trace-to-skill 0.1.26 → 0.1.35

package/dist/src/agentsLint.js

@@ -1,7 +1,10 @@
-import { promises as fs } from "node:fs";
+import { constants as fsConstants, promises as fs } from "node:fs";
+import os from "node:os";
 import path from "node:path";
+import { TextDecoder } from "node:util";
 import { doctorRepo } from "./doctor.js";
 const SKIP_DIRS = new Set([".git", "node_modules", "dist", "coverage", ".next", "build"]);
+const INSTRUCTION_SIZE_WARN_BYTES = 24000;
 export async function lintAgents(target = process.cwd()) {
     const root = path.resolve(target);
     const files = await listFiles(root);
@@ -15,6 +18,9 @@ export async function lintAgents(target = process.cwd()) {
         finding.kind === "secret_exposure" ||
         finding.kind === "hidden_unicode" ||
         finding.kind === "prompt_injection");
+    findings.push(...(await detectInstructionFileRisks(root, instructionFiles)));
+    findings.push(...(await detectMcpConfigDiagnostics(root, mcpConfigs)));
+    findings.push(...(await detectCodexConfigDiagnostics(root, mcpConfigs)));
     const score = calculateAgentsLintScore(checks, findings);
     const status = statusFrom(score, checks, findings);
     return {
@@ -148,9 +154,698 @@ function isInstructionFile(file) {
 }
 function isMcpConfigCandidate(file) {
     return /(^|\/)(mcp|\.mcp|mcp-config|model-context)\.(json|jsonc)$/i.test(file) ||
-        /(^|\/)\.cursor\/mcp\.json$/i.test(file);
+        /(^|\/)\.cursor\/mcp\.json$/i.test(file) ||
+        /(^|\/)\.codex\/config\.toml$/i.test(file);
 }
 function isEvidenceArchive(file) {
     return /^(fixtures|examples|runs)\//i.test(file);
 }
+async function detectInstructionFileRisks(root, instructionFiles) {
+    const findings = [];
+    const missingPathEvidence = [];
+    const largeFileEvidence = [];
+    const missingIncludeEvidence = [];
+    const nestedInstructionEvidence = [];
+    const encodingEvidence = [];
+    const instructionContents = new Map();
+    for (const file of instructionFiles) {
+        const absolute = path.join(root, file);
+        const raw = await fs.readFile(absolute);
+        const decoded = decodeInstructionFile(raw);
+        const content = decoded.content;
+        instructionContents.set(file, content);
+        const lines = content.split(/\r?\n/);
+        if (decoded.invalidUtf8) {
+            encodingEvidence.push({
+                file,
+                line: 1,
+                excerpt: `${file} contains bytes that are not valid UTF-8; Codex may skip or misread this instruction file.`
+            });
+        }
+        if (Buffer.byteLength(content, "utf8") > INSTRUCTION_SIZE_WARN_BYTES) {
+            largeFileEvidence.push({
+                file,
+                line: 1,
+                excerpt: `${file} is ${Buffer.byteLength(content, "utf8")} bytes; split long instructions into smaller scoped files or keep critical rules near the top.`
+            });
+        }
+        for (const reference of collectPathReferences(lines)) {
+            if (!(await pathExists(root, reference.value))) {
+                missingPathEvidence.push({
+                    file,
+                    line: reference.line,
+                    excerpt: `referenced path does not exist: ${reference.value}`
+                });
+            }
+        }
+        for (const reference of collectIncludeReferences(lines)) {
+            if (reference.invalid) {
+                missingIncludeEvidence.push({
+                    file,
+                    line: reference.line,
+                    excerpt: `include target is not a safe repo-relative markdown path: ${reference.value}`
+                });
+            }
+            else if (!(await pathExists(root, reference.value))) {
+                missingIncludeEvidence.push({
+                    file,
+                    line: reference.line,
+                    excerpt: `include target does not exist: ${reference.value}`
+                });
+            }
+        }
+    }
+    const rootInstructions = instructionContents.get("AGENTS.md") ?? "";
+    if (rootInstructions) {
+        for (const file of instructionFiles) {
+            if (file !== "AGENTS.md" && /(^|\/)AGENTS\.md$/i.test(file) && !rootInstructions.includes(file) && !rootInstructions.includes(path.dirname(file))) {
+                nestedInstructionEvidence.push({
+                    file,
+                    line: 1,
+                    excerpt: `nested AGENTS.md may not be loaded unless Codex starts in ${path.dirname(file)} or the root AGENTS.md explicitly points to it`
+                });
+            }
+        }
+    }
+    if (missingPathEvidence.length > 0) {
+        findings.push({
+            kind: "hallucinated_file",
+            severity: "medium",
+            title: "Agent instruction references missing paths",
+            why: "Codex and other agents lose time or follow stale guidance when AGENTS.md or tool instructions point at files that no longer exist.",
+            evidence: missingPathEvidence.slice(0, 8),
+            suggestedRule: "Keep paths in agent instruction files verified; run trace-to-skill lint-agents after moving or deleting referenced files."
