create-walle 0.1.0

package/template/claude-task-manager/approval-agent.js

@@ -0,0 +1,454 @@
+// --- Shadow Approver Agent ---
+// Shadows user approvals in Claude Code terminal sessions.
+// Monitors PTY output for "Do you want to proceed?" prompts,
+// checks learned rules first, then uses AI to decide whether to
+// auto-approve or escalate to the user.
+
+const dbModule = require('./db');
+
+// Prompt patterns: Claude Code asks various "Do you want to ...?" prompts with numbered options
+// - "Do you want to proceed?" (Bash commands)
+// - "Do you want to make this edit to <file>?" (Edit tool)
+// - "Do you want to create <file>?" (Write tool)
+const PROCEED_PATTERN = /Do you want to (proceed|make this edit to .+|create .+)\??/;
+const YES_NO_PATTERN = /[>❯]\s*1\.\s*Yes/;
+
+// Parse the terminal buffer to extract the approval context
+function parseApprovalContext(cleanText) {
+  const lines = cleanText.split('\n').map(l => l.trim()).filter(Boolean);
+
+  // Find the "Do you want to proceed?" line
+  let proceedIdx = -1;
+  for (let i = lines.length - 1; i >= 0; i--) {
+    if (PROCEED_PATTERN.test(lines[i])) {
+      proceedIdx = i;
+      break;
+    }
+  }
+  if (proceedIdx < 0) return null;
+
+  // Find "1. Yes" after it (Edit prompts may have more options so search further)
+  let hasYesNo = false;
+  for (let i = proceedIdx + 1; i < Math.min(proceedIdx + 6, lines.length); i++) {
+    if (/1\.\s*Yes/.test(lines[i])) { hasYesNo = true; break; }
+  }
+  if (!hasYesNo) return null;
+
+  // Extract warning (line before "Do you want to proceed?")
+  let warning = '';
+  for (let i = proceedIdx - 1; i >= Math.max(proceedIdx - 3, 0); i--) {
+    const line = lines[i];
+    if (!line) continue;
+    // Warning lines typically describe the risk
+    if (/command contains|could write|could modify|could delete|could overwrite|which can|permission|dangerous|destructive|overwrite|will modify|will delete|will overwrite|execute arbitrary|shell command substitution/i.test(line)) {
+      warning = line;
+      break;
+    }
+  }
+
+  // Find the warning line index (if any)
+  let warningIdx = -1;
+  if (warning) {
+    for (let i = proceedIdx - 1; i >= Math.max(proceedIdx - 3, 0); i--) {
+      if (lines[i] === warning) { warningIdx = i; break; }
+    }
+  }
+
+  // Extract the tool/command block above the warning
+  // Look for tool header like "Bash command", "Edit", "Write", etc.
+  let toolName = '';
+  const contextLines = [];
+  const endIdx = warningIdx > 0 ? warningIdx : proceedIdx;
+
+  for (let i = endIdx - 1; i >= Math.max(0, endIdx - 30); i--) {
+    const line = lines[i];
+    // Detect tool headers (Claude Code shows "Bash command", "⏺ Bash(...)", "Edit", etc.)
+    if (/^[⏺●]?\s*(Bash command|Bash|Edit|Write|Read|Glob|Grep|WebFetch|NotebookEdit|TodoWrite|Agent)\b/.test(line)) {
+      toolName = line.trim();
+      break;
+    }
+    contextLines.unshift(line);
+  }
+
+  const command = contextLines.join('\n').trim();
+
+  // Build focused context: tool header + command + warning + prompt (not the whole screen)
+  const ctxStart = Math.max(0, endIdx - (contextLines.length + 1));
+  const ctxEnd = Math.min(lines.length, proceedIdx + 5); // include Yes/No options
+  const fullContext = lines.slice(ctxStart, ctxEnd).join('\n');
+
+  return {
+    toolName: toolName || 'Unknown',
+    command: command.slice(0, 2000),
+    warning: warning || '',
+    fullContext: fullContext.slice(0, 2000),
+  };
+}
+
+// Reject regex patterns that could cause catastrophic backtracking (ReDoS).
