParentDir(ops, path, ownership);
+  if (!parentResult.ok)
+    return parentResult;
+  const readResult = await ops.readFile(path);
+  if (!readResult.ok) {
+    return err(`Cannot read ${path}: ${readResult.error.kind}`);
+  }
+  const writeResult = await ops.writeFile(stagePath, readResult.value);
+  if (!writeResult.ok) {
+    return err(`Cannot write staging copy ${stagePath}: ${writeResult.error.kind}`);
+  }
+  if (ownership) {
+    await ops.chown(stagePath, { user: ownership.user, group: ownership.group });
+    await ops.chmod(stagePath, ownership.mode);
+  }
+  return ok(undefined);
+}
+
 // ../core/src/cli/tier-command.ts
 function formatSummary(paths) {
   const dirs = paths.filter((p) => p.endsWith("/")).length;
@@ -6981,6 +7065,34 @@ class TierCommand {
           return 1;
         }
       }
+      const defaultOwnership = configResult.value.defaultOwnership;
+      await ops.mkdir(".soulguard-staging");
+      if (defaultOwnership) {
+        await ops.chown(".soulguard-staging", {
+          user: defaultOwnership.user,
+          group: defaultOwnership.group
+        });
+        await ops.chmod(".soulguard-staging", "755");
+      }
+      for (const file of changedPaths) {
+        const isDir = await isDirectory(ops, file);
+        if (isDir) {
+          const listResult = await ops.listDir(file);
+          if (listResult.ok) {
+            for (const childPath of listResult.value) {
+              const copyResult = await createStagingCopy(ops, childPath, defaultOwnership ?? undefined);
+              if (!copyResult.ok) {
+                this.out.warn(`  Warning: staging copy failed for ${childPath}: ${copyResult.error}`);
+              }
+            }
+          }
+        } else {
+          const copyResult = await createStagingCopy(ops, file, defaultOwnership ?? undefined);
+          if (!copyResult.ok) {
+            this.out.warn(`  Warning: staging copy failed for ${file}: ${copyResult.error}`);
+          }
+        }
+      }
     } else if (action.kind === "set" && action.tier === "watch") {
       const defaultOwnership = configResult.value.defaultOwnership;
       for (const file of changedPaths) {
@@ -7018,153 +7130,114 @@ class TierCommand {
     return 0;
   }
 }
-// ../core/src/sdk/stage.ts
-import { dirname as dirname3 } from "node:path";
-function isInProtectTier(path, protectPatterns2) {
-  for (const pattern of protectPatterns2) {
-    const normalized = pattern.endsWith("/") ? pattern.slice(0, -1) : pattern;
-    if (path === normalized || path === pattern)
-      return true;
-    if (path.startsWith(normalized + "/"))
-      return true;
-  }
-  return false;
-}
-async function ensureParentDir(ops, path) {
-  const parentDir = dirname3(path);
-  if (parentDir === "." || parentDir === "/") {
-    return ok(undefined);
+// ../core/src/sdk/create.ts
+async function create(options) {
+  const { ops, config, path } = options;
+  if (!isInProtectTier(path, protectPatterns(config))) {
+    return err({ kind: "not_in_protect_tier", path });
   }
-  const mkdirResult = await ops.mkdir(parentDir);
-  if (!mkdirResult.ok) {
-    return err(`Cannot create parent directory ${parentDir}: ${mkdirResult.error.kind}`);
+  const exists = await ops.exists(path);
+  if (exists.ok && exists.value) {
+    return ok({ path, alreadyExisted: true });
   }
-  return ok(undefined);
-}
-async function stage(options) {
-  const { ops, config, path, delete: isDelete } = options;
-  const protectFiles = protectPatterns(config);
-  if (!isInProtectTier(path, protectFiles)) {
-    return err({ kind: "not_in_protect_tier", path });
+  const stagePath = stagingPath(path);
+  const parentResult = await ensureStagingParentDir(ops, path);
+  if (!parentResult.ok) {
+    return err({ kind: "create_failed", path, message: parentResult.error });
   }
-  const stagedFiles = [];
-  const pathStat = await ops.stat(path);
-  if (!pathStat.ok && pathStat.error.kind !== "not_found") {
+  const writeResult = await ops.writeFile(stagePath, "");
+  if (!writeResult.ok) {
     return err({
-      kind: "stage_failed",
+      kind: "create_failed",
       path,
