@melihmucuk/leash 1.0.5 → 1.0.6

package/README.md

@@ -16,6 +16,16 @@ AI agents can hallucinate dangerous commands. Leash sandboxes them:
 
 ![Claude Code](assets/claude-code.png)
 
+## Example horror stories
+
+<img height="400" alt="image" src="https://github.com/user-attachments/assets/db503024-94ca-4443-b80e-b63fbc740367" />
+
+<img height="400" alt="image" src="https://github.com/user-attachments/assets/94f0a4e5-db6c-4b14-bddd-b8984c51ed3d" />
+
+Links:
+1. [Claude CLI deleted my entire home directory (Dec 8th 2025)](https://www.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cli_deleted_my_entire_home_directory_wiped/)
+2. [Google Antigravity just deleted my drive (Nov 27th 2025)](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)
+
 ## Quick Start
 
 ```bash
@@ -164,6 +174,8 @@ rm -rf /tmp/build-cache           # ✅ Temp directory
 rm .env.example                   # ✅ Example files allowed
 git commit -m "message"           # ✅ Safe git commands
 git push origin main              # ✅ Normal push (no --force)
+echo "plan" > ~/.claude/plans/x   # ✅ Platform config directories
+rm ~/.pi/agent/old.md             # ✅ Platform config directories
 ```
 
 <details>
@@ -277,6 +289,14 @@ rm -rf /tmp/build-cache
 echo "data" > /tmp/output.txt
 rsync -av --delete ./src/ /tmp/backup/
 
+# Platform config directories
+rm ~/.claude/plans/old-plan.md
+echo "config" > ~/.factory/cache.json
+rm ~/.pi/agent/temp.md
+rm ~/.config/opencode/cache.json
+find ~/.claude -name '*.tmp' -delete
+rsync -av --delete ./src/ ~/.pi/backup/
+
 # Device paths
 echo "x" > /dev/null
 truncate -s 0 /dev/null

package/dist/claude-code/leash.js

@@ -32,6 +32,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -103,6 +109,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -134,6 +146,7 @@ var CommandAnalyzer = class {
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -262,7 +275,7 @@ var CommandAnalyzer = class {
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -306,7 +319,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -456,7 +469,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/dist/factory/leash.js

@@ -32,6 +32,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -103,6 +109,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -134,6 +146,7 @@ var CommandAnalyzer = class {
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -262,7 +275,7 @@ var CommandAnalyzer = class {
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -306,7 +319,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -456,7 +469,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/dist/opencode/leash.js

@@ -30,6 +30,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -101,6 +107,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -132,6 +144,7 @@ var CommandAnalyzer = class {
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -260,7 +273,7 @@ var CommandAnalyzer = class {
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -304,7 +317,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -454,7 +467,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/dist/pi/leash.js

@@ -30,6 +30,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -101,6 +107,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -132,6 +144,7 @@ var CommandAnalyzer = class {
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -260,7 +273,7 @@ var CommandAnalyzer = class {
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -304,7 +317,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -454,7 +467,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@melihmucuk/leash",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "type": "module",
   "description": "Security guardrails for AI coding agents",
   "bin": {