npm - veto-leash - Versions diffs - 0.1.0 - Mend

veto-leash 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

package/IMPLEMENTATION_PLAN.md +2194 -0
package/LICENSE +201 -0
package/README.md +260 -0
package/dist/audit/index.d.ts +38 -0
package/dist/audit/index.d.ts.map +1 -0
package/dist/audit/index.js +132 -0
package/dist/audit/index.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +406 -0
package/dist/cli.js.map +1 -0
package/dist/cloud/index.d.ts +40 -0
package/dist/cloud/index.d.ts.map +1 -0
package/dist/cloud/index.js +115 -0
package/dist/cloud/index.js.map +1 -0
package/dist/compiler/builtins.d.ts +6 -0
package/dist/compiler/builtins.d.ts.map +1 -0
package/dist/compiler/builtins.js +129 -0
package/dist/compiler/builtins.js.map +1 -0
package/dist/compiler/cache.d.ts +6 -0
package/dist/compiler/cache.d.ts.map +1 -0
package/dist/compiler/cache.js +49 -0
package/dist/compiler/cache.js.map +1 -0
package/dist/compiler/index.d.ts +3 -0
package/dist/compiler/index.d.ts.map +1 -0
package/dist/compiler/index.js +48 -0
package/dist/compiler/index.js.map +1 -0
package/dist/compiler/llm.d.ts +3 -0
package/dist/compiler/llm.d.ts.map +1 -0
package/dist/compiler/llm.js +69 -0
package/dist/compiler/llm.js.map +1 -0
package/dist/compiler/prompt.d.ts +2 -0
package/dist/compiler/prompt.d.ts.map +1 -0
package/dist/compiler/prompt.js +37 -0
package/dist/compiler/prompt.js.map +1 -0
package/dist/config/loader.d.ts +22 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +100 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/schema.d.ts +42 -0
package/dist/config/schema.d.ts.map +1 -0
package/dist/config/schema.js +93 -0
package/dist/config/schema.js.map +1 -0
package/dist/matcher.d.ts +22 -0
package/dist/matcher.d.ts.map +1 -0
package/dist/matcher.js +69 -0
package/dist/matcher.js.map +1 -0
package/dist/native/aider.d.ts +10 -0
package/dist/native/aider.d.ts.map +1 -0
package/dist/native/aider.js +120 -0
package/dist/native/aider.js.map +1 -0
package/dist/native/claude-code.d.ts +14 -0
package/dist/native/claude-code.d.ts.map +1 -0
package/dist/native/claude-code.js +273 -0
package/dist/native/claude-code.js.map +1 -0
package/dist/native/cursor.d.ts +11 -0
package/dist/native/cursor.d.ts.map +1 -0
package/dist/native/cursor.js +105 -0
package/dist/native/cursor.js.map +1 -0
package/dist/native/index.d.ts +35 -0
package/dist/native/index.d.ts.map +1 -0
package/dist/native/index.js +171 -0
package/dist/native/index.js.map +1 -0
package/dist/native/opencode.d.ts +22 -0
package/dist/native/opencode.d.ts.map +1 -0
package/dist/native/opencode.js +225 -0
package/dist/native/opencode.js.map +1 -0
package/dist/native/windsurf.d.ts +14 -0
package/dist/native/windsurf.d.ts.map +1 -0
package/dist/native/windsurf.js +198 -0
package/dist/native/windsurf.js.map +1 -0
package/dist/types.d.ts +38 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +11 -0
package/dist/types.js.map +1 -0
package/dist/ui/colors.d.ts +21 -0
package/dist/ui/colors.d.ts.map +1 -0
package/dist/ui/colors.js +41 -0
package/dist/ui/colors.js.map +1 -0
package/dist/watchdog/index.d.ts +25 -0
package/dist/watchdog/index.d.ts.map +1 -0
package/dist/watchdog/index.js +57 -0
package/dist/watchdog/index.js.map +1 -0
package/dist/watchdog/restore.d.ts +16 -0
package/dist/watchdog/restore.d.ts.map +1 -0
package/dist/watchdog/restore.js +56 -0
package/dist/watchdog/restore.js.map +1 -0
package/dist/watchdog/snapshot.d.ts +38 -0
package/dist/watchdog/snapshot.d.ts.map +1 -0
