npm - @ian2018cs/agenthub - Versions diffs - 0.1.59 → 0.1.60 - Mend

@ian2018cs/agenthub 0.1.59 → 0.1.60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/server/claude-sdk.js +10 -0
package/server/services/tool-guard/index.js +67 -7
package/server/services/tool-guard/rules.js +17 -34

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ian2018cs/agenthub",
-  "version": "0.1.59",
+  "version": "0.1.60",
   "description": "A web-based UI for AI Agents",
   "type": "module",
   "main": "server/index.js",

package/server/claude-sdk.js CHANGED Viewed

@@ -549,6 +549,16 @@ async function queryClaudeSDK(command, options = {}, ws) {
                     }
                   };
                 }
+                // 路径重写：将 .claude 路径替换为用户专属目录后告知 SDK 使用新参数
+                if (guardResult.modifiedInput) {
+                  return {
+                    hookSpecificOutput: {
+                      hookEventName: 'PreToolUse',
+                      permissionDecision: 'allow',
+                      updatedInput: guardResult.modifiedInput,
+                    }
+                  };
+                }
               } catch (err) {
                 console.error(`[ToolGuard] Error evaluating ${hookInput.tool_name}:`, err.message);
                 // 守卫出错时不阻塞正常流程，降级为原有权限控制

