ship-safe 6.1.1 → 6.2.0

package/cli/hooks/patterns.js

@@ -0,0 +1,313 @@
+/**
+ * Shared hook patterns
+ * ====================
+ *
+ * Single source of truth for all patterns used by pre-tool-use.js
+ * and post-tool-use.js. Keeps both hooks in sync automatically.
+ *
+ * Design rules:
+ *  - CRITICAL_PATTERNS: block on pre-tool-use. Must have SPECIFIC PREFIXES
+ *    to keep false-positive rate near zero. No generic patterns here.
+ *  - HIGH_PATTERNS: advisory only (post-tool-use). Broader, needs entropy gate.
+ *  - DANGEROUS_BASH_PATTERNS: block on Bash tool calls.
+ *  - ENV_FILE_RE: recognise .env files that SHOULD contain secrets.
+ *  - SKIP_PATHS: files where reporting is never useful.
+ */
+
+import path from 'path';
+
+// =============================================================================
+// SHANNON ENTROPY — used to filter generic token false positives
+// =============================================================================
+
+export function shannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const freq = {};
+  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
+  return Object.values(freq).reduce((sum, count) => {
+    const p = count / str.length;
+    return sum - p * Math.log2(p);
+  }, 0);
+}
+
+// =============================================================================
+// CRITICAL PATTERNS — block on write (precision over recall)
+//
+// Each entry:
+//   name    — human-readable label shown in block message
+//   re      — regex (stateless; reset lastIndex between uses)
+//   envVar  — suggested environment variable name for the fix message
+//
+// Removed / demoted compared to earlier version:
+//   Supabase JWT  → was ANY HS256 JWT; now requires service_role in payload
+//   Twilio Auth Token (SK…) → no prefix, too many false positives; removed
+//   Twilio Account SID → tightened to hex-only [a-f0-9]
+//   Cloudflare API Token → broken lookahead, no reliable prefix; removed
+// =============================================================================
+
+export const CRITICAL_PATTERNS = [
+  {
+    name:   'AWS Access Key ID',
+    re:     /AKIA[0-9A-Z]{16}/,
+    envVar: 'AWS_ACCESS_KEY_ID',
+  },
+  {
+    name:   'AWS Secret Access Key',
+    re:     /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?/,
+    envVar: 'AWS_SECRET_ACCESS_KEY',
+  },
+  {
+    name:   'GitHub PAT (classic)',
+    re:     /ghp_[a-zA-Z0-9]{36}/,
+    envVar: 'GITHUB_TOKEN',
+  },
+  {
+    name:   'GitHub OAuth Token',
+    re:     /gho_[a-zA-Z0-9]{36}/,
+    envVar: 'GITHUB_TOKEN',
+  },
+  {
+    name:   'GitHub App Token',
+    re:     /(?:ghu_|ghs_)[a-zA-Z0-9]{36}/,
+    envVar: 'GITHUB_TOKEN',
+  },
+  {
+    name:   'GitHub Fine-Grained PAT',
+    re:     /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/,
+    envVar: 'GITHUB_TOKEN',
+  },
+  {
+    name:   'Anthropic API Key',
+    re:     /sk-ant-api03-[a-zA-Z0-9\-_]{93}/,
+    envVar: 'ANTHROPIC_API_KEY',
+  },
+  {
+    name:   'OpenAI API Key',
+    re:     /sk-(?:proj-|None-)?[a-zA-Z0-9]{48}/,
+    envVar: 'OPENAI_API_KEY',
+  },
+  {
+    name:   'Stripe Live Secret Key',
+    re:     /sk_live_[0-9a-zA-Z]{24,}/,
+    envVar: 'STRIPE_SECRET_KEY',
+  },
+  {
+    name:   'Stripe Restricted Key',
+    re:     /rk_live_[0-9a-zA-Z]{24,}/,
+    envVar: 'STRIPE_RESTRICTED_KEY',
+  },
+  {
+    name:   'Slack Bot Token',
+    re:     /xoxb-[0-9]{11}-[0-9]{11}-[a-zA-Z0-9]{24}/,
