@tuent/sentinel 0.1.1 → 0.1.2

package/dist/{chunk-NS6ZLMDK.js → chunk-GRN5P3H2.js}

@@ -1,5 +1,4 @@
 import {
-  DEFAULT_FORBIDDEN_PATTERNS,
   DEFAULT_MAP_PATH,
   DEFAULT_MEDIUM_DISPOSITION,
   DEFAULT_OVERLAY_PATH,
@@ -16,13 +15,15 @@ import {
   removeOverlayDecision,
   saveMap,
   saveOverlay,
-  walkForbiddenInodeRoots
-} from "./chunk-QHE56MEO.js";
+  unionWithDefaultForbiddenPatterns,
+  walkForbiddenInodeRoots,
+  withPolicyReadExceptions
+} from "./chunk-QIYQWOLO.js";
 import {
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 import {
   publicKeyToBase64,
   reconstructSigningPayload,
@@ -742,6 +743,12 @@ var AuditTrail = class _AuditTrail {
     if (finding.softSignal === true) {
       entry.softSignal = true;
     }
+    if (finding.mentionOnly === true) {
+      entry.mentionOnly = true;
+    }
+    if (finding.dedupKey !== void 0) {
+      entry.dedupKey = finding.dedupKey;
+    }
     await this.writeLine(entry);
   }
   /**
@@ -6438,12 +6445,16 @@ var Sentinel = class _Sentinel {
         "tool_invocation"
       ],
       allowedTargetPatterns: options.allowedTargetPatterns ?? ["**"],
-      // Forbidden-pattern normalization chokepoint (Part A): **/-prepend bare
-      // patterns so they match absolute paths in Check 2. Idempotent.
-      forbiddenTargetPatterns: (options.forbiddenTargetPatterns ?? DEFAULT_FORBIDDEN_PATTERNS).map(
-        normalizeForbiddenPattern
-      ),
-      exceptions: options.exceptions,
+      // Forbidden-pattern normalization chokepoint (Part A) + Sprint 26 FIX 3B:
+      // the defaults are a floor unioned into every role, not a fallback — a
+      // policy yaml extends but cannot remove them (the `??` form let any
+      // policy-supplied list supersede the defaults entirely).
+      forbiddenTargetPatterns: unionWithDefaultForbiddenPatterns(options.forbiddenTargetPatterns),
+      // Sprint 26 FIX 3 — ceiling-side read carve-out for the self-protection
+      // forbids (policy + hook-wiring files). Appended here, not in the yaml
+      // template: mergeRoles drops workspace exceptions, so this is the only
+      // authorable layer — which is the self-locking property.
+      exceptions: withPolicyReadExceptions(options.exceptions),
       networkHosts: options.networkHosts,
       expectedSchedule: options.expectedSchedule,
       maxEventsPerHour: options.maxEventsPerHour,
@@ -6513,8 +6524,15 @@ var Sentinel = class _Sentinel {
       ...options.role,
       agentId,
       name: options.name,
-      // Forbidden-pattern normalization chokepoint (Part A) — idempotent.
-      forbiddenTargetPatterns: (options.role.forbiddenTargetPatterns ?? DEFAULT_FORBIDDEN_PATTERNS).map(normalizeForbiddenPattern)
+      // Forbidden-pattern normalization chokepoint (Part A) + Sprint 26 FIX 3B
+      // defaults-as-floor union — same semantics as monitor().
+      forbiddenTargetPatterns: unionWithDefaultForbiddenPatterns(
+        options.role.forbiddenTargetPatterns
+      ),
+      // Sprint 26 FIX 3 — same ceiling-side read carve-out as monitor(). The
+      // merged role arriving here keeps ceiling exceptions (workspace ones are
+      // already dropped by mergeRoles); the append is idempotent by target.
