@hiro-c/agent-gate 1.3.0 → 1.4.0

package/dist/deterministic/bashAnalysis.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Light-weight bash analysis utilities used by deterministic rules to
+ * see past common obfuscation patterns. This is intentionally not a
+ * full shell parser; it handles the cases that matter for guardrails
+ * (separators, quoting, heredoc redirects, command substitution
+ * markers) and stays small.
+ */
+/**
+ * Split a command line into top-level statements separated by `;`,
+ * `&&`, `||`, `|`, or newline. Respects single- and double-quoted
+ * regions so separators inside strings are preserved as part of the
+ * statement.
+ *
+ * Trims and drops empty results.
+ */
+export declare function splitStatements(command: string): string[];
+/**
+ * Return any redirect targets that follow a heredoc operator. Each
+ * `cat <<EOF > target` (or `>> target`) anywhere in the command
+ * contributes one entry. Returns the raw target token without quote
+ * stripping.
+ */
+export declare function extractHeredocTargets(command: string): string[];
+/**
+ * True when the command uses command substitution `$(...)` / backticks,
+ * or a non-literal variable reference (anything other than the well-
+ * known `$HOME` / `$USER` / `$PWD` which the catastrophic-path rule
+ * already understands).
+ */
+export declare function hasObfuscation(command: string): boolean;
+//# sourceMappingURL=bashAnalysis.d.ts.map

package/dist/deterministic/bashAnalysis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bashAnalysis.d.ts","sourceRoot":"","sources":["../../src/deterministic/bashAnalysis.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CA2CzD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAS/D;AAWD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAYvD"}

package/dist/deterministic/bashAnalysis.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * Light-weight bash analysis utilities used by deterministic rules to
+ * see past common obfuscation patterns. This is intentionally not a
+ * full shell parser; it handles the cases that matter for guardrails
+ * (separators, quoting, heredoc redirects, command substitution
+ * markers) and stays small.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.splitStatements = splitStatements;
+exports.extractHeredocTargets = extractHeredocTargets;
+exports.hasObfuscation = hasObfuscation;
+/**
+ * Split a command line into top-level statements separated by `;`,
+ * `&&`, `||`, `|`, or newline. Respects single- and double-quoted
+ * regions so separators inside strings are preserved as part of the
+ * statement.
+ *
+ * Trims and drops empty results.
+ */
+function splitStatements(command) {
+    const out = [];
+    let buf = '';
+    let i = 0;
+    let quote = null;
+    while (i < command.length) {
+        const c = command[i];
+        if (quote) {
+            buf += c;
+            if (c === quote)
+                quote = null;
+            i++;
+            continue;
+        }
+        if (c === '"' || c === "'") {
+            quote = c;
+            buf += c;
+            i++;
+            continue;
+        }
+        if (c === ';' || c === '\n' || c === '|') {
+            // `||` collapses with `|`; `&&` handled below.
+            out.push(buf);
+            buf = '';
+            i++;
+            // collapse a trailing | of `||`
+            if (c === '|' && command[i] === '|')
+                i++;
+            continue;
+        }
+        if (c === '&' && command[i + 1] === '&') {
+            out.push(buf);
+            buf = '';
+            i += 2;
+            continue;
+        }
+        buf += c;
+        i++;
+    }
+    out.push(buf);
+    return out.map((s) => s.trim()).filter((s) => s.length > 0);
+}
+/**
+ * Return any redirect targets that follow a heredoc operator. Each
+ * `cat <<EOF > target` (or `>> target`) anywhere in the command
+ * contributes one entry. Returns the raw target token without quote
+ * stripping.
+ */
+function extractHeredocTargets(command) {
+    const targets = [];
+    // `<<` or `<<-`, optional `'TAG'` or `"TAG"` or bare TAG, then a redirect.
+    // We are permissive about whitespace.
+    const re = /<<-?\s*(?:['"]?\w+['"]?)\s*(?:>>?)\s*([^\s;|&<>]+)/g;
+    for (const m of command.matchAll(re)) {
+        if (m[1])
+            targets.push(m[1]);
+    }
+    return targets;
+}
+const KNOWN_LITERAL_VARS = new Set([
+    '$HOME',
+    '${HOME}',
+    '$PWD',
+    '${PWD}',
+    '$USER',
+    '${USER}',
+]);
+/**
+ * True when the command uses command substitution `$(...)` / backticks,
+ * or a non-literal variable reference (anything other than the well-
+ * known `$HOME` / `$USER` / `$PWD` which the catastrophic-path rule
+ * already understands).
+ */
+function hasObfuscation(command) {
+    if (/\$\([^)]*\)/.test(command))
+        return true;
+    if (/`[^`]*`/.test(command))
+        return true;
+    // Match each $VAR / ${VAR} occurrence and decide whether it is one
+    // of the literal allowlist.
+    const re = /\$\{?[A-Za-z_][A-Za-z0-9_]*\}?/g;
+    for (const m of command.matchAll(re)) {
+        const tok = m[0];
+        if (!KNOWN_LITERAL_VARS.has(tok))
+            return true;
+    }
+    return false;
+}