+    envVar: 'SLACK_BOT_TOKEN',
+  },
+  {
+    name:   'Slack User Token',
+    re:     /xoxp-[0-9]{11}-[0-9]{11}-[0-9]{12}-[a-zA-Z0-9]{32}/,
+    envVar: 'SLACK_USER_TOKEN',
+  },
+  {
+    name:   'Twilio Account SID',
+    // Tightened: must be lowercase hex, not any alphanumeric
+    re:     /AC[a-f0-9]{32}/,
+    envVar: 'TWILIO_ACCOUNT_SID',
+  },
+  {
+    name:   'Google API Key',
+    re:     /AIza[0-9A-Za-z\-_]{35}/,
+    envVar: 'GOOGLE_API_KEY',
+  },
+  {
+    name:   'npm Auth Token',
+    re:     /npm_[A-Za-z0-9]{36}/,
+    envVar: 'NPM_TOKEN',
+  },
+  {
+    name:   'PyPI API Token',
+    re:     /pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,}/,
+    envVar: 'PYPI_API_TOKEN',
+  },
+  {
+    name:   'Supabase Service Role Key',
+    // Requires standard HS256 JWT header + base64("service_role") in payload
+    // Far more precise than matching any JWT.
+    re:     /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9+/_-]*c2VydmljZV9yb2xl/,
+    envVar: 'SUPABASE_SERVICE_ROLE_KEY',
+  },
+  {
+    name:   'Private Key (PEM)',
+    re:     /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
+    envVar: 'PRIVATE_KEY_PATH',
+  },
+];
+
+// =============================================================================
+// HIGH PATTERNS — advisory post-write scan only
+// Broader patterns; generic ones gated by entropy check.
+// =============================================================================
+
+export const HIGH_PATTERNS = [
+  {
+    name:     'Hardcoded password assignment',
+    severity: 'high',
+    re:       /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{8,}["']/i,
+    checkEntropy: true,  // run entropy on the captured value
+  },
+  {
+    name:     'Database URL with credentials',
+    severity: 'high',
+    re:       /(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]{4,}@/,
+    checkEntropy: false,
+  },
+  {
+    name:     'Generic high-entropy secret assignment',
+    severity: 'high',
+    re:       /(?:token|secret|api_key|apikey)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{32,})["']/i,
+    checkEntropy: true,  // only report if entropy > threshold
+  },
+];
+
+const ENTROPY_THRESHOLD = 3.5;
+
+// =============================================================================
+// DANGEROUS BASH PATTERNS — block on Bash tool calls
+// =============================================================================
+
+export const DANGEROUS_BASH_PATTERNS = [
+  {
+    name:   'Remote script execution (curl/wget piped to shell)',
+    re:     /(?:curl|wget)\s+[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|dash|ksh)/,
+    reason: 'Executing remote scripts without verification is the #1 CI/CD supply chain attack vector (Trivy/CanisterWorm 2026). Download first, verify checksum, then execute.',
+  },
+  {
+    name:   'Remote script execution (PowerShell iex/Invoke-Expression)',
+    re:     /(?:iex|Invoke-Expression)\s*\(?.*(?:Invoke-WebRequest|iwr|curl|wget)/i,
+    reason: 'PowerShell equivalent of curl|bash. Download the script first, inspect it, then execute.',
+  },
+  {
+    name:   'Recursive force delete of system paths',
+    re:     /rm\s+(?:-[a-z]*f[a-z]*\s+|--force\s+)?(?:-[a-z]*r[a-z]*\s+|--recursive\s+)?\/(?:\s|$|(?!tmp|var\/tmp|home)[a-z])/,
+    reason: 'Destructive operation targeting system paths. Double-check the path before proceeding.',
+  },
+  {
+    name:   'Elevated npm install permissions',
