npm - jettypod - Versions diffs - 4.4.54 → 4.4.55 - Mend

jettypod 4.4.54 → 4.4.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/claude-hooks/global-guardrails.js +281 -0
package/jettypod.js +20 -3
package/package.json +1 -1

package/claude-hooks/global-guardrails.js ADDED Viewed

@@ -0,0 +1,281 @@
+#!/usr/bin/env node
+/**
+ * Global Guardrails Hook
+ *
+ * Enforces actions that are ALWAYS allowed and ALWAYS blocked regardless of
+ * skill or context. Runs before any contextual/skill-specific validators.
+ *
+ * Claude Code PreToolUse Hook
+ */
+const fs = require('fs');
+const path = require('path');
+// Read hook input from stdin
+let input = '';
+process.stdin.on('data', chunk => input += chunk);
+process.stdin.on('end', () => {
+  try {
+    const hookInput = JSON.parse(input);
+    const result = evaluateRequest(hookInput);
+    if (result.allowed) {
+      allow();
+    } else {
+      deny(result.message, result.hint);
+    }
+  } catch (err) {
+    // On parse error, allow (fail open)
+    console.error('Hook error:', err.message);
+    allow();
+  }
+});
+/**
+ * Evaluate the request and return allow/deny decision
+ */
+function evaluateRequest(hookInput) {
+  const { tool_name, tool_input, cwd, active_worktree_path, current_branch } = hookInput;
+  // ALWAYS ALLOW: Read operations
+  if (tool_name === 'Read' || tool_name === 'Glob' || tool_name === 'Grep') {
+    return { allowed: true };
+  }
+  // Handle Bash commands
+  if (tool_name === 'Bash') {
+    return evaluateBashCommand(tool_input.command || '', current_branch, cwd);
+  }
+  // Handle Write/Edit operations
+  if (tool_name === 'Write' || tool_name === 'Edit') {
+    return evaluateWriteOperation(tool_input.file_path || '', active_worktree_path, cwd);
+  }
+  // Default: allow unknown tools
+  return { allowed: true };
+}
+/**
+ * Evaluate Bash command against global rules
+ */
+function evaluateBashCommand(command, currentBranch, cwd) {
+  // BLOCKED: Force push
+  if (/git\s+push\s+.*--force/.test(command) || /git\s+push\s+-f\b/.test(command)) {
+    return {
+      allowed: false,
+      message: 'Force push is blocked',
+      hint: 'Force pushing can destroy history. Use regular push or create a PR.'
+    };
+  }
+  // BLOCKED: Direct commit to main
+  if (/git\s+commit\b/.test(command) && currentBranch === 'main') {
+    return {
+      allowed: false,
+      message: 'Direct commits to main are blocked',
+      hint: 'Use jettypod work start to create a feature branch first.'
+    };
+  }
+  // BLOCKED: Manual worktree creation
+  if (/git\s+worktree\s+add\b/.test(command)) {
+    return {
+      allowed: false,
+      message: 'Manual worktree creation is blocked',
+      hint: 'Use jettypod work start to create worktrees.'
+    };
+  }
+  // BLOCKED: Manual branch creation
+  if (/git\s+checkout\s+-b\b/.test(command) || /git\s+branch\s+(?!-d|-D)/.test(command)) {
+    return {
+      allowed: false,
+      message: 'Manual branch creation is blocked',
+      hint: 'Use jettypod work start to create branches.'
+    };
+  }
+  // BLOCKED: Direct SQL mutation to work.db
+  if (/sqlite3\s+.*work\.db/.test(command)) {
+    const sqlCommand = command.toLowerCase();
+    // Allow SELECT, block mutations
+    if (/\b(update|insert|delete|drop|alter|create)\b/i.test(sqlCommand)) {
+      return {
+        allowed: false,
+        message: 'Direct database mutations are blocked',
+        hint: 'Use jettypod CLI commands to modify work items.'
+      };
+    }
+  }
+  // BLOCKED: Merge from inside worktree (causes CWD corruption)
+  if (/jettypod\s+(work|tests)\s+merge/.test(command)) {
+    if (cwd && /\.jettypod-work\//.test(cwd)) {
+      return {
+        allowed: false,
+        message: 'Cannot merge from inside a worktree. CWD would be deleted.',
+        hint: 'Run: cd /Users/erikspangenberg/jettypod-source && jettypod work merge <id>'
+      };
+    }
+  }
+  // ALLOWED: Git read-only commands
+  if (/git\s+(status|log|diff|show|branch\s*$|remote|fetch)\b/.test(command)) {
+    return { allowed: true };
+  }
+  // ALLOWED: Jettypod read-only commands
+  if (/jettypod\s+(backlog|status|work\s+status|impact)\b/.test(command)) {
+    return { allowed: true };
+  }
+  // Default: allow other commands
+  return { allowed: true };
+}
+/**
+ * Find the jettypod database path
+ * @param {string} cwd - Starting directory
+ * @returns {string|null} Database path or null
+ */
+function findDatabasePath(cwd) {
+  let dir = cwd;
+  while (dir !== path.dirname(dir)) {
+    const dbPath = path.join(dir, '.jettypod', 'work.db');
+    if (fs.existsSync(dbPath)) {
+      return dbPath;
+    }
+    dir = path.dirname(dir);
+  }
+  return null;
+}
+/**
+ * Get the active worktree path from database
+ * @param {string} cwd - Current working directory
+ * @returns {string|null} Active worktree path or null
+ */
+function getActiveWorktreePathFromDB(cwd) {
+  const dbPath = findDatabasePath(cwd);
+  if (!dbPath) {
+    return null;
+  }
+  try {
+    // Try better-sqlite3 first
+    const sqlite3 = require('better-sqlite3');
+    const db = sqlite3(dbPath, { readonly: true });
+    const row = db.prepare(
+      `SELECT worktree_path FROM worktrees WHERE status = 'active' LIMIT 1`
+    ).get();
+    db.close();
+    return row ? row.worktree_path : null;
+  } catch (err) {
+    // Fall back to CLI
+    const { spawnSync } = require('child_process');
+    const result = spawnSync('sqlite3', [
+      dbPath,
+      `SELECT worktree_path FROM worktrees WHERE status = 'active' LIMIT 1`
+    ], { encoding: 'utf-8' });
+    if (result.error || result.status !== 0) {
+      return null;
+    }
+    return result.stdout.trim() || null;
+  }
+}
+/**
+ * Evaluate Write/Edit operation against global rules
+ */
+function evaluateWriteOperation(filePath, inputWorktreePath, cwd) {
+  // Query database for active worktree, fall back to input if provided
+  const activeWorktreePath = getActiveWorktreePathFromDB(cwd) || inputWorktreePath;
+  // Normalize paths
+  const normalizedPath = path.resolve(cwd || '.', filePath);
+  const normalizedWorktree = activeWorktreePath ? path.resolve(cwd || '.', activeWorktreePath) : null;
+  // BLOCKED: Protected files (skills, hooks)
+  const protectedPatterns = [
+    /\.claude\/skills\//i,
+    /claude-hooks\//i,
+    /\.jettypod\/hooks\//i
+  ];
+  for (const pattern of protectedPatterns) {
+    if (pattern.test(normalizedPath) || pattern.test(filePath)) {
+      return {
+        allowed: false,
+        message: 'Protected file - cannot modify',
+        hint: 'Skill and hook files are protected. Modify them through proper channels.'
+      };
+    }
+  }
+  // Check if path is in a worktree
+  const isInWorktree = /\.jettypod-work\//.test(filePath) || /\.jettypod-work\//.test(normalizedPath);
+  if (isInWorktree) {
+    // If we have an active worktree, check if this write is to it
+    if (activeWorktreePath) {
+      // SECURITY: Only use normalized path comparison to prevent traversal attacks
+      // The filePath.includes() check was vulnerable to "../" escapes
+      const isActiveWorktree = normalizedPath.startsWith(normalizedWorktree + path.sep) ||
+                               normalizedPath === normalizedWorktree;
+      if (isActiveWorktree) {
+        return { allowed: true };
+      } else {
+        return {
+          allowed: false,
+          message: 'Not your active worktree',
+          hint: 'You can only write to your currently active worktree.'
+        };
+      }
+    }
+    // No active worktree tracked but path looks like worktree - block
+    return {
+      allowed: false,
+      message: 'Not your active worktree',
+      hint: 'You can only write to your currently active worktree.'
+    };
+  }
+  // BLOCKED: Write to main repo (not in worktree)
+  return {
+    allowed: false,
+    message: 'Cannot write to main repository',
+    hint: 'Use jettypod work start to create a worktree first.'
+  };
+}
+/**
+ * Allow the action
+ */
+function allow() {
+  console.log(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: "PreToolUse",
+      permissionDecision: "allow"
+    }
+  }));
+  process.exit(0);
+}
+/**
+ * Deny the action with explanation
+ */
+function deny(message, hint) {
+  const reason = `❌ ${message}\n\n💡 Hint: ${hint || 'Check your action.'}`;
+  console.log(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: "PreToolUse",
+      permissionDecision: "deny",
+      permissionDecisionReason: reason
+    }
+  }));
+  process.exit(0);
+}