+      exceptions: withPolicyReadExceptions(options.role.exceptions)
     };
     if (await this.profileManager.agentExists(agentId)) {
       const store = await this.profileManager.loadAgentProfile(agentId);
@@ -7318,13 +7336,13 @@ var Sentinel = class _Sentinel {
           type: "agent_quarantined",
           agentId,
           agentName: event.agentName ?? agentId,
-          description: `Agent ${agentId} is quarantined. All actions blocked. Run 'sentinel release' to restore access.`,
+          description: `Agent ${agentId} is quarantined. All actions blocked. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore access.`,
           evidence: {
             action: event.action,
             target: event.primaryTarget,
             timestamp: event.timestamp
           },
-          recommendation: `Agent must be manually released before it can perform any actions. Run 'sentinel release' in this workspace (or 'sentinel release --agent=${agentId}') to restore access.`,
+          recommendation: `Agent must be manually released before it can perform any actions. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore access.`,
           timestamp: event.timestamp
         }
       };
@@ -7339,13 +7357,13 @@ var Sentinel = class _Sentinel {
             type: "agent_restricted",
             agentId,
             agentName: event.agentName ?? agentId,
-            description: `Agent ${agentId} is restricted. Action '${event.action}' is not permitted in restricted mode. Run 'sentinel release' to restore full access.`,
+            description: `Agent ${agentId} is restricted. Action '${event.action}' is not permitted in restricted mode. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore full access.`,
             evidence: {
               action: event.action,
               target: event.primaryTarget,
               timestamp: event.timestamp
             },
-            recommendation: `Only file_read and tool_invocation are allowed in restricted mode. Run 'sentinel release' in this workspace (or 'sentinel release --agent=${agentId}') to restore full access.`,
+            recommendation: `Only file_read and tool_invocation are allowed in restricted mode. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore full access.`,
             timestamp: event.timestamp
           }
         };
@@ -7374,6 +7392,17 @@ var Sentinel = class _Sentinel {
    * Sprint 16 Prompt 3 — replaces in-memory blockCounts Map to survive
    * gateway restarts. Same pattern as Sprint 11 sessionCount Shape D fix.
    */
+  /**
+   * Shared escalation-eligibility predicate (Sprint 26 F-5). Single source of
+   * truth for "this finding counts toward the block ladder", extracted from the
+   * formerly-inline copies in getEffectiveBlockCount and maybeEscalate — behavior
+   * of both is identical to before the extraction. Accepts either a
+   * SecurityFinding-shaped object ({type}) or an audit entry ({findingType},
+   * mapped by the caller).
+   */
+  static isEscalationEligible(f) {
+    return _Sentinel.ESCALATION_ELIGIBLE_TYPES.has(f.type) && (f.severity === "HIGH" || f.severity === "CRITICAL") && f.kind === "actionable";
+  }
   async getEffectiveBlockCount(agentId) {
     const modeChanges = await this.query(agentId, { type: "mode_change" });
