avorelo 0.1.0

package/scripts/lib/agent-security/auto-policy.js

@@ -0,0 +1,139 @@
+"use strict";
+
+function hasHighRiskRelatedSource(evaluation) {
+  return Array.isArray(evaluation?.relatedSources) && evaluation.relatedSources.some((source) => source && source.instructionRisk === "high");
+}
+
+function hasQuarantinedRelatedSource(evaluation) {
+  return Array.isArray(evaluation?.relatedSources) && evaluation.relatedSources.some((source) => Array.isArray(source?.remediationActions) && source.remediationActions.includes("quarantine_source"));
+}
+
+function hasExternalDataOnlySource(evaluation) {
+  return Array.isArray(evaluation?.relatedSources) && evaluation.relatedSources.some((source) =>
+    source &&
+    source.allowedToInfluenceTools === false &&
+    ["external_untrusted", "tool_returned_untrusted", "unknown"].includes(source.trustLevel)
+  );
+}
+
+function decideAutoAction(normalizedAction, evaluation, limitPlan, adapterCapability) {
+  const adapterAvailable = Boolean(adapterCapability && adapterCapability.canEnforce);
+  const blockedBy = [];
+  const highRiskRelatedSource = hasHighRiskRelatedSource(evaluation);
+  const quarantinedRelatedSource = hasQuarantinedRelatedSource(evaluation);
+  const externalDataOnlySource = hasExternalDataOnlySource(evaluation);
+  const sourceBlocksAuto = highRiskRelatedSource || quarantinedRelatedSource || externalDataOnlySource || evaluation?.intentMismatch === "intent_mismatch";
+  const sensitiveOrMutatingAction =
+    normalizedAction.actionType === "filesystem.write" ||
+    normalizedAction.actionType === "shell.run" ||
+    normalizedAction.actionType === "network.call" ||
+    normalizedAction.actionType.startsWith("package.") ||
+    normalizedAction.actionType.startsWith("mcp.");
+  const destructiveOrSecretAction =
+    (normalizedAction.actionType === "filesystem.write" && /\.env\b|id_rsa|private.?key|credential|secret/i.test(String(normalizedAction.target || ""))) ||
+    normalizedAction.actionType === "mcp.delete" ||
+    normalizedAction.actionType === "mcp.admin" ||
+    /\bcurl\b[^\n]*\|\s*(bash|sh|pwsh|powershell)\b/i.test(String(normalizedAction.command || ""));
+
+  if (!adapterAvailable) {
+    blockedBy.push("no_adapter");
+    return {
+      autoDecision: "recommended_only",
+      confidence: "high",
+      reason: "No enforcement adapter is available for this action type.",
+      jitGrantAllowed: false,
+      enforcementRequired: false,
+      blockedBy,
+    };
+  }
+
+  if (sourceBlocksAuto && destructiveOrSecretAction) {
+    blockedBy.push("instruction_risk");
+    return {
+      autoDecision: "auto_deny",
+      confidence: "high",
+      reason: "Instruction-risk signals were detected on a related source for a secret, exfiltration, or destructive action.",
+      jitGrantAllowed: false,
+      enforcementRequired: true,
+      blockedBy,
+    };
+  }
+
+  if (sourceBlocksAuto && sensitiveOrMutatingAction) {
+    blockedBy.push("instruction_risk");
+    return {
+      autoDecision: "require_approval",
+      confidence: "high",
+      reason: "Instruction-risk signals were detected on a related source, so auto grants were disabled.",
+      jitGrantAllowed: false,
+      enforcementRequired: false,
+      blockedBy,
+    };
+  }
+
+  if (!limitPlan || !limitPlan.recommendedMode) {
+    blockedBy.push("no_limit_plan");
+    return {
+      autoDecision: "limit_plan_only",
+      confidence: "low",
+      reason: "A safe limited plan could not be produced.",
