npm - ccperm - Versions diffs - 1.11.0 → 1.11.2 - Mend

ccperm 1.11.0 → 1.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.ko.md CHANGED Viewed

@@ -32,6 +32,7 @@ ccperm
 | `--verbose` | 모든 권한을 상세 나열하는 텍스트 출력 |
 | `--fix` | deprecated `:*` 패턴을 ` *`로 자동 수정 |
 | `--update` | `npm install -g ccperm@latest`로 자체 업데이트 |
+| `--hey-claude-witness-me` | LLM 친화적 마크다운 감사 브리핑 (위험도 분류 포함) |
 | `--debug` | 스캔 진단 정보 표시 (파일 경로, 소요 시간) |
 | `--help`, `-h` | 도움말 표시 |
 | `--version`, `-v` | 버전 표시 |
@@ -81,6 +82,19 @@ ccperm은 Claude Code 설정을 세 단계로 구분합니다:
 권한은 합산 방식 — global + shared + local이 런타임에 병합됩니다.
+## 위험도 분류
+각 권한에 [Destructive Command Guard (DCG)](https://github.com/Dicklesworthstone/destructive_command_guard)에서 영감을 받은 위험도가 부여됩니다. `--hey-claude-witness-me` 출력과 TUI 정보 모드에서 사용됩니다.
+| 레벨 | 의미 | 예시 |
+|------|------|------|
+| **CRITICAL** | 되돌릴 수 없는 파괴 또는 전체 시스템 접근 | `rm -rf`, `sudo`, `terraform destroy`, `dd`, `curl \| sh` |
+| **HIGH** | 시스템/원격/인프라에 대한 중대한 변경 | `git push --force`, `chmod`, `aws`, `kubectl`, `ssh` |
+| **MEDIUM** | 제한된 부작용, 빌드/런타임 도구 | `docker`, `npm`, `node`, `curl`, `brew`, `sed` |
+| **LOW** | 읽기 전용 또는 안전한 개발 도구 | `cat`, `ls`, `grep`, `git` (push 제외), `eslint`, `jest` |
+컨텍스트가 중요합니다 — `git` 단독은 low지만, `git push --force`는 critical로 상승합니다. 명령어 이름뿐 아니라 전체 권한 문자열을 패턴 매칭합니다.
 ## 요구사항
 - Node.js >= 18

package/README.md CHANGED Viewed

@@ -32,6 +32,7 @@ By default, ccperm scans all projects under `~` and launches an interactive TUI.
 | `--verbose` | Detailed static output with all permissions listed |
 | `--fix` | Auto-fix deprecated `:*` patterns to ` *` |
 | `--update` | Self-update via `npm install -g ccperm@latest` |
+| `--hey-claude-witness-me` | LLM-friendly markdown audit briefing with risk classification |
 | `--debug` | Show scan diagnostics (file paths, timing) |
 | `--help`, `-h` | Show help |
 | `--version`, `-v` | Show version |
@@ -81,6 +82,19 @@ ccperm distinguishes three levels of Claude Code settings:
 Permissions are additive — global + shared + local are merged at runtime.
+## Risk Classification
+Each permission is assigned a risk level inspired by [Destructive Command Guard (DCG)](https://github.com/Dicklesworthstone/destructive_command_guard). Used in `--hey-claude-witness-me` output and the TUI info mode.
+| Level | Meaning | Examples |
+|-------|---------|----------|
+| **CRITICAL** | Irreversible destruction or full system access | `rm -rf`, `sudo`, `terraform destroy`, `dd`, `curl \| sh` |
+| **HIGH** | Significant changes to system, remote, or infrastructure | `git push --force`, `chmod`, `aws`, `kubectl`, `ssh` |
+| **MEDIUM** | Controlled side effects, build/runtime tools | `docker`, `npm`, `node`, `curl`, `brew`, `sed` |
+| **LOW** | Read-only or safe dev tools | `cat`, `ls`, `grep`, `git` (non-push), `eslint`, `jest` |
+Context matters — `git` alone is low, but `git push --force` escalates to critical. Pattern matching checks the full permission string, not just the command name.
 ## Requirements
 - Node.js >= 18