+    re:     /npm\s+(?:i|install)\s+[^\n]*--unsafe-perm/,
+    reason: '--unsafe-perm elevates install script privileges. Use sandboxed installs instead.',
+  },
+  {
+    name:   'Credential file read (potential exfiltration)',
+    re:     /(?:cat|type|Get-Content)\s+[^\n]*(?:~\/\.(?:aws|ssh|npmrc|pypirc|netrc|gitconfig|gnupg)|\/etc\/(?:passwd|shadow))/,
+    reason: 'Reading sensitive credential files.',
+  },
+  {
+    name:   'Env-var exfiltration via network call',
+    re:     /(?:curl|wget|Invoke-WebRequest)\s+[^\n]*\$(?:AWS_|GITHUB_TOKEN|NPM_TOKEN|ANTHROPIC_|OPENAI_|GROQ_|SECRET|PASSWORD|TOKEN)/,
+    reason: 'Sending an environment variable that likely contains credentials over the network.',
+  },
+  {
+    name:   'Secret committed in git message',
+    re:     /git\s+commit\s+[^\n]*-m\s+["'][^\n]*(?:sk-|ghp_|npm_|AKIA|xoxb-|sk_live_)[^\n]*/,
+    reason: 'Possible secret hardcoded in a git commit message. Secrets in commit history are permanent.',
+  },
+];
+
+// =============================================================================
+// ENV FILE PATTERNS
+// =============================================================================
+
+/** Files that SHOULD contain secrets — write is allowed but gitignore is checked */
+export const ENV_FILE_RE = /(?:^|[/\\])\.env(?:\.[a-zA-Z0-9]+)?$/;
+
+/** Files that are purely documentation/examples — silently skip all checks */
+export const ENV_EXAMPLE_RE = /(?:^|[/\\])\.env\.(?:example|sample|template|test)$/i;
+
+// =============================================================================
+// SKIP PATHS (post-tool-use advisory scan — never report on these)
+// =============================================================================
+
+export const SKIP_PATHS = [
+  /\.test\.[jt]sx?$/,
+  /\.spec\.[jt]sx?$/,
+  /__tests__[/\\]/,
+  /[/\\]tests?[/\\]/,
+  /[/\\]fixtures?[/\\]/,
+  /[/\\]mocks?[/\\]/,
+  ENV_EXAMPLE_RE,
+  /\.sample$/,
+  /CHANGELOG/i,
+];
+
+// Note: .md files are NOT skipped — secrets in docs are real issues.
+
+// =============================================================================
+// SCAN HELPERS
+// =============================================================================
+
+/**
+ * Scan content for critical secrets.
+ * Returns array of { name, line, envVar } — line is 1-based.
+ */
+export function scanCritical(content) {
+  const lines = content.split('\n');
+  const hits = [];
+  for (const { name, re, envVar } of CRITICAL_PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      // Reset regex state (stateless patterns, but be safe)
+      re.lastIndex = 0;
+      if (re.test(lines[i])) {
+        hits.push({ name, line: i + 1, envVar });
+        break; // one hit per pattern type is enough for the block message
+      }
+    }
+  }
+  return hits;
+}
+
+/**
+ * Scan content for high-severity issues (advisory).
+ * Applies entropy gate for patterns that request it.
+ */
+export function scanHigh(content) {
+  const hits = [];
+  for (const { name, severity, re, checkEntropy } of HIGH_PATTERNS) {
+    re.lastIndex = 0;
+    const m = re.exec(content);
+    if (!m) continue;
+    if (checkEntropy) {
+      // Use captured group if present, otherwise the full match
+      const value = m[1] || m[0];
+      if (shannonEntropy(value) < ENTROPY_THRESHOLD) continue;
+    }
+    hits.push({ name, severity });
+  }
+  return hits;
+}
+
+/**
+ * Build a specific fix suggestion for a detected secret.
