agileflow 2.78.0 → 2.79.0

package/scripts/damage-control/edit-tool-damage-control.js

@@ -0,0 +1,279 @@
+#!/usr/bin/env node
+
+/**
+ * edit-tool-damage-control.js - Enforce path protection for Edit tool
+ *
+ * This PreToolUse hook runs before every Edit tool execution.
+ * It checks the file path against patterns.yaml to block edits
+ * to protected paths.
+ *
+ * Path protection levels:
+ *   zeroAccessPaths: Cannot read, write, edit, or delete
+ *   readOnlyPaths: Can read, cannot modify or delete
+ *   noDeletePaths: Can read and modify, cannot delete (Edit is allowed)
+ *
+ * Exit codes:
+ *   0 = Allow edit to proceed
+ *   2 = Block edit
+ *
+ * Usage (as PreToolUse hook):
+ *   node .claude/hooks/damage-control/edit-tool-damage-control.js
+ *
+ * Environment:
+ *   CLAUDE_TOOL_INPUT - JSON string with tool input (contains "file_path")
+ *   CLAUDE_PROJECT_DIR - Project root directory
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// ANSI colors for output
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  red: '\x1b[31m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
+};
+
+// Exit codes
+const EXIT_ALLOW = 0;
+const EXIT_BLOCK = 2;
+
+/**
+ * Load path protection rules from patterns.yaml
+ */
+function loadPathRules(projectDir) {
+  const locations = [
+    path.join(projectDir, '.claude/hooks/damage-control/patterns.yaml'),
+    path.join(projectDir, '.agileflow/hooks/damage-control/patterns.yaml'),
+    path.join(projectDir, 'patterns.yaml'),
+  ];
+
+  for (const loc of locations) {
+    if (fs.existsSync(loc)) {
+      try {
+        const content = fs.readFileSync(loc, 'utf8');
+        return parsePathRules(content);
+      } catch (e) {
+        console.error(`Warning: Could not parse ${loc}: ${e.message}`);
+      }
+    }
+  }
+
+  return getDefaultPathRules();
+}
+
+/**
+ * Parse path rules from YAML content
+ */
+function parsePathRules(content) {
+  const rules = {
+    zeroAccessPaths: [],
+    readOnlyPaths: [],
+    noDeletePaths: [],
+  };
+
+  let currentSection = null;
+
+  const lines = content.split('\n');
+
+  for (const line of lines) {
+    if (line.trim().startsWith('#') || line.trim() === '') continue;
+
+    if (line.match(/^zeroAccessPaths:/)) {
+      currentSection = 'zeroAccessPaths';
+      continue;
+    }
+    if (line.match(/^readOnlyPaths:/)) {
+      currentSection = 'readOnlyPaths';
+      continue;
+    }
+    if (line.match(/^noDeletePaths:/)) {
+      currentSection = 'noDeletePaths';
+      continue;
+    }
+    if (line.match(/^(bashToolPatterns|askPatterns|agileflowPatterns|config):/)) {
+      currentSection = null;
+      continue;
+    }
+
+    if (currentSection && rules[currentSection]) {
+      const pathMatch = line.match(/^\s+-\s*['"]?(.+?)['"]?\s*$/);
+      if (pathMatch) {
+        rules[currentSection].push(pathMatch[1]);
+      }
+    }
+  }
+
+  return rules;
+}
+
+/**
+ * Default path rules if patterns.yaml not found
+ */
+function getDefaultPathRules() {
+  return {
+    zeroAccessPaths: [
+      '~/.ssh/',
+      '~/.aws/credentials',
+      '.env',
+      '.env.local',
+      '.env.production',
+    ],
+    readOnlyPaths: [
+      '/etc/',
+      '~/.bashrc',
+      '~/.zshrc',
+      'package-lock.json',
+      'yarn.lock',
+      '.git/',
+    ],
+    noDeletePaths: [
+      '.agileflow/',
+      '.claude/',
+      'docs/09-agents/status.json',
+      'CLAUDE.md',
+    ],
+  };
+}
+
+/**
+ * Expand home directory in path
+ */
+function expandHome(filePath) {
+  if (filePath.startsWith('~/')) {
+    return path.join(process.env.HOME || '', filePath.slice(2));
+  }
+  return filePath;
+}
+
+/**
+ * Check if a file path matches a pattern
+ * Supports:
+ *   - Exact paths
+ *   - Directory prefixes (ending with /)
