@trac3r/oh-my-god 2.2.11

package/hooks/secret-guard.py

@@ -0,0 +1,120 @@
+#!/usr/bin/env python3
+"""PreToolUse Hook (Read/Write/Edit/MultiEdit): Secret File Guard (Enterprise)
+
+Delegates file policy decisions to policy_engine.py.
+"""
+import json
+import os
+import sys
+from pathlib import Path
+
+HOOKS_DIR = str(Path(__file__).resolve().parent)
+PROJECT_ROOT = str(Path(HOOKS_DIR).parent)
+PORTABLE_RUNTIME_ROOT = str(Path(PROJECT_ROOT) / "omg-runtime")
+for path in (HOOKS_DIR, PROJECT_ROOT, PORTABLE_RUNTIME_ROOT):
+    if path not in sys.path:
+        sys.path.insert(0, path)
+
+from _common import bootstrap_runtime_paths, setup_crash_handler, json_input, deny_decision, is_bypass_mode, get_project_dir
+
+bootstrap_runtime_paths(__file__)
+
+# Fail-closed: deny on crash (security hook)
+setup_crash_handler("secret-guard", fail_closed=True)
+
+try:
+    from policy_engine import evaluate_file_access, load_allowlist, to_pretool_hook_output
+    from secret_audit import log_secret_access
+    from runtime.mutation_gate import check_mutation_allowed
+except Exception as _import_err:
+    print(f"OMG secret-guard: policy_engine import failed: {_import_err}", file=sys.stderr)
+    deny_decision(f"OMG secret-guard crash: policy_engine import failed: {_import_err}. Denying for safety.")
+    sys.exit(0)
+
+data = json_input()
+
+tool = data.get("tool_name", "")
+if tool not in ("Read", "Write", "Edit", "MultiEdit"):
+    sys.exit(0)
+
+file_path = data.get("tool_input", {}).get("file_path", "")
+if not file_path:
+    sys.exit(0)
+
+if tool in ("Write", "Edit", "MultiEdit"):
+    tool_input = data.get("tool_input", {})
+    metadata = tool_input.get("metadata") if isinstance(tool_input, dict) else None
+    lock_id = tool_input.get("lock_id") if isinstance(tool_input, dict) else None
+    if not isinstance(lock_id, str) and isinstance(metadata, dict):
+        lock_id = metadata.get("lock_id")
+    exemption = tool_input.get("exemption") if isinstance(tool_input, dict) else None
+
+    gate_result = check_mutation_allowed(
+        tool=tool,
+        file_path=file_path,
+        project_dir=get_project_dir(),
+        lock_id=lock_id if isinstance(lock_id, str) else None,
+        exemption=exemption if isinstance(exemption, str) else None,
+    )
+    if gate_result.get("status") == "blocked":
+        deny_reason = str(gate_result.get("reason", "mutation denied by test intent lock gate"))
+        try:
+            from runtime.evidence_narrator import format_block_explanation
+            _sg_explanation = format_block_explanation(deny_reason, {"tool": tool})
+            deny_reason = f"{deny_reason}: {_sg_explanation}"
+        except Exception:
+            pass  # Crash isolation: always falls back
+        try:
+            import json as _sg_json
+            from datetime import datetime as _sg_dt, timezone as _sg_tz
+            _sg_artifact_dir = os.path.join(get_project_dir(), ".omg", "state")
+            os.makedirs(_sg_artifact_dir, exist_ok=True)
+            with open(os.path.join(_sg_artifact_dir, "last-block-explanation.json"), "w", encoding="utf-8") as _sg_f:
+                _sg_json.dump({
+                    "reason_code": str(gate_result.get("reason", "mutation denied by test intent lock gate")),
+                    "explanation": deny_reason,
+                    "tool": tool,
+                    "timestamp": _sg_dt.now(_sg_tz.utc).isoformat(),
+                }, _sg_f, indent=2)
+        except Exception:
+            pass  # Best-effort only
+        try:
+            log_secret_access(
+                project_dir=get_project_dir(),
+                tool=tool,
+                file_path=file_path,
+                decision="deny",
+                reason=deny_reason,
+                allowlisted=False,
+            )
+        except Exception:
+            pass
+        deny_decision(deny_reason)
+        sys.exit(0)
+
+allowlist = load_allowlist(get_project_dir())
+decision = evaluate_file_access(tool, file_path, allowlist=allowlist)
+
+# Audit log: record every secret access decision
+try:
+    log_secret_access(
+        project_dir=get_project_dir(),
+        tool=tool,
+        file_path=file_path,
+        decision=decision.action,
+        reason=decision.reason,
+        allowlisted=False,
+    )
+except Exception:
+    pass  # Crash isolation: audit logging must never break the hook
+
+# In bypass-permission mode, only enforce hard denials (critical safety).
+# Skip "ask" decisions so the user is not prompted for confirmation.
+if is_bypass_mode(data) and decision.action != "deny":
+    sys.exit(0)
+
+out = to_pretool_hook_output(decision)
+if out:
+    json.dump(out, sys.stdout)
+
+sys.exit(0)

