veto-leash 0.1.0 → 0.1.2

package/src/native/windsurf.ts

@@ -1,231 +0,0 @@
-// src/native/windsurf.ts
-// Windsurf native hook integration (Cascade Hooks)
-// Very similar to Claude Code - supports pre_write_code, pre_run_command hooks
-
-import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
-import type { Policy } from '../types.js';
-import { COLORS, SYMBOLS } from '../ui/colors.js';
-
-const WINDSURF_USER_CONFIG = join(homedir(), '.codeium', 'windsurf', 'hooks.json');
-const WINDSURF_WORKSPACE_CONFIG = '.windsurf/hooks.json';
-const VETO_SCRIPTS_DIR = join(homedir(), '.codeium', 'windsurf', 'veto-leash');
-
-interface WindsurfHooksConfig {
-  hooks?: {
-    pre_write_code?: Array<{ command: string; show_output?: boolean }>;
-    pre_run_command?: Array<{ command: string; show_output?: boolean }>;
-    pre_read_code?: Array<{ command: string; show_output?: boolean }>;
-    [key: string]: unknown;
-  };
-}
-
-/**
- * Install veto-leash as Windsurf Cascade hooks
- */
-export async function installWindsurfHooks(
-  target: 'user' | 'workspace' = 'user'
-): Promise<void> {
-  console.log(`\n${COLORS.info}Installing veto-leash for Windsurf (${target})...${COLORS.reset}\n`);
-
-  // Create scripts directory and validator
-  mkdirSync(VETO_SCRIPTS_DIR, { recursive: true });
-  mkdirSync(join(VETO_SCRIPTS_DIR, 'policies'), { recursive: true });
-
-  const validatorPath = join(VETO_SCRIPTS_DIR, 'validator.py');
-  writeFileSync(validatorPath, VALIDATOR_SCRIPT, { mode: 0o755 });
-  console.log(`  ${COLORS.success}${SYMBOLS.success}${COLORS.reset} Created validator: ${validatorPath}`);
-
-  // Determine config path
-  const configPath = target === 'user' ? WINDSURF_USER_CONFIG : WINDSURF_WORKSPACE_CONFIG;
-  const configDir = target === 'user' 
-    ? join(homedir(), '.codeium', 'windsurf')
-    : '.windsurf';
-
-  // Load existing config
-  let config: WindsurfHooksConfig = { hooks: {} };
-  if (existsSync(configPath)) {
-    try {
-      config = JSON.parse(readFileSync(configPath, 'utf-8'));
-    } catch {
-      // Start fresh
-    }
-  }
-
-  if (!config.hooks) config.hooks = {};
-
-  // Add veto-leash hooks
-  const hookCommand = `python3 "${validatorPath}"`;
-
-  // Helper to add hook if not exists
-  const addHook = (hookName: string) => {
-    if (!config.hooks![hookName]) {
-      config.hooks![hookName] = [];
-    }
-    const hooks = config.hooks![hookName] as Array<{ command: string; show_output?: boolean }>;
-    const exists = hooks.some(h => h.command.includes('veto-leash'));
-    if (!exists) {
-      hooks.unshift({ command: hookCommand, show_output: true });
-    }
-  };
-
-  addHook('pre_write_code');
-  addHook('pre_run_command');
-
-  // Write config
-  mkdirSync(configDir, { recursive: true });
-  writeFileSync(configPath, JSON.stringify(config, null, 2));
-  console.log(`  ${COLORS.success}${SYMBOLS.success}${COLORS.reset} Updated: ${configPath}`);
-
-  console.log(`\n${COLORS.success}${SYMBOLS.success} veto-leash installed for Windsurf${COLORS.reset}\n`);
-  console.log(`Add policies with: ${COLORS.dim}leash add "don't delete test files"${COLORS.reset}\n`);
-}
-
-/**
- * Add a policy for Windsurf
- */
-export async function addWindsurfPolicy(policy: Policy, name: string): Promise<void> {
-  const policiesDir = join(VETO_SCRIPTS_DIR, 'policies');
-  mkdirSync(policiesDir, { recursive: true });
-
-  const policyFile = join(policiesDir, `${name}.json`);
-  writeFileSync(policyFile, JSON.stringify(policy, null, 2));
-  console.log(`${COLORS.success}${SYMBOLS.success}${COLORS.reset} Windsurf policy saved: ${policyFile}`);
-}
-
-/**
- * Uninstall veto-leash from Windsurf
- */
-export async function uninstallWindsurfHooks(
-  target: 'user' | 'workspace' = 'user'
-): Promise<void> {
-  const configPath = target === 'user' ? WINDSURF_USER_CONFIG : WINDSURF_WORKSPACE_CONFIG;
-
-  if (!existsSync(configPath)) {