+        });
+    }
+    if (missingIncludeEvidence.length > 0) {
+        findings.push({
+            kind: "hallucinated_file",
+            severity: "medium",
+            title: "Agent instruction include references missing paths",
+            why: "Teams often split AGENTS.md or CLAUDE.md into reusable markdown files. Missing or unsafe include targets make instruction assembly unverifiable and create cross-tool drift.",
+            evidence: missingIncludeEvidence.slice(0, 8),
+            suggestedRule: "Keep @include-style instruction references repo-relative, present, and auditable; run trace-to-skill lint-agents after moving shared instruction files."
+        });
+    }
+    if (largeFileEvidence.length > 0) {
+        findings.push({
+            kind: "ignored_instruction",
+            severity: "medium",
+            title: "Large agent instruction file may be truncated or ignored",
+            why: "Very large instruction files make it harder for agents to preserve high-priority rules and can hide important guidance near the end.",
+            evidence: largeFileEvidence,
+            suggestedRule: "Keep critical repository instructions short, put must-follow validation rules near the top, and split long reference material into linked docs."
+        });
+    }
+    if (nestedInstructionEvidence.length > 0) {
+        findings.push({
+            kind: "ignored_instruction",
+            severity: "medium",
+            title: "Nested AGENTS.md may not be loaded automatically",
+            why: "Codex users report that nested AGENTS.md files in monorepos are easy to miss unless the agent starts in the right directory or the root instructions explicitly mention them.",
+            evidence: nestedInstructionEvidence.slice(0, 8),
+            suggestedRule: "List nested AGENTS.md files in the root AGENTS.md or add explicit package-scope rules so maintainers can verify which instruction files should be loaded for each path."
+        });
+    }
+    if (encodingEvidence.length > 0) {
+        findings.push({
+            kind: "ignored_instruction",
+            severity: "medium",
+            title: "Agent instruction file may fail UTF-8 loading",
+            why: "Instruction files with invalid encoding can be silently skipped or misread by coding agents, making policy failures hard to diagnose.",
+            evidence: encodingEvidence.slice(0, 8),
+            suggestedRule: "Save AGENTS.md, CLAUDE.md, and other agent instruction files as valid UTF-8 and reject files with replacement characters or unsupported encodings."
+        });
+    }
+    return findings;
+}
+function decodeInstructionFile(raw) {
+    try {
+        return {
+            content: new TextDecoder("utf-8", { fatal: true }).decode(raw),
+            invalidUtf8: false
+        };
+    }
+    catch {
+        return {
+            content: raw.toString("utf8"),
+            invalidUtf8: true
+        };
+    }
+}
+function collectPathReferences(lines) {
+    const references = [];
+    const seen = new Set();
+    lines.forEach((line, index) => {
+        for (const match of line.matchAll(/`([^`\n]+)`/g)) {
+            addPathReference(references, seen, index + 1, match[1]);
+        }
+        for (const match of line.matchAll(/\[[^\]]+\]\(([^)]+)\)/g)) {
+            addPathReference(references, seen, index + 1, match[1]);
+        }
+    });
+    return references;
+}
+function addPathReference(references, seen, line, raw) {
+    const value = normalizePathReference(raw);
+    if (!value || seen.has(value)) {
+        return;
+    }
+    seen.add(value);
+    references.push({ line, value });
+}
+function collectIncludeReferences(lines) {
+    const references = [];
+    const seen = new Set();
+    lines.forEach((line, index) => {
+        for (const match of line.matchAll(/(?:^|\s)@([A-Za-z0-9._/-]+\.md)\b/g)) {
+            const raw = match[1];
+            const value = normalizeIncludeReference(raw);
+            const key = value ?? raw;
+            if (seen.has(key)) {
+                continue;
+            }
+            seen.add(key);
+            references.push({
+                line: index + 1,
+                value: key,
+                invalid: !value
+            });
+        }
+    });
