aiblueprint-cli 1.1.8 → 1.2.0

package/claude-code-config/scripts/command-validator/src/lib/validator.ts

@@ -0,0 +1,360 @@
+import { SAFE_COMMANDS, SECURITY_RULES } from "./security-rules";
+import type { ValidationResult } from "./types";
+
+export class CommandValidator {
+	validate(command: string, toolName = "Unknown"): ValidationResult {
+		const result: ValidationResult = {
+			isValid: true,
+			severity: "LOW",
+			violations: [],
+			sanitizedCommand: command,
+		};
+
+		if (!command || typeof command !== "string") {
+			result.isValid = false;
+			result.violations.push("Invalid command format");
+			return result;
+		}
+
+		if (command.length > 2000) {
+			result.isValid = false;
+			result.severity = "MEDIUM";
+			result.violations.push("Command too long (potential buffer overflow)");
+			return result;
+		}
+
+		if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\xFF]/.test(command)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push("Binary or encoded content detected");
+			return result;
+		}
+
+		const normalizedCmd = command.trim().toLowerCase();
+		const cmdParts = normalizedCmd.split(/\s+/);
+		const mainCommand = cmdParts[0].split("/").pop() || "";
+
+		if (mainCommand === "source" || mainCommand === "python") {
+			return result;
+		}
+
+		for (const pattern of SECURITY_RULES.DANGEROUS_PATTERNS) {
+			if (pattern.test(command)) {
+				result.isValid = false;
+				result.severity = "CRITICAL";
+				result.violations.push(`Dangerous pattern detected: ${pattern.source}`);
+			}
+		}
+
+		if (SECURITY_RULES.CRITICAL_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "CRITICAL";
+			result.violations.push(`Critical dangerous command: ${mainCommand}`);
+		}
+
+		if (SECURITY_RULES.PRIVILEGE_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push(`Privilege escalation command: ${mainCommand}`);
+		}
+
+		if (SECURITY_RULES.NETWORK_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push(`Network/remote access command: ${mainCommand}`);
+		}
+
+		if (SECURITY_RULES.SYSTEM_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push(`System manipulation command: ${mainCommand}`);
+		}
+
+		if (/rm\s+.*-rf\s/.test(command)) {
+			const isRmRfSafe = this.isRmRfCommandSafe(command);
+			if (!isRmRfSafe) {
+				result.isValid = false;
+				result.severity = "CRITICAL";
+				result.violations.push("rm -rf command targeting unsafe path");
+			}
+		}
+
+		if (SAFE_COMMANDS.includes(mainCommand) && result.violations.length === 0) {
+			return result;
+		}
+
+		if (command.includes("&&")) {
+			const chainedCommands = this.splitCommandChain(command);
+			let allSafe = true;
+			for (const chainedCmd of chainedCommands) {
+				const trimmedCmd = chainedCmd.trim();
+				const cmdParts = trimmedCmd.split(/\s+/);
+				const mainCommand = cmdParts[0];
+
+				if (
+					mainCommand === "source" ||
+					mainCommand === "python" ||
+					SAFE_COMMANDS.includes(mainCommand)
+				) {
+					continue;
+				}
+
+				const chainResult = this.validateSingleCommand(trimmedCmd, toolName);
+				if (!chainResult.isValid) {
+					result.isValid = false;
+					result.severity = chainResult.severity;
+					result.violations.push(
+						`Chained command violation: ${trimmedCmd} - ${chainResult.violations.join(", ")}`,
+					);
+					allSafe = false;
+				}
+			}
+			if (allSafe) {
+				return result;
+			}
+		}
+
+		if (command.includes(";") || command.includes("||")) {
+			const chainedCommands = this.splitCommandChain(command);
+			for (const chainedCmd of chainedCommands) {
+				const chainResult = this.validateSingleCommand(
+					chainedCmd.trim(),
+					toolName,
+				);
+				if (!chainResult.isValid) {
+					result.isValid = false;
+					result.severity = chainResult.severity;
+					result.violations.push(
+						`Chained command violation: ${chainedCmd.trim()} - ${chainResult.violations.join(", ")}`,
+					);
+				}
+			}
+			return result;
+		}
+
+		for (const path of SECURITY_RULES.PROTECTED_PATHS) {
+			if (command.includes(path)) {
+				if (
+					path === "/dev/" &&
+					(command.includes("/dev/null") ||
+						command.includes("/dev/stderr") ||
+						command.includes("/dev/stdout"))
+				) {
+					continue;
+				}
+
+				const cmdStart = command.trim();
+				let isSafeExecutable = false;
+				for (const safePath of SECURITY_RULES.SAFE_EXECUTABLE_PATHS) {
+					if (cmdStart.startsWith(safePath)) {
+						isSafeExecutable = true;
+						break;
+					}
+				}
+
+				const pathIndex = command.indexOf(path);
+				const beforePath = command.substring(0, pathIndex);
+				const redirectBeforePath = />\s*$/.test(beforePath.trim());
+
+				if (!isSafeExecutable && redirectBeforePath) {
+					result.isValid = false;
+					result.severity = "HIGH";
+					result.violations.push(
+						`Dangerous operation on protected path: ${path}`,
+					);
+				}
+			}
+		}
