failproofai 0.0.6 → 0.0.8

package/src/hooks/builtin-policies.ts

@@ -159,6 +159,21 @@ const TMUX_DETACH_RE = /\btmux\s+(?:new-session|new)\b[^|&;]*-d\b/;
 const DISOWN_RE = /\bdisown\b/;
 const BACKGROUND_AMPERSAND_RE = /(?<![&|])\s?&\s*(?:$|#|;)/;
 
+// Infra Commands — leading-token detection across shell separators.
+// Each regex matches the CLI name only when it appears as the first token of a
+// command segment (start-of-string or after ; && || |). Trailing \s prevents
+// false matches on names like "kubectlx" or "awsctl".
+const KUBECTL_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*kubectl(?:\s|$)/;
+const TERRAFORM_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*(?:terraform|tofu)(?:\s|$)/;
+const AWS_CLI_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*aws(?:\s|$)/;
+const GCLOUD_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*gcloud(?:\s|$)/;
+const AZ_CLI_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*az(?:\s|$)/;
+const HELM_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*helm(?:\s|$)/;
+// gh: only mutating / pipeline-trigger subcommands. Read-only forms
+// (gh pr view, gh run list, gh api ...) are intentionally allowed because
+// failproofai's own workflow policies depend on them.
+const GH_PIPELINE_RE = /(?:^|[;\n]|&&|\|\|?|&)\s*gh\s+(?:workflow\s+(?:run|enable|disable)|run\s+(?:rerun|cancel)|pr\s+merge|release\s+(?:create|delete)|cache\s+delete|secret\s+(?:set|delete))\b/;
+
 // Caches the current branch per cwd to avoid repeated execSync calls.
 // Trade-off: if the user switches branches externally mid-session, the cache serves
 // the stale value until the process restarts. This is acceptable since branch switches
@@ -770,6 +785,48 @@ function blockFailproofaiCommands(ctx: PolicyContext): PolicyResult {
   return allow();
 }
 
+// Shared CLI-blocker: deny any command whose argv begins with the matched CLI,
+// unless an entry in `allowPatterns` matches via `matchesAllowedPattern` (which
+// already defends against shell-operator injection).
+function blockInfraCli(ctx: PolicyContext, re: RegExp, denyMsg: string): PolicyResult {
+  if (ctx.toolName !== "Bash") return allow();
+  const cmd = getCommand(ctx);
+  if (!re.test(cmd)) return allow();
+  const allowPatterns = ((ctx.params?.allowPatterns ?? []) as string[]);
+  if (allowPatterns.some((p) => matchesAllowedPattern(cmd, p))) return allow();
+  return deny(denyMsg);
+}
+
+function blockKubectl(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, KUBECTL_RE, "kubectl commands are blocked");
+}
+
+function blockTerraform(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, TERRAFORM_RE, "terraform/tofu commands are blocked");
+}
+
+function blockAwsCli(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, AWS_CLI_RE, "aws CLI commands are blocked");
+}
+
+function blockGcloud(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, GCLOUD_RE, "gcloud commands are blocked");
+}
+
+function blockAzCli(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, AZ_CLI_RE, "az (Azure) CLI commands are blocked");
+}
+
+function blockHelm(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, HELM_RE, "helm commands are blocked");
+}
+
+// gh-pipeline only fires on mutating subcommands; allowPatterns are still
+// supported in case a user wants to permit a specific scripted invocation.
+function blockGhPipeline(ctx: PolicyContext): PolicyResult {
+  return blockInfraCli(ctx, GH_PIPELINE_RE, "gh pipeline-trigger commands are blocked");
+}
+
 // Maximum size of the per-session tool-call sidecar before we stop updating it.
 // If exceeded, repeated-call detection degrades gracefully (allows through) rather
 // than growing the file unboundedly.
@@ -1147,36 +1204,19 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
       return allow(`PR #${pr.number} exists: ${pr.url}`);
     }
 
