@sureshsankaran/opencode-destructive-check 1.0.0 → 1.0.1

Files changed (2)
  1. package/README.md +226 -18
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -9,19 +9,6 @@ An OpenCode plugin that automatically checks for destructive commands before any
9
9
  - Works automatically for all sessions and agents
10
10
  - Provides a status tool to check plugin statistics
11
11
 
12
- ## Detected Destructive Patterns
13
-
14
- | Category | Examples | Severity |
15
- | --------------- | ------------------------------------------------------------------- | -------- |
16
- | **rmDangerous** | `rm -rf /`, `rm -rf ~`, `rm .git` | Critical |
17
- | **sudo** | `sudo rm -rf /`, `sudo chmod`, `sudo chown` | Critical |
18
- | **system** | `chmod 777 /`, `dd of=/dev/`, `mkfs`, `fdisk` | Critical |
19
- | **git** | `git push --force`, `git reset --hard`, `git clean -f` | High |
20
- | **database** | `DROP TABLE`, `DELETE FROM` (without WHERE), `TRUNCATE` | High |
21
- | **container** | `kubectl delete namespace`, `docker rm -f`, `aws s3 rm --recursive` | High |
22
- | **packages** | `npm cache clean --force`, `pip uninstall -y` | Medium |
23
- | **network** | `iptables -F`, `ufw reset` | Medium |
24
-
25
12
  ## Installation
26
13
 
27
14
  Add the plugin to your `opencode.json` or `.opencode/opencode.jsonc` config:
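Review bot: Removing the `## Detected Destructive Patterns` table drops the only at-a-glance category/severity summary that sat above `## Installation`, and its `rmDangerous` row listed plain `rm .git`, which has no exact counterpart in the replacement list (that list only has `rm -rf .git`). Keep a short summary near the top, or move the new `## Severity Levels` table up and link it to the full list. Also state whether `rm .git` without `-rf` still prompts.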
@@ -40,6 +27,199 @@ Add the plugin to your `opencode.json` or `.opencode/opencode.jsonc` config:
40
27
 
41
28
  When a destructive command is detected, the user will be prompted to approve or deny the operation, giving full control over whether to proceed.
42
29
 
30
+ ---
31
+
32
+ ## Complete List of Restricted Commands
33
+
34
+ ### Critical Severity
35
+
36
+ #### File Deletion (rmDangerous)
37
+
38
+ | Pattern | Description |
39
+ | --------------------- | -------------------------------------------------- |
40
+ | `rm /` | Remove root directory |
41
+ | `rm ~` | Remove home directory |
42
+ | `rm /*` | Remove all files in root |
43
+ | `rm ~/*` | Remove all files in home |
44
+ | `rm -rf /` | Force recursive remove root |
45
+ | `rm -rf ~` | Force recursive remove home |
46
+ | `rm -rf $HOME` | Force recursive remove home via variable |
47
+ | `rm -rf /home` | Remove all user home directories |
48
+ | `rm -rf /etc` | Remove system configuration |
49
+ | `rm -rf /var` | Remove variable data (logs, databases) |
50
+ | `rm -rf /usr` | Remove user programs |
51
+ | `rm -rf /bin` | Remove essential binaries |
52
+ | `rm -rf /sbin` | Remove system binaries |
53
+ | `rm -rf /boot` | Remove boot files |
54
+ | `rm -rf /lib` | Remove shared libraries |
55
+ | `rm -rf /opt` | Remove optional packages |
56
+ | `rm -rf /root` | Remove root user home |
57
+ | `rm -rf /sys` | Remove kernel virtual filesystem |
58
+ | `rm -rf /proc` | Remove process information |
59
+ | `rm -rf /dev` | Remove device files |
60
+ | `rm -rf /mnt` | Remove mount points |
61
+ | `rm -rf /tmp` | Remove temporary files |
62
+ | `rm -rf .git` | Remove git repository |
63
+ | `rm -rf node_modules` | Remove node modules (dangerous in wrong directory) |
64
+
65
+ #### Sudo Commands (sudo)
66
+
67
+ | Pattern | Description |
68
+ | ------------------ | ------------------------------- |
69
+ | `sudo rm -rf /` | Elevated remove root |
70
+ | `sudo rm -rf /...` | Elevated remove any system path |
71
+ | `sudo chmod ...` | Elevated permission changes |
72
+ | `sudo chown ...` | Elevated ownership changes |
73
+ | `sudo dd ...` | Elevated disk operations |
74
+ | `sudo mkfs ...` | Elevated filesystem creation |
75
+
76
+ #### System Commands (system)
77
+
78
+ | Pattern | Description |
79
+ | -------------------- | ------------------------------------ |
80
+ | `chmod 777 /` | Make root world-writable |
81
+ | `chmod -R 777 /` | Recursively make root world-writable |
82
+ | `chown <user> /` | Change root ownership |
83
+ | `chown -R <user> /` | Recursively change root ownership |
84
+ | `dd ... of=/dev/...` | Write directly to device |
85
+ | `mkfs` | Format filesystem |
86
+ | `mkfs.ext4` | Format as ext4 |
87
+ | `mkfs.xfs` | Format as xfs |
88
+ | `format C:` | Windows format drive |
89
+ | `format D:` | Windows format drive |
90
+ | `fdisk` | Partition manipulation |
91
+ | `parted` | Partition manipulation |
92
+
93
+ ---
94
+
95
+ ### High Severity
96
+
97
+ #### Git Commands (git)
98
+
99
+ | Pattern | Description |
100
+ | ------------------------- | -------------------------------------------- |
101
+ | `git push --force` | Force push (overwrites remote history) |
102
+ | `git push -f` | Force push (short form) |
103
+ | `git push origin --force` | Force push to origin |
104
+ | `git reset --hard` | Discard all local changes |
105
+ | `git reset --hard HEAD~1` | Discard commits |
106
+ | `git clean -f` | Force remove untracked files |
107
+ | `git clean -fd` | Force remove untracked files and directories |
108
+ | `git checkout -- .` | Discard all working directory changes |
109
+ | `git stash drop` | Delete stashed changes |
110
+ | `git branch -D` | Force delete branch |
111
+ | `git reflog expire` | Expire reflog entries |
112
+ | `git gc --prune` | Garbage collect and prune |
113
+
114
+ #### Database Commands (database)
115
+
116
+ | Pattern | Description |
117
+ | ----------------------------- | --------------------------------- |
118
+ | `DROP TABLE <name>` | Delete database table |
119
+ | `DROP DATABASE <name>` | Delete entire database |
120
+ | `DROP SCHEMA <name>` | Delete database schema |
121
+ | `DROP INDEX <name>` | Delete database index |
122
+ | `TRUNCATE TABLE <name>` | Remove all rows from table |
123
+ | `DELETE FROM <table>;` | Delete all rows (no WHERE clause) |
124
+ | `DELETE FROM <table>` | Delete all rows (no WHERE clause) |
125
+ | `ALTER TABLE <name> DROP ...` | Drop column or constraint |
126
+
127
+ #### Container/Cloud Commands (container)
128
+
129
+ | Pattern | Description |
130
+ | ----------------------------------- | ----------------------------------- |
131
+ | `kubectl delete namespace` | Delete Kubernetes namespace |
132
+ | `kubectl delete ns` | Delete Kubernetes namespace (short) |
133
+ | `kubectl delete pod` | Delete Kubernetes pod |
134
+ | `kubectl delete deployment` | Delete Kubernetes deployment |
135
+ | `kubectl delete service` | Delete Kubernetes service |
136
+ | `docker rm -f` | Force remove container |
137
+ | `docker rm --force` | Force remove container |
138
+ | `docker system prune -a` | Remove all unused Docker data |
139
+ | `docker system prune --all` | Remove all unused Docker data |
140
+ | `docker volume rm` | Remove Docker volume |
141
+ | `aws s3 rm --recursive` | Recursively delete S3 objects |
142
+ | `aws s3 rm s3://bucket --recursive` | Delete entire S3 bucket contents |
143
+ | `aws ec2 terminate-instances` | Terminate EC2 instances |
144
+ | `gcloud ... delete` | Google Cloud delete operations |
145
+ | `gcloud compute instances delete` | Delete GCP instances |
146
+ | `gcloud container clusters delete` | Delete GKE clusters |
147
+
148
+ ---
149
+
150
+ ### Medium Severity
151
+
152
+ #### Package Manager Commands (packages)
153
+
154
+ | Pattern | Description |
155
+ | ------------------------- | -------------------------------- |
156
+ | `npm cache clean --force` | Force clean npm cache |
157
+ | `yarn cache clean` | Clean yarn cache |
158
+ | `pip uninstall -y` | Auto-confirm pip uninstall |
159
+ | `pip uninstall --yes` | Auto-confirm pip uninstall |
160
+ | `brew uninstall --force` | Force uninstall Homebrew package |
161
+
162
+ #### Network Commands (network)
163
+
164
+ | Pattern | Description |
165
+ | -------------------- | -------------------------- |
166
+ | `iptables -F` | Flush all iptables rules |
167
+ | `iptables --flush` | Flush all iptables rules |
168
+ | `iptables -t nat -F` | Flush NAT table |
169
+ | `ufw reset` | Reset firewall to defaults |
170
+
171
+ ---
172
+
173
+ ## Protected File Paths
174
+
175
+ The plugin also asks for permission when file operations target these dangerous paths:
176
+
177
+ ### System Directories
178
+
179
+ | Path | Description |
180
+ | ------- | --------------------- |
181
+ | `/` | Root directory |
182
+ | `/*` | All files in root |
183
+ | `/home` | User home directories |
184
+ | `/etc` | System configuration |
185
+ | `/var` | Variable data |
186
+ | `/usr` | User programs |
187
+ | `/bin` | Essential binaries |
188
+ | `/sbin` | System binaries |
189
+ | `/boot` | Boot files |
190
+ | `/lib` | Shared libraries |
191
+ | `/opt` | Optional packages |
192
+ | `/root` | Root user home |
193
+ | `/sys` | Kernel filesystem |
194
+ | `/proc` | Process information |
195
+ | `/dev` | Device files |
196
+
197
+ ### User Directories
198
+
199
+ | Path | Description |
200
+ | ------- | ----------------------- |
201
+ | `~` | Current user home |
202
+ | `~/` | Current user home |
203
+ | `$HOME` | Home directory variable |
204
+
205
+ ### Project/Config Files
206
+
207
+ | Path | Description |
208
+ | ------------------- | ------------------------------------------- |
209
+ | `.git` | Git repository |
210
+ | `.env` | Environment variables (may contain secrets) |
211
+ | `.ssh` | SSH keys and config |
212
+ | `package.json` | Node.js project config |
213
+ | `package-lock.json` | Node.js dependency lock |
214
+ | `yarn.lock` | Yarn dependency lock |
215
+ | `bun.lockb` | Bun dependency lock |
216
+ | `Cargo.toml` | Rust project config |
217
+ | `go.mod` | Go module config |
218
+ | `pyproject.toml` | Python project config |
219
+ | `requirements.txt` | Python dependencies |
220
+
221
+ ---
222
+
43
223
  ## Available Tools
44
224
 
45
225
  ### `destructive-check-status`
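Review bot: The tables under `## Complete List of Restricted Commands` list literal command strings but never say how a command is matched, so a reader cannot tell whether equivalent spellings such as `rm -fr /`, `rm -r -f /` or `git push --force-with-lease` trigger a prompt. Add a sentence on matching semantics (regex or substring, case sensitivity for the SQL rows, handling of chained commands), and reword the heading unless the list really is exhaustive. Two consistency points in the same hunk: `/mnt` and `/tmp` appear in the `rmDangerous` table but not under `### System Directories` in Protected File Paths, and the two `DELETE FROM <table>` rows differ only by the trailing `;` while carrying the same description, so either merge them or say what distinguishes them.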
@@ -51,13 +231,41 @@ Returns the current status of the plugin including:
51
231
  - Last matched destructive pattern
52
232
  - Pattern categories and counts
53
233
 
54
- ## Dangerous Paths
234
+ Example output:
235
+
236
+ ```json
237
+ {
238
+ "enabled": true,
239
+ "session": {
240
+ "id": "session-123",
241
+ "checked": 45,
242
+ "permissionsRequested": 2
243
+ },
244
+ "global": {
245
+ "checked": 120,
246
+ "permissionsRequested": 5
247
+ },
248
+ "patterns": {
249
+ "categories": ["rmDangerous", "git", "database", "system", "sudo", "container", "packages", "network"],
250
+ "total": 52
251
+ },
252
+ "dangerousPaths": 28
253
+ }
254
+ ```
255
+
256
+ ---
257
+
258
+ ## Severity Levels
259
+
260
+ | Severity | Action | Categories |
261
+ | ------------ | ------------------- | ------------------------------- |
262
+ | **Critical** | Permission required | `rmDangerous`, `sudo`, `system` |
263
+ | **High** | Permission required | `git`, `database`, `container` |
264
+ | **Medium** | Permission required | `packages`, `network` |
55
265
 
56
- The plugin also protects against file operations on dangerous paths:
266
+ All severity levels require user permission before execution.
57
267
 
58
- - System directories: `/`, `/home`, `/etc`, `/var`, `/usr`, `/bin`, etc.
59
- - User directories: `~`, `$HOME`
60
- - Project files: `.git`, `.env`, `.ssh`, `package.json`, `Cargo.toml`, etc.
268
+ ---
61
269
 
62
270
  ## License
63
271
 
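Review bot: The example output's `"total": 52` and `"dangerousPaths": 28` do not line up with what this README now documents: the command tables added earlier in this diff have 87 rows and the Protected File Paths tables have 29 entries. Say what the counters count, or mark the values as illustrative. In the `## Severity Levels` table every row has the same Action, `Permission required`, so the README gives severity no observable effect. State what differs between Critical, High and Medium, or drop the Action column.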
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sureshsankaran/opencode-destructive-check",
3
- "version": "1.0.0",
3
+ "version": "1.0.1",
4
4
  "description": "OpenCode plugin that checks for destructive commands before any tool/bash call and asks for permission",
5
5
  "main": "src/index.ts",
6
6
  "types": "src/index.ts",