claude-code-pilot 3.2.0 → 3.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +67 -0
- package/README.md +14 -9
- package/bin/install.js +124 -16
- package/manifest.json +18 -3
- package/package.json +3 -2
- package/src/agents/django-build-resolver.md +252 -0
- package/src/agents/django-reviewer.md +169 -0
- package/src/agents/fastapi-reviewer.md +79 -0
- package/src/agents/fsharp-reviewer.md +109 -0
- package/src/agents/swift-build-resolver.md +170 -0
- package/src/agents/swift-reviewer.md +116 -0
- package/src/commands/ccp/cost-report.md +107 -0
- package/src/commands/ccp/intel.md +3 -3
- package/src/commands/ccp/mvp-phase.md +45 -0
- package/src/commands/ccp/plan-prd.md +160 -0
- package/src/commands/ccp/pr-ecc.md +184 -0
- package/src/commands/ccp/security-scan.md +74 -0
- package/src/hooks/ccp-bash-hook-dispatcher.js +96 -0
- package/src/hooks/ccp-context-monitor.js +23 -0
- package/src/hooks/ccp-doc-file-warning.js +93 -0
- package/src/hooks/ccp-pre-bash-dispatcher.js +24 -0
- package/src/hooks/ccp-write-gateguard.js +868 -0
- package/src/lib/project-detect.js +0 -2
- package/src/lib/shell-substitution.js +499 -0
- package/src/pilot/references/execute-mvp-tdd.md +81 -0
- package/src/pilot/references/mvp-concepts.md +49 -0
- package/src/pilot/references/planner-graphify-auto-update.md +67 -0
- package/src/pilot/references/planner-human-verify-mode.md +57 -0
- package/src/pilot/references/planner-mvp-mode.md +53 -0
- package/src/pilot/references/skeleton-template.md +48 -0
- package/src/pilot/references/spidr-splitting.md +69 -0
- package/src/pilot/references/user-story-template.md +58 -0
- package/src/pilot/references/verify-mvp-mode.md +85 -0
- package/src/pilot/references/worktree-path-safety.md +89 -0
- package/src/pilot/workflows/help.md +5 -0
- package/src/pilot/workflows/mvp-phase.md +199 -0
- package/src/skills/agent-architecture-audit/SKILL.md +256 -0
- package/src/skills/agent-harness-design/SKILL.md +73 -0
- package/src/skills/angular-developer/SKILL.md +154 -0
- package/src/skills/angular-developer/references/angular-animations.md +160 -0
- package/src/skills/angular-developer/references/angular-aria.md +410 -0
- package/src/skills/angular-developer/references/cli.md +86 -0
- package/src/skills/angular-developer/references/component-harnesses.md +59 -0
- package/src/skills/angular-developer/references/component-styling.md +91 -0
- package/src/skills/angular-developer/references/components.md +117 -0
- package/src/skills/angular-developer/references/creating-services.md +97 -0
- package/src/skills/angular-developer/references/data-resolvers.md +69 -0
- package/src/skills/angular-developer/references/define-routes.md +67 -0
- package/src/skills/angular-developer/references/defining-providers.md +72 -0
- package/src/skills/angular-developer/references/di-fundamentals.md +120 -0
- package/src/skills/angular-developer/references/e2e-testing.md +56 -0
- package/src/skills/angular-developer/references/effects.md +83 -0
- package/src/skills/angular-developer/references/hierarchical-injectors.md +43 -0
- package/src/skills/angular-developer/references/host-elements.md +80 -0
- package/src/skills/angular-developer/references/injection-context.md +63 -0
- package/src/skills/angular-developer/references/inputs.md +101 -0
- package/src/skills/angular-developer/references/linked-signal.md +59 -0
- package/src/skills/angular-developer/references/loading-strategies.md +61 -0
- package/src/skills/angular-developer/references/mcp.md +108 -0
- package/src/skills/angular-developer/references/navigate-to-routes.md +69 -0
- package/src/skills/angular-developer/references/outputs.md +86 -0
- package/src/skills/angular-developer/references/reactive-forms.md +122 -0
- package/src/skills/angular-developer/references/rendering-strategies.md +44 -0
- package/src/skills/angular-developer/references/resource.md +77 -0
- package/src/skills/angular-developer/references/route-animations.md +56 -0
- package/src/skills/angular-developer/references/route-guards.md +52 -0
- package/src/skills/angular-developer/references/router-lifecycle.md +45 -0
- package/src/skills/angular-developer/references/router-testing.md +87 -0
- package/src/skills/angular-developer/references/show-routes-with-outlets.md +68 -0
- package/src/skills/angular-developer/references/signal-forms.md +795 -0
- package/src/skills/angular-developer/references/signals-overview.md +94 -0
- package/src/skills/angular-developer/references/tailwind-css.md +69 -0
- package/src/skills/angular-developer/references/template-driven-forms.md +114 -0
- package/src/skills/angular-developer/references/testing-fundamentals.md +65 -0
- package/src/skills/error-handling/SKILL.md +376 -0
- package/src/skills/fastapi-patterns/SKILL.md +327 -0
- package/src/skills/flox-environments/SKILL.md +496 -0
- package/src/skills/fsharp-testing/SKILL.md +280 -0
- package/src/skills/ios-icon-gen/SKILL.md +157 -0
- package/src/skills/ios-icon-gen/scripts/generate_icons.swift +258 -0
- package/src/skills/ios-icon-gen/scripts/iconify_gen.sh +235 -0
- package/src/skills/make-interfaces-feel-better/SKILL.md +151 -0
- package/src/skills/mysql-patterns/SKILL.md +412 -0
- package/src/skills/plan-orchestrate/SKILL.md +220 -0
- package/src/skills/prisma-patterns/SKILL.md +371 -0
- package/src/skills/production-audit/SKILL.md +206 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/candidate-playbook.md +49 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/report.json +35 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/scenario.json +62 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/trace.json +45 -0
- package/src/skills/security-scan/references/agentshield-policy-exception/verifier-result.json +35 -0
- package/src/skills/vite-patterns/SKILL.md +449 -0
- package/src/skills/windows-desktop-e2e/SKILL.md +887 -0
|
@@ -0,0 +1,868 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
/**
|
|
3
|
+
* PreToolUse Hook: GateGuard Fact-Forcing Gate
|
|
4
|
+
*
|
|
5
|
+
* Forces investigation before editing files or running commands. Instead of
|
|
6
|
+
* asking "are you sure?" (which LLMs always answer "yes"), it demands concrete
|
|
7
|
+
* facts: importers, public API, data schemas, rollback plans. The act of
|
|
8
|
+
* investigation creates awareness that self-evaluation never did.
