@tuent/sentinel 0.1.1 → 0.1.3

package/dist/{chunk-IYC5E7RL.js → chunk-G74MMDKA.js}

@@ -7,6 +7,7 @@ import {
 import {
   DEFAULT_FORBIDDEN_PATTERNS,
   FORBIDDEN_BASENAMES,
+  classifyDeny,
   isPositionallySafeMention,
   matchGlobInsensitive,
   normalizeForbiddenPattern,
@@ -14,12 +15,12 @@ import {
   scanContentForForbiddenBasenames,
   scanGlobPattern,
   tokenizePaths
-} from "./chunk-QHE56MEO.js";
+} from "./chunk-JTR2E7RD.js";
 import {
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 
 // src/gateway/workspaceRouter.ts
 import { resolve, dirname } from "path";
@@ -646,7 +647,37 @@ var TOOL_MAP = {
   WebSearch: { action: "network_request", targetKey: "query" },
   Task: { action: "tool_invocation", targetKey: "description" },
   Skill: { action: "tool_invocation", targetKey: "skill" },
-  NotebookEdit: { action: "file_write", targetKey: "notebook_path" }
+  NotebookEdit: { action: "file_write", targetKey: "notebook_path" },
+  // Sprint 26 Gate-A Item D (F-8) — TOOL_MAP refresh. The 11 names above were
+  // a stale subset of cc's native tool set; with the unknown-tool deny consumer
+  // live, every missing native name would hard-fail. Inventory taken from a
+  // live cc session (2026-06). Conservative mapping: tool_invocation, with a
+  // targetKey only where the input schema is known to carry a representative
+  // free-text field (scanned by Check 2 / sensitivity like Task.description).
+  // Subagent-spawning tools (Agent/Workflow/Task*) are orchestration-only here:
+  // each spawned agent's own tool calls hook through PreToolUse individually.
+  Agent: { action: "tool_invocation", targetKey: "prompt" },
+  SendMessage: { action: "tool_invocation" },
+  AskUserQuestion: { action: "tool_invocation" },
+  ScheduleWakeup: { action: "tool_invocation", targetKey: "prompt" },
+  ToolSearch: { action: "tool_invocation", targetKey: "query" },
+  Workflow: { action: "tool_invocation", targetKey: "script" },
+  Monitor: { action: "tool_invocation" },
+  EnterPlanMode: { action: "tool_invocation" },
+  ExitPlanMode: { action: "tool_invocation" },
+  EnterWorktree: { action: "tool_invocation" },
+  ExitWorktree: { action: "tool_invocation" },
+  CronCreate: { action: "tool_invocation" },
+  CronDelete: { action: "tool_invocation" },
+  CronList: { action: "tool_invocation" },
+  TaskCreate: { action: "tool_invocation" },
+  TaskGet: { action: "tool_invocation" },
+  TaskList: { action: "tool_invocation" },
+  TaskOutput: { action: "tool_invocation" },
+  TaskStop: { action: "tool_invocation" },
+  TaskUpdate: { action: "tool_invocation" },
+  PushNotification: { action: "tool_invocation" },
+  RemoteTrigger: { action: "tool_invocation" }
 };
 var AGENT_ID = "claude-code";
 var AGENT_NAME = "Claude Code";
@@ -739,7 +770,7 @@ function extractTargets(toolName, toolInput, cwd) {
       return extractGrepTargets(toolInput, cwd);
     default: {
       const mapping = TOOL_MAP[toolName];
-      if (!mapping) return [toolName];
+      if (!mapping || !mapping.targetKey) return [toolName];
       const val = toolInput[mapping.targetKey];
       if (typeof val === "string" && val.length > 0) return [val];
       return [toolName];
@@ -755,29 +786,56 @@ function mcpVerbIsMutating(toolName) {
   const tokens = seg.split(/[_-]/).filter((t) => t.length > 0);
   return tokens.some((t) => MCP_MUTATING_VERBS.some((v) => t.startsWith(v)));
 }
+var MCP_MAX_DEPTH = 6;
+var MCP_MAX_NODES = 1e3;
+function collectMcpStrings(value, depth, state) {
+  if (state.nodes >= MCP_MAX_NODES) {
+    state.truncated = true;
+    return;
+  }
+  state.nodes++;
+  if (typeof value === "string") {
+    if (value.length > 0) state.strings.push(value);
+    return;
+  }
+  if (value === null || typeof value !== "object") return;
+  if (depth >= MCP_MAX_DEPTH) {
+    state.truncated = true;
+    return;
+  }
+  const children = Array.isArray(value) ? value : Object.values(value);
+  for (const child of children) collectMcpStrings(child, depth + 1, state);
+}
 function extractMcpTargets(toolName, toolInput) {
   const targets = [toolName];
   const keys = Object.keys(toolInput);
-  let extractedStrings = 0;
-  for (const key of keys) {
-    const value = toolInput[key];
-    if (typeof value !== "string" || value.length === 0) continue;
-    extractedStrings++;
