thumbgate 1.26.8 → 1.27.3

package/scripts/workflow-sentinel.js

@@ -64,11 +64,14 @@ function loadJson(filePath) {
 function loadGovernanceState() {
   const raw = loadJson(GOVERNANCE_STATE_PATH);
   return {
-    taskScope: raw && raw.taskScope && typeof raw.taskScope === 'object' ? raw.taskScope : null,
-    protectedApprovals: Array.isArray(raw && raw.protectedApprovals) ? raw.protectedApprovals : [],
-    branchGovernance: raw && raw.branchGovernance && typeof raw.branchGovernance === 'object'
+    taskScope: raw?.taskScope && typeof raw.taskScope === 'object' ? raw.taskScope : null,
+    protectedApprovals: Array.isArray(raw?.protectedApprovals) ? raw.protectedApprovals : [],
+    branchGovernance: raw?.branchGovernance && typeof raw.branchGovernance === 'object'
       ? raw.branchGovernance
       : null,
+    workflowContract: raw?.workflowContract && typeof raw.workflowContract === 'object'
+      ? raw.workflowContract
+      : null,
   };
 }
 
@@ -361,6 +364,131 @@ function formatFileList(files, limit = 5) {
   return `${items.slice(0, limit).join(', ')} (+${items.length - limit} more)`;
 }
 
+function normalizeStringList(values) {
+  if (!Array.isArray(values)) return [];
+  return [...new Set(values.map((value) => String(value || '').trim()).filter(Boolean))];
+}
+
+function normalizeWorkflowContract(contract) {
+  if (!contract || typeof contract !== 'object') return null;
+  return {
+    workflowId: String(contract.workflowId || contract.workflow_id || '').trim() || null,
+    allowedBranches: normalizeStringList(contract.allowedBranches || contract.allowed_branches),
+    blockedActions: normalizeStringList(contract.blockedActions || contract.blocked_actions),
+    requiredEvidence: normalizeStringList(contract.requiredEvidence || contract.required_evidence),
+    completionGate: String(contract.completionGate || contract.completion_gate || '').trim() || null,
+  };
+}
+
+function commandMatchesPattern(command, pattern) {
+  const text = String(command || '');
+  const raw = String(pattern || '').trim();
+  if (!text || !raw) return false;
+  try {
+    return new RegExp(raw, 'i').test(text);
+  } catch {
+    return text.toLowerCase().includes(raw.toLowerCase());
+  }
+}
+
+const COMPLETION_ACTION_PATTERNS = [
+  /\bgit\s+(?:commit|push)\b/i,
+  /\bgh\s+pr\s+(?:create|merge)\b/i,
+  /\bgh\s+release\s+create\b/i,
+  /\bnpm\s+publish\b/i,
+  /\byarn\s+publish\b/i,
+  /\bpnpm\s+publish\b/i,
+];
+
+function isCompletionLikeAction(command) {
+  const text = String(command || '');
+  return COMPLETION_ACTION_PATTERNS.some((pattern) => pattern.test(text));
+}
+
+function collectEvidenceLabels(toolInput = {}, options = {}) {
+  const values = [];
+  for (const source of [
+    toolInput.evidence,
+    toolInput.evidenceLabels,
+    toolInput.proof,
+    toolInput.proofArtifacts,
+    toolInput.requiredEvidenceSatisfied,
+    options.evidence,
+    options.evidenceLabels,
+    options.proofArtifacts,
+  ]) {
+    if (Array.isArray(source)) values.push(...source);
+    else if (source && typeof source === 'object') values.push(...Object.keys(source).filter((key) => source[key]));
+    else if (typeof source === 'string') values.push(...source.split(/[,;\n]/));
+  }
+  return normalizeStringList(values).map((value) => value.toLowerCase());
+}
+
+function evaluateWorkflowContract(contractInput, context = {}) {
+  const contract = normalizeWorkflowContract(contractInput);
+  if (!contract) {
+    return {
+      active: false,
+      contract: null,
+      violations: [],
+      mode: 'allow',
+    };
+  }
+  const violations = [];
+  const command = String(context.command || '');
+  const currentBranch = String(context.currentBranch || '').trim();
+
+  const blockedAction = contract.blockedActions.find((pattern) => commandMatchesPattern(command, pattern));
+  if (blockedAction) {
+    violations.push({
+      code: 'blocked_action',
+      severity: 'block',
+      message: `Workflow contract blocks this action: ${blockedAction}`,
+      pattern: blockedAction,
+    });
+  }
+
+  if (contract.allowedBranches.length > 0 && currentBranch) {
