aiblueprint-cli 1.4.12 → 1.4.13

package/claude-code-config/scripts/command-validator/src/lib/validator.ts

@@ -1,360 +1,90 @@
-import { SAFE_COMMANDS, SECURITY_RULES } from "./security-rules";
 import type { ValidationResult } from "./types";
 
+const DANGEROUS_COMMANDS = [
+	"sudo",
+	"su",
+	"chmod",
+	"chown",
+	"dd",
+	"mkfs",
+	"fdisk",
+	"kill",
+	"killall",
+];
+
 export class CommandValidator {
-	validate(command: string, toolName = "Unknown"): ValidationResult {
+	validate(command: string, _toolName = "Unknown"): ValidationResult {
 		const result: ValidationResult = {
 			isValid: true,
 			severity: "LOW",
 			violations: [],
 			sanitizedCommand: command,
+			action: "allow",
 		};
 
 		if (!command || typeof command !== "string") {
 			result.isValid = false;
 			result.violations.push("Invalid command format");
+			result.action = "deny";
 			return result;
 		}
 
-		if (command.length > 2000) {
-			result.isValid = false;
-			result.severity = "MEDIUM";
-			result.violations.push("Command too long (potential buffer overflow)");
-			return result;
-		}
-
-		if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\xFF]/.test(command)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push("Binary or encoded content detected");
-			return result;
-		}
-
-		const normalizedCmd = command.trim().toLowerCase();
-		const cmdParts = normalizedCmd.split(/\s+/);
-		const mainCommand = cmdParts[0].split("/").pop() || "";
-
-		if (mainCommand === "source" || mainCommand === "python") {
-			return result;
-		}
-
-		for (const pattern of SECURITY_RULES.DANGEROUS_PATTERNS) {
-			if (pattern.test(command)) {
-				result.isValid = false;
-				result.severity = "CRITICAL";
-				result.violations.push(`Dangerous pattern detected: ${pattern.source}`);
-			}
-		}
-
-		if (SECURITY_RULES.CRITICAL_COMMANDS.includes(mainCommand)) {
+		// rm -rf → DENY (blocked completely)
+		if (this.containsRmRf(command)) {
 			result.isValid = false;
 			result.severity = "CRITICAL";
-			result.violations.push(`Critical dangerous command: ${mainCommand}`);
-		}
-
-		if (SECURITY_RULES.PRIVILEGE_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push(`Privilege escalation command: ${mainCommand}`);
-		}
-
-		if (SECURITY_RULES.NETWORK_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push(`Network/remote access command: ${mainCommand}`);
-		}
-
-		if (SECURITY_RULES.SYSTEM_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push(`System manipulation command: ${mainCommand}`);
-		}
-
-		if (/rm\s+.*-rf\s/.test(command)) {
-			const isRmRfSafe = this.isRmRfCommandSafe(command);
-			if (!isRmRfSafe) {
-				result.isValid = false;
-				result.severity = "CRITICAL";
-				result.violations.push("rm -rf command targeting unsafe path");
-			}
-		}
-
-		if (SAFE_COMMANDS.includes(mainCommand) && result.violations.length === 0) {
-			return result;
-		}
-
-		if (command.includes("&&")) {
-			const chainedCommands = this.splitCommandChain(command);
-			let allSafe = true;
-			for (const chainedCmd of chainedCommands) {
-				const trimmedCmd = chainedCmd.trim();
-				const cmdParts = trimmedCmd.split(/\s+/);
-				const mainCommand = cmdParts[0];
-
-				if (
-					mainCommand === "source" ||
-					mainCommand === "python" ||
-					SAFE_COMMANDS.includes(mainCommand)
-				) {
-					continue;
-				}
-
-				const chainResult = this.validateSingleCommand(trimmedCmd, toolName);
-				if (!chainResult.isValid) {
-					result.isValid = false;
-					result.severity = chainResult.severity;
-					result.violations.push(
-						`Chained command violation: ${trimmedCmd} - ${chainResult.violations.join(", ")}`,
-					);
-					allSafe = false;
-				}
-			}
-			if (allSafe) {
-				return result;
-			}
-		}
-
-		if (command.includes(";") || command.includes("||")) {
-			const chainedCommands = this.splitCommandChain(command);
-			for (const chainedCmd of chainedCommands) {
-				const chainResult = this.validateSingleCommand(
-					chainedCmd.trim(),
-					toolName,
-				);
-				if (!chainResult.isValid) {
-					result.isValid = false;
-					result.severity = chainResult.severity;
-					result.violations.push(
-						`Chained command violation: ${chainedCmd.trim()} - ${chainResult.violations.join(", ")}`,
-					);
-				}
-			}
+			result.violations.push("rm -rf is forbidden - use trash instead");
+			result.action = "deny";
 			return result;
 		}
 