     const releaseEntry = modeChanges.find((e) => e.mode === "normal");
@@ -7382,16 +7411,31 @@ var Sentinel = class _Sentinel {
       type: "finding",
       ...anchor ? { startTime: anchor } : {}
     });
-    return findings.filter(
-      (f) => _Sentinel.ESCALATION_ELIGIBLE_TYPES.has(f.findingType) && (f.severity === "HIGH" || f.severity === "CRITICAL") && f.kind === "actionable"
-    ).length;
+    const survivors = findings.filter(
+      (f) => _Sentinel.isEscalationEligible({
+        type: f.findingType,
+        severity: f.severity,
+        kind: f.kind
+      }) && f.mentionOnly !== true
+    );
+    const distinctKeys = /* @__PURE__ */ new Set();
+    let keyless = 0;
+    for (const f of survivors) {
+      const key = f.dedupKey;
+      if (typeof key === "string" && key.length > 0) distinctKeys.add(key);
+      else keyless++;
+    }
+    return distinctKeys.size + keyless;
   }
   async maybeEscalate(agentId, finding) {
     const mode = this.getMode(agentId);
     if (mode === "quarantined") return;
-    if (finding.severity !== "HIGH" && finding.severity !== "CRITICAL") return;
-    if (!_Sentinel.ESCALATION_ELIGIBLE_TYPES.has(finding.type)) return;
-    if (finding.kind !== "actionable") return;
+    if (!_Sentinel.isEscalationEligible({
+      type: finding.type,
+      severity: finding.severity,
+      kind: finding.kind
+    }))
+      return;
     const count = await this.getEffectiveBlockCount(agentId);
     if (mode === "restricted") {
       if (count >= this.quarantineThreshold) {
@@ -7426,4 +7470,4 @@ export {
   createCliApproval,
   Sentinel
 };
-//# sourceMappingURL=chunk-NS6ZLMDK.js.map
+//# sourceMappingURL=chunk-GRN5P3H2.js.map

package/dist/{chunk-IYC5E7RL.js → chunk-L4R3LPJS.js}

@@ -7,6 +7,7 @@ import {
 import {
   DEFAULT_FORBIDDEN_PATTERNS,
   FORBIDDEN_BASENAMES,
+  classifyDeny,
   isPositionallySafeMention,
   matchGlobInsensitive,
   normalizeForbiddenPattern,
@@ -14,12 +15,12 @@ import {
   scanContentForForbiddenBasenames,
   scanGlobPattern,
   tokenizePaths
-} from "./chunk-QHE56MEO.js";
+} from "./chunk-QIYQWOLO.js";
 import {
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 
 // src/gateway/workspaceRouter.ts
 import { resolve, dirname } from "path";
@@ -646,7 +647,37 @@ var TOOL_MAP = {
   WebSearch: { action: "network_request", targetKey: "query" },
   Task: { action: "tool_invocation", targetKey: "description" },
   Skill: { action: "tool_invocation", targetKey: "skill" },
-  NotebookEdit: { action: "file_write", targetKey: "notebook_path" }
+  NotebookEdit: { action: "file_write", targetKey: "notebook_path" },
+  // Sprint 26 Gate-A Item D (F-8) — TOOL_MAP refresh. The 11 names above were
+  // a stale subset of cc's native tool set; with the unknown-tool deny consumer
+  // live, every missing native name would hard-fail. Inventory taken from a
+  // live cc session (2026-06). Conservative mapping: tool_invocation, with a
+  // targetKey only where the input schema is known to carry a representative
+  // free-text field (scanned by Check 2 / sensitivity like Task.description).
+  // Subagent-spawning tools (Agent/Workflow/Task*) are orchestration-only here:
+  // each spawned agent's own tool calls hook through PreToolUse individually.