|
|
9
|
+
*
|
|
10
|
+
* Gates:
|
|
11
|
+
* - Edit/Write: list importers, affected API, verify data schemas, quote instruction
|
|
12
|
+
* - Bash (destructive): list targets, rollback plan, quote instruction
|
|
13
|
+
* - Bash (routine): quote current instruction (once per session)
|
|
14
|
+
*
|
|
15
|
+
* OPT-IN (default OFF): GateGuard's DENY-then-retry design is built for
|
|
16
|
+
* interactive use and would stall non-interactive plan-execution runs. It is
|
|
17
|
+
* gated behind the `strict` hook profile via src/lib/hook-flags.js, so it stays
|
|
18
|
+
* inert in standard/yolo runs. Enable it by setting CCP_HOOK_PROFILE=strict.
|
|
19
|
+
* See the `gateguard` skill for usage guidance. Re-authored from ECC 744f4169;
|
|
20
|
+
* carries no plugin-discovery resolver and exits 0 on empty stdin.
|
|
21
|
+
*
|
|
22
|
+
* Exports run(rawInput) for chaining via the pre-bash dispatcher; also runnable
|
|
23
|
+
* directly as a CLI hook (reads stdin, writes stdout/stderr, sets exit code).
|
|
24
|
+
*/
|
|
25
|
+
|
|
26
|
+
'use strict';
|
|
27
|
+
|
|
28
|
+
const crypto = require('crypto');
|
|
29
|
+
const fs = require('fs');
|
|
30
|
+
const path = require('path');
|
|
31
|
+
const {
|
|
32
|
+
extractCommandSubstitutions,
|
|
33
|
+
extractSubshellGroups,
|
|
34
|
+
extractBraceGroups
|
|
35
|
+
} = require('../lib/shell-substitution');
|
|
36
|
+
const { isHookEnabled } = require('../lib/hook-flags');
|
|
37
|
+
|
|
38
|
+
// Hook id used for the Open-Q2 strict-profile gate at the top of run().
|
|
39
|
+
const HOOK_ID = 'write:gateguard-fact-force';
|
|
40
|
+
|
|
41
|
+
// Session state — scoped per session to avoid cross-session races.
|
|
42
|
+
const STATE_DIR = process.env.GATEGUARD_STATE_DIR || path.join(process.env.HOME || process.env.USERPROFILE || '/tmp', '.gateguard');
|
|
43
|
+
let activeStateFile = null;
|
|
44
|
+
|
|
45
|
+
// State expires after 30 minutes of inactivity
|
|
46
|
+
const SESSION_TIMEOUT_MS = 30 * 60 * 1000;
|
|
47
|
+
const READ_HEARTBEAT_MS = 60 * 1000;
|
|
48
|
+
|
|
49
|
+
// Maximum checked entries to prevent unbounded growth
|
|
50
|
+
const MAX_CHECKED_ENTRIES = 500;
|
|
51
|
+
const MAX_SESSION_KEYS = 50;
|
|
52
|
+
const ROUTINE_BASH_SESSION_KEY = '__bash_session__';
|
|
53
|
+
const EDIT_WRITE_HOOK_ID = 'pre:edit-write:gateguard-fact-force';
|
|
54
|
+
const BASH_HOOK_ID = 'pre:bash:gateguard-fact-force';
|
|
55
|
+
const DISABLE_VALUES = new Set(['0', 'false', 'off', 'disabled', 'disable']);
|
|
56
|
+
|
|
57
|
+
// SQL-keyword + dd patterns stay as a single regex — they are stable
|
|
58
|
+
// phrases without shell-flag ordering concerns. Quoted strings are
|
|
59
|
+
// stripped before this regex runs so a commit message mentioning
|
|
60
|
+
// "drop table" no longer triggers a false positive.
|
|
61
|
+
const DESTRUCTIVE_SQL_DD = /\b(drop\s+table|delete\s+from|truncate|dd\s+if=)\b/i;
|
|
62
|
+
|
|
63
|
+
/**
|
|
64
|
+
* Strip the contents of single- and double-quoted strings so phrases
|
|
65
|
+
* mentioned inside a commit message or echoed argument do not trigger
|
|
66
|
+
* the destructive detector. Command substitutions are scanned separately
|
|
67
|
+
* before this runs because they execute even inside double quotes.
|
|
68
|
+
*
|
|
69
|
+
* @param {string} input
|
|
70
|
+
* @returns {string}
|
|
71
|
+
*/
|
|
72
|
+
function stripQuotedStrings(input) {
|
|
73
|
+
return input
|
|
74
|
+
.replace(/'(?:[^'\\]|\\.)*'/g, "''")
|
|
75
|
+
.replace(/"(?:[^"\\]|\\.)*"/g, '""');
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
/**
|
|
79
|
+
* Promote subshell delimiters to top-level segment separators so the
|
|
80
|
+
* destructive check applies inside `$(...)` and backtick subshells.
|
|
81
|
+
* Run iteratively to handle a layer of nesting.
|
|
82
|
+
*
|
|
83
|
+
* @param {string} input
|
|
84
|
+
* @returns {string}
|
|
85
|
+
*/
|
|
86
|
+
function explodeSubshells(input) {
|
|
87
|
+
let out = input;
|
|
88
|
+
for (let i = 0; i < 4; i += 1) {
|
|
89
|
+
const before = out;
|
|
90
|
+
out = out.replace(/\$\(([^()`]*)\)/g, ';$1;');
|
|
91
|
+
out = out.replace(/`([^`]*)`/g, ';$1;');
|
|
92
|
+
if (out === before) break;
|
|
93
|
+
}
|
|
94
|
+
return out;
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
/**
|
|
98
|
+
* Split a command line into top-level segments at unquoted shell
|
|
99
|
+
* separators (`;`, `|`, `&`, `&&`, `||`) and across subshells
|
|
100
|
+
* (`$(...)` / backticks). Quoted strings are stripped first so
|
|
101
|
+
* separators inside quotes are not split on. Per-segment comments
|
|
102
|
+
* are also stripped.
|
|
103
|
+
*
|
|
104
|
+
* @param {string} input
|
|
105
|
+
* @returns {string[]}
|
|
106
|
+
*/
|
|
107
|
+
function splitCommandSegments(input) {
|
|
108
|
+
const stripped = explodeSubshells(stripQuotedStrings(input));
|
|
109
|
+
return stripped
|
|
110
|
+
.split(/[;|&]+/)
|
|
111
|
+
.map(segment => segment.replace(/(^|\s)#.*/, '$1').trim())
|
|
112
|
+
.filter(Boolean);
|
|
113
|
+
}
|
|
114
|
+
|
|
115
|
+
/**
|
|
116
|
+
* Tokenize a single command segment by whitespace. Quoted strings
|
|
117
|
+
* are already collapsed to empty quotes by `stripQuotedStrings`, so
|
|
118
|
+
* naive whitespace splitting is sufficient.
