agentlock-shared 0.1.0 → 0.3.0

package/dist/policy.js

@@ -1,22 +1,203 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_POLICY_RULES = void 0;
+exports.compileClaudeBashPattern = exports.DEFAULT_POLICY_RULES = void 0;
+exports.maxCategory = maxCategory;
+exports.getCategoryFloor = getCategoryFloor;
+exports.compileSshPattern = compileSshPattern;
+exports.evaluateClaudeBashRules = evaluateClaudeBashRules;
 exports.evaluatePolicy = evaluatePolicy;
 exports.buildActionPreview = buildActionPreview;
-const redact_js_1 = require("./redact.js");
+exports.suggestClaudeBashPattern = suggestClaudeBashPattern;
+exports.resolveVpnRoute = resolveVpnRoute;
+exports.hostnameFromUrl = hostnameFromUrl;
+const regex_safety_js_1 = require("./regex-safety.js");
 const RISK_MAP = {
     read: 'low',
     write: 'medium',
     financial: 'high',
     admin: 'critical',
 };
+// ---------------------------------------------------------------------------
+// Category floor — anti-downgrade defense
+// ---------------------------------------------------------------------------
+// The agent self-declares `action_type` in every request. A malicious or
+// prompt-injected agent could simply label every action as `read` to bypass
+// policy restrictions. To prevent this, the server computes an independent
+// "category floor" from the tool name and payload, and uses the higher of the
+// two: effective = max(declared, floor).
+//
+// The floor is deliberately conservative — unknown tools fall back to `read`
+// (trust declared). The goal is not to classify every tool perfectly, but to
+// catch obvious downgrades like `stripe.charge` labeled as read.
+const CATEGORY_ORDER = {
+    read: 0,
+    write: 1,
+    financial: 2,
+    admin: 3,
+};
+/** Returns the more restrictive of two categories. */
+function maxCategory(a, b) {
+    return CATEGORY_ORDER[a] >= CATEGORY_ORDER[b] ? a : b;
+}
+// HTTP methods that only read data — everything else is considered a write.
+const READ_ONLY_HTTP_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+// Browser tools that only observe page state.
+const READ_ONLY_BROWSER_TOOLS = new Set([
+    'browser.snapshot',
+    'browser.screenshot',
+    'browser.scroll',
+    'browser.close',
+]);
+// Substring patterns that promote a tool to `financial`. Matched against the
+// lowercased tool name and — for MCP `call_tool` — the downstream method name.
+const FINANCIAL_PATTERNS = [
+    'stripe.',
+    'paypal.',
+    'payment',
+    'billing',
+    'invoice',
+    'checkout',
+    'subscription',
+    'charge',
+    'refund',
+    'transfer',
+    'payout',
+    'wire',
+    'ach',
+    'sepa',
+];
+// Substring patterns that promote a tool to `admin`. Matched against the
+// lowercased tool name, lowercased URL, and — for MCP `call_tool` — the
+// downstream method name. Both tool-name forms (`admin.`) and URL-path forms
+// (`/admin/`, `/admin?`) are included so the same list works for all sources.
+const ADMIN_PATTERNS = [
+    'admin.',
+    '/admin/',
+    '/admin?',
+    'delete_user',
+    'remove_user',
+    'rotate_key',
+    'revoke_key',
+    'grant_role',
+    'revoke_role',
+    'change_permission',
+    'drop_table',
+    'drop_database',
+    'truncate',
+    'destroy',
+    'disable_mfa',
+    'reset_password',
+];
+function matchesAny(haystack, needles) {
+    return needles.some((n) => haystack.includes(n));
+}
+/**
+ * Normalise an agent-supplied tool identifier. Lowercases (case-insensitive
+ * match) and maps the legacy / SDK short form `http` to the canonical
+ * `http.request` so per-tool policy rules authored via the Policies UI
+ * (which use `http.request`) match real-world SDK traffic.
+ */
+function normalizeToolName(tool) {
+    const lower = tool.toLowerCase();
+    if (lower === 'http')
+        return 'http.request';
+    return lower;
+}
+/**
+ * Derive the minimum (floor) category for a given tool + payload, independent
+ * of what the agent declared. See comment above for rationale.
+ *
+ * Returns `undefined` when no opinion — caller treats that as "trust declared".
+ */
+function getCategoryFloor(tool, payload) {
+    const normalizedTool = normalizeToolName(tool);
+    // --- SSH: remote command execution is always admin risk ---------------
+    // ssh.open establishes a long-lived authenticated session — same risk
+    // tier as ssh.run (both grant remote-shell access). ssh.close releases
+    // resources the agent already owns; treat it as `write` so the policy
+    // engine doesn't BLOCK it under the default `admin → BLOCK` rule —
+    // session-ownership is enforced separately in the gateway.
+    if (normalizedTool === 'ssh.run' || normalizedTool === 'ssh.open')
+        return 'admin';
+    if (normalizedTool === 'ssh.close')
+        return 'write';
+    // --- HTTP: method drives read vs write ---------------------------------
+    if (normalizedTool.split('.')[0] === 'http') {
+        const method = String(payload.method ?? 'GET').toUpperCase();
+        // Still check URL for financial/admin keywords (e.g. .../payments/charge)
+        const url = typeof payload.url === 'string' ? payload.url.toLowerCase() : '';
+        if (url && matchesAny(url, ADMIN_PATTERNS))
+            return 'admin';
+        if (url && matchesAny(url, FINANCIAL_PATTERNS))
+            return 'financial';
+        return READ_ONLY_HTTP_METHODS.has(method) ? 'read' : 'write';
+    }
+    // --- Browser: most interactions mutate page state ----------------------
+    if (normalizedTool.startsWith('browser.')) {
+        return READ_ONLY_BROWSER_TOOLS.has(normalizedTool) ? 'read' : 'write';
+    }
+    // --- MCP: list_tools is read; call_tool inspects the downstream method -
+    if (normalizedTool === 'mcp.list_tools')
+        return 'read';
+    if (normalizedTool === 'mcp.call_tool') {
+        const method = typeof payload.method === 'string' ? payload.method.toLowerCase() : '';
+        const server = typeof payload.server === 'string' ? payload.server.toLowerCase() : '';
+        const combined = `${server}.${method}`;
+        if (matchesAny(combined, ADMIN_PATTERNS))
+            return 'admin';
+        if (matchesAny(combined, FINANCIAL_PATTERNS))
+            return 'financial';
+        // Unknown MCP method — floor is write (MCP calls almost always mutate
+        // something; if they only read, a dedicated tool would be clearer).
