vibesafu 0.1.26 → 0.1.27

package/dist/index.js

@@ -109,11 +109,7 @@ var DEFAULT_CONFIG = {
     block: [],
     allow: []
   },
-  allowedMCPTools: [],
-  logging: {
-    enabled: true,
-    path: join2(CONFIG_DIR, "logs")
-  }
+  allowedMCPTools: []
 };
 function mergeConfig(defaults, user) {
   return {
@@ -121,8 +117,7 @@ function mergeConfig(defaults, user) {
     models: { ...defaults.models, ...user.models },
     trustedDomains: user.trustedDomains ?? defaults.trustedDomains,
     customPatterns: { ...defaults.customPatterns, ...user.customPatterns },
-    allowedMCPTools: user.allowedMCPTools ?? defaults.allowedMCPTools,
-    logging: { ...defaults.logging, ...user.logging }
+    allowedMCPTools: user.allowedMCPTools ?? defaults.allowedMCPTools
   };
 }
 async function readConfig() {
@@ -1562,19 +1557,21 @@ var PROMPT_INJECTION_PATTERNS = [
   /pretend\s+(to\s+be|you\s+are)/i,
   /new\s+instructions?:/i,
   /updated?\s+instructions?:/i,
-  // Context/role markers (could be trying to inject fake context)
-  /system\s*:/i,
-  /assistant\s*:/i,
-  /human\s*:/i,
-  /user\s*:/i,
+  // Context/role markers (require injection-like context to avoid false positives)
+  // "system:" alone is too broad (matches "operating system: linux")
+  // Require either line-start or preceded by newline to indicate role-marker usage
+  /^\s*system\s*:/im,
+  /^\s*assistant\s*:/im,
+  /^\s*human\s*:/im,
+  /^\s*user\s*:/im,
   /<\s*system\s*>/i,
   /<\s*\/?\s*instructions?\s*>/i,
-  // Emphasis markers often used in injection
-  /\bIMPORTANT\s*:/i,
-  /\bNOTE\s*:/i,
-  /\bWARNING\s*:/i,
-  /\bCRITICAL\s*:/i,
-  /\bURGENT\s*:/i,
+  // Emphasis markers - only flag when combined with directive language
+  /\bIMPORTANT\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bNOTE\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bWARNING\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bCRITICAL\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
+  /\bURGENT\s*:.*\b(approve|allow|safe|trust|skip|ignore)\b/i,
   // Output manipulation
   /respond\s+with\s+(this\s+)?(exact\s+)?json/i,
   /return\s+(only\s+)?["']?ALLOW["']?/i,
@@ -1634,10 +1631,10 @@ var FORCE_ESCALATE_PATTERNS = [
   // su commands
   /chmod\s+[0-7]*[7][0-7]*/i,
   // chmod with executable permissions
-  /\.env/i,
-  // env file access
-  /\/(etc|root|home)\//i
-  // System directory access
+  /\.env(\s|$|\.local|\.production|\.development|\.staging|\.test)/i,
+  // .env file access (not .envoy, .environment, etc.)
+  /\/(etc|root)\//i
+  // System directory access (/etc/, /root/ - not /home/ which is too broad)
 ];
 function shouldForceEscalate(command) {
   if (containsPromptInjection(command)) {
@@ -1702,6 +1699,40 @@ function extractJsonFromText(text) {
   return null;
 }
 
