@gencode/agents 0.0.2 → 0.0.4

package/dist/security/command-parser.js

@@ -0,0 +1,191 @@
+function hasUnsupportedShellSyntax(command) {
+    return (command.includes("$(") ||
+        command.includes("`") ||
+        command.includes("<<") ||
+        command.includes("<(") ||
+        command.includes(">("));
+}
+function splitTopLevel(command) {
+    const segments = [];
+    let current = "";
+    let quote = null;
+    let escaped = false;
+    for (let index = 0; index < command.length; index += 1) {
+        const char = command[index];
+        const next = command[index + 1];
+        if (escaped) {
+            current += char;
+            escaped = false;
+            continue;
+        }
+        if (char === "\\") {
+            current += char;
+            escaped = true;
+            continue;
+        }
+        if (quote) {
+            current += char;
+            if (char === quote) {
+                quote = null;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            quote = char;
+            current += char;
+            continue;
+        }
+        if (char === "|" && next === "|") {
+            segments.push(current.trim());
+            current = "";
+            index += 1;
+            continue;
+        }
+        if (char === "&" && next === "&") {
+            segments.push(current.trim());
+            current = "";
+            index += 1;
+            continue;
+        }
+        if (char === ";" || char === "|") {
+            segments.push(current.trim());
+            current = "";
+            continue;
+        }
+        current += char;
+    }
+    if (quote || escaped) {
+        return null;
+    }
+    if (current.trim().length > 0) {
+        segments.push(current.trim());
+    }
+    return segments.filter((segment) => segment.length > 0);
+}
+function tokenize(segment) {
+    const tokens = [];
+    let current = "";
+    let quote = null;
+    let escaped = false;
+    for (let index = 0; index < segment.length; index += 1) {
+        const char = segment[index];
+        if (escaped) {
+            current += char;
+            escaped = false;
+            continue;
+        }
+        if (char === "\\") {
+            escaped = true;
+            continue;
+        }
+        if (quote) {
+            if (char === quote) {
+                quote = null;
+            }
+            else {
+                current += char;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            quote = char;
+            continue;
+        }
+        if (/\s/.test(char)) {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = "";
+            }
+            continue;
+        }
+        if (char === ">" || char === "<") {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = "";
+            }
+            const next = segment[index + 1];
+            if ((char === ">" || char === "<") && next === char) {
+                tokens.push(char + next);
+                index += 1;
+            }
+            else {
+                tokens.push(char);
+            }
+            continue;
+        }
+        if (char === "2" && segment[index + 1] === ">") {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = "";
+            }
+            tokens.push("2>");
+            index += 1;
+            continue;
+        }
+        current += char;
+    }
+    if (quote || escaped) {
+        return null;
+    }
+    if (current.length > 0) {
+        tokens.push(current);
+    }
+    return tokens;
+}
+function unwrapEnv(tokens) {
+    if (tokens[0] !== "env") {
+        return tokens;
+    }
+    let index = 1;
+    while (index < tokens.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(tokens[index])) {
+        index += 1;
+    }
+    return tokens.slice(index);
+}
+function buildSegment(raw) {
+    const tokens = tokenize(raw);
+    if (!tokens || tokens.length === 0) {
+        return null;
+    }
+    const redirections = [];
+    const argv = [];
+    for (let index = 0; index < tokens.length; index += 1) {
+        const token = tokens[index];
+        if (token === ">" || token === ">>" || token === "<" || token === "2>") {
+            const target = tokens[index + 1];
+            if (!target) {
+                return null;
+            }
+            redirections.push({ operator: token, target });
+            index += 1;
+            continue;
+        }
+        argv.push(token);
+    }
+    const unwrapped = unwrapEnv(argv);
+    return {
+        raw,
+        argv,
+        executable: unwrapped[0] ?? null,
+        redirections,
+    };
+}
+export function parseCommand(command) {
+    if (!command.trim() || hasUnsupportedShellSyntax(command)) {
+        return null;
+    }
+    const rawSegments = splitTopLevel(command);
+    if (!rawSegments || rawSegments.length === 0) {
+        return null;
+    }
+    const segments = [];
+    for (const raw of rawSegments) {
+        const segment = buildSegment(raw);
+        if (!segment) {
+            return null;
+        }
+        segments.push(segment);
+    }
+    return { segments };
+}
+//# sourceMappingURL=command-parser.js.map

