@seanmozeik/tripwire 0.1.0
- package/README.md +186 -0
- package/dist/tripwire-cli.js +6 -0
- package/dist/tripwire-cli.js.jsc +0 -0
- package/dist/tripwire.js +90 -0
- package/dist/tripwire.js.jsc +0 -0
- package/package.json +49 -0
- package/src/cli.ts +148 -0
- package/src/dispatch.ts +340 -0
- package/src/index.ts +4 -0
- package/src/lib/bash.ts +428 -0
- package/src/lib/config.ts +106 -0
- package/src/lib/decision.ts +49 -0
- package/src/lib/diff.ts +26 -0
- package/src/lib/event.ts +106 -0
- package/src/lib/log.ts +23 -0
- package/src/lib/rtk.ts +96 -0
- package/src/lib/secrets.ts +120 -0
- package/src/rules/bash-deny.ts +346 -0
- package/src/rules/bash-git.ts +592 -0
- package/src/rules/bash-network-install.ts +72 -0
- package/src/rules/bash-redirect.ts +91 -0
- package/src/rules/bash-scoped-rm.ts +84 -0
- package/src/rules/bash-tar-explosion.ts +76 -0
- package/src/rules/bash-tool-policy.ts +134 -0
- package/src/rules/config-custom.ts +51 -0
- package/src/rules/lazy-code.ts +95 -0
- package/src/rules/path-protect.ts +59 -0
- package/src/rules/post-secret-scrub.ts +38 -0
- package/src/rules/read-protect.ts +62 -0
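--- /dev/null
+++ b/package/src/rules/read-protect.ts
@@ -0,0 +1,62 @@
+import { resolve } from 'node:path';
+
+import { type Decision, allow, deny } from '../lib/decision';
+import type { ReadInput } from '../lib/event';
+
+interface Spec {
+  readonly rule: string;
+  readonly pattern: RegExp;
+  readonly message: string;
+}
+
+const PROTECTIONS: readonly Spec[] = [
+  {
+    rule: 'read-env',
+    pattern: /(^|\/)\.env(\.[^/]+)?$/,
+    message:
+      '.env files hold secrets that should never enter the model context. Refuse to read. If the goal is documenting required env vars, look at .env.example or describe the schema from memory.',
+  },
+  {
+    rule: 'read-dev-vars',
+    pattern: /(^|\/)\.dev\.vars(\.[^/]+)?$/,
+    message: 'Refuse to read .dev.vars (Cloudflare/Wrangler secrets).',
+  },
+  { rule: 'read-ssh', pattern: /(^|\/)\.ssh\//, message: 'Refuse to read files inside ~/.ssh/.' },
+  {
+    rule: 'read-ssh-key',
+    pattern: /(^|\/)(id_rsa|id_ed25519|id_ecdsa|id_dsa)$/,
+    message: 'Refuse to read SSH private key files.',
+  },
+  {
+    rule: 'read-private-key',
+    pattern: /\.(pem|key|p12|pfx)$/i,
+    message: 'Refuse to read private-key-shaped files.',
+  },
+  {
+    rule: 'read-aws-credentials',
+    pattern: /(^|\/)\.aws\/credentials$/,
+    message: 'Refuse to read ~/.aws/credentials.',
+  },
+  {
+    rule: 'read-netrc',
+    pattern: /(^|\/)\.netrc$/,
+    message: 'Refuse to read ~/.netrc (host credentials).',
+  },
+  {
+    rule: 'read-secrets-file',
+    pattern: /(^|\/)secrets?\.(json|ya?ml|toml|env)$/i,
+    message: 'Refuse to read a file named secrets.{json,yaml,toml,env}.',
+  },
+];
+
+const readProtect = (input: ReadInput): Decision => {
+  const path = resolve(input.file_path);
+  for (const p of PROTECTIONS) {
+    if (p.pattern.test(path)) {
+      return deny(p.rule, p.message);
+    }
+  }
+  return allow('read-protect');
+};
+
+export { readProtect };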
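Review bot: `readProtect` tests only the lexical path from `resolve(input.file_path)`, so a symlink inside the workspace that points at `~/.ssh/id_rsa` or `~/.aws/credentials` keeps its own name and passes every pattern; resolving the real path before matching closes that gap, e.g. `import { realpathSync } from 'node:fs';` at the top and `let path = resolve(input.file_path); try { path = realpathSync(path); } catch { /* not on disk yet: keep the lexical path */ }` in place of line 53. Only `read-private-key` and `read-secrets-file` carry the `i` flag; `read-env`, `read-dev-vars`, `read-ssh` and the rest are case-sensitive, so on a case-insensitive filesystem `.ENV` or `.SSH/` names the same file and is allowed — consider `i` on every pattern. The patterns also hard-code `/` as the separator, which presumably leaves the directory-anchored rules inert on Windows, where `resolve` returns backslashes. A short comment on `PROTECTIONS`, `// First matching spec wins; patterns run against the absolute, normalised path.`, would make the ordering contract explicit.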