npm - rhachet-roles-ehmpathy - Versions diffs - 1.15.15 → 1.15.16 - Mend

rhachet-roles-ehmpathy 1.15.15 → 1.15.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/domain.roles/mechanic/inits/init.claude.permissions.jsonc CHANGED Viewed

@@ -11,7 +11,9 @@
     "deny": [
       // git write operations - require explicit user request for audit trail
       "Bash(git commit:*)",
-      "Bash(git add:*)",
+      "Bash(git add .)",
+      "Bash(git add -A:*)",
+      "Bash(git add --all:*)",
       "Bash(git stash:*)",
       "Bash(git checkout:*)",
       "Bash(git branch -d:*)",
@@ -24,6 +26,10 @@
       "Bash(git reflog delete:*)",
       "Bash(git config:*)",
+      // git mv/rm - use mvsafe.sh and rmsafe.sh instead (repo-constrained)
+      "Bash(git mv:*)",
+      "Bash(git rm:*)",
       // "anywrite" commands - CRITICAL SECURITY RISK
       //
       // unlike Claude's native Edit/Write tools which are scoped to the repo,
@@ -141,10 +147,6 @@
       "Bash(mkdir:*)",
       "Bash(pwd)",
-      // git mv/rm are safe - constrained to repo, all changes revertable
-      "Bash(git mv:*)",
-      "Bash(git rm:*)",
       // git read-only - all have no write variants
       "Bash(git log:*)",
       "Bash(git status:*)",
@@ -162,6 +164,12 @@
       // cpsafe - safe file copy within git repo (source must be git-tracked)
       "Bash(.agent/repo=ehmpathy/role=mechanic/skills/.skills/claude.tools/cpsafe.sh:*)",
+      // mvsafe - safe file move within git repo
+      "Bash(.agent/repo=ehmpathy/role=mechanic/skills/.skills/claude.tools/mvsafe.sh:*)",
+      // rmsafe - safe file removal within git repo
+      "Bash(.agent/repo=ehmpathy/role=mechanic/skills/.skills/claude.tools/rmsafe.sh:*)",
       // npm read operations
       "Bash(npm view:*)",
       "Bash(npm list:*)",
@@ -209,6 +217,9 @@
       "Bash(RESNAP=true THOROUGH=true npm run test:integration:*)",
       "Bash(RESNAP=true THOROUGH=true npm run test:acceptance:*)",
+      // test list operation
+      "Bash(npx jest --listTests:*)",
       // fix operations
       "Bash(npm run fix:*)",
       "Bash(npm run fix:format:*)",

package/dist/domain.roles/mechanic/skills/claude.tools/mvsafe.sh ADDED Viewed

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = safe file move within git repo
+#
+# .why  = enables file moving without:
+#         - touching files outside the repo
+#         - accidental path traversal attacks
+#
+#         this is a controlled alternative to raw mv, which is
+#         denied in permissions due to security risks.
+#
+# usage:
+#   mvsafe.sh --src "path/to/source" --dest "path/to/dest"
+#
+# guarantee:
+#   - source must be within repo
+#   - dest must be within repo
+#   - creates parent directories if needed
+#   - fail-fast on errors
+######################################################################
+set -euo pipefail
+# parse named arguments
+SRC=""
+DEST=""
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --src)
+      SRC="$2"
+      shift 2
+      ;;
+    --dest)
+      DEST="$2"
+      shift 2
+      ;;
+    *)
+      echo "unknown argument: $1"
+      echo "usage: mvsafe.sh --src 'source' --dest 'destination'"
+      exit 1
+      ;;
+  esac
+done
+# validate required args
+if [[ -z "$SRC" ]]; then
+  echo "error: --src is required"
+  exit 1
+fi
+if [[ -z "$DEST" ]]; then
+  echo "error: --dest is required"
+  exit 1
+fi
+# ensure we're in a git repo
+if ! git rev-parse --git-dir > /dev/null 2>&1; then
+  echo "error: not in a git repository"
+  exit 1
+fi
+# get repo root
+REPO_ROOT=$(git rev-parse --show-toplevel)
+# resolve absolute paths
+SRC_ABS=$(realpath -m "$SRC")
+DEST_ABS=$(realpath -m "$DEST")
+# validate source is within repo
+if [[ "$SRC_ABS" != "$REPO_ROOT"* ]]; then
+  echo "error: source must be within the git repository"
+  echo "  repo root: $REPO_ROOT"
+  echo "  source:    $SRC_ABS"
+  exit 1
+fi
+# validate dest is within repo
+if [[ "$DEST_ABS" != "$REPO_ROOT"* ]]; then
+  echo "error: destination must be within the git repository"
+  echo "  repo root: $REPO_ROOT"
+  echo "  dest:      $DEST_ABS"
+  exit 1
+fi
+# validate source exists
+if [[ ! -e "$SRC_ABS" ]]; then
+  echo "error: source does not exist: $SRC"
+  exit 1
+fi
+# create parent directories if needed
+DEST_DIR=$(dirname "$DEST_ABS")
+if [[ ! -d "$DEST_DIR" ]]; then
+  echo "creating directory: $DEST_DIR"
+  mkdir -p "$DEST_DIR"
+fi
+# perform the move
+mv "$SRC_ABS" "$DEST_ABS"
+SRC_REL="${SRC_ABS#$REPO_ROOT/}"
+DEST_REL="${DEST_ABS#$REPO_ROOT/}"
+echo "moved: $SRC_REL -> $DEST_REL"

