@tuent/sentinel 0.1.0 → 0.1.2

package/dist/{chunk-3U3PKD4N.js → chunk-FWIISAZZ.js}

@@ -1,13 +1,17 @@
 import {
   acquireGatewayLock,
   writePidFile
-} from "./chunk-CUJKNIKT.js";
+} from "./chunk-LATQNIRW.js";
 import {
   discoverPolicy
 } from "./chunk-FMZWHT4M.js";
 import {
+  FORBIDDEN_BASENAMES
+} from "./chunk-QIYQWOLO.js";
+import {
+  loadPolicy,
   loadPolicyFromString
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 
 // src/setup/initClaudeCode.ts
 import { access, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
@@ -17,12 +21,16 @@ import { createServer } from "http";
 import { fileURLToPath } from "url";
 
 // src/gateway/hookScriptSource.ts
+var SCORER_CRITICAL_EXTRAS = ["shadow", "passwd"];
+var HOOK_SENSITIVE_BASENAMES = [
+  .../* @__PURE__ */ new Set([...FORBIDDEN_BASENAMES, ...SCORER_CRITICAL_EXTRAS])
+];
 var HOOK_SCRIPT_SOURCE = `#!/usr/bin/env node
 // Sentinel cc hook bridge \u2014 generated by sentinel init claude-code
 // Do not edit manually; regenerate with: sentinel init claude-code --force
 
 import { readFileSync, appendFileSync, existsSync } from "node:fs";
-import { join } from "node:path";
+import { join, resolve, sep } from "node:path";
 import { spawn } from "node:child_process";
 
 const GATEWAY_ENTRY_POINT = "__GATEWAY_ENTRY_POINT__";
@@ -74,6 +82,17 @@ function logFallback(entry) {
   try { appendFileSync(FALLBACK_LOG, line + "\\n"); } catch { /* best effort */ }
 }
 
+// Sprint 26 Fix-2 Part 1 \u2014 hardcoded fail-closed FLOOR. tiers.json may ADD
+// high-tier tools but can never DOWNGRADE a floor tool to low (defeats the
+// two-step tier-config rewrite). Checked BEFORE the editable tiers below.
+const FLOOR_HIGH = ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"];
+
+// Item D \u2014 operator allowUnknownTools escape hatch, baked at init from the
+// launch policy so it survives gateway-down (the daemon allows these names
+// unconditionally at the name level, so allowing them here keeps down \u2287 up).
+// The marker default is [] \u2014 an un-substituted script stays strictest.
+const ALLOW_UNKNOWN_TOOLS = /* __ALLOW_UNKNOWN_TOOLS__ */ [];
+
 // Tier config uses flat format: { high, low, mcpDefault, unknownDefault } (plan v3.1 spec'd nested but simplified during 5a)
 function loadTiers() {
   try {
@@ -90,10 +109,52 @@ function loadTiers() {
 }
 
