npm - sentinelayer-cli - Versions diffs - 0.6.2 → 0.8.0 - Mend

sentinelayer-cli 0.6.2 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

package/README.md +996 -996
package/bin/create-sentinelayer.js +5 -5
package/bin/sentinelayer-cli.js +4 -4
package/bin/sl.js +5 -5
package/package.json +64 -63
package/src/agents/jules/config/definition.js +160 -160
package/src/agents/jules/config/system-prompt.js +182 -182
package/src/agents/jules/error-intake.js +51 -51
package/src/agents/jules/fix-cycle.js +17 -17
package/src/agents/jules/loop.js +457 -450
package/src/agents/jules/pulse.js +10 -10
package/src/agents/jules/stream.js +187 -186
package/src/agents/jules/swarm/file-scanner.js +74 -74
package/src/agents/jules/swarm/index.js +11 -11
package/src/agents/jules/swarm/orchestrator.js +362 -362
package/src/agents/jules/swarm/pattern-hunter.js +123 -123
package/src/agents/jules/swarm/sub-agent.js +311 -309
package/src/agents/jules/tools/aidenid-email.js +189 -189
package/src/agents/jules/tools/auth-audit.js +1699 -1691
package/src/agents/jules/tools/dispatch.js +340 -335
package/src/agents/jules/tools/file-edit.js +2 -2
package/src/agents/jules/tools/file-read.js +2 -2
package/src/agents/jules/tools/frontend-analyze.js +570 -570
package/src/agents/jules/tools/glob.js +2 -2
package/src/agents/jules/tools/grep.js +2 -2
package/src/agents/jules/tools/index.js +29 -29
package/src/agents/jules/tools/path-guards.js +2 -2
package/src/agents/jules/tools/runtime-audit.js +507 -507
package/src/agents/jules/tools/shell.js +2 -2
package/src/agents/jules/tools/url-policy.js +100 -100
package/src/agents/persona-visuals.js +64 -61
package/src/agents/shared-tools/dispatch-core.js +320 -315
package/src/agents/shared-tools/file-edit.js +180 -180
package/src/agents/shared-tools/file-read.js +100 -100
package/src/agents/shared-tools/glob.js +168 -168
package/src/agents/shared-tools/grep.js +228 -228
package/src/agents/shared-tools/index.js +46 -46
package/src/agents/shared-tools/path-guards.js +161 -161
package/src/agents/shared-tools/shell.js +383 -383
package/src/ai/aidenid.js +1021 -1009
package/src/ai/client.js +553 -553
package/src/ai/domain-target-store.js +268 -268
package/src/ai/identity-store.js +270 -270
package/src/ai/proxy.js +137 -137
package/src/ai/site-store.js +145 -145
package/src/audit/agents/architecture.js +180 -180
package/src/audit/agents/compliance.js +179 -179
package/src/audit/agents/documentation.js +165 -165
package/src/audit/agents/performance.js +145 -145
package/src/audit/agents/security.js +215 -215
package/src/audit/agents/testing.js +172 -172
package/src/audit/orchestrator.js +557 -557
package/src/audit/package.js +204 -204
package/src/audit/registry.js +284 -284
package/src/audit/replay.js +103 -103
package/src/auth/gate.js +400 -371
package/src/auth/http.js +681 -611
package/src/auth/service.js +1106 -1106
package/src/auth/session-store.js +813 -813
package/src/cli.js +257 -252
package/src/commands/ai/identity-lifecycle.js +1338 -1338
package/src/commands/ai/provision-governance.js +1272 -1272
package/src/commands/ai/shared.js +147 -147
package/src/commands/ai.js +11 -11
package/src/commands/apply.js +12 -12
package/src/commands/audit.js +1171 -1166
package/src/commands/auth.js +419 -419
package/src/commands/chat.js +191 -191
package/src/commands/config.js +184 -184
package/src/commands/cost.js +311 -311
package/src/commands/daemon/core.js +850 -850
package/src/commands/daemon/extended.js +1048 -1048
package/src/commands/daemon/shared.js +213 -213
package/src/commands/daemon.js +11 -11
package/src/commands/guide.js +174 -174
package/src/commands/ingest.js +58 -58
package/src/commands/init.js +55 -55
package/src/commands/legacy-args.js +10 -10
package/src/commands/mcp.js +461 -461
package/src/commands/omargate.js +29 -29
package/src/commands/persona.js +20 -20