package/dist/watchdog/snapshot.js +166 -0
package/dist/watchdog/snapshot.js.map +1 -0
package/dist/watchdog/watcher.d.ts +28 -0
package/dist/watchdog/watcher.d.ts.map +1 -0
package/dist/watchdog/watcher.js +117 -0
package/dist/watchdog/watcher.js.map +1 -0
package/dist/wrapper/daemon.d.ts +12 -0
package/dist/wrapper/daemon.d.ts.map +1 -0
package/dist/wrapper/daemon.js +103 -0
package/dist/wrapper/daemon.js.map +1 -0
package/dist/wrapper/shims.d.ts +4 -0
package/dist/wrapper/shims.d.ts.map +1 -0
package/dist/wrapper/shims.js +390 -0
package/dist/wrapper/shims.js.map +1 -0
package/dist/wrapper/spawn.d.ts +4 -0
package/dist/wrapper/spawn.d.ts.map +1 -0
package/dist/wrapper/spawn.js +35 -0
package/dist/wrapper/spawn.js.map +1 -0
package/package.json +46 -0
package/src/audit/index.ts +172 -0
package/src/cli.ts +503 -0
package/src/cloud/index.ts +139 -0
package/src/compiler/builtins.ts +137 -0
package/src/compiler/cache.ts +51 -0
package/src/compiler/index.ts +59 -0
package/src/compiler/llm.ts +83 -0
package/src/compiler/prompt.ts +37 -0
package/src/config/loader.ts +126 -0
package/src/config/schema.ts +136 -0
package/src/matcher.ts +89 -0
package/src/native/aider.ts +150 -0
package/src/native/claude-code.ts +308 -0
package/src/native/cursor.ts +131 -0
package/src/native/index.ts +233 -0
package/src/native/opencode.ts +310 -0
package/src/native/windsurf.ts +231 -0
package/src/types.ts +48 -0
package/src/ui/colors.ts +50 -0
package/src/watchdog/index.ts +82 -0
package/src/watchdog/restore.ts +74 -0
package/src/watchdog/snapshot.ts +209 -0
package/src/watchdog/watcher.ts +150 -0
package/src/wrapper/daemon.ts +133 -0
package/src/wrapper/shims.ts +409 -0
package/src/wrapper/spawn.ts +47 -0
package/tsconfig.json +20 -0

package/src/native/index.ts ADDED Viewed

@@ -0,0 +1,233 @@
+// src/native/index.ts
+// Agent registry and unified interface for native integrations
+import type { Policy } from '../types.js';
+import { COLORS, SYMBOLS } from '../ui/colors.js';
+// Import all agent integrations
+import {
+  installClaudeCodeHook,
+  addClaudeCodePolicy,
+  uninstallClaudeCodeHook,
+} from './claude-code.js';
+import {
+  installOpenCodePermissions,
+  uninstallOpenCodePermissions,
+  savePolicy as saveOpenCodePolicy,
+} from './opencode.js';
+import {
+  installWindsurfHooks,
+  addWindsurfPolicy,
+  uninstallWindsurfHooks,
+} from './windsurf.js';
+import {
+  installCursorRules,
+  uninstallCursorRules,
+} from './cursor.js';
+import {
+  installAiderConfig,
+  uninstallAiderConfig,
+} from './aider.js';
+export interface AgentInfo {
+  id: string;
+  name: string;
+  aliases: string[];
+  hasNativeHooks: boolean;
+  description: string;
+}
+export const AGENTS: AgentInfo[] = [
+  {
+    id: 'claude-code',
+    name: 'Claude Code',
+    aliases: ['cc', 'claude', 'claude-code'],
+    hasNativeHooks: true,
+    description: 'PreToolUse hooks for Bash/Write/Edit',
+  },
+  {
+    id: 'opencode',
+    name: 'OpenCode',
+    aliases: ['oc', 'opencode'],
+    hasNativeHooks: true,
+    description: 'permission.bash rules in opencode.json',
+  },
+  {
+    id: 'windsurf',
+    name: 'Windsurf',
+    aliases: ['ws', 'windsurf', 'cascade'],
+    hasNativeHooks: true,
+    description: 'Cascade hooks for pre_write_code/pre_run_command',
+  },
+  {
+    id: 'cursor',
+    name: 'Cursor',
+    aliases: ['cursor'],
+    hasNativeHooks: false,
+    description: '.cursorrules AI guidance (not enforcement)',
+  },