package/dist/security/command-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-parser.js","sourceRoot":"","sources":["../../src/security/command-parser.ts"],"names":[],"mappings":"AAEA,SAAS,yBAAyB,CAAC,OAAe;IAChD,OAAO,CACL,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QACtB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QACrB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,KAAK,GAAqB,IAAI,CAAC;IACnC,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAEhC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,IAAI,CAAC;YAChB,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,OAAO,IAAI,IAAI,CAAC;YAChB,OAAO,GAAG,IAAI,CAAC;YACf,SAAS;QACX,CAAC;QAED,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,IAAI,IAAI,CAAC;YAChB,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACnB,KAAK,GAAG,IAAI,CAAC;YACf,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjC,KAAK,GAAG,IAAI,CAAC;YACb,OAAO,IAAI,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9B,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9B,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9B,OAAO,GAAG,EAAE,CAAC;YACb,SAAS;QACX,CAAC;QAED,OAAO,IAAI,IAAI,CAAC;IAClB,CAAC;IAED,IAAI,KAAK,IAAI,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,QAAQ,CAAC,OAAe;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,KAAK,GAAqB,IAAI,CAAC;IACnC,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAE,CAAC;QAE7B,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,IAAI,CAAC;YAChB,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,OAAO,GAAG,IAAI,CAAC;YACf,SAAS;QACX,CAAC;QAED,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACnB,KAAK,GAAG,IAAI,CAAC;YACf,CAAC;iBAAM,CAAC;gBACN,OAAO,IAAI,IAAI,CAAC;YAClB,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjC,KAAK,GAAG,IAAI,CAAC;YACb,SAAS;QACX,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,EAAE,CAAC;YACf,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,EAAE,CAAC;YACf,CAAC;YACD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAChC,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;gBACzB,KAAK,IAAI,CAAC,CAAC;YACb,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,GAAG,IAAI,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC/C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,EAAE,CAAC;YACf,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QAED,OAAO,IAAI,IAAI,CAAC;IAClB,CAAC;IAED,IAAI,KAAK,IAAI,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,MAAgB;IACjC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QACxB,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,KAAK,GAAG,MAAM,CAAC,MAAM,IAAI,0BAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAE,CAAC,EAAE,CAAC;QAChF,KAAK,IAAI,CAAC,CAAC;IACb,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,YAAY,GAAgD,EAAE,CAAC;IACrE,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACtD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAE,CAAC;QAC7B,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACvE,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,IAAI,CAAC;YACd,CAAC;YACD,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC/C,KAAK,IAAI,CAAC,CAAC;YACX,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnB,CAAC;IACD,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO;QACL,GAAG;QACH,IAAI;QACJ,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI;QAChC,YAAY;KACb,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,yBAAyB,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC"}

package/dist/security/command-path-guard.d.ts

@@ -0,0 +1,10 @@
+import type { CommandPathPolicy, ParsedCommandSegment } from "./command-policy-types.js";
+import type { CommandAllowlistPolicy } from "./command-policy-types.js";
+export declare function validateCommandPaths(params: {
+    cwd: string;
+    allowedRoot: string;
+    pathPolicy: CommandPathPolicy;
+    segment: ParsedCommandSegment;
+    allowlist: CommandAllowlistPolicy;
+}): string | null;
+//# sourceMappingURL=command-path-guard.d.ts.map

package/dist/security/command-path-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-path-guard.d.ts","sourceRoot":"","sources":["../../src/security/command-path-guard.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAEzF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAiGxE,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,iBAAiB,CAAC;IAC9B,OAAO,EAAE,oBAAoB,CAAC;IAC9B,SAAS,EAAE,sBAAsB,CAAC;CACnC,GAAG,MAAM,GAAG,IAAI,CA0ChB"}

