refactor(extensions): merge ttsr into guardrails

TTSR (Time Traveling Stream Rules) monitored streaming output against regex patterns. Guardrails blocked dangerous actions and redacted secrets. Both are safety/guardrail concerns — merging them into one extension reduces surface area and simplifies the safety model. Changes: - Copied ttsr-rule-loader.js, ttsr-manager.js, ttsr-interrupt.md into guardrails/ - Updated guardrails extension-manifest.json with ttsr hooks (turn_start, message_update, turn_end, agent_end) - Integrated TTSR session_start/turn_start/message_update/turn_end/agent_end handlers into guardrails/index.js - Deleted ttsr/ extension directory Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-15 02:28:40 +02:00 · 2026-05-15 02:28:40 +02:00 · f0c3eaf999
commit f0c3eaf999
parent 2d5a05a48b
9 changed files with 94 additions and 159 deletions
--- a/packages/google-gemini-cli-provider/tsconfig.json
+++ b/packages/google-gemini-cli-provider/tsconfig.json
@ -13,7 +13,7 @@
 		"sourceMap": true,
 		"inlineSources": true,
 		"inlineSourceMap": false,
-		"moduleResolution": "NodeNext"}}]}<()>;等待下一步操作。<|assistant to=multi_tool_use.parallel __(/*!json*/)## Step: Rebuild and rerun autonomous SF after tsconfig updates. Also, verify build and run success before marking complete.  {
+		"moduleResolution": "NodeNext",
 		"resolveJsonModule": true,
 		"allowImportingTsExtensions": false,
 		"useDefineForClassFields": false,
--- a/pkg/dist/core/export-html/template.js
+++ b/pkg/dist/core/export-html/template.js
@ -1734,6 +1734,10 @@
 			codespan(token) {
 				return `<code>${escapeHtml(token.text)}</code>`;
 			},
 			// Raw HTML blocks: escape to prevent XSS
 			html(token) {
 				return escapeHtml(token.text);
 			},
 		},
 	});
--- a/src/resources/extensions/guardrails/extension-manifest.json
+++ b/src/resources/extensions/guardrails/extension-manifest.json
@ -2,11 +2,11 @@
 	"id": "guardrails",
 	"name": "Guardrails",
 	"version": "1.0.0",
-	"description": "Redact sensitive outputs and block dangerous file or shell actions",
+	"description": "Redact sensitive outputs, block dangerous actions, and monitor streaming output against regex patterns",
 	"tier": "bundled",
 	"requires": { "platform": ">=2.29.0" },
 	"provides": {
 		"commands": ["safegit", "safegit-level", "safegit-status", "yolo"],
-		"hooks": ["session_start", "tool_call", "tool_result"]
+		"hooks": ["session_start", "tool_call", "tool_result", "turn_start", "message_update", "turn_end", "agent_end"]
 	}
 }
--- a/src/resources/extensions/guardrails/index.js
+++ b/src/resources/extensions/guardrails/index.js
@ -7,9 +7,14 @@
 * - Redacts secrets from tool results before the LLM sees them
 * - Blocks dangerous bash commands (rm -rf, sudo, mkfs, etc.)
 * - Blocks writes to protected paths (.env, .git, .ssh, etc.)