+    return references;
+}
+function normalizeIncludeReference(raw) {
+    const value = raw.trim().replace(/^[.]\//, "").replace(/[),.;:]+$/, "");
+    if (!value ||
+        value.startsWith("/") ||
+        value.startsWith("~") ||
+        value.includes("..") ||
+        value.includes("$") ||
+        value.includes("*") ||
+        value.includes(" ")) {
+        return undefined;
+    }
+    return /^[A-Za-z0-9._/-]+\.md$/i.test(value) ? value : undefined;
+}
+function normalizePathReference(raw) {
+    const value = raw.trim().replace(/^file:\/\//, "").replace(/[),.;:]+$/, "");
+    if (!value ||
+        value.startsWith("http://") ||
+        value.startsWith("https://") ||
+        value.startsWith("mailto:") ||
+        value.startsWith("#") ||
+        value.includes("*") ||
+        value.includes("$") ||
+        value.includes(" ") ||
+        value.startsWith("@") ||
+        value.startsWith("~") ||
+        path.isAbsolute(value)) {
+        return undefined;
+    }
+    if (!/^[A-Za-z0-9._/@-]+(?:\/[A-Za-z0-9._@-]+)*$/.test(value)) {
+        return undefined;
+    }
+    const hasPathSignal = value.includes("/") || /\.[A-Za-z0-9]{1,8}$/.test(value);
+    return hasPathSignal ? value.replace(/^\.\//, "") : undefined;
+}
+async function pathExists(root, reference) {
+    try {
+        await fs.access(path.join(root, reference));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function detectMcpConfigDiagnostics(root, mcpConfigs) {
+    const evidence = [];
+    for (const file of mcpConfigs) {
+        const absolute = path.join(root, file);
+        const content = await fs.readFile(absolute, "utf8");
+        const parsed = parseMcpConfig(file, content);
+        if (!parsed) {
+            evidence.push({
+                file,
+                line: 1,
+                excerpt: `MCP config could not be parsed as ${file.endsWith(".toml") ? "TOML" : "JSON/JSONC"}.`
+            });
+            continue;
+        }
+        if (isTomlConfig(file) && !asObject(parsed.mcp_servers)) {
+            continue;
+        }
+        if (!isTomlConfig(file) && asObject(parsed.mcp_servers) && !asObject(parsed.mcpServers)) {
+            evidence.push({
+                file,
+                line: findLine(content, "mcp_servers"),
+                excerpt: "uses mcp_servers; Codex plugin MCP configs commonly expect mcpServers or a direct top-level server map"
+            });
+        }
+        const servers = discoverMcpServers(parsed);
+        if (!servers) {
+            evidence.push({
+                file,
+                line: 1,
+                excerpt: "no MCP server map found; expected mcpServers, servers, or a direct top-level server map"
+            });
+            continue;
+        }
+        for (const [name, rawServer] of Object.entries(servers)) {
+            const server = asObject(rawServer);
+            if (!server) {
+                evidence.push({
+                    file,
+                    line: findLine(content, name),
+                    excerpt: `server "${name}" is not an object`
+                });
+                continue;
+            }
+            if (isTomlConfig(file) && commandLooksLocal(server.command) && typeof server.cwd !== "string") {
+                evidence.push({
+                    file,
+                    line: findLine(content, name),
+                    excerpt: `server "${name}" in project .codex/config.toml uses a local stdio command without explicit cwd`
+                });
+            }
+            evidence.push(...(await inspectMcpServer(root, file, content, name, server)));
+        }
+    }
+    if (evidence.length === 0) {
+        return [];
+    }
+    return [{
+            kind: "mcp_risk",
+            severity: "medium",
+            title: "MCP config has unresolved startup inputs",
+            why: "Codex MCP failures are hard to debug when config shape, command paths, cwd values, or required environment variables are invalid before the server even starts.",
+            evidence: evidence.slice(0, 10),
+            suggestedRule: "Before enabling an MCP server for coding agents, verify config key casing, command availability, cwd existence, and required environment variables with trace-to-skill lint-agents."
