ultimate-pi 0.18.1 → 0.19.0

package/.pi/lib/agt/build-evaluation-context.ts

@@ -0,0 +1,285 @@
+import {
+	allowsAgentTool,
+	getAgentKind,
+	isHarnessPlanningAgent,
+} from "../agents-policy.mjs";
+import {
+	evaluateContextModeMutation,
+	isMutatingBash,
+} from "../harness-context-mode-policy.js";
+import {
+	extractWritePathFromToolInput,
+	getLatestRunContext,
+	type HarnessPhase,
+	type HarnessRunContext,
+	isHarnessAutoSession,
+	isPlanPhaseAllowedMutation,
+} from "../harness-run-context.js";
+import { evaluateSubagentToolCall } from "../harness-spawn-policy.js";
+
+export interface BuildEvaluationContextInput {
+	toolName: string;
+	toolInput: Record<string, unknown>;
+	packageRoot: string;
+	projectRoot: string;
+	sessionId: string;
+	entries: unknown[];
+	policyState: {
+		phase: HarnessPhase;
+		approvedPlan: boolean;
+		planId: string | null;
+		aborted: boolean;
+		budgetBypass: boolean;
+	};
+	agentDid?: string;
+}
+
+export type HarnessAgtContext = Record<string, unknown>;
+
+const PLANNING_BASH_DENY_PATTERNS = [
+	/\bgraphify\s+update\b/i,
+	/\bgraphify\s+extract\b/i,
+	/\bgraphify\s+install\b/i,
+	/\bccc\s+(index|init|reset|daemon)\b/i,
+	/\bccc\s+search\b.*--refresh/i,
+	/\bpip\s+install\b/i,
+	/\buv\s+tool\s+install\b/i,
+	/\bnpm\s+install\b/i,
+	/\bnpm\s+install\b.*cocoindex/i,
+	/\buv\s+tool\s+install\b.*cocoindex/i,
+];
+
+const PLANNING_ARTIFACT_JSON_WRITE = /artifacts\/[^\s'"`;]+\.json\b/i;
+
+const WEB_BLOCK_PATTERNS: Array<{ re: RegExp }> = [
+	{ re: /\bfirecrawl\b/i },
+	{ re: /\b(?:curl|wget)\b[^\n|;&]*\s+https?:\/\//i },
+	{ re: /\bscrapling\s+(?:fetch|extract)\b/i },
+];
+
+const WEB_ALLOW_PATTERNS = [
+	/harness-web\.py\b/i,
+	/harness-cli-verify\.sh\b/i,
+	/\bgraphify\b/i,
+	/\bctx7\b/i,
+	/\bcontext7\b/i,
+	/\bgit\b/i,
+	/harness-searxng-bootstrap/i,
+];
+
+function resolveAgentId(): string {
+	if (process.env.PI_HARNESS_SUBPROCESS === "1") {
+		return process.env.HARNESS_AGENT_ID?.trim() || "harness/unknown";
+	}
+	return "parent-orchestrator";
+}
+
+export function bashWebBlocked(command: string): boolean {
+	if (!command) return false;
+	if (WEB_ALLOW_PATTERNS.some((re) => re.test(command))) return false;
+	return WEB_BLOCK_PATTERNS.some(({ re }) => re.test(command));
+}
+
+/** Shared session-scoped deny reasons for legacy parity and AGT context flags. */
+export function harnessSessionToolDenyReason(input: {
+	toolName: string;
+	toolInput: Record<string, unknown>;
+	phase: HarnessPhase;
+	agentId: string;
+	entries: unknown[];
+	aborted: boolean;
+}): string | null {
+	if (!isHarnessAutoSession(input.entries)) return null;
+	const bashCommand =
+		input.toolName === "bash" ? String(input.toolInput.command ?? "") : "";
+	if (
+		input.aborted &&
+		((bashCommand && isMutatingBash(bashCommand)) ||
+			input.toolName === "write" ||
+			input.toolName === "edit")
+	) {
+		return "harness-abort lock";
+	}
+	if (
+		bashCommand &&
+		isMutatingBash(bashCommand) &&
+		!input.aborted &&
+		input.phase !== "execute" &&
+		input.phase !== "merge"
+	) {