-    console.log(`${COLORS.dim}No Windsurf config found at ${configPath}${COLORS.reset}`);
-    return;
-  }
-
-  try {
-    const config: WindsurfHooksConfig = JSON.parse(readFileSync(configPath, 'utf-8'));
-
-    if (config.hooks) {
-      for (const hookName of Object.keys(config.hooks)) {
-        const hooks = config.hooks[hookName];
-        if (Array.isArray(hooks)) {
-          config.hooks[hookName] = hooks.filter(
-            (h: { command: string }) => !h.command.includes('veto-leash')
-          );
-        }
-      }
-    }
-
-    writeFileSync(configPath, JSON.stringify(config, null, 2));
-    console.log(`${COLORS.success}${SYMBOLS.success} Removed veto-leash from Windsurf${COLORS.reset}`);
-  } catch {
-    console.log(`${COLORS.warning}${SYMBOLS.warning} Could not parse Windsurf config${COLORS.reset}`);
-  }
-}
-
-/**
- * Python validator script for Windsurf Cascade hooks.
- * Handles pre_write_code and pre_run_command events.
- */
-const VALIDATOR_SCRIPT = `#!/usr/bin/env python3
-"""
-veto-leash validator for Windsurf Cascade hooks.
-Exit code 2 blocks the action.
-"""
-
-import json
-import sys
-import os
-import re
-from pathlib import Path
-from fnmatch import fnmatch
-
-POLICIES_DIR = Path(__file__).parent / "policies"
-
-def load_policies():
-    policies = []
-    if POLICIES_DIR.exists():
-        for f in POLICIES_DIR.glob("*.json"):
-            try:
-                policies.append(json.loads(f.read_text()))
-            except:
-                pass
-    return policies
-
-def normalize_path(p):
-    return str(p).replace("\\\\", "/")
-
-def matches_pattern(target, pattern):
-    target = normalize_path(target)
-    pattern = normalize_path(pattern)
-    basename = os.path.basename(target)
-    return fnmatch(target, pattern) or fnmatch(basename, pattern)
-
-def is_protected(target, policy):
-    matches_include = any(matches_pattern(target, p) for p in policy.get("include", []))
-    if not matches_include:
-        return False
-    matches_exclude = any(matches_pattern(target, p) for p in policy.get("exclude", []))
-    return not matches_exclude
-
-def parse_command_targets(command, action):
-    targets = []
-    if action == "delete":
-        rm_match = re.search(r'\\brm\\s+(?:-[rfiv]+\\s+)*(.+)', command)
-        if rm_match:
-            for arg in rm_match.group(1).split():
-                if not arg.startswith('-'):
-                    targets.append(arg)
-        git_rm = re.search(r'\\bgit\\s+rm\\s+(?:-[rf]+\\s+)*(.+)', command)
-        if git_rm:
-            for arg in git_rm.group(1).split():
-                if not arg.startswith('-'):
-                    targets.append(arg)
-    return targets
-
-def main():
-    try:
-        input_data = json.load(sys.stdin)
-    except:
-        sys.exit(0)
-
-    action_name = input_data.get("agent_action_name", "")
-    tool_info = input_data.get("tool_info", {})
-    policies = load_policies()
-
-    if not policies:
-        sys.exit(0)
-
-    targets = []
-
-    if action_name == "pre_write_code":
-        file_path = tool_info.get("file_path", "")
-        if file_path:
-            targets.append(file_path)
-
-    elif action_name == "pre_run_command":
-        command = tool_info.get("command_line", "")
-        for policy in policies:
-            action = policy.get("action", "modify")
-            targets.extend(parse_command_targets(command, action))
-
-    for target in targets:
-        for policy in policies:
-            if is_protected(target, policy):
-                desc = policy.get("description", "Protected file")
-                print(f"veto-leash: BLOCKED", file=sys.stderr)
-                print(f"  Target: {target}", file=sys.stderr)
-                print(f"  Policy: {desc}", file=sys.stderr)
-                print(f"  Filesystem unchanged.", file=sys.stderr)
-                sys.exit(2)
-
-    sys.exit(0)
-
-if __name__ == "__main__":
-    main()
-`;

