npm - @tuent/sentinel - Versions diffs - 0.1.0 → 0.1.2 - Mend

@tuent/sentinel 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md +26 -26
package/SECURITY_MODEL.md +281 -0
package/dist/Sentinel-XMSJE4DZ.js +10 -0
package/dist/{Sentinel-B_sv8Kiy.d.ts → Sentinel-xFCyXH45.d.ts} +31 -1
package/dist/chunk-B5QKJHSV.js +32 -0
package/dist/{chunk-3U3PKD4N.js → chunk-FWIISAZZ.js} +119 -8
package/dist/{chunk-QFRDEISP.js → chunk-GRN5P3H2.js} +67 -23
package/dist/{chunk-Z3PWIJKT.js → chunk-L4R3LPJS.js} +237 -443
package/dist/{chunk-CUJKNIKT.js → chunk-LATQNIRW.js} +33 -1
package/dist/{chunk-6MHWJATS.js → chunk-QIYQWOLO.js} +589 -19
package/dist/{chunk-2FFMYSVC.js → chunk-WLIDSTS4.js} +18 -2
package/dist/cli.js +30 -30
package/dist/gateway/index.d.ts +37 -1
package/dist/gateway/index.js +4 -3
package/dist/gatewayDaemon.js +4 -3
package/dist/index.d.ts +11 -2
package/dist/index.js +5 -5
package/dist/pidManager-DOGVN6ZT.js +23 -0
package/dist/{policyLoader-6KR5VFVV.js → policyLoader-KZL2U4M2.js} +2 -2
package/package.json +3 -2
package/dist/Sentinel-JLQL3YRD.js +0 -10
package/dist/pidManager-ZYC7SICM.js +0 -15

package/dist/{chunk-Z3PWIJKT.js → chunk-L4R3LPJS.js} RENAMED Viewed

@@ -1,48 +1,30 @@
+import {
+  deriveAgentId
+} from "./chunk-B5QKJHSV.js";
 import {
   discoverPolicy
 } from "./chunk-FMZWHT4M.js";
 import {
   DEFAULT_FORBIDDEN_PATTERNS,
+  FORBIDDEN_BASENAMES,
+  classifyDeny,
+  isPositionallySafeMention,
   matchGlobInsensitive,
-  normalizeForbiddenPattern
-} from "./chunk-6MHWJATS.js";
+  normalizeForbiddenPattern,
+  scanBashCommand,
+  scanContentForForbiddenBasenames,
+  scanGlobPattern,
+  tokenizePaths
+} from "./chunk-QIYQWOLO.js";
 import {
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 // src/gateway/workspaceRouter.ts
 import { resolve, dirname } from "path";
-// src/workspaceIdentity.ts
-var AGENT_PREFIX = "claude-code";
-function fnv1a32Hex(s) {
-  let h = 2166136261;
-  for (let i = 0; i < s.length; i++) {
-    h ^= s.charCodeAt(i);
-    h = Math.imul(h, 16777619);
-  }
-  return (h >>> 0).toString(16).padStart(8, "0");
-}
-function lastSegment(path) {
-  const parts = path.split("/").filter(Boolean);
-  return parts.length > 0 ? parts[parts.length - 1] : "";
-}
-function slugify(s) {
-  return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "");
-}
-function normalizeRoot(root) {
-  if (root === "" || root === "/") return root;
-  return root.replace(/\/+$/, "") || "/";
-}
-function deriveAgentId(workspaceRoot) {
-  const root = normalizeRoot(workspaceRoot);
-  const slug = slugify(lastSegment(root)) || "root";
-  const hash = fnv1a32Hex(root);
-  return `${AGENT_PREFIX}@${slug}-${hash}`;
-}
 // src/mergeRoles.ts
 function isWithinActiveHours(hour, range) {
   const [startHour, endHour] = range;
@@ -363,393 +345,6 @@ var TranslatorRegistry = class {
   }
 };
-// src/gateway/bashScanner.ts
-import { parse as shellParse } from "shell-quote";
-import { realpathSync } from "fs";
-import { dirname as dirname2, join, basename, normalize } from "path";
-var BRACE_PATTERN_RE = /\{[^}]*,[^}]*\}/;
-var MAX_BRACE_EXPANSION = 64;
-function fnmatchBasename(pattern, candidate) {
-  if (pattern.length !== candidate.length) return false;
-  for (let i = 0; i < pattern.length; i++) {
-    const p = pattern[i].toLowerCase();
-    const c = candidate[i].toLowerCase();
-    if (p === "?") continue;
-    if (p !== c) return false;
-  }
-  return true;
-}
-function bracketTokenMatchesForbidden(token, forbiddenBasenames) {
-  const literals = [];
-  let current = "";
-  let inBracket = false;
-  for (let i = 0; i < token.length; i++) {
-    if (token[i] === "[" && !inBracket) {
-      if (current) literals.push(current);
-      current = "";
-      inBracket = true;
-    } else if (token[i] === "]" && inBracket) {