package/src/commands/plugin.js +260 -260
package/src/commands/policy.js +132 -132
package/src/commands/prompt.js +238 -238
package/src/commands/review.js +704 -704
package/src/commands/scan.js +872 -872
package/src/commands/session.js +590 -0
package/src/commands/spec.js +778 -716
package/src/commands/swarm.js +651 -651
package/src/commands/telemetry.js +202 -202
package/src/commands/watch.js +511 -511
package/src/config/agent-dictionary.js +182 -182
package/src/config/io.js +56 -56
package/src/config/paths.js +18 -18
package/src/config/schema.js +55 -55
package/src/config/service.js +184 -184
package/src/cost/budget.js +235 -235
package/src/cost/history.js +188 -188
package/src/cost/tracker.js +171 -171
package/src/daemon/artifact-lineage.js +534 -534
package/src/daemon/assignment-ledger.js +966 -770
package/src/daemon/ast-parser-layer.js +258 -258
package/src/daemon/budget-governor.js +633 -633
package/src/daemon/callgraph-overlay.js +646 -646
package/src/daemon/error-worker.js +1209 -626
package/src/daemon/fix-cycle.js +384 -377
package/src/daemon/hybrid-mapper.js +929 -929
package/src/daemon/ingest-refresh.js +10 -9
package/src/daemon/jira-lifecycle.js +767 -632
package/src/daemon/operator-control.js +657 -657
package/src/daemon/pulse.js +327 -327
package/src/daemon/reliability-lane.js +471 -471
package/src/daemon/scope-engine.js +1068 -0
package/src/daemon/watchdog.js +971 -971
package/src/events/schema.js +190 -0
package/src/guide/generator.js +316 -316
package/src/ingest/engine.js +918 -918
package/src/interactive/index.js +97 -97
package/src/legacy-cli.js +3161 -2994
package/src/mcp/registry.js +695 -695
package/src/memory/blackboard.js +301 -301
package/src/memory/retrieval.js +581 -581
package/src/plugin/manifest.js +553 -553
package/src/policy/packs.js +144 -144
package/src/prompt/generator.js +136 -118
package/src/review/ai-review.js +679 -679
package/src/review/local-review.js +1351 -1305
package/src/review/omargate-interactive.js +68 -68
package/src/review/omargate-orchestrator.js +404 -300
package/src/review/persona-prompts.js +296 -296
package/src/review/replay.js +235 -235
package/src/review/report.js +664 -664
package/src/review/scan-modes.js +48 -42
package/src/review/spec-binding.js +487 -487
package/src/scaffold/generator.js +67 -67
package/src/scaffold/templates.js +150 -150
package/src/scan/generator.js +418 -418
package/src/scan/gh-secrets.js +107 -107
package/src/session/agent-registry.js +352 -0
package/src/session/daemon.js +801 -0
package/src/session/paths.js +33 -0
package/src/session/runtime-bridge.js +739 -0
package/src/session/store.js +388 -0
package/src/session/stream.js +325 -0
package/src/spec/generator.js +619 -519
package/src/spec/regenerate.js +237 -237
package/src/spec/templates.js +91 -91
package/src/swarm/dashboard.js +247 -247
package/src/swarm/factory.js +363 -363
package/src/swarm/pentest.js +934 -934
package/src/swarm/registry.js +419 -419
package/src/swarm/report.js +158 -158
package/src/swarm/runtime.js +576 -576
package/src/swarm/scenario-dsl.js +272 -272
package/src/telemetry/ledger.js +302 -302
package/src/telemetry/session-tracker.js +234 -234
package/src/telemetry/sync.js +203 -203
package/src/ui/command-hints.js +13 -13
package/src/ui/markdown.js +220 -220

package/src/agents/shared-tools/shell.js CHANGED Viewed

@@ -1,383 +1,383 @@
-import { execSync } from "node:child_process";
-import path from "node:path";
-const DEFAULT_TIMEOUT_MS = 120_000;
-const MAX_OUTPUT_CHARS = 30_000;
-const DEFAULT_ALLOWED_FETCH_HOSTS = [
-  "github.com",
-  "api.github.com",
-  "raw.githubusercontent.com",
-  "*.githubusercontent.com",
-  "registry.npmjs.org",
-  "registry.yarnpkg.com",
-  "pypi.org",
-  "files.pythonhosted.org",
-  "rubygems.org",
-  "crates.io",
-  "static.crates.io",
-];
-/**
- * Patterns that are BLOCKED unconditionally.
