@tuent/sentinel 0.1.1 → 0.1.3

package/dist/{chunk-WPTJBRX5.js → chunk-2TJ5Z53T.js}

@@ -6,8 +6,12 @@ import {
   discoverPolicy
 } from "./chunk-FMZWHT4M.js";
 import {
+  FORBIDDEN_BASENAMES
+} from "./chunk-JTR2E7RD.js";
+import {
+  loadPolicy,
   loadPolicyFromString
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 
 // src/setup/initClaudeCode.ts
 import { access, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
@@ -17,13 +21,18 @@ import { createServer } from "http";
 import { fileURLToPath } from "url";
 
 // src/gateway/hookScriptSource.ts
+var SCORER_CRITICAL_EXTRAS = ["shadow", "passwd"];
+var HOOK_SENSITIVE_BASENAMES = [
+  .../* @__PURE__ */ new Set([...FORBIDDEN_BASENAMES, ...SCORER_CRITICAL_EXTRAS])
+];
 var HOOK_SCRIPT_SOURCE = `#!/usr/bin/env node
 // Sentinel cc hook bridge \u2014 generated by sentinel init claude-code
 // Do not edit manually; regenerate with: sentinel init claude-code --force
 
 import { readFileSync, appendFileSync, existsSync } from "node:fs";
-import { join } from "node:path";
+import { join, resolve, sep } from "node:path";
 import { spawn } from "node:child_process";
+import { createRequire } from "node:module";
 
 const GATEWAY_ENTRY_POINT = "__GATEWAY_ENTRY_POINT__";
 const PORT = 7847;
@@ -74,6 +83,17 @@ function logFallback(entry) {
   try { appendFileSync(FALLBACK_LOG, line + "\\n"); } catch { /* best effort */ }
 }
 
+// Sprint 26 Fix-2 Part 1 \u2014 hardcoded fail-closed FLOOR. tiers.json may ADD
+// high-tier tools but can never DOWNGRADE a floor tool to low (defeats the
+// two-step tier-config rewrite). Checked BEFORE the editable tiers below.
+const FLOOR_HIGH = ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"];
+
+// Item D \u2014 operator allowUnknownTools escape hatch, baked at init from the
+// launch policy so it survives gateway-down (the daemon allows these names
+// unconditionally at the name level, so allowing them here keeps down \u2287 up).
+// The marker default is [] \u2014 an un-substituted script stays strictest.
+const ALLOW_UNKNOWN_TOOLS = /* __ALLOW_UNKNOWN_TOOLS__ */ [];
+
 // Tier config uses flat format: { high, low, mcpDefault, unknownDefault } (plan v3.1 spec'd nested but simplified during 5a)
 function loadTiers() {
   try {
@@ -90,10 +110,52 @@ function loadTiers() {
 }
 
 function isHighSensitivity(toolName, tiers) {
+  if (FLOOR_HIGH.includes(toolName)) return true; // floor: tiers may add high, never downgrade
   if (tiers.high && tiers.high.includes(toolName)) return true;
   if (tiers.low && tiers.low.includes(toolName)) return false;
   if (toolName.startsWith("mcp__")) return tiers.mcpDefault === "high";
-  return tiers.unknownDefault === "high";
+  // Item D \u2014 operator-allowlisted names pass: gateway-up they are translated
+  // as known and allowed at the name level, so the escape hatch must survive
+  // gateway-down too.
+  if (ALLOW_UNKNOWN_TOOLS.includes(toolName)) return false;
+  // Item D floor: all other unknown names are always high-tier gateway-down.
+  // Deliberately stricter than gateway-up's warn default: the hook cannot
+  // persist findings while the daemon is down, so a warn-equivalent here
+  // would be allow-UNLOGGED \u2014 the exact F-8 hole. Hard-deny keeps down \u2287 up
+  // in both knob modes (same fail-closed stance as Fix-2's read handling),
+  // and a tiers.json edit (unknownDefault: "low") cannot reopen it. Named
+  // tools can still be tiered low explicitly via tiers.low above.
+  return true;
+}
+
+// Sprint 26 Fix-2 Part 2 \u2014 gateway-down safe-read exception.
+// INVARIANT: on gateway-down a read is NEVER more permissive than gateway-up.
+// Low-tier file reads (Read/Glob/Grep) fail CLOSED by default; only a
+// structurally-provably-safe target is allowed. The guard is GENERATED from the
+// canonical FORBIDDEN_BASENAMES (\u222A scorer extras), so it can't drift open.
+const SENSITIVE_BASENAMES = ${JSON.stringify(HOOK_SENSITIVE_BASENAMES)};
+const READ_TOOL_PATH_KEYS = { Read: "file_path", Glob: "pattern", Grep: "path" };
+
+function isProvablySafeRead(toolName, toolInput, payloadCwd) {
+  const key = READ_TOOL_PATH_KEYS[toolName];
+  if (!key) return false; // not a path-bearing read tool \u2014 not provably safe
+  const raw = toolInput && toolInput[key];
+  if (typeof raw !== "string" || raw.length === 0) return false; // no target \u2192 not provable
+  if (raw[0] === "/" || raw[0] === "~") return false; // absolute / home \u2192 fail closed
+  const cwd = typeof payloadCwd === "string" && payloadCwd ? payloadCwd : process.cwd();
+  const cwdNorm = resolve(cwd);
+  const norm = resolve(cwd, raw);
+  // Must resolve strictly within cwd (rejects any .. escape).
+  if (norm !== cwdNorm && !norm.startsWith(cwdNorm + sep)) return false;
+  const segments = norm.slice(cwdNorm.length).split(sep).filter(Boolean);
+  for (const seg of segments) {
+    const low = seg.toLowerCase();
+    if (low[0] === ".") return false; // dotfile / dot-dir
+    for (const s of SENSITIVE_BASENAMES) {
+      if (low.includes(s.toLowerCase())) return false; // conservative sensitive-token match
+    }
+  }
+  return true;
 }
 
