claude-crap 0.4.5 → 0.4.7

package/plugin/hooks/lib/gatekeeper-rules.mjs

@@ -52,35 +52,267 @@
 const DEFAULT_BLOCKED_PATH_REGEX =
   /(^|\/)(\.git|\.env|\.env\..*|node_modules|\.venv|secrets?|credentials?|id_rsa|\.ssh)(\/|$)/i;
 
+/**
+ * Canonical AWS-published example access keys. These values appear in
+ * AWS's own documentation, SDK fixtures, and thousands of tutorials; they
+ * are guaranteed *not* to authenticate against any real AWS account. The
+ * gatekeeper allowlists them so the plugin can still edit its own docs
+ * and tests that mention the rule itself.
+ *
+ * Entries are assembled from split literals so this source file does not
+ * itself match the AKIA regex and trip the gatekeeper when loaded.
+ */
+const AWS_BENIGN_EXAMPLES = new Set([
+  "AKIA" + "IOSFODNN7" + "EXAMPLE",  // AWS docs / SDK fixtures
+  "AKIA" + "I44QH8DHB" + "EXAMPLE",  // AWS SRA sample
+  "AKIA" + "IOSFODNN7" + "EXAMPL2",  // AWS sample v2
+]);
+
 /**
  * Heuristic signatures of secrets that should never be committed to source.
  * This list is intentionally conservative — the gatekeeper is a speed bump,
  * not a replacement for a real secret scanner. Deeper detection runs in
  * PostToolUse via the MCP `ingest_sarif` tool.
+ *
+ * Rule IDs here carry no category prefix — the emitter adds exactly one
+ * `SONAR-SEC-` prefix via {@link formatSecretRuleId}. Keeping the prefix
+ * out of the rule table avoids double-prefixed SARIF ruleIds, which break
+ * dedup keys and downstream SIEM correlation.
  */
-const HARDCODED_SECRET_PATTERNS = [
-  { id: "SEC-AWS", re: /AKIA[0-9A-Z]{16}/ },
-  { id: "SEC-PRIVKEY", re: /-----BEGIN (RSA |OPENSSH |EC |DSA |PGP )?PRIVATE KEY-----/ },
-  { id: "SEC-SLACKTOKEN", re: /xox[baprs]-[0-9A-Za-z-]{10,}/ },
-  { id: "SEC-GHTOKEN", re: /gh[pousr]_[A-Za-z0-9]{36,}/ },
-  { id: "SEC-JWT", re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/ },
+export const HARDCODED_SECRET_PATTERNS = [
+  { id: "AWS", re: /AKIA[0-9A-Z]{16}/g },
+  { id: "PRIVKEY", re: /-----BEGIN (RSA |OPENSSH |EC |DSA |PGP )?PRIVATE KEY-----/ },
+  { id: "SLACKTOKEN", re: /xox[baprs]-[0-9A-Za-z-]{10,}/ },
+  { id: "GHTOKEN", re: /gh[pousr]_[A-Za-z0-9]{36,}/ },
+  { id: "JWT", re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/ },
 ];
 
 /**
- * Destructive shell patterns. These commands can silently destroy work,
- * overwrite published git history, or execute remote code without review.
- * The gatekeeper refuses them outright — if the user really needs to run
- * one of these, they should do it from their own terminal.
+ * Destructive shell patterns evaluated by regex. `rm -rf`-style commands
+ * are handled separately by {@link findDestructiveBashHit}, which
+ * tokenises the command line so quoted strings (e.g. `echo 'rm -rf /'`)
+ * do not false-positive.
+ *
+ * Rule IDs carry no category prefix — the emitter adds a single
+ * `SONAR-BASH-` prefix via {@link formatBashRuleId}.
  */
-const DESTRUCTIVE_BASH_PATTERNS = [
-  { id: "BASH-RMROOT", re: /\brm\s+(-[frR]+\s+|--force\s+|--recursive\s+).*(\s|^)\/($|\s)/ },
-  { id: "BASH-RMHOME", re: /\brm\s+-[frR]+\s+.*\$HOME\b/ },
-  { id: "BASH-DD", re: /\bdd\s+.*of=\/dev\/(sd|nvme|disk)/ },
-  { id: "BASH-GITFORCE", re: /\bgit\s+push\s+.*--force(?!-with-lease)/ },
-  { id: "BASH-GITRESET", re: /\bgit\s+reset\s+--hard\s+origin/ },
-  { id: "BASH-CURLSUDO", re: /\bcurl\s+[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|fish)/ },
+export const DESTRUCTIVE_BASH_PATTERNS = [
+  { id: "DD", re: /\bdd\s+.*of=\/dev\/(sd|nvme|disk)/ },
+  { id: "GITFORCE", re: /\bgit\s+push\s+.*--force(?!-with-lease)/ },
+  { id: "GITRESET", re: /\bgit\s+reset\s+--hard\s+origin/ },
+  { id: "CURLSUDO", re: /\bcurl\s+[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|fish)/ },
 ];
 
