npm - @cybedefend/vibedefend - Versions diffs - 1.1.1 - Mend

@cybedefend/vibedefend 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/LICENSE +77 -0
package/README.md +120 -0
package/bin/vibedefend.js +19 -0
package/dist/auth/auth-store.js +170 -0
package/dist/auth/auth-store.js.map +1 -0
package/dist/auth/auth.js +125 -0
package/dist/auth/auth.js.map +1 -0
package/dist/auth/callback-server.js +216 -0
package/dist/auth/callback-server.js.map +1 -0
package/dist/auth/pkce.js +31 -0
package/dist/auth/pkce.js.map +1 -0
package/dist/auth/token-exchange.js +83 -0
package/dist/auth/token-exchange.js.map +1 -0
package/dist/clients/claude-code.js +170 -0
package/dist/clients/claude-code.js.map +1 -0
package/dist/clients/codex.js +378 -0
package/dist/clients/codex.js.map +1 -0
package/dist/clients/cursor-guards-rules.js +94 -0
package/dist/clients/cursor-guards-rules.js.map +1 -0
package/dist/clients/cursor.js +172 -0
package/dist/clients/cursor.js.map +1 -0
package/dist/clients/detect.js +86 -0
package/dist/clients/detect.js.map +1 -0
package/dist/clients/registry.js +41 -0
package/dist/clients/registry.js.map +1 -0
package/dist/clients/types.js +2 -0
package/dist/clients/types.js.map +1 -0
package/dist/clients/vscode.js +187 -0
package/dist/clients/vscode.js.map +1 -0
package/dist/clients/windsurf.js +151 -0
package/dist/clients/windsurf.js.map +1 -0
package/dist/config.js +32 -0
package/dist/config.js.map +1 -0
package/dist/custom-regions.js +112 -0
package/dist/custom-regions.js.map +1 -0
package/dist/diagnostics.js +122 -0
package/dist/diagnostics.js.map +1 -0
package/dist/doctor.js +125 -0
package/dist/doctor.js.map +1 -0
package/dist/guards-evaluator/bucketing.js +83 -0
package/dist/guards-evaluator/bucketing.js.map +1 -0
package/dist/guards-evaluator/evaluate.js +272 -0
package/dist/guards-evaluator/evaluate.js.map +1 -0
package/dist/guards-evaluator/glob.js +148 -0
package/dist/guards-evaluator/glob.js.map +1 -0
package/dist/guards-evaluator/index.js +9 -0
package/dist/guards-evaluator/index.js.map +1 -0
package/dist/guards-evaluator/preprocess.js +174 -0
package/dist/guards-evaluator/preprocess.js.map +1 -0
package/dist/guards-evaluator/redact.js +111 -0
package/dist/guards-evaluator/redact.js.map +1 -0
package/dist/guards-evaluator/regex.js +125 -0
package/dist/guards-evaluator/regex.js.map +1 -0
package/dist/guards-evaluator/types.js +2 -0
package/dist/guards-evaluator/types.js.map +1 -0
package/dist/guards-evaluator/validation.js +115 -0
package/dist/guards-evaluator/validation.js.map +1 -0
package/dist/hook-runner.js +6680 -0
package/dist/hooks/install.js +169 -0
package/dist/hooks/install.js.map +1 -0
package/dist/hooks/runtime/api.js +167 -0
package/dist/hooks/runtime/api.js.map +1 -0
package/dist/hooks/runtime/config.js +60 -0
package/dist/hooks/runtime/config.js.map +1 -0
package/dist/hooks/runtime/emit.js +45 -0
package/dist/hooks/runtime/emit.js.map +1 -0
package/dist/hooks/runtime/fetch-rules.js +154 -0
package/dist/hooks/runtime/fetch-rules.js.map +1 -0
package/dist/hooks/runtime/guard-rules-cache.js +217 -0
package/dist/hooks/runtime/guard-rules-cache.js.map +1 -0
package/dist/hooks/runtime/guard-violations-buffer.js +105 -0
package/dist/hooks/runtime/guard-violations-buffer.js.map +1 -0
package/dist/hooks/runtime/pre-compact.js +41 -0
package/dist/hooks/runtime/pre-compact.js.map +1 -0
package/dist/hooks/runtime/resolve.js +206 -0
package/dist/hooks/runtime/resolve.js.map +1 -0
package/dist/hooks/runtime/session-review.js +198 -0
package/dist/hooks/runtime/session-review.js.map +1 -0
package/dist/hooks/runtime/session-start.js +101 -0
package/dist/hooks/runtime/session-start.js.map +1 -0
package/dist/hooks/runtime/sniff.js +112 -0
package/dist/hooks/runtime/sniff.js.map +1 -0
package/dist/hooks/runtime/types.js +22 -0
package/dist/hooks/runtime/types.js.map +1 -0
package/dist/hooks/runtime/user-prompt-submit.js +154 -0
package/dist/hooks/runtime/user-prompt-submit.js.map +1 -0
package/dist/index.js +129 -0
package/dist/index.js.map +1 -0
package/dist/install.js +183 -0
package/dist/install.js.map +1 -0
package/dist/login.js +335 -0
package/dist/login.js.map +1 -0
package/dist/prompts.js +134 -0
package/dist/prompts.js.map +1 -0
package/dist/self-update.js +177 -0
package/dist/self-update.js.map +1 -0
package/dist/status.js +58 -0
package/dist/status.js.map +1 -0
package/dist/utils.js +84 -0
package/dist/utils.js.map +1 -0
package/dist/version.js +23 -0
package/dist/version.js.map +1 -0
package/package.json +73 -0

package/dist/guards-evaluator/evaluate.js ADDED Viewed

@@ -0,0 +1,272 @@
+/**
+ * Core evaluator — pure function evaluate(rules, request) → Decision.
