mstro-app 0.3.7 → 0.3.9

package/server/mcp/bouncer-cli.ts

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+
+/**
+ * Bouncer CLI — stdin/stdout wrapper for Claude Code PreToolUse hooks.
+ *
+ * Reads a tool use request from stdin (JSON), runs it through the full
+ * 2-layer bouncer (pattern matching + Haiku AI), and writes the decision
+ * to stdout in the format Claude Code hooks expect.
+ *
+ * Input format (from Claude Code hook):
+ *   { "tool_name": "Bash", "input": { "command": "rm -rf /" } }
+ *
+ * Output format (to Claude Code hook):
+ *   { "decision": "allow"|"deny", "reason": "..." }
+ */
+
+import type { BouncerReviewRequest } from './bouncer-integration.js';
+import { reviewOperation } from './bouncer-integration.js';
+
+function buildOperation(toolName: string, toolInput: Record<string, unknown>): string {
+  const prefix = `${toolName}: `;
+  if (toolName === 'Bash' && toolInput.command) return prefix + String(toolInput.command);
+  if (toolName === 'Edit' && toolInput.file_path) return prefix + String(toolInput.file_path);
+  if (toolName === 'Write' && toolInput.file_path) return prefix + String(toolInput.file_path);
+  return prefix + JSON.stringify(toolInput).slice(0, 500);
+}
+
+async function evaluate(rawInput: string): Promise<{ decision: string; reason: string }> {
+  if (!rawInput.trim()) {
+    return { decision: 'allow', reason: 'Empty input' };
+  }
+
+  let parsed: { tool_name?: string; toolName?: string; input?: Record<string, unknown>; toolInput?: Record<string, unknown> };
+  try {
+    parsed = JSON.parse(rawInput);
+  } catch {
+    return { decision: 'allow', reason: 'Invalid JSON input' };
+  }
+
+  const toolName = parsed.tool_name || parsed.toolName || 'unknown';
+  const toolInput = parsed.input || parsed.toolInput || {};
+
+  const request: BouncerReviewRequest = {
+    operation: buildOperation(toolName, toolInput),
+    context: {
+      purpose: 'Tool use request from Claude Code hook',
+      workingDirectory: process.cwd(),
+      toolName,
+      toolInput,
+    },
+  };
+
+  const result = await reviewOperation(request);
+  return {
+    decision: result.decision === 'deny' ? 'deny' : 'allow',
+    reason: result.reasoning,
+  };
+}
+
+async function main(): Promise<void> {
+  let rawInput = '';
+  for await (const chunk of process.stdin) {
+    rawInput += chunk;
+  }
+  const result = await evaluate(rawInput);
+  console.log(JSON.stringify(result));
+}
+
+main().catch(() => {
+  console.log(JSON.stringify({ decision: 'allow', reason: 'Bouncer crash' }));
+});

package/server/mcp/bouncer-integration.ts

@@ -38,6 +38,7 @@ import { captureException } from '../services/sentry.js';
 import {
   CRITICAL_THREATS,
   matchesPattern,
+  normalizeOperation,
   requiresAIReview,
   SAFE_OPERATIONS
 } from './security-patterns.js';
@@ -68,6 +69,11 @@ function getCachedDecision(operation: string): BouncerDecision | null {
   return entry.decision;
 }
 
+/** Clear the decision cache. Exposed for testing statistical reliability (multiple runs per operation). */
+export function clearDecisionCache(): void {
+  decisionCache.clear();
+}
+
 function cacheDecision(operation: string, decision: BouncerDecision): void {
   // Don't cache low-confidence or error-fallback decisions
   if (decision.confidence < 50) return;
@@ -304,13 +310,54 @@ function finalizeDecision(
   return decision;
 }
 