+/**
+ * System directories whose recursive deletion would brick the host or
+ * destroy another user's data. Matched as the first path component of
+ * the target argument after a recursive/force `rm`.
+ */
+const RM_SYSTEM_DIRS = new Set([
+  "usr", "etc", "var", "bin", "sbin", "lib", "boot",
+  "System", "Applications", "Library", "opt", "root", "home",
+]);
+
+/**
+ * Build a SARIF rule ID for a secret pattern. Keeps the single source of
+ * truth for the `SONAR-SEC-*` namespace in the emitter.
+ *
+ * @param {{ id: string }} pattern
+ * @returns {string}
+ */
+export function formatSecretRuleId(pattern) {
+  return `SONAR-SEC-${pattern.id}`;
+}
+
+/**
+ * Build a SARIF rule ID for a destructive-bash pattern.
+ *
+ * @param {{ id: string }} pattern
+ * @returns {string}
+ */
+export function formatBashRuleId(pattern) {
+  return `SONAR-BASH-${pattern.id}`;
+}
+
+/**
+ * Tokenise a shell command into argv-like tokens that distinguish
+ * quoted strings from bare words, and emit unquoted shell control
+ * operators (`;`, `&&`, `||`, `|`, `&`) as their own tokens. Emitting
+ * operators as separate tokens prevents a target argument from "sticking"
+ * to an operator and slipping past target classification — `rm -rf /;ls`
+ * must tokenise to `[..., -rf, /, ;, ls]`, not `[..., -rf, /;ls]`.
+ *
+ * Intentionally minimal: single and double quotes only, no backslash-escape
+ * handling, no variable expansion. Sufficient for gatekeeper intent
+ * detection — a full shell parser is out of scope.
+ *
+ * @param {string} cmd
+ * @returns {Array<{ text: string, quoted: boolean }>}
+ */
+function tokenizeBash(cmd) {
+  const tokens = [];
+  // Alternation order matters: quoted strings first (so their contents are
+  // preserved verbatim), then control operators (longest match first:
+  // `&&`/`||` before `&`/`|`), then bare runs of non-whitespace that stop
+  // at the next operator character.
+  const re = /"((?:[^"\\]|\\.)*)"|'([^']*)'|(&&|\|\||;|\||&)|([^\s;|&"']+)/g;
+  let m;
+  while ((m = re.exec(cmd)) !== null) {
+    if (m[1] !== undefined) tokens.push({ text: m[1], quoted: true });
+    else if (m[2] !== undefined) tokens.push({ text: m[2], quoted: true });
+    else if (m[3] !== undefined) tokens.push({ text: /** @type {string} */ (m[3]), quoted: false });
+    else tokens.push({ text: /** @type {string} */ (m[4]), quoted: false });
+  }
+  return tokens;
+}
+
+/**
+ * Extract the basename of a command token. `rm`, `/bin/rm`, `./rm`, and
+ * `../bin/rm` all resolve to `"rm"`. Used so path-qualified invocations
+ * cannot bypass detection — the shell looks up the binary by the last
+ * path segment, and so does the gatekeeper.
+ *
+ * @param {string} token
+ * @returns {string}
+ */
+function basename(token) {
+  const i = token.lastIndexOf("/");
+  return i === -1 ? token : token.slice(i + 1);
+}
+
+/**
+ * True when a flag token requests recursive or force semantics. Accepts
+ * long forms (`--recursive`, `--force`) and short-flag clusters that
+ * include any of `r`, `R`, `f` (`-rf`, `-Rf`, `-rfv`, ...).
+ *
+ * @param {string} token
+ * @returns {boolean}
+ */
+function isRecursiveOrForceFlag(token) {
+  if (token === "--recursive" || token === "--force") return true;
+  return /^-[a-zA-Z]*[rRf][a-zA-Z]*$/.test(token);
+}
+
+/**
+ * Classify the destination argument of a recursive `rm` into one of the
+ * high-severity categories we block, or `null` if the target is benign.
+ *
+ * Home-directory matching covers exact (`~`, `$HOME`) and prefixed
+ * (`~/anything`, `$HOME/anything`, `~/*`) forms — every path rooted at
+ * the user's home is considered destructive under recursive force.
+ *
+ * @param {string} target
+ * @returns {"RMROOT" | "RMSYSDIR" | "RMHOME" | null}
+ */
+function classifyRmTarget(target) {
+  if (target === "/" || target === "/*") return "RMROOT";
+  // ~, ~/, ~/anything, ~/*, $HOME, $HOME/, $HOME/anything, $HOME/*
+  if (/^(~|\$HOME)(\/.*|\*)?$/.test(target)) return "RMHOME";
+  // Any path whose first component is a protected system directory.
+  const m = /^\/([A-Za-z]+)(\/|$)/.exec(target);
