vibesafu 0.1.25 → 0.1.26

package/dist/index.js

@@ -7,7 +7,7 @@ import { fileURLToPath } from "url";
 import { dirname, join as join3 } from "path";
 
 // src/cli/install.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { homedir } from "os";
 import { join } from "path";
 var CLAUDE_SETTINGS_PATH = join(homedir(), ".claude", "settings.json");
@@ -24,7 +24,12 @@ async function readClaudeSettings() {
   try {
     const content = await readFile(CLAUDE_SETTINGS_PATH, "utf-8");
     return JSON.parse(content);
-  } catch {
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {};
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Warning: Failed to read Claude settings (${CLAUDE_SETTINGS_PATH}): ${msg}. Starting fresh.`);
     return {};
   }
 }
@@ -32,6 +37,7 @@ async function writeClaudeSettings(settings) {
   const dir = join(homedir(), ".claude");
   await mkdir(dir, { recursive: true });
   await writeFile(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+  await chmod(CLAUDE_SETTINGS_PATH, 384);
 }
 function isHookInstalled(settings) {
   const hooks = settings.hooks?.PermissionRequest ?? [];
@@ -84,7 +90,7 @@ async function uninstall() {
 }
 
 // src/cli/config.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { join as join2 } from "path";
 import { createInterface } from "readline";
@@ -123,24 +129,30 @@ async function readConfig() {
   try {
     const content = await readFile2(CONFIG_PATH, "utf-8");
     return mergeConfig(DEFAULT_CONFIG, JSON.parse(content));
-  } catch {
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return DEFAULT_CONFIG;
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    process.stderr.write(`[vibesafu] Warning: Failed to read config (${CONFIG_PATH}): ${msg}. Using defaults.
+`);
     return DEFAULT_CONFIG;
   }
 }
 async function writeConfig(config2) {
   await mkdir2(CONFIG_DIR, { recursive: true });
   await writeFile2(CONFIG_PATH, JSON.stringify(config2, null, 2));
-  await chmod(CONFIG_PATH, 384);
+  await chmod2(CONFIG_PATH, 384);
 }
 function prompt(question) {
   const rl = createInterface({
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve) => {
+  return new Promise((resolve2) => {
     rl.question(question, (answer) => {
       rl.close();
-      resolve(answer);
+      resolve2(answer);
     });
   });
 }
@@ -166,16 +178,6 @@ async function config() {
   console.log("Configuration saved!");
   console.log(`Config file: ${CONFIG_PATH}`);
 }
-async function getApiKey() {
-  if (process.env.ANTHROPIC_API_KEY) {
-    return process.env.ANTHROPIC_API_KEY;
-  }
-  const cfg = await readConfig();
-  if (cfg.anthropic.apiKey) {
-    return cfg.anthropic.apiKey;
-  }
-  return void 0;
-}
 
 // src/hook.ts
 import Anthropic from "@anthropic-ai/sdk";
@@ -779,6 +781,13 @@ var INSTANT_BLOCK_PATTERNS = [
   ...DESTRUCTIVE_PATTERNS,
   ...SELF_PROTECTION_PATTERNS
 ];
+for (const p of INSTANT_BLOCK_PATTERNS) {
+  if (p.pattern.global) {
+    throw new Error(
+      `Security pattern "${p.name}" must not use the global (g) flag. The g flag makes RegExp.test() stateful, causing intermittent bypasses. Remove the g flag from the pattern.`
+    );
+  }
+}
 var CHECKPOINT_PATTERNS = [
   // Script execution
   { pattern: /curl\s+.*\|\s*(ba)?sh/i, type: "script_execution", description: "curl piped to shell" },
@@ -822,12 +831,18 @@ var CHECKPOINT_PATTERNS = [
   { pattern: /\.ssh/i, type: "file_sensitive", description: "SSH directory access" },
   { pattern: /\.aws/i, type: "file_sensitive", description: "AWS credentials access" },
   { pattern: /credentials/i, type: "file_sensitive", description: "Credentials file access" },
-  { pattern: /CLAUDE\.md/i, type: "file_sensitive", description: "CLAUDE.md modification" },
   // Sensitive file copy/move (indirect path bypass)
   { pattern: /(cp|mv)\s+.*\.ssh\//i, type: "file_sensitive", description: "Copying/moving SSH files" },
   { pattern: /(cp|mv)\s+.*\.aws\//i, type: "file_sensitive", description: "Copying/moving AWS credentials" },
   { pattern: /(cp|mv)\s+.*\.env(\s|$)/i, type: "file_sensitive", description: "Copying/moving .env file" }
 ];
+for (const p of CHECKPOINT_PATTERNS) {
+  if (p.pattern.global) {
+    throw new Error(
+      `Checkpoint pattern "${p.description}" must not use the global (g) flag. The g flag makes RegExp.test() stateful, causing intermittent bypasses. Remove the g flag from the pattern.`
+    );
+  }
+}
 