-    // PR is merged/closed. The earlier origin/{baseBranch} checks may have
-    // used a stale ref. Fetch and re-verify before denying.
+    // Trust GitHub's authoritative state. Local-ref reconciliation can never
+    // converge after squash-merge or rebase-merge (the original branch commit
+    // is orphaned, never an ancestor of base) or when base is auto-modified
+    // post-merge (e.g. release-workflow version bumps). The PR being MERGED
+    // is itself the proof that the work shipped.
     if (pr.state === "MERGED") {
-      try {
-        execFileSync("git", ["fetch", "origin", `+refs/heads/${baseBranch}:refs/remotes/origin/${baseBranch}`], {
-          cwd,
-          encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
-          timeout: 10000,
-        });
-        const freshAhead = execFileSync(
-          "git",
-          ["log", `origin/${baseBranch}..HEAD`, "--oneline"],
-          { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
-        ).trim();
-        if (!freshAhead) {
-          return allow(`PR #${pr.number} was merged; branch is up to date with ${baseBranch}.`);
-        }
-        const freshDiff = execFileSync(
-          "git",
-          ["diff", "--stat", `origin/${baseBranch}`, "HEAD"],
-          { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
-        ).trim();
-        if (!freshDiff) {
-          return allow(`PR #${pr.number} was merged; no file changes vs ${baseBranch}.`);
-        }
-      } catch {
-        // Fetch or git command failed — fall through to deny
-      }
+      return allow(
+        `PR #${pr.number} was merged: ${pr.url}. ` +
+        `Switch off this branch (e.g. 'git checkout ${baseBranch} && git pull') before stopping again.`,
+      );
     }
 
+    // Reaches here only for CLOSED-without-merge — PR was rejected.
     return deny(
       `Pull request for branch "${branch}" is ${pr.state.toLowerCase()}. Run now: gh pr create`,
     );
@@ -1197,8 +1237,37 @@ function requireNoConflictsBeforeStop(ctx: PolicyContext): PolicyResult {
     return allow(`On base branch "${baseBranch}", skipping conflict check.`);
   }
 
+  // -- Precheck: only enforce when an OPEN PR exists on GitHub. Without a
+  // confirmable merge target there is nothing to enforce, so we skip both
+  // the local merge-tree probe and the GitHub mergeability probe.
+  try {
+    execSync("gh --version", { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
+  } catch {
+    return allow("gh CLI not installed, skipping conflict check.");
+  }
+
+  let prJson: string;
+  try {
+    prJson = execSync("gh pr view --json mergeable,number,url,state", {
+      cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 15000,
+    }).trim();
+  } catch {
+    return allow("No pull request found for branch, skipping conflict check.");
+  }
+
+  let pr: { mergeable: string; number: number; url: string; state: string };
+  try {
+    pr = JSON.parse(prJson);
+  } catch {
+    return allow("Could not parse gh pr view output, skipping conflict check.");
+  }
+
+  // GitHub stops computing mergeability for non-OPEN PRs (returns UNKNOWN forever).
+  if (pr.state !== "OPEN") {
+    return allow(`PR #${pr.number} is ${pr.state.toLowerCase()}; skipping conflict check.`);
+  }
+
   // -- Layer 1: local git merge-tree --
-  let localSkipped = false;
   try {
     execFileSync("git", ["rev-parse", "--verify", `origin/${baseBranch}`], {
       cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000,
@@ -1209,17 +1278,14 @@ function requireNoConflictsBeforeStop(ctx: PolicyContext): PolicyResult {
       { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
     ).trim();
 
-    if (!ahead) {
-      // Nothing ahead of base — Layer 1 doesn't apply, fall through to Layer 2.
-      localSkipped = true;
-    } else {
+    if (ahead) {
       execFileSync(
         "git",
         ["merge-tree", "--write-tree", "--name-only", `origin/${baseBranch}`, "HEAD"],
         { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 10000 },
       );
-      // exit 0 → clean merge, fall through to Layer 2
     }
+    // !ahead or merge-tree exit 0 → fall through to Layer 2
   } catch (err) {
     const e = err as { status?: number; stdout?: string | Buffer };
     if (e.status === 1) {
@@ -1238,46 +1304,10 @@ function requireNoConflictsBeforeStop(ctx: PolicyContext): PolicyResult {
         `Rebase or merge origin/${baseBranch} now and resolve the conflicts.`,
       );
     }
-    localSkipped = true;
-  }
-
-  // -- Layer 2: GitHub PR mergeability --
-  try {
-    execSync("gh --version", { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
-  } catch {
-    return allow(
-      localSkipped
-        ? "Local conflict check skipped and gh CLI not installed, skipping conflict check."
-        : `Branch "${branch}" merges cleanly with ${baseBranch} locally (gh CLI not installed, PR mergeability not verified).`,
-    );
-  }
-
-  let prJson: string;
-  try {
-    prJson = execSync("gh pr view --json mergeable,number,url,state", {
-      cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 15000,
-    }).trim();
-  } catch {
-    return allow(
-      localSkipped
-        ? "No pull request found for branch, skipping conflict check."
-        : `Branch "${branch}" merges cleanly with ${baseBranch} locally (no PR to verify against).`,
-    );
-  }
-
-  let pr: { mergeable: string; number: number; url: string; state: string };
-  try {
-    pr = JSON.parse(prJson);
-  } catch {
-    return allow("Could not parse gh pr view output, skipping PR mergeability check.");
-  }
-
-  // GitHub stops computing mergeability for non-OPEN PRs (returns UNKNOWN forever).
-  // Skip the check entirely so a merged or closed PR doesn't trap Stop in a wait loop.
-  if (pr.state !== "OPEN") {
-    return allow(`PR #${pr.number} is ${pr.state.toLowerCase()}; skipping conflict check.`);
+    // any other failure (e.g. missing origin/<base>, log failure) → fall through
   }
 