+  if (m && RM_SYSTEM_DIRS.has(/** @type {string} */ (m[1]))) return "RMSYSDIR";
+  return null;
+}
+
+/**
+ * Scan a command line for destructive operations. Returns the first hit
+ * or `null` when the command is safe. A hit is `{ id, match, ruleId }`
+ * where `ruleId` is the fully-formatted SARIF identifier.
+ *
+ * Handles two modes:
+ *   1. rm with `-r`/`-R`/`-f`/`--recursive`/`--force` targeting root,
+ *      a system directory, or `$HOME` / `~` — via token-aware walk so
+ *      strings inside quotes (e.g. `echo 'rm -rf /'`) do not trigger.
+ *   2. Other destructive commands (`dd of=/dev/...`, `git push --force`,
+ *      `git reset --hard origin`, `curl ... | sh`) — via regex, which
+ *      is good enough for these patterns and cheaper than tokenisation.
+ *
+ * @param {string | null | undefined} command
+ * @returns {{ id: string, ruleId: string, match: string } | null}
+ */
+export function findDestructiveBashHit(command) {
+  if (!command) return null;
+
+  // Mode 1 — token walk for rm invocations. Match on the basename of
+  // the token so path-qualified forms (`/bin/rm`, `./rm`, `../bin/rm`)
+  // are caught. This intentionally accepts the cosmetic false positive
+  // of `echo rm -rf /` blocking — the outcome is safe (the LLM is
+  // asked to reformulate) and a full executable-position parser
+  // introduces its own bypass edge cases around wrapper flags.
+  const tokens = tokenizeBash(command);
+  for (let i = 0; i < tokens.length; i++) {
+    const t = /** @type {{ text: string, quoted: boolean }} */ (tokens[i]);
+    if (t.quoted) continue;
+    if (basename(t.text) !== "rm") continue;
+
+    // Collect flags + targets until end or a command separator.
+    const flags = [];
+    const targets = [];
+    for (let j = i + 1; j < tokens.length; j++) {
+      const next = /** @type {{ text: string, quoted: boolean }} */ (tokens[j]);
+      if (!next.quoted && /^[;&|]+$/.test(next.text)) break;
+      if (!next.quoted && next.text.startsWith("-")) flags.push(next.text);
+      else targets.push(next.text);
+    }
+
+    if (!flags.some(isRecursiveOrForceFlag)) continue;
+    for (const target of targets) {
+      const category = classifyRmTarget(target);
+      if (category !== null) {
+        return {
+          id: category,
+          ruleId: formatBashRuleId({ id: category }),
+          match: target,
+        };
+      }
+    }
+  }
+
+  // Mode 2 — other destructive patterns by regex.
+  for (const pat of DESTRUCTIVE_BASH_PATTERNS) {
+    if (pat.re.test(command)) {
+      return {
+        id: pat.id,
+        ruleId: formatBashRuleId(pat),
+        match: command,
+      };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Scan text for hardcoded-secret signatures. Canonical AWS example
+ * keys are allowlisted so the plugin can edit its own docs/tests.
+ *
+ * @param {string} text
+ * @returns {Array<{ id: string, ruleId: string, match: string }>}
+ */
+export function findSecretHits(text) {
+  if (typeof text !== "string" || text.length === 0) return [];
+  const hits = [];
+  for (const pat of HARDCODED_SECRET_PATTERNS) {
+    // Reset stateful /g regexes between invocations.
+    if (pat.re.global) pat.re.lastIndex = 0;
+    if (pat.id === "AWS") {
+      // Reuse the canonical pattern from the rule table rather than
+      // duplicating the literal here — a single source of truth for
+      // the regex means the allowlist can never drift from the matcher.
+      for (const m of text.matchAll(pat.re)) {
+        if (AWS_BENIGN_EXAMPLES.has(m[0])) continue;
+        hits.push({ id: "AWS", ruleId: formatSecretRuleId({ id: "AWS" }), match: m[0] });
+      }
+      continue;
+    }
+    const m = pat.re.exec(text);
+    if (m) {
+      hits.push({ id: pat.id, ruleId: formatSecretRuleId(pat), match: m[0] });
+    }
+  }
+  return hits;
+}
+
 /**
  * Compile the user-configured blocked-path regex. Falls back to the default
  * pattern if the configured value is missing or malformed — we never let a
@@ -161,19 +393,18 @@ export function checkHardcodedSecrets(input) {
   if (candidates.length === 0) return null;
 