+  const state = { strings: [], nodes: 0, truncated: false };
+  for (const key of keys) collectMcpStrings(toolInput[key], 1, state);
+  for (const value of state.strings) {
     targets.push(value);
     const resolved = runResolverPipeline(value);
-    for (const r of resolved) {
-      targets.push(r);
-    }
+    for (const r of resolved) targets.push(r);
   }
   return {
     targets,
-    unextractable: keys.length > 0 && extractedStrings === 0,
+    unextractable: keys.length > 0 && (state.strings.length === 0 || state.truncated),
     mutating: mcpVerbIsMutating(toolName)
   };
 }
 var UNKNOWN_TOOL_REASON = "tool schema unknown \u2014 sensitivity scoring and forbidden target patterns cannot evaluate this event";
 var ClaudeCodeTranslator = class {
   agentType = "claude-code";
+  /**
+   * Sprint 26 Gate-A Item D (F-8) — operator allowlist escape hatch. Names
+   * listed in the launch policy's enforcement.allowUnknownTools translate as
+   * KNOWN tool_invocation (no _unknownTool marker), so a new cc native tool
+   * can be unbricked with a one-line policy edit + daemon restart instead of
+   * waiting on a Sentinel release that refreshes TOOL_MAP.
+   */
+  allowUnknownTools;
+  constructor(options) {
+    this.allowUnknownTools = new Set(options?.allowUnknownTools ?? []);
+  }
   translatePreToolUse(payload) {
     const p = payload;
     if (!p || typeof p !== "object" || !p.tool_name) return null;
@@ -798,7 +856,7 @@ var ClaudeCodeTranslator = class {
       metadata._policyEnforcementBypassed = "true";
       metadata._policyBypassReason = UNKNOWN_TOOL_REASON;
       console.warn(
-        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 allowing with WARN. ${UNKNOWN_TOOL_REASON}`
+        `[SENTINEL] Unknown Claude Code tool "${toolName}" \u2014 flagged for gateway disposition (enforcement.unknownTools; default warn). ${UNKNOWN_TOOL_REASON}`
       );
     }
     if (isMcp) {
@@ -956,6 +1014,14 @@ var ClaudeCodeTranslator = class {
         mcpMutating: mcp.mutating
       };
     }
+    if (this.allowUnknownTools.has(toolName)) {
+      return {
+        action: "tool_invocation",
+        targets: [toolName],
+        isUnknown: false,
+        isMcp: false
+      };
+    }
     return {
       action: "tool_invocation",
       targets: [toolName],
@@ -994,7 +1060,6 @@ function buildModifiedGrepInput(originalInput, exclusions) {
 import { timingSafeEqual } from "crypto";
 var DEFAULT_PORT = 7847;
 var MAX_BODY_SIZE = 1024 * 1024;
-var GATEWAY_VERSION = "0.1.0";
 function isLoopbackAddress(addr) {
   if (!addr) return false;
   return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1" || addr.startsWith("127.");
@@ -1049,6 +1114,11 @@ var SentinelGateway = class {
   operatorCeiling;
   home;
   releaseToken;
+  /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
+  unknownTools;
+  /** Daemon-staleness build identity (content hash of the launched-from entry),
+   *  reported via /health. "unknown" when not supplied by the launcher. */
+  buildId;
   server = null;
   running = false;
   signalHandlersInstalled = false;
@@ -1063,6 +1133,8 @@ var SentinelGateway = class {
     this.operatorCeiling = options.operatorCeiling ?? null;
     this.home = options.home ?? "";
     this.releaseToken = options.releaseToken ?? null;
+    this.unknownTools = options.unknownTools ?? "warn";
+    this.buildId = options.buildId ?? "unknown";
     const internal = options;
     if (internal.registry) {
       this.registry = internal.registry;
@@ -1071,7 +1143,9 @@ var SentinelGateway = class {
       this.registry.register(internal.translator);
     } else {
       this.registry = new TranslatorRegistry();
-      this.registry.register(new ClaudeCodeTranslator());
+      this.registry.register(
+        new ClaudeCodeTranslator({ allowUnknownTools: options.allowUnknownTools })
+      );
     }
   }
   get port() {
@@ -1180,7 +1254,11 @@ var SentinelGateway = class {
         const snap = this.telemetry.getSnapshot();
         this.sendJson(res, 200, {
           status: "running",
-          version: GATEWAY_VERSION,
+          // Daemon-staleness build identity (content hash of the launched-from
+          // entry). Replaces the former hardcoded GATEWAY_VERSION, which had
+          // drifted from package.json and would have mismatched spuriously.
