@animus-labs/cortex 0.2.0

package/dist/tools/bash/interactive.js

@@ -0,0 +1,262 @@
+/**
+ * Interactive command detection for Bash.
+ *
+ * Catches commands that would block waiting for TTY input (editors,
+ * pagers, REPLs, interactive DB clients) and rejects them with a
+ * concrete non-interactive suggestion. Prevents the agent from burning
+ * its entire timeout budget on a hung `vim` or `psql` invocation.
+ *
+ * This is a UX gate, not a security gate: it sits at the end of the
+ * safety cascade after all security layers have passed. Security checks
+ * always come first.
+ *
+ * The module is pure — no I/O, no global state — so the rule set can be
+ * exhaustively unit-tested without a shell.
+ */
+import { splitOnShellOperators } from './safety.js';
+// ---------------------------------------------------------------------------
+// Rule groups
+// ---------------------------------------------------------------------------
+const EDITORS = ['vim', 'vi', 'nvim', 'emacs', 'emacsclient', 'nano', 'pico', 'ed', 'joe'];
+const MONITORS = ['top', 'htop', 'atop', 'btop', 'watch'];
+const PAGERS = ['less', 'more', 'most'];
+function alwaysInteractive(name, suggestion) {
+    return { name, check: () => suggestion };
+}
+const RULES = [
+    ...EDITORS.map((name) => alwaysInteractive(name, `${name} is a terminal editor and will block waiting for input. Use the Edit or Write tools to modify files instead.`)),
+    ...MONITORS.map((name) => alwaysInteractive(name, `${name} runs continuously and blocks the shell. Use a one-shot alternative (e.g. \`ps aux | head\`, \`uptime\`, \`df -h\`).`)),
+    // Pagers block even when piped — they paginate on keypress.
+    ...PAGERS.map((name) => alwaysInteractive(name, `${name} paginates and will block waiting for a keypress. Use \`cat\`, \`head\`, or \`tail\` instead.`)),
+    // Python: interactive unless given a script file or -c/-m.
+    ...['python', 'python2', 'python3'].map((name) => ({
+        name,
+        check: (args) => pythonCheck(name, args),
+    })),
+    { name: 'node', check: nodeCheck },
+    { name: 'ruby', check: rubyCheck },
+    alwaysInteractive('irb', 'irb opens an interactive Ruby shell. Use `ruby -e "..."` for one-off code.'),
+    { name: 'mongo', check: (args) => mongoCheck('mongo', args) },
+    { name: 'mongosh', check: (args) => mongoCheck('mongosh', args) },
+    { name: 'sqlite3', check: sqliteCheck },
+    { name: 'psql', check: psqlCheck },
+    { name: 'mysql', check: mysqlCheck },
+    { name: 'mariadb', check: mysqlCheck },
+];
+// Fast lookup by basename.
+const RULES_BY_NAME = new Map(RULES.map((r) => [r.name, r]));
+// ---------------------------------------------------------------------------
+// Public entry point
+// ---------------------------------------------------------------------------
+/**
+ * Check a full shell command for interactive invocations. Splits on
+ * shell operators (`;`, `&&`, `||`, `|`) and inspects each sub-command
+ * independently — `cat file | less` is rejected because the `less`
+ * sub-command is interactive, even though `cat` is not.
+ *
+ * Returns the first interactive sub-command's rejection; if all
+ * sub-commands are non-interactive, returns `{ allowed: true }`.
+ */
+export function checkInteractive(command) {
+    const subs = splitOnShellOperators(command);
+    for (const sub of subs) {
+        const tokens = tokenize(sub);
+        const program = findProgram(tokens);
+        if (!program)
+            continue;
+        const rule = RULES_BY_NAME.get(program.name);
+        if (!rule)
+            continue;
+        const suggestion = rule.check(program.args);
+        if (suggestion !== null) {
+            return {
+                allowed: false,
+                reason: `Interactive command detected. ${suggestion}`,
+            };
+        }
+    }
+    return { allowed: true };
+}
+// ---------------------------------------------------------------------------
+// Tokenization
+// ---------------------------------------------------------------------------
+/**
+ * Minimal shell-aware tokenizer: splits on unquoted whitespace, keeps
+ * single/double-quoted regions intact (quotes themselves are stripped),
+ * and honors backslash escapes. Sufficient for identifying the program
+ * token and distinguishing flags from positional args; not a complete
+ * POSIX shell parser.