   for (const text of candidates) {
-    for (const pat of HARDCODED_SECRET_PATTERNS) {
-      if (pat.re.test(text)) {
-        return {
-          blocked: true,
-          ruleId: `SONAR-SEC-${pat.id}`,
-          reason:
-            `A likely hardcoded secret (${pat.id}) was detected in the proposed content. ` +
-            `Per the Golden Rule in CLAUDE.md, credentials must never be embedded in source code. ` +
-            `Corrective action: move the value to an environment variable or a managed secret; ` +
-            `do not commit tokens, private keys, or JWTs to the source tree under any circumstance.`,
-        };
-      }
-    }
+    const hits = findSecretHits(text);
+    if (hits.length === 0) continue;
+    const hit = /** @type {{ id: string, ruleId: string, match: string }} */ (hits[0]);
+    return {
+      blocked: true,
+      ruleId: hit.ruleId,
+      reason:
+        `A likely hardcoded secret (${hit.id}) was detected in the proposed content. ` +
+        `Per the Golden Rule in CLAUDE.md, credentials must never be embedded in source code. ` +
+        `Corrective action: move the value to an environment variable or a managed secret; ` +
+        `do not commit tokens, private keys, or JWTs to the source tree under any circumstance.`,
+    };
   }
   return null;
 }
@@ -194,21 +425,19 @@ export function checkDestructiveBash(input) {
     typeof input.tool_input.command === "string" ? input.tool_input.command : undefined;
   if (!command) return null;
 