+  Agent: { action: "tool_invocation", targetKey: "prompt" },
+  SendMessage: { action: "tool_invocation" },
+  AskUserQuestion: { action: "tool_invocation" },
+  ScheduleWakeup: { action: "tool_invocation", targetKey: "prompt" },
+  ToolSearch: { action: "tool_invocation", targetKey: "query" },
+  Workflow: { action: "tool_invocation", targetKey: "script" },
+  Monitor: { action: "tool_invocation" },
+  EnterPlanMode: { action: "tool_invocation" },
+  ExitPlanMode: { action: "tool_invocation" },
+  EnterWorktree: { action: "tool_invocation" },
+  ExitWorktree: { action: "tool_invocation" },
+  CronCreate: { action: "tool_invocation" },
+  CronDelete: { action: "tool_invocation" },
+  CronList: { action: "tool_invocation" },
+  TaskCreate: { action: "tool_invocation" },
+  TaskGet: { action: "tool_invocation" },
+  TaskList: { action: "tool_invocation" },
+  TaskOutput: { action: "tool_invocation" },
+  TaskStop: { action: "tool_invocation" },
+  TaskUpdate: { action: "tool_invocation" },
+  PushNotification: { action: "tool_invocation" },
+  RemoteTrigger: { action: "tool_invocation" }
 };
 var AGENT_ID = "claude-code";
 var AGENT_NAME = "Claude Code";
@@ -739,7 +770,7 @@ function extractTargets(toolName, toolInput, cwd) {
       return extractGrepTargets(toolInput, cwd);
     default: {
       const mapping = TOOL_MAP[toolName];
-      if (!mapping) return [toolName];
+      if (!mapping || !mapping.targetKey) return [toolName];
       const val = toolInput[mapping.targetKey];
       if (typeof val === "string" && val.length > 0) return [val];
       return [toolName];
@@ -778,6 +809,17 @@ function extractMcpTargets(toolName, toolInput) {
 var UNKNOWN_TOOL_REASON = "tool schema unknown \u2014 sensitivity scoring and forbidden target patterns cannot evaluate this event";
 var ClaudeCodeTranslator = class {
   agentType = "claude-code";
+  /**
+   * Sprint 26 Gate-A Item D (F-8) — operator allowlist escape hatch. Names
+   * listed in the launch policy's enforcement.allowUnknownTools translate as
+   * KNOWN tool_invocation (no _unknownTool marker), so a new cc native tool
+   * can be unbricked with a one-line policy edit + daemon restart instead of
+   * waiting on a Sentinel release that refreshes TOOL_MAP.
+   */
+  allowUnknownTools;
+  constructor(options) {
+    this.allowUnknownTools = new Set(options?.allowUnknownTools ?? []);
+  }
   translatePreToolUse(payload) {
     const p = payload;
     if (!p || typeof p !== "object" || !p.tool_name) return null;
@@ -798,7 +840,7 @@ var ClaudeCodeTranslator = class {
       metadata._policyEnforcementBypassed = "true";
       metadata._policyBypassReason = UNKNOWN_TOOL_REASON;
       console.warn(
-        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 allowing with WARN. ${UNKNOWN_TOOL_REASON}`
+        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 flagged for gateway disposition (enforcement.unknownTools; default warn). ${UNKNOWN_TOOL_REASON}`
       );
     }
     if (isMcp) {
@@ -956,6 +998,14 @@ var ClaudeCodeTranslator = class {
         mcpMutating: mcp.mutating
       };
     }
+    if (this.allowUnknownTools.has(toolName)) {
+      return {
+        action: "tool_invocation",
+        targets: [toolName],
+        isUnknown: false,
+        isMcp: false
+      };
+    }
     return {
       action: "tool_invocation",
       targets: [toolName],
@@ -1049,6 +1099,8 @@ var SentinelGateway = class {
   operatorCeiling;
   home;
   releaseToken;
+  /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
+  unknownTools;
   server = null;
   running = false;
   signalHandlersInstalled = false;
@@ -1063,6 +1115,7 @@ var SentinelGateway = class {
     this.operatorCeiling = options.operatorCeiling ?? null;
     this.home = options.home ?? "";
     this.releaseToken = options.releaseToken ?? null;
+    this.unknownTools = options.unknownTools ?? "warn";
     const internal = options;
     if (internal.registry) {
       this.registry = internal.registry;
@@ -1071,7 +1124,9 @@ var SentinelGateway = class {
       this.registry.register(internal.translator);
     } else {
       this.registry = new TranslatorRegistry();
-      this.registry.register(new ClaudeCodeTranslator());
+      this.registry.register(
+        new ClaudeCodeTranslator({ allowUnknownTools: options.allowUnknownTools })
+      );
     }
   }
   get port() {
@@ -1406,35 +1461,26 @@ var SentinelGateway = class {
       routingId = routed.agentId;
       event.agentId = routingId;
     }
-    let suppressForbiddenBasename = false;
-    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
-      const literalCommand = event.targets[0] ?? "";
-      const decodedImplicated = event.targets.slice(1).some((t) => scanBashCommand(t, FORBIDDEN_BASENAMES).matched);
-      suppressForbiddenBasename = isPositionallySafeMention(literalCommand) && !decodedImplicated;
-    }
-    if (event.action === "command_exec" && event.targets && event.targets.length > 0 && !suppressForbiddenBasename) {
