agileflow 3.4.3 → 4.0.0-alpha.2

package/scripts/damage-control/bash-tool-damage-control.js

@@ -1,22 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * bash-tool-damage-control.js - PreToolUse hook for Bash tool
- *
- * Validates bash commands against patterns in damage-control-patterns.yaml
- * before execution. Part of AgileFlow's damage control system.
- *
- * Exit codes:
- *   0 - Allow command (or ask via JSON output)
- *   2 - Block command
- *
- * For "ask" response, output JSON to stdout:
- *   { "result": "ask", "message": "Confirm this action?" }
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const { createBashHook } = require('../lib/damage-control-utils');
-
-// Run the hook using factory
-createBashHook()();

package/scripts/damage-control/edit-tool-damage-control.js

@@ -1,19 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * edit-tool-damage-control.js - PreToolUse hook for Edit tool
- *
- * Validates file paths against access control patterns in damage-control-patterns.yaml
- * before allowing file edits. Part of AgileFlow's damage control system.
- *
- * Exit codes:
- *   0 - Allow operation
- *   2 - Block operation
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const { createPathHook } = require('../lib/damage-control-utils');
-
-// Run the hook using factory
-createPathHook('edit')();

package/scripts/damage-control/patterns.yaml

@@ -1,227 +0,0 @@
-# AgileFlow Damage Control - Security Patterns
-#
-# This file defines patterns for blocking destructive commands and protecting
-# sensitive paths. The damage control hooks read this file to determine
-# whether to allow, block, or ask for confirmation before executing commands.
-#
-# Exit codes from hooks:
-#   0 = Allow command to proceed
-#   2 = Block command (show error to user)
-#
-# To ask for confirmation, hooks output JSON: {"result": "ask", "message": "..."}
-
-# ============================================================================
-# BASH TOOL PATTERNS
-# ============================================================================
-# Regex patterns to match against bash commands
-# If matched with ask: false (or no ask key), command is BLOCKED
-# If matched with ask: true, user is asked for confirmation
-
-bashToolPatterns:
-  # Recursive/force deletion
-  - pattern: '\brm\s+-[rRf]'
-    reason: 'rm with recursive or force flags can destroy entire directories'
-
-  - pattern: '\brm\s+.*--no-preserve-root'
-    reason: 'rm with --no-preserve-root is catastrophically dangerous'
-
-  - pattern: '\brm\s+-rf\s+/'
-    reason: 'rm -rf on root directory would destroy the entire system'
-
-  # SQL destructive commands without WHERE clause
-  - pattern: 'DELETE\s+FROM\s+\w+\s*;'
-    reason: 'DELETE without WHERE clause would delete all records'
-
-  - pattern: 'TRUNCATE\s+(TABLE\s+)?\w+'
-    reason: 'TRUNCATE removes all data from table'
-
-  - pattern: 'DROP\s+(TABLE|DATABASE|SCHEMA|INDEX)'
-    reason: 'DROP commands permanently destroy database objects'
-
-  # Git force operations
-  - pattern: 'git\s+push\s+.*--force'
-    reason: 'Force push can overwrite remote history'
-    ask: true
-
-  - pattern: 'git\s+push\s+.*-f\b'
-    reason: 'Force push can overwrite remote history'
-    ask: true
-
-  - pattern: 'git\s+reset\s+--hard'
-    reason: 'Hard reset discards uncommitted changes'
-    ask: true
-
-  # Format/wipe operations
-  - pattern: '\bmkfs\b'
-    reason: 'mkfs formats filesystems, destroying all data'
-
-  - pattern: '\bdd\s+.*of=/dev/'
-    reason: 'dd writing to device can destroy disk data'
-
-  - pattern: '\bshred\b'
-    reason: 'shred permanently destroys file data'
-
-  # Credential/secret exposure
-  - pattern: 'cat\s+.*\.env'
-    reason: 'Displaying .env may expose secrets'
-    ask: true
-
-  - pattern: 'cat\s+.*/\.ssh/'
-    reason: 'Displaying SSH keys is a security risk'
-
-  - pattern: 'cat\s+.*/credentials'
-    reason: 'Displaying credentials files is a security risk'
-
-  # Cloud CLI destructive operations
-  - pattern: 'aws\s+s3\s+rm\s+--recursive'
-    reason: 'Recursive S3 delete can destroy entire buckets'
-    ask: true
-
-  - pattern: 'aws\s+ec2\s+terminate-instances'