+  {
+    id: 'aider',
+    name: 'Aider',
+    aliases: ['aider'],
+    hasNativeHooks: false,
+    description: '.aider.conf.yml read-only files',
+  },
+  {
+    id: 'codex',
+    name: 'Codex CLI',
+    aliases: ['codex', 'codex-cli'],
+    hasNativeHooks: false,
+    description: 'OS sandbox - use watchdog mode',
+  },
+  {
+    id: 'copilot',
+    name: 'GitHub Copilot',
+    aliases: ['copilot', 'gh-copilot'],
+    hasNativeHooks: false,
+    description: 'No hook system - use wrapper mode',
+  },
+];
+/**
+ * Resolve agent alias to agent ID
+ */
+export function resolveAgent(input: string): AgentInfo | null {
+  const normalized = input?.toLowerCase().trim();
+  if (!normalized) return null;
+  for (const agent of AGENTS) {
+    if (agent.aliases.includes(normalized)) {
+      return agent;
+    }
+  }
+  return null;
+}
+/**
+ * Install native integration for an agent
+ */
+export async function installAgent(
+  agentId: string,
+  options: { global?: boolean } = {}
+): Promise<boolean> {
+  const agent = resolveAgent(agentId);
+  if (!agent) {
+    console.error(`${COLORS.error}${SYMBOLS.error} Unknown agent: ${agentId}${COLORS.reset}`);
+    printSupportedAgents();
+    return false;
+  }
+  switch (agent.id) {
+    case 'claude-code':
+      await installClaudeCodeHook();
+      return true;
+    case 'opencode':
+      await installOpenCodePermissions(options.global ? 'global' : 'project');
+      return true;
+    case 'windsurf':
+      await installWindsurfHooks(options.global ? 'user' : 'workspace');
+      return true;
+    case 'cursor':
+      await installCursorRules();
+      return true;
+    case 'aider':
+      await installAiderConfig(options.global ? 'global' : 'project');
+      return true;
+    case 'codex':
+      console.log(`\n${COLORS.warning}${SYMBOLS.warning} Codex CLI uses OS-level sandboxing.${COLORS.reset}`);
+      console.log(`Use watchdog mode for file protection:`);
+      console.log(`  ${COLORS.dim}leash watch "protect test files"${COLORS.reset}\n`);
+      return false;
+    case 'copilot':
+      console.log(`\n${COLORS.warning}${SYMBOLS.warning} GitHub Copilot has no hook system.${COLORS.reset}`);
+      console.log(`Use wrapper mode or watchdog:`);
+      console.log(`  ${COLORS.dim}leash watch "protect .env"${COLORS.reset}\n`);
+      return false;
+    default:
+      console.error(`${COLORS.error}${SYMBOLS.error} No native integration for ${agent.name}${COLORS.reset}`);
+      return false;
+  }
+}
+/**
+ * Uninstall native integration for an agent
+ */
+export async function uninstallAgent(
+  agentId: string,
+  options: { global?: boolean } = {}
+): Promise<boolean> {
+  const agent = resolveAgent(agentId);
+  if (!agent) {
+    console.error(`${COLORS.error}${SYMBOLS.error} Unknown agent: ${agentId}${COLORS.reset}`);
+    return false;
+  }
+  switch (agent.id) {
+    case 'claude-code':
+      await uninstallClaudeCodeHook();
+      return true;
+    case 'opencode':
+      await uninstallOpenCodePermissions(options.global ? 'global' : 'project');
+      return true;
+    case 'windsurf':
+      await uninstallWindsurfHooks(options.global ? 'user' : 'workspace');
+      return true;
+    case 'cursor':
+      await uninstallCursorRules();
+      return true;
+    case 'aider':
+      await uninstallAiderConfig(options.global ? 'global' : 'project');
+      return true;
+    default:
+      console.log(`${COLORS.dim}No native integration to remove for ${agent.name}${COLORS.reset}`);