+// Looks for nested quantifiers like (a+)+, (a*)*,  (a+|b+)+ etc.
+function isSafeRegex(pattern) {
+  // Reject patterns with nested quantifiers — the main ReDoS vector
+  if (/(\+|\*|\{)\)?(\+|\*|\?)/.test(pattern)) return false;
+  // Reject patterns with excessive alternation groups
+  if ((pattern.match(/\|/g) || []).length > 20) return false;
+  // Quick compile test — reject if it takes too long conceptually
+  try { new RegExp(pattern); } catch { return false; }
+  return true;
+}
+
+// Check if a learned rule already covers this situation
+function findMatchingRule(context) {
+  let rules;
+  try {
+    rules = dbModule.listApprovalRules();
+  } catch { return null; }
+
+  if (!rules || rules.length === 0) return null;
+
+  const searchText = `${context.toolName} ${context.command} ${context.warning}`.slice(0, 500).toLowerCase();
+  const cmdText = (context.command || '').slice(0, 500);
+  const warnText = (context.warning || '').slice(0, 500);
+
+  for (const rule of rules) {
+    if (!rule.enabled) continue;
+    try {
+      if (!rule.pattern || rule.pattern.length > 200) continue; // skip overly complex patterns
+      if (!isSafeRegex(rule.pattern)) continue; // skip ReDoS-prone patterns
+      const re = new RegExp(rule.pattern, 'i');
+      if (re.test(searchText) || re.test(cmdText) || re.test(warnText)) {
+        return rule;
+      }
+    } catch {}
+  }
+  return null;
+}
+
+// Simple heuristic review when no API key is available
+function reviewWithHeuristics(context) {
+  const cmd = (context.command || '').toLowerCase();
+  // Strip Unicode bullets/icons (⏺●) from tool name before matching
+  const tool = (context.toolName || '').replace(/^[⏺●\s]+/, '').toLowerCase();
+  const warning = (context.warning || '').toLowerCase();
+
+  // High-risk patterns — always escalate
+  const highRisk = [
+    /rm\s+-rf?\s+[\/~]/, /force.?push/, /--force/, /drop\s+table/i,
+    /delete.*production/i, /sudo\s/, /chmod\s+777/, /curl.*\|\s*sh/,
+    />\s*\/etc\//, />\s*\/usr\//, />\s*\/var\//, /mkfs/, /dd\s+if=/,
+  ];
+  for (const re of highRisk) {
+    if (re.test(cmd) || re.test(warning)) {
+      return { decision: 'escalate', reasoning: 'High-risk operation detected (heuristic)', riskLevel: 'high' };
+    }
+  }
+
+  // Low-risk patterns — auto-approve
+  const lowRisk = [
+    /^(read|glob|grep|webfetch|notebookedit)/, // Read-only tools
+    /^(edit|write)\b/, // Edit/Write to project files — normal dev workflow
+  ];
+  for (const re of lowRisk) {
+    if (re.test(tool)) {
+      return { decision: 'approve', reasoning: 'Standard dev tool (heuristic)', riskLevel: 'low',
+        ruleLabel: `${context.toolName} operations`, rulePattern: context.toolName.replace(/\s+/g, '\\\\s+'),
+        ruleDescription: `Auto-approve ${context.toolName} operations` };
+    }
+  }
+
+  // Medium: approve most local dev operations
+  const devSafe = [
+    { re: /echo\s+.*>\s*\/tmp\//, label: 'Write to /tmp', desc: 'Echo output to temp files' },
+    { re: /cat\s/, label: 'Read file contents', desc: 'View file contents with cat' },
+    { re: /ls\s/, label: 'List directory', desc: 'List files and directories' },
+    { re: /pwd/, label: 'Print working directory', desc: 'Show current directory path' },
