@safetnsr/vet 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,2 @@
1
+ import type { CheckResult } from '../types.js';
2
+ export declare function checkPermissions(cwd: string): CheckResult;
@@ -0,0 +1,248 @@
1
+ import { join, resolve, isAbsolute } from 'node:path';
2
+ import { homedir } from 'node:os';
3
+ import { readFile, fileExists } from '../util.js';
4
+ // ── Sensitive directories that trigger DANGER if MCP server writes there ──
5
+ const SENSITIVE_DIRS = [
6
+ '~/.ssh',
7
+ '~/.aws',
8
+ '/etc',
9
+ '/var/www',
10
+ ];
11
+ function expandHome(p) {
12
+ if (p.startsWith('~/'))
13
+ return join(homedir(), p.slice(2));
14
+ if (p === '~')
15
+ return homedir();
16
+ return p;
17
+ }
18
+ function isSensitiveDir(p) {
19
+ const expanded = expandHome(p);
20
+ return SENSITIVE_DIRS.some(d => {
21
+ const expandedSensitive = expandHome(d);
22
+ return expanded === expandedSensitive || expanded.startsWith(expandedSensitive + '/');
23
+ });
24
+ }
25
+ function isOutsideCwd(p, cwd) {
26
+ const expanded = expandHome(p);
27
+ const abs = isAbsolute(expanded) ? expanded : resolve(cwd, expanded);
28
+ const resolvedCwd = resolve(cwd);
29
+ return !abs.startsWith(resolvedCwd + '/') && abs !== resolvedCwd;
30
+ }
31
+ /** Score helper */
32
+ function applyPenalty(score, severity) {
33
+ const penalties = { error: 30, warning: 15, info: 5 };
34
+ return Math.max(0, score - penalties[severity]);
35
+ }
36
+ // ── A. Scan .claude/settings.json ─────────────────────────────────────────
37
+ function checkSettingsJson(cwd, issues) {
38
+ const settingsPath = join(cwd, '.claude', 'settings.json');
39
+ if (!fileExists(settingsPath))
40
+ return;
41
+ const raw = readFile(settingsPath);
42
+ if (!raw)
43
+ return;
44
+ let settings;
45
+ try {
46
+ settings = JSON.parse(raw);
47
+ }
48
+ catch {
49
+ issues.push({
50
+ severity: 'warning',
51
+ message: '.claude/settings.json is not valid JSON — cannot audit permissions',
52
+ file: '.claude/settings.json',
53
+ fixable: false,
54
+ });
55
+ return;
56
+ }
57
+ // allowedTools containing bare "Bash" or "Bash(*)"
58
+ const allowedTools = settings.allowedTools;
59
+ if (Array.isArray(allowedTools)) {
60
+ for (const tool of allowedTools) {
61
+ if (typeof tool === 'string') {
62
+ if (tool === 'Bash' || tool === 'Bash(*)') {
63
+ issues.push({
64
+ severity: 'error',
65
+ message: `allowedTools contains "${tool}" without path restrictions — unrestricted shell access`,
66
+ file: '.claude/settings.json',
67
+ fixable: true,
68
+ fixHint: `Replace "${tool}" with specific allowed commands, e.g. "Bash(npm run *)"`,
69
+ });
70
+ }
71
+ }
72
+ }
73
+ }
74
+ // permissions.allow with wildcards
75
+ const permissions = settings.permissions;
76
+ if (permissions && Array.isArray(permissions.allow)) {
77
+ for (const rule of permissions.allow) {
78
+ if (typeof rule === 'string' && (rule === 'Bash(*)' || rule === '**' || rule.includes('**'))) {
79
+ issues.push({
80
+ severity: 'error',
81
+ message: `permissions.allow contains wildcard "${rule}" — grants broad access`,
82
+ file: '.claude/settings.json',
83
+ fixable: true,
84
+ fixHint: 'Remove wildcard rules and enumerate specific allowed operations',
85
+ });
86
+ }
87
+ }
88
+ }
89
+ // defaultMode: "bypassPermissions"
90
+ if (settings.defaultMode === 'bypassPermissions') {
91
+ issues.push({
92
+ severity: 'error',
93
