@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.2

package/dist/core/permission.js

@@ -1,369 +0,0 @@
-import { basename, resolve } from 'node:path';
-import { classifyBash, listDestructivePatterns, } from './bash-classifier.js';
-/**
- * Map `PermissionAction.kind` to the `HookMatch.permission` taxonomy.
- * The hook taxonomy uses `mcp`/`subagent` slots that the permission
- * engine does not currently emit; `workflow` has no hook-side
- * equivalent so it falls through as undefined (any matching hook with
- * an explicit `permission` filter will not match).
- */
-function toHookPermission(kind) {
-    switch (kind) {
-        case 'read':
-        case 'edit':
-        case 'bash':
-        case 'network':
-        case 'mcp':
-            return kind;
-        case 'workflow':
-            return undefined;
-    }
-}
-/**
- * Fire the `PermissionRequest` hook for the given action and decision.
- * Caller is the permission engine's user-facing surface — when the
- * decision is `ask`, hooks can observe (and, with `onFailure: 'block'`,
- * pre-empt) the prompt. The hook system does NOT replace the prompt —
- * a `block` hook simply turns the decision into a refusal that the
- * caller surfaces as a denial.
- *
- * Returns true when no blocking hook objected; false when at least one
- * `onFailure: 'block'` hook returned a non-zero exit. Callers should
- * treat false as "deny this action".
- */
-export async function firePermissionRequestHook(action, decision, hooks, sessionId) {
-    hooks.resetBatch();
-    const ctx = {
-        sessionId,
-        event: 'PermissionRequest',
-        tool: action.tool,
-        permission: toHookPermission(action.kind),
-        path: action.kind === 'read' || action.kind === 'edit' ? action.target : undefined,
-        payload: { action, decision },
-    };
-    const matching = hooks.listMatching(ctx);
-    const results = await hooks.fire(ctx);
-    for (let i = 0; i < matching.length; i += 1) {
-        const hook = matching[i];
-        const result = results[i];
-        if (hook && result && hook.onFailure === 'block' && !result.ok) {
-            return false;
-        }
-    }
-    return true;
-}
-const protectedBasenames = new Set([
-    '.env',
-    '.npmrc',
-    '.yarnrc',
-    '.pypirc',
-    '.gitconfig',
-    'id_rsa',
-    'id_ed25519',
-]);
-const protectedSuffixes = ['.pem', '.key', '.crt', '.p12', '.dump', '.sql'];
-/**
- * Hard-deny list. The list of destructive substrings now lives in
- * `bash-classifier.ts::DESTRUCTIVE_PATTERNS`; this function exposes
- * it as a list for callers (doctor, debug tooling) that need to
- * audit the rule set without re-running `classifyBash`.
- *
- * Code Reviewer P2 retro: previously this list was
- * duplicated here as `destructiveBashPatterns`. Sprint moves it
- * into the classifier so the permission engine and the doctor surface
- * cannot drift.
- */
-export function destructiveBashPatternsList() {
-    return listDestructivePatterns();
-}
-/**
- * Class-aware bash permission decision. The matrix:
- *
- *                    | plan | ask | acceptEdits | auto      | dontAsk | bypass
- * read              | allow| allow| allow     | allow     | allow  | allow
- * build_test        | deny | ask | ask       | allow     | allow* | allow
- * network           | deny | ask | ask       | ask       | allow* | allow
- * write_workspace   | deny | ask | allow     | allow     | allow* | allow
- * write_protected   | deny | ask | ask       | ask       | deny   | ask
- * destructive       | deny | deny | deny      | deny      | deny   | deny**
- * unknown           | deny | ask | ask       | ask       | deny   | ask
- *
- * * dontAsk allows non-destructive classes when no settings rule
- *   contradicts; the bare-mode policy is encoded in the table below.
