@aliou/pi-guardrails 0.11.2 → 0.12.1

package/src/shared/matching.test.ts

@@ -0,0 +1,86 @@
+import { describe, expect, it } from "vitest";
+import {
+  compileCommandPattern,
+  compileFilePattern,
+  normalizeFilePath,
+} from "./matching";
+import { drainPendingWarnings } from "./warnings";
+
+describe("normalizeFilePath", () => {
+  it.each([
+    ["./src//file.ts", "src/file.ts"],
+    ["src\\file.ts", "src/file.ts"],
+    ["./foo\\bar//baz", "foo/bar/baz"],
+  ])("normalizes %s", (input, expected) => {
+    expect(normalizeFilePath(input)).toBe(expected);
+  });
+});
+
+describe("compileFilePattern", () => {
+  it("matches basename when the pattern has no slash", () => {
+    const pattern = compileFilePattern({ pattern: ".env" });
+
+    expect(pattern.test(".env")).toBe(true);
+    expect(pattern.test("config/.env")).toBe(true);
+    expect(pattern.test("config/.env.local")).toBe(false);
+  });
+
+  it("matches full normalized paths when the pattern has a slash", () => {
+    const pattern = compileFilePattern({ pattern: "config/*.env" });
+
+    expect(pattern.test("config/app.env")).toBe(true);
+    expect(pattern.test("./config//app.env")).toBe(true);
+    expect(pattern.test("nested/config/app.env")).toBe(false);
+  });
+
+  it("uses case-insensitive regex matching for file patterns", () => {
+    const pattern = compileFilePattern({
+      pattern: "SECRET\\.TXT$",
+      regex: true,
+    });
+
+    expect(pattern.test("docs/secret.txt")).toBe(true);
+    expect(pattern.test("docs/public.txt")).toBe(false);
+  });
+
+  it("records a warning and returns a non-matching pattern for invalid regex", () => {
+    drainPendingWarnings();
+
+    const pattern = compileFilePattern({ pattern: "[", regex: true });
+
+    expect(pattern.test("anything")).toBe(false);
+    expect(drainPendingWarnings()).toEqual([
+      "Invalid regex in guardrails config: [",
+    ]);
+  });
+});
+
+describe("compileCommandPattern", () => {
+  it("uses substring matching by default", () => {
+    const pattern = compileCommandPattern({ pattern: "deploy production" });
+
+    expect(pattern.test("please deploy production now")).toBe(true);
+    expect(pattern.test("deploy staging")).toBe(false);
+  });
+
+  it("uses regex matching when requested", () => {
+    const pattern = compileCommandPattern({
+      pattern: "terraform\\s+apply",
+      regex: true,
+    });
+
+    expect(pattern.test("terraform apply -auto-approve")).toBe(true);
+    expect(pattern.test("terraform plan")).toBe(false);
+  });
+
+  it("records a warning and returns a non-matching pattern for invalid regex", () => {
+    drainPendingWarnings();
+
+    const pattern = compileCommandPattern({ pattern: "[", regex: true });
+
+    expect(pattern.test("anything")).toBe(false);
+    expect(drainPendingWarnings()).toEqual([
+      "Invalid regex in guardrails config: [",
+    ]);
+  });
+});

package/src/{utils → shared}/matching.ts

@@ -9,8 +9,8 @@
  */
 
 import { matchesGlob } from "node:path";
-import type { PatternConfig } from "../config";
-import { pendingWarnings } from "./warnings";
+import type { PatternConfig } from "./config";
+import { addPendingWarning } from "./warnings";
 
 export interface CompiledPattern {
   test: (input: string) => boolean;
@@ -47,7 +47,7 @@ export function compileFilePattern(config: PatternConfig): CompiledPattern {
         source: config,
       };
     } catch {
-      pendingWarnings.push(
+      addPendingWarning(
         `Invalid regex in guardrails config: ${config.pattern}`,
       );
       return { test: () => false, source: config };
@@ -80,7 +80,7 @@ export function compileCommandPattern(config: PatternConfig): CompiledPattern {
       const re = new RegExp(config.pattern);
       return { test: (input) => re.test(input), source: config };
     } catch {
-      pendingWarnings.push(
+      addPendingWarning(
         `Invalid regex in guardrails config: ${config.pattern}`,
       );
       return { test: () => false, source: config };

package/src/{utils → shared/paths}/bash-paths.test.ts

@@ -6,6 +6,27 @@ const CWD = "/work/project";
 const HOME = homedir();
 