+ *
+ * @param {string} envVar    — e.g. 'STRIPE_SECRET_KEY'
+ * @param {string} filePath  — e.g. 'src/config.ts'
+ */
+export function buildFixSuggestion(envVar, filePath) {
+  const ext = filePath ? path.extname(filePath).toLowerCase() : '';
+  if (['.js', '.mjs', '.cjs', '.ts', '.tsx', '.jsx'].includes(ext)) {
+    return `process.env.${envVar}`;
+  }
+  if (ext === '.py') {
+    return `os.environ.get('${envVar}')`;
+  }
+  if (['.rb'].includes(ext)) {
+    return `ENV['${envVar}']`;
+  }
+  if (['.go'].includes(ext)) {
+    return `os.Getenv("${envVar}")`;
+  }
+  if (['.java', '.kt'].includes(ext)) {
+    return `System.getenv("${envVar}")`;
+  }
+  if (['.cs'].includes(ext)) {
+    return `Environment.GetEnvironmentVariable("${envVar}")`;
+  }
+  return `$ENV:${envVar}`;
+}

package/cli/hooks/post-tool-use.js

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+/**
+ * ship-safe PostToolUse Hook
+ * ===========================
+ *
+ * Runs after Write / Edit / MultiEdit / NotebookEdit completes successfully.
+ * Scans the written content for secrets and security issues, then returns
+ * findings as a message that Claude Code injects back into the conversation.
+ *
+ * For Write and Edit, content is read from tool_input (no disk read needed).
+ * For MultiEdit and NotebookEdit, the file is read from disk after the write.
+ *
+ * PostToolUse NEVER blocks — exit 0 always.
+ * Empty stdout = silent (no findings or file skipped).
+ *
+ * Install via:  npx ship-safe hooks install
+ */
+
+import path from 'path';
+import { existsSync, readFileSync } from 'fs';
+import {
+  scanCritical,
+  scanHigh,
+  SKIP_PATHS,
+  ENV_FILE_RE,
+  ENV_EXAMPLE_RE,
+} from './patterns.js';
+
+// =============================================================================
+// Main
+// =============================================================================
+
+async function main() {
+  let payload;
+  try {
+    const raw = await readStdin();
+    payload = JSON.parse(raw);
+  } catch {
+    process.exit(0);
+  }
+
+  const { tool_name, tool_input, tool_result_is_error } = payload;
+
+  if (tool_result_is_error) process.exit(0);
+  if (!['Write', 'Edit', 'MultiEdit', 'NotebookEdit'].includes(tool_name)) process.exit(0);
+
+  const filePath = tool_input && (tool_input.file_path || tool_input.notebook_path || tool_input.path);
+  if (!filePath) process.exit(0);
+
+  // Skip example/sample env files entirely
+  if (ENV_EXAMPLE_RE.test(filePath)) process.exit(0);
+
+  // Skip test fixtures, mocks, etc.
+  if (SKIP_PATHS.some(p => p.test(filePath))) process.exit(0);
+
+  // .env files: secrets are expected — no secret scan, but gitignore already
+  // warned in PreToolUse. Silent here.
+  if (ENV_FILE_RE.test(filePath)) process.exit(0);
+
+  // Get content to scan
+  const content = getContent(tool_name, tool_input, filePath);
+  if (!content) process.exit(0);
+
+  // Run scans
+  const critical = scanCritical(content);
+  const high = scanHigh(content);
+
+  if (critical.length === 0 && high.length === 0) process.exit(0);
+
+  // Format advisory message for Claude's context
+  const lines = [
+    `[ship-safe] Security findings in ${path.basename(filePath)}:`,
+    '',
+  ];
+
+  if (critical.length > 0) {
+    lines.push('CRITICAL — rotate these credentials immediately:');
+    for (const { name, line } of critical) {
+      lines.push(`  • ${name}${line ? ` (line ${line})` : ''}`);
+    }
+    lines.push('');
+  }
+
+  if (high.length > 0) {
+    lines.push('HIGH — review these:');
+    for (const { name } of high) {
+      lines.push(`  • ${name}`);
+    }
+    lines.push('');
+  }
+
+  lines.push('Run `npx ship-safe scan .` for full details and auto-fix options.');
+
+  process.stdout.write(lines.join('\n'));
+  process.exit(0);
+}
+
+// =============================================================================
+// Helpers
+// =============================================================================
+
+/**
+ * Get the content to scan.