-    reason: 'Terminating EC2 instances is irreversible'
-    ask: true
-
-  - pattern: 'gcloud\s+.*delete'
-    reason: 'GCloud delete operations may be destructive'
-    ask: true
-
-  # Docker cleanup commands
-  - pattern: 'docker\s+system\s+prune\s+-a'
-    reason: 'Docker prune -a removes all unused images'
-    ask: true
-
-  - pattern: 'docker\s+volume\s+rm'
-    reason: 'Docker volume removal may delete persistent data'
-    ask: true
-
-  # npm/package manager dangerous commands
-  - pattern: 'npm\s+unpublish'
-    reason: 'npm unpublish can break dependent packages'
-    ask: true
-
-  - pattern: 'npm\s+deprecate'
-    reason: 'npm deprecate affects package visibility'
-    ask: true
-
-# ============================================================================
-# ASK PATTERNS (CONFIRMATION REQUIRED)
-# ============================================================================
-# These patterns trigger a confirmation prompt but don't block by default
-
-askPatterns:
-  - pattern: 'DELETE\s+FROM\s+\w+\s+WHERE'
-    reason: 'Deleting specific records - confirm data is correct'
-
-  - pattern: 'UPDATE\s+\w+\s+SET'
-    reason: 'Updating records - confirm scope is correct'
-
-  - pattern: 'npm\s+publish'
-    reason: 'Publishing to npm is permanent'
-
-  - pattern: 'git\s+tag\s+-d'
-    reason: 'Deleting git tags'
-
-  - pattern: 'kubectl\s+delete'
-    reason: 'Kubernetes delete operations'
-
-# ============================================================================
-# PATH PROTECTION
-# ============================================================================
-# Three protection levels:
-#   zeroAccessPaths: Cannot read, write, edit, or delete
-#   readOnlyPaths: Can read, cannot modify or delete
-#   noDeletePaths: Can read and modify, cannot delete
-
-zeroAccessPaths:
-  # System credentials
-  - ~/.ssh/
-  - ~/.gnupg/
-  - ~/.aws/credentials
-  - ~/.config/gcloud/
-
-  # Environment secrets
-  - .env
-  - .env.local
-  - .env.production
-  - .env.*.local
-
-  # Secret files
-  - '**/secrets/**'
-  - '**/credentials/**'
-  - '**/*.pem'
-  - '**/*.key'
-  - '**/id_rsa'
-  - '**/id_ed25519'
-
-readOnlyPaths:
-  # System config
-  - /etc/
-  - ~/.bashrc
-  - ~/.zshrc
-  - ~/.profile
-
-  # Package locks (should use npm install, not edit directly)
-  - package-lock.json
-  - yarn.lock
-  - pnpm-lock.yaml
-
-  # Git internals
-  - .git/
-
-noDeletePaths:
-  # AgileFlow core
-  - .agileflow/
-  - .agileflow/config.json
-  - .agileflow/scripts/
-
-  # Claude Code hooks and commands
-  - .claude/
-  - .claude/hooks/
-  - .claude/commands/
-  - .claude/settings.json
-
-  # Project documentation (can edit, can't delete)
-  - docs/09-agents/status.json
-  - CLAUDE.md
-  - AGENTS.md
-
-# ============================================================================
-# AGILEFLOW-SPECIFIC PROTECTION
-# ============================================================================
-# Additional patterns specific to AgileFlow projects
-
-agileflowPatterns:
-  # Protect AgileFlow infrastructure
-  - pattern: 'rm.*\.agileflow'
-    reason: 'Deleting .agileflow would break AgileFlow installation'
-
-  - pattern: 'rm.*\.claude'
-    reason: 'Deleting .claude would break Claude Code configuration'
-
-  - pattern: 'rm.*status\.json'
-    reason: 'Deleting status.json would lose story tracking data'
-
-  # Dangerous npm operations in AgileFlow context
-  - pattern: 'npm\s+uninstall\s+agileflow'
-    reason: 'Uninstalling AgileFlow - confirm this is intentional'
-    ask: true
-
-# ============================================================================
-# CONFIGURATION
-# ============================================================================
-# Settings for the damage control system
-
-config:
-  # Log blocked commands for pattern refinement
-  logBlocked: true
-  logPath: .agileflow/logs/damage-control.log
-
-  # Show detailed reason when blocking
-  showBlockReason: true
-
-  # Timeout for hook execution (seconds)
-  hookTimeout: 5
-
-  # Enable/disable prompt hooks (AI-based evaluation)
-  promptHooksEnabled: false
-  promptHookMessage: 'Evaluate if this command could cause irreversible damage. Block if dangerous.'

