@praxis.guard/auditor-cli 0.0.33 → 0.0.35
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/approval/argv-fingerprint.d.ts +10 -1
- package/dist/approval/argv-fingerprint.d.ts.map +1 -1
- package/dist/approval/argv-fingerprint.js +10 -1
- package/dist/approval/argv-fingerprint.js.map +1 -1
- package/dist/approval/hook-inline-approval.d.ts +2 -0
- package/dist/approval/hook-inline-approval.d.ts.map +1 -1
- package/dist/approval/hook-inline-approval.js +6 -2
- package/dist/approval/hook-inline-approval.js.map +1 -1
- package/dist/approval/mcp-flow.d.ts +4 -2
- package/dist/approval/mcp-flow.d.ts.map +1 -1
- package/dist/approval/mcp-flow.js +9 -3
- package/dist/approval/mcp-flow.js.map +1 -1
- package/dist/approval/redeem.d.ts +2 -0
- package/dist/approval/redeem.d.ts.map +1 -1
- package/dist/approval/redeem.js +7 -2
- package/dist/approval/redeem.js.map +1 -1
- package/dist/bridge/execution-ticket.d.ts +3 -0
- package/dist/bridge/execution-ticket.d.ts.map +1 -1
- package/dist/bridge/execution-ticket.js +38 -9
- package/dist/bridge/execution-ticket.js.map +1 -1
- package/dist/bridge/shell-approval-bridge.d.ts +14 -5
- package/dist/bridge/shell-approval-bridge.d.ts.map +1 -1
- package/dist/bridge/shell-approval-bridge.js +47 -24
- package/dist/bridge/shell-approval-bridge.js.map +1 -1
- package/dist/hooks/agent-message.d.ts.map +1 -1
- package/dist/hooks/agent-message.js +26 -14
- package/dist/hooks/agent-message.js.map +1 -1
- package/dist/hooks/before-shell-io.d.ts +3 -0
- package/dist/hooks/before-shell-io.d.ts.map +1 -0
- package/dist/hooks/before-shell-io.js +26 -0
- package/dist/hooks/before-shell-io.js.map +1 -0
- package/dist/hooks/before-shell-mutate.d.ts +23 -0
- package/dist/hooks/before-shell-mutate.d.ts.map +1 -0
- package/dist/hooks/before-shell-mutate.js +74 -0
- package/dist/hooks/before-shell-mutate.js.map +1 -0
- package/dist/hooks/before-shell-skipped.d.ts +11 -0
- package/dist/hooks/before-shell-skipped.d.ts.map +1 -0
- package/dist/hooks/before-shell-skipped.js +49 -0
- package/dist/hooks/before-shell-skipped.js.map +1 -0
- package/dist/hooks/before-shell-types.d.ts +12 -0
- package/dist/hooks/before-shell-types.d.ts.map +1 -0
- package/dist/hooks/before-shell-types.js +2 -0
- package/dist/hooks/before-shell-types.js.map +1 -0
- package/dist/hooks/run-before-shell.d.ts +2 -10
- package/dist/hooks/run-before-shell.d.ts.map +1 -1
- package/dist/hooks/run-before-shell.js +63 -142
- package/dist/hooks/run-before-shell.js.map +1 -1
- package/dist/index.d.ts +2 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -2
- package/dist/index.js.map +1 -1
- package/dist/mcp/evaluate-guard.d.ts.map +1 -1
- package/dist/mcp/evaluate-guard.js +20 -9
- package/dist/mcp/evaluate-guard.js.map +1 -1
- package/dist/mcp/guard-approval-block.d.ts +1 -0
- package/dist/mcp/guard-approval-block.d.ts.map +1 -1
- package/dist/mcp/guard-approval-block.js +1 -0
- package/dist/mcp/guard-approval-block.js.map +1 -1
- package/dist/policies.v1.json +4 -0
- package/dist/policy/index.d.ts +4 -0
- package/dist/policy/index.d.ts.map +1 -1
- package/dist/policy/index.js +6 -0
- package/dist/policy/index.js.map +1 -1
- package/dist/shell/analyze-command-aggregate.d.ts +16 -0
- package/dist/shell/analyze-command-aggregate.d.ts.map +1 -0
- package/dist/shell/analyze-command-aggregate.js +89 -0
- package/dist/shell/analyze-command-aggregate.js.map +1 -0
- package/dist/shell/analyze-command-invocations.d.ts +11 -0
- package/dist/shell/analyze-command-invocations.d.ts.map +1 -0
- package/dist/shell/analyze-command-invocations.js +113 -0
- package/dist/shell/analyze-command-invocations.js.map +1 -0
- package/dist/shell/analyze-command.d.ts +7 -0
- package/dist/shell/analyze-command.d.ts.map +1 -0
- package/dist/shell/analyze-command.js +46 -0
- package/dist/shell/analyze-command.js.map +1 -0
- package/dist/shell/analyze-command.types.d.ts +38 -0
- package/dist/shell/analyze-command.types.d.ts.map +1 -0
- package/dist/shell/analyze-command.types.js +2 -0
- package/dist/shell/analyze-command.types.js.map +1 -0
- package/dist/shell/evaluate.d.ts +15 -18
- package/dist/shell/evaluate.d.ts.map +1 -1
- package/dist/shell/evaluate.js +57 -47
- package/dist/shell/evaluate.js.map +1 -1
- package/dist/shell/governed-tools.d.ts +18 -1
- package/dist/shell/governed-tools.d.ts.map +1 -1
- package/dist/shell/governed-tools.js +60 -1
- package/dist/shell/governed-tools.js.map +1 -1
- package/dist/shell/guard-eval.d.ts +15 -0
- package/dist/shell/guard-eval.d.ts.map +1 -0
- package/dist/shell/guard-eval.js +35 -0
- package/dist/shell/guard-eval.js.map +1 -0
- package/dist/shell/parse-segments.d.ts +14 -0
- package/dist/shell/parse-segments.d.ts.map +1 -0
- package/dist/shell/parse-segments.js +41 -0
- package/dist/shell/parse-segments.js.map +1 -0
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"run-before-shell.js","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"run-before-shell.js","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAEvF,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,6BAA6B,EAAE,MAAM,4BAA4B,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,gCAAgC,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EACL,mCAAmC,EACnC,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAK5B,SAAS,gBAAgB,CAAC,IAAU;IAClC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,OAAO,GAAG,MAAM,aAAa,EAA+B,CAAC;IACnE,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAEhC,IAAI,CAAC,6BAA6B,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,YAAY,CAAC;QAC5E,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACzF,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;QACtD,MAAM,sBAAsB,CAAC;YAC3B,OAAO;YACP,UAAU;YACV,cAAc;YACd,YAAY,EAAE,YAAY,IAAI,EAAE;YAChC,eAAe;SAChB,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE,sBAAsB,EAAE,CAAC,CAAC,CAAC;IACjG,MAAM,QAAQ,GAAG,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,uBAAuB,CACzC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAC1D,CAAC;IAEF,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,sBAAsB,CAAC;YAC3B,OAAO;YACP,UAAU,EAAE,wBAAwB;YACpC,cAAc;YACd,YAAY,EAAE,WAAW;YACzB,eAAe;YACf,QAAQ;SACT,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC;IAC7C,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC;IAC/C,MAAM,IAAI,GAAS,QAAQ,CAAC,IAAI,CAAC;IAEjC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,OAAO;QAAE,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IACtF,IAAI,UAAU,CAAC,KAAK,CAAC,cAAc,IAAI,QAAQ,CAAC,kBAAkB;QAAE,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACnG,IAAI,UAAU,CAAC,KAAK,CAAC,eAAe;QAAE,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACtE,IAAI,QAAQ,CAAC,WAAW;QAAE,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACnE,IAAI,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,iCAAiC,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,kBAAkB,GAAkB,IAAI,CAAC;IAC7C,IAAI,cAAc,GAAoD,IAAI,CAAC;IAE3E,IAAI,UAAU,KAAK,MAAM,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,gCAAgC,CAAC;YACpD,IAAI;YACJ,IAAI;YACJ,QAAQ;YACR,WAAW;YACX,UAAU,EAAE,OAAO,CAAC,OAAO;YAC3B,cAAc;YACd,cAAc,EAAE,OAAO;SACxB,CAAC,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QAC/B,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QACvC,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAC/C,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QACvC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,YAAY,GAAG,mCAAmC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC;IAC7E,MAAM,YAAY,GAChB,UAAU,KAAK,MAAM;QACnB,CAAC,CAAC,sBAAsB,CAAC;YACrB,IAAI,EAAE,sBAAsB;YAC5B,IAAI;YACJ,IAAI;YACJ,OAAO;YACP,cAAc;SACf,CAAC;QACJ,CAAC,CAAC,IAAI,CAAC;IAEX,MAAM,QAAQ,GACZ,UAAU,KAAK,OAAO;QACpB,CAAC,CAAC;YACE,UAAU;YACV,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACzD;QACH,CAAC,CAAC;YACE,UAAU;YACV,YAAY,EAAE,YAAa,CAAC,YAAY;YACxC,aAAa,EAAE,YAAa,CAAC,aAAa;SAC3C,CAAC;IAER,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;IACvD,MAAM,mBAAmB,CACvB;QACE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,IAAI,EAAE,sBAAsB;QAC5B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI;QACJ,aAAa,EAAE,IAAI;QACnB,gBAAgB,EAAE,QAAQ,CAAC,WAAW,CAAC,MAAM;QAC7C,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,cAAc,EAAE,UAAU,CAAC,cAAc;QACzC,KAAK,EAAE,UAAU,CAAC,KAAK;QACvB,IAAI;QACJ,UAAU;QACV,cAAc;QACd,iBAAiB,EAAE,cAAc,EAAE,UAAU,IAAI,IAAI;QACrD,OAAO;QACP,oBAAoB,EAAE,kBAAkB;QACxC,UAAU;KACX,EACD,WAAW,CACZ,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAExD,MAAM,MAAM,GAAG,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,cAAc,CAAC;QACnB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,MAAM;QACN,IAAI,EAAE,cAAc;QACpB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QAC7B,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QACrB,QAAQ,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1D,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI;QAC1B,GAAG,EAAE,OAAO,CAAC,OAAO;QACpB,IAAI;QACJ,QAAQ,EAAE,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO;QACpD,UAAU;QACV,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,OAAO;QACb,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,IAAI,EAAE;YACJ,IAAI,EAAE,sBAAsB;YAC5B,cAAc;YACd,mBAAmB,EAAE,cAAc,EAAE,UAAU,IAAI,IAAI;YACvD,oBAAoB,EAAE,kBAAkB;YACxC,gBAAgB,EAAE,QAAQ,CAAC,WAAW,CAAC,MAAM;SAC9C;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,GAAY;IACtD,OAAO;QACL,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,0DAA0D;QACxE,aAAa,EAAE,uBAAuB,MAAM,CAAC,GAAG,CAAC,EAAE;KACpD,CAAC;AACJ,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
export { loadPoliciesV1 } from "./policy/index.js";
|
|
2
2
|
export type { PoliciesV1, Tier, Classification } from "./policy/index.js";
|
|
3
3
|
export { appendAuditJsonl } from "./audit/jsonl.js";
|
|
4
|
-
export { DEFAULT_SHELL_BRIDGE_TTL_MS, recordShellApprovalBridge, shellArgvApprovalId, shellBridgeDir, shouldRecordShellBridge, tryConsumeShellApprovalBridge, } from "./bridge/shell-approval-bridge.js";
|
|
5
|
-
export {
|
|
4
|
+
export { DEFAULT_SHELL_BRIDGE_TTL_MS, recordShellApprovalBridge, shellApprovalFingerprintId, shellArgvApprovalId, shellBridgeDir, shouldRecordShellBridge, tryConsumeShellApprovalBridge, } from "./bridge/shell-approval-bridge.js";
|
|
5
|
+
export { analyzeShellCommand, evaluateArgv, evaluateMcpProposal, evaluateShellProposal, gateShellCommand, listShellGovernedTools, parseCommandToArgv, commandMayContainGovernedTool, DEFAULT_GOVERNED_SHELL_TOOLS, type GuardEvaluation, type GuardReason, type ShellAnalysis, type ShellApprovalFingerprintPayload, type ShellGateDecision, } from "./shell/evaluate.js";
|
|
6
6
|
export { failClosedHookErrorResponse, runBeforeShellHookFromStdin, type BeforeShellExecutionPayload, type BeforeShellExecutionResponse, } from "./hooks/run-before-shell.js";
|
|
7
7
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,0BAA0B,EAC1B,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,mBAAmB,EACnB,YAAY,EACZ,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,EAChB,sBAAsB,EACtB,kBAAkB,EAClB,6BAA6B,EAC7B,4BAA4B,EAC5B,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,+BAA+B,EACpC,KAAK,iBAAiB,GACvB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,EAC3B,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,GAClC,MAAM,6BAA6B,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
export { loadPoliciesV1 } from "./policy/index.js";
|
|
2
2
|
export { appendAuditJsonl } from "./audit/jsonl.js";
|
|
3
|
-
export { DEFAULT_SHELL_BRIDGE_TTL_MS, recordShellApprovalBridge, shellArgvApprovalId, shellBridgeDir, shouldRecordShellBridge, tryConsumeShellApprovalBridge, } from "./bridge/shell-approval-bridge.js";
|
|
4
|
-
export {
|
|
3
|
+
export { DEFAULT_SHELL_BRIDGE_TTL_MS, recordShellApprovalBridge, shellApprovalFingerprintId, shellArgvApprovalId, shellBridgeDir, shouldRecordShellBridge, tryConsumeShellApprovalBridge, } from "./bridge/shell-approval-bridge.js";
|
|
4
|
+
export { analyzeShellCommand, evaluateArgv, evaluateMcpProposal, evaluateShellProposal, gateShellCommand, listShellGovernedTools, parseCommandToArgv, commandMayContainGovernedTool, DEFAULT_GOVERNED_SHELL_TOOLS, } from "./shell/evaluate.js";
|
|
5
5
|
export { failClosedHookErrorResponse, runBeforeShellHookFromStdin, } from "./hooks/run-before-shell.js";
|
|
6
6
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,0BAA0B,EAC1B,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,mBAAmB,EACnB,YAAY,EACZ,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,EAChB,sBAAsB,EACtB,kBAAkB,EAClB,6BAA6B,EAC7B,4BAA4B,GAM7B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,GAG5B,MAAM,6BAA6B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate-guard.d.ts","sourceRoot":"","sources":["../../src/mcp/evaluate-guard.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAqC,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"evaluate-guard.d.ts","sourceRoot":"","sources":["../../src/mcp/evaluate-guard.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAqC,MAAM,oBAAoB,CAAC;AAavF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC;IACnD,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B,CAAC;AA+CF,wBAAsB,aAAa,CACjC,KAAK,EAAE,UAAU,EACjB,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CA+HnE"}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { v4 as uuidv4 } from "uuid";
|
|
2
2
|
import { loadPoliciesV1, readPoliciesV1Revision } from "../policy/index.js";
|
|
3
3
|
import { resolveGuardStorageRoot } from "../bridge/guard-storage-root.js";
|
|
4
|
-
import { evaluateMcpProposal, evaluateShellProposal
|
|
4
|
+
import { evaluateMcpProposal, evaluateShellProposal } from "../shell/evaluate.js";
|
|
5
5
|
import { sendGuardEvent } from "../telemetry/guard-events.js";
|
|
6
6
|
import { getInstallId } from "../cli/install-id.js";
|
|
7
7
|
import { resolveGuardAuditStatus } from "./guard-audit-status.js";
|
|
@@ -54,12 +54,19 @@ export async function evaluateGuard(input, policyState) {
|
|
|
54
54
|
policyState.policy = await loadPoliciesV1();
|
|
55
55
|
policyState.policyRevision = await readPoliciesV1Revision();
|
|
56
56
|
const storageRoot = resolveGuardStorageRoot(input.proposal.cwd);
|
|
57
|
-
const
|
|
58
|
-
?