+          // session-start compares this to the current on-disk entry hash.
+          buildId: this.buildId,
           uptime: snap.uptime_seconds
         });
         return;
@@ -1406,35 +1484,26 @@ var SentinelGateway = class {
       routingId = routed.agentId;
       event.agentId = routingId;
     }
-    let suppressForbiddenBasename = false;
-    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
-      const literalCommand = event.targets[0] ?? "";
-      const decodedImplicated = event.targets.slice(1).some((t) => scanBashCommand(t, FORBIDDEN_BASENAMES).matched);
-      suppressForbiddenBasename = isPositionallySafeMention(literalCommand) && !decodedImplicated;
-    }
-    if (event.action === "command_exec" && event.targets && event.targets.length > 0 && !suppressForbiddenBasename) {
-      const allL2Hits = [];
-      for (const scanTarget of event.targets) {
-        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
-        if (scan.matched) allL2Hits.push(...scan.hits);
-      }
-      if (allL2Hits.length > 0) {
+    if (event.metadata?._unknownTool === "true") {
+      const unknownName = event.metadata.ccToolName ?? event.primaryTarget;
+      if (this.unknownTools === "deny") {
         const finding = {
           severity: "HIGH",
           kind: "actionable",
-          type: "unauthorized_target",
+          type: "unknown_tool",
           agentId: event.agentId,
           agentName: event.agentName,
-          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          description: `Unknown tool "${unknownName}" denied \u2014 not in Sentinel's recognized tool set, so policy checks cannot evaluate it. If this is a legitimate tool, add it to enforcement.allowUnknownTools in the operator launch policy file and restart the gateway daemon.`,
           evidence: {
             action: event.action,
-            target: allL2Hits[0],
+            target: unknownName,
             timestamp: event.timestamp,
-            baselineComparison: "credentials_exfil_attempt"
+            baselineComparison: "unknown_tool_denied"
           },
-          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          recommendation: `Add "${unknownName}" to enforcement.allowUnknownTools in the operator launch policy file and restart the daemon, or update @tuent/sentinel to a build whose recognized tool set includes it.`,
           timestamp: event.timestamp,
-          decision: "deny"
+          decision: "deny",
+          dedupKey: unknownName
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1442,6 +1511,38 @@ var SentinelGateway = class {
         this.sendJson(res, 200, response);
         return;
       }
+      const warnFinding = {
+        severity: "LOW",
+        kind: "informational",
+        type: "unknown_tool",
+        agentId: event.agentId,
+        agentName: event.agentName,
+        description: `Unknown tool "${unknownName}" allowed (enforcement.unknownTools: warn) \u2014 not in Sentinel's recognized tool set; policy checks could not evaluate it.`,
+        evidence: {
+          action: event.action,
+          target: unknownName,
+          timestamp: event.timestamp,
+          baselineComparison: "unknown_tool_allowed_warn"
+        },
+        recommendation: `Add "${unknownName}" to enforcement.allowUnknownTools (or update @tuent/sentinel) to clear this warning, or switch enforcement.unknownTools to deny.`,
+        timestamp: event.timestamp,
+        decision: "allow",
+        dedupKey: unknownName
+      };
+      await this.sentinel.logFinding(routingId, warnFinding);
+    }
+    let suppressForbiddenBasename = false;
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0) {
+      const literalCommand = event.targets[0] ?? "";
+      const decodedImplicated = event.targets.slice(1).some((t) => scanBashCommand(t, FORBIDDEN_BASENAMES).matched);
+      suppressForbiddenBasename = isPositionallySafeMention(literalCommand) && !decodedImplicated;
+    }
+    if (event.action === "command_exec" && event.targets && event.targets.length > 0 && !suppressForbiddenBasename) {
+      const allL2Hits = [];
+      for (const scanTarget of event.targets) {
