npm - @tuent/sentinel - Versions diffs - 0.1.3 → 0.1.4 - Mend

@tuent/sentinel 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dist/Sentinel-4QKPFHTI.js +10 -0
package/dist/{Sentinel-BVoMEF3F.d.ts → Sentinel-DT0IyGQi.d.ts} +112 -9
package/dist/{chunk-PDWWRZXF.js → chunk-2IPSTUNH.js} +18 -7
package/dist/chunk-B6S2PBS4.js +47 -0
package/dist/{chunk-JTR2E7RD.js → chunk-FIEIGBYL.js} +222 -186
package/dist/{chunk-G74MMDKA.js → chunk-HRI2Y326.js} +76 -21
package/dist/{chunk-SSDIBY52.js → chunk-I2FVDDSG.js} +223 -90
package/dist/{chunk-WLIDSTS4.js → chunk-KWZ7JKKO.js} +221 -27
package/dist/{chunk-2TJ5Z53T.js → chunk-LTBVWF5H.js} +59 -20
package/dist/cli.js +33 -35
package/dist/gateway/index.d.ts +10 -1
package/dist/gateway/index.js +4 -4
package/dist/gatewayDaemon.js +5 -5
package/dist/index.d.ts +2 -12
package/dist/index.js +5 -5
package/dist/logAdapter-WM43W3S7.js +7 -0
package/dist/{mcpAdapter-R47GX2P3.js → mcpAdapter-WYAXUE7T.js} +2 -2
package/dist/{policyLoader-KZL2U4M2.js → policyLoader-XX6BQXNB.js} +8 -4
package/package.json +1 -1
package/dist/Sentinel-5CQ6HKXS.js +0 -10
package/dist/chunk-FMZWHT4M.js +0 -20
package/dist/logAdapter-IB6ZDEV2.js +0 -7

package/dist/{chunk-G74MMDKA.js → chunk-HRI2Y326.js} RENAMED Viewed

@@ -3,9 +3,8 @@ import {
 } from "./chunk-B5QKJHSV.js";
 import {
   discoverPolicy
-} from "./chunk-FMZWHT4M.js";
+} from "./chunk-B6S2PBS4.js";
 import {
-  DEFAULT_FORBIDDEN_PATTERNS,
   FORBIDDEN_BASENAMES,
   classifyDeny,
   isPositionallySafeMention,
@@ -14,16 +13,18 @@ import {
   scanBashCommand,
   scanContentForForbiddenBasenames,
   scanGlobPattern,
-  tokenizePaths
-} from "./chunk-JTR2E7RD.js";
+  tokenizePaths,
+  unionWithDefaultForbiddenPatterns
+} from "./chunk-FIEIGBYL.js";
 import {
+  DEFAULT_FORBIDDEN_PATTERNS,
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-WLIDSTS4.js";
+} from "./chunk-KWZ7JKKO.js";
 // src/gateway/workspaceRouter.ts
-import { resolve, dirname } from "path";
+import { resolve, dirname, sep } from "path";
 // src/mergeRoles.ts
 function isWithinActiveHours(hour, range) {
@@ -251,15 +252,35 @@ async function resolveWorkspace(cwd, home) {
   const policyPath = discoverPolicy(start, home);
   let root = start;
   let workspaceRole = null;
+  const warnings = [];
   if (policyPath) {
     const policy = await loadPolicy(policyPath);
+    const policyDir = dirname(resolve(policyPath));
+    root = policyDir;
     const repoRoot = policyToConfig(policy).repo?.root;
-    root = repoRoot ? resolve(repoRoot) : dirname(resolve(policyPath));
+    if (repoRoot) {
+      const declared = resolve(policyDir, repoRoot);
+      const homeAbs = resolve(home);
+      const declaredPrefix = declared.endsWith(sep) ? declared : declared + sep;
+      const containsPolicy = policyDir === declared || policyDir.startsWith(declaredPrefix);
+      const aboveHome = declared !== homeAbs && homeAbs.startsWith(declaredPrefix);
+      if (!containsPolicy) {
+        warnings.push(
+          `repo.root "${repoRoot}" (resolves to "${declared}") does not contain the policy file "${policyPath}" \u2014 anchoring to the policy's own directory "${policyDir}" instead`
+        );
+      } else if (aboveHome) {
+        warnings.push(
+          `repo.root "${repoRoot}" (resolves to "${declared}") reaches above the home directory \u2014 anchoring to the policy's own directory "${policyDir}" instead`
+        );
+      } else {
+        root = declared;
+      }
+    }
     workspaceRole = policyToRole(policy);
