@tuent/sentinel 0.1.3 → 0.1.5

package/dist/{chunk-WLIDSTS4.js → chunk-SKE74CYZ.js}

@@ -1,5 +1,81 @@
 // src/policyLoader.ts
 import yaml from "js-yaml";
+
+// src/defaults.ts
+var DEFAULT_FORBIDDEN_PATTERNS = [
+  "**/.env",
+  "**/.env.*",
+  "**/.ssh/**",
+  "**/.aws/**",
+  "**/secrets/**",
+  "**/credentials/**",
+  "**/id_rsa*",
+  "**/id_dsa*",
+  "**/id_ecdsa*",
+  "**/id_ed25519*",
+  "**/*.pem",
+  "**/*.key",
+  "/etc/**",
+  // Sprint 26 FIX 1 (A) — common credential stores. DRIFT: keep in sync with
+  // STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts (template↔defaults
+  // unification tracked in a separate ticket — do not refactor here).
+  "**/.netrc",
+  "**/.npmrc",
+  "**/.git-credentials",
+  "**/.pgpass",
+  "**/.zsh_history",
+  "**/.config/gh/**",
+  "**/.docker/config.json",
+  "**/.gnupg/**",
+  "**/.config/gcloud/**",
+  "**/.kube/**",
+  "**/Library/Keychains/**",
+  // Sprint 26 FIX 1 (B) — Sentinel's own state dir (current path only; the
+  // ~/.dahlia → ~/.sentinel rename is a separate re-arch).
+  "**/.dahlia/**",
+  // Sprint 26 FIX 3 — the live policy file and cc's hook-wiring settings files.
+  // Denies the agent's own tool-writes (policy rewrite / unhook vectors); reads
+  // stay allowed via DEFAULT_POLICY_READ_EXCEPTIONS below. The settings glob
+  // covers project AND user-level (~/.claude/settings*.json) in one pattern.
+  // DRIFT: keep in sync with STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts.
+  "**/.sentinel.yaml",
+  "**/.claude/settings*.json"
+];
+var DEFAULT_POLICY_READ_EXCEPTIONS = [
+  { target: "**/.sentinel.yaml", allowedActions: ["file_read"] },
+  { target: "**/.claude/settings*.json", allowedActions: ["file_read"] }
+];
+function withPolicyReadExceptions(existing) {
+  const merged = existing ? [...existing] : [];
+  for (const exc of DEFAULT_POLICY_READ_EXCEPTIONS) {
+    if (!merged.some((e) => e.target === exc.target)) merged.push(exc);
+  }
+  return merged;
+}
+var DEFAULT_MEDIUM_DISPOSITION = {
+  network_request: "deny"
+};
+var DEFAULT_RESTRICT_AFTER = 2;
+var DEFAULT_QUARANTINE_AFTER = 3;
+var DEFAULT_NETWORK_DENYLIST_CIDRS = [
+  "10.0.0.0/8",
+  // RFC1918 private (Class A)
+  "172.16.0.0/12",
+  // RFC1918 private (Class B)
+  "192.168.0.0/16",
+  // RFC1918 private (Class C)
+  "127.0.0.0/8",
+  // loopback v4
+  "169.254.0.0/16",
+  // link-local v4 (cloud metadata endpoints)
+  "fe80::/10",
+  // link-local v6
+  "::1/128"
+  // loopback v6
+];
+var DEFAULT_DANGEROUS_SCHEMES = ["file:", "data:", "javascript:", "vbscript:"];
+
+// src/policyLoader.ts
 var LOCKED_ACTIONABLE_TYPES = /* @__PURE__ */ new Set([
   "role_violation",
   "unauthorized_target",
@@ -29,15 +105,88 @@ var VALID_ACTIONS = /* @__PURE__ */ new Set([
 function fail(message) {
   throw new Error(`Policy validation error: ${message}`);
 }
+function checkSaneNumber(value, opts = {}) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    return `must be a finite number; got ${String(value)}`;
+  }
+  if (opts.integer && !Number.isInteger(value)) {
+    return `must be an integer; got ${value}`;
+  }
+  if (opts.min !== void 0 && value < opts.min) {
+    return `must be >= ${opts.min}; got ${value}`;
+  }
+  if (opts.max !== void 0 && value > opts.max) {
+    return `must be <= ${opts.max}; got ${value}`;
+  }
+  return null;
+}
+function requireSaneNumber(name, value, opts = {}) {
+  const violation = checkSaneNumber(value, opts);
+  if (violation) fail(`${name} ${violation}`);
+}
+function levenshtein(a, b) {
+  const m = a.length;
+  const n = b.length;
+  const row = Array.from({ length: n + 1 }, (_, j) => j);
