yuangs 2.38.0 → 2.40.0

package/dist/legacy/governance/actions/CodeChangeAction.js

@@ -0,0 +1,139 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CodeChangeAction = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+class CodeChangeAction {
+    id;
+    payload;
+    rationale;
+    provenance;
+    kind = "code_change";
+    state = "DRAFT";
+    updatedAt = Date.now();
+    constructor(id, payload, rationale, provenance) {
+        this.id = id;
+        this.payload = payload;
+        this.rationale = rationale;
+        this.provenance = provenance;
+        this.updatedAt = provenance.createdAt;
+    }
+    propose() {
+        if (this.state !== "DRAFT") {
+            throw new Error(`Governance violation: propose() called from ${this.state}, must be DRAFT`);
+        }
+        this.state = "PROPOSED";
+        this.updatedAt = Date.now();
+    }
+    approve(by) {
+        if (this.state !== "PROPOSED") {
+            throw new Error(`Governance violation: approve() called from ${this.state}, must be PROPOSED`);
+        }
+        if (by !== "human") {
+            throw new Error(`Governance violation: only human can approve, got ${by}`);
+        }
+        this.state = "APPROVED";
+        this.updatedAt = Date.now();
+    }
+    reject(reason) {
+        if (this.state === "REJECTED") {
+            throw new Error(`Governance violation: reject() called from ${this.state}, already rejected`);
+        }
+        this.state = "REJECTED";
+        this.updatedAt = Date.now();
+    }
+    async execute(ctx) {
+        if (this.state !== "APPROVED") {
+            throw new Error(`Governance violation: execute() called from ${this.state}, must be APPROVED`);
+        }
+        const startTime = Date.now();
+        try {
+            await ctx.executor.applyDiff(this.payload.diff);
+            this.state = "EXECUTED";
+            this.updatedAt = Date.now();
+            return {
+                ok: true,
+                executedAt: Date.now(),
+                snapshotAfter: ctx.snapshot,
+            };
+        }
+        catch (error) {
+            this.state = "REJECTED";
+            this.updatedAt = Date.now();
+            return {
+                ok: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    async observe() {
+        if (this.state !== "EXECUTED") {
+            throw new Error(`Governance violation: observe() called from ${this.state}, must be EXECUTED`);
+        }
+        const { execSync } = require("child_process");
+        const changedFiles = execSync("git diff --name-only", {
+            encoding: "utf-8",
+        })
+            .trim()
+            .split("\n")
+            .filter((f) => f);
+        const gitDiff = execSync("git diff", { encoding: "utf-8" });
+        this.state = "OBSERVED";
+        this.updatedAt = Date.now();
+        return {
+            gitDiff,
+            changedFiles,
+            executionTime: Date.now(),
+        };
+    }
+    verify(obs) {
+        if (this.state !== "OBSERVED") {
+            throw new Error(`Governance violation: verify() called from ${this.state}, must be OBSERVED`);
+        }
+        const changedFiles = new Set(obs.changedFiles);
+        const declaredFiles = new Set(this.payload.files);
+        const extraFiles = obs.changedFiles.filter((f) => !declaredFiles.has(f));
+        if (extraFiles.length > 0) {
+            throw new Error(`Governance violation: execution modified undeclared files: ${extraFiles.join(", ")}`);
+        }
+        this.state = "VERIFIED";
+        this.updatedAt = Date.now();
+        return true;
+    }
+    summarize() {
+        const changeSize = this.calculateChangeSize();
+        return {
+            id: this.id,
+            kind: this.kind,
+            state: this.state,
+            rationale: this.rationale,
+            filesAffected: this.payload.files,
+            changeSize,
+        };
+    }
+    calculateChangeSize() {
+        let additions = 0;
+        let deletions = 0;
+        for (const line of this.payload.diff.split("\n")) {
+            if (line.startsWith("+") && !line.startsWith("+++"))
+                additions++;
+            if (line.startsWith("-") && !line.startsWith("---"))
+                deletions++;
+        }
+        return additions + deletions;
+    }
+    static create(payload, rationale, agentId, planHash, parentAction) {
+        const id = crypto_1.default.randomUUID();
+        const provenance = {
+            agentId,
+            planHash,
+            parentAction,
+            createdAt: Date.now(),
+        };
+        return new CodeChangeAction(id, payload, rationale, provenance);