package/dist/security/command-path-guard.js

@@ -0,0 +1,126 @@
+import fs from "node:fs";
+import path from "node:path";
+import { unwrapExecutable } from "./command-trusted-executables.js";
+function isWithinRoot(targetPath, root) {
+    return targetPath === root || targetPath.startsWith(`${root}${path.sep}`);
+}
+function realOrResolved(targetPath) {
+    try {
+        return fs.realpathSync(targetPath);
+    }
+    catch {
+        return path.resolve(targetPath);
+    }
+}
+function validatePath(targetPath, allowedRoot, policy) {
+    const normalizedAllowedRoot = path.resolve(allowedRoot);
+    const resolved = realOrResolved(targetPath);
+    if (!isWithinRoot(resolved, normalizedAllowedRoot)) {
+        return `path escapes allowed root: ${targetPath}`;
+    }
+    for (const blockedRoot of policy.blockedRoots) {
+        const normalizedBlockedRoot = path.resolve(blockedRoot);
+        if (resolved === normalizedBlockedRoot || resolved.startsWith(`${normalizedBlockedRoot}${path.sep}`)) {
+            return `path hits blocked root: ${targetPath}`;
+        }
+    }
+    return null;
+}
+function looksLikePathToken(token) {
+    return (token === "." ||
+        token === ".." ||
+        token.startsWith("./") ||
+        token.startsWith("../") ||
+        token.startsWith("/") ||
+        token.includes("/"));
+}
+function basename(value) {
+    if (!value) {
+        return "";
+    }
+    return path.posix.basename(value).toLowerCase();
+}
+function candidatePathFromToken(token, cwd) {
+    if (path.isAbsolute(token)) {
+        return path.resolve(token);
+    }
+    return path.resolve(cwd, token);
+}
+function collectPositionalPathTokens(segment, allowlist) {
+    const executable = unwrapExecutable(segment, allowlist)?.split(/[\\/]/).pop()?.toLowerCase() ?? "";
+    const argv = [...segment.argv];
+    if (basename(segment.executable) === "env") {
+        let index = 1;
+        while (index < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(argv[index])) {
+            index += 1;
+        }
+        return collectPathTokensForExecutable(executable, argv.slice(index + 1));
+    }
+    return collectPathTokensForExecutable(executable, argv.slice(1));
+}
+function collectPathTokensForExecutable(executable, args) {
+    const paths = [];
+    if (executable === "node" || executable === "python" || executable === "python3" || executable === "bash" || executable === "sh" || executable === "zsh") {
+        for (let index = 0; index < args.length; index += 1) {
+            const arg = args[index];
+            if (arg === "-e" || arg === "--eval" || arg === "-c" || arg === "--command") {
+                paths.push("__INLINE_EVAL__");
+                return paths;
+            }
+            if (!arg.startsWith("-")) {
+                paths.push(arg);
+                return paths;
+            }
+        }
+        return paths;
+    }
+    if (executable === "npm" || executable === "npx" || executable === "pnpm" || executable === "pip" || executable === "pip3") {
+        return paths;
+    }
+    for (const arg of args) {
+        if (arg.startsWith("-")) {
+            continue;
+        }
+        if (looksLikePathToken(arg) || ["cat", "find", "grep", "sort", "sed", "awk", "git"].includes(executable)) {
+            paths.push(arg);
+        }
+    }
+    return paths;
+}
+export function validateCommandPaths(params) {
+    const unwrappedExecutable = basename(unwrapExecutable(params.segment, params.allowlist));
+    if ((unwrappedExecutable === "bash" || unwrappedExecutable === "sh" || unwrappedExecutable === "zsh") &&
+        params.segment.argv.some((arg) => arg === "-c" || arg === "--command")) {
+        return "inline shell command execution is not allowed";
+    }
+    if ((unwrappedExecutable === "node" ||
+        unwrappedExecutable === "python" ||
+        unwrappedExecutable === "python3") &&
+        params.segment.argv.some((arg) => arg === "-e" || arg === "--eval" || arg === "-c" || arg === "--command")) {
+        return "inline interpreter evaluation is not allowed";
+    }
+    const cwdError = validatePath(params.cwd, params.allowedRoot, params.pathPolicy);
+    if (cwdError) {
+        return cwdError;
+    }
+    for (const redirection of params.segment.redirections) {
+        const redirectionPath = candidatePathFromToken(redirection.target, params.cwd);
+        const redirectionError = validatePath(redirectionPath, params.allowedRoot, params.pathPolicy);
+        if (redirectionError) {
+            return redirectionError;
+        }
+    }
+    const tokens = collectPositionalPathTokens(params.segment, params.allowlist);
+    for (const token of tokens) {
+        if (token === "__INLINE_EVAL__") {
+            return "inline interpreter evaluation is not allowed";
+        }
+        const candidate = candidatePathFromToken(token, params.cwd);
+        const tokenError = validatePath(candidate, params.allowedRoot, params.pathPolicy);
+        if (tokenError) {
+            return tokenError;
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=command-path-guard.js.map