+		return "mutating bash blocked outside execute/merge";
+	}
+	if (bashCommand && bashWebBlocked(bashCommand)) {
+		return "web/bash curl blocked (use harness web_search / web_fetch)";
+	}
+	return null;
+}
+
+function bashPlanningDenied(command: string, agentType: string): boolean {
+	if (!command || !isHarnessPlanningAgent(agentType)) return false;
+	return PLANNING_BASH_DENY_PATTERNS.some((p) => p.test(command));
+}
+
+function bashPlanningJsonDenied(command: string, agentType: string): boolean {
+	if (!command || !isHarnessPlanningAgent(agentType)) return false;
+	return PLANNING_ARTIFACT_JSON_WRITE.test(command);
+}
+
+function harnessSessionActive(entries: unknown[]): boolean {
+	return isHarnessAutoSession(entries);
+}
+
+export async function buildHarnessAgtEvaluationContext(
+	input: BuildEvaluationContextInput,
+): Promise<HarnessAgtContext> {
+	const agentId = resolveAgentId();
+	const isSubprocess = process.env.PI_HARNESS_SUBPROCESS === "1";
+	const isParentOrchestrator = agentId === "parent-orchestrator";
+	const agentKind = getAgentKind(input.packageRoot, input.projectRoot, agentId);
+	const runCtx = getLatestRunContext(input.entries);
+	const phase = input.policyState.phase;
+	const bashCommand =
+		input.toolName === "bash" ? String(input.toolInput.command ?? "") : "";
+	const sessionActive = harnessSessionActive(input.entries);
+
+	const MUTATING_FILE_TOOLS = new Set(["write", "edit"]);
+	const planMutation =
+		sessionActive && MUTATING_FILE_TOOLS.has(input.toolName)
+			? await isPlanPhaseAllowedMutation(
+					input.toolName,
+					input.toolInput,
+					phase,
+					runCtx,
+					input.projectRoot,
+					{
+						aborted: input.policyState.aborted,
+						entries: input.entries,
+						ownerSessionId: runCtx?.owner_pi_session_id,
+						currentSessionId: input.sessionId,
+					},
+				)
+			: { allowed: true };
+
+	const ctxMode = sessionActive
+		? evaluateContextModeMutation(input.toolName, input.toolInput, phase, {
+				aborted: input.policyState.aborted,
+				budgetBypass: input.policyState.budgetBypass,
+				readOnlyAgent:
+					agentKind === "planner" ||
+					agentKind === "evaluator" ||
+					agentKind === "adversary" ||
+					agentKind === "tie_breaker",
+			})
+		: { blocked: false, reason: "" };
+
+	const spawnDecision = evaluateSubagentToolCall(input.toolName, agentId);
+
+	const toolAllowed = allowsAgentTool({
+		packageRoot: input.packageRoot,
+		projectRoot: input.projectRoot,
+		agentId,
+		toolName: input.toolName,
+		toolInput: input.toolInput,
+		isSubprocess,
+		isParentOrchestrator,
+	});
+
+	let evalPlanPacketBlock = false;
+	if (
+		sessionActive &&
+		runCtx?.plan_packet_path &&
+		(phase === "evaluate" || phase === "adversary") &&
+		(input.toolName === "write" || input.toolName === "edit")
+	) {
+		const target = String(
+			input.toolInput.path ?? input.toolInput.filePath ?? "",
+		);
+		if (target.includes("plan-packet.yaml")) {
+			evalPlanPacketBlock = true;
+		}
+	}
+
+	const writePath =
+		input.toolName === "write" || input.toolName === "edit"