+    }
+}
+exports.CodeChangeAction = CodeChangeAction;
+//# sourceMappingURL=CodeChangeAction.js.map

package/dist/legacy/governance/actions/CodeChangeAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CodeChangeAction.js","sourceRoot":"","sources":["../../../../src/legacy/governance/actions/CodeChangeAction.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAuB5B,MAAa,gBAAgB;IAOT;IACA;IACA;IACA;IATT,IAAI,GAAG,aAAa,CAAC;IAE9B,KAAK,GAAoB,OAAO,CAAC;IACjC,SAAS,GAAW,IAAI,CAAC,GAAG,EAAE,CAAC;IAE/B,YACkB,EAAU,EACV,OAA0B,EAC1B,SAAiB,EACjB,UAA4B;QAH5B,OAAE,GAAF,EAAE,CAAQ;QACV,YAAO,GAAP,OAAO,CAAmB;QAC1B,cAAS,GAAT,SAAS,CAAQ;QACjB,eAAU,GAAV,UAAU,CAAkB;QAE5C,IAAI,CAAC,SAAS,GAAG,UAAU,CAAC,SAAS,CAAC;IACxC,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,KAAK,iBAAiB,CAC3E,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;QACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,EAAkB;QACxB,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,KAAK,oBAAoB,CAC9E,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,qDAAqD,EAAE,EAAE,CAC1D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;QACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,MAAc;QACnB,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,CAAC,KAAK,oBAAoB,CAC7E,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;QACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,KAAK,oBAAoB,CAC9E,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAEhD,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;YACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE5B,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;gBACtB,aAAa,EAAE,GAAG,CAAC,QAAQ;aAC5B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;YACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE5B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,KAAK,oBAAoB,CAC9E,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QAE9C,MAAM,YAAY,GAAG,QAAQ,CAAC,sBAAsB,EAAE;YACpD,QAAQ,EAAE,OAAO;SAClB,CAAC;aACC,IAAI,EAAE;aACN,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;QAE5B,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QAE5D,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;QACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE5B,OAAO;YACL,OAAO;YACP,YAAY;YACZ,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE;SAC1B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,GAAgB;QACrB,IAAI,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,CAAC,KAAK,oBAAoB,CAC7E,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC/C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAElD,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEzE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,8DAA8D,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC;QACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAE9C,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,aAAa,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;YACjC,UAAU;SACX,CAAC;IACJ,CAAC;IAEO,mBAAmB;QACzB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;gBAAE,SAAS,EAAE,CAAC;YACjE,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;gBAAE,SAAS,EAAE,CAAC;QACnE,CAAC;QAED,OAAO,SAAS,GAAG,SAAS,CAAC;IAC/B,CAAC;IAED,MAAM,CAAC,MAAM,CACX,OAA0B,EAC1B,SAAiB,EACjB,OAAe,EACf,QAAgB,EAChB,YAAqB;QAErB,MAAM,EAAE,GAAG,gBAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAqB;YACnC,OAAO;YACP,QAAQ;YACR,YAAY;YACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,OAAO,IAAI,gBAAgB,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAClE,CAAC;CACF;AA/KD,4CA+KC"}

package/dist/legacy/governance/capability/token.d.ts

@@ -0,0 +1,45 @@
+export type Right = {
+    type: "APPLY_DIFF";
+} | {
+    type: "READ_FILE";
+    path: string;
+} | {
+    type: "EXECUTE_ACTION";
+    actionId: string;
+};
+export type Scope = {
+    type: "ACTION";
+    id: string;
+} | {
+    type: "PATH_PREFIX";
+    prefix: string;
+} | {
+    type: "REPO";
+};
+export interface Capability {
+    id: string;
+    subject: string;
+    rights: Right[];
+    scope: Scope;
+    issuedAt: number;
+    expiresAt: number;
+    maxUses: number;
+    used: number;
+    signature: string;
+}
+export declare function sign(data: string): string;
+export declare function verify(cap: Capability): boolean;
+export declare function issue(input: {
+    subject: string;
+    rights: Right[];
+    scope: Scope;
+    ttlMs: number;
+    maxUses?: number;
+}): Capability;
+export declare function checkCapability(cap: Capability, want: Right, context: {
+    actionId?: string;
+    path?: string;
+}): void;
+export declare function attenuate(cap: Capability, limits: Partial<Pick<Capability, "expiresAt" | "maxUses">>): Capability;