+        return 'write';
+    }
+    // --- Direct tool-name pattern matching ---------------------------------
+    if (matchesAny(normalizedTool, ADMIN_PATTERNS))
+        return 'admin';
+    if (matchesAny(normalizedTool, FINANCIAL_PATTERNS))
+        return 'financial';
+    // Unknown tool — fail closed. We cannot vouch that an unrecognised tool is a
+    // safe read, so floor it to `write`: with `max(declared, floor)` a tool we
+    // don't recognise (even one the agent declared `read`) no longer rides the
+    // `read → ALLOW` default but is sent for approval. Same posture as the
+    // `mcp.call_tool` fallback above — a fall-through requires a human, not an
+    // auto-allow.
+    return 'write';
+}
 exports.DEFAULT_POLICY_RULES = {
     defaultMode: 'require_approval',
     rules: [
+        // Action-type defaults
         { action_type: 'read', decision: 'ALLOW' },
         { action_type: 'write', decision: 'REQUIRE_APPROVAL' },
         { action_type: 'financial', decision: 'REQUIRE_APPROVAL' },
         { action_type: 'admin', decision: 'BLOCK' },
+        // Browser tools (browser.open always requires approval via policy engine hardcode)
+        { tool: 'browser.snapshot', decision: 'ALLOW' },
+        { tool: 'browser.screenshot', decision: 'ALLOW' },
+        { tool: 'browser.close', decision: 'ALLOW' },
+        { tool: 'browser.click', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'browser.type', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'browser.fill_credentials', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'browser.navigate', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'browser.press_key', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'browser.select', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'browser.scroll', decision: 'ALLOW' },
+        // HTTP tool (domain/method restrictions enforced separately)
+        { tool: 'http.request', decision: 'REQUIRE_APPROVAL' },
+        // MCP tools
+        { tool: 'mcp.list_tools', decision: 'ALLOW' },
+        { tool: 'mcp.call_tool', decision: 'REQUIRE_APPROVAL' },
+        // Approval-only permission requests from local coding agents. The
+        // connector is a no-op after approval; Claude Code executes locally.
+        { tool: 'permission.claude_code', decision: 'REQUIRE_APPROVAL' },
+        // SSH tools — one-shot run + persistent session (open/close)
+        { tool: 'ssh.run', decision: 'REQUIRE_APPROVAL' },
+        { tool: 'ssh.open', decision: 'REQUIRE_APPROVAL' },
+        // ssh.close is owner-only (gateway validates session belongs to caller)
+        // so it's safe to allow without per-call approval. Rejecting close would
+        // strand sessions until TTL expiry, blowing up the per-plan limit.
+        { tool: 'ssh.close', decision: 'ALLOW' },
     ],
     http: {
         allowedDomains: [],
@@ -24,68 +205,520 @@ exports.DEFAULT_POLICY_RULES = {
         blockList: [],
     },
     limits: {
-        maxActionsPerHour: 100,
+        maxActionsPerHour: 100, // Enforced in gateway via check_rate_limit RPC
     },
 };
-function evaluatePolicy(action, rules) {
-    const risk_level = RISK_MAP[action.action_type] ?? 'medium';
-    // Browser tools: browser.open always requires approval
-    if (action.tool.startsWith('browser.')) {
-        if (action.tool === 'browser.open') {
+// Default HTTP rules when rules.http is not configured
+const DEFAULT_HTTP_RULES = {
+    allowedDomains: [],
+    allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
+    blockList: [],
+};
+function canonicalizeCommand(cmd) {
+    return cmd.trim().replace(/\s+/g, ' ');
+}
+// A pattern is treated as a raw regex if it looks like one: explicit
+// /…/ wrapper, a leading `^`/trailing `$`, or it contains characters that
+// would otherwise be literal in shell commands but meaningful in regex.
+// Anything else is interpreted as a glob with `*` (any run) and `?` (any
+// single char) — escape every other regex metachar and anchor it. This
+// keeps older, regex-style rules working without migration.
+const REGEX_HINT_RE = /[\^\$\\\[\]{}()|+]/;
+function compileSshPattern(raw) {
+    const trimmed = raw.trim();
+    if (trimmed.length >= 2 && trimmed.startsWith('/') && trimmed.endsWith('/')) {
+        return new RegExp(trimmed.slice(1, -1));
+    }
+    if (REGEX_HINT_RE.test(trimmed)) {
+        return new RegExp(trimmed);
+    }
+    const escaped = trimmed
+        .replace(/[.+\-]/g, '\\$&')
+        .replace(/\*/g, '.*')
+        .replace(/\?/g, '.');
+    return new RegExp(`^${escaped}$`);
+}
+/**
+ * Compile a user-supplied Claude Code Bash pattern into a RegExp.
+ *
+ * Same semantics as the SSH `commandRules` evaluator (single source of
+ * truth — `compileSshPattern`), so admins only learn one pattern dialect.
+ * Default: full-string match with `*` and `?` as glob wildcards.
+ *
+ *  - `grep`        → exact match only ("grep" with no args)
+ *  - `grep *`      → grep followed by a space and any args
+ *  - `grep /home/*`→ grep with args starting with `/home/`
+ *  - `^git push`   → starts-with-regex (regex hint chars trigger raw mode)
+ *  - `/.../`       → fully raw regex (escape hatch for advanced cases)
+ *
+ * The exact-by-default behaviour is the safer choice: forgetting the `*`
+ * means your rule is narrower than expected, not wider.
+ */
+exports.compileClaudeBashPattern = compileSshPattern;
+// Shell metacharacters whose presence in a command (but not the pattern)
+// turns a glob ALLOW into a potential bypass — `ALLOW: git status *`
+// matched against `git status ; rm -rf /` is the textbook case. Escalating
+// in that case keeps the user's intent ("trust this prefix with normal
+// args") without granting the implicit "and any compound suffix" they
+// probably didn't want. Regex-style patterns (`/.../` or anything with
+// regex hint chars like `^`, `$`, `(`, `|`) opt out: an admin who wrote
+// a regex understands what they're matching.
+//
+// Includes `\n` and `\r`: most shells treat a literal newline as a command
+// terminator, so `git status\ncurl evil.com` is two commands — the second
+// would otherwise sneak past an `ALLOW: git status *` rule because the
+// canonical-form regex test ignores what's after the matched prefix.
+//
+// Includes single `&`: in POSIX shells `cmd1 & cmd2` runs cmd1 in the
+// background AND immediately runs cmd2, so it's a separator, not just an
+// async marker. The two-char `&&` is matched by this same alternation
+// (the boolean test only cares whether ANY meta is present, not which).
+// `\$` (any dollar) covers command substitution `$(...)`, parameter/brace
+// expansion `${IFS}`, and bare `$VAR` — all of which inject or separate
+// commands at runtime (notably `${IFS}` expands to whitespace incl. a newline,
+// which acts as a command separator). Matching only `$(` left `${IFS}`/`$VAR`
+// able to ride an ALLOW glob.
