bashbros 0.1.2 → 0.1.4

package/dist/index.js

@@ -1,31 +1,40 @@
 #!/usr/bin/env node
 import {
+  AnomalyDetector,
   BackgroundWorker,
   BashBro,
   BashBros,
   BashgymIntegration,
-  ClaudeCodeHooks,
   CommandSuggester,
   CostEstimator,
   LoopDetector,
-  MetricsCollector,
+  OutputScanner,
   ReportGenerator,
   SystemProfiler,
   TaskRouter,
   UndoStack,
-  gateCommand,
   getBashgymIntegration,
   resetBashgymIntegration
-} from "./chunk-XCZMQRSX.js";
+} from "./chunk-7OEWYFN3.js";
+import {
+  ClaudeCodeHooks,
+  gateCommand
+} from "./chunk-LZYW7XQO.js";
+import {
+  MoltbotHooks,
+  getMoltbotHooks
+} from "./chunk-J37RHCFJ.js";
 import {
   AuditLogger
 } from "./chunk-SG752FZC.js";
 import {
   OllamaClient
-} from "./chunk-DLP2O6PN.js";
+} from "./chunk-EMLEJVJZ.js";
+import "./chunk-4XZ64P4V.js";
+import "./chunk-LJE4EPIU.js";
 import {
   loadConfig
-} from "./chunk-BW6XCOJH.js";
+} from "./chunk-RTZ4QWG2.js";
 import {
   CommandFilter,
   PathSandbox,
@@ -42,438 +51,150 @@ import {
 import {
   RiskScorer
 } from "./chunk-DEAF6PYM.js";
-import {
-  MoltbotHooks,
-  getMoltbotHooks
-} from "./chunk-J37RHCFJ.js";
 import "./chunk-7OCVIDC7.js";
 
-// src/policy/anomaly-detector.ts
-var DEFAULT_CONFIG = {
-  workingHours: [6, 22],
-  // 6 AM to 10 PM
-  typicalCommandsPerMinute: 30,
-  knownPaths: [],
-  suspiciousPatterns: [],
-  enabled: true
-};
-var DEFAULT_SUSPICIOUS_PATTERNS = [
-  /\bpasswd\b/,
-  /\bshadow\b/,
-  /\/root\//,
-  /\.ssh\//,
-  /\.gnupg\//,
-  /\.aws\//,
-  /\.kube\//,
-  /wallet/i,
-  /crypto/i,
-  /bitcoin/i,
-  /ethereum/i,
-  /private.*key/i
-];
-var AnomalyDetector = class {
-  config;
+// src/observability/metrics.ts
+var MetricsCollector = class {
+  sessionId;
+  startTime;
   commands = [];
-  baselinePaths = /* @__PURE__ */ new Set();
-  baselineCommands = /* @__PURE__ */ new Set();
-  learningMode = true;
-  learningCount = 0;
-  LEARNING_THRESHOLD = 50;
-  constructor(config = {}) {
-    this.config = { ...DEFAULT_CONFIG, ...config };
-  }
-  /**
-   * Check a command for anomalies
-   */
-  check(command, cwd) {
-    if (!this.config.enabled) return [];
-    const anomalies = [];
-    const now = Date.now();
-    this.commands.push({ command, timestamp: now, path: cwd });
-    if (this.commands.length > 1e3) {
-      this.commands = this.commands.slice(-500);
-    }
-    if (this.learningMode) {
-      this.learn(command, cwd);
-      if (this.learningCount >= this.LEARNING_THRESHOLD) {
-        this.learningMode = false;
-      }
-      return anomalies;
-    }
-    const timingAnomaly = this.checkTiming(now);
-    if (timingAnomaly) anomalies.push(timingAnomaly);
-    const freqAnomaly = this.checkFrequency(now);
-    if (freqAnomaly) anomalies.push(freqAnomaly);
-    if (cwd) {
-      const pathAnomaly = this.checkPath(cwd);
-      if (pathAnomaly) anomalies.push(pathAnomaly);
-    }
-    const patternAnomalies = this.checkPatterns(command);
-    anomalies.push(...patternAnomalies);
-    const behaviorAnomaly = this.checkBehavior(command);
-    if (behaviorAnomaly) anomalies.push(behaviorAnomaly);
-    return anomalies;
+  filesModified = /* @__PURE__ */ new Set();
+  pathsAccessed = /* @__PURE__ */ new Set();
+  constructor() {
+    this.sessionId = this.generateSessionId();
+    this.startTime = /* @__PURE__ */ new Date();
   }
-  /**
-   * Learn from command (build baseline)
-   */
-  learn(command, cwd) {
-    this.learningCount++;
-    const baseCmd = command.split(/\s+/)[0];
-    this.baselineCommands.add(baseCmd);
-    if (cwd) {
-      this.baselinePaths.add(cwd);
-      const parts = cwd.split(/[/\\]/);
-      for (let i = 1; i <= parts.length; i++) {
-        this.baselinePaths.add(parts.slice(0, i).join("/"));
-      }
-    }
+  generateSessionId() {
+    const now = /* @__PURE__ */ new Date();