+export declare function revoke(capId: string): void;
+export declare function checkRevoked(cap: Capability): void;

package/dist/legacy/governance/capability/token.js

@@ -0,0 +1,103 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sign = sign;
+exports.verify = verify;
+exports.issue = issue;
+exports.checkCapability = checkCapability;
+exports.attenuate = attenuate;
+exports.revoke = revoke;
+exports.checkRevoked = checkRevoked;
+const crypto_1 = __importDefault(require("crypto"));
+const SECRET = process.env.CAP_SECRET || "default-secret-change-in-production";
+function sign(data) {
+    return crypto_1.default
+        .createHmac("sha256", SECRET)
+        .update(data)
+        .digest("hex");
+}
+function verify(cap) {
+    const { signature, ...rest } = cap;
+    const payload = JSON.stringify(rest);
+    const computed = sign(payload);
+    return computed === signature;
+}
+function issue(input) {
+    const base = {
+        id: crypto_1.default.randomUUID(),
+        subject: input.subject,
+        rights: input.rights,
+        scope: input.scope,
+        issuedAt: Date.now(),
+        expiresAt: Date.now() + input.ttlMs,
+        maxUses: input.maxUses ?? 1,
+        used: 0,
+    };
+    const payload = JSON.stringify(base);
+    return {
+        ...base,
+        signature: sign(payload),
+    };
+}
+function checkCapability(cap, want, context) {
+    if (!verify(cap)) {
+        throw new Error("Invalid capability: signature verification failed");
+    }
+    if (Date.now() > cap.expiresAt) {
+        throw new Error("Capability expired");
+    }
+    if (cap.used >= cap.maxUses) {
+        throw new Error("Capability exhausted (max uses reached)");
+    }
+    const rightMatch = cap.rights.some((r) => JSON.stringify(r) === JSON.stringify(want));
+    if (!rightMatch) {
+        throw new Error(`Capability does not grant right: ${JSON.stringify(want)}`);
+    }
+    if (cap.scope.type === "ACTION" && context.actionId !== cap.scope.id) {
+        throw new Error(`Scope violation: capability scoped to action ${cap.scope.id}, used on ${context.actionId}`);
+    }
+    if (cap.scope.type === "PATH_PREFIX" &&
+        context.path &&
+        !context.path.startsWith(cap.scope.prefix)) {
+        throw new Error(`Scope violation: capability scoped to ${cap.scope.prefix}, used on ${context.path}`);
+    }
+    cap.used++;
+}
+function attenuate(cap, limits) {
+    if (!verify(cap)) {
+        throw new Error("Cannot attenuate invalid capability");
+    }
+    const reduced = {
+        ...cap,
+        expiresAt: Math.min(cap.expiresAt, limits.expiresAt ?? cap.expiresAt),
+        maxUses: Math.min(cap.maxUses, limits.maxUses ?? cap.maxUses),
+        used: 0,
+        signature: "",
+    };
+    const payload = JSON.stringify({
+        id: reduced.id,
+        subject: reduced.subject,
+        rights: reduced.rights,
+        scope: reduced.scope,
+        issuedAt: reduced.issuedAt,
+        expiresAt: reduced.expiresAt,
+        maxUses: reduced.maxUses,
+        used: 0,
+    });
+    return {
+        ...reduced,
+        signature: sign(payload),
+    };
+}
+const revokedCaps = new Set();
+function revoke(capId) {
+    revokedCaps.add(capId);
+}
+function checkRevoked(cap) {
+    if (revokedCaps.has(cap.id)) {
+        throw new Error(`Capability ${cap.id} has been revoked`);
+    }
+}
+//# sourceMappingURL=token.js.map

package/dist/legacy/governance/capability/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../../../src/legacy/governance/capability/token.ts"],"names":[],"mappings":";;;;;AA2BA,oBAKC;AAED,wBAMC;AAED,sBAwBC;AAED,0CA4CC;AAED,8BAkCC;AAID,wBAEC;AAED,oCAIC;AAhKD,oDAA4B;AAG5B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,qCAAqC,CAAC;AAwB/E,SAAgB,IAAI,CAAC,IAAY;IAC/B,OAAO,gBAAM;SACV,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;SAC5B,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,SAAgB,MAAM,CAAC,GAAe;IACpC,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,GAAG,CAAC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;IAE/B,OAAO,QAAQ,KAAK,SAAS,CAAC;AAChC,CAAC;AAED,SAAgB,KAAK,CAAC,KAMrB;IACC,MAAM,IAAI,GAAG;QACX,EAAE,EAAE,gBAAM,CAAC,UAAU,EAAE;QACvB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE;QACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,KAAK;QACnC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,CAAC;QAC3B,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAErC,OAAO;QACL,GAAG,IAAI;QACP,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC;KACzB,CAAC;AACJ,CAAC;AAED,SAAgB,eAAe,CAC7B,GAAe,EACf,IAAW,EACX,OAA6C;IAE7C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAClD,CAAC;IAEF