+ * Prefer tool_input (avoids a disk read) for Write and Edit.
+ * Fall back to disk read for MultiEdit and NotebookEdit.
+ */
+function getContent(toolName, input, filePath) {
+  if (toolName === 'Write' && input?.content) {
+    return input.content;
+  }
+  if (toolName === 'Edit' && input?.new_string) {
+    // For Edit, scan the full file so we catch pre-existing issues too
+    return readFromDisk(filePath);
+  }
+  // MultiEdit and NotebookEdit — read the final state from disk
+  return readFromDisk(filePath);
+}
+
+function readFromDisk(filePath) {
+  try {
+    if (!existsSync(filePath)) return null;
+    return readFileSync(filePath, 'utf8');
+  } catch {
+    return null;
+  }
+}
+
+function readStdin() {
+  return new Promise((resolve, reject) => {
+    if (process.stdin.isTTY) return resolve('');
+    const chunks = [];
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', chunk => chunks.push(chunk));
+    process.stdin.on('end', () => resolve(chunks.join('')));
+    process.stdin.on('error', reject);
+    setTimeout(() => resolve(''), 3000);
+  });
+}
+
+main().catch(() => process.exit(0));

package/cli/hooks/pre-tool-use.js

@@ -0,0 +1,186 @@
+#!/usr/bin/env node
+/**
+ * ship-safe PreToolUse Hook
+ * ==========================
+ *
+ * Runs before every Claude Code tool call. Blocks:
+ *   - Write / Edit / MultiEdit / NotebookEdit: content containing critical secrets
+ *     (unless the target is a .env file — secrets belong there)
+ *   - Bash: known-dangerous command patterns
+ *
+ * Protocol (claw-code / Claude Code hooks spec):
+ *   - Input:  JSON payload on stdin
+ *   - Exit 0: allow the tool to run (stdout = optional advisory message)
+ *   - Exit 2: BLOCK the tool (stdout = reason shown to Claude and user)
+ *   - Exit 1: warn but allow (stdout = warning message)
+ *
+ * Install via:  npx ship-safe hooks install
+ */
+
+import path from 'path';
+import fs from 'fs';
+import {
+  scanCritical,
+  buildFixSuggestion,
+  DANGEROUS_BASH_PATTERNS,
+  ENV_FILE_RE,
+  ENV_EXAMPLE_RE,
+} from './patterns.js';
+
+// =============================================================================
+// Main
+// =============================================================================
+
+async function main() {
+  let payload;
+  try {
+    const raw = await readStdin();
+    payload = JSON.parse(raw);
+  } catch {
+    process.exit(0); // can't parse → allow
+  }
+
+  const { tool_name, tool_input } = payload;
+
+  // ── File write hooks (Write / Edit / MultiEdit / NotebookEdit) ───────────
+  if (['Write', 'Edit', 'MultiEdit', 'NotebookEdit'].includes(tool_name)) {
+    const filePath = tool_input && (tool_input.file_path || tool_input.notebook_path || tool_input.path);
+
+    // .env.example / .env.sample — purely documentation, skip all checks
+    if (filePath && ENV_EXAMPLE_RE.test(filePath)) {
+      process.exit(0);
+    }
+
+    // .env / .env.local / .env.production — secrets SHOULD be here
+    // Allow write, but warn if .gitignore doesn't cover the file
+    if (filePath && ENV_FILE_RE.test(filePath)) {
+      const warning = checkEnvGitignore(filePath);
+      if (warning) {
+        process.stdout.write(warning);
+        process.exit(1); // warn but allow
+      }
+      process.exit(0);
+    }
+
+    const content = extractContent(tool_name, tool_input);
+    if (content) {
+      const hits = scanCritical(content);
+      if (hits.length > 0) {
+        process.stdout.write(buildBlockMessage(hits, filePath));
+        process.exit(2);
+      }
+    }
+  }
+
+  // ── Bash hooks ─────────────────────────────────────────────────────────────