   }
   return {
     ok: true,
-    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole }
+    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole, warnings }
   };
 }
 function effectiveRole(ceiling, workspaceRole) {
@@ -347,11 +368,11 @@ var TranslatorRegistry = class {
 // src/gateway/runtimeConstructionResolvers.ts
 var MAX_RECURSION_DEPTH = 3;
-var INTERPRETER_RE = /\b(?:python[23]?|node|ruby|perl|php)\s+(?:-[cer])\s+(.+)/s;
+var INTERPRETER_RE = /\b(?:python|node|ruby|perl|php)[0-9.]*\s+(?:\S+\s+)*?-[cer]/;
 var NESTED_ENCODING_RE = /chr\(\d+\)|String\.fromCharCode|\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}|printf\s/;
 var PRINTF_HEX_RE = /printf\s+['"]?[^'"]*\\x[0-9a-fA-F]{2}/;
 var PRINTF_OCT_RE = /printf\s+['"]?[^'"]*\\[0-7]{1,3}/;
-var B1_CONTEXT_RE = /(?:\bbase64\s+(?:-d|--decode)\b|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
+var B1_CONTEXT_RE = /(?:\bbase64\s+(?:--decode\b|-[a-zA-Z]*[dD][a-zA-Z]*\b)|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
 var ECHO_E_HEX_RE = /\becho\s+(?:-\w+\s+)*-\w*e\w*\b[^|;&\n]*\\x[0-9a-fA-F]{2}/;
 var ANSI_C_QUOTE_HEX_RE = /\$'[^']*\\x[0-9a-fA-F]{2}/;
 var ANSI_C_QUOTE_OCT_RE = /\$'[^']*\\[0-7]{1,3}/;
@@ -1032,17 +1053,25 @@ var ClaudeCodeTranslator = class {
 };
 // src/gateway/grepRewriter.ts
+function toRelativeExclusionGlob(pattern) {
+  return pattern.startsWith("/") ? "**" + pattern : pattern;
+}
 function buildGrepExclusions(forbiddenPatterns) {
   const flags = [];
   for (const pattern of forbiddenPatterns) {
-    flags.push("--glob", `!${pattern}`);
+    flags.push("--glob", `!${toRelativeExclusionGlob(pattern)}`);
   }
   return flags;
 }
 function isPathItselfForbidden(searchPath, forbiddenPatterns) {
   const matched = [];
   for (const pattern of forbiddenPatterns) {
-    if (matchGlobInsensitive(pattern, searchPath)) {
+    if (matchGlobInsensitive(pattern, searchPath) || // A directory-glob (`…/**`, e.g. `**/.ssh/**` or `/etc/**`) does NOT match
+    // the bare directory itself — the trailing `/.*` requires a char after the
+    // slash, so `matchGlob('**/.ssh/**', '/home/u/.ssh')` is false. When the
+    // SEARCH PATH *is* the forbidden directory, treat it as forbidden so it
+    // routes to DENY (no rewrite), not MODIFY.
+    pattern.endsWith("/**") && matchGlobInsensitive(pattern.slice(0, -3), searchPath)) {
       matched.push(pattern);
     }
   }
@@ -1424,6 +1453,9 @@ var SentinelGateway = class {
       return { ok: false, finding };
     }
     const { root, agentId, workspaceRole } = resolved.resolution;
+    for (const w of resolved.resolution.warnings) {
+      console.warn(`[SENTINEL GATEWAY] workspace-resolution warning (${agentId}): ${w}`);
+    }
     const ceiling = this.operatorCeiling;
     if (!ceiling) {
       const check = {
@@ -1450,7 +1482,24 @@ var SentinelGateway = class {
       name: agentId
     });
     this.sentinel.touchAgent(agentId);
-    return { ok: true, agentId };
+    return { ok: true, agentId, effectiveRole: merged.role };
+  }
+  /**
+   * Forbidden-pattern list for ONE request: the gateway's construction-time
+   * list unioned with the request's merged-role patterns (operator-ceiling ∩
+   * workspace yaml). Without this, a workspace's custom forbid targets were
+   * enforced by the role validator inside wrap() but never reached the
+   * gateway's own bash-L1 / Grep layers, which checked only the static list.
+   * Normalization is idempotent (the chokepoint globstar-prepend).