+        const scan = scanBashCommand(scanTarget, FORBIDDEN_BASENAMES);
+        if (scan.matched) allL2Hits.push(...scan.hits);
+      }
       const allTokenPaths = [];
       let anyUnparseable = false;
       let anyDangerousConstruct = false;
@@ -1463,6 +1564,40 @@ var SentinelGateway = class {
         }
         if (matchedPath) break;
       }
+      if (allL2Hits.length > 0) {
+        const { mentionOnly } = classifyDeny(event.targets[0] ?? "", {
+          l2Hits: allL2Hits,
+          hasL1Hit: matchedPath !== null,
+          unparseable: anyUnparseable,
+          hasDangerousConstruct: anyDangerousConstruct
+        });
+        const targetKey = matchedPath ?? `l2:${[...new Set(allL2Hits)].sort().join(",")}`;
+        const finding = {
+          severity: "HIGH",
+          kind: "actionable",
+          type: "unauthorized_target",
+          agentId: event.agentId,
+          agentName: event.agentName,
+          description: `Bash command references forbidden basename: ${allL2Hits.join(", ")}`,
+          evidence: {
+            action: event.action,
+            target: allL2Hits[0],
+            timestamp: event.timestamp,
+            baselineComparison: "credentials_exfil_attempt"
+          },
+          recommendation: "Review the command for credential access or exfiltration. If legitimate, use existing policy exception mechanisms.",
+          timestamp: event.timestamp,
+          decision: "deny",
+          mentionOnly,
+          dedupKey: event.primaryTarget,
+          targetKey
+        };
+        await this.sentinel.handleGatewayDeny(routingId, finding);
+        this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
+        const response = translator.formatPreToolUseResponse({ blocked: true, finding });
+        this.sendJson(res, 200, response);
+        return;
+      }
       if (matchedPath) {
         const finding = {
           severity: "HIGH",
@@ -1479,7 +1614,12 @@ var SentinelGateway = class {
           },
           recommendation: "Review the command for credential or sensitive file access. If legitimate, use existing policy exception mechanisms.",
           timestamp: event.timestamp,
-          decision: "deny"
+          decision: "deny",
+          // A resolved path-glob hit is a file target — never a mention.
+          mentionOnly: false,
+          dedupKey: event.primaryTarget,
+          // F-5a: the resolved forbidden path IS the target identity here.
+          targetKey: matchedPath
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1909,17 +2049,20 @@ var SentinelGateway = class {
 };
 async function runGatewayDaemon({
   policyPath,
-  port = DEFAULT_PORT
+  port = DEFAULT_PORT,
+  buildId
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-QHMQ67W3.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-5CQ6HKXS.js");
   const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
   const { randomBytes } = await import("crypto");
-  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2 } = await import("./policyLoader-6KR5VFVV.js");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-KZL2U4M2.js");
   const sentinel = await SentinelClass.fromPolicy(policyPath);
   const baseline = await sentinel.computeBaseline("claude-code");
   sentinel.setBaseline("claude-code", baseline);
-  const operatorCeiling = policyToRole2(await loadPolicy2(policyPath));
+  const operatorPolicy = await loadPolicy2(policyPath);
+  const operatorCeiling = policyToRole2(operatorPolicy);
+  const operatorConfig = policyToConfig2(operatorPolicy);
   const releaseToken = randomBytes(32).toString("hex");
   const gateway = new SentinelGateway({
     port,
@@ -1929,7 +2072,10 @@ async function runGatewayDaemon({
     workspaceIsolation: process.env.SENTINEL_WORKSPACE_ISOLATION !== "0",
     operatorCeiling,
     home: homedir(),
-    releaseToken
+    releaseToken,
+    unknownTools: operatorConfig.enforcement?.unknownTools,
+    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools,
+    buildId
   });
   await gateway.start();
   const home = homedir();
@@ -1942,4 +2088,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-IYC5E7RL.js.map
+//# sourceMappingURL=chunk-G74MMDKA.js.map