- * ** destructive can be unlocked ONLY when ALL three hold:
- *     - mode === 'bypassPermissions'
- *     - PUGI_DESTRUCTIVE_OVERRIDE === '1'
- *     - source === 'human'
- *   The agent loop never sets `source: 'human'`, so even a runaway
- *   agent in bypass mode cannot trigger a destructive deletion.
- */
-export function evaluateBashPermission(cmd, mode, ctx) {
-    const classification = classifyBash(cmd, {
-        workspaceRoot: ctx.workspaceRoot,
-        additionalDirectories: ctx.additionalDirectories,
-    });
-    return decisionForClass(classification, mode, ctx);
-}
-function decisionForClass(classification, mode, ctx) {
-    const { class: klass, reason, matched } = classification;
-    const explain = `${reason}${matched ? ` [matched=${matched}]` : ''}`;
-    if (klass === 'destructive') {
-        const overrideOk = mode === 'bypassPermissions' &&
-            ctx.source === 'human' &&
-            process.env.PUGI_DESTRUCTIVE_OVERRIDE === '1';
-        if (overrideOk) {
-            return {
-                decision: 'allow',
-                reason: `${explain}; destructive override engaged (PUGI_DESTRUCTIVE_OVERRIDE=1, human source, bypassPermissions)`,
-                source: 'mode.bypassPermissions.destructive_override',
-            };
-        }
-        return {
-            decision: 'deny',
-            reason: `${explain}; destructive class is always denied`,
-            source: 'classifier.destructive',
-        };
-    }
-    switch (klass) {
-        case 'read':
-            return { decision: 'allow', reason: explain, source: `classifier.${klass}` };
-        case 'build_test':
-            return classAwareVerdict(mode, klass, explain, {
-                plan: 'deny',
-                ask: 'ask',
-                acceptEdits: 'ask',
-                auto: 'allow',
-                dontAsk: 'allow',
-                bypassPermissions: 'allow',
-            });
-        case 'network':
-            return classAwareVerdict(mode, klass, explain, {
-                plan: 'deny',
-                ask: 'ask',
-                acceptEdits: 'ask',
-                auto: 'ask',
-                dontAsk: 'allow',
-                bypassPermissions: 'allow',
-            });
-        case 'write_workspace':
-            return classAwareVerdict(mode, klass, explain, {
-                plan: 'deny',
-                ask: 'ask',
-                acceptEdits: 'allow',
-                auto: 'allow',
-                dontAsk: 'allow',
-                bypassPermissions: 'allow',
-            });
-        case 'write_protected':
-            return classAwareVerdict(mode, klass, explain, {
-                plan: 'deny',
-                ask: 'ask',
-                acceptEdits: 'ask',
-                auto: 'ask',
-                dontAsk: 'deny',
-                bypassPermissions: 'ask',
-            });
-        case 'unknown':
-            return classAwareVerdict(mode, klass, explain, {
-                plan: 'deny',
-                ask: 'ask',
-                acceptEdits: 'ask',
-                auto: 'ask',
-                dontAsk: 'deny',
-                bypassPermissions: 'ask',
-            });
-    }
-}
-function classAwareVerdict(mode, klass, reason, table) {
-    const verdict = table[mode];
-    const source = `classifier.${klass}.${mode}`;
-    switch (verdict) {
-        case 'allow':
-            return { decision: 'allow', reason, source };
-        case 'deny':
-            return { decision: 'deny', reason: `${reason}; ${mode} mode denies ${klass}`, source };
-        case 'ask':
-            return { decision: 'ask', reason, risk: riskForClass(klass) };
-    }
-}
-function riskForClass(klass) {
-    switch (klass) {
-        case 'read':
-            return 'low';
-        case 'build_test':
-        case 'write_workspace':
-            return 'medium';
-        case 'network':
-        case 'write_protected':
-        case 'unknown':
-        case 'destructive':
-            return 'high';
-    }
-}
-export function decidePermission(action, settings, root) {
-    if (action.kind === 'bash') {
-        // Legacy callers (file-tools::bashTool, runtime/cli protected-file
-        // probe) still call `decidePermission` for bash. The class-aware
-        // engine is preferred; we route through it here so the hard-deny
-        // gate stays consistent regardless of entry point.
