agileflow 2.79.0 → 2.81.0

package/scripts/damage-control/patterns.yaml

@@ -20,87 +20,87 @@
 bashToolPatterns:
   # Recursive/force deletion
   - pattern: '\brm\s+-[rRf]'
-    reason: "rm with recursive or force flags can destroy entire directories"
+    reason: 'rm with recursive or force flags can destroy entire directories'
 
   - pattern: '\brm\s+.*--no-preserve-root'
-    reason: "rm with --no-preserve-root is catastrophically dangerous"
+    reason: 'rm with --no-preserve-root is catastrophically dangerous'
 
   - pattern: '\brm\s+-rf\s+/'
-    reason: "rm -rf on root directory would destroy the entire system"
+    reason: 'rm -rf on root directory would destroy the entire system'
 
   # SQL destructive commands without WHERE clause
   - pattern: 'DELETE\s+FROM\s+\w+\s*;'
-    reason: "DELETE without WHERE clause would delete all records"
+    reason: 'DELETE without WHERE clause would delete all records'
 
   - pattern: 'TRUNCATE\s+(TABLE\s+)?\w+'
-    reason: "TRUNCATE removes all data from table"
+    reason: 'TRUNCATE removes all data from table'
 
   - pattern: 'DROP\s+(TABLE|DATABASE|SCHEMA|INDEX)'
-    reason: "DROP commands permanently destroy database objects"
+    reason: 'DROP commands permanently destroy database objects'
 
   # Git force operations
   - pattern: 'git\s+push\s+.*--force'
-    reason: "Force push can overwrite remote history"
+    reason: 'Force push can overwrite remote history'
     ask: true
 
   - pattern: 'git\s+push\s+.*-f\b'
-    reason: "Force push can overwrite remote history"
+    reason: 'Force push can overwrite remote history'
     ask: true
 
   - pattern: 'git\s+reset\s+--hard'
-    reason: "Hard reset discards uncommitted changes"
+    reason: 'Hard reset discards uncommitted changes'
     ask: true
 
   # Format/wipe operations
   - pattern: '\bmkfs\b'
-    reason: "mkfs formats filesystems, destroying all data"
+    reason: 'mkfs formats filesystems, destroying all data'
 
   - pattern: '\bdd\s+.*of=/dev/'
-    reason: "dd writing to device can destroy disk data"
+    reason: 'dd writing to device can destroy disk data'
 
   - pattern: '\bshred\b'
-    reason: "shred permanently destroys file data"
+    reason: 'shred permanently destroys file data'
 
   # Credential/secret exposure
   - pattern: 'cat\s+.*\.env'
-    reason: "Displaying .env may expose secrets"
+    reason: 'Displaying .env may expose secrets'
     ask: true
 
   - pattern: 'cat\s+.*/\.ssh/'
-    reason: "Displaying SSH keys is a security risk"
+    reason: 'Displaying SSH keys is a security risk'
 
   - pattern: 'cat\s+.*/credentials'
-    reason: "Displaying credentials files is a security risk"
+    reason: 'Displaying credentials files is a security risk'
 
   # Cloud CLI destructive operations
   - pattern: 'aws\s+s3\s+rm\s+--recursive'
-    reason: "Recursive S3 delete can destroy entire buckets"
+    reason: 'Recursive S3 delete can destroy entire buckets'
     ask: true
 
   - pattern: 'aws\s+ec2\s+terminate-instances'
-    reason: "Terminating EC2 instances is irreversible"
+    reason: 'Terminating EC2 instances is irreversible'
     ask: true
 
   - pattern: 'gcloud\s+.*delete'
-    reason: "GCloud delete operations may be destructive"
+    reason: 'GCloud delete operations may be destructive'
     ask: true
 
   # Docker cleanup commands
   - pattern: 'docker\s+system\s+prune\s+-a'
-    reason: "Docker prune -a removes all unused images"
+    reason: 'Docker prune -a removes all unused images'
     ask: true
 
   - pattern: 'docker\s+volume\s+rm'
-    reason: "Docker volume removal may delete persistent data"
+    reason: 'Docker volume removal may delete persistent data'
     ask: true
 
   # npm/package manager dangerous commands
   - pattern: 'npm\s+unpublish'
-    reason: "npm unpublish can break dependent packages"
+    reason: 'npm unpublish can break dependent packages'
     ask: true
 