+const SHELL_CONTROL_RE = /(;|&&|\|\||\||&|`|\$|>|<|[\n\r])/;
+function isAdvancedPattern(pattern) {
+    const t = pattern.trim();
+    if (t.length >= 2 && t.startsWith('/') && t.endsWith('/'))
+        return true;
+    return REGEX_HINT_RE.test(t);
+}
+/**
+ * Evaluate a Bash command against the workspace's user-defined Claude Code
+ * rules. Returns the first matching rule's outcome, or — when no rule
+ * matches — the policy's `defaultDecision`. Returns `null` to signal "no
+ * opinion" (caller should fall back to the hardcoded classifier) when the
+ * rules block is undefined or the rules array is empty AND no
+ * `defaultDecision` is set.
+ *
+ * Rules are evaluated in order; the FIRST match wins. ReDoS-suspect
+ * patterns and patterns that fail to compile are silently skipped (the
+ * Zod schema rejects them at save time, but we re-check at evaluation
+ * to stay safe against rules that pre-date the validation).
+ *
+ * Safety gates (only applied to ALLOW outcomes — BLOCK and
+ * REQUIRE_APPROVAL are always honoured as written so admins keep the
+ * ability to stop a command unconditionally):
+ *
+ * 1. **Shell-meta escalation** — if the command contains shell-control
+ *    chars (`;`, `&&`, `||`, `|`, `` ` ``, `$()`, `>`, `<`) and the
+ *    matched pattern is a literal prefix (not `/.../`), the rule is
+ *    escalated to `REQUIRE_APPROVAL`. Keeps `ALLOW: git status` from
+ *    silently approving `git status; rm -rf /` — the admin almost
+ *    certainly didn't mean to grant an arbitrary suffix.
+ *
+ * Admin-class commands (`rm -rf`, `git push`, `kubectl apply`, …) are
+ * NOT auto-escalated. If an admin writes `ALLOW: git push *`, the rule
+ * fires as written. The policy editor's linter still flags such ALLOWs
+ * as a recommendation to double-check, but runtime respects the explicit
+ * intent — silent escalation surprised users more than it protected them.
+ */
+function evaluateClaudeBashRules(command, rules, options = {}) {
+    if (!rules)
+        return null;
+    const ruleList = rules.rules ?? [];
+    if (ruleList.length === 0 && !rules.defaultDecision)
+        return null;
+    const canonical = canonicalizeCommand(command);
+    let matched = null;
+    for (const rule of ruleList) {
+        if ((0, regex_safety_js_1.isLikelyRedos)(rule.pattern))
+            continue;
+        let re;
+        try {
+            re = (0, exports.compileClaudeBashPattern)(rule.pattern);
+        }
+        catch {
+            continue;
+        }
+        if (re.test(canonical)) {
+            matched = {
+                pattern: rule.pattern,
+                decision: rule.decision,
+                ...(rule.require_two_approvals !== undefined && {
+                    require_two_approvals: rule.require_two_approvals,
+                }),
+                ...(rule.allowed_approvers && rule.allowed_approvers.length > 0 && {
+                    allowed_approvers: rule.allowed_approvers,
+                }),
+            };
+            break;
+        }
+    }
+    // Two ways to reach an outcome: a rule matched, or no rule matched and
+    // the policy has a fallback `defaultDecision`. Both flow through the
+    // same safety gates below — otherwise `defaultDecision: ALLOW` would
+    // be a pole-vault around the gates and `rm -rf /` would auto-approve.
+    let source;
+    if (matched) {
+        source = 'rule';
+    }
+    else if (rules.defaultDecision) {
+        // Synthesised default-match has no per-rule overrides — the surrounding
+        // permission.claude_code rule's flags will apply via the caller's
+        // fallback.
+        matched = { pattern: '', decision: rules.defaultDecision };
+        source = 'default';
+    }
+    else {
+        return null;
+    }
+    const matchReason = (suffix) => source === 'rule'
+        ? `Matched user rule: ${matched.pattern}${suffix}`
+        : `No user rule matched; using policy defaultDecision${suffix}`;
+    // Pre-build the per-rule override fields so every return path
+    // propagates them consistently. A synthesised default-match has neither.
+    const ruleOverrides = {
+        ...(matched.require_two_approvals !== undefined && {
+            require_two_approvals: matched.require_two_approvals,
+        }),
+        ...(matched.allowed_approvers && matched.allowed_approvers.length > 0 && {
+            allowed_approvers: matched.allowed_approvers,
+        }),
+    };
+    // BLOCK / REQUIRE_APPROVAL are always applied as written — escalating
+    // them would mean an admin's "stop this!" intent could be bypassed,
+    // which defeats the purpose of having a deny list.
+    if (matched.decision !== 'ALLOW') {
+        return {
+            decision: matched.decision,
+            reason: matchReason(''),
+            matchedPattern: matched.pattern,
+            ...ruleOverrides,
+        };
+    }
+    // ALLOW path — run safety gates. The shell-meta check runs against the
+    // RAW command (not the canonical form) because canonicalizeCommand
+    // collapses whitespace — including newlines — which would otherwise
+    // mask `git status\ncurl evil.com` from the gate. Newlines act as
+    // command separators in real shells, so we have to see them here.
+    // For the synthesized default-ALLOW outcome, `pattern` is empty and
+    // therefore not "advanced" (no `/.../` wrapping, no regex hint chars),
+    // so the gate runs as expected.
+    if (!isAdvancedPattern(matched.pattern) && SHELL_CONTROL_RE.test(command)) {
+        return {
+            decision: 'REQUIRE_APPROVAL',
+            reason: source === 'rule'
+                ? `ALLOW rule "${matched.pattern}" matched but command contains shell metacharacters; ` +
+                    `escalated to approval. Wrap your pattern in /.../ to opt into compound matching.`
+                : 'Default ALLOW would have applied but command contains shell metacharacters; escalated to approval.',
+            matchedPattern: matched.pattern,
+            ...ruleOverrides,
+        };
+    }
+    return {
+        decision: 'ALLOW',
+        reason: matchReason(''),
+        matchedPattern: matched.pattern,
+        ...ruleOverrides,
+    };
+}
+function sshHostAllowed(host, allowedHosts) {
+    // Reject malformed host values: userinfo (`user@host`), ports, paths or
+    // whitespace. A bare hostname/IP never contains these, and allowing them
+    // would let `evil@trusted.example.com` slip past a `*.example.com` wildcard.