 function isHighSensitivity(toolName, tiers) {
+  if (FLOOR_HIGH.includes(toolName)) return true; // floor: tiers may add high, never downgrade
   if (tiers.high && tiers.high.includes(toolName)) return true;
   if (tiers.low && tiers.low.includes(toolName)) return false;
   if (toolName.startsWith("mcp__")) return tiers.mcpDefault === "high";
-  return tiers.unknownDefault === "high";
+  // Item D \u2014 operator-allowlisted names pass: gateway-up they are translated
+  // as known and allowed at the name level, so the escape hatch must survive
+  // gateway-down too.
+  if (ALLOW_UNKNOWN_TOOLS.includes(toolName)) return false;
+  // Item D floor: all other unknown names are always high-tier gateway-down.
+  // Deliberately stricter than gateway-up's warn default: the hook cannot
+  // persist findings while the daemon is down, so a warn-equivalent here
+  // would be allow-UNLOGGED \u2014 the exact F-8 hole. Hard-deny keeps down \u2287 up
+  // in both knob modes (same fail-closed stance as Fix-2's read handling),
+  // and a tiers.json edit (unknownDefault: "low") cannot reopen it. Named
+  // tools can still be tiered low explicitly via tiers.low above.
+  return true;
+}
+
+// Sprint 26 Fix-2 Part 2 \u2014 gateway-down safe-read exception.
+// INVARIANT: on gateway-down a read is NEVER more permissive than gateway-up.
+// Low-tier file reads (Read/Glob/Grep) fail CLOSED by default; only a
+// structurally-provably-safe target is allowed. The guard is GENERATED from the
+// canonical FORBIDDEN_BASENAMES (\u222A scorer extras), so it can't drift open.
+const SENSITIVE_BASENAMES = ${JSON.stringify(HOOK_SENSITIVE_BASENAMES)};
+const READ_TOOL_PATH_KEYS = { Read: "file_path", Glob: "pattern", Grep: "path" };
+
+function isProvablySafeRead(toolName, toolInput, payloadCwd) {
+  const key = READ_TOOL_PATH_KEYS[toolName];
+  if (!key) return false; // not a path-bearing read tool \u2014 not provably safe
+  const raw = toolInput && toolInput[key];
+  if (typeof raw !== "string" || raw.length === 0) return false; // no target \u2192 not provable
+  if (raw[0] === "/" || raw[0] === "~") return false; // absolute / home \u2192 fail closed
+  const cwd = typeof payloadCwd === "string" && payloadCwd ? payloadCwd : process.cwd();
+  const cwdNorm = resolve(cwd);
+  const norm = resolve(cwd, raw);
+  // Must resolve strictly within cwd (rejects any .. escape).
+  if (norm !== cwdNorm && !norm.startsWith(cwdNorm + sep)) return false;
+  const segments = norm.slice(cwdNorm.length).split(sep).filter(Boolean);
+  for (const seg of segments) {
+    const low = seg.toLowerCase();
+    if (low[0] === ".") return false; // dotfile / dot-dir
+    for (const s of SENSITIVE_BASENAMES) {
+      if (low.includes(s.toLowerCase())) return false; // conservative sensitive-token match
+    }
+  }
+  return true;
 }
 