+			? extractWritePathFromToolInput(input.toolInput)
+			: null;
+
+	const mutatingBashPhaseBlock =
+		sessionActive &&
+		Boolean(bashCommand && isMutatingBash(bashCommand)) &&
+		!input.policyState.aborted &&
+		phase !== "execute" &&
+		phase !== "merge";
+
+	const abortMutatingBlock =
+		sessionActive &&
+		input.policyState.aborted &&
+		((bashCommand && isMutatingBash(bashCommand)) ||
+			input.toolName === "write" ||
+			input.toolName === "edit");
+
+	return {
+		tool_name: input.toolName,
+		harness_phase: phase,
+		harness_agent_id: agentId,
+		harness_agent_kind: agentKind,
+		is_subprocess: isSubprocess,
+		is_parent_orchestrator: isParentOrchestrator,
+		harness_session_active: sessionActive,
+		is_harness_agent: agentId.startsWith("harness/"),
+		approved_plan: input.policyState.approvedPlan,
+		plan_ready: Boolean(runCtx?.plan_ready),
+		aborted: input.policyState.aborted,
+		budget_bypass: input.policyState.budgetBypass,
+		run_id: runCtx?.run_id ?? process.env.HARNESS_RUN_ID ?? "",
+		plan_id: input.policyState.planId ?? runCtx?.plan_id ?? "",
+		plan_mutation_allowed: planMutation.allowed,
+		plan_mutation_block: sessionActive && !planMutation.allowed,
+		context_mode_block: ctxMode.blocked,
+		tool_allowed: toolAllowed,
+		spawn_policy_block: spawnDecision.action === "block",
+		is_mutating_bash: bashCommand ? isMutatingBash(bashCommand) : false,
+		is_mutating_write_tool:
+			input.toolName === "write" || input.toolName === "edit",
+		bash_web_block: sessionActive && bashWebBlocked(bashCommand),
+		bash_planning_deny:
+			sessionActive && bashPlanningDenied(bashCommand, agentId),
+		bash_planning_json_block:
+			sessionActive && bashPlanningJsonDenied(bashCommand, agentId),
+		eval_plan_packet_write_block: evalPlanPacketBlock,
+		is_submit_tool: input.toolName.startsWith("submit_"),
+		is_planning_agent: isHarnessPlanningAgent(agentId),
+		is_read_only_kind:
+			agentKind === "planner" ||
+			agentKind === "evaluator" ||
+			agentKind === "adversary" ||
+			agentKind === "tie_breaker" ||
+			agentKind === "trace" ||
+			agentKind === "incident" ||
+			agentKind === "meta",
+		is_executor_kind: agentKind === "executor",
+		trust_score: Number(process.env.HARNESS_TRUST_SCORE ?? "1"),
+		delegation_ceiling: Number(process.env.HARNESS_DELEGATION_CEILING ?? "1"),
+		agent_did: input.agentDid ?? process.env.HARNESS_AGENT_DID ?? agentId,
+		write_path: writePath ?? "",
+		mutating_bash_phase_block: mutatingBashPhaseBlock,
+		abort_mutating_block: abortMutatingBlock,
+	};
+}
+
+export async function buildHarnessAgtEvaluationContextFromRun(
+	input: Omit<BuildEvaluationContextInput, "policyState"> & {
+		policyState?: BuildEvaluationContextInput["policyState"];
+	},
+): Promise<HarnessAgtContext> {
+	const policyState = input.policyState ?? {
+		phase: (process.env.HARNESS_SUBAGENT_PHASE_HINT as HarnessPhase) ?? "plan",
+		approvedPlan: true,
+		planId: null,
+		aborted: false,
+		budgetBypass: false,
+	};
+	return buildHarnessAgtEvaluationContext({ ...input, policyState });
+}
+
+export type { HarnessRunContext };

