vibesafu 0.1.24 → 0.1.26

package/dist/index.js

@@ -7,7 +7,7 @@ import { fileURLToPath } from "url";
 import { dirname, join as join3 } from "path";
 
 // src/cli/install.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { homedir } from "os";
 import { join } from "path";
 var CLAUDE_SETTINGS_PATH = join(homedir(), ".claude", "settings.json");
@@ -24,7 +24,12 @@ async function readClaudeSettings() {
   try {
     const content = await readFile(CLAUDE_SETTINGS_PATH, "utf-8");
     return JSON.parse(content);
-  } catch {
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {};
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Warning: Failed to read Claude settings (${CLAUDE_SETTINGS_PATH}): ${msg}. Starting fresh.`);
     return {};
   }
 }
@@ -32,6 +37,7 @@ async function writeClaudeSettings(settings) {
   const dir = join(homedir(), ".claude");
   await mkdir(dir, { recursive: true });
   await writeFile(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+  await chmod(CLAUDE_SETTINGS_PATH, 384);
 }
 function isHookInstalled(settings) {
   const hooks = settings.hooks?.PermissionRequest ?? [];
@@ -84,7 +90,7 @@ async function uninstall() {
 }
 
 // src/cli/config.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { join as join2 } from "path";
 import { createInterface } from "readline";
@@ -109,27 +115,44 @@ var DEFAULT_CONFIG = {
     path: join2(CONFIG_DIR, "logs")
   }
 };
+function mergeConfig(defaults, user) {
+  return {
+    anthropic: { ...defaults.anthropic, ...user.anthropic },
+    models: { ...defaults.models, ...user.models },
+    trustedDomains: user.trustedDomains ?? defaults.trustedDomains,
+    customPatterns: { ...defaults.customPatterns, ...user.customPatterns },
+    allowedMCPTools: user.allowedMCPTools ?? defaults.allowedMCPTools,
+    logging: { ...defaults.logging, ...user.logging }
+  };
+}
 async function readConfig() {
   try {
     const content = await readFile2(CONFIG_PATH, "utf-8");
-    return { ...DEFAULT_CONFIG, ...JSON.parse(content) };
-  } catch {
+    return mergeConfig(DEFAULT_CONFIG, JSON.parse(content));
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return DEFAULT_CONFIG;
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    process.stderr.write(`[vibesafu] Warning: Failed to read config (${CONFIG_PATH}): ${msg}. Using defaults.
+`);
     return DEFAULT_CONFIG;
   }
 }
 async function writeConfig(config2) {
   await mkdir2(CONFIG_DIR, { recursive: true });
   await writeFile2(CONFIG_PATH, JSON.stringify(config2, null, 2));
+  await chmod2(CONFIG_PATH, 384);
 }
 function prompt(question) {
   const rl = createInterface({
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve) => {
+  return new Promise((resolve2) => {
     rl.question(question, (answer) => {
       rl.close();
-      resolve(answer);
+      resolve2(answer);
     });
   });
 }
@@ -155,16 +178,6 @@ async function config() {
   console.log("Configuration saved!");
   console.log(`Config file: ${CONFIG_PATH}`);
 }
-async function getApiKey() {
-  if (process.env.ANTHROPIC_API_KEY) {
-    return process.env.ANTHROPIC_API_KEY;
-  }
-  const cfg = await readConfig();
-  if (cfg.anthropic.apiKey) {
-    return cfg.anthropic.apiKey;
-  }
-  return void 0;
-}
 
 // src/hook.ts
 import Anthropic from "@anthropic-ai/sdk";
@@ -768,6 +781,13 @@ var INSTANT_BLOCK_PATTERNS = [
   ...DESTRUCTIVE_PATTERNS,
   ...SELF_PROTECTION_PATTERNS
 ];
+for (const p of INSTANT_BLOCK_PATTERNS) {
+  if (p.pattern.global) {
+    throw new Error(
+      `Security pattern "${p.name}" must not use the global (g) flag. The g flag makes RegExp.test() stateful, causing intermittent bypasses. Remove the g flag from the pattern.`
+    );
+  }
+}
 var CHECKPOINT_PATTERNS = [
   // Script execution
   { pattern: /curl\s+.*\|\s*(ba)?sh/i, type: "script_execution", description: "curl piped to shell" },
@@ -816,6 +836,13 @@ var CHECKPOINT_PATTERNS = [
   { pattern: /(cp|mv)\s+.*\.aws\//i, type: "file_sensitive", description: "Copying/moving AWS credentials" },
   { pattern: /(cp|mv)\s+.*\.env(\s|$)/i, type: "file_sensitive", description: "Copying/moving .env file" }
 ];
+for (const p of CHECKPOINT_PATTERNS) {
+  if (p.pattern.global) {
+    throw new Error(
+      `Checkpoint pattern "${p.description}" must not use the global (g) flag. The g flag makes RegExp.test() stateful, causing intermittent bypasses. Remove the g flag from the pattern.`
+    );
+  }
+}
 