 // ---------------------------------------------------------------------------
@@ -111,15 +172,29 @@ if (mode === "pre") {
     const result = JSON.parse(resp.body);
     process.stdout.write(JSON.stringify(result), () => process.exit(0));
   } catch {
-    // Gateway unreachable \u2014 tiered fail-closed
+    // Gateway unreachable \u2014 tiered fail-closed (Sprint 26 Fix-2).
     const tiers = loadTiers();
+    const restore = "Restart your Claude Code session to relaunch the gateway; see ~/.dahlia/gateway-fallback.log.";
     if (isHighSensitivity(toolName, tiers)) {
       logFallback({ event: "fail-closed-block", tool: toolName, tier: "high" });
       process.stderr.write(
-        \`Sentinel gateway unreachable; high-sensitivity tool "\${toolName}" blocked per fail-closed policy\`,
+        \`Sentinel gateway unreachable; high-sensitivity tool "\${toolName}" blocked per fail-closed policy. \${restore}\`,
+        () => process.exit(2),
+      );
+    } else if (
+      READ_TOOL_PATH_KEYS[toolName] &&
+      !isProvablySafeRead(toolName, payload.tool_input || {}, payload.cwd)
+    ) {
+      // Low-tier read whose target is not provably safe \u2192 fail CLOSED. The hook
+      // carries no policy, so it cannot evaluate the forbid surface; a read it
+      // can't prove safe is treated as if the gateway would deny it.
+      logFallback({ event: "fail-closed-block", tool: toolName, tier: "low", reason: "read-not-provably-safe" });
+      process.stderr.write(
+        \`Sentinel gateway unreachable; read by "\${toolName}" blocked (fail-closed: target not provably safe). \${restore}\`,
         () => process.exit(2),
       );
     } else {
+      // Provably-safe read, or a non-read low-tier tool (e.g. WebSearch) \u2192 allow.
       logFallback({ event: "fail-closed-allow", tool: toolName, tier: "low" });
       process.stdout.write(JSON.stringify({
         hookSpecificOutput: { hookEventName: "PreToolUse", permissionDecision: "allow" },
@@ -322,6 +397,11 @@ agent:
 policy:
   allow:
     actions: [file_read, file_write, tool_invocation, network_request, command_exec]
+    # allow.targets is ADVISORY for file_read / file_write / tool_invocation: an
+    # access outside this list is logged as a MEDIUM scope_violation but still
+    # runs \u2014 Sentinel governs the agent's own tool calls, it is not a filesystem
+    # sandbox. forbid.targets below is the hard deny. network_request is the
+    # exception: unlisted hosts are DENIED by default (see the networkHosts note).
     targets:
       - "src/**"
       - "test/**"
@@ -378,6 +458,28 @@ policy:
       - "**/*.pem"
       - "**/*.key"
       - "/etc/**"
+      # Sprint 26 FIX 1 (A) \u2014 common credential stores. DRIFT: keep in sync with
+      # DEFAULT_FORBIDDEN_PATTERNS in defaults.ts (unification tracked separately).
+      - "**/.netrc"
+      - "**/.npmrc"
+      - "**/.git-credentials"
+      - "**/.pgpass"
+      - "**/.zsh_history"
+      - "**/.config/gh/**"
+      - "**/.docker/config.json"
+      - "**/.gnupg/**"
+      - "**/.config/gcloud/**"
+      - "**/.kube/**"
+      - "**/Library/Keychains/**"
+      # Sprint 26 FIX 1 (B) \u2014 Sentinel's own state dir (current path only).
+      - "**/.dahlia/**"
+      # Sprint 26 FIX 3 \u2014 this policy file and cc's hook-wiring settings files.
+      # Agent tool-writes are denied; reads stay allowed via a code-side ceiling
+      # exception (not authorable here \u2014 workspace-authored exceptions are
+      # dropped by the ceiling merge, by design). DRIFT: keep in sync with
+      # DEFAULT_FORBIDDEN_PATTERNS in defaults.ts.
+      - "**/.sentinel.yaml"
+      - "**/.claude/settings*.json"
 enforcement:
   restrictAfter: 3
   quarantineAfter: 5
@@ -418,7 +520,16 @@ async function runInitClaudeCode(options) {
   );
   const hookPath = join(dahliaDir, "cc-hook.mjs");
   const gatewayEntryPoint = resolveGatewayEntryPoint();
-  const hookContent = HOOK_SCRIPT_SOURCE.replace(/__GATEWAY_ENTRY_POINT__/g, gatewayEntryPoint);
+  let allowUnknownTools = [];
+  try {
+    const effectivePolicy = await loadPolicy(policyPath);
+    allowUnknownTools = effectivePolicy.enforcement?.allowUnknownTools ?? [];
+  } catch {
+  }
+  const hookContent = HOOK_SCRIPT_SOURCE.replace(
+    /__GATEWAY_ENTRY_POINT__/g,
+    gatewayEntryPoint
+  ).replace("/* __ALLOW_UNKNOWN_TOOLS__ */ []", JSON.stringify(allowUnknownTools));
   if (hookContent.includes("__GATEWAY_ENTRY_POINT__")) {
     throw new Error("Failed to substitute all __GATEWAY_ENTRY_POINT__ placeholders");
   }
@@ -536,4 +647,4 @@ export {
   runInitClaudeCode,
   runSessionStart
 };
-//# sourceMappingURL=chunk-3U3PKD4N.js.map
+//# sourceMappingURL=chunk-FWIISAZZ.js.map