|
|
59
|
-
:
|
|
60
|
-
const
|
|
61
|
-
? evaluateShellProposal(policyState.policy,
|
|
62
|
-
:
|
|
57
|
+
const shellCommand = input.proposal.kind === "shell"
|
|
58
|
+
? input.proposal.raw_command ?? input.proposal.argv.join(" ")
|
|
59
|
+
: null;
|
|
60
|
+
const shellResult = input.proposal.kind === "shell" && shellCommand
|
|
61
|
+
? evaluateShellProposal(policyState.policy, shellCommand)
|
|
62
|
+
: null;
|
|
63
|
+
const mcpResult = input.proposal.kind === "mcp"
|
|
64
|
+
? evaluateMcpProposal(policyState.policy, input.proposal.argv)
|
|
65
|
+
: null;
|
|
66
|
+
const skipped = shellResult?.skipped ?? mcpResult?.skipped ?? true;
|
|
67
|
+
const evaluation = shellResult?.evaluation ?? mcpResult.evaluation;
|
|
68
|
+
const analysis = shellResult?.analysis;
|
|
69
|
+
const argv = evaluation.argv;
|
|
63
70
|
const tier = evaluation.tier;
|
|
64
71
|
const reasons = [...evaluation.reasons];
|
|
65
72
|
const policyReasons = [...evaluation.reasons];
|
|
@@ -80,6 +87,7 @@ export async function evaluateGuard(input, policyState) {
|
|
|
80
87
|
eventId: event_id,
|
|
81
88
|
policyRevision: policyState.policyRevision,
|
|
82
89
|
reasons,
|
|
90
|
+
approval_fingerprint: analysis?.approval_fingerprint_payload ?? null,
|
|
83
91
|
});
|
|
84
92
|
enforceDecision = mutate.enforceDecision;
|
|
85
93
|
approvalBlock = mutate.approvalBlock;
|
|
@@ -123,7 +131,7 @@ export async function evaluateGuard(input, policyState) {
|
|
|
123
131
|
skipped,
|
|
124
132
|
...(skipped
|
|
125
133
|
? {
|
|
126
|
-
skip_reason: input.proposal.kind === "shell" ? "
|
|
134
|
+
skip_reason: input.proposal.kind === "shell" ? "no_governed_invocation" : "mcp_policy_unmatched",
|
|
127
135
|
}
|
|
128
136
|
: {}),
|
|
129
137
|
tool: "auditor-mcp",
|
|
@@ -131,7 +139,7 @@ export async function evaluateGuard(input, policyState) {
|
|
|
131
139
|
verb: actionVerb,
|
|
132
140
|
resource: actionResource,
|
|
133
141
|
reason: firstReason,
|
|
134
|
-
cmd: argv.join(" "),
|
|
142
|
+
cmd: shellCommand ?? argv.join(" "),
|
|
135
143
|
tier,
|
|
136
144
|
decision,
|
|
137
145
|
latency_ms: performance.now() - startedAt,
|
|
@@ -142,6 +150,9 @@ export async function evaluateGuard(input, policyState) {
|
|
|
142
150
|
? { policy_revision: policyState.policyRevision }
|
|
143
151
|
: {}),
|
|
144
152
|
...(approvalRequestId ? { approval_request_id: approvalRequestId } : {}),
|
|
153
|
+
meta: {
|
|
154
|
+
invocation_count: analysis?.invocations.length ?? null,
|
|
155
|
+
},
|
|
145
156
|
});
|
|
146
157
|
return { response, startedAt };
|
|
147
158
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluate-guard.js","sourceRoot":"","sources":["../../src/mcp/evaluate-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,
|
|
1
|
+
{"version":3,"file":"evaluate-guard.js","sourceRoot":"","sources":["../../src/mcp/evaluate-guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAClF,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAsB,MAAM,iBAAiB,CAAC;AAC3F,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EACL,oBAAoB,EACpB,4BAA4B,GAE7B,MAAM,2BAA2B,CAAC;AAQnC,SAAS,SAAS,CAAC,OAAgB,EAAE,IAAU;IAC7C,IAAI,OAAO;QAAE,OAAO,CAAC,CAAC;IACtB,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,CAAC,CAAC;IAC9B,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IACjC,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAI5B;IACC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;IACtC,IAAI,eAAe,GAAG,oBAAoB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,oBAAoB,EAAE,CAAC;IAE7C,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;IACrD,CAAC;IACD,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,OAAO;YACL,eAAe,EAAE,OAAO;YACxB,aAAa,EAAE;gBACb,GAAG,aAAa;gBAChB,YAAY,EACV,oFAAoF;aACvF;SACF,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;IACrD,CAAC;IACD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,eAAe,EAAE,kBAAkB;YACnC,aAAa,EAAE;gBACb,GAAG,aAAa;gBAChB,YAAY,EACV,mGAAmG;aACtG;SACF,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAiB,EACjB,WAAwB;IAExB,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC;IAC1B,kBAAkB,EAAE,CAAC;IAErB,WAAW,CAAC,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IAC5C,WAAW,CAAC,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IAE5D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAChE,MAAM,YAAY,GAChB,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO;QAC7B,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QAC7D,CAAC,CAAC,IAAI,CAAC;IAEX,MAAM,WAAW,GACf,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO,IAAI,YAAY;QAC7C,CAAC,CAAC,qBAAqB,CAAC,WAAW,CAAC,MAAM,EAAE,YAAY,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC;IACX,MAAM,SAAS,GACb,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,KAAK;QAC3B,CAAC,CAAC,mBAAmB,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAC9D,CAAC,CAAC,IAAI,CAAC;IAEX,MAAM,OAAO,GAAG,WAAW,EAAE,OAAO,IAAI,SAAS,EAAE,OAAO,IAAI,IAAI,CAAC;IACnE,MAAM,UAAU,GAAG,WAAW,EAAE,UAAU,IAAI,SAAU,CAAC,UAAU,CAAC;IACpE,MAAM,QAAQ,GAAG,WAAW,EAAE,QAAQ,CAAC;IACvC,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC;IAE7B,MAAM,IAAI,GAAS,UAAU,CAAC,IAAI,CAAC;IACnC,MAAM,OAAO,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,aAAa,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAE9C,IAAI,EAAE,eAAe,EAAE,aAAa,EAAE,GAAG,mBAAmB,CAAC;QAC3D,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,OAAO;QACP,IAAI;KACL,CAAC,CAAC;IACH,IAAI,iBAAiB,GAAkB,IAAI,CAAC;IAE5C,IACE,CAAC,OAAO;QACR,IAAI,KAAK,aAAa;QACtB,IAAI,KAAK,MAAM;QACf,KAAK,CAAC,IAAI,KAAK,SAAS,EACxB,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC;YAChD,UAAU,EAAE,KAAK;YACjB,IAAI;YACJ,WAAW;YACX,OAAO,EAAE,QAAQ;YACjB,cAAc,EAAE,WAAW,CAAC,cAAc;YAC1C,OAAO;YACP,oBAAoB,EAAE,QAAQ,EAAE,4BAA4B,IAAI,IAAI;SACrE,CAAC,CAAC;QACH,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QACzC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QACrC,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,CAAC;IAC/C,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC;QAC1C,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,OAAO;QACP,IAAI;QACJ,aAAa;QACb,eAAe;KAChB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,QAAQ;QACR,OAAO;QACP,IAAI;QACJ,UAAU,EAAE,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC;QACpC,OAAO;QACP,MAAM;QACN,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE;YACL,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;SAC1C;QACD,SAAS,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,IAAI;SACb;KACF,CAAC;IAEF,MAAM,WAAW,GACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC,EAAE,OAAO;QAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,KAAK,QAAQ,CAAC,EAAE,IAAI;QACtD,IAAI,CAAC;IACP,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACnC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACxE,MAAM,MAAM,GAAG,uBAAuB,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;IAE9D,KAAK,cAAc,CAAC;QAClB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,MAAM;QACN,OAAO;QACP,GAAG,CAAC,OAAO;YACT,CAAC,CAAC;gBACE,WAAW,EACT,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,sBAAsB;aACtF;YACH,CAAC,CAAC,EAAE,CAAC;QACP,IAAI,EAAE,aAAa;QACnB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QAC7B,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,cAAc;QACxB,MAAM,EAAE,WAAW;QACnB,GAAG,EAAE,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QACnC,IAAI;QACJ,QAAQ;QACR,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;QACzC,QAAQ;QACR,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;QACzB,GAAG,CAAC,WAAW,CAAC,cAAc,KAAK,IAAI;YACrC,CAAC,CAAC,EAAE,eAAe,EAAE,WAAW,CAAC,cAAc,EAAE;YACjD,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxE,IAAI,EAAE;YACJ,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC,MAAM,IAAI,IAAI;SACvD;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC"}
