tlc-claude-code 2.2.1 → 2.3.0

package/server/lib/careful-patterns.js

@@ -0,0 +1,142 @@
+/**
+ * Careful Patterns Module
+ *
+ * Destructive command detection patterns for /tlc:careful
+ * and path scope checking for /tlc:freeze.
+ *
+ * @module careful-patterns
+ */
+
+const path = require('path');
+
+/**
+ * Destructive command patterns with their metadata.
+ * Each entry: { regex, reason, pattern }
+ * @type {Array<{regex: RegExp, reason: string, pattern: string}>}
+ */
+const DESTRUCTIVE_PATTERNS = [
+  {
+    regex: /\bgit\s+push\s+(?:.*\s+)?--force\b/,
+    reason: 'Force push',
+    pattern: 'git push --force',
+  },
+  {
+    regex: /\bgit\s+push\s+(?:.*\s+)?-f\b/,
+    reason: 'Force push',
+    pattern: 'git push -f',
+  },
+  {
+    regex: /\bgit\s+reset\s+--hard\b/,
+    reason: 'Hard reset',
+    pattern: 'git reset --hard',
+  },
+  {
+    regex: /\brm\s+-rf\b/,
+    reason: 'Recursive force delete',
+    pattern: 'rm -rf',
+  },
+  {
+    regex: /\bdrop\s+table\b/i,
+    reason: 'Drop table',
+    pattern: 'DROP TABLE',
+  },
+  {
+    regex: /\bdrop\s+database\b/i,
+    reason: 'Drop database',
+    pattern: 'DROP DATABASE',
+  },
+  {
+    regex: /\btruncate\s+table\b/i,
+    reason: 'Truncate table',
+    pattern: 'TRUNCATE TABLE',
+  },
+  {
+    regex: /\bgit\s+clean\s+-f/,
+    reason: 'Clean untracked files',
+    pattern: 'git clean -f',
+  },
+];
+
+/**
+ * Check if a shell command matches destructive patterns.
+ *
+ * Checks against known dangerous operations like force push,
+ * hard reset, recursive delete, and destructive SQL statements.
+ * SQL patterns are matched case-insensitively.
+ *
+ * @param {string} command - Shell command string to check
+ * @returns {{ destructive: boolean, reason?: string, pattern?: string }}
+ */
+function isDestructive(command) {
+  if (!command || typeof command !== 'string') {
+    return { destructive: false };
+  }
+
+  // Check DELETE FROM without WHERE (special case: only destructive without WHERE)
+  // Don't early-return on safe DELETE — continue checking for other destructive patterns
+  const deleteMatch = command.match(/\bdelete\s+from\b/i);
+  if (deleteMatch) {
+    const hasWhere = /\bwhere\b/i.test(command);
+    if (!hasWhere) {
+      return {
+        destructive: true,
+        reason: 'Delete without WHERE',
+        pattern: 'DELETE FROM',
+      };
+    }
+    // DELETE FROM ... WHERE is safe, but continue scanning for other patterns
+    // (e.g., "DELETE FROM users WHERE id=1; DROP TABLE sessions")
+  }
+
+  // Check all other patterns
+  for (const entry of DESTRUCTIVE_PATTERNS) {
+    if (entry.regex.test(command)) {
+      return {
+        destructive: true,
+        reason: entry.reason,
+        pattern: entry.pattern,
+      };
+    }
+  }
+
+  return { destructive: false };
+}
+
+/**
+ * Check if a file path is within an allowed scope directory.
+ *
+ * Resolves parent traversal (../) before checking containment.
+ * Both paths are normalized to prevent bypass via trailing slashes
+ * or prefix collisions (e.g., src/auth vs src/authorization).
+ *
+ * @param {string} filePath - File path to check
+ * @param {string} scopeDir - Allowed scope directory
+ * @returns {boolean}
+ */
+function isInScope(filePath, scopeDir) {
+  if (!filePath || !scopeDir) {
+    return false;
+  }
+  if (typeof filePath !== 'string' || typeof scopeDir !== 'string') {
+    return false;
+  }
+
+  // Normalize both paths to resolve ../ and remove trailing slashes
+  const normalizedFile = path.normalize(filePath);
+  const normalizedScope = path.normalize(scopeDir);
+
+  // Exact match
+  if (normalizedFile === normalizedScope) {
+    return true;
+  }
+
+  // File must be under scope directory (with path separator to prevent prefix collisions)
+  const scopePrefix = normalizedScope.endsWith(path.sep)
+    ? normalizedScope
+    : normalizedScope + path.sep;
+
+  return normalizedFile.startsWith(scopePrefix);
+}
+
+
+module.exports = { isDestructive, isInScope };