+ *   - Glob wildcards (**)
+ */
+function pathMatches(filePath, pattern) {
+  const expandedPattern = expandHome(pattern);
+  const normalizedFile = path.normalize(filePath);
+  const normalizedPattern = path.normalize(expandedPattern);
+
+  // Exact match
+  if (normalizedFile === normalizedPattern) return true;
+
+  // Directory prefix match (pattern ends with /)
+  if (pattern.endsWith('/')) {
+    if (normalizedFile.startsWith(normalizedPattern)) return true;
+  }
+
+  // Glob pattern (**/)
+  if (pattern.includes('**/')) {
+    const globPart = pattern.split('**/')[1];
+    if (normalizedFile.includes(globPart)) return true;
+  }
+
+  // Simple wildcard at end
+  if (pattern.endsWith('*')) {
+    const prefix = normalizedPattern.slice(0, -1);
+    if (normalizedFile.startsWith(prefix)) return true;
+  }
+
+  // Basename match (for patterns like .env)
+  if (!pattern.includes('/') && !pattern.includes(path.sep)) {
+    const basename = path.basename(normalizedFile);
+    if (basename === pattern) return true;
+    // Pattern like .env* matching .env.local
+    if (pattern.endsWith('*')) {
+      const patternBase = pattern.slice(0, -1);
+      if (basename.startsWith(patternBase)) return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Check if file path is protected
+ * Returns: { blocked: boolean, reason: string, level: string }
+ */
+function checkPath(filePath, rules) {
+  // Check zero access paths (blocked completely)
+  for (const pattern of rules.zeroAccessPaths) {
+    if (pathMatches(filePath, pattern)) {
+      return {
+        blocked: true,
+        reason: `Path is in zero-access protected list: ${pattern}`,
+        level: 'zero-access',
+      };
+    }
+  }
+
+  // Check read-only paths (cannot edit)
+  for (const pattern of rules.readOnlyPaths) {
+    if (pathMatches(filePath, pattern)) {
+      return {
+        blocked: true,
+        reason: `Path is read-only: ${pattern}`,
+        level: 'read-only',
+      };
+    }
+  }
+
+  // noDeletePaths allows editing, so we don't block here
+  // (deletion is handled by a different mechanism or file watcher)
+
+  return { blocked: false, reason: null, level: null };
+}
+
+/**
+ * Main entry point
+ */
+function main() {
+  const toolInput = process.env.CLAUDE_TOOL_INPUT;
+  const projectDir = process.env.CLAUDE_PROJECT_DIR || process.cwd();
+
+  if (!toolInput) {
+    process.exit(EXIT_ALLOW);
+  }
+
+  let input;
+  try {
+    input = JSON.parse(toolInput);
+  } catch (e) {
+    console.error('Error parsing CLAUDE_TOOL_INPUT:', e.message);
+    process.exit(EXIT_ALLOW);
+  }
+
+  const filePath = input.file_path;
+  if (!filePath) {
+    process.exit(EXIT_ALLOW);
+  }
+
+  // Resolve to absolute path
+  const absolutePath = path.isAbsolute(filePath)
+    ? filePath
+    : path.join(projectDir, filePath);
+
+  // Load rules
+  const rules = loadPathRules(projectDir);
+
+  // Check path
+  const result = checkPath(absolutePath, rules);
+
+  if (result.blocked) {
+    console.error(`${c.red}${c.bold}BLOCKED${c.reset}: ${result.reason}`);
+    console.error(`${c.yellow}File: ${filePath}${c.reset}`);
+    console.error(`${c.cyan}This file is protected by damage control (${result.level}).${c.reset}`);
+    process.exit(EXIT_BLOCK);
+  }
+
+  process.exit(EXIT_ALLOW);
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { checkPath, loadPathRules, pathMatches };

package/scripts/damage-control/patterns.yaml

@@ -0,0 +1,227 @@
+# AgileFlow Damage Control - Security Patterns
+#
+# This file defines patterns for blocking destructive commands and protecting
+# sensitive paths. The damage control hooks read this file to determine
+# whether to allow, block, or ask for confirmation before executing commands.
