@poolzin/pool-bot 2026.2.24 → 2026.2.26

package/dist/infra/exec-approvals-allowlist.js

@@ -1,31 +1,6 @@
-import fs from "node:fs";
-import path from "node:path";
 import { DEFAULT_SAFE_BINS, analyzeShellCommand, isWindowsPlatform, matchAllowlist, resolveAllowlistCandidatePath, splitCommandChain, } from "./exec-approvals-analysis.js";
+import { SAFE_BIN_GENERIC_PROFILE, SAFE_BIN_PROFILES, validateSafeBinArgv, } from "./exec-safe-bin-policy.js";
 import { isTrustedSafeBinPath } from "./exec-safe-bin-trust.js";
-function isPathLikeToken(value) {
-    const trimmed = value.trim();
-    if (!trimmed) {
-        return false;
-    }
-    if (trimmed === "-") {
-        return false;
-    }
-    if (trimmed.startsWith("./") || trimmed.startsWith("../") || trimmed.startsWith("~")) {
-        return true;
-    }
-    if (trimmed.startsWith("/")) {
-        return true;
-    }
-    return /^[A-Za-z]:[\\/]/.test(trimmed);
-}
-function defaultFileExists(filePath) {
-    try {
-        return fs.existsSync(filePath);
-    }
-    catch {
-        return false;
-    }
-}
 export function normalizeSafeBins(entries) {
     if (!Array.isArray(entries)) {
         return new Set();
@@ -41,15 +16,10 @@ export function resolveSafeBins(entries) {
     }
     return normalizeSafeBins(entries ?? []);
 }
-function hasGlobToken(value) {
-    // Safe bins are stdin-only; globbing is both surprising and a historical bypass vector.
-    // Note: we still harden execution-time expansion separately.
-    return /[*?[\]]/.test(value);
-}
 export function isSafeBinUsage(params) {
     // Windows host exec uses PowerShell, which has different parsing/expansion rules.
     // Keep safeBins conservative there (require explicit allowlist entries).
-    if (isWindowsPlatform(process.platform)) {
+    if (isWindowsPlatform(params.platform ?? process.platform)) {
         return false;
     }
     if (params.safeBins.size === 0) {
@@ -60,55 +30,25 @@ export function isSafeBinUsage(params) {
     if (!execName) {
         return false;
     }
-    const matchesSafeBin = params.safeBins.has(execName) ||
-        (process.platform === "win32" && params.safeBins.has(path.parse(execName).name));
+    const matchesSafeBin = params.safeBins.has(execName);
     if (!matchesSafeBin) {
         return false;
     }
     if (!resolution?.resolvedPath) {
         return false;
     }
-    if (!isTrustedSafeBinPath({
+    const isTrustedPath = params.isTrustedSafeBinPathFn ?? isTrustedSafeBinPath;
+    if (!isTrustedPath({
         resolvedPath: resolution.resolvedPath,
         trustedDirs: params.trustedSafeBinDirs,
     })) {
         return false;
     }
-    const cwd = params.cwd ?? process.cwd();
-    const exists = params.fileExists ?? defaultFileExists;
     const argv = params.argv.slice(1);
-    for (let i = 0; i < argv.length; i += 1) {
-        const token = argv[i];
-        if (!token) {
-            continue;
-        }
-        if (token === "-") {
-            continue;
-        }
-        if (token.startsWith("-")) {
-            const eqIndex = token.indexOf("=");
-            if (eqIndex > 0) {
-                const value = token.slice(eqIndex + 1);
-                if (value && hasGlobToken(value)) {
-                    return false;
-                }
-                if (value && (isPathLikeToken(value) || exists(path.resolve(cwd, value)))) {
-                    return false;
-                }
-            }
-            continue;
-        }
-        if (hasGlobToken(token)) {
-            return false;
-        }
-        if (isPathLikeToken(token)) {
-            return false;
-        }
-        if (exists(path.resolve(cwd, token))) {
-            return false;
-        }
-    }
-    return true;
+    const safeBinProfiles = params.safeBinProfiles ?? SAFE_BIN_PROFILES;
+    const genericSafeBinProfile = params.safeBinGenericProfile ?? SAFE_BIN_GENERIC_PROFILE;
+    const profile = safeBinProfiles[execName] ?? genericSafeBinProfile;
+    return validateSafeBinArgv(argv, profile);
 }
 function evaluateSegments(segments, params) {
     const matches = [];
@@ -127,7 +67,8 @@ function evaluateSegments(segments, params) {
             argv: segment.argv,