 // ---------------------------------------------------------------------------
@@ -111,15 +173,29 @@ if (mode === "pre") {
     const result = JSON.parse(resp.body);
     process.stdout.write(JSON.stringify(result), () => process.exit(0));
   } catch {
-    // Gateway unreachable \u2014 tiered fail-closed
+    // Gateway unreachable \u2014 tiered fail-closed (Sprint 26 Fix-2).
     const tiers = loadTiers();
+    const restore = "Restart your Claude Code session to relaunch the gateway; see ~/.dahlia/gateway-fallback.log.";
     if (isHighSensitivity(toolName, tiers)) {
       logFallback({ event: "fail-closed-block", tool: toolName, tier: "high" });
       process.stderr.write(
-        \`Sentinel gateway unreachable; high-sensitivity tool "\${toolName}" blocked per fail-closed policy\`,
+        \`Sentinel gateway unreachable; high-sensitivity tool "\${toolName}" blocked per fail-closed policy. \${restore}\`,
+        () => process.exit(2),
+      );
+    } else if (
+      READ_TOOL_PATH_KEYS[toolName] &&
+      !isProvablySafeRead(toolName, payload.tool_input || {}, payload.cwd)
+    ) {
+      // Low-tier read whose target is not provably safe \u2192 fail CLOSED. The hook
+      // carries no policy, so it cannot evaluate the forbid surface; a read it
+      // can't prove safe is treated as if the gateway would deny it.
+      logFallback({ event: "fail-closed-block", tool: toolName, tier: "low", reason: "read-not-provably-safe" });
+      process.stderr.write(
+        \`Sentinel gateway unreachable; read by "\${toolName}" blocked (fail-closed: target not provably safe). \${restore}\`,
         () => process.exit(2),
       );
     } else {
+      // Provably-safe read, or a non-read low-tier tool (e.g. WebSearch) \u2192 allow.
       logFallback({ event: "fail-closed-allow", tool: toolName, tier: "low" });
       process.stdout.write(JSON.stringify({
         hookSpecificOutput: { hookEventName: "PreToolUse", permissionDecision: "allow" },
@@ -139,65 +215,37 @@ if (mode === "pre") {
   process.exit(0);
 
