shield-harness 0.1.0

package/.claude/hooks/sh-instructions.js

@@ -0,0 +1,212 @@
+#!/usr/bin/env node
+// sh-instructions.js — Rule file integrity monitoring
+// Spec: DETAILED_DESIGN.md §5.8
+// Event: InstructionsLoaded
+// Target response time: < 200ms
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const {
+  readHookInput,
+  allow,
+  sha256,
+  appendEvidence,
+} = require("./lib/sh-utils");
+
+const HOOK_NAME = "sh-instructions";
+const CLAUDE_MD = "CLAUDE.md";
+const RULES_DIR = path.join(".claude", "rules");
+const HASHES_FILE = path.join(".claude", "logs", "instructions-hashes.json");
+
+// ---------------------------------------------------------------------------
+// Hash Collection
+// ---------------------------------------------------------------------------
+
+/**
+ * Compute SHA-256 hash for a file.
+ * @param {string} filePath
+ * @returns {string|null}
+ */
+function hashFile(filePath) {
+  try {
+    return sha256(fs.readFileSync(filePath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Collect current hashes for CLAUDE.md and all rule files.
+ * @returns {Object} { filePath: hash }
+ */
+function collectCurrentHashes() {
+  const hashes = {};
+
+  // CLAUDE.md
+  if (fs.existsSync(CLAUDE_MD)) {
+    hashes[CLAUDE_MD] = hashFile(CLAUDE_MD);
+  }
+
+  // .claude/rules/*.md
+  if (fs.existsSync(RULES_DIR)) {
+    try {
+      const files = fs.readdirSync(RULES_DIR).filter((f) => f.endsWith(".md"));
+      for (const f of files) {
+        const fp = path.join(RULES_DIR, f);
+        hashes[fp] = hashFile(fp);
+      }
+    } catch {
+      // Directory read failure — non-critical
+    }
+  }
+
+  return hashes;
+}
+
+/**
+ * Load stored hashes from disk.
+ * @returns {Object|null} null if no baseline exists
+ */
+function loadStoredHashes() {
+  try {
+    if (!fs.existsSync(HASHES_FILE)) return null;
+    return JSON.parse(fs.readFileSync(HASHES_FILE, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Save hashes to disk.
+ * @param {Object} hashes
+ */
+function saveHashes(hashes) {
+  const dir = path.dirname(HASHES_FILE);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(HASHES_FILE, JSON.stringify(hashes, null, 2));
+}
+
+/**
+ * Detect changes between stored and current hashes.
+ * @param {Object} stored
+ * @param {Object} current
+ * @returns {{ added: string[], modified: string[], removed: string[] }}
+ */
+function detectChanges(stored, current) {
+  const added = [];
+  const modified = [];
+  const removed = [];
+
+  // Check current against stored
+  for (const [file, hash] of Object.entries(current)) {
+    if (!(file in stored)) {
+      added.push(file);
+    } else if (stored[file] !== hash) {
+      modified.push(file);
+    }
+  }
+
+  // Check for removed files
+  for (const file of Object.keys(stored)) {
+    if (!(file in current)) {
+      removed.push(file);
+    }
+  }
+
+  return { added, modified, removed };
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+try {
+  const input = readHookInput();
+  const currentHashes = collectCurrentHashes();
+  const storedHashes = loadStoredHashes();
+
+  // First run: save baseline, no warning
+  if (!storedHashes) {
+    saveHashes(currentHashes);
+
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "InstructionsLoaded",
+        decision: "allow",
+        action: "baseline_recorded",
+        file_count: Object.keys(currentHashes).length,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    allow(
+      `[${HOOK_NAME}] Baseline recorded: ${Object.keys(currentHashes).length} files`,
+    );
+    return;
+  }
+
+  // Detect changes
+  const changes = detectChanges(storedHashes, currentHashes);
+  const hasChanges =
+    changes.added.length > 0 ||
+    changes.modified.length > 0 ||
+    changes.removed.length > 0;
+
+  // Update stored hashes
+  saveHashes(currentHashes);
+
+  if (hasChanges) {
+    // Build warning message
+    const warnings = ["[RULE FILE CHANGE DETECTED]"];
+
+    if (changes.added.length > 0) {
+      warnings.push(`  Added: ${changes.added.join(", ")}`);
+    }