 // src/guard/instant-block.ts
 function checkHighRiskPatterns(command) {
@@ -1022,7 +1049,10 @@ function isTrustedUrl(url) {
 function extractUrls(command) {
   const urlPattern = /https?:\/\/[^\s"'<>]+/gi;
   const matches = command.match(urlPattern);
-  return matches ?? [];
+  if (!matches) return [];
+  return matches.map((url) => {
+    return url.replace(/[),;.]+$/, "");
+  });
 }
 function isUrlShortener(hostname) {
   const normalizedHost = hostname.toLowerCase();
@@ -1046,6 +1076,21 @@ function containsUrlShortener(command) {
     shortenerUrls
   };
 }
+var RISKY_URL_PATTERNS = [
+  // Raw file content from GitHub - can be any user's code
+  /raw\.githubusercontent\.com/i,
+  // GitHub gist raw content
+  /gist\.github\.com\/[^/]+\/[^/]+\/raw/i,
+  // GitHub releases downloads - binary files from any user
+  /github\.com\/[^/]+\/[^/]+\/releases\/download/i,
+  // GitHub objects (blobs, etc.)
+  /objects\.githubusercontent\.com/i,
+  // Installer script patterns (get.*.sh)
+  /\/get\.[^/]+\.sh/i
+];
+function isRiskyUrlPattern(url) {
+  return RISKY_URL_PATTERNS.some((pattern) => pattern.test(url));
+}
 
 // src/guard/checkpoint.ts
 function detectCheckpoint(command) {
@@ -1079,29 +1124,39 @@ function checkTrustedDomains(command) {
     return {
       allTrusted: true,
       // No URLs means nothing untrusted
+      hasRiskyUrls: false,
       urls: [],
       trustedUrls: [],
-      untrustedUrls: []
+      untrustedUrls: [],
+      riskyUrls: []
     };
   }
   const trustedUrls = [];
   const untrustedUrls = [];
+  const riskyUrls = [];
   for (const url of urls) {
     if (isTrustedUrl(url)) {
       trustedUrls.push(url);
     } else {
       untrustedUrls.push(url);
     }
+    if (isRiskyUrlPattern(url)) {
+      riskyUrls.push(url);
+    }
   }
   return {
     allTrusted: untrustedUrls.length === 0,
+    hasRiskyUrls: riskyUrls.length > 0,
     urls,
     trustedUrls,
-    untrustedUrls
+    untrustedUrls,
+    riskyUrls
   };
 }
 