-        //
-        // Source defaults to 'agent' because every code path that calls
-        // `decidePermission({ kind: 'bash' })` today is reached through
-        // the engine loop. Direct human bash invocation goes through the
-        // new `evaluateBashPermission` with `source: 'human'`.
-        const decision = evaluateBashPermission(action.target, settings.permissions.mode, {
-            workspaceRoot: root,
-            additionalDirectories: [],
-            source: 'agent',
-        });
-        if (decision.decision === 'deny' && decision.source === 'classifier.destructive') {
-            // Locked-source identifier for the retro spec — the existing
-            // tests assert `source === 'hard_deny'`. Re-label so the
-            // semantic stays the same: a destructive command was blocked
-            // by the hard-deny gate.
-            return { ...decision, source: 'hard_deny' };
-        }
-        const signature = `${action.kind}:${action.target}`;
-        if (matchesAny(signature, settings.permissions.deny)) {
-            return { decision: 'deny', reason: `Denied by rule: ${signature}`, source: 'settings.deny' };
-        }
-        if (matchesAny(signature, settings.permissions.allow) && decision.decision !== 'deny') {
-            return { decision: 'allow', reason: `Allowed by rule: ${signature}`, source: 'settings.allow' };
-        }
-        return decision;
-    }
-    const protectedReason = protectedTargetReason(action, root);
-    if (protectedReason) {
-        return decisionForMode(settings.permissions.mode, protectedReason, 'protected_file', 'high');
-    }
-    // task — operator-declared read-only paths gate edits
-    // and writes ahead of the generic deny check so the audit trail
-    // shows `source: 'readonly_paths'` (operator intent), not
-    // `settings.deny` (generic rule). Reads always pass through; the
-    // contract is "you can look but не touch".
-    if (action.kind === 'edit' && matchesAny(action.target, settings.permissions.readonlyPaths)) {
-        return {
-            decision: 'deny',
-            reason: `Read-only path: ${action.target}`,
-            source: 'readonly_paths',
-        };
-    }
-    const signature = `${action.kind}:${action.target}`;
-    if (matchesAny(signature, settings.permissions.deny)) {
-        return { decision: 'deny', reason: `Denied by rule: ${signature}`, source: 'settings.deny' };
-    }
-    if (matchesAny(signature, settings.permissions.notAutomatic) || matchesAny(signature, settings.workflow.notAutomatic)) {
-        return { decision: 'ask', reason: `Marked not automatic: ${signature}`, risk: 'medium' };
-    }
-    if (matchesAny(signature, settings.permissions.allow)) {
-        return { decision: 'allow', reason: `Allowed by rule: ${signature}`, source: 'settings.allow' };
-    }
-    return decisionForMode(settings.permissions.mode, `Default ${settings.permissions.mode} policy`, 'mode', riskForAction(action));
-}
-export function protectedTargetReason(action, root) {
-    if (action.kind !== 'edit' && action.kind !== 'read')
-        return null;
-    const target = resolve(root, action.target);
-    const name = basename(target);
-    if (protectedBasenames.has(name) || name.startsWith('.env.')) {
-        return `Protected file: ${action.target}`;
-    }
-    if (protectedSuffixes.some((suffix) => name.endsWith(suffix))) {
-        return `Protected file suffix: ${action.target}`;
-    }
-    if (target.includes('/.ssh/') || target.includes('/.gnupg/') || target.includes('/.aws/')) {
-        return `Protected credential path: ${action.target}`;
-    }
-    return null;
-}
-function decisionForMode(mode, reason, source, risk) {
-    switch (mode) {
-        case 'plan':
-            return risk === 'low'