+
+		return result;
+	}
+
+	validateSingleCommand(
+		command: string,
+		_toolName = "Unknown",
+	): ValidationResult {
+		const result: ValidationResult = {
+			isValid: true,
+			severity: "LOW",
+			violations: [],
+			sanitizedCommand: command,
+		};
+
+		if (!command || typeof command !== "string") {
+			result.isValid = false;
+			result.violations.push("Invalid command format");
+			return result;
+		}
+
+		if (command.length > 2000) {
+			result.isValid = false;
+			result.severity = "MEDIUM";
+			result.violations.push("Command too long (potential buffer overflow)");
+			return result;
+		}
+
+		if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\xFF]/.test(command)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push("Binary or encoded content detected");
+			return result;
+		}
+
+		const normalizedCmd = command.trim().toLowerCase();
+		const cmdParts = normalizedCmd.split(/\s+/);
+		const mainCommand = cmdParts[0].split("/").pop() || "";
+
+		if (mainCommand === "source" || mainCommand === "python") {
+			return result;
+		}
+
+		for (const pattern of SECURITY_RULES.DANGEROUS_PATTERNS) {
+			if (pattern.test(command)) {
+				result.isValid = false;
+				result.severity = "CRITICAL";
+				result.violations.push(`Dangerous pattern detected: ${pattern.source}`);
+			}
+		}
+
+		if (SECURITY_RULES.CRITICAL_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "CRITICAL";
+			result.violations.push(`Critical dangerous command: ${mainCommand}`);
+		}
+
+		if (SECURITY_RULES.PRIVILEGE_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push(`Privilege escalation command: ${mainCommand}`);
+		}
+
+		if (SECURITY_RULES.NETWORK_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push(`Network/remote access command: ${mainCommand}`);
+		}
+
+		if (SECURITY_RULES.SYSTEM_COMMANDS.includes(mainCommand)) {
+			result.isValid = false;
+			result.severity = "HIGH";
+			result.violations.push(`System manipulation command: ${mainCommand}`);
+		}
+
+		if (/rm\s+.*-rf\s/.test(command)) {
+			const isRmRfSafe = this.isRmRfCommandSafe(command);
+			if (!isRmRfSafe) {
+				result.isValid = false;
+				result.severity = "CRITICAL";
+				result.violations.push("rm -rf command targeting unsafe path");
+			}
+		}
+
+		if (SAFE_COMMANDS.includes(mainCommand) && result.violations.length === 0) {
+			return result;
+		}
+
+		for (const path of SECURITY_RULES.PROTECTED_PATHS) {
+			if (command.includes(path)) {
+				if (
+					path === "/dev/" &&
+					(command.includes("/dev/null") ||
+						command.includes("/dev/stderr") ||
+						command.includes("/dev/stdout"))
+				) {
+					continue;
+				}
+
+				const cmdStart = command.trim();
+				let isSafeExecutable = false;
+				for (const safePath of SECURITY_RULES.SAFE_EXECUTABLE_PATHS) {
+					if (cmdStart.startsWith(safePath)) {
+						isSafeExecutable = true;
+						break;
+					}
+				}
+
+				const pathIndex = command.indexOf(path);
+				const beforePath = command.substring(0, pathIndex);
+				const redirectBeforePath = />\s*$/.test(beforePath.trim());
+
+				if (!isSafeExecutable && redirectBeforePath) {
+					result.isValid = false;
+					result.severity = "HIGH";
+					result.violations.push(
+						`Dangerous operation on protected path: ${path}`,
+					);
+				}
+			}
+		}
+
+		return result;
+	}
+
+	splitCommandChain(command: string): string[] {
+		const commands: string[] = [];
+		let current = "";
+		let inQuotes = false;
+		let quoteChar = "";
+
+		for (let i = 0; i < command.length; i++) {
+			const char = command[i];
+			const nextChar = command[i + 1];
+
+			if ((char === '"' || char === "'") && !inQuotes) {
+				inQuotes = true;
+				quoteChar = char;
+				current += char;
+			} else if (char === quoteChar && inQuotes) {
+				inQuotes = false;
+				quoteChar = "";
+				current += char;
+			} else if (inQuotes) {
+				current += char;
+			} else if (char === "&" && nextChar === "&") {
+				commands.push(current.trim());
+				current = "";
+				i++;
+			} else if (char === "|" && nextChar === "|") {
+				commands.push(current.trim());
+				current = "";
+				i++;
+			} else if (char === ";") {
+				commands.push(current.trim());
+				current = "";
+			} else {
+				current += char;
+			}
+		}
+
+		if (current.trim()) {
+			commands.push(current.trim());
+		}
+
+		return commands.filter((cmd) => cmd.length > 0);
+	}
+
+	isRmRfCommandSafe(command: string): boolean {
+		const rmRfMatch = command.match(/rm\s+.*-rf\s+([^\s;&|]+)/);
+		if (!rmRfMatch) {
+			return false;
+		}
+
+		const targetPath = rmRfMatch[1];
+
+		if (targetPath === "/" || targetPath.endsWith("/")) {
+			return false;
+		}
+
+		for (const safePath of SECURITY_RULES.SAFE_RM_PATHS) {
+			if (targetPath.startsWith(safePath)) {
+				return true;
+			}
+		}
+
+		if (!targetPath.startsWith("/")) {
+			return true;
+		}
+
+		return false;
+	}
+}