             resolution: segment.resolution,
             safeBins: params.safeBins,
-            cwd: params.cwd,
+            platform: params.platform,
+            trustedSafeBinDirs: params.trustedSafeBinDirs,
         });
         const skillAllow = allowSkills && segment.resolution?.executableName
             ? params.skillBins?.has(segment.resolution.executableName)
@@ -157,6 +98,8 @@ export function evaluateExecAllowlist(params) {
                 allowlist: params.allowlist,
                 safeBins: params.safeBins,
                 cwd: params.cwd,
+                platform: params.platform,
+                trustedSafeBinDirs: params.trustedSafeBinDirs,
                 skillBins: params.skillBins,
                 autoAllowSkills: params.autoAllowSkills,
             });
@@ -173,6 +116,8 @@ export function evaluateExecAllowlist(params) {
         allowlist: params.allowlist,
         safeBins: params.safeBins,
         cwd: params.cwd,
+        platform: params.platform,
+        trustedSafeBinDirs: params.trustedSafeBinDirs,
         skillBins: params.skillBins,
         autoAllowSkills: params.autoAllowSkills,
     });
@@ -182,6 +127,128 @@ export function evaluateExecAllowlist(params) {
         segmentSatisfiedBy: result.segmentSatisfiedBy,
     };
 }
+const SHELL_WRAPPER_EXECUTABLES = new Set([
+    "ash",
+    "bash",
+    "cmd",
+    "cmd.exe",
+    "dash",
+    "fish",
+    "ksh",
+    "powershell",
+    "powershell.exe",
+    "pwsh",
+    "pwsh.exe",
+    "sh",
+    "zsh",
+]);
+function normalizeExecutableName(name) {
+    return (name ?? "").trim().toLowerCase();
+}
+function isShellWrapperSegment(segment) {
+    const candidates = [
+        normalizeExecutableName(segment.resolution?.executableName),
+        normalizeExecutableName(segment.resolution?.rawExecutable),
+    ];
+    for (const candidate of candidates) {
+        if (!candidate) {
+            continue;
+        }
+        if (SHELL_WRAPPER_EXECUTABLES.has(candidate)) {
+            return true;
+        }
+        const base = candidate.split(/[\\/]/).pop();
+        if (base && SHELL_WRAPPER_EXECUTABLES.has(base)) {
+            return true;
+        }
+    }
+    return false;
+}
+function extractShellInlineCommand(argv) {
+    for (let i = 1; i < argv.length; i += 1) {
+        const token = argv[i];
+        if (!token) {
+            continue;
+        }
+        const lower = token.toLowerCase();
+        if (lower === "--") {
+            break;
+        }
+        if (lower === "-c" ||
+            lower === "--command" ||
+            lower === "-command" ||
+            lower === "/c" ||
+            lower === "/k") {
+            const next = argv[i + 1]?.trim();
+            return next ? next : null;
+        }
+        if (/^-[^-]*c[^-]*$/i.test(token)) {
+            const commandIndex = lower.indexOf("c");
+            const inline = token.slice(commandIndex + 1).trim();
+            if (inline) {
+                return inline;
+            }
+            const next = argv[i + 1]?.trim();
+            return next ? next : null;
+        }
+    }
+    return null;
+}
+function collectAllowAlwaysPatterns(params) {
+    const candidatePath = resolveAllowlistCandidatePath(params.segment.resolution, params.cwd);
+    if (!candidatePath) {
+        return;
+    }
+    if (!isShellWrapperSegment(params.segment)) {
+        params.out.add(candidatePath);
+        return;
+    }
+    if (params.depth >= 3) {
+        return;
+    }
+    const inlineCommand = extractShellInlineCommand(params.segment.argv);
+    if (!inlineCommand) {
+        return;
+    }
+    const nested = analyzeShellCommand({
+        command: inlineCommand,
+        cwd: params.cwd,
+        env: params.env,
+        platform: params.platform,
+    });
+    if (!nested.ok) {
+        return;
+    }
+    for (const nestedSegment of nested.segments) {
+        collectAllowAlwaysPatterns({
+            segment: nestedSegment,
+            cwd: params.cwd,
+            env: params.env,
+            platform: params.platform,
+            depth: params.depth + 1,
+            out: params.out,
+        });
+    }
+}
+/**
+ * Derive persisted allowlist patterns for an "allow always" decision.