package/scripts/damage-control/write-tool-damage-control.js

@@ -1,19 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * write-tool-damage-control.js - PreToolUse hook for Write tool
- *
- * Validates file paths against access control patterns in damage-control-patterns.yaml
- * before allowing file writes. Part of AgileFlow's damage control system.
- *
- * Exit codes:
- *   0 - Allow operation
- *   2 - Block operation
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const { createPathHook } = require('../lib/damage-control-utils');
-
-// Run the hook using factory
-createPathHook('write')();

package/scripts/damage-control-bash.js

@@ -1,51 +0,0 @@
-#!/usr/bin/env node
-/**
- * damage-control-bash.js - PreToolUse hook for Bash tool
- *
- * Validates bash commands against patterns in damage-control-patterns.yaml
- * before execution. Part of AgileFlow's damage control system.
- *
- * Exit codes:
- *   0 - Allow command (or ask via JSON output)
- *   2 - Block command
- *
- * For "ask" response, output JSON to stdout:
- *   { "result": "ask", "message": "Confirm this action?" }
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const fs = require('fs');
-const path = require('path');
-
-function loadDamageControlUtils() {
-  const candidates = [
-    path.join(__dirname, 'lib', 'damage-control-utils.js'),
-    path.join(process.cwd(), '.agileflow', 'scripts', 'lib', 'damage-control-utils.js'),
-  ];
-
-  for (const candidate of candidates) {
-    try {
-      if (fs.existsSync(candidate)) {
-        return require(candidate);
-      }
-    } catch (e) {
-      // Try next candidate
-    }
-  }
-
-  return null;
-}
-
-const utils = loadDamageControlUtils();
-if (!utils || typeof utils.createBashHook !== 'function') {
-  // Fail-open: never block Bash tool because hook bootstrap failed.
-  process.exit(0);
-}
-
-try {
-  utils.createBashHook()();
-} catch (e) {
-  // Fail-open on runtime errors to avoid breaking CLI workflows.
-  process.exit(0);
-}

package/scripts/damage-control-edit.js

@@ -1,48 +0,0 @@
-#!/usr/bin/env node
-/**
- * damage-control-edit.js - PreToolUse hook for Edit tool
- *
- * Validates file paths against access control patterns in damage-control-patterns.yaml
- * before allowing file edits. Part of AgileFlow's damage control system.
- *
- * Exit codes:
- *   0 - Allow operation
- *   2 - Block operation
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const fs = require('fs');
-const path = require('path');
-
-function loadDamageControlUtils() {
-  const candidates = [
-    path.join(__dirname, 'lib', 'damage-control-utils.js'),
-    path.join(process.cwd(), '.agileflow', 'scripts', 'lib', 'damage-control-utils.js'),
-  ];
-
-  for (const candidate of candidates) {
-    try {
-      if (fs.existsSync(candidate)) {
-        return require(candidate);
-      }
-    } catch (e) {
-      // Try next candidate
-    }
-  }
-
-  return null;
-}
-
-const utils = loadDamageControlUtils();
-if (!utils || typeof utils.createPathHook !== 'function') {
-  // Fail-open: never block Edit tool because hook bootstrap failed.
-  process.exit(0);
-}
-
-try {
-  utils.createPathHook('edit')();
-} catch (e) {
-  // Fail-open on runtime errors to avoid breaking CLI workflows.
-  process.exit(0);
-}