 // src/guard/file-tools.ts
+import { resolve } from "path";
+import { homedir as homedir3 } from "os";
 var WRITE_SENSITIVE_PATHS = [
   // SSH - Critical (persistent access)
   {
@@ -1431,8 +1486,18 @@ var READ_SENSITIVE_PATHS = [
   }
 ];
 function normalizePath(filePath) {
-  let normalized = filePath.replace(/\$HOME/g, "~").replace(/\$\{HOME\}/g, "~");
+  let normalized = filePath;
+  normalized = normalized.replace(/\$HOME/g, "~").replace(/\$\{HOME\}/g, "~");
   normalized = normalized.replace(/\/+/g, "/");
+  if (normalized.startsWith("/")) {
+    normalized = resolve(normalized);
+  }
+  const home = homedir3();
+  if (normalized.startsWith(home + "/")) {
+    normalized = "~" + normalized.slice(home.length);
+  } else if (normalized === home) {
+    normalized = "~";
+  }
   return normalized;
 }
 function checkFilePath(filePath, action) {
@@ -1535,7 +1600,7 @@ function sanitizeForPrompt(command) {
   if (sanitized.length > MAX_COMMAND_LENGTH) {
     sanitized = sanitized.slice(0, MAX_COMMAND_LENGTH) + "... [truncated]";
   }
-  sanitized = sanitized.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  sanitized = sanitized.replace(/]]>/g, "]]&gt;");
   sanitized = sanitized.replace(/\n{3,}/g, "\n\n");
   return sanitized;
 }
@@ -1580,9 +1645,65 @@ function shouldForceEscalate(command) {
   }
   return FORCE_ESCALATE_PATTERNS.some((pattern) => pattern.test(command));
 }
+function extractJsonFromText(text) {
+  try {
+    const parsed = JSON.parse(text.trim());
+    if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+      return parsed;
+    }
+  } catch {
+  }
+  const codeBlockMatch = text.match(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/);
+  if (codeBlockMatch) {
+    try {
+      const parsed = JSON.parse(codeBlockMatch[1].trim());
+      if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+        return parsed;
+      }
+    } catch {
+    }
+  }
+  const startIdx = text.indexOf("{");
+  if (startIdx === -1) return null;
+  let depth = 0;
+  let inString = false;
+  let escaped = false;
+  for (let i = startIdx; i < text.length; i++) {
+    const ch = text[i];
+    if (escaped) {
+      escaped = false;
+      continue;
+    }
+    if (ch === "\\" && inString) {
+      escaped = true;
+      continue;
+    }
+    if (ch === '"') {
+      inString = !inString;
+      continue;
+    }
+    if (inString) continue;
+    if (ch === "{") depth++;
+    else if (ch === "}") {
+      depth--;
+      if (depth === 0) {
+        const candidate = text.slice(startIdx, i + 1);
+        try {
+          const parsed = JSON.parse(candidate);
+          if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+            return parsed;
+          }
+        } catch {
+          return null;
+        }
+      }
+    }
+  }
+  return null;
+}
 
 // src/guard/haiku-triage.ts
-var HAIKU_MODEL = "claude-haiku-4-20250514";
+var DEFAULT_HAIKU_MODEL = "claude-haiku-4-20250514";
 var API_TIMEOUT_MS = 3e4;
 var TRIAGE_SYSTEM_PROMPT = `You are a security triage agent for an autonomous coding system.
 Your ONLY job is to classify commands as SELF_HANDLE, ESCALATE, or BLOCK.
@@ -1629,7 +1750,7 @@ var FORCE_ESCALATE_TYPES = [
   "package_install"
   // Supply chain attacks via postinstall scripts
 ];
-async function triageWithHaiku(client, checkpoint) {
+async function triageWithHaiku(client, checkpoint, model) {
   if (FORCE_ESCALATE_TYPES.includes(checkpoint.type)) {
     return {
       classification: "ESCALATE",
@@ -1644,7 +1765,7 @@ async function triageWithHaiku(client, checkpoint) {
     const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS);
     const response = await client.messages.create(
       {
-        model: HAIKU_MODEL,
+        model: model ?? DEFAULT_HAIKU_MODEL,
         max_tokens: 500,
         system: TRIAGE_SYSTEM_PROMPT,
         messages: [{ role: "user", content: userPrompt }]
@@ -1660,15 +1781,15 @@ async function triageWithHaiku(client, checkpoint) {
         riskIndicators: ["triage_error"]
       };
     }
-    const jsonMatch = text.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
+    const extracted = extractJsonFromText(text);
+    if (!extracted) {
       return {
         classification: "ESCALATE",
         reason: "Triage failed: Could not parse JSON response",
         riskIndicators: ["triage_error"]
       };
     }
-    const parsed = JSON.parse(jsonMatch[0]);
+    const parsed = extracted;
     if (!parsed.classification || !["SELF_HANDLE", "ESCALATE", "BLOCK"].includes(parsed.classification)) {
       return {
         classification: "ESCALATE",
@@ -1706,7 +1827,7 @@ async function triageWithHaiku(client, checkpoint) {
 }
 