 } else if (mode === "session-start") {
-  // P5 cold-start readiness poll (kept byte-equivalent to
-  // setup/gatewayReadiness.ts \u2014 a generated string can't import it). Bounded WAIT
-  // on /api/sentinel/health so cc's first PreToolUse hits a LISTENING gateway
-  // instead of racing the daemon's warmup into the tiered fail-closed. Health
-  // returns 200 only once the port is bound AFTER baseline+translator wiring, so
-  // 200 == evaluation-ready. On timeout we exit anyway; the first pre-tool-use
-  // uses the existing fail-closed, UNCHANGED. Never fail-opens.
-  async function waitForGatewayReady() {
-    const deadline = Date.now() + 5000;
-    while (Date.now() < deadline) {
-      try {
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), 500);
-        try {
-          const res = await fetch(BASE_URL + "/api/sentinel/health", { signal: controller.signal });
-          if (res.ok) return; // evaluation-ready
-        } finally { clearTimeout(timer); }
-      } catch { /* not listening yet \u2014 retry until the bound */ }
-      await new Promise((r) => setTimeout(r, 100));
-    }
-    // timed out \u2014 fall through; the first pre-tool-use uses the existing fail-closed.
-  }
-
-  // Check if gateway is already running (simple liveness; full PID validity is 5c)
-  if (existsSync(PID_PATH)) {
+  // Delegate the FULL lifecycle decision \u2014 liveness, build-version check, relaunch
+  // on stale build, and spawn \u2014 to runSessionStart via the dual-mode daemon entry.
+  // One source of truth: this generated file carries NO copy of that logic
+  // (anti-drift). We resolve the daemon entry from the PROJECT (cwd) at
+  // hook-runtime so a relocated install (pnpm / version bump) launches the CURRENT
+  // build rather than the init-time baked path; we fall back to the baked path
+  // (dev tree, or package not resolvable from cwd). The launcher itself performs
+  // the bounded readiness wait, so awaiting its exit preserves the cold-start
+  // guarantee (first PreToolUse hits a ready gateway, or the existing fail-closed).
+  function resolveDaemonEntry() {
     try {
-      const pid = parseInt(readFileSync(PID_PATH, "utf-8").trim(), 10);
-      process.kill(pid, 0); // throws if process doesn't exist
-      await waitForGatewayReady(); // alive but may still be warming \u2014 wait, bounded
-      process.exit(0); // gateway is running (and now ready, or timed out)
-    } catch {
-      // Stale PID \u2014 continue to launch
-    }
-  }
-
-  // Discover .sentinel.yaml by walking up from cwd
-  let dir = process.cwd();
-  let policyPath = null;
-  while (true) {
-    const candidate = join(dir, ".sentinel.yaml");
-    if (existsSync(candidate)) { policyPath = candidate; break; }
-    const parent = join(dir, "..");
-    if (parent === dir) break; // filesystem root
-    dir = parent;
+      const require = createRequire(join(process.cwd(), "package.json"));
+      const pkg = require.resolve("@tuent/sentinel/package.json");
+      const candidate = join(pkg, "..", "dist", "gatewayDaemon.js");
+      if (existsSync(candidate)) return candidate;
+    } catch { /* not resolvable from cwd \u2014 fall back */ }
+    return GATEWAY_ENTRY_POINT;
   }
 
-  if (!policyPath) {
-    process.stderr.write("Sentinel: no .sentinel.yaml found. Gateway not started.\\n", () => process.exit(0));
-  }
-
-  // Launch gateway daemon (detached). Extension-aware: an installed package
-  // substitutes dist/gatewayDaemon.js (plain node); the dev tree substitutes a
-  // .ts (node --import tsx/esm).
-  const gatewayArgs = GATEWAY_ENTRY_POINT.endsWith(".ts")
-    ? ["--import", "tsx/esm", GATEWAY_ENTRY_POINT, "--policy", policyPath, "--port", String(PORT)]
-    : [GATEWAY_ENTRY_POINT, "--policy", policyPath, "--port", String(PORT)];
-  const child = spawn("node", gatewayArgs, { detached: true, stdio: "ignore" });
-  child.unref();
-  await waitForGatewayReady(); // bounded wait for the just-spawned daemon to bind
+  const entry = resolveDaemonEntry();
+  const launchArgs = entry.endsWith(".ts")
+    ? ["--import", "tsx/esm", entry, "--session-start", "--port", String(PORT), "--cwd", process.cwd()]
+    : [entry, "--session-start", "--port", String(PORT), "--cwd", process.cwd()];
+  await new Promise((res) => {
+    const child = spawn("node", launchArgs, { stdio: "ignore" });
+    // Safety bound: a wedged launcher must never hang the cc session. On timeout
+    // we return; the daemon may still be coming up and the first call fail-closes.
+    const safety = setTimeout(() => { try { child.kill(); } catch {} res(undefined); }, 15000);
+    child.on("exit", () => { clearTimeout(safety); res(undefined); });
+    child.on("error", () => { clearTimeout(safety); res(undefined); });
+  });
   process.exit(0);
 