+ */
+export function tokenize(command) {
+    const tokens = [];
+    let current = '';
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < command.length; i++) {
+        const ch = command[i];
+        if (!inSingle && ch === '\\' && i + 1 < command.length) {
+            current += command[i + 1];
+            i++;
+            continue;
+        }
+        if (!inDouble && ch === "'") {
+            inSingle = !inSingle;
+            continue;
+        }
+        if (!inSingle && ch === '"') {
+            inDouble = !inDouble;
+            continue;
+        }
+        if (!inSingle && !inDouble && /\s/u.test(ch)) {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = '';
+            }
+            continue;
+        }
+        current += ch;
+    }
+    if (current.length > 0)
+        tokens.push(current);
+    return tokens;
+}
+/**
+ * Find the effective program name and argument list, accounting for:
+ *   1. Leading `KEY=VALUE` env var prefixes (`FOO=bar vim file`)
+ *   2. The `env` wrapper (`env FOO=bar vim file` or `env -u BAR vim`)
+ *
+ * Returns the program's basename (last path segment) and the remaining
+ * arg tokens, or `null` if no program token is present.
+ */
+export function findProgram(tokens) {
+    let i = 0;
+    while (i < tokens.length && isEnvAssignment(tokens[i]))
+        i++;
+    if (i < tokens.length && tokens[i] === 'env') {
+        i++;
+        // `env`'s flags that take a subsequent argument. We need to skip
+        // both the flag and its value so a value that doesn't look like a
+        // flag (e.g. `env -u OLD vim`) isn't mistaken for the program.
+        const ARG_FLAGS_SHORT = new Set(['-u', '-C', '-S']);
+        const ARG_FLAGS_LONG = new Set(['--unset', '--chdir', '--split-string']);
+        while (i < tokens.length) {
+            const t = tokens[i];
+            if (isEnvAssignment(t)) {
+                i++;
+                continue;
+            }
+            if (!t.startsWith('-'))
+                break;
+            if (ARG_FLAGS_SHORT.has(t) || ARG_FLAGS_LONG.has(t)) {
+                i += 2; // consume flag + value
+                continue;
+            }
+            // --long=value form or flags with no arg (-i, -0, --verbose, etc.)
+            i++;
+        }
+    }
+    if (i >= tokens.length)
+        return null;
+    const prog = tokens[i];
+    const basename = prog.split('/').pop() ?? prog;
+    return { name: basename, args: tokens.slice(i + 1) };
+}
+function isEnvAssignment(token) {
+    return /^[A-Za-z_][A-Za-z0-9_]*=/u.test(token);
+}
+// ---------------------------------------------------------------------------
+// Per-program predicates
+// ---------------------------------------------------------------------------
+function pythonCheck(name, args) {
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        // -c / -m consume the next arg but the presence alone is enough.
+        if (arg === '-c' || arg === '-m')
+            return null;
+        if (arg === '-V' || arg === '--version')
+            return null;
+        if (arg === '-h' || arg === '--help')
+            return null;
+        // Script file.
+        if (/\.py[ocw]?$/u.test(arg) && !arg.startsWith('-'))
+            return null;
+        // Any positional arg is treated as a script (matches how Python's argv
+        // parser works).
