helloagents 2.3.8 → 3.0.2-beta.1

package/scripts/cli-toml.mjs

@@ -0,0 +1,251 @@
+/**
+ * Lightweight TOML line-based helpers for HelloAGENTS CLI config edits.
+ * Targets the small subset of TOML structures used by Codex CLI config.
+ */
+
+export function isTomlTableHeader(line) {
+  const trimmed = String(line || '').trim();
+  return trimmed.startsWith('[') && trimmed.endsWith(']');
+}
+
+export function normalizeToml(text) {
+  const next = String(text || '')
+    .replace(/\r\n/g, '\n')
+    .replace(/\n{3,}/g, '\n\n')
+    .trimEnd();
+  return next ? `${next}\n` : '';
+}
+
+function escapeRegExp(text) {
+  return String(text || '').replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function findFirstTomlSectionIndex(text) {
+  const normalized = String(text || '').replace(/\r\n/g, '\n');
+  const lines = normalized.split('\n');
+  let index = 0;
+
+  for (const line of lines) {
+    if (isTomlTableHeader(line)) return index;
+    index += line.length + 1;
+  }
+
+  return normalized.length;
+}
+
+function findTopLevelTomlBlock(text, key) {
+  const normalized = String(text || '').replace(/\r\n/g, '\n');
+  const topLevelEnd = findFirstTomlSectionIndex(normalized);
+  const topLevel = normalized.slice(0, topLevelEnd);
+  const re = new RegExp(`^${escapeRegExp(key)}\\s*=`, 'm');
+  const match = re.exec(topLevel);
+  if (!match) return null;
+
+  const start = match.index;
+  const lineEnd = normalized.indexOf('\n', start);
+  const firstLineEnd = lineEnd >= 0 ? lineEnd : normalized.length;
+  const firstLine = normalized.slice(start, firstLineEnd);
+  const value = firstLine.slice(firstLine.indexOf('=') + 1).trim();
+
+  let end = firstLineEnd;
+  if (value.startsWith('"""')) {
+    const openIndex = normalized.indexOf('"""', firstLine.indexOf('='));
+    const closeIndex = normalized.indexOf('"""', openIndex + 3);
+    end = closeIndex >= 0 ? closeIndex + 3 : normalized.length;
+  }
+
+  while (end < normalized.length && normalized[end] === '\n') {
+    end += 1;
+  }
+
+  return {
+    start,
+    end,
+    text: normalized.slice(start, end).trimEnd(),
+  };
+}
+
+export function readTopLevelTomlBlock(text, key) {
+  return findTopLevelTomlBlock(text, key)?.text || '';
+}
+
+export function upsertTopLevelTomlBlock(text, key, value) {
+  const assignment = `${key} = ${String(value || '').trim()}`;
+  const normalized = String(text || '').replace(/\r\n/g, '\n');
+  const existing = findTopLevelTomlBlock(normalized, key);
+  const next = existing
+    ? `${normalized.slice(0, existing.start)}${assignment}\n${normalized.slice(existing.end)}`
+    : `${assignment}\n${normalized}`;
+  return normalizeToml(next);
+}
+
+export function ensureTopLevelTomlBlock(text, key, block) {
+  const normalized = String(block || '').trim();
+  if (!normalized) return normalizeToml(text);
+  const value = normalized.slice(normalized.indexOf('=') + 1).trim();
+  return upsertTopLevelTomlBlock(text, key, value);
+}
+
+export function removeTopLevelTomlBlock(text, key) {
+  const normalized = String(text || '').replace(/\r\n/g, '\n');
+  const existing = findTopLevelTomlBlock(normalized, key);
+  if (!existing) return normalizeToml(text);
+  return normalizeToml(`${normalized.slice(0, existing.start)}${normalized.slice(existing.end)}`);
+}
+
+export function upsertTopLevelTomlKey(text, key, value) {
+  const re = new RegExp(`^${key}\\s*=.*$`, 'm');
+  const next = re.test(text)
+    ? String(text || '').replace(re, `${key} = ${value}`)
+    : `${key} = ${value}\n${String(text || '')}`;
+  return normalizeToml(next);
+}
+
+export function readTopLevelTomlLine(text, key) {
+  const lines = String(text || '').replace(/\r\n/g, '\n').split('\n');
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    if (isTomlTableHeader(trimmed)) break;
+    if (trimmed.startsWith(`${key} =`)) return trimmed;
+  }
+  return '';
+}
+
+export function ensureTopLevelTomlLine(text, key, line) {
+  const normalized = String(line || '').trim();
+  if (!normalized) return normalizeToml(text);