+    { re: /git\s+(status|log|diff|branch|show)/, label: 'Git read operations', desc: 'Read-only git commands (status, log, diff, branch, show)' },
+    { re: /node\s+-e/, label: 'Node one-liner', desc: 'Run inline Node.js expression' },
+    { re: /python3?\s+-c/, label: 'Python one-liner', desc: 'Run inline Python expression' },
+    { re: /npm\s+(run|test|start)/, label: 'npm script', desc: 'Run npm scripts (run, test, start)' },
+    { re: /mkdir\s+-?p?\s/, label: 'Create directory', desc: 'Create directories with mkdir' },
+    { re: />\s*\/tmp\//, label: 'Write to /tmp', desc: 'Redirect output to temp files' },
+    { re: /touch\s/, label: 'Create empty file', desc: 'Create or update file timestamps' },
+    { re: /cp\s/, label: 'Copy files', desc: 'Copy files or directories' },
+    { re: /mv\s/, label: 'Move/rename files', desc: 'Move or rename files' },
+  ];
+  for (const { re, label, desc } of devSafe) {
+    if (re.test(cmd)) {
+      return { decision: 'approve', reasoning: 'Common dev operation (heuristic)', riskLevel: 'low',
+        ruleLabel: label, rulePattern: re.source,
+        ruleDescription: desc };
+    }
+  }
+
+  // Default: approve with medium risk (user can review in the decisions log)
+  return { decision: 'approve', reasoning: 'No API key; auto-approved with medium risk (heuristic)', riskLevel: 'medium',
+    ruleLabel: context.toolName || 'Unknown', rulePattern: '',
+    ruleDescription: 'Auto-approved without AI review' };
+}
+
+// Call Claude API to review the command as a TL/Code Reviewer
+async function reviewWithAI(context, learnedRules) {
+  const baseUrl = process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com';
+  const apiKey = process.env.ANTHROPIC_API_KEY || '';
+  if (!apiKey) return reviewWithHeuristics(context);
+
+  // Build custom headers if any
+  let customHeaders = {};
+  try {
+    const headerStr = process.env.ANTHROPIC_CUSTOM_HEADERS || '';
+    if (headerStr) {
+      for (const pair of headerStr.split(',')) {
+        const [k, ...v] = pair.split(':');
+        if (k && v.length) customHeaders[k.trim()] = v.join(':').trim();
+      }
+    }
+  } catch {}
+
+  const rulesContext = learnedRules.length > 0
+    ? `\nPreviously approved patterns (the user always approves these):\n${learnedRules.map(r => `- ${r.label}: ${r.description || r.pattern}`).join('\n')}\n`
+    : '';
+
+  const prompt = `You are a senior TL/Code Reviewer acting as a gatekeeper for a developer's Claude Code sessions.
+
+Your job: Review commands that Claude Code wants to execute and decide whether to AUTO-APPROVE (safe) or ESCALATE to the developer (risky).
+
+The developer's general approach:
+- They approve most read-only operations, file reads, searches
+- They approve code editing within their project
+- They approve running their own scripts (python3 -c, node -e) for data analysis
+- They approve git operations like commit, status, diff, log, branch
+- They approve server restarts (kill + restart node server)
+- They approve npm/pip install for known dependencies
+- They are cautious about: force push, deleting production data, modifying CI/CD, running unknown binaries, writing to system directories
+${rulesContext}
+Current request being reviewed:
+Tool: ${context.toolName}
+Command/Content:
+${context.command.slice(0, 1500)}
+
+Safety Warning: ${context.warning || 'None'}
+
+Analyze the risk and decide.
