vibe-forge 0.8.1 → 0.8.3

package/{bin → src}/lib/heimdall.js

@@ -1,265 +1,265 @@
-#!/usr/bin/env node
-/**
- * Heimdall -- Forge worker pre-tool hook interceptor (PLAT-1)
- *
- * Guards the Bifrost: intercepts every tool call before execution,
- * checks it against per-task policy, and blocks or allows.
- *
- * Registered as a PreToolUse hook via .claude/settings.local.json
- * written by the forge daemon at worker startup.
- *
- * Exit codes:
- *   0 -- allow (optionally with audit log entry)
- *   2 -- block (explanation written to stdout, fed back to model)
- *
- * Context file (.context.json in process.cwd()) is written by the forge
- * daemon alongside each inbox task. If absent, Heimdall exits 0 immediately
- * -- forge-native tasks are not restricted.
- */
-
-'use strict'
-
-const fs = require('fs')
-const path = require('path')
-
-// ── Input ─────────────────────────────────────────────────────────────────────
-
-let input
-try {
-  input = JSON.parse(fs.readFileSync(0, 'utf8'))
-} catch (e) {
-  // Malformed input -- allow and exit rather than blocking the worker
-  process.exit(0)
-}
-
-const { tool_name, tool_input } = input
-
-// ── Context file ──────────────────────────────────────────────────────────────
-
-const contextPath = path.join(process.cwd(), '.context.json')
-
-// No context file = forge-native task. Heimdall does not restrict forge-native work.
-if (!fs.existsSync(contextPath)) {
-  process.exit(0)
-}
-
-let ctx
-try {
-  ctx = JSON.parse(fs.readFileSync(contextPath, 'utf8'))
-} catch (e) {
-  // Unreadable context -- fail open to avoid blocking forge-native work
-  process.exit(0)
-}
-
-const {
-  story_id,
-  agent,
-  worktree_path,
-  has_db_migration,
-  allowed_paths,
-  escalation_dir,
-  audit_log: ctxAuditLog,
-} = ctx
-
-// ── Logging ───────────────────────────────────────────────────────────────────
-
-const AUDIT_LOG = ctxAuditLog
-  || path.join(process.cwd(), '_vibe-chain-output', 'heimdall-audit.log')
-
-const MAX_VIOLATIONS = parseInt(process.env.HEIMDALL_MAX_VIOLATIONS || '3', 10)
-
-// Violation tracking lives in the worktree root (process.cwd())
-const VIOLATION_FILE = path.join(process.cwd(), `.${story_id}.violations`)
-
-// Escalation signal written to the inbox agent dir so the daemon detects it
-const ESCALATION_DIR = escalation_dir || process.cwd()
-
-function timestamp() {
-  return new Date().toISOString()
-}
-
-function audit(level, message) {
-  const line = `[${timestamp()}] HEIMDALL ${level} ${agent}/${story_id}: ${message}\n`
-  try {
-    const dir = path.dirname(AUDIT_LOG)
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })
-    fs.appendFileSync(AUDIT_LOG, line)
-  } catch (_) {
-    // Audit log write failure must never block or crash the hook
-  }
-}
-
-function block(reason) {
-  audit('BLOCKED', reason)
-
-  // Track violations
-  let violations = 0
-  try {
-    if (fs.existsSync(VIOLATION_FILE)) {
-      violations = parseInt(fs.readFileSync(VIOLATION_FILE, 'utf8').trim(), 10) || 0
-    }
-  } catch (_) {}
-
-  violations++
-
-  try {
-    fs.writeFileSync(VIOLATION_FILE, String(violations))
-  } catch (_) {}
-
-  if (violations >= MAX_VIOLATIONS) {
-    // Sound the Gjallarhorn
-    const escalationFile = path.join(ESCALATION_DIR, `${story_id}.escalation`)
-    try {
-      fs.writeFileSync(escalationFile, JSON.stringify({
