@tuent/sentinel 0.1.2 → 0.1.4

package/dist/{chunk-L4R3LPJS.js → chunk-HRI2Y326.js}

@@ -3,9 +3,8 @@ import {
 } from "./chunk-B5QKJHSV.js";
 import {
   discoverPolicy
-} from "./chunk-FMZWHT4M.js";
+} from "./chunk-B6S2PBS4.js";
 import {
-  DEFAULT_FORBIDDEN_PATTERNS,
   FORBIDDEN_BASENAMES,
   classifyDeny,
   isPositionallySafeMention,
@@ -14,16 +13,18 @@ import {
   scanBashCommand,
   scanContentForForbiddenBasenames,
   scanGlobPattern,
-  tokenizePaths
-} from "./chunk-QIYQWOLO.js";
+  tokenizePaths,
+  unionWithDefaultForbiddenPatterns
+} from "./chunk-FIEIGBYL.js";
 import {
+  DEFAULT_FORBIDDEN_PATTERNS,
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-WLIDSTS4.js";
+} from "./chunk-KWZ7JKKO.js";
 
 // src/gateway/workspaceRouter.ts
-import { resolve, dirname } from "path";
+import { resolve, dirname, sep } from "path";
 
 // src/mergeRoles.ts
 function isWithinActiveHours(hour, range) {
@@ -251,15 +252,35 @@ async function resolveWorkspace(cwd, home) {
   const policyPath = discoverPolicy(start, home);
   let root = start;
   let workspaceRole = null;
+  const warnings = [];
   if (policyPath) {
     const policy = await loadPolicy(policyPath);
+    const policyDir = dirname(resolve(policyPath));
+    root = policyDir;
     const repoRoot = policyToConfig(policy).repo?.root;
-    root = repoRoot ? resolve(repoRoot) : dirname(resolve(policyPath));
+    if (repoRoot) {
+      const declared = resolve(policyDir, repoRoot);
+      const homeAbs = resolve(home);
+      const declaredPrefix = declared.endsWith(sep) ? declared : declared + sep;
+      const containsPolicy = policyDir === declared || policyDir.startsWith(declaredPrefix);
+      const aboveHome = declared !== homeAbs && homeAbs.startsWith(declaredPrefix);
+      if (!containsPolicy) {
+        warnings.push(
+          `repo.root "${repoRoot}" (resolves to "${declared}") does not contain the policy file "${policyPath}" \u2014 anchoring to the policy's own directory "${policyDir}" instead`
+        );
+      } else if (aboveHome) {
+        warnings.push(
+          `repo.root "${repoRoot}" (resolves to "${declared}") reaches above the home directory \u2014 anchoring to the policy's own directory "${policyDir}" instead`
+        );
+      } else {
+        root = declared;
+      }
+    }
     workspaceRole = policyToRole(policy);
   }
   return {
     ok: true,
-    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole }
+    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole, warnings }
   };
 }
 function effectiveRole(ceiling, workspaceRole) {
@@ -347,11 +368,11 @@ var TranslatorRegistry = class {
 
 // src/gateway/runtimeConstructionResolvers.ts
 var MAX_RECURSION_DEPTH = 3;
-var INTERPRETER_RE = /\b(?:python[23]?|node|ruby|perl|php)\s+(?:-[cer])\s+(.+)/s;
+var INTERPRETER_RE = /\b(?:python|node|ruby|perl|php)[0-9.]*\s+(?:\S+\s+)*?-[cer]/;
 var NESTED_ENCODING_RE = /chr\(\d+\)|String\.fromCharCode|\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}|printf\s/;
 var PRINTF_HEX_RE = /printf\s+['"]?[^'"]*\\x[0-9a-fA-F]{2}/;
 var PRINTF_OCT_RE = /printf\s+['"]?[^'"]*\\[0-7]{1,3}/;