- * Sourced from review/local-review.js security rules + src bash security patterns.
- */
-const BLOCKED_PATTERNS = [
-  { pattern: /rm\s+(-[rR]f?|--recursive)\s+\/($|\s)/, desc: "rm -rf /" },
-  { pattern: /:\(\)\s*\{[^}]*\}\s*;?\s*:/, desc: "fork bomb" },
-  { pattern: /\beval\s*\(/, desc: "eval injection" },
-  { pattern: /curl[^|]*\|\s*(ba)?sh/, desc: "pipe to shell" },
-  { pattern: /wget[^|]*\|\s*(ba)?sh/, desc: "wget pipe to shell" },
-  { pattern: />\s*\/dev\/sd[a-z]/, desc: "write to raw device" },
-  { pattern: /mkfs\./, desc: "filesystem format" },
-  { pattern: /dd\s+.*of=\/dev\//, desc: "dd to device" },
-  { pattern: /chmod\s+777\s+\//, desc: "chmod 777 root" },
-  { pattern: />\s*\/etc\//, desc: "write to /etc" },
-  { pattern: /rm\s+-rf?\s+~/, desc: "rm home directory" },
-  { pattern: /git\s+push\s+.*--force\s+.*main/, desc: "force push to main" },
-  { pattern: /git\s+reset\s+--hard/, desc: "git reset hard" },
-  { pattern: /DROP\s+TABLE|DROP\s+DATABASE/i, desc: "SQL drop" },
-  { pattern: /TRUNCATE\s+TABLE/i, desc: "SQL truncate" },
-];
-/**
- * Patterns that trigger a WARNING but are allowed.
- */
-const WARN_PATTERNS = [
-  { pattern: /npm\s+install|yarn\s+add|pnpm\s+add/, desc: "package install" },
-  { pattern: /git\s+push/, desc: "git push" },
-  { pattern: /curl\s|wget\s|fetch\(/, desc: "network request" },
-  { pattern: /rm\s+-/, desc: "file deletion" },
-  { pattern: /sudo\s/, desc: "elevated privileges" },
-];
-/**
- * Environment variables to strip from child process env.
- * Prevents credential leakage to spawned commands.
- */
-const EXACT_ENV_KEYS_TO_STRIP = new Set([
-  "ANTHROPIC_API_KEY",
-  "OPENAI_API_KEY",
-  "GOOGLE_API_KEY",
-  "GEMINI_API_KEY",
-  "SENTINELAYER_TOKEN",
-  "AIDENID_API_KEY",
-  "AIDENID_TOKEN",
-  "AWS_ACCESS_KEY_ID",
-  "AWS_SECRET_ACCESS_KEY",
-  "AWS_SESSION_TOKEN",
-  "AWS_WEB_IDENTITY_TOKEN_FILE",
-  "AZURE_CLIENT_SECRET",
-  "GOOGLE_APPLICATION_CREDENTIALS",
-  "GITHUB_TOKEN",
-  "GH_TOKEN",
-  "GITLAB_TOKEN",
-  "BITBUCKET_TOKEN",
-  "NPM_TOKEN",
-  "NODE_AUTH_TOKEN",
-  "PYPI_API_TOKEN",
-  "RUBYGEMS_API_KEY",
-  "CARGO_REGISTRY_TOKEN",
-  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
-  "ACTIONS_RUNTIME_TOKEN",
-  "CI_JOB_TOKEN",
-  "CI_JOB_JWT",
-  "STRIPE_SECRET_KEY",
-  "SLACK_BOT_TOKEN",
-  "TELEGRAM_BOT_TOKEN",
-  "DISCORD_BOT_TOKEN",
-  "TWILIO_AUTH_TOKEN",
-  "SENDGRID_API_KEY",
-  "RESEND_API_KEY",
-  "DATABASE_URL",
-  "REDIS_URL",
-  "MONGODB_URI",
-  "SSH_SIGNING_KEY",
-  "SSH_PRIVATE_KEY",
-  "KUBECONFIG",
-  "KUBE_CONFIG_DATA",
-]);
-const ENV_KEY_PREFIX_PATTERNS = [
-  /^AIDENID_/i,
-  /^SENTINELAYER_/i,
-  /^OPENAI_/i,
-  /^ANTHROPIC_/i,
-  /^GOOGLE_/i,
-  /^GITHUB_/i,
-  /^GH_/i,
-  /^AWS_/i,
-  /^AZURE_/i,
-  /^SLACK_/i,
-  /^STRIPE_/i,
-  /^TELEGRAM_/i,
-  /^DISCORD_/i,
-  /^TWILIO_/i,
-  /^SENDGRID_/i,
-  /^RESEND_/i,
-];
-const ENV_KEY_SUFFIX_PATTERNS = [
-  /_TOKEN$/i,
-  /_API_KEY$/i,
-  /_SECRET$/i,
-  /_SECRET_KEY$/i,
-  /_PASSWORD$/i,
-  /_PRIVATE_KEY$/i,
-  /_ACCESS_KEY$/i,
-  /_AUTH_TOKEN$/i,
-  /_SESSION_TOKEN$/i,
-];
-/**
- * Execute a shell command with security analysis, timeout, and env scrubbing.