+    const date = now.toISOString().slice(0, 10).replace(/-/g, "");
+    const time = now.toTimeString().slice(0, 8).replace(/:/g, "");
+    const rand = Math.random().toString(36).slice(2, 6);
+    return `${date}-${time}-${rand}`;
   }
   /**
-   * Check for timing anomalies
+   * Record a command execution
    */
-  checkTiming(now) {
-    const hour = new Date(now).getHours();
-    const [start, end] = this.config.workingHours;
-    if (hour < start || hour >= end) {
-      return {
-        type: "timing",
-        severity: "info",
-        message: `Activity outside normal hours (${hour}:00)`,
-        details: { hour, workingHours: this.config.workingHours }
-      };
+  record(metric) {
+    this.commands.push(metric);
+    const paths = this.extractPaths(metric.command);
+    for (const path of paths) {
+      this.pathsAccessed.add(path);
     }
-    return null;
-  }
-  /**
-   * Check for frequency anomalies
-   */
-  checkFrequency(now) {
-    const oneMinuteAgo = now - 6e4;
-    const recentCommands = this.commands.filter((c) => c.timestamp > oneMinuteAgo);
-    const rate = recentCommands.length;
-    if (rate > this.config.typicalCommandsPerMinute * 2) {
-      return {
-        type: "frequency",
-        severity: "warning",
-        message: `High command rate: ${rate}/min (typical: ${this.config.typicalCommandsPerMinute})`,
-        details: { rate, typical: this.config.typicalCommandsPerMinute }
-      };
-    }
-    const fiveSecondsAgo = now - 5e3;
-    const burstCommands = this.commands.filter((c) => c.timestamp > fiveSecondsAgo);
-    if (burstCommands.length > 10) {
-      return {
-        type: "frequency",
-        severity: "alert",
-        message: `Burst detected: ${burstCommands.length} commands in 5 seconds`,
-        details: { count: burstCommands.length, window: "5s" }
-      };
-    }
-    return null;
-  }
-  /**
-   * Check for unusual path access
-   */
-  checkPath(path) {
-    if (this.config.knownPaths.length > 0) {
-      const isKnown = this.config.knownPaths.some(
-        (p) => path.startsWith(p) || path.includes(p)
-      );
-      if (!isKnown) {
-        return {
-          type: "path",
-          severity: "warning",
-          message: `Access to unexpected path: ${path}`,
-          details: { path, knownPaths: this.config.knownPaths }
-        };
-      }
-    }
-    if (!this.learningMode && this.baselinePaths.size > 0) {
-      const isBaseline = this.baselinePaths.has(path) || [...this.baselinePaths].some((p) => path.startsWith(p));
-      if (!isBaseline) {
-        return {
-          type: "path",
-          severity: "info",
-          message: `New path accessed: ${path}`,
-          details: { path, isNew: true }
-        };
+    if (this.isWriteCommand(metric.command)) {
+      for (const path of paths) {
+        this.filesModified.add(path);
       }
     }
-    return null;
   }
   /**
-   * Check for suspicious patterns
+   * Get current session metrics
    */
-  checkPatterns(command) {
-    const anomalies = [];
-    const allPatterns = [...DEFAULT_SUSPICIOUS_PATTERNS, ...this.config.suspiciousPatterns];
-    for (const pattern of allPatterns) {
-      if (pattern.test(command)) {
-        anomalies.push({
-          type: "pattern",
-          severity: "warning",
-          message: `Suspicious pattern detected: ${pattern.source}`,
-          details: { command: command.slice(0, 100), pattern: pattern.source }
-        });
-      }
+  getMetrics() {
+    const now = /* @__PURE__ */ new Date();
+    const duration = now.getTime() - this.startTime.getTime();
+    const riskDist = { safe: 0, caution: 0, dangerous: 0, critical: 0 };
+    let totalRisk = 0;
+    for (const cmd of this.commands) {
+      riskDist[cmd.riskScore.level]++;