package/server/services/tool-guard/index.js CHANGED Viewed

@@ -7,27 +7,85 @@
 import { evaluateRules } from './rules.js';
 import { reviewWithLLM } from './llm-reviewer.js';
-import { getUserPaths, DATA_DIR } from '../user-directories.js';
+import { DATA_DIR, getUserPaths } from '../user-directories.js';
 import path from 'path';
 const VERBOSE = process.env.TOOL_GUARD_VERBOSE === 'true';
+/**
+ * 将工具输入中的 .claude 路径重写为用户专属 claudeDir
+ *
+ * 处理以下模式（以便多用户环境下正确访问技能、配置等）：
+ *   ~/.claude/...      → claudeDir/...
+ *   $HOME/.claude/...  → claudeDir/...
+ *   ./.claude/...      → claudeDir/...（相对路径，常见于技能脚本调用）
+ *
+ * @param {string} toolName
+ * @param {Record<string, unknown>} input
+ * @param {string} claudeDir - 用户的 .claude 绝对路径
+ * @returns {Record<string, unknown>|null} 有改动时返回新 input 对象，否则返回 null
+ */
+function rewriteClaudePaths(toolName, input, claudeDir) {
+  if (!input || !claudeDir) return null;
+  function replaceInStr(str) {
+    if (!str || typeof str !== 'string') return str;
+    let s = str;
+    // ~/.claude
+    s = s.replace(/~\/\.claude(\/|$)/g, `${claudeDir}$1`);
+    // $HOME/.claude
+    s = s.replace(/\$HOME\/\.claude(\/|$)/g, `${claudeDir}$1`);
+    // ./.claude（前面是行首、空白或引号）
+    s = s.replace(/(^|[\s"'])\.\/\.claude(\/|$)/g, `$1${claudeDir}$2`);
+    return s;
+  }
+  const newInput = { ...input };
+  let modified = false;
+  if (['Read', 'Write', 'Edit'].includes(toolName) && typeof input.file_path === 'string') {
+    const rewritten = replaceInStr(input.file_path);
+    if (rewritten !== input.file_path) { newInput.file_path = rewritten; modified = true; }
+  }
+  if (['Glob', 'Grep'].includes(toolName) && typeof input.path === 'string') {
+    const rewritten = replaceInStr(input.path);
+    if (rewritten !== input.path) { newInput.path = rewritten; modified = true; }
+  }
+  if (toolName === 'Bash' && typeof input.command === 'string') {
+    const rewritten = replaceInStr(input.command);
+    if (rewritten !== input.command) { newInput.command = rewritten; modified = true; }
+  }
+  return modified ? newInput : null;
+}
 /**
  * 评估工具调用是否安全
  * @param {string} toolName - 工具名称（如 Bash, Read, Write, Edit, Glob, Grep）
  * @param {Record<string, unknown>} input - 工具参数
  * @param {{ userUuid: string, cwd?: string }} opts
- * @returns {Promise<{ allowed: boolean, reason?: string }>}
+ * @returns {Promise<{ allowed: boolean, reason?: string, modifiedInput?: Record<string, unknown> }>}
  */
 export async function evaluate(toolName, input, { userUuid, cwd }) {
   if (process.env.TOOL_GUARD_ENABLED === 'false') {
     return { allowed: true };
   }
+  // 路径适配：将 .claude 相关路径重写为用户专属目录（多用户模式兼容）
+  const { claudeDir } = getUserPaths(userUuid);
+  const rewrittenInput = rewriteClaudePaths(toolName, input, claudeDir);
+  const effectiveInput = rewrittenInput || input;
+  if (rewrittenInput && VERBOSE) {
+    console.log(`[ToolGuard] PATH-REWRITE ${toolName}: .claude paths → ${claudeDir}`);
+  }
   const context = buildContext(userUuid, cwd);
   // Phase 1: 正则规则快速检查
-  const { denied, uncertain, denyReasons, uncertainReasons } = evaluateRules(toolName, input, context);
+  const { denied, uncertain, denyReasons, uncertainReasons } = evaluateRules(toolName, effectiveInput, context);
   if (denied) {
     if (VERBOSE) console.log(`[ToolGuard] RULE-DENY ${toolName}: ${denyReasons.join('; ')}`);
@@ -36,19 +94,21 @@ export async function evaluate(toolName, input, { userUuid, cwd }) {
   if (!uncertain) {
     if (VERBOSE) console.log(`[ToolGuard] RULE-ALLOW ${toolName}`);
-    return { allowed: true };
+    return rewrittenInput ? { allowed: true, modifiedInput: rewrittenInput } : { allowed: true };
   }
   // Phase 2: LLM 兜底审查
   if (process.env.TOOL_GUARD_LLM_ENABLED === 'false') {
     if (VERBOSE) console.log(`[ToolGuard] LLM disabled, UNCERTAIN→ALLOW ${toolName}`);
-    return { allowed: true };
+    return rewrittenInput ? { allowed: true, modifiedInput: rewrittenInput } : { allowed: true };
   }
   try {
-    const llmResult = await reviewWithLLM(toolName, input, context, uncertainReasons);
+    const llmResult = await reviewWithLLM(toolName, effectiveInput, context, uncertainReasons);
     if (VERBOSE) console.log(`[ToolGuard] LLM-${llmResult.allowed ? 'ALLOW' : 'DENY'} ${toolName}: ${llmResult.reason || ''}`);
-    return llmResult;
+    return rewrittenInput && llmResult.allowed
+      ? { ...llmResult, modifiedInput: rewrittenInput }
+      : llmResult;
   } catch (err) {
     console.error(`[ToolGuard] LLM review error for ${toolName}:`, err.message);
     // LLM 失败时安全兜底：拒绝