+        if (!arg.startsWith('-'))
+            return null;
+    }
+    return `${name} without a script or \`-c\`/\`-m\` starts an interactive REPL and will block. Provide a script file or use \`${name} -c "..."\`.`;
+}
+function nodeCheck(args) {
+    for (const arg of args) {
+        if (arg === '-e' ||
+            arg === '--eval' ||
+            arg === '-p' ||
+            arg === '--print' ||
+            arg === '-v' ||
+            arg === '--version' ||
+            arg === '-h' ||
+            arg === '--help') {
+            return null;
+        }
+        if (!arg.startsWith('-'))
+            return null; // script file or --file
+    }
+    return 'node without a script or `-e` starts an interactive REPL and will block. Provide a script file or use `node -e "..."`.';
+}
+function rubyCheck(args) {
+    for (const arg of args) {
+        if (arg === '-e' || arg === '-v' || arg === '--version' || arg === '-h' || arg === '--help') {
+            return null;
+        }
+        if (!arg.startsWith('-'))
+            return null;
+    }
+    return 'ruby without a script or `-e` reads from stdin and will block. Provide a `.rb` file or use `ruby -e "..."`.';
+}
+function mongoCheck(name, args) {
+    if (args.includes('--eval') || args.includes('-e') || args.includes('--version') || args.includes('--help')) {
+        return null;
+    }
+    // Executing a script file is also non-interactive.
+    if (args.some((a) => /\.js$/u.test(a) && !a.startsWith('-')))
+        return null;
+    return `${name} without \`--eval\` or a script file opens an interactive shell. Use \`${name} --eval "..."\`.`;
+}
+function sqliteCheck(args) {
+    if (args.includes('-cmd') || args.includes('-batch') || args.includes('-version') || args.includes('--help')) {
+        return null;
+    }
+    // sqlite3 <db> "<sql>" — two or more non-flag args means the second is a query.
+    const nonFlag = args.filter((a) => !a.startsWith('-'));
+    if (nonFlag.length >= 2)
+        return null;
+    return 'sqlite3 without a SQL argument opens an interactive prompt. Use `sqlite3 <db> "<sql>"` or pass `-cmd "..."`.';
+}
+function psqlCheck(args) {
+    // -c / --command: inline SQL. -f / --file: script file. -l / --list: list DBs.
+    // --version / -V: version. All are single-shot, non-interactive.
+    // NOTE: -h means "host" in psql, NOT help. We do not treat it as safe.
+    const safeFlags = new Set([
+        '-c', '--command', '-f', '--file', '-l', '--list', '--version', '-V', '--help',
+    ]);
+    for (const arg of args) {
+        if (safeFlags.has(arg))
+            return null;
+        // Flags written as --command=VALUE.
+        if (arg.startsWith('--command=') || arg.startsWith('--file='))
+            return null;
+    }
+    return 'psql without `-c` or `-f` opens an interactive prompt. Use `psql -c "SELECT ..."` or `psql -f script.sql`.';
+}
+function mysqlCheck(args) {
+    const safeFlags = new Set(['-e', '--execute', '--version', '-V', '--help', '-?']);
+    for (const arg of args) {
+        if (safeFlags.has(arg))
+            return null;
+        if (arg.startsWith('--execute='))
+            return null;
+    }
+    return 'mysql without `-e` opens an interactive prompt. Use `mysql -e "SELECT ..."`.';
+}
+//# sourceMappingURL=interactive.js.map

package/dist/tools/bash/interactive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interactive.js","sourceRoot":"","sources":["../../../src/tools/bash/interactive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,qBAAqB,EAA0B,MAAM,aAAa,CAAC;AAkB5E,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,OAAO,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;AAC3F,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC1D,MAAM,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAExC,SAAS,iBAAiB,CAAC,IAAY,EAAE,UAAkB;IACzD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,KAAK,GAAsB;IAC/B,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACtB,iBAAiB,CACf,IAAI,EACJ,GAAG,IAAI,8GAA8G,CACtH,CACF;IACD,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACvB,iBAAiB,CACf,IAAI,EACJ,GAAG,IAAI,sHAAsH,CAC9H,CACF;IACD,4DAA4D;IAC5D,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACrB,iBAAiB,CACf,IAAI,EACJ,GAAG,IAAI,+FAA+F,CACvG,CACF;IACD,2DAA2D;IAC3D,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAmB,EAAE,CAAC,CAAC;QAClE,IAAI;QACJ,