+  for (let i = 1; i <= m; i++) {
+    let prev = row[0];
+    row[0] = i;
+    for (let j = 1; j <= n; j++) {
+      const tmp = row[j];
+      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
+      prev = tmp;
+    }
+  }
+  return row[n];
+}
+function suggestKey(unknown, valid) {
+  const lower = unknown.toLowerCase();
+  for (const v of valid) {
+    if (v.toLowerCase() === lower) return v;
+  }
+  for (const v of valid) {
+    const vl = v.toLowerCase();
+    if (lower.includes(vl) || vl.includes(lower)) return v;
+  }
+  let best = null;
+  let bestDist = 3;
+  for (const v of valid) {
+    const d = levenshtein(lower, v.toLowerCase());
+    if (d < bestDist) {
+      bestDist = d;
+      best = v;
+    }
+  }
+  return best;
+}
+function rejectUnknownKeys(section, obj, allowed) {
+  for (const key of Object.keys(obj)) {
+    if (!allowed.includes(key)) {
+      const suggestion = suggestKey(key, allowed);
+      fail(
+        `unknown key "${key}" in ${section}.` + (suggestion ? ` Did you mean "${suggestion}"?` : "") + ` Valid keys: ${allowed.join(", ")}`
+      );
+    }
+  }
+}
 function validatePolicy(data) {
   if (typeof data !== "object" || data === null) {
     fail("policy must be a YAML object");
   }
   const doc = data;
+  rejectUnknownKeys("policy document", doc, [
+    "version",
+    "agent",
+    "policy",
+    "enforcement",
+    "alerts",
+    "repo"
+  ]);
   if (doc.version === void 0) fail("version is required");
   if (String(doc.version) !== "1.0") fail('version must be "1.0"');
   if (typeof doc.agent !== "object" || doc.agent === null) fail("agent section is required");
   const agent = doc.agent;
+  rejectUnknownKeys("agent", agent, ["id", "name", "description"]);
   if (typeof agent.id !== "string" || agent.id.length === 0) fail("agent.id is required");
   if (typeof agent.name !== "string" || agent.name.length === 0) fail("agent.name is required");
   if (agent.description !== void 0 && typeof agent.description !== "string") {
@@ -45,10 +194,12 @@ function validatePolicy(data) {
   }
   if (typeof doc.policy !== "object" || doc.policy === null) fail("policy section is required");
   const policy = doc.policy;
+  rejectUnknownKeys("policy", policy, ["allow", "forbid", "exceptions", "schedule", "limits"]);
   if (typeof policy.allow !== "object" || policy.allow === null) {
     fail("policy.allow section is required");
   }
   const allow = policy.allow;
+  rejectUnknownKeys("policy.allow", allow, ["actions", "targets", "networkHosts"]);
   if (!Array.isArray(allow.actions) || allow.actions.length === 0) {
     fail("policy.allow.actions must be a non-empty array of strings");
   }
@@ -84,6 +235,7 @@ function validatePolicy(data) {
     fail("policy.forbid section is required");
   }
   const forbid = policy.forbid;
+  rejectUnknownKeys("policy.forbid", forbid, ["targets"]);
   if (!Array.isArray(forbid.targets) || forbid.targets.length === 0) {
     fail("policy.forbid.targets must be a non-empty array of strings");
   }
@@ -100,6 +252,14 @@ function validatePolicy(data) {
       if (typeof ex !== "object" || ex === null) {
         fail(`${prefix}: must be an object`);
       }
+      rejectUnknownKeys(prefix, ex, [
+        "target",
+        "allowedActions",
+        "requiresTask",
+        "requiresApproval",
+        "expiresAfter",
+        "downgradeKindTo"
+      ]);
       if (typeof ex.target !== "string" || ex.target.length === 0) {
         fail(`${prefix}: target is required and must be a non-empty string`);
       }
@@ -144,6 +304,7 @@ function validatePolicy(data) {