package/server/lib/careful-patterns.test.js

@@ -0,0 +1,164 @@
+/**
+ * Careful Patterns Tests - Phase 89 Task 6
+ *
+ * Destructive command detection and path scope checking
+ */
+
+import { describe, it, expect } from 'vitest';
+
+import { isDestructive, isInScope } from './careful-patterns.js';
+
+describe('careful-patterns', () => {
+  describe('isDestructive', () => {
+    it('detects git push --force as destructive', () => {
+      const result = isDestructive('git push --force origin main');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Force push');
+      expect(result.pattern).toBe('git push --force');
+    });
+
+    it('detects git push -f as destructive', () => {
+      const result = isDestructive('git push -f origin main');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Force push');
+    });
+
+    it('allows normal git push', () => {
+      const result = isDestructive('git push origin feature');
+      expect(result.destructive).toBe(false);
+      expect(result.reason).toBeUndefined();
+      expect(result.pattern).toBeUndefined();
+    });
+
+    it('detects git reset --hard as destructive', () => {
+      const result = isDestructive('git reset --hard HEAD~3');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Hard reset');
+      expect(result.pattern).toBe('git reset --hard');
+    });
+
+    it('allows git reset --soft', () => {
+      const result = isDestructive('git reset --soft HEAD~1');
+      expect(result.destructive).toBe(false);
+    });
+
+    it('detects rm -rf as destructive', () => {
+      const result = isDestructive('rm -rf /');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Recursive force delete');
+      expect(result.pattern).toBe('rm -rf');
+    });
+
+    it('allows simple rm', () => {
+      const result = isDestructive('rm file.txt');
+      expect(result.destructive).toBe(false);
+    });
+
+    it('detects DROP TABLE as destructive', () => {
+      const result = isDestructive('DROP TABLE users');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Drop table');
+      expect(result.pattern).toMatch(/drop table/i);
+    });
+
+    it('detects DELETE FROM without WHERE as destructive', () => {
+      const result = isDestructive('DELETE FROM users');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Delete without WHERE');
+    });
+
+    it('allows DELETE FROM with WHERE', () => {
+      const result = isDestructive('DELETE FROM users WHERE id = 1');
+      expect(result.destructive).toBe(false);
+    });
+
+    it('detects DROP after safe DELETE in multi-statement command', () => {
+      const result = isDestructive('DELETE FROM users WHERE id = 1; DROP TABLE sessions');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Drop table');
+    });
+
+    it('detects TRUNCATE TABLE as destructive', () => {
+      const result = isDestructive('TRUNCATE TABLE sessions');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Truncate table');
+    });
+
+    it('detects git clean -fd as destructive', () => {
+      const result = isDestructive('git clean -fd');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Clean untracked files');
+      expect(result.pattern).toBe('git clean -f');
+    });
+
+    it('allows npm install', () => {
+      const result = isDestructive('npm install express');
+      expect(result.destructive).toBe(false);
+    });
+
+    it('detects DROP DATABASE as destructive', () => {
+      const result = isDestructive('DROP DATABASE production');
+      expect(result.destructive).toBe(true);
+      expect(result.reason).toBe('Drop database');
+    });
+
+    it('handles SQL commands case-insensitively', () => {
+      expect(isDestructive('drop table users').destructive).toBe(true);
+      expect(isDestructive('Drop Table users').destructive).toBe(true);
+      expect(isDestructive('DELETE from users').destructive).toBe(true);
+      expect(isDestructive('truncate TABLE sessions').destructive).toBe(true);
+    });
+
+    it('returns destructive:false for empty string', () => {
+      const result = isDestructive('');
+      expect(result.destructive).toBe(false);
+    });
+
+    it('returns destructive:false for null/undefined', () => {
+      expect(isDestructive(null).destructive).toBe(false);
+      expect(isDestructive(undefined).destructive).toBe(false);
+    });
+  });
+
+  describe('isInScope', () => {
+    it('returns true for file within scope directory', () => {
+      expect(isInScope('src/auth/login.ts', 'src/auth')).toBe(true);
+    });
+
+    it('returns false for file outside scope directory', () => {
+      expect(isInScope('src/user/user.ts', 'src/auth')).toBe(false);
+    });
+
+    it('returns false for parent traversal attempts', () => {
+      expect(isInScope('src/auth/../user/user.ts', 'src/auth')).toBe(false);
+    });
+
+    it('returns true for deeply nested files within scope', () => {
+      expect(isInScope('src/auth/deep/nested/file.ts', 'src/auth')).toBe(true);
+    });
+
+    it('returns true for exact directory match', () => {
+      expect(isInScope('src/auth', 'src/auth')).toBe(true);
+    });
+
+    it('returns false when file path starts with scope but is a different dir', () => {
+      // src/authorization is not inside src/auth
+      expect(isInScope('src/authorization/file.ts', 'src/auth')).toBe(false);
+    });
+
+    it('handles trailing slashes consistently', () => {
+      expect(isInScope('src/auth/file.ts', 'src/auth/')).toBe(true);
+      expect(isInScope('src/auth/file.ts', 'src/auth')).toBe(true);
+    });
+
+    it('returns false for empty inputs', () => {
+      expect(isInScope('', 'src/auth')).toBe(false);
+      expect(isInScope('src/auth/file.ts', '')).toBe(false);
+    });
+
+    it('returns false for null/undefined inputs', () => {
+      expect(isInScope(null, 'src/auth')).toBe(false);
+      expect(isInScope('src/auth/file.ts', null)).toBe(false);
+    });
+  });
+});