 describe("extractBashPathCandidates", () => {
+  it("does not extract go package wildcard patterns as paths", async () => {
+    const result = await extractBashPathCandidates("go test ./...", CWD);
+
+    expect(result).toEqual([]);
+  });
+
+  it("extracts go run .go file operands", async () => {
+    const result = await extractBashPathCandidates("go run main.go", CWD);
+
+    expect(result).toEqual(["/work/project/main.go"]);
+  });
+
+  it("handles go -C global flag", async () => {
+    const result = await extractBashPathCandidates(
+      "go -C /tmp test ./...",
+      CWD,
+    );
+
+    expect(result).toEqual([]);
+  });
+
   describe("when a command has regular expression arguments", () => {
     it("ignores sed expressions and extracts file operands", async () => {
       const result = await extractBashPathCandidates(
@@ -84,8 +105,8 @@ describe("extractBashPathCandidates", () => {
 
     it("detects Windows-style paths", async () => {
       const result = await extractBashPathCandidates("type C:\\foo\\bar", CWD);
-      expect(result.length).toBeGreaterThan(0);
-      // On POSIX, resolve() treats backslash path as a single component under cwd
+
+      expect(result).toHaveLength(1);
       expect(result[0]).toContain("C:\\foo\\bar");
     });
   });
@@ -102,6 +123,15 @@ describe("extractBashPathCandidates", () => {
         await extractBashPathCandidates("echo foo > /tmp/out", CWD),
       ).toEqual(["/tmp/out"]);
     });
+
+    it("extracts paths from multiple commands and redirects", async () => {
+      expect(
+        await extractBashPathCandidates(
+          "cat ./input && grep needle /tmp/log > ./out",
+          CWD,
+        ),
+      ).toEqual(["/work/project/input", "/tmp/log", "/work/project/out"]);
+    });
   });
 
   describe("when command has no path-like tokens", () => {

package/src/{utils → shared/paths}/bash-paths.ts

@@ -1,9 +1,9 @@
 import { resolve } from "node:path";
 import { parse } from "@aliou/sh";
-import { classifyCommandArgs } from "./command-args";
-import { expandGlob, hasGlobChars } from "./glob-expander";
-import { expandHomePath, maybePathLike } from "./path";
-import { walkCommands, wordToString } from "./shell-utils";
+import { expandHomePath, maybePathLike } from "../../core/paths/path";
+import { walkCommands, wordToString } from "../../core/shell/ast";
+import { classifyCommandArgs } from "../../core/shell/command-args";
+import { expandGlob, hasGlobChars } from "../glob";
 
 async function expandCandidate(
   candidate: string,

package/src/shared/paths/index.ts

@@ -0,0 +1 @@
+export { extractBashPathCandidates } from "./bash-paths";

package/src/shared/warnings.ts

@@ -0,0 +1,17 @@
+/**
+ * Module-level warnings queue for messages that arise before any session
+ * context is available (config loading, migration, pattern compilation).
+ */
+const pendingWarnings: string[] = [];
+
+export function addPendingWarning(message: string): void {
+  pendingWarnings.push(message);
+}
+
+export function getPendingWarnings(): readonly string[] {
+  return pendingWarnings;
+}
+
+export function drainPendingWarnings(): string[] {
+  return pendingWarnings.splice(0);
+}