package/dist/security/command-path-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-path-guard.js","sourceRoot":"","sources":["../../src/security/command-path-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAGpE,SAAS,YAAY,CAAC,UAAkB,EAAE,IAAY;IACpD,OAAO,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,cAAc,CAAC,UAAkB;IACxC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,UAAkB,EAAE,WAAmB,EAAE,MAAyB;IACtF,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,qBAAqB,CAAC,EAAE,CAAC;QACnD,OAAO,8BAA8B,UAAU,EAAE,CAAC;IACpD,CAAC;IACD,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,QAAQ,KAAK,qBAAqB,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YACrG,OAAO,2BAA2B,UAAU,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,CACL,KAAK,KAAK,GAAG;QACb,KAAK,KAAK,IAAI;QACd,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QACtB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QACvB,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;QACrB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CACpB,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAoB;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa,EAAE,GAAW;IACxD,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,2BAA2B,CAAC,OAA6B,EAAE,SAAiC;IACnG,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACnG,MAAM,IAAI,GAAG,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,KAAK,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,OAAO,KAAK,GAAG,IAAI,CAAC,MAAM,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAE,CAAC,EAAE,CAAC;YAC5E,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;QACD,OAAO,8BAA8B,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,8BAA8B,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,8BAA8B,CAAC,UAAkB,EAAE,IAAc;IACxE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;QACzJ,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAE,CAAC;YACzB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;gBAC5E,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAC9B,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChB,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC3H,OAAO,KAAK,CAAC;IACf,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,SAAS;QACX,CAAC;QACD,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACzG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAMpC;IACC,MAAM,mBAAmB,GAAG,QAAQ,CAAC,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACzF,IACE,CAAC,mBAAmB,KAAK,MAAM,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,KAAK,CAAC;QACjG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,CAAC,EACtE,CAAC;QACD,OAAO,+CAA+C,CAAC;IACzD,CAAC;IACD,IACE,CAAC,mBAAmB,KAAK,MAAM;QAC7B,mBAAmB,KAAK,QAAQ;QAChC,mBAAmB,KAAK,SAAS,CAAC;QACpC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,CAAC,EAC1G,CAAC;QACD,OAAO,8CAA8C,CAAC;IACxD,CAAC;IAED,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IACjF,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,eAAe,GAAG,sBAAsB,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/E,MAAM,gBAAgB,GAAG,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9F,IAAI,gBAAgB,EAAE,CAAC;YACrB,OAAO,gBAAgB,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,2BAA2B,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7E,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,KAAK,iBAAiB,EAAE,CAAC;YAChC,OAAO,8CAA8C,CAAC;QACxD,CAAC;QACD,MAAM,SAAS,GAAG,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QAClF,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/security/command-policy-config.d.ts

