failproofai 0.0.6 → 0.0.7

package/src/hooks/builtin-policies.ts

@@ -159,6 +159,21 @@ const TMUX_DETACH_RE = /\btmux\s+(?:new-session|new)\b[^|&;]*-d\b/;
 const DISOWN_RE = /\bdisown\b/;
 const BACKGROUND_AMPERSAND_RE = /(?<![&|])\s?&\s*(?:$|#|;)/;
 
+// Infra Commands — leading-token detection across shell separators.
+// Each regex matches the CLI name only when it appears as the first token of a
+// command segment (start-of-string or after ; && || |). Trailing \s prevents
+// false matches on names like "kubectlx" or "awsctl".
+const KUBECTL_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*kubectl(?:\s|$)/;
+const TERRAFORM_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*(?:terraform|tofu)(?:\s|$)/;
+const AWS_CLI_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*aws(?:\s|$)/;
+const GCLOUD_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*gcloud(?:\s|$)/;
+const AZ_CLI_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*az(?:\s|$)/;
+const HELM_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*helm(?:\s|$)/;
+// gh: only mutating / pipeline-trigger subcommands. Read-only forms
+// (gh pr view, gh run list, gh api ...) are intentionally allowed because
+// failproofai's own workflow policies depend on them.
+const GH_PIPELINE_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*gh\s+(?:workflow\s+(?:run|enable|disable)|run\s+(?:rerun|cancel)|pr\s+merge|release\s+(?:create|delete)|cache\s+delete|secret\s+(?:set|delete))\b/;
+
 // Caches the current branch per cwd to avoid repeated execSync calls.
 // Trade-off: if the user switches branches externally mid-session, the cache serves
 // the stale value until the process restarts. This is acceptable since branch switches
@@ -770,6 +785,48 @@ function blockFailproofaiCommands(ctx: PolicyContext): PolicyResult {
   return allow();
 }
 
+// Shared CLI-blocker: deny any command whose argv begins with the matched CLI,
+// unless an entry in `allowPatterns` matches via `matchesAllowedPattern` (which
+// already defends against shell-operator injection).
+function blockInfraCli(ctx: PolicyContext, re: RegExp, denyMsg: string): PolicyResult {
+  if (ctx.toolName !== "Bash") return allow();
+  const cmd = getCommand(ctx);
+  if (!re.test(cmd)) return allow();
+  const allowPatterns = ((ctx.params?.allowPatterns ?? []) as string[]);
+  if (allowPatterns.some((p) => matchesAllowedPattern(cmd, p))) return allow();
+  return deny(denyMsg);
+}
+
+function blockKubectl(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, KUBECTL_RE, "kubectl commands are blocked");
+}
+
+function blockTerraform(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, TERRAFORM_RE, "terraform/tofu commands are blocked");
+}
+
+function blockAwsCli(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, AWS_CLI_RE, "aws CLI commands are blocked");
+}
+
+function blockGcloud(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, GCLOUD_RE, "gcloud commands are blocked");
+}
+
+function blockAzCli(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, AZ_CLI_RE, "az (Azure) CLI commands are blocked");
+}
+
+function blockHelm(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, HELM_RE, "helm commands are blocked");
+}
+
+// gh-pipeline only fires on mutating subcommands; allowPatterns are still
+// supported in case a user wants to permit a specific scripted invocation.
+function blockGhPipeline(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, GH_PIPELINE_RE, "gh pipeline-trigger commands are blocked");
+}
+
 // Maximum size of the per-session tool-call sidecar before we stop updating it.
 // If exceeded, repeated-call detection degrades gracefully (allows through) rather
 // than growing the file unboundedly.
@@ -1197,8 +1254,37 @@ function requireNoConflictsBeforeStop(ctx: PolicyContext): PolicyResult {
     return allow(`On base branch "${baseBranch}", skipping conflict check.`);
   }
 
+  // -- Precheck: only enforce when an OPEN PR exists on GitHub. Without a
+  // confirmable merge target there is nothing to enforce, so we skip both
+  // the local merge-tree probe and the GitHub mergeability probe.
+  try {
+    execSync("gh --version", { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
+  } catch {
+    return allow("gh CLI not installed, skipping conflict check.");
+  }
+
+  let prJson: string;
+  try {
+    prJson = execSync("gh pr view --json mergeable,number,url,state", {
+      cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 15000,
+    }).trim();
+  } catch {
+    return allow("No pull request found for branch, skipping conflict check.");
+  }
+
+  let pr: { mergeable: string; number: number; url: string; state: string };
+  try {
+    pr = JSON.parse(prJson);
+  } catch {
+    return allow("Could not parse gh pr view output, skipping conflict check.");
+  }
+
+  // GitHub stops computing mergeability for non-OPEN PRs (returns UNKNOWN forever).
+  if (pr.state !== "OPEN") {
+    return allow(`PR #${pr.number} is ${pr.state.toLowerCase()}; skipping conflict check.`);
+  }
+
   // -- Layer 1: local git merge-tree --
-  let localSkipped = false;
   try {
     execFileSync("git", ["rev-parse", "--verify", `origin/${baseBranch}`], {
       cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000,
@@ -1209,17 +1295,14 @@ function requireNoConflictsBeforeStop(ctx: PolicyContext): PolicyResult {
       { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
     ).trim();
 