-        story_id,
-        agent,
-        violations,
-        last_reason: reason,
-        timestamp: timestamp(),
-      }, null, 2))
-    } catch (_) {}
-
-    audit('SOUNDED', `${violations} violations -- escalating to human review`)
-
-    console.log(
-      `[HEIMDALL] Action blocked: ${reason}\n` +
-      `[HEIMDALL] GJALLARHORN SOUNDED: ${violations} violations recorded.\n` +
-      `[HEIMDALL] Story ${story_id} has been escalated to human review. Stop working on this story.`
-    )
-  } else {
-    console.log(
-      `[HEIMDALL] Action blocked: ${reason}\n` +
-      `[HEIMDALL] Violation ${violations}/${MAX_VIOLATIONS}. Self-correct and continue.`
-    )
-  }
-
-  process.exit(2)
-}
-
-function allow(note) {
-  if (note) audit('ALLOWED', note)
-  process.exit(0)
-}
-
-// ── Path helpers ──────────────────────────────────────────────────────────────
-
-function isOutsideAllowedPaths(targetPath) {
-  if (!targetPath) return false
-  try {
-    const resolved = path.resolve(targetPath)
-    return !allowed_paths.some(p => resolved.startsWith(path.resolve(p)))
-  } catch (_) {
-    return true // Unresolvable path -- treat as outside
-  }
-}
-
-// ── Bash tool checks ──────────────────────────────────────────────────────────
-
-if (tool_name === 'Bash') {
-  const cmd = (tool_input && tool_input.command || '').trim()
-
-  // Destructive rm -- check if target escapes worktree
-  if (/rm\s+-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r/.test(cmd) && /\brm\b/.test(cmd)) {
-    // Extract everything after the flags as the target
-    const rmMatch = cmd.match(/rm\s+(?:-\S+\s+)(.+)/)
-    const rmTarget = rmMatch ? rmMatch[1].trim().replace(/^['"]|['"]$/g, '') : ''
-
-    const isRootTarget = /^(\/|~)/.test(rmTarget) || rmTarget === '' || rmTarget.includes('..')
-    const isOutside = !rmTarget || isRootTarget || isOutsideAllowedPaths(rmTarget)
-
-    if (isOutside) {
-      block(`destructive rm outside worktree: ${cmd}`)
-    }
-  }
-
-  // Credential access
-  if (/\.(env|pem|key|cert)\b/.test(cmd) && !/\.env\.(example|sample|template)/.test(cmd)) {
-    block(`credential file access: ${cmd}`)
-  }
-  if (/~\/\.(ssh|aws|gnupg)\b/.test(cmd)) {
-    block(`credential directory access: ${cmd}`)
-  }
-  // Echoing or exporting secrets (but not reading them as part of build)
-  if (/(echo|printf|export)\s+.*\b(TOKEN|SECRET|PASSWORD|API_KEY)\s*=/.test(cmd)) {
-    block(`credential assignment in shell: ${cmd}`)
-  }
-
-  // Dangerous git operations
-  if (/git\s+push\b.*--force(-with-lease)?/.test(cmd)) {
-    block(`force push blocked: ${cmd}`)
-  }
-  if (/git\s+reset\s+--hard\s+HEAD~[2-9]/.test(cmd)) {
-    block(`multi-commit hard reset blocked: ${cmd}`)
-  }
-  if (/git\s+clean\s+-[a-zA-Z]*f[a-zA-Z]*d|-[a-zA-Z]*d[a-zA-Z]*f/.test(cmd) && /\bgit\b/.test(cmd)) {
-    block(`git clean -fd blocked: ${cmd}`)
-  }
-  // Push to a non-origin remote (e.g. git push upstream)
-  if (/git\s+push\s+(?!origin\b)(\S+)/.test(cmd)) {
-    const remoteMatch = cmd.match(/git\s+push\s+(\S+)/)
-    if (remoteMatch && remoteMatch[1] !== 'origin' && !remoteMatch[1].startsWith('-')) {
-      block(`push to non-origin remote blocked: ${cmd}`)
-    }
-  }
-  // Direct push to main/master — all changes must go through PRs