+    if (/[@/:\s]/.test(host))
+        return false;
+    // DNS hostnames are case-insensitive and a single trailing dot denotes the
+    // same FQDN — normalise both sides before comparing. (Unix usernames are
+    // case-sensitive and are matched separately, so they are left untouched.)
+    const normalizeHost = (h) => h.toLowerCase().replace(/\.$/, '');
+    const target = normalizeHost(host);
+    return allowedHosts.some((allowed) => {
+        const a = normalizeHost(allowed);
+        if (a.startsWith('*.'))
+            return target.endsWith(a.slice(1));
+        return target === a;
+    });
+}
+function evaluateSshRules(command, sshRules) {
+    const canonical = canonicalizeCommand(command);
+    for (const rule of sshRules.commandRules) {
+        // Defense in depth: the save-time schema already rejects catastrophic
+        // patterns, but a rule could pre-date that validation. Skip anything
+        // that trips the ReDoS heuristic rather than risk wedging the event
+        // loop on a single evaluation.
+        if ((0, regex_safety_js_1.isLikelyRedos)(rule.pattern))
+            continue;
+        let re;
+        try {
+            re = compileSshPattern(rule.pattern);
+        }
+        catch {
+            continue; // skip invalid pattern — policy UI should validate at save time
+        }
+        if (re.test(canonical)) {
+            return { decision: rule.decision, reason: `Matched SSH rule: ${rule.pattern}`, matchedPattern: rule.pattern };
+        }
+    }
+    return { decision: sshRules.defaultDecision, reason: 'No SSH command rule matched; using defaultDecision' };
+}
+function evaluatePolicy(action, rules, options = {}) {
+    // Block unknown action types (defense-in-depth)
+    if (!(action.action_type in RISK_MAP)) {
+        return { decision: 'BLOCK', risk_level: 'critical', reason: `Unknown action type: ${action.action_type}` };
+        // No effective_action_type — we never trusted the input.
+    }
+    // SECURITY: Normalize tool name to lowercase to prevent case-sensitivity
+    // bypasses (e.g., "Http.get" skipping HTTP domain allowlist checks).
+    // Also coerce the short-form `http` → `http.request` so per-tool rules
+    // and default-policy entries (which use the canonical `http.request`)
+    // match the identifier real-world SDKs / docs emit. Prior behavior: a
+    // rule configured via the Policies UI for `http.request` silently did
+    // nothing against an agent sending `tool: 'http'`.
+    const normalizedTool = normalizeToolName(action.tool);
+    // SECURITY: Anti-downgrade defense. The agent self-declares `action_type`,
+    // but a prompt-injected or malicious agent could simply label everything as
+    // `read` to bypass restrictions. Compute a server-side "floor" from the
+    // tool+payload and use the more restrictive of the two.
+    //
+    // When `options.skipCategoryFloor` is true (set by the gateway for agents
+    // with `trust_declared_action_type = true`), the floor is bypassed and the
+    // declared action_type is used as-is. This is an owner-opt-in escape hatch
+    // for agents with a very narrow allowed_tools surface.
+    const effectiveActionType = options.skipCategoryFloor
+        ? action.action_type
+        : maxCategory(action.action_type, getCategoryFloor(action.tool, action.payload));
+    const wasDowngradeAttempt = effectiveActionType !== action.action_type;
+    const risk_level = RISK_MAP[effectiveActionType] ?? 'medium';
+    if (normalizedTool.startsWith('ssh.')) {
+        // ssh.open: establish a persistent session. Always REQUIRE_APPROVAL,
+        // mirrors browser.open. Validates credential_id + host + user against
+        // the workspace's SSH policy allowlists. The gateway separately
+        // enforces per-plan concurrent-session limits.
+        if (normalizedTool === 'ssh.open') {
+            const credentialId = action.payload.credential_id;
+            const host = typeof action.payload.host === 'string' ? action.payload.host : '';
+            const user = typeof action.payload.user === 'string' ? action.payload.user : '';
+            if (typeof credentialId !== 'string' || credentialId.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.open requires credential_id in payload', effective_action_type: effectiveActionType };
+            }
+            if (host.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.open requires host in payload', effective_action_type: effectiveActionType };
+            }
+            if (user.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.open requires user in payload', effective_action_type: effectiveActionType };
+            }
+            if (rules.ssh) {
+                if (!sshHostAllowed(host, rules.ssh.allowedHosts)) {
+                    return { decision: 'BLOCK', risk_level: 'critical', reason: `SSH host not in allowedHosts: ${host}`, effective_action_type: effectiveActionType };
+                }
+                if (rules.ssh.allowedUsers.length > 0 && !rules.ssh.allowedUsers.includes(user)) {
+                    return { decision: 'BLOCK', risk_level: 'critical', reason: `SSH user not in allowedUsers: ${user}`, effective_action_type: effectiveActionType };
+                }
+            }
+            // Honor an explicit per-tool BLOCK rule. This early return sits before
+            // the generic tool-rule matching at the bottom of evaluatePolicy, so
+            // without this check even DEFAULT_POLICY_RULES' own ssh.open entry was
+            // dead. Only the restrictive direction is honored — the approval
+            // requirement for opening a session is a hardcoded invariant (mirrors
+            // browser.open), so an ALLOW rule cannot downgrade it.
+            const sshOpenRule = rules.rules.find((r) => r.tool !== undefined && r.tool.toLowerCase() === 'ssh.open');
+            if (sshOpenRule?.decision === 'BLOCK') {
+                return {
+                    decision: 'BLOCK',
+                    risk_level: 'critical',
+                    reason: 'Matched rule: ssh.open',
+                    matched_rule: sshOpenRule,
+                    effective_action_type: effectiveActionType,
+                };
+            }
             return {
                 decision: 'REQUIRE_APPROVAL',
+                risk_level: 'critical',
+                reason: 'SSH sessions always require approval to open',
+                effective_action_type: effectiveActionType,
+            };
+        }
+        // ssh.close: release a session the agent already owns. The gateway
+        // validates that `session_id` belongs to this workspace+agent before
+        // policy eval — reaching here means ownership is already confirmed,
+        // so allow without per-call approval.
+        if (normalizedTool === 'ssh.close') {
+            const sessionId = action.payload.session_id;
+            if (typeof sessionId !== 'string' || sessionId.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'medium', reason: 'ssh.close requires session_id in payload', effective_action_type: effectiveActionType };
+            }
+            // Honor an explicit per-tool rule in the restrictive direction
+            // (BLOCK / REQUIRE_APPROVAL). Same dead-rule problem as ssh.open:
+            // this early return preceded the generic tool-rule matching.