-    if (!ahead) {
-      // Nothing ahead of base — Layer 1 doesn't apply, fall through to Layer 2.
-      localSkipped = true;
-    } else {
+    if (ahead) {
       execFileSync(
         "git",
         ["merge-tree", "--write-tree", "--name-only", `origin/${baseBranch}`, "HEAD"],
         { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 10000 },
       );
-      // exit 0 → clean merge, fall through to Layer 2
     }
+    // !ahead or merge-tree exit 0 → fall through to Layer 2
   } catch (err) {
     const e = err as { status?: number; stdout?: string | Buffer };
     if (e.status === 1) {
@@ -1238,46 +1321,10 @@ function requireNoConflictsBeforeStop(ctx: PolicyContext): PolicyResult {
         `Rebase or merge origin/${baseBranch} now and resolve the conflicts.`,
       );
     }
-    localSkipped = true;
-  }
-
-  // -- Layer 2: GitHub PR mergeability --
-  try {
-    execSync("gh --version", { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
-  } catch {
-    return allow(
-      localSkipped
-        ? "Local conflict check skipped and gh CLI not installed, skipping conflict check."
-        : `Branch "${branch}" merges cleanly with ${baseBranch} locally (gh CLI not installed, PR mergeability not verified).`,
-    );
-  }
-
-  let prJson: string;
-  try {
-    prJson = execSync("gh pr view --json mergeable,number,url,state", {
-      cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 15000,
-    }).trim();
-  } catch {
-    return allow(
-      localSkipped
-        ? "No pull request found for branch, skipping conflict check."
-        : `Branch "${branch}" merges cleanly with ${baseBranch} locally (no PR to verify against).`,
-    );
-  }
-
-  let pr: { mergeable: string; number: number; url: string; state: string };
-  try {
-    pr = JSON.parse(prJson);
-  } catch {
-    return allow("Could not parse gh pr view output, skipping PR mergeability check.");
-  }
-
-  // GitHub stops computing mergeability for non-OPEN PRs (returns UNKNOWN forever).
-  // Skip the check entirely so a merged or closed PR doesn't trap Stop in a wait loop.
-  if (pr.state !== "OPEN") {
-    return allow(`PR #${pr.number} is ${pr.state.toLowerCase()}; skipping conflict check.`);
+    // any other failure (e.g. missing origin/<base>, log failure) → fall through
   }
 
+  // -- Layer 2: GitHub PR mergeability (reuses pr from precheck) --
   if (pr.mergeable === "CONFLICTING") {
     return deny(
       `PR #${pr.number} has merge conflicts per GitHub (${pr.url}). ` +
@@ -1495,6 +1542,111 @@ export const BUILTIN_POLICIES: BuiltinPolicyDefinition[] = [
     defaultEnabled: true,
     category: "Dangerous Commands",
   },
+  {
+    name: "block-kubectl",
+    description: "Block kubectl commands (Kubernetes cluster mutations)",
+    fn: blockKubectl,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "kubectl command patterns to allow, matched token-by-token (e.g. 'kubectl get *', 'kubectl describe *')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-terraform",
+    description: "Block terraform and tofu (OpenTofu) commands",
+    fn: blockTerraform,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "terraform/tofu command patterns to allow (e.g. 'terraform plan', 'terraform validate')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-aws-cli",
+    description: "Block aws CLI commands",
+    fn: blockAwsCli,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "aws CLI command patterns to allow (e.g. 'aws s3 ls *', 'aws sts get-caller-identity')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-gcloud",
+    description: "Block gcloud (Google Cloud) CLI commands",
+    fn: blockGcloud,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "gcloud command patterns to allow (e.g. 'gcloud auth list', 'gcloud config list')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-az-cli",
+    description: "Block az (Azure) CLI commands",
+    fn: blockAzCli,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "az CLI command patterns to allow (e.g. 'az account show', 'az group list')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-helm",
+    description: "Block helm commands",
+    fn: blockHelm,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "helm command patterns to allow (e.g. 'helm list', 'helm status *')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-gh-pipeline",
+    description: "Block gh CLI pipeline-trigger subcommands (workflow run, run rerun/cancel, pr merge, release create/delete, cache delete, secret set/delete)",
+    fn: blockGhPipeline,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "gh pipeline command patterns to allow (e.g. specific scripted invocations); read-only gh subcommands like 'gh pr view' and 'gh run list' are not matched by this policy",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
   {
     name: "block-secrets-write",
     description: "Block writing secret key files",