|
|
119
|
+
*
|
|
120
|
+
* @param {string} segment
|
|
121
|
+
* @returns {string[]}
|
|
122
|
+
*/
|
|
123
|
+
function tokenize(segment) {
|
|
124
|
+
return segment.split(/\s+/).filter(Boolean);
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
/**
|
|
128
|
+
* Strip a leading path and trailing `.exe` from a command token so
|
|
129
|
+
* `/usr/bin/git`, `git.exe`, and `GIT` all normalize to `git`.
|
|
130
|
+
*
|
|
131
|
+
* @param {string} token
|
|
132
|
+
* @returns {string}
|
|
133
|
+
*/
|
|
134
|
+
function commandBasename(token) {
|
|
135
|
+
if (!token) return '';
|
|
136
|
+
return token.replace(/^.*[\\/]/, '').replace(/\.exe$/i, '').toLowerCase();
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
/**
|
|
140
|
+
* Detect `rm` invocations that recursively force-delete files. Handles
|
|
141
|
+
* combined (`-rf`, `-fr`, `-Rf`) and split (`-r -f`) flag forms.
|
|
142
|
+
*
|
|
143
|
+
* @param {string[]} tokens
|
|
144
|
+
* @returns {boolean}
|
|
145
|
+
*/
|
|
146
|
+
function isDestructiveRm(tokens) {
|
|
147
|
+
if (tokens.length === 0 || commandBasename(tokens[0]) !== 'rm') return false;
|
|
148
|
+
let hasR = false;
|
|
149
|
+
let hasF = false;
|
|
150
|
+
for (const t of tokens.slice(1)) {
|
|
151
|
+
if (t === '--recursive') {
|
|
152
|
+
hasR = true;
|
|
153
|
+
continue;
|
|
154
|
+
}
|
|
155
|
+
if (t === '--force') {
|
|
156
|
+
hasF = true;
|
|
157
|
+
continue;
|
|
158
|
+
}
|
|
159
|
+
if (!t.startsWith('-') || t.startsWith('--')) continue;
|
|
160
|
+
const body = t.slice(1);
|
|
161
|
+
if (/[rR]/.test(body)) hasR = true;
|
|
162
|
+
if (/f/.test(body)) hasF = true;
|
|
163
|
+
}
|
|
164
|
+
return hasR && hasF;
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
/**
|
|
168
|
+
* Locate the git subcommand within a token list, skipping over git's
|
|
169
|
+
* global options like `-c key=value`, `-C <path>`, `--git-dir=...`,
|
|
170
|
+
* `--work-tree=...`, `--namespace=...`, `--super-prefix=...`.
|
|
171
|
+
*
|
|
172
|
+
* @param {string[]} tokens
|
|
173
|
+
* @returns {{ command: string, rest: string[] } | null}
|
|
174
|
+
*/
|
|
175
|
+
function findGitSubcommand(tokens) {
|
|
176
|
+
if (tokens.length === 0 || commandBasename(tokens[0]) !== 'git') return null;
|
|
177
|
+
const valueConsumingShort = new Set(['-c', '-C']);
|
|
178
|
+
const valueConsumingLong = new Set(['--git-dir', '--work-tree', '--namespace', '--super-prefix']);
|
|
179
|
+
let i = 1;
|
|
180
|
+
while (i < tokens.length) {
|
|
181
|
+
const t = tokens[i];
|
|
182
|
+
if (valueConsumingShort.has(t) || valueConsumingLong.has(t)) {
|
|
183
|
+
i += 2;
|
|
184
|
+
continue;
|
|
185
|
+
}
|
|
186
|
+
if (t.startsWith('--git-dir=') || t.startsWith('--work-tree=') || t.startsWith('--namespace=') || t.startsWith('--super-prefix=')) {
|
|
187
|
+
i += 1;
|
|
188
|
+
continue;
|
|
189
|
+
}
|
|
190
|
+
if (t.startsWith('-')) {
|
|
191
|
+
// Unknown global option — skip without consuming a value.
|
|
192
|
+
i += 1;
|
|
193
|
+
continue;
|
|
194
|
+
}
|
|
195
|
+
return { command: t.toLowerCase(), rest: tokens.slice(i + 1) };
|
|
196
|
+
}
|
|
197
|
+
return null;
|
|
198
|
+
}
|
|
199
|
+
|
|
200
|
+
/**
|
|
201
|
+
* Detect destructive `git` invocations: `reset --hard`, `checkout --`,
|
|
202
|
+
* `clean -f...`, `push --force` (but not `--force-with-lease`),
|
|
203
|
+
* `commit --amend`, `rm -rf`, destructive `switch`.
|
|
204
|
+
*
|
|
205
|
+
* @param {string[]} tokens
|
|
206
|
+
* @returns {boolean}
|
|
207
|
+
*/
|
|
208
|
+
function isDestructiveGit(tokens) {
|
|
209
|
+
const sub = findGitSubcommand(tokens);
|
|
210
|
+
if (!sub) return false;
|
|
211
|
+
const { command, rest } = sub;
|
|
212
|
+
|
|
213
|
+
if (command === 'reset') {
|
|
214
|
+
return rest.includes('--hard');
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
if (command === 'checkout') {
|
|
218
|
+
return rest.includes('--');
|
|
219
|
+
}
|
|
220
|
+
|
|
221
|
+
if (command === 'clean') {
|
|
222
|
+
// `git clean -f`, `-fd`, `-fdx`, `-df`, `--force`
|
|
223
|
+
return rest.some(t => {
|
|
224
|
+
if (t === '--force') return true;
|
|
225
|
+
if (!t.startsWith('-') || t.startsWith('--')) return false;
|
|
226
|
+
return t.slice(1).includes('f');
|
|
227
|
+
});
|
|
228
|
+
}
|
|
229
|
+
|
|
230
|
+
if (command === 'push') {
|
|
231
|
+
// Only `--force-with-lease` qualifies as a safety-checked force.
|
|
232
|
+
// A `+` refspec prefix also forces a non-fast-forward update of that
|
|
233
|
+
// ref and is destructive on its own.