+    const allowed = contract.allowedBranches.some((glob) => matchesAnyGlob(currentBranch, [glob]));
+    if (!allowed) {
+      violations.push({
+        code: 'branch_outside_contract',
+        severity: 'warn',
+        message: `Current branch ${currentBranch} is outside the workflow contract.`,
+        currentBranch,
+        allowedBranches: contract.allowedBranches,
+      });
+    }
+  }
+
+  if (contract.requiredEvidence.length > 0 && isCompletionLikeAction(command)) {
+    const evidenceLabels = collectEvidenceLabels(context.toolInput || {}, context.options || {});
+    const missing = contract.requiredEvidence.filter((label) => !evidenceLabels.includes(label.toLowerCase()));
+    if (missing.length > 0) {
+      violations.push({
+        code: 'missing_required_evidence',
+        severity: 'block',
+        message: `Workflow completion is missing required evidence: ${missing.join(', ')}`,
+        missingEvidence: missing,
+      });
+    }
+  }
+
+  const hasBlock = violations.some((violation) => violation.severity === 'block');
+  let mode = 'allow';
+  if (hasBlock) {
+    mode = 'block';
+  } else if (violations.length > 0) {
+    mode = 'warn';
+  }
+  return {
+    active: true,
+    contract,
+    violations,
+    mode,
+  };
+}
+
 function severityFromScore(score) {
   if (score >= 0.8) return 'critical';
   if (score >= 0.55) return 'high';
@@ -434,6 +562,7 @@ function scoreRisk({
   protectedSurface,
   costControl,
   workflowControl,
+  workflowContract,
   actionProfile,
 }) {
   const drivers = [];
@@ -590,7 +719,18 @@ function scoreRisk({
       );
     }
   }
-  if (memoryGuard && memoryGuard.mode && memoryGuard.mode !== 'allow') {
+  if (workflowContract?.active && workflowContract.violations.length > 0) {
+    for (const violation of workflowContract.violations) {
+      addDriver(
+        drivers,
+        `workflow_contract_${violation.code}`,
+        violation.severity === 'block' ? 0.38 : 0.18,
+        violation.message,
+        { workflowId: workflowContract.contract?.workflowId }
+      );
+    }
+  }
+  if (memoryGuard?.mode && memoryGuard.mode !== 'allow') {
     addDriver(
       drivers,
       'memory_recurrence',
@@ -599,7 +739,7 @@ function scoreRisk({
       { mode: memoryGuard.mode }
     );
   }
-  if (learnedPolicy && learnedPolicy.enabled && learnedPolicy.prediction) {
+  if (learnedPolicy?.enabled && learnedPolicy.prediction) {
     const confidence = learnedPolicy.prediction.confidence || 0;
     const label = learnedPolicy.prediction.label;
     if (label === 'deny' && confidence >= 0.6) {
@@ -663,6 +803,7 @@ function buildEvidence({
   normalizedAction,
   costControl,
   workflowControl,
+  workflowContract,
   actionProfile,
 }) {
   const evidence = [];
@@ -683,10 +824,17 @@ function buildEvidence({
       evidence.push(`Workflow control ${workflowControl.mode}: ${workflowControl.reasons.join(' ')}`);
     }
   }
-  if (actionProfile && actionProfile.backgroundAgent) {
+  if (workflowContract?.active) {
+    const workflowId = workflowContract.contract?.workflowId || 'unnamed';
+    evidence.push(`Workflow contract active: ${workflowId}.`);
+    for (const violation of workflowContract.violations.slice(0, 3)) {
+      evidence.push(`Workflow contract ${violation.severity}: ${violation.message}`);
+    }
+  }
+  if (actionProfile?.backgroundAgent) {
     evidence.push('Background or scheduled agent context detected for this action.');
   }
-  if (actionProfile && actionProfile.economicAction) {
+  if (actionProfile?.economicAction) {
     evidence.push('Economic action keywords detected (billing, refunds, payouts, invoices, or subscriptions).');
   }
   if (actionProfile && actionProfile.customerSystemAction) {
@@ -801,6 +949,7 @@ function buildRemediations({
   executionSurface,
   costControl,
   workflowControl,
+  workflowContract,
   actionProfile,
 }) {
   const remediations = [];
@@ -895,7 +1044,7 @@ function buildRemediations({
       'Isolated execution limits host damage when a high-risk local action goes wrong.'