 // src/guard/instant-block.ts
 function checkHighRiskPatterns(command) {
@@ -1034,7 +1049,10 @@ function isTrustedUrl(url) {
 function extractUrls(command) {
   const urlPattern = /https?:\/\/[^\s"'<>]+/gi;
   const matches = command.match(urlPattern);
-  return matches ?? [];
+  if (!matches) return [];
+  return matches.map((url) => {
+    return url.replace(/[),;.]+$/, "");
+  });
 }
 function isUrlShortener(hostname) {
   const normalizedHost = hostname.toLowerCase();
@@ -1058,6 +1076,21 @@ function containsUrlShortener(command) {
     shortenerUrls
   };
 }
+var RISKY_URL_PATTERNS = [
+  // Raw file content from GitHub - can be any user's code
+  /raw\.githubusercontent\.com/i,
+  // GitHub gist raw content
+  /gist\.github\.com\/[^/]+\/[^/]+\/raw/i,
+  // GitHub releases downloads - binary files from any user
+  /github\.com\/[^/]+\/[^/]+\/releases\/download/i,
+  // GitHub objects (blobs, etc.)
+  /objects\.githubusercontent\.com/i,
+  // Installer script patterns (get.*.sh)
+  /\/get\.[^/]+\.sh/i
+];
+function isRiskyUrlPattern(url) {
+  return RISKY_URL_PATTERNS.some((pattern) => pattern.test(url));
+}
 
 // src/guard/checkpoint.ts
 function detectCheckpoint(command) {
@@ -1091,29 +1124,39 @@ function checkTrustedDomains(command) {
     return {
       allTrusted: true,
       // No URLs means nothing untrusted
+      hasRiskyUrls: false,
       urls: [],
       trustedUrls: [],
-      untrustedUrls: []
+      untrustedUrls: [],
+      riskyUrls: []
     };
   }
   const trustedUrls = [];
   const untrustedUrls = [];
+  const riskyUrls = [];
   for (const url of urls) {
     if (isTrustedUrl(url)) {
       trustedUrls.push(url);
     } else {
       untrustedUrls.push(url);
     }
+    if (isRiskyUrlPattern(url)) {
+      riskyUrls.push(url);
+    }
   }
   return {
     allTrusted: untrustedUrls.length === 0,
+    hasRiskyUrls: riskyUrls.length > 0,
     urls,
     trustedUrls,
-    untrustedUrls
+    untrustedUrls,
+    riskyUrls
   };
 }
 