+ *
+ * Algorithm:
+ *  1. Filter rules with action === 'off'.
+ *  2. Bucket the request's target type.
+ *  3. Walk rules in that bucket; for each: check toolMatch, then per-target matchers.
+ *  4. Collect matched rules; sort by severity descending.
+ *  5. If any matched rule has action=deny → verdict=deny, message from highest-severity deny.
+ *  6. Else if any has action=warn → verdict=warn, message from highest-severity warn.
+ *  7. Else → verdict=allow.
+ */
+import { matchAnyGlob, matchAllGlobExcludes, matchGlob } from './glob.js';
+import { compileRegex } from './regex.js';
+import { bucketRules, targetTypeBucket } from './bucketing.js';
+import { stripDataArgs } from './preprocess.js';
+// -----------------------------------------------------------------------
+// Severity ordering
+// -----------------------------------------------------------------------
+const SEVERITY_ORDER = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+};
+function compareSeverityDesc(a, b) {
+    return SEVERITY_ORDER[b.severity] - SEVERITY_ORDER[a.severity];
+}
+// -----------------------------------------------------------------------
+// Message formatter
+// -----------------------------------------------------------------------
+/**
+ * Format a message template substituting {target} and {rule_name}.
+ *
+ * {target}    → human-readable description of the target
+ * {rule_name} → rule.name if set, else rule.id
+ */
+export function formatMessage(template, target, rule) {
+    let targetStr;
+    switch (target.type) {
+        case 'file':
+            targetStr = target.path;
+            break;
+        case 'command':
+            targetStr = target.command;
+            break;
+        case 'env':
+            targetStr = target.name;
+            break;
+        case 'http':
+            targetStr = target.url;
+            break;
+        case 'git':
+            targetStr = `git ${target.subcommand}`;
+            break;
+    }
+    const ruleName = rule.name ?? rule.id;
+    return template
+        .replace(/\{target\}/g, targetStr)
+        .replace(/\{rule_name\}/g, ruleName);
+}
+// -----------------------------------------------------------------------
+// Per-target matchers
+// -----------------------------------------------------------------------
+function matchesFile(rule, target, homeDir) {
+    const opts = { homeDir };
+    const globsSet = rule.filePathGlobs && rule.filePathGlobs.length > 0;
+    if (globsSet) {
+        if (!matchAnyGlob(rule.filePathGlobs, target.path, opts))
+            return false;
+    }
+    if (!matchAllGlobExcludes(rule.filePathExcludes, target.path, opts))
+        return false;
+    // If no globs at all (only excludes or nothing), treat as "any" only if at
+    // least one matcher is set.
+    if (!globsSet)
+        return false;
+    return true;
+}
+function matchesCommand(rule, target, homeDir) {
+    const opts = { homeDir };
+    const hasRegex = !!rule.commandRegex;
+    const hasArgGlobs = rule.commandArgGlobs && rule.commandArgGlobs.length > 0;
+    if (!hasRegex && !hasArgGlobs)
+        return false;
+    // Reconstruct full command string for regex matching (command + args joined).
+    // Then strip data-bearing arg values (e.g. `git commit -m "..."`, `gh pr
+    // --body "..."`) so the regex doesn't false-positive on user-provided text
+    // that happens to mention a dangerous keyword. See preprocess.ts header for
+    // the full rationale.
+    //
+    // CRITICAL: pass the argv-tuple to stripDataArgs directly (not the joined
+    // string). Naively joining `[cmd, ...argv].join(' ')` LOSES quote boundaries
+    // — a message arg "fix: drop table users" becomes 4 separate tokens, and
+    // the preprocessor only strips the first one. Passing the already-tokenized
+    // argv preserves each argument as one indivisible token regardless of
+    // whether it contains spaces.
+    const fullCommand = stripDataArgs([target.command, ...target.argv]);
+    if (hasRegex) {
+        // A single malformed rule (e.g. an unsupported `(?i)` inline flag rejected
+        // by native RegExp when re2-wasm isn't available) MUST NOT poison the
+        // evaluation of every other rule in the bucket. Swallow per-rule compile
+        // failures: log to stderr once so operators see the culprit, treat the
+        // rule as non-matching, and continue. The other rules still enforce.