       fail("policy.schedule must be an object");
     }
     const schedule = policy.schedule;
+    rejectUnknownKeys("policy.schedule", schedule, ["hours", "days"]);
     if (!Array.isArray(schedule.hours) || schedule.hours.length !== 2) {
       fail("schedule.hours must be [start, end] with values 0-23");
     }
@@ -165,35 +326,54 @@ function validatePolicy(data) {
     }
   }
   if (policy.limits !== void 0) {
-    if (typeof policy.limits !== "object" || policy.limits === null) {
-      fail("policy.limits must be an object");
-    }
-    const limits = policy.limits;
-    if (limits.maxEventsPerHour !== void 0 && typeof limits.maxEventsPerHour !== "number") {
-      fail("policy.limits.maxEventsPerHour must be a number");
-    }
-    if (limits.maxSessionDuration !== void 0 && typeof limits.maxSessionDuration !== "number") {
-      fail("policy.limits.maxSessionDuration must be a number");
-    }
+    fail(
+      "policy.limits is not supported \u2014 rate/duration limiting (maxEventsPerHour, maxSessionDuration) is not currently enforced by any runtime check. Remove this section. If you need rate limiting, track it as a feature request."
+    );
   }
   if (doc.enforcement !== void 0) {
     if (typeof doc.enforcement !== "object" || doc.enforcement === null) {
       fail("enforcement must be an object");
     }
     const enforcement = doc.enforcement;
-    if (enforcement.restrictAfter !== void 0 && typeof enforcement.restrictAfter !== "number") {
-      fail("enforcement.restrictAfter must be a number");
-    }
-    if (enforcement.quarantineAfter !== void 0 && typeof enforcement.quarantineAfter !== "number") {
-      fail("enforcement.quarantineAfter must be a number");
+    rejectUnknownKeys("enforcement", enforcement, [
+      "restrictAfter",
+      "quarantineAfter",
+      "approvalRequired",
+      "minKind",
+      "promote",
+      "baselineMaturity",
+      "unknownTools",
+      "allowUnknownTools",
+      "onInternalError"
+    ]);
+    if (enforcement.restrictAfter !== void 0) {
+      requireSaneNumber("enforcement.restrictAfter", enforcement.restrictAfter, {
+        integer: true,
+        min: 1
+      });
+    }
+    if (enforcement.quarantineAfter !== void 0) {
+      requireSaneNumber("enforcement.quarantineAfter", enforcement.quarantineAfter, {
+        integer: true,
+        min: 1
+      });
+    }
+    {
+      const effRestrict = enforcement.restrictAfter ?? DEFAULT_RESTRICT_AFTER;
+      const effQuarantine = enforcement.quarantineAfter ?? DEFAULT_QUARANTINE_AFTER;
+      if (effRestrict >= effQuarantine) {
+        fail(
+          `enforcement.restrictAfter (${effRestrict}) must be strictly less than enforcement.quarantineAfter (${effQuarantine}) \u2014 otherwise the restricted tier is unreachable and agents jump straight to quarantine. (Unset values default to restrictAfter ${DEFAULT_RESTRICT_AFTER}, quarantineAfter ${DEFAULT_QUARANTINE_AFTER}.)`
+        );
+      }
     }
     if (enforcement.approvalRequired !== void 0 && typeof enforcement.approvalRequired !== "boolean") {
       fail("enforcement.approvalRequired must be a boolean");
     }
     if (enforcement.minKind !== void 0) {
-      if (typeof enforcement.minKind !== "string" || !VALID_KINDS.has(enforcement.minKind)) {
-        fail("enforcement.minKind must be one of: informational, actionable");
-      }
+      fail(
+        "enforcement.minKind is not supported \u2014 enforcement gates on finding kind 'actionable' and this field was never wired. Use enforcement.promote to promote specific finding types to actionable, or remove this field."