+            const sshCloseRule = rules.rules.find((r) => r.tool !== undefined && r.tool.toLowerCase() === 'ssh.close');
+            if (sshCloseRule && sshCloseRule.decision !== 'ALLOW') {
+                return {
+                    decision: sshCloseRule.decision,
+                    risk_level: 'medium',
+                    reason: 'Matched rule: ssh.close',
+                    matched_rule: sshCloseRule,
+                    effective_action_type: effectiveActionType,
+                };
+            }
+            return {
+                decision: 'ALLOW',
                 risk_level: 'medium',
-                reason: 'Browser sessions always require approval to start',
+                reason: 'ssh.close is owner-only (session ownership validated by gateway)',
+                effective_action_type: effectiveActionType,
             };
         }
-        // Other browser.* actions with a valid session are handled at the gateway
-        // level (auto-approved). If they reach the policy engine without a session,
-        // they should be blocked.
+        if (normalizedTool === 'ssh.run') {
+            const credentialId = action.payload.credential_id;
+            // session_id is optional. When set, it indicates a sessioned run
+            // against an existing ssh.open session. The gateway will have
+            // validated ownership and populated host/user/port from the session
+            // row before calling evaluatePolicy, so the same checks below apply.
+            const sessionId = typeof action.payload.session_id === 'string' ? action.payload.session_id : '';
+            const host = typeof action.payload.host === 'string' ? action.payload.host : '';
+            const user = typeof action.payload.user === 'string' ? action.payload.user : '';
+            const command = action.payload.command;
+            // Sessioned runs don't require credential_id (the session was opened
+            // with one). One-shot runs always do.
+            if (sessionId.length === 0 && (typeof credentialId !== 'string' || credentialId.length === 0)) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.run requires credential_id (or session_id for sessioned runs)', effective_action_type: effectiveActionType };
+            }
+            if (host.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.run requires host in payload', effective_action_type: effectiveActionType };
+            }
+            if (user.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.run requires user in payload', effective_action_type: effectiveActionType };
+            }
+            if (typeof command !== 'string' || command.length === 0) {
+                return { decision: 'BLOCK', risk_level: 'critical', reason: 'ssh.run requires a non-empty command payload', effective_action_type: effectiveActionType };
+            }
+            if (rules.ssh) {
+                if (!sshHostAllowed(host, rules.ssh.allowedHosts)) {
+                    return { decision: 'BLOCK', risk_level: 'critical', reason: `SSH host not in allowedHosts: ${host}`, effective_action_type: effectiveActionType };
+                }
+                if (rules.ssh.allowedUsers.length > 0 && !rules.ssh.allowedUsers.includes(user)) {
+                    return { decision: 'BLOCK', risk_level: 'critical', reason: `SSH user not in allowedUsers: ${user}`, effective_action_type: effectiveActionType };
+                }
+                const outcome = evaluateSshRules(command, rules.ssh);
+                if (outcome.decision === 'ALLOW') {
+                    // Safety gate — mirrors the Claude Bash ALLOW path: a non-advanced
+                    // ALLOW glob must not hand an auto-pass to a compound/chained command
+                    // (`systemctl status x; rm -rf /`). Check the RAW command because
+                    // canonicalizeCommand collapses newlines that act as shell separators.
+                    // Applies even when admin auto-approval is enabled.
+                    const matchedPattern = outcome.matchedPattern ?? '';
+                    if (!isAdvancedPattern(matchedPattern) && SHELL_CONTROL_RE.test(command)) {
+                        return { decision: 'REQUIRE_APPROVAL', risk_level: 'critical', reason: `${outcome.reason} — command contains shell metacharacters; escalated to approval`, effective_action_type: effectiveActionType };
+                    }
+                    if (!rules.allowHighRiskAutoApproval?.admin) {
+                        return { decision: 'REQUIRE_APPROVAL', risk_level: 'critical', reason: `${outcome.reason} — escalated to approval (admin auto-approval not enabled)`, effective_action_type: effectiveActionType };
+                    }
+                }
+                return { decision: outcome.decision, risk_level: 'critical', reason: outcome.reason, effective_action_type: effectiveActionType };
+            }
+            return { decision: 'REQUIRE_APPROVAL', risk_level: 'critical', reason: 'No SSH policy configured; defaulting to approval', effective_action_type: effectiveActionType };
+        }
         return {
             decision: 'BLOCK',
-            risk_level: 'medium',
-            reason: 'Browser actions require an active session (use browser.open first)',
+            risk_level: 'critical',
+            reason: `Unknown SSH tool: ${normalizedTool}`,
+            effective_action_type: effectiveActionType,
         };
     }
-    // MCP tools: list_tools is a read (low risk), call_tool defers to action_type rules
-    if (action.tool === 'mcp.list_tools') {
-        return {
-            decision: 'ALLOW',
-            risk_level: 'low',
-            reason: 'MCP tool discovery is read-only',
-        };
+    // Browser tools: browser.open always requires approval
+    if (normalizedTool.startsWith('browser.')) {
+        if (normalizedTool === 'browser.open') {
+            return {
+                decision: 'REQUIRE_APPROVAL',
+                risk_level: 'medium',
+                reason: 'Browser sessions always require approval to start',
+                effective_action_type: effectiveActionType,
+            };
+        }
+        // Other browser.* actions require a live session. If the gateway has
+        // already validated one (hasActiveSession=true) we fall through to normal
+        // per-tool rule evaluation so admin-configured BLOCKs on specific tools
+        // (e.g. browser.fill_credentials) are honored. Without a validated
+        // session, the safe default is to block — never let an unauthenticated
+        // session_id survive policy eval.
+        if (!options.hasActiveSession) {
+            return {
+                decision: 'BLOCK',
+                risk_level: 'medium',
+                reason: 'Browser actions require an active session (use browser.open first)',
+                effective_action_type: effectiveActionType,
+            };
+        }
+        // Fall through to per-tool rule matching + default-mode below.
     }
-    if (action.tool.split('.')[0] === 'http' && rules.http) {
+    // MCP tools: list_tools handled via default rules (can be overridden by custom policies)
+    // HTTP tool checks: always enforce domain/method restrictions
+    const isHttpTool = normalizedTool.split('.')[0] === 'http';
+    if (isHttpTool) {
+        const httpRules = rules.http ?? DEFAULT_HTTP_RULES;
         const url = action.payload.url;
+        if (!url) {
+            // SECURITY: HTTP actions without a URL must be blocked at the policy level.
+            // The connector would also reject it, but policy should be the first gate.