package/.pi/lib/agt/config.ts

@@ -0,0 +1,28 @@
+/** AGT feature flags and package-root resolution for harness policies. */
+
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+
+export function isHarnessAgtPolicyEnabled(): boolean {
+	const raw = process.env.HARNESS_AGT_POLICY?.trim().toLowerCase();
+	if (raw === "0" || raw === "false" || raw === "off") return false;
+	return true;
+}
+
+export function resolveHarnessPoliciesDir(packageRoot: string): string {
+	const fromEnv = process.env.HARNESS_AGT_POLICIES_DIR?.trim();
+	if (fromEnv && existsSync(fromEnv)) return fromEnv;
+	return join(packageRoot, ".pi", "harness", "policies");
+}
+
+export function resolveProjectPoliciesDir(projectRoot: string): string {
+	return join(projectRoot, ".pi", "policies");
+}
+
+export function resolveHarnessPackageRootFromEnv(): string {
+	return (
+		process.env.HARNESS_PKG_ROOT?.trim() ||
+		process.env.UP_PKG?.trim() ||
+		process.cwd()
+	);
+}

package/.pi/lib/agt/delegation.ts

@@ -0,0 +1,69 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { getOrCreateParentIdentity } from "./identity-registry.js";
+
+const ROLE_CAPABILITIES: Record<string, string[]> = {
+	planner: ["harness.read", "harness.submit.plan"],
+	executor: ["harness.read", "harness.write", "harness.submit.run"],
+	evaluator: ["harness.read", "harness.submit.review"],
+	adversary: ["harness.read", "harness.submit.review"],
+	tie_breaker: ["harness.read", "harness.submit.review"],
+	meta: ["harness.read"],
+	trace: ["harness.read"],
+	incident: ["harness.read"],
+	other: ["harness.read"],
+};
+
+export function capabilitiesForHarnessAgent(
+	agentId: string,
+	kind: string,
+): string[] {
+	if (agentId.startsWith("harness/planning/")) {
+		return ROLE_CAPABILITIES.planner ?? ["harness.read"];
+	}
+	return ROLE_CAPABILITIES[kind] ?? ROLE_CAPABILITIES.other;
+}
+
+export interface DelegationBundle {
+	agentDid: string;
+	delegationCeiling: number;
+	identityPath: string;
+}
+
+export function mintSubagentDelegation(input: {
+	runId: string;
+	runDir: string;
+	agentId: string;
+	agentKind: string;
+	trustCeiling?: number;
+}): DelegationBundle {
+	const parent = getOrCreateParentIdentity(input.runId, input.runDir);
+	const caps = capabilitiesForHarnessAgent(input.agentId, input.agentKind);
+	const safeId = input.agentId.replace(/\//g, "_");
+	const agentDir = join(input.runDir, "agents", safeId);
+	mkdirSync(agentDir, { recursive: true });
+
+	const child = parent.delegate(`harness-${safeId}`, caps, {
+		description: `Harness subagent ${input.agentId}`,
+	});
+	writeFileSync(
+		join(agentDir, "identity.json"),
+		JSON.stringify(child.toJSON(), null, 2),
+	);
+
+	const ceiling = input.trustCeiling ?? 1;
+	return {
+		agentDid: child.did,
+		delegationCeiling: ceiling,
+		identityPath: join(agentDir, "identity.json"),
+	};
+}
+
+export function delegationEnvFromBundle(
+	bundle: DelegationBundle,
+): Record<string, string> {
+	return {
+		HARNESS_AGENT_DID: bundle.agentDid,
+		HARNESS_DELEGATION_CEILING: String(bundle.delegationCeiling),
+	};
+}

package/.pi/lib/agt/evaluate-policy.ts

@@ -0,0 +1,56 @@
+import type { PolicyDecisionResult } from "@microsoft/agent-governance-sdk";
+import type { BuildEvaluationContextInput } from "./build-evaluation-context.js";
+import { buildHarnessAgtEvaluationContext } from "./build-evaluation-context.js";
+import { isHarnessAgtPolicyEnabled } from "./config.js";
+import { evaluateLegacyHarnessToolPolicy } from "./legacy-evaluate.js";
+import { getAgtPolicyEngine } from "./policy-engine.js";
+
+export interface HarnessPolicyEvaluation {
+	allowed: boolean;
+	reason: string;
+	source: "agt" | "legacy";
+	agt?: PolicyDecisionResult;
+}
+
+export async function evaluateHarnessToolPolicy(
+	packageRoot: string,
+	input: BuildEvaluationContextInput,
+): Promise<HarnessPolicyEvaluation> {
+	if (!isHarnessAgtPolicyEnabled()) {
+		const legacy = await evaluateLegacyHarnessToolPolicy(input);
+		return {
+			allowed: legacy.allowed,
+			reason: legacy.reason,
+			source: "legacy",
+		};
+	}
+
+	try {
+		const context = await buildHarnessAgtEvaluationContext(input);
+		const engine = getAgtPolicyEngine(packageRoot, input.projectRoot);
+		const agentDid = String(context.agent_did ?? context.harness_agent_id);
+		const result = engine.evaluatePolicy(agentDid, context);
+		if (!result.allowed) {
+			return {
+				allowed: false,
+				reason:
+					result.reason ??
+					`agt-policy: denied by ${result.policyName ?? "policy"}/${result.matchedRule ?? "rule"}`,
+				source: "agt",
+				agt: result,
+			};
+		}
+		return {
+			allowed: true,
+			reason: result.reason ?? "allow",
+			source: "agt",
+			agt: result,
+		};
+	} catch (err) {
+		return {
+			allowed: false,
+			reason: `agt-policy: evaluation failed (fail-closed): ${String(err)}`,
+			source: "agt",
+		};
+	}
+}

