@oked/sdk 0.1.6 → 0.1.7

package/dist/classify.d.ts

@@ -8,14 +8,14 @@ export interface ShellWriteOp {
     content?: string;
 }
 /**
- * Removes heredoc *bodies* that are being written to a file, so their contents
- * aren't parsed as shell. `cat >> file <<'EOF' … EOF` is a common file-writing
- * idiom; the body is literal data, not commands, and must not be scanned for
- * operators, redirects, or risky tokens (a config/test file full of `;`, `&&`,
- * or even the literal text "rm -rf" would otherwise wreck classification). The
- * opener line — with its redirect and target — is preserved; only the body and
- * closing delimiter are dropped. Heredocs fed to an interpreter (no file
- * redirect on the opener line) are left intact so SQL/code detection still runs.
+ * Removes heredoc *bodies* unless they're fed to an interpreter/DB/shell that
+ * executes them. The default is to strip: `cat >> file <<'EOF'`, `git commit -F
+ * - <<'MSG'`, `gh pr create --body "$(cat <<'BODY')"`, `mail <<'EOF'` and the
+ * like all treat the body as literal DATA, which must not be parsed as shell
+ * (a commit message with `->` or a PR body mentioning "TRUNCATE"/"rm -rf" would
+ * otherwise wreck classification). Only heredocs whose opener line invokes an
+ * interpreter (`psql <<EOF`, `node - <<EOF`, `cat <<EOF | bash`) keep their
+ * body, so SQL/code detection still runs. The opener line is always preserved.
  */
 export declare function stripHeredocBodies(command: string): string;
 export declare function extractShellWriteOps(command: string): ShellWriteOp[];

package/dist/classify.js

@@ -63,7 +63,8 @@ const SAFE_COMMANDS = [
     /^node\s+(-v|--version)/,
     /^npm\s+(list|ls|--version|-v|view|info|outdated|audit)\b/,
     /^npx\s+-v/,
-    /^git\s+(status|log|diff|branch|remote|show|tag|stash list)\b/,
+    /^git\s+(status|log|diff|branch|remote|show|tag|stash\s+list|ls-files|ls-tree|ls-remote|check-ignore|check-attr|rev-parse|rev-list|describe|cat-file|blame|shortlog|reflog|name-rev|whatchanged|for-each-ref|symbolic-ref|merge-base|var|grep|count-objects|show-ref|cherry|verify-commit|fsck)\b/,
+    /^git\s+config\s+(--get|--get-all|--get-regexp|--list|-l)\b/,
     /^docker\s+(ps|images|inspect|logs)\b/,
     /^docker\s+compose\s+(ps|logs)\b/,
     /^tree\b/,
@@ -178,56 +179,73 @@ const WARNING_COMMANDS = [
     /^npm\s+run\b/,
     /^bun\b/,
     /^deno\b/,
+    // Package installs run dependency postinstall scripts (code execution), so
+    // they're not "safe" — but they're a constant part of the dev loop, so log
+    // (warning) rather than prompt.
+    /^npm\s+(install|ci|i|update|upgrade|rebuild|prune|dedupe)\b/,
+    /^(pnpm|yarn)\s+(install|add|ci|up|upgrade)\b/,
 ];
 // Ephemeral filesystem locations. Writes here have no lasting effect on
 // their own — what matters is whatever subsequent command CONSUMES the file
 // (e.g. `himalaya message send < /tmp/draft.eml`). Without this carve-out,
 // every multi-step skill that drafts a temp file generates two approval
 // prompts (the temp write + the real send) instead of one.
-const EPHEMERAL_PATH_RE = /^(?:\/tmp\/|\/var\/tmp\/|\/private\/tmp\/|[A-Za-z]:[\\/](?:Windows[\\/]Temp|Users[\\/][^\\/]+[\\/]AppData[\\/]Local[\\/]Temp)[\\/])/i;
+const EPHEMERAL_PATH_RE = /^(?:\/tmp\/|\/var\/tmp\/|\/var\/folders\/|\/private\/tmp\/|\/private\/var\/folders\/|[A-Za-z]:[\\/](?:Windows[\\/]Temp|Users[\\/][^\\/]+[\\/]AppData[\\/]Local[\\/]Temp)[\\/])/i;
+// A temp-dir env var (the conventional output of `mktemp -d` etc.): $TMPDIR,
+// $TMP, $TEMP, ${TMPDIR}, and paths beneath them. Treated as ephemeral since
+// we can't resolve the value but the intent is unambiguous.
