@praxis.guard/auditor-cli 0.0.32 → 0.0.34
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/approval/argv-fingerprint.d.ts +10 -1
- package/dist/approval/argv-fingerprint.d.ts.map +1 -1
- package/dist/approval/argv-fingerprint.js +10 -1
- package/dist/approval/argv-fingerprint.js.map +1 -1
- package/dist/approval/hook-inline-approval.d.ts +2 -0
- package/dist/approval/hook-inline-approval.d.ts.map +1 -1
- package/dist/approval/hook-inline-approval.js +6 -2
- package/dist/approval/hook-inline-approval.js.map +1 -1
- package/dist/approval/mcp-flow.d.ts +4 -2
- package/dist/approval/mcp-flow.d.ts.map +1 -1
- package/dist/approval/mcp-flow.js +9 -3
- package/dist/approval/mcp-flow.js.map +1 -1
- package/dist/approval/redeem.d.ts +2 -0
- package/dist/approval/redeem.d.ts.map +1 -1
- package/dist/approval/redeem.js +7 -2
- package/dist/approval/redeem.js.map +1 -1
- package/dist/bridge/execution-ticket.d.ts +3 -0
- package/dist/bridge/execution-ticket.d.ts.map +1 -1
- package/dist/bridge/execution-ticket.js +38 -9
- package/dist/bridge/execution-ticket.js.map +1 -1
- package/dist/bridge/shell-approval-bridge.d.ts +14 -5
- package/dist/bridge/shell-approval-bridge.d.ts.map +1 -1
- package/dist/bridge/shell-approval-bridge.js +47 -24
- package/dist/bridge/shell-approval-bridge.js.map +1 -1
- package/dist/hooks/before-mcp-argv.d.ts +17 -0
- package/dist/hooks/before-mcp-argv.d.ts.map +1 -0
- package/dist/hooks/before-mcp-argv.js +67 -0
- package/dist/hooks/before-mcp-argv.js.map +1 -0
- package/dist/hooks/before-mcp-mutate.d.ts +23 -0
- package/dist/hooks/before-mcp-mutate.d.ts.map +1 -0
- package/dist/hooks/before-mcp-mutate.js +76 -0
- package/dist/hooks/before-mcp-mutate.js.map +1 -0
- package/dist/hooks/before-mcp-skipped.d.ts +14 -0
- package/dist/hooks/before-mcp-skipped.d.ts.map +1 -0
- package/dist/hooks/before-mcp-skipped.js +56 -0
- package/dist/hooks/before-mcp-skipped.js.map +1 -0
- package/dist/hooks/before-mcp-types.d.ts +15 -0
- package/dist/hooks/before-mcp-types.d.ts.map +1 -0
- package/dist/hooks/before-mcp-types.js +2 -0
- package/dist/hooks/before-mcp-types.js.map +1 -0
- package/dist/hooks/before-shell-io.d.ts +3 -0
- package/dist/hooks/before-shell-io.d.ts.map +1 -0
- package/dist/hooks/before-shell-io.js +26 -0
- package/dist/hooks/before-shell-io.js.map +1 -0
- package/dist/hooks/before-shell-mutate.d.ts +23 -0
- package/dist/hooks/before-shell-mutate.d.ts.map +1 -0
- package/dist/hooks/before-shell-mutate.js +74 -0
- package/dist/hooks/before-shell-mutate.js.map +1 -0
- package/dist/hooks/before-shell-skipped.d.ts +11 -0
- package/dist/hooks/before-shell-skipped.d.ts.map +1 -0
- package/dist/hooks/before-shell-skipped.js +49 -0
- package/dist/hooks/before-shell-skipped.js.map +1 -0
- package/dist/hooks/before-shell-types.d.ts +12 -0
- package/dist/hooks/before-shell-types.d.ts.map +1 -0
- package/dist/hooks/before-shell-types.js +2 -0
- package/dist/hooks/before-shell-types.js.map +1 -0
- package/dist/hooks/run-before-mcp.d.ts +3 -27
- package/dist/hooks/run-before-mcp.d.ts.map +1 -1
- package/dist/hooks/run-before-mcp.js +57 -195
- package/dist/hooks/run-before-mcp.js.map +1 -1
- package/dist/hooks/run-before-shell.d.ts +2 -10
- package/dist/hooks/run-before-shell.d.ts.map +1 -1
- package/dist/hooks/run-before-shell.js +63 -142
- package/dist/hooks/run-before-shell.js.map +1 -1
- package/dist/index.d.ts +2 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -2
- package/dist/index.js.map +1 -1
- package/dist/mcp/evaluate-guard.d.ts +11 -0
- package/dist/mcp/evaluate-guard.d.ts.map +1 -0
- package/dist/mcp/evaluate-guard.js +159 -0
- package/dist/mcp/evaluate-guard.js.map +1 -0
- package/dist/mcp/guard-approval-block.d.ts +27 -0
- package/dist/mcp/guard-approval-block.d.ts.map +1 -0
- package/dist/mcp/guard-approval-block.js +155 -0
- package/dist/mcp/guard-approval-block.js.map +1 -0
- package/dist/mcp/guard-heartbeat.d.ts +6 -0
- package/dist/mcp/guard-heartbeat.d.ts.map +1 -0
- package/dist/mcp/guard-heartbeat.js +68 -0
- package/dist/mcp/guard-heartbeat.js.map +1 -0
- package/dist/mcp/guard-schemas.d.ts +42 -0
- package/dist/mcp/guard-schemas.d.ts.map +1 -0
- package/dist/mcp/guard-schemas.js +39 -0
- package/dist/mcp/guard-schemas.js.map +1 -0
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +4 -327
- package/dist/mcp/server.js.map +1 -1
- package/dist/policies.v1.json +4 -0
- package/dist/policy/index.d.ts +4 -0
- package/dist/policy/index.d.ts.map +1 -1
- package/dist/policy/index.js +6 -0
- package/dist/policy/index.js.map +1 -1
- package/dist/shell/analyze-command-aggregate.d.ts +16 -0
- package/dist/shell/analyze-command-aggregate.d.ts.map +1 -0
- package/dist/shell/analyze-command-aggregate.js +89 -0
- package/dist/shell/analyze-command-aggregate.js.map +1 -0
- package/dist/shell/analyze-command-invocations.d.ts +11 -0
- package/dist/shell/analyze-command-invocations.d.ts.map +1 -0
- package/dist/shell/analyze-command-invocations.js +113 -0
- package/dist/shell/analyze-command-invocations.js.map +1 -0
- package/dist/shell/analyze-command.d.ts +7 -0
- package/dist/shell/analyze-command.d.ts.map +1 -0
- package/dist/shell/analyze-command.js +46 -0
- package/dist/shell/analyze-command.js.map +1 -0
- package/dist/shell/analyze-command.types.d.ts +38 -0
- package/dist/shell/analyze-command.types.d.ts.map +1 -0
- package/dist/shell/analyze-command.types.js +2 -0
- package/dist/shell/analyze-command.types.js.map +1 -0
- package/dist/shell/evaluate.d.ts +15 -18
- package/dist/shell/evaluate.d.ts.map +1 -1
- package/dist/shell/evaluate.js +57 -47
- package/dist/shell/evaluate.js.map +1 -1
- package/dist/shell/governed-tools.d.ts +18 -1
- package/dist/shell/governed-tools.d.ts.map +1 -1
- package/dist/shell/governed-tools.js +60 -1
- package/dist/shell/governed-tools.js.map +1 -1
- package/dist/shell/guard-eval.d.ts +15 -0
- package/dist/shell/guard-eval.d.ts.map +1 -0
- package/dist/shell/guard-eval.js +35 -0
- package/dist/shell/guard-eval.js.map +1 -0
- package/dist/shell/parse-segments.d.ts +14 -0
- package/dist/shell/parse-segments.d.ts.map +1 -0
- package/dist/shell/parse-segments.js +41 -0
