agileflow 2.77.0 → 2.78.0

package/scripts/agileflow-welcome.js

@@ -346,6 +346,67 @@ function checkPreCompact(rootDir) {
   return result;
 }
 
+function checkDamageControl(rootDir) {
+  const result = { configured: false, level: null, patternCount: 0, scriptsOk: true };
+
+  try {
+    // Check if PreToolUse hooks are configured in settings
+    const settingsPath = path.join(rootDir, '.claude/settings.json');
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+      if (settings.hooks?.PreToolUse && Array.isArray(settings.hooks.PreToolUse)) {
+        // Check for damage-control hooks
+        const hasDamageControlHooks = settings.hooks.PreToolUse.some(
+          h => h.hooks?.some(hk => hk.command?.includes('damage-control'))
+        );
+        if (hasDamageControlHooks) {
+          result.configured = true;
+
+          // Count how many hooks are present (should be 3: Bash, Edit, Write)
+          const dcHooks = settings.hooks.PreToolUse.filter(h =>
+            h.hooks?.some(hk => hk.command?.includes('damage-control'))
+          );
+          result.hooksCount = dcHooks.length;
+
+          // Check if all required scripts exist
+          const scriptsDir = path.join(rootDir, '.agileflow', 'scripts');
+          const requiredScripts = [
+            'damage-control-bash.js',
+            'damage-control-edit.js',
+            'damage-control-write.js',
+          ];
+          for (const script of requiredScripts) {
+            if (!fs.existsSync(path.join(scriptsDir, script))) {
+              result.scriptsOk = false;
+              break;
+            }
+          }
+        }
+      }
+    }
+
+    // Get protection level and pattern count from metadata
+    const metadataPath = path.join(rootDir, 'docs/00-meta/agileflow-metadata.json');
+    if (fs.existsSync(metadataPath)) {
+      const metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8'));
+      if (metadata.features?.damagecontrol) {
+        result.level = metadata.features.damagecontrol.protectionLevel || 'standard';
+      }
+    }
+
+    // Count patterns in config file
+    const patternsPath = path.join(rootDir, '.agileflow', 'config', 'damage-control-patterns.yaml');
+    if (fs.existsSync(patternsPath)) {
+      const content = fs.readFileSync(patternsPath, 'utf8');
+      // Count pattern entries (lines starting with "  - pattern:")
+      const patternMatches = content.match(/^\s*-\s*pattern:/gm);
+      result.patternCount = patternMatches ? patternMatches.length : 0;
+    }
+  } catch (e) {}
+
+  return result;
+}
+
 // Compare semantic versions: returns -1 if a < b, 0 if equal, 1 if a > b
 function compareVersions(a, b) {
   if (!a || !b) return 0;
@@ -611,7 +672,8 @@ function formatTable(
   precompact,
   parallelSessions,
   updateInfo = {},
-  expertise = {}
+  expertise = {},
+  damageControl = {}
 ) {
   const W = 58; // inner width
   const R = W - 24; // right column width (34 chars)
@@ -783,6 +845,20 @@ function formatTable(
     }
   }
 
+  // Damage control status (PreToolUse hooks for dangerous command protection)
+  if (damageControl && damageControl.configured) {
+    if (!damageControl.scriptsOk) {
+      lines.push(row('Damage control', '⚠️ scripts missing', c.coral, c.coral));
+    } else {
+      const levelStr = damageControl.level || 'standard';
+      const patternStr = damageControl.patternCount > 0 ? `${damageControl.patternCount} patterns` : '';
+      const dcStatus = `🛡️ ${levelStr}${patternStr ? ` (${patternStr})` : ''}`;
+      lines.push(row('Damage control', dcStatus, c.lavender, c.mintGreen));
+    }
+  } else {
+    lines.push(row('Damage control', 'not configured', c.slate, c.slate));
+  }
+
   lines.push(divider());
 
   // Current story (colorful like obtain-context)
@@ -816,6 +892,7 @@ async function main() {
   const precompact = checkPreCompact(rootDir);
   const parallelSessions = checkParallelSessions(rootDir);
   const expertise = validateExpertise(rootDir);
+  const damageControl = checkDamageControl(rootDir);
 
   // Check for updates (async, cached)
   let updateInfo = {};
@@ -840,7 +917,7 @@ async function main() {
   }
 
   console.log(
-    formatTable(info, archival, session, precompact, parallelSessions, updateInfo, expertise)
+    formatTable(info, archival, session, precompact, parallelSessions, updateInfo, expertise, damageControl)
   );
 