@@ -0,0 +1,5 @@
+import type { CommandPolicyConfig } from "./command-policy-types.js";
+export declare function getDefaultCommandPolicyPath(): string;
+export declare function getDefaultCommandPolicy(): CommandPolicyConfig;
+export declare function loadCommandPolicy(configPath?: string): CommandPolicyConfig;
+//# sourceMappingURL=command-policy-config.d.ts.map

package/dist/security/command-policy-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-policy-config.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAgJrE,wBAAgB,2BAA2B,IAAI,MAAM,CAEpD;AAED,wBAAgB,uBAAuB,IAAI,mBAAmB,CAE7D;AAED,wBAAgB,iBAAiB,CAAC,UAAU,SAAsB,GAAG,mBAAmB,CAqFvF"}

package/dist/security/command-policy-config.js

@@ -0,0 +1,212 @@
+import fs from "node:fs";
+import path from "node:path";
+const DEFAULT_POLICY_PATH = process.env.PINGCLAW_COMMAND_POLICY_PATH?.trim() || "/pingclaw/command-policy.json";
+const DEFAULT_POLICY = {
+    version: 1,
+    dataRoot: "/data",
+    security: {
+        defaultMode: "allowlist",
+        approvalMode: "off",
+    },
+    exec: {
+        allowShell: true,
+        allowPty: true,
+        maxCommandLength: 8192,
+        defaultTimeoutSec: 1800,
+    },
+    pathPolicy: {
+        allowedRoots: ["/data"],
+        blockedRoots: [
+            "/",
+            "/etc",
+            "/usr",
+            "/var",
+            "/bin",
+            "/sbin",
+            "/lib",
+            "/lib64",
+            "/boot",
+            "/root",
+            "/home",
+            "/proc",
+            "/sys",
+            "/dev",
+            "/run",
+            "/mnt",
+            "/media",
+            "/tmp",
+        ],
+        followSymlink: true,
+        denyPathEscape: true,
+    },
+    safeBins: {
+        enabled: true,
+        trustedDirs: ["/bin", "/usr/bin"],
+        bins: ["jq", "cut", "uniq", "head", "tail", "tr", "wc", "grep", "sort"],
+        profiles: {
+            jq: {},
+            cut: {},
+            uniq: {},
+            head: {},
+            tail: {},
+            tr: {},
+            wc: {},
+            grep: {},
+            sort: {},
+        },
+    },
+    trustedExecutables: {
+        enabled: true,
+        executables: [
+            "/usr/bin/node",
+            "/usr/bin/npm",
+            "/usr/bin/npx",
+            "/usr/bin/pnpm",
+            "/usr/bin/python",
+            "/usr/bin/python3",
+            "/usr/bin/pip",
+            "/usr/bin/pip3",
+            "/usr/bin/bash",
+            "/usr/bin/sh",
+            "/usr/bin/zsh",
+            "/usr/bin/git",
+            "/usr/bin/grep",
+            "/usr/bin/sort",
+            "/usr/bin/find",
+            "/usr/bin/cat",
+            "/usr/bin/sed",
+            "/usr/bin/awk",
+            "/usr/bin/ls",
+            "/usr/bin/env",
+        ],
+    },
+    allowlist: {
+        executables: [
+            "/usr/bin/ls",
+            "/usr/bin/find",
+            "/usr/bin/cat",
+            "/usr/bin/grep",
+            "/usr/bin/sort",
+            "/usr/bin/git",
+            "/usr/bin/env",
+        ],
+        wrappers: ["env", "timeout", "stdbuf", "nohup"],
+    },
+    dangerousRules: {
+        denyExecutables: [
+            "mount",
+            "umount",
+            "losetup",
+            "mkfs",
+            "fdisk",
+            "parted",
+            "fsck",
+            "swapon",
+            "swapoff",
+            "sudo",
+            "su",
+            "passwd",
+            "useradd",
+            "usermod",
+            "groupadd",
+            "shutdown",
+            "reboot",
+            "poweroff",
+            "systemctl",
+            "service",
+            "iptables",
+            "nft",
+            "ufw",
+            "route",
+            "ip",
+            "docker",
+            "podman",
+            "nsenter",
+            "unshare",
+            "chroot",
+        ],
+        denyShellPatterns: ["curl|sh", "wget|sh", "curl|bash", "wget|bash", "nc -e", "bash -i", "/dev/tcp/"],
+        requireApprovalExecutables: [],
+        requireApprovalShellPatterns: [],
+    },
+};
+function normalizeStringArray(value, fallback) {
+    if (!Array.isArray(value)) {
+        return [...fallback];