 // src/guard/file-tools.ts
+import { resolve } from "path";
+import { homedir as homedir3 } from "os";
 var WRITE_SENSITIVE_PATHS = [
   // SSH - Critical (persistent access)
   {
@@ -1292,13 +1335,6 @@ var WRITE_SENSITIVE_PATHS = [
     legitimateUses: ["Configuring PyPI", "Publishing packages"]
   },
   // Claude Code config - Critical (could disable security)
-  {
-    pattern: /CLAUDE\.md$/i,
-    description: "Claude instructions file",
-    severity: "critical",
-    risk: "Can modify AI behavior and disable security rules",
-    legitimateUses: ["Updating project instructions", "Configuring Claude behavior"]
-  },
   {
     pattern: /^~?\/?\.claude\//i,
     description: "Claude config directory",
@@ -1450,8 +1486,18 @@ var READ_SENSITIVE_PATHS = [
   }
 ];
 function normalizePath(filePath) {
-  let normalized = filePath.replace(/\$HOME/g, "~").replace(/\$\{HOME\}/g, "~");
+  let normalized = filePath;
+  normalized = normalized.replace(/\$HOME/g, "~").replace(/\$\{HOME\}/g, "~");
   normalized = normalized.replace(/\/+/g, "/");
+  if (normalized.startsWith("/")) {
+    normalized = resolve(normalized);
+  }
+  const home = homedir3();
+  if (normalized.startsWith(home + "/")) {
+    normalized = "~" + normalized.slice(home.length);
+  } else if (normalized === home) {
+    normalized = "~";
+  }
   return normalized;
 }
 function checkFilePath(filePath, action) {
@@ -1599,6 +1645,62 @@ function shouldForceEscalate(command) {
   }
   return FORCE_ESCALATE_PATTERNS.some((pattern) => pattern.test(command));
 }
+function extractJsonFromText(text) {
+  try {
+    const parsed = JSON.parse(text.trim());
+    if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+      return parsed;
+    }
+  } catch {
+  }
+  const codeBlockMatch = text.match(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/);
+  if (codeBlockMatch) {
+    try {
+      const parsed = JSON.parse(codeBlockMatch[1].trim());
+      if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+        return parsed;
+      }
+    } catch {
+    }
+  }
+  const startIdx = text.indexOf("{");
+  if (startIdx === -1) return null;
+  let depth = 0;
+  let inString = false;
+  let escaped = false;
+  for (let i = startIdx; i < text.length; i++) {
+    const ch = text[i];
+    if (escaped) {
+      escaped = false;
+      continue;
+    }
+    if (ch === "\\" && inString) {
+      escaped = true;
+      continue;
+    }
+    if (ch === '"') {
+      inString = !inString;
+      continue;
+    }
+    if (inString) continue;
+    if (ch === "{") depth++;
+    else if (ch === "}") {
+      depth--;
+      if (depth === 0) {
+        const candidate = text.slice(startIdx, i + 1);
+        try {
+          const parsed = JSON.parse(candidate);
+          if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+            return parsed;
+          }
+        } catch {
+          return null;
+        }
+      }
+    }
+  }
+  return null;
+}
 
 // src/guard/haiku-triage.ts
 var DEFAULT_HAIKU_MODEL = "claude-haiku-4-20250514";
@@ -1679,15 +1781,15 @@ async function triageWithHaiku(client, checkpoint, model) {
         riskIndicators: ["triage_error"]
       };
     }
-    const jsonMatch = text.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
+    const extracted = extractJsonFromText(text);
+    if (!extracted) {
       return {
         classification: "ESCALATE",
         reason: "Triage failed: Could not parse JSON response",
         riskIndicators: ["triage_error"]
       };
     }
-    const parsed = JSON.parse(jsonMatch[0]);
+    const parsed = extracted;
     if (!parsed.classification || !["SELF_HANDLE", "ESCALATE", "BLOCK"].includes(parsed.classification)) {
       return {
         classification: "ESCALATE",
@@ -1822,8 +1924,8 @@ async function reviewWithSonnet(client, checkpoint, triage, model) {
         userMessage: "Automated security review failed. Please review this operation manually."
       };
     }
-    const jsonMatch = text.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
+    const extracted = extractJsonFromText(text);
+    if (!extracted) {
       return {
         verdict: "ASK_USER",
         riskLevel: "medium",
@@ -1831,7 +1933,7 @@ async function reviewWithSonnet(client, checkpoint, triage, model) {
         userMessage: "Automated security review failed. Please review this operation manually."
       };
     }
-    const parsed = JSON.parse(jsonMatch[0]);
+    const parsed = extracted;
     const verdict = parsed.verdict ?? "ASK_USER";
     if (!["ALLOW", "ASK_USER", "BLOCK"].includes(verdict)) {
       return {
@@ -1871,10 +1973,25 @@ async function reviewWithSonnet(client, checkpoint, triage, model) {
 