+        }];
+}
+async function detectCodexConfigDiagnostics(root, configFiles) {
+    const evidence = [];
+    for (const file of configFiles.filter((item) => isCodexTomlConfig(item))) {
+        const absolute = path.join(root, file);
+        const content = await fs.readFile(absolute, "utf8");
+        const lines = parseTomlLines(content);
+        const permissions = collectPermissionProfiles(lines);
+        const defaultPermissions = findTomlAssignment(lines, "default_permissions");
+        if (defaultPermissions && typeof defaultPermissions.value === "string" && !permissions.has(defaultPermissions.value)) {
+            evidence.push({
+                file,
+                line: defaultPermissions.line,
+                excerpt: `default_permissions references missing permissions profile: ${defaultPermissions.value}`
+            });
+        }
+        for (const item of lines) {
+            if (item.section === "features" && item.key === "codex_hooks") {
+                evidence.push({
+                    file,
+                    line: item.line,
+                    excerpt: "deprecated [features].codex_hooks key is present; use [features].hooks instead"
+                });
+            }
+            if (item.section?.startsWith("projects.") && item.key === "trusted_level") {
+                evidence.push({
+                    file,
+                    line: item.line,
+                    excerpt: "projects.* trusted_level is stored in config.toml; this can pollute synced dotfiles with machine-specific project metadata"
+                });
+            }
+        }
+        for (const section of collectSections(lines)) {
+            if (section.startsWith("projects.") && /\/|\\|:/.test(section)) {
+                evidence.push({
+                    file,
+                    line: findLine(content, section),
+                    excerpt: `project-specific config section appears to contain a machine-local path: [${section}]`
+                });
+            }
+        }
+    }
+    if (evidence.length === 0) {
+        return [];
+    }
+    return [{
+            kind: "ignored_instruction",
+            severity: "medium",
+            title: "Codex config has drift-prone settings",
+            why: "Codex config.toml issues are hard to debug when deprecated feature flags, missing permission profiles, or machine-local project trust metadata are mixed into repository or dotfiles config.",
+            evidence: evidence.slice(0, 10),
+            suggestedRule: "Keep Codex config portable: migrate [features].codex_hooks to [features].hooks, define every default_permissions profile, and avoid syncing projects.* trusted_level entries."
+        }];
+}
+async function inspectMcpServer(root, file, content, name, server) {
+    const evidence = [];
+    const hasUrl = typeof server.url === "string" || typeof server.httpUrl === "string";
+    const command = typeof server.command === "string" ? server.command.trim() : "";
+    if (!command && !hasUrl) {
+        evidence.push({
+            file,
+            line: findLine(content, name),
+            excerpt: `server "${name}" has neither command nor url`
+        });
+    }
+    const commandIssue = startupStringIssue(command);
+    if (commandIssue) {
+        evidence.push({
+            file,
+            line: findLine(content, command),
+            excerpt: `server "${name}" command ${commandIssue}: ${command}`
+        });
+    }
+    else if (command && !(await commandExists(root, command))) {
+        evidence.push({
+            file,
+            line: findLine(content, command),
+            excerpt: `server "${name}" command is not resolvable without starting it: ${command}`
+        });
+    }
+    if (typeof server.cwd === "string" && server.cwd.trim()) {
+        const cwd = server.cwd.trim();
+        const cwdIssue = startupStringIssue(cwd);
+        if (cwdIssue) {
+            evidence.push({
+                file,
+                line: findLine(content, cwd),
+                excerpt: `server "${name}" cwd ${cwdIssue}: ${cwd}`
+            });
+        }
+        else if (!(await localPathExists(root, cwd))) {
+            evidence.push({
+                file,
+                line: findLine(content, cwd),
+                excerpt: `server "${name}" cwd does not exist: ${cwd}`
+            });
+        }
+    }
+    if (Array.isArray(server.args)) {
+        server.args.forEach((value) => {
+            if (typeof value !== "string") {
+                return;
+            }
+            const issue = startupStringIssue(value);
+            if (issue) {
+                evidence.push({
+                    file,
+                    line: findLine(content, value),
+                    excerpt: `server "${name}" arg ${issue}: ${value}`
+                });
+            }
+        });
+    }
+    const env = asObject(server.env);