+   */
+  patternsForRequest(effectiveRole2) {
+    if (!effectiveRole2?.forbiddenTargetPatterns?.length) return this.forbiddenPatterns;
+    return [
+      .../* @__PURE__ */ new Set([
+        ...this.forbiddenPatterns,
+        ...effectiveRole2.forbiddenTargetPatterns.map(normalizeForbiddenPattern)
+      ])
+    ];
   }
   async handlePreToolUse(body, res, translator) {
     let payload;
@@ -1466,6 +1515,7 @@ var SentinelGateway = class {
       return;
     }
     let routingId = this.agentId;
+    let requestForbiddenPatterns = this.forbiddenPatterns;
     if (this.workspaceIsolation) {
       const routed = await this.resolveBPathRouting(
         event.metadata?.cwd,
@@ -1483,6 +1533,7 @@ var SentinelGateway = class {
       }
       routingId = routed.agentId;
       event.agentId = routingId;
+      requestForbiddenPatterns = this.patternsForRequest(routed.effectiveRole);
     }
     if (event.metadata?._unknownTool === "true") {
       const unknownName = event.metadata.ccToolName ?? event.primaryTarget;
@@ -1555,7 +1606,7 @@ var SentinelGateway = class {
       let matchedPath = null;
       let matchedPattern = null;
       for (const tokenPath of allTokenPaths) {
-        for (const pattern of this.forbiddenPatterns) {
+        for (const pattern of requestForbiddenPatterns) {
           if (matchGlobInsensitive(pattern, tokenPath)) {
             matchedPath = tokenPath;
             matchedPattern = pattern;
@@ -1737,7 +1788,7 @@ var SentinelGateway = class {
     if (ccToolName === "Grep") {
       const toolInput = parsedPayload.tool_input ?? {};
       const searchPath = typeof toolInput.path === "string" && toolInput.path.length > 0 ? toolInput.path : parsedPayload.cwd ?? ".";
-      const pathCheck = isPathItselfForbidden(searchPath, this.forbiddenPatterns);
+      const pathCheck = isPathItselfForbidden(searchPath, requestForbiddenPatterns);
       if (pathCheck.forbidden) {
         const finding2 = {
           severity: "HIGH",
@@ -1762,7 +1813,7 @@ var SentinelGateway = class {
         this.sendJson(res, 200, response);
         return;
       }
-      const exclusions = buildGrepExclusions(this.forbiddenPatterns);
+      const exclusions = buildGrepExclusions(requestForbiddenPatterns);
       const updatedInput = buildModifiedGrepInput(toolInput, exclusions);
       const finding = {
         severity: "MEDIUM",
@@ -1785,7 +1836,7 @@ var SentinelGateway = class {
       await this.sentinel.logFinding(routingId, finding);
       this.telemetry.recordToolCall(event.action, "pre", "allowed", 0);
       const ccTranslator = translator;
-      const excludedPatterns = this.forbiddenPatterns.join(", ");
+      const excludedPatterns = requestForbiddenPatterns.join(", ");
       const additionalContext = `Sentinel: this Grep search was modified to exclude forbidden paths. Excluded patterns: ${excludedPatterns}. To search specific forbidden files, use Read with explicit approval.`;
       if (typeof ccTranslator.formatPreToolUseModifyResponse === "function") {
         const response = ccTranslator.formatPreToolUseModifyResponse({
@@ -2052,11 +2103,11 @@ async function runGatewayDaemon({
   port = DEFAULT_PORT,
   buildId
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-5CQ6HKXS.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-4QKPFHTI.js");
   const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
   const { randomBytes } = await import("crypto");
-  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-KZL2U4M2.js");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-XX6BQXNB.js");
   const sentinel = await SentinelClass.fromPolicy(policyPath);
   const baseline = await sentinel.computeBaseline("claude-code");
   sentinel.setBaseline("claude-code", baseline);
@@ -2075,7 +2126,11 @@ async function runGatewayDaemon({
     releaseToken,
     unknownTools: operatorConfig.enforcement?.unknownTools,
     allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools,
-    buildId
+    buildId,
+    // The operator policy's custom forbid targets must reach the gateway's own
+    // bash-L1/Grep layers (defaults-as-floor union, same chokepoint as role
+    // construction) — previously the gateway saw only the built-in defaults.
+    forbiddenPatterns: unionWithDefaultForbiddenPatterns(operatorCeiling.forbiddenTargetPatterns)
   });
   await gateway.start();
   const home = homedir();
@@ -2088,4 +2143,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-G74MMDKA.js.map
+//# sourceMappingURL=chunk-HRI2Y326.js.map