"use strict"; // ============================================================================= // SECURITY GUARDRAILS — Protected VIBN Platform Resources // // These repos and Coolify resources belong to the Vibn platform itself. // Agents must never be allowed to push code or trigger deployments here. // Read-only operations (list, read file, get status) are still permitted // so agents can observe platform state, but all mutations are blocked. // ============================================================================= Object.defineProperty(exports, "__esModule", { value: true }); exports.PROTECTED_COOLIFY_APPS = exports.PROTECTED_COOLIFY_PROJECT = exports.PROTECTED_GITEA_REPOS = void 0; exports.assertGiteaWritable = assertGiteaWritable; exports.assertCoolifyDeployable = assertCoolifyDeployable; /** Gitea repos agents can NEVER push to, commit to, or write issues on. */ exports.PROTECTED_GITEA_REPOS = new Set([ 'mark/vibn-frontend', 'mark/theia-code-os', 'mark/vibn-agent-runner', 'mark/vibn-api', 'mark/master-ai', ]); /** Coolify project UUID for the VIBN platform — agents cannot deploy here. */ exports.PROTECTED_COOLIFY_PROJECT = 'f4owwggokksgw0ogo0844os0'; /** * Specific Coolify app UUIDs that must never be deployed by an agent. * Belt-and-suspenders check in case the project UUID filter is bypassed. */ exports.PROTECTED_COOLIFY_APPS = new Set([ 'y4cscsc8s08c8808go0448s0', // vibn-frontend 'kggs4ogckc0w8ggwkkk88kck', // vibn-postgres 'o4wwck0g0c04wgoo4g4s0004', // gitea ]); function assertGiteaWritable(repo) { if (exports.PROTECTED_GITEA_REPOS.has(repo)) { throw new Error(`SECURITY: Repo "${repo}" is a protected Vibn platform repo. ` + `Agents cannot push code or modify issues in this repository.`); } } function assertCoolifyDeployable(appUuid) { if (exports.PROTECTED_COOLIFY_APPS.has(appUuid)) { throw new Error(`SECURITY: App "${appUuid}" is a protected Vibn platform application. ` + `Agents cannot trigger deployments for this application.`); } }