-      inBracket = false;
-    } else if (!inBracket) {
-      current += token[i];
-    }
-  }
-  if (current) literals.push(current);
-  for (const forbidden of forbiddenBasenames) {
-    const fl = forbidden.toLowerCase();
-    for (const lit of literals) {
-      if (lit.length === 0) continue;
-      if (fl.includes(lit.toLowerCase())) return forbidden;
-    }
-  }
-  return null;
-}
-function resolveBraceExpansion(token) {
-  const match = token.match(/^(.*?)\{([^}]*,[^}]*)\}(.*)$/);
-  if (!match) return null;
-  const [, prefix, alternatives, suffix] = match;
-  const parts = alternatives.split(",");
-  if (parts.length > MAX_BRACE_EXPANSION) return null;
-  return parts.map((p) => prefix + p + suffix);
-}
-function wildcardDispatch(token, forbiddenBasenames, metadataField) {
-  const result = {
-    resolvedBasenames: [],
-    unparseable: false,
-    metadata: {}
-  };
-  if (token === "*" || token === "**" || token === "?") {
-    return result;
-  }
-  if (BRACE_PATTERN_RE.test(token)) {
-    const expanded = resolveBraceExpansion(token);
-    if (expanded === null) {
-      result.unparseable = true;
-      return result;
-    }
-    for (const alt of expanded) {
-      const hasWildcard = /[?*[]/.test(alt);
-      if (hasWildcard) {
-        const sub = wildcardDispatch(alt, forbiddenBasenames, metadataField);
-        if (sub.resolvedBasenames.length > 0) {
-          result.resolvedBasenames.push(...sub.resolvedBasenames);
-          result.metadata["resolvedFromBrace"] = token;
-          Object.assign(result.metadata, sub.metadata);
-        }
-        if (sub.unparseable) result.unparseable = true;
-      } else {
-        const altLower = alt.toLowerCase();
-        for (const forbidden of forbiddenBasenames) {
-          if (altLower === forbidden.toLowerCase()) {
-            result.resolvedBasenames.push(forbidden);
-            result.metadata["resolvedFromBrace"] = token;
-            break;
-          }
-        }
-      }
-    }
-    return result;
-  }
-  const hasStar = token.includes("*");
-  const hasQuestion = token.includes("?");
-  const hasBracket = token.includes("[");
-  if (hasBracket) {
-    const matched = bracketTokenMatchesForbidden(token, forbiddenBasenames);
-    if (matched) {
-      result.resolvedBasenames.push(matched);
-      result.metadata["resolvedFromBracket"] = token;
-    } else {
-      result.unparseable = true;
-    }
-    return result;
-  }
-  if (hasStar && !hasQuestion) {
-    const matched = starLiteralSubstringCheck(token, forbiddenBasenames);
-    if (matched) {
-      result.resolvedBasenames.push(matched);
-      result.metadata[metadataField] = token;
-    }
-    return result;
-  }
-  if (hasQuestion && !hasStar) {
-    for (const forbidden of forbiddenBasenames) {
-      if (fnmatchBasename(token, forbidden)) {
-        result.resolvedBasenames.push(forbidden);
-        result.metadata[metadataField] = token;
-        break;
-      }
-    }
-    return result;
-  }
-  if (hasStar && hasQuestion) {
-    const starMatch = starLiteralSubstringCheck(token, forbiddenBasenames);
-    if (starMatch) {
-      result.resolvedBasenames.push(starMatch);
-      result.metadata[metadataField] = token;
-      return result;
-    }
-    const segments = token.split("*").filter((s) => s.includes("?"));
-    for (const seg of segments) {
-      for (const forbidden of forbiddenBasenames) {
-        if (fnmatchBasename(seg, forbidden)) {
-          result.resolvedBasenames.push(forbidden);
-          result.metadata[metadataField] = token;
-          return result;
-        }
-      }
-    }
-    return result;
-  }
-  return result;
-}
-function starLiteralSubstringCheck(token, forbiddenBasenames) {
-  const literals = token.split("*").filter((s) => s.length > 0);