- package/dist/shell/parse-segments.js.map +1 -0
- package/package.json +1 -1
package/dist/mcp/server.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAcA,8EAA8E;AAC9E,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAkDvD"}
|
package/dist/mcp/server.js
CHANGED
|
@@ -1,340 +1,17 @@
|
|
|
1
1
|
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
|
|
2
2
|
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
|
|
3
|
-
import { z } from "zod";
|
|
4
|
-
import { v4 as uuidv4 } from "uuid";
|
|
5
3
|
import { loadPoliciesV1, readPoliciesV1Revision } from "../policy/index.js";
|
|
6
|
-
import { resolveGuardToken } from "../cli/credentials.js";
|
|
7
|
-
import { getInstallId } from "../cli/install-id.js";
|
|
8
|
-
import { resolveGuardStorageRoot } from "../bridge/guard-storage-root.js";
|
|
9
|
-
import { resolveMutateApproval } from "../approval/mcp-flow.js";
|
|
10
|
-
import { evaluateMcpProposal, evaluateShellProposal, parseCommandToArgv, } from "../shell/evaluate.js";
|
|
11
|
-
import { sendGuardEvent } from "../telemetry/guard-events.js";
|
|
12
|
-
import { resolveGuardAuditStatus } from "./guard-audit-status.js";
|
|
13
|
-
import { applyGuardMode, tierToPolicyDecision } from "./guard-mode.js";
|
|
14
4
|
import { AUDITOR_CLI_VERSION } from "../runtime/version.js";
|
|
15
|
-
import {
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
const ApprovalContextSchema = z
|
|
19
|
-
.object({
|
|
20
|
-
request_id: z.string().nullable().optional(),
|
|
21
|
-
grant: z.string().nullable().optional(),
|
|
22
|
-
})
|
|
23
|
-
.optional();
|
|
24
|
-
const GuardInputSchema = z.object({
|
|
25
|
-
mode: GuardModeSchema,
|
|
26
|
-
proposal: z.object({
|
|
27
|
-
kind: ProposalKindSchema,
|
|
28
|
-
argv: z.array(z.string()).min(1),
|
|
29
|
-
cwd: z.string().optional(),
|
|
30
|
-
raw_command: z.string().optional(),
|
|
31
|
-
}),
|
|
32
|
-
context: z
|
|
33
|
-
.object({
|
|
34
|
-
provider: z.string().optional(),
|
|
35
|
-
session_id: z.string().optional(),
|
|
36
|
-
trace_id: z.string().optional(),
|
|
37
|
-
agent_id: z.string().optional(),
|
|
38
|
-
user_id: z.string().optional(),
|
|
39
|
-
environment: z.string().optional(),
|
|
40
|
-
approval: ApprovalContextSchema,
|
|
41
|
-
wait_ms: z.number().int().nonnegative().optional(),
|
|
42
|
-
tool_input_sha256: z.string().nullable().optional(),
|
|
43
|
-
})
|
|
44
|
-
.optional(),
|
|
45
|
-
});
|
|
46
|
-
const GUARD_TOOL_DESCRIPTION = "Policy gatekeeper for agent actions. Evaluates a proposal argv against policies.v1.json. " +
|
|
47
|
-
"Required `mode`: `shadow` (dry-run — response `decision` is always `allow`; see `shadow` for the policy verdict) " +
|
|
48
|
-
"or `enforce` (coordination — real `allow` / `require_approval` / `block`; runs human approval for MUTATE). " +
|
|
49
|
-
"For MUTATE after approval, pass `context.approval.request_id` (and optional `grant`) from the app or dev CLI.";
|
|
50
|
-
const GUARD_WAIT_TOOL_DESCRIPTION = "Poll until a MUTATE approval request is approved, redeem grant, and record a signed execution ticket for hooks. " +
|
|
51
|
-
"Uses enforce semantics (approval backend). Prefer this over a separate `guard` + retry. " +
|
|
52
|
-
"Set `context.wait_ms` (e.g. 120000) and `context.approval.request_id` from hook deny or a prior `guard` call.";
|
|
53
|
-
const DEFAULT_HEARTBEAT_URL = prodFunctionUrl("guardHeartbeat");
|
|
54
|
-
const HEARTBEAT_BASE_INTERVAL_MS = 5 * 60 * 1000;
|
|
55
|
-
const HEARTBEAT_MAX_INTERVAL_MS = 30 * 60 * 1000;
|
|
56
|
-
let heartbeatTimer = null;
|
|
57
|
-
let consecutiveIdleHeartbeats = 0;
|
|
58
|
-
function getNextHeartbeatInterval() {
|
|
59
|
-
if (consecutiveIdleHeartbeats < 3)
|
|
60
|
-
return HEARTBEAT_BASE_INTERVAL_MS;
|
|
61
|
-
return Math.min(HEARTBEAT_BASE_INTERVAL_MS * Math.pow(1.5, consecutiveIdleHeartbeats - 2), HEARTBEAT_MAX_INTERVAL_MS);
|
|
62
|
-
}
|
|
63
|
-
function scheduleNextHeartbeat() {
|
|
64
|
-
if (heartbeatTimer)
|
|
65
|
-
clearTimeout(heartbeatTimer);
|
|
66
|
-
heartbeatTimer = setTimeout(async () => {
|
|
67
|
-
consecutiveIdleHeartbeats++;
|
|
68
|
-
await sendGuardHeartbeat();
|
|
69
|
-
scheduleNextHeartbeat();
|
|
70
|
-
}, getNextHeartbeatInterval());
|
|
71
|
-
}
|
|
72
|
-
function resetHeartbeatIdle() {
|
|
73
|
-
consecutiveIdleHeartbeats = 0;
|
|
74
|
-
}
|
|
75
|
-
async function sendGuardHeartbeat() {
|
|
76
|
-
const heartbeatUrl = process.env.PRAXIS_GUARD_HEARTBEAT_URL || DEFAULT_HEARTBEAT_URL;
|
|
77
|
-
const token = resolveGuardToken();
|
|
78
|
-
if (!token)
|
|
79
|
-
return;
|
|
80
|
-
const payload = {
|
|
81
|
-
installId: getInstallId(),
|
|
82
|
-
kind: "auditor-mcp",
|
|
83
|
-
version: AUDITOR_CLI_VERSION,
|
|
84
|
-
status: "running",
|
|
85
|
-
client: {
|
|
86
|
-
os: process.platform,
|
|
87
|
-
arch: process.arch,
|
|
88
|
-
node: process.version,
|
|
89
|
-
},
|
|
90
|
-
};
|
|
91
|
-
try {
|
|
92
|
-
const res = await fetch(heartbeatUrl, {
|
|
93
|
-
method: "POST",
|
|
94
|
-
headers: {
|
|
95
|
-
Authorization: `Bearer ${token}`,
|
|
96
|
-
"Content-Type": "application/json",
|
|
97
|
-
},
|
|
98
|
-
body: JSON.stringify(payload),
|
|
99
|
-
signal: AbortSignal.timeout(3000),
|
|
100
|
-
});
|
|
101
|
-
if (!res.ok) {
|
|
102
|
-
process.stderr.write(`[auditor:mcp] heartbeat failed (${res.status}).\n`);
|
|
103
|
-
}
|
|
104
|
-
}
|
|
105
|
-
catch (err) {
|
|
106
|
-
const msg = err instanceof Error ? err.message : String(err);
|
|
107
|
-
process.stderr.write(`[auditor:mcp] heartbeat error: ${msg}\n`);
|
|
108
|
-
}
|
|
109
|
-
}
|
|
110
|
-
async function evaluateGuard(input, policyState) {
|
|
111
|
-
const startedAt = performance.now();
|
|
112
|
-
const event_id = uuidv4();
|
|
113
|
-
resetHeartbeatIdle();
|
|
114
|
-
policyState.policy = await loadPoliciesV1();
|
|
115
|
-
policyState.policyRevision = await readPoliciesV1Revision();
|
|
116
|
-
const storageRoot = resolveGuardStorageRoot(input.proposal.cwd);
|
|
117
|
-
const argv = input.proposal.raw_command
|
|
118
|
-
? parseCommandToArgv(input.proposal.raw_command)
|
|
119
|
-
: input.proposal.argv;
|
|
120
|
-
const { skipped, evaluation } = input.proposal.kind === "shell"
|
|