+#
+# Exit codes from hooks:
+#   0 = Allow command to proceed
+#   2 = Block command (show error to user)
+#
+# To ask for confirmation, hooks output JSON: {"result": "ask", "message": "..."}
+
+# ============================================================================
+# BASH TOOL PATTERNS
+# ============================================================================
+# Regex patterns to match against bash commands
+# If matched with ask: false (or no ask key), command is BLOCKED
+# If matched with ask: true, user is asked for confirmation
+
+bashToolPatterns:
+  # Recursive/force deletion
+  - pattern: '\brm\s+-[rRf]'
+    reason: "rm with recursive or force flags can destroy entire directories"
+
+  - pattern: '\brm\s+.*--no-preserve-root'
+    reason: "rm with --no-preserve-root is catastrophically dangerous"
+
+  - pattern: '\brm\s+-rf\s+/'
+    reason: "rm -rf on root directory would destroy the entire system"
+
+  # SQL destructive commands without WHERE clause
+  - pattern: 'DELETE\s+FROM\s+\w+\s*;'
+    reason: "DELETE without WHERE clause would delete all records"
+
+  - pattern: 'TRUNCATE\s+(TABLE\s+)?\w+'
+    reason: "TRUNCATE removes all data from table"
+
+  - pattern: 'DROP\s+(TABLE|DATABASE|SCHEMA|INDEX)'
+    reason: "DROP commands permanently destroy database objects"
+
+  # Git force operations
+  - pattern: 'git\s+push\s+.*--force'
+    reason: "Force push can overwrite remote history"
+    ask: true
+
+  - pattern: 'git\s+push\s+.*-f\b'
+    reason: "Force push can overwrite remote history"
+    ask: true
+
+  - pattern: 'git\s+reset\s+--hard'
+    reason: "Hard reset discards uncommitted changes"
+    ask: true
+
+  # Format/wipe operations
+  - pattern: '\bmkfs\b'
+    reason: "mkfs formats filesystems, destroying all data"
+
+  - pattern: '\bdd\s+.*of=/dev/'
+    reason: "dd writing to device can destroy disk data"
+
+  - pattern: '\bshred\b'
+    reason: "shred permanently destroys file data"
+
+  # Credential/secret exposure
+  - pattern: 'cat\s+.*\.env'
+    reason: "Displaying .env may expose secrets"
+    ask: true
+
+  - pattern: 'cat\s+.*/\.ssh/'
+    reason: "Displaying SSH keys is a security risk"
+
+  - pattern: 'cat\s+.*/credentials'
+    reason: "Displaying credentials files is a security risk"
+
+  # Cloud CLI destructive operations
+  - pattern: 'aws\s+s3\s+rm\s+--recursive'
+    reason: "Recursive S3 delete can destroy entire buckets"
+    ask: true
+
+  - pattern: 'aws\s+ec2\s+terminate-instances'
+    reason: "Terminating EC2 instances is irreversible"
+    ask: true
+
+  - pattern: 'gcloud\s+.*delete'
+    reason: "GCloud delete operations may be destructive"
+    ask: true
+
+  # Docker cleanup commands
+  - pattern: 'docker\s+system\s+prune\s+-a'
+    reason: "Docker prune -a removes all unused images"
+    ask: true
+
+  - pattern: 'docker\s+volume\s+rm'
+    reason: "Docker volume removal may delete persistent data"
+    ask: true
+
+  # npm/package manager dangerous commands
+  - pattern: 'npm\s+unpublish'
+    reason: "npm unpublish can break dependent packages"
+    ask: true
+
+  - pattern: 'npm\s+deprecate'
+    reason: "npm deprecate affects package visibility"
+    ask: true
+
+# ============================================================================
+# ASK PATTERNS (CONFIRMATION REQUIRED)