+  // -- Layer 2: GitHub PR mergeability (reuses pr from precheck) --
   if (pr.mergeable === "CONFLICTING") {
     return deny(
       `PR #${pr.number} has merge conflicts per GitHub (${pr.url}). ` +
@@ -1495,6 +1525,111 @@ export const BUILTIN_POLICIES: BuiltinPolicyDefinition[] = [
     defaultEnabled: true,
     category: "Dangerous Commands",
   },
+  {
+    name: "block-kubectl",
+    description: "Block kubectl commands (Kubernetes cluster mutations)",
+    fn: blockKubectl,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "kubectl command patterns to allow, matched token-by-token (e.g. 'kubectl get *', 'kubectl describe *')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-terraform",
+    description: "Block terraform and tofu (OpenTofu) commands",
+    fn: blockTerraform,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "terraform/tofu command patterns to allow (e.g. 'terraform plan', 'terraform validate')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-aws-cli",
+    description: "Block aws CLI commands",
+    fn: blockAwsCli,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "aws CLI command patterns to allow (e.g. 'aws s3 ls *', 'aws sts get-caller-identity')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-gcloud",
+    description: "Block gcloud (Google Cloud) CLI commands",
+    fn: blockGcloud,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "gcloud command patterns to allow (e.g. 'gcloud auth list', 'gcloud config list')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-az-cli",
+    description: "Block az (Azure) CLI commands",
+    fn: blockAzCli,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "az CLI command patterns to allow (e.g. 'az account show', 'az group list')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-helm",
+    description: "Block helm commands",
+    fn: blockHelm,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "helm command patterns to allow (e.g. 'helm list', 'helm status *')",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
+  {
+    name: "block-gh-pipeline",
+    description: "Block gh CLI pipeline-trigger subcommands (workflow run, run rerun/cancel, pr merge, release create/delete, cache delete, secret set/delete)",
+    fn: blockGhPipeline,
+    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    defaultEnabled: false,
+    category: "Infra Commands",
+    params: {
+      allowPatterns: {
+        type: "string[]",
+        description: "gh pipeline command patterns to allow (e.g. specific scripted invocations); read-only gh subcommands like 'gh pr view' and 'gh run list' are not matched by this policy",
+        default: [],
+      },
+    } satisfies PolicyParamsSchema,
+  },
   {
     name: "block-secrets-write",
     description: "Block writing secret key files",

package/src/hooks/custom-hooks-loader.ts

@@ -17,6 +17,7 @@ import { homedir } from "node:os";
 import { hookLogWarn, hookLogError, hookLogInfo } from "./hook-logger";
 import { getCustomHooks, clearCustomHooks } from "./custom-hooks-registry";
 import { findDistIndex, rewriteFileTree, TMP_SUFFIX, cleanupTmpFiles } from "./loader-utils";
+import { findProjectConfigDir } from "./hooks-config";
 import type { CustomHook } from "./policy-types";
 
 const LOADING_KEY = "__FAILPROOFAI_LOADING_HOOKS__";
@@ -126,11 +127,13 @@ export async function loadAllCustomHooks(
 
   const conventionSources: ConventionSource[] = [];
 
+  const projectRoot = findProjectConfigDir(opts?.sessionCwd ?? process.cwd());
+
   // 1. Explicit customPoliciesPath (existing behavior)
   if (customPoliciesPath) {
     const absPath = isAbsolute(customPoliciesPath)
       ? customPoliciesPath
-      : resolve(opts?.sessionCwd ?? process.cwd(), customPoliciesPath);
+      : resolve(projectRoot, customPoliciesPath);
     if (existsSync(absPath)) {
       await loadSingleFile(absPath);
     } else {
@@ -140,8 +143,8 @@ export async function loadAllCustomHooks(
 
   const hooksBeforeConvention = getCustomHooks().length;
 
-  // 2. Project convention: {cwd}/.failproofai/policies/*policies.{js,mjs,ts}
-  const projectDir = resolve(opts?.sessionCwd ?? process.cwd(), ".failproofai", "policies");
+  // 2. Project convention: {projectRoot}/.failproofai/policies/*policies.{js,mjs,ts}
+  const projectDir = resolve(projectRoot, ".failproofai", "policies");
   const projectFiles = discoverPolicyFiles(projectDir);
   for (const file of projectFiles) {
     const hooksBefore = getCustomHooks().length;

package/src/hooks/hooks-config.ts

@@ -1,7 +1,7 @@
 /**
  * Read/write the hooks configuration file at ~/.failproofai/policies-config.json.
  */
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, statSync } from "node:fs";
 import { resolve, dirname } from "node:path";
 import { homedir } from "node:os";
 import type { HooksConfig } from "./policy-types";
@@ -19,6 +19,33 @@ function readConfigAt(path: string): Partial<HooksConfig> {
   }
 }
 