package/.pi/lib/agt/identity-registry.ts

@@ -0,0 +1,41 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { AgentIdentity } from "@microsoft/agent-governance-sdk";
+
+const runRoots = new Map<string, AgentIdentity>();
+
+export function getOrCreateParentIdentity(
+	runId: string,
+	runDir: string,
+): AgentIdentity {
+	const cached = runRoots.get(runId);
+	if (cached) return cached;
+
+	const agentsDir = join(runDir, "agents", "_parent");
+	const identityPath = join(agentsDir, "identity.json");
+	mkdirSync(agentsDir, { recursive: true });
+
+	if (existsSync(identityPath)) {
+		const json = JSON.parse(readFileSync(identityPath, "utf-8"));
+		const restored = AgentIdentity.fromJSON(json);
+		runRoots.set(runId, restored);
+		return restored;
+	}
+
+	const identity = AgentIdentity.generate(`harness-parent-${runId}`, [
+		"harness.orchestrate",
+		"harness.delegate",
+		"harness.plan",
+		"harness.execute",
+	]);
+	writeFileSync(identityPath, JSON.stringify(identity.toJSON(), null, 2));
+	runRoots.set(runId, identity);
+	return identity;
+}
+
+export function loadChildIdentity(agentDir: string): AgentIdentity | null {
+	const identityPath = join(agentDir, "identity.json");
+	if (!existsSync(identityPath)) return null;
+	const json = JSON.parse(readFileSync(identityPath, "utf-8"));
+	return AgentIdentity.fromJSON(json);
+}

package/.pi/lib/agt/index.ts

@@ -0,0 +1,55 @@
+export {
+	appendPolicyAuditEvent,
+	verifyRunAuditChain,
+} from "./audit-run-sink.js";
+export type {
+	BuildEvaluationContextInput,
+	HarnessAgtContext,
+} from "./build-evaluation-context.js";
+export {
+	buildHarnessAgtEvaluationContext,
+	buildHarnessAgtEvaluationContextFromRun,
+} from "./build-evaluation-context.js";
+export {
+	isHarnessAgtPolicyEnabled,
+	resolveHarnessPackageRootFromEnv,
+	resolveHarnessPoliciesDir,
+} from "./config.js";
+export {
+	capabilitiesForHarnessAgent,
+	delegationEnvFromBundle,
+	mintSubagentDelegation,
+} from "./delegation.js";
+export type { HarnessPolicyEvaluation } from "./evaluate-policy.js";
+export { evaluateHarnessToolPolicy } from "./evaluate-policy.js";
+export {
+	getOrCreateParentIdentity,
+	loadChildIdentity,
+} from "./identity-registry.js";
+export { evaluateLegacyHarnessToolPolicy } from "./legacy-evaluate.js";
+export {
+	createAgtPolicyEngine,
+	createHarnessPolicyEngine,
+	doctorHarnessPolicies,
+	getAgtPolicyEngine,
+	getHarnessPolicyEngine,
+	HarnessPolicyLoadError,
+	resetHarnessPolicyEngineCache,
+} from "./policy-engine.js";
+export { createRingEnforcer, ringForHarnessAgentKind } from "./rings.js";
+export {
+	getHarnessGovernanceMetrics,
+	isSreEnforceEnabled,
+	recordSpawnAttempt,
+	spawnCircuitOpen,
+} from "./sre-hooks.js";
+export {
+	getTrustManagerForRun,
+	recordPolicyAllow,
+	recordPolicyDeny,
+	trustScoreForAgent,
+} from "./trust-run-store.js";
+export {
+	workflowBlocked,
+	workflowFlagsFromEntries,
+} from "./workflow-history.js";