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,oCAAoC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC3D,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,QAAQ,KAAK,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CACb,gDAAgD,GAAG,CAAC,KAAK,CAAC,EAAE,aAAa,OAAO,CAAC,QAAQ,EAAE,CAC5F,CAAC;IACJ,CAAC;IAED,IACE,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,aAAa;QAChC,OAAO,CAAC,IAAI;QACZ,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,EAC1C,CAAC;QACD,MAAM,IAAI,KAAK,CACb,yCAAyC,GAAG,CAAC,KAAK,CAAC,MAAM,aAAa,OAAO,CAAC,IAAI,EAAE,CACrF,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,IAAI,EAAE,CAAC;AACb,CAAC;AAED,SAAgB,SAAS,CACvB,GAAe,EACf,MAA0D;IAE1D,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,OAAO,GAAG;QACd,GAAG,GAAG;QACN,SAAS,EAAE,IAAI,CAAC,GAAG,CACjB,GAAG,CAAC,SAAS,EACb,MAAM,CAAC,SAAS,IAAI,GAAG,CAAC,SAAS,CAClC;QACD,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC;QAC7D,IAAI,EAAE,CAAC;QACP,SAAS,EAAE,EAAE;KACd,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI,EAAE,CAAC;KACR,CAAC,CAAC;IAEH,OAAO;QACL,GAAG,OAAO;QACV,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;AAEtC,SAAgB,MAAM,CAAC,KAAa;IAClC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AACzB,CAAC;AAED,SAAgB,YAAY,CAAC,GAAe;IAC1C,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,cAAc,GAAG,CAAC,EAAE,mBAAmB,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC"}

package/dist/legacy/governance/commands/diffEdit.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function createDiffEditCommand(): Command;

package/dist/legacy/governance/commands/diffEdit.js

@@ -0,0 +1,245 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDiffEditCommand = createDiffEditCommand;
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const fs_1 = __importDefault(require("fs"));
+const child_process_1 = require("child_process");
+const GovernanceEngine_1 = require("../GovernanceEngine");
+const CodeChangeAction_1 = require("../actions/CodeChangeAction");
+const diffParser_1 = require("../review/diffParser");
+const render_1 = require("../review/render");
+const sandbox_1 = require("../execution/sandbox");
+const store_1 = require("../storage/store");
+const engine = new GovernanceEngine_1.GovernanceEngine();
+(0, store_1.auditActions)((0, store_1.loadActions)());
+function collectGitResult(commitHash) {
+    try {
+        const output = (0, child_process_1.execSync)(`git show --stat --oneline ${commitHash}`, {
+            encoding: "utf-8",
+        });
+        const files = [];
+        let insertions = 0;
+        let deletions = 0;
+        for (const line of output.split("\n")) {
+            const fileMatch = line.match(/^\s*(.+?)\s+\|\s+\d+/);
+            if (fileMatch) {
+                files.push(fileMatch[1].trim());
+            }
+            const insMatch = line.match(/(\d+)\s+insertions?\(\+\)/);
+            const delMatch = line.match(/(\d+)\s+deletions?\(-\)/);
+            if (insMatch)
+                insertions = parseInt(insMatch[1], 10);
+            if (delMatch)
+                deletions = parseInt(delMatch[1], 10);
+        }
+        return {
+            commits: commitHash ? 1 : 0,
+            files,
+            insertions,
+            deletions,
+        };
+    }
+    catch {
+        return {
+            commits: 1,
+            files: [],
+            insertions: 0,
+            deletions: 0,
+            warning: "Unable to derive git stats",
+        };
+    }
+}
+class GitExecutor {
+    async applyDiff(diff) {
+        // execSync is imported at top level
+        try {
+            (0, child_process_1.execSync)("git apply --index", {
+                input: diff,
+                stdio: "pipe",
+            });
+        }
+        catch (error) {
+            throw new Error(`Failed to apply diff: ${error}`);
+        }
+    }
+    async readFile(path) {
+        return fs_1.default.promises.readFile(path, "utf-8");
+    }
+    async writeFile(path, content) {
+        await fs_1.default.promises.writeFile(path, content, "utf-8");
+    }
+    async deleteFile(path) {
+        await fs_1.default.promises.unlink(path);
+    }
+}
+function createDiffEditCommand() {
+    const program = new commander_1.Command("diff-edit");
+    program
+        .description("Governed code change CLI - review before executing")
+        .version("1.0.0");
+    program
+        .command("propose <diff-file>")
+        .option("-r, --rationale <text>", "Why this change is needed")
+        .action(async (diffFile, options) => {
+        if (!fs_1.default.existsSync(diffFile)) {
+            console.error(chalk_1.default.red(`Diff file not found: ${diffFile}`));