+        try {
+            const re = compileRegex(rule.commandRegex);
+            if (!re.test(fullCommand))
+                return false;
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            // eslint-disable-next-line no-console
+            console.error(`[guards-evaluator] Skipping rule ${rule.id} — invalid commandRegex: ${msg}`);
+            return false;
+        }
+    }
+    if (hasArgGlobs) {
+        // Every glob in commandArgGlobs must match at least one entry of argv
+        for (const glob of rule.commandArgGlobs) {
+            const matchedAny = target.argv.some((arg) => matchGlob(glob, arg, opts));
+            if (!matchedAny)
+                return false;
+        }
+    }
+    return true;
+}
+function matchesEnv(rule, target, homeDir) {
+    return matchAnyGlob(rule.envNameGlobs, target.name, { homeDir });
+}
+function matchesHttp(rule, target, homeDir) {
+    const opts = { homeDir };
+    // Parse hostname and path from URL
+    let hostname;
+    let pathname;
+    try {
+        const u = new URL(target.url);
+        hostname = u.hostname;
+        pathname = u.pathname;
+    }
+    catch {
+        // Fallback: treat entire url as hostname
+        hostname = target.url;
+        pathname = '';
+    }
+    // httpHostGlobs — at least one must match
+    const hostGlobsSet = rule.httpHostGlobs && rule.httpHostGlobs.length > 0;
+    if (hostGlobsSet) {
+        if (!matchAnyGlob(rule.httpHostGlobs, hostname, opts))
+            return false;
+    }
+    // httpHostExcludes — none must match
+    if (!matchAllGlobExcludes(rule.httpHostExcludes, hostname, opts))
+        return false;
+    // httpMethod — if set, method must be in the list
+    if (rule.httpMethod && rule.httpMethod.length > 0) {
+        if (!rule.httpMethod.includes(target.method.toUpperCase()))
+            return false;
+    }
+    // httpPathGlobs — if set, at least one must match the path
+    if (rule.httpPathGlobs && rule.httpPathGlobs.length > 0) {
+        if (!matchAnyGlob(rule.httpPathGlobs, pathname, opts))
+            return false;
+    }
+    // Must have at least one positive matcher
+    if (!hostGlobsSet)
+        return false;
+    return true;
+}
+function matchesGit(rule, target, homeDir) {
+    const opts = { homeDir };
+    // gitSubcommand — if set, must include target.subcommand
+    if (rule.gitSubcommand && rule.gitSubcommand.length > 0) {
+        if (!rule.gitSubcommand.includes(target.subcommand))
+            return false;
+    }
+    // gitRemoteGlobs — if set, target.remote must match at least one
+    if (rule.gitRemoteGlobs && rule.gitRemoteGlobs.length > 0) {
+        if (!target.remote)
+            return false;
+        if (!matchAnyGlob(rule.gitRemoteGlobs, target.remote, opts))
+            return false;
+    }
+    // gitBranchGlobs — if set, target.branch must match at least one
+    if (rule.gitBranchGlobs && rule.gitBranchGlobs.length > 0) {
+        if (!target.branch)
+            return false;
+        if (!matchAnyGlob(rule.gitBranchGlobs, target.branch, opts))
+            return false;
+    }
+    // Must have at least one matcher to be useful
+    const hasAny = (rule.gitSubcommand && rule.gitSubcommand.length > 0) ||
+        (rule.gitRemoteGlobs && rule.gitRemoteGlobs.length > 0) ||
+        (rule.gitBranchGlobs && rule.gitBranchGlobs.length > 0);
+    if (!hasAny)
+        return false;
+    return true;
+}
+function ruleMatches(rule, req) {
+    // toolMatch filter
+    if (rule.toolMatch && rule.toolMatch.length > 0) {
+        if (!rule.toolMatch.includes(req.tool))
+            return false;
+    }
+    const { target, homeDir } = req;
+    switch (target.type) {
+        case 'file': return matchesFile(rule, target, homeDir);
+        case 'command': return matchesCommand(rule, target, homeDir);
+        case 'env': return matchesEnv(rule, target, homeDir);
+        case 'http': return matchesHttp(rule, target, homeDir);
+        case 'git': return matchesGit(rule, target, homeDir);
+    }
+}
+// -----------------------------------------------------------------------
+// Public evaluator
+// -----------------------------------------------------------------------
+/**
+ * Evaluate a list of effective rules against a guard request.
+ *
+ * Rules with `action === 'off'` are silently ignored.
+ * Matching rules are sorted by severity descending; deny always beats warn.