-		for (const path of SECURITY_RULES.PROTECTED_PATHS) {
-			if (command.includes(path)) {
-				if (
-					path === "/dev/" &&
-					(command.includes("/dev/null") ||
-						command.includes("/dev/stderr") ||
-						command.includes("/dev/stdout"))
-				) {
-					continue;
-				}
-
-				const cmdStart = command.trim();
-				let isSafeExecutable = false;
-				for (const safePath of SECURITY_RULES.SAFE_EXECUTABLE_PATHS) {
-					if (cmdStart.startsWith(safePath)) {
-						isSafeExecutable = true;
-						break;
-					}
-				}
-
-				const pathIndex = command.indexOf(path);
-				const beforePath = command.substring(0, pathIndex);
-				const redirectBeforePath = />\s*$/.test(beforePath.trim());
-
-				if (!isSafeExecutable && redirectBeforePath) {
-					result.isValid = false;
-					result.severity = "HIGH";
-					result.violations.push(
-						`Dangerous operation on protected path: ${path}`,
-					);
-				}
-			}
-		}
-
-		return result;
-	}
-
-	validateSingleCommand(
-		command: string,
-		_toolName = "Unknown",
-	): ValidationResult {
-		const result: ValidationResult = {
-			isValid: true,
-			severity: "LOW",
-			violations: [],
-			sanitizedCommand: command,
-		};
-
-		if (!command || typeof command !== "string") {
-			result.isValid = false;
-			result.violations.push("Invalid command format");
-			return result;
-		}
-
-		if (command.length > 2000) {
-			result.isValid = false;
-			result.severity = "MEDIUM";
-			result.violations.push("Command too long (potential buffer overflow)");
-			return result;
-		}
-
-		if (/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\xFF]/.test(command)) {
+		// Other dangerous commands → ASK (ask for permission)
+		const dangerousCmd = this.containsDangerousCommand(command);
+		if (dangerousCmd) {
 			result.isValid = false;
 			result.severity = "HIGH";
-			result.violations.push("Binary or encoded content detected");
-			return result;
-		}
-
-		const normalizedCmd = command.trim().toLowerCase();
-		const cmdParts = normalizedCmd.split(/\s+/);
-		const mainCommand = cmdParts[0].split("/").pop() || "";
-
-		if (mainCommand === "source" || mainCommand === "python") {
+			result.violations.push(`Potentially dangerous command: ${dangerousCmd}`);
+			result.action = "ask";
 			return result;
 		}
 
-		for (const pattern of SECURITY_RULES.DANGEROUS_PATTERNS) {
-			if (pattern.test(command)) {
-				result.isValid = false;
-				result.severity = "CRITICAL";
-				result.violations.push(`Dangerous pattern detected: ${pattern.source}`);
-			}
-		}
-
-		if (SECURITY_RULES.CRITICAL_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "CRITICAL";
-			result.violations.push(`Critical dangerous command: ${mainCommand}`);
-		}
-
-		if (SECURITY_RULES.PRIVILEGE_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push(`Privilege escalation command: ${mainCommand}`);
-		}
-
-		if (SECURITY_RULES.NETWORK_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push(`Network/remote access command: ${mainCommand}`);
-		}
-
-		if (SECURITY_RULES.SYSTEM_COMMANDS.includes(mainCommand)) {
-			result.isValid = false;
-			result.severity = "HIGH";
-			result.violations.push(`System manipulation command: ${mainCommand}`);
-		}
-
-		if (/rm\s+.*-rf\s/.test(command)) {
-			const isRmRfSafe = this.isRmRfCommandSafe(command);
-			if (!isRmRfSafe) {
-				result.isValid = false;
-				result.severity = "CRITICAL";
-				result.violations.push("rm -rf command targeting unsafe path");
-			}
-		}
-
-		if (SAFE_COMMANDS.includes(mainCommand) && result.violations.length === 0) {
-			return result;
-		}
-
-		for (const path of SECURITY_RULES.PROTECTED_PATHS) {
-			if (command.includes(path)) {
-				if (
-					path === "/dev/" &&
-					(command.includes("/dev/null") ||
-						command.includes("/dev/stderr") ||
-						command.includes("/dev/stdout"))
-				) {
-					continue;
-				}
-
-				const cmdStart = command.trim();
-				let isSafeExecutable = false;
-				for (const safePath of SECURITY_RULES.SAFE_EXECUTABLE_PATHS) {
-					if (cmdStart.startsWith(safePath)) {
-						isSafeExecutable = true;
-						break;
-					}
-				}
-
-				const pathIndex = command.indexOf(path);
-				const beforePath = command.substring(0, pathIndex);
-				const redirectBeforePath = />\s*$/.test(beforePath.trim());
-
-				if (!isSafeExecutable && redirectBeforePath) {
-					result.isValid = false;
-					result.severity = "HIGH";
-					result.violations.push(
-						`Dangerous operation on protected path: ${path}`,
-					);
-				}
-			}
-		}
-
 		return result;
 	}
 