+    if (env) {
+        for (const [key, value] of Object.entries(env)) {
+            const issue = envValueIssue(key, value);
+            if (issue) {
+                evidence.push({
+                    file,
+                    line: findLine(content, key),
+                    excerpt: `server "${name}" env ${key}: ${issue}`
+                });
+            }
+        }
+    }
+    return evidence;
+}
+function discoverMcpServers(parsed) {
+    const wrapped = asObject(parsed.mcpServers) ?? asObject(parsed.servers) ?? asObject(parsed.mcp_servers);
+    if (wrapped) {
+        return wrapped;
+    }
+    const entries = Object.entries(parsed).filter(([key, value]) => !key.startsWith("$") && asObject(value));
+    if (entries.length > 0 && entries.every(([, value]) => looksLikeMcpServer(value))) {
+        return Object.fromEntries(entries);
+    }
+    return undefined;
+}
+function looksLikeMcpServer(value) {
+    const server = asObject(value);
+    return Boolean(server && (typeof server.command === "string" ||
+        typeof server.url === "string" ||
+        typeof server.httpUrl === "string" ||
+        Array.isArray(server.args) ||
+        asObject(server.env)));
+}
+function commandLooksLocal(value) {
+    return typeof value === "string" && (value.includes("/") || value.includes("\\") || value === "php" || value === "node" || value === "python" || value === "python3");
+}
+async function commandExists(root, command) {
+    if (command.includes("/") || command.includes("\\")) {
+        return localPathExists(root, command);
+    }
+    const paths = (process.env.PATH ?? "").split(path.delimiter).filter(Boolean);
+    const extensions = process.platform === "win32"
+        ? (process.env.PATHEXT ?? ".EXE;.CMD;.BAT;.COM").split(";")
+        : [""];
+    for (const directory of paths) {
+        for (const extension of extensions) {
+            const candidate = path.join(directory, `${command}${extension}`);
+            if (await isExecutableFile(candidate)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+async function localPathExists(root, value) {
+    const expanded = value === "~" || value.startsWith("~/")
+        ? path.join(os.homedir(), value.slice(2))
+        : value;
+    const candidate = path.isAbsolute(expanded) ? expanded : path.join(root, expanded);
+    try {
+        await fs.access(candidate);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function isExecutableFile(candidate) {
+    try {
+        const stat = await fs.stat(candidate);
+        if (!stat.isFile()) {
+            return false;
+        }
+        if (process.platform === "win32") {
+            return true;
+        }
+        await fs.access(candidate, fsConstants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function envValueIssue(key, value) {
+    if (typeof value !== "string") {
+        return "value should be a string so the launcher receives the intended environment variable";
+    }
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return "empty value";
+    }
+    if (/^(todo|tbd|changeme|change-me|your[-_ ]?(token|key|secret|password)|example)$/i.test(trimmed)) {
+        return "placeholder value";
+    }
+    const variableReference = /^\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?$/.exec(trimmed);
+    if (variableReference && !process.env[variableReference[1]]) {
+        return `references unset environment variable ${variableReference[1]}`;
+    }
+    if (/token|secret|key|password/i.test(key) && /^[A-Za-z0-9_./+=-]{16,}$/.test(trimmed) && !variableReference) {
+        return "appears to contain a literal secret; prefer referencing an external environment variable";
+    }
+    return undefined;
+}
+function startupStringIssue(value) {
+    const variableReferences = Array.from(value.matchAll(/\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?/g)).map((match) => match[1]);
+    const unresolved = variableReferences.filter((name) => !process.env[name]);
+    if (unresolved.length > 0) {
+        return `references unset environment variable ${unresolved.join(", ")}`;
+    }
+    return undefined;
+}
+function parseMcpConfig(file, content) {
+    if (isTomlConfig(file)) {
+        return parseMcpToml(content);
+    }
+    return parseJsonObject(stripJsonComments(content));
+}
+function isTomlConfig(file) {
+    return /\.toml$/i.test(file);
+}
+function isCodexTomlConfig(file) {
+    return /(^|\/)\.codex\/config\.toml$/i.test(file);
+}
+function parseMcpToml(content) {
+    const mcpServers = {};
+    const lines = content.split(/\r?\n/);
+    let currentServer;
+    for (const rawLine of lines) {
+        const line = stripTomlComment(rawLine).trim();
+        if (!line) {
+            continue;
+        }
+        const section = /^\[mcp_servers\.([A-Za-z0-9_.-]+)\]$/.exec(line) ?? /^\[mcpServers\.([A-Za-z0-9_.-]+)\]$/.exec(line);
+        if (section) {
+            currentServer = {};