+      return false;
+  }
+}
+/**
+ * Add a policy to all installed native integrations
+ */
+export async function addPolicyToAgents(
+  policy: Policy,
+  name: string
+): Promise<void> {
+  // Always save to veto-leash config
+  saveOpenCodePolicy(name, policy);
+  // Claude Code
+  await addClaudeCodePolicy(policy, name);
+  // Windsurf
+  await addWindsurfPolicy(policy, name);
+}
+function printSupportedAgents(): void {
+  console.log(`\nSupported agents:`);
+  for (const agent of AGENTS) {
+    const hookStatus = agent.hasNativeHooks ? COLORS.success + 'native' : COLORS.dim + 'wrapper';
+    console.log(`  ${COLORS.dim}${agent.aliases[0].padEnd(12)}${COLORS.reset} ${agent.name} (${hookStatus}${COLORS.reset})`);
+  }
+  console.log('');
+}
+// Re-export individual modules
+export * from './claude-code.js';
+export * from './opencode.js';
+export * from './windsurf.js';
+export * from './cursor.js';
+export * from './aider.js';

package/src/native/opencode.ts ADDED Viewed

@@ -0,0 +1,310 @@
+// src/native/opencode.ts
+// OpenCode native permission integration
+// Generates permission rules for OpenCode's opencode.json config
+import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import type { Policy } from '../types.js';
+import { COLORS, SYMBOLS } from '../ui/colors.js';
+const OPENCODE_GLOBAL_CONFIG = join(
+  homedir(),
+  '.config',
+  'opencode',
+  'opencode.json'
+);
+const OPENCODE_PROJECT_CONFIG = 'opencode.json';
+const VETO_LEASH_CONFIG_DIR = join(homedir(), '.config', 'veto-leash');
+const POLICIES_FILE = join(VETO_LEASH_CONFIG_DIR, 'policies.json');
+interface OpenCodeConfig {
+  $schema?: string;
+  permission?: {
+    edit?: string | Record<string, string>;
+    bash?: string | Record<string, string>;
+    [key: string]: unknown;
+  };
+  [key: string]: unknown;
+}
+interface StoredPolicies {
+  policies: Array<{
+    restriction: string;
+    policy: Policy;
+  }>;
+}
+/**
+ * Convert a veto-leash policy to OpenCode permission rules
+ */
+function policyToOpenCodeRules(policy: Policy): Record<string, string> {
+  const rules: Record<string, string> = {};
+  // Generate bash permission rules based on action and patterns
+  if (policy.action === 'delete') {
+    // Block rm commands for protected files
+    for (const pattern of policy.include) {
+      // Convert glob to OpenCode wildcard format
+      const ocPattern = pattern
+        .replace(/\*\*\//g, '*/')  // **/ -> */
+        .replace(/\*\*/g, '*');    // ** -> *
+      rules[`rm ${ocPattern}`] = 'deny';
+      rules[`rm -f ${ocPattern}`] = 'deny';
+      rules[`rm -rf ${ocPattern}`] = 'deny';
+      rules[`rm -r ${ocPattern}`] = 'deny';
+      rules[`git rm ${ocPattern}`] = 'deny';
+      rules[`git rm -f ${ocPattern}`] = 'deny';
+    }
+    // Allow excluded patterns
+    for (const pattern of policy.exclude) {
+      const ocPattern = pattern
+        .replace(/\*\*\//g, '*/')
+        .replace(/\*\*/g, '*');
+      rules[`rm ${ocPattern}`] = 'allow';
+      rules[`rm -f ${ocPattern}`] = 'allow';
+      rules[`rm -rf ${ocPattern}`] = 'allow';
+    }
+  }
+  if (policy.action === 'modify') {
+    // Block modification commands for protected files
+    for (const pattern of policy.include) {
+      const ocPattern = pattern
+        .replace(/\*\*\//g, '*/')
+        .replace(/\*\*/g, '*');
+      rules[`mv ${ocPattern} *`] = 'deny';
+      rules[`cp * ${ocPattern}`] = 'deny';
+    }
+  }