+      totalRisk += cmd.riskScore.score;
     }
-    return anomalies;
-  }
-  /**
-   * Check for behavioral anomalies
-   */
-  checkBehavior(command) {
-    const baseCmd = command.split(/\s+/)[0];
-    if (!this.learningMode && this.baselineCommands.size > 0) {
-      if (!this.baselineCommands.has(baseCmd)) {
-        const sensitiveCommands = /* @__PURE__ */ new Set([
-          "curl",
-          "wget",
-          "nc",
-          "netcat",
-          "ssh",
-          "scp",
-          "rsync",
-          "sudo",
-          "su",
-          "chmod",
-          "chown",
-          "mount",
-          "umount"
-        ]);
-        if (sensitiveCommands.has(baseCmd)) {
-          return {
-            type: "behavior",
-            severity: "warning",
-            message: `New sensitive command type: ${baseCmd}`,
-            details: { command: baseCmd, isNew: true }
-          };
-        }
+    const cmdFreq = /* @__PURE__ */ new Map();
+    for (const cmd of this.commands) {
+      const base = cmd.command.split(/\s+/)[0];
+      cmdFreq.set(base, (cmdFreq.get(base) || 0) + 1);
+    }
+    const topCommands = [...cmdFreq.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10);
+    const violationsByType = {};
+    for (const cmd of this.commands) {
+      for (const v of cmd.violations) {
+        violationsByType[v.type] = (violationsByType[v.type] || 0) + 1;
       }
     }
-    return null;
-  }
-  /**
-   * Get anomaly stats
-   */
-  getStats() {
-    const now = Date.now();
-    const oneMinuteAgo = now - 6e4;
-    const recentRate = this.commands.filter((c) => c.timestamp > oneMinuteAgo).length;
+    const totalExecTime = this.commands.reduce((sum, c) => sum + c.duration, 0);
+    const avgExecTime = this.commands.length > 0 ? totalExecTime / this.commands.length : 0;
     return {
-      learningMode: this.learningMode,
-      learningProgress: Math.min(100, Math.round(this.learningCount / this.LEARNING_THRESHOLD * 100)),
-      baselineCommands: this.baselineCommands.size,
-      baselinePaths: this.baselinePaths.size,
-      recentCommandRate: recentRate
+      sessionId: this.sessionId,
+      startTime: this.startTime,
+      duration,
+      commandCount: this.commands.length,
+      blockedCount: this.commands.filter((c) => !c.allowed).length,
+      uniqueCommands: cmdFreq.size,
+      topCommands,
+      riskDistribution: riskDist,
+      avgRiskScore: this.commands.length > 0 ? totalRisk / this.commands.length : 0,
+      avgExecutionTime: avgExecTime,
+      totalExecutionTime: totalExecTime,
+      filesModified: [...this.filesModified],
+      pathsAccessed: [...this.pathsAccessed],
+      violationsByType
     };
   }
   /**
-   * Force end learning mode
-   */
-  endLearning() {
-    this.learningMode = false;
-  }
-  /**
-   * Reset and restart learning
+   * Extract paths from a command
    */
-  reset() {
-    this.commands = [];
-    this.baselinePaths.clear();
-    this.baselineCommands.clear();
-    this.learningMode = true;
-    this.learningCount = 0;
-  }
-};
-
-// src/policy/output-scanner.ts
-var SECRET_PATTERNS = [
-  // API Keys
-  { pattern: /sk-[A-Za-z0-9]{20,}/, name: "OpenAI API Key" },
-  { pattern: /sk-ant-[A-Za-z0-9\-]{20,}/, name: "Anthropic API Key" },
-  { pattern: /ghp_[A-Za-z0-9]{36}/, name: "GitHub Token" },
-  { pattern: /gho_[A-Za-z0-9]{36}/, name: "GitHub OAuth Token" },
-  { pattern: /github_pat_[A-Za-z0-9_]{22,}/, name: "GitHub PAT" },
-  { pattern: /glpat-[A-Za-z0-9\-]{20,}/, name: "GitLab Token" },
-  { pattern: /xox[baprs]-[A-Za-z0-9\-]{10,}/, name: "Slack Token" },
-  { pattern: /sk_live_[A-Za-z0-9]{24,}/, name: "Stripe Secret Key" },
-  { pattern: /sq0atp-[A-Za-z0-9\-_]{22,}/, name: "Square Token" },
-  { pattern: /AKIA[A-Z0-9]{16}/, name: "AWS Access Key" },