|
|
@@ -18,6 +18,7 @@ export declare function resolveEnforceMutateApproval(input: {
|
|
|
18
18
|
eventId: string;
|
|
19
19
|
policyRevision: number | null;
|
|
20
20
|
reasons: unknown[];
|
|
21
|
+
approval_fingerprint?: import("../shell/analyze-command.js").ShellApprovalFingerprintPayload | null;
|
|
21
22
|
}): Promise<{
|
|
22
23
|
enforceDecision: GuardDecision;
|
|
23
24
|
approvalBlock: ApprovalBlock;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"guard-approval-block.d.ts","sourceRoot":"","sources":["../../src/mcp/guard-approval-block.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B,CAAC;AAEF,wBAAgB,oBAAoB,IAAI,aAAa,CAUpD;AAED,wBAAgB,oBAAoB,IAAI,aAAa,CAWpD;AAuFD,wBAAsB,4BAA4B,CAAC,KAAK,EAAE;IACxD,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,OAAO,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"guard-approval-block.d.ts","sourceRoot":"","sources":["../../src/mcp/guard-approval-block.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B,CAAC;AAEF,wBAAgB,oBAAoB,IAAI,aAAa,CAUpD;AAED,wBAAgB,oBAAoB,IAAI,aAAa,CAWpD;AAuFD,wBAAsB,4BAA4B,CAAC,KAAK,EAAE;IACxD,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,oBAAoB,CAAC,EAAE,OAAO,6BAA6B,EAAE,+BAA+B,GAAG,IAAI,CAAC;CACrG,GAAG,OAAO,CAAC;IACV,eAAe,EAAE,aAAa,CAAC;IAC/B,aAAa,EAAE,aAAa,CAAC;IAC7B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC,CAAC,CA2DD"}
|
|
@@ -123,6 +123,7 @@ export async function resolveEnforceMutateApproval(input) {
|
|
|
123
123
|
approval: guardInput.context?.approval ?? null,
|
|
124
124
|
waitMs: guardInput.context?.wait_ms ?? null,
|
|
125
125
|
tool_input_sha256: guardInput.context?.tool_input_sha256 ?? null,
|
|
126
|
+
approval_fingerprint: input.approval_fingerprint ?? null,
|
|
126
127
|
});
|
|
127
128
|
const mapped = approvalBlockFromOutcome(outcome, guardInput.context?.approval?.request_id ?? null);
|
|
128
129
|
if (outcome.kind === "allow" && outcome.ticketRecorded) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"guard-approval-block.js","sourceRoot":"","sources":["../../src/mcp/guard-approval-block.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAA2B,MAAM,yBAAyB,CAAC;AAczF,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,YAAY,EACV,yGAAyG;QAC3G,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAA2B,EAC3B,iBAAgC;IAEhC,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAC5B,OAAO;gBACL,eAAe,EAAE,kBAAkB;gBACnC,iBAAiB,EAAE,OAAO,CAAC,UAAU;gBACrC,aAAa,EAAE;oBACb,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,IAAI;oBACd,YAAY,EACV,gIAAgI;oBAClI,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;aACF,CAAC;QACJ,CAAC;QACD,OAAO;YACL,eAAe,EAAE,OAAO;YACxB,iBAAiB,EAAE,OAAO,CAAC,UAAU;YACrC,aAAa,EAAE;gBACb,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,YAAY,EACV,0FAA0F;gBAC5F,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;QAC/C,OAAO;YACL,eAAe,EAAE,kBAAkB;YACnC,iBAAiB,EAAE,OAAO,CAAC,UAAU;YACrC,aAAa,EAAE;gBACb,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,GAAG,OAAO,CAAC,OAAO,oGAAoG;gBACpI,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,IAAI;aAClB;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACxC,OAAO;YACL,eAAe,EAAE,kBAAkB;YACnC,iBAAiB,EAAE,OAAO,CAAC,UAAU;YACrC,aAAa,EAAE;gBACb,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,YAAY,EACV,2KAA2K;gBAC7K,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,IAAI;aAClB;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,eAAe,EAAE,kBAAkB;QACnC,iBAAiB,EAAE,IAAI;QACvB,aAAa,EAAE;YACb,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,iBAAiB;YAC7B,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,2BAA2B,OAAO,CAAC,OAAO,0CAA0C;YAClG,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,IAAI;SAClB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,
|
|
1
|
+
{"version":3,"file":"guard-approval-block.js","sourceRoot":"","sources":["../../src/mcp/guard-approval-block.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAA2B,MAAM,yBAAyB,CAAC;AAczF,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,YAAY,EACV,yGAAyG;QAC3G,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAA2B,EAC3B,iBAAgC;IAEhC,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAC5B,OAAO;gBACL,eAAe,EAAE,kBAAkB;gBACnC,iBAAiB,EAAE,OAAO,CAAC,UAAU;gBACrC,aAAa,EAAE;oBACb,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,IAAI;oBACd,YAAY,EACV,gIAAgI;oBAClI,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;aACF,CAAC;QACJ,CAAC;QACD,OAAO;YACL,eAAe,EAAE,OAAO;YACxB,iBAAiB,EAAE,OAAO,CAAC,UAAU;YACrC,aAAa,EAAE;gBACb,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,YAAY,EACV,0FAA0F;gBAC5F,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;QAC/C,OAAO;YACL,eAAe,EAAE,kBAAkB;YACnC,iBAAiB,EAAE,OAAO,CAAC,UAAU;YACrC,aAAa,EAAE;gBACb,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,GAAG,OAAO,CAAC,OAAO,oGAAoG;gBACpI,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,IAAI;aAClB;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACxC,OAAO;YACL,eAAe,EAAE,kBAAkB;YACnC,iBAAiB,EAAE,OAAO,CAAC,UAAU;YACrC,aAAa,EAAE;gBACb,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,YAAY,EACV,2KAA2K;gBAC7K,QAAQ,EAAE,KAAK;gBACf,WAAW,EAAE,IAAI;aAClB;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,eAAe,EAAE,kBAAkB;QACnC,iBAAiB,EAAE,IAAI;QACvB,aAAa,EAAE;YACb,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,iBAAiB;YAC7B,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,2BAA2B,OAAO,CAAC,OAAO,0CAA0C;YAClG,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,IAAI;SAClB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,KAQlD;IAKC,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC;IAElF,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,iDAAiD;SAC3D,CAAC,CAAC;QACH,OAAO;YACL,eAAe,EAAE,kBAAkB;YACnC,aAAa,EAAE,oBAAoB,EAAE;YACrC,iBAAiB,EAAE,IAAI;SACxB,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC;QAC1C,IAAI;QACJ,YAAY,EAAE,UAAU,CAAC,QAAQ,CAAC,IAAI;QACtC,WAAW;QACX,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QAC7D,OAAO;QACP,cAAc;QACd,OAAO;QACP,SAAS,EAAE,UAAU,CAAC,OAAO,EAAE,UAAU,IAAI,IAAI;QACjD,WAAW,EAAE,UAAU,CAAC,OAAO,EAAE,WAAW,IAAI,IAAI;QACpD,QAAQ,EAAE,UAAU,CAAC,OAAO,EAAE,QAAQ,IAAI,IAAI;QAC9C,MAAM,EAAE,UAAU,CAAC,OAAO,EAAE,OAAO,IAAI,IAAI;QAC3C,iBAAiB,EAAE,UAAU,CAAC,OAAO,EAAE,iBAAiB,IAAI,IAAI;QAChE,oBAAoB,EAAE,KAAK,CAAC,oBAAoB,IAAI,IAAI;KACzD,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,wBAAwB,CACrC,OAAO,EACP,UAAU,CAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,IAAI,IAAI,CACjD,CAAC;IAEF,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,oEAAoE;SAC9E,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,mDAAmD;SAC7D,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,OAAO,CAAC,IAAI,KAAK,yBAAyB,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