+/**
+ * Layer 2: Haiku AI analysis with timeout/error handling.
+ */
+async function runHaikuAnalysis(
+  request: BouncerReviewRequest,
+  operation: string,
+  startTime: number,
+  fin: (d: BouncerDecision, layer: string, opts?: Parameters<typeof finalizeDecision>[6]) => BouncerDecision,
+): Promise<BouncerDecision> {
+  if (process.env.BOUNCER_USE_AI === 'false') {
+    console.error('[Bouncer] AI analysis disabled (BOUNCER_USE_AI=false)');
+    return fin({ decision: 'warn_allow', confidence: 60, reasoning: 'Operation requires review but AI analysis is disabled. Proceeding with caution.', threatLevel: 'medium' }, 'ai-disabled', { skipCache: true, skipAnalytics: true });
+  }
+
+  console.error('[Bouncer] 🤖 Invoking Haiku for AI analysis...');
+  trackEvent(AnalyticsEvents.BOUNCER_HAIKU_REVIEW, { operation_length: operation.length });
+
+  const claudeCommand = process.env.CLAUDE_COMMAND || 'claude';
+  const workingDir = request.context?.workingDirectory || process.cwd();
+
+  try {
+    const decision = await analyzeWithHaiku(request, claudeCommand, workingDir);
+    console.error(`[Bouncer] ✓ Haiku decision: ${decision.decision} (${decision.confidence}% confidence) [${Math.round(performance.now() - startTime)}ms]`);
+    console.error(`[Bouncer] Reasoning: ${decision.reasoning}`);
+    return fin(decision, 'haiku-ai');
+  } catch (error: unknown) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+
+    if (errorMessage.includes('timed out')) {
+      console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
+      captureException(error, { context: 'bouncer.haiku_timeout', operation });
+      return fin({ decision: 'allow', confidence: 50, reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`, threatLevel: 'medium' }, 'haiku-timeout', { skipCache: true });
+    }
+
+    console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
+    captureException(error, { context: 'bouncer.haiku_analysis', operation });
+    return fin({ decision: 'deny', confidence: 0, reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`, threatLevel: 'critical' }, 'ai-error', { skipCache: true, skipAnalytics: true, error: errorMessage });
+  }
+}
+
 /**
  * Main bouncer review function - 2-layer hybrid system
  */
 export async function reviewOperation(request: BouncerReviewRequest): Promise<BouncerDecision> {
   const { logBouncerDecision } = await import('./security-audit.js');
   const startTime = performance.now();
-  const { operation } = request;
+  const { operation: rawOperation } = request;
+  const operation = normalizeOperation(rawOperation);
   const fin = (d: BouncerDecision, layer: string, opts?: Parameters<typeof finalizeDecision>[6]) =>
     finalizeDecision(operation, d, layer, startTime, request.context, logBouncerDecision, opts);
 
@@ -336,15 +383,9 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
 
   // LAYER 1: Pattern-Based Fast Path (< 5ms)
 
-  // Check safe operations FIRST — allows trusted sources (e.g., brew, rustup)
-  // to pass before hitting critical threat patterns like curl|bash
-  const safeOperation = matchesPattern(operation, SAFE_OPERATIONS);
-  if (safeOperation) {
-    console.error('[Bouncer] ⚡ Fast path: Safe operation approved');
-    return fin({ decision: 'allow', confidence: 95, reasoning: 'Operation matches known-safe patterns. No security concerns detected.', threatLevel: 'low' }, 'pattern-safe');
-  }
-
-  // Critical threats (rm -rf /, fork bombs) — ALWAYS denied
+  // Critical threats (rm -rf /, fork bombs) — ALWAYS denied, checked first
+  // to prevent chained commands (e.g., "echo hello; rm -rf /") from bypassing
+  // via a safe prefix match.
   const criticalThreat = matchesPattern(operation, CRITICAL_THREATS);
   if (criticalThreat) {
     console.error('[Bouncer] ⚡ Fast path: CRITICAL THREAT detected');
@@ -355,43 +396,24 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
     }, 'pattern-critical');
   }
 
-  // LAYER 2: Haiku AI Analysis (~200-500ms)
-
-  // Default allow for operations that don't need AI review
+  // Use requiresAIReview() for nuanced routing — handles sensitive paths,
+  // safe operations with guards (chain operators, pipes, expansion), and
+  // exfiltration patterns in a single consistent check.
   if (!requiresAIReview(operation)) {
-    console.error('[Bouncer] ⚡ Fast path: No concerning patterns, allowing');
-    return fin({ decision: 'allow', confidence: 80, reasoning: 'Operation appears safe based on pattern analysis. No obvious threats detected.', threatLevel: 'low' }, 'pattern-default');
-  }
-
-  if (process.env.BOUNCER_USE_AI === 'false') {
-    console.error('[Bouncer] AI analysis disabled (BOUNCER_USE_AI=false)');
-    return fin({ decision: 'warn_allow', confidence: 60, reasoning: 'Operation requires review but AI analysis is disabled. Proceeding with caution.', threatLevel: 'medium' }, 'ai-disabled', { skipCache: true, skipAnalytics: true });
+    const isSafe = matchesPattern(operation, SAFE_OPERATIONS);
+    console.error(`[Bouncer] ⚡ Fast path: ${isSafe ? 'Safe operation approved' : 'No concerning patterns, allowing'}`);
+    return fin({
+      decision: 'allow',
+      confidence: isSafe ? 95 : 80,
+      reasoning: isSafe
+        ? 'Operation matches known-safe patterns. No security concerns detected.'
+        : 'Operation appears safe based on pattern analysis. No obvious threats detected.',
+      threatLevel: 'low'
+    }, isSafe ? 'pattern-safe' : 'pattern-default');
   }
 