-      const allL2Hits = [];
-      for (const scanTarget of event.targets) {
-        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
-        if (scan.matched) allL2Hits.push(...scan.hits);
-      }
-      if (allL2Hits.length > 0) {
+    if (event.metadata?._unknownTool === "true") {
+      const unknownName = event.metadata.ccToolName ?? event.primaryTarget;
+      if (this.unknownTools === "deny") {
         const finding = {
           severity: "HIGH",
           kind: "actionable",
-          type: "unauthorized_target",
+          type: "unknown_tool",
           agentId: event.agentId,
           agentName: event.agentName,
-          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          description: `Unknown tool "${unknownName}" denied \u2014 not in Sentinel's recognized tool set, so policy checks cannot evaluate it. If this is a legitimate tool, add it to enforcement.allowUnknownTools in the operator launch policy file and restart the gateway daemon.`,
           evidence: {
             action: event.action,
-            target: allL2Hits[0],
+            target: unknownName,
             timestamp: event.timestamp,
-            baselineComparison: "credentials_exfil_attempt"
+            baselineComparison: "unknown_tool_denied"
           },
-          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          recommendation: `Add "${unknownName}" to enforcement.allowUnknownTools in the operator launch policy file and restart the daemon, or update @tuent/sentinel to a build whose recognized tool set includes it.`,
           timestamp: event.timestamp,
-          decision: "deny"
+          decision: "deny",
+          dedupKey: unknownName
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1442,6 +1488,38 @@ var SentinelGateway = class {
         this.sendJson(res, 200, response);
         return;
       }
+      const warnFinding = {
+        severity: "LOW",
+        kind: "informational",
+        type: "unknown_tool",
+        agentId: event.agentId,
+        agentName: event.agentName,
+        description: `Unknown tool "${unknownName}" allowed (enforcement.unknownTools: warn) \u2014 not in Sentinel's recognized tool set; policy checks could not evaluate it.`,
+        evidence: {
+          action: event.action,
+          target: unknownName,
+          timestamp: event.timestamp,
+          baselineComparison: "unknown_tool_allowed_warn"
+        },
+        recommendation: `Add "${unknownName}" to enforcement.allowUnknownTools (or update @tuent/sentinel) to clear this warning, or switch enforcement.unknownTools to deny.`,
+        timestamp: event.timestamp,
+        decision: "allow",
+        dedupKey: unknownName
+      };
+      await this.sentinel.logFinding(routingId, warnFinding);
+    }
+    let suppressForbiddenBasename = false;
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
+      const literalCommand = event.targets[0] ?? "";
+      const decodedImplicated = event.targets.slice(1).some((t) => scanBashCommand(t, FORBIDDEN_BASENAMES).matched);
+      suppressForbiddenBasename = isPositionallySafeMention(literalCommand) && !decodedImplicated;
+    }
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0 && !suppressForbiddenBasename) {
+      const allL2Hits = [];
+      for (const scanTarget of event.targets) {
+        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
+        if (scan.matched) allL2Hits.push(...scan.hits);
+      }
       const allTokenPaths = [];
       let anyUnparseable = false;
       let anyDangerousConstruct = false;
@@ -1463,6 +1541,38 @@ var SentinelGateway = class {
         }
         if (matchedPath) break;
       }
+      if (allL2Hits.length > 0) {
+        const { mentionOnly } = classifyDeny(event.targets[0] ?? "", {
+          l2Hits: allL2Hits,
+          hasL1Hit: matchedPath !== null,
+          unparseable: anyUnparseable,
+          hasDangerousConstruct: anyDangerousConstruct
+        });
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          evidence: {
+            action: event.action,
+            target: allL2Hits[0],
+            timestamp: event.timestamp,
+            baselineComparison: "credentials_exfil_attempt"
+          },
+          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          timestamp: event.timestamp,
+          decision: "deny",
+          mentionOnly,
+          dedupKey: event.primaryTarget
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
       if (matchedPath) {
         const finding = {
           severity: "HIGH",
@@ -1479,7 +1589,10 @@ var SentinelGateway = class {
           },
           recommendation: "Review the command for credential or sensitive file access. If legitimate, use existing policy exception mechanisms.",
           timestamp: event.timestamp,
-          decision: "deny"
+          decision: "deny",
+          // A resolved path-glob hit is a file target — never a mention.