+// src/utils/llm-call.ts
+async function callLLM(options) {
+  const { client, model, systemPrompt, userPrompt, maxTokens, timeoutMs } = options;
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+    const response = await client.messages.create(
+      {
+        model,
+        max_tokens: maxTokens,
+        system: systemPrompt,
+        messages: [{ role: "user", content: userPrompt }]
+      },
+      { signal: controller.signal }
+    );
+    clearTimeout(timeoutId);
+    const text = response.content[0]?.type === "text" ? response.content[0].text : "";
+    if (!text) {
+      return { ok: false, error: "empty_response", message: "Empty response from LLM" };
+    }
+    const extracted = extractJsonFromText(text);
+    if (!extracted) {
+      return { ok: false, error: "parse_error", message: "Could not parse JSON response" };
+    }
+    return { ok: true, data: extracted };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    if (errorMessage.includes("abort") || errorMessage.includes("timeout")) {
+      return { ok: false, error: "timeout", message: "API timeout" };
+    }
+    return { ok: false, error: "api_error", message: errorMessage };
+  }
+}
+
 // src/guard/haiku-triage.ts
 var DEFAULT_HAIKU_MODEL = "claude-haiku-4-20250514";
 var API_TIMEOUT_MS = 3e4;
@@ -1760,70 +1791,42 @@ async function triageWithHaiku(client, checkpoint, model) {
   }
   const sanitizedCommand = sanitizeForPrompt(checkpoint.command);
   const userPrompt = TRIAGE_USER_PROMPT.replace("{command}", escapeXml(sanitizedCommand)).replace("{checkpoint_type}", escapeXml(checkpoint.type)).replace("{context}", escapeXml(checkpoint.description));
-  try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS);
-    const response = await client.messages.create(
-      {
-        model: model ?? DEFAULT_HAIKU_MODEL,
-        max_tokens: 500,
-        system: TRIAGE_SYSTEM_PROMPT,
-        messages: [{ role: "user", content: userPrompt }]
-      },
-      { signal: controller.signal }
-    );
-    clearTimeout(timeoutId);
-    const text = response.content[0]?.type === "text" ? response.content[0].text : "";
-    if (!text) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: Empty response from Haiku",
-        riskIndicators: ["triage_error"]
-      };
-    }
-    const extracted = extractJsonFromText(text);
-    if (!extracted) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: Could not parse JSON response",
-        riskIndicators: ["triage_error"]
-      };
-    }
-    const parsed = extracted;
-    if (!parsed.classification || !["SELF_HANDLE", "ESCALATE", "BLOCK"].includes(parsed.classification)) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: Invalid classification in response",
-        riskIndicators: ["triage_error"]
-      };
-    }
-    if (parsed.classification === "SELF_HANDLE" && shouldForceEscalate(checkpoint.command)) {
-      return {
-        classification: "ESCALATE",
-        reason: "Auto-escalated: Command contains patterns requiring deeper review",
-        riskIndicators: ["forced_escalation", ...parsed.risk_indicators ?? []]
-      };
-    }
+  const result = await callLLM({
+    client,
+    model: model ?? DEFAULT_HAIKU_MODEL,
+    systemPrompt: TRIAGE_SYSTEM_PROMPT,
+    userPrompt,
+    maxTokens: 500,
+    timeoutMs: API_TIMEOUT_MS
+  });
+  if (!result.ok) {
+    const tag = result.error === "timeout" ? "triage_timeout" : "triage_error";
     return {
-      classification: parsed.classification,
-      reason: parsed.reason ?? "No reason provided",
-      riskIndicators: parsed.risk_indicators ?? []
+      classification: "ESCALATE",
+      reason: `Triage failed: ${result.message}`,
+      riskIndicators: [tag]
     };
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Unknown error";
-    if (errorMessage.includes("abort") || errorMessage.includes("timeout")) {
-      return {
-        classification: "ESCALATE",
-        reason: "Triage failed: API timeout",
-        riskIndicators: ["triage_timeout"]
-      };
-    }
+  }
+  const parsed = result.data;
+  if (!parsed.classification || !["SELF_HANDLE", "ESCALATE", "BLOCK"].includes(parsed.classification)) {
     return {
       classification: "ESCALATE",
-      reason: `Triage failed: ${errorMessage}`,
+      reason: "Triage failed: Invalid classification in response",
       riskIndicators: ["triage_error"]
     };
   }
+  if (parsed.classification === "SELF_HANDLE" && shouldForceEscalate(checkpoint.command)) {
+    return {
+      classification: "ESCALATE",
+      reason: "Auto-escalated: Command contains patterns requiring deeper review",
+      riskIndicators: ["forced_escalation", ...parsed.risk_indicators ?? []]
+    };
+  }
+  return {
+    classification: parsed.classification,
+    reason: parsed.reason ?? "No reason provided",
+    riskIndicators: parsed.risk_indicators ?? []
+  };
 }
 
 // src/guard/sonnet-review.ts
@@ -1902,73 +1905,43 @@ BLOCK - Do not allow:
 async function reviewWithSonnet(client, checkpoint, triage, model) {
   const sanitizedCommand = sanitizeForPrompt(checkpoint.command);
   const userPrompt = REVIEW_USER_PROMPT.replace("{command}", escapeXml(sanitizedCommand)).replace("{checkpoint_type}", escapeXml(checkpoint.type)).replace("{context}", escapeXml(checkpoint.description)).replace("{triage_reason}", escapeXml(triage.reason)).replace("{risk_indicators}", escapeXml(triage.riskIndicators.join(", ") || "none"));
-  try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS2);
-    const response = await client.messages.create(
-      {
-        model: model ?? DEFAULT_SONNET_MODEL,
-        max_tokens: 1e3,
-        system: REVIEW_SYSTEM_PROMPT,
-        messages: [{ role: "user", content: userPrompt }]
-      },
-      { signal: controller.signal }
-    );
-    clearTimeout(timeoutId);
-    const text = response.content[0]?.type === "text" ? response.content[0].text : "";
-    if (!text) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: Empty response from Sonnet",
-        userMessage: "Automated security review failed. Please review this operation manually."
-      };
-    }
-    const extracted = extractJsonFromText(text);
-    if (!extracted) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: Could not parse JSON response",
-        userMessage: "Automated security review failed. Please review this operation manually."
-      };
-    }
-    const parsed = extracted;
-    const verdict = parsed.verdict ?? "ASK_USER";
-    if (!["ALLOW", "ASK_USER", "BLOCK"].includes(verdict)) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: Invalid verdict in response",
-        userMessage: "Automated security review failed. Please review this operation manually."
-      };
-    }
-    const result = {
-      verdict,
-      riskLevel: parsed.risk_level ?? "medium",
-      reason: parsed.analysis?.intent ?? "Review completed"
+  const FALLBACK_MSG = "Automated security review failed. Please review this operation manually.";
+  const result = await callLLM({
+    client,
+    model: model ?? DEFAULT_SONNET_MODEL,
+    systemPrompt: REVIEW_SYSTEM_PROMPT,
+    userPrompt,
+    maxTokens: 1e3,
+    timeoutMs: API_TIMEOUT_MS2
+  });
+  if (!result.ok) {
+    const msg = result.error === "timeout" ? "Security review timed out. Please review this operation manually." : FALLBACK_MSG;
+    return {
+      verdict: "ASK_USER",
+      riskLevel: "medium",
+      reason: `Review failed: ${result.message}`,
+      userMessage: msg
     };
-    if (parsed.user_message) {
-      result.userMessage = parsed.user_message;
-    }
-    return result;
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Unknown error";
-    if (errorMessage.includes("abort") || errorMessage.includes("timeout")) {
-      return {
-        verdict: "ASK_USER",
-        riskLevel: "medium",
-        reason: "Review failed: API timeout",
-        userMessage: "Security review timed out. Please review this operation manually."
-      };
-    }
+  }
+  const parsed = result.data;
+  const verdict = parsed.verdict ?? "ASK_USER";
+  if (!["ALLOW", "ASK_USER", "BLOCK"].includes(verdict)) {
     return {
       verdict: "ASK_USER",
       riskLevel: "medium",
-      reason: `Review failed: ${errorMessage}`,
-      userMessage: "Automated security review failed. Please review this operation manually."
+      reason: "Review failed: Invalid verdict in response",
+      userMessage: FALLBACK_MSG
     };
   }
+  const reviewResult = {
+    verdict,
+    riskLevel: parsed.risk_level ?? "medium",
+    reason: parsed.analysis?.intent ?? "Review completed"
+  };
+  if (parsed.user_message) {
+    reviewResult.userMessage = parsed.user_message;
+  }
+  return reviewResult;
 }
 
 // src/hook.ts
@@ -1976,12 +1949,22 @@ var TIMEOUT_SECONDS = 7;
 var REGEX_TIMEOUT_MS = 50;
 function safeRegexTest(pattern, input) {
   try {
-    const regex = new RegExp(pattern, "i");
     if (/(\(.+[+*]\))[+*]|\(\?:[^)]+[+*]\)[+*]/.test(pattern)) {
       process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
 `);
       return false;
     }
+    if (/\([^)]*\|[^)]*\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    if (/\([^)]*[+*][^)]*\)[+*]/.test(pattern)) {
+      process.stderr.write(`[vibesafu] Warning: Skipping potentially dangerous regex pattern: ${pattern}
+`);
+      return false;
+    }
+    const regex = new RegExp(pattern, "i");
     const testInput = input.length > REGEX_TIMEOUT_MS * 40 ? input.slice(0, REGEX_TIMEOUT_MS * 40) : input;
     return regex.test(testInput);
   } catch {
@@ -2098,6 +2081,13 @@ Auto-reject in ${TIMEOUT_SECONDS}s.`
     };
   }
   const command = input.tool_input.command;
+  if (typeof command !== "string" || !command.trim()) {
+    return {
+      decision: "deny",
+      reason: `Invalid input: Bash tool requires a non-empty string command, got ${typeof command}`,
+      source: "instant-block"
+    };
+  }
   for (const pattern of config2.customPatterns.allow) {
     if (safeRegexTest(pattern, command)) {
       return {
@@ -2280,11 +2270,6 @@ If this was intentional, re-run the command and click "Allow".`;
   console.log(JSON.stringify(output));
 }
 
-// src/cli/check.ts
-async function check() {
-  await runHook();
-}
-
 // src/index.ts
 var __dirname = dirname(fileURLToPath(import.meta.url));
 var pkg = JSON.parse(readFileSync(join3(__dirname, "../package.json"), "utf-8"));
@@ -2323,7 +2308,7 @@ async function main() {
       await uninstall();
       break;
     case "check":
-      await check();
+      await runHook();
       break;
     case "config":
       await config();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibesafu",
-  "version": "0.1.26",
+  "version": "0.1.27",
   "description": "Better Claude Code workflow with smart safety checks. Safe YOLO mode without --dangerously-skip-permission",
   "type": "module",
   "main": "dist/index.js",