package/server/lib/field-report.js

@@ -0,0 +1,92 @@
+/**
+ * Field Report Module — Agent Self-Rating
+ *
+ * After build/review, the agent rates its experience and files structured
+ * reports when quality falls below threshold (rating < 8).
+ */
+
+/** Rating threshold — reports are filed when rating is below this value */
+const REPORT_THRESHOLD = 8;
+
+/**
+ * Determine whether a field report should be filed based on the rating.
+ * @param {number} rating - Self-assessed quality rating (0–10)
+ * @returns {boolean} true if rating < 8, false otherwise
+ */
+function shouldFileReport(rating) {
+  if (typeof rating !== 'number') {
+    throw new TypeError('rating must be a number');
+  }
+  return rating < REPORT_THRESHOLD;
+}
+
+/**
+ * Create a formatted field report from the given parameters.
+ * @param {object} params
+ * @param {string} params.skill - The TLC skill that was executed (e.g. 'tlc:build')
+ * @param {number} params.rating - Self-assessed quality rating (0–10)
+ * @param {string} params.issue - Description of the issue encountered
+ * @param {string} params.suggestion - Suggested improvement
+ * @param {() => Date} [params.now] - Optional clock function for deterministic dates
+ * @returns {string} Formatted markdown report
+ */
+function createFieldReport({ skill, rating, issue, suggestion, now }) {
+  if (!skill) {
+    throw new Error('skill is required');
+  }
+  if (typeof rating !== 'number') {
+    throw new TypeError('rating must be a number');
+  }
+  if (!issue) {
+    throw new Error('issue is required');
+  }
+  if (!suggestion) {
+    throw new Error('suggestion is required');
+  }
+
+  const date = (now ? now() : new Date()).toISOString();
+  const critical = rating === 0 ? ' CRITICAL' : '';
+  const heading = `## ${date} ${skill} ${rating}/10${critical} — ${issue}`;
+  const body = `**Suggestion:** ${suggestion}`;
+
+  return `${heading}\n\n${body}\n`;
+}
+
+/**
+ * Format a report string as a single markdown section.
+ * Ensures the entry ends with exactly one trailing newline.
+ * @param {string} report - Raw report content from createFieldReport
+ * @returns {string} Formatted markdown section with trailing newline
+ */
+function formatReportEntry(report) {
+  if (typeof report !== 'string') {
+    throw new TypeError('report must be a string');
+  }
+  return report.trimEnd() + '\n';
+}
+
+/**
+ * Append a new report to existing file content.
+ * If existing content is empty, creates a new document with a header.
+ * @param {string} existingContent - Current file content (may be empty)
+ * @param {string} newReport - New report to append
+ * @returns {string} Combined content
+ */
+function appendReport(existingContent, newReport) {
+  if (typeof existingContent !== 'string') {
+    throw new TypeError('existingContent must be a string');
+  }
+  if (typeof newReport !== 'string') {
+    throw new TypeError('newReport must be a string');
+  }
+
+  const entry = formatReportEntry(newReport);
+
+  if (!existingContent) {
+    return `# Field Reports\n\n${entry}`;
+  }
+
+  return `${existingContent}\n\n---\n\n${entry}`;
+}
+
+module.exports = { shouldFileReport, createFieldReport, formatReportEntry, appendReport };