+ */
+export function evaluate(rules, req) {
+    try {
+        // 1. Filter off rules
+        const active = rules.filter((r) => r.action !== 'off');
+        // 2. Bucket by target type
+        const bucketed = bucketRules(active);
+        const bucket = targetTypeBucket(req.target);
+        const candidates = bucketed[bucket];
+        // 3. Match each candidate
+        const matched = [];
+        for (const rule of candidates) {
+            if (ruleMatches(rule, req)) {
+                matched.push(rule);
+            }
+        }
+        if (matched.length === 0) {
+            return { verdict: 'allow', matchedRuleIds: [], message: undefined, maxSeverity: null };
+        }
+        // 4. Sort by severity descending
+        matched.sort(compareSeverityDesc);
+        const matchedRuleIds = matched.map((r) => r.id);
+        const maxSeverity = matched[0].severity;
+        // 5. Determine verdict
+        const denyRules = matched.filter((r) => r.action === 'deny');
+        if (denyRules.length > 0) {
+            const topDeny = denyRules[0]; // already sorted
+            const template = topDeny.denyMessage ?? 'Action denied by rule {rule_name} on {target}.';
+            const message = formatMessage(template, req.target, topDeny);
+            return { verdict: 'deny', matchedRuleIds, message, maxSeverity };
+        }
+        const warnRules = matched.filter((r) => r.action === 'warn');
+        if (warnRules.length > 0) {
+            const topWarn = warnRules[0];
+            const template = topWarn.warnMessage ?? 'Action warned by rule {rule_name} on {target}.';
+            const message = formatMessage(template, req.target, topWarn);
+            return { verdict: 'warn', matchedRuleIds, message, maxSeverity };
+        }
+        // All matched rules are 'off' (shouldn't happen after filtering, but be safe)
+        return { verdict: 'allow', matchedRuleIds: [], message: undefined, maxSeverity: null };
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : 'unknown evaluator error';
+        return {
+            verdict: 'deny',
+            matchedRuleIds: [],
+            message: `Guard evaluator failed: ${message}. Failing closed — refuse the action.`,
+            maxSeverity: 'critical',
+        };
+    }
+}
+//# sourceMappingURL=evaluate.js.map

package/dist/guards-evaluator/evaluate.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"evaluate.js","sourceRoot":"","sources":["../../src/guards-evaluator/evaluate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAEhD,0EAA0E;AAC1E,oBAAoB;AACpB,0EAA0E;AAE1E,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAM,CAAC;IACX,MAAM,EAAI,CAAC;IACX,GAAG,EAAO,CAAC;CACZ,CAAC;AAEF,SAAS,mBAAmB,CAAC,CAAO,EAAE,CAAO;IAC3C,OAAO,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;AACjE,CAAC;AAED,0EAA0E;AAC1E,oBAAoB;AACpB,0EAA0E;AAE1E;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,MAAc,EACd,IAAU;IAEV,IAAI,SAAiB,CAAC;IACtB,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,MAAM;YAAK,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC;YAAC,MAAM;QAC/C,KAAK,SAAS;YAAE,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC;YAAC,MAAM;QAClD,KAAK,KAAK;YAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC;YAAC,MAAM;QAC/C,KAAK,MAAM;YAAK,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC;YAAC,MAAM;QAC9C,KAAK,KAAK;YAAM,SAAS,GAAG,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;YAAC,MAAM;IAChE,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;IACtC,OAAO,QAAQ;SACZ,OAAO,CAAC,aAAa,EAAE,SAAS,CAAC;SACjC,OAAO,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAED,0EAA0E;AAC1E,sBAAsB;AACtB,0EAA0E;AAE1E,SAAS,WAAW,CAClB,IAAU,EACV,MAAyC,EACzC,OAAe;IAEf,MAAM,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;IACrE,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAClF,2EAA2E;IAC3E,4BAA4B;IAC5B,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CACrB,IAAU,EACV,MAA4C,EAC5C,OAAe;IAEf,MAAM,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;IACxC,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;IAE5E,IAAI,CAAC,QAAQ,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAE5C,8EAA8E;IAC9E,yEAAyE;IACzE,2EAA2E;IAC3E,4EAA4E;IAC5E,sBAAsB;IACtB,EAAE;IACF,0EAA0E;IAC1E,6EAA6E;IAC7E,yEAAyE;IACzE,4EAA4E;IAC5E,sEAAsE;IACtE,8BAA8B;IAC9B,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAEpE,IAAI,QAAQ,EAAE,CAAC;QACb,2EAA2E;QAC3E,sEAAsE;QACtE,yEAAyE;QACzE,uEAAuE;QACvE,qEAAqE;QACrE,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,YAAsB,CAAC,CAAC;YACrD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC1C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,sCAAsC;YACtC,OAAO,CAAC,KAAK,CACX,oCAAoC,IAAI,CAAC,EAAE,4BAA4B,GAAG,EAAE,CAC7E,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,sEAAsE;QACtE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAA2B,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;YACzE,IAAI,CAAC,UAAU;gBAAE,OAAO,KAAK,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CACjB,IAAU,EACV,MAAwC,EACxC,OAAe;IAEf,OAAO,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,WAAW,CAClB,IAAU,EACV,MAAyC,EACzC,OAAe;IAEf,MAAM,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;IAEzB,mCAAmC;IACnC,IAAI,QAAgB,CAAC;IACrB,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;QACtB,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,yCAAyC;QACzC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,QAAQ,GAAG,EAAE,CAAC;IAChB,CAAC;IAED,0CAA0C;IAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;IACzE,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,EAAE,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACtE,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,EAAE,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/E,kDAAkD;IAClD,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3E,CAAC;IAED,2DAA2D;IAC3D,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,EAAE,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACtE,CAAC;IAED,0CAA0C;IAC1C,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAEhC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CACjB,IAAU,EACV,MAAwC,EACxC,OAAe;IAEf,MAAM,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;IAEzB,yDAAyD;IACzD,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,IAAI,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACjC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5E,CAAC;IAED,iEAAiE;IACjE,IAAI,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACjC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5E,CAAC;IAED,8CAA8C;IAC9C,MAAM,MAAM,GACV,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;QACrD,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QACvD,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC1D,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,WAAW,CAAC,IAAU,EAAE,GAAiB;IAChD,mBAAmB;IACnB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACvD,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAEhC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,CAAI,OAAO,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC1D,KAAK,SAAS,CAAC,CAAC,OAAO,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7D,KAAK,KAAK,CAAC,CAAK,OAAO,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QACzD,KAAK,MAAM,CAAC,CAAI,OAAO,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC1D,KAAK,KAAK,CAAC,CAAK,OAAO,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,mBAAmB;AACnB,0EAA0E;AAE1E;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,KAAa,EAAE,GAAiB;IACvD,IAAI,CAAC;QACH,sBAAsB;QACtB,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC;QAEvD,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEpC,0BAA0B;QAC1B,MAAM,OAAO,GAAW,EAAE,CAAC;QAC3B,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QACzF,CAAC;QAED,iCAAiC;QACjC,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAElC,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;QAExC,uBAAuB;QACvB,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;QAC7D,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB;YAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,IAAI,gDAAgD,CAAC;YACzF,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;QACnE,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;QAC7D,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,IAAI,gDAAgD,CAAC;YACzF,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;QACnE,CAAC;QAED,8EAA8E;QAC9E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACzF,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAAC;QAC3E,OAAO;YACL,OAAO,EAAE,MAAM;YACf,cAAc,EAAE,EAAE;YAClB,OAAO,EAAE,2BAA2B,OAAO,uCAAuC;YAClF,WAAW,EAAE,UAAU;SACxB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/guards-evaluator/glob.js ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * Glob matching implementation for VibeDefend Action Guards.