- *
- * @param {object} input
- * @param {string} input.command - The shell command to execute.
- * @param {string} [input.cwd] - Working directory (default: process.cwd()).
- * @param {number} [input.timeout] - Timeout in ms (default: 120000).
- * @returns {{ stdout, stderr, exitCode, durationMs, command, security }}
- */
-export function shell(input) {
-  if (!input.command || typeof input.command !== "string") {
-    throw new ShellError("command is required and must be a non-empty string.");
-  }
-  const command = input.command.trim();
-  const cwd = input.cwd ? path.resolve(input.cwd) : process.cwd();
-  const timeout = input.timeout ?? DEFAULT_TIMEOUT_MS;
-  // Security analysis
-  const security = analyzeCommand(command);
-  if (security.risk === "blocked") {
-    throw new ShellBlockedError(
-      `Command blocked: ${security.patterns[0].desc}`,
-      security,
-    );
-  }
-  // Build scrubbed environment
-  const env = buildScrubbedEnv();
-  const startMs = Date.now();
-  let stdout = "";
-  let stderr = "";
-  let exitCode = 0;
-  try {
-    stdout = execSync(command, {
-      cwd,
-      encoding: "utf-8",
-      timeout,
-      env,
-      maxBuffer: 10 * 1024 * 1024,
-      stdio: ["pipe", "pipe", "pipe"],
-    });
-  } catch (err) {
-    exitCode = err.status ?? 1;
-    stdout = err.stdout ?? "";
-    stderr = err.stderr ?? "";
-    if (err.killed) {
-      stderr += `\n[Process killed: timeout after ${timeout}ms]`;
-    }
-  }
-  const durationMs = Date.now() - startMs;
-  // Truncate large outputs
-  if (stdout.length > MAX_OUTPUT_CHARS) {
-    stdout = stdout.slice(0, MAX_OUTPUT_CHARS) + "\n[... truncated]";
-  }
-  if (stderr.length > MAX_OUTPUT_CHARS) {
-    stderr = stderr.slice(0, MAX_OUTPUT_CHARS) + "\n[... truncated]";
-  }
-  return { stdout, stderr, exitCode, durationMs, command, security };
-}
-/**
- * Analyze a command for security risks.