package/src/types.ts

@@ -1,48 +0,0 @@
-// src/types.ts
-
-export interface Policy {
-  action: 'delete' | 'modify' | 'execute' | 'read';
-  include: string[];
-  exclude: string[];
-  description: string;
-}
-
-export interface CheckRequest {
-  action: string;
-  target: string;
-}
-
-export interface CheckResponse {
-  allowed: boolean;
-  reason?: string;
-}
-
-export interface SessionState {
-  pid: number;
-  agent: string;
-  policy: Policy;
-  startTime: Date;
-  blockedCount: number;
-  allowedCount: number;
-  blockedActions: Array<{ time: Date; action: string; target: string }>;
-}
-
-export interface Config {
-  failClosed: boolean;
-  fallbackToBuiltins: boolean;
-  warnBroadPatterns: boolean;
-  maxSnapshotFiles: number;
-  maxMemoryCacheSize: number;
-  auditLog: boolean;
-  verbose: boolean;
-}
-
-export const DEFAULT_CONFIG: Config = {
-  failClosed: true,
-  fallbackToBuiltins: true,
-  warnBroadPatterns: true,
-  maxSnapshotFiles: 10000,
-  maxMemoryCacheSize: 100 * 1024,
-  auditLog: false,
-  verbose: false,
-};

package/src/ui/colors.ts

@@ -1,50 +0,0 @@
-// src/ui/colors.ts
-
-const isTTY = process.stdout.isTTY && process.stderr.isTTY;
-const noColor = process.env.NO_COLOR !== undefined || process.env.TERM === 'dumb';
-
-function color(code: string): string {
-  return isTTY && !noColor ? code : '';
-}
-
-export const COLORS = {
-  success: color('\x1b[32m'),
-  error: color('\x1b[31m'),
-  warning: color('\x1b[33m'),
-  info: color('\x1b[36m'),
-  dim: color('\x1b[90m'),
-  bold: color('\x1b[1m'),
-  reset: color('\x1b[0m'),
-};
-
-export const SYMBOLS = {
-  success: '\u2713',
-  error: '\u2717',
-  blocked: '\u26D4',
-  warning: '\u26A0',
-  arrow: '\u2192',
-  bullet: '\u2022',
-};
-
-const SPINNER_FRAMES = ['\u25D0', '\u25D3', '\u25D1', '\u25D2'];
-
-export function createSpinner(message: string): { stop: () => void } {
-  if (!isTTY) {
-    console.log(message);
-    return { stop: () => {} };
-  }
-
-  let i = 0;
-  const interval = setInterval(() => {
-    process.stdout.write(
-      `\r${COLORS.dim}${SPINNER_FRAMES[i++ % 4]} ${message}${COLORS.reset}`
-    );
-  }, 100);
-
-  return {
-    stop: () => {
-      clearInterval(interval);
-      process.stdout.write('\r\x1b[K'); // Clear line
-    },
-  };
-}

package/src/watchdog/index.ts

@@ -1,82 +0,0 @@
-// src/watchdog/index.ts
-// Watchdog mode orchestrator
-
-import type { FSWatcher } from 'chokidar';
-import type { Policy } from '../types.js';
-import { createSnapshot, cleanupSnapshot, generateSessionId, type Snapshot } from './snapshot.js';
-import { createWatcher, type WatcherStats } from './watcher.js';
-import { COLORS, SYMBOLS } from '../ui/colors.js';
-
-export interface WatchdogSession {
-  sessionId: string;
-  rootDir: string;
-  policy: Policy;
-  snapshot: Snapshot;
-  watcher: FSWatcher;
-  stats: WatcherStats;
-  startTime: Date;
-}
-
-/**
- * Start watchdog mode - monitors and auto-restores protected files
- */
-export async function startWatchdog(
-  rootDir: string,
-  policy: Policy
-): Promise<WatchdogSession> {
-  const sessionId = generateSessionId();
-  const startTime = new Date();
-
-  // Create snapshot of protected files
-  const snapshot = await createSnapshot(rootDir, policy, sessionId);
-
-  // Start filesystem watcher
-  const { watcher, stats } = createWatcher({
-    rootDir,
-    policy,
-    snapshot,
-  });
-
-  return {
-    sessionId,
-    rootDir,
-    policy,
-    snapshot,
-    watcher,
-    stats,
-    startTime,
-  };
-}
-
-/**
- * Stop watchdog mode and print summary
- */
-export async function stopWatchdog(session: WatchdogSession): Promise<void> {
-  const duration = Date.now() - session.startTime.getTime();
-  const minutes = Math.floor(duration / 60000);
-  const seconds = Math.floor((duration % 60000) / 1000);
-
-  // Close watcher
-  await session.watcher.close();
-
-  // Print summary
-  console.log(`\n${COLORS.success}${SYMBOLS.success} veto-leash watchdog ended${COLORS.reset}\n`);
-  console.log(`   Duration: ${minutes}m ${seconds}s`);
-  console.log(`   Files protected: ${session.snapshot.files.size}`);
-  console.log(`   Auto-restored: ${session.stats.restored}`);
-
-  if (session.stats.events.length > 0) {
-    console.log(`\n   Recent events:`);
-    for (const event of session.stats.events.slice(-5)) {
-      console.log(`     ${SYMBOLS.bullet} ${event.action} ${event.path}`);
-    }
-  }
-  console.log('');
-
-  // Cleanup snapshot (optional - keep for debugging)
-  // cleanupSnapshot(session.sessionId);
-}
-
-export { createSnapshot, cleanupSnapshot, generateSessionId } from './snapshot.js';
-export { restoreFile, restoreAll } from './restore.js';
-export { createWatcher } from './watcher.js';