-  for (const forbidden of forbiddenBasenames) {
-    const fl = forbidden.toLowerCase();
-    for (const lit of literals) {
-      if (fl.includes(lit.toLowerCase())) return forbidden;
-    }
-  }
-  return null;
-}
-function shouldDispatchWildcard(token) {
-  const hasMetachar = /[?*[{]/.test(token);
-  if (!hasMetachar) return false;
-  if (isPathShaped(token)) return true;
-  if (token.includes("[")) return true;
-  if (BRACE_PATTERN_RE.test(token)) return true;
-  return false;
-}
-var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key)/i;
-var DANGEROUS_COMMAND_TOKENS = /* @__PURE__ */ new Set(["eval"]);
-var COMMAND_SUBSTITUTION_RE = /\$\(|`/;
-var DANGEROUS_RAW_RE = /<<<|<\(|>\(/;
-function isVarMarker(token) {
-  return typeof token === "object" && token !== null && "__sentinel_var" in token && typeof token.__sentinel_var === "string";
-}
-function tokenizePaths(command) {
-  const result = {
-    paths: [],
-    unparseable: false,
-    hasDangerousConstruct: false
-  };
-  if (DANGEROUS_RAW_RE.test(command)) {
-    result.hasDangerousConstruct = true;
-  }
-  if (COMMAND_SUBSTITUTION_RE.test(command)) {
-    result.hasDangerousConstruct = true;
-  }
-  let tokens;
-  try {
-    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
-  } catch {
-    result.unparseable = true;
-    return result;
-  }
-  if (!Array.isArray(tokens)) {
-    result.unparseable = true;
-    return result;
-  }
-  let prevToken = null;
-  for (let i = 0; i < tokens.length; i++) {
-    const token = tokens[i];
-    if (isVarMarker(token)) {
-      const nextToken = tokens[i + 1];
-      const nextIsPathRelevant = nextToken === void 0 || // end of tokens — var is complete argument
-      typeof nextToken === "object" && nextToken !== null && "op" in nextToken || // followed by operator — var is complete argument
-      typeof nextToken === "string" && isPathShaped(nextToken);
-      const prevIsPathRelevant = prevToken !== null && isPathShaped(prevToken);
-      if (nextIsPathRelevant || prevIsPathRelevant) {
-        result.unparseable = true;
-      }
-      prevToken = null;
-      continue;
-    }
-    if (typeof token === "object" && token !== null) {
-      if ("pattern" in token) {
-        const globPattern = token.pattern;
-        const lastSlash = globPattern.lastIndexOf("/");
-        const dispatchTarget = lastSlash >= 0 ? globPattern.slice(lastSlash + 1) : globPattern;
-        const dispatch = wildcardDispatch(dispatchTarget, FORBIDDEN_BASENAMES, "resolvedFromGlob");
-        if (dispatch.resolvedBasenames.length > 0) {
-          for (const resolved of dispatch.resolvedBasenames) {
-            result.paths.push(resolved);
-          }
-        }
-        if (dispatch.unparseable) {
-          result.unparseable = true;
-        }
-        if (SENSITIVE_BASENAME_RE.test(globPattern)) {
-          result.unparseable = true;
-        }
-        prevToken = null;
-        continue;
-      }
-      if ("op" in token) {
-        if (token.op === "<(") {
-          result.hasDangerousConstruct = true;
-        }
-        prevToken = null;
-        continue;
-      }
-      prevToken = null;
-      continue;
-    }
-    if (typeof token !== "string") {
-      prevToken = null;
-      continue;
-    }
-    if (DANGEROUS_COMMAND_TOKENS.has(token.toLowerCase())) {
-      result.hasDangerousConstruct = true;
-    }
-    if ((prevToken === "sh" || prevToken === "bash" || prevToken === "/bin/sh" || prevToken === "/bin/bash") && token === "-c") {
-      result.hasDangerousConstruct = true;
-    }
-    if (shouldDispatchWildcard(token)) {
-      const metaField = "resolvedFromQuotedGlob";
-      const dispatch = wildcardDispatch(token, FORBIDDEN_BASENAMES, metaField);
-      if (dispatch.resolvedBasenames.length > 0) {