+            return {
+                decision: 'BLOCK',
+                risk_level: 'critical',
+                reason: 'HTTP actions require a URL in payload',
+                effective_action_type: effectiveActionType,
+            };
+        }
         if (url) {
             try {
-                const domain = new URL(url).hostname;
+                const domain = new URL(url).hostname.replace(/\.$/, '').toLowerCase();
                 // Use exact match or proper subdomain match (preceded by a dot)
                 // to prevent "not-trusted.com" from matching allowlist entry "trusted.com"
-                const matchesDomain = (d, pattern) => d === pattern || d.endsWith('.' + pattern);
-                if (rules.http.blockList.some((b) => matchesDomain(domain, b))) {
-                    return { decision: 'BLOCK', risk_level: 'critical', reason: `Domain ${domain} is in block list` };
-                }
-                if (rules.http.allowedDomains.length === 0) {
-                    // No allowlist configured: safe default is REQUIRE_APPROVAL, not ALLOW.
-                    // This prevents agents from exfiltrating data to arbitrary domains.
+                // Both sides are normalized: lowercase + trailing-dot stripped.
+                const matchesDomain = (d, pattern) => {
+                    const normalizedPattern = pattern.replace(/\.$/, '').toLowerCase();
+                    return d === normalizedPattern || d.endsWith('.' + normalizedPattern);
+                };
+                if (httpRules.blockList.some((b) => matchesDomain(domain, b))) {
                     return {
-                        decision: 'REQUIRE_APPROVAL',
-                        risk_level,
-                        reason: 'HTTP allowlist not configured — approval required for all HTTP calls',
+                        decision: 'BLOCK',
+                        risk_level: 'critical',
+                        reason: `Domain ${domain} is in block list`,
+                        effective_action_type: effectiveActionType,
                     };
                 }
-                if (!rules.http.allowedDomains.some((d) => matchesDomain(domain, d))) {
-                    return { decision: 'BLOCK', risk_level, reason: `Domain ${domain} not in allowed list` };
+                // DANGEROUS opt-in: if allowAllDomains is true, any domain not in the
+                // blockList is permitted — fall through to the normal rule evaluation.
+                // Otherwise enforce the safe default (empty allowlist → REQUIRE_APPROVAL).
+                if (!httpRules.allowAllDomains) {
+                    if (httpRules.allowedDomains.length === 0) {
+                        // No allowlist configured: safe default is REQUIRE_APPROVAL, not ALLOW.
+                        // This prevents agents from exfiltrating data to arbitrary domains.
+                        return {
+                            decision: 'REQUIRE_APPROVAL',
+                            risk_level,
+                            reason: 'HTTP allowlist not configured — approval required for all HTTP calls',
+                            effective_action_type: effectiveActionType,
+                        };
+                    }
+                    if (!httpRules.allowedDomains.some((d) => matchesDomain(domain, d))) {
+                        return {
+                            decision: 'BLOCK',
+                            risk_level,
+                            reason: `Domain ${domain} not in allowed list`,
+                            effective_action_type: effectiveActionType,
+                        };
+                    }
                 }
             }
             catch {
-                return { decision: 'BLOCK', risk_level: 'critical', reason: 'Invalid URL' };
+                return {
+                    decision: 'BLOCK',
+                    risk_level: 'critical',
+                    reason: 'Invalid URL',
+                    effective_action_type: effectiveActionType,
+                };
             }
         }
         const method = action.payload.method?.toUpperCase();
-        if (method && !rules.http.allowedMethods.includes(method)) {
-            return { decision: 'BLOCK', risk_level, reason: `HTTP method ${method} not allowed` };
+        if (method && !httpRules.allowedMethods.includes(method)) {
+            return {
+                decision: 'BLOCK',
+                risk_level,
+                reason: `HTTP method ${method} not allowed`,
+                effective_action_type: effectiveActionType,
+            };
         }
     }
     if (rules.limits?.maxCostPerAction !== undefined &&
@@ -95,28 +728,100 @@ function evaluatePolicy(action, rules) {
             decision: 'BLOCK',
             risk_level: 'high',
             reason: `Cost estimate ${action.cost_estimate} exceeds limit ${rules.limits.maxCostPerAction}`,
+            effective_action_type: effectiveActionType,
         };
     }
-    // Most specific: tool-specific rule
-    let matched = rules.rules.find((r) => r.tool === action.tool);
-    // Then action-type rule
+    // Most specific: tool-specific rule (case-insensitive to prevent bypasses)
+    let matched = rules.rules.find((r) => r.tool !== undefined && r.tool.toLowerCase() === normalizedTool);
+    // Then action-type rule — match against the EFFECTIVE type so a downgraded
+    // `read` declaration on `stripe.charge` still hits the `financial` rule.
     if (!matched)
-        matched = rules.rules.find((r) => r.action_type === action.action_type);
+        matched = rules.rules.find((r) => r.action_type === effectiveActionType);
+    // Helper: is auto-approval explicitly opted in for this high-risk category?
+    const highRiskOptIn = (cat) => rules.allowHighRiskAutoApproval?.[cat] === true;
+    // Reason suffix that explains a floor upgrade, so the audit trail makes the
+    // downgrade attempt visible to humans reviewing the log.
+    const downgradeSuffix = wasDowngradeAttempt
+        ? ` [category floored: agent declared '${action.action_type}', server classified as '${effectiveActionType}']`
+        : '';
     if (matched) {
+        let finalDecision = matched.decision;
+        // SECURITY: By default, never auto-allow admin/financial actions even via
+        // explicit rules. Workspace admins can opt in via allowHighRiskAutoApproval
+        // (shown with a prominent warning in the UI). Check against the EFFECTIVE
+        // type so floored categories are also covered.
+        if (finalDecision === 'ALLOW' && effectiveActionType === 'financial' && !highRiskOptIn('financial')) {
+            finalDecision = 'REQUIRE_APPROVAL';
+        }
+        if (finalDecision === 'ALLOW' && effectiveActionType === 'admin' && !highRiskOptIn('admin')) {
+            finalDecision = 'REQUIRE_APPROVAL';
+        }
+        // SECURITY: a write that was floored UP (the agent under-declared, or the LLM
+        // reclassified it above the declared type) must not ride a permissive ALLOW
+        // rule. An explicit ALLOW is honored only for an honestly-declared write; a
+        // reclassified one is escalated to approval. financial/admin handled above.
+        if (finalDecision === 'ALLOW' && effectiveActionType === 'write' && wasDowngradeAttempt) {
+            finalDecision = 'REQUIRE_APPROVAL';
+        }
         return {
-            decision: matched.decision,
+            decision: finalDecision,
             risk_level,
-            reason: `Matched rule: ${matched.action_type ?? matched.tool}`,
+            reason: `Matched rule: ${matched.action_type ?? matched.tool}${downgradeSuffix}`,
             matched_rule: matched,
+            effective_action_type: effectiveActionType,
         };
     }
     const defaultDecision = rules.defaultMode === 'allow' ? 'ALLOW' : rules.defaultMode === 'block' ? 'BLOCK' : 'REQUIRE_APPROVAL';
-    return { decision: defaultDecision, risk_level, reason: 'Default policy' };
+    // SECURITY: By default, never auto-allow high-risk actions via permissive default mode.