package/src/hooks/custom-hooks-loader.ts

@@ -17,6 +17,7 @@ import { homedir } from "node:os";
 import { hookLogWarn, hookLogError, hookLogInfo } from "./hook-logger";
 import { getCustomHooks, clearCustomHooks } from "./custom-hooks-registry";
 import { findDistIndex, rewriteFileTree, TMP_SUFFIX, cleanupTmpFiles } from "./loader-utils";
+import { findProjectConfigDir } from "./hooks-config";
 import type { CustomHook } from "./policy-types";
 
 const LOADING_KEY = "__FAILPROOFAI_LOADING_HOOKS__";
@@ -126,11 +127,13 @@ export async function loadAllCustomHooks(
 
   const conventionSources: ConventionSource[] = [];
 
+  const projectRoot = findProjectConfigDir(opts?.sessionCwd ?? process.cwd());
+
   // 1. Explicit customPoliciesPath (existing behavior)
   if (customPoliciesPath) {
     const absPath = isAbsolute(customPoliciesPath)
       ? customPoliciesPath
-      : resolve(opts?.sessionCwd ?? process.cwd(), customPoliciesPath);
+      : resolve(projectRoot, customPoliciesPath);
     if (existsSync(absPath)) {
       await loadSingleFile(absPath);
     } else {
@@ -140,8 +143,8 @@ export async function loadAllCustomHooks(
 
   const hooksBeforeConvention = getCustomHooks().length;
 
-  // 2. Project convention: {cwd}/.failproofai/policies/*policies.{js,mjs,ts}
-  const projectDir = resolve(opts?.sessionCwd ?? process.cwd(), ".failproofai", "policies");
+  // 2. Project convention: {projectRoot}/.failproofai/policies/*policies.{js,mjs,ts}
+  const projectDir = resolve(projectRoot, ".failproofai", "policies");
   const projectFiles = discoverPolicyFiles(projectDir);
   for (const file of projectFiles) {
     const hooksBefore = getCustomHooks().length;

package/src/hooks/hooks-config.ts

@@ -1,7 +1,7 @@
 /**
  * Read/write the hooks configuration file at ~/.failproofai/policies-config.json.
  */
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, statSync } from "node:fs";
 import { resolve, dirname } from "node:path";
 import { homedir } from "node:os";
 import type { HooksConfig } from "./policy-types";
@@ -19,6 +19,33 @@ function readConfigAt(path: string): Partial<HooksConfig> {
   }
 }
 
+/**
+ * Walk up from `start` until a `.failproofai/` directory is found, and return that
+ * dir as the project root. Stops at homedir (the global `~/.failproofai/` is not a
+ * project root) or filesystem root. If no marker is found, returns the original
+ * `start` so callers fall through to the global-only config merge.
+ *
+ * Fixes #200: when Claude Code's Bash tool drifts CWD into a subdirectory, the
+ * project policy config was silently missed because we resolved it at the exact
+ * cwd instead of walking up.
+ */
+export function findProjectConfigDir(start: string): string {
+  const home = homedir();
+  let dir = resolve(start);
+  while (dir !== home) {
+    const marker = resolve(dir, ".failproofai");
+    try {
+      if (statSync(marker).isDirectory()) return dir;
+    } catch {
+      // not present or unreadable — keep walking
+    }
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return resolve(start);
+}
+
 /**
  * Read and merge hooks config from three scopes in priority order:
  *   1. {cwd}/.failproofai/policies-config.json        (project)
@@ -32,7 +59,7 @@ function readConfigAt(path: string): Partial<HooksConfig> {
  *   llm:            first scope that defines it wins
  */
 export function readMergedHooksConfig(cwd?: string): HooksConfig {
-  const base = cwd ? resolve(cwd) : process.cwd();
+  const base = findProjectConfigDir(cwd ?? process.cwd());
   const projectPath = resolve(base, ".failproofai", "policies-config.json");
   const localPath = resolve(base, ".failproofai", "policies-config.local.json");
   const globalPath = resolve(homedir(), ".failproofai", "policies-config.json");
@@ -105,14 +132,13 @@ export function writeHooksConfig(config: HooksConfig): void {
  * Resolve the policies-config path for a specific scope.
  */
 export function getConfigPathForScope(scope: HookScope, cwd?: string): string {
-  const base = cwd ? resolve(cwd) : process.cwd();
   switch (scope) {
     case "user":
       return resolve(homedir(), ".failproofai", "policies-config.json");
     case "project":
-      return resolve(base, ".failproofai", "policies-config.json");
+      return resolve(findProjectConfigDir(cwd ?? process.cwd()), ".failproofai", "policies-config.json");
     case "local":
-      return resolve(base, ".failproofai", "policies-config.local.json");
+      return resolve(findProjectConfigDir(cwd ?? process.cwd()), ".failproofai", "policies-config.local.json");
   }
 }