+    }
+    const normalized = value
+        .map((entry) => (typeof entry === "string" ? entry.trim() : ""))
+        .filter((entry) => entry.length > 0);
+    return normalized.length > 0 ? normalized : [...fallback];
+}
+export function getDefaultCommandPolicyPath() {
+    return DEFAULT_POLICY_PATH;
+}
+export function getDefaultCommandPolicy() {
+    return JSON.parse(JSON.stringify(DEFAULT_POLICY));
+}
+export function loadCommandPolicy(configPath = DEFAULT_POLICY_PATH) {
+    if (!fs.existsSync(configPath)) {
+        return getDefaultCommandPolicy();
+    }
+    const raw = JSON.parse(fs.readFileSync(configPath, "utf8"));
+    const defaults = getDefaultCommandPolicy();
+    const dataRoot = typeof raw.dataRoot === "string" && raw.dataRoot.trim().length > 0
+        ? path.posix.normalize(raw.dataRoot.trim())
+        : defaults.dataRoot;
+    return {
+        version: typeof raw.version === "number" ? raw.version : defaults.version,
+        dataRoot,
+        security: {
+            defaultMode: raw.security?.defaultMode === "deny" ||
+                raw.security?.defaultMode === "allowlist" ||
+                raw.security?.defaultMode === "full"
+                ? raw.security.defaultMode
+                : defaults.security.defaultMode,
+            approvalMode: raw.security?.approvalMode === "off" ||
+                raw.security?.approvalMode === "on-miss" ||
+                raw.security?.approvalMode === "always"
+                ? raw.security.approvalMode
+                : defaults.security.approvalMode,
+        },
+        exec: {
+            allowShell: raw.exec?.allowShell ?? defaults.exec.allowShell,
+            allowPty: raw.exec?.allowPty ?? defaults.exec.allowPty,
+            maxCommandLength: typeof raw.exec?.maxCommandLength === "number"
+                ? raw.exec.maxCommandLength
+                : defaults.exec.maxCommandLength,
+            defaultTimeoutSec: typeof raw.exec?.defaultTimeoutSec === "number"
+                ? raw.exec.defaultTimeoutSec
+                : defaults.exec.defaultTimeoutSec,
+        },
+        pathPolicy: {
+            allowedRoots: normalizeStringArray(raw.pathPolicy?.allowedRoots, [dataRoot]),
+            blockedRoots: normalizeStringArray(raw.pathPolicy?.blockedRoots, defaults.pathPolicy.blockedRoots),
+            followSymlink: raw.pathPolicy?.followSymlink ?? defaults.pathPolicy.followSymlink,
+            denyPathEscape: raw.pathPolicy?.denyPathEscape ?? defaults.pathPolicy.denyPathEscape,
+        },
+        safeBins: {
+            enabled: raw.safeBins?.enabled ?? defaults.safeBins.enabled,
+            trustedDirs: normalizeStringArray(raw.safeBins?.trustedDirs, defaults.safeBins.trustedDirs),
+            bins: normalizeStringArray(raw.safeBins?.bins, defaults.safeBins.bins),
+            profiles: raw.safeBins?.profiles && typeof raw.safeBins.profiles === "object"
+                ? raw.safeBins.profiles
+                : defaults.safeBins.profiles,
+        },
+        trustedExecutables: {
+            enabled: raw.trustedExecutables?.enabled ?? defaults.trustedExecutables.enabled,
+            executables: normalizeStringArray(raw.trustedExecutables?.executables, defaults.trustedExecutables.executables),
+        },
+        allowlist: {
+            executables: normalizeStringArray(raw.allowlist?.executables, defaults.allowlist.executables),
+            wrappers: normalizeStringArray(raw.allowlist?.wrappers, defaults.allowlist.wrappers),
+        },
+        dangerousRules: {
+            denyExecutables: normalizeStringArray(raw.dangerousRules?.denyExecutables, defaults.dangerousRules.denyExecutables),
+            denyShellPatterns: normalizeStringArray(raw.dangerousRules?.denyShellPatterns, defaults.dangerousRules.denyShellPatterns),
+            requireApprovalExecutables: normalizeStringArray(raw.dangerousRules?.requireApprovalExecutables, defaults.dangerousRules.requireApprovalExecutables),
+            requireApprovalShellPatterns: normalizeStringArray(raw.dangerousRules?.requireApprovalShellPatterns, defaults.dangerousRules.requireApprovalShellPatterns),
+        },
+    };
+}
+//# sourceMappingURL=command-policy-config.js.map