-        for (const resolved of dispatch.resolvedBasenames) {
-          result.paths.push(resolved);
-        }
-      }
-      if (dispatch.unparseable) {
-        result.unparseable = true;
-      }
-    } else if (isPathShaped(token)) {
-      const resolved = resolvePathToken(token);
-      result.paths.push(resolved);
-    }
-    prevToken = token;
-  }
-  return result;
-}
-function isPathShaped(token) {
-  if (token.includes("/")) return true;
-  if (token.startsWith(".")) return true;
-  if (SENSITIVE_BASENAME_RE.test(token)) return true;
-  return false;
-}
-function resolvePathToken(token) {
-  const normalized = normalize(token);
-  try {
-    return realpathSync(normalized);
-  } catch (err) {
-    const code = err.code;
-    if (code === "ENOENT") {
-      return resolveNonexistentPathToken(normalized);
-    }
-    return normalized;
-  }
-}
-function resolveNonexistentPathToken(normalizedPath) {
-  let current = normalizedPath;
-  let suffix = "";
-  for (let i = 0; i < 50; i++) {
-    const parent = dirname2(current);
-    if (parent === current) {
-      return normalizedPath;
-    }
-    if (parent === ".") {
-      return normalizedPath;
-    }
-    suffix = suffix ? join(basename(current), suffix) : basename(current);
-    current = parent;
-    try {
-      const resolved = realpathSync(current);
-      if (resolved !== current) {
-        return join(resolved, suffix);
-      }
-      return join(resolved, suffix);
-    } catch {
-      continue;
-    }
-  }
-  return normalizedPath;
-}
-var FORBIDDEN_BASENAMES = [
-  ".env",
-  ".ssh",
-  ".aws",
-  "secrets",
-  "credentials",
-  "id_rsa",
-  "id_dsa",
-  "id_ecdsa",
-  "id_ed25519",
-  ".pem",
-  ".key"
-];
-function scanBashCommand(command, forbiddenBasenames) {
-  const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
-  const hits = [];
-  for (const basename2 of basenames) {
-    const pattern = buildPattern(basename2);
-    if (pattern.test(command)) {
-      hits.push(basename2);
-    }
-  }
-  return { matched: hits.length > 0, hits };
-}
-function buildPattern(basename2) {
-  const escaped = escapeRegex(basename2);
-  if (basename2.startsWith(".") && basename2.length <= 4 && !isAlphaAfterDot(basename2)) {
-    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
-  }
-  if (basename2.startsWith(".")) {
-    return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
-  }
-  return new RegExp(`\\b${escaped}\\b`, "i");
-}
-function scanContentForForbiddenBasenames(content, forbiddenBasenames) {
-  const hits = [];
-  for (const basename2 of forbiddenBasenames) {
-    const pattern = buildContentPattern(basename2);
-    if (pattern.test(content)) {
-      hits.push(basename2);
-    }
-  }
-  return { matched: hits.length > 0, hits };
-}
-function buildContentPattern(basename2) {
-  const escaped = escapeRegex(basename2);
-  if (basename2.startsWith(".") && basename2.length <= 4 && !isAlphaAfterDot(basename2)) {
-    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
-  }
-  if (basename2.startsWith(".")) {
-    return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
-  }
-  return new RegExp(`(?<=[/\\\\]\\.?)${escaped}\\b`, "i");
-}
-function isAlphaAfterDot(s) {
-  return /^\.[a-zA-Z]+$/.test(s);
-}
-function escapeRegex(s) {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function scanGlobPattern(pattern, forbiddenBasenames) {
-  const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
-  const hits = [];
-  for (const basename2 of basenames) {
-    const re = buildGlobContextPattern(basename2);
-    if (re.test(pattern)) {
-      hits.push(basename2);
-    }
-  }
-  return { matched: hits.length > 0, hits };
-}
-function buildGlobContextPattern(basename2) {
-  const escaped = escapeRegex(basename2);
-  const GLOB_DELIM = String.raw`\s;&|<>()\\/'"=.*?{}\[\]`;