   - pattern: 'npm\s+deprecate'
-    reason: "npm deprecate affects package visibility"
+    reason: 'npm deprecate affects package visibility'
     ask: true
 
 # ============================================================================
@@ -110,19 +110,19 @@ bashToolPatterns:
 
 askPatterns:
   - pattern: 'DELETE\s+FROM\s+\w+\s+WHERE'
-    reason: "Deleting specific records - confirm data is correct"
+    reason: 'Deleting specific records - confirm data is correct'
 
   - pattern: 'UPDATE\s+\w+\s+SET'
-    reason: "Updating records - confirm scope is correct"
+    reason: 'Updating records - confirm scope is correct'
 
   - pattern: 'npm\s+publish'
-    reason: "Publishing to npm is permanent"
+    reason: 'Publishing to npm is permanent'
 
   - pattern: 'git\s+tag\s+-d'
-    reason: "Deleting git tags"
+    reason: 'Deleting git tags'
 
   - pattern: 'kubectl\s+delete'
-    reason: "Kubernetes delete operations"
+    reason: 'Kubernetes delete operations'
 
 # ============================================================================
 # PATH PROTECTION
@@ -193,17 +193,17 @@ noDeletePaths:
 agileflowPatterns:
   # Protect AgileFlow infrastructure
   - pattern: 'rm.*\.agileflow'
-    reason: "Deleting .agileflow would break AgileFlow installation"
+    reason: 'Deleting .agileflow would break AgileFlow installation'
 
   - pattern: 'rm.*\.claude'
-    reason: "Deleting .claude would break Claude Code configuration"
+    reason: 'Deleting .claude would break Claude Code configuration'
 
   - pattern: 'rm.*status\.json'
-    reason: "Deleting status.json would lose story tracking data"
+    reason: 'Deleting status.json would lose story tracking data'
 
   # Dangerous npm operations in AgileFlow context
   - pattern: 'npm\s+uninstall\s+agileflow'
-    reason: "Uninstalling AgileFlow - confirm this is intentional"
+    reason: 'Uninstalling AgileFlow - confirm this is intentional'
     ask: true
 
 # ============================================================================
@@ -224,4 +224,4 @@ config:
 
   # Enable/disable prompt hooks (AI-based evaluation)
   promptHooksEnabled: false
-  promptHookMessage: "Evaluate if this command could cause irreversible damage. Block if dangerous."
+  promptHookMessage: 'Evaluate if this command could cause irreversible damage. Block if dangerous.'

package/scripts/damage-control/write-tool-damage-control.js

@@ -114,27 +114,9 @@ function parsePathRules(content) {
  */
 function getDefaultPathRules() {
   return {
-    zeroAccessPaths: [
-      '~/.ssh/',
-      '~/.aws/credentials',
-      '.env',
-      '.env.local',
-      '.env.production',
-    ],
-    readOnlyPaths: [
-      '/etc/',
-      '~/.bashrc',
-      '~/.zshrc',
-      'package-lock.json',
-      'yarn.lock',
-      '.git/',
-    ],
-    noDeletePaths: [
-      '.agileflow/',
-      '.claude/',
-      'docs/09-agents/status.json',
-      'CLAUDE.md',
-    ],
+    zeroAccessPaths: ['~/.ssh/', '~/.aws/credentials', '.env', '.env.local', '.env.production'],
+    readOnlyPaths: ['/etc/', '~/.bashrc', '~/.zshrc', 'package-lock.json', 'yarn.lock', '.git/'],
+    noDeletePaths: ['.agileflow/', '.claude/', 'docs/09-agents/status.json', 'CLAUDE.md'],
   };
 }
 
@@ -247,9 +229,7 @@ function main() {
   }
 
   // Resolve to absolute path
-  const absolutePath = path.isAbsolute(filePath)
-    ? filePath
-    : path.join(projectDir, filePath);
+  const absolutePath = path.isAbsolute(filePath) ? filePath : path.join(projectDir, filePath);
 
   // Load rules
   const rules = loadPathRules(projectDir);

package/scripts/damage-control-bash.js

@@ -15,30 +15,13 @@
  * Usage: Configured as PreToolUse hook in .claude/settings.json
  */
 