package/dist/policies.v1.json
CHANGED
package/dist/policy/index.d.ts
CHANGED
|
@@ -17,6 +17,10 @@ export declare const PoliciesV1Schema: z.ZodObject<{
|
|
|
17
17
|
MUTATE: "MUTATE";
|
|
18
18
|
DESTRUCTIVE: "DESTRUCTIVE";
|
|
19
19
|
}>>>>;
|
|
20
|
+
shell: z.ZodOptional<z.ZodObject<{
|
|
21
|
+
prelude_verbs: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
22
|
+
privilege_verbs: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
23
|
+
}, z.core.$strip>>;
|
|
20
24
|
}, z.core.$strip>;
|
|
21
25
|
export type PoliciesV1 = z.infer<typeof PoliciesV1Schema>;
|
|
22
26
|
export type Classification = {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,UAAU;;;;EAA4C,CAAC;AACpE,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAE9C,eAAO,MAAM,gBAAgB
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,UAAU;;;;EAA4C,CAAC;AACpE,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAE9C,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;iBAU3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,IAAI,CAAC;IACX,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,SAAS,IAAI,EAAE,QAOzD;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,UAAU,CAO5D;AAuBD,wBAAgB,qBAAqB,IAAI,MAAM,CAE9C;AAED,uGAAuG;AACvG,wBAAgB,sBAAsB,CAAC,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAK7E;AAED,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAIpE;AAED,wBAAgB,uBAAuB,IAAI,MAAM,CAEhD;AAED,wBAAsB,sBAAsB,CAAC,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAWnG;AA0BD,wBAAsB,cAAc,CAAC,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAUxF;AA0BD,wBAAgB,YAAY,CAC1B,MAAM,EAAE,UAAU,EAClB,IAAI,EAAE,SAAS,MAAM,EAAE,GACtB;IAAE,cAAc,EAAE,cAAc,CAAC;IAAC,KAAK,EAAE;QAAE,cAAc,EAAE,OAAO,CAAC;QAAC,eAAe,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,CAoFlG"}
|
package/dist/policy/index.js
CHANGED
|
@@ -9,6 +9,12 @@ export const PoliciesV1Schema = z.object({
|
|
|
9
9
|
tiers: z.array(TierSchema).nonempty(),
|
|
10
10
|
dangerous_flags: z.array(z.string()),
|
|
11
11
|
policies: z.record(z.string(), z.record(z.string(), z.record(z.string(), TierSchema))),
|
|
12
|
+
shell: z
|
|
13
|
+
.object({
|
|
14
|
+
prelude_verbs: z.array(z.string()).optional(),
|
|
15
|
+
privilege_verbs: z.array(z.string()).optional(),
|
|
16
|
+
})
|
|
17
|
+
.optional(),
|
|
12
18
|
});
|
|
13
19
|
export function ensureTiersComplete(tiers) {
|
|
14
20
|
const s = new Set(tiers);
|
package/dist/policy/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;AAGpE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;AAGpE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE;IACrC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;IACtF,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QAC7C,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAChD,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAYH,MAAM,UAAU,mBAAmB,CAAC,KAAsB;IACxD,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,KAAK,MAAM,QAAQ,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAU,EAAE,CAAC;QAClE,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qBAAqB,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvC,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,SAAS,yBAAyB;IAChC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,OAAO;QACL,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,qBAAqB,CAAC;QACzC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,mCAAmC,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B;IACjC,KAAK,MAAM,SAAS,IAAI,yBAAyB,EAAE,EAAE,CAAC;QACpD,IAAI,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;IAC9C,CAAC;IACD,MAAM,IAAI,KAAK,CACb,8CAA8C,yBAAyB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9G,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC3D,CAAC;AAED,uGAAuG;AACvG,MAAM,UAAU,sBAAsB,CAAC,IAA8B;IACnE,IAAI,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC5D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,CAAC;IAC5D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,OAAO,qBAAqB,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,cAAsB;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,YAAY,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,qBAAqB,CAAC,qBAAqB,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,IAA8B;IACzE,MAAM,UAAU,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IACnD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA2B,CAAC;QACzD,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,0BAA0B,CAAC,UAAkB;IAC1D,IAAI,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO;IAEnC,MAAM,WAAW,GAAG,0BAA0B,EAAE,CAAC;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAG,GAAG,UAAU,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;IACrD,MAAM,QAAQ,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACvC,MAAM,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpC,MAAM,QAAQ,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG;YACpB,QAAQ,EAAE,CAAC;YACX,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,MAAM,EAAE,mBAAmB;SAC5B,CAAC;QACF,MAAM,OAAO,GAAG,GAAG,QAAQ,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QACjD,MAAM,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAA8B;IACjE,MAAM,UAAU,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,0BAA0B,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,4BAA4B,UAAU,KAAK,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAuB;IAChD,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAuB,EAAE,cAAiC;IACnF,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IAClC,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,iBAAiB,CACxB,YAAkC,EAClC,IAAuB,EACvB,SAAiB,EACjB,KAAoB;IAEpB,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,KAAK,EAAE,CAAC;IACrC,IAAI,YAAY,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAkB,EAClB,IAAuB;IAEvB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC7B,MAAM,cAAc,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,eAAe,GAAG,iBAAiB,CAAC,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IAExE,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;YACxF,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;SAC3