package/server/lib/field-report.test.js

@@ -0,0 +1,195 @@
+/**
+ * Field Report Tests
+ *
+ * Tests for agent self-rating field report module.
+ * Reports are filed when quality is below threshold.
+ */
+
+import { describe, it, expect } from 'vitest';
+
+import {
+  shouldFileReport,
+  createFieldReport,
+  formatReportEntry,
+  appendReport,
+} from './field-report.js';
+
+const FIXED_DATE = '2026-03-26T12:00:00.000Z';
+const nowFn = () => new Date(FIXED_DATE);
+
+describe('field-report', () => {
+  describe('shouldFileReport', () => {
+    it('returns false for rating 10', () => {
+      expect(shouldFileReport(10)).toBe(false);
+    });
+
+    it('returns false for rating 9', () => {
+      expect(shouldFileReport(9)).toBe(false);
+    });
+
+    it('returns false for rating 8', () => {
+      expect(shouldFileReport(8)).toBe(false);
+    });
+
+    it('returns true for rating 7', () => {
+      expect(shouldFileReport(7)).toBe(true);
+    });
+
+    it('returns true for rating 0', () => {
+      expect(shouldFileReport(0)).toBe(true);
+    });
+
+    it('returns true for rating 1', () => {
+      expect(shouldFileReport(1)).toBe(true);
+    });
+
+    it('returns true for rating 5', () => {
+      expect(shouldFileReport(5)).toBe(true);
+    });
+  });
+
+  describe('createFieldReport', () => {
+    it('returns markdown with all fields', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 5,
+        issue: 'Tests were flaky',
+        suggestion: 'Add retry logic',
+        now: nowFn,
+      });
+
+      expect(report).toContain('tlc:build');
+      expect(report).toContain('5/10');
+      expect(report).toContain('Tests were flaky');
+      expect(report).toContain('Add retry logic');
+      expect(report).toContain('**Suggestion:**');
+    });
+
+    it('includes CRITICAL marker for rating 0', () => {
+      const report = createFieldReport({
+        skill: 'tlc:review',
+        rating: 0,
+        issue: 'Complete failure',
+        suggestion: 'Start over',
+        now: nowFn,
+      });
+
+      expect(report).toContain('CRITICAL');
+      expect(report).toContain('0/10');
+    });
+
+    it('does not include CRITICAL marker for rating above 0', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 3,
+        issue: 'Poor quality',
+        suggestion: 'Improve',
+        now: nowFn,
+      });
+
+      expect(report).not.toContain('CRITICAL');
+    });
+
+    it('includes ISO date string', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 5,
+        issue: 'Flaky',
+        suggestion: 'Fix it',
+        now: nowFn,
+      });
+
+      expect(report).toContain('2026-03-26');
+    });
+
+    it('follows expected heading format', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 5,
+        issue: 'Tests were flaky',
+        suggestion: 'Add retry logic',
+        now: nowFn,
+      });
+
+      expect(report).toMatch(
+        /^## 2026-03-26T12:00:00\.000Z tlc:build 5\/10 — Tests were flaky/
+      );
+    });
+  });
+
+  describe('formatReportEntry', () => {
+    it('returns properly formatted markdown section', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 4,
+        issue: 'Slow tests',
+        suggestion: 'Parallelize',
+        now: nowFn,
+      });
+
+      const entry = formatReportEntry(report);
+
+      expect(entry).toContain('## 2026-03-26');
+      expect(entry).toContain('tlc:build');
+      expect(entry).toContain('4/10');
+      expect(entry).toContain('Slow tests');
+      expect(entry).toContain('**Suggestion:** Parallelize');
+      // Entry should end with a newline
+      expect(entry.endsWith('\n')).toBe(true);
+    });
+
+    it('returns the report unchanged if already formatted', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 6,
+        issue: 'Minor issue',
+        suggestion: 'Tweak config',
+        now: nowFn,
+      });
+
+      const entry = formatReportEntry(report);
+      // formatReportEntry should ensure trailing newline
+      expect(entry).toBe(report.trimEnd() + '\n');
+    });
+  });
+
+  describe('appendReport', () => {
+    it('appends to existing content with separator', () => {
+      const report = createFieldReport({
+        skill: 'tlc:build',
+        rating: 5,
+        issue: 'Flaky tests',
+        suggestion: 'Add retries',
+        now: nowFn,
+      });
+
+      const result = appendReport('existing content', report);
+
+      expect(result).toContain('existing content');
+      expect(result).toContain(report.trim());
+      // Existing content comes first
+      expect(result.indexOf('existing content')).toBeLessThan(
+        result.indexOf('tlc:build')
+      );
+      // Has separator between existing and new
+      expect(result).toMatch(/existing content\n\n---\n\n/);
+    });
+
+    it('creates fresh content with header when existing is empty', () => {
+      const report = createFieldReport({
+        skill: 'tlc:review',
+        rating: 3,
+        issue: 'Missed edge case',
+        suggestion: 'Check boundaries',
+        now: nowFn,
+      });
+
+      const result = appendReport('', report);
+
+      expect(result).toContain('# Field Reports');
+      expect(result).toContain(report.trim());
+      // No separator before first report
+      expect(result).not.toMatch(/---\n\n##/);
+    });
+  });
+});