package/dist/{chunk-QFRDEISP.js → chunk-GRN5P3H2.js}

@@ -1,5 +1,4 @@
 import {
-  DEFAULT_FORBIDDEN_PATTERNS,
   DEFAULT_MAP_PATH,
   DEFAULT_MEDIUM_DISPOSITION,
   DEFAULT_OVERLAY_PATH,
@@ -16,13 +15,15 @@ import {
   removeOverlayDecision,
   saveMap,
   saveOverlay,
-  walkForbiddenInodeRoots
-} from "./chunk-6MHWJATS.js";
+  unionWithDefaultForbiddenPatterns,
+  walkForbiddenInodeRoots,
+  withPolicyReadExceptions
+} from "./chunk-QIYQWOLO.js";
 import {
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 import {
   publicKeyToBase64,
   reconstructSigningPayload,
@@ -742,6 +743,12 @@ var AuditTrail = class _AuditTrail {
     if (finding.softSignal === true) {
       entry.softSignal = true;
     }
+    if (finding.mentionOnly === true) {
+      entry.mentionOnly = true;
+    }
+    if (finding.dedupKey !== void 0) {
+      entry.dedupKey = finding.dedupKey;
+    }
     await this.writeLine(entry);
   }
   /**
@@ -6438,12 +6445,16 @@ var Sentinel = class _Sentinel {
         "tool_invocation"
       ],
       allowedTargetPatterns: options.allowedTargetPatterns ?? ["**"],
-      // Forbidden-pattern normalization chokepoint (Part A): **/-prepend bare
-      // patterns so they match absolute paths in Check 2. Idempotent.
-      forbiddenTargetPatterns: (options.forbiddenTargetPatterns ?? DEFAULT_FORBIDDEN_PATTERNS).map(
-        normalizeForbiddenPattern
-      ),
-      exceptions: options.exceptions,
+      // Forbidden-pattern normalization chokepoint (Part A) + Sprint 26 FIX 3B:
+      // the defaults are a floor unioned into every role, not a fallback — a
+      // policy yaml extends but cannot remove them (the `??` form let any
+      // policy-supplied list supersede the defaults entirely).
+      forbiddenTargetPatterns: unionWithDefaultForbiddenPatterns(options.forbiddenTargetPatterns),
+      // Sprint 26 FIX 3 — ceiling-side read carve-out for the self-protection
+      // forbids (policy + hook-wiring files). Appended here, not in the yaml
+      // template: mergeRoles drops workspace exceptions, so this is the only
+      // authorable layer — which is the self-locking property.
+      exceptions: withPolicyReadExceptions(options.exceptions),
       networkHosts: options.networkHosts,
       expectedSchedule: options.expectedSchedule,
       maxEventsPerHour: options.maxEventsPerHour,
@@ -6513,8 +6524,15 @@ var Sentinel = class _Sentinel {
       ...options.role,
       agentId,
       name: options.name,
-      // Forbidden-pattern normalization chokepoint (Part A) — idempotent.
-      forbiddenTargetPatterns: (options.role.forbiddenTargetPatterns ?? DEFAULT_FORBIDDEN_PATTERNS).map(normalizeForbiddenPattern)
+      // Forbidden-pattern normalization chokepoint (Part A) + Sprint 26 FIX 3B
+      // defaults-as-floor union — same semantics as monitor().
+      forbiddenTargetPatterns: unionWithDefaultForbiddenPatterns(
+        options.role.forbiddenTargetPatterns
+      ),
+      // Sprint 26 FIX 3 — same ceiling-side read carve-out as monitor(). The
+      // merged role arriving here keeps ceiling exceptions (workspace ones are
+      // already dropped by mergeRoles); the append is idempotent by target.
+      exceptions: withPolicyReadExceptions(options.role.exceptions)
     };
     if (await this.profileManager.agentExists(agentId)) {
       const store = await this.profileManager.loadAgentProfile(agentId);
@@ -7318,13 +7336,13 @@ var Sentinel = class _Sentinel {
           type: "agent_quarantined",
           agentId,
           agentName: event.agentName ?? agentId,
-          description: `Agent ${agentId} is quarantined. All actions blocked.`,
+          description: `Agent ${agentId} is quarantined. All actions blocked. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore access.`,
           evidence: {
             action: event.action,
             target: event.primaryTarget,
             timestamp: event.timestamp
           },