+      );
     }
     if (enforcement.promote !== void 0) {
       if (!Array.isArray(enforcement.promote)) {
@@ -220,11 +400,21 @@ function validatePolicy(data) {
         fail("enforcement.allowUnknownTools must be an array of tool name strings");
       }
     }
+    if (enforcement.onInternalError !== void 0) {
+      if (enforcement.onInternalError !== "fail-open" && enforcement.onInternalError !== "fail-closed") {
+        fail('enforcement.onInternalError must be "fail-open" or "fail-closed"');
+      }
+    }
     if (enforcement.baselineMaturity !== void 0) {
       if (typeof enforcement.baselineMaturity !== "object" || enforcement.baselineMaturity === null) {
         fail("enforcement.baselineMaturity must be an object");
       }
       const bm = enforcement.baselineMaturity;
+      rejectUnknownKeys("enforcement.baselineMaturity", bm, [
+        "minSessions",
+        "minDaysObserved",
+        "minCategoryDiversity"
+      ]);
       for (const key of ["minSessions", "minDaysObserved", "minCategoryDiversity"]) {
         if (bm[key] !== void 0) {
           if (typeof bm[key] !== "number" || !Number.isFinite(bm[key])) {
@@ -242,6 +432,13 @@ function validatePolicy(data) {
       fail("alerts must be an object");
     }
     const alerts = doc.alerts;
+    rejectUnknownKeys("alerts", alerts, [
+      "channels",
+      "webhookUrl",
+      "filePath",
+      "minSeverity",
+      "minKind"
+    ]);
     if (!Array.isArray(alerts.channels) || alerts.channels.length === 0) {
       fail("alerts.channels must be a non-empty array");
     }
@@ -252,6 +449,7 @@ function validatePolicy(data) {
         }
       } else if (typeof ch === "object" && ch !== null) {
         const chObj = ch;
+        rejectUnknownKeys("alerts.channels[]", chObj, ["type", "minKind"]);
         if (typeof chObj.type !== "string" || !VALID_CHANNELS.has(chObj.type)) {
           fail(
             `alerts.channels contains invalid channel type "${chObj.type}". Valid: console, webhook, file`
@@ -288,6 +486,7 @@ function validatePolicy(data) {
       fail("repo must be an object");
     }
     const repo = doc.repo;
+    rejectUnknownKeys("repo", repo, ["root", "scanOnStartup", "mapPath", "overlayPath"]);
     if (repo.root !== void 0) {
       if (typeof repo.root !== "string" || repo.root.length === 0) {
         fail("repo.root must be a non-empty string");
@@ -368,20 +567,12 @@ function policyToRole(policy) {
       activeDays: policy.policy.schedule.days
     };
   }
-  if (policy.policy.limits) {
-    if (policy.policy.limits.maxEventsPerHour !== void 0) {
-      role.maxEventsPerHour = policy.policy.limits.maxEventsPerHour;
-    }
-    if (policy.policy.limits.maxSessionDuration !== void 0) {
-      role.maxSessionDuration = policy.policy.limits.maxSessionDuration;
-    }
-  }
   return role;
 }
 function policyToConfig(policy) {
   const config = {};
   if (policy.enforcement) {