     );
   }
-  if (costControl && costControl.mode && costControl.mode !== 'allow') {
+  if (costControl?.mode && costControl.mode !== 'allow') {
     push(
       'reduce_model_budget',
       'Reduce model budget before execution',
@@ -903,6 +1052,33 @@ function buildRemediations({
       'High token or cost estimates should be reviewed before the model/tool loop continues.'
     );
   }
+  if (workflowContract?.active && workflowContract.violations.length > 0) {
+    const codes = new Set(workflowContract.violations.map((violation) => violation.code));
+    if (codes.has('missing_required_evidence')) {
+      push(
+        'attach_workflow_evidence',
+        'Attach workflow evidence before completion',
+        'Attach every required evidence label from the workflow contract before commit, push, PR, merge, release, or publish.',
+        'Deterministic workflows should not claim completion until the run contract is proven.'
+      );
+    }
+    if (codes.has('branch_outside_contract')) {
+      push(
+        'switch_to_contract_branch',
+        'Move to an allowed workflow branch',
+        'Switch to a branch allowed by the workflow contract or update the contract before retrying.',
+        'Workflow contracts define where repeatable agent runs are allowed to mutate state.'
+      );
+    }
+    if (codes.has('blocked_action')) {
+      push(
+        'remove_blocked_workflow_action',
+        'Remove blocked workflow action',
+        'Change the workflow step or request an explicit contract update before retrying this action.',
+        'The run contract blocks this action before execution.'
+      );
+    }
+  }
   if (workflowControl && workflowControl.mode && workflowControl.mode !== 'allow') {
     push(
       'add_environment_inspection',
@@ -1068,6 +1244,7 @@ function buildDecisionControl({
   protectedSurface,
   costControl,
   workflowControl,
+  workflowContract,
   actionProfile,
 }) {
   const reversibility = classifyReversibility({
@@ -1077,16 +1254,19 @@ function buildDecisionControl({
     protectedSurface,
     actionProfile,
   });
-  const hasOperationalBlockers = Boolean(integrity && Array.isArray(integrity.blockers) && integrity.blockers.length > 0);
-  const hasCostWarning = Boolean(costControl && costControl.mode === 'warn');
-  const hasCostBlock = Boolean(costControl && costControl.mode === 'block');
-  const hasWorkflowWarning = Boolean(workflowControl && workflowControl.mode === 'warn');
-  const hasWorkflowBlock = Boolean(workflowControl && workflowControl.mode === 'block');
+  const hasOperationalBlockers = Boolean(integrity?.blockers?.length);
+  const hasCostWarning = costControl?.mode === 'warn';
+  const hasCostBlock = costControl?.mode === 'block';
+  const hasWorkflowWarning = workflowControl?.mode === 'warn';
+  const hasWorkflowBlock = workflowControl?.mode === 'block';
+  const hasContractWarning = workflowContract?.mode === 'warn';
+  const hasContractBlock = workflowContract?.mode === 'block';
   const requiresCheckpoint = decision === 'warn'
-    || (decision === 'allow' && (reversibility !== 'two_way_door' || hasOperationalBlockers || hasCostWarning || hasWorkflowWarning));
+    || (decision === 'allow' && (reversibility !== 'two_way_door' || hasOperationalBlockers || hasCostWarning || hasWorkflowWarning || hasContractWarning));
   const executionMode = decision === 'deny'
     || hasCostBlock
     || hasWorkflowBlock
+    || hasContractBlock
     ? 'blocked'
     : requiresCheckpoint
       ? 'checkpoint_required'
@@ -1110,7 +1290,7 @@ function buildDecisionControl({
     decisionOwner,
     reversibility,
     deliberation,
-    requiresHumanApproval: (executionMode === 'checkpoint_required' && decisionOwner !== 'agent') || hasCostBlock || hasWorkflowBlock,
+    requiresHumanApproval: (executionMode === 'checkpoint_required' && decisionOwner !== 'agent') || hasCostBlock || hasWorkflowBlock || hasContractBlock,
     recommendedAction: executionMode === 'blocked'
       ? 'halt'
       : executionMode === 'checkpoint_required'
@@ -1124,46 +1304,51 @@ function buildDecisionControl({
   };
 }
 
-function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blastRadius, command, costControl, workflowControl, actionProfile }) {
-  const hasOperationalBlockers = Boolean(integrity && Array.isArray(integrity.blockers) && integrity.blockers.length > 0);
-  if (costControl && costControl.mode === 'block') {