+/**
+ * Walk up from `start` until a `.failproofai/` directory is found, and return that
+ * dir as the project root. Stops at homedir (the global `~/.failproofai/` is not a
+ * project root) or filesystem root. If no marker is found, returns the original
+ * `start` so callers fall through to the global-only config merge.
+ *
+ * Fixes #200: when Claude Code's Bash tool drifts CWD into a subdirectory, the
+ * project policy config was silently missed because we resolved it at the exact
+ * cwd instead of walking up.
+ */
+export function findProjectConfigDir(start: string): string {
+  const home = homedir();
+  let dir = resolve(start);
+  while (dir !== home) {
+    const marker = resolve(dir, ".failproofai");
+    try {
+      if (statSync(marker).isDirectory()) return dir;
+    } catch {
+      // not present or unreadable — keep walking
+    }
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return resolve(start);
+}
+
 /**
  * Read and merge hooks config from three scopes in priority order:
  *   1. {cwd}/.failproofai/policies-config.json        (project)
@@ -32,7 +59,7 @@ function readConfigAt(path: string): Partial<HooksConfig> {
  *   llm:            first scope that defines it wins
  */
 export function readMergedHooksConfig(cwd?: string): HooksConfig {
-  const base = cwd ? resolve(cwd) : process.cwd();
+  const base = findProjectConfigDir(cwd ?? process.cwd());
   const projectPath = resolve(base, ".failproofai", "policies-config.json");
   const localPath = resolve(base, ".failproofai", "policies-config.local.json");
   const globalPath = resolve(homedir(), ".failproofai", "policies-config.json");
@@ -105,14 +132,13 @@ export function writeHooksConfig(config: HooksConfig): void {
  * Resolve the policies-config path for a specific scope.
  */
 export function getConfigPathForScope(scope: HookScope, cwd?: string): string {
-  const base = cwd ? resolve(cwd) : process.cwd();
   switch (scope) {
     case "user":
       return resolve(homedir(), ".failproofai", "policies-config.json");
     case "project":
-      return resolve(base, ".failproofai", "policies-config.json");
+      return resolve(findProjectConfigDir(cwd ?? process.cwd()), ".failproofai", "policies-config.json");
     case "local":
-      return resolve(base, ".failproofai", "policies-config.local.json");
+      return resolve(findProjectConfigDir(cwd ?? process.cwd()), ".failproofai", "policies-config.local.json");
   }
 }
 

package/.next/standalone/.next/static/chunks/04iuhj_-h-21-.js

@@ -1 +0,0 @@
-(globalThis.TURBOPACK||(globalThis.TURBOPACK=[])).push(["object"==typeof document?document.currentScript:void 0,53348,e=>{"use strict";var r=e.i(43476),t=e.i(71645),n=e.i(65771),i=e.i(9969);e.s(["default",0,function({error:e,reset:o}){return(0,t.useEffect)(()=>{(0,n.getTelemetryConfig)().then(r=>{(0,i.setClientTelemetryConfig)(r),(0,i.captureClientEvent)("client_error",{error_message:e.message,error_name:e.name,error_digest:e.digest,boundary:"global"})}).catch(()=>{})},[e]),(0,r.jsx)("html",{children:(0,r.jsx)("body",{children:(0,r.jsx)("main",{style:{minHeight:"100vh",display:"flex",alignItems:"center",justifyContent:"center",background:"#031035",color:"#f8fafc",fontFamily:"system-ui, sans-serif"},children:(0,r.jsxs)("div",{style:{textAlign:"center",padding:"2rem",border:"1px solid rgba(239,68,68,0.4)",borderRadius:"0.5rem",maxWidth:"500px"},children:[(0,r.jsx)("h2",{style:{color:"#ef4444",marginBottom:"0.5rem",fontSize:"1.25rem"},children:"Something went wrong"}),(0,r.jsx)("p",{style:{color:"#94a3b8",marginBottom:"1.5rem"},children:e.message||"An unexpected error occurred."}),(0,r.jsx)("button",{onClick:o,style:{padding:"0.5rem 1.25rem",background:"#3b82f6",color:"white",border:"none",borderRadius:"0.375rem",cursor:"pointer",fontSize:"0.875rem"},children:"Try again"})]})})})})}])}]);