veto-leash 0.1.3 → 1.0.1
- package/README.md +111 -196
- package/dist/ast/builtins.d.ts +28 -0
- package/dist/ast/builtins.d.ts.map +1 -0
- package/dist/ast/builtins.js +361 -0
- package/dist/ast/builtins.js.map +1 -0
- package/dist/ast/checker.d.ts +17 -0
- package/dist/ast/checker.d.ts.map +1 -0
- package/dist/ast/checker.js +97 -0
- package/dist/ast/checker.js.map +1 -0
- package/dist/ast/index.d.ts +5 -0
- package/dist/ast/index.d.ts.map +1 -0
- package/dist/ast/index.js +7 -0
- package/dist/ast/index.js.map +1 -0
- package/dist/ast/parser.d.ts +55 -0
- package/dist/ast/parser.d.ts.map +1 -0
- package/dist/ast/parser.js +210 -0
- package/dist/ast/parser.js.map +1 -0
- package/dist/ast/query.d.ts +48 -0
- package/dist/ast/query.d.ts.map +1 -0
- package/dist/ast/query.js +102 -0
- package/dist/ast/query.js.map +1 -0
- package/dist/ast/validate-cli.d.ts +21 -0
- package/dist/ast/validate-cli.d.ts.map +1 -0
- package/dist/ast/validate-cli.js +73 -0
- package/dist/ast/validate-cli.js.map +1 -0
- package/dist/cli.js +105 -21
- package/dist/cli.js.map +1 -1
- package/dist/compiler/builtins.d.ts.map +1 -1
- package/dist/compiler/builtins.js +721 -4
- package/dist/compiler/builtins.js.map +1 -1
- package/dist/compiler/commands.d.ts +40 -0
- package/dist/compiler/commands.d.ts.map +1 -0
- package/dist/compiler/commands.js +311 -0
- package/dist/compiler/commands.js.map +1 -0
- package/dist/compiler/content.d.ts +160 -0
- package/dist/compiler/content.d.ts.map +1 -0
- package/dist/compiler/content.js +461 -0
- package/dist/compiler/content.js.map +1 -0
- package/dist/compiler/index.d.ts.map +1 -1
- package/dist/compiler/index.js +34 -7
- package/dist/compiler/index.js.map +1 -1
- package/dist/compiler/llm.d.ts.map +1 -1
- package/dist/compiler/llm.js +96 -9
- package/dist/compiler/llm.js.map +1 -1
- package/dist/compiler/prompt.d.ts +1 -1
- package/dist/compiler/prompt.d.ts.map +1 -1
- package/dist/compiler/prompt.js +247 -15
- package/dist/compiler/prompt.js.map +1 -1
- package/dist/config/leash-parser.d.ts +29 -0
- package/dist/config/leash-parser.d.ts.map +1 -0
- package/dist/config/leash-parser.js +70 -0
- package/dist/config/leash-parser.js.map +1 -0
- package/dist/config/loader.d.ts +2 -1
- package/dist/config/loader.d.ts.map +1 -1
- package/dist/config/loader.js +18 -8
- package/dist/config/loader.js.map +1 -1
- package/dist/config/schema.d.ts +8 -0
- package/dist/config/schema.d.ts.map +1 -1
- package/dist/config/schema.js +19 -0
- package/dist/config/schema.js.map +1 -1
- package/dist/config/watcher.d.ts +18 -0
- package/dist/config/watcher.d.ts.map +1 -0
- package/dist/config/watcher.js +102 -0
- package/dist/config/watcher.js.map +1 -0
- package/dist/matcher.d.ts +18 -0
- package/dist/matcher.d.ts.map +1 -1
- package/dist/matcher.js +43 -0
- package/dist/matcher.js.map +1 -1
- package/dist/native/claude-code.d.ts.map +1 -1
- package/dist/native/claude-code.js +294 -50
- package/dist/native/claude-code.js.map +1 -1
- package/dist/native/cursor.d.ts +14 -1
- package/dist/native/cursor.d.ts.map +1 -1
- package/dist/native/cursor.js +340 -34
- package/dist/native/cursor.js.map +1 -1
- package/dist/native/index.d.ts +5 -0
- package/dist/native/index.d.ts.map +1 -1
- package/dist/native/index.js +56 -10
- package/dist/native/index.js.map +1 -1
- package/dist/native/opencode.d.ts.map +1 -1
- package/dist/native/opencode.js +15 -3
- package/dist/native/opencode.js.map +1 -1
- package/dist/native/validator.d.ts +15 -0
- package/dist/native/validator.d.ts.map +1 -0
- package/dist/native/validator.js +368 -0
- package/dist/native/validator.js.map +1 -0
- package/dist/types.d.ts +114 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/wrapper/daemon.d.ts.map +1 -1
- package/dist/wrapper/daemon.js +31 -2
- package/dist/wrapper/daemon.js.map +1 -1
- package/languages/tree-sitter-javascript.wasm +0 -0
- package/languages/tree-sitter-tsx.wasm +0 -0
- package/languages/tree-sitter-typescript.wasm +0 -0
- package/package.json +5 -2
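--- a/package/dist/native/opencode.js
+++ b/package/dist/native/opencode.js
@@ -14,8 +14,20 @@ const POLICIES_FILE = join(VETO_LEASH_CONFIG_DIR, 'policies.json');
 */
 function policyToOpenCodeRules(policy) {
 const rules = {};
+// === COMMAND RULES (Phase 1) ===
+// Convert commandRules to OpenCode bash permission rules
+if (policy.commandRules && policy.commandRules.length > 0) {
+for (const rule of policy.commandRules) {
+for (const pattern of rule.block) {
+// Convert veto-leash command patterns to OpenCode format
+// "npm install*" -> "npm install*" (same format)
+rules[pattern] = 'deny';
+}
+}
+}
+// === FILE RULES ===
 // Generate bash permission rules based on action and patterns
-if (policy.action === 'delete') {
+if (policy.action === 'delete' && policy.include.length > 0) {
 // Block rm commands for protected files
 for (const pattern of policy.include) {
 // Convert glob to OpenCode wildcard format
@@ -39,7 +51,7 @@ function policyToOpenCodeRules(policy) {
 rules[`rm -rf ${ocPattern}`] = 'allow';
 }
 }
-if (policy.action === 'modify') {
+if (policy.action === 'modify' && policy.include.length > 0) {
 // Block modification commands for protected files
 for (const pattern of policy.include) {
 const ocPattern = pattern
@@ -49,7 +61,7 @@ function policyToOpenCodeRules(policy) {
 rules[`cp * ${ocPattern}`] = 'deny';
 }
 }
-if (policy.action === 'execute') {
+if (policy.action === 'execute' && policy.include.length > 0) {
 // Block execution for protected patterns
 for (const pattern of policy.include) {
 const ocPattern = pattern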
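Review bot: The new command-rule loop in the first hunk copies each `rule.block` pattern into `rules` unchanged on the stated assumption that the formats are the same, but the Claude Code validator shipped in this same release (`commandMatchesPattern` in validator.js) lower-cases the command, expands aliases such as `npm i`, and treats a wildcard-free pattern as a prefix, and none of that is reproduced here. If OpenCode matches these keys as whole-command wildcards, a pattern such as `npm install` would block only that exact string on this backend, so one policy is enforced more narrowly here than under Claude Code; for wildcard-free patterns I would also emit `rules[pattern + ' *'] = 'deny';` and say in the comment that aliases are not expanded. The loop iterates `rule.block`, and the three changed guards read `policy.include.length`, without checking that the field exists, so a command-only policy with no `include` array would throw here; `policy.include?.length > 0` is enough. `policyToOpenCodeRules` continues outside these hunks.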
@@ -1 +1 @@
1
-
{"version":3,"file":"opencode.js","sourceRoot":"","sources":["../../src/native/opencode.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,yCAAyC;AACzC,iEAAiE;AAEjE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAE7B,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,sBAAsB,GAAG,IAAI,CACjC,OAAO,EAAE,EACT,SAAS,EACT,UAAU,EACV,eAAe,CAChB,CAAC;AACF,MAAM,uBAAuB,GAAG,eAAe,CAAC;AAChD,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AACvE,MAAM,aAAa,GAAG,IAAI,CAAC,qBAAqB,EAAE,eAAe,CAAC,CAAC;AAmBnE;;GAEG;AACH,SAAS,qBAAqB,CAAC,MAAc;IAC3C,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,8DAA8D;IAC9D,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;
1
+
{"version":3,"file":"opencode.js","sourceRoot":"","sources":["../../src/native/opencode.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,yCAAyC;AACzC,iEAAiE;AAEjE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAE7B,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,sBAAsB,GAAG,IAAI,CACjC,OAAO,EAAE,EACT,SAAS,EACT,UAAU,EACV,eAAe,CAChB,CAAC;AACF,MAAM,uBAAuB,GAAG,eAAe,CAAC;AAChD,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AACvE,MAAM,aAAa,GAAG,IAAI,CAAC,qBAAqB,EAAE,eAAe,CAAC,CAAC;AAmBnE;;GAEG;AACH,SAAS,qBAAqB,CAAC,MAAc;IAC3C,MAAM,KAAK,GAA2B,EAAE,CAAC;IAEzC,kCAAkC;IAClC,yDAAyD;IACzD,IAAI,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACjC,yDAAyD;gBACzD,iDAAiD;gBACjD,KAAK,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,8DAA8D;IAC9D,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,wCAAwC;QACxC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACrC,2CAA2C;YAC3C,MAAM,SAAS,GAAG,OAAO;iBACtB,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,CAAE,YAAY;iBACtC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAI,UAAU;YAEvC,KAAK,CAAC,MAAM,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;YAClC,KAAK,CAAC,SAAS,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;YACrC,KAAK,CAAC,UAAU,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;YACtC,KAAK,CAAC,SAAS,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;YACrC,KAAK,CAAC,UAAU,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;YACtC,KAAK,CAAC,aAAa,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;QAC3C,CAAC;QAED,0BAA0B;QAC1B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,OAAO;iBACtB,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC;iBACxB,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAEzB,KAAK,CAAC,MAAM,SAAS,EAAE,CAAC,GAAG,OAAO,CAAC;YACnC,KAAK,CAAC,SAAS,SAAS,EAAE,CAAC,GAAG,OAAO,CAAC;YACtC,KAAK,CAAC,UAAU,SAAS,EAAE,CAAC,GAAG,OAAO,CAAC;QACzC,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAA
M,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,OAAO;iBACtB,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC;iBACxB,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAEzB,KAAK,CAAC,MAAM,SAAS,IAAI,CAAC,GAAG,MAAM,CAAC;YACpC,KAAK,CAAC,QAAQ,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,yCAAyC;QACzC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,OAAO;iBACtB,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC;iBACxB,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAEzB,kDAAkD;YAClD,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/B,KAAK,CAAC,WAAW,CAAC,GAAG,MAAM,CAAC;gBAC5B,KAAK,CAAC,iBAAiB,CAAC,GAAG,MAAM,CAAC;gBAClC,KAAK,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAAC;gBACtC,KAAK,CAAC,eAAe,CAAC,GAAG,MAAM,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,SAA+B,SAAS;IAExC,OAAO,CAAC,GAAG,CACT,KAAK,MAAM,CAAC,IAAI,uCAAuC,MAAM,OAAO,MAAM,CAAC,KAAK,IAAI,CACrF,CAAC;IAEF,yBAAyB;IACzB,MAAM,cAAc,GAAG,kBAAkB,EAAE,CAAC;IAC5C,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,GAAG,CACT,GAAG,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,0CAA0C,MAAM,CAAC,KAAK,EAAE,CAC5F,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,GAAG,sCAAsC,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;QACnF,OAAO;IACT,CAAC;IAED,6BAA6B;IAC7B,MAAM,UAAU,GACd,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,uBAAuB,CAAC;IAEzE,uBAAuB;IACvB,IAAI,MAAM,GAAmB;QAC3B,OAAO,EAAE,iCAAiC;KAC3C,CAAC;IAEF,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,8BAA8B;QAChC,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC;IACzB,CAAC;IAED,8DAA8D;IAC9D,IAAI,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;QACxC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;IA
C7C,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,6CAA6C;IAC7C,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG;YACvB,GAAI,MAAM,CAAC,UAAU,CAAC,IAA+B;YACrD,GAAG,KAAK;SACT,CAAC;IACJ,CAAC;IAED,eAAe;IACf,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CACT,KAAK,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,GAAG,MAAM,CAAC,KAAK,aAAa,UAAU,EAAE,CAC9E,CAAC;IAEF,OAAO,CAAC,GAAG,CACT,KAAK,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,iDAAiD,MAAM,CAAC,KAAK,IAAI,CACvG,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,qEAAqE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9G,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,sDAAsD,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;AACnG,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B;IACxC,MAAM,cAAc,GAAG,kBAAkB,EAAE,CAAC;IAE5C,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,OAAO,0CAA0C,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;QAC3F,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,IAAI,8BAA8B,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAEnC,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAE5C,KAAK,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,UAAU,MAAM,CAAC,KAAK,KAAK,WAAW,GAAG,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,UAAU,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;QAEtE,MAAM,KAAK,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,IAAI,mBAAmB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACzE,OAAO,CAAC,GAA
G,CAAC,KAAK,MAAM,CAAC,GAAG,mCAAmC,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;AAClF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,SAA+B,SAAS;IAExC,MAAM,UAAU,GACd,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,uBAAuB,CAAC;IAEzE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,2BAA2B,UAAU,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QACjF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAmB,IAAI,CAAC,KAAK,CACvC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAClC,CAAC;QAEF,kEAAkE;QAClE,IAAI,MAAM,CAAC,UAAU,EAAE,IAAI,IAAI,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC1E,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,IAA8B,CAAC;YAC9D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpC,IACE,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;oBACrB,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;oBACzB,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;oBACrB,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EACrB,CAAC;oBACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CACT,GAAG,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,kCAAkC,UAAU,GAAG,MAAM,CAAC,KAAK,EAAE,CACjG,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,GAAG,CACT,GAAG,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,+BAA+B,MAAM,CAAC,KAAK,EAAE,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,6BAA6B;IAC/B,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,WAAmB,EAAE,MAAc;IAC5D,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC;IAEpC,sBAAsB;IACtB,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,CAC7C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CACrC,CAAC;IAEF,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;IAC3D,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,SAAS,CAAC,qBAAqB,EAAE,EAAE,S
AAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtD,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC;IAEpC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,GAAG,sBAAsB,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;QACnE,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,IAAI,kBAAkB,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAEnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChD,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,IAAI,IAAI,WAAW,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,MAAM,MAAM,CAAC,GAAG,UAAU,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,MAAM,MAAM,CAAC,GAAG,eAAe,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;IACrF,CAAC;AACH,CAAC"}
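--- a/package/dist/native/validator.d.ts
+++ b/package/dist/native/validator.d.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+* veto-leash validator for Claude Code PreToolUse hooks.
+*
+* Input (via stdin): JSON with tool_name, tool_input, cwd, session_id
+* Output (via stdout): JSON with hookSpecificOutput.permissionDecision and systemMessage
+* Exit code: 0 always (decision communicated via JSON)
+*
+* Supports:
+* - Command-level policies (commandRules with block patterns)
+* - Content-level policies (AST-based with zero false positives)
+* - File-level policies (include/exclude patterns)
+*/
+export {};
+//# sourceMappingURL=validator.d.ts.map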
@@ -0,0 +1 @@
1
+
{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../src/native/validator.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG"}
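--- a/package/dist/native/validator.js
+++ b/package/dist/native/validator.js
@@ -0,0 +1,368 @@
+#!/usr/bin/env node
+/**
+* veto-leash validator for Claude Code PreToolUse hooks.
+*
+* Input (via stdin): JSON with tool_name, tool_input, cwd, session_id
+* Output (via stdout): JSON with hookSpecificOutput.permissionDecision and systemMessage
+* Exit code: 0 always (decision communicated via JSON)
+*
+* Supports:
+* - Command-level policies (commandRules with block patterns)
+* - Content-level policies (AST-based with zero false positives)
+* - File-level policies (include/exclude patterns)
+*/
+import { existsSync, readdirSync, readFileSync } from 'fs';
+import { join, dirname, basename, relative, isAbsolute } from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+// AST modules - loaded dynamically to avoid crashes if not available
+let astAvailable = false;
+let checkContentAST = null;
+let initParser = null;
+let loadLanguage = null;
+let detectLanguage = null;
+async function loadASTModules() {
+try {
+// @ts-ignore - Dynamic imports for deployed standalone module
+const checker = await import('./ast/checker.js');
+// @ts-ignore - Dynamic imports for deployed standalone module
+const parser = await import('./ast/parser.js');
+checkContentAST = checker.checkContentAST;
+initParser = parser.initParser;
+loadLanguage = parser.loadLanguage;
+detectLanguage = parser.detectLanguage;
+astAvailable = true;
+}
+catch {
+// AST modules not available - will use regex-only content checking
+astAvailable = false;
+}
+}
+// Common command aliases for matching
+const COMMAND_ALIASES = {
+'npm i': ['npm install'],
+'npm ci': ['npm clean-install'],
+'npm r': ['npm remove', 'npm uninstall'],
+'npm rm': ['npm remove', 'npm uninstall'],
+'pnpm i': ['pnpm install'],
+'bun i': ['bun install'],
+'bun a': ['bun add'],
+'git co': ['git checkout'],
+};
+function outputAllow() {
+const output = {
+hookSpecificOutput: { permissionDecision: 'allow' },
+};
+console.log(JSON.stringify(output));
+process.exit(0);
+}
+function outputDeny(reason, opts) {
+let message = `veto-leash: BLOCKED\n\nReason: ${reason}`;
+if (opts?.line)
+message += `\nLine: ${opts.line}`;
+if (opts?.match)
+message += `\nMatch: ${opts.match}`;
+if (opts?.suggest)
+message += `\n\nSuggested alternative: ${opts.suggest}`;
+message += '\n\nThe action was blocked by a veto-leash policy. Please follow the suggested alternative or modify your approach.';
+const output = {
+hookSpecificOutput: { permissionDecision: 'deny' },
+systemMessage: message,
+};
+console.log(JSON.stringify(output));
+process.exit(0);
+}
+function loadPolicies(policiesDir) {
+if (!existsSync(policiesDir))
+return [];
+const policies = [];
+for (const file of readdirSync(policiesDir)) {
+if (!file.endsWith('.json'))
+continue;
+try {
+const content = readFileSync(join(policiesDir, file), 'utf-8');
+policies.push(JSON.parse(content));
+}
+catch {
+// Skip invalid files
+}
+}
+return policies;
+}
+function normalizeCommand(cmd) {
+return cmd.toLowerCase().split(/\s+/).join(' ');
+}
+function expandCommandAliases(command) {
+const normalized = normalizeCommand(command);
+const expanded = [normalized];
+for (const [alias, expansions] of Object.entries(COMMAND_ALIASES)) {
+if (normalized.startsWith(alias)) {
+const suffix = normalized.slice(alias.length);
+for (const expansion of expansions) {
+expanded.push(expansion + suffix);
+}
+}
+}
+return expanded;
+}
+function matchesGlob(text, pattern) {
+// Simple glob matching: * matches any characters
+const regex = new RegExp('^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
+return regex.test(text);
+}
+function commandMatchesPattern(command, pattern) {
+const cmd = normalizeCommand(command);
+const pat = normalizeCommand(pattern);
+// Exact match
+if (cmd === pat)
+return true;
+// No wildcards - prefix match
+if (!pat.includes('*') && !pat.includes('?')) {
+return cmd.startsWith(pat + ' ') || cmd === pat;
+}
+// Wildcards - glob match
+if (!pat.startsWith('*')) {
+const firstStar = pat.indexOf('*');
+const prefix = pat.slice(0, firstStar);
+if (!cmd.startsWith(prefix))
+return false;
+}
+return matchesGlob(cmd, pat);
+}
+function checkCommandRules(command, policy) {
+if (!policy.commandRules?.length)
+return null;
+const variations = expandCommandAliases(command);
+for (const rule of policy.commandRules) {
+for (const pattern of rule.block) {
+for (const variation of variations) {
+if (commandMatchesPattern(variation, pattern)) {
+return { reason: rule.reason, suggest: rule.suggest };
+}
+}
+}
+}
+return null;
+}
+function fileMatchesPatterns(filePath, patterns) {
+if (!patterns.length)
+return true;
+const normalized = filePath.replace(/\\/g, '/');
+const name = basename(normalized);
+for (const pattern of patterns) {
+// Simple extension match: "*.ts"
+if (pattern.startsWith('*.') && !pattern.includes('/')) {
+if (name.endsWith(pattern.slice(1)))
+return true;
+continue;
+}
+// Full glob match
+if (matchesGlob(normalized, pattern) || matchesGlob(name, pattern))
+return true;
+}
+return false;
+}
+function isProtected(target, policy) {
+if (!policy.include.length)
+return false;
+const normalized = target.replace(/\\/g, '/');
+const name = basename(normalized);
+const matchesInclude = policy.include.some((p) => matchesGlob(normalized, p) || matchesGlob(name, p));
+if (!matchesInclude)
+return false;
+const matchesExclude = policy.exclude.some((p) => matchesGlob(normalized, p) || matchesGlob(name, p));
+return !matchesExclude;
+}
+function parseBashTargets(command, action) {
+const targets = [];
+if (action === 'delete') {
+const rmMatch = command.match(/\brm\s+(?:-[rfiv]+\s+)*(.+)/);
+if (rmMatch) {
+for (const arg of rmMatch[1].split(/\s+/)) {
+if (!arg.startsWith('-'))
+targets.push(arg);
+}
+}
+const gitRmMatch = command.match(/\bgit\s+rm\s+(?:-[rf]+\s+)*(.+)/);
+if (gitRmMatch) {
+for (const arg of gitRmMatch[1].split(/\s+/)) {
+if (!arg.startsWith('-'))
+targets.push(arg);
+}
+}
+}
+else if (action === 'modify') {
+const mvMatch = command.match(/\b(mv|cp)\s+(?:-[a-z]+\s+)*(.+)/);
+if (mvMatch) {
+for (const arg of mvMatch[2].split(/\s+/)) {
+if (!arg.startsWith('-')) {
+targets.push(arg);
+break;
+}
+}
+}
+}
+return targets;
+}
+function getActionsForTool(toolName) {
+const mapping = {
+Bash: ['delete', 'modify', 'execute'],
+Write: ['modify'],
+Edit: ['modify'],
+MultiEdit: ['modify'],
+Read: ['read'],
+};
+return mapping[toolName] || [];
+}
+async function readStdin() {
+const chunks = [];
+for await (const chunk of process.stdin) {
+chunks.push(chunk);
+}
+return Buffer.concat(chunks).toString('utf-8');
+}
+async function main() {
+try {
+// Try to load AST modules (may fail if dependencies not available)
+await loadASTModules();
+const inputText = await readStdin();
+if (!inputText.trim()) {
+outputAllow();
+return;
+}
+let input;
+try {
+input = JSON.parse(inputText);
+}
+catch {
+outputAllow();
+return;
+}
+const { tool_name: toolName, tool_input: toolInput, cwd } = input;
+// Determine policies directory (sibling to this script when installed)
+const policiesDir = join(__dirname, 'policies');
+const policies = loadPolicies(policiesDir);
+if (!policies.length) {
+outputAllow();
+return;
+}
+// === COMMAND-LEVEL CHECKING (for Bash tool) ===
+if (toolName === 'Bash') {
+const command = String(toolInput.command || '');
+for (const policy of policies) {
+const result = checkCommandRules(command, policy);
+if (result) {
+outputDeny(result.reason, { suggest: result.suggest });
+return;
+}
+}
+}
+// === CONTENT-LEVEL CHECKING WITH AST (for Write/Edit tools) ===
+if (['Write', 'Edit', 'MultiEdit'].includes(toolName)) {
+const filePath = String(toolInput.file_path || '');
+let content = '';
+if (toolName === 'Write') {
+content = String(toolInput.content || '');
+}
+else if (toolName === 'Edit') {
+content = String(toolInput.new_string || '');
+}
+else if (toolName === 'MultiEdit') {
+const edits = toolInput.edits || [];
+content = edits.map((e) => e.new_string || '').join('\n');
+}
+if (filePath && content) {
+// Check if AST modules loaded and file is a supported language
+if (astAvailable && detectLanguage) {
+const language = detectLanguage(filePath);
+if (language && initParser && loadLanguage && checkContentAST) {
+// Initialize parser and load language
+await initParser();
+await loadLanguage(language);
+// Check each policy with AST
+for (const policy of policies) {
+const result = await checkContentAST(content, filePath, policy);
+if (!result.allowed && result.match) {
+outputDeny(result.match.reason, {
+suggest: result.match.suggest,
+line: result.match.line,
+match: result.match.text.slice(0, 50),
+});
+return;
+}
+}
+}
+}
+// Fallback: check regex contentRules for non-AST files or as backup
+for (const policy of policies) {
+if (!policy.contentRules?.length)
+continue;
+for (const rule of policy.contentRules) {
+if (!fileMatchesPatterns(filePath, rule.fileTypes))
+continue;
+try {
+const regex = new RegExp(rule.pattern, 'm');
+const match = regex.exec(content);
+if (match) {
+const beforeMatch = content.slice(0, match.index);
+const lineNum = (beforeMatch.match(/\n/g) || []).length + 1;
+outputDeny(rule.reason, {
+suggest: rule.suggest,
+line: lineNum,
+match: match[0].slice(0, 50),
+});
+return;
+}
+}
+catch {
+// Invalid regex, skip
+}
+}
+}
+}
+}
+// === FILE-LEVEL CHECKING ===
+const targets = [];
+if (toolName === 'Bash') {
+const command = String(toolInput.command || '');
+for (const policy of policies) {
+targets.push(...parseBashTargets(command, policy.action));
+}
+}
+else if (['Write', 'Edit', 'MultiEdit'].includes(toolName)) {
+const filePath = String(toolInput.file_path || '');
+if (filePath)
+targets.push(filePath);
+}
+for (const target of targets) {
+let relTarget;
+try {
+if (isAbsolute(target)) {
+relTarget = relative(cwd, target);
+}
+else {
+relTarget = target;
+}
+}
+catch {
+relTarget = target;
+}
+for (const policy of policies) {
+const toolActions = getActionsForTool(toolName);
+if (toolActions.includes(policy.action)) {
+if (isProtected(relTarget, policy)) {
+outputDeny(`${policy.description}: ${relTarget}`);
+return;
+}
+}
+}
+}
+outputAllow();
+}
+catch (error) {
+// Fail open on errors
+outputAllow();
+}
+}
+main();
+//# sourceMappingURL=validator.js.map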
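Review bot: The outer `catch` at the end of `main()` answers every unexpected exception with `outputAllow()`, and ordinary malformed data is enough to reach it: `fileMatchesPatterns(filePath, rule.fileTypes)` is called outside the inner `try` and reads `patterns.length`, `isProtected` reads `policy.include.length` and `policy.exclude.some` unguarded, and `toolInput.command` is dereferenced before `toolInput` is checked. A single policy file with a missing field can therefore turn the hook into allow-everything with nothing logged. For a PreToolUse guard the error path should not grant permission: replace that `outputAllow()` with `outputDeny('veto-leash validator error: ' + (error?.message ?? 'unknown'))`, and default the optional arrays where they are read (`rule.fileTypes ?? []`, `policy.include ?? []`, `policy.exclude ?? []`). Separately, `normalizeCommand` does not trim, so input with leading whitespace normalizes to a string that starts with a space and the start-anchored tests in `commandMatchesPattern` never match it; `cmd.trim().toLowerCase().split(/\s+/).join(' ')` fixes that.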
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../src/native/validator.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAuB1D,qEAAqE;AACrE,IAAI,YAAY,GAAG,KAAK,CAAC;AACzB,IAAI,eAAe,GAA6K,IAAI,CAAC;AACrM,IAAI,UAAU,GAAiC,IAAI,CAAC;AACpD,IAAI,YAAY,GAAgD,IAAI,CAAC;AACrE,IAAI,cAAc,GAAiD,IAAI,CAAC;AAExE,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC;QACH,8DAA8D;QAC9D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACjD,8DAA8D;QAC9D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC/C,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC1C,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QAC/B,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;QACnC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QACvC,YAAY,GAAG,IAAI,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,YAAY,GAAG,KAAK,CAAC;IACvB,CAAC;AACH,CAAC;AAED,sCAAsC;AACtC,MAAM,eAAe,GAA6B;IAChD,OAAO,EAAE,CAAC,aAAa,CAAC;IACxB,QAAQ,EAAE,CAAC,mBAAmB,CAAC;IAC/B,OAAO,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACxC,QAAQ,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;IACzC,QAAQ,EAAE,CAAC,cAAc,CAAC;IAC1B,OAAO,EAAE,CAAC,aAAa,CAAC;IACxB,OAAO,EAAE,CAAC,SAAS,CAAC;IACpB,QAAQ,EAAE,CAAC,cAAc,CAAC;CAC3B,CAAC;AAgBF,SAAS,WAAW;IAClB,MAAM,MAAM,GAAe;QACzB,kBAAkB,EAAE,EAAE,kBAAkB,EAAE,OAAO,EAAE;KACpD,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,UAAU,CAAC,MAAc,EAAE,IAA0D;IAC5F,IAAI,OAAO,GAAG,kCAAkC,MAAM,EAAE,CAAC;IACzD,IAAI,IAAI,EAAE,IAAI;QAAE,OAAO,IAAI,WAAW,IAAI,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,IAAI,EAAE,KAAK;QAAE,OAAO,IAAI,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;IACrD,IAAI,IAAI,EAAE,OAAO;QAAE,OAAO,IAAI,8BAA8B,IAAI,CAAC,OAAO,EAAE,CAAC;IAC3E,OAAO,IAAI,qHAAqH,CAAC;IAEjI,MAAM,MAAM,GAAe;QACzB,kBAAkB,EAAE,EAAE,kBAAkB,EAAE,MAAM,EAAE;QAClD,aAAa,EAAE,OAAO;KACvB,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CA
AC,CAAC;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,YAAY,CAAC,WAAmB;IACvC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YAC/D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAW,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,CAAC,UAAU,CAAC,CAAC;IAE9B,KAAK,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QAClE,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC9C,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,QAAQ,CAAC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,OAAe;IAChD,iDAAiD;IACjD,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,GAAG,CAClG,CAAC;IACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAe,EAAE,OAAe;IAC7D,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAEtC,cAAc;IACd,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE7B,8BAA8B;IAC9B,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,IAAI,GAAG,KAAK,GAAG,CAAC;IAClD,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACvC,
IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5C,CAAC;IAED,OAAO,WAAW,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe,EAAE,MAAc;IACxD,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IAE9C,MAAM,UAAU,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAEjD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACjC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,IAAI,qBAAqB,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;oBAC9C,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB,EAAE,QAAkB;IAC/D,IAAI,CAAC,QAAQ,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,iCAAiC;QACjC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACjD,SAAS;QACX,CAAC;QAED,kBAAkB;QAClB,IAAI,WAAW,CAAC,UAAU,EAAE,OAAO,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IAClF,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,MAAc;IACjD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAEzC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IAElC,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CACxC,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAClE,CAAC;IACF,IAAI,CAAC,cAAc;QAAE,OAAO,KAAK,CAAC;IAElC,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CACxC,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAClE,CAAC;IACF,OAAO,CAAC,cAAc,CAAC;AACzB,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe,EAAE,MAAc;IACvD,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC7D,IAAI,OAAO,EAAE
,CAAC;YACZ,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC1C,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACpE,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,MAAM,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjE,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC1C,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBAClB,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,OAAO,GAA6B;QACxC,IAAI,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC;QACrC,KAAK,EAAE,CAAC,QAAQ,CAAC;QACjB,IAAI,EAAE,CAAC,QAAQ,CAAC;QAChB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,IAAI,EAAE,CAAC,MAAM,CAAC;KACf,CAAC;IACF,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,SAAS;IACtB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC;QACH,mEAAmE;QACnE,MAAM,cAAc,EAAE,CAAC;QAEvB,MAAM,SAAS,GAAG,MAAM,SAAS,EAAE,CAAC;QACpC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC;YACtB,WAAW,EAAE,CAAC;YACd,OAAO;QACT,CAAC;QAED,IAAI,KAAgB,CAAC;QACrB,IAAI,CAAC;YACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAc,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,EAAE,CAAC;YACd,OAAO;QACT,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;QAElE,uEAAuE;QACvE,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;QAE3C,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YACrB,WAAW,EAA
E,CAAC;YACd,OAAO;QACT,CAAC;QAED,iDAAiD;QACjD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAChD,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;gBAC9B,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAClD,IAAI,MAAM,EAAE,CAAC;oBACX,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;oBACvD,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;YACnD,IAAI,OAAO,GAAG,EAAE,CAAC;YAEjB,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACzB,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAC5C,CAAC;iBAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAC/B,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;iBAAM,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACpC,MAAM,KAAK,GAAG,SAAS,CAAC,KAAuC,IAAI,EAAE,CAAC;gBACtE,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5D,CAAC;YAED,IAAI,QAAQ,IAAI,OAAO,EAAE,CAAC;gBACxB,+DAA+D;gBAC/D,IAAI,YAAY,IAAI,cAAc,EAAE,CAAC;oBACnC,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;oBAE1C,IAAI,QAAQ,IAAI,UAAU,IAAI,YAAY,IAAI,eAAe,EAAE,CAAC;wBAC9D,sCAAsC;wBACtC,MAAM,UAAU,EAAE,CAAC;wBACnB,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;wBAE7B,6BAA6B;wBAC7B,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;4BAC9B,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;4BAChE,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gCACpC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE;oCAC9B,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO;oCAC7B,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI;oCACvB,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iCACtC,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,oEAAoE;gBACpE,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;oBAC9B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM;wBAAE,SAAS;oBAE3C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;wBACvC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;4BAAE,SAAS;wBAE7D,IAA
I,CAAC;4BACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;4BAC5C,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;4BAClC,IAAI,KAAK,EAAE,CAAC;gCACV,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gCAClD,MAAM,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;gCAC5D,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE;oCACtB,OAAO,EAAE,IAAI,CAAC,OAAO;oCACrB,IAAI,EAAE,OAAO;oCACb,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iCAC7B,CAAC,CAAC;gCACH,OAAO;4BACT,CAAC;wBACH,CAAC;wBAAC,MAAM,CAAC;4BACP,sBAAsB;wBACxB,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,MAAM,OAAO,GAAa,EAAE,CAAC;QAE7B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAChD,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;gBAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7D,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;YACnD,IAAI,QAAQ;gBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,SAAiB,CAAC;YACtB,IAAI,CAAC;gBACH,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBACvB,SAAS,GAAG,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBACpC,CAAC;qBAAM,CAAC;oBACN,SAAS,GAAG,MAAM,CAAC;gBACrB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,MAAM,CAAC;YACrB,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;gBAC9B,MAAM,WAAW,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;gBAChD,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;oBACxC,IAAI,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;wBACnC,UAAU,CAAC,GAAG,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC,CAAC;wBAClD,OAAO;oBACT,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,WAAW,EAAE,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,sBAAsB;QACtB,WAAW,EAAE,CAAC;IAChB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC"}
|
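--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -1,16 +1,130 @@
+/**
+* Command rule for intercepting specific shell commands.
+* Patterns use glob-style matching:
+* - "npm install" matches exact command
+* - "npm *" matches any npm subcommand
+* - "npm install *" matches npm install with any args
+*/
+export interface CommandRule {
+/** Glob patterns for commands to block */
+block: string[];
+/** Optional suggestion to show user (e.g., "Use: pnpm install") */
+suggest?: string;
+/** Human-readable reason for the block */
+reason: string;
+}
+/**
+* AST-based rule for precise code pattern matching.
+* Uses tree-sitter S-expression queries for zero false positives.
+*/
+export interface ASTRule {
+/** Unique identifier for this rule */
+id: string;
+/** Tree-sitter S-expression query */
+query: string;
+/** Languages this rule applies to */
+languages: ('typescript' | 'javascript')[];
+/** Human-readable reason for blocking */
+reason: string;
+/** Optional suggestion for alternative */
+suggest?: string;
+/** Optional regex for fast pre-filtering (skip AST if no match) */
+regexPreFilter?: string;
+}
+/**
+* Result of checking content against AST rules
+*/
+export interface ASTCheckResult {
+allowed: boolean;
+match?: {
+line: number;
+column: number;
+text: string;
+reason: string;
+suggest?: string;
+ruleId: string;
+};
+/** Which method was used for checking */
+method: 'ast' | 'regex' | 'skipped';
+/** Performance timing in milliseconds */
+timing?: {
+parseMs: number;
+queryMs: number;
+};
+}
+/**
+* Content rule for matching patterns within file contents.
+* Used to prevent banned imports, patterns, or coding styles.
+* NOTE: Legacy regex-based rules - prefer ASTRule for accuracy.
+*/
+export interface ContentRule {
+/** Regex pattern to match in file content */
+pattern: string;
+/** File patterns where this rule applies (e.g., ["*.ts", "*.js"]) */
+fileTypes: string[];
+/** Human-readable reason for blocking */
+reason: string;
+/** Optional suggestion for alternative */
+suggest?: string;
+/**
+* Validation mode:
+* - 'fast': Direct regex match (default, may have false positives in comments/strings)
+* - 'strict': Strip comments/strings before matching (fewer false positives)
+* - 'semantic': LLM validates match context (slowest, most accurate)
+*/
+mode?: 'fast' | 'strict' | 'semantic';
+/**
+* Negative patterns - if ANY of these match, the rule is NOT violated.
+* Used to prevent false positives (e.g., don't flag 'any' in variable names)
+*/
+exceptions?: string[];
+}
+/**
+* Result of checking content against content rules
+*/
+export interface ContentCheckResult {
+blocked: boolean;
+rule?: ContentRule;
+/** Line number where match was found (1-indexed) */
+line?: number;
+/** The matched text */
+match?: string;
+}
 export interface Policy {
 action: 'delete' | 'modify' | 'execute' | 'read';
+/** File patterns to protect (glob) */
 include: string[];
+/** File patterns to allow (exceptions) */
 exclude: string[];
 description: string;
+/** Optional command-level rules (Phase 1) */
+commandRules?: CommandRule[];
+/** Optional content-level rules (Phase 2 - regex-based, legacy) */
+contentRules?: ContentRule[];
+/** Optional AST-based rules (Phase 2.1 - preferred, zero false positives) */
+astRules?: ASTRule[];
 }
 export interface CheckRequest {
 action: string;
 target: string;
+/** Full command string for command-level checking */
+command?: string;
+/** File content for content-level checking */
+content?: string;
 }
 export interface CheckResponse {
 allowed: boolean;
 reason?: string;
+/** Suggestion if command was blocked */
+suggest?: string;
+}
+/**
+* Result of checking a command against command rules
+*/
+export interface CommandCheckResult {
+blocked: boolean;
+rule?: CommandRule;
+matchedPattern?: string;
 }
 export interface SessionState {
 pid: number;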
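Review bot: The doc comment on `ContentRule.pattern` says only "Regex pattern to match in file content" and leaves out what happens to a pattern that fails to compile. In the validator.js lines shown earlier on this page, `new RegExp(rule.pattern, 'm')` sits in a `try` whose `catch` is just `// Invalid regex, skip`, so, assuming `rule` there is a ContentRule, a mistyped pattern leaves that rule unenforced with no signal to the policy author. I would state that on the field, e.g. `/** Regex source, compiled with the 'm' flag; a pattern that does not compile is skipped, so validate it when the policy is written */`. The "zero false positives" wording on `ASTRule` and `Policy.astRules` also reads stronger than `ASTCheckResult.method` allows, since a check can come back as `'regex'` or `'skipped'`.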
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,MAAM;IACrB,MAAM,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;IACjD,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,0CAA0C;IAC1C,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,OAAO;IACtB,sCAAsC;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,SAAS,EAAE,CAAC,YAAY,GAAG,YAAY,CAAC,EAAE,CAAC;IAC3C,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,yCAAyC;IACzC,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,SAAS,CAAC;IACpC,yCAAyC;IACzC,MAAM,CAAC,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,6CAA6C;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,UAAU,CAAC;IACtC;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uBAAuB;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,MAAM;IACrB,MAAM,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;IACjD,sCAAsC;IACtC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,0CAA0C;IAC1C,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,mEAAmE;IACnE,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,qDAAqD;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,
aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACvE;AAED,MAAM,WAAW,MAAM;IACrB,UAAU,EAAE,OAAO,CAAC;IACpB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,eAAO,MAAM,cAAc,EAAE,MAQ5B,CAAC"}
|
package/dist/types.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,eAAe;
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,eAAe;AA+Jf,MAAM,CAAC,MAAM,cAAc,GAAW;IACpC,UAAU,EAAE,IAAI;IAChB,kBAAkB,EAAE,IAAI;IACxB,iBAAiB,EAAE,IAAI;IACvB,gBAAgB,EAAE,KAAK;IACvB,kBAAkB,EAAE,GAAG,GAAG,IAAI;IAC9B,QAAQ,EAAE,KAAK;IACf,OAAO,EAAE,KAAK;CACf,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../src/wrapper/daemon.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,MAAM,EACN,YAAY,EACZ,aAAa,EACb,YAAY,EACb,MAAM,aAAa,CAAC;AAMrB,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,KAAK,CAAS;gBAEV,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,GAAE,MAAW;IAe7D,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAsC9B,KAAK,CAAC,GAAG,EAAE,YAAY,GAAG,aAAa;
|
|
1
|
+
{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../src/wrapper/daemon.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,MAAM,EACN,YAAY,EACZ,aAAa,EACb,YAAY,EACb,MAAM,aAAa,CAAC;AAMrB,qBAAa,UAAU;IACrB,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,KAAK,CAAS;gBAEV,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,GAAE,MAAW;IAe7D,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAsC9B,KAAK,CAAC,GAAG,EAAE,YAAY,GAAG,aAAa;IA4EvC,QAAQ,IAAI,YAAY;IAIxB,IAAI,IAAI,IAAI;CA0Bb"}
|