-	splitCommandChain(command: string): string[] {
-		const commands: string[] = [];
-		let current = "";
-		let inQuotes = false;
-		let quoteChar = "";
-
-		for (let i = 0; i < command.length; i++) {
-			const char = command[i];
-			const nextChar = command[i + 1];
+	containsRmRf(command: string): boolean {
+		// Check for rm -rf in any form (rm -rf, rm -fr, rm -r -f, etc.)
+		const rmRfPatterns = [
+			/\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*|-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*)\s/i,
+			/\brm\s+-r\s+-f\s/i,
+			/\brm\s+-f\s+-r\s/i,
+		];
 
-			if ((char === '"' || char === "'") && !inQuotes) {
-				inQuotes = true;
-				quoteChar = char;
-				current += char;
-			} else if (char === quoteChar && inQuotes) {
-				inQuotes = false;
-				quoteChar = "";
-				current += char;
-			} else if (inQuotes) {
-				current += char;
-			} else if (char === "&" && nextChar === "&") {
-				commands.push(current.trim());
-				current = "";
-				i++;
-			} else if (char === "|" && nextChar === "|") {
-				commands.push(current.trim());
-				current = "";
-				i++;
-			} else if (char === ";") {
-				commands.push(current.trim());
-				current = "";
-			} else {
-				current += char;
+		for (const pattern of rmRfPatterns) {
+			if (pattern.test(command)) {
+				return true;
 			}
 		}
 
-		if (current.trim()) {
-			commands.push(current.trim());
-		}
-
-		return commands.filter((cmd) => cmd.length > 0);
+		return false;
 	}
 
-	isRmRfCommandSafe(command: string): boolean {
-		const rmRfMatch = command.match(/rm\s+.*-rf\s+([^\s;&|]+)/);
-		if (!rmRfMatch) {
-			return false;
-		}
-
-		const targetPath = rmRfMatch[1];
+	containsDangerousCommand(command: string): string | null {
+		const normalizedCmd = command.trim().toLowerCase();
+		const parts = normalizedCmd.split(/\s+/);
+		const mainCommand = parts[0].split("/").pop() || "";
 
-		if (targetPath === "/" || targetPath.endsWith("/")) {
-			return false;
+		if (DANGEROUS_COMMANDS.includes(mainCommand)) {
+			return mainCommand;
 		}
 
-		for (const safePath of SECURITY_RULES.SAFE_RM_PATHS) {
-			if (targetPath.startsWith(safePath)) {
-				return true;
+		// Check in chained commands
+		for (const dangerous of DANGEROUS_COMMANDS) {
+			const pattern = new RegExp(`\\b${dangerous}\\b`, "i");
+			if (pattern.test(command)) {
+				return dangerous;
 			}
 		}
 
-		if (!targetPath.startsWith("/")) {
-			return true;
-		}
-
-		return false;
+		return null;
 	}
 }

package/claude-code-config/scripts/statusline/CLAUDE.md

@@ -7,6 +7,7 @@ Clean, type-safe statusline implementation for Claude Code using Bun + TypeScrip
 ## Project Setup & Configuration
 
