@melihmucuk/leash 1.0.5 → 1.0.7

package/README.md

@@ -16,6 +16,16 @@ AI agents can hallucinate dangerous commands. Leash sandboxes them:
 
 ![Claude Code](assets/claude-code.png)
 
+## Example horror stories
+
+<img height="400" alt="image" src="https://github.com/user-attachments/assets/db503024-94ca-4443-b80e-b63fbc740367" />
+
+<img height="400" alt="image" src="https://github.com/user-attachments/assets/94f0a4e5-db6c-4b14-bddd-b8984c51ed3d" />
+
+Links:
+1. [Claude CLI deleted my entire home directory (Dec 8th 2025)](https://www.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cli_deleted_my_entire_home_directory_wiped/)
+2. [Google Antigravity just deleted my drive (Nov 27th 2025)](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)
+
 ## Quick Start
 
 ```bash
@@ -164,6 +174,8 @@ rm -rf /tmp/build-cache           # ✅ Temp directory
 rm .env.example                   # ✅ Example files allowed
 git commit -m "message"           # ✅ Safe git commands
 git push origin main              # ✅ Normal push (no --force)
+echo "plan" > ~/.claude/plans/x   # ✅ Platform config directories
+rm ~/.pi/agent/old.md             # ✅ Platform config directories
 ```
 
 <details>
@@ -277,6 +289,14 @@ rm -rf /tmp/build-cache
 echo "data" > /tmp/output.txt
 rsync -av --delete ./src/ /tmp/backup/
 
+# Platform config directories
+rm ~/.claude/plans/old-plan.md
+echo "config" > ~/.factory/cache.json
+rm ~/.pi/agent/temp.md
+rm ~/.config/opencode/cache.json
+find ~/.claude -name '*.tmp' -delete
+rsync -av --delete ./src/ ~/.pi/backup/
+
 # Device paths
 echo "x" > /dev/null
 truncate -s 0 /dev/null

package/dist/claude-code/leash.js

@@ -32,6 +32,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -103,6 +109,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -131,9 +143,31 @@ var CommandAnalyzer = class {
     const expanded = this.pathValidator.expand(path);
     return resolveBase ? resolve2(resolveBase, expanded) : expanded;
   }
+  /**
+   * Strip heredoc content from command before analyzing redirects.
+   * Handles: <<EOF, <<'EOF', <<"EOF", <<-EOF
+   */
+  stripHeredocs(command) {
+    const heredocStart = /<<-?\s*(['"]?)(\w+)\1/g;
+    let result = command;
+    let match;
+    while ((match = heredocStart.exec(command)) !== null) {
+      const delimiter = match[2];
+      const endPattern = new RegExp(`\\n\\t*${delimiter}\\s*(?:\\n|$)`);
+      const startIndex = match.index;
+      const contentAfterStart = command.slice(match.index + match[0].length);
+      const endMatch = endPattern.exec(contentAfterStart);
+      if (endMatch) {
+        const endIndex = match.index + match[0].length + endMatch.index + endMatch[0].length;
+        result = result.slice(0, startIndex) + result.slice(endIndex);
+      }
+    }
+    return result;
+  }
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -256,13 +290,14 @@ var CommandAnalyzer = class {
     return commands;
   }
   checkRedirects(command) {
-    const matches = command.matchAll(REDIRECT_PATTERN);
+    const strippedCommand = this.stripHeredocs(command);
+    const matches = strippedCommand.matchAll(REDIRECT_PATTERN);
     for (const match of matches) {
       const path = match[1] || match[2] || match[3];
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -306,7 +341,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -456,7 +491,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/dist/factory/leash.js

@@ -32,6 +32,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -103,6 +109,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -131,9 +143,31 @@ var CommandAnalyzer = class {
     const expanded = this.pathValidator.expand(path);
     return resolveBase ? resolve2(resolveBase, expanded) : expanded;
   }
+  /**
+   * Strip heredoc content from command before analyzing redirects.
+   * Handles: <<EOF, <<'EOF', <<"EOF", <<-EOF
+   */
+  stripHeredocs(command) {
+    const heredocStart = /<<-?\s*(['"]?)(\w+)\1/g;
+    let result = command;
+    let match;
+    while ((match = heredocStart.exec(command)) !== null) {
+      const delimiter = match[2];
+      const endPattern = new RegExp(`\\n\\t*${delimiter}\\s*(?:\\n|$)`);
+      const startIndex = match.index;
+      const contentAfterStart = command.slice(match.index + match[0].length);
+      const endMatch = endPattern.exec(contentAfterStart);
+      if (endMatch) {
+        const endIndex = match.index + match[0].length + endMatch.index + endMatch[0].length;
+        result = result.slice(0, startIndex) + result.slice(endIndex);
+      }
+    }
+    return result;
+  }
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -256,13 +290,14 @@ var CommandAnalyzer = class {
     return commands;
   }
   checkRedirects(command) {
-    const matches = command.matchAll(REDIRECT_PATTERN);
+    const strippedCommand = this.stripHeredocs(command);
+    const matches = strippedCommand.matchAll(REDIRECT_PATTERN);
     for (const match of matches) {
       const path = match[1] || match[2] || match[3];
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -306,7 +341,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -456,7 +491,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/dist/opencode/leash.js