 } else if (mode === "session-end") {
@@ -322,6 +370,11 @@ agent:
 policy:
   allow:
     actions: [file_read, file_write, tool_invocation, network_request, command_exec]
+    # allow.targets is ADVISORY for file_read / file_write / tool_invocation: an
+    # access outside this list is logged as a MEDIUM scope_violation but still
+    # runs \u2014 Sentinel governs the agent's own tool calls, it is not a filesystem
+    # sandbox. forbid.targets below is the hard deny. network_request is the
+    # exception: unlisted hosts are DENIED by default (see the networkHosts note).
     targets:
       - "src/**"
       - "test/**"
@@ -378,6 +431,28 @@ policy:
       - "**/*.pem"
       - "**/*.key"
       - "/etc/**"
+      # Sprint 26 FIX 1 (A) \u2014 common credential stores. DRIFT: keep in sync with
+      # DEFAULT_FORBIDDEN_PATTERNS in defaults.ts (unification tracked separately).
+      - "**/.netrc"
+      - "**/.npmrc"
+      - "**/.git-credentials"
+      - "**/.pgpass"
+      - "**/.zsh_history"
+      - "**/.config/gh/**"
+      - "**/.docker/config.json"
+      - "**/.gnupg/**"
+      - "**/.config/gcloud/**"
+      - "**/.kube/**"
+      - "**/Library/Keychains/**"
+      # Sprint 26 FIX 1 (B) \u2014 Sentinel's own state dir (current path only).
+      - "**/.dahlia/**"
+      # Sprint 26 FIX 3 \u2014 this policy file and cc's hook-wiring settings files.
+      # Agent tool-writes are denied; reads stay allowed via a code-side ceiling
+      # exception (not authorable here \u2014 workspace-authored exceptions are
+      # dropped by the ceiling merge, by design). DRIFT: keep in sync with
+      # DEFAULT_FORBIDDEN_PATTERNS in defaults.ts.
+      - "**/.sentinel.yaml"
+      - "**/.claude/settings*.json"
 enforcement:
   restrictAfter: 3
   quarantineAfter: 5
@@ -418,7 +493,16 @@ async function runInitClaudeCode(options) {
   );
   const hookPath = join(dahliaDir, "cc-hook.mjs");
   const gatewayEntryPoint = resolveGatewayEntryPoint();
-  const hookContent = HOOK_SCRIPT_SOURCE.replace(/__GATEWAY_ENTRY_POINT__/g, gatewayEntryPoint);
+  let allowUnknownTools = [];
+  try {
+    const effectivePolicy = await loadPolicy(policyPath);
+    allowUnknownTools = effectivePolicy.enforcement?.allowUnknownTools ?? [];
+  } catch {
+  }
+  const hookContent = HOOK_SCRIPT_SOURCE.replace(
+    /__GATEWAY_ENTRY_POINT__/g,
+    gatewayEntryPoint
+  ).replace("/* __ALLOW_UNKNOWN_TOOLS__ */ []", JSON.stringify(allowUnknownTools));
   if (hookContent.includes("__GATEWAY_ENTRY_POINT__")) {
     throw new Error("Failed to substitute all __GATEWAY_ENTRY_POINT__ placeholders");
   }
@@ -477,9 +561,22 @@ async function writeIfAbsent(path, content, force, report, mode) {
   report.created.push(path);
 }
 
+// src/setup/buildId.ts
+import { createHash } from "crypto";
+import { readFileSync } from "fs";
+function computeBuildId(entryPath) {
+  try {
+    return createHash("sha256").update(readFileSync(entryPath)).digest("hex");
+  } catch {
+    return "unknown";
+  }
+}
+
 // src/setup/sessionStart.ts
 import { spawn } from "child_process";
 import { homedir } from "os";
+import { openSync, closeSync, unlinkSync, statSync, mkdirSync } from "fs";
+import { join as join2 } from "path";
 
 // src/setup/gatewayReadiness.ts
 var GATEWAY_READY_TIMEOUT_MS = 5e3;
@@ -508,6 +605,87 @@ async function waitForGatewayReady(port, options) {
 }
 