-      message: `Cannot stat path: ${pathStat.error.kind}`
+      message: `Cannot create staging file: ${writeResult.error.kind}`
     });
   }
-  const isDirectory2 = pathStat.ok && pathStat.value.isDirectory;
-  if (isDirectory2 && isDelete) {
-    const stagePath = stagingPath(path);
-    const existsResult = await ops.exists(stagePath);
-    if (existsResult.ok && existsResult.value) {
-      const readResult = await ops.readFile(stagePath);
-      if (readResult.ok && isDeleteSentinel(readResult.value)) {
-        return ok({ stagedFiles: [] });
-      }
-    }
-    const parentResult = await ensureParentDir(ops, stagePath);
-    if (!parentResult.ok) {
-      return err({ kind: "stage_failed", path, message: parentResult.error });
-    }
-    const writeResult = await ops.writeFile(stagePath, JSON.stringify(DELETE_SENTINEL, null, 2));
-    if (!writeResult.ok) {
-      return err({
-        kind: "stage_failed",
-        path,
-        message: `Cannot write delete sentinel: ${writeResult.error.kind}`
-      });
-    }
-    stagedFiles.push({ path, action: "delete" });
-  } else if (isDirectory2 && !isDelete) {
-    const listResult = await ops.listDir(path);
-    if (!listResult.ok) {
-      return err({
-        kind: "stage_failed",
-        path,
-        message: `Cannot list directory: ${listResult.error.kind}`
-      });
+  return ok({ path, alreadyExisted: false });
+}
+
+// ../core/src/cli/create-command.ts
+class CreateCommand {
+  opts;
+  out;
+  constructor(opts, out) {
+    this.opts = opts;
+    this.out = out;
+  }
+  async execute() {
+    const { ops, config, paths } = this.opts;
+    if (paths.length === 0) {
+      this.out.error("No paths specified.");
+      return 1;
     }
-    for (const filePath of listResult.value) {
-      const result = await stage({ ops, config, path: filePath, delete: isDelete });
+    let created = 0;
+    for (const path of paths) {
+      const result = await create({ ops, config, path });
       if (!result.ok) {
-        return result;
-      }
-      stagedFiles.push(...result.value.stagedFiles);
-    }
-  } else if (!isDirectory2 && isDelete) {
-    const stagePath = stagingPath(path);
-    const existsResult = await ops.exists(stagePath);
-    if (existsResult.ok && existsResult.value) {
-      const readResult = await ops.readFile(stagePath);
-      if (readResult.ok && isDeleteSentinel(readResult.value)) {
-        return ok({ stagedFiles: [] });
+        switch (result.error.kind) {
+          case "not_in_protect_tier":
+            this.out.error(`${result.error.path} is not in the protect tier.`);
+            return 1;
+          case "create_failed":
+            this.out.error(`Failed to create ${result.error.path}: ${result.error.message}`);
+            return 1;
+        }
       }
-    }
-    const parentResult = await ensureParentDir(ops, stagePath);
-    if (!parentResult.ok) {
-      return err({ kind: "stage_failed", path, message: parentResult.error });
-    }
-    const writeResult = await ops.writeFile(stagePath, JSON.stringify(DELETE_SENTINEL, null, 2));
-    if (!writeResult.ok) {
-      return err({
-        kind: "stage_failed",
-        path,
-        message: `Cannot write delete sentinel: ${writeResult.error.kind}`
-      });
-    }
-    stagedFiles.push({ path, action: "delete" });
-  } else if (!isDirectory2 && !isDelete) {
-    const stagePath = stagingPath(path);
-    const existsResult = await ops.exists(stagePath);
-    if (existsResult.ok && existsResult.value) {
-      const readResult = await ops.readFile(stagePath);
-      if (readResult.ok && isDeleteSentinel(readResult.value)) {} else {
-        return ok({ stagedFiles: [] });
+      if (result.value.alreadyExisted) {
+        this.out.warn(`  · ${path} (already exists — staging copy was created automatically)`);
+        continue;
       }
+      this.out.success(`  + ${path} → ${stagingPath(path)}`);
+      created++;
     }
-    const parentResult = await ensureParentDir(ops, stagePath);
-    if (!parentResult.ok) {
-      return err({ kind: "stage_failed", path, message: parentResult.error });
-    }