- * @param {object} [options]
- * @param {Record<string, string|undefined>} [options.env]
- * @returns {{ risk: "safe"|"warn"|"blocked", patterns: Array<{desc}>, networkPolicy?: object }}
- */
-export function analyzeCommand(command, options = {}) {
-  const networkPolicy = evaluateNetworkPolicy(command, options.env);
-  if (networkPolicy.blocking) {
-    return {
-      risk: "blocked",
-      patterns: [{ desc: networkPolicy.reason }],
-      networkPolicy,
-    };
-  }
-  for (const rule of BLOCKED_PATTERNS) {
-    if (rule.pattern.test(command)) {
-      return { risk: "blocked", patterns: [rule], networkPolicy };
-    }
-  }
-  const warnings = [];
-  for (const rule of WARN_PATTERNS) {
-    if (rule.pattern.test(command)) {
-      warnings.push(rule);
-    }
-  }
-  if (warnings.length > 0) {
-    return { risk: "warn", patterns: warnings, networkPolicy };
-  }
-  return { risk: "safe", patterns: [], networkPolicy };
-}
-export function buildScrubbedEnv(sourceEnv = process.env) {
-  const env = { ...sourceEnv };
-  for (const key of Object.keys(env)) {
-    if (shouldStripEnvKey(key)) {
-      delete env[key];
-    }
-  }
-  return env;
-}
-function shouldStripEnvKey(key) {
-  if (!key) {
-    return false;
-  }
-  const upperKey = String(key).toUpperCase();
-  if (EXACT_ENV_KEYS_TO_STRIP.has(upperKey)) {
-    return true;
-  }
-  if (upperKey.startsWith("INPUT_")) {
-    const baseKey = upperKey.slice("INPUT_".length);
-    if (EXACT_ENV_KEYS_TO_STRIP.has(baseKey)) {
-      return true;
-    }
-    if (ENV_KEY_PREFIX_PATTERNS.some((pattern) => pattern.test(baseKey))) {
-      return true;
-    }
-    if (ENV_KEY_SUFFIX_PATTERNS.some((pattern) => pattern.test(baseKey))) {
-      return true;
-    }
-  }
-  if (ENV_KEY_PREFIX_PATTERNS.some((pattern) => pattern.test(upperKey))) {
-    return true;
-  }
-  return ENV_KEY_SUFFIX_PATTERNS.some((pattern) => pattern.test(upperKey));
-}
-function evaluateNetworkPolicy(command, sourceEnv = process.env) {
-  if (!/\b(curl|wget)\b/i.test(command)) {
-    return {
-      blocking: false,
-      hosts: [],
-      deniedHosts: [],
-    };
-  }
-  const hosts = extractNetworkHosts(command);
-  if (hosts.length === 0) {
-    return {
-      blocking: true,
-      hosts: [],
-      deniedHosts: [],
-      reason: "network command requires explicit URL host",
-    };
-  }
-  const allowlist = resolveAllowedFetchHosts(sourceEnv);
-  const deniedHosts = hosts.filter((host) => !isAllowedHost(host, allowlist));
-  if (deniedHosts.length > 0) {
-    return {
-      blocking: true,
-      hosts,
-      deniedHosts,
-      reason: `network host not allowlisted: ${deniedHosts.join(", ")}`,
-    };
-  }
-  return {
-    blocking: false,
-    hosts,
-    deniedHosts: [],
-  };
-}
-function resolveAllowedFetchHosts(sourceEnv = process.env) {
-  const configured = String(sourceEnv.SENTINELAYER_ALLOWED_FETCH_HOSTS || "")
-    .split(",")
-    .map((item) => normalizeHostPattern(item))
-    .filter(Boolean);
-  const allPatterns = [...DEFAULT_ALLOWED_FETCH_HOSTS, ...configured]
-    .map((item) => normalizeHostPattern(item))
-    .filter(Boolean);
-  return Array.from(new Set(allPatterns));
-}
-function extractNetworkHosts(command) {
-  const matches = command.matchAll(/\bhttps?:\/\/([^\s"'`]+)/gi);
-  const hosts = new Set();
-  for (const match of matches) {
-    const candidate = match?.[0];
-    if (!candidate) {
-      continue;
-    }
-    try {
-      const parsed = new URL(candidate);
-      const host = normalizeHostPattern(parsed.hostname);
-      if (host) {
-        hosts.add(host);
-      }
-    } catch {
-      // Skip malformed URL segments.
-    }
-  }
-  return Array.from(hosts);
-}
-function isAllowedHost(host, allowlist) {
-  const normalizedHost = normalizeHostPattern(host);
-  if (!normalizedHost) {
-    return false;
-  }
-  return allowlist.some((pattern) => {
-    if (!pattern) {
-      return false;
-    }
-    if (pattern.startsWith("*.")) {
-      const suffix = pattern.slice(2);
-      return normalizedHost === suffix || normalizedHost.endsWith(`.${suffix}`);
-    }
-    return normalizedHost === pattern;
-  });
-}
-function normalizeHostPattern(value) {
-  return String(value || "")
-    .trim()
-    .toLowerCase()
-    .replace(/\.$/, "");
-}
-export class ShellError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "ShellError";
-  }
-}
-export class ShellBlockedError extends ShellError {
-  constructor(message, security) {
-    super(message);
-    this.name = "ShellBlockedError";
-    this.security = security;
-  }
-}
+import { execSync } from "node:child_process";
+import path from "node:path";
+const DEFAULT_TIMEOUT_MS = 120_000;
+const MAX_OUTPUT_CHARS = 30_000;
+const DEFAULT_ALLOWED_FETCH_HOSTS = [
+  "github.com",
+  "api.github.com",
+  "raw.githubusercontent.com",
+  "*.githubusercontent.com",
+  "registry.npmjs.org",
+  "registry.yarnpkg.com",
+  "pypi.org",
+  "files.pythonhosted.org",
+  "rubygems.org",
+  "crates.io",
+  "static.crates.io",
+];
+/**
+ * Patterns that are BLOCKED unconditionally.
