@zhijiewang/openharness 2.8.0 → 2.9.0

package/dist/types/permissions.js

@@ -1,7 +1,7 @@
 /**
  * Permission types — tool permission context and risk-based gating.
  */
-import { analyzeBashCommand } from "../utils/bash-safety.js";
+import { analyzeBashCommand, isReadOnlyBashCommand, splitCommands, stripProcessWrappers, } from "../utils/bash-safety.js";
 /** Tools auto-approved in acceptEdits mode */
 const EDIT_SAFE_TOOLS = new Set([
     "FileRead",
@@ -46,42 +46,94 @@ function matchArgGlob(pattern, value) {
     }
 }
 /** Find the first matching tool permission rule */
-function findToolRule(rules, toolName, toolInput) {
-    if (!rules || rules.length === 0)
-        return undefined;
-    return rules.find((r) => {
-        const { toolName: specToolName, argPattern } = parseToolSpecifier(r.tool);
-        // Check tool name match (with prefix * support)
-        if (!matchToolPattern(specToolName, toolName))
-            return false;
-        // If rule has an inline argument pattern (e.g., "Bash(npm run *)")
-        if (argPattern && toolInput) {
-            const input = toolInput;
-            // For Bash: match against command string
-            if (toolName === "Bash" && typeof input.command === "string") {
-                return matchArgGlob(argPattern, input.command);
+/**
+ * Priority of a rule action for "most restrictive wins" tie-breaking across
+ * subcommand matches: deny > ask > allow. Rules that don't apply return -1.
+ */
+function actionPriority(action) {
+    return action === "deny" ? 2 : action === "ask" ? 1 : 0;
+}
+function matchesSingleRule(r, toolName, toolInput) {
+    const { toolName: specToolName, argPattern } = parseToolSpecifier(r.tool);
+    if (!matchToolPattern(specToolName, toolName))
+        return false;
+    if (argPattern && toolInput) {
+        const input = toolInput;
+        if (toolName === "Bash" && typeof input.command === "string") {
+            return matchArgGlob(argPattern, input.command);
+        }
+        if (["Edit", "Write", "Read"].includes(toolName) && typeof input.file_path === "string") {
+            return matchArgGlob(argPattern, input.file_path);
+        }
+        return false;
+    }
+    if (r.pattern && toolInput && toolName === "Bash") {
+        const command = toolInput?.command;
+        if (typeof command === "string") {
+            try {
+                return new RegExp(r.pattern).test(command);
             }
-            // For file tools: match against file_path
-            if (["Edit", "Write", "Read"].includes(toolName) && typeof input.file_path === "string") {
-                return matchArgGlob(argPattern, input.file_path);
+            catch {
+                return false;
             }
-            return false; // Has pattern but no matching field
         }
-        // Legacy: separate pattern field (regex) for Bash commands
-        if (r.pattern && toolInput && toolName === "Bash") {
-            const command = toolInput?.command;
-            if (typeof command === "string") {
-                try {
-                    return new RegExp(r.pattern).test(command);
-                }
-                catch {
-                    return false;
-                }
+        return false;
+    }
+    return true;
+}
+/**
+ * Match permission rules against a Bash command.
+ *
+ * For compound commands (`cmd1 && cmd2`, `a | b`, `x; y`), evaluate rules
+ * against each sub-command independently with "most restrictive wins"
+ * semantics: any sub-command matching a `deny` rule returns deny; else any
+ * `ask` match returns ask; else any `allow` match returns allow; else no
+ * match. Process wrappers (`timeout 10 cmd`, `nice -n 5 cmd`) are stripped
+ * before matching so the real underlying command is what gets checked.
+ *
+ * Security note: this closes a common class of bypasses like
+ * `git log && rm -rf /` where a naive full-line match would hit the `git log`
+ * allow rule and skip the deny on `rm`.
+ */
+function findBashRule(rules, command) {
+    const subs = splitCommands(command).map(stripProcessWrappers).filter(Boolean);
+    if (subs.length === 0)
+        return undefined;
+    let best;
+    let bestPriority = -1;
+    for (const sub of subs) {
+        const subInput = { command: sub };
+        for (const r of rules) {
+            if (!matchesSingleRule(r, "Bash", subInput))
+                continue;
+            const p = actionPriority(r.action);
+            if (p > bestPriority) {
+                best = r;
+                bestPriority = p;
+                if (p === 2)
+                    return best; // deny short-circuits
             }
-            return false;
         }
-        return true;
-    });
+    }
+    return best;
+}
+function findToolRule(rules, toolName, toolInput) {
+    if (!rules || rules.length === 0)
+        return undefined;
+    // Bash: always route through the compound-aware matcher. For single commands
+    // this just strips wrappers and does a normal rule search; for compound
+    // commands it evaluates each sub-command with most-restrictive-wins.
+    if (toolName === "Bash" && toolInput) {
+        const command = toolInput?.command;
+        if (typeof command === "string") {
+            const compoundMatch = findBashRule(rules, command);
+            if (compoundMatch)
+                return compoundMatch;
+            // Compound matcher returned nothing (single command or no match).
+            // Fall through to the default single-rule find below.
+        }
+    }
+    return rules.find((r) => matchesSingleRule(r, toolName, toolInput));
 }
 /** Cached tool permission rules — set by the REPL at startup */
 let toolPermissionRules;
@@ -103,23 +155,33 @@ export function checkPermission(mode, riskLevel, isReadOnly, toolName, toolInput
     }
     // Bash command safety analysis — detect destructive patterns
     let effectiveRisk = riskLevel;
+    let bashReadOnly = false;
     if (toolName === "Bash" && toolInput) {
         const command = toolInput?.command;
         if (typeof command === "string") {
-            const analysis = analyzeBashCommand(command);
-            if (analysis.level === "dangerous") {
-                effectiveRisk = "high";
+            // Read-only allowlist short-circuit (Claude Code parity). A pure
+            // inspection pipeline like `ls | head` or `git status` should not
+            // prompt the user in any permission mode that gates read-only work.
+            if (isReadOnlyBashCommand(command)) {
+                bashReadOnly = true;
+                effectiveRisk = "low";
             }
-            else if (analysis.level === "moderate" && effectiveRisk !== "high") {
-                effectiveRisk = "medium";
-            }
-            else if (analysis.level === "safe") {
-                effectiveRisk = "medium"; // bash is never fully "low" risk
+            else {
+                const analysis = analyzeBashCommand(command);
+                if (analysis.level === "dangerous") {
+                    effectiveRisk = "high";
+                }
+                else if (analysis.level === "moderate" && effectiveRisk !== "high") {
+                    effectiveRisk = "medium";
+                }
+                else if (analysis.level === "safe") {
+                    effectiveRisk = "medium"; // bash is never fully "low" risk
+                }
             }
         }
     }
-    // Always allow low-risk read-only
-    if (effectiveRisk === "low" && isReadOnly) {
+    // Always allow low-risk read-only (now includes Bash commands matching the allowlist)
+    if (effectiveRisk === "low" && (isReadOnly || bashReadOnly)) {
         return { allowed: true, reason: "auto-approved", riskLevel: effectiveRisk };
     }
     // bypassPermissions — approve everything unconditionally (CI/testing only)