-var B1_CONTEXT_RE = /(?:\bbase64\s+(?:-d|--decode)\b|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
+var B1_CONTEXT_RE = /(?:\bbase64\s+(?:--decode\b|-[a-zA-Z]*[dD][a-zA-Z]*\b)|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
 var ECHO_E_HEX_RE = /\becho\s+(?:-\w+\s+)*-\w*e\w*\b[^|;&\n]*\\x[0-9a-fA-F]{2}/;
 var ANSI_C_QUOTE_HEX_RE = /\$'[^']*\\x[0-9a-fA-F]{2}/;
 var ANSI_C_QUOTE_OCT_RE = /\$'[^']*\\[0-7]{1,3}/;
@@ -786,23 +807,39 @@ function mcpVerbIsMutating(toolName) {
   const tokens = seg.split(/[_-]/).filter((t) => t.length > 0);
   return tokens.some((t) => MCP_MUTATING_VERBS.some((v) => t.startsWith(v)));
 }
+var MCP_MAX_DEPTH = 6;
+var MCP_MAX_NODES = 1e3;
+function collectMcpStrings(value, depth, state) {
+  if (state.nodes >= MCP_MAX_NODES) {
+    state.truncated = true;
+    return;
+  }
+  state.nodes++;
+  if (typeof value === "string") {
+    if (value.length > 0) state.strings.push(value);
+    return;
+  }
+  if (value === null || typeof value !== "object") return;
+  if (depth >= MCP_MAX_DEPTH) {
+    state.truncated = true;
+    return;
+  }
+  const children = Array.isArray(value) ? value : Object.values(value);
+  for (const child of children) collectMcpStrings(child, depth + 1, state);
+}
 function extractMcpTargets(toolName, toolInput) {
   const targets = [toolName];
   const keys = Object.keys(toolInput);
-  let extractedStrings = 0;
-  for (const key of keys) {
-    const value = toolInput[key];
-    if (typeof value !== "string" || value.length === 0) continue;
-    extractedStrings++;
+  const state = { strings: [], nodes: 0, truncated: false };
+  for (const key of keys) collectMcpStrings(toolInput[key], 1, state);
+  for (const value of state.strings) {
     targets.push(value);
     const resolved = runResolverPipeline(value);
-    for (const r of resolved) {
-      targets.push(r);
-    }
+    for (const r of resolved) targets.push(r);
   }
   return {
     targets,
-    unextractable: keys.length > 0 && extractedStrings === 0,
+    unextractable: keys.length > 0 && (state.strings.length === 0 || state.truncated),
     mutating: mcpVerbIsMutating(toolName)
   };
 }
@@ -1016,17 +1053,25 @@ var ClaudeCodeTranslator = class {
 };
 
 // src/gateway/grepRewriter.ts
+function toRelativeExclusionGlob(pattern) {
+  return pattern.startsWith("/") ? "**" + pattern : pattern;
+}
 function buildGrepExclusions(forbiddenPatterns) {
   const flags = [];
   for (const pattern of forbiddenPatterns) {
-    flags.push("--glob", `!${pattern}`);
+    flags.push("--glob", `!${toRelativeExclusionGlob(pattern)}`);
   }
   return flags;
 }
 function isPathItselfForbidden(searchPath, forbiddenPatterns) {
   const matched = [];
   for (const pattern of forbiddenPatterns) {
-    if (matchGlobInsensitive(pattern, searchPath)) {
+    if (matchGlobInsensitive(pattern, searchPath) || // A directory-glob (`…/**`, e.g. `**/.ssh/**` or `/etc/**`) does NOT match
+    // the bare directory itself — the trailing `/.*` requires a char after the
+    // slash, so `matchGlob('**/.ssh/**', '/home/u/.ssh')` is false. When the
+    // SEARCH PATH *is* the forbidden directory, treat it as forbidden so it
+    // routes to DENY (no rewrite), not MODIFY.