+ * Sourced from review/local-review.js security rules + src bash security patterns.
+ */
+const BLOCKED_PATTERNS = [
+  { pattern: /rm\s+(-[rR]f?|--recursive)\s+\/($|\s)/, desc: "rm -rf /" },
+  { pattern: /:\(\)\s*\{[^}]*\}\s*;?\s*:/, desc: "fork bomb" },
+  { pattern: /\beval\s*\(/, desc: "eval injection" },
+  { pattern: /curl[^|]*\|\s*(ba)?sh/, desc: "pipe to shell" },
+  { pattern: /wget[^|]*\|\s*(ba)?sh/, desc: "wget pipe to shell" },
+  { pattern: />\s*\/dev\/sd[a-z]/, desc: "write to raw device" },
+  { pattern: /mkfs\./, desc: "filesystem format" },
+  { pattern: /dd\s+.*of=\/dev\//, desc: "dd to device" },
+  { pattern: /chmod\s+777\s+\//, desc: "chmod 777 root" },
+  { pattern: />\s*\/etc\//, desc: "write to /etc" },
+  { pattern: /rm\s+-rf?\s+~/, desc: "rm home directory" },
+  { pattern: /git\s+push\s+.*--force\s+.*main/, desc: "force push to main" },
+  { pattern: /git\s+reset\s+--hard/, desc: "git reset hard" },
+  { pattern: /DROP\s+TABLE|DROP\s+DATABASE/i, desc: "SQL drop" },
+  { pattern: /TRUNCATE\s+TABLE/i, desc: "SQL truncate" },
+];
+/**
+ * Patterns that trigger a WARNING but are allowed.
+ */
+const WARN_PATTERNS = [
+  { pattern: /npm\s+install|yarn\s+add|pnpm\s+add/, desc: "package install" },
+  { pattern: /git\s+push/, desc: "git push" },
+  { pattern: /curl\s|wget\s|fetch\(/, desc: "network request" },
+  { pattern: /rm\s+-/, desc: "file deletion" },
+  { pattern: /sudo\s/, desc: "elevated privileges" },
+];
+/**
+ * Environment variables to strip from child process env.
+ * Prevents credential leakage to spawned commands.
+ */
+const EXACT_ENV_KEYS_TO_STRIP = new Set([
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "GOOGLE_API_KEY",
+  "GEMINI_API_KEY",
+  "SENTINELAYER_TOKEN",
+  "AIDENID_API_KEY",
+  "AIDENID_TOKEN",
+  "AWS_ACCESS_KEY_ID",
+  "AWS_SECRET_ACCESS_KEY",
+  "AWS_SESSION_TOKEN",
+  "AWS_WEB_IDENTITY_TOKEN_FILE",
+  "AZURE_CLIENT_SECRET",
+  "GOOGLE_APPLICATION_CREDENTIALS",
+  "GITHUB_TOKEN",
+  "GH_TOKEN",
+  "GITLAB_TOKEN",
+  "BITBUCKET_TOKEN",
+  "NPM_TOKEN",
+  "NODE_AUTH_TOKEN",
+  "PYPI_API_TOKEN",
+  "RUBYGEMS_API_KEY",
+  "CARGO_REGISTRY_TOKEN",
+  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
+  "ACTIONS_RUNTIME_TOKEN",
+  "CI_JOB_TOKEN",
+  "CI_JOB_JWT",
+  "STRIPE_SECRET_KEY",
+  "SLACK_BOT_TOKEN",
+  "TELEGRAM_BOT_TOKEN",
+  "DISCORD_BOT_TOKEN",
+  "TWILIO_AUTH_TOKEN",
+  "SENDGRID_API_KEY",
+  "RESEND_API_KEY",
+  "DATABASE_URL",
+  "REDIS_URL",
+  "MONGODB_URI",
+  "SSH_SIGNING_KEY",
+  "SSH_PRIVATE_KEY",
+  "KUBECONFIG",
+  "KUBE_CONFIG_DATA",
+]);
+const ENV_KEY_PREFIX_PATTERNS = [
+  /^AIDENID_/i,
+  /^SENTINELAYER_/i,
+  /^OPENAI_/i,
+  /^ANTHROPIC_/i,
+  /^GOOGLE_/i,
+  /^GITHUB_/i,
+  /^GH_/i,
+  /^AWS_/i,
+  /^AZURE_/i,
+  /^SLACK_/i,
+  /^STRIPE_/i,
+  /^TELEGRAM_/i,
+  /^DISCORD_/i,
+  /^TWILIO_/i,
+  /^SENDGRID_/i,
+  /^RESEND_/i,
+];
+const ENV_KEY_SUFFIX_PATTERNS = [
+  /_TOKEN$/i,
+  /_API_KEY$/i,
+  /_SECRET$/i,
+  /_SECRET_KEY$/i,
+  /_PASSWORD$/i,
+  /_PRIVATE_KEY$/i,
+  /_ACCESS_KEY$/i,
+  /_AUTH_TOKEN$/i,
+  /_SESSION_TOKEN$/i,
+];
+/**
+ * Execute a shell command with security analysis, timeout, and env scrubbing.
