shield-harness 0.3.0 → 0.5.0

package/.claude/hooks/lib/automode-detect.js

@@ -0,0 +1,184 @@
+#!/usr/bin/env node
+// automode-detect.js — Claude Code Auto Mode detection & danger assessment
+// Spec: Phase 7 ADR-038 (.reference/PHASE7_8_AUTO_MODE_SELF_EVOLUTION_PLAN.md)
+// Purpose: Detect Auto Mode configuration and classify danger level
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const SETTINGS_LOCAL = path.join(".claude", "settings.local.json");
+const SETTINGS_MAIN = path.join(".claude", "settings.json");
+
+/**
+ * Protections lost when autoMode.soft_deny is configured.
+ * A single soft_deny entry disables ALL classifier default protections.
+ */
+const LOST_PROTECTIONS = [
+  "Default force-push prevention (git push --force)",
+  "Default destructive command blocking (rm -rf, format)",
+  "Default credential access prevention (~/.ssh, ~/.aws)",
+  "Default network isolation (curl|bash, data exfiltration)",
+  "Default file system protection (system files modification)",
+  "Default package execution control (npm install, npx)",
+  "Classifier-based safety judgments for all unlisted tools",
+];
+
+// ---------------------------------------------------------------------------
+// Utility functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Read autoMode section from a settings JSON file.
+ * fail-safe: returns null on any error (file missing, parse error, no autoMode).
+ * @param {string} filePath - Path to settings JSON file
+ * @returns {{ soft_deny: string[], soft_allow: string[], environment: string|null }|null}
+ */
+function readSettingsFile(filePath) {
+  try {
+    if (!fs.existsSync(filePath)) return null;
+    const content = JSON.parse(fs.readFileSync(filePath, "utf8"));
+    const autoMode = content.autoMode;
+    if (!autoMode || typeof autoMode !== "object") return null;
+    return {
+      soft_deny: Array.isArray(autoMode.soft_deny) ? autoMode.soft_deny : [],
+      soft_allow: Array.isArray(autoMode.soft_allow) ? autoMode.soft_allow : [],
+      environment:
+        typeof autoMode.environment === "string" ? autoMode.environment : null,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Classify danger level based on soft_deny and soft_allow counts.
+ * @param {number} softDenyCount
+ * @param {number} softAllowCount
+ * @returns {"safe"|"warn"|"critical"}
+ */
+function classifyDangerLevel(softDenyCount, softAllowCount) {
+  if (softDenyCount > 0) return "critical";
+  if (softAllowCount > 0) return "warn";
+  return "safe";
+}
+
+// ---------------------------------------------------------------------------
+// Main detection function
+// ---------------------------------------------------------------------------
+
+/**
+ * Detect Auto Mode configuration and assess danger level.
+ * Reads settings.local.json (priority) and settings.json, merges results.
+ * fail-safe: never throws, returns safe defaults on any error.