+ *
+ * Supports: * (no path sep), ** (any chars including /), ? (single char),
+ * [abc] character classes, ~ expansion (home dir only), path separator
+ * normalisation.
+ */
+/**
+ * Expand ~ at the start of a pattern to opts.homeDir.
+ */
+function expandHome(pattern, homeDir) {
+    if (pattern === '~')
+        return homeDir;
+    if (pattern.startsWith('~/'))
+        return homeDir + pattern.slice(1);
+    return pattern;
+}
+/**
+ * Normalise path separators (Windows backslashes → forward slashes).
+ */
+function normaliseSep(s) {
+    return s.replace(/\\/g, '/');
+}
+/**
+ * Escape a literal string for inclusion in a regex.
+ */
+function escapeRegex(s) {
+    return s.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Convert a glob pattern (after ~ expansion + sep normalisation) to a RegExp.
+ *
+ * Rules:
+ *   **  → matches any sequence of characters including '/' (greedy)
+ *   *   → matches any sequence of characters except '/'
+ *   ?   → matches any single character except '/'
+ *   [abc] → character class (passed through as-is)
+ */
+function globToRegex(pattern) {
+    let src = '';
+    let i = 0;
+    while (i < pattern.length) {
+        const c = pattern[i];
+        if (c === '*') {
+            if (pattern[i + 1] === '*') {
+                // ** — matches everything including slashes
+                // consume any surrounding slashes in pattern to avoid double-//
+                const before = src.endsWith('/') ? src.slice(0, -1) : src;
+                let j = i + 2;
+                while (j < pattern.length && pattern[j] === '/')
+                    j++;
+                if (i === 0 && j === pattern.length) {
+                    // just ** alone — matches anything
+                    src = before + '.*';
+                }
+                else if (i === 0) {
+                    // **/ at start
+                    src = before + '(?:.*\\/)?';
+                }
+                else if (j >= pattern.length) {
+                    // /** at end
+                    src = before + '(?:\\/.*)?';
+                }
+                else {
+                    // /**/  in the middle
+                    src = before + '(?:\\/.*\\/|\\/|\\/)';
+                    // Actually: /**/foo should match /foo and /a/b/foo
+                    // We handle this more carefully:
+                    src = before + '(?:\\/|(?:\\/.+\\/))';
+                }
+                i = j;
+                continue;
+            }
+            else {
+                // single * — no path separator
+                src += '[^/]*';
+                i++;
+                continue;
+            }
+        }
+        else if (c === '?') {
+            src += '[^/]';
+            i++;
+        }
+        else if (c === '[') {
+            // pass character class through
+            let j = i + 1;
+            let cls = '[';
+            if (j < pattern.length && pattern[j] === '!') {
+                cls += '^';
+                j++;
+            }
+            if (j < pattern.length && pattern[j] === ']') {
+                cls += '\\]';
+                j++;
+            }
+            while (j < pattern.length && pattern[j] !== ']') {
+                cls += escapeRegex(pattern[j]);
+                j++;
+            }
+            cls += ']';
+            src += cls;
+            i = j + 1;
+        }
+        else {
+            src += escapeRegex(c);
+            i++;
+        }
+    }
+    return new RegExp('^' + src + '$');
+}
+/**
+ * Match a single glob pattern against a value.
+ *
+ * @param pattern  Glob pattern (may start with ~)
+ * @param value    The string to test (file path, host, etc.)
+ * @param opts     Must include homeDir for ~ expansion
+ */
+export function matchGlob(pattern, value, opts) {
+    const expanded = expandHome(normaliseSep(pattern), normaliseSep(opts.homeDir));
+    const normValue = normaliseSep(value);
+    // A pattern without any glob characters — exact match
+    const hasGlob = /[*?[\]]/.test(expanded);
+    if (!hasGlob) {
+        return expanded === normValue;
+    }
+    const re = globToRegex(expanded);
+    return re.test(normValue);
+}
+/**
+ * Returns true if `value` matches ANY of the `patterns`.