C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,SAAS,GAAyC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAG3E,CAAC;IAEF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC;QACnC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBACnF,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;aAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAC7B,IAAI,IAAsB,CAAC;QAC3B,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,IAAI,IAAI,KAAK,SAAS;gBAAE,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO;gBACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBAC7E,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;aAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAClG,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;QACtC,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,IAAK,EAA2B,CAAC;QACxE,MAAM,IAAI,GAAG,iBAAiB,CAAC,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QAErE,IAAI,IAAsB,CAAC;QAC3B,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YAC1B,IAAI,IAAI,KAAK,SAAS;gBAAE,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO;gBACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;gBACrF,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;aAC3C,CAAC;QACJ,CAAC;QAED,OAAO;YACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;YAC1E,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;SAC3C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAC9G,KAAK,EAAE,EAAE,cAAc,EAAE,eAAe,EAAE;KAC3C,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import type { Tier } from "../policy/index.js";
|
|
2
|
+
import type { ShellAnalysis, ShellApprovalFingerprintPayload, ShellInvocation } from "./analyze-command.types.js";
|
|
3
|
+
import type { GuardEvaluation } from "./guard-eval.js";
|
|
4
|
+
import type { ShellOperator } from "./parse-segments.js";
|
|
5
|
+
export declare function rawMetacharactersInCommand(command: string): boolean;
|
|
6
|
+
export declare function extractNestedShellScript(argv: readonly string[]): string | null;
|
|
7
|
+
export declare function aggregateTier(invocations: ShellInvocation[], rawMetacharacters: boolean): Tier;
|
|
8
|
+
export declare function buildFingerprintPayload(segments: {
|
|
9
|
+
argv: string[];
|
|
10
|
+
}[], operators: ShellOperator[], invocations: ShellInvocation[]): ShellApprovalFingerprintPayload;
|
|
11
|
+
export declare function selectPrimary(invocations: ShellInvocation[]): {
|
|
12
|
+
canonical_argv: string[];
|
|
13
|
+
evaluation: GuardEvaluation;
|
|
14
|
+
};
|
|
15
|
+
export declare function failClosedAnalysis(command: string, rawMetacharacters: boolean): ShellAnalysis;
|
|
16
|
+
//# sourceMappingURL=analyze-command-aggregate.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-aggregate.d.ts","sourceRoot":"","sources":["../../src/shell/analyze-command-aggregate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAE/C,OAAO,KAAK,EACV,aAAa,EACb,+BAA+B,EAC/B,eAAe,EAChB,MAAM,4BAA4B,CAAC;AACpC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAUzD,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAGnE;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAM/E;AAED,wBAAgB,aAAa,CAAC,WAAW,EAAE,eAAe,EAAE,EAAE,iBAAiB,EAAE,OAAO,GAAG,IAAI,CAO9F;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE;IAAE,IAAI,EAAE,MAAM,EAAE,CAAA;CAAE,EAAE,EAC9B,SAAS,EAAE,aAAa,EAAE,EAC1B,WAAW,EAAE,eAAe,EAAE,GAC7B,+BAA+B,CAejC;AAED,wBAAgB,aAAa,CAAC,WAAW,EAAE,eAAe,EAAE,GAAG;IAC7D,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,EAAE,eAAe,CAAC;CAC7B,CAyBA;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,OAAO,GAAG,aAAa,CAqB7F"}
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
import { stripTrailingBenignShellRedirectsForMetacharCheck } from "./strip-trailing-benign-shell-redirs.js";
|
|
2
|
+
const SHELL_NAMES = new Set(["bash", "sh", "zsh"]);
|
|
3
|
+
const TIER_RANK = { READ: 0, MUTATE: 1, DESTRUCTIVE: 2 };
|
|
4
|
+
function maxTier(a, b) {
|
|
5
|
+
return TIER_RANK[a] >= TIER_RANK[b] ? a : b;
|
|
6
|
+
}
|
|
7
|
+
export function rawMetacharactersInCommand(command) {
|
|
8
|
+
const stripped = stripTrailingBenignShellRedirectsForMetacharCheck(command);
|
|
9
|
+
return /(;|&&|\|\||\||`|>|<|\$\()/.test(stripped);
|
|
10
|
+
}
|
|
11
|
+
export function extractNestedShellScript(argv) {
|
|
12
|
+
const tool = argv[0];
|
|
13
|
+
if (!tool || !SHELL_NAMES.has(tool))
|
|
14
|
+
return null;
|
|
15
|
+
const cIndex = argv.indexOf("-c");
|
|
16
|
+
if (cIndex < 0 || cIndex + 1 >= argv.length)
|
|
17
|
+
return null;
|
|
18
|
+
return argv[cIndex + 1] ?? null;
|
|
19
|
+
}
|
|
20
|
+
export function aggregateTier(invocations, rawMetacharacters) {
|
|
21
|
+
let tier = "READ";
|
|
22
|
+
for (const inv of invocations) {
|
|
23
|
+
tier = maxTier(tier, inv.evaluation.tier);
|
|
24
|
+
}
|
|
25
|
+
if (rawMetacharacters && tier === "READ")
|
|
26
|
+
tier = "MUTATE";
|
|
27
|
+
return tier;
|
|
28
|
+
}
|
|
29
|
+
export function buildFingerprintPayload(segments, operators, invocations) {
|
|
30
|
+
const bySegment = new Map();
|
|
31
|
+
for (const inv of invocations) {
|
|
32
|
+
const list = bySegment.get(inv.segment_index) ?? [];
|
|
33
|
+
list.push({ canonical_argv: inv.canonical_argv, tier: inv.evaluation.tier });
|
|
34
|
+
bySegment.set(inv.segment_index, list);
|
|
35
|
+
}
|
|
36
|
+
return {
|
|
37
|
+
segments: segments.map((_, segment_index) => ({
|
|
38
|
+
segment_index,
|
|
39
|
+
invocations: bySegment.get(segment_index) ?? [],
|
|
40
|
+
})),
|
|
41
|
+
operators: [...operators],
|
|
42
|
+
};
|
|
43
|
+
}
|
|
44
|
+
export function selectPrimary(invocations) {
|
|
45
|
+
if (invocations.length === 0) {
|
|
46
|
+
return {
|
|
47
|
+
canonical_argv: [],
|
|
48
|
+
evaluation: {
|
|
49
|
+
argv: [],
|
|
50
|
+
tier: "READ",
|
|
51
|
+
reasons: [],
|
|
52
|
+
classification: { tool: null, command_path: null, verb: null, tier: "READ", matched: false },
|
|
53
|
+
flags: { metacharacters: false, dangerous_flags: false },
|
|
54
|
+
},
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
let primary = invocations[0];
|
|
58
|
+
for (const inv of invocations.slice(1)) {
|
|
59
|
+
if (TIER_RANK[inv.evaluation.tier] > TIER_RANK[primary.evaluation.tier]) {
|
|
60
|
+
primary = inv;
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
return {
|
|
64
|
+
canonical_argv: primary.canonical_argv,
|
|
65
|
+
evaluation: primary.evaluation,
|
|
66
|
+
};
|
|
67
|
+
}
|
|
68
|
+
export function failClosedAnalysis(command, rawMetacharacters) {
|
|
69
|
+
const evaluation = {
|
|
70
|
+
argv: ["<unparseable>", command],
|
|
71
|
+
tier: "MUTATE",
|
|
72
|
+
reasons: [{ code: "unparseable", message: "Command could not be parsed safely; fail closed." }],
|
|
73
|
+
classification: { tool: null, command_path: null, verb: null, tier: "MUTATE", matched: false },
|
|
74
|
+
flags: { metacharacters: rawMetacharacters, dangerous_flags: false },