+ message: 'defaultMode is "bypassPermissions" — skips all permission checks',
94
+ file: '.claude/settings.json',
95
+ fixable: true,
96
+ fixHint: 'Remove defaultMode or set to "default"',
97
+ });
98
+ }
99
+ // No blockedTools or deny list
100
+ const hasBlockedTools = Array.isArray(settings.blockedTools) && settings.blockedTools.length > 0;
101
+ const hasDenyList = permissions && Array.isArray(permissions.deny) && permissions.deny.length > 0;
102
+ if (!hasBlockedTools && !hasDenyList) {
103
+ issues.push({
104
+ severity: 'warning',
105
+ message: 'No blockedTools or deny list defined — all unlisted tools remain available',
106
+ file: '.claude/settings.json',
107
+ fixable: true,
108
+ fixHint: 'Add blockedTools: ["Bash", "Write"] to restrict dangerous operations',
109
+ });
110
+ }
111
+ // ── B. MCP server configs ────────────────────────────────────────────────
112
+ checkMcpServers(cwd, settings, '.claude/settings.json', issues);
113
+ }
114
+ // ── B. MCP server analysis ─────────────────────────────────────────────────
115
+ function checkMcpServers(cwd, settings, filePath, issues) {
116
+ const mcpServers = settings.mcpServers;
117
+ if (!mcpServers || typeof mcpServers !== 'object')
118
+ return;
119
+ for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
120
+ if (typeof serverConfig !== 'object' || serverConfig === null)
121
+ continue;
122
+ const config = serverConfig;
123
+ // Check server args for filesystem paths
124
+ const args = config.args;
125
+ const isFilesystemServer = (typeof config.command === 'string' && config.command.includes('filesystem')) ||
126
+ (Array.isArray(args) && args.some((a) => typeof a === 'string' && a.includes('filesystem')));
127
+ // Detect if server is read-only
128
+ const isReadOnly = Array.isArray(args) && args.some((a) => typeof a === 'string' && (a === '--read-only' || a === 'readonly' || a === '--readonly'));
129
+ // Collect root paths from args
130
+ const rootPaths = [];
131
+ if (Array.isArray(args)) {
132
+ for (const arg of args) {
133
+ if (typeof arg === 'string' && !arg.startsWith('-') && (arg.startsWith('/') || arg.startsWith('~/') || arg.startsWith('.'))) {
134
+ rootPaths.push(arg);
135
+ }
136
+ }
137
+ }
138
+ // Also check explicit root config
139
+ if (typeof config.root === 'string') {
140
+ rootPaths.push(config.root);
141
+ }
142
+ if (Array.isArray(config.roots)) {
143
+ for (const r of config.roots) {
144
+ if (typeof r === 'string')
145
+ rootPaths.push(r);
146
+ }
147
+ }
148
+ if (rootPaths.length === 0) {
149
+ // No path restrictions at all
150
+ issues.push({
151
+ severity: 'warning',
152
+ message: `MCP server "${serverName}" has no explicit path restrictions`,
153
+ file: filePath,
154
+ fixable: true,
155
+ fixHint: `Add root path restriction to "${serverName}" in mcpServers config`,
156
+ });
157
+ continue;
158
+ }
159
+ for (const rootPath of rootPaths) {
160
+ // Check sensitive directory access
161
+ if (isSensitiveDir(rootPath)) {
162
+ issues.push({
163
+ severity: 'error',
164
+ message: `MCP server "${serverName}" has access to sensitive directory: ${rootPath}`,
165
+ file: filePath,
166
+ fixable: true,
167
+ fixHint: `Remove sensitive path "${rootPath}" from MCP server config`,
168
+ });
169
+ continue;
170
+ }
171
+ // Check if root is outside cwd and not read-only
172
+ if (isOutsideCwd(rootPath, cwd) && !isReadOnly) {
173