+    pattern.endsWith("/**") && matchGlobInsensitive(pattern.slice(0, -3), searchPath)) {
       matched.push(pattern);
     }
   }
@@ -1044,7 +1089,6 @@ function buildModifiedGrepInput(originalInput, exclusions) {
 import { timingSafeEqual } from "crypto";
 var DEFAULT_PORT = 7847;
 var MAX_BODY_SIZE = 1024 * 1024;
-var GATEWAY_VERSION = "0.1.0";
 function isLoopbackAddress(addr) {
   if (!addr) return false;
   return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1" || addr.startsWith("127.");
@@ -1101,6 +1145,9 @@ var SentinelGateway = class {
   releaseToken;
   /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
   unknownTools;
+  /** Daemon-staleness build identity (content hash of the launched-from entry),
+   *  reported via /health. "unknown" when not supplied by the launcher. */
+  buildId;
   server = null;
   running = false;
   signalHandlersInstalled = false;
@@ -1116,6 +1163,7 @@ var SentinelGateway = class {
     this.home = options.home ?? "";
     this.releaseToken = options.releaseToken ?? null;
     this.unknownTools = options.unknownTools ?? "warn";
+    this.buildId = options.buildId ?? "unknown";
     const internal = options;
     if (internal.registry) {
       this.registry = internal.registry;
@@ -1235,7 +1283,11 @@ var SentinelGateway = class {
         const snap = this.telemetry.getSnapshot();
         this.sendJson(res, 200, {
           status: "running",
-          version: GATEWAY_VERSION,
+          // Daemon-staleness build identity (content hash of the launched-from
+          // entry). Replaces the former hardcoded GATEWAY_VERSION, which had
+          // drifted from package.json and would have mismatched spuriously.
+          // session-start compares this to the current on-disk entry hash.
+          buildId: this.buildId,
           uptime: snap.uptime_seconds
         });
         return;
@@ -1401,6 +1453,9 @@ var SentinelGateway = class {
       return { ok: false, finding };
     }
     const { root, agentId, workspaceRole } = resolved.resolution;
+    for (const w of resolved.resolution.warnings) {
+      console.warn(`[SENTINEL GATEWAY] workspace-resolution warning (${agentId}): ${w}`);
+    }
     const ceiling = this.operatorCeiling;
     if (!ceiling) {
       const check = {
@@ -1427,7 +1482,24 @@ var SentinelGateway = class {
       name: agentId
     });
     this.sentinel.touchAgent(agentId);
-    return { ok: true, agentId };
+    return { ok: true, agentId, effectiveRole: merged.role };
+  }
+  /**
+   * Forbidden-pattern list for ONE request: the gateway's construction-time
+   * list unioned with the request's merged-role patterns (operator-ceiling ∩
+   * workspace yaml). Without this, a workspace's custom forbid targets were
+   * enforced by the role validator inside wrap() but never reached the
+   * gateway's own bash-L1 / Grep layers, which checked only the static list.
+   * Normalization is idempotent (the chokepoint globstar-prepend).
+   */
+  patternsForRequest(effectiveRole2) {
+    if (!effectiveRole2?.forbiddenTargetPatterns?.length) return this.forbiddenPatterns;
+    return [
+      .../* @__PURE__ */ new Set([
+        ...this.forbiddenPatterns,
+        ...effectiveRole2.forbiddenTargetPatterns.map(normalizeForbiddenPattern)
+      ])
+    ];
   }
   async handlePreToolUse(body, res, translator) {
     let payload;
@@ -1443,6 +1515,7 @@ var SentinelGateway = class {
       return;
     }
     let routingId = this.agentId;
+    let requestForbiddenPatterns = this.forbiddenPatterns;
     if (this.workspaceIsolation) {
       const routed = await this.resolveBPathRouting(
         event.metadata?.cwd,
@@ -1460,6 +1533,7 @@ var SentinelGateway = class {
       }
       routingId = routed.agentId;
       event.agentId = routingId;
+      requestForbiddenPatterns = this.patternsForRequest(routed.effectiveRole);
     }
     if (event.metadata?._unknownTool === "true") {
       const unknownName = event.metadata.ccToolName ?? event.primaryTarget;
@@ -1532,7 +1606,7 @@ var SentinelGateway = class {
       let matchedPath = null;
       let matchedPattern = null;
       for (const tokenPath of allTokenPaths) {
-        for (const pattern of this.forbiddenPatterns) {
+        for (const pattern of requestForbiddenPatterns) {
           if (matchGlobInsensitive(pattern, tokenPath)) {
             matchedPath = tokenPath;
             matchedPattern = pattern;
@@ -1548,6 +1622,7 @@ var SentinelGateway = class {
           unparseable: anyUnparseable,
           hasDangerousConstruct: anyDangerousConstruct
         });
+        const targetKey = matchedPath ?? `l2:${[...new Set(allL2Hits)].sort().join(",")}`;
         const finding = {
           severity: "HIGH",
           kind: "actionable",
@@ -1565,7 +1640,8 @@ var SentinelGateway = class {
           timestamp: event.timestamp,
           decision: "deny",
           mentionOnly,
-          dedupKey: event.primaryTarget
+          dedupKey: event.primaryTarget,
+          targetKey
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1592,7 +1668,9 @@ var SentinelGateway = class {
           decision: "deny",
           // A resolved path-glob hit is a file target — never a mention.