+  const value = normalized.slice(normalized.indexOf('=') + 1).trim();
+  return upsertTopLevelTomlKey(text, key, value);
+}
+
+export function readTomlKeyInSection(text, headerLine, key) {
+  const lines = String(text || '').replace(/\r\n/g, '\n').split('\n');
+  const headerIndex = lines.findIndex((line) => line.trim() === headerLine);
+  if (headerIndex < 0) return '';
+
+  const keyRe = new RegExp(`^\\s*${key}\\s*=.*$`);
+  for (let index = headerIndex + 1; index < lines.length; index += 1) {
+    const line = lines[index];
+    if (isTomlTableHeader(line)) break;
+    if (keyRe.test(line)) return line.trim();
+  }
+  return '';
+}
+
+export function removeTomlKeyInSection(text, headerLine, key) {
+  const lines = String(text || '').replace(/\r\n/g, '\n').split('\n');
+  const headerIndex = lines.findIndex((line) => line.trim() === headerLine);
+  if (headerIndex < 0) return normalizeToml(text);
+
+  const keyRe = new RegExp(`^\\s*${key}\\s*=`);
+  const nextLines = [];
+  let removed = false;
+  for (let index = 0; index < lines.length; index += 1) {
+    const line = lines[index];
+    if (index > headerIndex && isTomlTableHeader(line)) {
+      nextLines.push(...lines.slice(index));
+      break;
+    }
+    if (index > headerIndex && keyRe.test(line)) {
+      removed = true;
+      continue;
+    }
+    nextLines.push(line);
+  }
+
+  if (!removed) return normalizeToml(text);
+  return normalizeToml(nextLines.join('\n'));
+}
+
+export function upsertTomlKeyInSection(text, headerLine, key, value) {
+  const lines = String(text || '').replace(/\r\n/g, '\n').split('\n');
+  const headerIndex = lines.findIndex((line) => line.trim() === headerLine);
+
+  if (headerIndex < 0) {
+    const base = normalizeToml(text).trimEnd();
+    return base
+      ? `${base}\n\n${headerLine}\n${key} = ${value}\n`
+      : `${headerLine}\n${key} = ${value}\n`;
+  }
+
+  let endIndex = headerIndex + 1;
+  while (endIndex < lines.length && !isTomlTableHeader(lines[endIndex])) {
+    endIndex += 1;
+  }
+
+  const keyRe = new RegExp(`^\\s*${key}\\s*=`);
+  let updated = false;
+  for (let index = headerIndex + 1; index < endIndex; index += 1) {
+    if (keyRe.test(lines[index])) {
+      lines[index] = `${key} = ${value}`;
+      updated = true;
+      break;
+    }
+  }
+
+  if (!updated) {
+    lines.splice(endIndex, 0, `${key} = ${value}`);
+  }
+
+  return normalizeToml(lines.join('\n'));
+}
+
+export function ensureTomlKeyInSection(text, headerLine, key, line) {
+  const normalized = String(line || '').trim();
+  if (!normalized) return normalizeToml(text);
+  const value = normalized.slice(normalized.indexOf('=') + 1).trim();
+  return upsertTomlKeyInSection(text, headerLine, key, value);
+}
+
+export function stripTomlSection(text, headerLine) {
+  const lines = String(text || '').replace(/\r\n/g, '\n').split('\n');
+  const kept = [];
+  let removed = false;
+
+  for (let index = 0; index < lines.length;) {
+    if (lines[index].trim() === headerLine) {
+      removed = true;
+      index += 1;
+      while (index < lines.length && !isTomlTableHeader(lines[index])) {
+        index += 1;
+      }
+      continue;
+    }
+
+    kept.push(lines[index]);
+    index += 1;
+  }
+
+  return {
+    removed,
+    text: normalizeToml(kept.join('\n')),
+  };
+}
+
+export function removeTopLevelTomlLines(text, shouldRemove) {
+  const lines = String(text || '').replace(/\r\n/g, '\n').split('\n');
+  const kept = [];
+  let currentSection = null;
+  let removed = false;
+
+  for (const line of lines) {
+    if (isTomlTableHeader(line)) {
+      currentSection = line.trim();
+      kept.push(line);
+      continue;
+    }
+
+    if (!currentSection && shouldRemove(line.trim())) {
+      removed = true;
+      continue;
+    }
+
+    kept.push(line);
+  }
+
+  return {
+    removed,
+    text: normalizeToml(kept.join('\n')),
+  };
+}

package/scripts/cli-utils.mjs

@@ -0,0 +1,139 @@
+/**
+ * Shared utilities for HelloAGENTS CLI installation scripts.