+ * When a command is wrapped in a shell (for example `zsh -lc "<cmd>"`),
+ * persist the inner executable(s) rather than the shell binary.
+ */
+export function resolveAllowAlwaysPatterns(params) {
+    const patterns = new Set();
+    for (const segment of params.segments) {
+        collectAllowAlwaysPatterns({
+            segment,
+            cwd: params.cwd,
+            env: params.env,
+            platform: params.platform,
+            depth: 0,
+            out: patterns,
+        });
+    }
+    return Array.from(patterns);
+}
 /**
  * Evaluates allowlist for shell commands (including &&, ||, ;) and returns analysis metadata.
  */
@@ -209,6 +276,8 @@ export function evaluateShellAllowlist(params) {
             allowlist: params.allowlist,
             safeBins: params.safeBins,
             cwd: params.cwd,
+            platform: params.platform,
+            trustedSafeBinDirs: params.trustedSafeBinDirs,
             skillBins: params.skillBins,
             autoAllowSkills: params.autoAllowSkills,
         });
@@ -239,6 +308,8 @@ export function evaluateShellAllowlist(params) {
             allowlist: params.allowlist,
             safeBins: params.safeBins,
             cwd: params.cwd,
+            platform: params.platform,
+            trustedSafeBinDirs: params.trustedSafeBinDirs,
             skillBins: params.skillBins,
             autoAllowSkills: params.autoAllowSkills,
         });

package/dist/infra/exec-approvals-analysis.js

@@ -1,20 +1,8 @@
 import fs from "node:fs";
-import os from "node:os";
 import path from "node:path";
 import { splitShellArgs } from "../utils/shell-argv.js";
-export const DEFAULT_SAFE_BINS = ["jq", "grep", "cut", "sort", "uniq", "head", "tail", "tr", "wc"];
-function expandHome(value) {
-    if (!value) {
-        return value;
-    }
-    if (value === "~") {
-        return os.homedir();
-    }
-    if (value.startsWith("~/")) {
-        return path.join(os.homedir(), value.slice(2));
-    }
-    return value;
-}
+import { expandHomePrefix } from "./home-dir.js";
+export const DEFAULT_SAFE_BINS = ["jq", "cut", "uniq", "head", "tail", "tr", "wc"];
 function isExecutableFile(filePath) {
     try {
         const stat = fs.statSync(filePath);
@@ -47,7 +35,7 @@ function parseFirstToken(command) {
     return match ? match[0] : null;
 }
 function resolveExecutablePath(rawExecutable, cwd, env) {
-    const expanded = rawExecutable.startsWith("~") ? expandHome(rawExecutable) : rawExecutable;
+    const expanded = rawExecutable.startsWith("~") ? expandHomePrefix(rawExecutable) : rawExecutable;
     if (expanded.includes("/") || expanded.includes("\\")) {
         if (path.isAbsolute(expanded)) {
             return isExecutableFile(expanded) ? expanded : undefined;
@@ -145,7 +133,7 @@ function matchesPattern(pattern, target) {
     if (!trimmed) {
         return false;
     }
-    const expanded = trimmed.startsWith("~") ? expandHome(trimmed) : trimmed;
+    const expanded = trimmed.startsWith("~") ? expandHomePrefix(trimmed) : trimmed;
     const hasWildcard = /[*?]/.test(expanded);
     let normalizedPattern = expanded;
     let normalizedTarget = target;
@@ -169,7 +157,7 @@ export function resolveAllowlistCandidatePath(resolution, cwd) {
     if (!raw) {
         return undefined;
     }
-    const expanded = raw.startsWith("~") ? expandHome(raw) : raw;
+    const expanded = raw.startsWith("~") ? expandHomePrefix(raw) : raw;
     if (!expanded.includes("/") && !expanded.includes("\\")) {
         return undefined;
     }
@@ -199,6 +187,45 @@ export function matchAllowlist(entries, resolution) {
     }
     return null;
 }
+/**
+ * Tokenizes a single argv entry into a normalized option/positional model.