package/src/watchdog/restore.ts

@@ -1,74 +0,0 @@
-// src/watchdog/restore.ts
-// File restoration from snapshots
-
-import { existsSync, writeFileSync, mkdirSync } from 'fs';
-import { join, dirname } from 'path';
-import type { Snapshot } from './snapshot.js';
-import { getSnapshotContent } from './snapshot.js';
-import { normalizePath } from '../matcher.js';
-
-/**
- * Restore a file from snapshot
- * Returns true if restored, false if no snapshot exists
- */
-export function restoreFile(
-  snapshot: Snapshot,
-  filePath: string,
-  rootDir: string
-): boolean {
-  const normalizedPath = normalizePath(filePath);
-  const content = getSnapshotContent(snapshot, normalizedPath);
-  
-  if (!content) return false;
-  
-  const fullPath = join(rootDir, normalizedPath);
-  const dir = dirname(fullPath);
-  
-  // Ensure directory exists
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
-  
-  // Write restored content
-  writeFileSync(fullPath, content);
-  
-  return true;
-}
-
-/**
- * Restore all files from snapshot
- * Returns count of restored files
- */
-export function restoreAll(snapshot: Snapshot, rootDir: string): number {
-  let restored = 0;
-  
-  for (const [filePath] of snapshot.files) {
-    const fullPath = join(rootDir, filePath);
-    
-    // Only restore if file is missing or different
-    if (!existsSync(fullPath)) {
-      if (restoreFile(snapshot, filePath, rootDir)) {
-        restored++;
-      }
-    }
-  }
-  
-  return restored;
-}
-
-/**
- * Check what files would be restored
- */
-export function previewRestore(snapshot: Snapshot, rootDir: string): string[] {
-  const toRestore: string[] = [];
-  
-  for (const [filePath] of snapshot.files) {
-    const fullPath = join(rootDir, filePath);
-    
-    if (!existsSync(fullPath)) {
-      toRestore.push(filePath);
-    }
-  }
-  
-  return toRestore;
-}