+            process.exit(1);
+        }
+        const diff = fs_1.default.readFileSync(diffFile, "utf-8");
+        const rationale = options.rationale || "Manual diff submission";
+        const files = (0, diffParser_1.extractFilesFromDiff)(diff);
+        const payload = { files, diff };
+        const action = CodeChangeAction_1.CodeChangeAction.create(payload, rationale, "cli", "manual-" + Date.now());
+        action.propose();
+        const actions = (0, store_1.loadActions)();
+        actions[action.id] = action;
+        (0, store_1.saveActions)(actions);
+        console.log(chalk_1.default.green(`[PROPOSED] ${action.id}`));
+        console.log(chalk_1.default.cyan("Files:"));
+        for (const f of files) {
+            console.log(`  - ${chalk_1.default.yellow(f)}`);
+        }
+        console.log(`\n${chalk_1.default.bold("Rationale:")} ${rationale}`);
+    });
+    program
+        .command("list")
+        .description("List all proposed actions")
+        .action(() => {
+        const actions = (0, store_1.loadActions)();
+        console.log(chalk_1.default.bold("\n" + "=".repeat(60)));
+        console.log(chalk_1.default.bold("Actions"));
+        console.log(chalk_1.default.bold("=".repeat(60)) + "\n");
+        const table = [];
+        for (const [id, a] of Object.entries(actions)) {
+            table.push({
+                id,
+                kind: a.kind,
+                state: a.state,
+                rationale: a.rationale.substring(0, 50),
+            });
+        }
+        console.table(table);
+    });
+    program
+        .command("approve <id>")
+        .description("Review and approve a proposed action")
+        .action(async (id) => {
+        const actions = (0, store_1.loadActions)();
+        const action = actions[id];
+        if (!action) {
+            console.error(chalk_1.default.red(`Action not found: ${id}`));
+            process.exit(1);
+        }
+        const files = (0, diffParser_1.parseUnifiedDiff)(action.payload.diff);
+        (0, render_1.renderDiffForReview)(files, action.rationale);
+        const { level, warnings } = (0, diffParser_1.assessRisk)(files);
+        (0, render_1.renderRiskAssessment)(level, warnings);
+        const approved = await (0, render_1.promptForApproval)();
+        if (!approved) {
+            console.log(chalk_1.default.red("\n[REJECTED] Approval aborted"));
+            action.state = "REJECTED";
+            (0, store_1.saveActions)(actions);
+            return;
+        }
+        action.state = "APPROVED";
+        (0, store_1.saveActions)(actions);
+        console.log(chalk_1.default.green(`\n[APPROVED] ${id}`));
+    });
+    program
+        .command("exec <id>")
+        .description("Execute an approved action")
+        .action(async (id) => {
+        const actions = (0, store_1.loadActions)();
+        const action = actions[id];
+        if (!action) {
+            console.error(chalk_1.default.red(`Action not found: ${id}`));
+            process.exit(1);
+        }
+        if (action.state !== "APPROVED") {
+            console.error(chalk_1.default.red(`Action not approved (state: ${action.state})`));
+            process.exit(1);
+        }
+        console.log(chalk_1.default.cyan(`\n[EXECUTING] ${id}...`));
+        const snapshot = (0, sandbox_1.createSnapshot)();
+        const executor = new GitExecutor();
+        const ctx = { executor, snapshot: snapshot.id };
+        try {
+            // === PRE-EXEC: Snapshot Validation ===
+            await executor.applyDiff(action.payload.diff);
+            const changedFiles = (0, sandbox_1.getChangedFiles)();
+            (0, sandbox_1.assertNoExtraChanges)(action.payload.files, changedFiles);
+            const snapshotResult = {
+                changedFiles,
+                unexpectedFiles: changedFiles.filter((f) => !action.payload.files.includes(f)),
+                matchedBySandbox: changedFiles.length === action.payload.files.length,
+            };
+            // === EXEC: Commit ===
+            (0, sandbox_1.commitChanges)(`EXECUTED action ${id}`, snapshot.id);
+            const commitHash = (0, child_process_1.execSync)("git rev-parse HEAD", {
+                encoding: "utf-8",
+            }).trim();
+            action.state = "EXECUTED";
+            action.executedAt = Date.now();
+            (0, store_1.saveActions)(actions);
+            // === POST-EXEC: Reporting ===
+            const gitResult = collectGitResult(commitHash);
+            console.log(chalk_1.default.green("\n[EXECUTED]"));
+            console.log(chalk_1.default.green(`Action ID: ${id}`));