package/claude-code-config/scripts/command-validator/vitest.config.ts

@@ -0,0 +1,7 @@
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+	test: {
+		globals: true,
+	},
+});

package/claude-code-config/scripts/statusline/package.json

@@ -1,13 +1,11 @@
 {
 	"name": "statusline",
-	"version": "1.0.0",
+	"version": "2.0.0",
 	"module": "src/index.ts",
 	"type": "module",
 	"scripts": {
 		"start": "bun run src/index.ts",
 		"test": "bun run test.ts",
-		"spend:today": "bun run src/commands/spend-today.ts",
-		"spend:month": "bun run src/commands/spend-month.ts",
 		"lint": "biome check --write .",
 		"format": "biome format --write ."
 	},

package/claude-code-config/scripts/statusline/src/index.ts

@@ -1,89 +1,14 @@
 #!/usr/bin/env bun
 
-import type { StatuslineConfig } from "../statusline.config";
 import { defaultConfig } from "../statusline.config";
 import { getContextData } from "./lib/context";
-import {
-	colors,
-	formatBranch,
-	formatCost,
-	formatDuration,
-	formatPath,
-	formatProgressBar,
-	formatResetTime,
-	formatSession,
-} from "./lib/formatters";
-import { getGitStatus } from "./lib/git";
-import { saveSession } from "./lib/spend";
+import { colors, formatPath, formatSession } from "./lib/formatters";
 import type { HookInput } from "./lib/types";
-import { getUsageLimits } from "./lib/usage-limits";
-
-function buildFirstLine(
-	branch: string,
-	dirPath: string,
-	modelName: string,
-	showSonnetModel: boolean,
-	separator: string,
-): string {
-	const isSonnet = modelName.toLowerCase().includes("sonnet");
-	const sep = `${colors.GRAY}${separator}${colors.LIGHT_GRAY}`;
-
-	if (isSonnet && !showSonnetModel) {
-		return `${colors.LIGHT_GRAY}${branch} ${sep} ${dirPath}${colors.RESET}`;
-	}
-
-	return `${colors.LIGHT_GRAY}${branch} ${sep} ${dirPath} ${sep} ${modelName}${colors.RESET}`;
-}
-
-function buildSecondLine(
-	sessionCost: string,
-	_sessionDuration: string,
-	tokensUsed: number,
-	tokensMax: number,
-	contextPercentage: number,
-	fiveHourUtilization: number | null,
-	fiveHourReset: string | null,
-	sessionConfig: StatuslineConfig["session"],
-	limitsConfig: StatuslineConfig["limits"],
-	separator: string,
-): string {
-	let line = formatSession(
-		sessionCost,
-		tokensUsed,
-		tokensMax,
-		contextPercentage,
-		sessionConfig,
-	);
-
-	if (fiveHourUtilization !== null && fiveHourReset) {
-		const resetTime = formatResetTime(fiveHourReset);
-		const sep = `${colors.GRAY}${separator}`;
-
-		if (limitsConfig.showProgressBar) {
-			const bar = formatProgressBar(
-				fiveHourUtilization,
-				limitsConfig.progressBarLength,
-				limitsConfig.color,
-			);
-			line += ` ${sep} L: ${bar} ${colors.LIGHT_GRAY}${fiveHourUtilization}${colors.GRAY}% ${colors.GRAY}(${resetTime} left)`;
-		} else {
-			line += ` ${sep} L:${colors.LIGHT_GRAY} ${fiveHourUtilization}${colors.GRAY}% ${colors.GRAY}(${resetTime} left)`;
-		}
-	}
-
-	line += colors.RESET;
-
-	return line;
-}
 