|
|
234
|
+
let withLease = false;
|
|
235
|
+
let bareForce = false;
|
|
236
|
+
let plusRefspecForce = false;
|
|
237
|
+
for (const t of rest) {
|
|
238
|
+
if (t === '--force-with-lease' || t.startsWith('--force-with-lease=')) {
|
|
239
|
+
withLease = true;
|
|
240
|
+
continue;
|
|
241
|
+
}
|
|
242
|
+
if (t === '--force' || t.startsWith('--force=')) {
|
|
243
|
+
bareForce = true;
|
|
244
|
+
continue;
|
|
245
|
+
}
|
|
246
|
+
if (t.startsWith('-') && !t.startsWith('--') && t.slice(1).includes('f')) {
|
|
247
|
+
bareForce = true;
|
|
248
|
+
continue;
|
|
249
|
+
}
|
|
250
|
+
if (t.startsWith('+') && t.length > 1 && /^\+(?:[a-zA-Z_/.:]|HEAD)/.test(t)) {
|
|
251
|
+
plusRefspecForce = true;
|
|
252
|
+
}
|
|
253
|
+
}
|
|
254
|
+
return bareForce || (plusRefspecForce && !withLease);
|
|
255
|
+
}
|
|
256
|
+
|
|
257
|
+
if (command === 'commit') {
|
|
258
|
+
return rest.includes('--amend');
|
|
259
|
+
}
|
|
260
|
+
|
|
261
|
+
if (command === 'rm') {
|
|
262
|
+
let hasR = false;
|
|
263
|
+
for (const t of rest) {
|
|
264
|
+
if (!t.startsWith('-') || t.startsWith('--')) continue;
|
|
265
|
+
if (/[rR]/.test(t.slice(1))) hasR = true;
|
|
266
|
+
}
|
|
267
|
+
return hasR;
|
|
268
|
+
}
|
|
269
|
+
|
|
270
|
+
if (command === 'switch') {
|
|
271
|
+
// `git switch` can discard local working-tree changes via
|
|
272
|
+
// --discard-changes, --force/-f, or -C <branch> (force-create).
|
|
273
|
+
return rest.some(t => {
|
|
274
|
+
if (t === '--discard-changes' || t === '--force') return true;
|
|
275
|
+
if (!t.startsWith('-') || t.startsWith('--')) return false;
|
|
276
|
+
const body = t.slice(1);
|
|
277
|
+
return /[fC]/.test(body);
|
|
278
|
+
});
|
|
279
|
+
}
|
|
280
|
+
|
|
281
|
+
return false;
|
|
282
|
+
}
|
|
283
|
+
|
|
284
|
+
/**
|
|
285
|
+
* Walk every executable body reachable from a raw command line and
|
|
286
|
+
* return them as a flat list. Bodies that bash will execute live in
|
|
287
|
+
* three syntactic constructs, each handled by a sibling extractor in
|
|
288
|
+
* src/lib/shell-substitution.js. The BFS here adds cross-syntax
|
|
289
|
+
* discovery by feeding every harvested body back through all three
|
|
290
|
+
* extractors. A `seen` set bounds the cost to O(unique bodies).
|
|
291
|
+
*
|
|
292
|
+
* @param {string} raw
|
|
293
|
+
* @returns {string[]}
|
|
294
|
+
*/
|
|
295
|
+
function collectExecutableBodies(raw) {
|
|
296
|
+
const bodies = [raw];
|
|
297
|
+
const queue = [raw];
|
|
298
|
+
const seen = new Set();
|
|
299
|
+
|
|
300
|
+
while (queue.length) {
|
|
301
|
+
const current = queue.shift();
|
|
302
|
+
if (seen.has(current)) continue;
|
|
303
|
+
seen.add(current);
|
|
304
|
+
|
|
305
|
+
for (const body of extractCommandSubstitutions(current)) {
|
|
306
|
+
if (seen.has(body)) continue;
|
|
307
|
+
bodies.push(body);
|
|
308
|
+
queue.push(body);
|
|
309
|
+
}
|
|
310
|
+
for (const body of extractSubshellGroups(current)) {
|
|
311
|
+
if (seen.has(body)) continue;
|
|
312
|
+
bodies.push(body);
|
|
313
|
+
queue.push(body);
|
|
314
|
+
}
|
|
315
|
+
for (const body of extractBraceGroups(current)) {
|
|
316
|
+
if (seen.has(body)) continue;
|
|
317
|
+
bodies.push(body);
|
|
318
|
+
queue.push(body);
|
|
319
|
+
}
|
|
320
|
+
}
|
|
321
|
+
|
|
322
|
+
return bodies;
|
|
323
|
+
}
|
|
324
|
+
|
|
325
|
+
function isDestructiveBash(command) {
|
|
326
|
+
const raw = String(command || '');
|
|
327
|
+
const flattened = explodeSubshells(stripQuotedStrings(raw));
|
|
328
|
+
if (DESTRUCTIVE_SQL_DD.test(flattened)) return true;
|
|
329
|
+
|
|
330
|
+
const segments = collectExecutableBodies(raw).flatMap(splitCommandSegments);
|
|
331
|
+
for (const segment of segments) {
|
|
332
|
+
if (DESTRUCTIVE_SQL_DD.test(stripQuotedStrings(segment))) return true;
|
|
333
|
+
const tokens = tokenize(segment);
|
|
334
|
+
if (isDestructiveRm(tokens)) return true;
|
|
335
|
+
if (isDestructiveGit(tokens)) return true;
|
|
336
|
+
}
|
|
337
|
+
return false;
|
|
338
|
+
}
|
|
339
|
+
|
|
340
|
+
// --- State management (per-session, atomic writes, bounded) ---
|
|
341
|
+
|
|
342
|
+
function normalizeEnvValue(value) {
|
|
343
|
+
return String(value || '').trim().toLowerCase();
|
|
344
|
+
}
|
|
345
|
+
|
|
346
|
+
function isGateGuardDisabled() {
|
|
347
|
+
if (normalizeEnvValue(process.env.GATEGUARD_DISABLED) === '1') {
|
|
348
|
+
return true;
|
|
349
|
+
}
|
|
350
|
+
|
|
351
|
+
return DISABLE_VALUES.has(normalizeEnvValue(process.env.CCP_GATEGUARD));
|
|
352
|
+
}
|
|
353
|
+
|
|
354
|
+
function sanitizeSessionKey(value) {
|
|
355
|
+
const raw = String(value || '').trim();
|
|
356
|
+
if (!raw) {
|
|
357
|
+
return '';
|
|
358
|
+
}
|
|
359
|
+
|
|
360
|
+
const sanitized = raw.replace(/[^a-zA-Z0-9_-]/g, '_');
|
|
361
|
+
if (sanitized && sanitized.length <= 64) {
|
|
362
|
+
return sanitized;
|
|
363
|
+
}
|
|
364
|
+
|
|
365
|
+
return hashSessionKey('sid', raw);
|
|
366
|
+
}
|
|
367
|
+
|
|
368
|
+
function hashSessionKey(prefix, value) {
|
|
369
|
+
return `${prefix}-${crypto.createHash('sha256').update(String(value)).digest('hex').slice(0, 24)}`;
|
|
370
|
+
}
|
|
371
|
+
|
|
372
|
+
function resolveSessionKey(data) {
|
|
373
|
+
const directCandidates = [
|
|
374
|
+
data && data.session_id,
|
|
375
|
+
data && data.sessionId,
|
|
376
|
+
data && data.session && data.session.id,
|
|
377
|
+
process.env.CLAUDE_SESSION_ID,
|
|
378
|
+
process.env.CCP_SESSION_ID
|
|
379
|
+
];
|
|
380
|
+
|
|
381
|
+
for (const candidate of directCandidates) {