   // Show warning and tip if other sessions are active (vibrant colors)

package/scripts/damage-control-bash.js

@@ -0,0 +1,232 @@
+#!/usr/bin/env node
+/**
+ * damage-control-bash.js - PreToolUse hook for Bash tool
+ *
+ * Validates bash commands against patterns in damage-control-patterns.yaml
+ * before execution. Part of AgileFlow's damage control system.
+ *
+ * Exit codes:
+ *   0 - Allow command (or ask via JSON output)
+ *   2 - Block command
+ *
+ * For "ask" response, output JSON to stdout:
+ *   { "result": "ask", "message": "Confirm this action?" }
+ *
+ * Usage: Configured as PreToolUse hook in .claude/settings.json
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// Color codes for output
+const c = {
+  red: '\x1b[38;5;203m',
+  yellow: '\x1b[38;5;215m',
+  reset: '\x1b[0m',
+  dim: '\x1b[2m'
+};
+
+/**
+ * Find project root by looking for .agileflow directory
+ */
+function findProjectRoot() {
+  let dir = process.cwd();
+  while (dir !== '/') {
+    if (fs.existsSync(path.join(dir, '.agileflow'))) {
+      return dir;
+    }
+    dir = path.dirname(dir);
+  }
+  return process.cwd();
+}
+
+/**
+ * Parse simplified YAML for damage control patterns
+ * Only parses the structure we need - not a full YAML parser
+ */
+function parseSimpleYAML(content) {
+  const config = {
+    bashToolPatterns: [],
+    askPatterns: [],
+    agileflowProtections: []
+  };
+
+  let currentSection = null;
+  let currentPattern = null;
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+
+    // Skip empty lines and comments
+    if (!trimmed || trimmed.startsWith('#')) continue;
+
+    // Detect section headers
+    if (trimmed === 'bashToolPatterns:') {
+      currentSection = 'bashToolPatterns';
+      currentPattern = null;
+    } else if (trimmed === 'askPatterns:') {
+      currentSection = 'askPatterns';
+      currentPattern = null;
+    } else if (trimmed === 'agileflowProtections:') {
+      currentSection = 'agileflowProtections';
+      currentPattern = null;
+    } else if (trimmed.endsWith(':') && !trimmed.startsWith('-')) {
+      // Other sections we don't care about for bash validation
+      currentSection = null;
+      currentPattern = null;
+    } else if (trimmed.startsWith('- pattern:') && currentSection) {
+      // New pattern entry
+      const patternValue = trimmed.replace('- pattern:', '').trim().replace(/^["']|["']$/g, '');
+      currentPattern = { pattern: patternValue };
+      config[currentSection].push(currentPattern);
+    } else if (trimmed.startsWith('reason:') && currentPattern) {
+      currentPattern.reason = trimmed.replace('reason:', '').trim().replace(/^["']|["']$/g, '');
+    } else if (trimmed.startsWith('flags:') && currentPattern) {
+      currentPattern.flags = trimmed.replace('flags:', '').trim().replace(/^["']|["']$/g, '');
+    }
+  }
+
+  return config;
+}
+
+/**
+ * Load patterns configuration from YAML file
+ */
+function loadPatterns(projectRoot) {
+  const configPaths = [
+    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yaml'),
+    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yml'),
+    path.join(projectRoot, '.agileflow/templates/damage-control-patterns.yaml')
+  ];
+
+  for (const configPath of configPaths) {
+    if (fs.existsSync(configPath)) {
+      try {
+        const content = fs.readFileSync(configPath, 'utf8');
+        return parseSimpleYAML(content);
+      } catch (e) {
+        // Continue to next path
+      }
+    }
+  }
+
+  // Return empty config if no file found (fail-open)
+  return { bashToolPatterns: [], askPatterns: [], agileflowProtections: [] };
+}
+
+/**
+ * Test command against a single pattern rule
+ */
+function matchesPattern(command, rule) {
+  try {
+    const flags = rule.flags || '';
+    const regex = new RegExp(rule.pattern, flags);
+    return regex.test(command);
+  } catch (e) {
+    // Invalid regex - skip this pattern
+    return false;
+  }
+}
+
+/**
+ * Validate command against all patterns
+ */
+function validateCommand(command, config) {
+  // Check blocked patterns (bashToolPatterns + agileflowProtections)
+  const blockedPatterns = [
+    ...(config.bashToolPatterns || []),
+    ...(config.agileflowProtections || [])
+  ];
+
+  for (const rule of blockedPatterns) {
+    if (matchesPattern(command, rule)) {
+      return {
+        action: 'block',
+        reason: rule.reason || 'Command blocked by damage control'
+      };
+    }
+  }
+
+  // Check ask patterns
+  for (const rule of config.askPatterns || []) {
+    if (matchesPattern(command, rule)) {
+      return {
+        action: 'ask',
+        reason: rule.reason || 'Please confirm this command'
+      };
+    }
+  }
+
+  // Allow by default
+  return { action: 'allow' };
+}
+
+/**
+ * Main function - read input and validate
+ */
+function main() {
+  const projectRoot = findProjectRoot();
+  let inputData = '';
+
+  process.stdin.setEncoding('utf8');
+
+  process.stdin.on('data', chunk => {
+    inputData += chunk;
+  });
+
+  process.stdin.on('end', () => {
+    try {
+      // Parse tool input from Claude Code
+      const input = JSON.parse(inputData);
+      const command = input.command || input.tool_input?.command || '';
+
+      if (!command) {
+        // No command to validate - allow
+        process.exit(0);
+      }
+
+      // Load patterns and validate
+      const config = loadPatterns(projectRoot);
+      const result = validateCommand(command, config);
+
+      switch (result.action) {
+        case 'block':
+          // Output error message and block
+          console.error(`${c.red}[BLOCKED]${c.reset} ${result.reason}`);
+          console.error(`${c.dim}Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}${c.reset}`);
+          process.exit(2);
+          break;
+
+        case 'ask':
+          // Output JSON to trigger user confirmation
+          console.log(JSON.stringify({
+            result: 'ask',
+            message: result.reason
+          }));
+          process.exit(0);
+          break;
+
+        case 'allow':
+        default:
+          // Allow command to proceed
+          process.exit(0);
+      }
+    } catch (e) {
+      // Parse error or other issue - fail open
+      // This ensures broken config doesn't block all commands
+      process.exit(0);
+    }
+  });
+
+  // Handle no stdin (direct invocation)
+  process.stdin.on('error', () => {
+    process.exit(0);
+  });
+
+  // Set timeout to prevent hanging
+  setTimeout(() => {
+    process.exit(0);
+  }, 4000);
+}
+
+main();