+    if (changes.modified.length > 0) {
+      warnings.push(`  Modified: ${changes.modified.join(", ")}`);
+    }
+    if (changes.removed.length > 0) {
+      warnings.push(`  Removed: ${changes.removed.join(", ")}`);
+    }
+
+    warnings.push("Re-read these files to ensure instructions are current.");
+
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "InstructionsLoaded",
+        decision: "allow",
+        action: "changes_detected",
+        changes,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    allow(warnings.join("\n"));
+    return;
+  }
+
+  // No changes
+  allow();
+} catch (_err) {
+  // Operational hook — fail-open
+  allow();
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  hashFile,
+  collectCurrentHashes,
+  loadStoredHashes,
+  saveHashes,
+  detectChanges,
+};

package/.claude/hooks/sh-output-control.js

@@ -0,0 +1,217 @@
+#!/usr/bin/env node
+// sh-output-control.js — Output truncation + token budget tracking
+// Spec: DETAILED_DESIGN.md §4.2
+// Hook event: PostToolUse
+// Matcher: "" (all tools)
+// Target response time: < 20ms
+"use strict";
+
+const {
+  readHookInput,
+  allow,
+  allowWithResult,
+  readSession,
+  writeSession,
+} = require("./lib/sh-utils");
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const HOOK_NAME = "sh-output-control";
+
+// Truncation limits per tool (bytes)
+const TRUNCATION_LIMITS = {
+  Bash: { max: 20 * 1024, head: 10 * 1024, tail: 5 * 1024 },
+  Task: { max: 6 * 1024, head: 3 * 1024, tail: 2 * 1024 },
+  _default: { max: 50 * 1024, head: 25 * 1024, tail: 10 * 1024 },
+};
+
+// Token budget thresholds
+const BUDGET_WARNING_RATIO = 0.8;
+const BUDGET_LIMIT_RATIO = 1.0;
+
+// Rough token estimation: ~4 chars per token
+const CHARS_PER_TOKEN = 4;
+
+// Dangerous system tags that could be used for prompt injection via tool output
+const DANGEROUS_TAG_NAMES = [
+  "system-reminder",
+  "system-instruction",
+  "system-message",
+  "system-prompt",
+];
+
+// Build a single regex that matches all dangerous tags (non-greedy, multiline)
+const DANGEROUS_TAGS_RE = new RegExp(
+  DANGEROUS_TAG_NAMES.map((tag) => `<${tag}[^>]*>[\\s\\S]*?</${tag}>`).join(
+    "|",
+  ),
+  "gi",
+);
+
+// ---------------------------------------------------------------------------
+// Helper Functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Get truncation limits for a given tool.
+ * @param {string} toolName
+ * @returns {{ max: number, head: number, tail: number }}
+ */
+function getLimits(toolName) {
+  return TRUNCATION_LIMITS[toolName] || TRUNCATION_LIMITS._default;
+}
+
+/**
+ * Strip dangerous system tags from tool output to prevent prompt injection.
+ * Replaces matched tags with [REDACTED]. Handles multiline content.
+ * Malformed/unclosed tags are left as-is (graceful degradation).
+ * @param {string} text
+ * @returns {string}
+ */
+function stripDangerousTags(text) {
+  if (!text || typeof text !== "string") return text;
+  return text.replace(DANGEROUS_TAGS_RE, "[REDACTED]");
+}
+
+/**
+ * Truncate output if it exceeds the limit.
+ * @param {string} output
+ * @param {string} toolName
+ * @returns {{ text: string, truncated: boolean }}
+ */
+function truncateOutput(output, toolName) {
+  if (!output) return { text: output, truncated: false };
+
+  const limits = getLimits(toolName);
+  if (output.length <= limits.max) {
+    return { text: output, truncated: false };
+  }
+
+  const head = output.slice(0, limits.head);
+  const tail = output.slice(-limits.tail);
+  const omitted = output.length - limits.head - limits.tail;
+  const notice = `\n\n--- [sh-output-control] ${omitted} bytes omitted (${output.length} total → ${limits.head + limits.tail} retained) ---\n\n`;
+
+  return {
+    text: head + notice + tail,
+    truncated: true,
+  };
+}
+
+/**
+ * Estimate token count from character length.
+ * @param {number} charCount
+ * @returns {number}
+ */
+function estimateTokens(charCount) {
+  return Math.ceil(charCount / CHARS_PER_TOKEN);
+}
+
+/**
+ * Track token budget and return warning context if thresholds are crossed.