package/server/services/tool-guard/rules.js CHANGED Viewed

@@ -86,19 +86,8 @@ function checkPathsInContent(content, context) {
   const pathPattern = /(?:^|\s|=|"|')(\/[^\s"'`;|&><){}$]+)/gm;
   let match;
   while ((match = pathPattern.exec(nonCommentContent)) !== null) {
-    const resolvedPath = path.resolve(match[1]);
-    // 安全路径跳过
-    if (SAFE_SPECIAL_PATHS.includes(resolvedPath)) continue;
-    if (SAFE_COMMAND_PATHS.some(prefix => resolvedPath.startsWith(prefix))) continue;
-    if (isPathAllowed(resolvedPath, context)) continue;
-    if (isInTempDir(resolvedPath, context)) continue;
-    // 占位符/示例路径跳过
-    if (PLACEHOLDER_PATH_PREFIXES.some(prefix => resolvedPath.startsWith(prefix))) continue;
-    // API 端点路径跳过（/v1/..., /api/... 等，不是文件系统路径）
-    if (API_PATH_PATTERN.test(resolvedPath)) continue;
-    // 路径在文件系统上不存在 → 不是真实文件（API 路径、变量占位符等），无法被访问
-    if (!existsSync(resolvedPath)) continue;
-    return { denied: true, reason: `访问项目目录之外的路径: ${resolvedPath}` };
+    const bad = checkResolvedPath(path.resolve(match[1]), context);
+    if (bad) return { denied: true, reason: `访问项目目录之外的路径: ${bad}` };
   }
   return { denied: false };
 }
@@ -151,8 +140,19 @@ function hasTempUserSubdir(resolvedPath, context) {
   return resolvedPath.includes('/' + context.userUuid + '/') || resolvedPath.includes('/' + context.userUuid);
 }
-/** 系统敏感路径前缀 */
-const SYSTEM_PATHS = ['/etc/', '/usr/', '/var/', '/sys/', '/proc/', '/dev/', '/boot/', '/sbin/', '/lib/', '/bin/'];
+/**
+ * 对已解析的绝对路径执行统一白名单检查（供内容扫描和 Bash 命令扫描复用）
+ * @returns {string|null} null = 通过；字符串 = 越界的路径
+ */
+function checkResolvedPath(resolvedPath, context) {
+  if (SAFE_SPECIAL_PATHS.includes(resolvedPath)) return null;
+  if (SAFE_COMMAND_PATHS.some(prefix => resolvedPath.startsWith(prefix))) return null;
+  if (isPathAllowed(resolvedPath, context)) return null;
+  if (isInTempDir(resolvedPath, context)) return null;
+  if (PLACEHOLDER_PATH_PREFIXES.some(prefix => resolvedPath.startsWith(prefix))) return null;
+  if (!existsSync(resolvedPath)) return null;
+  return resolvedPath;
+}
 /** 安全命令路径前缀（用于 Bash 路径提取时排除） */
 const SAFE_COMMAND_PATHS = ['/usr/bin/', '/usr/local/bin/', '/bin/', '/sbin/', '/usr/sbin/', '/opt/homebrew/bin/'];
@@ -163,8 +163,6 @@ const SAFE_SPECIAL_PATHS = ['/dev/null', '/dev/stdin', '/dev/stdout', '/dev/stde
 /** 常见占位符路径前缀（示例/文档用途，不应被视为真实访问路径） */
 const PLACEHOLDER_PATH_PREFIXES = ['/path/to/', '/your/', '/example/', '/placeholder/'];
-/** API 路径模式：匹配 REST API 风格路径（如 /v1/images/generations），不是文件系统路径 */
-const API_PATH_PATTERN = /^\/(?:v\d+|api|graphql|rpc|rest|openapi|swagger)\//;
 /**
  * 检查单个文件路径的安全性
@@ -589,23 +587,8 @@ const rules = [
       }
       for (const rawPath of extractedPaths) {
-        const resolvedPath = path.resolve(rawPath);
-        // 白名单：只有以下路径允许通过，其他一律拒绝
-        // 1. 安全的特殊路径（/dev/null 等）
-        if (SAFE_SPECIAL_PATHS.includes(resolvedPath)) continue;
-        // 2. 命令路径（/usr/bin/ 等）— 执行命令本身，不是访问文件
-        if (SAFE_COMMAND_PATHS.some(prefix => resolvedPath.startsWith(prefix))) continue;
-        // 3. 在用户允许的目录内（user-data/{uuid}/, user-projects/{uuid}/, cwd）
-        if (isPathAllowed(resolvedPath, context)) continue;
-        // 4. 在临时目录中且有用户子目录 → 已由 temp-dir-isolation 规则处理，跳过
-        if (isInTempDir(resolvedPath, context)) continue;
-        // 不在白名单中 → DENY
-        return { result: 'deny', reason: `不允许访问项目目录之外的路径: ${resolvedPath}` };
+        const bad = checkResolvedPath(path.resolve(rawPath), context);
+        if (bad) return { result: 'deny', reason: `不允许访问项目目录之外的路径: ${bad}` };
       }
       // 检查命令复杂度：包含变量替换、子 shell 等 → UNCERTAIN