+  if (policy.action === 'execute') {
+    // Block execution for protected patterns
+    for (const pattern of policy.include) {
+      const ocPattern = pattern
+        .replace(/\*\*\//g, '*/')
+        .replace(/\*\*/g, '*');
+      // For migrations, block common migration commands
+      if (pattern.includes('migrat')) {
+        rules['*migrate*'] = 'deny';
+        rules['prisma migrate*'] = 'deny';
+        rules['npx prisma migrate*'] = 'deny';
+        rules['drizzle-kit *'] = 'deny';
+      }
+    }
+  }
+  return rules;
+}
+/**
+ * Install veto-leash permissions into OpenCode config
+ */
+export async function installOpenCodePermissions(
+  target: 'global' | 'project' = 'project'
+): Promise<void> {
+  console.log(
+    `\n${COLORS.info}Installing veto-leash for OpenCode (${target})...${COLORS.reset}\n`
+  );
+  // Load existing policies
+  const storedPolicies = loadStoredPolicies();
+  if (storedPolicies.policies.length === 0) {
+    console.log(
+      `${COLORS.warning}${SYMBOLS.warning} No policies found. Add policies first:${COLORS.reset}`
+    );
+    console.log(`  ${COLORS.dim}leash add "don't delete test files"${COLORS.reset}\n`);
+    return;
+  }
+  // Determine config file path
+  const configPath =
+    target === 'global' ? OPENCODE_GLOBAL_CONFIG : OPENCODE_PROJECT_CONFIG;
+  // Load existing config
+  let config: OpenCodeConfig = {
+    $schema: 'https://opencode.ai/config.json',
+  };
+  if (existsSync(configPath)) {
+    try {
+      config = JSON.parse(readFileSync(configPath, 'utf-8'));
+    } catch {
+      // Keep default if parse fails
+    }
+  }
+  // Ensure permission object exists
+  if (!config.permission) {
+    config.permission = {};
+  }
+  // Convert existing bash permission to object if it's a string
+  if (typeof config.permission.bash === 'string') {
+    const oldValue = config.permission.bash;
+    config.permission.bash = { '*': oldValue };
+  } else if (!config.permission.bash) {
+    config.permission.bash = {};
+  }
+  // Generate and merge rules from all policies
+  for (const { policy } of storedPolicies.policies) {
+    const rules = policyToOpenCodeRules(policy);
+    config.permission.bash = {
+      ...(config.permission.bash as Record<string, string>),
+      ...rules,
+    };
+  }
+  // Write config
+  if (target === 'global') {
+    mkdirSync(join(homedir(), '.config', 'opencode'), { recursive: true });
+  }
+  writeFileSync(configPath, JSON.stringify(config, null, 2));
+  console.log(
+    `  ${COLORS.success}${SYMBOLS.success}${COLORS.reset} Updated: ${configPath}`
+  );
+  console.log(
+    `\n${COLORS.success}${SYMBOLS.success} veto-leash permissions installed for OpenCode${COLORS.reset}\n`
+  );
+  console.log(`${COLORS.dim}Policies are now enforced via OpenCode's native permission system.${COLORS.reset}`);
+  console.log(`${COLORS.dim}OpenCode will deny matching commands automatically.${COLORS.reset}\n`);
+}
+/**
+ * Show what permissions would be generated without installing
+ */
+export function previewOpenCodePermissions(): void {
+  const storedPolicies = loadStoredPolicies();
+  if (storedPolicies.policies.length === 0) {
+    console.log(`\n${COLORS.warning}No policies stored. Add policies first.${COLORS.reset}\n`);
+    return;
+  }
+  console.log(`\n${COLORS.bold}OpenCode Permission Preview${COLORS.reset}`);
+  console.log('═'.repeat(30) + '\n');
+  const allRules: Record<string, string> = {};