-  if (basename2.startsWith(".") && basename2.length <= 4 && !isAlphaAfterDot(basename2)) {
-    return new RegExp(`[\\w*]${escaped}(?=$|[${GLOB_DELIM}])`, "i");
-  }
-  if (basename2.startsWith(".")) {
-    return new RegExp(`(?:^|[${GLOB_DELIM}])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
-  }
-  return new RegExp(`\\b${escaped}\\b`, "i");
-}
 // src/gateway/runtimeConstructionResolvers.ts
 var MAX_RECURSION_DEPTH = 3;
 var INTERPRETER_RE = /\b(?:python[23]?|node|ruby|perl|php)\s+(?:-[cer])\s+(.+)/s;
@@ -1052,7 +647,37 @@ var TOOL_MAP = {
   WebSearch: { action: "network_request", targetKey: "query" },
   Task: { action: "tool_invocation", targetKey: "description" },
   Skill: { action: "tool_invocation", targetKey: "skill" },
-  NotebookEdit: { action: "file_write", targetKey: "notebook_path" }
+  NotebookEdit: { action: "file_write", targetKey: "notebook_path" },
+  // Sprint 26 Gate-A Item D (F-8) — TOOL_MAP refresh. The 11 names above were
+  // a stale subset of cc's native tool set; with the unknown-tool deny consumer
+  // live, every missing native name would hard-fail. Inventory taken from a
+  // live cc session (2026-06). Conservative mapping: tool_invocation, with a
+  // targetKey only where the input schema is known to carry a representative
+  // free-text field (scanned by Check 2 / sensitivity like Task.description).
+  // Subagent-spawning tools (Agent/Workflow/Task*) are orchestration-only here:
+  // each spawned agent's own tool calls hook through PreToolUse individually.
+  Agent: { action: "tool_invocation", targetKey: "prompt" },
+  SendMessage: { action: "tool_invocation" },
+  AskUserQuestion: { action: "tool_invocation" },
+  ScheduleWakeup: { action: "tool_invocation", targetKey: "prompt" },
+  ToolSearch: { action: "tool_invocation", targetKey: "query" },
+  Workflow: { action: "tool_invocation", targetKey: "script" },
+  Monitor: { action: "tool_invocation" },
+  EnterPlanMode: { action: "tool_invocation" },
+  ExitPlanMode: { action: "tool_invocation" },
+  EnterWorktree: { action: "tool_invocation" },
+  ExitWorktree: { action: "tool_invocation" },
+  CronCreate: { action: "tool_invocation" },
+  CronDelete: { action: "tool_invocation" },
+  CronList: { action: "tool_invocation" },
+  TaskCreate: { action: "tool_invocation" },
+  TaskGet: { action: "tool_invocation" },
+  TaskList: { action: "tool_invocation" },
+  TaskOutput: { action: "tool_invocation" },
+  TaskStop: { action: "tool_invocation" },
+  TaskUpdate: { action: "tool_invocation" },
+  PushNotification: { action: "tool_invocation" },
+  RemoteTrigger: { action: "tool_invocation" }
 };
 var AGENT_ID = "claude-code";
 var AGENT_NAME = "Claude Code";
@@ -1145,7 +770,7 @@ function extractTargets(toolName, toolInput, cwd) {
       return extractGrepTargets(toolInput, cwd);
     default: {
       const mapping = TOOL_MAP[toolName];
-      if (!mapping) return [toolName];
+      if (!mapping || !mapping.targetKey) return [toolName];
       const val = toolInput[mapping.targetKey];
       if (typeof val === "string" && val.length > 0) return [val];
       return [toolName];
@@ -1184,6 +809,17 @@ function extractMcpTargets(toolName, toolInput) {
 var UNKNOWN_TOOL_REASON = "tool schema unknown \u2014 sensitivity scoring and forbidden target patterns cannot evaluate this event";
 var ClaudeCodeTranslator = class {
   agentType = "claude-code";
+  /**
+   * Sprint 26 Gate-A Item D (F-8) — operator allowlist escape hatch. Names
+   * listed in the launch policy's enforcement.allowUnknownTools translate as
+   * KNOWN tool_invocation (no _unknownTool marker), so a new cc native tool
+   * can be unbricked with a one-line policy edit + daemon restart instead of
+   * waiting on a Sentinel release that refreshes TOOL_MAP.