+const TEMP_VAR_RE = /^\$\{?(?:TMPDIR|TMP|TEMP)\}?(?:\/|$)/;
 function isEphemeralPath(filePath) {
     if (!filePath)
         return false;
-    return EPHEMERAL_PATH_RE.test(filePath);
+    return TEMP_VAR_RE.test(filePath) || EPHEMERAL_PATH_RE.test(filePath);
 }
-// Claude Code's own plan-mode and todo scratch files live under
-// ~/.claude/plans and ~/.claude/todos. They're agent bookkeeping, not project
-// changes, and have no side effects of their own. Writes there downgrade to
-// `warning`. This is deliberately narrow: the rest of ~/.claude (notably
-// settings.json, which holds the OKed hook config) is NOT covered, so an agent
-// can't silently rewrite its own guardrails without an approval.
-const AGENT_SCRATCH_DIRS = [
-    path.join(".claude", "plans"),
-    path.join(".claude", "todos"),
-];
-function isAgentScratchPath(filePath) {
+// Paths where a write/edit is genuinely dangerous and must stay `review`:
+// system directories, credential/secret stores, shell startup files (a
+// persistence vector), and OKed's own config (so an agent can't disable its
+// guardrails). Everything else — project files, sibling repos, scratch — is
+// treated as `warning` (a file write can't act on its own; whatever later
+// executes it is classified separately).
+function isSensitiveWritePath(filePath) {
     if (!filePath)
-        return false;
+        return true; // unknown target → err toward review
+    let resolved;
     try {
-        const resolved = path.resolve(filePath);
-        const home = os.homedir();
-        return AGENT_SCRATCH_DIRS.some((dir) => {
-            const base = path.join(home, dir);
-            const relative = path.relative(base, resolved);
-            return relative !== "" && !relative.startsWith("..") && !path.isAbsolute(relative);
-        });
+        resolved = path.resolve(filePath);
     }
     catch {
-        return false;
-    }
-}
-function isInsideProject(filePath) {
-    if (!filePath)
-        return false;
-    try {
-        const projectRoot = path.resolve(process.cwd());
-        const resolved = path.resolve(filePath);
-        const relative = path.relative(projectRoot, resolved);
-        return relative === "" || (!!relative && !relative.startsWith("..") && !path.isAbsolute(relative));
+        return true;
     }
-    catch {
-        return false;
+    const home = os.homedir();
+    const underHome = (rel) => {
+        const base = path.join(home, rel);
+        return resolved === base || resolved.startsWith(base + path.sep);
+    };
+    // OKed self-config — never let an agent edit its own hook config silently.
+    if (resolved === path.join(home, ".claude", "settings.json") ||
+        resolved === path.join(home, ".claude", "settings.local.json"))
+        return true;
+    // Credential / secret stores.
+    for (const d of [".ssh", ".aws", ".gnupg", ".kube", ".docker", path.join(".config", "gcloud")]) {
+        if (underHome(d))
+            return true;
     }
+    // Sensitive dotfiles directly in $HOME (creds + shell startup persistence).
+    const sensitiveHomeFiles = new Set([
+        ".netrc", ".npmrc", ".pypirc", ".git-credentials", ".bash_history", ".zsh_history",
+        ".bashrc", ".zshrc", ".bash_profile", ".zprofile", ".profile", ".zshenv", ".zlogin",
+    ]);
+    if (path.dirname(resolved) === home && sensitiveHomeFiles.has(path.basename(resolved)))
+        return true;
+    // System directories.
+    if (/^\/(etc|usr|bin|sbin|boot|sys|proc|opt|Library|System)(\/|$)/.test(resolved))
+        return true;
+    if (/^\/private\/etc(\/|$)/.test(resolved))
+        return true;
+    // /var, except the ephemeral temp subtrees.
+    if (/^\/var(\/|$)/.test(resolved) && !/^\/var\/(tmp|folders)(\/|$)/.test(resolved))
+        return true;
+    return false;
 }
 export function classify(toolName, toolInput) {
     // Check tool-level classification first
@@ -239,14 +257,13 @@ export function classify(toolName, toolInput) {
         return "high_stakes";
     if (REVIEW_TOOLS.has(toolName))
         return "review";
-    // File-editing tools: warning if inside project or an ephemeral temp dir,
-    // review otherwise. Temp-dir writes are "warning" because the file itself
-    // can't do harm — only what consumes it can.