-    return 'deny';
-  }
-  if (workflowControl && workflowControl.mode === 'block') {
-    return 'deny';
-  }
-  const destructiveBypass = /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command) || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(command);
-  const learnedPrediction = learnedPolicy && learnedPolicy.enabled ? learnedPolicy.prediction : null;
-  const learnedHardStop = Boolean(
-    learnedPrediction
-      && learnedPrediction.label === 'deny'
-      && learnedPrediction.confidence >= 0.7
-  );
-  const learnedWarning = Boolean(
-    learnedPrediction
-      && ['warn', 'verify', 'deny'].includes(learnedPrediction.label)
-      && learnedPrediction.confidence >= 0.3
-  );
-  const learnedRecall = Boolean(
-    learnedPrediction
-      && learnedPrediction.label === 'recall'
-      && learnedPrediction.confidence >= 0.3
+function isDestructiveBypass(command) {
+  return /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command)
+    || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(command);
+}
+
+function getLearnedPrediction(learnedPolicy) {
+  return learnedPolicy?.enabled ? learnedPolicy.prediction : null;
+}
+
+function learnedPredictionMatches(prediction, labels, minConfidence) {
+  return Boolean(
+    prediction
+      && labels.includes(prediction.label)
+      && prediction.confidence >= minConfidence
   );
-  const lowBlastRadius = blastRadius.fileCount <= 1
+}
+
+function isLowBlastRadius(blastRadius) {
+  return blastRadius.fileCount <= 1
     && blastRadius.surfaceCount <= 1
     && blastRadius.releaseSensitiveFiles.length === 0
     && blastRadius.unapprovedProtectedFiles === 0;
-  const lowRiskHandoff = /\bgit\s+push\b|\bgh\s+pr\s+(?:create|merge)\b/i.test(command)
+}
+
+function isLowRiskHandoff({
+  command,
+  destructiveBypass,
+  learnedHardStop,
+  blastRadius,
+  hasOperationalBlockers,
+  memoryGuard,
+  riskScore,
+}) {
+  return /\bgit\s+push\b|\bgh\s+pr\s+(?:create|merge)\b/i.test(command)
     && !destructiveBypass
     && !learnedHardStop
-    && lowBlastRadius
+    && isLowBlastRadius(blastRadius)
     && !hasOperationalBlockers
-    && memoryGuard
-    && memoryGuard.mode !== 'allow'
+    && memoryGuard?.mode !== 'allow'
     && riskScore <= 0.62;
-  const repeatedHighBlast = Boolean(
-    memoryGuard
-      && memoryGuard.mode === 'block'
+}
+
+function isRepeatedHighBlast(memoryGuard, blastRadius) {
+  return Boolean(
+    memoryGuard?.mode === 'block'
       && (
         blastRadius.severity === 'high'
         || blastRadius.severity === 'critical'
@@ -1171,25 +1356,49 @@ function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blas
         || blastRadius.unapprovedProtectedFiles > 0
       )
   );
-  const economicAction = Boolean(actionProfile && actionProfile.economicAction);
-  const backgroundAgent = Boolean(actionProfile && actionProfile.backgroundAgent);
-  const customerSystemAction = Boolean(actionProfile && actionProfile.customerSystemAction);
+}
+
+function hasSoftControlWarning({ workflowContract, workflowControl, costControl, riskScore, learnedWarning, learnedRecall }) {
+  return workflowContract?.mode === 'warn'
+    || workflowControl?.mode === 'warn'
+    || costControl?.mode === 'warn'
+    || riskScore >= 0.45
+    || (learnedWarning && riskScore >= 0.3)
+    || (learnedRecall && riskScore >= 0.34);
+}
 
-  if (lowRiskHandoff) {
+function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blastRadius, command, costControl, workflowControl, workflowContract, actionProfile }) {
+  if (costControl?.mode === 'block' || workflowControl?.mode === 'block' || workflowContract?.mode === 'block') {
+    return 'deny';
+  }
+
+  const hasOperationalBlockers = Boolean(integrity?.blockers?.length);
+  const destructiveBypass = isDestructiveBypass(command);
+  const learnedPrediction = getLearnedPrediction(learnedPolicy);
+  const learnedHardStop = learnedPredictionMatches(learnedPrediction, ['deny'], 0.7);
+  const learnedWarning = learnedPredictionMatches(learnedPrediction, ['warn', 'verify', 'deny'], 0.3);
+  const learnedRecall = learnedPredictionMatches(learnedPrediction, ['recall'], 0.3);
+
+  if (isLowRiskHandoff({ command, destructiveBypass, learnedHardStop, blastRadius, hasOperationalBlockers, memoryGuard, riskScore })) {
     return 'allow';
   }
+
   // Background customer-system actions checkpoint (warn), never hard-deny.