+
+Return ONLY valid JSON (no markdown fences):
+{
+  "decision": "approve" or "escalate",
+  "riskLevel": "low" or "medium" or "high",
+  "reasoning": "brief explanation (1-2 sentences)",
+  "ruleLabel": "short label for this type of operation (e.g. 'Read JSONL files', 'Restart dev server')",
+  "rulePattern": "regex pattern that would match similar future requests",
+  "ruleDescription": "human-readable description of what this rule covers"
+}
+
+Be pragmatic. Most development operations in a local dev environment are safe. Only escalate things that could cause irreversible damage or affect production/shared systems.`;
+
+  try {
+    const res = await fetch(`${baseUrl}/messages`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-api-key': apiKey,
+        'anthropic-version': '2023-06-01',
+        ...customHeaders,
+      },
+      body: JSON.stringify({
+        model: 'claude-sonnet-4-20250514',
+        max_tokens: 512,
+        messages: [{ role: 'user', content: prompt }],
+      }),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      console.error('[approval-agent] Claude API error:', res.status, text);
+      return { decision: 'escalate', reasoning: `API error: ${res.status}`, riskLevel: 'unknown' };
+    }
+
+    const data = await res.json();
+    const text = data.content?.[0]?.text || '';
+    const match = text.match(/\{[\s\S]*\}/);
+    if (!match) {
+      return { decision: 'escalate', reasoning: 'Could not parse AI response', riskLevel: 'unknown' };
+    }
+
+    const result = JSON.parse(match[0]);
+    return {
+      decision: result.decision || 'escalate',
+      riskLevel: result.riskLevel || 'medium',
+      reasoning: result.reasoning || '',
+      ruleLabel: result.ruleLabel || '',
+      rulePattern: result.rulePattern || '',
+      ruleDescription: result.ruleDescription || '',
+    };
+  } catch (e) {
+    console.error('[approval-agent] Review failed:', e.message);
+    return { decision: 'escalate', reasoning: `Review failed: ${e.message}`, riskLevel: 'unknown' };
+  }
+}
+
+// Main entry point: check terminal buffer for approval prompts and handle them
+async function handleApprovalCheck(sessionId, session, cleanText, broadcastFn) {
+  const context = parseApprovalContext(cleanText);
+  if (!context) return false;
+
+  // Check learned rules first (fast path)
+  const matchingRule = findMatchingRule(context);
+  if (matchingRule) {
+    // Auto-approve based on learned rule
+    const decision = {
+      sessionId,
+      toolName: context.toolName,
+      commandSummary: matchingRule.label,
+      fullContext: context.fullContext.slice(0, 2000),
+      warning: context.warning,
+      decision: 'approved',
+      reasoning: `Matched learned rule: ${matchingRule.label}`,
+      decidedBy: 'rule',
+      ruleId: matchingRule.id,
+      riskLevel: matchingRule.risk_level || 'low',
+    };
+
+    // Record and execute
+    try { dbModule.addApprovalDecision(decision); } catch (e) { console.error('[approval-agent] DB error:', e.message); }
+
+    // Send "1" for Yes then Enter
+    setTimeout(() => {
+      session.ptyProcess.write('1');
+      setTimeout(() => session.ptyProcess.write('\r'), 50);
+      // Notify clients
+      broadcastFn(sessionId, session, {
+        type: 'approval-decision',
+        sessionId,
+        decision: 'approved',
+        decidedBy: 'rule',
+        label: matchingRule.label,
+        reasoning: decision.reasoning,
+        riskLevel: decision.riskLevel,
+      });
+    }, 400);
+
+    return true;
+  }
+
+  // No matching rule — check heuristics for obvious safe/dangerous patterns first
+  const heuristic = reviewWithHeuristics(context);
+  if (heuristic.riskLevel === 'low') {
+    // Heuristic says it's safe — auto-approve without AI call
+    const decision = {
+      sessionId,
+      toolName: context.toolName,
+      commandSummary: heuristic.ruleLabel || context.toolName,
+      fullContext: context.fullContext.slice(0, 2000),
+      warning: context.warning,
+      decision: 'approved',
+      reasoning: heuristic.reasoning,
+      decidedBy: 'heuristic',
+      riskLevel: 'low',
+    };
+    try { dbModule.addApprovalDecision(decision); } catch (e) { console.error('[approval-agent] DB error:', e.message); }