-  console.error('[Bouncer] 🤖 Invoking Haiku for AI analysis...');
-  trackEvent(AnalyticsEvents.BOUNCER_HAIKU_REVIEW, { operation_length: operation.length });
-
-  const claudeCommand = process.env.CLAUDE_COMMAND || 'claude';
-  const workingDir = request.context?.workingDirectory || process.cwd();
-
-  try {
-    const decision = await analyzeWithHaiku(request, claudeCommand, workingDir);
-    console.error(`[Bouncer] ✓ Haiku decision: ${decision.decision} (${decision.confidence}% confidence) [${Math.round(performance.now() - startTime)}ms]`);
-    console.error(`[Bouncer] Reasoning: ${decision.reasoning}`);
-    return fin(decision, 'haiku-ai');
-  } catch (error: unknown) {
-    const errorMessage = error instanceof Error ? error.message : String(error);
-
-    if (errorMessage.includes('timed out')) {
-      console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
-      captureException(error, { context: 'bouncer.haiku_timeout', operation });
-      return fin({ decision: 'allow', confidence: 50, reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`, threatLevel: 'medium' }, 'haiku-timeout', { skipCache: true });
-    }
-
-    console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
-    captureException(error, { context: 'bouncer.haiku_analysis', operation });
-    return fin({ decision: 'deny', confidence: 0, reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`, threatLevel: 'critical' }, 'ai-error', { skipCache: true, skipAnalytics: true, error: errorMessage });
-  }
+  // LAYER 2: Haiku AI Analysis (~200-500ms)
+  return runHaikuAnalysis(request, operation, startTime, fin);
 }
 