package/scripts/damage-control-multi-agent.js

@@ -1,231 +0,0 @@
-#!/usr/bin/env node
-/**
- * damage-control-multi-agent.js - PreToolUse hook for Agent Teams tools
- *
- * Validates TeamCreate/TeamDelete, TaskCreate/TaskUpdate, and SendMessage
- * operations against safety rules when native Agent Teams is enabled.
- *
- * Protection layers:
- * 1. Tool validation: Ensure Team/Task operations have valid parameters
- * 2. Message schema: SendMessage content is validated against allowlist
- * 3. Rate limiting: Prevents runaway agent spawning
- * 4. Permission checks: Agents cannot escalate beyond their own tool access
- *
- * Exit codes:
- *   0 - Allow operation (or ask via JSON output)
- *   2 - Block operation
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const fs = require('fs');
-const path = require('path');
-
-function loadDamageControlUtils() {
-  const candidates = [
-    path.join(__dirname, 'lib', 'damage-control-utils.js'),
-    path.join(process.cwd(), '.agileflow', 'scripts', 'lib', 'damage-control-utils.js'),
-  ];
-
-  for (const candidate of candidates) {
-    try {
-      if (fs.existsSync(candidate)) {
-        return require(candidate);
-      }
-    } catch (e) {
-      // Try next candidate
-    }
-  }
-
-  return null;
-}
-
-const utils = loadDamageControlUtils();
-if (!utils || typeof utils.runDamageControlHook !== 'function') {
-  // Fail-open: never block tools because hook bootstrap failed
-  process.exit(0);
-}
-
-// Tools this hook handles
-const MULTI_AGENT_TOOLS = [
-  'TeamCreate',
-  'TeamDelete',
-  'TaskCreate',
-  'TaskUpdate',
-  'TaskGet',
-  'TaskList',
-  'SendMessage',
-];
-
-// Maximum number of teams that can be active simultaneously
-const MAX_CONCURRENT_TEAMS = 4;
-
-// Maximum teammates per team
-const MAX_TEAMMATES_PER_TEAM = 8;
-
-// SendMessage content size limit (10KB)
-const MAX_MESSAGE_SIZE = 10240;
-
-// Blocked patterns in SendMessage content
-const BLOCKED_MESSAGE_PATTERNS = [
-  // Command injection attempts
-  /\$\{.*\}/, // Template injection ${...}
-  /`[^`]*`/, // Backtick execution
-  /\bexec\s*\(/, // exec() calls
-  /\beval\s*\(/, // eval() calls
-  // Dangerous git operations
-  /\bgit\s+push\s+--force\b/i,
-  /\bgit\s+reset\s+--hard\b/i,
-  // System destructive commands
-  /\brm\s+-rf\s+\//,
-  /\bdrop\s+database\b/i,
-  /\bdrop\s+table\b/i,
-];
-
-/**
- * Validate a TeamCreate operation
- */
-function validateTeamCreate(input) {
-  const toolInput = input.tool_input || input;
-
-  // Check teammate count
-  const teammates = toolInput.teammates || [];
-  if (teammates.length > MAX_TEAMMATES_PER_TEAM) {
-    return {
-      action: 'block',
-      reason: `Team size ${teammates.length} exceeds maximum (${MAX_TEAMMATES_PER_TEAM})`,
-    };
-  }
-
-  // Check for empty team
-  if (teammates.length === 0) {
-    return {
-      action: 'ask',
-      reason: 'Creating a team with no teammates. Continue?',
-    };
-  }
-
-  return { action: 'allow' };
-}
-
-/**
- * Validate a SendMessage operation
- */
-function validateSendMessage(input) {
-  const toolInput = input.tool_input || input;
-  const content = toolInput.message || toolInput.content || '';
-
-  // Check message size
-  if (content.length > MAX_MESSAGE_SIZE) {
-    return {
-      action: 'block',
-      reason: `Message size (${content.length} bytes) exceeds limit (${MAX_MESSAGE_SIZE})`,
-    };
-  }
-
-  // Check for blocked patterns in content
-  for (const pattern of BLOCKED_MESSAGE_PATTERNS) {
-    if (pattern.test(content)) {
-      return {
-        action: 'block',
-        reason: 'Message contains potentially dangerous content pattern',
-        detail: `Matched: ${pattern.source}`,
-      };
-    }
-  }
-
-  return { action: 'allow' };
-}
-
-/**
- * Validate TaskCreate/TaskUpdate operations
- */
-function validateTaskOperation(input) {
-  const toolInput = input.tool_input || input;
-  const description = toolInput.description || toolInput.prompt || '';
-
-  // Check for secrets in task descriptions
-  const secretPatterns = [
-    /\b(?:API_KEY|SECRET|PASSWORD|TOKEN|CREDENTIALS)\s*[:=]\s*\S+/i,
-    /\bsk-[a-zA-Z0-9]{20,}/, // API keys starting with sk-
-    /\bghp_[a-zA-Z0-9]{36}/, // GitHub personal access tokens
-    /\bnpm_[a-zA-Z0-9]{36}/, // npm tokens
-  ];
-
-  for (const pattern of secretPatterns) {
-    if (pattern.test(description)) {
-      return {
-        action: 'block',
-        reason: 'Task description appears to contain secrets or credentials',
-        detail: 'Never pass secrets in task parameters. Use environment variables instead.',
-      };
-    }
-  }
-
-  return { action: 'allow' };
-}
-
-try {
-  utils.runDamageControlHook({
-    getInputValue: input => {
-      // Check if this is a multi-agent tool
-      const toolName = input.tool_name || '';
-      if (!MULTI_AGENT_TOOLS.includes(toolName)) {
-        return null; // Not our tool - allow
-      }
-      return input;
-    },
-
-    loadConfig: () => {
-      // Multi-agent hook uses inline rules, not YAML patterns
-      return {
-        maxTeams: MAX_CONCURRENT_TEAMS,
-        maxTeammates: MAX_TEAMMATES_PER_TEAM,
-        maxMessageSize: MAX_MESSAGE_SIZE,
-      };
-    },
-
-    validate: (input, config) => {
-      const toolName = input.tool_name || '';
-
-      switch (toolName) {
-        case 'TeamCreate':
-          return validateTeamCreate(input);
-
-        case 'TeamDelete':
-          // Always ask before deleting a team
-          return {
-            action: 'ask',
-            reason: 'Deleting a team will stop all teammates. Continue?',
-          };
-
-        case 'SendMessage':
-          return validateSendMessage(input);
-
-        case 'TaskCreate':
-        case 'TaskUpdate':
-          return validateTaskOperation(input);
-
-        case 'TaskGet':
-        case 'TaskList':
-          // Read operations are always allowed
-          return { action: 'allow' };
-
-        default:
-          return { action: 'allow' };
-      }
-    },
-
-    onBlock: (result, input) => {
-      const toolName = input.tool_name || 'unknown';
-      utils.outputBlocked(
-        `${toolName}: ${result.reason}`,
-        result.detail || '',
-        'Multi-agent damage control'
-      );
-    },
-  });
-} catch (e) {
-  // Fail-open on runtime errors
-  process.exit(0);
-}

