@praxis.guard/auditor-cli 0.0.6 → 0.0.8
- package/dist/hooks/run-before-shell.d.ts.map +1 -1
- package/dist/hooks/run-before-shell.js +48 -1
- package/dist/hooks/run-before-shell.js.map +1 -1
- package/dist/mcp/guard-audit-status.d.ts +11 -0
- package/dist/mcp/guard-audit-status.d.ts.map +1 -0
- package/dist/mcp/guard-audit-status.js +14 -0
- package/dist/mcp/guard-audit-status.js.map +1 -0
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +7 -4
- package/dist/mcp/server.js.map +1 -1
- package/dist/shell/strip-trailing-benign-shell-redirs.d.ts +9 -0
- package/dist/shell/strip-trailing-benign-shell-redirs.d.ts.map +1 -0
- package/dist/shell/strip-trailing-benign-shell-redirs.js +31 -0
- package/dist/shell/strip-trailing-benign-shell-redirs.js.map +1 -0
- package/package.json +9 -10
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"run-before-shell.d.ts","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"run-before-shell.d.ts","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACzC,UAAU,EAAE,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AA+BF;;GAEG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,IAAI,CAAC,CAiJjE;AAED,wBAAgB,2BAA2B,CAAC,GAAG,EAAE,OAAO,GAAG,4BAA4B,CAMtF"}
|
|
@@ -3,6 +3,7 @@ import { appendAuditJsonl } from "../audit/jsonl.js";
|
|
|
3
3
|
import { getInstallId } from "../cli/install-id.js";
|
|
4
4
|
import { DEFAULT_GOVERNED_SHELL_TOOLS } from "../shell/governed-tools.js";
|
|
5
5
|
import { parseCommandToArgv } from "../shell/parse.js";
|
|
6
|
+
import { stripTrailingBenignShellRedirectsForMetacharCheck } from "../shell/strip-trailing-benign-shell-redirs.js";
|
|
6
7
|
import { tryConsumeShellApprovalBridge } from "../bridge/shell-approval-bridge.js";
|
|
7
8
|
import { sendGuardEvent } from "../telemetry/guard-events.js";
|
|
8
9
|
function tierToPermission(tier) {
|
|
@@ -39,12 +40,55 @@ async function tryAppendAuditEvent(evt, auditLogRoot) {
|
|
|
39
40
|
*/
|
|
40
41
|
export async function runBeforeShellHookFromStdin() {
|
|
41
42
|
const payload = await readStdinJson();
|
|
43
|
+
const decisionStarted = performance.now();
|
|
42
44
|
const argv = parseCommandToArgv(payload.command);
|
|
43
|
-
const
|
|
45
|
+
const commandForRawMeta = stripTrailingBenignShellRedirectsForMetacharCheck(payload.command);
|
|
46
|
+
const rawMetacharacters = /(;|&&|\|\||\||`|>|<|\$\()/.test(commandForRawMeta);
|
|
44
47
|
const tool = argv[0];
|
|
45
48
|
if (!tool || !DEFAULT_GOVERNED_SHELL_TOOLS.includes(tool)) {
|
|
49
|
+
const skipReason = !tool ? "no_command" : "ungoverned_shell_tool";
|
|
50
|
+
const auditLogRoot = typeof payload.cwd === "string" && payload.cwd.trim() ? payload.cwd.trim() : undefined;
|
|
51
|
+
const policyRevision = await readPoliciesV1Revision();
|
|
52
|
+
const latency_ms = performance.now() - decisionStarted;
|
|
53
|
+
await tryAppendAuditEvent({
|
|
54
|
+
ts: new Date().toISOString(),
|
|
55
|
+
hook: "beforeShellExecution",
|
|
56
|
+
cwd: payload.cwd,
|
|
57
|
+
command: payload.command,
|
|
58
|
+
argv,
|
|
59
|
+
status: "skipped",
|
|
60
|
+
skipped: true,
|
|
61
|
+
skip_reason: skipReason,
|
|
62
|
+
tier: "READ",
|
|
63
|
+
permission: "allow",
|
|
64
|
+
bridgeConsumed: false,
|
|
65
|
+
reasons: [`${skipReason}(policy_not_evaluated)`],
|
|
66
|
+
latency_ms,
|
|
67
|
+
}, auditLogRoot);
|
|
46
68
|
const response = { permission: "allow" };
|
|
47
69
|
process.stdout.write(JSON.stringify(response, null, 2));
|
|
70
|
+
await sendGuardEvent({
|
|
71
|
+
ts: new Date().toISOString(),
|
|
72
|
+
status: "skipped",
|
|
73
|
+
skipped: true,
|
|
74
|
+
skip_reason: skipReason,
|
|
75
|
+
tool: "auditor-hook",
|
|
76
|
+
command_path: argv[0] ?? null,
|
|
77
|
+
verb: argv[1] ?? null,
|
|
78
|
+
resource: argv.length > 2 ? argv.slice(2).join(" ") : null,
|
|
79
|
+
reason: skipReason,
|
|
80
|
+
cmd: payload.command,
|
|
81
|
+
tier: "READ",
|
|
82
|
+
decision: "allow",
|
|
83
|
+
latency_ms,
|
|
84
|
+
installId: getInstallId(),
|
|
85
|
+
kind: "shell",
|
|
86
|
+
...(policyRevision !== null ? { policy_revision: policyRevision } : {}),
|
|
87
|
+
meta: {
|
|
88
|
+
hook: "beforeShellExecution",
|
|
89
|
+
bridgeConsumed: false,
|
|
90
|
+
},
|
|
91
|
+
});
|
|
48
92
|
return;
|
|
49
93
|
}
|
|
50
94
|
const policy = await loadPoliciesV1();
|
|
@@ -85,6 +129,7 @@ export async function runBeforeShellHookFromStdin() {
|
|
|
85
129
|
agent_message: `Blocked by guard. tier=${tier} reasons=${reasons.join(",") || "policy"}. argv=${JSON.stringify(argv)}`,
|
|
86
130
|
};
|
|
87
131
|
const auditLogRoot = typeof payload.cwd === "string" && payload.cwd.trim() ? payload.cwd.trim() : undefined;
|
|
132
|
+
const latency_ms = performance.now() - decisionStarted;
|
|
88
133
|
await tryAppendAuditEvent({
|
|
89
134
|
ts: new Date().toISOString(),
|
|
90
135
|
hook: "beforeShellExecution",
|
|
@@ -97,6 +142,7 @@ export async function runBeforeShellHookFromStdin() {
|
|
|
97
142
|
permission,
|
|
98
143
|
bridgeConsumed,
|
|
99
144
|
reasons,
|
|
145
|
+
latency_ms,
|
|
100
146
|
}, auditLogRoot);
|
|
101
147
|
// Write stdout immediately so Cursor gets the response without waiting for network.
|
|
102
148
|
process.stdout.write(JSON.stringify(response, null, 2));
|
|
@@ -113,6 +159,7 @@ export async function runBeforeShellHookFromStdin() {
|
|
|
113
159
|
cmd: payload.command,
|
|
114
160
|
tier,
|
|
115
161
|
decision: permission === "allow" ? "allow" : "block",
|
|
162
|
+
latency_ms,
|
|
116
163
|
installId: getInstallId(),
|
|
117
164
|
kind: "shell",
|
|
118
165
|
...(policyRevision !== null ? { policy_revision: policyRevision } : {}),
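Review bot: The new skip branch (new lines 49–91) records `tier: "READ"` and `permission: "allow"` in both the audit entry and the guard event although its own reason string says `policy_not_evaluated`, and it never records the `rawMetacharacters` flag computed just above it. Only `argv[0]` is compared with `DEFAULT_GOVERNED_SHELL_TOOLS`, so a skipped entry for a plain command looks identical in the log to one whose command line contains chaining or substitution operators; adding `raw_metacharacters: rawMetacharacters,` to both objects would let detection rules tell them apart. The same branch now passes `cmd: payload.command` and the joined `resource` to `sendGuardEvent` for every ungoverned command, where the old code sent nothing on this path. Command lines that carry tokens or passwords would therefore go wherever that sink delivers events (not visible here), so consider redacting or hashing the command text on the skipped path. `runBeforeShellHookFromStdin` continues past the hunks shown.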
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"run-before-shell.js","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAErG,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAc9D,SAAS,gBAAgB,CAAC,IAAU;IAClC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,OAAO,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YAC3B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAA4B,EAAE,YAAqB;IACpF,IAAI,CAAC;QACH,MAAM,gBAAgB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,GAAG,IAAI,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,OAAO,GAAG,MAAM,aAAa,EAA+B,CAAC;
|
|
1
|
+
{"version":3,"file":"run-before-shell.js","sourceRoot":"","sources":["../../src/hooks/run-before-shell.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAErG,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,iDAAiD,EAAE,MAAM,gDAAgD,CAAC;AACnH,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAc9D,SAAS,gBAAgB,CAAC,IAAU;IAClC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,OAAO,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC;QACrD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YAC3B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAA4B,EAAE,YAAqB;IACpF,IAAI,CAAC;QACH,MAAM,gBAAgB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,GAAG,IAAI,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,OAAO,GAAG,MAAM,aAAa,EAA+B,CAAC;IACnE,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAE1C,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,iBAAiB,GAAG,iDAAiD,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7F,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE9E,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,CAAC,IAAI,IAAI,CAAC,4BAA4B,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1D,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAClE,MAAM,YAAY,GAAG,OAAO
,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5G,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;QACtD,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;QACvD,MAAM,mBAAmB,CACvB;YACE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,IAAI,EAAE,sBAAsB;YAC5B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI;YACJ,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,UAAU;YACvB,IAAI,EAAE,MAAM;YACZ,UAAU,EAAE,OAAO;YACnB,cAAc,EAAE,KAAK;YACrB,OAAO,EAAE,CAAC,GAAG,UAAU,wBAAwB,CAAC;YAChD,UAAU;SACX,EACD,YAAY,CACb,CAAC;QAEF,MAAM,QAAQ,GAAiC,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;QACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAExD,MAAM,cAAc,CAAC;YACnB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,UAAU;YACvB,IAAI,EAAE,cAAc;YACpB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;YAC7B,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;YACrB,QAAQ,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;YAC1D,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,OAAO,CAAC,OAAO;YACpB,IAAI,EAAE,MAAM;YACZ,QAAQ,EAAE,OAAO;YACjB,UAAU;YACV,SAAS,EAAE,YAAY,EAAE;YACzB,IAAI,EAAE,OAAO;YACb,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvE,IAAI,EAAE;gBACJ,IAAI,EAAE,sBAAsB;gBAC5B,cAAc,EAAE,KAAK;aACtB;SACF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACtD,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAE7D,IAAI,IAAI,GAAS,cAAc,CAAC,IAAI,CAAC;IACrC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,cAAc,CAAC,OAAO;QAAE,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAC3E,IAAI,KAAK,CAAC,cAAc,IAAI,iBAAiB;QAAE,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC9E,IAAI,KAAK,CAAC,eAAe;QAAE,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE3D,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,iBAAiB,CAAC,IAAI,IAAI,KAAK,MAAM;QAAE,IAAI,GAAG,Q
AAQ,CAAC;IACpF,IAAI,KAAK,CAAC,eAAe;QAAE,IAAI,GAAG,aAAa,CAAC;IAEhD,IAAI,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,UAAU,KAAK,MAAM,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,cAAc,GAAG,MAAM,6BAA6B,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACjF,IAAI,cAAc,EAAE,CAAC;YACnB,UAAU,GAAG,OAAO,CAAC;QACvB,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GACZ,UAAU,KAAK,OAAO;QACpB,CAAC,CAAC;YACE,UAAU;YACV,GAAG,CAAC,cAAc;gBAChB,CAAC,CAAC;oBACE,aAAa,EACX,gGAAgG;iBACnG;gBACH,CAAC,CAAC,EAAE,CAAC;SACR;QACH,CAAC,CAAC;YACE,UAAU;YACV,YAAY,EAAE,wCAAwC,IAAI,IAAI;YAC9D,aAAa,EAAE,0BAA0B,IAAI,YAAY,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,UAAU,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;SACvH,CAAC;IAER,MAAM,YAAY,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5G,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;IACvD,MAAM,mBAAmB,CACvB;QACE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,IAAI,EAAE,sBAAsB;QAC5B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI;QACJ,cAAc;QACd,KAAK;QACL,IAAI;QACJ,UAAU;QACV,cAAc;QACd,OAAO;QACP,UAAU;KACX,EACD,YAAY,CACb,CAAC;IAEF,oFAAoF;IACpF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAExD,2DAA2D;IAC3D,MAAM,MAAM,GAAG,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,cAAc,CAAC;QACnB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,MAAM;QACN,IAAI,EAAE,cAAc;QACpB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QAC7B,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;QACrB,QAAQ,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QAC1D,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI;QAC1B,GAAG,EAAE,OAAO,CAAC,OAAO;QACpB,IAAI;QACJ,QAAQ,EAAE,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO;QACpD,UAAU;QACV,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,OAAO;QACb,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;
QACvE,IAAI,EAAE;YACJ,IAAI,EAAE,sBAAsB;YAC5B,cAAc;SACf;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,GAAY;IACtD,OAAO;QACL,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,0DAA0D;QACxE,aAAa,EAAE,uBAAuB,MAAM,CAAC,GAAG,CAAC,EAAE;KACpD,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
export type GuardAuditStatus = "passed" | "blocked" | "skipped" | "needs_approval";
|
|
2
|
+
export type GuardDecision = "allow" | "block" | "require_approval";
|
|
3
|
+
/**
|
|
4
|
+
* Maps MCP guard outcome to append-only / telemetry audit status.
|
|
5
|
+
* Skipped shell proposals (tool outside governed set) use `skipped`, not `passed`.
|
|
6
|
+
*/
|
|
7
|
+
export declare function resolveGuardAuditStatus(opts: {
|
|
8
|
+
skipped: boolean;
|
|
9
|
+
decision: GuardDecision;
|
|
10
|
+
}): GuardAuditStatus;
|
|
11
|
+
//# sourceMappingURL=guard-audit-status.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"guard-audit-status.d.ts","sourceRoot":"","sources":["../../src/mcp/guard-audit-status.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,GAAG,gBAAgB,CAAC;AAEnF,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,OAAO,GAAG,kBAAkB,CAAC;AAEnE;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,aAAa,CAAA;CAAE,GAAG,gBAAgB,CAK7G"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Maps MCP guard outcome to append-only / telemetry audit status.
|
|
3
|
+
* Skipped shell proposals (tool outside governed set) use `skipped`, not `passed`.
|
|
4
|
+
*/
|
|
5
|
+
export function resolveGuardAuditStatus(opts) {
|
|
6
|
+
if (opts.skipped)
|
|
7
|
+
return "skipped";
|
|
8
|
+
if (opts.decision === "allow")
|
|
9
|
+
return "passed";
|
|
10
|
+
if (opts.decision === "block")
|
|
11
|
+
return "blocked";
|
|
12
|
+
return "needs_approval";
|
|
13
|
+
}
|
|
14
|
+
//# sourceMappingURL=guard-audit-status.js.map
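Review bot: `resolveGuardAuditStatus` falls through to `"needs_approval"` for every `decision` that is not `"allow"` or `"block"`, so an undefined or misspelled value is written to the audit trail as a pending approval instead of being noticed. The `GuardDecision` type in the .d.ts does not protect the compiled JS at runtime, and this status is what later review of the log relies on. Matching the third case explicitly with `if (opts.decision === "require_approval") return "needs_approval";` and ending with `throw new TypeError("unknown guard decision: " + String(opts.decision));` would keep unexpected values out of the record. If throwing inside the caller is not acceptable, a distinct status for unknown values would serve the same purpose.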
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"guard-audit-status.js","sourceRoot":"","sources":["../../src/mcp/guard-audit-status.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAmD;IACzF,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IACnC,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,QAAQ,CAAC;IAC/C,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,SAAS,CAAC;IAChD,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}
|
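--- a/package/dist/mcp/server.d.ts.map
+++ b/package/dist/mcp/server.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAmJA,8EAA8E;AAC9E,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAsJvD"}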
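--- a/package/dist/mcp/server.js
+++ b/package/dist/mcp/server.js
@@ -8,6 +8,7 @@ import { getInstallId } from "../cli/install-id.js";
 import { recordShellApprovalBridge, shouldRecordShellBridge } from "../bridge/shell-approval-bridge.js";
 import { evaluateArgv, evaluateShellProposal, parseCommandToArgv, } from "../shell/evaluate.js";
 import { sendGuardEvent } from "../telemetry/guard-events.js";
+import { resolveGuardAuditStatus } from "./guard-audit-status.js";
 import { AUDITOR_CLI_VERSION } from "../runtime/version.js";
 const GuardModeSchema = z.enum(["shadow", "enforce"]);
 const ProposalKindSchema = z.enum(["shell", "mcp"]);
@@ -136,7 +137,7 @@ export async function runMcpStdioServer() {
 description: "Policy gatekeeper for agent actions. Evaluates a proposal argv against policies.v1.json; returns allow/block/require_approval with reasons.",
 inputSchema: GuardInputSchema,
 }, async (input) => {
-const startedAt =
+const startedAt = performance.now();
 const event_id = uuidv4();
 pruneExpiredApprovals();
 resetHeartbeatIdle();
@@ -196,7 +197,7 @@ export async function runMcpStdioServer() {
 audit: {
 event_id,
 timestamp: new Date().toISOString(),
-latency_ms:
+latency_ms: performance.now() - startedAt,
 },
 execution: {
 attempted: false,
@@ -208,10 +209,12 @@ export async function runMcpStdioServer() {
 null;
 const actionVerb = argv[1] ?? null;
 const actionResource = argv.length > 2 ? argv.slice(2).join(" ") : null;
-const status =
+const status = resolveGuardAuditStatus({ skipped, decision });
 void sendGuardEvent({
 ts: new Date().toISOString(),
 status,
+skipped,
+...(skipped ? { skip_reason: "ungoverned_shell_tool" } : {}),
 tool: "auditor-mcp",
 command_path: argv[0] ?? null,
 verb: actionVerb,
@@ -220,7 +223,7 @@ export async function runMcpStdioServer() {
 cmd: argv.join(" "),
 tier,
 decision,
-latency_ms:
+latency_ms: performance.now() - startedAt,
 event_id,
 installId: getInstallId(),
 kind: input.proposal.kind,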
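Review bot: `skip_reason` is hard-coded to `"ungoverned_shell_tool"` whenever `skipped` is true (new line 217), while the shell hook in run-before-shell.js distinguishes `"no_command"` from `"ungoverned_shell_tool"`. `skipped` is set outside the hunks shown, so if it can be true for any other cause the MCP event will mislabel it and the two event sources will disagree about the same situation. Prefer carrying the reason out of the evaluator, or deriving it the way the hook does, `skip_reason: argv[0] ? "ungoverned_shell_tool" : "no_command"`. Separately, `latency_ms` is computed twice as `performance.now() - startedAt` (new lines 200 and 226), so the response audit block and the telemetry event for one `event_id` carry different values; computing it once into a local keeps them equal. The handler body extends beyond the hunks shown.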
package/dist/mcp/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAEvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,oCAAoC,CAAC;AACxG,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;AACtD,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;AAEpD,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,eAAe;IACrB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3E,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAIH,SAAS,cAAc,CAAC,IAAU;IAChC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,kBAAkB,CAAC;IACjD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,IAAuB;IAC9C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,wFAAwF;AACxF,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAsD,CAAC;AAC7F,SAAS,qBAAqB;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CA
AC,KAAK,EAAE,GAAG,CAAC,IAAI,sBAAsB,EAAE,CAAC;QAClD,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS;YAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,qBAAqB,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;AAEhE,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,IAAI,cAAc,GAAyC,IAAI,CAAC;AAChE,IAAI,yBAAyB,GAAG,CAAC,CAAC;AAElC,SAAS,wBAAwB;IAC/B,IAAI,yBAAyB,GAAG,CAAC;QAAE,OAAO,0BAA0B,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,CACb,0BAA0B,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,GAAG,CAAC,CAAC,EACzE,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB;IAC5B,IAAI,cAAc;QAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IACjD,cAAc,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QACrC,yBAAyB,EAAE,CAAC;QAC5B,MAAM,kBAAkB,EAAE,CAAC;QAC3B,qBAAqB,EAAE,CAAC;IAC1B,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,kBAAkB;IACzB,yBAAyB,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,qBAAqB,CAAC;IACrF,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,MAAM,OAAO,GAAG;QACd,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE;YACN,EAAE,EAAE,OAAO,CAAC,QAAQ;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,OAAO;SACtB;KACF,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAgC,EAChC,WAAmB,EACnB,IAAU;IAEV,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC
;IAC9C,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;QACvC,IAAI,GAAG;YAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW;QAAE,OAAO,KAAK,CAAC;IAClD,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACtD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,qBAAqB,EAAE,CAAC;IAExB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,mBAAmB;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,YAAY,CACjB,OAAO,EACP;QACE,WAAW,EACT,6IAA6I;QAC/I,WAAW,EAAE,gBAAgB;KAC9B,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,SAAS,GAAG,
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAa,MAAM,oBAAoB,CAAC;AAEvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,oCAAoC,CAAC;AACxG,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;AACtD,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;AAEpD,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,eAAe;IACrB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3E,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAIH,SAAS,cAAc,CAAC,IAAU;IAChC,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACpC,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,kBAAkB,CAAC;IACjD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,IAAuB;IAC9C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,wFAAwF;AACxF,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAsD,CAAC;AAC7F,SAAS,qBAAqB;IAC5B,MAAM,GAAG,GAA
G,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,sBAAsB,EAAE,CAAC;QAClD,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS;YAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,qBAAqB,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;AAEhE,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACjD,IAAI,cAAc,GAAyC,IAAI,CAAC;AAChE,IAAI,yBAAyB,GAAG,CAAC,CAAC;AAElC,SAAS,wBAAwB;IAC/B,IAAI,yBAAyB,GAAG,CAAC;QAAE,OAAO,0BAA0B,CAAC;IACrE,OAAO,IAAI,CAAC,GAAG,CACb,0BAA0B,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,GAAG,CAAC,CAAC,EACzE,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB;IAC5B,IAAI,cAAc;QAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IACjD,cAAc,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QACrC,yBAAyB,EAAE,CAAC;QAC5B,MAAM,kBAAkB,EAAE,CAAC;QAC3B,qBAAqB,EAAE,CAAC;IAC1B,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,kBAAkB;IACzB,yBAAyB,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,qBAAqB,CAAC;IACrF,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,MAAM,OAAO,GAAG;QACd,SAAS,EAAE,YAAY,EAAE;QACzB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE;YACN,EAAE,EAAE,OAAO,CAAC,QAAQ;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,OAAO;SACtB;KACF,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YACpC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAgC,EAChC,WAAmB,EACnB,IAAU;IAEV,IAAI,CAAC
,KAAK,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9C,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;QACvC,IAAI,GAAG;YAAE,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,KAAK,WAAW;QAAE,OAAO,KAAK,CAAC;IAClD,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,MAAM,cAAc,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACtD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,qBAAqB,EAAE,CAAC;IAExB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,mBAAmB;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,YAAY,CACjB,OAAO,EACP;QACE,WAAW,EACT,6IAA6I;QAC/I,WAAW,EAAE,gBAAgB;KAC9B,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC;QAC1B,qBAAqB,EAAE,CAAC;QACxB,kBAAkB,EAAE,CAAC;QAErB,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW;YACrC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;YAChD,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAExB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAC3B,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO;YAC7B,CAAC,CAAC,qBAAqB,CAAC,MAAM,EAAE,IAAI,CAAC;YACrC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAc,EAAE,UAAU,EAAE,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;QAE1E,MAAM,IAAI,GAAS,UAAU,CAAC,IAAI,CAAC;QACnC,MAAM,OAAO,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,IAAI,IAAI,CAAC;QAE9D,MAAM,QAAQ,GACZ,CAAC,OAAO,IAAI,sBAAsB,CAAC,cAAc,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;QAExE,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,QAAkB,CAAC;QACvB,IAAI,OAAO,IAAI,QAAQ;YAAE,QAAQ,GAAG,OAAO,CAAC;aACvC,IAAI,IAAI,KAAK,aAAa;YAAE,QAAQ,GAAG,OAAO,CAAC;;YAC/C,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QAErC,MAAM,UAAU,GAAG,QAAQ,KAAK,kBAAkB,CAAC;QACnD,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,QAAQ,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvD,
IAAI,UAAU,IAAI,QAAQ,EAAE,CAAC;YAC3B,sBAAsB,CAAC,GAAG,CAAC,QAAQ,EAAE;gBACnC,WAAW;gBACX,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;aACvC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,QAAQ;YACR,OAAO;YACP,IAAI;YACJ,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE;YAC3E,OAAO;YACP,MAAM,EAAE;gBACN,QAAQ;gBACR,IAAI;gBACJ,OAAO,EAAE,EAAE;aACZ;YACD,QAAQ,EAAE;gBACR,QAAQ,EAAE,QAAQ,KAAK,kBAAkB;gBACzC,KAAK,EAAE,QAAQ;gBACf,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;gBACnF,YAAY,EACV,QAAQ,KAAK,kBAAkB;oBAC7B,CAAC,CAAC,2IAA2I;oBAC7I,CAAC,CAAC,QAAQ;wBACR,CAAC,CAAC,yDAAyD;wBAC3D,CAAC,CAAC,IAAI;aACb;YACD,KAAK,EAAE;gBACL,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;aAC1C;YACD,SAAS,EAAE;gBACT,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,IAAI;aACb;SACF,CAAC;QAEF,MAAM,WAAW,GACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,QAAQ,CAAC,EAAE,OAAO;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,KAAK,QAAQ,CAAC,EAAE,IAAI;YACtD,IAAI,CAAC;QACP,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QACnC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACxE,MAAM,MAAM,GAAG,uBAAuB,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;QAE9D,KAAK,cAAc,CAAC;YAClB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,MAAM;YACN,OAAO;YACP,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5D,IAAI,EAAE,aAAa;YACnB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI;YAC7B,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,cAAc;YACxB,MAAM,EAAE,WAAW;YACnB,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YACnB,IAAI;YACJ,QAAQ;YACR,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;YACzC,QAAQ;YACR,SAAS,EAAE,YAAY,EAAE;YACzB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;YACzB,GAAG,CAAC,cAAc,KAAK
,IAAI,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxE,CAAC,CAAC;QAEH,IACE,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO;YAC/B,uBAAuB,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,EACpD,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,yBAAyB,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;gBACnE,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,uBAAuB;oBAC7B,OAAO,EACL,0FAA0F;iBAC7F,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,4BAA4B;oBAClC,OAAO,EAAE,yEAAyE;iBACnF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;SACrE,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}
|
|
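--- a/package/dist/shell/strip-trailing-benign-shell-redirs.d.ts
+++ b/package/dist/shell/strip-trailing-benign-shell-redirs.d.ts
@@ -0,0 +1,9 @@
+/**
+* Removes trailing-only benign I/O redirects from a shell command string before
+* running coarse metacharacter heuristics. These patterns do not introduce new
+* commands; they only merge or discard streams (common when runners append `2>&1`).
+*
+* Does not alter argv parsing — only used for `rawMetacharacters`-style scans.
+*/
+export declare function stripTrailingBenignShellRedirectsForMetacharCheck(command: string): string;
+//# sourceMappingURL=strip-trailing-benign-shell-redirs.d.ts.map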
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"strip-trailing-benign-shell-redirs.d.ts","sourceRoot":"","sources":["../../src/shell/strip-trailing-benign-shell-redirs.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,wBAAgB,iDAAiD,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAqBzF"}
|
|
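--- a/package/dist/shell/strip-trailing-benign-shell-redirs.js
+++ b/package/dist/shell/strip-trailing-benign-shell-redirs.js
@@ -0,0 +1,31 @@
+/**
+* Removes trailing-only benign I/O redirects from a shell command string before
+* running coarse metacharacter heuristics. These patterns do not introduce new
+* commands; they only merge or discard streams (common when runners append `2>&1`).
+*
+* Does not alter argv parsing — only used for `rawMetacharacters`-style scans.
+*/
+export function stripTrailingBenignShellRedirectsForMetacharCheck(command) {
+let s = command.trimEnd();
+for (;;) {
+const before = s;
+s = s
+.replace(/\s*2>&1\s*$/u, "")
+.replace(/\s*1>&2\s*$/u, "")
+.replace(/\s*2>>\s*\/dev\/null\s*$/u, "")
+.replace(/\s*2>>\/dev\/null\s*$/u, "")
+.replace(/\s*2>\s*\/dev\/null\s*$/u, "")
+.replace(/\s*2>\/dev\/null\s*$/u, "")
+.replace(/\s*>>\s*\/dev\/null\s*$/u, "")
+.replace(/\s*>>\/dev\/null\s*$/u, "")
+.replace(/\s*>\s*\/dev\/null\s*$/u, "")
+.replace(/\s*>\/dev\/null\s*$/u, "")
+.replace(/\s*&>\s*\/dev\/null\s*$/u, "")
+.replace(/\s*&>\/dev\/null\s*$/u, "")
+.trimEnd();
+if (s === before)
+break;
+}
+return s;
+}
+//# sourceMappingURL=strip-trailing-benign-shell-redirs.js.map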
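Review bot: The two `&>` replacements at the end of the chain (new-file lines 23–24) can never match, because the bare `>` patterns on lines 21–22 run first and consume the `>/dev/null` tail, so `cmd &>/dev/null` comes back as `cmd &` rather than `cmd`. The leftover `&` is presumably flagged by the metacharacter scan this helper feeds (not shown here), so the result fails closed, but it defeats the helper's purpose for that redirect form. Moving `.replace(/\s*&>\s*\/dev\/null\s*$/u, "")` to the top of the chain fixes it, and each no-space variant such as `/\s*2>\/dev\/null\s*$/u` can be dropped because `\s*` already matches zero characters. Since the stripping is purely textual and ignores quoting, a comment such as `// Scan-only: never execute or audit-log the stripped string` above the function would pin the invariant the doc comment implies.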
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"strip-trailing-benign-shell-redirs.js","sourceRoot":"","sources":["../../src/shell/strip-trailing-benign-shell-redirs.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,UAAU,iDAAiD,CAAC,OAAe;IAC/E,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAC1B,SAAS,CAAC;QACR,MAAM,MAAM,GAAG,CAAC,CAAC;QACjB,CAAC,GAAG,CAAC;aACF,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;aAC3B,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;aAC3B,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC;aACxC,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC;aACrC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;aACvC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;aACpC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;aACvC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;aACpC,OAAO,CAAC,yBAAyB,EAAE,EAAE,CAAC;aACtC,OAAO,CAAC,sBAAsB,EAAE,EAAE,CAAC;aACnC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;aACvC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;aACpC,OAAO,EAAE,CAAC;QACb,IAAI,CAAC,KAAK,MAAM;YAAE,MAAM;IAC1B,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}
|
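--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@praxis.guard/auditor-cli",
-"version": "0.0.
+"version": "0.0.8",
 "private": false,
 "type": "module",
 "files": [
@@ -17,14 +17,6 @@
 "./mcp": "./dist/mcp/server.js",
 "./package.json": "./package.json"
 },
-"scripts": {
-"build": "tsc -p tsconfig.build.json",
-"typecheck": "tsc -p tsconfig.json",
-"test": "node --import tsx/esm --test src/**/*.test.ts",
-"mcp:dev": "tsx src/cli.ts mcp",
-"prepack": "pnpm run build && node scripts/prepare-package.cjs",
-"e2e:pack-install": "bash scripts/e2e-pack-install.sh"
-},
 "dependencies": {
 "@modelcontextprotocol/sdk": "^1.17.4",
 "shell-quote": "^1.8.3",
@@ -36,5 +28,12 @@
 "@types/shell-quote": "^1.7.5",
 "tsx": "^4.20.5",
 "typescript": "^5.9.2"
+},
+"scripts": {
+"build": "tsc -p tsconfig.build.json",
+"typecheck": "tsc -p tsconfig.json",
+"test": "node --import tsx/esm --test src/**/*.test.ts",
+"mcp:dev": "tsx src/cli.ts mcp",
+"e2e:pack-install": "bash scripts/e2e-pack-install.sh"
 }
-}
+}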