|
|
382
|
+
const sanitized = sanitizeSessionKey(candidate);
|
|
383
|
+
if (sanitized) {
|
|
384
|
+
return sanitized;
|
|
385
|
+
}
|
|
386
|
+
}
|
|
387
|
+
|
|
388
|
+
const transcriptPath = (data && (data.transcript_path || data.transcriptPath)) || process.env.CLAUDE_TRANSCRIPT_PATH;
|
|
389
|
+
if (transcriptPath && String(transcriptPath).trim()) {
|
|
390
|
+
return hashSessionKey('tx', path.resolve(String(transcriptPath).trim()));
|
|
391
|
+
}
|
|
392
|
+
|
|
393
|
+
const projectFingerprint = process.env.CLAUDE_PROJECT_DIR || process.cwd();
|
|
394
|
+
return hashSessionKey('proj', path.resolve(projectFingerprint));
|
|
395
|
+
}
|
|
396
|
+
|
|
397
|
+
function getStateFile(data) {
|
|
398
|
+
if (!activeStateFile) {
|
|
399
|
+
const sessionKey = resolveSessionKey(data);
|
|
400
|
+
activeStateFile = path.join(STATE_DIR, `state-${sessionKey}.json`);
|
|
401
|
+
}
|
|
402
|
+
return activeStateFile;
|
|
403
|
+
}
|
|
404
|
+
|
|
405
|
+
function loadState() {
|
|
406
|
+
const stateFile = getStateFile();
|
|
407
|
+
try {
|
|
408
|
+
if (fs.existsSync(stateFile)) {
|
|
409
|
+
const state = JSON.parse(fs.readFileSync(stateFile, 'utf8'));
|
|
410
|
+
const lastActive = state.last_active || 0;
|
|
411
|
+
if (Date.now() - lastActive > SESSION_TIMEOUT_MS) {
|
|
412
|
+
try {
|
|
413
|
+
fs.unlinkSync(stateFile);
|
|
414
|
+
} catch (_) {
|
|
415
|
+
/* ignore */
|
|
416
|
+
}
|
|
417
|
+
return { checked: [], last_active: Date.now() };
|
|
418
|
+
}
|
|
419
|
+
return state;
|
|
420
|
+
}
|
|
421
|
+
} catch (_) {
|
|
422
|
+
/* ignore */
|
|
423
|
+
}
|
|
424
|
+
return { checked: [], last_active: Date.now() };
|
|
425
|
+
}
|
|
426
|
+
|
|
427
|
+
function pruneCheckedEntries(checked) {
|
|
428
|
+
if (checked.length <= MAX_CHECKED_ENTRIES) {
|
|
429
|
+
return checked;
|
|
430
|
+
}
|
|
431
|
+
|
|
432
|
+
const preserved = checked.includes(ROUTINE_BASH_SESSION_KEY) ? [ROUTINE_BASH_SESSION_KEY] : [];
|
|
433
|
+
const sessionKeys = checked.filter(k => k.startsWith('__') && k !== ROUTINE_BASH_SESSION_KEY);
|
|
434
|
+
const fileKeys = checked.filter(k => !k.startsWith('__'));
|
|
435
|
+
const remainingSessionSlots = Math.max(MAX_SESSION_KEYS - preserved.length, 0);
|
|
436
|
+
const cappedSession = sessionKeys.slice(-remainingSessionSlots);
|
|
437
|
+
const remainingFileSlots = Math.max(MAX_CHECKED_ENTRIES - preserved.length - cappedSession.length, 0);
|
|
438
|
+
const cappedFiles = fileKeys.slice(-remainingFileSlots);
|
|
439
|
+
return [...preserved, ...cappedSession, ...cappedFiles];
|
|
440
|
+
}
|
|
441
|
+
|
|
442
|
+
function saveState(state) {
|
|
443
|
+
const stateFile = getStateFile();
|
|
444
|
+
let tmpFile = null;
|
|
445
|
+
try {
|
|
446
|
+
fs.mkdirSync(STATE_DIR, { recursive: true });
|
|
447
|
+
|
|
448
|
+
let mergedChecked = Array.isArray(state.checked) ? state.checked : [];
|
|
449
|
+
let mergedLastActive = typeof state.last_active === 'number' ? state.last_active : 0;
|
|
450
|
+
|
|
451
|
+
try {
|
|
452
|
+
if (fs.existsSync(stateFile)) {
|
|
453
|
+
const diskState = JSON.parse(fs.readFileSync(stateFile, 'utf8'));
|
|
454
|
+
if (Array.isArray(diskState.checked)) {
|
|
455
|
+
mergedChecked = Array.from(new Set([...diskState.checked, ...mergedChecked]));
|
|
456
|
+
}
|
|
457
|
+
if (typeof diskState.last_active === 'number') {
|
|
458
|
+
mergedLastActive = Math.max(mergedLastActive, diskState.last_active);
|
|
459
|
+
}
|
|
460
|
+
}
|
|
461
|
+
} catch (_) {
|
|
462
|
+
/* ignore malformed or transient disk state */
|
|
463
|
+
}
|
|
464
|
+
|
|
465
|
+
const finalState = {
|
|
466
|
+
checked: pruneCheckedEntries(mergedChecked),
|
|
467
|
+
last_active: Math.max(mergedLastActive, Date.now())
|
|
468
|
+
};
|
|
469
|
+
|
|
470
|
+
// Atomic write: temp file + rename prevents partial reads
|
|
471
|
+
tmpFile = `${stateFile}.tmp.${process.pid}.${crypto.randomBytes(4).toString('hex')}`;
|
|
472
|
+
fs.writeFileSync(tmpFile, JSON.stringify(finalState, null, 2), 'utf8');
|
|
473
|
+
try {
|
|
474
|
+
fs.renameSync(tmpFile, stateFile);
|
|
475
|
+
} catch (error) {
|
|
476
|
+
if (error && (error.code === 'EEXIST' || error.code === 'EPERM')) {
|
|
477
|
+
try {
|
|
478
|
+
fs.unlinkSync(stateFile);
|
|
479
|
+
} catch (_) {
|
|
480
|
+
/* ignore */
|
|
481
|
+
}
|
|
482
|
+
fs.renameSync(tmpFile, stateFile);
|
|
483
|
+
} else {
|
|
484
|
+
throw error;
|
|
485
|
+
}
|
|
486
|
+
}
|
|
487
|
+
tmpFile = null;
|
|
488
|
+
return true;
|
|
489
|
+
} catch (_) {
|
|
490
|
+
if (tmpFile) {
|
|
491
|
+
try {
|
|
492
|
+
fs.unlinkSync(tmpFile);
|
|
493
|
+
} catch (_) {
|
|
494
|
+
/* ignore */
|
|
495
|
+
}
|
|
496
|
+
}
|
|
497
|
+
return false;
|
|
498
|
+
}
|
|
499
|
+
}
|
|
500
|
+
|
|
501
|
+
function markChecked(key) {
|
|
502
|
+
const state = loadState();
|
|
503
|
+
if (!state.checked.includes(key)) {
|
|
504
|
+
state.checked.push(key);
|
|
505
|
+
return saveState(state);
|
|
506
|
+
}
|
|
507
|
+
return true;
|
|
508
|
+
}
|
|
509
|
+
|
|
510
|
+
function isChecked(key) {
|
|
511
|
+
const state = loadState();
|
|
512
|
+
const found = state.checked.includes(key);
|
|
513
|
+
if (found && Date.now() - (state.last_active || 0) > READ_HEARTBEAT_MS) {
|
|
514
|
+
saveState(state);
|
|
515
|
+
}
|
|
516
|
+
return found;
|
|
517
|
+
}
|
|
518
|
+
|
|
519
|
+
// Prune stale session files older than 1 hour. Only runs when GateGuard is
|
|
520
|
+
// actually enabled (called from run()) so default/inert runs touch no disk.