package/docs/defaults.md

@@ -1,140 +0,0 @@
-# Default Configuration
-
-These are the built-in defaults that ship with guardrails. Rules marked as disabled are included but inactive by default — enable them in your config or via `/guardrails:settings`.
-
-Source: [`src/config.ts`](../src/config.ts)
-
-
-Home-directory defaults use `~` in patterns. During policy evaluation, guardrails expands `~` to the current user's home directory before checking whether a file exists or should be blocked.
-## Default Policy Rules
-
-### `secret-files` — Files containing secrets
-
-Blocks access to dotenv files and similar secret-bearing files.
-
-| Protection | Only if exists |
-|------------|---------------|
-| `noAccess` | yes           |
-
-**Patterns:**
-
-| Pattern            | Type |
-|--------------------|------|
-| `.env`             | glob |
-| `.env.local`       | glob |
-| `.env.production`  | glob |
-| `.env.prod`        | glob |
-| `.dev.vars`        | glob |
-
-**Allowed exceptions:**
-
-| Pattern            | Type |
-|--------------------|------|
-| `*.example.env`    | glob |
-| `*.sample.env`     | glob |
-| `*.test.env`       | glob |
-| `.env.example`     | glob |
-| `.env.sample`      | glob |
-| `.env.test`        | glob |
-
----
-
-### `home-ssh` — SSH directory and keys
-
-Blocks access to SSH configuration, private keys, and related files. Disabled by default.
-
-| Protection | Only if exists | Enabled by default |
-|------------|---------------|-------------------|
-| `noAccess` | yes           | no                |
-
-**Patterns:**
-
-| Pattern               | Type |
-|-----------------------|------|
-| `~/.ssh/**`          | glob |
-| `~/.ssh/*_rsa`       | glob |
-| `~/.ssh/*_ed25519`   | glob |
-| `~/.ssh/*.pem`       | glob |
-
-**Allowed exceptions:**
-
-| Pattern  | Type |
-|----------|------|
-| `~/.ssh/*.pub` | glob |
-
----
-
-### `home-config` — Sensitive user configuration directories
-
-Blocks access to a small set of known sensitive config directories that commonly store credentials, tokens, or encrypted material. Disabled by default — enable it if these tools are installed and you want to protect them.
-
-| Protection | Only if exists | Enabled by default |
-|------------|---------------|-------------------|
-| `noAccess` | yes           | no                |
-
-**Patterns:**
-
-| Pattern               | Type |
-|-----------------------|------|
-| `~/.config/gh/**`     | glob |
-| `~/.config/gcloud/**` | glob |
-| `~/.config/op/**`     | glob |
-| `~/.config/sops/**`   | glob |
-
----
-
-### `home-gpg` — GPG keys and configuration
-
-Blocks access to GPG/GnuPG private keys, keyrings, and configuration. Disabled by default.
-
-| Protection | Only if exists | Enabled by default |
-|------------|---------------|-------------------|
-| `noAccess` | yes           | no                |
-
-**Patterns:**
-
-| Pattern            | Type |
-|--------------------|------|
-| `~/.gnupg/**`       | glob |
-| `~/*.gpg`           | glob |
-| `~/.gpg-agent.conf` | glob |
-
----
-
-## Path Access
-
-| Setting | Default |
-|---|---|
-| `features.pathAccess` | `false` |
-| `pathAccess.mode` | `"ask"` |
-| `pathAccess.allowedPaths` | `[]` |
-
-Modes:
-- `allow` — no path restrictions
-- `ask` — prompt when accessing paths outside working directory
-- `block` — deny all access outside working directory
-
-Allowed paths use trailing-slash convention:
-- `/path/to/file` — exact file match
-- `/path/to/dir/` — directory and all descendants
-- Supports `~/` for home directory
-
-Limitations:
-- Bash path extraction is best-effort (AST-based heuristics). Tokens like `application/json` may trigger false-positive prompts.
-- Symlinks are not resolved. Lexical path comparison only.
-- In non-interactive mode (--print), `ask` mode degrades to `block`.
-
----
-
-## Default Permission Gate Patterns
-
-These commands are detected using AST-based structural matching for accuracy.
-
-| Pattern         | Description                    |
-|-----------------|--------------------------------|
-| `rm -rf`        | Recursive force delete         |
-| `sudo`          | Superuser command              |
-| `dd of=`        | Disk write operation           |
-| `mkfs.`         | Filesystem format              |
-| `chmod -R 777`  | Insecure recursive permissions |
-| `chown -R`      | Recursive ownership change     |