-  if (/git\s+push\b/.test(cmd) && /\b(main|master)\b/.test(cmd)) {
-    block(`direct push to main/master blocked — create a feature branch and open a PR`)
-  }
-
-  // DB destructive operations without authorization
-  if (/(DROP\s+TABLE|TRUNCATE\s+TABLE)/i.test(cmd) && !has_db_migration) {
-    block(`DROP/TRUNCATE requires has_db_migration: true on the story`)
-  }
-  if (/DELETE\s+FROM\s+\S+\s*;?\s*$/i.test(cmd) && !/WHERE\s+/i.test(cmd)) {
-    block(`DELETE without WHERE clause blocked: ${cmd}`)
-  }
-
-  // High-risk but legitimate -- audit log only
-  if (/\b(npm|yarn|pnpm)\s+(install|add|ci)\b/.test(cmd)) {
-    allow(`dependency install: ${cmd}`)
-  }
-  if (/\b(pip|pip3)\s+install\b/.test(cmd)) {
-    allow(`pip install: ${cmd}`)
-  }
-  if (/\bcargo\s+(build|install)\b/.test(cmd)) {
-    allow(`cargo build: ${cmd}`)
-  }
-  if (/\b(curl|wget)\b/.test(cmd)) {
-    allow(`network request: ${cmd}`)
-  }
-  if (/git\s+commit\s+--amend/.test(cmd)) {
-    allow(`git commit --amend`)
-  }
-}
-
-// ── Write / Edit tool checks ──────────────────────────────────────────────────
-
-if (tool_name === 'Write' || tool_name === 'Edit') {
-  const filePath = tool_input && (tool_input.file_path || tool_input.path) || ''
-
-  if (filePath) {
-    // Credential files
-    if (/\.(env|pem|key|cert)$/.test(filePath) && !/\.(example|sample|template)$/.test(filePath)) {
-      block(`write to credential file: ${filePath}`)
-    }
-
-    // Settings that could override Heimdall
-    if (/\.claude[/\\]settings(\.local)?\.json$/.test(filePath)) {
-      block(`write to .claude/settings blocked -- Heimdall config is daemon-managed`)
-    }
-
-    // Path escape check
-    if (isOutsideAllowedPaths(filePath)) {
-      block(`path escape: ${filePath} is outside allowed paths`)
-    }
-
-    // Pipeline output writes -- allowed but logged
-    if (filePath.includes('_vibe-chain-output')) {
-      allow(`pipeline output write: ${filePath}`)
-    }
-  }
-}
-
-// ── Default: allow ────────────────────────────────────────────────────────────
-
-allow(null)
+#!/usr/bin/env node
+/**
+ * Heimdall -- Forge worker pre-tool hook interceptor (PLAT-1)
+ *
+ * Guards the Bifrost: intercepts every tool call before execution,
+ * checks it against per-task policy, and blocks or allows.
+ *
+ * Registered as a PreToolUse hook via .claude/settings.local.json
+ * written by the forge daemon at worker startup.
+ *
+ * Exit codes:
+ *   0 -- allow (optionally with audit log entry)
+ *   2 -- block (explanation written to stdout, fed back to model)
+ *
+ * Context file (.context.json in process.cwd()) is written by the forge
+ * daemon alongside each inbox task. If absent, Heimdall exits 0 immediately
+ * -- forge-native tasks are not restricted.
+ */
+
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+// ── Input ─────────────────────────────────────────────────────────────────────
+
+let input
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'))
+} catch (e) {
+  // Malformed input -- allow and exit rather than blocking the worker
+  process.exit(0)
+}
+
+const { tool_name, tool_input } = input
+
+// ── Context file ──────────────────────────────────────────────────────────────
+
+const contextPath = path.join(process.cwd(), '.context.json')
+
+// No context file = forge-native task. Heimdall does not restrict forge-native work.