-          recommendation: "Agent must be manually released before it can perform any actions.",
+          recommendation: `Agent must be manually released before it can perform any actions. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore access.`,
           timestamp: event.timestamp
         }
       };
@@ -7339,13 +7357,13 @@ var Sentinel = class _Sentinel {
             type: "agent_restricted",
             agentId,
             agentName: event.agentName ?? agentId,
-            description: `Agent ${agentId} is restricted. Action '${event.action}' is not permitted in restricted mode.`,
+            description: `Agent ${agentId} is restricted. Action '${event.action}' is not permitted in restricted mode. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore full access.`,
             evidence: {
               action: event.action,
               target: event.primaryTarget,
               timestamp: event.timestamp
             },
-            recommendation: "Only file_read and tool_invocation are allowed in restricted mode. Release the agent to restore full access.",
+            recommendation: `Only file_read and tool_invocation are allowed in restricted mode. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore full access.`,
             timestamp: event.timestamp
           }
         };
@@ -7374,6 +7392,17 @@ var Sentinel = class _Sentinel {
    * Sprint 16 Prompt 3 — replaces in-memory blockCounts Map to survive
    * gateway restarts. Same pattern as Sprint 11 sessionCount Shape D fix.
    */
+  /**
+   * Shared escalation-eligibility predicate (Sprint 26 F-5). Single source of
+   * truth for "this finding counts toward the block ladder", extracted from the
+   * formerly-inline copies in getEffectiveBlockCount and maybeEscalate — behavior
+   * of both is identical to before the extraction. Accepts either a
+   * SecurityFinding-shaped object ({type}) or an audit entry ({findingType},
+   * mapped by the caller).
+   */
+  static isEscalationEligible(f) {
+    return _Sentinel.ESCALATION_ELIGIBLE_TYPES.has(f.type) && (f.severity === "HIGH" || f.severity === "CRITICAL") && f.kind === "actionable";
+  }
   async getEffectiveBlockCount(agentId) {
     const modeChanges = await this.query(agentId, { type: "mode_change" });
     const releaseEntry = modeChanges.find((e) => e.mode === "normal");
@@ -7382,16 +7411,31 @@ var Sentinel = class _Sentinel {
       type: "finding",
       ...anchor ? { startTime: anchor } : {}
     });
-    return findings.filter(
-      (f) => _Sentinel.ESCALATION_ELIGIBLE_TYPES.has(f.findingType) && (f.severity === "HIGH" || f.severity === "CRITICAL") && f.kind === "actionable"
-    ).length;
+    const survivors = findings.filter(
+      (f) => _Sentinel.isEscalationEligible({
+        type: f.findingType,
+        severity: f.severity,
+        kind: f.kind
+      }) && f.mentionOnly !== true
+    );
+    const distinctKeys = /* @__PURE__ */ new Set();
+    let keyless = 0;
+    for (const f of survivors) {
+      const key = f.dedupKey;
+      if (typeof key === "string" && key.length > 0) distinctKeys.add(key);
+      else keyless++;
+    }
+    return distinctKeys.size + keyless;
   }
   async maybeEscalate(agentId, finding) {
     const mode = this.getMode(agentId);
     if (mode === "quarantined") return;
-    if (finding.severity !== "HIGH" && finding.severity !== "CRITICAL") return;
-    if (!_Sentinel.ESCALATION_ELIGIBLE_TYPES.has(finding.type)) return;
-    if (finding.kind !== "actionable") return;
+    if (!_Sentinel.isEscalationEligible({
+      type: finding.type,
+      severity: finding.severity,
+      kind: finding.kind
+    }))
+      return;
     const count = await this.getEffectiveBlockCount(agentId);
     if (mode === "restricted") {
       if (count >= this.quarantineThreshold) {
@@ -7426,4 +7470,4 @@ export {
   createCliApproval,
   Sentinel
 };
-//# sourceMappingURL=chunk-QFRDEISP.js.map
+//# sourceMappingURL=chunk-GRN5P3H2.js.map