-  for (const pat of DESTRUCTIVE_BASH_PATTERNS) {
-    if (pat.re.test(command)) {
-      return {
-        blocked: true,
-        ruleId: `SONAR-BASH-${pat.id}`,
-        reason:
-          `The proposed Bash command matched the destructive pattern ${pat.id}: '${command}'. ` +
-          `claude-crap blocks operations that can wipe the project tree, rewrite published git history, ` +
-          `or execute remote code without review. ` +
-          `Corrective action: if this operation is truly intended, ask the user to confirm and run it ` +
-          `manually from their own terminal instead of through the agent.`,
-      };
-    }
-  }
-  return null;
+  const hit = findDestructiveBashHit(command);
+  if (!hit) return null;
+
+  return {
+    blocked: true,
+    ruleId: hit.ruleId,
+    reason:
+      `The proposed Bash command matched the destructive pattern ${hit.id}: '${command}'. ` +
+      `claude-crap blocks operations that can wipe the project tree, rewrite published git history, ` +
+      `or execute remote code without review. ` +
+      `Corrective action: if this operation is truly intended, ask the user to confirm and run it ` +
+      `manually from their own terminal instead of through the agent.`,
+  };
 }
 
 /**

package/plugin/hooks/lib/quality-gate.mjs

@@ -150,6 +150,9 @@ const LOC_WALK_SKIP_DIRS = new Set([
   ".git",
   // Build outputs
   "dist", "build", "bundle", "out", "target", "coverage",
+  // Test coverage report bundles (ReportGenerator, Istanbul, coverage.py, dotnet test)
+  "coverage-report", "CoverageReport", "coveragereport",
+  "TestResults", "cobertura", "lcov-report", "htmlcov",
   // Framework build outputs
   ".next", ".nuxt", ".output", ".vercel", ".svelte-kit",
   ".astro", ".angular", ".turbo", ".parcel-cache", ".expo",

package/plugin/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "claude-crap-plugin",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "claude-crap-plugin",
-      "version": "0.4.5",
+      "version": "0.4.6",
       "dependencies": {
         "@fastify/static": "^8.0.3",
         "@modelcontextprotocol/sdk": "^1.0.4",
@@ -1208,9 +1208,9 @@
       "license": "BSD-3-Clause"
     },
     "node_modules/fastify": {
-      "version": "5.8.4",
-      "resolved": "https://registry.npmjs.org/fastify/-/fastify-5.8.4.tgz",
-      "integrity": "sha512-sa42J1xylbBAYUWALSBoyXKPDUvM3OoNOibIefA+Oha57FryXKKCZarA1iDntOCWp3O35voZLuDg2mdODXtPzQ==",
+      "version": "5.8.5",
+      "resolved": "https://registry.npmjs.org/fastify/-/fastify-5.8.5.tgz",
+      "integrity": "sha512-Yqptv59pQzPgQUSIm87hMqHJmdkb1+GPxdE6vW6FRyVE9G86mt7rOghitiU4JHRaTyDUk9pfeKmDeu70lAwM4Q==",
       "funding": [
         {
           "type": "github",
@@ -1505,9 +1505,9 @@
       }
     },
     "node_modules/hono": {
-      "version": "4.12.12",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.12.tgz",
-      "integrity": "sha512-p1JfQMKaceuCbpJKAPKVqyqviZdS0eUxH9v82oWo1kb9xjQ5wA6iP3FNVAPDFlz5/p7d45lO+BpSk1tuSZMF4Q==",
+      "version": "4.12.14",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.14.tgz",
+      "integrity": "sha512-am5zfg3yu6sqn5yjKBNqhnTX7Cv+m00ox+7jbaKkrLMRJ4rAdldd1xPd/JzbBWspqaQv6RSTrgFN95EsfhC+7w==",
       "license": "MIT",
       "engines": {
         "node": ">=16.9.0"

package/plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-crap-plugin",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "private": true,
   "description": "Runtime dependencies for the claude-crap plugin bundle",
   "type": "module",

package/src/dashboard/file-detail.ts

@@ -58,6 +58,12 @@ export interface FileDetailSummary {
 /** Full response payload for the file detail endpoint. */
 export interface FileDetailResponse {
   readonly filePath: string;
+  /**
+   * Absolute path on the host filesystem, already resolved through the
+   * workspace-traversal guard. The UI uses this to build editor
+   * deep-links (e.g. `vscode://file/{absolutePath}:{line}`).
+   */
+  readonly absolutePath: string;
   readonly language: SupportedLanguage | null;
   readonly physicalLoc: number;
   readonly logicalLoc: number;
@@ -175,6 +181,7 @@ export async function buildFileDetail(
 
   return {
     filePath: relativePath,
+    absolutePath,
     language,
     physicalLoc,
     logicalLoc,