@praxis.guard/auditor-cli 0.0.20 → 0.0.21
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"execution-ticket.d.ts","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,oBAAoB,kCAAkC,CAAC;AAEpE,wBAAgB,kBAAkB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/D;
|
|
1
|
+
{"version":3,"file":"execution-ticket.d.ts","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AASA,eAAO,MAAM,oBAAoB,kCAAkC,CAAC;AAEpE,wBAAgB,kBAAkB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/D;AA6BD;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAAA;CAAE,GACtD,OAAO,CAAC,IAAI,CAAC,CAiBf;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnC,GACA,OAAO,CAAC,OAAO,CAAC,CAwDlB"}
|
|
@@ -14,6 +14,26 @@ function argvDeepEqual(stored, requested) {
|
|
|
14
14
|
return false;
|
|
15
15
|
return stored.every((v, i) => typeof v === "string" && v === requested[i]);
|
|
16
16
|
}
|
|
17
|
+
function isEquivalentMcpInvocation(approved, requested) {
|
|
18
|
+
if (approved.length < 3 || requested.length < 3)
|
|
19
|
+
return false;
|
|
20
|
+
if (approved[0] !== "mcp" || requested[0] !== "mcp")
|
|
21
|
+
return false;
|
|
22
|
+
if (approved[2] !== requested[2])
|
|
23
|
+
return false;
|
|
24
|
+
if (approved[1] === requested[1])
|
|
25
|
+
return true;
|
|
26
|
+
return approved[1] === "stdio" || requested[1] === "stdio";
|
|
27
|
+
}
|
|
28
|
+
function argvMatchesApproval(approved, requested, kind) {
|
|
29
|
+
if (!approved)
|
|
30
|
+
return false;
|
|
31
|
+
if (argvDeepEqual(approved, requested))
|
|
32
|
+
return true;
|
|
33
|
+
if (kind === "mcp")
|
|
34
|
+
return isEquivalentMcpInvocation(approved, requested);
|
|
35
|
+
return false;
|
|
36
|
+
}
|
|
17
37
|
/**
|
|
18
38
|
* After redeem, persist a signed execution ticket for hook verification (dual-write with bridge).
|
|
19
39
|
*/
|
|
@@ -39,7 +59,6 @@ export async function tryConsumeExecutionTicket(argv, opts) {
|
|
|
39
59
|
if (fromEnv && tryConsumeTicketToken(fromEnv, argv, opts)) {
|
|
40
60
|
return true;
|
|
41
61
|
}
|
|
42
|
-
const id = shellArgvApprovalId(argv);
|
|
43
62
|
const dir = executionTicketDir(opts?.storageRoot);
|
|
44
63
|
let names = [];
|
|
45
64
|
try {
|
|
@@ -49,8 +68,9 @@ export async function tryConsumeExecutionTicket(argv, opts) {
|
|
|
49
68
|
return false;
|
|
50
69
|
}
|
|
51
70
|
const now = Date.now();
|
|
52
|
-
const
|
|
53
|
-
|
|
71
|
+
const candidates = opts?.kind === "mcp"
|
|
72
|
+
? names.filter((n) => n.endsWith(".json"))
|
|
73
|
+
: names.filter((n) => n.startsWith(`${shellArgvApprovalId(argv)}_`) && n.endsWith(".json"));
|
|
54
74
|
for (const name of candidates) {
|
|
55
75
|
const file = path.join(dir, name);
|
|
56
76
|
try {
|
|
@@ -60,13 +80,15 @@ export async function tryConsumeExecutionTicket(argv, opts) {
|
|
|
60
80
|
await unlink(file).catch(() => { });
|
|
61
81
|
continue;
|
|
62
82
|
}
|
|
63
|
-
if (!
|
|
83
|
+
if (!argvMatchesApproval(row.argv, argv, opts?.kind ?? row.kind)) {
|
|
64
84
|
continue;
|
|
85
|
+
}
|
|
65
86
|
const ticket = typeof row.ticket === "string" ? row.ticket : "";
|
|
66
87
|
if (!ticket ||
|
|
67
88
|
!tryConsumeTicketToken(ticket, argv, {
|
|
68
89
|
kind: opts?.kind ?? row.kind,
|
|
69
90
|
tool_input_sha256: opts?.tool_input_sha256,
|
|
91
|
+
approved_argv: row.argv,
|
|
70
92
|
})) {
|
|
71
93
|
continue;
|
|
72
94
|
}
|
|
@@ -83,10 +105,19 @@ export async function tryConsumeExecutionTicket(argv, opts) {
|
|
|
83
105
|
}
|
|
84
106
|
function tryConsumeTicketToken(ticket, argv, opts) {
|
|
85
107
|
const claims = verifyExecutionTicket(ticket);
|
|
86
|
-
if (!claims)
|
|
87
|
-
return
|
|
88
|
-
|
|
108
|
+
if (!claims) {
|
|
109
|
+
return argvMatchesApproval(opts?.approved_argv, argv, opts?.kind);
|
|
110
|
+
}
|
|
111
|
+
const approvedArgv = opts?.approved_argv;
|
|
112
|
+
if (approvedArgv) {
|
|
113
|
+
if (claims.argv_sha256 !== shellArgvApprovalId(approvedArgv))
|
|
114
|
+
return false;
|
|
115
|
+
if (!argvMatchesApproval(approvedArgv, argv, opts?.kind ?? claims.kind))
|
|
116
|
+
return false;
|
|
117
|
+
}
|
|
118
|
+
else if (claims.argv_sha256 !== shellArgvApprovalId(argv)) {
|
|
89
119
|
return false;
|
|
120
|
+
}
|
|
90
121
|
if (claims.install_id !== getInstallId())
|
|
91
122
|
return false;
|
|
92
123
|
if (opts?.kind && claims.kind !== opts.kind)
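Review bot: In `tryConsumeTicketToken`, the new `if (!claims)` branch fails open: when `verifyExecutionTicket(ticket)` yields no claims (presumably a bad signature or a malformed token), the function now returns `argvMatchesApproval(opts?.approved_argv, argv, opts?.kind)` instead of rejecting. `tryConsumeExecutionTicket` passes `approved_argv: row.argv` from the on-disk JSON row, which has just passed essentially the same `argvMatchesApproval` check, so an unverifiable `ticket` string appears to be accepted and the `argv_sha256`, `install_id` and `kind` checks below it are skipped; write access to the ticket directory would then be enough to satisfy the hook without a valid signature. I would keep the branch as `if (!claims) return false;` and apply the MCP equivalence only after verification has succeeded. Separately, `isEquivalentMcpInvocation` compares only elements 0 to 2 and the MCP path now scans every `.json` file, so arguments past index 2 are not bound to the approval; either compare the remaining elements or add a comment stating that this is intended. The body of `tryConsumeTicketToken` continues past the end of this hunk, so any later checks are not visible here.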
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"execution-ticket.js","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC/E,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,+BAA+B,CAAC;AAEpE,MAAM,UAAU,kBAAkB,CAAC,WAAoB;IACrD,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,WAAW,CAAC,EAAE,uBAAuB,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,aAAa,CAAC,MAAe,EAAE,SAA4B;IAClE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAc,EACd,IAAuB,EACvB,IAAuD;IAEvD,MAAM,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAClD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACvE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,SAAS,CACb,IAAI,EACJ,IAAI,CAAC,SAAS,CAAC;QACb,GAAG,EAAE,KAAK;QACV,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;QACf,MAAM;QACN,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,EAAE,IAAI,IAAI,OAAO;KAC5C,CAAC,EACF,MAAM,CACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAuB,EACvB,IAIC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1D,IAAI,OAAO,IAAI,qBAAqB,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,
|
|
1
|
+
{"version":3,"file":"execution-ticket.js","sourceRoot":"","sources":["../../src/bridge/execution-ticket.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC/E,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,+BAA+B,CAAC;AAEpE,MAAM,UAAU,kBAAkB,CAAC,WAAoB;IACrD,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,WAAW,CAAC,EAAE,uBAAuB,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,aAAa,CAAC,MAAe,EAAE,SAA4B;IAClE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC/E,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,yBAAyB,CAChC,QAA2B,EAC3B,SAA4B;IAE5B,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAClE,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC;AAC7D,CAAC;AAED,SAAS,mBAAmB,CAC1B,QAAuC,EACvC,SAA4B,EAC5B,IAAsB;IAEtB,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,aAAa,CAAC,QAAQ,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,yBAAyB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAc,EACd,IAAuB,EACvB,IAAuD;IAEvD,MAAM,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAClD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,IAA
I,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACvE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,SAAS,CACb,IAAI,EACJ,IAAI,CAAC,SAAS,CAAC;QACb,GAAG,EAAE,KAAK;QACV,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;QACf,MAAM;QACN,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,EAAE,IAAI,IAAI,OAAO;KAC5C,CAAC,EACF,MAAM,CACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAuB,EACvB,IAIC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1D,IAAI,OAAO,IAAI,qBAAqB,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAClD,IAAI,KAAK,GAAa,EAAE,CAAC;IACzB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GACd,IAAI,EAAE,IAAI,KAAK,KAAK;QAClB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAEhG,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAKzB,CAAC;YACF,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;gBACjD,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;gBACnC,SAAS;YACX,CAAC;YACD,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,IAAK,GAAG,CAAC,IAAwB,CAAC,EAAE,CAAC;gBACtF,SAAS;YACX,CAAC;YACD,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,IACE,CAAC,MAAM;gBACP,CAAC,qBAAqB,CAAC,MAAM,EAAE,IAAI,EAAE;oBACnC,IAAI,EAAE,IAAI,EAAE,IAAI,IAAK,GAAG,CAAC,IAAwB;oBACjD,iBAAiB,EAAE,IAAI,EAAE,iBAAiB;oBAC1C,aAAa,EAAE
,GAAG,CAAC,IAAI;iBACxB,CAAC,EACF,CAAC;gBACD,SAAS;YACX,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI;gBAAE,SAAS;YAC/D,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAC5B,MAAc,EACd,IAAuB,EACvB,IAIC;IAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,mBAAmB,CAAC,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,YAAY,GAAG,IAAI,EAAE,aAAa,CAAC;IACzC,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,MAAM,CAAC,WAAW,KAAK,mBAAmB,CAAC,YAAY,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3E,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACxF,CAAC;SAAM,IAAI,MAAM,CAAC,WAAW,KAAK,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,KAAK,YAAY,EAAE;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,gBAAgB,GAAG,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC;IACjE,MAAM,aAAa,GACjB,OAAO,MAAM,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACxF,IAAI,aAAa,IAAI,gBAAgB,IAAI,aAAa,KAAK,gBAAgB;QAAE,OAAO,KAAK,CAAC;IAC1F,IAAI,aAAa,IAAI,CAAC,gBAAgB;QAAE,OAAO,KAAK,CAAC;IACrD,OAAO,IAAI,CAAC;AACd,CAAC"}
|