package/dist/deterministic/rules/preventBashSecretWrite.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"preventBashSecretWrite.d.ts","sourceRoot":"","sources":["../../../src/deterministic/rules/preventBashSecretWrite.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAe,MAAM,UAAU,CAAA;AAwDzD,eAAO,MAAM,sBAAsB,EAAE,iBAkBpC,CAAA"}
+{"version":3,"file":"preventBashSecretWrite.d.ts","sourceRoot":"","sources":["../../../src/deterministic/rules/preventBashSecretWrite.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAe,MAAM,UAAU,CAAA;AA6DzD,eAAO,MAAM,sBAAsB,EAAE,iBAsBpC,CAAA"}

package/dist/deterministic/rules/preventBashSecretWrite.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.preventBashSecretWrite = void 0;
+const bashAnalysis_1 = require("../bashAnalysis");
 const TEMPLATE_SUFFIXES = ['.example', '.sample', '.template', '.dist'];
 function basename(path) {
     const cleaned = path.replace(/[\s'"]+$/, '');
@@ -30,18 +31,18 @@ function isSecretTargetPath(rawPath) {
     return false;
 }
 /**
- * Extracts files that the command writes to via redirect (>, >>) or `tee`.
- * Conservative: matches the next non-flag token after the operator/word.
+ * Extracts every file the command writes to:
+ *   1. Standard redirects (`>`, `>>`, `1>`, `2>`, `&>`)
+ *   2. `tee [-a] FILE [FILE ...]`
+ *   3. Heredoc redirects (`cat <<EOF > file`)
  */
 function extractWriteTargets(command) {
     const targets = [];
-    // Redirect operators: >, >>, &>, &>>, 1>, 2> etc.
     const redirectRe = /[12&]?>>?\s*([^\s;|&<>]+)/g;
     for (const m of command.matchAll(redirectRe)) {
         if (m[1])
             targets.push(m[1]);
     }
-    // tee [-a] FILE [FILE ...]
     const teeRe = /\btee\b(?:\s+-[A-Za-z]+)*\s+([^\s;|&<>]+(?:\s+[^\s;|&<>]+)*)/g;
     for (const m of command.matchAll(teeRe)) {
         if (m[1]) {
@@ -51,6 +52,9 @@ function extractWriteTargets(command) {
             }
         }
     }
+    for (const t of (0, bashAnalysis_1.extractHeredocTargets)(command)) {
+        targets.push(t);
+    }
     return targets;
 }
 exports.preventBashSecretWrite = {
@@ -61,13 +65,17 @@ exports.preventBashSecretWrite = {
         const command = toolInput.command;
         if (typeof command !== 'string')
             return { kind: 'allow' };
-        const targets = extractWriteTargets(command);
-        for (const target of targets) {
-            if (isSecretTargetPath(target)) {
-                return {
-                    kind: 'block',
-                    reason: `Refusing to write to a likely secret/credential file via shell redirect: ${target}. If this is intentional, run the command manually outside of the agent.`,
-                };
+        // Inspect each top-level statement; heredoc spans newlines so the
+        // statement splitter preserves the heredoc body inside its segment.
+        for (const stmt of (0, bashAnalysis_1.splitStatements)(command)) {
+            const targets = extractWriteTargets(stmt);
+            for (const target of targets) {
+                if (isSecretTargetPath(target)) {
+                    return {
+                        kind: 'block',
+                        reason: `Refusing to write to a likely secret/credential file via shell redirect: ${target}. If this is intentional, run the command manually outside of the agent.`,
+                    };
+                }
             }
         }
         return { kind: 'allow' };