-    const sourceExists = await ops.exists(path);
-    if (sourceExists.ok && sourceExists.value) {
-      const readResult = await ops.readFile(path);
-      if (!readResult.ok) {
-        return err({
-          kind: "stage_failed",
-          path,
-          message: `Cannot read file: ${readResult.error.kind}`
-        });
-      }
-      const writeResult = await ops.writeFile(stagePath, readResult.value);
-      if (!writeResult.ok) {
-        return err({
-          kind: "stage_failed",
-          path,
-          message: `Cannot write staging copy: ${writeResult.error.kind}`
-        });
-      }
+    if (created === 0) {
+      this.out.info("Nothing to create.");
     } else {
-      const writeResult = await ops.writeFile(stagePath, "");
-      if (!writeResult.ok) {
-        return err({
-          kind: "stage_failed",
-          path,
-          message: `Cannot create empty staging file: ${writeResult.error.kind}`
-        });
-      }
+      this.out.write("");
+      this.out.success(`Created ${created} staging ${created === 1 ? "entry" : "entries"}.`);
+    }
+    return 0;
+  }
+}
+// ../core/src/sdk/delete.ts
+async function deleteStagingEntry(options) {
+  const { ops, config, path } = options;
+  if (!isInProtectTier(path, protectPatterns(config))) {
+    return err({ kind: "not_in_protect_tier", path });
+  }
+  const diskExists = await ops.exists(path);
+  const stagePath = stagingPath(path);
+  const stagingExists = await ops.exists(stagePath);
+  if ((!diskExists.ok || !diskExists.value) && (!stagingExists.ok || !stagingExists.value)) {
+    return err({ kind: "not_found", path });
+  }
+  if (stagingExists.ok && stagingExists.value) {
+    const readResult = await ops.readFile(stagePath);
+    if (readResult.ok && isDeleteSentinel(readResult.value)) {
+      return err({ kind: "already_deleted", path });
     }
-    stagedFiles.push({ path, action: "edit" });
   }
-  return ok({ stagedFiles });
+  const stageExists = await ops.stat(stagePath);
+  if (stageExists.ok && stageExists.value.isDirectory) {
+    await ops.exec("rm", ["-rf", stagePath]);
+  }
+  const parentResult = await ensureStagingParentDir(ops, path);
+  if (!parentResult.ok) {
+    return err({ kind: "delete_failed", path, message: parentResult.error });
+  }
+  const writeResult = await ops.writeFile(stagePath, JSON.stringify(DELETE_SENTINEL, null, 2));
+  if (!writeResult.ok) {
+    return err({
+      kind: "delete_failed",
+      path,
+      message: `Cannot write delete sentinel: ${writeResult.error.kind}`
+    });
+  }
+  return ok({ path });
 }
 
-// ../core/src/cli/stage-command.ts
-class StageCommand {
+// ../core/src/cli/delete-command.ts
+class DeleteCommand {
   opts;
   out;
   constructor(opts, out) {
@@ -7172,46 +7245,38 @@ class StageCommand {
     this.out = out;
   }
   async execute() {
-    const { ops, config, paths, delete: isDelete } = this.opts;
+    const { ops, config, paths } = this.opts;
     if (paths.length === 0) {
       this.out.error("No paths specified.");
       return 1;
     }
-    const allStagedFiles = [];
-    const alreadyStaged = [];
+    let deleted = 0;
     for (const path of paths) {
-      const result = await stage({ ops, config, path, delete: isDelete });
+      const result = await deleteStagingEntry({ ops, config, path });
       if (!result.ok) {
         switch (result.error.kind) {
           case "not_in_protect_tier":
             this.out.error(`${result.error.path} is not in the protect tier.`);
             return 1;
-          case "stage_failed":
-            this.out.error(`Failed to stage ${result.error.path}: ${result.error.message}`);
+          case "not_found":
+            this.out.error(`${result.error.path} does not exist.`);
+            return 1;
+          case "already_deleted":
+            this.out.info(`  · ${result.error.path} (already staged for deletion)`);
+            continue;
+          case "delete_failed":
+            this.out.error(`Failed to delete ${result.error.path}: ${result.error.message}`);
             return 1;
         }
       }
-      if (result.value.stagedFiles.length === 0) {