+    setTimeout(() => {
+      session.ptyProcess.write('1');
+      setTimeout(() => session.ptyProcess.write('\r'), 50);
+      broadcastFn(sessionId, session, {
+        type: 'approval-decision', sessionId, decision: 'approved', decidedBy: 'heuristic',
+        label: heuristic.ruleLabel || context.toolName, reasoning: heuristic.reasoning, riskLevel: 'low',
+      });
+    }, 400);
+    return true;
+  }
+  if (heuristic.riskLevel === 'high') {
+    // Heuristic says it's dangerous — escalate immediately
+    const decision = {
+      sessionId,
+      toolName: context.toolName,
+      commandSummary: heuristic.ruleLabel || context.toolName,
+      fullContext: context.fullContext.slice(0, 2000),
+      warning: context.warning,
+      decision: 'escalated',
+      reasoning: heuristic.reasoning,
+      decidedBy: 'heuristic',
+      riskLevel: 'high',
+    };
+    try { dbModule.addApprovalDecision(decision); } catch (e) { console.error('[approval-agent] DB error:', e.message); }
+    broadcastFn(sessionId, session, {
+      type: 'approval-decision', sessionId, decision: 'escalated', decidedBy: 'heuristic',
+      label: context.toolName, reasoning: heuristic.reasoning, riskLevel: 'high',
+    });
+    return true;
+  }
+
+  // Medium risk — call AI for review
+  let learnedRules;
+  try { learnedRules = dbModule.listApprovalRules(); } catch { learnedRules = []; }
+
+  const review = await reviewWithAI(context, learnedRules);
+
+  const decision = {
+    sessionId,
+    toolName: context.toolName,
+    commandSummary: review.ruleLabel || context.toolName,
+    fullContext: context.fullContext.slice(0, 2000),
+    warning: context.warning,
+    decision: review.decision === 'approve' ? 'approved' : 'escalated',
+    reasoning: review.reasoning,
+    decidedBy: 'ai',
+    riskLevel: review.riskLevel,
+  };
+
+  // Record decision
+  let decisionId;
+  try { decisionId = dbModule.addApprovalDecision(decision); } catch (e) { console.error('[approval-agent] DB error:', e.message); }
+
+  if (review.decision === 'approve') {
+    // Auto-approve and learn a new rule
+    if (review.rulePattern && review.ruleLabel) {
+      try {
+        dbModule.upsertApprovalRule({
+          pattern: review.rulePattern,
+          label: review.ruleLabel,
+          description: review.ruleDescription || '',
+          category: context.toolName.toLowerCase().replace(/\s+/g, '-'),
+          riskLevel: review.riskLevel || 'low',
+          enabled: true,
+        });
+      } catch (e) { console.error('[approval-agent] Rule save error:', e.message); }
+    }
+
+    setTimeout(() => {
+      session.ptyProcess.write('1');
+      setTimeout(() => session.ptyProcess.write('\r'), 50);
+      broadcastFn(sessionId, session, {
+        type: 'approval-decision',
+        sessionId,
+        decision: 'approved',
+        decidedBy: 'ai',
+        label: review.ruleLabel || context.toolName,
+        reasoning: review.reasoning,
+        riskLevel: review.riskLevel,
+      });
+    }, 400);
+  } else {
+    // Escalate to user
+    broadcastFn(sessionId, session, {
+      type: 'approval-decision',
+      sessionId,
+      decision: 'escalated',
+      decidedBy: 'ai',
+      decisionId,
+      label: review.ruleLabel || context.toolName,
+      reasoning: review.reasoning,
+      riskLevel: review.riskLevel,
+      command: context.command.slice(0, 500),
+      warning: context.warning,
+    });
+  }
+
+  return true;
+}
+
+module.exports = {
+  parseApprovalContext,
+  findMatchingRule,
+  reviewWithAI,
+  handleApprovalCheck,
+};

package/template/claude-task-manager/bin/restart-ctm.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# Graceful CTM restart — spawns a watcher process, then exits cleanly.
+# Use this instead of killing the process directly.
+curl -s -X POST "http://localhost:3456/api/restart/ctm" | cat
+echo ""
+echo "CTM server restarting... waiting for it to come back."
+sleep 2
+for i in $(seq 1 15); do
+  if curl -sf "http://localhost:3456/api/services/status" > /dev/null 2>&1; then
+    echo "CTM server is back up."
+    exit 0
+  fi
+  sleep 1
+done
+echo "CTM server did not come back within 15 seconds."
+exit 1