121
|
-
? evaluateShellProposal(policyState.policy, argv)
|
|
122
|
-
: evaluateMcpProposal(policyState.policy, argv);
|
|
123
|
-
const tier = evaluation.tier;
|
|
124
|
-
const reasons = [...evaluation.reasons];
|
|
125
|
-
const policyReasons = [...evaluation.reasons];
|
|
126
|
-
let enforceDecision = tierToPolicyDecision(tier, skipped);
|
|
127
|
-
let approvalBlock = {
|
|
128
|
-
required: false,
|
|
129
|
-
request_id: null,
|
|
130
|
-
expires_at: null,
|
|
131
|
-
open_url: null,
|
|
132
|
-
instructions: null,
|
|
133
|
-
redeemed: false,
|
|
134
|
-
approved_by: null,
|
|
135
|
-
};
|
|
136
|
-
let approvalRequestId = null;
|
|
137
|
-
if (skipped) {
|
|
138
|
-
enforceDecision = "allow";
|
|
139
|
-
}
|
|
140
|
-
else if (tier === "DESTRUCTIVE") {
|
|
141
|
-
enforceDecision = "block";
|
|
142
|
-
approvalBlock.instructions =
|
|
143
|
-
"DESTRUCTIVE actions cannot be approved via guard. Escalate outside the agent loop.";
|
|
144
|
-
}
|
|
145
|
-
else if (tier === "READ") {
|
|
146
|
-
enforceDecision = "allow";
|
|
147
|
-
}
|
|
148
|
-
else if (input.mode === "shadow") {
|
|
149
|
-
enforceDecision = "require_approval";
|
|
150
|
-
approvalBlock.instructions =
|
|
151
|
-
"Shadow mode: no approval request created. Re-call with mode enforce to coordinate human approval.";
|
|
152
|
-
}
|
|
153
|
-
else {
|
|
154
|
-
const hasToken = Boolean(resolveGuardToken());
|
|
155
|
-
if (!hasToken) {
|
|
156
|
-
enforceDecision = "require_approval";
|
|
157
|
-
approvalBlock = {
|
|
158
|
-
required: true,
|
|
159
|
-
request_id: null,
|
|
160
|
-
expires_at: null,
|
|
161
|
-
open_url: null,
|
|
162
|
-
instructions: "MUTATE requires human approval. Run `auditor login` (or set PRAXIS_GUARD_TOKEN), then call guard again.",
|
|
163
|
-
redeemed: false,
|
|
164
|
-
approved_by: null,
|
|
165
|
-
};
|
|
166
|
-
reasons.push({
|
|
167
|
-
code: "approval_backend_unavailable",
|
|
168
|
-
message: "No guard token; cannot create approval request.",
|
|
169
|
-
});
|
|
170
|
-
}
|
|
171
|
-
else {
|
|
172
|
-
const outcome = await resolveMutateApproval({
|
|
173
|
-
argv,
|
|
174
|
-
proposalKind: input.proposal.kind,
|
|
175
|
-
storageRoot,
|
|
176
|
-
rawDisplay: input.proposal.raw_command ?? argv.join(" "),
|
|
177
|
-
eventId: event_id,
|
|
178
|
-
policyRevision: policyState.policyRevision,
|
|
179
|
-
reasons,
|
|
180
|
-
sessionId: input.context?.session_id ?? null,
|
|
181
|
-
environment: input.context?.environment ?? null,
|
|
182
|
-
approval: input.context?.approval ?? null,
|
|
183
|
-
waitMs: input.context?.wait_ms ?? null,
|
|
184
|
-
tool_input_sha256: input.context?.tool_input_sha256 ?? null,
|
|
185
|
-
});
|
|
186
|
-
if (outcome.kind === "allow") {
|
|
187
|
-
if (!outcome.ticketRecorded) {
|
|
188
|
-
enforceDecision = "require_approval";
|
|
189
|
-
approvalRequestId = outcome.request_id;
|
|
190
|
-
approvalBlock = {
|
|
191
|
-
required: true,
|
|
192
|
-
request_id: outcome.request_id,
|
|
193
|
-
expires_at: null,
|
|
194
|
-
open_url: null,
|
|
195
|
-
instructions: "Approval redeemed but execution ticket was not written under .cursor/guard/tickets. Fix permissions and call guard_wait again.",
|
|
196
|
-
redeemed: false,
|
|
197
|
-
approved_by: outcome.approved_by,
|
|
198
|
-
};
|
|
199
|
-
reasons.push({
|
|
200
|
-
code: "hook_credential_not_recorded",
|
|
201
|
-
message: "Execution ticket file was not recorded for hooks.",
|
|
202
|
-
});
|
|
203
|
-
}
|
|
204
|
-
else {
|
|
205
|
-
enforceDecision = "allow";
|
|
206
|
-
approvalRequestId = outcome.request_id;
|
|
207
|
-
approvalBlock = {
|
|
208
|
-
required: false,
|
|
209
|
-
request_id: outcome.request_id,
|
|
210
|
-
expires_at: null,
|
|
211
|
-
open_url: null,
|
|
212
|
-
instructions: "Approval redeemed; retry the same shell/MCP invocation (hook consumes execution ticket).",
|
|
213
|
-
redeemed: outcome.redeemed,
|
|
214
|
-
approved_by: outcome.approved_by,
|
|
215
|
-
};
|
|
216
|
-
reasons.push({
|
|
217
|
-
code: "execution_ticket_recorded",
|
|
218
|
-
message: "Recorded signed execution ticket for hooks (same argv within TTL).",
|
|
219
|
-
});
|
|
220
|
-
}
|
|
221
|
-
}
|
|
222
|
-
else if (outcome.kind === "credential_not_recorded") {
|
|
223
|
-
enforceDecision = "require_approval";
|
|
224
|
-
approvalRequestId = outcome.request_id;
|
|
225
|
-
approvalBlock = {
|
|
226
|
-
required: true,
|
|
227
|
-
request_id: outcome.request_id,
|
|
228
|
-
expires_at: null,
|
|
229
|
-
open_url: null,
|
|
230
|
-
instructions: `${outcome.message} Hooks will deny until a credential is recorded; retry guard after fixing local write permissions.`,
|
|
231
|
-
redeemed: false,
|
|
232
|
-
approved_by: null,
|
|
233
|
-
};
|
|
234
|
-
reasons.push({
|
|
235
|
-
code: "hook_credential_not_recorded",
|
|
236
|
-
message: outcome.message,
|
|
237
|
-
});
|
|
238
|
-
}
|
|
239
|
-
else if (outcome.kind === "require_approval") {
|
|
240
|
-
enforceDecision = "require_approval";
|
|
241
|
-
approvalRequestId = outcome.request_id;
|
|
242
|
-
approvalBlock = {
|
|
243
|
-
required: true,
|
|
244
|
-
request_id: outcome.request_id,
|
|
245
|
-
expires_at: outcome.expires_at,
|
|
246
|
-
open_url: outcome.open_url,
|
|
247
|
-
instructions: "Human must approve in the Praxis app (or dev: `auditor approvals approve <id>`). Prefer guard_wait with context.approval.request_id and context.wait_ms, then retry once.",
|
|
248
|
-
redeemed: false,
|
|
249
|
-
approved_by: null,
|
|
250
|
-
};
|
|
251
|
-
}
|
|
252
|
-
else {
|
|
253
|
-
enforceDecision = "require_approval";
|
|
254
|
-
approvalBlock = {
|
|
255
|
-
required: true,
|
|
256
|
-
request_id: input.context?.approval?.request_id ?? null,
|
|
257
|
-
expires_at: null,
|
|
258
|
-
open_url: null,
|
|
259
|
-
instructions: `Approval backend error: ${outcome.message}. Hooks will deny MUTATE until resolved.`,
|
|
260
|
-
redeemed: false,
|
|
261
|
-
approved_by: null,
|
|
262
|
-
};
|
|
263
|
-
reasons.push({
|
|
264
|
-
code: "approval_backend_unavailable",
|
|
265
|
-
message: outcome.message,
|
|
266
|
-
});
|
|
267
|
-
}
|
|
268
|
-
}
|
|
269
|
-
}
|
|
270
|
-
const { decision, shadow } = applyGuardMode({
|