 async function main() {
 	try {
 		const input: HookInput = await Bun.stdin.json();
 
-		await saveSession(input);
-
-		const git = await getGitStatus();
-		const branch = formatBranch(git, defaultConfig.git);
 		const dirPath = formatPath(
 			input.workspace.current_dir,
 			defaultConfig.pathDisplayMode,
@@ -92,49 +17,22 @@ async function main() {
 		const contextData = await getContextData({
 			transcriptPath: input.transcript_path,
 			maxContextTokens: defaultConfig.context.maxContextTokens,
-			autocompactBufferTokens: defaultConfig.context.autocompactBufferTokens,
-			useUsableContextOnly: defaultConfig.context.useUsableContextOnly,
-			overheadTokens: defaultConfig.context.overheadTokens,
 		});
-		const usageLimits = await getUsageLimits();
-
-		const sessionCost = formatCost(input.cost.total_cost_usd);
-		const sessionDuration = formatDuration(input.cost.total_duration_ms);
 
-		const firstLine = buildFirstLine(
-			branch,
-			dirPath,
-			input.model.display_name,
-			defaultConfig.showSonnetModel,
-			defaultConfig.separator,
-		);
-		const secondLine = buildSecondLine(
-			sessionCost,
-			sessionDuration,
+		const sessionInfo = formatSession(
 			contextData.tokens,
-			defaultConfig.context.maxContextTokens,
 			contextData.percentage,
-			usageLimits.five_hour?.utilization ?? null,
-			usageLimits.five_hour?.resets_at ?? null,
 			defaultConfig.session,
-			defaultConfig.limits,
-			defaultConfig.separator,
 		);
 
-		if (defaultConfig.oneLine) {
-			const sep = ` ${colors.GRAY}${defaultConfig.separator}${colors.LIGHT_GRAY} `;
-			console.log(`${firstLine}${sep}${secondLine}`);
-			console.log(""); // Empty second line for spacing
-		} else {
-			console.log(firstLine);
-			console.log(secondLine);
-		}
+		const sep = ` ${colors.GRAY}${defaultConfig.separator}${colors.LIGHT_GRAY} `;
+		console.log(`${colors.LIGHT_GRAY}${dirPath}${sep}${sessionInfo}${colors.RESET}`);
+		console.log("");
 	} catch (error) {
 		const errorMessage = error instanceof Error ? error.message : String(error);
 		console.log(
 			`${colors.RED}Error:${colors.LIGHT_GRAY} ${errorMessage}${colors.RESET}`,
 		);
-		console.log(`${colors.GRAY}Check statusline configuration${colors.RESET}`);
 	}
 }
 

package/claude-code-config/scripts/statusline/src/lib/context.ts

@@ -1,103 +1,82 @@
 import { existsSync } from "node:fs";
 
-export interface TokenUsage {
-  input_tokens: number;
-  output_tokens: number;
-  cache_creation_input_tokens?: number;
-  cache_read_input_tokens?: number;
+interface TokenUsage {
+	input_tokens: number;
+	cache_creation_input_tokens?: number;
+	cache_read_input_tokens?: number;
 }
 
-export interface TranscriptLine {
-  message?: { usage?: TokenUsage };
-  timestamp?: string;
-  isSidechain?: boolean;
-  isApiErrorMessage?: boolean;
+interface TranscriptLine {
+	message?: { usage?: TokenUsage };
+	timestamp?: string;
+	isSidechain?: boolean;
+	isApiErrorMessage?: boolean;
 }
 
 export interface ContextResult {
-  tokens: number;
-  percentage: number;
+	tokens: number;
+	percentage: number;
 }
 