+ *
+ * @returns {{
+ *   detected: boolean,
+ *   danger_level: "safe"|"warn"|"critical",
+ *   reason: string,
+ *   soft_deny_count: number,
+ *   soft_allow_count: number,
+ *   has_environment: boolean,
+ *   environment_snippet: string|null,
+ *   danger_items: string[],
+ *   source: "settings_local"|"settings"|"both"|"none",
+ *   detected_at: string
+ * }}
+ */
+function detectAutoMode() {
+  const detected_at = new Date().toISOString();
+  const base = {
+    detected: false,
+    danger_level: "safe",
+    reason: "not_configured",
+    soft_deny_count: 0,
+    soft_allow_count: 0,
+    has_environment: false,
+    environment_snippet: null,
+    danger_items: [],
+    source: "none",
+    detected_at,
+  };
+
+  try {
+    const localResult = readSettingsFile(SETTINGS_LOCAL);
+    const mainResult = readSettingsFile(SETTINGS_MAIN);
+
+    // No autoMode in either file
+    if (!localResult && !mainResult) {
+      return base;
+    }
+
+    // Determine source
+    const source =
+      localResult && mainResult
+        ? "both"
+        : localResult
+          ? "settings_local"
+          : "settings";
+
+    // Merge soft_deny and soft_allow from both files (deduplicate)
+    const softDeny = [
+      ...new Set([
+        ...(localResult ? localResult.soft_deny : []),
+        ...(mainResult ? mainResult.soft_deny : []),
+      ]),
+    ];
+    const softAllow = [
+      ...new Set([
+        ...(localResult ? localResult.soft_allow : []),
+        ...(mainResult ? mainResult.soft_allow : []),
+      ]),
+    ];
+
+    // Environment: local overrides main
+    const environment =
+      (localResult && localResult.environment) ||
+      (mainResult && mainResult.environment) ||
+      null;
+
+    const dangerLevel = classifyDangerLevel(softDeny.length, softAllow.length);
+
+    // Determine reason code
+    let reason = "configured_safe";
+    if (softDeny.length > 0 && softAllow.length > 0) {
+      reason = "both_present";
+    } else if (softDeny.length > 0) {
+      reason = "soft_deny_present";
+    } else if (softAllow.length > 0) {
+      reason = "soft_allow_only";
+    }
+
+    return {
+      detected: true,
+      danger_level: dangerLevel,
+      reason,
+      soft_deny_count: softDeny.length,
+      soft_allow_count: softAllow.length,
+      has_environment: environment !== null,
+      environment_snippet: environment ? environment.slice(0, 80) : null,
+      danger_items: dangerLevel === "critical" ? [...LOST_PROTECTIONS] : [],
+      source,
+      detected_at,
+    };
+  } catch {
+    return { ...base, reason: "read_error" };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  detectAutoMode,
+  classifyDangerLevel,
+  readSettingsFile,
+  LOST_PROTECTIONS,
+  SETTINGS_LOCAL,
+  SETTINGS_MAIN,
+};

package/.claude/hooks/lib/policy-drift.js

@@ -0,0 +1,322 @@
+#!/usr/bin/env node
+// policy-drift.js — Detect drift between permissions-spec.json deny rules and OpenShell policy YAML
+// Part of Shield Harness: ensures policy files stay in sync with the canonical deny rules
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// --- Dependencies (local modules) ---
+
+const { loadPermissionsSpec } = require("./permissions-validator");
+const { classifyRulesByDomain } = require("./tier-policy-gen");
+
+// --- YAML Parsing (regex-based, no js-yaml dependency) ---
+
+/**
+ * Extract a YAML list section by name.
+ * Expects predictable structure generated by tier-policy-gen.js:
+ *   section_name:
+ *     - item1
+ *     - item2
+ *
+ * @param {string} content - Full YAML file content
+ * @param {string} sectionName - Name of the section (e.g., "deny_read")
+ * @returns {string[]} List of items found under the section
+ */
+function extractYamlList(content, sectionName) {
+  // Match section header followed by indented list items
+  var pattern = new RegExp(
+    sectionName + ":\\n((?:[ \\t]+-[ \\t]+.+\\n)*)",
+    "m",
+  );
+  var match = content.match(pattern);
+  if (!match) return [];
+  return match[1]
+    .split("\n")
+    .filter(function (l) {
+      return l.trim().startsWith("- ");
+    })
+    .map(function (l) {
+      return l.trim().replace(/^-\s+/, "");
+    });
+}
+
+/**
+ * Extract blocked network operations from YAML comment block.
+ * Expects format generated by tier-policy-gen.js:
+ *   # Blocked network operations (from permissions-spec.json deny rules):
+ *   #   - curl *
+ *   #   - wget *
+ *
+ * @param {string} content - Full YAML file content
+ * @returns {string[]} List of blocked network commands
+ */
+function extractBlockedNetworkComments(content) {
+  var pattern =
+    /# Blocked network operations[^\n]*:\n((?:#[ \t]+-[ \t]+.+\n)*)/m;
+  var match = content.match(pattern);
+  if (!match) return [];
+  return match[1]
+    .split("\n")
+    .filter(function (l) {
+      return l.trim().startsWith("#");
+    })
+    .map(function (l) {
+      return l.trim().replace(/^#\s+-\s+/, "");
+    });
+}
+
+/**
+ * Parse all relevant sections from a policy YAML file.