package/dist/security/command-policy-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-policy-config.js","sourceRoot":"","sources":["../../src/security/command-policy-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,IAAI,EAAE,IAAI,+BAA+B,CAAC;AAEhH,MAAM,cAAc,GAAwB;IAC1C,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,OAAO;IACjB,QAAQ,EAAE;QACR,WAAW,EAAE,WAAW;QACxB,YAAY,EAAE,KAAK;KACpB;IACD,IAAI,EAAE;QACJ,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;KACxB;IACD,UAAU,EAAE;QACV,YAAY,EAAE,CAAC,OAAO,CAAC;QACvB,YAAY,EAAE;YACZ,GAAG;YACH,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,OAAO;YACP,MAAM;YACN,QAAQ;YACR,OAAO;YACP,OAAO;YACP,OAAO;YACP,OAAO;YACP,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM;SACP;QACD,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,IAAI;KACrB;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;QACjC,IAAI,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC;QACvE,QAAQ,EAAE;YACR,EAAE,EAAE,EAAE;YACN,GAAG,EAAE,EAAE;YACP,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;YACR,EAAE,EAAE,EAAE;YACN,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;SACT;KACF;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,IAAI;QACb,WAAW,EAAE;YACX,eAAe;YACf,cAAc;YACd,cAAc;YACd,eAAe;YACf,iBAAiB;YACjB,kBAAkB;YAClB,cAAc;YACd,eAAe;YACf,eAAe;YACf,aAAa;YACb,cAAc;YACd,cAAc;YACd,eAAe;YACf,eAAe;YACf,eAAe;YACf,cAAc;YACd,cAAc;YACd,cAAc;YACd,aAAa;YACb,cAAc;SACf;KACF;IACD,SAAS,EAAE;QACT,WAAW,EAAE;YACX,aAAa;YACb,eAAe;YACf,cAAc;YACd,eAAe;YACf,eAAe;YACf,cAAc;YACd,cAAc;SACf;QACD,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC;KAChD;IACD,cAAc,EAAE;QACd,eAAe,EAAE;YACf,OAAO;YACP,QAAQ;YACR,SAAS;YACT,MAAM;YACN,OAAO;YACP,QAAQ;YACR,MAAM;YACN,QAAQ;YACR,SAAS;YACT,MAAM;YACN,IAAI;YACJ,QAAQ;YACR,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU;YACV,QAAQ;YACR,UAAU;YACV,WAAW;YACX,SAAS;YACT,UAAU;YACV,KAAK;YACL,KAAK;YACL,OAAO;YACP,IAAI;YACJ,QAAQ;YACR,QAAQ;YACR,SAAS;YACT,SAAS;YACT,QAAQ;SACT;QACD,iBAAiB,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC;QACpG,0BAA0B,EAAE,EAAE;QAC9B,4BAA4B,EAAE,EAAE;KACjC;CACF,CAAC;AAEF,SAAS,oBAAoB,CAAC,KAAc,EAAE,QAAkB;IAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IACvB,CAAC;IACD,MAAM,UAAU,GAAG,KAAK;SACrB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SAC/D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACvC,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,UAAU,GAAG,mBAAmB;IAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAiC,CAAC;IAC5F,MAAM,QAAQ,GAAG,uBAAuB,EAAE,CAAC;IAC3C,MAAM,QAAQ,GACZ,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAExB,OAAO;QACL,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO;QACzE,QAAQ;QACR,QAAQ,EAAE;YACR,WAAW,EACT,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,MAAM;gBACpC,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,WAAW;gBACzC,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,MAAM;gBAClC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW;YACnC,YAAY,EACV,