package/hooks/secret_audit.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+"""Secret access audit logging for OMG v1 (T21).
+
+Logs every secret access attempt (allow/deny/ask) to
+.omg/state/ledger/secret-access.jsonl with:
+- fcntl file locking (same pattern as tool-ledger.py)
+- 5MB rotation with single .1 archive
+- Secret path masking (redact paths matching secret patterns)
+
+Pure stdlib — no external dependencies.
+"""
+from __future__ import annotations
+
+import json
+import os
+import re
+import shutil
+from datetime import datetime, timezone
+
+# --- Constants ---
+
+SECRET_ACCESS_LOG = "secret-access.jsonl"
+SECRET_ACCESS_MAX_BYTES = 5 * 1024 * 1024  # 5MB
+
+# Patterns that indicate a path should be redacted in audit logs.
+# Aligned with policy_engine.py SECRET_FILE_PATTERNS / BLOCKED_PATH_PATTERNS.
+_REDACT_PATH_PATTERNS = [
+    r"\.(env|pem|key|p12|pfx|jks|keystore|netrc|npmrc|pypirc)(\.\w+)?$",
+    r"(^|/)\.aws/",
+    r"(^|/)\.ssh/",
+    r"(^|/)\.kube/",
+    r"(^|/)\.gnupg/",
+    r"(^|/)secrets?/",
+    r"(^|/)credentials?\.",
+    r"(^|/)passwords?\.",
+    r"(^|/)tokens?\.",
+]
+
+# Safe env reference files that should NOT be redacted
+_SAFE_ENV_PATTERN = re.compile(r"\.env\.(example|sample|template)$", re.IGNORECASE)
+
+
+def mask_secret_path(file_path: str) -> str:
+    """Redact file paths that match secret patterns.
+
+    Returns '[REDACTED]' for paths matching known secret file patterns.
+    Safe references (.env.example, .env.sample, .env.template) are NOT redacted.
+    """
+    if not file_path:
+        return file_path
+
+    # Safe env references pass through unmasked
+    basename = os.path.basename(file_path)
+    if _SAFE_ENV_PATTERN.search(basename):
+        return file_path
+
+    for pat in _REDACT_PATH_PATTERNS:
+        if re.search(pat, file_path, re.IGNORECASE):
+            return "[REDACTED]"
+
+    return file_path
+
+
+def _rotate_log(log_path: str) -> None:
+    """Rotate log file if it exceeds 5MB. Same pattern as tool-ledger.py."""
+    try:
+        if not os.path.exists(log_path):
+            return
+        size = os.path.getsize(log_path)
+        if size <= SECRET_ACCESS_MAX_BYTES:
+            return
+
+        archive = log_path + ".1"
+        # Keep only one archive — replace old one
+        if os.path.exists(archive):
+            try:
+                os.remove(archive)
+            except OSError:
+                pass
+        shutil.move(log_path, archive)
+    except Exception:
+        pass
+
+
+def log_secret_access(
+    project_dir: str,
+    tool: str,
+    file_path: str,
+    decision: str,
+    reason: str,
+    allowlisted: bool,
+) -> None:
+    """Log a secret access decision to .omg/state/ledger/secret-access.jsonl.
+
+    Args:
+        project_dir: Project root directory
+        tool: Tool name (Read, Write, Edit, MultiEdit)
+        file_path: File being accessed (will be masked if it matches secret patterns)
+        decision: Policy decision (allow, deny, ask)
+        reason: Human-readable reason for the decision
+        allowlisted: Whether the access was via an allowlist bypass
+
+    Creates the ledger directory if it doesn't exist.
+    Uses fcntl file locking for concurrent safety.
+    Rotates at 5MB with a single .1 archive.
+    Silently fails — never raises exceptions (crash isolation invariant).
+    """
+    try:
+        ledger_dir = os.path.join(project_dir, ".omg", "state", "ledger")
+        os.makedirs(ledger_dir, exist_ok=True)
+
+        log_path = os.path.join(ledger_dir, SECRET_ACCESS_LOG)
+
+        # Rotate if needed
+        _rotate_log(log_path)
+
+        # Build entry with masked path
+        entry = {
+            "ts": datetime.now(timezone.utc).isoformat(),
+            "tool": tool,
+            "file": mask_secret_path(file_path),
+            "decision": decision,
+            "reason": reason,
+            "allowlisted": allowlisted,
+        }
+
+        # Write with fcntl locking (same pattern as tool-ledger.py)
+        try:
+            import fcntl
+
+            fd = open(log_path, "a")
+            fcntl.flock(fd.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
+            fd.write(json.dumps(entry, separators=(",", ":")) + "\n")
+            fcntl.flock(fd.fileno(), fcntl.LOCK_UN)
+            fd.close()
+        except (ImportError, BlockingIOError):
+            # Fallback: write without locking
+            try:
+                with open(log_path, "a") as f:
+                    f.write(json.dumps(entry, separators=(",", ":")) + "\n")
+            except Exception:
+                pass
+    except Exception:
+        pass  # Crash isolation: never fail the hook