   // The checkpoint IS the mitigation — blocking outright prevents legitimate work.
-  if (backgroundAgent && customerSystemAction) {
+  if (actionProfile?.backgroundAgent && actionProfile?.customerSystemAction) {
     return 'warn';
   }
+
+  const repeatedHighBlast = isRepeatedHighBlast(memoryGuard, blastRadius);
   if (destructiveBypass || learnedHardStop || repeatedHighBlast || (hasOperationalBlockers && riskScore >= 0.72) || riskScore >= 0.86) {
     return 'deny';
   }
-  if (economicAction || (backgroundAgent && riskScore >= 0.3)) {
+
+  if (actionProfile?.economicAction || (actionProfile?.backgroundAgent && riskScore >= 0.3)) {
     return 'warn';
   }
-  if ((workflowControl && workflowControl.mode === 'warn') || (costControl && costControl.mode === 'warn') || riskScore >= 0.45 || (learnedWarning && riskScore >= 0.3) || (learnedRecall && riskScore >= 0.34)) {
+
+  if (hasSoftControlWarning({ workflowContract, workflowControl, costControl, riskScore, learnedWarning, learnedRecall })) {
     return 'warn';
   }
   return 'allow';
@@ -1238,11 +1447,24 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     baseBranch,
     command: normalizedToolInput.command,
     changedFiles: affectedFiles,
+    currentBranch: options.currentBranch
+      || normalizedToolInput.currentBranch
+      || normalizedToolInput.branchName
+      || normalizedToolInput.branch,
     headSha: options.headSha || toolInput.headSha,
     requirePrForReleaseSensitive: options.requirePrForReleaseSensitive === true,
     requireVersionNotBehindBase: options.requireVersionNotBehindBase === true,
     branchGovernance: governanceState.branchGovernance,
   });
+  const workflowContract = evaluateWorkflowContract(
+    normalizedToolInput.workflowContract || options.workflowContract || governanceState.workflowContract,
+    {
+      command: normalizedToolInput.command || '',
+      currentBranch: integrity.currentBranch,
+      toolInput: normalizedToolInput,
+      options,
+    }
+  );
   const taskScopeViolation = buildTaskScopeViolation(governanceState.taskScope, affectedFiles);
   const protectedSurface = buildProtectedSurface(governanceState, affectedFiles);
   const protectedSurfaceForRisk = isProtectedApprovalRelevant(normalizedToolName, normalizedToolInput)
@@ -1290,6 +1512,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     protectedSurface: protectedSurfaceForRisk,
     costControl,
     workflowControl,
+    workflowContract,
     actionProfile,
   });
   const executionSurface = buildDockerSandboxPlan({
@@ -1316,6 +1539,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     command: normalizedToolInput.command || '',
     costControl,
     workflowControl,
+    workflowContract,
     actionProfile,
   });
   const evidence = buildEvidence({
@@ -1328,6 +1552,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     normalizedAction,
     costControl,
     workflowControl,
+    workflowContract,
     actionProfile,
   });
   const remediations = buildRemediations({
@@ -1340,6 +1565,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     executionSurface,
     costControl,
     workflowControl,
+    workflowContract,
     actionProfile,
   });
   const summary = decision === 'allow'
@@ -1353,6 +1579,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     normalizedAction,
     costControl,
     workflowControl,
+    workflowContract,
     decision,
     riskScore: risk.score,
     band: risk.band,
@@ -1388,6 +1615,7 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
     protectedSurface: protectedSurfaceForRisk,
     costControl,
     workflowControl,
+    workflowContract,
     actionProfile,
   });
   report.reasoning = buildReasoning(report);