+ * Consumers can share this model to keep argv parsing behavior consistent.
+ */
+export function parseExecArgvToken(raw) {
+    if (!raw) {
+        return { kind: "empty", raw };
+    }
+    if (raw === "--") {
+        return { kind: "terminator", raw };
+    }
+    if (raw === "-") {
+        return { kind: "stdin", raw };
+    }
+    if (!raw.startsWith("-")) {
+        return { kind: "positional", raw };
+    }
+    if (raw.startsWith("--")) {
+        const eqIndex = raw.indexOf("=");
+        if (eqIndex > 0) {
+            return {
+                kind: "option",
+                raw,
+                style: "long",
+                flag: raw.slice(0, eqIndex),
+                inlineValue: raw.slice(eqIndex + 1),
+            };
+        }
+        return { kind: "option", raw, style: "long", flag: raw };
+    }
+    const cluster = raw.slice(1);
+    return {
+        kind: "option",
+        raw,
+        style: "short-cluster",
+        cluster,
+        flags: cluster.split("").map((entry) => `-${entry}`),
+    };
+}
 const DISALLOWED_PIPELINE_TOKENS = new Set([">", "<", "`", "\n", "\r", "(", ")"]);
 const DOUBLE_QUOTE_ESCAPES = new Set(["\\", '"', "$", "`", "\n", "\r"]);
 const WINDOWS_UNSUPPORTED_TOKENS = new Set([
@@ -242,7 +269,7 @@ function splitShellPipeline(command) {
                     continue;
                 }
                 if (ch === quote) {
-                    return { delimiter, end: i + 1 };
+                    return { delimiter, end: i + 1, quoted: true };
                 }
                 delimiter += ch;
                 i += 1;
@@ -261,7 +288,7 @@ function splitShellPipeline(command) {
         if (!delimiter) {
             return null;
         }
-        return { delimiter, end: i };
+        return { delimiter, end: i, quoted: false };
     };
     const segments = [];
     let buf = "";
@@ -279,6 +306,28 @@ function splitShellPipeline(command) {
         }
         buf = "";
     };
+    const isEscapedInHeredocLine = (line, index) => {
+        let slashes = 0;
+        for (let i = index - 1; i >= 0 && line[i] === "\\"; i -= 1) {
+            slashes += 1;
+        }
+        return slashes % 2 === 1;
+    };
+    const hasUnquotedHeredocExpansionToken = (line) => {
+        for (let i = 0; i < line.length; i += 1) {
+            const ch = line[i];
+            if (ch === "`" && !isEscapedInHeredocLine(line, i)) {
+                return true;
+            }
+            if (ch === "$" && !isEscapedInHeredocLine(line, i)) {
+                const next = line[i + 1];
+                if (next === "(" || next === "{") {
+                    return true;
+                }
+            }
+        }
+        return false;
+    };
     for (let i = 0; i < command.length; i += 1) {
         const ch = command[i];
         const next = command[i + 1];
@@ -290,6 +339,9 @@ function splitShellPipeline(command) {
                     if (line === current.delimiter) {
                         pendingHeredocs.shift();
                     }
+                    else if (!current.quoted && hasUnquotedHeredocExpansionToken(heredocLine)) {
+                        return { ok: false, reason: "command substitution in unquoted heredoc", segments: [] };
+                    }