+ * @param {number} outputSize - Size of tool output in characters
+ * @returns {string|null} Warning context or null
+ */
+function trackTokenBudget(outputSize) {
+  try {
+    const session = readSession();
+    const tokenBudget = session.token_budget;
+    if (!tokenBudget || !tokenBudget.session_limit) return null; // No budget configured
+
+    const budgetLimit = tokenBudget.session_limit;
+    const currentUsage = tokenBudget.used || 0;
+    const newTokens = estimateTokens(outputSize);
+    const updatedUsage = currentUsage + newTokens;
+
+    // Update session — write to token_budget.used (single source of truth)
+    writeSession({
+      ...session,
+      token_budget: {
+        ...tokenBudget,
+        used: updatedUsage,
+      },
+    });
+
+    const ratio = updatedUsage / budgetLimit;
+
+    if (ratio >= BUDGET_LIMIT_RATIO) {
+      return `[${HOOK_NAME}] トークン予算を超過しました（${updatedUsage}/${budgetLimit} tokens）。ユーザー確認が必要です。`;
+    }
+    if (ratio >= BUDGET_WARNING_RATIO) {
+      return `[${HOOK_NAME}] トークン予算の 80% に到達しました（${updatedUsage}/${budgetLimit} tokens）。`;
+    }
+
+    return null;
+  } catch {
+    // Budget tracking failure is non-blocking
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Main — only execute when run directly (not when require'd for testing)
+// ---------------------------------------------------------------------------
+
+if (require.main === module) {
+  try {
+    const input = readHookInput();
+    const { toolName, toolResult } = input;
+
+    const resultStr =
+      typeof toolResult === "string" ? toolResult : JSON.stringify(toolResult);
+
+    // Strip dangerous system tags before any further processing
+    const sanitized = stripDangerousTags(resultStr);
+
+    // Truncate if necessary
+    const { text, truncated } = truncateOutput(sanitized, toolName);
+
+    // Track token budget (based on sanitized output)
+    const budgetWarning = trackTokenBudget(sanitized ? sanitized.length : 0);
+
+    // Build context messages
+    const context = [];
+    if (truncated) {
+      context.push(
+        `[${HOOK_NAME}] ${toolName} の出力を切り詰めました（制限超過）。`,
+      );
+    }
+    if (budgetWarning) {
+      context.push(budgetWarning);
+    }
+
+    // Output result
+    if (truncated) {
+      // Must use allowWithResult to replace the tool output
+      if (context.length > 0) {
+        // allowWithResult doesn't support additionalContext, so prepend warnings to the result
+        const contextHeader = context.join("\n") + "\n\n";
+        allowWithResult(contextHeader + text);
+      } else {
+        allowWithResult(text);
+      }
+    } else if (context.length > 0) {
+      allow(context.join("\n"));
+    } else {
+      allow();
+    }
+  } catch (_err) {
+    // Operational hook — on error, pass through the original output.
+    allow();
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  TRUNCATION_LIMITS,
+  stripDangerousTags,
+  truncateOutput,
+  estimateTokens,
+  getLimits,
+  trackTokenBudget,
+};

package/.claude/hooks/sh-permission-learn.js

@@ -0,0 +1,227 @@
+#!/usr/bin/env node
+// sh-permission-learn.js — Permission learning guard
+// Spec: DETAILED_DESIGN.md §5.7
+// Event: PermissionRequest
+// Target response time: < 20ms
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const {
+  readHookInput,
+  allow,
+  deny,
+  appendEvidence,
+} = require("./lib/sh-utils");
+
+const HOOK_NAME = "sh-permission-learn";
+const SETTINGS_FILE = path.join(".claude", "settings.json");
+const SETTINGS_LOCAL_FILE = path.join(".claude", "settings.local.json");
+const MAX_LEARNED_RULES = 100;
+
+// Overly broad patterns that should never be learned
+const LEARNING_BLACKLIST = [
+  /^Bash\(\*\)$/, // Too broad — allows all Bash commands
+  /^Edit\(\*\)$/, // Too broad — allows editing any file
+  /^Write\(\*\)$/, // Too broad — allows writing any file
+  /^Bash\(curl\s/, // Network access
+  /^Bash\(wget\s/, // Network access
+  /^Edit\(\.claude\//, // Self-modification
+  /^Write\(\.claude\//, // Self-modification
+];
+
+// ---------------------------------------------------------------------------
+// Checks
+// ---------------------------------------------------------------------------
+
+/**
+ * Load deny rules from settings.json.