+  if (tool_name === 'Bash') {
+    const command = tool_input?.command ? String(tool_input.command) : '';
+    if (command) {
+      const hit = DANGEROUS_BASH_PATTERNS.find(p => p.re.test(command));
+      if (hit) {
+        process.stdout.write(
+          `ship-safe blocked this command — ${hit.name}\n\n${hit.reason}`
+        );
+        process.exit(2);
+      }
+    }
+  }
+
+  process.exit(0);
+}
+
+// =============================================================================
+// Helpers
+// =============================================================================
+
+function extractContent(toolName, input) {
+  if (!input) return null;
+  switch (toolName) {
+    case 'Write':
+      return input.content || null;
+    case 'Edit':
+      return input.new_string || null;
+    case 'MultiEdit':
+      return Array.isArray(input.edits)
+        ? input.edits.map(e => e.new_string || '').join('\n')
+        : null;
+    case 'NotebookEdit':
+      // NotebookEdit passes new cell source as new_source or source
+      return input.new_source || input.source || input.cell_source || null;
+    default:
+      return null;
+  }
+}
+
+function buildBlockMessage(hits, filePath) {
+  const ext = filePath ? path.extname(filePath).toLowerCase() : '.js';
+  const lines = [
+    `ship-safe blocked this write — critical secret(s) detected:`,
+    '',
+  ];
+
+  for (const { name, line, envVar } of hits) {
+    const fix = buildFixSuggestion(envVar, filePath || '');
+    lines.push(`  • ${name} on line ${line}`);
+    lines.push(`    Fix: replace with ${fix}`);
+    lines.push(`    Add to .env: ${envVar}=<your_value>`);
+    lines.push('');
+  }
+
+  lines.push('Run `npx ship-safe scan .` for a full report.');
+  return lines.join('\n');
+}
+
+/**
+ * Check if a .env file is covered by .gitignore.
+ * Returns a warning string if not covered, null if OK.
+ */
+function checkEnvGitignore(envFilePath) {
+  const dir = path.dirname(path.resolve(envFilePath));
+  const gitignorePath = path.join(dir, '.gitignore');
+
+  // Walk up to repo root looking for .gitignore
+  const roots = [dir, path.dirname(dir), path.dirname(path.dirname(dir))];
+  for (const root of roots) {
+    const gi = path.join(root, '.gitignore');
+    if (!fs.existsSync(gi)) continue;
+    try {
+      const content = fs.readFileSync(gi, 'utf8');
+      const lines = content.split('\n').map(l => l.trim()).filter(l => l && !l.startsWith('#'));
+      const basename = path.basename(envFilePath);
+      const covered = lines.some(l =>
+        l === '.env' ||
+        l === basename ||
+        l === '.env*' ||
+        l === '*.env' ||
+        l === '.env.*' ||
+        (l.startsWith('.env') && basename.startsWith(l.replace('*', '')))
+      );
+      if (covered) return null;
+      return (
+        `ship-safe: ${basename} is not in .gitignore — secrets could be committed.\n` +
+        `Add this line to ${gi}:\n  .env*\n`
+      );
+    } catch { /* ignore read errors */ }
+  }
+
+  // No .gitignore found at all
+  return (
+    `ship-safe: no .gitignore found. Create one and add ".env*" to prevent ` +
+    `secrets from being committed.\n`
+  );
+}
+
+function readStdin() {
+  return new Promise((resolve, reject) => {
+    if (process.stdin.isTTY) return resolve('');
+    const chunks = [];
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', chunk => chunks.push(chunk));
+    process.stdin.on('end', () => resolve(chunks.join('')));
+    process.stdin.on('error', reject);
+    setTimeout(() => resolve(''), 3000); // never hang Claude Code
+  });
+}
+
+main().catch(() => process.exit(0)); // never crash — silently allow on error