+    // Opt-in via allowHighRiskAutoApproval honors the permissive default instead.
+    if (defaultDecision === 'ALLOW' && effectiveActionType === 'financial' && !highRiskOptIn('financial')) {
+        return {
+            decision: 'REQUIRE_APPROVAL',
+            risk_level,
+            reason: `Financial actions require approval by default (enable allowHighRiskAutoApproval.financial to change this)${downgradeSuffix}`,
+            effective_action_type: effectiveActionType,
+        };
+    }
+    if (defaultDecision === 'ALLOW' && effectiveActionType === 'admin' && !highRiskOptIn('admin')) {
+        return {
+            decision: 'REQUIRE_APPROVAL',
+            risk_level,
+            reason: `Admin actions require approval by default (enable allowHighRiskAutoApproval.admin to change this)${downgradeSuffix}`,
+            effective_action_type: effectiveActionType,
+        };
+    }
+    // SECURITY: a write floored UP above the declared action_type must not ride a
+    // permissive default ALLOW — escalate the reclassified write to approval.
+    if (defaultDecision === 'ALLOW' && effectiveActionType === 'write' && wasDowngradeAttempt) {
+        return {
+            decision: 'REQUIRE_APPROVAL',
+            risk_level,
+            reason: `Write reclassified above the declared action_type; escalated to approval${downgradeSuffix}`,
+            effective_action_type: effectiveActionType,
+        };
+    }
+    return {
+        decision: defaultDecision,
+        risk_level,
+        reason: `Default policy${downgradeSuffix}`,
+        effective_action_type: effectiveActionType,
+    };
 }
-function buildActionPreview(action) {
-    let summary = `${action.action_type.toUpperCase()} via ${action.tool}`;
+function buildActionPreview(action, effectiveActionType) {
+    const normalizedTool = normalizeToolName(action.tool);
+    // Prefer the server-computed effective type in the preview. Falls back to
+    // the declared type when the caller didn't pass one (e.g. in tests).
+    const effective = effectiveActionType ?? action.action_type;
+    let summary = `${effective.toUpperCase()} via ${action.tool}`;
     let target;
-    if (action.tool.split('.')[0] === 'http') {
+    // Extracted from permission.claude_code payloads so the approval UI can
+    // pre-fill its rule-creation form. Only set when the underlying Claude
+    // Code tool is Bash (path-based rules for Edit/Write are a separate
+    // feature). Already redaction-safe — the routing endpoint runs `redact`
+    // + truncates to 2000 chars before stashing it in the payload.
+    let command;
+    let claudeTool;
+    if (normalizedTool.split('.')[0] === 'http') {
         const url = action.payload.url;
         const method = action.payload.method;
         if (url) {
@@ -129,40 +834,228 @@ function buildActionPreview(action) {
             summary = `${method?.toUpperCase() ?? 'HTTP'} request to ${target}`;
         }
     }
-    else if (action.tool === 'browser.open') {
+    else if (normalizedTool === 'browser.open') {
         const url = action.payload.url;
+        const allowedDomains = Array.isArray(action.payload.allowed_domains)
+            ? action.payload.allowed_domains.filter((d) => typeof d === 'string')
+            : [];
+        let initialHost = '';
         if (url) {
             try {
-                target = new URL(url).hostname;
+                initialHost = new URL(url).hostname;
             }
             catch {
-                target = url;
+                initialHost = url;
             }
-            summary = `Open browser session to ${target}`;
+        }
+        // Approver must see the full allow-list, not just the landing domain.
+        // Previously the preview only surfaced the initial URL's host, so an
+        // agent could request `browser.open` with url=accounts.example.com but
+        // allowed_domains=[attacker.example.com], and the approver would
+        // approve a seemingly narrow session that actually grants broader
+        // reach. Summary lists every domain the session will accept.
+        const extraDomains = allowedDomains.filter((d) => d !== initialHost);
+        target = initialHost || url || 'browser session';
+        if (url) {
+            summary = extraDomains.length > 0
+                ? `Open browser session to ${initialHost} (also allows: ${extraDomains.join(', ')})`
+                : `Open browser session to ${initialHost}`;
         }
         else {
-            summary = 'Open browser session';
+            summary = allowedDomains.length > 0
+                ? `Open browser session (allows: ${allowedDomains.join(', ')})`
+                : 'Open browser session';
         }
     }
-    else if (action.tool === 'mcp.list_tools') {
+    else if (normalizedTool === 'mcp.list_tools') {
         const server = action.payload.server;
         target = server;
         summary = `List available tools on MCP server "${server ?? 'unknown'}"`;
     }
-    else if (action.tool === 'mcp.call_tool') {
+    else if (normalizedTool === 'mcp.call_tool') {
         const server = action.payload.server;
         const method = action.payload.method;
         target = server;
         summary = `Call "${method ?? 'unknown'}" on MCP server "${server ?? 'unknown'}"`;
     }
-    else if (action.tool === 'demo') {
-        summary = `Write to demo table: ${JSON.stringify((0, redact_js_1.redact)(action.payload)).slice(0, 80)}`;
+    else if (normalizedTool === 'permission.claude_code') {
+        const claudeToolName = action.payload.tool_name;
+        const cmd = action.payload.command;
+        const filePath = action.payload.file_path;
+        const cwd = action.payload.cwd;
+        target = filePath ?? cwd;
+        claudeTool = claudeToolName;
+        if (claudeToolName === 'Bash' && cmd) {
+            command = cmd;
+            const shortenedCommand = cmd.length > 120
+                ? `${cmd.slice(0, 117)}...`
+                : cmd;
+            summary = `Allow Claude Code to run "${shortenedCommand}"`;
+        }
+        else if (filePath) {
+            summary = `Allow Claude Code ${claudeToolName ?? 'tool'} on ${filePath}`;
+        }
+        else {
+            summary = `Allow Claude Code ${claudeToolName ?? 'tool'} action`;
+        }
+    }
+    else if (normalizedTool === 'ssh.run') {
+        const host = action.payload.host;
+        const user = action.payload.user;
+        const port = action.payload.port;
+        const command = action.payload.command;
+        const sessionId = action.payload.session_id;
+        const targetSuffix = port && port !== 22 ? `:${port}` : '';
+        target = host ? `${user ?? 'unknown'}@${host}${targetSuffix}` : undefined;
+        const shortenedCommand = typeof command === 'string' && command.length > 0
+            ? command.length > 80
+                ? `${command.slice(0, 77)}...`
+                : command
+            : 'unknown command';
+        const sessionSuffix = sessionId ? ' (in existing session)' : '';
+        summary = target
+            ? `Run SSH command "${shortenedCommand}" on ${target}${sessionSuffix}`
+            : `Run SSH command "${shortenedCommand}"${sessionSuffix}`;
+    }
+    else if (normalizedTool === 'ssh.open') {
+        const host = action.payload.host;
+        const user = action.payload.user;
+        const port = action.payload.port;
+        const targetSuffix = port && port !== 22 ? `:${port}` : '';
+        target = host ? `${user ?? 'unknown'}@${host}${targetSuffix}` : undefined;
+        summary = target
+            ? `Open persistent SSH session to ${target}`
+            : 'Open persistent SSH session';
+    }
+    else if (normalizedTool === 'ssh.close') {
+        const sessionId = action.payload.session_id;
+        target = sessionId;
+        summary = sessionId
+            ? `Close SSH session ${sessionId.slice(0, 12)}…`
+            : 'Close SSH session';
     }
+    // Impact text reflects the effective category (so write/financial/admin all
+    // surface a warning, not just the declared category).