+ * Returns structured data without requiring js-yaml.
+ *
+ * @param {string} content - Full YAML file content
+ * @returns {{
+ *   denyRead: string[],
+ *   denyWrite: string[],
+ *   readWrite: string[],
+ *   blockedNetwork: string[]
+ * }}
+ */
+function parsePolicyYaml(content) {
+  return {
+    denyRead: extractYamlList(content, "deny_read"),
+    denyWrite: extractYamlList(content, "deny_write"),
+    readWrite: extractYamlList(content, "read_write"),
+    blockedNetwork: extractBlockedNetworkComments(content),
+  };
+}
+
+// --- Drift Detection ---
+
+/**
+ * Check drift between permissions-spec deny rules and OpenShell policy YAML.
+ *
+ * Compares the classified deny rules from permissions-spec.json against
+ * the content of policy YAML files in the specified directory.
+ *
+ * Drift rules:
+ *   1. Missing filesystem deny (read): spec denyRead paths not in policy deny_read
+ *   2. Missing filesystem deny (write): spec denyWrite paths not in policy deny_write
+ *   3. Policy allows denied: paths in denyRead/denyWrite that also appear in read_write
+ *   4. Missing network deny: network commands not in blocked network comments
+ *   5. No policy files: skip (no drift reported)
+ *   6. No spec file: skip (no drift reported)
+ *   7. Parse errors: fail-safe (no drift, warning logged)
+ *
+ * @param {{ specPath: string, policyDir: string }} params
+ * @returns {{
+ *   has_drift: boolean,
+ *   warnings: string[],
+ *   details: {
+ *     missing_filesystem_deny: string[],
+ *     missing_network_deny: string[],
+ *     policy_allows_denied: string[]
+ *   },
+ *   checked_at: string
+ * }}
+ */
+function checkPolicyDrift({ specPath, policyDir }) {
+  var emptyResult = {
+    has_drift: false,
+    warnings: [],
+    details: {
+      missing_filesystem_deny: [],
+      missing_network_deny: [],
+      policy_allows_denied: [],
+    },
+    checked_at: new Date().toISOString(),
+  };
+
+  // Rule 6: No spec file — skip silently
+  if (!specPath || !fs.existsSync(specPath)) {
+    return emptyResult;
+  }
+
+  // Rule 5: No policy directory or no .yaml files — skip silently
+  if (!policyDir || !fs.existsSync(policyDir)) {
+    return emptyResult;
+  }
+
+  var policyFiles;
+  try {
+    policyFiles = fs.readdirSync(policyDir).filter(function (f) {
+      return f.endsWith(".yaml") || f.endsWith(".yml");
+    });
+  } catch (e) {
+    return emptyResult;
+  }
+
+  if (policyFiles.length === 0) {
+    return emptyResult;
+  }
+
+  // Load and classify spec deny rules
+  var spec;
+  try {
+    spec = loadPermissionsSpec(specPath);
+  } catch (err) {
+    return {
+      has_drift: false,
+      warnings: ["parse_error: spec load failed \u2014 " + err.message],
+      details: {
+        missing_filesystem_deny: [],
+        missing_network_deny: [],
+        policy_allows_denied: [],
+      },
+      checked_at: new Date().toISOString(),
+    };
+  }
+
+  var classified;
+  try {
+    classified = classifyRulesByDomain(spec.deny);
+  } catch (err) {
+    return {
+      has_drift: false,
+      warnings: [
+        "parse_error: rule classification failed \u2014 " + err.message,
+      ],
+      details: {
+        missing_filesystem_deny: [],
+        missing_network_deny: [],
+        policy_allows_denied: [],
+      },
+      checked_at: new Date().toISOString(),
+    };
+  }
+
+  // Aggregate policy content from all YAML files
+  var aggregated = {
+    denyRead: new Set(),
+    denyWrite: new Set(),
+    readWrite: new Set(),
+    blockedNetwork: new Set(),
+  };
+
+  for (var i = 0; i < policyFiles.length; i++) {
+    var filePath = path.join(policyDir, policyFiles[i]);