package/.pi/lib/agt/kill-switch-state.ts

@@ -0,0 +1,11 @@
+const denyCounts = new Map<string, number>();
+
+export function recordHarnessPolicyDeny(sessionId: string): number {
+	const n = (denyCounts.get(sessionId) ?? 0) + 1;
+	denyCounts.set(sessionId, n);
+	return n;
+}
+
+export function resetHarnessPolicyDenyCount(sessionId: string): void {
+	denyCounts.delete(sessionId);
+}

package/.pi/lib/agt/legacy-evaluate.ts

@@ -0,0 +1,101 @@
+import { allowsAgentTool } from "../agents-policy.mjs";
+import { evaluateContextModeMutation } from "../harness-context-mode-policy.js";
+import {
+	extractWritePathFromToolInput,
+	getLatestRunContext,
+	isPlanPhaseAllowedMutation,
+} from "../harness-run-context.js";
+import { evaluateSubagentToolCall } from "../harness-spawn-policy.js";
+import type { BuildEvaluationContextInput } from "./build-evaluation-context.js";
+import {
+	buildHarnessAgtEvaluationContext,
+	type HarnessAgtContext,
+	harnessSessionToolDenyReason,
+} from "./build-evaluation-context.js";
+
+/** Combined legacy path for HARNESS_AGT_POLICY=0 parity tests. */
+export async function evaluateLegacyHarnessToolPolicy(
+	input: BuildEvaluationContextInput,
+): Promise<{ allowed: boolean; reason: string; context?: HarnessAgtContext }> {
+	const { toolName, toolInput, policyState, entries, projectRoot, sessionId } =
+		input;
+	const agentId =
+		process.env.PI_HARNESS_SUBPROCESS === "1"
+			? (process.env.HARNESS_AGENT_ID?.trim() ?? "harness/unknown")
+			: "parent-orchestrator";
+	const isSubprocess = process.env.PI_HARNESS_SUBPROCESS === "1";
+	const isParent = agentId === "parent-orchestrator";
+
+	const spawn = evaluateSubagentToolCall(toolName, agentId);
+	if (spawn.action === "block") {
+		return { allowed: false, reason: spawn.reason ?? "spawn policy" };
+	}
+
+	if (
+		!allowsAgentTool({
+			packageRoot: input.packageRoot,
+			projectRoot,
+			agentId,
+			toolName,
+			toolInput,
+			isSubprocess,
+			isParentOrchestrator: isParent,
+		})
+	) {
+		return {
+			allowed: false,
+			reason: `agents-policy: ${toolName} not allowed for ${agentId}`,
+		};
+	}
+
+	const runCtx = getLatestRunContext(entries);
+	const phase = policyState.phase;
+	const bashCommand =
+		toolName === "bash" ? String(toolInput.command ?? "") : "";
+
+	if (toolName === "write" || toolName === "edit") {
+		const planMutation = await isPlanPhaseAllowedMutation(
+			toolName,
+			toolInput,
+			phase,
+			runCtx,
+			projectRoot,
+			{
+				aborted: policyState.aborted,
+				entries,
+				ownerSessionId: runCtx?.owner_pi_session_id,
+				currentSessionId: sessionId,
+			},
+		);
+		if (!planMutation.allowed) {
+			return {
+				allowed: false,
+				reason: planMutation.reason ?? "plan phase mutation blocked",
+			};
+		}
+	}
+
+	const ctxMode = evaluateContextModeMutation(toolName, toolInput, phase, {
+		aborted: policyState.aborted,
+		budgetBypass: policyState.budgetBypass,
+		readOnlyAgent: false,
+	});
+	if (ctxMode.blocked) {
+		return { allowed: false, reason: ctxMode.reason };
+	}
+
+	const sessionDeny = harnessSessionToolDenyReason({
+		toolName,
+		toolInput,
+		phase,
+		agentId,
+		entries,
+		aborted: policyState.aborted,
+	});
+	if (sessionDeny) {
+		return { allowed: false, reason: sessionDeny };
+	}
+
+	const context = await buildHarnessAgtEvaluationContext(input);
+	return { allowed: true, reason: "legacy allow", context };
+}