 // src/guard/sonnet-review.ts
-var SONNET_MODEL = "claude-sonnet-4-20250514";
+var DEFAULT_SONNET_MODEL = "claude-sonnet-4-20250514";
 var API_TIMEOUT_MS2 = 6e4;
 var REVIEW_SYSTEM_PROMPT = `You are a senior security engineer reviewing potentially risky operations.
 Your job is to analyze commands and determine if they are safe to execute.
@@ -1778,7 +1899,7 @@ BLOCK - Do not allow:
   "user_message": "Concise message explaining the security risk to the user (2-3 sentences max). Do NOT include timing or instructions - those are added automatically."
 }
 </response_format>`;
-async function reviewWithSonnet(client, checkpoint, triage) {
+async function reviewWithSonnet(client, checkpoint, triage, model) {
   const sanitizedCommand = sanitizeForPrompt(checkpoint.command);
   const userPrompt = REVIEW_USER_PROMPT.replace("{command}", escapeXml(sanitizedCommand)).replace("{checkpoint_type}", escapeXml(checkpoint.type)).replace("{context}", escapeXml(checkpoint.description)).replace("{triage_reason}", escapeXml(triage.reason)).replace("{risk_indicators}", escapeXml(triage.riskIndicators.join(", ") || "none"));
   try {
@@ -1786,7 +1907,7 @@ async function reviewWithSonnet(client, checkpoint, triage) {
     const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS2);
     const response = await client.messages.create(
       {
-        model: SONNET_MODEL,
+        model: model ?? DEFAULT_SONNET_MODEL,
         max_tokens: 1e3,
         system: REVIEW_SYSTEM_PROMPT,
         messages: [{ role: "user", content: userPrompt }]
@@ -1803,8 +1924,8 @@ async function reviewWithSonnet(client, checkpoint, triage) {
         userMessage: "Automated security review failed. Please review this operation manually."
       };
     }
-    const jsonMatch = text.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
+    const extracted = extractJsonFromText(text);
+    if (!extracted) {
       return {
         verdict: "ASK_USER",
         riskLevel: "medium",
@@ -1812,7 +1933,7 @@ async function reviewWithSonnet(client, checkpoint, triage) {
         userMessage: "Automated security review failed. Please review this operation manually."
       };
     }
-    const parsed = JSON.parse(jsonMatch[0]);
+    const parsed = extracted;
     const verdict = parsed.verdict ?? "ASK_USER";
     if (!["ALLOW", "ASK_USER", "BLOCK"].includes(verdict)) {
       return {
@@ -1852,9 +1973,25 @@ async function reviewWithSonnet(client, checkpoint, triage) {
 
 // src/hook.ts
 var TIMEOUT_SECONDS = 7;
+var REGEX_TIMEOUT_MS = 50;
+function safeRegexTest(pattern, input) {
+  try {
+    const regex = new RegExp(pattern, "i");
+    if (/(\(.+[+*]\))[+*]|\(\?:[^)]+[+*]\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    const testInput = input.length > REGEX_TIMEOUT_MS * 40 ? input.slice(0, REGEX_TIMEOUT_MS * 40) : input;
+    return regex.test(testInput);
+  } catch {
+    return false;
+  }
+}
 var PLAN_MODE_TIMEOUT_SECONDS = 72 * 60 * 60;
 var SAFE_NON_BASH_TOOLS = ["WebFetch", "WebSearch", "Task", "Glob", "Grep", "LS", "TodoRead", "TodoWrite", "NotebookRead"];
-async function processPermissionRequest(input, anthropicClient) {
+async function processPermissionRequest(input, anthropicClient, preloadedConfig) {
+  const config2 = preloadedConfig ?? await readConfig();
   if (input.tool_name === "Write" || input.tool_name === "Edit" || input.tool_name === "Read") {
     const fileCheck = checkFileTool(input.tool_name, input.tool_input);
     if (fileCheck.blocked) {
@@ -1917,8 +2054,7 @@ This will auto-reject if not approved.`,
       };
     }
     if (input.tool_name.startsWith("mcp__")) {
-      const config3 = await readConfig();
-      const isAllowed = config3.allowedMCPTools.some((pattern) => {
+      const isAllowed = config2.allowedMCPTools.some((pattern) => {
         if (pattern.endsWith("*")) {
           const prefix = pattern.slice(0, -1);
           return input.tool_name.startsWith(prefix);
@@ -1962,34 +2098,27 @@ Auto-reject in ${TIMEOUT_SECONDS}s.`
     };
   }
   const command = input.tool_input.command;
-  const config2 = await readConfig();
   for (const pattern of config2.customPatterns.allow) {
-    try {
-      if (new RegExp(pattern, "i").test(command)) {
-        return {
-          decision: "allow",
-          reason: `Custom allow pattern: ${pattern}`,
-          source: "instant-allow"
-        };
-      }
-    } catch {
+    if (safeRegexTest(pattern, command)) {
+      return {
+        decision: "allow",
+        reason: `Custom allow pattern: ${pattern}`,
+        source: "instant-allow"
+      };
     }
   }
   for (const pattern of config2.customPatterns.block) {
-    try {
-      if (new RegExp(pattern, "i").test(command)) {
-        return {
-          decision: "needs-review",
-          reason: `Custom block pattern: ${pattern}`,
-          source: "high-risk",
-          userMessage: `[CUSTOM BLOCK] Matched pattern: ${pattern}
+    if (safeRegexTest(pattern, command)) {
+      return {
+        decision: "needs-review",
+        reason: `Custom block pattern: ${pattern}`,
+        source: "high-risk",
+        userMessage: `[CUSTOM BLOCK] Matched pattern: ${pattern}
 