+    var content;
+    try {
+      content = fs.readFileSync(filePath, "utf8");
+    } catch (err) {
+      // Rule 7: Parse error — fail-safe
+      return {
+        has_drift: false,
+        warnings: [
+          "parse_error: cannot read " + filePath + " \u2014 " + err.message,
+        ],
+        details: {
+          missing_filesystem_deny: [],
+          missing_network_deny: [],
+          policy_allows_denied: [],
+        },
+        checked_at: new Date().toISOString(),
+      };
+    }
+
+    var parsed;
+    try {
+      parsed = parsePolicyYaml(content);
+    } catch (err) {
+      return {
+        has_drift: false,
+        warnings: [
+          "parse_error: cannot parse " + filePath + " \u2014 " + err.message,
+        ],
+        details: {
+          missing_filesystem_deny: [],
+          missing_network_deny: [],
+          policy_allows_denied: [],
+        },
+        checked_at: new Date().toISOString(),
+      };
+    }
+
+    parsed.denyRead.forEach(function (p) {
+      aggregated.denyRead.add(p);
+    });
+    parsed.denyWrite.forEach(function (p) {
+      aggregated.denyWrite.add(p);
+    });
+    parsed.readWrite.forEach(function (p) {
+      aggregated.readWrite.add(p);
+    });
+    parsed.blockedNetwork.forEach(function (cmd) {
+      aggregated.blockedNetwork.add(cmd);
+    });
+  }
+
+  // --- Compare classified rules against aggregated policy ---
+
+  var warnings = [];
+  var missingFilesystemDeny = [];
+  var missingNetworkDeny = [];
+  var policyAllowsDenied = [];
+
+  // Rule 1: Missing filesystem deny (read)
+  for (var ri = 0; ri < classified.denyRead.length; ri++) {
+    var readPath = classified.denyRead[ri];
+    if (!aggregated.denyRead.has(readPath)) {
+      warnings.push("deny_read missing in policy: " + readPath);
+      missingFilesystemDeny.push(readPath);
+    }
+  }
+
+  // Rule 2: Missing filesystem deny (write)
+  for (var wi = 0; wi < classified.denyWrite.length; wi++) {
+    var writePath = classified.denyWrite[wi];
+    if (!aggregated.denyWrite.has(writePath)) {
+      warnings.push("deny_write missing in policy: " + writePath);
+      missingFilesystemDeny.push(writePath);
+    }
+  }
+
+  // Rule 3: Policy allows denied — conflict detection
+  var allDeniedPaths = new Set(
+    classified.denyRead.concat(classified.denyWrite),
+  );
+  aggregated.readWrite.forEach(function (rwPath) {
+    if (allDeniedPaths.has(rwPath)) {
+      warnings.push("conflict: read_write allows denied path: " + rwPath);
+      policyAllowsDenied.push(rwPath);
+    }
+  });
+
+  // Rule 4: Missing network deny
+  for (var ni = 0; ni < classified.network.length; ni++) {
+    var netCmd = classified.network[ni];
+    if (!aggregated.blockedNetwork.has(netCmd)) {
+      warnings.push(
+        "blocked network command missing in policy comments: " + netCmd,
+      );
+      missingNetworkDeny.push(netCmd);
+    }
+  }
+
+  var hasDrift =
+    missingFilesystemDeny.length > 0 ||
+    missingNetworkDeny.length > 0 ||
+    policyAllowsDenied.length > 0;
+
+  return {
+    has_drift: hasDrift,
+    warnings: warnings,
+    details: {
+      missing_filesystem_deny: missingFilesystemDeny,
+      missing_network_deny: missingNetworkDeny,
+      policy_allows_denied: policyAllowsDenied,
+    },
+    checked_at: new Date().toISOString(),
+  };
+}
+
+module.exports = {
+  // Main entry point
+  checkPolicyDrift: checkPolicyDrift,
+  // Parsing helpers (exported for unit testing)
+  extractYamlList: extractYamlList,
+  extractBlockedNetworkComments: extractBlockedNetworkComments,
+  parsePolicyYaml: parsePolicyYaml,
+};