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC;KACzC,CAAC,CAAC;IACH,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;IAClC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;IAClC,iBAAiB,CACf,KAAK,EACL,4EAA4E,CAC7E;IACD,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE;IAC7D,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE;IACjE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;IACvC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE;IAClC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE;IACpC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE;CACvC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAE7D,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,MAAM,IAAI,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,iCAAiC,UAAU,EAAE;aACtD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAe;IACtC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QACvB,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YACvD,OAAO,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;YAC3B,CAAC,EAAE,CAAC;YACJ,SAAS;QACX,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,GAAG,CAAC,QAAQ,CAAC;YACrB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAC5B,QAAQ,GAAG,CAAC,QAAQ,CAAC;YACrB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAC7C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,EAAE,CAAC;YACf,CAAC;YACD,SAAS;QACX,CAAC;QACD,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CACzB,MAAgB;IAEhB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,CAAE,CAAC;QAAE,CAAC,EAAE,CAAC;IAE7D,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QAC7C,CAAC,EAAE,CAAC;QACJ,iEAAiE;QACjE,kEAAkE;QAClE,+DAA+D;QAC/D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QACpD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YACzB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;YACrB,IAAI,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvB,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,MAAM;YAC9B,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpD,CAAC,IAAI,CAAC,CAAC,CAAC,uBAAuB;gBAC/B,SAAS;YACX,CAAC;YACD,mEAAmE;YACnE,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;IAC/C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,2BAA2B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACjD,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,IAAY,EAAE,IAAc;IAC/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,iEAAiE;QACjE,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC9C,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QACrD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAClD,eAAe;QACf,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAClE,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,IAAI,gHAAgH,IAAI,cAAc,CAAC;AACnJ,CAAC;AAED,SAAS,SAAS,CAAC,IAAc;IAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IACE,GAAG,KAAK,IAAI;YACZ,GAAG,KAAK,QAAQ;YAChB,GAAG,KAAK,IAAI;YACZ,GAAG,KAAK,SAAS;YACjB,GAAG,KAAK,IAAI;YACZ,GAAG,KAAK,WAAW;YACnB,GAAG,KAAK,IAAI;YACZ,GAAG,KAAK,QAAQ,EAChB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,wBAAwB;IACjE,CAAC;IACD,OAAO,wHAAwH,CAAC;AAClI,CAAC;AAED,SAAS,SAAS,CAAC,IAAc;IAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5F,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACxC,CAAC;IACD,OAAO,6GAA6G,CAAC;AACvH,CAAC;AAED,SAAS,UAAU,CAAC,IAAY,EAAE,IAAc;IAC9C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5G,OAAO,IAAI,CAAC;IACd,CAAC;IACD,mDAAmD;IACnD,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1E,OAAO,GAAG,IAAI,0EAA0E,IAAI,kBAAkB,CAAC;AACjH,CAAC;AAED,SAAS,WAAW,CAAC,IAAc;IACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7G,OAAO,IAAI,CAAC;IACd,CAAC;IACD,gFAAgF;IAChF,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,8GAA8G,CAAC;AACxH,CAAC;AAED,SAAS,SAAS,CAAC,IAAc;IAC/B,+EAA+E;IAC/E,iEAAiE;IACjE,uEAAuE;IACvE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;QACxB,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ;KAC/E,CAAC,CAAC;IACH,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,oCAAoC;QACpC,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7E,CAAC;IACD,OAAO,4GAA4G,CAAC;AACtH,CAAC;AAED,SAAS,UAAU,CAAC,IAAc;IAChC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;IAClF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,OAAO,IAAI,CAAC;IAChD,CAAC;IACD,OAAO,8EAA8E,CAAC;AACxF,CAAC"}

package/dist/tools/bash/safety.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Bash tool safety layers.