+# ============================================================================
+# These patterns trigger a confirmation prompt but don't block by default
+
+askPatterns:
+  - pattern: 'DELETE\s+FROM\s+\w+\s+WHERE'
+    reason: "Deleting specific records - confirm data is correct"
+
+  - pattern: 'UPDATE\s+\w+\s+SET'
+    reason: "Updating records - confirm scope is correct"
+
+  - pattern: 'npm\s+publish'
+    reason: "Publishing to npm is permanent"
+
+  - pattern: 'git\s+tag\s+-d'
+    reason: "Deleting git tags"
+
+  - pattern: 'kubectl\s+delete'
+    reason: "Kubernetes delete operations"
+
+# ============================================================================
+# PATH PROTECTION
+# ============================================================================
+# Three protection levels:
+#   zeroAccessPaths: Cannot read, write, edit, or delete
+#   readOnlyPaths: Can read, cannot modify or delete
+#   noDeletePaths: Can read and modify, cannot delete
+
+zeroAccessPaths:
+  # System credentials
+  - ~/.ssh/
+  - ~/.gnupg/
+  - ~/.aws/credentials
+  - ~/.config/gcloud/
+
+  # Environment secrets
+  - .env
+  - .env.local
+  - .env.production
+  - .env.*.local
+
+  # Secret files
+  - '**/secrets/**'
+  - '**/credentials/**'
+  - '**/*.pem'
+  - '**/*.key'
+  - '**/id_rsa'
+  - '**/id_ed25519'
+
+readOnlyPaths:
+  # System config
+  - /etc/
+  - ~/.bashrc
+  - ~/.zshrc
+  - ~/.profile
+
+  # Package locks (should use npm install, not edit directly)
+  - package-lock.json
+  - yarn.lock
+  - pnpm-lock.yaml
+
+  # Git internals
+  - .git/
+
+noDeletePaths:
+  # AgileFlow core
+  - .agileflow/
+  - .agileflow/config.json
+  - .agileflow/scripts/
+
+  # Claude Code hooks and commands
+  - .claude/
+  - .claude/hooks/
+  - .claude/commands/
+  - .claude/settings.json
+
+  # Project documentation (can edit, can't delete)
+  - docs/09-agents/status.json
+  - CLAUDE.md
+  - AGENTS.md
+
+# ============================================================================
+# AGILEFLOW-SPECIFIC PROTECTION
+# ============================================================================
+# Additional patterns specific to AgileFlow projects
+
+agileflowPatterns:
+  # Protect AgileFlow infrastructure
+  - pattern: 'rm.*\.agileflow'
+    reason: "Deleting .agileflow would break AgileFlow installation"
+
+  - pattern: 'rm.*\.claude'
+    reason: "Deleting .claude would break Claude Code configuration"
+
+  - pattern: 'rm.*status\.json'
+    reason: "Deleting status.json would lose story tracking data"
+
+  # Dangerous npm operations in AgileFlow context
+  - pattern: 'npm\s+uninstall\s+agileflow'
+    reason: "Uninstalling AgileFlow - confirm this is intentional"
+    ask: true
+
+# ============================================================================
+# CONFIGURATION
+# ============================================================================
+# Settings for the damage control system
+
+config:
+  # Log blocked commands for pattern refinement
+  logBlocked: true
+  logPath: .agileflow/logs/damage-control.log
+
+  # Show detailed reason when blocking
+  showBlockReason: true
+
+  # Timeout for hook execution (seconds)
+  hookTimeout: 5
+
+  # Enable/disable prompt hooks (AI-based evaluation)
+  promptHooksEnabled: false
+  promptHookMessage: "Evaluate if this command could cause irreversible damage. Block if dangerous."