-                ? { decision: 'allow', reason, source }
-                : { decision: 'deny', reason: `${reason}; plan mode blocks mutating actions`, source: 'mode.plan' };
-        case 'ask':
-            return { decision: 'ask', reason, risk };
-        case 'acceptEdits':
-            return risk === 'medium'
-                ? { decision: 'allow', reason, source: 'mode.acceptEdits' }
-                : { decision: 'ask', reason, risk };
-        case 'auto':
-            return risk === 'high' ? { decision: 'ask', reason, risk } : { decision: 'allow', reason, source: 'mode.auto' };
-        case 'dontAsk':
-            return risk === 'high'
-                ? { decision: 'deny', reason: `${reason}; dontAsk denies high-risk actions`, source: 'mode.dontAsk' }
-                : { decision: 'allow', reason, source: 'mode.dontAsk' };
-        case 'bypassPermissions':
-            return { decision: 'allow', reason, source: 'mode.bypassPermissions' };
-    }
-}
-function riskForAction(action) {
-    if (action.kind === 'read')
-        return 'low';
-    if (action.kind === 'edit')
-        return 'medium';
-    if (action.kind === 'bash')
-        return 'high';
-    if (action.kind === 'workflow')
-        return 'medium';
-    return 'medium';
-}
-/**
- * Expand `${VAR}` and `$VAR` references in a rule string against
- * `process.env`. Unknown variables expand к the empty string so a
- * typo'd `${HMOE}` cannot accidentally match every signature via a
- * literal `${HMOE}` substring; the expanded `mcp:fs/` is innocuous.
- *
- * task #23 — operator wants `mcp:secrets/${USER}-*`
- * style rules so a single settings file fits multiple machines.
- *
- * The implementation deliberately avoids shell-style features like
- * `$()` or default-value `${VAR:-x}`; permission rules should be
- * easy to reason about at audit time.
- */
-export function expandEnvVars(rule, env = process.env) {
-    // Single combined regex. Sequential `${VAR}` then `$VAR` passes are
-    // unsafe — if `${X}` expands to a value containing `$Y`, the second
-    // pass would also expand that. An attacker controlling one env var
-    // could rewrite permission rules. Substitute each variable exactly
-    // once by matching both forms in a single sweep.
-    return rule.replace(/\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))/g, (_m, braced, bare) => {
-        const name = braced ?? bare ?? '';
-        return env[name] ?? '';
-    });
-}
-/**
- * Convert a glob-style rule to a RegExp anchored full-string.
- * Supports: `*` (greedy any), `?` (single char), all other regex
- * metacharacters escaped. The simpler tail-`*` form remains valid —
- * `mcp:fs/ *` works the same way as before, just via regex instead of
- * the old `startsWith` branch. Power users get `mcp:* / write*` style
- * cross-server denies.
- */
-const REGEX_META = new Set(['\\', '^', '$', '.', '|', '+', '(', ')', '[', ']', '{', '}']);
-function ruleToRegExp(rule) {
-    let out = '';
-    for (const ch of rule) {
-        if (ch === '*')
-            out += '.*';
-        else if (ch === '?')
-            out += '.';
-        else if (REGEX_META.has(ch))
-            out += '\\' + ch;
-        else
-            out += ch;
-    }
-    return new RegExp('^' + out + '$');
-}
-function matchesAny(value, rules) {
-    return rules.some((rule) => {
-        const expanded = expandEnvVars(rule);
-        if (expanded === value)
-            return true;
-        if (!expanded.includes('*') && !expanded.includes('?'))
-            return false;
-        return ruleToRegExp(expanded).test(value);
-    });
-}
-//# sourceMappingURL=permission.js.map

package/dist/core/permissions/auto-classifier.js

@@ -1,124 +0,0 @@
-/**
- * Auto-mode classifier — Phase 1 (regex allowlist + denylist).