+   */
+  allowUnknownTools;
+  constructor(options) {
+    this.allowUnknownTools = new Set(options?.allowUnknownTools ?? []);
+  }
   translatePreToolUse(payload) {
     const p = payload;
     if (!p || typeof p !== "object" || !p.tool_name) return null;
@@ -1204,7 +840,7 @@ var ClaudeCodeTranslator = class {
       metadata._policyEnforcementBypassed = "true";
       metadata._policyBypassReason = UNKNOWN_TOOL_REASON;
       console.warn(
-        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 allowing with WARN. ${UNKNOWN_TOOL_REASON}`
+        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 flagged for gateway disposition (enforcement.unknownTools; default warn). ${UNKNOWN_TOOL_REASON}`
       );
     }
     if (isMcp) {
@@ -1362,6 +998,14 @@ var ClaudeCodeTranslator = class {
         mcpMutating: mcp.mutating
       };
     }
+    if (this.allowUnknownTools.has(toolName)) {
+      return {
+        action: "tool_invocation",
+        targets: [toolName],
+        isUnknown: false,
+        isMcp: false
+      };
+    }
     return {
       action: "tool_invocation",
       targets: [toolName],
@@ -1397,9 +1041,23 @@ function buildModifiedGrepInput(originalInput, exclusions) {
 }
 // src/gateway/server.ts
+import { timingSafeEqual } from "crypto";
 var DEFAULT_PORT = 7847;
 var MAX_BODY_SIZE = 1024 * 1024;
 var GATEWAY_VERSION = "0.1.0";
+function isLoopbackAddress(addr) {
+  if (!addr) return false;
+  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1" || addr.startsWith("127.");
+}
+function constantTimeEqual(a, b) {
+  const ab = Buffer.from(a, "utf-8");
+  const bb = Buffer.from(b, "utf-8");
+  if (ab.length !== bb.length) {
+    timingSafeEqual(bb, bb);
+    return false;
+  }
+  return timingSafeEqual(ab, bb);
+}
 function parseIntentLine(prompt) {
   if (typeof prompt !== "string") return null;
   const firstNonEmpty = prompt.split("\n").find((line) => line.trim().length > 0);
@@ -1440,6 +1098,9 @@ var SentinelGateway = class {
   workspaceIsolation;
   operatorCeiling;
   home;
+  releaseToken;
+  /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
+  unknownTools;
   server = null;
   running = false;
   signalHandlersInstalled = false;
@@ -1453,6 +1114,8 @@ var SentinelGateway = class {
     this.workspaceIsolation = options.workspaceIsolation ?? process.env.SENTINEL_WORKSPACE_ISOLATION === "1";
     this.operatorCeiling = options.operatorCeiling ?? null;
     this.home = options.home ?? "";
+    this.releaseToken = options.releaseToken ?? null;
+    this.unknownTools = options.unknownTools ?? "warn";
     const internal = options;
     if (internal.registry) {
       this.registry = internal.registry;
@@ -1461,7 +1124,9 @@ var SentinelGateway = class {
       this.registry.register(internal.translator);
     } else {
       this.registry = new TranslatorRegistry();
-      this.registry.register(new ClaudeCodeTranslator());
+      this.registry.register(
+        new ClaudeCodeTranslator({ allowUnknownTools: options.allowUnknownTools })
+      );
     }
   }
   get port() {
@@ -1580,6 +1245,10 @@ var SentinelGateway = class {
         return;
       }
     }
+    if (method === "POST" && url === "/api/sentinel/release") {
+      this.handleReleaseRoute(req, res);
+      return;
+    }
     if (method === "POST") {
       const match = url.match(
         /^\/api\/sentinel\/(pre-tool-use|post-tool-use|session-end|user-prompt-submit)\/(.+)$/
@@ -1606,6 +1275,58 @@ var SentinelGateway = class {
     }
     this.sendJson(res, 404, { error: "not found" });
   }
+  /**
+   * Operator release route (Sprint 0.1.1). Loopback-only + token-gated. On a
+   * valid request, calls sentinel.release() on the LIVE instance — flipping the
+   * in-memory mode, writing mode.json, and logging the signed mode_change anchor
+   * in-process (single writer). Never re-reads mode.json or trusts file content.