 This command was blocked by your custom config.
 
 Auto-reject in ${TIMEOUT_SECONDS}s.`
-        };
-      }
-    } catch {
+      };
     }
   }
   const allowResult = checkInstantAllow(command);
@@ -2027,6 +2156,14 @@ Only proceed if you know what you're doing.`
   if (checkpoint.type === "network") {
     const domainResult = checkTrustedDomains(command);
     if (domainResult.allTrusted && domainResult.urls.length > 0) {
+      if (domainResult.hasRiskyUrls) {
+        return {
+          decision: "needs-review",
+          reason: `Risky URL pattern from trusted domain: ${domainResult.riskyUrls.join(", ")}`,
+          source: "checkpoint",
+          checkpoint
+        };
+      }
       return {
         decision: "allow",
         reason: `All URLs from trusted domains: ${domainResult.trustedUrls.join(", ")}`,
@@ -2043,7 +2180,7 @@ Only proceed if you know what you're doing.`
     };
   }
   process.stderr.write("\x1B[90m[vibesafu] Assessing security risks...\x1B[0m\n");
-  const triage = await triageWithHaiku(anthropicClient, checkpoint);
+  const triage = await triageWithHaiku(anthropicClient, checkpoint, config2.models.triage);
   if (triage.classification === "BLOCK") {
     return {
       decision: "deny",
@@ -2059,7 +2196,7 @@ Only proceed if you know what you're doing.`
     };
   }
   process.stderr.write("\x1B[90m[vibesafu] Escalating to deep analysis...\x1B[0m\n");
-  const review = await reviewWithSonnet(anthropicClient, checkpoint, triage);
+  const review = await reviewWithSonnet(anthropicClient, checkpoint, triage, config2.models.review);
   if (review.verdict === "BLOCK") {
     const result2 = {
       decision: "deny",
@@ -2117,12 +2254,13 @@ async function runHook() {
     console.log(JSON.stringify(output2));
     return;
   }
+  const config2 = await readConfig();
   let anthropicClient;
-  const apiKey = await getApiKey();
+  const apiKey = process.env.ANTHROPIC_API_KEY ?? (config2.anthropic.apiKey || void 0);
   if (apiKey) {
     anthropicClient = new Anthropic({ apiKey });
   }
-  const result = await processPermissionRequest(input, anthropicClient);
+  const result = await processPermissionRequest(input, anthropicClient, config2);
   let output;
   if (result.decision === "allow") {
     output = createHookOutput("allow");
@@ -2131,7 +2269,7 @@ async function runHook() {
   }
   const warningMessage = result.userMessage ?? result.reason;
   const timeout = result.timeoutSeconds ?? TIMEOUT_SECONDS;
-  await new Promise((resolve) => setTimeout(resolve, timeout * 1e3));
+  await new Promise((resolve2) => setTimeout(resolve2, timeout * 1e3));
   const timeoutDisplay = timeout >= 3600 ? `${Math.round(timeout / 3600)}h` : `${timeout}s`;
   const denyMessage = `\u{1F6E1}\uFE0F [vibesafu] Auto-denied (no response in ${timeoutDisplay})
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibesafu",
-  "version": "0.1.24",
+  "version": "0.1.26",
   "description": "Better Claude Code workflow with smart safety checks. Safe YOLO mode without --dangerously-skip-permission",
   "type": "module",
   "main": "dist/index.js",