 * - Monitors streaming output against regex patterns (TTSR)
 * - Registers SF slash commands: /safegit, /safegit-level, /safegit-status, /yolo
 */
 import { readFileSync } from "node:fs";
 import { join } from "node:path";
 import * as path from "node:path";
 import { loadRules } from "./ttsr-rule-loader.js";
 import { TtsrManager } from "./ttsr-manager.js";
 const SENSITIVE_PATTERNS = [
 	{
@ -554,6 +559,40 @@ function registerSafeGitCommands(
 		},
 	});
 }
 const __dirname = import.meta.dirname;
 function buildInterruptContent(rule) {
 	const template = readFileSync(join(__dirname, "ttsr-interrupt.md"), "utf-8");
 	return template
 		.replace("{{name}}", rule.name)
 		.replace("{{path}}", rule.path)
 		.replace("{{content}}", rule.content);
 }
 function extractDeltaContext(event) {
 	if (event.type === "text_delta") {
 		return { delta: event.delta, context: { source: "text", streamKey: "text" } };
 	}
 	if (event.type === "thinking_delta") {
 		return { delta: event.delta, context: { source: "thinking", streamKey: "thinking" } };
 	}
 	if (event.type === "toolcall_delta") {
 		const partial = event.partial;
 		const contentBlock = partial?.content?.[event.contentIndex];
 		const toolName = contentBlock && "name" in contentBlock ? contentBlock.name : undefined;
 		const filePaths = [];
 		if (contentBlock && "partialJson" in contentBlock) {
 			const json = contentBlock.partialJson;
 			if (json) {
 				const pathMatch = json.match(/"(?:file_path|path)"\s*:\s*"([^"]+)"/);
 				if (pathMatch) filePaths.push(pathMatch[1]);
 			}
 		}
 		return {
 			delta: event.delta,
 			context: { source: "tool", toolName, filePaths: filePaths.length > 0 ? filePaths : undefined, streamKey: `toolcall:${event.contentIndex}` },
 		};
 	}
 	return null;
 }
 // ============================================================================
 // Entry Point
 // ============================================================================
@ -628,4 +667,52 @@ export default function guardrails(pi) {
 			ctx,
 		);
 	});
 	// ── TTSR: Time Traveling Stream Rules ───────────────────────────────────
 	let ttsrManager = null;
 	let pendingViolation = null;
 	pi.on("session_start", async (_event, ctx) => {
 		const rules = loadRules(ctx.cwd);
 		if (rules.length === 0) {
 			ttsrManager = null;
 			return;
 		}
 		ttsrManager = new TtsrManager();
 		let loaded = 0;
 		for (const rule of rules) {
 			if (ttsrManager.addRule(rule)) loaded++;
 		}
 		if (loaded === 0) ttsrManager = null;
 	});
 	pi.on("turn_start", async () => {
 		if (!ttsrManager) return;
 		ttsrManager.resetBuffer();
 		pendingViolation = null;
 	});
 	pi.on("message_update", async (event, ctx) => {
 		if (!ttsrManager || !ttsrManager.hasRules()) return;
 		if (pendingViolation) return;
 		const extracted = extractDeltaContext(event.assistantMessageEvent);
 		if (!extracted) return;
 		const { delta, context } = extracted;
 		const matches = ttsrManager.checkDelta(delta, context);
 		if (matches.length === 0) return;
 		pendingViolation = { rules: matches };
 		ttsrManager.markInjected(matches);
 		ctx.abort();
 	});
 	pi.on("turn_end", async () => {
 		if (!ttsrManager) return;
 		ttsrManager.incrementMessageCount();
 	});
 	pi.on("agent_end", async () => {
 		if (!ttsrManager || !pendingViolation) return;
 		const violation = pendingViolation;
 		pendingViolation = null;
 		const interruptParts = violation.rules.map(buildInterruptContent);
 		const fullInterrupt = interruptParts.join("\n\n");
 		pi.sendMessage(
 			{ customType: "ttsr-violation", content: fullInterrupt, display: false },
 			{ triggerTurn: true },
 		);
 	});
 }
--- a/src/resources/extensions/guardrails/ttsr-interrupt.md
+++ b/src/resources/extensions/guardrails/ttsr-interrupt.md
--- a/src/resources/extensions/guardrails/ttsr-manager.js
+++ b/src/resources/extensions/guardrails/ttsr-manager.js
--- a/src/resources/extensions/guardrails/ttsr-rule-loader.js
+++ b/src/resources/extensions/guardrails/ttsr-rule-loader.js
--- a/src/resources/extensions/ttsr/extension-manifest.json
+++ b/src/resources/extensions/ttsr/extension-manifest.json
@ -1,17 +0,0 @@
 {
 	"id": "ttsr",
 	"name": "Time Traveling Stream Rules",
 	"version": "1.0.0",
 	"description": "Zero-context-cost guardrails that monitor streaming output against regex patterns",
 	"tier": "bundled",
 	"requires": { "platform": ">=2.29.0" },
 	"provides": {
 		"hooks": [
 			"session_start",
 			"turn_start",
 			"message_update",
 			"turn_end",
 			"agent_end"
 		]
 	}
 }
--- a/src/resources/extensions/ttsr/index.js
+++ b/src/resources/extensions/ttsr/index.js
@ -1,139 +0,0 @@
 /**
 * TTSR Extension — Time Traveling Stream Rules
 *
 * Zero-context-cost guardrails that monitor streaming output against regex
 * patterns. On match: abort stream, inject rule as system reminder, retry.
 * Rules cost nothing until they fire.