+ * Returns false if patterns is undefined or empty.
+ */
+export function matchAnyGlob(patterns, value, opts) {
+    if (!patterns || patterns.length === 0)
+        return false;
+    return patterns.some((p) => matchGlob(p, value, opts));
+}
+/**
+ * Returns true if `value` does NOT match any of the `excludes`.
+ * If excludes is undefined or empty, always returns true (nothing is excluded).
+ */
+export function matchAllGlobExcludes(excludes, value, opts) {
+    if (!excludes || excludes.length === 0)
+        return true;
+    return !excludes.some((p) => matchGlob(p, value, opts));
+}
+//# sourceMappingURL=glob.js.map

package/dist/guards-evaluator/glob.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"glob.js","sourceRoot":"","sources":["../../src/guards-evaluator/glob.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH;;GAEG;AACH,SAAS,UAAU,CAAC,OAAe,EAAE,OAAe;IAClD,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,OAAO,CAAC;IACpC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAChE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,CAAS;IAC5B,OAAO,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACd,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC3B,4CAA4C;gBAC5C,gEAAgE;gBAChE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;oBAAE,CAAC,EAAE,CAAC;gBACrD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;oBACpC,mCAAmC;oBACnC,GAAG,GAAG,MAAM,GAAG,IAAI,CAAC;gBACtB,CAAC;qBAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnB,eAAe;oBACf,GAAG,GAAG,MAAM,GAAG,YAAY,CAAC;gBAC9B,CAAC;qBAAM,IAAI,CAAC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;oBAC/B,aAAa;oBACb,GAAG,GAAG,MAAM,GAAG,YAAY,CAAC;gBAC9B,CAAC;qBAAM,CAAC;oBACN,sBAAsB;oBACtB,GAAG,GAAG,MAAM,GAAG,sBAAsB,CAAC;oBACtC,mDAAmD;oBACnD,iCAAiC;oBACjC,GAAG,GAAG,MAAM,GAAG,sBAAsB,CAAC;gBACxC,CAAC;gBACD,CAAC,GAAG,CAAC,CAAC;gBACN,SAAS;YACX,CAAC;iBAAM,CAAC;gBACN,+BAA+B;gBAC/B,GAAG,IAAI,OAAO,CAAC;gBACf,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,GAAG,IAAI,MAAM,CAAC;YACd,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,+BAA+B;YAC/B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACd,IAAI,GAAG,GAAG,GAAG,CAAC;YACd,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAAC,GAAG,IAAI,GAAG,CAAC;gBAAC,CAAC,EAAE,CAAC;YAAC,CAAC;YAClE,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAAC,GAAG,IAAI,KAAK,CAAC;gBAAC,CAAC,EAAE,CAAC;YAAC,CAAC;YACpE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAChD,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC/B,CAAC,EAAE,CAAC;YACN,CAAC;YACD,GAAG,IAAI,GAAG,CAAC;YACX,GAAG,IAAI,GAAG,CAAC;YACX,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;aAAM,CAAC;YACN,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;YACtB,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IACD,OAAO,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,KAAa,EAAE,IAAc;IACtE,MAAM,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAEtC,sDAAsD;IACtD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,QAAQ,KAAK,SAAS,CAAC;IAChC,CAAC;IAED,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACjC,OAAO,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAC1B,QAA8B,EAC9B,KAAa,EACb,IAAc;IAEd,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAA8B,EAC9B,KAAa,EACb,IAAc;IAEd,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/guards-evaluator/index.js ADDED Viewed

@@ -0,0 +1,9 @@
+export * from './types.js';
+export { evaluate, formatMessage } from './evaluate.js';
+export { validateRule } from './validation.js';
+export { redactTarget, hashTarget } from './redact.js';
+export { matchGlob, matchAnyGlob, matchAllGlobExcludes } from './glob.js';
+export { compileRegex, isRegexSafe, isRe2Available, waitForRe2 } from './regex.js';
+export { targetTypeBucket, ruleBuckets, bucketRules } from './bucketing.js';
+export { stripDataArgs } from './preprocess.js';
+//# sourceMappingURL=index.js.map

package/dist/guards-evaluator/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/guards-evaluator/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/guards-evaluator/preprocess.js ADDED Viewed

@@ -0,0 +1,174 @@
+/**
+ * Quote-aware preprocessing of shell command strings.
+ *
+ * Problem: the rule-evaluation regexes scan the full command string for
+ * dangerous patterns. They have no awareness of shell semantics, so they
+ * cannot tell that the literal text inside a `git commit -m "..."` argument
+ * is DATA (a commit message) rather than CODE. This produces false positives
+ * — a perfectly safe commit message saying "fix: close .env bypass" trips
+ * the secret-read rule because the regex sees `.env` as a substring.