+   */
+  handleReleaseRoute(req, res) {
+    const remote = req.socket?.remoteAddress;
+    if (!isLoopbackAddress(remote)) {
+      console.warn(`[SENTINEL GATEWAY] /release refused non-loopback origin: ${remote ?? "?"}`);
+      this.sendJson(res, 403, { ok: false, error: "release is loopback-only" });
+      return;
+    }
+    if (!this.releaseToken) {
+      this.sendJson(res, 503, { ok: false, error: "release endpoint not configured" });
+      return;
+    }
+    const provided = req.headers["x-sentinel-token"];
+    const token = typeof provided === "string" ? provided : "";
+    if (!constantTimeEqual(token, this.releaseToken)) {
+      console.warn(`[SENTINEL GATEWAY] /release rejected: invalid token from ${remote}`);
+      this.sendJson(res, 401, { ok: false, error: "invalid or missing token" });
+      return;
+    }
+    this.readBody(req, res, (body) => {
+      let payload;
+      try {
+        payload = JSON.parse(body);
+      } catch {
+        this.sendJson(res, 400, { ok: false, error: "invalid JSON" });
+        return;
+      }
+      const p = payload ?? {};
+      const agentId = typeof p.agentId === "string" ? p.agentId : "";
+      if (!agentId) {
+        this.sendJson(res, 400, { ok: false, error: "agentId required" });
+        return;
+      }
+      const reason = typeof p.reason === "string" ? p.reason : "operator release (live)";
+      const previousMode = this.sentinel.getMode(agentId);
+      this.sentinel.release(agentId, reason).then(() => {
+        this.sendJson(res, 200, {
+          ok: true,
+          agentId,
+          previousMode,
+          mode: this.sentinel.getMode(agentId)
+        });
+      }).catch((err) => {
+        this.sendJson(res, 500, { ok: false, error: String(err.message) });
+      });
+    });
+  }
   // -------------------------------------------------------------------------
   // Endpoint handlers
   // -------------------------------------------------------------------------
@@ -1740,29 +1461,26 @@ var SentinelGateway = class {
       routingId = routed.agentId;
       event.agentId = routingId;
     }
-    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
-      const allL2Hits = [];
-      for (const scanTarget of event.targets) {
-        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
-        if (scan.matched) allL2Hits.push(...scan.hits);
-      }
-      if (allL2Hits.length > 0) {
+    if (event.metadata?._unknownTool === "true") {
+      const unknownName = event.metadata.ccToolName ?? event.primaryTarget;
+      if (this.unknownTools === "deny") {
         const finding = {
           severity: "HIGH",
           kind: "actionable",
-          type: "unauthorized_target",
+          type: "unknown_tool",
           agentId: event.agentId,
           agentName: event.agentName,
-          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          description: `Unknown tool "${unknownName}" denied \u2014 not in Sentinel's recognized tool set, so policy checks cannot evaluate it. If this is a legitimate tool, add it to enforcement.allowUnknownTools in the operator launch policy file and restart the gateway daemon.`,
           evidence: {
             action: event.action,
-            target: allL2Hits[0],
+            target: unknownName,
             timestamp: event.timestamp,
-            baselineComparison: "credentials_exfil_attempt"
+            baselineComparison: "unknown_tool_denied"
           },
-          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          recommendation: `Add "${unknownName}" to enforcement.allowUnknownTools in the operator launch policy file and restart the daemon, or update @tuent/sentinel to a build whose recognized tool set includes it.`,
           timestamp: event.timestamp,
-          decision: "deny"
+          decision: "deny",
+          dedupKey: unknownName
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1770,6 +1488,38 @@ var SentinelGateway = class {
         this.sendJson(res, 200, response);
         return;
       }
+      const warnFinding = {
+        severity: "LOW",
+        kind: "informational",
+        type: "unknown_tool",
+        agentId: event.agentId,
+        agentName: event.agentName,
+        description: `Unknown tool "${unknownName}" allowed (enforcement.unknownTools: warn) \u2014 not in Sentinel's recognized tool set; policy checks could not evaluate it.`,
+        evidence: {
+          action: event.action,
+          target: unknownName,
+          timestamp: event.timestamp,
+          baselineComparison: "unknown_tool_allowed_warn"