@@ -30,6 +30,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -101,6 +107,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -129,9 +141,31 @@ var CommandAnalyzer = class {
     const expanded = this.pathValidator.expand(path);
     return resolveBase ? resolve2(resolveBase, expanded) : expanded;
   }
+  /**
+   * Strip heredoc content from command before analyzing redirects.
+   * Handles: <<EOF, <<'EOF', <<"EOF", <<-EOF
+   */
+  stripHeredocs(command) {
+    const heredocStart = /<<-?\s*(['"]?)(\w+)\1/g;
+    let result = command;
+    let match;
+    while ((match = heredocStart.exec(command)) !== null) {
+      const delimiter = match[2];
+      const endPattern = new RegExp(`\\n\\t*${delimiter}\\s*(?:\\n|$)`);
+      const startIndex = match.index;
+      const contentAfterStart = command.slice(match.index + match[0].length);
+      const endMatch = endPattern.exec(contentAfterStart);
+      if (endMatch) {
+        const endIndex = match.index + match[0].length + endMatch.index + endMatch[0].length;
+        result = result.slice(0, startIndex) + result.slice(endIndex);
+      }
+    }
+    return result;
+  }
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -254,13 +288,14 @@ var CommandAnalyzer = class {
     return commands;
   }
   checkRedirects(command) {
-    const matches = command.matchAll(REDIRECT_PATTERN);
+    const strippedCommand = this.stripHeredocs(command);
+    const matches = strippedCommand.matchAll(REDIRECT_PATTERN);
     for (const match of matches) {
       const path = match[1] || match[2] || match[3];
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -304,7 +339,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -454,7 +489,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/dist/pi/leash.js

@@ -30,6 +30,12 @@ var DANGEROUS_PATTERNS = [
 ];
 var REDIRECT_PATTERN = />{1,2}\s*(?:"([^"]+)"|'([^']+)'|([^\s;|&>]+))/g;
 var DEVICE_PATHS = ["/dev/null", "/dev/stdin", "/dev/stdout", "/dev/stderr"];
+var PLATFORM_PATHS = [
+  ".claude",
+  ".factory",
+  ".pi",
+  ".config/opencode"
+];
 var TEMP_PATHS = [
   "/tmp",
   "/var/tmp",
@@ -101,6 +107,12 @@ var PathValidator = class {
     const resolved = this.resolveReal(path);
     return this.matchesAny(resolved, TEMP_PATHS);
   }
+  isPlatformPath(path) {
+    const resolved = this.resolveReal(path);
+    const home = homedir();
+    const platformPaths = PLATFORM_PATHS.map((p) => `${home}/${p}`);
+    return this.matchesAny(resolved, platformPaths);
+  }
   isProtectedPath(path) {
     if (!this.isWithinWorkingDir(path)) {
       return { protected: false };
@@ -129,9 +141,31 @@ var CommandAnalyzer = class {
     const expanded = this.pathValidator.expand(path);
     return resolveBase ? resolve2(resolveBase, expanded) : expanded;
   }
+  /**
+   * Strip heredoc content from command before analyzing redirects.
+   * Handles: <<EOF, <<'EOF', <<"EOF", <<-EOF
+   */
+  stripHeredocs(command) {
+    const heredocStart = /<<-?\s*(['"]?)(\w+)\1/g;
+    let result = command;
+    let match;
+    while ((match = heredocStart.exec(command)) !== null) {
+      const delimiter = match[2];
+      const endPattern = new RegExp(`\\n\\t*${delimiter}\\s*(?:\\n|$)`);
+      const startIndex = match.index;
+      const contentAfterStart = command.slice(match.index + match[0].length);
+      const endMatch = endPattern.exec(contentAfterStart);
+      if (endMatch) {
+        const endIndex = match.index + match[0].length + endMatch.index + endMatch[0].length;
+        result = result.slice(0, startIndex) + result.slice(endIndex);
+      }
+    }
+    return result;
+  }
   isPathAllowed(path, allowDevicePaths, resolveBase) {
     const resolved = this.resolvePath(path, resolveBase);
     if (this.pathValidator.isWithinWorkingDir(resolved)) return true;
+    if (this.pathValidator.isPlatformPath(resolved)) return true;
     return allowDevicePaths ? this.pathValidator.isSafeForWrite(resolved) : this.pathValidator.isTempPath(resolved);
   }
   checkProtectedPath(path, context, resolveBase) {
@@ -254,13 +288,14 @@ var CommandAnalyzer = class {
     return commands;
   }
   checkRedirects(command) {
-    const matches = command.matchAll(REDIRECT_PATTERN);
+    const strippedCommand = this.stripHeredocs(command);
+    const matches = strippedCommand.matchAll(REDIRECT_PATTERN);
     for (const match of matches) {
       const path = match[1] || match[2] || match[3];
       if (!path || path.startsWith("&")) {
         continue;
       }
-      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+      if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
         return {
           blocked: true,
           reason: `Redirect to path outside working directory: ${path}`
@@ -304,7 +339,7 @@ var CommandAnalyzer = class {
       const paths = this.extractPaths(command);
       for (const path of paths) {
         const resolved = this.resolvePath(path, resolveBase);
-        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved)) {
+        if (!this.pathValidator.isWithinWorkingDir(resolved) && !this.pathValidator.isTempPath(resolved) && !this.pathValidator.isPlatformPath(resolved)) {
           return {
             blocked: true,
             reason: `Command "${name}" targets path outside working directory: ${path}`
@@ -454,7 +489,7 @@ var CommandAnalyzer = class {
   }
   validatePath(path) {
     if (!path) return { blocked: false };
-    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path)) {
+    if (!this.pathValidator.isSafeForWrite(path) && !this.pathValidator.isWithinWorkingDir(path) && !this.pathValidator.isPlatformPath(path)) {
       return {
         blocked: true,
         reason: `File operation targets path outside working directory: ${path}`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@melihmucuk/leash",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "type": "module",
   "description": "Security guardrails for AI coding agents",
   "bin": {