release(v0.40.4): policy mode presets + plugin shakedown fix delivery

[vaaraio]

Summary

Patch release. Two threads bundled.

Policy mode presets

New vaara mode CLI subcommand with three actions, plus the matching vaara.policy.modes module:

• vaara mode list prints the four built-in preset operating points (eco, balanced, performance, strict) with their thresholds and one-line descriptions.
• vaara mode show NAME prints thresholds, description, and watt profile for a single preset.
• vaara mode emit NAME [--format json|yaml] [--output PATH] emits a minimal valid Vaara policy document for the chosen preset, ready for the deployer to add action classes, sequences, and escalation routes.

Preset operating points are shaped like CPU power profiles:

Mode	escalate	deny	When
eco	0.40	0.60	Cuts agent loops short on borderline risk. Pair with regex-first gating to short-circuit before any model forward pass.
balanced	0.55	0.85	Default operating point. Current Vaara behaviour.
performance	0.70	0.92	High-throughput pipelines where the deployer keeps tight action-class overrides on the few classes that matter.
strict	0.30	0.55	Escalate-on-doubt. For incident response, audit prep, or production lockdown windows.

Emitted documents round-trip through vaara.policy.from_dict, from_json, and from_yaml like any other policy artifact.

Plugin shakedown fix delivery

• plugins/claude-code-vaara-governance/.claude-plugin/plugin.json bumped 0.1.0 to 0.1.1, picking up the SessionStart audit-DB creation fix from fix(plugin): create audit DB on session start #161.
• .claude-plugin/marketplace.json ref bumped v0.40.3 to v0.40.4 so marketplace users receive the plugin update.

Test plan

• pytest tests/test_policy_modes.py 25 passed
• ruff check src/vaara/policy/modes.py src/vaara/cli.py tests/test_policy_modes.py clean
• vaara mode list / show balanced / emit eco / emit strict --format yaml --output policy.yaml smoke
• CI green
• Release workflow PyPI + GitHub Release on tag push
• mcp-publisher publish for both registry slots

Summary by CodeRabbit

• New Features

  • Added four built-in policy mode presets (eco, balanced, performance, strict) with configurable risk thresholds.
  • Added vaara mode CLI commands: list (display all modes), show (view mode details), and emit (export modes as Vaara policies in JSON or YAML format).

• Documentation

  • Updated documentation with a "Policy modes" section explaining preset modes and CLI usage.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces a policy modes feature that allows users to select from four preset operating points (eco, balanced, performance, strict) each with predefined escalate/deny thresholds. It adds a new vaara.policy.modes module, a vaara mode CLI command family for listing/showing/emitting modes, comprehensive test coverage, and coordinated version bumps to 0.40.4 across all manifests and documentation.

Changes

Policy Modes Feature

Layer / File(s)	Summary
Policy modes module with preset definitions and serialization src/vaara/policy/modes.py	Defines immutable Mode dataclass with four presets (eco, balanced, performance, strict) and their fixed escalate/deny thresholds; builds mode lookup with available_modes() and get_mode() helpers; implements to_policy_dict() to generate minimal policy artifacts and emit_json()/emit_yaml() serializers with proper indentation and vaara[yaml] extra handling.
CLI mode subcommand and handlers src/vaara/cli.py	Extends module docstring to document new mode command family; adds _cmd_mode_list, _cmd_mode_show, and _cmd_mode_emit handlers to display modes with thresholds, print individual mode details, and emit policies to stdout or file in JSON/YAML format; integrates new argument parser subcommand tree with mode → {list,show,emit} structure.
Test suite for modes and CLI tests/test_policy_modes.py	Tests mode registry ordering and invariants; validates get_mode() error messages and Mode field requirements; exercises policy dict, JSON, and YAML round-trips including indentation preservation and file-based loading; simulates missing yaml extra to verify ImportError; validates all CLI operations (list output, show thresholds, emit JSON/YAML with format/output flags, error handling for unknown modes).
Version bumps and release documentation src/vaara/__init__.py, pyproject.toml, clients/ts/package.json, server.json, server-vaara-server.json, plugins/claude-code-vaara-governance/.claude-plugin/plugin.json, .claude-plugin/marketplace.json, README.md, CHANGELOG.md	Core package and build metadata bumped from 0.40.3 to 0.40.4; TypeScript client, server configurations, and plugin manifests updated to match; README documents four modes with example CLI commands and round-trip parsing notes; CHANGELOG records new vaara mode CLI support, vaara.policy.modes module, and session_start audit/DB creation fix.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A rabbit hops through thresholds new,
Four modes to pick—which one for you?
Eco whispers, strict demands,
Policy presets made by hand. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.83% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the two main changes: policy mode presets and plugin shakedown fix delivery, with the version bump as context.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch release/v0.40.4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/vaara/cli.py (1)