-  { pattern: /amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, name: "Amazon MWS Key" },
-  // OAuth/JWT
-  { pattern: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/, name: "Bearer Token" },
-  { pattern: /eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+/, name: "JWT Token" },
-  // Credentials in output
-  { pattern: /password\s*[=:]\s*['"]?[^\s'"]{4,}['"]?/i, name: "Password" },
-  { pattern: /passwd\s*[=:]\s*['"]?[^\s'"]{4,}['"]?/i, name: "Password" },
-  { pattern: /api[_-]?key\s*[=:]\s*['"]?[^\s'"]{8,}['"]?/i, name: "API Key" },
-  { pattern: /secret\s*[=:]\s*['"]?[^\s'"]{8,}['"]?/i, name: "Secret" },
-  { pattern: /token\s*[=:]\s*['"]?[^\s'"]{8,}['"]?/i, name: "Token" },
-  // Private keys
-  { pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/, name: "Private Key" },
-  { pattern: /-----BEGIN\s+EC\s+PRIVATE\s+KEY-----/, name: "EC Private Key" },
-  { pattern: /-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----/, name: "SSH Private Key" },
-  { pattern: /-----BEGIN\s+PGP\s+PRIVATE\s+KEY\s+BLOCK-----/, name: "PGP Private Key" },
-  // Database URLs
-  { pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@/, name: "MongoDB Connection String" },
-  { pattern: /postgres(ql)?:\/\/[^:]+:[^@]+@/, name: "PostgreSQL Connection String" },
-  { pattern: /mysql:\/\/[^:]+:[^@]+@/, name: "MySQL Connection String" },
-  { pattern: /redis:\/\/[^:]+:[^@]+@/, name: "Redis Connection String" },
-  // SSH
-  { pattern: /ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,2}/, name: "SSH Public Key" },
-  { pattern: /ssh-ed25519\s+[A-Za-z0-9+/]+/, name: "SSH ED25519 Key" }
-];
-var ERROR_PATTERNS = [
-  { pattern: /EACCES|EPERM|permission denied/i, name: "Permission Error" },
-  { pattern: /ENOENT|no such file|not found/i, name: "File Not Found" },
-  { pattern: /ECONNREFUSED|connection refused/i, name: "Connection Refused" },
-  { pattern: /ETIMEDOUT|timed out/i, name: "Timeout Error" },
-  { pattern: /segmentation fault|core dumped/i, name: "Crash" },
-  { pattern: /out of memory|OOM|cannot allocate/i, name: "Memory Error" },
-  { pattern: /stack trace|traceback|at\s+\S+:\d+:\d+/i, name: "Stack Trace" },
-  { pattern: /error:|fatal:|failed:/i, name: "Error Message" }
-];
-var OutputScanner = class {
-  secretPatterns;
-  redactPatterns;
-  policy;
-  constructor(policy) {
-    this.policy = policy;
-    this.secretPatterns = SECRET_PATTERNS.map((p) => p.pattern);
-    this.redactPatterns = (policy.redactPatterns || []).map((p) => {
-      try {
-        return new RegExp(p, "gi");
-      } catch {
-        return null;
+  extractPaths(command) {
+    const paths = [];
+    const tokens = command.split(/\s+/);
+    for (const token of tokens) {
+      if (token.startsWith("-")) continue;
+      if (token.startsWith("/") || token.startsWith("./") || token.startsWith("../") || token.startsWith("~/") || token.includes(".")) {
+        paths.push(token);
       }
-    }).filter((p) => p !== null);
+    }
+    return paths;
   }
   /**
-   * Scan output for secrets and sensitive data
+   * Check if command modifies files
    */
-  scan(output) {
-    if (!this.policy.enabled) {
-      return {
-        hasSecrets: false,
-        hasErrors: false,
-        redactedOutput: output,
-        findings: []
-      };
-    }
-    const findings = [];
-    let hasSecrets = false;
-    let hasErrors = false;
-    let processedOutput = output;
-    if (output.length > this.policy.maxOutputLength) {
-      processedOutput = output.slice(0, this.policy.maxOutputLength) + "\n... [truncated]";
-    }
-    if (this.policy.scanForSecrets) {
-      const secretFindings = this.scanForSecrets(processedOutput);
-      if (secretFindings.length > 0) {
-        hasSecrets = true;
-        findings.push(...secretFindings);
-      }
-    }
-    if (this.policy.scanForErrors) {