package/dist/deterministic/rules/preventRmRfRoot.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"preventRmRfRoot.d.ts","sourceRoot":"","sources":["../../../src/deterministic/rules/preventRmRfRoot.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAe,MAAM,UAAU,CAAA;AA+CzD,eAAO,MAAM,eAAe,EAAE,iBAmB7B,CAAA"}
+{"version":3,"file":"preventRmRfRoot.d.ts","sourceRoot":"","sources":["../../../src/deterministic/rules/preventRmRfRoot.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAe,MAAM,UAAU,CAAA;AA0EzD,eAAO,MAAM,eAAe,EAAE,iBAa7B,CAAA"}

package/dist/deterministic/rules/preventRmRfRoot.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.preventRmRfRoot = void 0;
+const bashAnalysis_1 = require("../bashAnalysis");
 const CATASTROPHIC_TARGETS = new Set([
     '/',
     '$HOME',
@@ -44,6 +45,29 @@ function extractTargets(command) {
     const tokens = trimmed.split(/\s+/);
     return tokens.slice(1).filter((t) => !t.startsWith('-'));
 }
+function evaluateStatement(stmt) {
+    if (!isRecursiveForceRm(stmt))
+        return { kind: 'allow' };
+    // Substitution / unresolved variable targets cannot be evaluated
+    // statically. Treat them as suspicious: we cannot prove they are not
+    // catastrophic, so block.
+    if ((0, bashAnalysis_1.hasObfuscation)(stmt)) {
+        return {
+            kind: 'block',
+            reason: 'Refusing recursive rm whose target is a command substitution or unresolved variable. The target cannot be evaluated statically, so the operation is rejected as a safety precaution.',
+        };
+    }
+    const targets = extractTargets(stmt);
+    for (const target of targets) {
+        if (CATASTROPHIC_TARGETS.has(target)) {
+            return {
+                kind: 'block',
+                reason: `Refusing to run recursive rm on a catastrophic path: ${target}. If this is genuinely intended, run the command manually outside of the agent.`,
+            };
+        }
+    }
+    return { kind: 'allow' };
+}
 exports.preventRmRfRoot = {
     id: 'prevent-rm-rf-root',
     check(toolName, toolInput) {
@@ -52,16 +76,10 @@ exports.preventRmRfRoot = {
         const command = toolInput.command;
         if (typeof command !== 'string')
             return { kind: 'allow' };
-        if (!isRecursiveForceRm(command))
-            return { kind: 'allow' };
-        const targets = extractTargets(command);
-        for (const target of targets) {
-            if (CATASTROPHIC_TARGETS.has(target)) {
-                return {
-                    kind: 'block',
-                    reason: `Refusing to run recursive rm on a catastrophic path: ${target}. If this is genuinely intended, run the command manually outside of the agent.`,
-                };
-            }
+        for (const stmt of (0, bashAnalysis_1.splitStatements)(command)) {
+            const v = evaluateStatement(stmt);
+            if (v.kind === 'block')
+                return v;
         }
         return { kind: 'allow' };
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hiro-c/agent-gate",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Runtime rule enforcer for AI coding agents. Reads CLAUDE.md / AGENTS.md / .cursorrules and enforces them via Claude Code and Cursor hooks, with a deterministic safety baseline.",
   "author": "Hiro-Chiba",
   "license": "MIT",