 // src/hook.ts
 var TIMEOUT_SECONDS = 7;
+var REGEX_TIMEOUT_MS = 50;
+function safeRegexTest(pattern, input) {
+  try {
+    const regex = new RegExp(pattern, "i");
+    if (/(\(.+[+*]\))[+*]|\(\?:[^)]+[+*]\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    const testInput = input.length > REGEX_TIMEOUT_MS * 40 ? input.slice(0, REGEX_TIMEOUT_MS * 40) : input;
+    return regex.test(testInput);
+  } catch {
+    return false;
+  }
+}
 var PLAN_MODE_TIMEOUT_SECONDS = 72 * 60 * 60;
 var SAFE_NON_BASH_TOOLS = ["WebFetch", "WebSearch", "Task", "Glob", "Grep", "LS", "TodoRead", "TodoWrite", "NotebookRead"];
-async function processPermissionRequest(input, anthropicClient) {
-  const config2 = await readConfig();
+async function processPermissionRequest(input, anthropicClient, preloadedConfig) {
+  const config2 = preloadedConfig ?? await readConfig();
   if (input.tool_name === "Write" || input.tool_name === "Edit" || input.tool_name === "Read") {
     const fileCheck = checkFileTool(input.tool_name, input.tool_input);
     if (fileCheck.blocked) {
@@ -1982,32 +2099,26 @@ Auto-reject in ${TIMEOUT_SECONDS}s.`
   }
   const command = input.tool_input.command;
   for (const pattern of config2.customPatterns.allow) {
-    try {
-      if (new RegExp(pattern, "i").test(command)) {
-        return {
-          decision: "allow",
-          reason: `Custom allow pattern: ${pattern}`,
-          source: "instant-allow"
-        };
-      }
-    } catch {
+    if (safeRegexTest(pattern, command)) {
+      return {
+        decision: "allow",
+        reason: `Custom allow pattern: ${pattern}`,
+        source: "instant-allow"
+      };
     }
   }
   for (const pattern of config2.customPatterns.block) {
-    try {
-      if (new RegExp(pattern, "i").test(command)) {
-        return {
-          decision: "needs-review",
-          reason: `Custom block pattern: ${pattern}`,
-          source: "high-risk",
-          userMessage: `[CUSTOM BLOCK] Matched pattern: ${pattern}
+    if (safeRegexTest(pattern, command)) {
+      return {
+        decision: "needs-review",
+        reason: `Custom block pattern: ${pattern}`,
+        source: "high-risk",
+        userMessage: `[CUSTOM BLOCK] Matched pattern: ${pattern}
 
 This command was blocked by your custom config.
 
 Auto-reject in ${TIMEOUT_SECONDS}s.`
-        };
-      }
-    } catch {
+      };
     }
   }
   const allowResult = checkInstantAllow(command);
@@ -2045,6 +2156,14 @@ Only proceed if you know what you're doing.`
   if (checkpoint.type === "network") {
     const domainResult = checkTrustedDomains(command);
     if (domainResult.allTrusted && domainResult.urls.length > 0) {
+      if (domainResult.hasRiskyUrls) {
+        return {
+          decision: "needs-review",
+          reason: `Risky URL pattern from trusted domain: ${domainResult.riskyUrls.join(", ")}`,
+          source: "checkpoint",
+          checkpoint
+        };
+      }
       return {
         decision: "allow",
         reason: `All URLs from trusted domains: ${domainResult.trustedUrls.join(", ")}`,
@@ -2135,12 +2254,13 @@ async function runHook() {
     console.log(JSON.stringify(output2));
     return;
   }
+  const config2 = await readConfig();
   let anthropicClient;
-  const apiKey = await getApiKey();
+  const apiKey = process.env.ANTHROPIC_API_KEY ?? (config2.anthropic.apiKey || void 0);
   if (apiKey) {
     anthropicClient = new Anthropic({ apiKey });
   }
-  const result = await processPermissionRequest(input, anthropicClient);
+  const result = await processPermissionRequest(input, anthropicClient, config2);
   let output;
   if (result.decision === "allow") {
     output = createHookOutput("allow");
@@ -2149,7 +2269,7 @@ async function runHook() {
   }
   const warningMessage = result.userMessage ?? result.reason;
   const timeout = result.timeoutSeconds ?? TIMEOUT_SECONDS;
-  await new Promise((resolve) => setTimeout(resolve, timeout * 1e3));
+  await new Promise((resolve2) => setTimeout(resolve2, timeout * 1e3));
   const timeoutDisplay = timeout >= 3600 ? `${Math.round(timeout / 3600)}h` : `${timeout}s`;
   const denyMessage = `\u{1F6E1}\uFE0F [vibesafu] Auto-denied (no response in ${timeoutDisplay})
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibesafu",
-  "version": "0.1.25",
+  "version": "0.1.26",
   "description": "Better Claude Code workflow with smart safety checks. Safe YOLO mode without --dangerously-skip-permission",
   "type": "module",
   "main": "dist/index.js",