 // src/setup/sessionStart.ts
+var KILL_GRACE_MS = 3e3;
+var KILL_POLL_MS = 100;
+var RELAUNCH_LOCK_STALE_MS = 15e3;
+function relaunchLockPath(home) {
+  return join2(home, ".dahlia", "gateway-relaunch.lock");
+}
+async function fetchHealthBuildId(port) {
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 500);
+    try {
+      const res = await fetch(`http://localhost:${port}/api/sentinel/health`, {
+        signal: controller.signal
+      });
+      if (!res.ok) return null;
+      const body = await res.json();
+      return typeof body.buildId === "string" ? body.buildId : null;
+    } finally {
+      clearTimeout(timer);
+    }
+  } catch {
+    return null;
+  }
+}
+function isAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function terminateDaemon(pid) {
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    return;
+  }
+  const deadline = Date.now() + KILL_GRACE_MS;
+  while (Date.now() < deadline) {
+    if (!isAlive(pid)) return;
+    await new Promise((r) => setTimeout(r, KILL_POLL_MS));
+  }
+  if (isAlive(pid)) {
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch {
+    }
+  }
+}
+function acquireRelaunchLock(home) {
+  const path = relaunchLockPath(home);
+  try {
+    closeSync(openSync(path, "wx"));
+    return true;
+  } catch {
+    try {
+      const age = Date.now() - statSync(path).mtimeMs;
+      if (age > RELAUNCH_LOCK_STALE_MS) {
+        unlinkSync(path);
+        closeSync(openSync(path, "wx"));
+        return true;
+      }
+    } catch {
+    }
+    return false;
+  }
+}
+function releaseRelaunchLock(home) {
+  try {
+    unlinkSync(relaunchLockPath(home));
+  } catch {
+  }
+}
+function spawnDaemon(entry, policyPath, port, home) {
+  const args = entry.endsWith(".ts") ? ["--import", "tsx/esm", entry, "--policy", policyPath, "--port", String(port)] : [entry, "--policy", policyPath, "--port", String(port)];
+  const child = spawn("node", args, { detached: true, stdio: "ignore" });
+  child.unref();
+  if (child.pid) writePidFile(home, child.pid);
+  return child.pid;
+}
 async function runSessionStart(options) {
   const cwd = options?.cwd ?? process.cwd();
   const home = options?.home ?? homedir();
@@ -516,24 +694,39 @@ async function runSessionStart(options) {
   if (!policyPath) {
     return { action: "no-policy" };
   }
+  mkdirSync(join2(home, ".dahlia"), { recursive: true });
+  const gatewayEntry = options?.gatewayEntry ?? resolveGatewayEntryPoint();
+  const localBuildId = computeBuildId(gatewayEntry);
   const lock = acquireGatewayLock(home);
   if (lock.reused) {
-    await waitForGatewayReady(port);
-    return { action: "reused", pid: lock.pid, policyPath };
-  }
-  const gatewayEntry = resolveGatewayEntryPoint();
-  const gatewayArgs = gatewayEntry.endsWith(".ts") ? ["--import", "tsx/esm", gatewayEntry, "--policy", policyPath, "--port", String(port)] : [gatewayEntry, "--policy", policyPath, "--port", String(port)];
-  const child = spawn("node", gatewayArgs, { detached: true, stdio: "ignore" });
-  child.unref();
-  if (child.pid) {
-    writePidFile(home, child.pid);
+    const remoteBuildId = await fetchHealthBuildId(port);
+    if (remoteBuildId !== null && remoteBuildId === localBuildId) {
+      await waitForGatewayReady(port);
+      return { action: "reused", pid: lock.pid, policyPath, relaunchReason: null };
+    }
+    const reason = remoteBuildId === null ? "health-unreachable-or-unknown" : "build-mismatch";
+    if (!acquireRelaunchLock(home)) {
+      await waitForGatewayReady(port);
+      const peerPid = acquireGatewayLock(home).pid ?? lock.pid;
+      return { action: "reused", pid: peerPid, policyPath, relaunchReason: null };
+    }
+    try {
+      if (lock.pid) await terminateDaemon(lock.pid);
+      const pid2 = spawnDaemon(gatewayEntry, policyPath, port, home);
+      await waitForGatewayReady(port);
+      return { action: "relaunched", pid: pid2, policyPath, relaunchReason: reason };
+    } finally {
+      releaseRelaunchLock(home);
+    }
   }
+  const pid = spawnDaemon(gatewayEntry, policyPath, port, home);
   await waitForGatewayReady(port);
-  return { action: "spawned", pid: child.pid, policyPath };
+  return { action: "spawned", pid, policyPath, relaunchReason: null };
 }
 
 export {
   runInitClaudeCode,
+  computeBuildId,
   runSessionStart
 };
-//# sourceMappingURL=chunk-WPTJBRX5.js.map
+//# sourceMappingURL=chunk-2TJ5Z53T.js.map