+            console.log(chalk_1.default.cyan("\nSnapshot Verification (pre-commit):"));
+            console.log(chalk_1.default.cyan(`  - Files changed: ${snapshotResult.changedFiles.length}`));
+            for (const f of snapshotResult.changedFiles) {
+                console.log(chalk_1.default.cyan(`    - ${f}`));
+            }
+            if (snapshotResult.unexpectedFiles.length > 0) {
+                console.log(chalk_1.default.yellow("  - Unexpected files:"));
+                for (const f of snapshotResult.unexpectedFiles) {
+                    console.log(chalk_1.default.yellow(`    - ${f}`));
+                }
+            }
+            console.log(chalk_1.default.cyan(`  - Status: ${snapshotResult.matchedBySandbox ? "✅ MATCHED" : "⚠️ DEVIATION"}`));
+            console.log(chalk_1.default.cyan("\nGit Result:"));
+            console.log(chalk_1.default.cyan(`  - Commit: ${commitHash.substring(0, 7)}`));
+            console.log(chalk_1.default.cyan(`  - Files changed: ${gitResult.files.length}`));
+            console.log(chalk_1.default.cyan(`  - Insertions: ${gitResult.insertions}`));
+            console.log(chalk_1.default.cyan(`  - Deletions: ${gitResult.deletions}`));
+            console.log(chalk_1.default.green("\nStatus:"));
+            console.log(chalk_1.default.green("  ✅ EXECUTED (validated + committed)"));
+        }
+        catch (error) {
+            console.error(chalk_1.default.red(`\n[FAILED] ${error}`));
+            console.log(chalk_1.default.yellow("\nRolling back to snapshot..."));
+            (0, sandbox_1.rollbackToSnapshot)(snapshot.id);
+            action.state = "REJECTED";
+            (0, store_1.saveActions)(actions);
+            console.log(chalk_1.default.cyan("\nRolled back successfully"));
+            process.exit(1);
+        }
+    });
+    program
+        .command("status <id>")
+        .description("Show status of an action")
+        .action((id) => {
+        const actions = (0, store_1.loadActions)();
+        const action = actions[id];
+        if (!action) {
+            console.error(chalk_1.default.red(`Action not found: ${id}`));
+            process.exit(1);
+        }
+        console.log(chalk_1.default.bold("\n" + "=".repeat(60)));
+        console.log(chalk_1.default.bold(`Action: ${id}`));
+        console.log(chalk_1.default.bold("=".repeat(60)) + "\n");
+        console.log(`${chalk_1.default.bold("Kind:")} ${action.kind}`);
+        console.log(`${chalk_1.default.bold("State:")} ${action.state}`);
+        console.log(`${chalk_1.default.bold("Rationale:")} ${action.rationale}`);
+        console.log(`${chalk_1.default.bold("Updated:")} ${new Date(action.updatedAt).toLocaleString()}`);
+        if (action.state === "EXECUTED" && action.executedAt) {
+            console.log(`${chalk_1.default.bold("Executed:")} ${new Date(action.executedAt).toLocaleString()}`);
+        }
+    });
+    return program;
+}
+//# sourceMappingURL=diffEdit.js.map

package/dist/legacy/governance/commands/diffEdit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diffEdit.js","sourceRoot":"","sources":["../../../../src/legacy/governance/commands/diffEdit.ts"],"names":[],"mappings":";;;;;AAsFA,sDAoPC;AA1UD,yCAAoC;AACpC,kDAA0B;AAC1B,4CAAoB;AACpB,iDAAyC;AAEzC,0DAAuD;AACvD,kEAAkF;AAElF,qDAA0F;AAC1F,6CAA+G;AAC/G,kDAAgI;AAEhI,4CAA0E;AAE1E,MAAM,MAAM,GAAG,IAAI,mCAAgB,EAAE,CAAC;AACtC,IAAA,oBAAY,EAAC,IAAA,mBAAW,GAAE,CAAC,CAAC;AAG5B,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,6BAA6B,UAAU,EAAE,EAAE;YACjE,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;YACrD,IAAI,SAAS,EAAE,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;YACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;YACvD,IAAI,QAAQ;gBAAE,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,IAAI,QAAQ;gBAAE,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,OAAO;YACL,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3B,KAAK;YACL,UAAU;YACV,SAAS;SACV,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,OAAO,EAAE,CAAC;YACV,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,CAAC;YACb,SAAS,EAAE,CAAC;YACZ,OAAO,EAAE,4BAA4B;SACtC,CAAC;IACJ,CAAC;AACH,CAAC;AAID,MAAM,WAAW;IACf,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,oCAAoC;QAEpC,IAAI,CAAC;YACH,IAAA,wBAAQ,EAAC,mBAAmB,EAAE;gBAC5B,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,MAAM;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAAY;QACzB,OAAO,YAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY,EAAE,OAAe;QAC3C,MAAM,YAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAY;QAC3B,MAAM,YAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;CACF;AAED,SAAgB,qBAAqB;IACnC,MAAM,OAAO,GAAG,IAAI,mBAAO,CAAC,WAAW,CAAC,CAAC;IAEzC,OAAO;SACJ,WAAW,CAAC,oDAAoD,CAAC;SACjE,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpB,OAAO;SACJ,OAAO,CAAC,qBAAqB,CAAC;SAC9B,MAAM,CAAC,wBAAwB,EAAE,2BAA2B,CAAC;SAC7D,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE;QAClC,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,wBAAwB,QAAQ,EAAE,CAAC,CAAC,CAAC;YAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,YAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,wBAAwB,CAAC;QAEhE,MAAM,KAAK,GAAG,IAAA,iCAAoB,EAAC,IAAI,CAAC,CAAC;QACzC,MAAM,OAAO,GAAsB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAEnD,MAAM,MAAM,GAAG,mCAAgB,CAAC,MAAM,CACpC,OAAO,EACP,SAAS,EACT,KAAK,EACL,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CACvB,CAAC;QAEF,MAAM,CAAC,OAAO,EAAE,CAAC;QAEjB,MAAM,OAAO,GAAG,IAAA,mBAAW,GAAE,CAAC;QAC9B,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,MAAa,CAAC;QACnC,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC;QAErB,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,cAAc,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;QAClC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,OAAO,eAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,SAAS,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,2BAA2B,CAAC;SACxC,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,OAAO,GAAG,IAAA,mBAAW,GAAE,CAAC;QAE9B,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAE/C,MAAM,KAAK,GAKN,EAAE,CAAC;QAER,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC;gBACT,EAAE;gBACF,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;aACxC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,sCAAsC,CAAC;SACnD,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,IAAA,mBAAW,GAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,CAAC;QAE3B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,KAAK,GAAG,IAAA,6BAAgB,EAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,IAAA,4BAAmB,EAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAE7C,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAA,uBAAU,EAAC,KAAK,CAAC,CAAC;QAC9C,IAAA,6BAAoB,EAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEtC,MAAM,QAAQ,GAAG,MAAM,IAAA,0BAAiB,GAAE,CAAC;QAE3C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC,CAAC;YACxD,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC;YAC1B,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC;QAC1B,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC;QAErB,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,WAAW,CAAC;SACpB,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,IAAA,mBAAW,GAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,CAAC;QAE3B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,GAAG,CACP,+BAA+B,MAAM,CAAC,KAAK,GAAG,CAC/C,CACF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC,CAAC;QAElD,MAAM,QAAQ,GAAG,IAAA,wBAAc,GAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC;QACnC,MAAM,GAAG,GAAqB,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC;QAElE,IAAI,CAAC;YACH,wCAAwC;YACxC,MAAM,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE9C,MAAM,YAAY,GAAG,IAAA,yBAAe,GAAE,CAAC;YACvC,IAAA,8BAAoB,EAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;YAEzD,MAAM,cAAc,GAAG;gBACrB,YAAY;gBACZ,eAAe,EAAE,YAAY,CAAC,MAAM,CAClC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CACzC;gBACD,gBAAgB,EAAE,YAAY,CAAC,MAAM,KAAK,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM;aACtE,CAAC;YAEF,uBAAuB;YACvB,IAAA,uBAAa,EAAC,mBAAmB,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;YAEpD,MAAM,UAAU,GAAG,IAAA,wBAAQ,EAAC,oBAAoB,EAAE;gBAChD,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC,IAAI,EAAE,CAAC;YAEV,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC;YAC1B,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC/B,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC;YAErB,+BAA+B;YAC/B,MAAM,SAAS,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;YAE/C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,CAAC;YAE7C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC,CAAC;YACjE,OAAO,CAAC,GAAG,CACT,eAAK,CAAC,IAAI,CACR,sBAAsB,cAAc,CAAC,YAAY,CAAC,MAAM,EAAE,CAC3D,CACF,CAAC;YACF,KAAK,MAAM,CAAC,IAAI,cAAc,CAAC,YAAY,EAAE,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;YACxC,CAAC;YACD,IAAI,cAAc,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,MAAM,CAAC,uBAAuB,CAAC,CAAC,CAAC;gBACnD,KAAK,MAAM,CAAC,IAAI,cAAc,CAAC,eAAe,EAAE,CAAC;oBAC/C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,CACT,eAAK,CAAC,IAAI,CACR,eAAe,cAAc,CAAC,gBAAgB,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,cAC/D,EAAE,CACH,CACF,CAAC;YAEF,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,eAAe,