+      jitGrantAllowed: false,
+      enforcementRequired: false,
+      blockedBy,
+    };
+  }
+
+  if (limitPlan.recommendedMode === "deny") {
+    blockedBy.push("dangerous_action");
+    return {
+      autoDecision: "auto_deny",
+      confidence: "high",
+      reason: limitPlan.reason || "No safe limited version found.",
+      jitGrantAllowed: false,
+      enforcementRequired: true,
+      blockedBy,
+    };
+  }
+
+  if (limitPlan.recommendedMode === "approval-required") {
+    blockedBy.push("approval_required");
+    return {
+      autoDecision: "require_approval",
+      confidence: evaluation.riskLevel === "medium" ? "medium" : "high",
+      reason: limitPlan.reason || "Approval is required for this action.",
+      jitGrantAllowed: false,
+      enforcementRequired: false,
+      blockedBy,
+    };
+  }
+
+  const toolName = String(normalizedAction.toolName || "").toLowerCase();
+  const safeMediumMcp = normalizedAction.actionType === "mcp.write" && ["create_pull_request", "create_issue", "update_issue"].includes(toolName);
+  const safeLow = evaluation.riskLevel === "low";
+  const safeMedium = evaluation.riskLevel === "medium" && safeMediumMcp;
+
+  if ((safeLow || safeMedium) && limitPlan.recommendedMode === "limited" && limitPlan.ttlRecommendation && normalizedAction.actionType !== "unknown") {
+    return {
+      autoDecision: "auto_allow_limited",
+      confidence: safeLow ? "high" : "medium",
+      reason: limitPlan.reason || "Wuz limited this safely.",
+      jitGrantAllowed: true,
+      enforcementRequired: true,
+      blockedBy,
+    };
+  }
+
+  blockedBy.push("not_high_confidence_safe");
+  return {
+    autoDecision: "require_approval",
+    confidence: "medium",
+    reason: "This action is enforceable, but it is not obviously safe enough to auto-limit.",
+    jitGrantAllowed: false,
+    enforcementRequired: false,
+    blockedBy,
+  };
+}
+
+module.exports = {
+  decideAutoAction,
+};

package/scripts/lib/agent-security/bounded-scan.js

@@ -0,0 +1,93 @@
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { PERFORMANCE_GUARDRAILS } = require("./performance");
+
+const DEFAULT_IGNORED_DIRS = new Set([
+  ".git",
+  "node_modules",
+  "dist",
+  "build",
+  "coverage",
+  ".next",
+  ".turbo",
+  ".cache",
+]);
+
+function normalizePath(value) {
+  return String(value || "").replace(/\\/g, "/");
+}
+
+function createBoundedScanSession(cwd, tracker, overrides = {}) {
+  const startedAt = Date.now();
+  return {
+    cwd,
+    tracker,
+    maxFiles: Number(overrides.maxFiles || PERFORMANCE_GUARDRAILS.scanMaxFiles),
+    maxFileBytes: Number(overrides.maxFileBytes || PERFORMANCE_GUARDRAILS.scanMaxFileBytes),
+    maxTotalBytes: Number(overrides.maxTotalBytes || PERFORMANCE_GUARDRAILS.scanMaxTotalBytes),
+    maxDepth: Number(overrides.maxDepth || PERFORMANCE_GUARDRAILS.scanMaxDepth),
+    maxDurationMs: Number(overrides.maxDurationMs || PERFORMANCE_GUARDRAILS.scanMaxDurationMs),
+    ignoredDirs: new Set([...(overrides.ignoredDirs || []), ...DEFAULT_IGNORED_DIRS]),
+    filesSeen: 0,
+    bytesSeen: 0,
+    shouldStop() {
+      if (Date.now() - startedAt > this.maxDurationMs) {
+        if (tracker) tracker.timeoutHit = true;
+        return true;
+      }
+      return false;
+    },
+    isDirIgnored(absDir) {
+      const rel = normalizePath(path.relative(cwd, absDir));
+      if (rel === ".claude/cco") return true;
+      if (rel === ".wasp/out") return true;
+      const base = path.basename(absDir);