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,KAAK;gBACpC,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,SAAS;gBACxC,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,QAAQ;gBACrC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY;gBAC3B,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY;SACrC;QACD,IAAI,EAAE;YACJ,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,UAAU;YAC5D,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ;YACtD,gBAAgB,EACd,OAAO,GAAG,CAAC,IAAI,EAAE,gBAAgB,KAAK,QAAQ;gBAC5C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB;gBAC3B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,gBAAgB;YACpC,iBAAiB,EACf,OAAO,GAAG,CAAC,IAAI,EAAE,iBAAiB,KAAK,QAAQ;gBAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB;gBAC5B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB;SACtC;QACD,UAAU,EAAE;YACV,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,CAAC;YAC5E,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YAClG,aAAa,EAAE,GAAG,CAAC,UAAU,EAAE,aAAa,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa;YACjF,cAAc,EAAE,GAAG,CAAC,UAAU,EAAE,cAAc,IAAI,QAAQ,CAAC,UAAU,CAAC,cAAc;SACrF;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO;YAC3D,WAAW,EAAE,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC3F,IAAI,EAAE,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;YACtE,QAAQ,EACN,GAAG,CAAC,QAAQ,EAAE,QAAQ,IAAI,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,KAAK,QAAQ;gBACjE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ;gBACvB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ;SACjC;QACD,kBAAkB,EAAE;YAClB,OAAO,EAAE,GAAG,CAAC,kBAAkB,EAAE,OAAO,IAAI,QAAQ,CAAC,kBAAkB,CAAC,OAAO;YAC/E,WAAW,EAAE,oBAAoB,CAC/B,GAAG,CAAC,kBAAkB,EAAE,WAAW,EACnC,QAAQ,CAAC,kBAAkB,CAAC,WAAW,CACxC;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,SAAS,CAAC,WAAW,CAAC;YAC7F,QAAQ,EAAE,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC;SACrF;QACD,cAAc,EAAE;YACd,eAAe,EAAE,oBAAoB,CACnC,GAAG,CAAC,cAAc,EAAE,eAAe,EACnC,QAAQ,CAAC,cAAc,CAAC,eAAe,CACxC;YACD,iBAAiB,EAAE,oBAAoB,CACrC,GAAG,CAAC,cAAc,EAAE,iBAAiB,EACrC,QAAQ,CAAC,cAAc,CAAC,iBAAiB,CAC1C;YACD,0BAA0B,EAAE,oBAAoB,CAC9C,GAAG,CAAC,cAAc,EAAE,0BAA0B,EAC9C,QAAQ,CAAC,cAAc,CAAC,0BAA0B,CACnD;YACD,4BAA4B,EAAE,oBAAoB,CAChD,GAAG,CAAC,cAAc,EAAE,4BAA4B,EAChD,QAAQ,CAAC,cAAc,CAAC,4BAA4B,CACrD;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/security/command-policy-engine.d.ts

@@ -0,0 +1,8 @@
+import type { CommandPolicyConfig, CommandPolicyResult } from "./command-policy-types.js";
+export declare function evaluateCommandPolicy(params: {
+    command: string;
+    cwd: string;
+    allowedRoot: string;
+    policy: CommandPolicyConfig;
+}): CommandPolicyResult;
+//# sourceMappingURL=command-policy-engine.d.ts.map

package/dist/security/command-policy-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-policy-engine.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAO1F,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,mBAAmB,CAAC;CAC7B,GAAG,mBAAmB,CAgItB"}