-    if (policy.enforcement.restrictAfter !== void 0 || policy.enforcement.quarantineAfter !== void 0 || policy.enforcement.promote !== void 0 || policy.enforcement.baselineMaturity !== void 0 || policy.enforcement.unknownTools !== void 0 || policy.enforcement.allowUnknownTools !== void 0) {
+    if (policy.enforcement.restrictAfter !== void 0 || policy.enforcement.quarantineAfter !== void 0 || policy.enforcement.promote !== void 0 || policy.enforcement.baselineMaturity !== void 0 || policy.enforcement.unknownTools !== void 0 || policy.enforcement.allowUnknownTools !== void 0 || policy.enforcement.onInternalError !== void 0) {
       config.enforcement = {};
       if (policy.enforcement.restrictAfter !== void 0) {
         config.enforcement.restrictAfter = policy.enforcement.restrictAfter;
@@ -401,6 +592,9 @@ function policyToConfig(policy) {
       if (policy.enforcement.allowUnknownTools !== void 0) {
         config.enforcement.allowUnknownTools = policy.enforcement.allowUnknownTools;
       }
+      if (policy.enforcement.onInternalError !== void 0) {
+        config.enforcement.onInternalError = policy.enforcement.onInternalError;
+      }
     }
   }
   if (policy.alerts) {
@@ -435,10 +629,19 @@ function policyToConfig(policy) {
 }
 
 export {
+  DEFAULT_FORBIDDEN_PATTERNS,
+  withPolicyReadExceptions,
+  DEFAULT_MEDIUM_DISPOSITION,
+  DEFAULT_RESTRICT_AFTER,
+  DEFAULT_QUARANTINE_AFTER,
+  DEFAULT_NETWORK_DENYLIST_CIDRS,
+  DEFAULT_DANGEROUS_SCHEMES,
   LOCKED_ACTIONABLE_TYPES,
+  checkSaneNumber,
+  suggestKey,
   loadPolicy,
   loadPolicyFromString,
   policyToRole,
   policyToConfig
 };
-//# sourceMappingURL=chunk-WLIDSTS4.js.map
+//# sourceMappingURL=chunk-SKE74CYZ.js.map

package/dist/{chunk-2TJ5Z53T.js → chunk-UVNRPML4.js}

@@ -4,14 +4,14 @@ import {
 } from "./chunk-LATQNIRW.js";
 import {
   discoverPolicy
-} from "./chunk-FMZWHT4M.js";
+} from "./chunk-B6S2PBS4.js";
 import {
   FORBIDDEN_BASENAMES
-} from "./chunk-JTR2E7RD.js";
+} from "./chunk-M5EEVMLU.js";
 import {
   loadPolicy,
   loadPolicyFromString
-} from "./chunk-WLIDSTS4.js";
+} from "./chunk-SKE74CYZ.js";
 
 // src/setup/initClaudeCode.ts
 import { access, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
@@ -94,19 +94,45 @@ const FLOOR_HIGH = ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task",
 // The marker default is [] \u2014 an un-substituted script stays strictest.
 const ALLOW_UNKNOWN_TOOLS = /* __ALLOW_UNKNOWN_TOOLS__ */ [];
 
-// Tier config uses flat format: { high, low, mcpDefault, unknownDefault } (plan v3.1 spec'd nested but simplified during 5a)
+// Tier config uses flat format: { high, low, mcpDefault } (plan v3.1 spec'd nested but simplified during 5a)
+// Validated field-by-field against safe defaults (enforcement-config sanity class):
+// the hook must never block the cc session on a config error, so invalid values
+// fall back to the fail-closed default AND are logged \u2014 never silently honored.
+// In particular mcpDefault was compared with === "high", so any typo silently
+// demoted ALL MCP tools to low tier gateway-down (allow-unlogged, the F-8 hole).