+      return this.ignoredDirs.has(rel) || this.ignoredDirs.has(base);
+    },
+    canDescend(depth, absDir) {
+      if (this.isDirIgnored(absDir)) {
+        if (tracker) tracker.noteIgnoredDirectory(normalizePath(path.relative(cwd, absDir)));
+        return false;
+      }
+      if (depth >= this.maxDepth) {
+        if (tracker) tracker.maxDepthHit = true;
+        return false;
+      }
+      return !this.shouldStop();
+    },
+    canReadFile(absPath, stat) {
+      const size = Number(stat?.size || 0);
+      if (this.filesSeen >= this.maxFiles) {
+        if (tracker) tracker.maxFilesHit = true;
+        return false;
+      }
+      if (this.bytesSeen + size > this.maxTotalBytes) {
+        if (tracker) tracker.maxBytesHit = true;
+        return false;
+      }
+      if (size > this.maxFileBytes) {
+        if (tracker) tracker.noteSkippedLargeFile();
+        return false;
+      }
+      return !this.shouldStop();
+    },
+    noteFile(absPath, stat) {
+      const size = Number(stat?.size || 0);
+      this.filesSeen += 1;
+      this.bytesSeen += size;
+      if (tracker) tracker.noteFile(size);
+      return {
+        path: normalizePath(path.relative(cwd, absPath)),
+        mtimeMs: Number(stat?.mtimeMs || 0),
+        size,
+      };
+    },
+  };
+}
+
+module.exports = {
+  DEFAULT_IGNORED_DIRS,
+  createBoundedScanSession,
+};

package/scripts/lib/agent-security/enforcement-adapter.js

@@ -0,0 +1,174 @@
+"use strict";
+
+const { spawnSync } = require("child_process");
+
+const SHELL_COMMAND_ADAPTER_ID = "shell-command-v1";
+const PREVIEW_LIMIT = 400;
+
+function truncatePreview(value) {
+  const text = String(value || "");
+  if (text.length <= PREVIEW_LIMIT) return text;
+  return `${text.slice(0, PREVIEW_LIMIT)}...`;
+}
+
+function redactPreview(value) {
+  return truncatePreview(String(value || "").replace(
+    /((?:secret|token|password|api[_-]?key)[^=\n]{0,20}=)[^\s\n]+/ig,
+    "$1[redacted]"
+  ));
+}
+
+function isHardBlockedShellCommand(command) {
+  return /\b(curl|wget)\b[^\n]*\|\s*(bash|sh|pwsh|powershell)\b|\b(invoke-webrequest|invoke-restmethod|downloadstring)\b|\brm\s+-rf\b|\bdel\s+\/[qs]\b|\bremove-item\b|\bforce push\b|\bgit push\b[^\n]*--force\b/i.test(String(command || ""));
+}
+
+function touchesSensitiveShellTarget(command) {
+  return /(?:^|\s)(?:cat|type|more|copy|move|del|rm|cp|mv|sed|perl|python|node)[^\n]*(?:\.env(?:\.[^\s|&;]+)?|\.ssh|\.aws|\.gcp|\.azure|id_rsa|id_dsa|id_ed25519|secret|token|credential)/i.test(String(command || ""));
+}
+
+function touchesWorkflowShellTarget(command) {
+  return /\.github[\\/]workflows[\\/]/i.test(String(command || ""));
+}
+
+function buildShellAdapterResult(base, overrides = {}) {
+  return {
+    actionId: base.actionId,
+    componentId: base.componentId || null,
+    componentType: base.componentType || null,
+    actionType: base.actionType,
+    decision: base.decision || null,
+    adapterId: SHELL_COMMAND_ADAPTER_ID,
+    enforcementAvailable: true,
+    effectiveBehavior: "recommended_only",
+    executed: false,
+    exitCode: null,
+    stdoutPreview: "",
+    stderrPreview: "",
+    reason: "",
+    timestamp: base.timestamp,
+    ...overrides,
+  };
+}
+
+function enforceShellCommand(action, context = {}) {
+  const decisionRecord = context.decisionRecord || null;
+  const limitPlan = context.limitPlan || null;
+  const execute = context.execute === true;
+  const cwd = context.cwd;
+  const command = String(action?.command || "");