+ * File operations, marker injection, settings merge/clean, hooks loading.
+ */
+import { existsSync, readFileSync, writeFileSync, mkdirSync, rmSync,
+         symlinkSync, lstatSync, unlinkSync, rmdirSync, cpSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { platform } from 'node:os';
+
+const IS_WIN = platform() === 'win32';
+
+export function ensureDir(p) { mkdirSync(p, { recursive: true }); }
+export function safeWrite(p, c) { ensureDir(dirname(p)); writeFileSync(p, c, 'utf-8'); }
+export function safeRead(p) { try { return readFileSync(p, 'utf-8'); } catch { return null; } }
+export function safeJson(p) { try { return JSON.parse(readFileSync(p, 'utf-8')); } catch { return null; } }
+export function removeIfExists(p) { try { rmSync(p, { recursive: true, force: true }); } catch {} }
+export function readJsonOrThrow(p, label = p) {
+  if (!existsSync(p)) return null;
+  try {
+    return JSON.parse(readFileSync(p, 'utf-8'));
+  } catch {
+    throw new Error(`${label} JSON 解析失败: ${p}`);
+  }
+}
+export function copyEntries(sourceRoot, targetRoot, entries) {
+  for (const entry of entries) {
+    const sourcePath = join(sourceRoot, entry);
+    if (!existsSync(sourcePath)) continue;
+    const targetPath = join(targetRoot, entry);
+    ensureDir(dirname(targetPath));
+    cpSync(sourcePath, targetPath, { recursive: true, force: true });
+  }
+}
+
+export function createLink(target, linkPath) {
+  removeLink(linkPath);
+  try {
+    symlinkSync(target, linkPath, IS_WIN ? 'junction' : 'dir');
+    return true;
+  } catch { return false; }
+}
+
+export function removeLink(p) {
+  try {
+    const stat = lstatSync(p);
+    if (IS_WIN && stat.isDirectory()) rmdirSync(p);
+    else unlinkSync(p);
+    return true;
+  } catch { return false; }
+}
+
+// ── Marker injection ─────────────────────────────────────────────────
+
+const MARKER = '<!-- HELLOAGENTS_START -->';
+const MARKER_END = '<!-- HELLOAGENTS_END -->';
+const MARKER_RE = new RegExp(`\\n*${MARKER}[\\s\\S]*?${MARKER_END}\\n*`, 'g');
+
+/** Inject content wrapped in markers, preserving existing content outside markers. */
+export function injectMarkedContent(filePath, content) {
+  const existing = safeRead(filePath) || '';
+  const wrapped = `\n${MARKER}\n${content}\n${MARKER_END}\n`;
+  if (existing.includes(MARKER)) {
+    safeWrite(filePath, existing.replace(MARKER_RE, wrapped));
+  } else if (existing.trim()) {
+    safeWrite(filePath, existing.trimEnd() + '\n' + wrapped);
+  } else {
+    safeWrite(filePath, wrapped.trim() + '\n');
+  }
+}
+
+/** Remove marked content from a file. Deletes file if nothing remains. */
+export function removeMarkedContent(filePath) {
+  const existing = safeRead(filePath);
+  if (!existing || !existing.includes(MARKER)) return;
+  const cleaned = existing.replace(MARKER_RE, '\n').trim();
+  if (cleaned) safeWrite(filePath, cleaned + '\n');
+  else removeIfExists(filePath);
+}
+
+// ── Settings merge/clean ─────────────────────────────────────────────
+