|
|
521
|
+
function pruneStaleFiles() {
|
|
522
|
+
try {
|
|
523
|
+
const files = fs.readdirSync(STATE_DIR);
|
|
524
|
+
const now = Date.now();
|
|
525
|
+
for (const f of files) {
|
|
526
|
+
const isStateFile = f.startsWith('state-') && (f.endsWith('.json') || f.includes('.json.tmp.'));
|
|
527
|
+
if (!isStateFile) continue;
|
|
528
|
+
const fp = path.join(STATE_DIR, f);
|
|
529
|
+
try {
|
|
530
|
+
const stat = fs.statSync(fp);
|
|
531
|
+
if (now - stat.mtimeMs > SESSION_TIMEOUT_MS * 2) {
|
|
532
|
+
fs.unlinkSync(fp);
|
|
533
|
+
}
|
|
534
|
+
} catch (_) {
|
|
535
|
+
// Ignore files that disappear between readdir/stat/unlink.
|
|
536
|
+
}
|
|
537
|
+
}
|
|
538
|
+
} catch (_) {
|
|
539
|
+
/* ignore */
|
|
540
|
+
}
|
|
541
|
+
}
|
|
542
|
+
|
|
543
|
+
// --- Sanitize file path against injection ---
|
|
544
|
+
|
|
545
|
+
function sanitizePath(filePath) {
|
|
546
|
+
// Strip control chars (including null), bidi overrides, and newlines
|
|
547
|
+
let sanitized = '';
|
|
548
|
+
for (const char of String(filePath || '')) {
|
|
549
|
+
const code = char.codePointAt(0);
|
|
550
|
+
const isAsciiControl = code <= 0x1f || code === 0x7f;
|
|
551
|
+
const isBidiOverride = (code >= 0x200e && code <= 0x200f) || (code >= 0x202a && code <= 0x202e) || (code >= 0x2066 && code <= 0x2069);
|
|
552
|
+
sanitized += isAsciiControl || isBidiOverride ? ' ' : char;
|
|
553
|
+
}
|
|
554
|
+
return sanitized.trim().slice(0, 500);
|
|
555
|
+
}
|
|
556
|
+
|
|
557
|
+
function normalizeForMatch(value) {
|
|
558
|
+
return String(value || '')
|
|
559
|
+
.replace(/\\/g, '/')
|
|
560
|
+
.toLowerCase();
|
|
561
|
+
}
|
|
562
|
+
|
|
563
|
+
function isClaudeSettingsPath(filePath) {
|
|
564
|
+
const normalized = normalizeForMatch(filePath);
|
|
565
|
+
return /(^|\/)\.claude\/settings(?:\.[^/]+)?\.json$/.test(normalized);
|
|
566
|
+
}
|
|
567
|
+
|
|
568
|
+
function isReadOnlyGitIntrospection(command) {
|
|
569
|
+
const trimmed = String(command || '').trim();
|
|
570
|
+
if (!trimmed || /[\r\n;&|><`$()]/.test(trimmed)) {
|
|
571
|
+
return false;
|
|
572
|
+
}
|
|
573
|
+
|
|
574
|
+
const tokens = trimmed.split(/\s+/);
|
|
575
|
+
if (tokens[0] !== 'git' || tokens.length < 2) {
|
|
576
|
+
return false;
|
|
577
|
+
}
|
|
578
|
+
|
|
579
|
+
const subcommand = tokens[1].toLowerCase();
|
|
580
|
+
const args = tokens.slice(2);
|
|
581
|
+
|
|
582
|
+
if (subcommand === 'status') {
|
|
583
|
+
return args.every(arg => ['--porcelain', '--short', '--branch'].includes(arg));
|
|
584
|
+
}
|
|
585
|
+
|
|
586
|
+
if (subcommand === 'diff') {
|
|
587
|
+
return args.length <= 1 && args.every(arg => ['--name-only', '--name-status'].includes(arg));
|
|
588
|
+
}
|
|
589
|
+
|
|
590
|
+
if (subcommand === 'log') {
|
|
591
|
+
return args.every(arg => arg === '--oneline' || /^--max-count=\d+$/.test(arg));
|
|
592
|
+
}
|
|
593
|
+
|
|
594
|
+
if (subcommand === 'show') {
|
|
595
|
+
return args.length === 1 && !args[0].startsWith('--') && /^[a-zA-Z0-9._:/-]+$/.test(args[0]);
|
|
596
|
+
}
|
|
597
|
+
|
|
598
|
+
if (subcommand === 'branch') {
|
|
599
|
+
return args.length === 1 && args[0] === '--show-current';
|
|
600
|
+
}
|
|
601
|
+
|
|
602
|
+
if (subcommand === 'rev-parse') {
|
|
603
|
+
return args.length === 2 && args[0] === '--abbrev-ref' && /^head$/i.test(args[1]);
|
|
604
|
+
}
|
|
605
|
+
|
|
606
|
+
return false;
|
|
607
|
+
}
|
|
608
|
+
|
|
609
|
+
// --- Gate messages ---
|
|
610
|
+
|
|
611
|
+
function editGateMsg(filePath) {
|
|
612
|
+
const safe = sanitizePath(filePath);
|
|
613
|
+
return [
|
|
614
|
+
'[Fact-Forcing Gate]',
|
|
615
|
+
'',
|
|
616
|
+
`Before editing ${safe}, present these facts:`,
|
|
617
|
+
'',
|
|
618
|
+
'1. List ALL files that import/require this file (use Grep)',
|
|
619
|
+
'2. List the public functions/classes affected by this change',
|
|
620
|
+
'3. If this file reads/writes data files, show field names, structure, and date format (use redacted or synthetic values, not raw production data)',
|
|
621
|
+
"4. Quote the user's current instruction verbatim",
|
|
622
|
+
'',
|
|
623
|
+
'Present the facts, then retry the same operation.'