+    // File-editing tools: a write/edit can't act on its own — whatever later
+    // executes it is classified separately — so it's `warning` (logged, no
+    // prompt) everywhere EXCEPT sensitive targets (system dirs, secret stores,
+    // shell startup files, OKed's own config), which stay `review`.
     if (toolName === "Write" || toolName === "Edit" || toolName === "NotebookEdit") {
         const filePath = toolInput.file_path;
-        if (isEphemeralPath(filePath) || isInsideProject(filePath) || isAgentScratchPath(filePath))
-            return "warning";
-        return "review";
+        return isSensitiveWritePath(filePath) ? "review" : "warning";
     }
     // Agent tool - safe. Launching a sub-agent is not itself a side effect, and
     // the sub-agent's own tool calls (Bash/Write/Edit/MCP) each fire their own
@@ -276,9 +293,7 @@ export function classify(toolName, toolInput) {
     const writePath = (toolInput.file_path ?? toolInput.path);
     const writeContent = (toolInput.content ?? toolInput.data ?? toolInput.body);
     if (typeof writePath === "string" && typeof writeContent === "string") {
-        if (isEphemeralPath(writePath) || isInsideProject(writePath) || isAgentScratchPath(writePath))
-            return "warning";
-        return "review";
+        return isSensitiveWritePath(writePath) ? "review" : "warning";
     }
     // Unknown tool - default to review (require approval)
     return "review";
@@ -406,16 +421,15 @@ function classifyBashCommand(command) {
         return classifySqlSeverity(sql);
     // File-mutating shell patterns. Content-creation idioms (echo > X, tee,
     // dd of=, touch, sed -i) are the bypass route from a denied Write, so they're
-    // classified like the Write/Edit tool: writes inside the project, an
-    // ephemeral temp dir (/tmp, %TEMP%), or an agent scratch dir downgrade to
-    // warning; writes elsewhere stay review. cp/mv (rearranging existing bytes)
-    // stay review.
+    // classified exactly like the Write/Edit tool: `warning` unless a target is a
+    // sensitive path (system dir, secret store, shell rc, OKed config), which
+    // stays `review`. cp/mv (which can clobber/relocate existing files) stay
+    // review.
     const ops = extractShellWriteOps(trimmed);
     if (ops.length > 0) {
         const creates = ops.filter((o) => o.kind !== "copy" && o.kind !== "move");
         if (creates.length > 0) {
-            const allLocal = creates.every((o) => isEphemeralPath(o.target) || isInsideProject(o.target) || isAgentScratchPath(o.target));
-            return allLocal ? "warning" : "review";
+            return creates.some((o) => isSensitiveWritePath(o.target)) ? "review" : "warning";
         }
         return "review";
     }
@@ -461,29 +475,23 @@ function classifySqlSeverity(sql) {
  *
  * Skips /dev/null and bare-digit FD duplicates (2>&1).
  */
-// True when the opener line sends the heredoc to a FILE (a `>`/`>>` redirect to
-// a real path, or `tee`). Those bodies are literal data; bodies fed to an
-// interpreter/DB instead (`psql <<EOF`, `node - <<EOF`, `bash <<EOF`) are
-// executed and must NOT be stripped — they still need to be classified.
-function openerWritesToFile(line) {
-    if (/\btee\b/.test(line))
-        return true;
-    for (const m of line.matchAll(/(?:^|[^>])([12]?>>?|&>>?)\s*([^\s>|&;]+)/g)) {
-        const target = unquote(m[2]);
-        if (target && !/^\d+$/.test(target) && !isDevNullish(target))
-            return true;
-    }
-    return false;
+// Commands that EXECUTE a heredoc body fed to their stdin — a SQL CLI, a code
+// interpreter, or a shell. Their heredoc bodies are code/SQL and must stay
+// scannable. Detected as a command word at the start of the opener line or
+// after a pipe / `&&` / `;` / `$(` / backtick.
+const HEREDOC_INTERPRETER_RE = /(?:^|\||&&|;|\$\(|`)\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|mariadb|sqlite3?|node|python\d?|ruby|perl|deno|bun|bash|sh|zsh|ksh|fish)\b/;
+function openerFeedsInterpreter(line) {
+    return HEREDOC_INTERPRETER_RE.test(line);
 }
 /**
- * Removes heredoc *bodies* that are being written to a file, so their contents
- * aren't parsed as shell. `cat >> file <<'EOF' … EOF` is a common file-writing
- * idiom; the body is literal data, not commands, and must not be scanned for
- * operators, redirects, or risky tokens (a config/test file full of `;`, `&&`,
- * or even the literal text "rm -rf" would otherwise wreck classification). The
- * opener line — with its redirect and target — is preserved; only the body and
- * closing delimiter are dropped. Heredocs fed to an interpreter (no file
- * redirect on the opener line) are left intact so SQL/code detection still runs.