+/** Deep-merge helloagents hooks into a CLI's settings.json. Optionally merges permissions. */
+export function mergeSettingsHooks(settingsPath, hooksData, extraPermissions) {
+  const settings = safeJson(settingsPath) || {};
+
+  if (extraPermissions?.length) {
+    if (!settings.permissions) settings.permissions = {};
+    if (!Array.isArray(settings.permissions.allow)) settings.permissions.allow = [];
+    for (const perm of extraPermissions) {
+      if (!settings.permissions.allow.includes(perm)) settings.permissions.allow.push(perm);
+    }
+  }
+
+  if (hooksData?.hooks) {
+    if (!settings.hooks) settings.hooks = {};
+    for (const [event, entries] of Object.entries(hooksData.hooks)) {
+      if (!Array.isArray(settings.hooks[event])) settings.hooks[event] = [];
+      settings.hooks[event] = settings.hooks[event].filter(e => !JSON.stringify(e).includes('helloagents'));
+      settings.hooks[event].push(...entries);
+    }
+  }
+
+  safeWrite(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+}
+
+/** Remove helloagents hooks (and optionally permissions) from a CLI's settings.json. */
+export function cleanSettingsHooks(settingsPath, cleanPermissions = false) {
+  const settings = safeJson(settingsPath);
+  if (!settings) return;
+
+  if (cleanPermissions && settings.permissions?.allow) {
+    settings.permissions.allow = settings.permissions.allow.filter(p => !p.includes('helloagents'));
+    if (!settings.permissions.allow.length) delete settings.permissions.allow;
+    if (!Object.keys(settings.permissions).length) delete settings.permissions;
+  }
+
+  if (settings.hooks) {
+    for (const [event, entries] of Object.entries(settings.hooks)) {
+      if (!Array.isArray(entries)) continue;
+      settings.hooks[event] = entries.filter(e => !JSON.stringify(e).includes('helloagents'));
+      if (!settings.hooks[event].length) delete settings.hooks[event];
+    }
+    if (!Object.keys(settings.hooks).length) delete settings.hooks;
+  }
+
+  if (Object.keys(settings).length) {
+    safeWrite(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+  } else {
+    removeIfExists(settingsPath);
+  }
+}
+
+/** Read hooks source file and replace path variable with absolute PKG_ROOT. */
+export function loadHooksWithAbsPath(pkgRoot, hooksFile, pathVar) {
+  const src = safeRead(join(pkgRoot, 'hooks', hooksFile));
+  if (!src) return null;
+  const absRoot = pkgRoot.replace(/\\/g, '/');
+  return JSON.parse(src.replace(new RegExp(pathVar.replace(/[{}$]/g, '\\$&'), 'g'), absRoot));
+}

package/scripts/guard.mjs

@@ -0,0 +1,217 @@
+#!/usr/bin/env node
+/**
+ * HelloAGENTS Guard — Dangerous command blocker + L2 semantic security scan
+ * Runs on PreToolUse hook for Bash/shell commands.
+ * Runs on PostToolUse hook for Write/Edit (L2 scan).
+ */
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { homedir } from 'node:os';
+
+const CONFIG_FILE = join(homedir(), '.helloagents', 'helloagents.json');
+
+// Hook event name: read from env or infer from CLI mode + --gemini flag.
+// Claude: PreToolUse/PostToolUse, Gemini: BeforeTool/AfterModel.