+ *
+ * Seven layers of defense-in-depth for shell command execution, plus a
+ * final UX gate:
+ * 1. Environment variable stripping
+ * 2. Critical path protection
+ * 3. Command classification
+ * 4. Path validation for write commands
+ * 5. Obfuscation and injection detection
+ * 6. Script preflight
+ * 6.5. Interactive command detection (UX gate — prevents silent timeouts
+ *      on editors, pagers, REPLs, and interactive DB clients)
+ * 7. Auto-mode classifier (utility model LLM call)
+ *
+ * Reference: docs/cortex/tools/bash.md (Safety Architecture)
+ */
+export type CommandClassification = 'read' | 'write' | 'create' | 'network' | 'safe-stdin' | 'unknown';
+export interface SafetyCheckResult {
+    allowed: boolean;
+    reason?: string | undefined;
+    classification?: CommandClassification | undefined;
+}
+/**
+ * Build a safe environment for child processes by stripping dangerous variables.
+ * Adds CORTEX_SHELL=exec as a context marker.
+ *
+ * Delegates to the shared buildSafeEnv utility so that both the Bash tool
+ * and the MCP client use the same blocklist.
+ *
+ * @param parentEnv - The source environment (typically process.env)
+ * @param overrides - Optional env var overrides that bypass the blocklist
+ */
+export declare function buildSafeEnv(parentEnv: NodeJS.ProcessEnv, overrides?: Record<string, string>): Record<string, string>;
+/**
+ * Check if a target path resolves to a critical system directory.
+ */
+export declare function isCriticalPath(targetPath: string): boolean;
+/**
+ * Split a command string on shell operators (; && || |) while respecting
+ * quoted strings. Returns the individual sub-commands.
+ */
+export declare function splitOnShellOperators(command: string): string[];
+/**
+ * Classify a command (potentially compound) by its potential impact.
+ * For compound commands, returns the highest-risk classification
+ * among all sub-commands.
+ */
+export declare function classifyCommand(command: string): CommandClassification;
+/**
+ * Extract target paths from write/create commands.
+ * Returns the paths that would be modified by the command.
+ * Handles compound commands by extracting paths from all sub-commands.
+ */
+export declare function extractWritePaths(command: string): string[];
+/**
+ * Validate that write paths are within the allowed working directory.
+ */
+export declare function validateWritePaths(command: string, workingDirectory: string, currentCwd: string): SafetyCheckResult;
+/**
+ * Strip invisible Unicode characters that could be used for obfuscation.
+ */
+export declare function stripInvisibleChars(command: string): string;
+/**
+ * Per-character quote context. Describes the quoting state at a given position.
+ */
+export type QuoteContext = 'none' | 'single' | 'double' | 'backtick' | 'escaped';
+/**
+ * Analyze the quoting context of each character in a shell command.
+ * Returns an array of QuoteContext values, one per character, indicating
+ * whether that position is inside single quotes, double quotes, backticks,
+ * escaped, or unquoted. Handles nested escapes correctly (e.g., `\"` inside
+ * double quotes keeps the next character as "double", not "escaped").
+ */
+export declare function analyzeQuoteState(command: string): QuoteContext[];
+/**
+ * Detect IFS variable manipulation in unquoted context.
+ * `IFS=` inside quotes is harmless (just a string literal).
+ * Unquoted `IFS=` is a shell variable assignment that can enable attacks.
+ */
+export declare function checkIfsInjection(command: string, states: QuoteContext[]): SafetyCheckResult;
+/**
+ * Detect access to sensitive /proc and /sys paths in unquoted context.
+ * Quoted references (e.g., `echo "/proc/self/environ"`) are harmless string
+ * literals. Unquoted references indicate actual filesystem access attempts.
+ */
+export declare function checkProcSysAccess(command: string, states: QuoteContext[]): SafetyCheckResult;
+/**
+ * Detect jq command abuse: system() calls, @sh filter for shell injection,
+ * and -n with module imports that could load malicious jq modules.
+ */
+export declare function checkJqAbuse(command: string): SafetyCheckResult;
+/**
+ * Detect ANSI-C quoting ($'...') with hex or octal escape sequences that
+ * encode potentially dangerous content. Simple escapes like $'\n' and $'\t'
+ * are legitimate and allowed.