           mentionOnly: false,
-          dedupKey: event.primaryTarget
+          dedupKey: event.primaryTarget,
+          // F-5a: the resolved forbidden path IS the target identity here.
+          targetKey: matchedPath
         };
         await this.sentinel.handleGatewayDeny(routingId, finding);
         this.telemetry.recordToolCall(event.action, "pre", "blocked", 0);
@@ -1710,7 +1788,7 @@ var SentinelGateway = class {
     if (ccToolName === "Grep") {
       const toolInput = parsedPayload.tool_input ?? {};
       const searchPath = typeof toolInput.path === "string" && toolInput.path.length > 0 ? toolInput.path : parsedPayload.cwd ?? ".";
-      const pathCheck = isPathItselfForbidden(searchPath, this.forbiddenPatterns);
+      const pathCheck = isPathItselfForbidden(searchPath, requestForbiddenPatterns);
       if (pathCheck.forbidden) {
         const finding2 = {
           severity: "HIGH",
@@ -1735,7 +1813,7 @@ var SentinelGateway = class {
         this.sendJson(res, 200, response);
         return;
       }
-      const exclusions = buildGrepExclusions(this.forbiddenPatterns);
+      const exclusions = buildGrepExclusions(requestForbiddenPatterns);
       const updatedInput = buildModifiedGrepInput(toolInput, exclusions);
       const finding = {
         severity: "MEDIUM",
@@ -1758,7 +1836,7 @@ var SentinelGateway = class {
       await this.sentinel.logFinding(routingId, finding);
       this.telemetry.recordToolCall(event.action, "pre", "allowed", 0);
       const ccTranslator = translator;
-      const excludedPatterns = this.forbiddenPatterns.join(", ");
+      const excludedPatterns = requestForbiddenPatterns.join(", ");
       const additionalContext = `Sentinel: this Grep search was modified to exclude forbidden paths. Excluded patterns: ${excludedPatterns}. To search specific forbidden files, use Read with explicit approval.`;
       if (typeof ccTranslator.formatPreToolUseModifyResponse === "function") {
         const response = ccTranslator.formatPreToolUseModifyResponse({
@@ -2022,13 +2100,14 @@ var SentinelGateway = class {
 };
 async function runGatewayDaemon({
   policyPath,
-  port = DEFAULT_PORT
+  port = DEFAULT_PORT,
+  buildId
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-XMSJE4DZ.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-4QKPFHTI.js");
   const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
   const { randomBytes } = await import("crypto");
-  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-KZL2U4M2.js");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-XX6BQXNB.js");
   const sentinel = await SentinelClass.fromPolicy(policyPath);
   const baseline = await sentinel.computeBaseline("claude-code");
   sentinel.setBaseline("claude-code", baseline);
@@ -2046,7 +2125,12 @@ async function runGatewayDaemon({
     home: homedir(),
     releaseToken,
     unknownTools: operatorConfig.enforcement?.unknownTools,
-    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools
+    allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools,
+    buildId,
+    // The operator policy's custom forbid targets must reach the gateway's own
+    // bash-L1/Grep layers (defaults-as-floor union, same chokepoint as role
+    // construction) — previously the gateway saw only the built-in defaults.
+    forbiddenPatterns: unionWithDefaultForbiddenPatterns(operatorCeiling.forbiddenTargetPatterns)
   });
   await gateway.start();
   const home = homedir();
@@ -2059,4 +2143,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-L4R3LPJS.js.map
+//# sourceMappingURL=chunk-HRI2Y326.js.map