-      const errorFindings = this.scanForErrors(processedOutput);
-      if (errorFindings.length > 0) {
-        hasErrors = true;
-        findings.push(...errorFindings);
-      }
-    }
-    const redactedOutput = this.redact(processedOutput);
-    return {
-      hasSecrets,
-      hasErrors,
-      redactedOutput,
-      findings
-    };
+  isWriteCommand(command) {
+    const writePatterns = [
+      /^(vim|vi|nano|emacs|code)\s/,
+      /^(touch|mkdir|cp|mv|rm)\s/,
+      /^(echo|cat|printf).*>/,
+      /^(git\s+(add|commit|checkout|reset))/,
+      /^(npm|yarn|pnpm)\s+(install|uninstall)/,
+      /^(pip|pip3)\s+(install|uninstall)/,
+      /^chmod\s/,
+      /^chown\s/
+    ];
+    return writePatterns.some((p) => p.test(command));
   }
   /**
-   * Scan for secrets in output
+   * Get recent commands
    */
-  scanForSecrets(output) {
-    const findings = [];
-    const lines = output.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      for (const { pattern, name } of SECRET_PATTERNS) {
-        if (pattern.test(line)) {
-          findings.push({
-            type: "secret",
-            pattern: name,
-            message: `Potential ${name} found in output`,
-            line: i + 1
-          });
-        }
-      }
-    }
-    return findings;
+  getRecentCommands(n = 10) {
+    return this.commands.slice(-n);
   }
   /**
-   * Scan for error patterns in output
+   * Get blocked commands
    */
-  scanForErrors(output) {
-    const findings = [];
-    const lines = output.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      for (const { pattern, name } of ERROR_PATTERNS) {
-        if (pattern.test(line)) {
-          findings.push({
-            type: "error",
-            pattern: name,
-            message: `${name} detected`,
-            line: i + 1
-          });
-          break;
-        }
-      }
-    }
-    return findings;
+  getBlockedCommands() {
+    return this.commands.filter((c) => !c.allowed);
   }
   /**
-   * Redact sensitive data from output
+   * Get high-risk commands
    */
-  redact(output) {
-    let redacted = output;
-    for (const { pattern, name } of SECRET_PATTERNS) {
-      redacted = redacted.replace(new RegExp(pattern.source, "g"), `[REDACTED ${name}]`);
-    }
-    for (const pattern of this.redactPatterns) {
-      redacted = redacted.replace(pattern, "[REDACTED]");
-    }
-    return redacted;
+  getHighRiskCommands(threshold = 6) {
+    return this.commands.filter((c) => c.riskScore.score >= threshold);
   }
   /**
-   * Check if output contains any secrets
+   * Format duration for display
    */
-  hasSecrets(output) {
-    for (const pattern of this.secretPatterns) {
-      if (pattern.test(output)) {
-        return true;
-      }
-    }
-    return false;
+  static formatDuration(ms) {
+    if (ms < 1e3) return `${ms}ms`;
+    if (ms < 6e4) return `${(ms / 1e3).toFixed(1)}s`;
+    if (ms < 36e5) return `${Math.floor(ms / 6e4)}m ${Math.floor(ms % 6e4 / 1e3)}s`;
+    return `${Math.floor(ms / 36e5)}h ${Math.floor(ms % 36e5 / 6e4)}m`;
   }
   /**
-   * Get summary of findings
+   * Reset collector
    */
-  static summarize(findings) {
-    if (findings.length === 0) {
-      return "No issues found";
-    }
-    const secrets = findings.filter((f) => f.type === "secret");
-    const errors = findings.filter((f) => f.type === "error");
-    const parts = [];
-    if (secrets.length > 0) {
-      parts.push(`${secrets.length} potential secret(s)`);
-    }
-    if (errors.length > 0) {
-      parts.push(`${errors.length} error(s)`);
-    }
-    return parts.join(", ");
+  reset() {
+    this.sessionId = this.generateSessionId();
+    this.startTime = /* @__PURE__ */ new Date();
+    this.commands = [];
+    this.filesModified.clear();
+    this.pathsAccessed.clear();
   }
 };