-const fs = require('fs');
-const path = require('path');
-
-// Color codes for output
-const c = {
-  red: '\x1b[38;5;203m',
-  yellow: '\x1b[38;5;215m',
-  reset: '\x1b[0m',
-  dim: '\x1b[2m'
-};
-
-/**
- * Find project root by looking for .agileflow directory
- */
-function findProjectRoot() {
-  let dir = process.cwd();
-  while (dir !== '/') {
-    if (fs.existsSync(path.join(dir, '.agileflow'))) {
-      return dir;
-    }
-    dir = path.dirname(dir);
-  }
-  return process.cwd();
-}
+const {
+  findProjectRoot,
+  loadPatterns,
+  outputBlocked,
+  runDamageControlHook,
+  c,
+} = require('./lib/damage-control-utils');
 
 /**
  * Parse simplified YAML for damage control patterns
@@ -48,7 +31,7 @@ function parseSimpleYAML(content) {
   const config = {
     bashToolPatterns: [],
     askPatterns: [],
-    agileflowProtections: []
+    agileflowProtections: [],
   };
 
   let currentSection = null;
@@ -76,44 +59,28 @@ function parseSimpleYAML(content) {
       currentPattern = null;
     } else if (trimmed.startsWith('- pattern:') && currentSection) {
       // New pattern entry
-      const patternValue = trimmed.replace('- pattern:', '').trim().replace(/^["']|["']$/g, '');
+      const patternValue = trimmed
+        .replace('- pattern:', '')
+        .trim()
+        .replace(/^["']|["']$/g, '');
       currentPattern = { pattern: patternValue };
       config[currentSection].push(currentPattern);
     } else if (trimmed.startsWith('reason:') && currentPattern) {
-      currentPattern.reason = trimmed.replace('reason:', '').trim().replace(/^["']|["']$/g, '');
+      currentPattern.reason = trimmed
+        .replace('reason:', '')
+        .trim()
+        .replace(/^["']|["']$/g, '');
     } else if (trimmed.startsWith('flags:') && currentPattern) {
-      currentPattern.flags = trimmed.replace('flags:', '').trim().replace(/^["']|["']$/g, '');
+      currentPattern.flags = trimmed
+        .replace('flags:', '')
+        .trim()
+        .replace(/^["']|["']$/g, '');
     }
   }
 
   return config;
 }
 
-/**
- * Load patterns configuration from YAML file
- */
-function loadPatterns(projectRoot) {
-  const configPaths = [
-    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yaml'),
-    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yml'),
-    path.join(projectRoot, '.agileflow/templates/damage-control-patterns.yaml')
-  ];
-
-  for (const configPath of configPaths) {
-    if (fs.existsSync(configPath)) {
-      try {
-        const content = fs.readFileSync(configPath, 'utf8');
-        return parseSimpleYAML(content);
-      } catch (e) {
-        // Continue to next path
-      }
-    }
-  }
-
-  // Return empty config if no file found (fail-open)
-  return { bashToolPatterns: [], askPatterns: [], agileflowProtections: [] };
-}
-
 /**
  * Test command against a single pattern rule
  */
@@ -135,14 +102,14 @@ function validateCommand(command, config) {
   // Check blocked patterns (bashToolPatterns + agileflowProtections)
   const blockedPatterns = [
     ...(config.bashToolPatterns || []),
-    ...(config.agileflowProtections || [])
+    ...(config.agileflowProtections || []),
   ];
 
   for (const rule of blockedPatterns) {
     if (matchesPattern(command, rule)) {
       return {
         action: 'block',
-        reason: rule.reason || 'Command blocked by damage control'
+        reason: rule.reason || 'Command blocked by damage control',
       };
     }
   }
@@ -152,7 +119,7 @@ function validateCommand(command, config) {
     if (matchesPattern(command, rule)) {
       return {
         action: 'ask',
-        reason: rule.reason || 'Please confirm this command'
+        reason: rule.reason || 'Please confirm this command',
       };
     }
   }
@@ -161,72 +128,18 @@ function validateCommand(command, config) {
   return { action: 'allow' };
 }
 