1145-1154: ⚡ Quick win

Prefer the public API over private implementation details.

Line 1146 imports _BY_NAME, which is a private module variable (indicated by the leading underscore). Line 1149 accesses it directly. Use the public get_mode() function instead to respect encapsulation.

♻️ Refactor to use public API

 def _cmd_mode_list(_args: argparse.Namespace) -> int:
-    from vaara.policy.modes import _BY_NAME, available_modes
+    from vaara.policy.modes import available_modes, get_mode
 
     for name in available_modes():
-        m = _BY_NAME[name]
+        m = get_mode(name)
         print(
             f"{name:12s} escalate={m.escalate:.2f} deny={m.deny:.2f}  "
             f"{m.description}"
         )
     return 0

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/vaara/cli.py` around lines 1145 - 1154, The function _cmd_mode_list
currently imports and uses the private _BY_NAME mapping; change it to use the
public API by importing and calling get_mode(name) for each mode from
vaara.policy.modes instead of accessing _BY_NAME[name]; keep available_modes()
to iterate names and replace m = _BY_NAME[name] with m = get_mode(name) so you
respect encapsulation and avoid using the private symbol.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/vaara/cli.py`:
- Around line 1173-1188: In _cmd_mode_emit, the code writes to Path(args.output)
without expanding user home (~); update the write path to call expanduser on the
Path before writing (use Path(args.output).expanduser() when calling write_text)
so user-supplied paths like ~/output.json resolve consistently with other
commands (reference: function _cmd_mode_emit and the args.output usage).

---

Nitpick comments:
In `@src/vaara/cli.py`:
- Around line 1145-1154: The function _cmd_mode_list currently imports and uses
the private _BY_NAME mapping; change it to use the public API by importing and
calling get_mode(name) for each mode from vaara.policy.modes instead of
accessing _BY_NAME[name]; keep available_modes() to iterate names and replace m
= _BY_NAME[name] with m = get_mode(name) so you respect encapsulation and avoid
using the private symbol.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: bc0dc967-6840-489d-918a-c067fbd7a811

📥 Commits

Reviewing files that changed from the base of the PR and between 31d44ed and 194fb83.

📒 Files selected for processing (12)

• .claude-plugin/marketplace.json
• CHANGELOG.md
• README.md
• clients/ts/package.json
• plugins/claude-code-vaara-governance/.claude-plugin/plugin.json
• pyproject.toml
• server-vaara-server.json
• server.json
• src/vaara/__init__.py
• src/vaara/cli.py
• src/vaara/policy/modes.py
• tests/test_policy_modes.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add .expanduser() when writing to user-supplied paths.

Line 1185 writes to Path(args.output) without expanding tilde (~) in paths. Other file-writing commands in this module consistently use .expanduser() (e.g., lines 603, 696). Without this, paths like ~/output.json will not resolve correctly.

🔧 Proposed fix

     if args.output:
-        Path(args.output).write_text(text, encoding="utf-8")
+        Path(args.output).expanduser().write_text(text, encoding="utf-8")
     else:
         sys.stdout.write(text)
     return 0

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/vaara/cli.py` around lines 1173 - 1188, In _cmd_mode_emit, the code
writes to Path(args.output) without expanding user home (~); update the write
path to call expanduser on the Path before writing (use
Path(args.output).expanduser() when calling write_text) so user-supplied paths
like ~/output.json resolve consistently with other commands (reference: function
_cmd_mode_emit and the args.output usage).