                 }
                 heredocLine = "";
                 if (pendingHeredocs.length === 0) {
@@ -395,7 +447,7 @@ function splitShellPipeline(command) {
             }
             const parsed = parseHeredocDelimiter(command, scanIndex);
             if (parsed) {
-                pendingHeredocs.push({ delimiter: parsed.delimiter, stripTabs });
+                pendingHeredocs.push({ delimiter: parsed.delimiter, stripTabs, quoted: parsed.quoted });
                 buf += command.slice(scanIndex, parsed.end);
                 i = parsed.end - 1;
             }
@@ -415,8 +467,14 @@ function splitShellPipeline(command) {
         const line = current.stripTabs ? heredocLine.replace(/^\t+/, "") : heredocLine;
         if (line === current.delimiter) {
             pendingHeredocs.shift();
+            if (pendingHeredocs.length === 0) {
+                inHeredocBody = false;
+            }
         }
     }
+    if (pendingHeredocs.length > 0 || inHeredocBody) {
+        return { ok: false, reason: "unterminated heredoc", segments: [] };
+    }
     if (escaped || inSingle || inDouble) {
         return { ok: false, reason: "unterminated shell quote/escape", segments: [] };
     }

package/dist/infra/exec-approvals.js

@@ -1,8 +1,8 @@
 import crypto from "node:crypto";
 import fs from "node:fs";
-import os from "node:os";
 import path from "node:path";
 import { DEFAULT_AGENT_ID } from "../routing/session-key.js";
+import { expandHomePrefix } from "./home-dir.js";
 import { requestJsonlSocket } from "./jsonl-socket.js";
 export * from "./exec-approvals-analysis.js";
 export * from "./exec-approvals-allowlist.js";
@@ -20,23 +20,11 @@ function hashExecApprovalsRaw(raw) {
         .update(raw ?? "")
         .digest("hex");
 }
-function expandHome(value) {
-    if (!value) {
-        return value;
-    }
-    if (value === "~") {
-        return os.homedir();
-    }
-    if (value.startsWith("~/")) {
-        return path.join(os.homedir(), value.slice(2));
-    }
-    return value;
-}
 export function resolveExecApprovalsPath() {
-    return expandHome(DEFAULT_FILE);
+    return expandHomePrefix(DEFAULT_FILE);
 }
 export function resolveExecApprovalsSocketPath() {
-    return expandHome(DEFAULT_SOCKET);
+    return expandHomePrefix(DEFAULT_SOCKET);
 }
 function normalizeAllowlistPattern(value) {
     const trimmed = value?.trim() ?? "";
@@ -261,7 +249,7 @@ export function resolveExecApprovals(agentId, overrides) {
         agentId,
         overrides,
         path: resolveExecApprovalsPath(),
-        socketPath: expandHome(file.socket?.path ?? resolveExecApprovalsSocketPath()),
+        socketPath: expandHomePrefix(file.socket?.path ?? resolveExecApprovalsSocketPath()),
         token: file.socket?.token ?? "",
     });
 }
@@ -293,7 +281,7 @@ export function resolveExecApprovalsFromFile(params) {
     ];
     return {
         path: params.path ?? resolveExecApprovalsPath(),
-        socketPath: expandHome(params.socketPath ?? file.socket?.path ?? resolveExecApprovalsSocketPath()),
+        socketPath: expandHomePrefix(params.socketPath ?? file.socket?.path ?? resolveExecApprovalsSocketPath()),
         token: params.token ?? file.socket?.token ?? "",
         defaults: resolvedDefaults,
         agent: resolvedAgent,