 function loadTiers() {
+  const DEFAULT_TIERS = {
+    high: ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"],
+    low: ["Read", "Glob", "Grep", "WebSearch"],
+    mcpDefault: "high",
+  };
+  let parsed;
   try {
-    return JSON.parse(readFileSync(TIERS_PATH, "utf-8"));
+    parsed = JSON.parse(readFileSync(TIERS_PATH, "utf-8"));
   } catch {
-    // Default tiers if config is missing
-    return {
-      high: ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"],
-      low: ["Read", "Glob", "Grep", "WebSearch"],
-      mcpDefault: "high",
-      unknownDefault: "high",
-    };
+    return DEFAULT_TIERS; // missing/unreadable config \u2014 safe defaults
   }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    logFallback({ event: "tiers-config-invalid", reason: "top level must be an object", treatedAs: "defaults" });
+    return DEFAULT_TIERS;
+  }
+  const tiers = { ...DEFAULT_TIERS };
+  if (Array.isArray(parsed.high)) tiers.high = parsed.high.filter((t) => typeof t === "string");
+  else if (parsed.high !== undefined) logFallback({ event: "tiers-config-invalid", field: "high", reason: "must be an array of tool names", treatedAs: "defaults" });
+  if (Array.isArray(parsed.low)) tiers.low = parsed.low.filter((t) => typeof t === "string");
+  else if (parsed.low !== undefined) logFallback({ event: "tiers-config-invalid", field: "low", reason: "must be an array of tool names", treatedAs: "defaults" });
+  if (parsed.mcpDefault === "high" || parsed.mcpDefault === "low") tiers.mcpDefault = parsed.mcpDefault;
+  else if (parsed.mcpDefault !== undefined) logFallback({ event: "tiers-config-invalid", field: "mcpDefault", value: String(parsed.mcpDefault), reason: 'must be "high" or "low"', treatedAs: "high" });
+  // unknownDefault is NOT supported: unknown tools are ALWAYS high-tier
+  // gateway-down (see isHighSensitivity). It used to be written by init and
+  // read by nothing \u2014 a silent no-op knob. Warn so the operator knows.
+  if (parsed.unknownDefault !== undefined) logFallback({ event: "tiers-config-ignored", field: "unknownDefault", reason: "unsupported \u2014 unknown tools are always high-tier gateway-down" });
+  for (const key of Object.keys(parsed)) {
+    if (!["high", "low", "mcpDefault", "unknownDefault"].includes(key)) {
+      logFallback({ event: "tiers-config-unknown-key", key: key });
+    }
+  }
+  return tiers;
 }
 
 function isHighSensitivity(toolName, tiers) {
@@ -460,8 +486,7 @@ enforcement:
 var FAIL_CLOSED_TIERS = {
   high: ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"],
   low: ["Read", "Glob", "Grep", "WebSearch"],
-  mcpDefault: "high",
-  unknownDefault: "high"
+  mcpDefault: "high"
 };
 async function runInitClaudeCode(options) {
   const force = options.force ?? false;
@@ -712,16 +737,30 @@ async function runSessionStart(options) {
     }
     try {
       if (lock.pid) await terminateDaemon(lock.pid);
-      const pid2 = spawnDaemon(gatewayEntry, policyPath, port, home);
+      const pid = spawnDaemon(gatewayEntry, policyPath, port, home);
       await waitForGatewayReady(port);
-      return { action: "relaunched", pid: pid2, policyPath, relaunchReason: reason };
+      return { action: "relaunched", pid, policyPath, relaunchReason: reason };
     } finally {
       releaseRelaunchLock(home);
     }
   }
-  const pid = spawnDaemon(gatewayEntry, policyPath, port, home);
-  await waitForGatewayReady(port);
-  return { action: "spawned", pid, policyPath, relaunchReason: null };
+  if (!acquireRelaunchLock(home)) {
+    await waitForGatewayReady(port);
+    const peerPid = acquireGatewayLock(home).pid ?? void 0;
+    return { action: "reused", pid: peerPid, policyPath, relaunchReason: null };
+  }
+  try {
+    const relock = acquireGatewayLock(home);
+    if (relock.reused) {
+      await waitForGatewayReady(port);
+      return { action: "reused", pid: relock.pid, policyPath, relaunchReason: null };
+    }
+    const pid = spawnDaemon(gatewayEntry, policyPath, port, home);
+    await waitForGatewayReady(port);
+    return { action: "spawned", pid, policyPath, relaunchReason: null };
+  } finally {
+    releaseRelaunchLock(home);
+  }
 }
 
 export {
@@ -729,4 +768,4 @@ export {
   computeBuildId,
   runSessionStart
 };
-//# sourceMappingURL=chunk-2TJ5Z53T.js.map
+//# sourceMappingURL=chunk-UVNRPML4.js.map