-/**
- * Main function - read input and validate
- */
-function main() {
-  const projectRoot = findProjectRoot();
-  let inputData = '';
-
-  process.stdin.setEncoding('utf8');
-
-  process.stdin.on('data', chunk => {
-    inputData += chunk;
-  });
-
-  process.stdin.on('end', () => {
-    try {
-      // Parse tool input from Claude Code
-      const input = JSON.parse(inputData);
-      const command = input.command || input.tool_input?.command || '';
-
-      if (!command) {
-        // No command to validate - allow
-        process.exit(0);
-      }
-
-      // Load patterns and validate
-      const config = loadPatterns(projectRoot);
-      const result = validateCommand(command, config);
-
-      switch (result.action) {
-        case 'block':
-          // Output error message and block
-          console.error(`${c.red}[BLOCKED]${c.reset} ${result.reason}`);
-          console.error(`${c.dim}Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}${c.reset}`);
-          process.exit(2);
-          break;
-
-        case 'ask':
-          // Output JSON to trigger user confirmation
-          console.log(JSON.stringify({
-            result: 'ask',
-            message: result.reason
-          }));
-          process.exit(0);
-          break;
-
-        case 'allow':
-        default:
-          // Allow command to proceed
-          process.exit(0);
-      }
-    } catch (e) {
-      // Parse error or other issue - fail open
-      // This ensures broken config doesn't block all commands
-      process.exit(0);
-    }
-  });
-
-  // Handle no stdin (direct invocation)
-  process.stdin.on('error', () => {
-    process.exit(0);
-  });
-
-  // Set timeout to prevent hanging
-  setTimeout(() => {
-    process.exit(0);
-  }, 4000);
-}
-
-main();
+// Run the hook
+const projectRoot = findProjectRoot();
+const defaultConfig = { bashToolPatterns: [], askPatterns: [], agileflowProtections: [] };
+
+runDamageControlHook({
+  getInputValue: input => input.command || input.tool_input?.command,
+  loadConfig: () => loadPatterns(projectRoot, parseSimpleYAML, defaultConfig),
+  validate: validateCommand,
+  onBlock: (result, command) => {
+    outputBlocked(
+      result.reason,
+      `Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}`
+    );
+  },
+});

package/scripts/damage-control-edit.js

@@ -12,40 +12,13 @@
  * Usage: Configured as PreToolUse hook in .claude/settings.json
  */
 
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-// Color codes for output
-const c = {
-  red: '\x1b[38;5;203m',
-  reset: '\x1b[0m',
-  dim: '\x1b[2m'
-};
-
-/**
- * Find project root by looking for .agileflow directory
- */
-function findProjectRoot() {
-  let dir = process.cwd();
-  while (dir !== '/') {
-    if (fs.existsSync(path.join(dir, '.agileflow'))) {
-      return dir;
-    }
-    dir = path.dirname(dir);
-  }
-  return process.cwd();
-}
-
-/**
- * Expand ~ to home directory
- */
-function expandPath(p) {
-  if (p.startsWith('~/')) {
-    return path.join(os.homedir(), p.slice(2));
-  }
-  return p;
-}
+const {
+  findProjectRoot,
+  loadPatterns,
+  pathMatches,
+  outputBlocked,
+  runDamageControlHook,
+} = require('./lib/damage-control-utils');
 
 /**
  * Parse simplified YAML for path patterns
@@ -54,7 +27,7 @@ function parseSimpleYAML(content) {
   const config = {
     zeroAccessPaths: [],
     readOnlyPaths: [],
-    noDeletePaths: []
+    noDeletePaths: [],
   };
 
   let currentSection = null;
@@ -85,79 +58,6 @@ function parseSimpleYAML(content) {
   return config;
 }
 