+          mentionOnly: false,
+          dedupKey: event.primaryTarget
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1911,15 +2024,17 @@ async function runGatewayDaemon({
   policyPath,
   port = DEFAULT_PORT
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-QHMQ67W3.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-XMSJE4DZ.js");
   const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
   const { randomBytes } = await import("crypto");
-  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2 } = await import("./policyLoader-6KR5VFVV.js");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-KZL2U4M2.js");
   const sentinel = await SentinelClass.fromPolicy(policyPath);
   const baseline = await sentinel.computeBaseline("claude-code");
   sentinel.setBaseline("claude-code", baseline);
-  const operatorCeiling = policyToRole2(await loadPolicy2(policyPath));
+  const operatorPolicy = await loadPolicy2(policyPath);
+  const operatorCeiling = policyToRole2(operatorPolicy);
+  const operatorConfig = policyToConfig2(operatorPolicy);
   const releaseToken = randomBytes(32).toString("hex");
   const gateway = new SentinelGateway({
     port,
@@ -1929,7 +2044,9 @@ async function runGatewayDaemon({
     workspaceIsolation: process.env.SENTINEL_WORKSPACE_ISOLATION !== "0",
     operatorCeiling,
     home: homedir(),
-    releaseToken
+    releaseToken,
+    unknownTools: operatorConfig.enforcement?.unknownTools,
+    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools
   });
   await gateway.start();
   const home = homedir();
@@ -1942,4 +2059,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-IYC5E7RL.js.map
+//# sourceMappingURL=chunk-L4R3LPJS.js.map

package/dist/{chunk-QHE56MEO.js → chunk-QIYQWOLO.js}

@@ -234,8 +234,43 @@ var DEFAULT_FORBIDDEN_PATTERNS = [
   "**/id_ed25519*",
   "**/*.pem",
   "**/*.key",
-  "/etc/**"
+  "/etc/**",
+  // Sprint 26 FIX 1 (A) — common credential stores. DRIFT: keep in sync with
+  // STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts (template↔defaults
+  // unification tracked in a separate ticket — do not refactor here).
+  "**/.netrc",
+  "**/.npmrc",
+  "**/.git-credentials",
+  "**/.pgpass",
+  "**/.zsh_history",
+  "**/.config/gh/**",
+  "**/.docker/config.json",
+  "**/.gnupg/**",
+  "**/.config/gcloud/**",
+  "**/.kube/**",
+  "**/Library/Keychains/**",
+  // Sprint 26 FIX 1 (B) — Sentinel's own state dir (current path only; the
+  // ~/.dahlia → ~/.sentinel rename is a separate re-arch).
+  "**/.dahlia/**",
+  // Sprint 26 FIX 3 — the live policy file and cc's hook-wiring settings files.
+  // Denies the agent's own tool-writes (policy rewrite / unhook vectors); reads
+  // stay allowed via DEFAULT_POLICY_READ_EXCEPTIONS below. The settings glob
+  // covers project AND user-level (~/.claude/settings*.json) in one pattern.
+  // DRIFT: keep in sync with STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts.
+  "**/.sentinel.yaml",
+  "**/.claude/settings*.json"
 ];
+var DEFAULT_POLICY_READ_EXCEPTIONS = [
+  { target: "**/.sentinel.yaml", allowedActions: ["file_read"] },
+  { target: "**/.claude/settings*.json", allowedActions: ["file_read"] }
+];
+function withPolicyReadExceptions(existing) {
+  const merged = existing ? [...existing] : [];
+  for (const exc of DEFAULT_POLICY_READ_EXCEPTIONS) {
+    if (!merged.some((e) => e.target === exc.target)) merged.push(exc);
+  }
+  return merged;
+}
 var DEFAULT_MEDIUM_DISPOSITION = {
   network_request: "deny"
 };
@@ -419,7 +454,7 @@ function shouldDispatchWildcard(token) {
   if (BRACE_PATTERN_RE.test(token)) return true;
   return false;
 }
-var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key)/i;
+var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key|\.netrc|\.npmrc|\.pgpass|\.zsh_history|\.gnupg|\.kube|\.dahlia)/i;
 var DANGEROUS_COMMAND_TOKENS = /* @__PURE__ */ new Set(["eval"]);
 var COMMAND_SUBSTITUTION_RE = /\$\(|`/;
 var DANGEROUS_RAW_RE = /<<<|<\(|>\(/;
@@ -577,7 +612,13 @@ var FORBIDDEN_BASENAMES = [
   "id_ecdsa",
   "id_ed25519",
   ".pem",
-  ".key"
+  ".key",
+  // Sprint 26 FIX 1 (A) — credential-store file basenames (L2 bash deny).
+  // `.git-credentials` is already covered by the "credentials" entry above.
+  ".netrc",
+  ".npmrc",
+  ".pgpass",
+  ".zsh_history"
 ];
 function scanBashCommand(command, forbiddenBasenames) {
   const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
@@ -744,6 +785,35 @@ function isPositionallySafeMention(command) {
   const safe = positionallySafeBasenames(command);
   return hits.every((h) => safe.has(h));
 }
+function classifyDeny(command, signals) {
+  const { l2Hits, hasL1Hit, unparseable, hasDangerousConstruct } = signals;
+  if (hasL1Hit || unparseable || hasDangerousConstruct) return { mentionOnly: false };
+  if (l2Hits.length === 0) return { mentionOnly: false };
+  let tokens;
+  try {
+    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
+  } catch {
+    return { mentionOnly: false };
+  }
+  if (!Array.isArray(tokens)) return { mentionOnly: false };
+  if (tokens.some((t) => isVarMarker(t))) return { mentionOnly: false };
+  const strTokens = tokens.filter((t) => typeof t === "string");
+  for (const hit of l2Hits) {
+    const h = hit.toLowerCase();
+    const confident = strTokens.some((tok) => {
+      const low = tok.toLowerCase();
+      if (!low.includes(h)) return false;
+      if (low.length === h.length) return false;
+      const reHits = scanBashCommand(tok, FORBIDDEN_BASENAMES).hits;
+      if (reHits.some((rh) => tok.length === rh.length)) return false;
+      const reTok = tokenizePaths(tok);
+      if (reTok.unparseable || reTok.hasDangerousConstruct) return false;
+      return true;
+    });
+    if (!confident) return { mentionOnly: false };
+  }
+  return { mentionOnly: true };
+}
 
 // src/roleValidator.ts
 var SUSPICIOUS_BASENAME_RE = /^\.|(\.env|secret|credential|key|config|token)/i;
@@ -832,6 +902,11 @@ function normalizeForbiddenPattern(pattern) {
   if (pattern.startsWith("**/") || pattern.startsWith("/")) return pattern;
   return "**/" + pattern;
 }
+function unionWithDefaultForbiddenPatterns(supplied) {