|
271
|
-
mode: input.mode,
|
|
272
|
-
skipped,
|
|
273
|
-
tier,
|
|
274
|
-
policyReasons,
|
|
275
|
-
enforceDecision,
|
|
276
|
-
});
|
|
277
|
-
const response = {
|
|
278
|
-
mode: input.mode,
|
|
279
|
-
decision,
|
|
280
|
-
skipped,
|
|
281
|
-
tier,
|
|
282
|
-
risk_score: skipped ? 0 : tier === "READ" ? 0 : tier === "MUTATE" ? 60 : 95,
|
|
283
|
-
reasons,
|
|
284
|
-
shadow,
|
|
285
|
-
approval: approvalBlock,
|
|
286
|
-
audit: {
|
|
287
|
-
event_id,
|
|
288
|
-
timestamp: new Date().toISOString(),
|
|
289
|
-
latency_ms: performance.now() - startedAt,
|
|
290
|
-
},
|
|
291
|
-
execution: {
|
|
292
|
-
attempted: false,
|
|
293
|
-
result: null,
|
|
294
|
-
},
|
|
295
|
-
};
|
|
296
|
-
const firstReason = reasons.find((r) => typeof r?.message === "string")?.message ??
|
|
297
|
-
reasons.find((r) => typeof r?.code === "string")?.code ??
|
|
298
|
-
null;
|
|
299
|
-
const actionVerb = argv[1] ?? null;
|
|
300
|
-
const actionResource = argv.length > 2 ? argv.slice(2).join(" ") : null;
|
|
301
|
-
const status = resolveGuardAuditStatus({ skipped, decision });
|
|
302
|
-
void sendGuardEvent({
|
|
303
|
-
ts: new Date().toISOString(),
|
|
304
|
-
status,
|
|
305
|
-
skipped,
|
|
306
|
-
...(skipped
|
|
307
|
-
? {
|
|
308
|
-
skip_reason: input.proposal.kind === "shell" ? "ungoverned_shell_tool" : "mcp_policy_unmatched",
|
|
309
|
-
}
|
|
310
|
-
: {}),
|
|
311
|
-
tool: "auditor-mcp",
|
|
312
|
-
command_path: argv[0] ?? null,
|
|
313
|
-
verb: actionVerb,
|
|
314
|
-
resource: actionResource,
|
|
315
|
-
reason: firstReason,
|
|
316
|
-
cmd: argv.join(" "),
|
|
317
|
-
tier,
|
|
318
|
-
decision,
|
|
319
|
-
latency_ms: performance.now() - startedAt,
|
|
320
|
-
event_id,
|
|
321
|
-
installId: getInstallId(),
|
|
322
|
-
kind: input.proposal.kind,
|
|
323
|
-
...(policyState.policyRevision !== null
|
|
324
|
-
? { policy_revision: policyState.policyRevision }
|
|
325
|
-
: {}),
|
|
326
|
-
...(approvalRequestId ? { approval_request_id: approvalRequestId } : {}),
|
|
327
|
-
});
|
|
328
|
-
return { response, startedAt };
|
|
329
|
-
}
|
|
5
|
+
import { evaluateGuard } from "./evaluate-guard.js";
|
|
6
|
+
import { startGuardHeartbeatLoop } from "./guard-heartbeat.js";
|
|
7
|
+
import { GuardInputSchema, GUARD_TOOL_DESCRIPTION, GUARD_WAIT_TOOL_DESCRIPTION, } from "./guard-schemas.js";
|
|
330
8
|
/** Start the Praxis `guard` MCP server on stdio (blocks until disconnect). */
|
|
331
9
|
export async function runMcpStdioServer() {
|
|
332
10
|
const policyState = {
|
|
333
11
|
policy: await loadPoliciesV1(),
|
|
334
12
|
policyRevision: await readPoliciesV1Revision(),
|
|
335
13
|
};
|
|
336
|
-
|
|
337
|
-
scheduleNextHeartbeat();
|
|
14
|
+
startGuardHeartbeatLoop();
|
|
338
15
|
const server = new McpServer({
|
|
339
16
|
name: "praxis-guard",
|
|
340
17
|
version: AUDITOR_CLI_VERSION,
|
package/dist/mcp/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAEvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAsB,MAAM,iBAAiB,CAAC;AAC3F,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;AACtD,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;AAEpD,MAAM,qBAAqB,GAAG,CAAC;KAC5B,MAAM,CAAC;IACN,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC5C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACxC,CAAC;KACD,QAAQ,EAAE,CAAC;AAEd,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,eAAe;IACrB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACE,OAAO,EAAE,CAAC;SACX,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,qBAAqB;QAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;QAClD,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KACpD,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAC1B,2FAA2F;IAC3F,mHAAmH;IACnH,6GAA6G;IAC7G,+GAA+G,CAAC;AAElH,MAAM,2BAA2B,GAC/B,kHAAkH;IAClH,0FAA0F;IAC1F,+GAA+G,CAAC;AAElH,MAAM,qBAAqB,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;AAEhE,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,IAAI,cAAc,GAAyC,IAAI,CAAC;AAChE,IAAI,yBAAyB,GAAG,CAAC,CAAC;AAElC,SAAS,wBAAwB;IAC/B,IAAI,yBAAyB,GAAG,CAAC;QAAE,OAAO,0BAA0B,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,CACb,0BAA0B,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,GAAG,CAAC,CAAC,EACzE,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB;IAC5B,IAAI,cAAc;QAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IACjD,cAAc,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QACrC,yBAAyB,EAAE,CAAC;QAC5B,MAAM,kBAAkB,EAAE,CAAC;QAC3B,qBAAqB,EAAE,CAAC;IAC1B,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,kBAAkB;IACzB,yBAAyB,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,qBAAqB,CAAC;IACrF,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,MAAM,OAAO,GAAG;QACd,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE;YACN,EAAE,EAAE,OAAO,CAAC,QAAQ;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,OAAO;SACtB;KACF,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,KAAuC,EACvC,WAAkG;IAElG,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC;IAC1B,kBAAkB,EAAE,CAAC;IAErB,WAAW,CAAC,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IAC5C,WAAW,CAAC,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IAE5D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAEhE,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW;QACrC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;QAChD,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;IAExB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAC3B,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO;QAC7B,CAAC,CAAC,qBAAqB,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC;QACjD,CAAC,CAAC,mBAAmB,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAEpD,MAAM,IAAI,GAAS,UAAU,CAAC,IAAI,CAAC;IACnC,MAAM,OAAO,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,aAAa,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAE9C,IAAI,eAAe,GAAkB,oBAAoB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACzE,IAAI,aAAa,GAA4B;QAC3C,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,IAAI;KAClB,CAAC;IACF,IAAI,iBAAiB,GAAkB,IAAI,CAAC;IAE5C,IAAI,OAAO,EAAE,CAAC;QACZ,eAAe,GAAG,OAAO,CAAC;IAC5B,CAAC;SAAM,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAClC,eAAe,GAAG,OAAO,CAAC;QAC1B,aAAa,CAAC,YAAY;YACxB,oFAAoF,CAAC;IACzF,CAAC;SAAM,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QAC3B,eAAe,GAAG,OAAO,CAAC;IAC5B,CAAC;SAAM,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACnC,eAAe,GAAG,kBAAkB,CAAC;QACrC,aAAa,CAAC,YAAY;YACxB,mGAAmG,CAAC;IACxG,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,eAAe,GAAG,kBAAkB,CAAC;YACrC,aAAa,GAAG;gBACd,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,IAAI;gBAChB,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,YAAY,EACV,yGAAyG;gBAC3G,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,IAAI;aAClB,CAAC;YACF,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,8BAA8B;gBACpC,OAAO,EAAE,iDAAiD;aAC3D,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC;gBAC1C,IAAI;gBACJ,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;gBACjC,WAAW;gBACX,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;gBACxD,OAAO,EAAE,QAAQ;gBACjB,cAAc,EAAE,WAAW,CAAC,cAAc;gBAC1C,OAAO;gBACP,SAAS,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,IAAI,IAAI;gBAC5C,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE,WAAW,IAAI,IAAI;gBAC/C,QAAQ,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,IAAI,IAAI;gBACzC,MAAM,EAAE,KAAK,CAAC,OAAO,EAAE,OAAO,IAAI,IAAI;gBACtC,iBAAiB,EAAE,KAAK,CAAC,OAAO,EAAE,iBAAiB,IAAI,IAAI;aAC5D,CAAC,CAAC;YAEH,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;oBAC5B,eAAe,GAAG,kBAAkB,CAAC;oBACrC,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC;oBACvC,aAAa,GAAG;wBACd,QAAQ,EAAE,IAAI;wBACd,UAAU,EAAE,OAAO,CAAC,UAAU;wBAC9B,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,IAAI;wBACd,YAAY,EACV,gIAAgI;wBAClI,QAAQ,EAAE,KAAK;wBACf,WAAW,EAAE,OAAO,CAAC,WAAW;qBACjC,CAAC;oBACF,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI,EAAE,8BAA8B;wBACpC,OAAO,EAAE,mDAAmD;qBAC7D,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG,OAAO,CAAC;oBAC1B,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC;oBACvC,aAAa,GAAG;wBACd,QAAQ,EAAE,KAAK;wBACf,UAAU,EAAE,OAAO,CAAC,UAAU;wBAC9B,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,IAAI;wBACd,YAAY,EACV,0FAA0F;wBAC5F,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;qBACjC,CAAC;oBACF,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI,EAAE,2BAA2B;wBACjC,OAAO,EACL,oEAAoE;qBACvE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;gBACtD,eAAe,GAAG,kBAAkB,CAAC;gBACrC,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC;gBACvC,aAAa,GAAG;oBACd,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,IAAI;oBACd,YAAY,EAAE,GAAG,OAAO,CAAC,OAAO,oGAAoG;oBACpI,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,IAAI;iBAClB,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,8BAA8B;oBACpC,OAAO,EAAE,OAAO,CAAC,OAAO;iBACzB,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,OAAO,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBAC/C,eAAe,GAAG,kBAAkB,CAAC;gBACrC,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC;gBACvC,aAAa,GAAG;oBACd,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,YAAY,EACV,2KAA2K;oBAC7K,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,IAAI;iBAClB,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,eAAe,GAAG,kBAAkB,CAAC;gBACrC,aAAa,GAAG;oBACd,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,IAAI,IAAI;oBACvD,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,IAAI;oBACd,YAAY,EAAE,2BAA2B,OAAO,CAAC,OAAO,0CAA0C;oBAClG,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,IAAI;iBAClB,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,8BAA8B;oBACpC,OAAO,EAAE,OAAO,CAAC,OAAO;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC;QAC1C,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,OAAO;QACP,IAAI;QACJ,aAAa;QACb,eAAe;KAChB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,QAAQ;QACR,OAAO;QACP,IAAI;QACJ,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE;QAC3E,OAAO;QACP,MAAM;QACN,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE;YACL,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;SAC1C;QACD,SAAS,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,IAAI;SACb;KACF,CAAC;IAEF,MAAM,WAAW,GACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC,EAAE,OAAO;QAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,KAAK,QAAQ,CAAC,EAAE,IAAI;QACtD,IAAI,CAAC;IACP,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACnC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACxE,MAAM,MAAM,GAAG,uBAAuB,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;IAE9D,KAAK,cAAc,CAAC;QAClB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,MAAM;QACN,OAAO;QACP,GAAG,CAAC,OAAO;YACT,CAAC,CAAC;gBACE,WAAW,EACT,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,sBAAsB;aACrF;YACH,CAAC,CAAC,EAAE,CAAC;QACP,IAAI,EAAE,aAAa;QACnB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QAC7B,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,cAAc;QACxB,MAAM,EAAE,WAAW;QACnB,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QACnB,IAAI;QACJ,QAAQ;QACR,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;QACzC,QAAQ;QACR,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;QACzB,GAAG,CAAC,WAAW,CAAC,cAAc,KAAK,IAAI;YACrC,CAAC,CAAC,EAAE,eAAe,EAAE,WAAW,CAAC,cAAc,EAAE;YACjD,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACzE,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED,8EAA8E;AAC9E,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,WAAW,GAAG;QAClB,MAAM,EAAE,MAAM,cAAc,EAAE;QAC9B,cAAc,EAAE,MAAM,sBAAsB,EAAE;KAC/C,CAAC;IACF,MAAM,kBAAkB,EAAE,CAAC;IAC3B,qBAAqB,EAAE,CAAC;IAExB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,mBAAmB;KAC7B,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,KAAK,EAAE,KAAuC,EAAE,EAAE;QAChE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,OAAO,EACP;QACE,WAAW,EAAE,sBAAsB;QACnC,WAAW,EAAE,gBAAgB;KAC9B,EACD,OAAO,CACR,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,YAAY,EACZ;QACE,WAAW,EAAE,2BAA2B;QACxC,WAAW,EAAE,gBAAgB;KAC9B,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC;QACjD,MAAM,QAAQ,GAAG;YACf,GAAG,KAAK;YACR,IAAI,EAAE,SAAkB;YACxB,OAAO,EAAE;gBACP,GAAG,KAAK,CAAC,OAAO;gBAChB,OAAO,EAAE,MAAM;aAChB;SACF,CAAC;QACF,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC3B,CAAC,CACF,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAC/D,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,2BAA2B,GAE5B,MAAM,oBAAoB,CAAC;AAE5B,8EAA8E;AAC9E,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,WAAW,GAAG;QAClB,MAAM,EAAE,MAAM,cAAc,EAAE;QAC9B,cAAc,EAAE,MAAM,sBAAsB,EAAE;KAC/C,CAAC;IACF,uBAAuB,EAAE,CAAC;IAE1B,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,mBAAmB;KAC7B,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,KAAK,EAAE,KAAiB,EAAE,EAAE;QAC1C,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,OAAO,EACP;QACE,WAAW,EAAE,sBAAsB;QACnC,WAAW,EAAE,gBAAgB;KAC9B,EACD,OAAO,CACR,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,YAAY,EACZ;QACE,WAAW,EAAE,2BAA2B;QACxC,WAAW,EAAE,gBAAgB;KAC9B,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC;QACjD,MAAM,QAAQ,GAAe;YAC3B,GAAG,KAAK;YACR,IAAI,EAAE,SAAS;YACf,OAAO,EAAE;gBACP,GAAG,KAAK,CAAC,OAAO;gBAChB,OAAO,EAAE,MAAM;aAChB;SACF,CAAC;QACF,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC3B,CAAC,CACF,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}
|
package/dist/policies.v1.json
CHANGED
package/dist/policy/index.d.ts
CHANGED
|
@@ -17,6 +17,10 @@ export declare const PoliciesV1Schema: z.ZodObject<{
|
|
|
17
17
|
MUTATE: "MUTATE";
|
|
18
18
|
DESTRUCTIVE: "DESTRUCTIVE";
|
|
19
19
|
}>>>>;
|
|
20
|
+
shell: z.ZodOptional<z.ZodObject<{
|
|
21
|
+
prelude_verbs: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
22
|
+
privilege_verbs: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
23
|
+
}, z.core.$strip>>;
|
|
20
24
|
}, z.core.$strip>;
|
|
21
25
|
export type PoliciesV1 = z.infer<typeof PoliciesV1Schema>;
|
|
22
26
|
export type Classification = {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,UAAU;;;;EAA4C,CAAC;AACpE,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAE9C,eAAO,MAAM,gBAAgB
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,UAAU;;;;EAA4C,CAAC;AACpE,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAE9C,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;iBAU3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,IAAI,CAAC;IACX,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,SAAS,IAAI,EAAE,QAOzD;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,UAAU,CAO5D;AAuBD,wBAAgB,qBAAqB,IAAI,MAAM,CAE9C;AAED,uGAAuG;AACvG,wBAAgB,sBAAsB,CAAC,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAK7E;AAED,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAIpE;AAED,wBAAgB,uBAAuB,IAAI,MAAM,CAEhD;AAED,wBAAsB,sBAAsB,CAAC,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAWnG;AA0BD,wBAAsB,cAAc,CAAC,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAUxF;AA0BD,wBAAgB,YAAY,CAC1B,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE,SAAS,MAAM,EAAE,GACtB;IAAE,cAAc,EAAE,cAAc,CAAC;IAAC,KAAK,EAAE;QAAE,cAAc,EAAE,OAAO,CAAC;QAAC,eAAe,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,CAoFlG"}
|
package/dist/policy/index.js
CHANGED
|
@@ -9,6 +9,12 @@ export const PoliciesV1Schema = z.object({
|
|
|
9
9
|
tiers: z.array(TierSchema).nonempty(),
|
|
10
10
|
dangerous_flags: z.array(z.string()),
|
|
11
11
|
policies: z.record(z.string(), z.record(z.string(), z.record(z.string(), TierSchema))),
|
|
12
|
+
shell: z
|
|
13
|
+
.object({
|
|
14
|
+
prelude_verbs: z.array(z.string()).optional(),
|
|
15
|
+
privilege_verbs: z.array(z.string()).optional(),
|
|
16
|
+
})
|
|
17
|
+
.optional(),
|
|
12
18
|
});
|
|
13
19
|
export function ensureTiersComplete(tiers) {
|
|
14
20
|
const s = new Set(tiers);
|
package/dist/policy/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;AAGpE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;AAGpE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;IACtF,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QAC7C,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAChD,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAYH,MAAM,UAAU,mBAAmB,CAAC,KAAsB;IACxD,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,KAAK,MAAM,QAAQ,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAU,EAAE,CAAC;QAClE,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qBAAqB,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvC,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,SAAS,yBAAyB;IAChC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,OAAO;QACL,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,qBAAqB,CAAC;QACzC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,mCAAmC,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B;IACjC,KAAK,MAAM,SAAS,IAAI,yBAAyB,EAAE,EAAE,CAAC;QACpD,IAAI,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;IAC9C,CAAC;IACD,MAAM,IAAI,KAAK,CACb,8CAA8C,yBAAyB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9G,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC3D,CAAC;AAED,uGAAuG;AACvG,MAAM,UAAU,sBAAsB,CAAC,IAA8B;IACnE,IAAI,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC5D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,CAAC;IAC5D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,OAAO,qBAAqB,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,cAAsB;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,YAAY,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,qBAAqB,CAAC,qBAAqB,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,IAA8B;IACzE,MAAM,UAAU,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IACnD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA2B,CAAC;QACzD,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,0BAA0B,CAAC,UAAkB;IAC1D,IAAI,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO;IAEnC,MAAM,WAAW,GAAG,0BAA0B,EAAE,CAAC;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAG,GAAG,UAAU,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;IACrD,MAAM,QAAQ,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACvC,MAAM,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpC,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG;YACpB,QAAQ,EAAE,CAAC;YACX,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,MAAM,EAAE,mBAAmB;SAC5B,CAAC;QACF,MAAM,OAAO,GAAG,GAAG,QAAQ,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QACjD,MAAM,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAA8B;IACjE,MAAM,UAAU,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,0BAA0B,