package/src/watchdog/snapshot.ts

@@ -1,209 +0,0 @@
-// src/watchdog/snapshot.ts
-// File snapshot system for watchdog mode
-
-import { existsSync, readFileSync, mkdirSync, writeFileSync, readdirSync, statSync, unlinkSync } from 'fs';
-import { join, dirname, relative } from 'path';
-import { homedir } from 'os';
-import { createHash } from 'crypto';
-import { glob } from 'glob';
-import type { Policy } from '../types.js';
-import { isProtected, normalizePath } from '../matcher.js';
-
-const SNAPSHOT_DIR = join(homedir(), '.config', 'veto-leash', 'snapshots');
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB max per file
-const MAX_TOTAL_SIZE = 100 * 1024 * 1024; // 100MB max total
-
-export interface Snapshot {
-  sessionId: string;
-  rootDir: string;
-  files: Map<string, SnapshotEntry>;
-  createdAt: Date;
-}
-
-export interface SnapshotEntry {
-  path: string;
-  hash: string;
-  size: number;
-  snapshotPath: string;
-}
-
-/**
- * Create a snapshot of all files matching the policy
- */
-export async function createSnapshot(
-  rootDir: string,
-  policy: Policy,
-  sessionId: string
-): Promise<Snapshot> {
-  const sessionDir = join(SNAPSHOT_DIR, sessionId);
-  mkdirSync(sessionDir, { recursive: true });
-
-  const snapshot: Snapshot = {
-    sessionId,
-    rootDir: normalizePath(rootDir),
-    files: new Map(),
-    createdAt: new Date(),
-  };
-
-  // Find all files matching include patterns
-  const matchedFiles = await findMatchingFiles(rootDir, policy);
-  
-  let totalSize = 0;
-  
-  for (const filePath of matchedFiles) {
-    const fullPath = join(rootDir, filePath);
-    
-    if (!existsSync(fullPath)) continue;
-    
-    const stat = statSync(fullPath);
-    if (!stat.isFile()) continue;
-    if (stat.size > MAX_FILE_SIZE) continue;
-    if (totalSize + stat.size > MAX_TOTAL_SIZE) break;
-    
-    const content = readFileSync(fullPath);
-    const hash = createHash('sha256').update(content).digest('hex').slice(0, 16);
-    
-    // Store with hash prefix for deduplication
-    const snapshotPath = join(sessionDir, hash);
-    if (!existsSync(snapshotPath)) {
-      writeFileSync(snapshotPath, content);
-    }
-    
-    snapshot.files.set(filePath, {
-      path: filePath,
-      hash,
-      size: stat.size,
-      snapshotPath,
-    });
-    
-    totalSize += stat.size;
-  }
-
-  // Write manifest
-  const manifest = {
-    sessionId,
-    rootDir: snapshot.rootDir,
-    createdAt: snapshot.createdAt.toISOString(),
-    files: Array.from(snapshot.files.entries()).map(([path, entry]) => ({
-      path,
-      hash: entry.hash,
-      size: entry.size,
-    })),
-  };
-  
-  writeFileSync(join(sessionDir, 'manifest.json'), JSON.stringify(manifest, null, 2));
-  
-  return snapshot;
-}
-
-/**
- * Find all files matching the policy's include patterns
- */
-async function findMatchingFiles(rootDir: string, policy: Policy): Promise<string[]> {
-  const allFiles: string[] = [];
-  
-  for (const pattern of policy.include) {
-    const matches = await glob(pattern, {
-      cwd: rootDir,
-      dot: true,
-      nodir: true,
-      ignore: ['node_modules/**', '.git/**'],
-    });
-    allFiles.push(...matches);
-  }
-  
-  // Dedupe and filter by policy
-  const unique = [...new Set(allFiles)];
-  return unique.filter(f => isProtected(f, policy));
-}
-
-/**
- * Get the snapshot content for a file
- */
-export function getSnapshotContent(snapshot: Snapshot, filePath: string): Buffer | null {
-  const entry = snapshot.files.get(normalizePath(filePath));
-  if (!entry) return null;
-  
-  if (!existsSync(entry.snapshotPath)) return null;
-  
-  return readFileSync(entry.snapshotPath);
-}
-
-/**
- * Check if a file has been modified since snapshot
- */
-export function hasChanged(snapshot: Snapshot, filePath: string, rootDir: string): boolean {
-  const normalizedPath = normalizePath(filePath);
-  const entry = snapshot.files.get(normalizedPath);
-  
-  if (!entry) return false; // Not in snapshot, can't detect change
-  
-  const fullPath = join(rootDir, normalizedPath);
-  
-  if (!existsSync(fullPath)) return true; // Deleted
-  
-  const content = readFileSync(fullPath);
-  const currentHash = createHash('sha256').update(content).digest('hex').slice(0, 16);
-  
-  return currentHash !== entry.hash;
-}
-
-/**
- * Load an existing snapshot from disk
- */
-export function loadSnapshot(sessionId: string): Snapshot | null {
-  const sessionDir = join(SNAPSHOT_DIR, sessionId);
-  const manifestPath = join(sessionDir, 'manifest.json');
-  
-  if (!existsSync(manifestPath)) return null;
-  
-  try {
-    const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
-    const snapshot: Snapshot = {
-      sessionId: manifest.sessionId,
-      rootDir: manifest.rootDir,
-      files: new Map(),
-      createdAt: new Date(manifest.createdAt),
-    };
-    
-    for (const file of manifest.files) {
-      snapshot.files.set(file.path, {
-        path: file.path,
-        hash: file.hash,
-        size: file.size,
-        snapshotPath: join(sessionDir, file.hash),
-      });
-    }
-    
-    return snapshot;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Clean up a snapshot session
- */
-export function cleanupSnapshot(sessionId: string): void {
-  const sessionDir = join(SNAPSHOT_DIR, sessionId);
-  
-  if (!existsSync(sessionDir)) return;
-  
-  try {
-    const files = readdirSync(sessionDir);
-    for (const file of files) {
-      unlinkSync(join(sessionDir, file));
-    }
-    // Remove directory
-    require('fs').rmdirSync(sessionDir);
-  } catch {
-    // Ignore cleanup errors
-  }
-}
-
-/**
- * Generate a unique session ID
- */
-export function generateSessionId(): string {
-  return `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
-}