|
|
624
|
+
].join('\n');
|
|
625
|
+
}
|
|
626
|
+
|
|
627
|
+
function writeGateMsg(filePath) {
|
|
628
|
+
const safe = sanitizePath(filePath);
|
|
629
|
+
return [
|
|
630
|
+
'[Fact-Forcing Gate]',
|
|
631
|
+
'',
|
|
632
|
+
`Before creating ${safe}, present these facts:`,
|
|
633
|
+
'',
|
|
634
|
+
'1. Name the file(s) and line(s) that will call this new file',
|
|
635
|
+
'2. Confirm no existing file serves the same purpose (use Glob)',
|
|
636
|
+
'3. If this file reads/writes data files, show field names, structure, and date format (use redacted or synthetic values, not raw production data)',
|
|
637
|
+
"4. Quote the user's current instruction verbatim",
|
|
638
|
+
'',
|
|
639
|
+
'Present the facts, then retry the same operation.'
|
|
640
|
+
].join('\n');
|
|
641
|
+
}
|
|
642
|
+
|
|
643
|
+
function destructiveBashMsg() {
|
|
644
|
+
return [
|
|
645
|
+
'[Fact-Forcing Gate]',
|
|
646
|
+
'',
|
|
647
|
+
'Destructive command detected. Before running, present:',
|
|
648
|
+
'',
|
|
649
|
+
'1. List all files/data this command will modify or delete',
|
|
650
|
+
'2. Write a one-line rollback procedure',
|
|
651
|
+
"3. Quote the user's current instruction verbatim",
|
|
652
|
+
'',
|
|
653
|
+
'Present the facts, then retry the same operation.'
|
|
654
|
+
].join('\n');
|
|
655
|
+
}
|
|
656
|
+
|
|
657
|
+
function routineBashMsg() {
|
|
658
|
+
return [
|
|
659
|
+
'[Fact-Forcing Gate]',
|
|
660
|
+
'',
|
|
661
|
+
'Before the first Bash command this session, present these facts:',
|
|
662
|
+
'',
|
|
663
|
+
'1. The current user request in one sentence',
|
|
664
|
+
'2. What this specific command verifies or produces',
|
|
665
|
+
'',
|
|
666
|
+
'Present the facts, then retry the same operation.'
|
|
667
|
+
].join('\n');
|
|
668
|
+
}
|
|
669
|
+
|
|
670
|
+
function withRecoveryHint(message, hookIds = [EDIT_WRITE_HOOK_ID]) {
|
|
671
|
+
const disableTargets = hookIds.map(hookId => `\`${hookId}\``).join(' or ');
|
|
672
|
+
return [
|
|
673
|
+
message,
|
|
674
|
+
'',
|
|
675
|
+
`Recovery: if GateGuard is blocking setup or repair work, run this session with \`CCP_GATEGUARD=off\` or add ${disableTargets} to \`CCP_DISABLED_HOOKS\`.`
|
|
676
|
+
].join('\n');
|
|
677
|
+
}
|
|
678
|
+
|
|
679
|
+
function isSubagentInvocation(data) {
|
|
680
|
+
if (!data || typeof data !== 'object') {
|
|
681
|
+
return false;
|
|
682
|
+
}
|
|
683
|
+
|
|
684
|
+
const candidates = [
|
|
685
|
+
data.agent_id,
|
|
686
|
+
data.agentId,
|
|
687
|
+
data.parent_tool_use_id,
|
|
688
|
+
data.parentToolUseId
|
|
689
|
+
];
|
|
690
|
+
|
|
691
|
+
return candidates.some(candidate => typeof candidate === 'string' && candidate.trim());
|
|
692
|
+
}
|
|
693
|
+
|
|
694
|
+
// --- Deny helper ---
|
|
695
|
+
|
|
696
|
+
function denyResult(reason, options = {}) {
|
|
697
|
+
const includeRecoveryHint = options.includeRecoveryHint !== false;
|
|
698
|
+
const hookIds = Array.isArray(options.hookIds) && options.hookIds.length > 0 ? options.hookIds : [EDIT_WRITE_HOOK_ID];
|
|
699
|
+
return {
|
|
700
|
+
stdout: JSON.stringify({
|
|
701
|
+
hookSpecificOutput: {
|
|
702
|
+
hookEventName: 'PreToolUse',
|
|
703
|
+
permissionDecision: 'deny',
|
|
704
|
+
permissionDecisionReason: includeRecoveryHint ? withRecoveryHint(reason, hookIds) : reason
|
|
705
|
+
}
|
|
706
|
+
}),
|
|
707
|
+
exitCode: 0
|
|
708
|
+
};
|
|
709
|
+
}
|
|
710
|
+
|
|
711
|
+
function allowWithStateWarning() {
|
|
712
|
+
return {
|
|
713
|
+
stderr: '[Fact-Forcing Gate] GateGuard state could not be persisted; allowing this operation to avoid a permanent retry loop. Check GATEGUARD_STATE_DIR or filesystem permissions.',
|
|
714
|
+
exitCode: 0
|
|
715
|
+
};
|
|
716
|
+
}
|
|
717
|
+
|
|
718
|
+
// --- Core logic (exported for the pre-bash dispatcher / run-with-flags) ---
|
|
719
|
+
|
|
720
|
+
function run(rawInput) {
|
|
721
|
+
// Open-Q2 gate: GateGuard is opt-in (profile `strict` only). In standard/yolo
|
|
722
|
+
// runs it is inert and returns the rawInput passthrough (allow). Enable with
|
|
723
|
+
// CCP_HOOK_PROFILE=strict. This runs BEFORE any parsing/state I/O so default
|
|
724
|
+
// runs touch no disk.