- *
- * `permissionMode === 'auto'` is the the upstream tool parity mode where the
- * classifier decides safe-vs-unsafe per call. Phase 1 ships without
- * ML — just two curated regex lists covering the 80% of "obviously
- * safe" and "obviously catastrophic" patterns. Anything that doesn't
- * match either list returns `ask`, so the operator stays in the loop
- * для the ambiguous middle.
- *
- * Phase 2 (deferred, NOT in this PR): semantic classifier consulting
- * the model with a tight system prompt. The interface (`AutoVerdict`)
- * is stable so we can swap implementations without touching the gate.
- *
- * Design notes:
- *
- *  - Patterns are conservative: a read-only command is only
- *    allow-listed когда its argv shape is unambiguous (no `-exec`,
- *    no `--delete`, no `|` к shell). When в doubt, fall back to ask.
- *  - The denylist matches catastrophic patterns even в auto-mode so
- *    a misclick can't shred the workspace. The circuit-breaker
- *    (`circuit-breaker.ts`) covers the same surface для bypass-mode;
- *    this denylist is the auto-mode equivalent.
- *  - All matches operate on the FULL command string, not parsed
- *    argv. This is deliberately permissive on whitespace but strict
- *    on operator characters (`|`, `&`, `;`, `>`, backticks) — a
- *    pipe-into-shell или command-chain forces fallback к ask.
- */
-/**
- * Catastrophic patterns — the auto-mode regex denylist. Each entry
- * carries a human-readable reason surfaced в the deny payload so the
- * operator + audit log see why the gate refused. Order matters: most-
- * specific первой так "rm -rf /" reports as that, не the generic
- * "rm -rf".
- */
-const AUTO_DENY_PATTERNS = [
-    { pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\b/i, reason: 'rm -rf (recursive force-delete)' },
-    { pattern: /\bgit\s+push\s+(-{1,2}force\b|\-f\b)/i, reason: 'git push --force (history rewrite)' },
-    { pattern: /\bgit\s+reset\s+--hard\b/i, reason: 'git reset --hard (uncommitted-work loss)' },
-    { pattern: /\bdd\s+if=\/(dev|)/i, reason: 'dd if=/dev/* (raw device read/write)' },
-    { pattern: /\bmkfs(\.|\s|$)/i, reason: 'mkfs (filesystem format)' },
-    { pattern: /\bchmod\s+-R\s+777\b/i, reason: 'chmod -R 777 (world-writable recursive)' },
-    { pattern: /\bchown\s+-R\b/i, reason: 'chown -R (recursive ownership change)' },
-    { pattern: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;?\s*:/, reason: 'fork bomb signature' },
-    { pattern: /\bsudo\b/i, reason: 'sudo (privilege escalation)' },
-    { pattern: /\b(npm|pnpm|yarn)\s+publish\b/i, reason: 'package publish (irreversible npm release)' },
-    { pattern: /\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh)\b/i, reason: 'pipe-to-shell installer (curl … | sh)' },
-];
-/**
- * Safe-by-default patterns — auto-mode regex allowlist. Each regex
- * must match the FULL command (with `^…$` anchors) so a leading
- * `sudo ls` или a trailing `; rm -rf /` does NOT slip through. The
- * caller passes the trimmed command string; whitespace around argv
- * tokens is tolerated.