+if (!fs.existsSync(contextPath)) {
+  process.exit(0)
+}
+
+let ctx
+try {
+  ctx = JSON.parse(fs.readFileSync(contextPath, 'utf8'))
+} catch (e) {
+  // Unreadable context -- fail open to avoid blocking forge-native work
+  process.exit(0)
+}
+
+const {
+  story_id,
+  agent,
+  worktree_path,
+  has_db_migration,
+  allowed_paths,
+  escalation_dir,
+  audit_log: ctxAuditLog,
+} = ctx
+
+// ── Logging ───────────────────────────────────────────────────────────────────
+
+const AUDIT_LOG = ctxAuditLog
+  || path.join(process.cwd(), '_vibe-chain-output', 'heimdall-audit.log')
+
+const MAX_VIOLATIONS = parseInt(process.env.HEIMDALL_MAX_VIOLATIONS || '3', 10)
+
+// Violation tracking lives in the worktree root (process.cwd())
+const VIOLATION_FILE = path.join(process.cwd(), `.${story_id}.violations`)
+
+// Escalation signal written to the inbox agent dir so the daemon detects it
+const ESCALATION_DIR = escalation_dir || process.cwd()
+
+function timestamp() {
+  return new Date().toISOString()
+}
+
+function audit(level, message) {
+  const line = `[${timestamp()}] HEIMDALL ${level} ${agent}/${story_id}: ${message}\n`
+  try {
+    const dir = path.dirname(AUDIT_LOG)
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })
+    fs.appendFileSync(AUDIT_LOG, line)
+  } catch (_) {
+    // Audit log write failure must never block or crash the hook
+  }
+}
+
+function block(reason) {
+  audit('BLOCKED', reason)
+
+  // Track violations
+  let violations = 0
+  try {
+    if (fs.existsSync(VIOLATION_FILE)) {
+      violations = parseInt(fs.readFileSync(VIOLATION_FILE, 'utf8').trim(), 10) || 0
+    }
+  } catch (_) {}
+
+  violations++
+
+  try {
+    fs.writeFileSync(VIOLATION_FILE, String(violations))
+  } catch (_) {}
+
+  if (violations >= MAX_VIOLATIONS) {
+    // Sound the Gjallarhorn
+    const escalationFile = path.join(ESCALATION_DIR, `${story_id}.escalation`)
+    try {
+      fs.writeFileSync(escalationFile, JSON.stringify({
+        story_id,
+        agent,
+        violations,
+        last_reason: reason,
+        timestamp: timestamp(),
+      }, null, 2))
+    } catch (_) {}
+
+    audit('SOUNDED', `${violations} violations -- escalating to human review`)
+
+    console.log(
+      `[HEIMDALL] Action blocked: ${reason}\n` +
+      `[HEIMDALL] GJALLARHORN SOUNDED: ${violations} violations recorded.\n` +
+      `[HEIMDALL] Story ${story_id} has been escalated to human review. Stop working on this story.`
+    )
+  } else {
+    console.log(
+      `[HEIMDALL] Action blocked: ${reason}\n` +
+      `[HEIMDALL] Violation ${violations}/${MAX_VIOLATIONS}. Self-correct and continue.`
+    )
+  }
+
+  process.exit(2)
+}
+
+function allow(note) {
+  if (note) audit('ALLOWED', note)
+  process.exit(0)
+}
+
+// ── Path helpers ──────────────────────────────────────────────────────────────
+
+function isOutsideAllowedPaths(targetPath) {
+  if (!targetPath) return false
+  try {
+    const resolved = path.resolve(targetPath)
+    return !allowed_paths.some(p => resolved.startsWith(path.resolve(p)))
+  } catch (_) {
+    return true // Unresolvable path -- treat as outside
+  }
+}
+
+// ── Bash tool checks ──────────────────────────────────────────────────────────
+
+if (tool_name === 'Bash') {
+  const cmd = (tool_input && tool_input.command || '').trim()
+
+  // Destructive rm -- check if target escapes worktree
+  if (/rm\s+-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r/.test(cmd) && /\brm\b/.test(cmd)) {
+    // Extract everything after the flags as the target
+    const rmMatch = cmd.match(/rm\s+(?:-\S+\s+)(.+)/)
+    const rmTarget = rmMatch ? rmMatch[1].trim().replace(/^['"]|['"]$/g, '') : ''
+
+    const isRootTarget = /^(\/|~)/.test(rmTarget) || rmTarget === '' || rmTarget.includes('..')