package/dist/explain.js CHANGED Viewed

@@ -134,35 +134,66 @@ const CRITICAL_PATTERNS = [
     [/git\s+reset\s+--hard/, 'Hard reset (destroys uncommitted changes)', 'core.git'],
     [/git\s+clean\s+-f/, 'Remove untracked files permanently', 'core.git'],
     [/git\s+stash\s+clear/, 'Delete all stashed changes', 'core.git'],
+    [/git\s+filter-branch/, 'Permanent history rewrite', 'core.git'],
     // containers
     [/docker\s+system\s+prune/, 'Prune all docker data', 'containers.docker'],
+    [/docker\s+volume\s+prune/, 'Delete all unused volumes', 'containers.docker'],
     // kubernetes
     [/kubectl\s+delete\s+namespace/, 'Delete entire namespace', 'kubernetes.kubectl'],
     [/kubectl\s+delete.*--all/, 'Delete all resources', 'kubernetes.kubectl'],
+    [/kubectl\s+delete\s+pvc/, 'Delete persistent volume claim', 'kubernetes.kubectl'],
     // cloud
     [/aws\s+s3\s+rb|aws\s+s3\s+rm.*--recursive/, 'Delete S3 data', 'cloud.aws'],
+    [/aws\s+ec2\s+terminate/, 'Terminate EC2 instances', 'cloud.aws'],
+    [/aws\s+rds\s+delete/, 'Delete RDS database', 'cloud.aws'],
+    [/aws\s+iam\s+delete/, 'Delete IAM resource', 'cloud.aws'],
     [/terraform\s+destroy/, 'Destroy infrastructure', 'infrastructure.terraform'],
+    [/terraform\s+apply\s+.*-auto-approve/, 'Auto-approve infrastructure changes', 'infrastructure.terraform'],
     // system
     [/chmod\s+777|chmod\s+-R/, 'Broad permission change', 'system.permissions'],
+    [/chmod\s+000/, 'Remove all file access', 'system.permissions'],
+    [/iptables\s+-F/, 'Flush firewall rules', 'system.network'],
+    [/\beval\b/, 'Arbitrary code execution', 'system'],
     // catch-all dangerous
     [/mkfs|shred|wipefs/, 'Disk destruction', 'core.filesystem'],
     [/curl.*\|\s*sh|curl.*\|\s*bash|wget.*\|\s*sh/, 'Pipe to shell (remote code execution)', 'networking'],
+    // database destructive
+    [/DROP\s+DATABASE/i, 'Drop database', 'database'],
+    [/DROP\s+TABLE/i, 'Drop table', 'database'],
+    [/DROP\s+SCHEMA.*CASCADE/i, 'Drop schema cascade', 'database'],
+    [/TRUNCATE/i, 'Truncate table data', 'database'],
 ];
 const HIGH_PATTERNS = [
     // core.git
     [/git\s+push/, 'Push to remote', 'core.git'],
     [/git\s+rebase/, 'Rewrite commit history', 'core.git'],
     [/git\s+branch\s+-D/, 'Force delete branch', 'core.git'],
+    [/git\s+checkout\s+.*--/, 'Discard uncommitted changes', 'core.git'],
+    [/git\s+stash\s+drop/, 'Drop stashed changes', 'core.git'],
     // containers
     [/docker\s+rm/, 'Remove containers', 'containers.docker'],
     [/docker\s+run/, 'Run container', 'containers.docker'],
+    [/docker\s+image\s+prune.*--all/, 'Delete all images', 'containers.docker'],
+    // kubernetes
+    [/kubectl\s+drain/, 'Evict pods from node', 'kubernetes.kubectl'],
+    [/kubectl\s+scale.*--replicas=0/, 'Scale to zero (service down)', 'kubernetes.kubectl'],
+    [/helm\s+uninstall|helm\s+delete/, 'Uninstall Helm release', 'kubernetes.helm'],
     // cloud
     [/aws\s+ecs/, 'ECS management', 'cloud.aws'],
     [/aws\s+codepipeline/, 'CI/CD pipeline', 'cloud.aws'],
     [/aws\s+ssm/, 'Systems Manager', 'cloud.aws'],
+    [/aws\s+lambda\s+delete/, 'Delete Lambda function', 'cloud.aws'],
+    [/gcloud.*delete/, 'Delete GCP resource', 'cloud.gcp'],
+    // remote
+    [/rsync.*--delete/, 'Sync with deletion', 'remote.rsync'],
     // deploy
     [/npm\s+publish/, 'Publish to npm', 'packages'],
     [/vercel\s+--prod/, 'Deploy to production', 'deploy'],
+    // database
+    [/redis-cli.*FLUSHALL/i, 'Flush all Redis data', 'database.redis'],
+    [/redis-cli.*FLUSHDB/i, 'Flush Redis database', 'database.redis'],
+    // secrets
+    [/vault\s+delete/, 'Delete Vault secret', 'secrets.vault'],
 ];
 // Write path risk assessment
 const WRITE_CRITICAL = [

package/dist/interactive.js CHANGED Viewed

@@ -7,6 +7,15 @@ exports.startInteractive = startInteractive;
 const node_readline_1 = __importDefault(require("node:readline"));
 const colors_js_1 = require("./colors.js");
 const explain_js_1 = require("./explain.js");
+function severityTag(s) {
+    const labels = {
+        critical: `${colors_js_1.RED}CRITICAL${colors_js_1.NC}`,
+        high: `${colors_js_1.YELLOW}HIGH${colors_js_1.NC}    `,
+        medium: `${colors_js_1.DIM}MEDIUM${colors_js_1.NC}  `,
+        low: `${colors_js_1.DIM}LOW${colors_js_1.NC}     `,
+    };
+    return labels[s];
+}
 // Clean up messy bash permission labels for display
 function cleanLabel(label) {
     let s = label;
@@ -201,10 +210,12 @@ function renderDetail(state, withPerms, results) {
                 const clean = cleanLabel(item.name);
                 if (state.showInfo) {
                     const info = (0, explain_js_1.explain)(group.category, item.name);
-                    const nameMax = Math.min(35, w - 10);
+                    const tag = severityTag(info.risk);
+                    const tagLen = info.risk.length + 2; // tag visual width (e.g. "CRITICAL" + 2 spaces)
+                    const nameMax = Math.min(30, w - tagLen - 14);
                     const name = clean.length > nameMax ? clean.slice(0, nameMax - 1) + '…' : clean;
                     const desc = info.description ? `${colors_js_1.DIM}${info.description}${colors_js_1.NC}` : '';
-                    navRows.push({ text: `  ${pad(name, nameMax)}  ${desc}`, perm: item.name });
+                    navRows.push({ text: `  ${pad(name, nameMax)} ${tag} ${desc}`, perm: item.name });
                 }
                 else {
                     const maxLen = w - 8;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ccperm",
-  "version": "1.11.0",
+  "version": "1.11.2",
   "description": "Audit Claude Code permissions across all your projects",
   "bin": {
     "ccperm": "bin/ccperm.js"