+ * Removes heredoc *bodies* unless they're fed to an interpreter/DB/shell that
+ * executes them. The default is to strip: `cat >> file <<'EOF'`, `git commit -F
+ * - <<'MSG'`, `gh pr create --body "$(cat <<'BODY')"`, `mail <<'EOF'` and the
+ * like all treat the body as literal DATA, which must not be parsed as shell
+ * (a commit message with `->` or a PR body mentioning "TRUNCATE"/"rm -rf" would
+ * otherwise wreck classification). Only heredocs whose opener line invokes an
+ * interpreter (`psql <<EOF`, `node - <<EOF`, `cat <<EOF | bash`) keep their
+ * body, so SQL/code detection still runs. The opener line is always preserved.
  */
 export function stripHeredocBodies(command) {
     const lines = command.split("\n");
@@ -496,7 +504,7 @@ export function stripHeredocBodies(command) {
         // space). Require a word-char delimiter so numeric left-shifts ($((1<<2)))
         // don't match. Use the last opener on the line as the active delimiter.
         const openers = [...line.matchAll(/<<-?\s*(["']?)([A-Za-z_][A-Za-z0-9_]*)\1/g)];
-        if (openers.length > 0 && openerWritesToFile(line)) {
+        if (openers.length > 0 && !openerFeedsInterpreter(line)) {
             const delim = openers[openers.length - 1][2];
             i++;
             while (i < lines.length && lines[i].trim() !== delim)

package/dist/describe.js

@@ -7,7 +7,7 @@
  * from the `fields` payload. `describe()` returns just the title for
  * backwards-compatible single-line consumers (audit logs, SMS).
  */
-import { extractShellWriteOps, stripHeredocBodies } from "./classify.js";
+import { extractShellWriteOps } from "./classify.js";
 const BODY_PREVIEW_MAX = 200;
 const COMMAND_INLINE_MAX = 50;
 const DIFF_HUNK_MAX_LINES = 10;
@@ -84,9 +84,7 @@ function summarize(toolName, toolInput) {
 // Bash / shell — semantic rerendering
 // ───────────────────────────────────────────────────────────────────────
 function summarizeBash(command, sizeBytes) {
-    // Strip heredoc bodies so a file's literal contents aren't parsed as shell
-    // (and don't bloat the card) — the redirect/target on the opener line stays.
-    const cmd = stripHeredocBodies(command || "").trim();
+    const cmd = (command || "").trim();
     if (!cmd)
         return { title: "Run empty command", kind: "unknown_bash" };
     // SQL detection runs before shell-write detection so that inline-interpreter
@@ -123,13 +121,17 @@ function summarizeBash(command, sizeBytes) {
         };
     }
     // git
-    if (/\bgit\s+push\s+(?:--force|-f)\b/.test(cmd)) {
-        const m = cmd.match(/git\s+push\s+(?:--force|-f)\s+(\S+)\s+(\S+)/);
-        return { title: "Force push", target: m ? `${m[2]} → ${m[1]}` : "current branch", kind: "git_force_push" };
-    }
     if (/\bgit\s+push\b/.test(cmd)) {
-        const m = cmd.match(/git\s+push\s+(\S+)\s+(\S+)/);
-        return { title: "Push", target: m ? `${m[2]} → ${m[1]}` : "current branch", kind: "git_push" };
+        // Parse the remote + branch ignoring flags (-u, --force, --set-upstream, …)
+        // so `git push -u origin feat` renders "feat → origin", not "origin → -u".