package/scripts/damage-control-write.js

@@ -1,48 +0,0 @@
-#!/usr/bin/env node
-/**
- * damage-control-write.js - PreToolUse hook for Write tool
- *
- * Validates file paths against access control patterns in damage-control-patterns.yaml
- * before allowing file writes. Part of AgileFlow's damage control system.
- *
- * Exit codes:
- *   0 - Allow operation
- *   2 - Block operation
- *
- * Usage: Configured as PreToolUse hook in .claude/settings.json
- */
-
-const fs = require('fs');
-const path = require('path');
-
-function loadDamageControlUtils() {
-  const candidates = [
-    path.join(__dirname, 'lib', 'damage-control-utils.js'),
-    path.join(process.cwd(), '.agileflow', 'scripts', 'lib', 'damage-control-utils.js'),
-  ];
-
-  for (const candidate of candidates) {
-    try {
-      if (fs.existsSync(candidate)) {
-        return require(candidate);
-      }
-    } catch (e) {
-      // Try next candidate
-    }
-  }
-
-  return null;
-}
-
-const utils = loadDamageControlUtils();
-if (!utils || typeof utils.createPathHook !== 'function') {
-  // Fail-open: never block Write tool because hook bootstrap failed.
-  process.exit(0);
-}
-
-try {
-  utils.createPathHook('write')();
-} catch (e) {
-  // Fail-open on runtime errors to avoid breaking CLI workflows.
-  process.exit(0);
-}