+ *
+ * @param {object} input
+ * @param {string} input.command - The shell command to execute.
+ * @param {string} [input.cwd] - Working directory (default: process.cwd()).
+ * @param {number} [input.timeout] - Timeout in ms (default: 120000).
+ * @returns {{ stdout, stderr, exitCode, durationMs, command, security }}
+ */
+export function shell(input) {
+  if (!input.command || typeof input.command !== "string") {
+    throw new ShellError("command is required and must be a non-empty string.");
+  }
+  const command = input.command.trim();
+  const cwd = input.cwd ? path.resolve(input.cwd) : process.cwd();
+  const timeout = input.timeout ?? DEFAULT_TIMEOUT_MS;
+  // Security analysis
+  const security = analyzeCommand(command);
+  if (security.risk === "blocked") {
+    throw new ShellBlockedError(
+      `Command blocked: ${security.patterns[0].desc}`,
+      security,
+    );
+  }
+  // Build scrubbed environment
+  const env = buildScrubbedEnv();
+  const startMs = Date.now();
+  let stdout = "";
+  let stderr = "";
+  let exitCode = 0;
+  try {
+    stdout = execSync(command, {
+      cwd,
+      encoding: "utf-8",
+      timeout,
+      env,
+      maxBuffer: 10 * 1024 * 1024,
+      stdio: ["pipe", "pipe", "pipe"],
+    });
+  } catch (err) {
+    exitCode = err.status ?? 1;
+    stdout = err.stdout ?? "";
+    stderr = err.stderr ?? "";
+    if (err.killed) {
+      stderr += `\n[Process killed: timeout after ${timeout}ms]`;
+    }
+  }
+  const durationMs = Date.now() - startMs;
+  // Truncate large outputs
+  if (stdout.length > MAX_OUTPUT_CHARS) {
+    stdout = stdout.slice(0, MAX_OUTPUT_CHARS) + "\n[... truncated]";
+  }
+  if (stderr.length > MAX_OUTPUT_CHARS) {
+    stderr = stderr.slice(0, MAX_OUTPUT_CHARS) + "\n[... truncated]";
+  }
+  return { stdout, stderr, exitCode, durationMs, command, security };
+}
+/**
+ * Analyze a command for security risks.