-export async function getContextLength(
-  transcriptPath: string,
-): Promise<number> {
-  try {
-    const content = await Bun.file(transcriptPath).text();
-    const lines = content.trim().split("\n");
-
-    if (lines.length === 0) return 0;
-
-    let mostRecentMainChainEntry: TranscriptLine | null = null;
-    let mostRecentTimestamp: Date | null = null;
-
-    for (const line of lines) {
-      try {
-        const data = JSON.parse(line) as TranscriptLine;
-
-        if (!data.message?.usage) continue;
-        if (data.isSidechain === true) continue;
-        if (data.isApiErrorMessage === true) continue;
-        if (!data.timestamp) continue;
-
-        const entryTime = new Date(data.timestamp);
-
-        if (!mostRecentTimestamp || entryTime > mostRecentTimestamp) {
-          mostRecentTimestamp = entryTime;
-          mostRecentMainChainEntry = data;
-        }
-      } catch {}
-    }
-
-    if (!mostRecentMainChainEntry?.message?.usage) {
-      return 0;
-    }
-
-    const usage = mostRecentMainChainEntry.message.usage;
-
-    return (
-      (usage.input_tokens || 0) +
-      (usage.cache_read_input_tokens ?? 0) +
-      (usage.cache_creation_input_tokens ?? 0)
-    );
-  } catch {
-    return 0;
-  }
+async function getContextLength(transcriptPath: string): Promise<number> {
+	try {
+		const content = await Bun.file(transcriptPath).text();
+		const lines = content.trim().split("\n");
+
+		if (lines.length === 0) return 0;
+
+		let mostRecentEntry: TranscriptLine | null = null;
+		let mostRecentTimestamp: Date | null = null;
+
+		for (const line of lines) {
+			try {
+				const data = JSON.parse(line) as TranscriptLine;
+
+				if (!data.message?.usage) continue;
+				if (data.isSidechain === true) continue;
+				if (data.isApiErrorMessage === true) continue;
+				if (!data.timestamp) continue;
+
+				const entryTime = new Date(data.timestamp);
+
+				if (!mostRecentTimestamp || entryTime > mostRecentTimestamp) {
+					mostRecentTimestamp = entryTime;
+					mostRecentEntry = data;
+				}
+			} catch {}
+		}
+
+		if (!mostRecentEntry?.message?.usage) {
+			return 0;
+		}
+
+		const usage = mostRecentEntry.message.usage;
+
+		return (
+			(usage.input_tokens || 0) +
+			(usage.cache_read_input_tokens ?? 0) +
+			(usage.cache_creation_input_tokens ?? 0)
+		);
+	} catch {
+		return 0;
+	}
 }
 
-export interface ContextDataParams {
-  transcriptPath: string;
-  maxContextTokens: number;
-  autocompactBufferTokens: number;
-  useUsableContextOnly?: boolean;
-  overheadTokens?: number;
+interface ContextDataParams {
+	transcriptPath: string;
+	maxContextTokens: number;
 }
 
 export async function getContextData({
-  transcriptPath,
-  maxContextTokens,
-  autocompactBufferTokens,
-  useUsableContextOnly = false,
-  overheadTokens = 0,
+	transcriptPath,
+	maxContextTokens,
 }: ContextDataParams): Promise<ContextResult> {
-  if (!transcriptPath || !existsSync(transcriptPath)) {
-    return { tokens: 0, percentage: 0 };
-  }
-
-  const contextLength = await getContextLength(transcriptPath);
-  let totalTokens = contextLength + overheadTokens;
-
-  // If useUsableContextOnly is true, add the autocompact buffer to displayed tokens
-  if (useUsableContextOnly) {
-    totalTokens += autocompactBufferTokens;
-  }
-
-  // Always calculate percentage based on max context window
-  // (matching /context display behavior)
-  const percentage = Math.min(100, (totalTokens / maxContextTokens) * 100);
-
-  return {
-    tokens: totalTokens,
-    percentage: Math.round(percentage),
-  };
+	if (!transcriptPath || !existsSync(transcriptPath)) {
+		return { tokens: 0, percentage: 0 };
+	}
+
+	const tokens = await getContextLength(transcriptPath);
+	const percentage = Math.min(100, Math.round((tokens / maxContextTokens) * 100));
+
+	return { tokens, percentage };
 }