+ *
+ * Fix: before running the rule regex, tokenize the command with `shell-quote`
+ * (a pure-JS bash-grammar tokenizer that respects single/double quotes,
+ * escapes, and shell operators). For known data-bearing flags — `-m`/`-F`/
+ * `--message`/`--file`/`--body` on `git commit|tag|notes|stash` and `gh
+ * pr|issue create` — replace the value token with an opaque placeholder
+ * so the regex never sees the user-provided text.
+ *
+ * Scope is INTENTIONALLY narrow:
+ *   - Only flags that take freeform USER TEXT (commit messages, PR bodies)
+ *     get their values stripped. `bash -c "..."` does NOT get stripped —
+ *     that arg IS code, not data.
+ *   - Only the subcommands that genuinely accept message text. `git push
+ *     -m` (not a real flag) keeps its argument so we don't lose detection
+ *     on hypothetical future variants.
+ *   - Stripping resets at every shell operator (`;`, `&&`, `||`, `|`).
+ *     So `git commit -m "msg"; cat .env` strips the message but keeps
+ *     `cat .env` for evaluation.
+ *
+ * No I/O, no system access — pure string in, pure string out. Parse failures
+ * (unclosed quotes, invalid escapes) fall back to the original input so
+ * the scanner keeps running.
+ */
+import { parse as shellParse } from 'shell-quote';
+/** Opaque placeholder substituted for stripped data arguments. */
+const PLACEHOLDER = '<DATA>';
+/**
+ * Subcommands that accept user-provided message TEXT as a `-m` / `-F` /
+ * `--message` / `--file` value. Other subcommands of the same tool either
+ * don't accept these flags or use them differently (e.g. `git push` has
+ * no `-m`, `git diff` doesn't either).
+ *
+ * Keyed by top-level command. Empty set means "always treat as data" (used
+ * for commands where every -m/-F is a message regardless of subcommand,
+ * e.g. `gh`).
+ */
+const DATA_BEARING_CONTEXTS = {
+    git: new Set(['commit', 'tag', 'notes', 'stash', 'merge', 'cherry-pick', 'revert']),
+    gh: null, // gh pr/issue create/edit all accept --body
+    hg: new Set(['commit', 'tag']), // mercurial
+};
+/** Flags whose VALUE is data (skip the next token). */
+const DATA_FLAGS_VALUE = new Set([
+    '-m', '-F',
+    '--message', '--file',
+    '--body', '--body-file',
+]);
+/** Flags in `--flag=value` form whose value is data. */
+const DATA_FLAGS_EQUAL = ['--message=', '--file=', '--body=', '--body-file='];
+/**
+ * Strip data-argument values from a shell command.
+ *
+ * Accepts either a raw command STRING (legacy callers; will be tokenized
+ * with shell-quote, which may lose quote boundaries on free-form input) or
+ * a pre-tokenized ARGV ARRAY (preferred; quote boundaries already
+ * established by the caller's own tokenizer). The argv path is what the
+ * production evaluator uses — each argv element is treated as one
+ * indivisible token, so a message arg with spaces stays one token and gets
+ * cleanly replaced by `<DATA>`.
+ *
+ * Returns the (possibly modified) command as a single string. The caller's
+ * regex then sees the rest of the command unchanged — operators, other
+ * args, subsequent commands — so genuine code patterns still match.
+ *
+ * Never throws. Parse failures return the original input so the scanner
+ * still runs (fail-open at this layer; the per-rule regex is the gate).
+ */
+export function stripDataArgs(command) {
+    if (!command || (Array.isArray(command) && command.length === 0)) {
+        return Array.isArray(command) ? '' : command;
+    }
+    let tokens;
+    if (Array.isArray(command)) {
+        // Caller already tokenized — each element is one indivisible token.
+        // Skip shell-quote so we don't accidentally re-split a message arg
+        // that contains spaces. Operators in argv (rare; the caller's tokenizer
+        // would normally absorb them into the command string) are passed through
+        // as bare strings — they won't match our data-flag detection anyway.
+        tokens = command.slice();
+    }
+    else {
+        try {
+            // CRITICAL: pass an env function that preserves `$VAR` references as
+            // their literal form. shell-quote's default behavior is to substitute
+            // variable references with empty strings, which would DROP `$HOME`,
+            // `$SECRET_KEY`, etc. from the command — breaking every rule that
+            // matches on those literals (e.g. shell.env.echo_secret looks for
+            // `echo $SECRET_KEY`, fs.delete.root_or_home matches `rm -rf $HOME`).
+            // Returning `$<name>` keeps the regex's view of the command identical
+            // to what the user typed.
+            tokens = shellParse(command, (key) => '$' + key);
+        }
+        catch {
+            return command;
+        }
+    }
+    // Walk tokens, tracking the current segment's top-level command and
+    // subcommand so we know whether a `-m` is a data flag here.
+    const out = [];
+    let segmentTopCmd = null;
+    let segmentSubCmd = null;
+    let positionInSegment = 0;
+    for (let i = 0; i < tokens.length; i++) {
+        const tok = tokens[i];
+        if (typeof tok === 'object' && 'op' in tok) {
+            // Shell operator (`;`, `&&`, `||`, `|`, `>`, `<`, etc.) — segment boundary.
+            out.push(tok.op);
+            segmentTopCmd = null;
+            segmentSubCmd = null;
+            positionInSegment = 0;
+            continue;
+        }
+        if (typeof tok !== 'string') {
+            // Patterns / comments / other object tokens — preserve literal form.