+    let impact;
+    if (effective === 'admin')
+        impact = 'Administrative action — privileged change';
+    else if (effective === 'financial')
+        impact = 'Financial action — money movement';
+    else if (effective === 'write')
+        impact = 'Data will be modified';
     return {
         summary,
         target,
-        impact: action.action_type === 'write' ? 'Data will be modified' : undefined,
+        impact,
         cost_estimate: action.cost_estimate,
+        declared_action_type: action.action_type,
+        effective_action_type: effective,
+        ...(command !== undefined && { command }),
+        ...(claudeTool !== undefined && { claude_tool: claudeTool }),
     };
 }
+/**
+ * Suggest a Claude Code Bash policy pattern from a raw command string. Used
+ * by the "Approve and remember" affordance in the approval UI to pre-fill
+ * the rule-creation form with a sensible default; admins can edit the
+ * suggestion before submitting.
+ *
+ * Heuristic (in order):
+ *  - Empty / whitespace-only → empty string (UI handles this).
+ *  - Quoted segments (`"..."`, `'...'`) are removed before tokenising so
+ *    `git commit -m "fix bug"` → tokens `[git, commit, -m]`, not five
+ *    fragmented strings.
+ *  - Single token → `<token>` (exact match for that bare command).
+ *  - Two tokens, second is a flag (`-x`, `--long`) → `<first> *`.
+ *  - Two tokens, second looks like a path (starts with `/`, `.`, `~`, `\\`)
+ *    → `<first> *`. Pinning the path makes the rule too narrow; dropping
+ *    it makes nothing match. Falling back to `<first> *` is the safest
+ *    middle ground; the admin can tighten further if they want.
+ *  - Two+ tokens, second is non-flag → `<first> <second> *` (typical
+ *    subcommand form: `git push *`, `kubectl apply *`).
+ *
+ * The output is always a glob the routing endpoint understands. Admins
+ * can switch to a regex via `/.../` if they need finer control.
+ */
+function suggestClaudeBashPattern(command) {
+    // Strip quoted segments first so a single-quoted commit message like
+    // `git commit -m "wip: fix"` doesn't tokenise into the five-token mess
+    // `[git, commit, -m, "wip:, fix"]` and lock the suggestion to whatever
+    // happened to land at index 1.
+    const cleaned = command.replace(/"[^"]*"|'[^']*'/g, ' ');
+    const tokens = cleaned.trim().split(/\s+/).filter(Boolean);
+    if (tokens.length === 0)
+        return '';
+    if (tokens.length === 1)
+        return tokens[0];
+    const [first, second] = tokens;
+    if (second.startsWith('-'))
+        return `${first} *`;
+    // Subcommand-style second token: alphanumeric + `-` / `_` only. Anything
+    // else (path operand, shell meta, URL, JSON literal, …) drops to
+    // `<first> *` — pinning a path makes the rule too specific to be
+    // useful, and pinning a shell meta produces nonsense like `echo | *`.
+    // Single source of truth for both concerns.
+    if (!/^[a-zA-Z0-9_-]+$/.test(second))
+        return `${first} *`;
+    return `${first} ${second} *`;
+}
+// ---------------------------------------------------------------------------
+// VPN route resolution
+// ---------------------------------------------------------------------------
+// Policies can carry a `vpnRoutes` table that pins specific domains to a
+// specific WireGuard credential. The runner calls `resolveVpnRoute(host,
+// rules.vpnRoutes)` before resolving credentials so the matched route
+// wins over the credential's own `vpn_credential_id` default.
+//
+// Matching rules:
+//   - "example.com"   → exact hostname match (case-insensitive)
+//   - "*.example.com" → matches any single-or-multi-level SUBDOMAIN of
+//                       example.com (e.g. "www.example.com",
+//                       "a.b.example.com"), NOT "example.com" itself
+//   - First entry in the array wins; later matches are ignored.
+//
+// Invalid patterns (empty string, whitespace-only, `*`-only) are silently
+// skipped rather than throwing — the Zod schema already rejects them at
+// save time, but this path stays robust if a malformed entry sneaks in.
+/** Return the vpnCredentialId matching `host`, or `undefined` if no route
+ *  matches (or `host`/`routes` is missing/empty). */
+function resolveVpnRoute(host, routes) {
+    if (!host || !routes || routes.length === 0)
+        return undefined;
+    const target = host.trim().toLowerCase().replace(/\.$/, ''); // drop trailing dot from FQDN forms
+    if (!target)
+        return undefined;
+    for (const route of routes) {
+        const pattern = (route.domainPattern ?? '').trim().toLowerCase();
+        if (!pattern)
+            continue;
+        if (pattern.startsWith('*.')) {
+            // Wildcard subdomain: the suffix after "*." must be non-empty, and
+            // `target` must end with ".<suffix>". Bare suffix does NOT match.
+            const suffix = pattern.slice(2);
+            if (!suffix)
+                continue;
+            if (target.endsWith('.' + suffix))
+                return route.vpnCredentialId;
+            continue;
+        }
+        if (target === pattern)
+            return route.vpnCredentialId;
+    }
+    return undefined;
+}
+/** Parse a URL string and return its hostname in lowercase, or `undefined`
+ *  if the input isn't a parseable URL. Used by the runner to extract the
+ *  routing key for http.request / browser.open actions. */
+function hostnameFromUrl(url) {
+    if (!url || typeof url !== 'string')
+        return undefined;
+    try {
+        return new URL(url).hostname.toLowerCase();
+    }
+    catch {
+        return undefined;
+    }
+}
 //# sourceMappingURL=policy.js.map