package/docs/examples.md

@@ -1,170 +0,0 @@
-# Example Presets
-
-Pre-configured presets available in the `/guardrails:settings` Examples tab. These can be applied to any config scope (global, local, or memory).
-
-Source: [`src/commands/settings-command.ts`](../src/commands/settings-command.ts)
-
-## File Policy Presets
-
-### Secrets (.env)
-
-Block dotenv-like files using glob patterns.
-
-| Field      | Value                              |
-|------------|------------------------------------|
-| ID         | `example-secret-env-files`         |
-| Protection | `noAccess`                         |
-| Patterns   | `.env`, `.env.*`                   |
-| Exceptions | `.env.example`, `*.sample.env`     |
-
----
-
-### Logs (*.log)
-
-Mark log files as read-only to prevent accidental modification.
-
-| Field      | Value                     |
-|------------|---------------------------|
-| ID         | `example-log-files`       |
-| Protection | `readOnly`                |
-| Patterns   | `*.log`, `*.out`          |
-
----
-
-### Regex env
-
-Regex-based matching for `.env` and `.env.*` files. Demonstrates regex mode.
-
-| Field      | Value                                    |
-|------------|------------------------------------------|
-| ID         | `example-regex-env`                      |
-| Protection | `noAccess`                               |
-| Patterns   | `^\.env(\..+)?$` (regex)                 |
-| Exceptions | `^\.env\.example$` (regex)               |
-
----
-
-### SSH keys
-
-Block access to SSH private key files.
-
-| Field      | Value                                |
-|------------|--------------------------------------|
-| ID         | `example-ssh-keys`                   |
-| Protection | `noAccess`                           |
-| Patterns   | `*.pem`, `*_rsa`, `*_ed25519`       |
-| Exceptions | `*.pub`                              |
-
----
-
-### AWS credentials
-
-Block AWS CLI credentials and config files.
-
-| Field      | Value                                  |
-|------------|----------------------------------------|
-| ID         | `example-aws-credentials`              |
-| Protection | `noAccess`                             |
-| Patterns   | `.aws/credentials`, `.aws/config`      |
-
----
-
-### Database files
-
-Mark SQLite and database files as read-only.
-
-| Field      | Value                                  |
-|------------|----------------------------------------|
-| ID         | `example-database-files`               |
-| Protection | `readOnly`                             |
-| Patterns   | `*.db`, `*.sqlite`, `*.sqlite3`        |
-
----
-
-### Kubernetes secrets
-
-Block kubeconfig and Kubernetes secret files.
-
-| Field      | Value                                  |
-|------------|----------------------------------------|
-| ID         | `example-k8s-secrets`                  |
-| Protection | `noAccess`                             |
-| Patterns   | `.kube/config`, `*kubeconfig*`         |
-
----
-
-### Certificates
-
-Block SSL/TLS certificate and key files.
-
-| Field      | Value                                  |
-|------------|----------------------------------------|
-| ID         | `example-certificates`                 |
-| Protection | `noAccess`                             |
-| Patterns   | `*.crt`, `*.key`, `*.p12`              |
-| Exceptions | `*.csr`                                |
-
----
-
-## Dangerous Command Presets
-
-### General
-
-| Label              | Pattern              | Description                            |
-|--------------------|----------------------|----------------------------------------|
-| Homebrew           | `brew`               | Homebrew package manager               |
-| git push --force   | `git push --force`   | Git force push                         |
-| npm publish        | `npm publish`        | NPM package publishing                 |
-| yarn publish       | `yarn publish`       | Yarn package publishing                |
-| pnpm publish       | `pnpm publish`       | PNPM package publishing                |
-| drop database      | `DROP DATABASE`      | SQL database drop                      |
-| drop table         | `DROP TABLE`         | SQL table drop                         |
-
-### dbt
-
-| Label    | Pattern    | Description            |
-|----------|------------|------------------------|
-| dbt run  | `dbt run`  | dbt model execution    |
-| dbt seed | `dbt seed` | dbt seed data loading  |
-
-### AWS
-
-| Label                | Pattern                        | Description                  |
-|----------------------|--------------------------------|------------------------------|
-| aws s3 rm            | `aws s3 rm`                    | AWS S3 object deletion       |
-| aws iam              | `aws iam`                      | AWS IAM permission changes   |
-| aws ec2 terminate    | `aws ec2 terminate-instances`  | AWS EC2 instance termination |
-
-### Kubernetes
-
-| Label          | Pattern          | Description                    |
-|----------------|------------------|--------------------------------|
-| kubectl delete | `kubectl delete` | Kubernetes resource deletion   |
-| kubectl apply  | `kubectl apply`  | Kubernetes resource application|
-| kubectl scale  | `kubectl scale`  | Kubernetes scaling operation   |
-
-### Docker
-
-| Label                | Pattern                | Description                              |
-|----------------------|------------------------|------------------------------------------|
-| Docker secrets       | `docker inspect`       | Docker inspect (may expose env vars)     |
-| docker rm            | `docker rm`            | Docker container removal                 |
-| docker rmi           | `docker rmi`           | Docker image removal                     |
-| docker system prune  | `docker system prune`  | Docker system cleanup                    |
-| docker compose down  | `docker compose down`  | Docker Compose service teardown          |
-
-### Terraform
-
-| Label              | Pattern              | Description                        |
-|--------------------|----------------------|------------------------------------|
-| Terraform apply    | `terraform apply`    | Terraform infrastructure changes   |
-| Terraform destroy  | `terraform destroy`  | Terraform infrastructure destruction|
-| terraform import   | `terraform import`   | Terraform resource import          |
-
-### Google Cloud
-
-| Label                  | Pattern                            | Description                      |
-|------------------------|------------------------------------|----------------------------------|
-| gcloud compute delete  | `gcloud compute instances delete`  | GCP compute instance deletion    |
-| gcloud iam             | `gcloud iam`                       | GCP IAM permission changes       |
-| gcloud sql delete      | `gcloud sql instances delete`      | GCP Cloud SQL instance deletion  |