+            out.push(JSON.stringify(tok));
+            continue;
+        }
+        // First non-operator token in a segment is the command name.
+        if (positionInSegment === 0) {
+            segmentTopCmd = tok;
+            out.push(tok);
+            positionInSegment++;
+            continue;
+        }
+        // Second token might be the subcommand.
+        if (positionInSegment === 1) {
+            segmentSubCmd = tok;
+        }
+        const contextSubcommands = segmentTopCmd
+            ? DATA_BEARING_CONTEXTS[segmentTopCmd]
+            : undefined;
+        const inDataBearingContext = contextSubcommands === null ||
+            (contextSubcommands !== undefined &&
+                segmentSubCmd !== null &&
+                contextSubcommands.has(segmentSubCmd));
+        if (inDataBearingContext) {
+            // -m "msg" / -F file / --message msg / --file path
+            if (DATA_FLAGS_VALUE.has(tok)) {
+                out.push(tok);
+                if (i + 1 < tokens.length) {
+                    const next = tokens[i + 1];
+                    if (typeof next === 'string') {
+                        out.push(PLACEHOLDER);
+                        i++;
+                        positionInSegment++;
+                        continue;
+                    }
+                }
+                positionInSegment++;
+                continue;
+            }
+            // --message=msg / --file=path / --body=...
+            const equalPrefix = DATA_FLAGS_EQUAL.find((p) => tok.startsWith(p));
+            if (equalPrefix) {
+                out.push(equalPrefix + PLACEHOLDER);
+                positionInSegment++;
+                continue;
+            }
+        }
+        out.push(tok);
+        positionInSegment++;
+    }
+    return out.join(' ');
+}
+//# sourceMappingURL=preprocess.js.map

package/dist/guards-evaluator/preprocess.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"preprocess.js","sourceRoot":"","sources":["../../src/guards-evaluator/preprocess.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAWlD,kEAAkE;AAClE,MAAM,WAAW,GAAG,QAAQ,CAAC;AAE7B;;;;;;;;;GASG;AACH,MAAM,qBAAqB,GAAuC;IAChE,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;IACnF,EAAE,EAAG,IAAI,EAAG,4CAA4C;IACxD,EAAE,EAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,EAAG,YAAY;CAC/C,CAAC;AAEF,uDAAuD;AACvD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,IAAI,EAAE,IAAI;IACV,WAAW,EAAE,QAAQ;IACrB,QAAQ,EAAE,aAAa;CACxB,CAAC,CAAC;AAEH,wDAAwD;AACxD,MAAM,gBAAgB,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;AAE9E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,aAAa,CAAC,OAA0B;IACtD,IAAI,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QACjE,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;IAC/C,CAAC;IAED,IAAI,MAAoB,CAAC;IACzB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,oEAAoE;QACpE,mEAAmE;QACnE,wEAAwE;QACxE,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,qEAAqE;YACrE,sEAAsE;YACtE,oEAAoE;YACpE,kEAAkE;YAClE,kEAAkE;YAClE,sEAAsE;YACtE,sEAAsE;YACtE,0BAA0B;YAC1B,MAAM,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAiB,CAAC;QAC3E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,4DAA4D;IAC5D,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAE1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;YAC3C,4EAA4E;YAC5E,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACjB,aAAa,GAAG,IAAI,CAAC;YACrB,aAAa,GAAG,IAAI,CAAC;YACrB,iBAAiB,GAAG,CAAC,CAAC;YACtB,SAAS;QACX,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,qEAAqE;YACrE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,6DAA6D;QAC7D,IAAI,iBAAiB,KAAK,CAAC,EAAE,CAAC;YAC5B,aAAa,GAAG,GAAG,CAAC;YACpB,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACd,iBAAiB,EAAE,CAAC;YACpB,SAAS;QACX,CAAC;QAED,wCAAwC;QACxC,IAAI,iBAAiB,KAAK,CAAC,EAAE,CAAC;YAC5B,aAAa,GAAG,GAAG,CAAC;QACtB,CAAC;QAED,MAAM,kBAAkB,GAAG,aAAa;YACtC,CAAC,CAAC,qBAAqB,CAAC,aAAa,CAAC;YACtC,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,oBAAoB,GACxB,kBAAkB,KAAK,IAAI;YAC3B,CAAC,kBAAkB,KAAK,SAAS;gBAC/B,aAAa,KAAK,IAAI;gBACtB,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;QAE3C,IAAI,oBAAoB,EAAE,CAAC;YACzB,mDAAmD;YACnD,IAAI,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACd,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;oBAC1B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;wBAC7B,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;wBACtB,CAAC,EAAE,CAAC;wBACJ,iBAAiB,EAAE,CAAC;wBACpB,SAAS;oBACX,CAAC;gBACH,CAAC;gBACD,iBAAiB,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,2CAA2C;YAC3C,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACpE,IAAI,WAAW,EAAE,CAAC;gBAChB,GAAG,CAAC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,CAAC;gBACpC,iBAAiB,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;QACH,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACd,iBAAiB,EAAE,CAAC;IACtB,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC"}