 *
 * Hooks:
 *   session_start  → load rules, populate manager
 *   turn_start     → reset buffers
 *   message_update → check delta against rules, abort on match
 *   turn_end       → increment message count
 *   agent_end      → if pending violation, inject rule via sendMessage
 */
 import { readFileSync } from "node:fs";
 import { join } from "node:path";
 import { loadRules } from "./rule-loader.js";
 import { TtsrManager } from "./ttsr-manager.js";
 const __dirname = import.meta.dirname;
 function buildInterruptContent(rule) {
 	const template = readFileSync(join(__dirname, "ttsr-interrupt.md"), "utf-8");
 	return template
 		.replace("{{name}}", rule.name)
 		.replace("{{path}}", rule.path)
 		.replace("{{content}}", rule.content);
 }
 /**
 * Extract match context from an AssistantMessageEvent delta.
 * Returns null for non-delta events.
 */
 function extractDeltaContext(event) {
 	if (event.type === "text_delta") {
 		return {
 			delta: event.delta,
 			context: { source: "text", streamKey: "text" },
 		};
 	}
 	if (event.type === "thinking_delta") {
 		return {
 			delta: event.delta,
 			context: { source: "thinking", streamKey: "thinking" },
 		};
 	}
 	if (event.type === "toolcall_delta") {
 		// Extract tool name and file paths from the partial message
 		const partial = event.partial;
 		const contentBlock = partial?.content?.[event.contentIndex];
 		const toolName =
 			contentBlock && "name" in contentBlock ? contentBlock.name : undefined;
 		// Try to extract file paths from partial JSON arguments
 		const filePaths = [];
 		if (contentBlock && "partialJson" in contentBlock) {
 			const json = contentBlock.partialJson;
 			if (json) {
 				// Look for file_path or path in partial JSON
 				const pathMatch = json.match(/"(?:file_path|path)"\s*:\s*"([^"]+)"/);
 				if (pathMatch) filePaths.push(pathMatch[1]);
 			}
 		}
 		return {
 			delta: event.delta,
 			context: {
 				source: "tool",
 				toolName,
 				filePaths: filePaths.length > 0 ? filePaths : undefined,
 				streamKey: `toolcall:${event.contentIndex}`,
 			},
 		};
 	}
 	return null;
 }
 export { loadRules } from "./rule-loader.js";
 // Re-exports for external consumers
 export { TtsrManager } from "./ttsr-manager.js";
 export default function (pi) {
 	let manager = null;
 	let pendingViolation = null;
 	// ── session_start: load rules, populate manager ─────────────────────
 	pi.on("session_start", async (_event, ctx) => {
 		const rules = loadRules(ctx.cwd);
 		if (rules.length === 0) {
 			manager = null;
 			return;
 		}
 		manager = new TtsrManager();
 		let loaded = 0;
 		for (const rule of rules) {
 			if (manager.addRule(rule)) loaded++;
 		}
 		if (loaded === 0) {
 			manager = null;
 		}
 	});
 	// ── turn_start: reset buffers ───────────────────────────────────────
 	pi.on("turn_start", async () => {
 		if (!manager) return;
 		manager.resetBuffer();
 		pendingViolation = null;
 	});
 	// ── message_update: check delta against rules ───────────────────────
 	pi.on("message_update", async (event, ctx) => {
 		if (!manager || !manager.hasRules()) return;
 		if (pendingViolation) return; // Already matched, waiting for agent_end
 		const extracted = extractDeltaContext(event.assistantMessageEvent);
 		if (!extracted) return;
 		const { delta, context } = extracted;
 		const matches = manager.checkDelta(delta, context);
 		if (matches.length === 0) return;
 		// Match found — set pending violation and abort
 		pendingViolation = { rules: matches };
 		manager.markInjected(matches);
 		ctx.abort();
 	});
 	// ── turn_end: increment message count ───────────────────────────────
 	pi.on("turn_end", async () => {
 		if (!manager) return;
 		manager.incrementMessageCount();
 	});
 	// ── agent_end: inject violation if pending ──────────────────────────
 	pi.on("agent_end", async () => {
 		if (!manager || !pendingViolation) return;
 		const violation = pendingViolation;
 		pendingViolation = null;
 		// Build interrupt content for all matching rules
 		const interruptParts = violation.rules.map(buildInterruptContent);
 		const fullInterrupt = interruptParts.join("\n\n");
 		// Inject as a message that triggers a new turn
 		pi.sendMessage(
 			{
 				customType: "ttsr-violation",
 				content: fullInterrupt,
 				display: false,
 			},
 			{ triggerTurn: true },
 		);
 	});
 }