+        },
+        recommendation: `Add "${unknownName}" to enforcement.allowUnknownTools (or update @tuent/sentinel) to clear this warning, or switch enforcement.unknownTools to deny.`,
+        timestamp: event.timestamp,
+        decision: "allow",
+        dedupKey: unknownName
+      };
+      await this.sentinel.logFinding(routingId, warnFinding);
+    }
+    let suppressForbiddenBasename = false;
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
+      const literalCommand = event.targets[0] ?? "";
+      const decodedImplicated = event.targets.slice(1).some((t) => scanBashCommand(t, FORBIDDEN_BASENAMES).matched);
+      suppressForbiddenBasename = isPositionallySafeMention(literalCommand) && !decodedImplicated;
+    }
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0 && !suppressForbiddenBasename) {
+      const allL2Hits = [];
+      for (const scanTarget of event.targets) {
+        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
+        if (scan.matched) allL2Hits.push(...scan.hits);
+      }
       const allTokenPaths = [];
       let anyUnparseable = false;
       let anyDangerousConstruct = false;
@@ -1791,6 +1541,38 @@ var SentinelGateway = class {
         }
         if (matchedPath) break;
       }
+      if (allL2Hits.length > 0) {
+        const { mentionOnly } = classifyDeny(event.targets[0] ?? "", {
+          l2Hits: allL2Hits,
+          hasL1Hit: matchedPath !== null,
+          unparseable: anyUnparseable,
+          hasDangerousConstruct: anyDangerousConstruct
+        });
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          evidence: {
+            action: event.action,
+            target: allL2Hits[0],
+            timestamp: event.timestamp,
+            baselineComparison: "credentials_exfil_attempt"
+          },
+          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          timestamp: event.timestamp,
+          decision: "deny",
+          mentionOnly,
+          dedupKey: event.primaryTarget
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
       if (matchedPath) {
         const finding = {
           severity: "HIGH",
@@ -1807,7 +1589,10 @@ var SentinelGateway = class {
           },
           recommendation: "Review the command for credential or sensitive file access. If legitimate, use existing policy exception mechanisms.",
           timestamp: event.timestamp,
-          decision: "deny"
+          decision: "deny",
+          // A resolved path-glob hit is a file target — never a mention.
+          mentionOnly: false,
+          dedupKey: event.primaryTarget
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -2239,14 +2024,18 @@ async function runGatewayDaemon({
   policyPath,
   port = DEFAULT_PORT
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-JLQL3YRD.js");
-  const { writePidFile } = await import("./pidManager-ZYC7SICM.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-XMSJE4DZ.js");
+  const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
-  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2 } = await import("./policyLoader-6KR5VFVV.js");
+  const { randomBytes } = await import("crypto");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-KZL2U4M2.js");
   const sentinel = await SentinelClass.fromPolicy(policyPath);
   const baseline = await sentinel.computeBaseline("claude-code");
   sentinel.setBaseline("claude-code", baseline);
-  const operatorCeiling = policyToRole2(await loadPolicy2(policyPath));
+  const operatorPolicy = await loadPolicy2(policyPath);
+  const operatorCeiling = policyToRole2(operatorPolicy);
+  const operatorConfig = policyToConfig2(operatorPolicy);
+  const releaseToken = randomBytes(32).toString("hex");
   const gateway = new SentinelGateway({
     port,
     sentinel,
@@ -2254,10 +2043,15 @@ async function runGatewayDaemon({
     agentId: "claude-code",
     workspaceIsolation: process.env.SENTINEL_WORKSPACE_ISOLATION !== "0",
     operatorCeiling,
-    home: homedir()
+    home: homedir(),
+    releaseToken,
+    unknownTools: operatorConfig.enforcement?.unknownTools,
+    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools
   });
   await gateway.start();
-  writePidFile(homedir(), process.pid);
+  const home = homedir();
+  writePidFile(home, process.pid);
+  writeReleaseToken(home, releaseToken, gateway.port);
   console.log(`[SENTINEL GATEWAY] PID ${process.pid} written`);
 }
@@ -2265,4 +2059,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-Z3PWIJKT.js.map
+//# sourceMappingURL=chunk-L4R3LPJS.js.map