+  return [
+    ...new Set([...supplied ?? [], ...DEFAULT_FORBIDDEN_PATTERNS].map(normalizeForbiddenPattern))
+  ];
+}
 function isPathShaped2(value) {
   if (value.length === 0 || value.length > 4096) return false;
   if (/\s/.test(value)) return false;
@@ -1694,6 +1769,7 @@ export {
   removeOverlayDecision,
   createEmptyOverlay,
   DEFAULT_FORBIDDEN_PATTERNS,
+  withPolicyReadExceptions,
   DEFAULT_MEDIUM_DISPOSITION,
   TargetSensitivityScorer,
   tokenizePaths,
@@ -1702,12 +1778,14 @@ export {
   scanContentForForbiddenBasenames,
   scanGlobPattern,
   isPositionallySafeMention,
+  classifyDeny,
   matchGlob,
   normalizeForbiddenPattern,
+  unionWithDefaultForbiddenPatterns,
   matchGlobInsensitive,
   getTargetRecommendation,
   walkForbiddenInodeRoots,
   findMatchingException,
   RoleValidator
 };
-//# sourceMappingURL=chunk-QHE56MEO.js.map
+//# sourceMappingURL=chunk-QIYQWOLO.js.map

package/dist/{chunk-2FFMYSVC.js → chunk-WLIDSTS4.js}

@@ -210,6 +210,16 @@ function validatePolicy(data) {
         }
       }
     }
+    if (enforcement.unknownTools !== void 0) {
+      if (enforcement.unknownTools !== "deny" && enforcement.unknownTools !== "warn") {
+        fail('enforcement.unknownTools must be "deny" or "warn"');
+      }
+    }
+    if (enforcement.allowUnknownTools !== void 0) {
+      if (!Array.isArray(enforcement.allowUnknownTools) || !enforcement.allowUnknownTools.every((t) => typeof t === "string")) {
+        fail("enforcement.allowUnknownTools must be an array of tool name strings");
+      }
+    }
     if (enforcement.baselineMaturity !== void 0) {
       if (typeof enforcement.baselineMaturity !== "object" || enforcement.baselineMaturity === null) {
         fail("enforcement.baselineMaturity must be an object");
@@ -371,7 +381,7 @@ function policyToRole(policy) {
 function policyToConfig(policy) {
   const config = {};
   if (policy.enforcement) {
-    if (policy.enforcement.restrictAfter !== void 0 || policy.enforcement.quarantineAfter !== void 0 || policy.enforcement.promote !== void 0 || policy.enforcement.baselineMaturity !== void 0) {
+    if (policy.enforcement.restrictAfter !== void 0 || policy.enforcement.quarantineAfter !== void 0 || policy.enforcement.promote !== void 0 || policy.enforcement.baselineMaturity !== void 0 || policy.enforcement.unknownTools !== void 0 || policy.enforcement.allowUnknownTools !== void 0) {
       config.enforcement = {};
       if (policy.enforcement.restrictAfter !== void 0) {
         config.enforcement.restrictAfter = policy.enforcement.restrictAfter;
@@ -385,6 +395,12 @@ function policyToConfig(policy) {
       if (policy.enforcement.baselineMaturity !== void 0) {
         config.enforcement.baselineMaturity = policy.enforcement.baselineMaturity;
       }
+      if (policy.enforcement.unknownTools !== void 0) {
+        config.enforcement.unknownTools = policy.enforcement.unknownTools;
+      }
+      if (policy.enforcement.allowUnknownTools !== void 0) {
+        config.enforcement.allowUnknownTools = policy.enforcement.allowUnknownTools;
+      }
     }
   }
   if (policy.alerts) {
@@ -425,4 +441,4 @@ export {
   policyToRole,
   policyToConfig
 };
-//# sourceMappingURL=chunk-2FFMYSVC.js.map
+//# sourceMappingURL=chunk-WLIDSTS4.js.map