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,4BAA4B,UAAU,KAAK,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAuB;IAChD,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAuB,EAAE,cAAiC;IACnF,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IAClC,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,iBAAiB,CACxB,YAAkC,EAClC,IAAuB,EACvB,SAAiB,EACjB,KAAoB;IAEpB,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,KAAK,EAAE,CAAC;IACrC,IAAI,YAAY,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAkB,EAClB,IAAuB;IAEvB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC7B,MAAM,cAAc,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,eAAe,GAAG,iBAAiB,CAAC,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IAExE,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;YACxF,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;SAC3C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,SAAS,GAAyC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAG3E,CAAC;IAEF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC;QACnC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBACnF,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;aAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAC7B,IAAI,IAAsB,CAAC;QAC3B,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,IAAI,IAAI,KAAK,SAAS;gBAAE,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO;gBACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBAC7E,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;aAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAClG,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;QACtC,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,IAAK,EAA2B,CAAC;QACxE,MAAM,IAAI,GAAG,iBAAiB,CAAC,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QAErE,IAAI,IAAsB,CAAC;QAC3B,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAC1B,IAAI,IAAI,KAAK,SAAS;gBAAE,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO;gBACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;gBACrF,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;aAC3C,CAAC;QACJ,CAAC;QAED,OAAO;YACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;YAC1E,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;SAC3C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAC9G,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;KAC3C,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import type { Tier } from "../policy/index.js";
|
|
2
|
+
import type { ShellAnalysis, ShellApprovalFingerprintPayload, ShellInvocation } from "./analyze-command.types.js";
|
|
3
|
+
import type { GuardEvaluation } from "./guard-eval.js";
|
|
4
|
+
import type { ShellOperator } from "./parse-segments.js";
|
|
5
|
+
export declare function rawMetacharactersInCommand(command: string): boolean;
|
|
6
|
+
export declare function extractNestedShellScript(argv: readonly string[]): string | null;
|
|
7
|
+
export declare function aggregateTier(invocations: ShellInvocation[], rawMetacharacters: boolean): Tier;
|
|
8
|
+
export declare function buildFingerprintPayload(segments: {
|
|
9
|
+
argv: string[];
|
|
10
|
+
}[], operators: ShellOperator[], invocations: ShellInvocation[]): ShellApprovalFingerprintPayload;
|
|
11
|
+
export declare function selectPrimary(invocations: ShellInvocation[]): {
|
|
12
|
+
canonical_argv: string[];
|
|
13
|
+
evaluation: GuardEvaluation;
|
|
14
|
+
};
|
|
15
|
+
export declare function failClosedAnalysis(command: string, rawMetacharacters: boolean): ShellAnalysis;
|
|
16
|
+
//# sourceMappingURL=analyze-command-aggregate.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-aggregate.d.ts","sourceRoot":"","sources":["../../src/shell/analyze-command-aggregate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAE/C,OAAO,KAAK,EACV,aAAa,EACb,+BAA+B,EAC/B,eAAe,EAChB,MAAM,4BAA4B,CAAC;AACpC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAUzD,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAGnE;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAM/E;AAED,wBAAgB,aAAa,CAAC,WAAW,EAAE,eAAe,EAAE,EAAE,iBAAiB,EAAE,OAAO,GAAG,IAAI,CAO9F;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE;IAAE,IAAI,EAAE,MAAM,EAAE,CAAA;CAAE,EAAE,EAC9B,SAAS,EAAE,aAAa,EAAE,EAC1B,WAAW,EAAE,eAAe,EAAE,GAC7B,+BAA+B,CAejC;AAED,wBAAgB,aAAa,CAAC,WAAW,EAAE,eAAe,EAAE,GAAG;IAC7D,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,EAAE,eAAe,CAAC;CAC7B,CAyBA;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,OAAO,GAAG,aAAa,CAqB7F"}
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
import { stripTrailingBenignShellRedirectsForMetacharCheck } from "./strip-trailing-benign-shell-redirs.js";
|
|
2
|
+
const SHELL_NAMES = new Set(["bash", "sh", "zsh"]);
|
|
3
|
+
const TIER_RANK = { READ: 0, MUTATE: 1, DESTRUCTIVE: 2 };
|
|
4
|
+
function maxTier(a, b) {
|
|
5
|
+
return TIER_RANK[a] >= TIER_RANK[b] ? a : b;
|
|
6
|
+
}
|
|
7
|
+
export function rawMetacharactersInCommand(command) {
|
|
8
|
+
const stripped = stripTrailingBenignShellRedirectsForMetacharCheck(command);
|
|
9
|
+
return /(;|&&|\|\||\||`|>|<|\$\()/.test(stripped);
|
|
10
|
+
}
|
|
11
|
+
export function extractNestedShellScript(argv) {
|
|
12
|
+
const tool = argv[0];
|
|
13
|
+
if (!tool || !SHELL_NAMES.has(tool))
|
|
14
|
+
return null;
|
|
15
|
+
const cIndex = argv.indexOf("-c");
|
|
16
|
+
if (cIndex < 0 || cIndex + 1 >= argv.length)
|
|
17
|
+
return null;
|
|
18
|
+
return argv[cIndex + 1] ?? null;
|
|
19
|
+
}
|
|
20
|
+
export function aggregateTier(invocations, rawMetacharacters) {
|
|
21
|
+
let tier = "READ";
|
|
22
|
+
for (const inv of invocations) {
|
|
23
|
+
tier = maxTier(tier, inv.evaluation.tier);
|
|
24
|
+
}
|
|
25
|
+
if (rawMetacharacters && tier === "READ")
|
|
26
|
+
tier = "MUTATE";
|
|
27
|
+
return tier;
|
|
28
|
+
}
|
|
29
|
+
export function buildFingerprintPayload(segments, operators, invocations) {
|
|
30
|
+
const bySegment = new Map();
|
|
31
|
+
for (const inv of invocations) {
|
|
32
|
+
const list = bySegment.get(inv.segment_index) ?? [];
|
|
33
|
+
list.push({ canonical_argv: inv.canonical_argv, tier: inv.evaluation.tier });
|
|
34
|
+
bySegment.set(inv.segment_index, list);
|
|
35
|
+
}
|
|
36
|
+
return {