-/**
- * Load patterns configuration from YAML file
- */
-function loadPatterns(projectRoot) {
-  const configPaths = [
-    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yaml'),
-    path.join(projectRoot, '.agileflow/config/damage-control-patterns.yml'),
-    path.join(projectRoot, '.agileflow/templates/damage-control-patterns.yaml')
-  ];
-
-  for (const configPath of configPaths) {
-    if (fs.existsSync(configPath)) {
-      try {
-        const content = fs.readFileSync(configPath, 'utf8');
-        return parseSimpleYAML(content);
-      } catch (e) {
-        // Continue to next path
-      }
-    }
-  }
-
-  // Return empty config if no file found (fail-open)
-  return { zeroAccessPaths: [], readOnlyPaths: [], noDeletePaths: [] };
-}
-
-/**
- * Check if a file path matches any of the protected patterns
- */
-function pathMatches(filePath, patterns) {
-  if (!filePath) return null;
-
-  const normalizedPath = path.resolve(filePath);
-  const relativePath = path.relative(process.cwd(), normalizedPath);
-
-  for (const pattern of patterns) {
-    const expandedPattern = expandPath(pattern);
-
-    // Check if pattern is a directory prefix
-    if (pattern.endsWith('/')) {
-      const patternDir = expandedPattern.slice(0, -1);
-      if (normalizedPath.startsWith(patternDir)) {
-        return pattern;
-      }
-    }
-
-    // Check exact match
-    if (normalizedPath === expandedPattern) {
-      return pattern;
-    }
-
-    // Check if normalized path ends with pattern (for filenames like "id_rsa")
-    if (normalizedPath.endsWith(pattern) || relativePath.endsWith(pattern)) {
-      return pattern;
-    }
-
-    // Check if pattern appears in path (for patterns like "*.pem")
-    if (pattern.startsWith('*')) {
-      const ext = pattern.slice(1);
-      if (normalizedPath.endsWith(ext) || relativePath.endsWith(ext)) {
-        return pattern;
-      }
-    }
-
-    // Check if path contains pattern (for things like ".env.production")
-    const patternBase = path.basename(pattern);
-    if (path.basename(normalizedPath) === patternBase) {
-      return pattern;
-    }
-  }
-
-  return null;
-}
-
 /**
  * Validate file path for edit operation
  */
@@ -168,7 +68,7 @@ function validatePath(filePath, config) {
     return {
       action: 'block',
       reason: `Zero-access path: ${zeroMatch}`,
-      detail: 'This file is protected and cannot be accessed'
+      detail: 'This file is protected and cannot be accessed',
     };
   }
 
@@ -178,7 +78,7 @@ function validatePath(filePath, config) {
     return {
       action: 'block',
       reason: `Read-only path: ${readOnlyMatch}`,
-      detail: 'This file is read-only and cannot be edited'
+      detail: 'This file is read-only and cannot be edited',
     };
   }
 
@@ -186,58 +86,15 @@ function validatePath(filePath, config) {
   return { action: 'allow' };
 }
 
-/**
- * Main function - read input and validate
- */
-function main() {
-  const projectRoot = findProjectRoot();
-  let inputData = '';
-
-  process.stdin.setEncoding('utf8');
-
-  process.stdin.on('data', chunk => {
-    inputData += chunk;
-  });
-
-  process.stdin.on('end', () => {
-    try {
-      // Parse tool input from Claude Code
-      const input = JSON.parse(inputData);
-      const filePath = input.file_path || input.tool_input?.file_path || '';
-
-      if (!filePath) {
-        // No path to validate - allow
-        process.exit(0);
-      }
-
-      // Load patterns and validate
-      const config = loadPatterns(projectRoot);
-      const result = validatePath(filePath, config);
-
-      if (result.action === 'block') {
-        console.error(`${c.red}[BLOCKED]${c.reset} ${result.reason}`);
-        console.error(`${c.dim}${result.detail}${c.reset}`);
-        console.error(`${c.dim}File: ${filePath}${c.reset}`);
-        process.exit(2);
-      }
-
-      // Allow
-      process.exit(0);
-    } catch (e) {
-      // Parse error or other issue - fail open
-      process.exit(0);
-    }
-  });
-
-  // Handle no stdin
-  process.stdin.on('error', () => {
-    process.exit(0);
-  });
-
-  // Set timeout to prevent hanging
-  setTimeout(() => {
-    process.exit(0);
-  }, 4000);
-}
-
-main();
+// Run the hook
+const projectRoot = findProjectRoot();
+const defaultConfig = { zeroAccessPaths: [], readOnlyPaths: [], noDeletePaths: [] };
+
+runDamageControlHook({
+  getInputValue: input => input.file_path || input.tool_input?.file_path,
+  loadConfig: () => loadPatterns(projectRoot, parseSimpleYAML, defaultConfig),
+  validate: validatePath,
+  onBlock: (result, filePath) => {
+    outputBlocked(result.reason, result.detail, `File: ${filePath}`);
+  },
+});