+ * @returns {string[]}
+ */
+function loadDenyRules() {
+  try {
+    if (!fs.existsSync(SETTINGS_FILE)) return [];
+    const settings = JSON.parse(fs.readFileSync(SETTINGS_FILE, "utf8"));
+    return (settings.permissions && settings.permissions.deny) || [];
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Load current learned allow rules count from settings.local.json.
+ * @returns {number}
+ */
+function getLearnedRuleCount() {
+  try {
+    if (!fs.existsSync(SETTINGS_LOCAL_FILE)) return 0;
+    const local = JSON.parse(fs.readFileSync(SETTINGS_LOCAL_FILE, "utf8"));
+    return ((local.permissions && local.permissions.allow) || []).length;
+  } catch {
+    return 0;
+  }
+}
+
+/**
+ * Check if a permission pattern conflicts with any deny rule.
+ * A conflict exists when the requested permission would match something denied.
+ * @param {string} permissionPattern - e.g., "Bash(rm -rf *)"
+ * @param {string[]} denyRules
+ * @returns {string|null} - Conflicting deny rule, or null
+ */
+function checkDenyConflict(permissionPattern, denyRules) {
+  // Simple substring/overlap check
+  // Extract tool name from pattern
+  const toolMatch = permissionPattern.match(/^(\w+)\((.+)\)$/);
+  if (!toolMatch) return null;
+
+  const [, tool, pattern] = toolMatch;
+
+  for (const denyRule of denyRules) {
+    const denyMatch = denyRule.match(/^(\w+)\((.+)\)$/);
+    if (!denyMatch) continue;
+
+    const [, denyTool, denyPattern] = denyMatch;
+
+    // Same tool type
+    if (tool !== denyTool) continue;
+
+    // Check if the requested pattern would overlap with deny
+    // If the requested pattern contains the denied path/command, it conflicts
+    if (
+      pattern.includes(denyPattern.replace(/\*/g, "")) ||
+      denyPattern.includes(pattern.replace(/\*/g, ""))
+    ) {
+      return denyRule;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Check if a permission pattern is in the blacklist.
+ * @param {string} permissionPattern
+ * @returns {boolean}
+ */
+function isBlacklisted(permissionPattern) {
+  return LEARNING_BLACKLIST.some((re) => re.test(permissionPattern));
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+try {
+  const input = readHookInput();
+  // Permission pattern from the request
+  const permissionPattern =
+    input.toolInput.permission || input.toolInput.tool_pattern || "";
+
+  if (!permissionPattern) {
+    allow();
+    return;
+  }
+
+  // Check 1: deny rule conflict
+  const denyRules = loadDenyRules();
+  const conflict = checkDenyConflict(permissionPattern, denyRules);
+  if (conflict) {
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "PermissionRequest",
+        decision: "deny",
+        reason: "deny_rule_conflict",
+        pattern: permissionPattern,
+        conflicting_rule: conflict,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    deny(
+      `[${HOOK_NAME}] deny ルールは学習で上書きできません。衝突ルール: ${conflict}`,
+    );
+    return;
+  }
+
+  // Check 2: blacklist
+  if (isBlacklisted(permissionPattern)) {
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "PermissionRequest",
+        decision: "deny",
+        reason: "blacklisted_pattern",
+        pattern: permissionPattern,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    deny(`[${HOOK_NAME}] パターンが広すぎます: ${permissionPattern}`);
+    return;
+  }
+
+  // Check 3: learning limit
+  const currentCount = getLearnedRuleCount();
+  if (currentCount >= MAX_LEARNED_RULES) {
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "PermissionRequest",
+        decision: "deny",
+        reason: "learning_limit_exceeded",
+        pattern: permissionPattern,
+        current_count: currentCount,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    deny(
+      `[${HOOK_NAME}] 学習上限に到達しました (${currentCount}/${MAX_LEARNED_RULES})`,
+    );
+    return;
+  }
+
+  // All checks passed — allow
+  try {
+    appendEvidence({
+      hook: HOOK_NAME,
+      event: "PermissionRequest",
+      decision: "allow",
+      pattern: permissionPattern,
+      session_id: input.sessionId,
+    });
+  } catch {
+    // Non-blocking
+  }
+
+  allow();
+} catch (err) {
+  // SECURITY hook — fail-close
+  process.stdout.write(
+    JSON.stringify({
+      reason: `[${HOOK_NAME}] Hook error (fail-close): ${err.message}`,
+    }),
+  );
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  LEARNING_BLACKLIST,
+  MAX_LEARNED_RULES,
+  loadDenyRules,
+  getLearnedRuleCount,
+  checkDenyConflict,
+  isBlacklisted,
+};