+    const isOutside = !rmTarget || isRootTarget || isOutsideAllowedPaths(rmTarget)
+
+    if (isOutside) {
+      block(`destructive rm outside worktree: ${cmd}`)
+    }
+  }
+
+  // Credential access
+  if (/\.(env|pem|key|cert)\b/.test(cmd) && !/\.env\.(example|sample|template)/.test(cmd)) {
+    block(`credential file access: ${cmd}`)
+  }
+  if (/~\/\.(ssh|aws|gnupg)\b/.test(cmd)) {
+    block(`credential directory access: ${cmd}`)
+  }
+  // Echoing or exporting secrets (but not reading them as part of build)
+  if (/(echo|printf|export)\s+.*\b(TOKEN|SECRET|PASSWORD|API_KEY)\s*=/.test(cmd)) {
+    block(`credential assignment in shell: ${cmd}`)
+  }
+
+  // Dangerous git operations
+  if (/git\s+push\b.*--force(-with-lease)?/.test(cmd)) {
+    block(`force push blocked: ${cmd}`)
+  }
+  if (/git\s+reset\s+--hard\s+HEAD~[2-9]/.test(cmd)) {
+    block(`multi-commit hard reset blocked: ${cmd}`)
+  }
+  if (/git\s+clean\s+-[a-zA-Z]*f[a-zA-Z]*d|-[a-zA-Z]*d[a-zA-Z]*f/.test(cmd) && /\bgit\b/.test(cmd)) {
+    block(`git clean -fd blocked: ${cmd}`)
+  }
+  // Push to a non-origin remote (e.g. git push upstream)
+  if (/git\s+push\s+(?!origin\b)(\S+)/.test(cmd)) {
+    const remoteMatch = cmd.match(/git\s+push\s+(\S+)/)
+    if (remoteMatch && remoteMatch[1] !== 'origin' && !remoteMatch[1].startsWith('-')) {
+      block(`push to non-origin remote blocked: ${cmd}`)
+    }
+  }
+  // Direct push to main/master — all changes must go through PRs
+  if (/git\s+push\b/.test(cmd) && /\b(main|master)\b/.test(cmd)) {
+    block(`direct push to main/master blocked — create a feature branch and open a PR`)
+  }
+
+  // DB destructive operations without authorization
+  if (/(DROP\s+TABLE|TRUNCATE\s+TABLE)/i.test(cmd) && !has_db_migration) {
+    block(`DROP/TRUNCATE requires has_db_migration: true on the story`)
+  }
+  if (/DELETE\s+FROM\s+\S+\s*;?\s*$/i.test(cmd) && !/WHERE\s+/i.test(cmd)) {
+    block(`DELETE without WHERE clause blocked: ${cmd}`)
+  }
+
+  // High-risk but legitimate -- audit log only
+  if (/\b(npm|yarn|pnpm)\s+(install|add|ci)\b/.test(cmd)) {
+    allow(`dependency install: ${cmd}`)
+  }
+  if (/\b(pip|pip3)\s+install\b/.test(cmd)) {
+    allow(`pip install: ${cmd}`)
+  }
+  if (/\bcargo\s+(build|install)\b/.test(cmd)) {
+    allow(`cargo build: ${cmd}`)
+  }
+  if (/\b(curl|wget)\b/.test(cmd)) {
+    allow(`network request: ${cmd}`)
+  }
+  if (/git\s+commit\s+--amend/.test(cmd)) {
+    allow(`git commit --amend`)
+  }
+}
+
+// ── Write / Edit tool checks ──────────────────────────────────────────────────
+
+if (tool_name === 'Write' || tool_name === 'Edit') {
+  const filePath = tool_input && (tool_input.file_path || tool_input.path) || ''
+
+  if (filePath) {
+    // Credential files
+    if (/\.(env|pem|key|cert)$/.test(filePath) && !/\.(example|sample|template)$/.test(filePath)) {
+      block(`write to credential file: ${filePath}`)
+    }
+
+    // Settings that could override Heimdall
+    if (/\.claude[/\\]settings(\.local)?\.json$/.test(filePath)) {
+      block(`write to .claude/settings blocked -- Heimdall config is daemon-managed`)
+    }
+
+    // Path escape check
+    if (isOutsideAllowedPaths(filePath)) {
+      block(`path escape: ${filePath} is outside allowed paths`)
+    }
+
+    // Pipeline output writes -- allowed but logged
+    if (filePath.includes('_vibe-chain-output')) {
+      allow(`pipeline output write: ${filePath}`)
+    }
+  }
+}
+
+// ── Default: allow ────────────────────────────────────────────────────────────
+
+allow(null)

package/src/lib/index.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# src/lib/index.sh
+#
+# Central entry point for sourcing common libraries.
+# Scripts source this instead of individually sourcing each lib.
+#
+# Usage: source "$LIB_DIR/index.sh"
+
+# Prevent double-sourcing
+[[ -n "${_LIB_INDEX_LOADED:-}" ]] && return 0
+_LIB_INDEX_LOADED=1
+
+_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Core libraries (order matters: colors first, then constants, then the rest)
+source "$_LIB_DIR/colors.sh"
+source "$_LIB_DIR/constants.sh"
+source "$_LIB_DIR/json.sh"
+source "$_LIB_DIR/util.sh"
+
+# Optional libraries (sourced on demand by scripts that need them)
+# source "$_LIB_DIR/config.sh"    # Agent config loading
+# source "$_LIB_DIR/agents.sh"    # Agent resolution
+# source "$_LIB_DIR/database.sh"  # SQLite operations (daemon only)