package/hooks/security_validators.py

@@ -0,0 +1,93 @@
+"""Shared validation helpers for security-sensitive filesystem and config writes."""
+from __future__ import annotations
+
+import re
+from pathlib import Path
+from urllib.parse import urlparse
+
+
+_OPAQUE_IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
+_SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
+
+
+def validate_opaque_identifier(value: str, field_name: str, max_length: int = 64) -> str:
+    """Validate an opaque identifier used in filenames or paths."""
+    if not isinstance(value, str):
+        raise ValueError(f"Invalid {field_name}: must be a string")
+
+    normalized = value.strip()
+    if not normalized:
+        raise ValueError(f"Invalid {field_name}: value is required")
+    if len(normalized) > max_length:
+        raise ValueError(f"Invalid {field_name}: exceeds {max_length} characters")
+    if ".." in normalized or not _OPAQUE_IDENTIFIER_RE.fullmatch(normalized):
+        raise ValueError(
+            f"Invalid {field_name}: use only ASCII letters, numbers, dot, underscore, and dash"
+        )
+    return normalized
+
+
+def ensure_path_within_dir(base_dir: str | Path, candidate_path: str | Path) -> str:
+    """Return a resolved path and reject traversal outside the intended base directory."""
+    base = Path(base_dir).resolve(strict=False)
+    candidate = Path(candidate_path).resolve(strict=False)
+    try:
+        candidate.relative_to(base)
+    except ValueError as exc:
+        raise ValueError(f"Resolved path escapes base directory: {candidate}") from exc
+    return str(candidate)
+
+
+def validate_server_name(server_name: str, max_length: int = 64) -> str:
+    """Validate an MCP server identifier suitable for JSON keys and TOML table names."""
+    if not isinstance(server_name, str):
+        raise ValueError("Invalid server_name: must be a string")
+
+    normalized = server_name.strip()
+    if not normalized:
+        raise ValueError("Invalid server_name: value is required")
+    if len(normalized) > max_length:
+        raise ValueError(f"Invalid server_name: exceeds {max_length} characters")
+    if not _SERVER_NAME_RE.fullmatch(normalized):
+        raise ValueError("Invalid server_name: use only ASCII letters, numbers, underscore, and dash")
+    return normalized
+
+
+def validate_server_url(server_url: str) -> str:
+    """Validate an MCP server URL and reject newline/control injection."""
+    if not isinstance(server_url, str):
+        raise ValueError("Invalid server_url: must be a string")
+
+    normalized = server_url.strip()
+    if not normalized:
+        raise ValueError("Invalid server_url: value is required")
+    if "\n" in normalized or "\r" in normalized:
+        raise ValueError("Invalid server_url: newline characters are not allowed")
+
+    parsed = urlparse(normalized)
+    if parsed.scheme not in {"http", "https"} or not parsed.netloc:
+        raise ValueError("Invalid server_url: must be an http or https URL")
+    return normalized
+
+
+def sanitize_run_id(value: str, *, max_length: int = 128) -> str:
+    """Sanitize a run_id for safe use in filesystem paths.
+
+    - Strip whitespace
+    - Replace any character that isn't alphanumeric, '-', '_', or '.' with '-'
+    - Remove '..' sequences to prevent path traversal
+    - Cap length at *max_length*
+    - Return ``"unknown"`` if empty after sanitization
+    """
+    cleaned = "".join(
+        ch if ch.isalnum() or ch in {"-", "_", "."} else "-"
+        for ch in str(value).strip()
+    )
+    cleaned = cleaned.replace("..", "")
+    cleaned = cleaned[:max_length]
+    return cleaned or "unknown"
+
+
+def toml_quote_string(value: str) -> str:
+    """Escape TOML basic string content."""
+    return value.replace("\\", "\\\\").replace('"', '\\"')