 /**

package/server/mcp/bouncer-sandbox.ts

@@ -0,0 +1,214 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+
+/**
+ * Sandbox Harness for Bouncer Testing
+ *
+ * Wraps command execution in Anthropic's sandbox-runtime (bubblewrap on Linux,
+ * sandbox-exec on macOS) to safely test what happens when the bouncer FAILS —
+ * i.e., when a malicious tool call gets through.
+ *
+ * Usage in tests:
+ *   const harness = new BouncerSandboxHarness();
+ *   await harness.initialize();
+ *   const result = await harness.executeInSandbox('rm -rf /tmp/test-canary');
+ *   expect(result.violations).toContain(...)
+ *   await harness.cleanup();
+ */
+
+import { execSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+export interface SandboxExecResult {
+  /** The sandboxed command that was actually run */
+  wrappedCommand: string;
+  /** Whether sandbox-runtime is available on this platform */
+  sandboxAvailable: boolean;
+  /** Whether the sandbox contained the operation (no violations) */
+  contained: boolean;
+  /** List of violation descriptions if any escaped the sandbox */
+  violations: string[];
+}
+
+export interface CanaryCheckResult {
+  /** Whether the canary file still exists (should be true if sandbox contained the write) */
+  canaryIntact: boolean;
+  /** Whether a file was written outside the sandbox (should be false) */
+  escapeDetected: boolean;
+}
+
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export class BouncerSandboxHarness {
+  private sandboxManager: Awaited<typeof import('@anthropic-ai/sandbox-runtime')>['SandboxManager'] | null = null;
+  private sandboxAvailable = false;
+  private tempDir: string;
+  private canaryDir: string;
+
+  constructor() {
+    this.tempDir = mkdtempSync(join(tmpdir(), 'bouncer-sandbox-'));
+    this.canaryDir = join(this.tempDir, 'canaries');
+    mkdirSync(this.canaryDir, { recursive: true });
+  }
+
+  /**
+   * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+   */
+  async initialize(): Promise<{ available: boolean; reason?: string }> {
+    try {
+      const { SandboxManager } = await import('@anthropic-ai/sandbox-runtime');
+
+      if (!SandboxManager.isSupportedPlatform()) {
+        return { available: false, reason: 'Platform not supported by sandbox-runtime' };
+      }
+
+      const deps = SandboxManager.checkDependencies();
+      if (deps.errors.length > 0) {
+        return {
+          available: false,
+          reason: `Missing dependencies: ${deps.errors.join(', ')}`,
+        };
+      }
+
+      await SandboxManager.initialize({
+        network: {
+          allowedDomains: [], // Block ALL network access
+          deniedDomains: ['*'],
+        },
+        filesystem: {
+          denyRead: [
+            '/home/*/.ssh',
+            '/home/*/.aws',
+            '/home/*/.gnupg',
+            '/etc/shadow',
+            '/etc/passwd',
+          ],
+          allowWrite: [this.tempDir], // Only allow writes to our temp dir
+          denyWrite: [
+            '/',
+            '/home',
+            '/etc',
+            '/usr',
+            '/var',
+          ],
+        },
+      });
+
+      this.sandboxManager = SandboxManager;
+      this.sandboxAvailable = true;
+      return { available: true };
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      return { available: false, reason: `Failed to initialize sandbox: ${msg}` };
+    }
+  }
+
+  /**
+   * Execute a command inside the sandbox. Returns containment results.
+   * If sandbox is not available, validates the bouncer decision only (no actual execution).
+   */
+  async executeInSandbox(command: string): Promise<SandboxExecResult> {
+    if (!this.sandboxAvailable || !this.sandboxManager) {
+      return {
+        wrappedCommand: command,
+        sandboxAvailable: false,
+        contained: true,
+        violations: ['Sandbox not available — decision-only testing mode'],
+      };
+    }
+
+    const violations: string[] = [];
+    try {
+      const wrappedCommand = await this.sandboxManager.wrapWithSandbox(command);
+
+      // Execute the wrapped command and capture violations
+      try {
+        execSync(wrappedCommand, {
+          timeout: 5000,
+          stdio: 'pipe',
+          cwd: this.tempDir,
+        });
+      } catch {
+        // Command failure inside sandbox is expected for malicious ops
+      }
+
+      // Check violation store
+      const stderr = this.sandboxManager.annotateStderrWithSandboxFailures(command, '');
+      if (stderr) {
+        violations.push(stderr);
+      }
+
+      this.sandboxManager.cleanupAfterCommand();
+
+      return {
+        wrappedCommand,
+        sandboxAvailable: true,
+        contained: violations.length === 0,
+        violations,
+      };
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      violations.push(`Sandbox execution error: ${msg}`);
+      return {
+        wrappedCommand: command,
+        sandboxAvailable: true,
+        contained: true, // Error means the command didn't execute
+        violations,
+      };
+    }
+  }
+
+  /**
+   * Place a canary file and return a checker to verify containment.
+   * If a sandboxed command can delete or modify the canary, containment failed.
+   */
+  placeCanary(name: string): { path: string; check: () => CanaryCheckResult } {
+    const canaryPath = join(this.canaryDir, name);
+    const escapePath = join(this.canaryDir, `${name}.escaped`);
+    writeFileSync(canaryPath, `canary-${Date.now()}`, 'utf-8');
+
+    return {
+      path: canaryPath,
+      check: () => ({
+        canaryIntact: existsSync(canaryPath),
+        escapeDetected: existsSync(escapePath),
+      }),
+    };
+  }
+
+  /**
+   * Get the temp directory where sandboxed commands can write.
+   */
+  getSandboxWriteDir(): string {
+    return this.tempDir;
+  }
+
+  /**
+   * Whether the sandbox is actually available and initialized.
+   */
+  isAvailable(): boolean {
+    return this.sandboxAvailable;
+  }
+
+  /**
+   * Clean up temp dirs and reset sandbox state.
+   */
+  async cleanup(): Promise<void> {
+    try {
+      if (this.sandboxManager) {
+        await this.sandboxManager.reset();
+      }
+    } catch {
+      // Ignore cleanup errors
+    }
+    try {
+      rmSync(this.tempDir, { recursive: true, force: true });
+    } catch {
+      // Ignore cleanup errors
+    }
+  }
+}