+  for (const { restriction, policy } of storedPolicies.policies) {
+    console.log(`${COLORS.dim}Policy:${COLORS.reset} "${restriction}"`);
+    console.log(`${COLORS.dim}Action:${COLORS.reset} ${policy.action}\n`);
+    const rules = policyToOpenCodeRules(policy);
+    Object.assign(allRules, rules);
+  }
+  console.log(`${COLORS.bold}Generated Rules:${COLORS.reset}`);
+  console.log(JSON.stringify({ permission: { bash: allRules } }, null, 2));
+  console.log(`\n${COLORS.dim}Run 'leash install oc' to apply.${COLORS.reset}\n`);
+}
+/**
+ * Remove veto-leash permissions from OpenCode config
+ */
+export async function uninstallOpenCodePermissions(
+  target: 'global' | 'project' = 'project'
+): Promise<void> {
+  const configPath =
+    target === 'global' ? OPENCODE_GLOBAL_CONFIG : OPENCODE_PROJECT_CONFIG;
+  if (!existsSync(configPath)) {
+    console.log(`${COLORS.dim}No config file found at ${configPath}${COLORS.reset}`);
+    return;
+  }
+  try {
+    const config: OpenCodeConfig = JSON.parse(
+      readFileSync(configPath, 'utf-8')
+    );
+    // Remove veto-leash rules (those with deny for rm/mv/cp patterns)
+    if (config.permission?.bash && typeof config.permission.bash === 'object') {
+      const bash = config.permission.bash as Record<string, string>;
+      for (const key of Object.keys(bash)) {
+        if (
+          key.startsWith('rm ') ||
+          key.startsWith('git rm ') ||
+          key.startsWith('mv ') ||
+          key.startsWith('cp ')
+        ) {
+          delete bash[key];
+        }
+      }
+    }
+    writeFileSync(configPath, JSON.stringify(config, null, 2));
+    console.log(
+      `${COLORS.success}${SYMBOLS.success} Removed veto-leash rules from ${configPath}${COLORS.reset}`
+    );
+  } catch {
+    console.log(
+      `${COLORS.warning}${SYMBOLS.warning} Could not parse config file${COLORS.reset}`
+    );
+  }
+}
+/**
+ * Load stored policies from veto-leash config
+ */
+function loadStoredPolicies(): StoredPolicies {
+  try {
+    if (existsSync(POLICIES_FILE)) {
+      return JSON.parse(readFileSync(POLICIES_FILE, 'utf-8'));
+    }
+  } catch {
+    // Return empty if can't load
+  }
+  return { policies: [] };
+}
+/**
+ * Save a policy to the stored policies file
+ */
+export function savePolicy(restriction: string, policy: Policy): void {
+  const stored = loadStoredPolicies();
+  // Check for duplicate
+  const existingIndex = stored.policies.findIndex(
+    (p) => p.restriction === restriction
+  );
+  if (existingIndex >= 0) {
+    stored.policies[existingIndex] = { restriction, policy };
+  } else {
+    stored.policies.push({ restriction, policy });
+  }
+  mkdirSync(VETO_LEASH_CONFIG_DIR, { recursive: true });
+  writeFileSync(POLICIES_FILE, JSON.stringify(stored, null, 2));
+}
+/**
+ * List all stored policies
+ */
+export function listPolicies(): void {
+  const stored = loadStoredPolicies();
+  if (stored.policies.length === 0) {
+    console.log(`\n${COLORS.dim}No policies stored.${COLORS.reset}\n`);
+    return;
+  }
+  console.log(`\n${COLORS.bold}Stored Policies${COLORS.reset}`);
+  console.log('═'.repeat(20) + '\n');
+  for (let i = 0; i < stored.policies.length; i++) {
+    const { restriction, policy } = stored.policies[i];
+    console.log(`${i + 1}. ${COLORS.info}"${restriction}"${COLORS.reset}`);
+    console.log(`   ${COLORS.dim}Action:${COLORS.reset} ${policy.action}`);
+    console.log(`   ${COLORS.dim}Description:${COLORS.reset} ${policy.description}\n`);
+  }
+}