+ issues.push({
174
+ severity: 'error',
175
+ message: `MCP server "${serverName}" has write access outside project dir: ${rootPath}`,
176
+ file: filePath,
177
+ fixable: true,
178
+ fixHint: `Restrict to project directory or add --read-only flag`,
179
+ });
180
+ }
181
+ }
182
+ }
183
+ }
184
+ // ── C. CLAUDE.md and AGENTS.md text heuristics ────────────────────────────
185
+ const DANGEROUS_PHRASES = [
186
+ /full\s+access/i,
187
+ /unrestricted/i,
188
+ /\bsudo\b/i,
189
+ /skip\s+confirmation/i,
190
+ /no\s+restrictions/i,
191
+ ];
192
+ function checkMarkdownFiles(cwd, issues) {
193
+ for (const filename of ['CLAUDE.md', 'AGENTS.md']) {
194
+ const filePath = join(cwd, filename);
195
+ if (!fileExists(filePath))
196
+ continue;
197
+ const content = readFile(filePath);
198
+ if (!content)
199
+ continue;
200
+ const lines = content.split('\n');
201
+ for (const pattern of DANGEROUS_PHRASES) {
202
+ for (let i = 0; i < lines.length; i++) {
203
+ if (pattern.test(lines[i])) {
204
+ const matchText = lines[i].match(pattern)?.[0] ?? pattern.source;
205
+ issues.push({
206
+ severity: 'warning',
207
+ message: `${filename} contains potentially dangerous instruction: "${matchText.trim()}"`,
208
+ file: filename,
209
+ line: i + 1,
210
+ fixable: false,
211
+ fixHint: `Review line ${i + 1} in ${filename} — ensure it doesn't grant unintended permissions`,
212
+ });
213
+ break; // one issue per pattern per file
214
+ }
215
+ }
216
+ }
217
+ }
218
+ }
219
+ // ── Main export ────────────────────────────────────────────────────────────
220
+ export function checkPermissions(cwd) {
221
+ const issues = [];
222
+ checkSettingsJson(cwd, issues);
223
+ checkMarkdownFiles(cwd, issues);
224
+ // Score: start at 100, deduct per issue
225
+ let score = 100;
226
+ for (const issue of issues) {
227
+ score = applyPenalty(score, issue.severity);
228
+ }
229
+ const errorCount = issues.filter(i => i.severity === 'error').length;
230
+ const warnCount = issues.filter(i => i.severity === 'warning').length;
231
+ let summary;
232
+ if (issues.length === 0) {
233
+ summary = 'no dangerous permission grants detected';
234
+ }
235
+ else if (errorCount > 0) {
236
+ summary = `${errorCount} dangerous grant${errorCount !== 1 ? 's' : ''} detected — review before running agent`;
237
+ }
238
+ else {
239
+ summary = `${warnCount} permission warning${warnCount !== 1 ? 's' : ''} — tighten config before agent session`;
240
+ }
241
+ return {
242
+ name: 'permissions',
243
+ score,
244
+ maxScore: 100,
245
+ issues,
246
+ summary,
247
+ };
248
+ }
package/dist/cli.js CHANGED
@@ -18,6 +18,7 @@ import { checkMemory } from './checks/memory.js';
18
18
  import { checkVerify } from './checks/verify.js';
19
19
  import { checkTests } from './checks/tests.js';
20
20
  import { checkMap, renderMapReport } from './checks/map.js';
21
+ import { checkPermissions } from './checks/permissions.js';
21
22
  import { score } from './scorer.js';
22
23
  import { reportPretty, reportJSON, reportBadge } from './reporter.js';
23
24
  const args = process.argv.slice(2);
@@ -49,6 +50,7 @@ if (flags.has('--help') || flags.has('-h')) {
49
50
  npx @safetnsr/vet init generate configs + hooks
50
51
  npx @safetnsr/vet receipt show last agent session receipt
51
52
  npx @safetnsr/vet map [dir] show agent visibility map
53
+ npx @safetnsr/vet permissions [dir] audit Claude Code config for dangerous grants