+ */
+export declare function checkAnsiCQuoting(command: string): SafetyCheckResult;
+/**
+ * Detect heredoc patterns and validate their content. Unquoted heredoc
+ * delimiters (<<EOF) allow variable expansion and command substitution in
+ * the body, which can be used for injection. Quoted delimiters (<<'EOF')
+ * are treated as literal text and are safe.
+ */
+export declare function checkHeredocInjection(command: string): SafetyCheckResult;
+/**
+ * Detect brace expansion patterns ({a,b} or {1..N}) in unquoted context
+ * that target suspicious paths or combine with dangerous commands.
+ */
+export declare function checkBraceExpansion(command: string, states: QuoteContext[]): SafetyCheckResult;
+/**
+ * Detect escape chains and printf hex/octal patterns that can hide dangerous
+ * commands from string-level pattern matching.
+ */
+export declare function checkEnhancedEscapes(command: string, states: QuoteContext[]): SafetyCheckResult;
+/**
+ * Check a command for obfuscation and injection patterns.
+ */
+export declare function checkObfuscation(command: string): SafetyCheckResult;
+/**
+ * Check if a command is running a script file, and if so,
+ * scan the script for shell syntax bleed.
+ */
+export declare function checkScriptPreflight(command: string, cwd: string): Promise<SafetyCheckResult>;
+/**
+ * Auto-mode classifier that uses the utility model to classify whether
+ * a command should be blocked in autonomous mode.
+ *
+ * The full implementation will:
+ * 1. Fast check (256 max tokens): quick classification
+ * 2. Full analysis (4096 max tokens): if fast check is uncertain
+ *
+ * Fail-safe behavior: when auto-approve mode is active (isAutoApprove=true)
+ * but no classifier function is available, this layer BLOCKS the command.
+ * When auto-approve is not active, the consumer's permission resolver
+ * (beforeToolCall) has already approved, so this layer passes through.
+ */
+export declare function checkAutoModeClassifier(_command: string, _description: string | undefined, _utilityComplete?: ((context: unknown) => Promise<unknown>) | undefined, isAutoApprove?: boolean): Promise<SafetyCheckResult>;
+/**
+ * Run all safety layers on a command.
+ * Returns the first failure or { allowed: true } if all pass.
+ */
+export declare function runSafetyChecks(command: string, workingDirectory: string, currentCwd: string, options?: {
+    utilityComplete?: ((context: unknown) => Promise<unknown>) | undefined;
+    description?: string | undefined;
+    /** Whether the consumer is in auto-approve mode. When true and no classifier is available, Layer 7 blocks. */
+    isAutoApprove?: boolean | undefined;
+}): Promise<SafetyCheckResult>;
+//# sourceMappingURL=safety.d.ts.map

package/dist/tools/bash/safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../../../src/tools/bash/safety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAWH,MAAM,MAAM,qBAAqB,GAC7B,MAAM,GACN,OAAO,GACP,QAAQ,GACR,SAAS,GACT,YAAY,GACZ,SAAS,CAAC;AAEd,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC5B,cAAc,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAC;CACpD;AAMD;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAC1B,SAAS,EAAE,MAAM,CAAC,UAAU,EAC5B,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACjC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAExB;AA8BD;;GAEG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CA2B1D;AAiED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAiE/D;AA6FD;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,qBAAqB,CAStE;AA8BD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAO3D;AAeD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,GACjB,iBAAiB,CAuBnB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAM3D;AA8HD;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;AAEjF;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,EAAE,CA8FjE;AAmBD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,iBAAiB,CAS5F;AA6BD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,iBAAiB,CAW7F;AAMD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAgC/D;AAMD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAuBpE;AAMD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CA+CxE;AAMD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,iBAAiB,CA+C9F;AAMD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,iBAAiB,CA0C/F;AAMD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAyFnE;AAMD;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAkDnG;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,gBAAgB,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,SAAS,EACvE,aAAa,CAAC,EAAE,OAAO,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAuB5B;AAMD;;;GAGG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IACR,eAAe,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC;IACvE,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC,8GAA8G;IAC9G,aAAa,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CACrC,GACA,OAAO,CAAC,iBAAiB,CAAC,CAsD5B"}