+const IS_GEMINI = process.argv.includes('--gemini');
+const IS_POST_WRITE = process.argv.includes('post-write');
+const HOOK_EVENT = process.env.HELLOAGENTS_HOOK_EVENT
+  || (IS_POST_WRITE ? (IS_GEMINI ? 'AfterModel' : 'PostToolUse') : (IS_GEMINI ? 'BeforeTool' : 'PreToolUse'));
+
+function readSettings() {
+  try { return JSON.parse(readFileSync(CONFIG_FILE, 'utf-8')); } catch {}
+  return {};
+}
+
+function emitHookPayload(payload) {
+  process.stdout.write(JSON.stringify(payload));
+}
+
+const DANGEROUS_PATTERNS = [
+  // Destructive file operations (including sudo prefix and long options)
+  { pattern: /(sudo\s+)?rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(-[a-zA-Z]*r[a-zA-Z]*\s+)?(\/|~|\*)/, reason: 'Recursive delete of critical path' },
+  { pattern: /(sudo\s+)?rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?(-[a-zA-Z]*f[a-zA-Z]*\s+)?(\/|~|\*)/, reason: 'Recursive delete of critical path' },
+  { pattern: /(sudo\s+)?rm\s+--recursive/, reason: 'Recursive delete (long option)' },
+  { pattern: /(sudo\s+)?rm\s+-[a-zA-Z]*r[a-zA-Z]*\s+\.\.?(\s|$)/, reason: 'Recursive delete of current/parent directory' },
+  // Force push
+  { pattern: /git\s+push\s+(-f|--force)/, reason: 'Force push (specify branch explicitly)' },
+  // Hard reset
+  { pattern: /git\s+reset\s+--hard/, reason: 'Hard reset (destructive operation)' },
+  // Database destruction
+  { pattern: /DROP\s+(DATABASE|TABLE|SCHEMA)/i, reason: 'Database destruction command' },
+  { pattern: /TRUNCATE\s+TABLE/i, reason: 'Table truncation' },
+  // Dangerous system commands
+  { pattern: /chmod\s+777/, reason: 'World-writable permissions' },
+  { pattern: /mkfs\b/, reason: 'Filesystem format command' },
+  { pattern: /dd\s+.*of=\/dev\//, reason: 'Direct device write' },
+  // Redis flush
+  { pattern: /FLUSHALL|FLUSHDB/i, reason: 'Redis data flush' },
+];
+
+// ── L2 Semantic Security Patterns (advisory, non-blocking) ──────────────────
+
+const SECRET_PATTERNS = [
+  { pattern: /AKIA[0-9A-Z]{16}/, reason: 'AWS Access Key ID detected' },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/, reason: 'GitHub Personal Access Token detected' },
+  { pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, reason: 'GitHub Fine-grained PAT detected' },
+  { pattern: /sk-[a-zA-Z0-9]{20,}/, reason: 'API secret key pattern detected (sk-)' },
+  { pattern: /key-[a-zA-Z0-9]{20,}/, reason: 'API key pattern detected (key-)' },
+  { pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/, reason: 'Private key detected' },
+  { pattern: /password\s*[:=]\s*["'][^"']{4,}["']/i, reason: 'Hardcoded password detected' },
+  { pattern: /secret\s*[:=]\s*["'][^"']{4,}["']/i, reason: 'Hardcoded secret detected' },
+  { pattern: /AIza[0-9A-Za-z\-_]{35}/, reason: 'Google API Key detected' },
+  { pattern: /xox[bpras]-[0-9a-zA-Z\-]+/, reason: 'Slack Token detected' },
+  { pattern: /eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_.+/=]+/, reason: 'JWT token detected' },
+  { pattern: /(postgres|mysql|mongodb(\+srv)?):\/\/[^:]+:[^@]+@/i, reason: 'Database connection string with credentials detected' },
+  { pattern: /sk_live_[a-zA-Z0-9]{24,}/, reason: 'Stripe Secret Key detected' },
+  { pattern: /sk-ant-[a-zA-Z0-9\-]{20,}/, reason: 'Anthropic API Key detected' },
+];
+
+function scanForSecrets(content) {
+  const warnings = [];
+  for (const { pattern, reason } of SECRET_PATTERNS) {
+    if (pattern.test(content)) {
+      warnings.push(reason);
+    }
+  }
+  return warnings;
+}
+
+// ── Post-Write L2 Scan ──────────────────────────────────────────────────────
+// Triggered by PostToolUse matcher: Write|Edit|NotebookEdit (see hooks.json).
+// If Claude Code adds new file-writing tools, update the matcher accordingly.