|
|
75
|
+
};
|
|
76
|
+
return {
|
|
77
|
+
raw_command: command,
|
|
78
|
+
segments: [{ argv: ["<unparseable>", command] }],
|
|
79
|
+
operators: [],
|
|
80
|
+
invocations: [],
|
|
81
|
+
primary: { canonical_argv: ["<unparseable>", command], evaluation },
|
|
82
|
+
approval_fingerprint_payload: { segments: [{ segment_index: 0, invocations: [] }], operators: [] },
|
|
83
|
+
skipped: false,
|
|
84
|
+
tier: "MUTATE",
|
|
85
|
+
raw_metacharacters: rawMetacharacters,
|
|
86
|
+
fail_closed: true,
|
|
87
|
+
};
|
|
88
|
+
}
|
|
89
|
+
//# sourceMappingURL=analyze-command-aggregate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-aggregate.js","sourceRoot":"","sources":["../../src/shell/analyze-command-aggregate.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,iDAAiD,EAAE,MAAM,yCAAyC,CAAC;AAE5G,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AACnD,MAAM,SAAS,GAAyB,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;AAE/E,SAAS,OAAO,CAAC,CAAO,EAAE,CAAO;IAC/B,OAAO,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,OAAe;IACxD,MAAM,QAAQ,GAAG,iDAAiD,CAAC,OAAO,CAAC,CAAC;IAC5E,OAAO,2BAA2B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,IAAuB;IAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,WAA8B,EAAE,iBAA0B;IACtF,IAAI,IAAI,GAAS,MAAM,CAAC;IACxB,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,iBAAiB,IAAI,IAAI,KAAK,MAAM;QAAE,IAAI,GAAG,QAAQ,CAAC;IAC1D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAA8B,EAC9B,SAA0B,EAC1B,WAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,GAAG,EAAsD,CAAC;IAChF,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7E,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;YAC5C,aAAa;YACb,WAAW,EAAE,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE;SAChD,CAAC,CAAC;QACH,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC;KAC1B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,WAA8B;IAI1D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,cAAc,EAAE,EAAE;YAClB,UAAU,EAAE;gBACV,IAAI,EAAE,EAAE;gBACR,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,EAAE;gBACX,cAAc,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC5F,KAAK,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE;aACzD;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,IAAI,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACxE,OAAO,GAAG,GAAG,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO;QACL,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,iBAA0B;IAC5E,MAAM,UAAU,GAAoB;QAClC,IAAI,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC;QAChC,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,kDAAkD,EAAE,CAAC;QAC/F,cAAc,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAC9F,KAAK,EAAE,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,KAAK,EAAE;KACrE,CAAC;IAEF,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC,EAAE,CAAC;QAChD,SAAS,EAAE,EAAE;QACb,WAAW,EAAE,EAAE;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC,EAAE,UAAU,EAAE;QACnE,4BAA4B,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;QAClG,OAAO,EAAE,KAAK;QACd,IAAI,EAAE,QAAQ;QACd,kBAAkB,EAAE,iBAAiB;QACrC,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { PoliciesV1 } from "../policy/index.js";
|
|
2
|
+
import type { ShellInvocation } from "./analyze-command.types.js";
|
|
3
|
+
import { type ShellPolicyConfig } from "./governed-tools.js";
|
|
4
|
+
/** Strip trailing fd redirects from argv before policy classification (e.g. `2>&1` from shell-quote). */
|
|
5
|
+
export declare function stripTrailingBenignRedirectArgv(argv: readonly string[]): string[];
|
|
6
|
+
export declare function findGovernedInvocationsInSegment(segmentArgv: readonly string[], segmentIndex: number, policy: PoliciesV1, governedTools: readonly string[], shellConfig: ShellPolicyConfig): ShellInvocation[];
|
|
7
|
+
export declare function resolveInvocationScanContext(policy: PoliciesV1): {
|
|
8
|
+
governedTools: readonly string[];
|
|
9
|
+
shellConfig: ShellPolicyConfig;
|
|
10
|
+
};
|
|
11
|
+
//# sourceMappingURL=analyze-command-invocations.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-invocations.d.ts","sourceRoot":"","sources":["../../src/shell/analyze-command-invocations.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAElE,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,qBAAqB,CAAC;AAI7B,yGAAyG;AACzG,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAoBjF;AA8DD,wBAAgB,gCAAgC,CAC9C,WAAW,EAAE,SAAS,MAAM,EAAE,EAC9B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,EAClB,aAAa,EAAE,SAAS,MAAM,EAAE,EAChC,WAAW,EAAE,iBAAiB,GAC7B,eAAe,EAAE,CA4BnB;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,UAAU;;;EAK9D"}
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
import { evaluateArgv } from "./guard-eval.js";
|
|
2
|
+
import { listShellGovernedTools, normalizeExecutableToken, resolveShellPolicyConfig, } from "./governed-tools.js";
|
|
3
|
+
const REDIRECT_OP_TOKENS = new Set([">", ">>", "<", ">&", "2>", "2>>", "1>", "2>&1", "|"]);
|
|
4
|
+
/** Strip trailing fd redirects from argv before policy classification (e.g. `2>&1` from shell-quote). */
|
|
5
|
+
export function stripTrailingBenignRedirectArgv(argv) {
|
|
6
|
+
let end = argv.length;
|
|
7
|
+
for (;;) {
|
|
8
|
+
if (end === 0)
|
|
9
|
+
break;
|
|
10
|
+
const last = argv[end - 1];
|
|
11
|
+
const secondLast = end >= 2 ? argv[end - 2] : null;
|
|
12
|
+
if (last === "1" && secondLast === ">&") {
|
|
13
|
+
end -= 2;
|
|
14
|
+
if (end > 0 && /^\d+$/.test(argv[end - 1]))
|
|
15
|
+
end -= 1;
|
|
16
|
+
continue;
|
|
17
|
+
}
|
|
18
|
+
if (REDIRECT_OP_TOKENS.has(last) || (secondLast && /^\d+$/.test(secondLast) && REDIRECT_OP_TOKENS.has(last))) {
|
|
19
|
+
end -= 1;
|
|
20
|
+
if (end > 0 && /^\d+$/.test(argv[end - 1]))
|
|
21
|
+
end -= 1;
|
|
22
|
+
continue;
|
|
23
|
+
}
|
|
24
|
+
break;
|
|
25
|
+
}
|
|
26
|
+
return argv.slice(0, end);
|
|
27
|
+
}
|
|
28
|
+
function isEnvAssignment(token) {
|
|
29
|
+
return /^[A-Za-z_][A-Za-z0-9_]*=/.test(token);
|
|
30
|
+
}
|
|
31
|
+
function isFlagToken(token) {
|
|
32
|
+
return token.startsWith("-");
|
|
33
|
+
}
|
|
34
|
+
function isPathLikeToken(token) {
|
|
35
|
+
return token.includes("/") || token.startsWith(".");
|
|
36
|
+
}
|
|
37
|
+
function isStructuralPrelude(token) {
|
|
38
|
+
return isEnvAssignment(token) || isFlagToken(token) || isPathLikeToken(token);
|
|
39
|
+
}
|
|
40
|
+
function tokensBeforeIndexAreValidPrelude(argv, index, config, governedTools) {
|
|
41
|
+
if (index === 0)
|
|
42
|
+
return true;
|
|
43
|
+
let i = 0;
|
|
44
|
+
while (i < index) {
|
|
45
|
+
const token = argv[i];
|
|
46
|
+
if (token === "env") {
|
|
47
|
+
i += 1;
|
|
48
|
+
while (i < index && (isEnvAssignment(argv[i]) || isFlagToken(argv[i])))
|
|
49
|
+
i += 1;
|
|
50
|
+
continue;
|
|
51
|
+
}
|
|
52
|
+
if (config.privilege_verbs.includes(token)) {