+            mcpServers[section[1]] = currentServer;
+            continue;
+        }
+        if (line.startsWith("[") && line.endsWith("]")) {
+            currentServer = undefined;
+            continue;
+        }
+        if (!currentServer) {
+            continue;
+        }
+        const assignment = /^([A-Za-z0-9_-]+)\s*=\s*(.+)$/.exec(line);
+        if (!assignment) {
+            continue;
+        }
+        currentServer[assignment[1]] = parseTomlValue(assignment[2].trim());
+    }
+    return Object.keys(mcpServers).length > 0 ? { mcp_servers: mcpServers } : {};
+}
+function parseTomlValue(value) {
+    if (value.startsWith("\"") || value.startsWith("'")) {
+        return parseTomlString(value);
+    }
+    if (value.startsWith("[")) {
+        return parseTomlArray(value);
+    }
+    if (value === "true") {
+        return true;
+    }
+    if (value === "false") {
+        return false;
+    }
+    return value;
+}
+function parseTomlArray(value) {
+    const trimmed = value.trim();
+    if (!trimmed.startsWith("[") || !trimmed.endsWith("]")) {
+        return [];
+    }
+    const items = [];
+    const pattern = /"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'|([^,\s][^,]*)/g;
+    const inner = trimmed.slice(1, -1);
+    for (const match of inner.matchAll(pattern)) {
+        if (match[1] !== undefined) {
+            items.push(unescapeTomlString(match[1]));
+        }
+        else if (match[2] !== undefined) {
+            items.push(match[2]);
+        }
+        else if (match[3] !== undefined) {
+            items.push(parseTomlValue(match[3].trim()));
+        }
+    }
+    return items;
+}
+function parseTomlString(value) {
+    if (value.startsWith("\"")) {
+        const match = /^"((?:\\.|[^"\\])*)"/.exec(value);
+        return match ? unescapeTomlString(match[1]) : value;
+    }
+    const match = /^'([^']*)'/.exec(value);
+    return match ? match[1] : value;
+}
+function unescapeTomlString(value) {
+    return value
+        .replace(/\\"/g, "\"")
+        .replace(/\\n/g, "\n")
+        .replace(/\\t/g, "\t")
+        .replace(/\\\\/g, "\\");
+}
+function stripTomlComment(line) {
+    let quote;
+    for (let index = 0; index < line.length; index += 1) {
+        const char = line[index];
+        const previous = line[index - 1];
+        if ((char === "\"" || char === "'") && previous !== "\\") {
+            quote = quote === char ? undefined : quote ?? char;
+            continue;
+        }
+        if (char === "#" && !quote) {
+            return line.slice(0, index);
+        }
+    }
+    return line;
+}
+function parseTomlLines(content) {
+    const result = [];
+    let currentSection;
+    content.split(/\r?\n/).forEach((rawLine, index) => {
+        const line = stripTomlComment(rawLine).trim();
+        if (!line) {
+            return;
+        }
+        const section = /^\[([^\]]+)\]$/.exec(line);
+        if (section) {
+            currentSection = section[1];
+            result.push({ line: index + 1, section: currentSection });
+            return;
+        }
+        const assignment = /^([A-Za-z0-9_-]+)\s*=\s*(.+)$/.exec(line);
+        if (assignment) {
+            result.push({
+                line: index + 1,
+                section: currentSection,
+                key: assignment[1],
+                value: parseTomlValue(assignment[2].trim())
+            });
+        }
+    });
+    return result;
+}
+function collectPermissionProfiles(lines) {
+    const profiles = new Set();
+    for (const item of lines) {
+        if (!item.section) {
+            continue;
+        }
+        const match = /^permissions\.((?:"[^"]+"|'[^']+'|[^.]+))/.exec(item.section);
+        if (match) {
+            profiles.add(unquoteTomlBarePart(match[1]));
+        }
+    }
+    return profiles;
+}
+function findTomlAssignment(lines, key) {
+    return lines.find((item) => item.key === key);
+}
+function collectSections(lines) {
+    return lines.filter((item) => item.section && !item.key).map((item) => item.section);
+}
+function unquoteTomlBarePart(value) {
+    if (value.startsWith("\"") || value.startsWith("'")) {
+        return parseTomlString(value);
+    }
+    return value;
+}
+function stripJsonComments(content) {
+    return content
+        .replace(/\/\*[\s\S]*?\*\//g, "")
+        .replace(/^\s*\/\/.*$/gm, "");
+}
+function parseJsonObject(content) {
+    try {
+        const parsed = JSON.parse(content);
+        return asObject(parsed);
+    }
+    catch {
+        return undefined;
+    }
+}
+function asObject(value) {
+    return value && typeof value === "object" && !Array.isArray(value) ? value : undefined;
+}
+function findLine(content, needle) {
+    const lines = content.split(/\r?\n/);
+    const index = lines.findIndex((line) => line.includes(needle));
+    return index >= 0 ? index + 1 : 1;
+}
 //# sourceMappingURL=agentsLint.js.map