package/jettypod.js CHANGED Viewed

@@ -785,6 +785,14 @@ async function initializeProject() {
     fs.chmodSync(enforceHookDest, 0o755);
   }
+  // Install global-guardrails hook
+  const guardrailsHookSource = path.join(__dirname, 'claude-hooks', 'global-guardrails.js');
+  const guardrailsHookDest = path.join('.jettypod', 'hooks', 'global-guardrails.js');
+  if (fs.existsSync(guardrailsHookSource)) {
+    fs.copyFileSync(guardrailsHookSource, guardrailsHookDest);
+    fs.chmodSync(guardrailsHookDest, 0o755);
+  }
   // Create Claude Code settings
   if (!fs.existsSync('.claude')) {
     fs.mkdirSync('.claude', { recursive: true });
@@ -800,15 +808,24 @@ async function initializeProject() {
         PreToolUse: [
           {
             matcher: 'Edit',
-            hooks: [{ type: 'command', command: '.jettypod/hooks/protect-claude-md.js' }]
+            hooks: [
+              { type: 'command', command: '.jettypod/hooks/global-guardrails.js' },
+              { type: 'command', command: '.jettypod/hooks/protect-claude-md.js' }
+            ]
           },
           {
             matcher: 'Write',
-            hooks: [{ type: 'command', command: '.jettypod/hooks/protect-claude-md.js' }]
+            hooks: [
+              { type: 'command', command: '.jettypod/hooks/global-guardrails.js' },
+              { type: 'command', command: '.jettypod/hooks/protect-claude-md.js' }
+            ]
           },
           {
             matcher: 'Bash',
-            hooks: [{ type: 'command', command: '.jettypod/hooks/enforce-skill-activation.js' }]
+            hooks: [
+              { type: 'command', command: '.jettypod/hooks/global-guardrails.js' },
+              { type: 'command', command: '.jettypod/hooks/enforce-skill-activation.js' }
+            ]
           }
         ]
       }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "jettypod",
-  "version": "4.4.54",
+  "version": "4.4.55",
   "description": "AI-powered development workflow manager with TDD, BDD, and automatic test generation",
   "main": "jettypod.js",
   "bin": {