+
+/** Check for unrequested file creation (Write tool only). */
+function scanUnrequestedFiles(filePath, toolName) {
+  if (!filePath || toolName?.toLowerCase() !== 'write') return [];
+  const basename = filePath.split(/[/\\]/).pop() || '';
+  const UNREQUESTED_PATTERNS = [
+    { pattern: /^(SUMMARY|NOTES|TODO|SCRATCH|TEMP)\.(md|txt)$/i, reason: `Unrequested file creation: ${basename}` },
+    { pattern: /^README.*\.md$/i, test: () => {
+      const depth = filePath.replace(/\\/g, '/').split('/').length;
+      return depth > 4;
+    }, reason: `Suspicious README creation in nested path: ${basename}` },
+  ];
+  const warnings = [];
+  for (const { pattern, test, reason } of UNREQUESTED_PATTERNS) {
+    if (pattern.test(basename) && (!test || test())) warnings.push(reason);
+  }
+  return warnings;
+}
+
+/** Check for dangerous npm scripts and unsafe dependency patterns. */
+function scanDangerousPackages(content, filePath) {
+  const warnings = [];
+  if (filePath.endsWith('package.json')) {
+    const dangerousScripts = /("(preinstall|postinstall|preuninstall)")\s*:\s*"[^"]*\b(curl|wget|bash|sh|eval|exec)\b/i;
+    if (dangerousScripts.test(content)) {
+      warnings.push('Potentially dangerous lifecycle script in package.json (preinstall/postinstall with curl/wget/bash/eval)');
+    }
+  }
+  const unsafeInstall = /npm install\s+[^-].*--ignore-scripts\s*=\s*false|pip install\s+--trusted-host|pip install\s+http:/i;
+  if (unsafeInstall.test(content)) {
+    warnings.push('Unsafe dependency installation pattern detected');
+  }
+  return warnings;
+}
+
+/** Check if .env file is covered by .gitignore. */
+function scanEnvCoverage(filePath) {
+  if (!filePath.endsWith('.env') && !filePath.includes('.env.')) return [];
+  let dir = dirname(filePath);
+  for (let i = 0; i < 10; i++) {
+    try {
+      const gitignore = readFileSync(join(dir, '.gitignore'), 'utf-8');
+      return gitignore.includes('.env') ? [] : ['.env file written but .gitignore does not contain .env pattern'];
+    } catch {
+      const parent = dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+  }
+  return ['.env file written but no .gitignore found'];
+}
+
+function postWriteScan(data) {
+  const settings = readSettings();
+  if (settings.guard_enabled === false) {
+    return;
+  }
+
+  const content = data.tool_input?.content || data.tool_input?.new_string || '';
+  const filePath = data.tool_input?.file_path || '';
+
+  if (!content && !filePath) {
+    return;
+  }
+
+  const warnings = [
+    ...scanUnrequestedFiles(filePath, data.tool_name),
+    ...(content ? [...scanForSecrets(content), ...scanDangerousPackages(content, filePath)] : []),
+    ...scanEnvCoverage(filePath),
+  ];
+
+  if (warnings.length > 0) {
+    emitHookPayload({
+      hookSpecificOutput: {
+        hookEventName: HOOK_EVENT,
+        additionalContext: `⚠️ [HelloAGENTS L2 安全扫描] 检测到潜在问题:\n${warnings.map(w => `  - ${w}`).join('\n')}\n请检查以上问题。`,
+      },
+    });
+  }
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────
+
+async function main() {
+  // Latest Codex rejects suppressOutput on PreToolUse/PostToolUse.
+  // For pass-through cases, emit nothing and exit 0.
+
+  // Check if running in post-write mode (PostToolUse)
+  const mode = process.argv[2] || '';
+  if (mode === 'post-write') {
+    let data = {};
+    try {
+      const input = readFileSync(0, 'utf-8');
+      data = JSON.parse(input);
+    } catch {}
+    postWriteScan(data);
+    return;
+  }
+
+  const settings = readSettings();
+  if (settings.guard_enabled === false) {
+    return;
+  }
+
+  let data = {};
+  try {
+    const input = readFileSync(0, 'utf-8');
+    data = JSON.parse(input);
+  } catch {}
+
+  // Only check Bash/shell tool calls
+  const toolName = (data.tool_name || '').toLowerCase();
+  if (!['bash', 'shell', 'terminal', 'command'].some(t => toolName.includes(t))) {
+    return;
+  }
+
+  const command = data.tool_input?.command || data.tool_input?.input || '';
+  if (!command) {
+    return;
+  }
+
+  for (const { pattern, reason } of DANGEROUS_PATTERNS) {
+    if (pattern.test(command)) {
+      emitHookPayload({
+        hookSpecificOutput: {
+          hookEventName: HOOK_EVENT,
+          permissionDecision: 'deny',
+          permissionDecisionReason: `[HelloAGENTS Guard] Blocked: ${reason}\nCommand: ${command.slice(0, 200)}`,
+        },
+      });
+      return;
+    }
+  }
+}
+
+main().catch(() => {});