 ### Dependencies
+
 - **Bun**: Runtime (uses `$` for shell commands)
 - **@biomejs/biome**: Linting & formatting
 - **TypeScript**: Type safety
@@ -29,16 +30,12 @@ Add to `~/.claude/settings.json`:
 
 ### Authentication
 
-OAuth token storage (platform-specific):
+OAuth token stored in macOS Keychain:
 
-**macOS**: Stored in Keychain
 - **Service**: `Claude Code-credentials`
-- **Access**: `security find-generic-password -s "Claude Code-credentials" -w`
-
-**Windows & Linux**: Stored in file system
-- **Location**: `~/.claude/.credentials.json`
 - **Format**: JSON with `claudeAiOauth.accessToken`
 - **Token type**: `sk-ant-oat01-...` (OAuth token, not API key)
+- **Access**: `security find-generic-password -s "Claude Code-credentials" -w`
 
 ## Architecture
 
@@ -78,6 +75,7 @@ Claude Code Hook → stdin JSON → index.ts
 ## Component Specifications
 
 ### Context Calculation (`lib/context.ts`)
+
 - **Purpose**: Calculate token usage from Claude Code transcript files
 - **Algorithm**: Parses `.jsonl` transcript, finds most recent main-chain entry
 - **Tokens counted**: `input_tokens + cache_read_input_tokens + cache_creation_input_tokens`
@@ -85,6 +83,7 @@ Claude Code Hook → stdin JSON → index.ts
 - **Output**: `{ tokens: number, percentage: number }` (0-100% of 200k context)
 
 ### Usage Limits (`lib/usage-limits.ts`)
+
 - **Purpose**: Fetch Claude API rate limits from OAuth endpoint
 - **Auth**: Retrieves OAuth token from macOS Keychain (`Claude Code-credentials`)
 - **API**: `https://api.anthropic.com/api/oauth/usage`
@@ -92,12 +91,14 @@ Claude Code Hook → stdin JSON → index.ts
 - **Error handling**: Fails silently, returns null on errors
 
 ### Git Status (`lib/git.ts`)
+
 - **Purpose**: Show current branch and uncommitted changes
 - **Detection**: Checks both staged and unstaged changes
 - **Output**: Branch name + line additions/deletions
 - **Display**: `main* (+123 -45)` with color coding
 
 ### Formatters (`lib/formatters.ts`)
+
 - **Colors**: ANSI color codes for terminal output
 - **Token display**: `62.5K`, `1.2M` format
 - **Time formatting**: `3h21m`, `45m` for countdowns
@@ -106,16 +107,19 @@ Claude Code Hook → stdin JSON → index.ts
 ## Output Specification
 
 ### Line 1: Session Info
+
 ```
 main* (+123 -45) | ~/.claude | Sonnet 4.5
 ```
 
 ### Line 2: Metrics
+
 ```
 $0.17 (6m) | 62.5K tokens | 31% | 15% (3h27m)
 ```
 
 **Components:**
+
 - `$0.17` - Session cost (USD)
 - `(6m)` - Session duration
 - `62.5K tokens` - Context tokens used (from transcript)
@@ -147,6 +151,7 @@ echo '{ ... }' | bun run start
 ### Error Handling & Performance
 
 **Error Handling** - All components fail silently:
+
 - Missing transcript → 0 tokens, 0%
 - API failure → No usage limits shown
 - Git errors → "no-git" branch
@@ -155,6 +160,7 @@ echo '{ ... }' | bun run start
 This ensures statusline never crashes Claude Code.
 
 **Performance Benchmarks:**
+
 - Context calculation: ~10-50ms (depends on transcript size)
 - API call: ~100-300ms (cached by Claude API)
 - Git operations: ~20-50ms
@@ -177,7 +183,23 @@ This ensures statusline never crashes Claude Code.
 