- */
-const AUTO_ALLOW_PATTERNS = [
-    { pattern: /^ls(\s+-[a-zA-Z]+)*(\s+[^|;&`>$()\\]+)?$/, reason: 'ls (directory listing)' },
-    { pattern: /^pwd\s*$/, reason: 'pwd (working directory)' },
-    { pattern: /^cat\s+[^|;&`>$()\\]+$/, reason: 'cat (file read)' },
-    { pattern: /^head(\s+-n?\s*\d+)?\s+[^|;&`>$()\\]+$/, reason: 'head (file preview)' },
-    { pattern: /^tail(\s+-n?\s*\d+)?\s+[^|;&`>$()\\]+$/, reason: 'tail (file preview)' },
-    { pattern: /^wc(\s+-[a-z]+)?\s+[^|;&`>$()\\]+$/, reason: 'wc (line/word count)' },
-    { pattern: /^du\s+-sh?\s+[^|;&`>$()\\]+$/, reason: 'du -sh (disk usage summary)' },
-    { pattern: /^df\s+-h\s*$/, reason: 'df -h (filesystem free space)' },
-    { pattern: /^git\s+status(\s+--short|\s+-s)?\s*$/, reason: 'git status' },
-    { pattern: /^git\s+diff(\s+[a-zA-Z0-9_./~^-]+)*\s*$/, reason: 'git diff (read-only)' },
-    { pattern: /^git\s+log(\s+[a-zA-Z0-9_./~^-]+)*\s*$/, reason: 'git log (read-only)' },
-    { pattern: /^git\s+branch(\s+-[a-z]+)?\s*$/, reason: 'git branch (read-only)' },
-    { pattern: /^git\s+remote\s+-v\s*$/, reason: 'git remote -v (read-only)' },
-    { pattern: /^pnpm\s+(typecheck|lint|test\s+--run|test\s+--watch=false)\s*$/, reason: 'pnpm read-only build check' },
-    { pattern: /^npm\s+(--version|-v|run\s+typecheck|run\s+lint)\s*$/, reason: 'npm read-only check' },
-    { pattern: /^node\s+--version\s*$/, reason: 'node --version' },
-    { pattern: /^pnpm\s+--version\s*$/, reason: 'pnpm --version' },
-    { pattern: /^which\s+[a-zA-Z0-9_-]+\s*$/, reason: 'which (command lookup)' },
-    { pattern: /^find\s+\.\s+-type\s+f(\s+-name\s+[^|;&`>$()\\]+)?\s*$/, reason: 'find -type f (read-only)' },
-    { pattern: /^(rg|ripgrep|grep)\s+(-[a-z]+\s+)*[^|;&`>$()\\]+(\s+[^|;&`>$()\\]+)?\s*$/, reason: 'grep/ripgrep (read-only search)' },
-];
-/**
- * Classify an auto-mode command. Order:
- *  1. Catastrophic deny patterns — surface the explicit deny reason.
- *  2. Safe allow patterns — surface the matched reason.
- *  3. Fallback к ask.
- *
- * The order matters: a destructive pattern that ALSO looks like a
- * read-only token (e.g. `git diff ; rm -rf .`) hits deny first because
- * the allow patterns require `^…$` anchors that the chained command
- * fails to satisfy. Belt + suspenders.
- */
-export function classifyAutoMode(command) {
-    const trimmed = command.trim();
-    if (trimmed.length === 0)
-        return { verdict: 'ask' };
-    for (const entry of AUTO_DENY_PATTERNS) {
-        if (entry.pattern.test(trimmed)) {
-            return {
-                verdict: 'deny',
-                reason: entry.reason,
-                pattern: entry.pattern.source,
-            };
-        }
-    }
-    for (const entry of AUTO_ALLOW_PATTERNS) {
-        if (entry.pattern.test(trimmed)) {
-            return {
-                verdict: 'allow',
-                reason: entry.reason,
-                pattern: entry.pattern.source,
-            };
-        }
-    }
-    return { verdict: 'ask' };
-}
-/**
- * Diagnostic accessors — exposed для doctor surfaces + spec coverage.
- * The arrays are frozen at module load so callers can iterate without
- * mutating the source-of-truth.
- */
-export function listAutoAllowPatterns() {
-    return AUTO_ALLOW_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
-}
-export function listAutoDenyPatterns() {
-    return AUTO_DENY_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
-}
-//# sourceMappingURL=auto-classifier.js.map