@gaberrb/polypus 0.4.4 → 0.4.5

package/dist/index.js

@@ -291,7 +291,10 @@ var en = {
   // @-mentions
   "mentions.injectedHeader": "Referenced files (@-mentions)",
   "mentions.dirHeader": "@{path} (directory listing)",
-  "mentions.notFound": "(could not resolve @{path}: not found or outside the allow-list)"
+  "mentions.notFound": "(could not resolve @{path}: not found or outside the allow-list)",
+  // safety policy
+  "policy.blockedCommand": "blocked by safety policy ({reason}) \u2014 refusing in all modes",
+  "policy.secretFound": "write blocked: a possible secret ({kind}) was found on line {line}. Remove it or load it from an environment variable instead of hard-coding it."
 };
 var ptBR = {
   "common.default": "padr\xE3o",
@@ -490,6 +493,9 @@ var ptBR = {
   "mentions.injectedHeader": "Arquivos referenciados (@-mentions)",
   "mentions.dirHeader": "@{path} (conte\xFAdo do diret\xF3rio)",
   "mentions.notFound": "(n\xE3o foi poss\xEDvel resolver @{path}: n\xE3o encontrado ou fora da allow-list)",
+  // safety policy
+  "policy.blockedCommand": "bloqueado pela pol\xEDtica de seguran\xE7a ({reason}) \u2014 recusado em todos os modos",
+  "policy.secretFound": "escrita bloqueada: poss\xEDvel segredo ({kind}) encontrado na linha {line}. Remova-o ou carregue de uma vari\xE1vel de ambiente em vez de fix\xE1-lo no c\xF3digo.",
   "models.fetching": "Buscando modelos do OpenRouter\u2026",
   "models.fetchError": "N\xE3o foi poss\xEDvel buscar modelos: {msg}",
   "models.none": "Nenhum modelo corresponde aos filtros.",
@@ -1005,6 +1011,53 @@ function isCommandPreApproved(allowedCommands, command) {
   return allowedCommands.some((prefix) => c === prefix || c.startsWith(prefix.trim() + " "));
 }
 
+// src/core/permissions/policy.ts
+var DANGEROUS_COMMANDS = [
+  { re: /--no-preserve-root/i, reason: "rm --no-preserve-root" },
+  { re: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/, reason: "fork bomb" },
+  { re: /\bmkfs(\.\w+)?\b/i, reason: "filesystem format (mkfs)" },
+  { re: /\bdd\b[^\n]*\bof=\/dev\/(sd|nvme|hd|disk)/i, reason: "dd writing to a raw disk device" },
+  { re: />\s*\/dev\/(sd|nvme|hd|disk)/i, reason: "redirect to a raw disk device" },
+  { re: /\bchmod\s+(-[a-z]*\s+)*-?R?\s*777\s+\//i, reason: "chmod 777 on /" },
+  { re: /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b/i, reason: "piping a downloaded script straight into a shell" }
+];
+function isDangerousRm(command) {
+  if (!/\brm\b/i.test(command)) return false;
+  const recursive = /(?:^|\s)-[a-z]*r[a-z]*f/i.test(command) || /(?:^|\s)-[a-z]*f[a-z]*r/i.test(command) || /(?:^|\s)-[a-z]*r\b/i.test(command) && /(?:^|\s)-[a-z]*f\b/i.test(command);
+  if (!recursive) return false;
+  return /(?:\s|^)(?:\/\*|\/|~|\$HOME|\*)(?:\s|$)/.test(command);
+}
+function screenCommand(command) {
+  if (isDangerousRm(command)) {
+    return { blocked: true, reason: "recursive force-delete of / ~ or *" };
+  }
+  for (const { re, reason } of DANGEROUS_COMMANDS) {
+    if (re.test(command)) return { blocked: true, reason };
+  }
+  return { blocked: false };
+}
+var SECRET_PATTERNS = [
+  { re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/, kind: "private key block" },
+  { re: /\bAKIA[0-9A-Z]{16}\b/, kind: "AWS access key id" },
+  { re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/, kind: "GitHub token" },
+  { re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/, kind: "Slack token" },
+  { re: /\bsk-[A-Za-z0-9]{32,}\b/, kind: "OpenAI-style secret key" },
+  { re: /\bAIza[0-9A-Za-z_-]{35}\b/, kind: "Google API key" }
+];
+function scanSecrets(text2) {
+  const findings = [];
+  const lines = text2.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    for (const { re, kind } of SECRET_PATTERNS) {
+      if (re.test(lines[i])) {
+        findings.push({ line: i + 1, kind });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
 // src/core/permissions/modes.ts
 var PermissionEngine = class {
   constructor(opts) {
@@ -1019,9 +1072,17 @@ var PermissionEngine = class {
     const d = checkPath(this.opts.policy, target);
     return d.allowed ? { allowed: true } : { allowed: false, reason: d.reason };
   }
-  async authorizeWrite(target, preview) {
+  async authorizeWrite(target, preview, content) {
     const d = checkPath(this.opts.policy, target);
     if (!d.allowed) return { allowed: false, reason: d.reason };
+    const findings = scanSecrets(content ?? preview ?? "");
+    if (findings.length > 0) {
+      const first = findings[0];
+      return {
+        allowed: false,
+        reason: t("policy.secretFound", { kind: first.kind, line: first.line })
+      };
+    }
     if (this.opts.mode === "plan") {
       return { allowed: false, reason: "plan mode: file modifications are disabled" };
     }
@@ -1030,6 +1091,10 @@ var PermissionEngine = class {
     return ok ? { allowed: true } : { allowed: false, reason: "rejected by user" };
   }
   async authorizeCommand(command) {
+    const screen = screenCommand(command);
+    if (screen.blocked) {
+      return { allowed: false, reason: t("policy.blockedCommand", { reason: screen.reason ?? "" }) };
+    }
     if (this.opts.mode === "plan") {
       return { allowed: false, reason: "plan mode: running commands is disabled" };
     }
@@ -1317,7 +1382,8 @@ var editFileTool = {
     const decision = await ctx.permissions.authorizeWrite(
       args.data.path,
       `- ${firstLine(args.data.search)}
-+ ${firstLine(args.data.replace)}`
++ ${firstLine(args.data.replace)}`,
+      args.data.replace
     );
     if (!decision.allowed) return { ok: false, output: `Edit denied: ${decision.reason}` };
     try {
@@ -1599,7 +1665,7 @@ var writeFileTool = {
       };
     }
     const preview = previewContent(args.data.content);
-    const decision = await ctx.permissions.authorizeWrite(args.data.path, preview);
+    const decision = await ctx.permissions.authorizeWrite(args.data.path, preview, args.data.content);
     if (!decision.allowed) return { ok: false, output: `Write denied: ${decision.reason}` };
     try {
       const abs = resolve6(ctx.workspace, args.data.path);