package/scripts/damage-control-edit.js

@@ -0,0 +1,243 @@
+#!/usr/bin/env node
+/**
+ * damage-control-edit.js - PreToolUse hook for Edit tool
+ *
+ * Validates file paths against access control patterns in damage-control-patterns.yaml
+ * before allowing file edits. Part of AgileFlow's damage control system.
+ *
+ * Exit codes:
+ *   0 - Allow operation
+ *   2 - Block operation
+ *
+ * Usage: Configured as PreToolUse hook in .claude/settings.json
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+// Color codes for output
+const c = {
+  red: '\x1b[38;5;203m',
+  reset: '\x1b[0m',
+  dim: '\x1b[2m'
+};
+
+/**
+ * Find project root by looking for .agileflow directory
+ */
+function findProjectRoot() {
+  let dir = process.cwd();
+  while (dir !== '/') {
+    if (fs.existsSync(path.join(dir, '.agileflow'))) {
+      return dir;
+    }
+    dir = path.dirname(dir);
+  }
+  return process.cwd();
+}
+
+/**
+ * Expand ~ to home directory
+ */
+function expandPath(p) {
+  if (p.startsWith('~/')) {
+    return path.join(os.homedir(), p.slice(2));
+  }
+  return p;
+}
+
+/**
+ * Parse simplified YAML for path patterns
+ */
+function parseSimpleYAML(content) {
+  const config = {
+    zeroAccessPaths: [],
+    readOnlyPaths: [],
+    noDeletePaths: []
+  };
+
+  let currentSection = null;
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+
+    // Skip empty lines and comments
+    if (!trimmed || trimmed.startsWith('#')) continue;
+
+    // Detect section headers
+    if (trimmed === 'zeroAccessPaths:') {
+      currentSection = 'zeroAccessPaths';
+    } else if (trimmed === 'readOnlyPaths:') {
+      currentSection = 'readOnlyPaths';
+    } else if (trimmed === 'noDeletePaths:') {
+      currentSection = 'noDeletePaths';
+    } else if (trimmed.endsWith(':') && !trimmed.startsWith('-')) {
+      // Other sections we don't care about for path validation
+      currentSection = null;
+    } else if (trimmed.startsWith('- ') && currentSection && config[currentSection]) {
+      // Path entry
+      const pathValue = trimmed.slice(2).replace(/^["']|["']$/g, '');
+      config[currentSection].push(pathValue);
+    }
+  }
+
+  return config;
+}
+
+/**
+ * Load patterns configuration from YAML file
+ */
+function loadPatterns(projectRoot) {
+  const configPaths = [
+    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yaml'),
+    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yml'),
+    path.join(projectRoot, '.agileflow/templates/damage-control-patterns.yaml')
+  ];
+
+  for (const configPath of configPaths) {
+    if (fs.existsSync(configPath)) {
+      try {
+        const content = fs.readFileSync(configPath, 'utf8');
+        return parseSimpleYAML(content);
+      } catch (e) {
+        // Continue to next path
+      }
+    }
+  }
+
+  // Return empty config if no file found (fail-open)
+  return { zeroAccessPaths: [], readOnlyPaths: [], noDeletePaths: [] };
+}
+
+/**
+ * Check if a file path matches any of the protected patterns
+ */
+function pathMatches(filePath, patterns) {
+  if (!filePath) return null;
+
+  const normalizedPath = path.resolve(filePath);
+  const relativePath = path.relative(process.cwd(), normalizedPath);
+