-        alreadyStaged.push(path);
-      } else {
-        allStagedFiles.push(...result.value.stagedFiles);
-      }
-    }
-    for (const file of alreadyStaged) {
-      this.out.info(`  · ${file} (already staged)`);
-    }
-    for (const { path, action } of allStagedFiles) {
-      if (action === "delete") {
-        this.out.success(`  \uD83D\uDDD1️  ${path} (staged for deletion)`);
-      } else {
-        this.out.success(`  \uD83D\uDCDD ${path} (staged for editing)`);
-      }
+      this.out.success(`  \uD83D\uDDD1️  ${path} (staged for deletion)`);
+      deleted++;
     }
-    if (allStagedFiles.length === 0) {
-      this.out.info("Nothing to stage.");
+    if (deleted === 0) {
+      this.out.info("Nothing to do.");
     } else {
       this.out.write("");
-      this.out.success(`Staged ${allStagedFiles.length} file(s).`);
+      this.out.success(`Staged ${deleted} ${deleted === 1 ? "path" : "paths"} for deletion.`);
     }
     return 0;
   }
@@ -7405,6 +7470,9 @@ class ProposalManager extends EventEmitter {
     this._abortController = null;
   }
 }
+// ../core/src/daemon/daemon.ts
+import { EventEmitter as EventEmitter2 } from "node:events";
+
 // ../core/src/daemon/channel-registry.ts
 var REGISTRY_KEY = "__soulguard_channel_registry__";
 function getRegistry() {
@@ -7422,13 +7490,16 @@ function getChannel(name) {
 }
 
 // ../core/src/daemon/daemon.ts
-class SoulguardDaemon {
+class SoulguardDaemon extends EventEmitter2 {
   _ops;
   _config;
   _channel = null;
   _proposalManager = null;
+  _syncTimer = null;
+  _syncRunning = false;
   _running = false;
   constructor(options) {
+    super();
     this._ops = options.ops;
     this._config = options.config;
   }
@@ -7446,28 +7517,40 @@ class SoulguardDaemon {
       throw new Error("Daemon configuration missing. Add a 'daemon' section to soulguard.json.");
     }
     const channelName = daemonConfig.channel;
-    console.log(`[daemon] channel: "${channelName}", config keys: ${JSON.stringify(Object.keys(daemonConfig))}`);
-    const createChannelFn = getChannel(channelName);
-    if (!createChannelFn) {
-      throw new Error(`No channel registered for "${channelName}". Register it with registerChannel() before starting the daemon.`);
-    }
-    const channelConfig = daemonConfig[channelName];
-    console.log(`[daemon] channelConfig present: ${!!channelConfig}, keys: ${channelConfig ? JSON.stringify(Object.keys(channelConfig)) : "n/a"}`);
-    this._channel = createChannelFn(channelConfig);
-    console.log(`[daemon] channel created: ${this._channel.name}`);
-    this._proposalManager = new ProposalManager({
-      ops: this._ops,
-      config: this._config,
-      channel: this._channel
-    });
-    console.log(`[daemon] starting proposal manager`);
-    this._proposalManager.start();
+    if (channelName) {
+      const createChannelFn = getChannel(channelName);
+      if (!createChannelFn) {
+        throw new Error(`No channel registered for "${channelName}". Register it with registerChannel() before starting the daemon.`);
+      }
+      const channelConfig = daemonConfig[channelName];
+      this._channel = createChannelFn(channelConfig);
+      this._proposalManager = new ProposalManager({
+        ops: this._ops,
+        config: this._config,
+        channel: this._channel
+      });
+      this._proposalManager.on("proposed", (...args) => this.emit("proposed", ...args));
+      this._proposalManager.on("applied", (...args) => this.emit("applied", ...args));
+      this._proposalManager.on("rejected", (...args) => this.emit("rejected", ...args));
+      this._proposalManager.on("superseded", (...args) => this.emit("superseded", ...args));
+      this._proposalManager.on("error", (...args) => this.emit("proposal:error", ...args));
+      this._proposalManager.start();
+    }
+    const syncIntervalSecs = daemonConfig.syncIntervalSecs ?? 60;
+    if (syncIntervalSecs > 0) {
+      this._runSync();
+      this._syncTimer = setInterval(() => this._runSync(), syncIntervalSecs * 1000);
+    }
     this._running = true;
   }
   async stop() {
     if (!this._running)
       return;