+ * @param {object} [options]
+ * @param {Record<string, string|undefined>} [options.env]
+ * @returns {{ risk: "safe"|"warn"|"blocked", patterns: Array<{desc}>, networkPolicy?: object }}
+ */
+export function analyzeCommand(command, options = {}) {
+  const networkPolicy = evaluateNetworkPolicy(command, options.env);
+  if (networkPolicy.blocking) {
+    return {
+      risk: "blocked",
+      patterns: [{ desc: networkPolicy.reason }],
+      networkPolicy,
+    };
+  }
+  for (const rule of BLOCKED_PATTERNS) {
+    if (rule.pattern.test(command)) {
+      return { risk: "blocked", patterns: [rule], networkPolicy };
+    }
+  }
+  const warnings = [];
+  for (const rule of WARN_PATTERNS) {
+    if (rule.pattern.test(command)) {
+      warnings.push(rule);
+    }
+  }
+  if (warnings.length > 0) {
+    return { risk: "warn", patterns: warnings, networkPolicy };
+  }
+  return { risk: "safe", patterns: [], networkPolicy };
+}
+export function buildScrubbedEnv(sourceEnv = process.env) {
+  const env = { ...sourceEnv };
+  for (const key of Object.keys(env)) {
+    if (shouldStripEnvKey(key)) {
+      delete env[key];
+    }
+  }
+  return env;
+}
+function shouldStripEnvKey(key) {
+  if (!key) {
+    return false;
+  }
+  const upperKey = String(key).toUpperCase();
+  if (EXACT_ENV_KEYS_TO_STRIP.has(upperKey)) {
+    return true;
+  }
+  if (upperKey.startsWith("INPUT_")) {
+    const baseKey = upperKey.slice("INPUT_".length);
+    if (EXACT_ENV_KEYS_TO_STRIP.has(baseKey)) {
+      return true;
+    }
+    if (ENV_KEY_PREFIX_PATTERNS.some((pattern) => pattern.test(baseKey))) {
+      return true;
+    }
+    if (ENV_KEY_SUFFIX_PATTERNS.some((pattern) => pattern.test(baseKey))) {
+      return true;
+    }
+  }
+  if (ENV_KEY_PREFIX_PATTERNS.some((pattern) => pattern.test(upperKey))) {
+    return true;
+  }
+  return ENV_KEY_SUFFIX_PATTERNS.some((pattern) => pattern.test(upperKey));
+}
+function evaluateNetworkPolicy(command, sourceEnv = process.env) {
+  if (!/\b(curl|wget)\b/i.test(command)) {
+    return {
+      blocking: false,
+      hosts: [],
+      deniedHosts: [],
+    };
+  }
+  const hosts = extractNetworkHosts(command);
+  if (hosts.length === 0) {
+    return {
+      blocking: true,
+      hosts: [],
+      deniedHosts: [],
+      reason: "network command requires explicit URL host",
+    };
+  }
+  const allowlist = resolveAllowedFetchHosts(sourceEnv);
+  const deniedHosts = hosts.filter((host) => !isAllowedHost(host, allowlist));
+  if (deniedHosts.length > 0) {
+    return {
+      blocking: true,
+      hosts,
+      deniedHosts,
+      reason: `network host not allowlisted: ${deniedHosts.join(", ")}`,
+    };
+  }
+  return {
+    blocking: false,
+    hosts,
+    deniedHosts: [],
+  };
+}
+function resolveAllowedFetchHosts(sourceEnv = process.env) {
+  const configured = String(sourceEnv.SENTINELAYER_ALLOWED_FETCH_HOSTS || "")
+    .split(",")
+    .map((item) => normalizeHostPattern(item))
+    .filter(Boolean);
+  const allPatterns = [...DEFAULT_ALLOWED_FETCH_HOSTS, ...configured]
+    .map((item) => normalizeHostPattern(item))
+    .filter(Boolean);
+  return Array.from(new Set(allPatterns));
+}
+function extractNetworkHosts(command) {
+  const matches = command.matchAll(/\bhttps?:\/\/([^\s"'`]+)/gi);
+  const hosts = new Set();
+  for (const match of matches) {
+    const candidate = match?.[0];
+    if (!candidate) {
+      continue;
+    }
+    try {
+      const parsed = new URL(candidate);
+      const host = normalizeHostPattern(parsed.hostname);
+      if (host) {
+        hosts.add(host);
+      }
+    } catch {
+      // Skip malformed URL segments.
+    }
+  }
+  return Array.from(hosts);
+}
+function isAllowedHost(host, allowlist) {
+  const normalizedHost = normalizeHostPattern(host);
+  if (!normalizedHost) {
+    return false;
+  }
+  return allowlist.some((pattern) => {
+    if (!pattern) {
+      return false;
+    }
+    if (pattern.startsWith("*.")) {
+      const suffix = pattern.slice(2);
+      return normalizedHost === suffix || normalizedHost.endsWith(`.${suffix}`);
+    }
+    return normalizedHost === pattern;
+  });
+}
+function normalizeHostPattern(value) {
+  return String(value || "")
+    .trim()
+    .toLowerCase()
+    .replace(/\.$/, "");
+}
+export class ShellError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ShellError";
+  }
+}
+export class ShellBlockedError extends ShellError {
+  constructor(message, security) {
+    super(message);
+    this.name = "ShellBlockedError";
+    this.security = security;
+  }
+}