52
54
 
53
55
  ${c.dim}categories:${c.reset}
54
56
  security (30%) scan, secrets, config, model usage
@@ -83,7 +85,7 @@ if (flags.has('--version') || flags.has('-v')) {
83
85
  }
84
86
  process.exit(0);
85
87
  }
86
- const COMMANDS = ['init', 'receipt', 'map'];
88
+ const COMMANDS = ['init', 'receipt', 'map', 'permissions'];
87
89
  const command = COMMANDS.includes(positional[0]) ? positional[0] : undefined;
88
90
  const cwd = resolve(positional.find(p => !COMMANDS.includes(p)) || '.');
89
91
  const isCI = flags.has('--ci');
@@ -123,6 +125,30 @@ if (command === 'map') {
123
125
  }
124
126
  process.exit(0);
125
127
  }
128
+ if (command === 'permissions') {
129
+ const result = checkPermissions(cwd);
130
+ if (isJSON) {
131
+ console.log(JSON.stringify(result, null, 2));
132
+ }
133
+ else {
134
+ console.log(`\n ${c.bold}vet permissions${c.reset} — ${result.summary}\n`);
135
+ console.log(` score: ${result.score}/100\n`);
136
+ if (result.issues.length === 0) {
137
+ console.log(` ${c.green}no issues found${c.reset}\n`);
138
+ }
139
+ else {
140
+ for (const issue of result.issues) {
141
+ const icon = issue.severity === 'error' ? c.red + '✗' : issue.severity === 'warning' ? c.yellow + '⚠' : c.dim + 'i';
142
+ const loc = issue.file ? ` ${c.dim}(${issue.file}${issue.line ? `:${issue.line}` : ''})${c.reset}` : '';
143
+ console.log(` ${icon}${c.reset} ${issue.message}${loc}`);
144
+ if (issue.fixHint)
145
+ console.log(` ${c.dim}→ ${issue.fixHint}${c.reset}`);
146
+ }
147
+ console.log('');
148
+ }
149
+ }
150
+ process.exit(result.score < 60 ? 1 : 0);
151
+ }
126
152
  if (!isGitRepo(cwd)) {
127
153
  console.error(`${c.red}not a git repository${c.reset}. vet operates on git repos.`);
128
154
  process.exit(1);
@@ -145,7 +171,7 @@ if (isFix) {
145
171
  }
146
172
  async function runChecks() {
147
173
  // Run all checks, grouped into categories
148
- // Security: scan, secrets, config, models, owasp
174
+ // Security: scan, secrets, config, models, owasp, permissions
149
175
  const [scanResult, secretsResult, configResult, modelsResult, owaspResult] = await Promise.all([
150
176
  Promise.resolve(checkScan(cwd)),
151
177
  checkSecrets(cwd),
@@ -153,6 +179,7 @@ async function runChecks() {
153
179
  checkModels(cwd, ignore),
154
180
  Promise.resolve(checkOwasp(cwd)),
155
181
  ]);
182
+ const permissionsResult = checkPermissions(cwd);
156
183
  // Integrity: diff, integrity checks
157
184
  const diffResult = checkDiff(cwd, { since });
158
185
  const integrityResult = await checkIntegrity(cwd, ignore);
@@ -173,7 +200,7 @@ async function runChecks() {
173
200
  // Tests: test theater detection
174
201
  const testsResult = checkTests(cwd, ignore);
175
202
  return score(cwd, {
176
- security: [scanResult, secretsResult, configResult, modelsResult, owaspResult],
203
+ security: [scanResult, secretsResult, configResult, modelsResult, owaspResult, permissionsResult],
177
204
  integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult, testsResult],
178
205
  debt: [readyResult, historyResult, debtResult],
179
206
  deps: [depsResult],
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@safetnsr/vet",
3
- "version": "1.3.0",
3
+ "version": "1.4.0",
4
4
  "description": "vet your AI-generated code — one command, one score card, one letter grade",
5
5
  "type": "module",
6
6
  "bin": {