     this._running = false;
+    if (this._syncTimer) {
+      clearInterval(this._syncTimer);
+      this._syncTimer = null;
+    }
     if (this._proposalManager) {
       await this._proposalManager.stop();
       this._proposalManager = null;
@@ -7477,6 +7560,35 @@ class SoulguardDaemon {
       this._channel = null;
     }
   }
+  async _runSync() {
+    if (this._syncRunning)
+      return;
+    this._syncRunning = true;
+    try {
+      const treeResult = await StateTree.build({
+        ops: this._ops,
+        config: this._config
+      });
+      if (!treeResult.ok) {
+        this.emit("sync:error", new Error(`StateTree.build failed: ${treeResult.error.message}`));
+        return;
+      }
+      const syncResult = await sync({
+        tree: treeResult.value,
+        ops: this._ops,
+        config: this._config
+      });
+      if (!syncResult.ok) {
+        this.emit("sync:error", new Error(`sync failed: ${syncResult.error.message}`));
+        return;
+      }
+      this.emit("synced", syncResult.value);
+    } catch (e) {
+      this.emit("sync:error", e instanceof Error ? e : new Error(String(e)));
+    } finally {
+      this._syncRunning = false;
+    }
+  }
 }
 // ../core/src/daemon/service.ts
 function generateServiceFile(options) {
@@ -7578,10 +7690,9 @@ var templates = {
       "workspace/HEARTBEAT.md",
       "workspace/BOOTSTRAP.md",
       "openclaw.json",
-      "cron/",
       "extensions/"
     ],
-    watch: ["workspace/MEMORY.md", "workspace/memory/", "workspace/skills/"],
+    watch: ["workspace/MEMORY.md", "workspace/memory/", "workspace/skills/", "cron/"],
     release: ["workspace/sessions/"]
   },
   paranoid: {
@@ -7629,8 +7740,9 @@ var templates = {
 };
 // ../openclaw/src/plugin.ts
 import { readFileSync } from "node:fs";
+import { access as access2, chmod, copyFile, mkdir } from "node:fs/promises";
 import os from "node:os";
-import { join as join2 } from "node:path";
+import { dirname as dirname5, join as join2 } from "node:path";
 
 // ../openclaw/src/guard.ts
 import path from "node:path";
@@ -7638,40 +7750,57 @@ var WRITE_TOOLS = new Set(["write", "edit"]);
 var PATH_KEYS = ["file_path", "path", "file"];
 function guardToolCall(toolName, params, options) {
   if (!WRITE_TOOLS.has(toolName.toLowerCase())) {
-    return { blocked: false };
+    return { action: "allow" };
   }
-  let targetPath;
+  let pathKey;
+  let rawPath;
   for (const key of PATH_KEYS) {
     const v = params[key];
     if (typeof v === "string" && v.length > 0) {
-      targetPath = v;
+      pathKey = key;
+      rawPath = v;
       break;
     }
   }
-  if (targetPath && path.isAbsolute(targetPath)) {
-    targetPath = path.relative(options.stateDir, targetPath);
-  }
-  if (!targetPath)
-    return { blocked: false };
-  if (isStagingPath(targetPath))
-    return { blocked: false };
-  if (!isProtectedFile(options.protectFiles, targetPath))
-    return { blocked: false };
+  if (!pathKey || !rawPath)
+    return { action: "allow" };
+  const isAbsolute = path.isAbsolute(rawPath);
+  const relativePath = isAbsolute ? path.relative(options.stateDir, rawPath) : rawPath;
+  if (isStagingPath(relativePath))
+    return { action: "allow" };
+  if (!isProtectedFile(options.protectFiles, relativePath))
+    return { action: "allow" };
+  const relativeStaging = stagingPath(relativePath);
+  const redirectedPath = isAbsolute ? path.join(options.stateDir, relativeStaging) : relativeStaging;
   return {
-    blocked: true,
-    reason: [
-      `${targetPath} is protected by soulguard.`,
-      `To propose changes, run \`soulguard stage ${targetPath}\` to create a working copy,`,
-      `then edit the staged file at ${stagingPath(targetPath)}.`,
-      `Run \`soulguard diff\` to review your changes.`,
-      `Your owner will review and apply the changes.`
-    ].join(" ")
+    action: "redirect",
+    pathKey,
+    originalPath: relativePath,
+    redirectedPath
   };
 }
 
 // ../openclaw/src/plugin.ts
 var PKG_VERSION = typeof SOULGUARD_VERSION !== "undefined" ? SOULGUARD_VERSION : "0.0.0-dev";
 var PLUGIN_DESCRIPTION = "Identity protection for AI agents";