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACrE,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,sBAAsB,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACxE,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,mBAAmB,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;YAEjE,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC,CAAC;QACnE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,cAAc,KAAK,EAAE,CAAC,CAAC,CAAC;YAEhD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,MAAM,CAAC,+BAA+B,CAAC,CAAC,CAAC;YAC3D,IAAA,4BAAkB,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAEhC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC;YAC1B,IAAA,mBAAW,EAAC,OAAO,CAAC,CAAC;YAErB,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,IAAA,mBAAW,GAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,CAAC;QAE3B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAE/C,OAAO,CAAC,GAAG,CAAC,GAAG,eAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,GAAG,eAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,GAAG,eAAK,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CACT,GAAG,eAAK,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,IAAI,CACnC,MAAM,CAAC,SAAS,CACjB,CAAC,cAAc,EAAE,EAAE,CACrB,CAAC;QAEF,IAAI,MAAM,CAAC,KAAK,KAAK,UAAU,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACrD,OAAO,CAAC,GAAG,CACT,GAAG,eAAK,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,IAAI,IAAI,CACpC,MAAM,CAAC,UAAU,CAClB,CAAC,cAAc,EAAE,EAAE,CACrB,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/legacy/governance/execution/sandbox.d.ts

@@ -0,0 +1,12 @@
+export interface ExecutionSnapshot {
+    id: string;
+    commitHash: string;
+    timestamp: number;
+    isClean: boolean;
+}
+export declare function createSnapshot(): ExecutionSnapshot;
+export declare function verifySnapshot(snapshotId: string): boolean;
+export declare function rollbackToSnapshot(snapshotId: string): void;
+export declare function commitChanges(message: string, snapshotId: string): void;
+export declare function getChangedFiles(): string[];
+export declare function assertNoExtraChanges(approvedFiles: string[], actualFiles: string[]): void;

package/dist/legacy/governance/execution/sandbox.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSnapshot = createSnapshot;
+exports.verifySnapshot = verifySnapshot;
+exports.rollbackToSnapshot = rollbackToSnapshot;
+exports.commitChanges = commitChanges;
+exports.getChangedFiles = getChangedFiles;
+exports.assertNoExtraChanges = assertNoExtraChanges;
+const child_process_1 = require("child_process");
+function createSnapshot() {
+    const statusOutput = (0, child_process_1.execSync)("git status --porcelain", {
+        encoding: "utf-8",
+    }).trim();
+    const isClean = statusOutput.length === 0;
+    if (!isClean) {
+        throw new Error("Cannot create snapshot: working tree is dirty. Commit or stash changes first.");
+    }
+    const commitHash = (0, child_process_1.execSync)("git rev-parse HEAD", {
+        encoding: "utf-8",
+    }).trim();
+    return {
+        id: commitHash,
+        commitHash,
+        timestamp: Date.now(),
+        isClean,
+    };
+}
+function verifySnapshot(snapshotId) {
+    try {
+        const current = (0, child_process_1.execSync)("git rev-parse HEAD", {
+            encoding: "utf-8",
+        }).trim();
+        return current === snapshotId;
+    }
+    catch {
+        return false;
+    }
+}
+function rollbackToSnapshot(snapshotId) {
+    try {
+        (0, child_process_1.execSync)(`git reset --hard ${snapshotId}`, {
+            stdio: "inherit",
+        });
+        console.log(`Rolled back to snapshot ${snapshotId}`);
+    }
+    catch (error) {
+        throw new Error(`Failed to rollback to snapshot ${snapshotId}: ${error}`);
+    }
+}
+function commitChanges(message, snapshotId) {
+    try {
+        (0, child_process_1.execSync)(`git commit -am "${message}"`, {
+            stdio: "inherit",
+        });
+    }
+    catch (error) {
+        throw new Error(`Failed to commit changes: ${error}`);
+    }
+}
+function getChangedFiles() {
+    const output = (0, child_process_1.execSync)("git diff --name-only HEAD", {
+        encoding: "utf-8",
+    });
+    return output
+        .trim()
+        .split("\n")
+        .filter((f) => f.length > 0);
+}
+function assertNoExtraChanges(approvedFiles, actualFiles) {
+    const approvedSet = new Set(approvedFiles);
+    const extraFiles = actualFiles.filter((f) => !approvedSet.has(f));
+    if (extraFiles.length > 0) {
+        throw new Error(`Governance violation: execution modified undeclared files:\n${extraFiles.join("\n")}`);
+    }
+}
+//# sourceMappingURL=sandbox.js.map