|
|
53
|
+
i += 1;
|
|
54
|
+
while (i < index && isFlagToken(argv[i]))
|
|
55
|
+
i += 1;
|
|
56
|
+
continue;
|
|
57
|
+
}
|
|
58
|
+
if (config.prelude_verbs.includes(token)) {
|
|
59
|
+
i += 1;
|
|
60
|
+
while (i < index && (isPathLikeToken(argv[i]) || isFlagToken(argv[i])))
|
|
61
|
+
i += 1;
|
|
62
|
+
continue;
|
|
63
|
+
}
|
|
64
|
+
if (isStructuralPrelude(token)) {
|
|
65
|
+
i += 1;
|
|
66
|
+
continue;
|
|
67
|
+
}
|
|
68
|
+
if (governedTools.includes(token) || normalizeExecutableToken(token, governedTools)) {
|
|
69
|
+
i += 1;
|
|
70
|
+
continue;
|
|
71
|
+
}
|
|
72
|
+
return false;
|
|
73
|
+
}
|
|
74
|
+
return true;
|
|
75
|
+
}
|
|
76
|
+
function canonicalArgvFromCandidate(rawToolToken, candidate, normalizedTool) {
|
|
77
|
+
if (candidate[0] === normalizedTool)
|
|
78
|
+
return [...candidate];
|
|
79
|
+
return [normalizedTool, ...candidate.slice(1)];
|
|
80
|
+
}
|
|
81
|
+
export function findGovernedInvocationsInSegment(segmentArgv, segmentIndex, policy, governedTools, shellConfig) {
|
|
82
|
+
const invocations = [];
|
|
83
|
+
for (let i = 0; i < segmentArgv.length; i++) {
|
|
84
|
+
const token = segmentArgv[i];
|
|
85
|
+
const normalized = normalizeExecutableToken(token, governedTools);
|
|
86
|
+
if (!normalized)
|
|
87
|
+
continue;
|
|
88
|
+
if (i > 0 && !tokensBeforeIndexAreValidPrelude(segmentArgv, i, shellConfig, governedTools)) {
|
|
89
|
+
continue;
|
|
90
|
+
}
|
|
91
|
+
const candidate = stripTrailingBenignRedirectArgv(segmentArgv.slice(i));
|
|
92
|
+
if (candidate.length === 0 || normalizeExecutableToken(candidate[0], governedTools) !== normalized) {
|
|
93
|
+
continue;
|
|
94
|
+
}
|
|
95
|
+
const canonical = canonicalArgvFromCandidate(token, candidate, normalized);
|
|
96
|
+
const evaluation = evaluateArgv(policy, canonical);
|
|
97
|
+
invocations.push({
|
|
98
|
+
canonical_argv: canonical,
|
|
99
|
+
raw_tool_token: token,
|
|
100
|
+
segment_index: segmentIndex,
|
|
101
|
+
offset_in_segment: i,
|
|
102
|
+
evaluation,
|
|
103
|
+
});
|
|
104
|
+
}
|
|
105
|
+
return invocations;
|
|
106
|
+
}
|
|
107
|
+
export function resolveInvocationScanContext(policy) {
|
|
108
|
+
return {
|
|
109
|
+
governedTools: listShellGovernedTools(policy),
|
|
110
|
+
shellConfig: resolveShellPolicyConfig(policy),
|
|
111
|
+
};
|
|
112
|
+
}
|
|
113
|
+
//# sourceMappingURL=analyze-command-invocations.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command-invocations.js","sourceRoot":"","sources":["../../src/shell/analyze-command-invocations.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EACL,sBAAsB,EACtB,wBAAwB,EACxB,wBAAwB,GAEzB,MAAM,qBAAqB,CAAC;AAE7B,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;AAE3F,yGAAyG;AACzG,MAAM,UAAU,+BAA+B,CAAC,IAAuB;IACrE,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;IACtB,SAAS,CAAC;QACR,IAAI,GAAG,KAAK,CAAC;YAAE,MAAM;QACrB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAEpD,IAAI,IAAI,KAAK,GAAG,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxC,GAAG,IAAI,CAAC,CAAC;YACT,IAAI,GAAG,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC;gBAAE,GAAG,IAAI,CAAC,CAAC;YACtD,SAAS;QACX,CAAC;QACD,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC7G,GAAG,IAAI,CAAC,CAAC;YACT,IAAI,GAAG,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC;gBAAE,GAAG,IAAI,CAAC,CAAC;YACtD,SAAS;QACX,CAAC;QACD,MAAM;IACR,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,OAAO,eAAe,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,gCAAgC,CACvC,IAAuB,EACvB,KAAa,EACb,MAAyB,EACzB,aAAgC;IAEhC,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7B,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,EAAE,CAAC;QACjB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACvB,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;YACpB,CAAC,IAAI,CAAC,CAAC;YACP,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;YACjF,SAAS;QACX,CAAC;QACD,IAAI,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,CAAC,IAAI,CAAC,CAAC;YACP,OAAO,CAAC,GAAG,KAAK,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;YAClD,SAAS;QACX,CAAC;QACD,IAAI,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,CAAC,IAAI,CAAC,CAAC;YACP,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;YACjF,SAAS;QACX,CAAC;QACD,IAAI,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,CAAC,IAAI,CAAC,CAAC;YACP,SAAS;QACX,CAAC;QACD,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,wBAAwB,CAAC,KAAK,EAAE,aAAa,CAAC,EAAE,CAAC;YACpF,CAAC,IAAI,CAAC,CAAC;YACP,SAAS;QACX,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,0BAA0B,CAAC,YAAoB,EAAE,SAAmB,EAAE,cAAsB;IACnG,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,cAAc;QAAE,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC;IAC3D,OAAO,CAAC,cAAc,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,gCAAgC,CAC9C,WAA8B,EAC9B,YAAoB,EACpB,MAAkB,EAClB,aAAgC,EAChC,WAA8B;IAE9B,MAAM,WAAW,GAAsB,EAAE,CAAC;IAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QAClE,IAAI,CAAC,UAAU;YAAE,SAAS;QAE1B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gCAAgC,CAAC,WAAW,EAAE,CAAC,EAAE,WAAW,EAAE,aAAa,CAAC,EAAE,CAAC;YAC3F,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,+BAA+B,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACxE,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,wBAAwB,CAAC,SAAS,CAAC,CAAC,CAAE,EAAE,aAAa,CAAC,KAAK,UAAU,EAAE,CAAC;YACpG,SAAS;QACX,CAAC;QACD,MAAM,SAAS,GAAG,0BAA0B,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAC3E,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACnD,WAAW,CAAC,IAAI,CAAC;YACf,cAAc,EAAE,SAAS;YACzB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,YAAY;YAC3B,iBAAiB,EAAE,CAAC;YACpB,UAAU;SACX,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAAkB;IAC7D,OAAO;QACL,aAAa,EAAE,sBAAsB,CAAC,MAAM,CAAC;QAC7C,WAAW,EAAE,wBAAwB,CAAC,MAAM,CAAC;KAC9C,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import type { PoliciesV1 } from "../policy/index.js";
|
|
2
|
+
import type { ShellAnalysis } from "./analyze-command.types.js";
|
|
3
|
+
export type { ShellAnalysis, ShellApprovalFingerprintPayload, ShellInvocation, } from "./analyze-command.types.js";
|
|
4
|
+
import { listShellGovernedTools } from "./governed-tools.js";
|
|
5
|
+
export { listShellGovernedTools };
|
|
6
|
+
export declare function analyzeShellCommand(command: string, policy: PoliciesV1, depth?: number): ShellAnalysis;
|
|
7
|
+
//# sourceMappingURL=analyze-command.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-command.d.ts","sourceRoot":"","sources":["../../src/shell/analyze-command.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAUrD,OAAO,KAAK,EAAE,aAAa,EAAmB,MAAM,4BAA4B,CAAC;AACjF,YAAY,EACV,aAAa,EACb,+BAA+B,EAC/B,eAAe,GAChB,MAAM,4BAA4B,CAAC;AAKpC,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAG7D,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,SAAI,GAAG,aAAa,CAsDjG"}
|