 ## Known Limitations
 
+- macOS only (uses Keychain)
 - Requires `git` CLI for git status
 - Requires Claude Code OAuth (not API key)
 - Transcript must be accessible (permissions)
-- Cross-platform support: macOS (Keychain), Windows & Linux (file-based credentials)
+
+## Critical Requirements
+
+### Configuration Updates
+
+- **CRITICAL**: When updating `statusline.config.json` or `statusline.config.ts`, you **MUST** update the interactive demo in `src/commands/interactive-config.ts`
+- **ALWAYS** run `bun run config` after config changes to verify the interactive demo works correctly
+- **REQUIRED**: Keep config file structure in sync with interactive prompts
+
+### Runtime & Dependencies
+
+- **ALWAYS** use Bun for all commands and runtime operations
+- Use `bun run <script>` instead of `npm run` or `pnpm run`
+- Use `bun install` for dependency management
+- **AUTHORIZED LIBRARIES**: `@biomejs/biome` for linting/formatting, third-party libraries like `tiers` are permitted if needed
+- **NEVER** add external npm packages without verification - prefer Bun APIs first

package/claude-code-config/scripts/statusline/README.md

@@ -9,6 +9,8 @@ Clean, modular statusline for Claude Code with TypeScript + Bun.
 - 🧩 Context tokens used
 - 📊 Context percentage (0-100%)
 - ⏱️ Five-hour usage limit with reset time
+- 📅 Weekly usage limit with configurable threshold
+- 📈 Daily usage percentage tracking and statistics
 
 ## Structure
 
@@ -38,6 +40,12 @@ bun run spend:today
 # View this month's spending
 bun run spend:month
 
+# View usage statistics
+bun run stats
+
+# Interactive config demo
+bun run demo
+
 # Format code
 bun run format
 
@@ -45,7 +53,9 @@ bun run format
 bun run lint
 ```
 
-## Spend Tracking
+## Tracking Features
+
+### Spend Tracking
 
 The statusline automatically saves session data to `data/spend.json`. You can view your spending with:
 
@@ -63,6 +73,84 @@ Each session tracks:
 - Lines added/removed
 - Working directory
 
+### Usage Statistics
+
+Daily usage percentages are automatically tracked in `data/daily-usage.json`. Each 5-hour rate limit period is tracked separately using the `resets_at` timestamp as a unique key.
+
+```bash
+bun run stats
+```
+
+This shows:
+- Average daily usage percentage across all tracked days
+- Total days and total 5-hour periods tracked
+- Recent 7-day usage history with visual bars
+- Per-day statistics: average, max, min across all 5-hour periods
+- Data is kept for 90 days
+
+**How it works:**
+- Each `resets_at` value represents a unique 5-hour rate limit period
+- Multiple 5-hour periods can occur in a single day
+- If the API is called multiple times during the same 5-hour period, only the latest value is kept
+- Daily statistics show the average, maximum, and minimum usage across all periods in that day
+
+## Interactive Demo
+
+Explore all configuration options with a live preview:
+
+```bash
+bun run demo
+```
+
+This opens an interactive menu where you can:
+- Toggle any config option with arrow keys and spacebar
+- See instant preview of how the statusline changes
+- Navigate through all available settings
+- Reset to defaults with `R`
+- Explore session, limits, weekly usage, and git display options
+
+**Controls:**
+- `↑↓` or `j/k` - Navigate options
+- `Space` - Toggle selected option
+- `R` - Reset to defaults
+- `Q` - Quit
+
+## Configuration
+
+The statusline can be customized via `statusline.config.ts`. Key configuration options:
+
+### Weekly Usage Display
+
+```typescript
+weeklyUsage: {
+  enabled: boolean | "90%",  // true: always show, false: never, "90%": show when 5-hour usage >= 90%
+  showTimeLeft: boolean,
+  percentage: {
+    enabled: boolean,
+    progressBar: {
+      enabled: boolean,
+      length: 5 | 10 | 15,
+      style: "filled" | "rectangle" | "braille",
+      color: "progressive" | "green" | "yellow" | "red"
+    }
+  }
+}
+```
+
+**Default:** `enabled: "90%"` - Weekly limits appear when your 5-hour usage reaches 90%
+
+Display format: `W: ⣿⣿⣧⣀⣀⣀⣀⣀⣀⣀ 45% (6d12h)`
+
+### Other Configuration Options
+
+- **Session display**: Cost, tokens, context percentage
+- **Limits display**: Five-hour usage limits
+- **Git display**: Branch, changes, staged/unstaged files
+- **Path display**: Full, truncated, or basename modes
+- **Progress bars**: Multiple styles and color schemes
+
+See `statusline.config.ts` for all available options and defaults.
+
 ## Usage in Claude Code
 
 Update your `~/.claude/settings.json`: