vibesafu 0.1.25 → 0.1.27

package/dist/index.js

@@ -7,7 +7,7 @@ import { fileURLToPath } from "url";
 import { dirname, join as join3 } from "path";
 
 // src/cli/install.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { homedir } from "os";
 import { join } from "path";
 var CLAUDE_SETTINGS_PATH = join(homedir(), ".claude", "settings.json");
@@ -24,7 +24,12 @@ async function readClaudeSettings() {
   try {
     const content = await readFile(CLAUDE_SETTINGS_PATH, "utf-8");
     return JSON.parse(content);
-  } catch {
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {};
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Warning: Failed to read Claude settings (${CLAUDE_SETTINGS_PATH}): ${msg}. Starting fresh.`);
     return {};
   }
 }
@@ -32,6 +37,7 @@ async function writeClaudeSettings(settings) {
   const dir = join(homedir(), ".claude");
   await mkdir(dir, { recursive: true });
   await writeFile(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+  await chmod(CLAUDE_SETTINGS_PATH, 384);
 }
 function isHookInstalled(settings) {
   const hooks = settings.hooks?.PermissionRequest ?? [];
@@ -84,7 +90,7 @@ async function uninstall() {
 }
 
 // src/cli/config.ts
-import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod } from "fs/promises";
+import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { join as join2 } from "path";
 import { createInterface } from "readline";
@@ -103,11 +109,7 @@ var DEFAULT_CONFIG = {
     block: [],
     allow: []
   },
-  allowedMCPTools: [],
-  logging: {
-    enabled: true,
-    path: join2(CONFIG_DIR, "logs")
-  }
+  allowedMCPTools: []
 };
 function mergeConfig(defaults, user) {
   return {
@@ -115,32 +117,37 @@ function mergeConfig(defaults, user) {
     models: { ...defaults.models, ...user.models },
     trustedDomains: user.trustedDomains ?? defaults.trustedDomains,
     customPatterns: { ...defaults.customPatterns, ...user.customPatterns },
-    allowedMCPTools: user.allowedMCPTools ?? defaults.allowedMCPTools,
-    logging: { ...defaults.logging, ...user.logging }
+    allowedMCPTools: user.allowedMCPTools ?? defaults.allowedMCPTools
   };
 }
 async function readConfig() {
   try {
     const content = await readFile2(CONFIG_PATH, "utf-8");
     return mergeConfig(DEFAULT_CONFIG, JSON.parse(content));
-  } catch {
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return DEFAULT_CONFIG;
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    process.stderr.write(`[vibesafu] Warning: Failed to read config (${CONFIG_PATH}): ${msg}. Using defaults.
+`);
     return DEFAULT_CONFIG;
   }
 }
 async function writeConfig(config2) {
   await mkdir2(CONFIG_DIR, { recursive: true });
   await writeFile2(CONFIG_PATH, JSON.stringify(config2, null, 2));
-  await chmod(CONFIG_PATH, 384);
+  await chmod2(CONFIG_PATH, 384);
 }
 function prompt(question) {
   const rl = createInterface({
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve) => {
+  return new Promise((resolve2) => {
     rl.question(question, (answer) => {
       rl.close();
-      resolve(answer);
+      resolve2(answer);
     });
   });
 }
@@ -166,16 +173,6 @@ async function config() {
   console.log("Configuration saved!");
   console.log(`Config file: ${CONFIG_PATH}`);
 }
-async function getApiKey() {
-  if (process.env.ANTHROPIC_API_KEY) {
-    return process.env.ANTHROPIC_API_KEY;
-  }
-  const cfg = await readConfig();
-  if (cfg.anthropic.apiKey) {
-    return cfg.anthropic.apiKey;
-  }
-  return void 0;
-}
 
 // src/hook.ts
 import Anthropic from "@anthropic-ai/sdk";
@@ -779,6 +776,13 @@ var INSTANT_BLOCK_PATTERNS = [
   ...DESTRUCTIVE_PATTERNS,
   ...SELF_PROTECTION_PATTERNS
 ];
+for (const p of INSTANT_BLOCK_PATTERNS) {
+  if (p.pattern.global) {
+    throw new Error(
+      `Security pattern "${p.name}" must not use the global (g) flag. The g flag makes RegExp.test() stateful, causing intermittent bypasses. Remove the g flag from the pattern.`
+    );
+  }
+}
 var CHECKPOINT_PATTERNS = [
   // Script execution
   { pattern: /curl\s+.*\|\s*(ba)?sh/i, type: "script_execution", description: "curl piped to shell" },
@@ -822,12 +826,18 @@ var CHECKPOINT_PATTERNS = [
   { pattern: /\.ssh/i, type: "file_sensitive", description: "SSH directory access" },
   { pattern: /\.aws/i, type: "file_sensitive", description: "AWS credentials access" },
   { pattern: /credentials/i, type: "file_sensitive", description: "Credentials file access" },
-  { pattern: /CLAUDE\.md/i, type: "file_sensitive", description: "CLAUDE.md modification" },
   // Sensitive file copy/move (indirect path bypass)
   { pattern: /(cp|mv)\s+.*\.ssh\//i, type: "file_sensitive", description: "Copying/moving SSH files" },
   { pattern: /(cp|mv)\s+.*\.aws\//i, type: "file_sensitive", description: "Copying/moving AWS credentials" },
   { pattern: /(cp|mv)\s+.*\.env(\s|$)/i, type: "file_sensitive", description: "Copying/moving .env file" }
 ];
+for (const p of CHECKPOINT_PATTERNS) {
+  if (p.pattern.global) {
+    throw new Error(
+      `Checkpoint pattern "${p.description}" must not use the global (g) flag. The g flag makes RegExp.test() stateful, causing intermittent bypasses. Remove the g flag from the pattern.`
+    );
+  }
+}
 
 // src/guard/instant-block.ts
 function checkHighRiskPatterns(command) {
@@ -1034,7 +1044,10 @@ function isTrustedUrl(url) {
 function extractUrls(command) {
   const urlPattern = /https?:\/\/[^\s"'<>]+/gi;
   const matches = command.match(urlPattern);
-  return matches ?? [];
+  if (!matches) return [];
+  return matches.map((url) => {
+    return url.replace(/[),;.]+$/, "");
+  });
 }
 function isUrlShortener(hostname) {
   const normalizedHost = hostname.toLowerCase();
@@ -1058,6 +1071,21 @@ function containsUrlShortener(command) {
     shortenerUrls
   };
 }
+var RISKY_URL_PATTERNS = [
+  // Raw file content from GitHub - can be any user's code
+  /raw\.githubusercontent\.com/i,
+  // GitHub gist raw content
+  /gist\.github\.com\/[^/]+\/[^/]+\/raw/i,
+  // GitHub releases downloads - binary files from any user
+  /github\.com\/[^/]+\/[^/]+\/releases\/download/i,
+  // GitHub objects (blobs, etc.)
+  /objects\.githubusercontent\.com/i,
+  // Installer script patterns (get.*.sh)
+  /\/get\.[^/]+\.sh/i
+];
+function isRiskyUrlPattern(url) {
+  return RISKY_URL_PATTERNS.some((pattern) => pattern.test(url));
+}
 
 // src/guard/checkpoint.ts
 function detectCheckpoint(command) {
@@ -1091,29 +1119,39 @@ function checkTrustedDomains(command) {
     return {
       allTrusted: true,
       // No URLs means nothing untrusted
+      hasRiskyUrls: false,
       urls: [],
       trustedUrls: [],
-      untrustedUrls: []
+      untrustedUrls: [],
+      riskyUrls: []
     };
   }
   const trustedUrls = [];
   const untrustedUrls = [];
+  const riskyUrls = [];
   for (const url of urls) {
     if (isTrustedUrl(url)) {
       trustedUrls.push(url);
     } else {
       untrustedUrls.push(url);
     }
+    if (isRiskyUrlPattern(url)) {
+      riskyUrls.push(url);
+    }
   }
   return {
     allTrusted: untrustedUrls.length === 0,
+    hasRiskyUrls: riskyUrls.length > 0,
     urls,
     trustedUrls,
-    untrustedUrls
+    untrustedUrls,
+    riskyUrls
   };
 }
 
 // src/guard/file-tools.ts
+import { resolve } from "path";
+import { homedir as homedir3 } from "os";
 var WRITE_SENSITIVE_PATHS = [
   // SSH - Critical (persistent access)
   {
@@ -1292,13 +1330,6 @@ var WRITE_SENSITIVE_PATHS = [
     legitimateUses: ["Configuring PyPI", "Publishing packages"]
   },
   // Claude Code config - Critical (could disable security)
-  {
-    pattern: /CLAUDE\.md$/i,
-    description: "Claude instructions file",
-    severity: "critical",
-    risk: "Can modify AI behavior and disable security rules",
-    legitimateUses: ["Updating project instructions", "Configuring Claude behavior"]
-  },
   {
     pattern: /^~?\/?\.claude\//i,
     description: "Claude config directory",
@@ -1450,8 +1481,18 @@ var READ_SENSITIVE_PATHS = [
   }
 ];
 function normalizePath(filePath) {
-  let normalized = filePath.replace(/\$HOME/g, "~").replace(/\$\{HOME\}/g, "~");
+  let normalized = filePath;
+  normalized = normalized.replace(/\$HOME/g, "~").replace(/\$\{HOME\}/g, "~");
   normalized = normalized.replace(/\/+/g, "/");
+  if (normalized.startsWith("/")) {
+    normalized = resolve(normalized);
+  }
+  const home = homedir3();
+  if (normalized.startsWith(home + "/")) {
+    normalized = "~" + normalized.slice(home.length);
+  } else if (normalized === home) {
+    normalized = "~";
+  }
   return normalized;
 }
 function checkFilePath(filePath, action) {
@@ -1516,19 +1557,21 @@ var PROMPT_INJECTION_PATTERNS = [
   /pretend\s+(to\s+be|you\s+are)/i,
   /new\s+instructions?:/i,
   /updated?\s+instructions?:/i,
-  // Context/role markers (could be trying to inject fake context)
-  /system\s*:/i,
-  /assistant\s*:/i,
-  /human\s*:/i,
-  /user\s*:/i,
+  // Context/role markers (require injection-like context to avoid false positives)
+  // "system:" alone is too broad (matches "operating system: linux")
+  // Require either line-start or preceded by newline to indicate role-marker usage
+  /^\s*system\s*:/im,
+  /^\s*assistant\s*:/im,
+  /^\s*human\s*:/im,
+  /^\s*user\s*:/im,
   /<\s*system\s*>/i,
   /<\s*\/?\s*instructions?\s*>/i,
-  // Emphasis markers often used in injection
-  /\bIMPORTANT\s*:/i,
-  /\bNOTE\s*:/i,
-  /\bWARNING\s*:/i,
-  /\bCRITICAL\s*:/i,
-  /\bURGENT\s*:/i,
+  // Emphasis markers - only flag when combined with directive language
+  /\bIMPORTANT\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bNOTE\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bWARNING\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bCRITICAL\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bURGENT\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
   // Output manipulation
   /respond\s+with\s+(this\s+)?(exact\s+)?json/i,
   /return\s+(only\s+)?["']?ALLOW["']?/i,
@@ -1588,10 +1631,10 @@ var FORCE_ESCALATE_PATTERNS = [
   // su commands
   /chmod\s+[0-7]*[7][0-7]*/i,
   // chmod with executable permissions
-  /\.env/i,
-  // env file access
-  /\/(etc|root|home)\//i
-  // System directory access
+  /\.env(\s|$|\.local|\.production|\.development|\.staging|\.test)/i,
+  // .env file access (not .envoy, .environment, etc.)
+  /\/(etc|root)\//i
+  // System directory access (/etc/, /root/ - not /home/ which is too broad)
 ];
 function shouldForceEscalate(command) {
   if (containsPromptInjection(command)) {
@@ -1599,6 +1642,96 @@ function shouldForceEscalate(command) {
   }
   return FORCE_ESCALATE_PATTERNS.some((pattern) => pattern.test(command));
 }
+function extractJsonFromText(text) {
+  try {
+    const parsed = JSON.parse(text.trim());
+    if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+      return parsed;
+    }
+  } catch {
+  }
+  const codeBlockMatch = text.match(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/);
+  if (codeBlockMatch) {
+    try {
+      const parsed = JSON.parse(codeBlockMatch[1].trim());
+      if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+        return parsed;
+      }
+    } catch {
+    }
+  }
+  const startIdx = text.indexOf("{");
+  if (startIdx === -1) return null;
+  let depth = 0;
+  let inString = false;
+  let escaped = false;
+  for (let i = startIdx; i < text.length; i++) {
+    const ch = text[i];
+    if (escaped) {
+      escaped = false;
+      continue;
+    }
+    if (ch === "\\" && inString) {
+      escaped = true;
+      continue;
+    }
+    if (ch === '"') {
+      inString = !inString;
+      continue;
+    }
+    if (inString) continue;
+    if (ch === "{") depth++;
+    else if (ch === "}") {
+      depth--;
+      if (depth === 0) {
+        const candidate = text.slice(startIdx, i + 1);
+        try {
+          const parsed = JSON.parse(candidate);
+          if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+            return parsed;
+          }
+        } catch {
+          return null;
+        }
+      }
+    }
+  }
+  return null;
+}
+
+// src/utils/llm-call.ts
+async function callLLM(options) {
+  const { client, model, systemPrompt, userPrompt, maxTokens, timeoutMs } = options;
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+    const response = await client.messages.create(
+      {
+        model,
+        max_tokens: maxTokens,
+        system: systemPrompt,
+        messages: [{ role: "user", content: userPrompt }]
+      },
+      { signal: controller.signal }
+    );
+    clearTimeout(timeoutId);
+    const text = response.content[0]?.type === "text" ? response.content[0].text : "";
+    if (!text) {
+      return { ok: false, error: "empty_response", message: "Empty response from LLM" };
+    }
+    const extracted = extractJsonFromText(text);
+    if (!extracted) {
+      return { ok: false, error: "parse_error", message: "Could not parse JSON response" };
+    }
+    return { ok: true, data: extracted };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    if (errorMessage.includes("abort") || errorMessage.includes("timeout")) {
+      return { ok: false, error: "timeout", message: "API timeout" };
+    }
+    return { ok: false, error: "api_error", message: errorMessage };
+  }
+}
 
 // src/guard/haiku-triage.ts
 var DEFAULT_HAIKU_MODEL = "claude-haiku-4-20250514";
@@ -1658,70 +1791,42 @@ async function triageWithHaiku(client, checkpoint, model) {
   }
   const sanitizedCommand = sanitizeForPrompt(checkpoint.command);
   const userPrompt = TRIAGE_USER_PROMPT.replace("{command}", escapeXml(sanitizedCommand)).replace("{checkpoint_type}", escapeXml(checkpoint.type)).replace("{context}", escapeXml(checkpoint.description));
-  try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS);
-    const response = await client.messages.create(
-      {
-        model: model ?? DEFAULT_HAIKU_MODEL,
-        max_tokens: 500,
-        system: TRIAGE_SYSTEM_PROMPT,
-        messages: [{ role: "user", content: userPrompt }]
-      },
-      { signal: controller.signal }
-    );
-    clearTimeout(timeoutId);
-    const text = response.content[0]?.type === "text" ? response.content[0].text : "";
-    if (!text) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: Empty response from Haiku",
-        riskIndicators: ["triage_error"]
-      };
-    }
-    const jsonMatch = text.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: Could not parse JSON response",
-        riskIndicators: ["triage_error"]
-      };
-    }
-    const parsed = JSON.parse(jsonMatch[0]);
-    if (!parsed.classification || !["SELF_HANDLE", "ESCALATE", "BLOCK"].includes(parsed.classification)) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: Invalid classification in response",
-        riskIndicators: ["triage_error"]
-      };
-    }
-    if (parsed.classification === "SELF_HANDLE" && shouldForceEscalate(checkpoint.command)) {
-      return {
-        classification: "ESCALATE",
-        reason: "Auto-escalated: Command contains patterns requiring deeper review",
-        riskIndicators: ["forced_escalation", ...parsed.risk_indicators ?? []]
-      };
-    }
+  const result = await callLLM({
+    client,
+    model: model ?? DEFAULT_HAIKU_MODEL,
+    systemPrompt: TRIAGE_SYSTEM_PROMPT,
+    userPrompt,
+    maxTokens: 500,
+    timeoutMs: API_TIMEOUT_MS
+  });
+  if (!result.ok) {
+    const tag = result.error === "timeout" ? "triage_timeout" : "triage_error";
     return {
-      classification: parsed.classification,
-      reason: parsed.reason ?? "No reason provided",
-      riskIndicators: parsed.risk_indicators ?? []
+      classification: "ESCALATE",
+      reason: `Triage failed: ${result.message}`,
+      riskIndicators: [tag]
     };
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Unknown error";
-    if (errorMessage.includes("abort") || errorMessage.includes("timeout")) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: API timeout",
-        riskIndicators: ["triage_timeout"]
-      };
-    }
+  }
+  const parsed = result.data;
+  if (!parsed.classification || !["SELF_HANDLE", "ESCALATE", "BLOCK"].includes(parsed.classification)) {
     return {
       classification: "ESCALATE",
-      reason: `Triage failed: ${errorMessage}`,
+      reason: "Triage failed: Invalid classification in response",
       riskIndicators: ["triage_error"]
     };
   }
+  if (parsed.classification === "SELF_HANDLE" && shouldForceEscalate(checkpoint.command)) {
+    return {
+      classification: "ESCALATE",
+      reason: "Auto-escalated: Command contains patterns requiring deeper review",
+      riskIndicators: ["forced_escalation", ...parsed.risk_indicators ?? []]
+    };
+  }
+  return {
+    classification: parsed.classification,
+    reason: parsed.reason ?? "No reason provided",
+    riskIndicators: parsed.risk_indicators ?? []
+  };
 }
 
 // src/guard/sonnet-review.ts
@@ -1800,81 +1905,76 @@ BLOCK - Do not allow:
 async function reviewWithSonnet(client, checkpoint, triage, model) {
   const sanitizedCommand = sanitizeForPrompt(checkpoint.command);
   const userPrompt = REVIEW_USER_PROMPT.replace("{command}", escapeXml(sanitizedCommand)).replace("{checkpoint_type}", escapeXml(checkpoint.type)).replace("{context}", escapeXml(checkpoint.description)).replace("{triage_reason}", escapeXml(triage.reason)).replace("{risk_indicators}", escapeXml(triage.riskIndicators.join(", ") || "none"));
-  try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS2);
-    const response = await client.messages.create(
-      {
-        model: model ?? DEFAULT_SONNET_MODEL,
-        max_tokens: 1e3,
-        system: REVIEW_SYSTEM_PROMPT,
-        messages: [{ role: "user", content: userPrompt }]
-      },
-      { signal: controller.signal }
-    );
-    clearTimeout(timeoutId);
-    const text = response.content[0]?.type === "text" ? response.content[0].text : "";
-    if (!text) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: Empty response from Sonnet",
-        userMessage: "Automated security review failed. Please review this operation manually."
-      };
-    }
-    const jsonMatch = text.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: Could not parse JSON response",
-        userMessage: "Automated security review failed. Please review this operation manually."
-      };
-    }
-    const parsed = JSON.parse(jsonMatch[0]);
-    const verdict = parsed.verdict ?? "ASK_USER";
-    if (!["ALLOW", "ASK_USER", "BLOCK"].includes(verdict)) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: Invalid verdict in response",
-        userMessage: "Automated security review failed. Please review this operation manually."
-      };
-    }
-    const result = {
-      verdict,
-      riskLevel: parsed.risk_level ?? "medium",
-      reason: parsed.analysis?.intent ?? "Review completed"
+  const FALLBACK_MSG = "Automated security review failed. Please review this operation manually.";
+  const result = await callLLM({
+    client,
+    model: model ?? DEFAULT_SONNET_MODEL,
+    systemPrompt: REVIEW_SYSTEM_PROMPT,
+    userPrompt,
+    maxTokens: 1e3,
+    timeoutMs: API_TIMEOUT_MS2
+  });
+  if (!result.ok) {
+    const msg = result.error === "timeout" ? "Security review timed out. Please review this operation manually." : FALLBACK_MSG;
+    return {
+      verdict: "ASK_USER",
+      riskLevel: "medium",
+      reason: `Review failed: ${result.message}`,
+      userMessage: msg
     };
-    if (parsed.user_message) {
-      result.userMessage = parsed.user_message;
-    }
-    return result;
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Unknown error";
-    if (errorMessage.includes("abort") || errorMessage.includes("timeout")) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: API timeout",
-        userMessage: "Security review timed out. Please review this operation manually."
-      };
-    }
+  }
+  const parsed = result.data;
+  const verdict = parsed.verdict ?? "ASK_USER";
+  if (!["ALLOW", "ASK_USER", "BLOCK"].includes(verdict)) {
     return {
       verdict: "ASK_USER",
       riskLevel: "medium",
-      reason: `Review failed: ${errorMessage}`,
-      userMessage: "Automated security review failed. Please review this operation manually."
+      reason: "Review failed: Invalid verdict in response",
+      userMessage: FALLBACK_MSG
     };
   }
+  const reviewResult = {
+    verdict,
+    riskLevel: parsed.risk_level ?? "medium",
+    reason: parsed.analysis?.intent ?? "Review completed"
+  };
+  if (parsed.user_message) {
+    reviewResult.userMessage = parsed.user_message;
+  }
+  return reviewResult;
 }
 
 // src/hook.ts
 var TIMEOUT_SECONDS = 7;
+var REGEX_TIMEOUT_MS = 50;
+function safeRegexTest(pattern, input) {
+  try {
+    if (/(\(.+[+*]\))[+*]|\(\?:[^)]+[+*]\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    if (/\([^)]*\|[^)]*\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    if (/\([^)]*[+*][^)]*\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    const regex = new RegExp(pattern, "i");
+    const testInput = input.length > REGEX_TIMEOUT_MS * 40 ? input.slice(0, REGEX_TIMEOUT_MS * 40) : input;
+    return regex.test(testInput);
+  } catch {
+    return false;
+  }
+}
 var PLAN_MODE_TIMEOUT_SECONDS = 72 * 60 * 60;
 var SAFE_NON_BASH_TOOLS = ["WebFetch", "WebSearch", "Task", "Glob", "Grep", "LS", "TodoRead", "TodoWrite", "NotebookRead"];
-async function processPermissionRequest(input, anthropicClient) {
-  const config2 = await readConfig();
+async function processPermissionRequest(input, anthropicClient, preloadedConfig) {
+  const config2 = preloadedConfig ?? await readConfig();
   if (input.tool_name === "Write" || input.tool_name === "Edit" || input.tool_name === "Read") {
     const fileCheck = checkFileTool(input.tool_name, input.tool_input);
     if (fileCheck.blocked) {
@@ -1981,33 +2081,34 @@ Auto-reject in ${TIMEOUT_SECONDS}s.`
     };
   }
   const command = input.tool_input.command;
+  if (typeof command !== "string" || !command.trim()) {
+    return {
+      decision: "deny",
+      reason: `Invalid input: Bash tool requires a non-empty string command, got ${typeof command}`,
+      source: "instant-block"
+    };
+  }
   for (const pattern of config2.customPatterns.allow) {
-    try {
-      if (new RegExp(pattern, "i").test(command)) {
-        return {
-          decision: "allow",
-          reason: `Custom allow pattern: ${pattern}`,
-          source: "instant-allow"
-        };
-      }
-    } catch {
+    if (safeRegexTest(pattern, command)) {
+      return {
+        decision: "allow",
+        reason: `Custom allow pattern: ${pattern}`,
+        source: "instant-allow"
+      };
     }
   }
   for (const pattern of config2.customPatterns.block) {
-    try {
-      if (new RegExp(pattern, "i").test(command)) {
-        return {
-          decision: "needs-review",
-          reason: `Custom block pattern: ${pattern}`,
-          source: "high-risk",
-          userMessage: `[CUSTOM BLOCK] Matched pattern: ${pattern}
+    if (safeRegexTest(pattern, command)) {
+      return {
+        decision: "needs-review",
+        reason: `Custom block pattern: ${pattern}`,
+        source: "high-risk",
+        userMessage: `[CUSTOM BLOCK] Matched pattern: ${pattern}
 
 This command was blocked by your custom config.
 
 Auto-reject in ${TIMEOUT_SECONDS}s.`
-        };
-      }
-    } catch {
+      };
     }
   }
   const allowResult = checkInstantAllow(command);
@@ -2045,6 +2146,14 @@ Only proceed if you know what you're doing.`
   if (checkpoint.type === "network") {
     const domainResult = checkTrustedDomains(command);
     if (domainResult.allTrusted && domainResult.urls.length > 0) {
+      if (domainResult.hasRiskyUrls) {
+        return {
+          decision: "needs-review",
+          reason: `Risky URL pattern from trusted domain: ${domainResult.riskyUrls.join(", ")}`,
+          source: "checkpoint",
+          checkpoint
+        };
+      }
       return {
         decision: "allow",
         reason: `All URLs from trusted domains: ${domainResult.trustedUrls.join(", ")}`,
@@ -2135,12 +2244,13 @@ async function runHook() {
     console.log(JSON.stringify(output2));
     return;
   }
+  const config2 = await readConfig();
   let anthropicClient;
-  const apiKey = await getApiKey();
+  const apiKey = process.env.ANTHROPIC_API_KEY ?? (config2.anthropic.apiKey || void 0);
   if (apiKey) {
     anthropicClient = new Anthropic({ apiKey });
   }
-  const result = await processPermissionRequest(input, anthropicClient);
+  const result = await processPermissionRequest(input, anthropicClient, config2);
   let output;
   if (result.decision === "allow") {
     output = createHookOutput("allow");
@@ -2149,7 +2259,7 @@ async function runHook() {
   }
   const warningMessage = result.userMessage ?? result.reason;
   const timeout = result.timeoutSeconds ?? TIMEOUT_SECONDS;
-  await new Promise((resolve) => setTimeout(resolve, timeout * 1e3));
+  await new Promise((resolve2) => setTimeout(resolve2, timeout * 1e3));
   const timeoutDisplay = timeout >= 3600 ? `${Math.round(timeout / 3600)}h` : `${timeout}s`;
   const denyMessage = `\u{1F6E1}\uFE0F [vibesafu] Auto-denied (no response in ${timeoutDisplay})
 
@@ -2160,11 +2270,6 @@ If this was intentional, re-run the command and click "Allow".`;
   console.log(JSON.stringify(output));
 }
 
-// src/cli/check.ts
-async function check() {
-  await runHook();
-}
-
 // src/index.ts
 var __dirname = dirname(fileURLToPath(import.meta.url));
 var pkg = JSON.parse(readFileSync(join3(__dirname, "../package.json"), "utf-8"));
@@ -2203,7 +2308,7 @@ async function main() {
       await uninstall();
       break;
     case "check":
-      await check();
+      await runHook();
       break;
     case "config":
       await config();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibesafu",
-  "version": "0.1.25",
+  "version": "0.1.27",
   "description": "Better Claude Code workflow with smart safety checks. Safe YOLO mode without --dangerously-skip-permission",
   "type": "module",
   "main": "dist/index.js",