@wrongstack/core 0.54.1 → 0.66.13

package/dist/security/index.d.ts

@@ -1,10 +1,10 @@
 export { D as DefaultSecretScrubber, a as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, m as migratePlaintextSecrets, r as rewriteConfigEncrypted } from '../secret-scrubber-7rSC_emZ.js';
-export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-CU6sqWxF.js';
+export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-B2dK-T5N.js';
 import '../secret-vault-DoISxaKO.js';
 import '../secret-scrubber-3MHDDAtm.js';
-import '../context-DtPKqKYV.js';
+import '../context-y87Jc5ei.js';
 import '../input-reader-E-ffP2ee.js';
-import '../permission-Drm7LpPo.js';
+import '../permission-C1A5whY5.js';
 
 declare function isSecretField(name: string): boolean;
 

package/dist/security/index.js

@@ -1,7 +1,7 @@
 import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';
 import * as fs2 from 'fs';
 import * as fs from 'fs/promises';
-import * as path from 'path';
+import * as path3 from 'path';
 
 // src/security/secret-scrubber.ts
 var PATTERNS = [
@@ -113,9 +113,9 @@ var DefaultSecretScrubber = class {
 // src/types/secret-vault.ts
 var ENCRYPTED_PREFIX = "enc:v1:";
 async function atomicWrite(targetPath, content, opts = {}) {
-  const dir = path.dirname(targetPath);
+  const dir = path3.dirname(targetPath);
   await fs.mkdir(dir, { recursive: true });
-  const tmp = path.join(dir, `.${path.basename(targetPath)}.${randomBytes(6).toString("hex")}.tmp`);
+  const tmp = path3.join(dir, `.${path3.basename(targetPath)}.${randomBytes(6).toString("hex")}.tmp`);
   try {
     if (typeof content === "string") {
       await fs.writeFile(tmp, content, { flag: "wx", encoding: opts.encoding ?? "utf8" });
@@ -168,7 +168,7 @@ async function renameWithRetry(from, to) {
       if (!code || !TRANSIENT_RENAME_CODES.has(code) || i === delays.length) {
         throw err;
       }
-      await new Promise((resolve) => setTimeout(resolve, delays[i]));
+      await new Promise((resolve2) => setTimeout(resolve2, delays[i]));
     }
   }
   throw lastErr;
@@ -230,7 +230,7 @@ var DefaultSecretVault = class {
     } catch (err) {
       if (err.code !== "ENOENT") throw err;
     }
-    fs2.mkdirSync(path.dirname(this.keyFile), { recursive: true });
+    fs2.mkdirSync(path3.dirname(this.keyFile), { recursive: true });
     const key = randomBytes(KEY_BYTES);
     try {
       fs2.writeFileSync(this.keyFile, key, { mode: 384, flag: "wx" });
@@ -299,7 +299,7 @@ async function rewriteConfigEncrypted(configPath, vault, patch) {
   }
   const merged = deepMerge(current, patch ?? {});
   const encrypted = encryptConfigSecrets(merged, vault);
-  await fs.mkdir(path.dirname(configPath), { recursive: true });
+  await fs.mkdir(path3.dirname(configPath), { recursive: true });
   await atomicWrite(configPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
   await restrictFilePermissions(configPath);
 }
@@ -535,6 +535,87 @@ function safeParse(input, maxBytes = 5e6) {
     };
   }
 }
+var DESTRUCTIVE_BASH_PATTERNS = [
+  /\bgit\s+(?:clean\s+-[^\s]*[xdf]|reset\s+--hard)\b/i,
+  /\b(?:drop|truncate)\s+(?:table|database|schema)\b/i,
+  /\bdelete\s+from\b/i,
+  /\b(?:mkfs|format|diskpart|shutdown|reboot)\b/i,
+  /\bchmod\s+-R\s+777\b/i,
+  /\bchown\s+-R\b/i,
+  /\b(?:curl|wget)\b.*\|\s*(?:sh|bash|zsh|pwsh|powershell)\b/i,
+  /\b(?:powershell|pwsh)\b.*(?:-encodedcommand|-enc)\b/i,
+  /:\(\)\s*\{\s*:\|:&\s*}\s*;/
+];
+var PROJECT_ESCAPE_PATTERN = /(?:^|[\s"'])\.\.(?:[\\/]|$)/;
+var ABSOLUTE_PATH_PATTERN = /(?:^|[\s"'])(?:~[\\/]|\/[A-Za-z0-9_.-]|[A-Za-z]:[\\/])/;
+var SHELL_OPERATORS = /* @__PURE__ */ new Set(["&&", "||", "|", ";", ">", ">>", "<", "2>", "2>>"]);
+function getInputString(input, key) {
+  if (!input || typeof input !== "object") return void 0;
+  const value = input[key];
+  return typeof value === "string" ? value : void 0;
+}
+function pathLooksInsideProject(rawPath, projectRoot) {
+  if (!projectRoot) return false;
+  if (rawPath === "~" || rawPath.startsWith("~/") || rawPath.startsWith("~\\")) return false;
+  const resolved = path3.resolve(projectRoot, rawPath);
+  const relative2 = path3.relative(projectRoot, resolved);
+  return !!relative2 && !relative2.startsWith("..") && !path3.isAbsolute(relative2);
+}
+function tokenizeShell(command) {
+  return command.match(/"[^"]*"|'[^']*'|\S+/g)?.map((token) => token.replace(/^['"]|['"]$/g, "")) ?? [];
+}
+function pathTokenIsOutsideProject(token, projectRoot) {
+  if (!token || SHELL_OPERATORS.has(token) || token.startsWith("-")) return false;
+  if (token === "/" || token === "~" || token === "." || token === "..") return token !== ".";
+  if (token.includes("*")) return true;
+  if (token.startsWith("..") || token.includes("../") || token.includes("..\\")) return true;
+  if (path3.isAbsolute(token) || token.startsWith("~/")) return !pathLooksInsideProject(token, projectRoot);
+  return false;
+}
+function hasDangerousDeleteTarget(tokens, start, projectRoot) {
+  const targets = tokens.slice(start).filter((token) => !token.startsWith("-") && !SHELL_OPERATORS.has(token));
+  if (targets.length === 0) return true;
+  return targets.some((target) => pathTokenIsOutsideProject(target, projectRoot));
+}
+function hasDestructiveDelete(command, projectRoot) {
+  const tokens = tokenizeShell(command);
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i]?.toLowerCase();
+    if (!token) continue;
+    if (token === "rm") {
+      const args = tokens.slice(i + 1);
+      const recursiveOrForce = args.some(
+        (arg) => /^-[^-]*[rf]/i.test(arg) || arg === "--recursive" || arg === "--force"
+      );
+      if (recursiveOrForce && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+    if (token === "rmdir" || token === "rd") {
+      const args = tokens.slice(i + 1);
+      const recursive = args.some((arg) => arg.toLowerCase() === "/s");
+      if (recursive && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+    if (token === "del" || token === "erase") {
+      if (hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+    if (token === "remove-item") {
+      const args = tokens.slice(i + 1).map((arg) => arg.toLowerCase());
+      const recursiveOrForce = args.includes("-recurse") || args.includes("-force");
+      if (recursiveOrForce && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+  }
+  return false;
+}
+function isClearlyDestructiveBashCommand(command, projectRoot) {
+  const trimmed = command.trim();
+  if (!trimmed) return false;
+  if (hasDestructiveDelete(trimmed, projectRoot)) return true;
+  if (DESTRUCTIVE_BASH_PATTERNS.some((pattern) => pattern.test(trimmed))) return true;
+  if (/\bcd\s+(?:\.\.|~|\/|[A-Za-z]:[\\/])/i.test(trimmed)) return true;
+  if (PROJECT_ESCAPE_PATTERN.test(trimmed)) return true;
+  const absolute = trimmed.match(ABSOLUTE_PATH_PATTERN)?.[0]?.trim().replace(/^['"]|['"]$/g, "");
+  if (absolute && !pathLooksInsideProject(absolute, projectRoot)) return true;
+  return false;
+}
 
 // src/security/permission-policy.ts
 var DefaultPermissionPolicy = class {
@@ -542,7 +623,9 @@ var DefaultPermissionPolicy = class {
   loaded = false;
   trustFile;
   yolo;
-  forceAllYolo;
+  yoloDestructive;
+  /** When true, destructive ops still require confirmation even in YOLO mode. */
+  confirmDestructive;
   /**
    * Session-scoped "soft deny" map. When the user presses 'n' (block once),
    * the tool+pattern is added here. If the LLM retries in the same session,
@@ -575,7 +658,8 @@ var DefaultPermissionPolicy = class {
   constructor(opts) {
     this.trustFile = opts.trustFile;
     this.yolo = opts.yolo ?? false;
-    this.forceAllYolo = opts.forceAllYolo ?? false;
+    this.yoloDestructive = opts.yoloDestructive ?? opts.forceAllYolo ?? false;
+    this.confirmDestructive = opts.confirmDestructive ?? false;
     this.promptDelegate = opts.promptDelegate;
   }
   /**
@@ -595,13 +679,29 @@ var DefaultPermissionPolicy = class {
   getYolo() {
     return this.yolo;
   }
-  /** Toggle force-all-YOLO at runtime. */
+  /** Toggle the destructive YOLO override at runtime. */
+  setYoloDestructive(enabled) {
+    this.yoloDestructive = enabled;
+  }
+  /** Check whether the destructive YOLO override is active. */
+  getYoloDestructive() {
+    return this.yoloDestructive;
+  }
+  /** Toggle destructive confirmation gate (only meaningful when yolo is active). */
+  setConfirmDestructive(enabled) {
+    this.confirmDestructive = enabled;
+  }
+  /** Check whether destructive confirmation gate is active. */
+  getConfirmDestructive() {
+    return this.confirmDestructive;
+  }
+  /** @deprecated Use `setYoloDestructive`. */
   setForceAllYolo(enabled) {
-    this.forceAllYolo = enabled;
+    this.setYoloDestructive(enabled);
   }
-  /** Check whether force-all-YOLO is active. */
+  /** @deprecated Use `getYoloDestructive`. */
   getForceAllYolo() {
-    return this.forceAllYolo;
+    return this.getYoloDestructive();
   }
   async reload() {
     try {
@@ -648,29 +748,28 @@ var DefaultPermissionPolicy = class {
       return { permission: "auto", source: "trust" };
     }
     if (this.yolo) {
-      if (tool.riskTier === "destructive" && !this.forceAllYolo) {
-        if (this.promptDelegate) {
-          const decision = await this.promptDelegate(tool, input, subject ?? tool.name);
-          if (decision === "always") {
-            await this.trust({ tool: tool.name, pattern: subject ?? tool.name });
-            return {
-              permission: "auto",
-              source: "user",
-              reason: "destructive yolo always-allowed"
-            };
+      if (this.confirmDestructive) {
+        const destructive = this.isDestructiveYoloCall(tool, input, ctx);
+        if (destructive) {
+          if (this.promptDelegate) {
+            const decision = await this.promptDelegate(tool, input, subject ?? tool.name);
+            if (decision === "always") {
+              await this.trust({ tool: tool.name, pattern: subject ?? tool.name });
+              return { permission: "auto", source: "user", reason: "destructive yolo always-allowed" };
+            }
+            if (decision === "deny") {
+              await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
+              return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
+            }
+            return { permission: decision === "yes" ? "auto" : "deny", source: "user" };
           }
-          if (decision === "deny") {
-            await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
-            return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
-          }
-          return { permission: decision === "yes" ? "auto" : "deny", source: "user" };
+          return {
+            permission: "confirm",
+            source: "yolo_destructive",
+            riskTier: "destructive",
+            reason: "destructive tool needs explicit approval (confirmDestructive is on)"
+          };
         }
-        return {
-          permission: "confirm",
-          source: "yolo_destructive",
-          riskTier: "destructive",
-          reason: "destructive tool needs explicit approval even in yolo mode"
-        };
       }
       return { permission: "auto", source: "yolo" };
     }
@@ -700,6 +799,18 @@ var DefaultPermissionPolicy = class {
     }
     return { permission: "confirm", source: "default" };
   }
+  isDestructiveYoloCall(tool, input, ctx) {
+    if (tool.name === "bash") {
+      const command = getInputString(input, "command");
+      return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;
+    }
+    if (tool.name === "write" || tool.name === "edit" || tool.name === "replace" || tool.name === "patch") {
+      const targetPath = getInputString(input, "path") ?? getInputString(input, "file");
+      if (!targetPath || !ctx.projectRoot) return false;
+      return !pathLooksInsideProject(targetPath, ctx.projectRoot);
+    }
+    return tool.riskTier === "destructive";
+  }
   async trust(rule) {
     if (!this.loaded) await this.reload();
     const entry = this.policy[rule.tool] ?? {};