|
|
725
|
+
if (!isHookEnabled(HOOK_ID, { profiles: 'strict' })) {
|
|
726
|
+
return rawInput;
|
|
727
|
+
}
|
|
728
|
+
|
|
729
|
+
let data;
|
|
730
|
+
try {
|
|
731
|
+
data = typeof rawInput === 'string' ? JSON.parse(rawInput) : rawInput;
|
|
732
|
+
} catch (_) {
|
|
733
|
+
return rawInput; // allow on parse error
|
|
734
|
+
}
|
|
735
|
+
|
|
736
|
+
if (isGateGuardDisabled()) {
|
|
737
|
+
return rawInput;
|
|
738
|
+
}
|
|
739
|
+
|
|
740
|
+
pruneStaleFiles();
|
|
741
|
+
|
|
742
|
+
activeStateFile = null;
|
|
743
|
+
getStateFile(data);
|
|
744
|
+
|
|
745
|
+
const rawToolName = data.tool_name || '';
|
|
746
|
+
const toolInput = data.tool_input || {};
|
|
747
|
+
// Normalize: case-insensitive matching via lookup map
|
|
748
|
+
const TOOL_MAP = { edit: 'Edit', write: 'Write', multiedit: 'MultiEdit', bash: 'Bash' };
|
|
749
|
+
const toolName = TOOL_MAP[rawToolName.toLowerCase()] || rawToolName;
|
|
750
|
+
const inSubagent = isSubagentInvocation(data);
|
|
751
|
+
|
|
752
|
+
if (toolName === 'Edit' || toolName === 'Write') {
|
|
753
|
+
const filePath = toolInput.file_path || '';
|
|
754
|
+
if (!filePath || isClaudeSettingsPath(filePath)) {
|
|
755
|
+
return rawInput; // allow
|
|
756
|
+
}
|
|
757
|
+
|
|
758
|
+
if (inSubagent) {
|
|
759
|
+
return rawInput; // parent session already passed the first-touch file gate
|
|
760
|
+
}
|
|
761
|
+
|
|
762
|
+
if (!isChecked(filePath)) {
|
|
763
|
+
if (!markChecked(filePath)) {
|
|
764
|
+
return allowWithStateWarning();
|
|
765
|
+
}
|
|
766
|
+
return denyResult(toolName === 'Edit' ? editGateMsg(filePath) : writeGateMsg(filePath));
|
|
767
|
+
}
|
|
768
|
+
|
|
769
|
+
return rawInput; // allow
|
|
770
|
+
}
|
|
771
|
+
|
|
772
|
+
if (toolName === 'MultiEdit') {
|
|
773
|
+
if (inSubagent) {
|
|
774
|
+
return rawInput; // parent session already passed the first-touch file gate
|
|
775
|
+
}
|
|
776
|
+
|
|
777
|
+
const edits = toolInput.edits || [];
|
|
778
|
+
for (const edit of edits) {
|
|
779
|
+
const filePath = edit.file_path || '';
|
|
780
|
+
if (filePath && !isClaudeSettingsPath(filePath) && !isChecked(filePath)) {
|
|
781
|
+
if (!markChecked(filePath)) {
|
|
782
|
+
return allowWithStateWarning();
|
|
783
|
+
}
|
|
784
|
+
return denyResult(editGateMsg(filePath));
|
|
785
|
+
}
|
|
786
|
+
}
|
|
787
|
+
return rawInput; // allow
|
|
788
|
+
}
|
|
789
|
+
|
|
790
|
+
if (toolName === 'Bash') {
|
|
791
|
+
const command = toolInput.command || '';
|
|
792
|
+
if (isReadOnlyGitIntrospection(command)) {
|
|
793
|
+
return rawInput;
|
|
794
|
+
}
|
|
795
|
+
|
|
796
|
+
if (isDestructiveBash(command)) {
|
|
797
|
+
// Gate destructive commands on first attempt; allow retry after facts presented
|
|
798
|
+
const key = '__destructive__' + crypto.createHash('sha256').update(command).digest('hex').slice(0, 16);
|
|
799
|
+
if (!isChecked(key)) {
|
|
800
|
+
if (!markChecked(key)) {
|
|
801
|
+
return allowWithStateWarning();
|
|
802
|
+
}
|
|
803
|
+
return denyResult(destructiveBashMsg(), { includeRecoveryHint: false });
|
|
804
|
+
}
|
|
805
|
+
return rawInput; // allow retry after facts presented
|
|
806
|
+
}
|
|
807
|
+
|
|
808
|
+
if (!isChecked(ROUTINE_BASH_SESSION_KEY)) {
|
|
809
|
+
if (!markChecked(ROUTINE_BASH_SESSION_KEY)) {
|
|
810
|
+
return allowWithStateWarning();
|
|
811
|
+
}
|
|
812
|
+
return denyResult(routineBashMsg(), { hookIds: [BASH_HOOK_ID] });
|
|
813
|
+
}
|
|
814
|
+
|
|
815
|
+
return rawInput; // allow
|
|
816
|
+
}
|
|
817
|
+
|
|
818
|
+
return rawInput; // allow
|
|
819
|
+
}
|
|
820
|
+
|
|
821
|
+
module.exports = { run };
|
|
822
|
+
|
|
823
|
+
// --- CLI entrypoint ---
|
|
824
|
+
// Reads JSON on stdin, runs the gate, and emits the result. Empty stdin and
|
|
825
|
+
// parse errors fall through run()'s passthrough contract, so this exits 0.
|
|
826
|
+
if (require.main === module) {
|
|
827
|
+
const MAX_STDIN = 1024 * 1024;
|
|
828
|
+
let raw = '';
|
|
829
|
+
let truncated = false;
|
|
830
|
+
|
|
831
|
+
process.stdin.setEncoding('utf8');
|
|
832
|
+
process.stdin.on('data', chunk => {
|
|
833
|
+
if (truncated) return;
|
|
834
|
+
raw += chunk;
|
|
835
|
+
if (raw.length > MAX_STDIN) {
|
|
836
|
+
raw = raw.slice(0, MAX_STDIN);
|
|
837
|
+
truncated = true;
|
|
838
|
+
}
|
|
839
|
+
});
|
|
840
|
+
process.stdin.on('end', () => {
|
|
841
|
+
let result;
|
|
842
|
+
try {
|
|
843
|
+
result = run(raw);
|
|
844
|
+
} catch (_) {
|
|
845
|
+
// Never block tool execution on an internal error.
|
|
846
|
+
process.exit(0);
|
|
847
|
+
}
|
|
848
|
+
|
|
849
|
+
if (typeof result === 'string' || Buffer.isBuffer(result)) {
|
|
850
|
+
// Passthrough (allow) — emit nothing, exit 0.
|
|
851
|
+
process.exit(0);
|
|
852
|
+
}
|
|
853
|
+
|
|
854
|
+
if (result && typeof result === 'object') {
|
|
855
|
+
if (typeof result.stderr === 'string' && result.stderr) {
|
|
856
|
+
process.stderr.write(result.stderr);
|
|
857
|
+
}
|
|
858
|
+
if (typeof result.stdout === 'string' && result.stdout) {
|
|
859
|
+
process.stdout.write(result.stdout);
|
|
860
|
+
}
|
|
861
|
+
process.exitCode = Number.isInteger(result.exitCode) ? result.exitCode : 0;
|
|
862
|
+
return;
|
|
863
|
+
}
|
|
864
|
+
|
|
865
|
+
process.exit(0);
|
|
866
|
+
});
|
|
867
|
+
process.stdin.on('error', () => process.exit(0));
|
|
868
|
+
}
|