package/dist/domain.roles/mechanic/skills/claude.tools/rmsafe.sh ADDED Viewed

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+######################################################################
+# .what = safe file removal within git repo
+#
+# .why  = enables file deletion without:
+#         - touching files outside the repo
+#         - accidental path traversal attacks
+#
+#         this is a controlled alternative to raw rm, which is
+#         denied in permissions due to security risks.
+#
+# usage:
+#   rmsafe.sh --path "path/to/file"
+#   rmsafe.sh --path "path/to/dir" --recursive
+#
+# guarantee:
+#   - path must be within repo
+#   - requires --recursive for directories
+#   - fail-fast on errors
+######################################################################
+set -euo pipefail
+# parse named arguments
+TARGET=""
+RECURSIVE=false
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --path)
+      TARGET="$2"
+      shift 2
+      ;;
+    --recursive|-r)
+      RECURSIVE=true
+      shift
+      ;;
+    *)
+      echo "unknown argument: $1"
+      echo "usage: rmsafe.sh --path 'target' [--recursive]"
+      exit 1
+      ;;
+  esac
+done
+# validate required args
+if [[ -z "$TARGET" ]]; then
+  echo "error: --path is required"
+  exit 1
+fi
+# ensure we're in a git repo
+if ! git rev-parse --git-dir > /dev/null 2>&1; then
+  echo "error: not in a git repository"
+  exit 1
+fi
+# get repo root
+REPO_ROOT=$(git rev-parse --show-toplevel)
+# resolve absolute path
+TARGET_ABS=$(realpath -m "$TARGET")
+# validate target is within repo
+if [[ "$TARGET_ABS" != "$REPO_ROOT"* ]]; then
+  echo "error: path must be within the git repository"
+  echo "  repo root: $REPO_ROOT"
+  echo "  path:      $TARGET_ABS"
+  exit 1
+fi
+# prevent deleting repo root itself
+if [[ "$TARGET_ABS" == "$REPO_ROOT" ]]; then
+  echo "error: cannot delete the repository root"
+  exit 1
+fi
+# validate target exists
+if [[ ! -e "$TARGET_ABS" ]]; then
+  echo "error: path does not exist: $TARGET"
+  exit 1
+fi
+# check if directory and require --recursive
+if [[ -d "$TARGET_ABS" ]] && [[ "$RECURSIVE" != true ]]; then
+  echo "error: target is a directory, use --recursive to delete"
+  exit 1
+fi
+# perform the removal
+if [[ "$RECURSIVE" == true ]]; then
+  rm -rf "$TARGET_ABS"
+else
+  rm "$TARGET_ABS"
+fi
+TARGET_REL="${TARGET_ABS#$REPO_ROOT/}"
+echo "removed: $TARGET_REL"

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "rhachet-roles-ehmpathy",
   "author": "ehmpathy",
   "description": "empathetic software construction roles and skills, via rhachet",
-  "version": "1.15.15",
+  "version": "1.15.16",
   "repository": "ehmpathy/rhachet-roles-ehmpathy",
   "homepage": "https://github.com/ehmpathy/rhachet-roles-ehmpathy",
   "keywords": [