+var MAX_TRACKED_REDIRECTS = 1024;
+var redirectMap = new Map;
+async function ensureStagingCopy(originalAbsPath, stagingAbsPath) {
+  try {
+    await access2(stagingAbsPath);
+    return;
+  } catch {}
+  await mkdir(dirname5(stagingAbsPath), { recursive: true });
+  try {
+    await copyFile(originalAbsPath, stagingAbsPath);
+    await chmod(stagingAbsPath, 420);
+  } catch {}
+}
+function buildRedirectWarning(info) {
+  return `
+
+[Soulguard] This edit was redirected to the staging copy at ${info.redirectedPath}. ` + `The original file ${info.originalPath} is protected. ` + "Run `soulguard diff` to review your changes. " + "Your owner will review and apply them.";
+}
 function createSoulguardPlugin(options) {
   return {
     id: "soulguard",
@@ -7692,7 +7821,7 @@ function createSoulguardPlugin(options) {
       }
       if (protectFiles.length === 0)
         return;
-      api.on("before_tool_call", (...args) => {
+      api.on("before_tool_call", async (...args) => {
         const event = args[0];
         if (!event || typeof event !== "object" || !("toolName" in event)) {
           return;
@@ -7702,11 +7831,57 @@ function createSoulguardPlugin(options) {
           protectFiles,
           stateDir
         });
-        if (result.blocked) {
+        if (result.action === "block") {
           return { block: true, blockReason: result.reason };
         }
+        if (result.action === "redirect") {
+          const originalAbsPath = join2(stateDir, result.originalPath);
+          const stagingAbsPath = result.redirectedPath.startsWith("/") ? result.redirectedPath : join2(stateDir, result.redirectedPath);
+          await ensureStagingCopy(originalAbsPath, stagingAbsPath);
+          const toolCallId = e.toolCallId;
+          if (toolCallId) {
+            if (redirectMap.size >= MAX_TRACKED_REDIRECTS) {
+              const oldest = redirectMap.keys().next().value;
+              if (oldest)
+                redirectMap.delete(oldest);
+            }
+            redirectMap.set(toolCallId, {
+              originalPath: result.originalPath,
+              redirectedPath: result.redirectedPath
+            });
+          }
+          return {
+            params: { [result.pathKey]: result.redirectedPath }
+          };
+        }
         return;
       });
+      api.on("tool_result_persist", (...args) => {
+        const event = args[0];
+        if (!event?.toolCallId || !event.message)
+          return;
+        const info = redirectMap.get(event.toolCallId);
+        if (!info)
+          return;
+        redirectMap.delete(event.toolCallId);
+        const warning = buildRedirectWarning(info);
+        const msg = event.message;
+        const content = Array.isArray(msg.content) ? [...msg.content] : [];
+        let lastText;
+        for (let i = content.length - 1;i >= 0; i--) {
+          const block = content[i];
+          if (block && block.type === "text") {
+            lastText = block;
+            break;
+          }
+        }
+        if (lastText && lastText.text != null) {
+          lastText.text += warning;
+        } else {
+          content.push({ type: "text", text: warning.trimStart() });
+        }
+        return { message: { ...msg, content } };
+      });
     }
   };
 }
@@ -7752,6 +7927,7 @@ export {
   makeDefaultConfig,
   isStagingPath,
   isProtectedFile,
+  isInProtectTier,
   isDeleteSentinel,
   guardianName,
   getProtectOwnership,
@@ -7762,13 +7938,15 @@ export {
   evaluatePolicies,
   err,
   diff,
+  deleteStagingEntry,
+  createStagingCopy,
+  create,
   apply,
   TierCommand,
   SyncCommand,
   StatusCommand,
   StateTreeBuildError,
   StateTree,
-  StageCommand,
   SoulguardDaemon,
   STAGING_DIR,
   SOULGUARD_GROUP,
@@ -7778,6 +7956,8 @@ export {
   MockSystemOps,
   LiveConsoleOutput,
   DiffCommand,
+  DeleteCommand,
   DELETE_SENTINEL,
+  CreateCommand,
   ApplyCommand
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "soulguard",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Identity protection for AI agents",
   "homepage": "https://soulguard.ai",
   "license": "MIT",