+  for (const pattern of patterns) {
+    const expandedPattern = expandPath(pattern);
+
+    // Check if pattern is a directory prefix
+    if (pattern.endsWith('/')) {
+      const patternDir = expandedPattern.slice(0, -1);
+      if (normalizedPath.startsWith(patternDir)) {
+        return pattern;
+      }
+    }
+
+    // Check exact match
+    if (normalizedPath === expandedPattern) {
+      return pattern;
+    }
+
+    // Check if normalized path ends with pattern (for filenames like "id_rsa")
+    if (normalizedPath.endsWith(pattern) || relativePath.endsWith(pattern)) {
+      return pattern;
+    }
+
+    // Check if pattern appears in path (for patterns like "*.pem")
+    if (pattern.startsWith('*')) {
+      const ext = pattern.slice(1);
+      if (normalizedPath.endsWith(ext) || relativePath.endsWith(ext)) {
+        return pattern;
+      }
+    }
+
+    // Check if path contains pattern (for things like ".env.production")
+    const patternBase = path.basename(pattern);
+    if (path.basename(normalizedPath) === patternBase) {
+      return pattern;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Validate file path for edit operation
+ */
+function validatePath(filePath, config) {
+  // Check zero access paths - completely blocked
+  const zeroMatch = pathMatches(filePath, config.zeroAccessPaths || []);
+  if (zeroMatch) {
+    return {
+      action: 'block',
+      reason: `Zero-access path: ${zeroMatch}`,
+      detail: 'This file is protected and cannot be accessed'
+    };
+  }
+
+  // Check read-only paths - cannot edit
+  const readOnlyMatch = pathMatches(filePath, config.readOnlyPaths || []);
+  if (readOnlyMatch) {
+    return {
+      action: 'block',
+      reason: `Read-only path: ${readOnlyMatch}`,
+      detail: 'This file is read-only and cannot be edited'
+    };
+  }
+
+  // Allow by default
+  return { action: 'allow' };
+}
+
+/**
+ * Main function - read input and validate
+ */
+function main() {
+  const projectRoot = findProjectRoot();
+  let inputData = '';
+
+  process.stdin.setEncoding('utf8');
+
+  process.stdin.on('data', chunk => {
+    inputData += chunk;
+  });
+
+  process.stdin.on('end', () => {
+    try {
+      // Parse tool input from Claude Code
+      const input = JSON.parse(inputData);
+      const filePath = input.file_path || input.tool_input?.file_path || '';
+
+      if (!filePath) {
+        // No path to validate - allow
+        process.exit(0);
+      }
+
+      // Load patterns and validate
+      const config = loadPatterns(projectRoot);
+      const result = validatePath(filePath, config);
+
+      if (result.action === 'block') {
+        console.error(`${c.red}[BLOCKED]${c.reset} ${result.reason}`);
+        console.error(`${c.dim}${result.detail}${c.reset}`);
+        console.error(`${c.dim}File: ${filePath}${c.reset}`);
+        process.exit(2);
+      }
+
+      // Allow
+      process.exit(0);
+    } catch (e) {
+      // Parse error or other issue - fail open
+      process.exit(0);
+    }
+  });
+
+  // Handle no stdin
+  process.stdin.on('error', () => {
+    process.exit(0);
+  });
+
+  // Set timeout to prevent hanging
+  setTimeout(() => {
+    process.exit(0);
+  }, 4000);
+}
+
+main();