+  const executor = typeof context.executor === "function" ? context.executor : null;
+  const base = {
+    actionId: action.actionId,
+    componentId: action.componentId,
+    componentType: action.componentType,
+    actionType: action.actionType,
+    decision: decisionRecord?.decision || null,
+    timestamp: context.timestamp,
+  };
+
+  if (isHardBlockedShellCommand(command)) {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "Remote script execution or destructive shell behavior is not allowed.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit" && touchesSensitiveShellTarget(command)) {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "The limited plan does not allow touching .env, credentials, or SSH material.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit" && touchesWorkflowShellTarget(command)) {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "The limited plan does not allow workflow modification commands.",
+    });
+  }
+
+  if (decisionRecord?.decision === "deny") {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: "User denied this shell action.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode === "deny") {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: limitPlan.reason || "This shell action is not allowed by the limited plan.",
+    });
+  }
+
+  if (decisionRecord?.decision === "let_wuz_limit" && limitPlan?.recommendedMode !== "limited") {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: "blocked",
+      reason: limitPlan?.reason || "The limited plan could not safely allow this shell command.",
+    });
+  }
+
+  if (!execute) {
+    return buildShellAdapterResult(base, {
+      effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "dry_run_only",
+      reason: decisionRecord?.decision === "let_wuz_limit"
+        ? (limitPlan?.reason || "Command is allowed only within the limited plan.")
+        : "Execution stayed in dry-run mode.",
+    });
+  }
+
+  const child = executor
+    ? executor({ command, cwd, action, decisionRecord, limitPlan })
+    : spawnSync(command, {
+      cwd,
+      shell: true,
+      windowsHide: true,
+      encoding: "utf8",
+      timeout: 30000,
+    });
+
+  const stdoutPreview = redactPreview(child?.stdout || "");
+  const stderrPreview = redactPreview(child?.stderr || child?.error?.message || "");
+  const exitCode = typeof child?.status === "number"
+    ? child.status
+    : typeof child?.exitCode === "number"
+      ? child.exitCode
+      : child?.error
+        ? 1
+        : 1;
+
+  return buildShellAdapterResult(base, {
+    effectiveBehavior: decisionRecord?.decision === "let_wuz_limit" ? "limited" : "allowed",
+    executed: true,
+    exitCode,
+    stdoutPreview,
+    stderrPreview,
+    reason: exitCode === 0
+      ? (decisionRecord?.decision === "let_wuz_limit"
+        ? "Command executed within the limited project scope."
+        : "Approved shell command executed once.")
+      : "Shell command executed but exited with a non-zero status.",
+  });
+}
+
+const SHELL_COMMAND_ADAPTER = {
+  adapterId: SHELL_COMMAND_ADAPTER_ID,
+  canEvaluate: true,
+  canEnforce: true,
+  supportedActionTypes: ["shell.run"],
+  enforce(action, decisionRecord, limitPlan, options = {}) {
+    return enforceShellCommand(action, {
+      ...options,
+      decisionRecord,
+      limitPlan,
+    });
+  },
+};
+
+module.exports = {
+  SHELL_COMMAND_ADAPTER_ID,
+  SHELL_COMMAND_ADAPTER,
+  isHardBlockedShellCommand,
+  touchesSensitiveShellTarget,
+  touchesWorkflowShellTarget,
+};