package/dist/utils/bash-safety.d.ts

@@ -9,10 +9,29 @@ export type BashRisk = {
     level: "safe" | "moderate" | "dangerous";
     reasons: string[];
 };
+/**
+ * Strip leading process-wrapper tokens from a command string. Returns the
+ * underlying command (tokens + original separator). When the command is
+ * `timeout 30 npm test`, returns `npm test`. When no wrapper is present,
+ * returns the input unchanged. Conservative: only strips wrappers with at
+ * least one remaining token after them.
+ */
+export declare function stripProcessWrappers(cmd: string): string;
+/**
+ * Return true iff every sub-command in the pipeline/chain is a read-only
+ * operation. Any side-effecting sub-command disqualifies the whole command.
+ * Respects quotes and command substitution via the existing splitCommands/tokenize.
+ */
+export declare function isReadOnlyBashCommand(command: string): boolean;
 /**
  * Analyze a bash command string for safety risks.
  * Does lightweight structural parsing — splits on pipes, semicolons,
  * and && / || operators to analyze each sub-command.
  */
 export declare function analyzeBashCommand(command: string): BashRisk;
+/**
+ * Split a command string into sub-commands on |, ;, &&, ||
+ * Respects quoted strings and command substitutions.
+ */
+export declare function splitCommands(cmd: string): string[];
 //# sourceMappingURL=bash-safety.d.ts.map

package/dist/utils/bash-safety.js

@@ -39,6 +39,184 @@ const INSTALL_COMMANDS = new Set([
 ]);
 // Commands that send data externally
 const NETWORK_EXFIL = new Set(["curl", "wget", "nc", "ncat", "socat", "ssh", "scp", "rsync"]);
+/**
+ * Process-wrapper commands that don't change what runs, just how it runs.
+ * These are stripped off the front of a sub-command before permission matching
+ * so `timeout 10 rm file` matches the same rule as `rm file`. Mirrors Claude
+ * Code's wrapper-stripping for robust permission enforcement.
+ */
+const PROCESS_WRAPPERS = new Set(["timeout", "time", "nice", "nohup", "stdbuf", "ionice", "unbuffer", "env"]);
+/**
+ * Strip leading process-wrapper tokens from a command string. Returns the
+ * underlying command (tokens + original separator). When the command is
+ * `timeout 30 npm test`, returns `npm test`. When no wrapper is present,
+ * returns the input unchanged. Conservative: only strips wrappers with at
+ * least one remaining token after them.
+ */
+export function stripProcessWrappers(cmd) {
+    const trimmed = cmd.trim();
+    let tokens = tokenize(trimmed);
+    while (tokens.length >= 2 && PROCESS_WRAPPERS.has(tokens[0])) {
+        const first = tokens[0];
+        let skip = 1;
+        // `timeout 30s`, `nice -n 10`, `stdbuf -oL` — skip option-like args
+        // belonging to the wrapper itself. Numeric or `-flag value` shapes are swallowed.
+        while (skip < tokens.length - 1) {
+            const t = tokens[skip];
+            if (t.startsWith("-") || /^[0-9.]+[a-zA-Z]?$/.test(t)) {
+                skip++;
+            }
+            else {
+                break;
+            }
+        }
+        tokens = tokens.slice(skip);
+        // Safety: if stripping removes everything, fall back to original
+        if (tokens.length === 0)
+            return trimmed;
+        // Detect and continue stripping nested wrappers (e.g., `timeout 5 nice rm`)
+        if (!PROCESS_WRAPPERS.has(tokens[0]))
+            break;
+        // Avoid infinite loops on malformed input
+        if (tokens[0] === first)
+            break;
+    }
+    return tokens.join(" ");
+}
+/**
+ * Pure read-only commands. A bash invocation consisting only of these
+ * commands (optionally piped/chained with each other) is safe to auto-approve
+ * without a permission prompt. Mirrors Claude Code's read-only allowlist so
+ * common inspection flows (`ls`, `cat file | head`, `git status`) don't pester
+ * the user.
+ *
+ * Strict criteria: no side effects, no network, no filesystem writes.
+ */
+const READ_ONLY_COMMANDS = new Set([
+    "ls",
+    "cat",
+    "head",
+    "tail",
+    "grep",
+    "egrep",
+    "fgrep",
+    "find",
+    "wc",
+    "diff",
+    "stat",
+    "du",
+    "df",
+    "pwd",
+    "echo",
+    "printf",
+    "whoami",
+    "which",
+    "type",
+    "file",
+    "basename",
+    "dirname",
+    "realpath",
+    "readlink",
+    "date",
+    "true",
+    "false",
+    "sort",
+    "uniq",
+    "cut",
+    "tr",
+    "sed", // sed without -i is read-only (checked below)
+    "awk",
+    "column",
+    "tee", // tee IS a write, handled below
+    "tree",
+    "jq",
+    "yq",
+    "xxd",
+    "od",
+    "md5sum",
+    "sha1sum",
+    "sha256sum",
+    "env", // reading env; `export` / `env X=Y cmd` is not here
+]);
+// Git subcommands that don't mutate the repo or working tree.
+const READ_ONLY_GIT_SUBCOMMANDS = new Set([
+    "status",
+    "log",
+    "show",
+    "diff",
+    "blame",
+    "branch",
+    "tag",
+    "describe",
+    "rev-parse",
+    "rev-list",
+    "ls-files",
+    "ls-tree",
+    "cat-file",
+    "config",
+    "remote",
+    "reflog",
+    "stash",
+    "for-each-ref",
+    "shortlog",
+    "grep",
+    "bisect",
+    "worktree",
+]);
+/**
+ * Return true iff every sub-command in the pipeline/chain is a read-only
+ * operation. Any side-effecting sub-command disqualifies the whole command.
+ * Respects quotes and command substitution via the existing splitCommands/tokenize.
+ */
+export function isReadOnlyBashCommand(command) {
+    const trimmed = command.trim();
+    if (!trimmed)
+        return false;
+    // Refuse any redirection that creates/overwrites files ( > >> | tee -a ... ).
+    // Append is still a write. `2>&1` alone is fine, but `> file` is not.
+    if (/(?<![<&])>+\s*[^&]/.test(trimmed))
+        return false;
+    const subCommands = splitCommands(trimmed);
+    if (subCommands.length === 0)
+        return false;
+    for (const sub of subCommands) {
+        const tokens = tokenize(sub);
+        if (tokens.length === 0)
+            continue;
+        const cmd = tokens[0];
+        const args = tokens.slice(1);
+        // `git <subcmd>` with read-only subcommand
+        if (cmd === "git") {
+            const sub = args.find((a) => !a.startsWith("-"));
+            if (!sub || !READ_ONLY_GIT_SUBCOMMANDS.has(sub))
+                return false;
+            // `git stash push`, `git stash pop`, `git stash drop` are writes — refuse.
+            if (sub === "stash") {
+                const action = args[args.indexOf("stash") + 1];
+                if (action && ["push", "pop", "drop", "apply", "clear", "save"].includes(action))
+                    return false;
+            }
+            // `git branch -d`, `git branch -D` delete branches — refuse.
+            if (sub === "branch" && args.some((a) => a === "-d" || a === "-D"))
+                return false;
+            // `git config --global foo=bar` writes config — only read forms are safe.
+            if (sub === "config" &&
+                args.some((a) => !a.startsWith("-") && args.indexOf(a) > args.indexOf("config") && a.includes("="))) {
+                return false;
+            }
+            continue;
+        }
+        // `sed -i` is in-place edit — writes.
+        if (cmd === "sed" && args.some((a) => a === "-i" || a.startsWith("-i")))
+            return false;
+        // `tee` without `-a` is a write; `tee -a` is also a write. Refuse always.
+        if (cmd === "tee")
+            return false;
+        if (!READ_ONLY_COMMANDS.has(cmd))
+            return false;
+    }
+    return true;
+}
 /**
  * Analyze a bash command string for safety risks.
  * Does lightweight structural parsing — splits on pipes, semicolons,
@@ -149,7 +327,7 @@ export function analyzeBashCommand(command) {
  * Split a command string into sub-commands on |, ;, &&, ||
  * Respects quoted strings and command substitutions.
  */
-function splitCommands(cmd) {
+export function splitCommands(cmd) {
     const parts = [];
     let current = "";
     let inSingle = false;

package/dist/utils/safe-env.d.ts

@@ -4,7 +4,11 @@
  */
 /**
  * Filter process.env to remove credential-containing variables.
- * Merges optional extra env vars on top.
+ *
+ * Precedence order (later wins):
+ *   1. process.env (filtered)
+ *   2. .oh/config.yaml `env:` block (Claude Code parity — inject API keys etc.)
+ *   3. `extra` argument (call-site overrides — e.g. per-MCP-server env)
  */
 export declare function safeEnv(extra?: Record<string, string>): Record<string, string>;
 //# sourceMappingURL=safe-env.d.ts.map

package/dist/utils/safe-env.js

@@ -2,6 +2,7 @@
  * Safe environment variable filtering.
  * Blocks credential-containing vars from being passed to subprocesses.
  */
+import { readOhConfig } from "../harness/config.js";
 /** Env var names that should never be passed to subprocesses */
 const BLOCKED_PATTERNS = [
     /^ANTHROPIC_API_KEY$/i,
@@ -21,7 +22,11 @@ const BLOCKED_PATTERNS = [
 ];
 /**
  * Filter process.env to remove credential-containing variables.
- * Merges optional extra env vars on top.
+ *
+ * Precedence order (later wins):
+ *   1. process.env (filtered)
+ *   2. .oh/config.yaml `env:` block (Claude Code parity — inject API keys etc.)
+ *   3. `extra` argument (call-site overrides — e.g. per-MCP-server env)
  */
 export function safeEnv(extra) {
     const env = {};
@@ -32,6 +37,19 @@ export function safeEnv(extra) {
             continue;
         env[key] = value;
     }
+    // Layer in config-declared env vars if available.
+    try {
+        const cfg = readOhConfig();
+        if (cfg?.env) {
+            for (const [k, v] of Object.entries(cfg.env)) {
+                if (typeof v === "string")
+                    env[k] = v;
+            }
+        }
+    }
+    catch {
+        /* config unavailable — fall through */
+    }
     if (extra) {
         Object.assign(env, extra);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhijiewang/openharness",
-  "version": "2.8.0",
+  "version": "2.9.0",
   "description": "Open-source terminal coding agent. Works with any LLM.",
   "type": "module",
   "bin": {
@@ -17,6 +17,8 @@
     "dist/**/*.d.ts",
     "!dist/**/*.test.*",
     "!dist/**/test-helpers.*",
+    "data/skills/**/*.md",
+    "data/registry.json",
     "README.md",
     "LICENSE"
   ],