|
|
37
|
+
segments: segments.map((_, segment_index) => ({
|
|
38
|
+
segment_index,
|
|
39
|
+
invocations: bySegment.get(segment_index) ?? [],
|
|
40
|
+
})),
|
|
41
|
+
operators: [...operators],
|
|
42
|
+
};
|
|
43
|
+
}
|
|
44
|
+
export function selectPrimary(invocations) {
|
|
45
|
+
if (invocations.length === 0) {
|
|
46
|
+
return {
|
|
47
|
+
canonical_argv: [],
|
|
48
|
+
evaluation: {
|
|
49
|
+
argv: [],
|
|
50
|
+
tier: "READ",
|
|
51
|
+
reasons: [],
|
|
52
|
+
classification: { tool: null, command_path: null, verb: null, tier: "READ", matched: false },
|
|
53
|
+
flags: { metacharacters: false, dangerous_flags: false },
|
|
54
|
+
},
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
let primary = invocations[0];
|
|
58
|
+
for (const inv of invocations.slice(1)) {
|
|
59
|
+
if (TIER_RANK[inv.evaluation.tier] > TIER_RANK[primary.evaluation.tier]) {
|
|
60
|
+
primary = inv;
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
return {
|
|
64
|
+
canonical_argv: primary.canonical_argv,
|
|
65
|
+
evaluation: primary.evaluation,
|
|
66
|
+
};
|
|
67
|
+
}
|
|
68
|
+
export function failClosedAnalysis(command, rawMetacharacters) {
|
|
69
|
+
const evaluation = {
|
|
70
|
+
argv: ["<unparseable>", command],
|
|
71
|
+
tier: "MUTATE",
|
|
72
|
+
reasons: [{ code: "unparseable", message: "Command could not be parsed safely; fail closed." }],
|
|
73
|
+
classification: { tool: null, command_path: null, verb: null, tier: "MUTATE", matched: false },
|
|
74
|
+
flags: { metacharacters: rawMetacharacters, dangerous_flags: false },
|
|
75
|
+
};
|
|
76
|
+
return {
|
|
77
|
+
raw_command: command,
|
|
78
|
+
segments: [{ argv: ["<unparseable>", command] }],
|
|
79
|
+
operators: [],
|
|
80
|
+
invocations: [],
|
|
81
|
+
primary: { canonical_argv: ["<unparseable>", command], evaluation },
|
|
82
|
+
approval_fingerprint_payload: { segments: [{ segment_index: 0, invocations: [] }], operators: [] },
|
|
83
|
+
skipped: false,
|
|
84
|
+
tier: "MUTATE",
|
|
85
|
+
raw_metacharacters: rawMetacharacters,
|
|
86
|
+
fail_closed: true,
|
|
87
|
+
};
|
|
88
|
+
}
|
|
89
|
+
//# sourceMappingURL=analyze-command-aggregate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-aggregate.js","sourceRoot":"","sources":["../../src/shell/analyze-command-aggregate.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,iDAAiD,EAAE,MAAM,yCAAyC,CAAC;AAE5G,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AACnD,MAAM,SAAS,GAAyB,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;AAE/E,SAAS,OAAO,CAAC,CAAO,EAAE,CAAO;IAC/B,OAAO,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAe;IACxD,MAAM,QAAQ,GAAG,iDAAiD,CAAC,OAAO,CAAC,CAAC;IAC5E,OAAO,2BAA2B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,IAAuB;IAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,WAA8B,EAAE,iBAA0B;IACtF,IAAI,IAAI,GAAS,MAAM,CAAC;IACxB,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,iBAAiB,IAAI,IAAI,KAAK,MAAM;QAAE,IAAI,GAAG,QAAQ,CAAC;IAC1D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAA8B,EAC9B,SAA0B,EAC1B,WAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,GAAG,EAAsD,CAAC;IAChF,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7E,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;YAC5C,aAAa;YACb,WAAW,EAAE,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE;SAChD,CAAC,CAAC;QACH,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC;KAC1B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,WAA8B;IAI1D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,cAAc,EAAE,EAAE;YAClB,UAAU,EAAE;gBACV,IAAI,EAAE,EAAE;gBACR,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,EAAE;gBACX,cAAc,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC5F,KAAK,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE;aACzD;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACxE,OAAO,GAAG,GAAG,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO;QACL,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,iBAA0B;IAC5E,MAAM,UAAU,GAAoB;QAClC,IAAI,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC;QAChC,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,kDAAkD,EAAE,CAAC;QAC/F,cAAc,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAC9F,KAAK,EAAE,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,EAAE;KACrE,CAAC;IAEF,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC,EAAE,CAAC;QAChD,SAAS,EAAE,EAAE;QACb,WAAW,EAAE,EAAE;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC,EAAE,UAAU,EAAE;QACnE,4BAA4B,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;QAClG,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,QAAQ;QACd,kBAAkB,EAAE,iBAAiB;QACrC,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { PoliciesV1 } from "../policy/index.js";
|
|
2
|
+
import type { ShellInvocation } from "./analyze-command.types.js";
|
|
3
|
+
import { type ShellPolicyConfig } from "./governed-tools.js";
|
|
4
|
+
/** Strip trailing fd redirects from argv before policy classification (e.g. `2>&1` from shell-quote). */
|
|
5
|
+
export declare function stripTrailingBenignRedirectArgv(argv: readonly string[]): string[];
|
|
6
|
+
export declare function findGovernedInvocationsInSegment(segmentArgv: readonly string[], segmentIndex: number, policy: PoliciesV1, governedTools: readonly string[], shellConfig: ShellPolicyConfig): ShellInvocation[];
|
|
7
|
+
export declare function resolveInvocationScanContext(policy: PoliciesV1): {
|
|
8
|
+
governedTools: readonly string[];
|
|
9
|
+
shellConfig: ShellPolicyConfig;
|
|
10
|
+
};
|
|
11
|
+
//# sourceMappingURL=analyze-command-invocations.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-invocations.d.ts","sourceRoot":"","sources":["../../src/shell/analyze-command-invocations.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAElE,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,qBAAqB,CAAC;AAI7B,yGAAyG;AACzG,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAoBjF;AA8DD,wBAAgB,gCAAgC,CAC9C,WAAW,EAAE,SAAS,MAAM,EAAE,EAC9B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,EAClB,aAAa,EAAE,SAAS,MAAM,EAAE,EAChC,WAAW,EAAE,iBAAiB,GAC7B,eAAe,EAAE,CA4BnB;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,UAAU;;;EAK9D"}
|