+        const after = cmd.match(/\bgit\s+push\b(.*)$/s)?.[1] ?? "";
+        const args = after.split(/\s+/).filter((a) => a && !a.startsWith("-"));
+        const [remote, branch] = args;
+        const target = remote && branch ? `${branch} → ${remote}` : remote || "current branch";
+        const forced = /\bgit\s+push\b[^\n]*\s(?:--force(?:-with-lease)?|-f)\b/.test(cmd);
+        return forced
+            ? { title: "Force push", target, kind: "git_force_push" }
+            : { title: "Push", target, kind: "git_push" };
     }
     if (/\bgit\s+reset\s+--hard\b/.test(cmd))
         return { title: "Hard reset — discard all local changes", kind: "git_reset_hard" };
@@ -291,12 +293,16 @@ function extractSqlFromScriptBody(body) {
     }
     return sqls.length > 0 ? sqls.join("\n") : null;
 }
+// A SQL CLI or code interpreter as a command word — at the start of the command
+// (allowing env=val / sudo prefixes) or after a pipe / `&&` / `;` / `$(`. Used
+// to gate SQL extraction so SQL words appearing in *argument data* (a `gh pr
+// create --body` mentioning "TRUNCATE", a path like `better-sqlite3`) don't get
+// misread as a statement to run.
+const SQL_CONSUMER_RE = /(?:^|\||&&|;|\$\(|`)\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|mariadb|sqlite3?|node|python\d?|ruby|perl|deno|bun)\b/;
 export function findSqlInCommand(cmd) {
-    // Inline interpreter flags: node -e, python -c, ruby -e, perl -e. Checked
-    // before the SQL-CLI prefix matchers below because those prefixes (e.g.
-    // `sqlite3`) can appear as substrings inside the interpreter body (e.g.
-    // `require('better-sqlite3')`) and would extract the wrong fragment.
-    const inline = cmd.match(/\b(?:node|python\d?|ruby|perl|deno|bun)\s+-[ec]\s+(?:"([\s\S]+?)"|'([\s\S]+?)')\s*$/);
+    // Inline interpreter flags: node -e, python -c, ruby -e, perl -e. Anchored to
+    // a command position so a SQL-looking string elsewhere doesn't match.
+    const inline = cmd.match(/(?:^|\||&&|;|\$\()\s*(?:\w+=\S+\s+)*(?:sudo\s+)?(?:node|python\d?|ruby|perl|deno|bun)\s+-[ec]\s+(?:"([\s\S]+?)"|'([\s\S]+?)')\s*$/);
     if (inline) {
         const body = inline[1] ?? inline[2];
         if (body && SQL_KEYWORDS_RE.test(body)) {
@@ -304,19 +310,23 @@ export function findSqlInCommand(cmd) {
         }
     }
     // psql -c "..." / mysql -e "..." / sqlite3 db "..." — outer-quoted statement.
-    const dq = cmd.match(/(?:psql|mysql|sqlite3?|mariadb)\b[^"]*"([\s\S]+?)"\s*$/i);
+    // Anchored to the start of the command so "psql"/"mysql" appearing inside an
+    // argument (another tool's --body, etc.) can't trigger a false SQL match.
+    const dq = cmd.match(/^(?:\s*\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|sqlite3?|mariadb)\b[^"]*"([\s\S]+?)"\s*$/i);
     if (dq)
         return dq[1];
-    const sq = cmd.match(/(?:psql|mysql|sqlite3?|mariadb)\b[^']*'([\s\S]+?)'\s*$/i);
+    const sq = cmd.match(/^(?:\s*\w+=\S+\s+)*(?:sudo\s+)?(?:psql|mysql|sqlite3?|mariadb)\b[^']*'([\s\S]+?)'\s*$/i);
     if (sq)
         return sq[1];
-    // Heredoc-piped script: <<EOF / <<'EOF' / <<"EOF" / <<-EOF.
-    // Single capture for the delimiter (quote-stripped) lets the closing
-    // anchor reference it without going through alternation.
+    // Heredoc-piped script: <<EOF / <<'EOF' / <<"EOF" / <<-EOF. Only when the
+    // command (outside the body) actually feeds the heredoc to a SQL CLI or
+    // interpreter — otherwise a `gh`/`cat`/`mail` heredoc whose body merely
+    // mentions SQL words would be misclassified as a statement to run.
     const hd = cmd.match(/<<-?\s*['"]?(\w+)['"]?[ \t]*\r?\n([\s\S]*?)\r?\n[ \t]*\1\b/);
     if (hd) {
         const body = hd[2];
-        if (body && SQL_KEYWORDS_RE.test(body)) {
+        const context = cmd.slice(0, hd.index) + cmd.slice((hd.index ?? 0) + hd[0].length);
+        if (body && SQL_CONSUMER_RE.test(context) && SQL_KEYWORDS_RE.test(body)) {
             return extractSqlFromScriptBody(body) ?? body;
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oked/sdk",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "OKed SDK - human approval layer for AI agents",
   "type": "module",
   "main": "dist/index.js",