cli-enforcement 0.1.0__py3-none-any.whl

cli_enforcement/engine/bash_gate.py

@@ -0,0 +1,456 @@
+#!/usr/bin/env python3
+"""
+Bash Gate - PreToolUse Hook for Bash
+=====================================
+Blocks Bash commands that tamper with enforcement files.
+
+PROTECTED FILES:
+- .unified_state.json (points, workflow)
+- .file_reads.json (anti-hallucination)
+- .edits_since_approval (edit tracking)
+- .reads_this_session, .claude_md_read_this_session (markers)
+- enforce_check.py, agent_gate.py, state_manager.py (scripts)
+- enforcement_unlock.py, bash_gate.py (this script)
+- points_config.yaml, settings.json (config)
+
+BYPASS: User says "unlock enforcement" (sets flag via hook).
+
+HOOK PROTOCOL:
+- Exit 0 = ALLOW
+- Exit 2 = BLOCK
+
+SANITIZATION (updatedInput):
+- Dangerous flags (--force, --hard, -f) are stripped instead of hard-blocking
+- The sanitized command is returned via updatedInput so Claude runs the safe version
+"""
+
+import json
+import os
+import sys
+import time
+
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from state_manager import get_manager
+
+try:
+    import enforcement_logger as elog
+except ImportError:
+    elog = None
+
+# Patterns that identify enforcement files (substring match in command)
+PROTECTED_PATTERNS = [
+    ".unified_state",
+    ".file_reads.json",
+    ".edits_since_approval",
+    ".reads_this_session",
+    ".claude_md_read_this_session",
+    ".reads_pending_batch",
+    ".enforcement_checksums",
+    ".hard_stop",
+    ".project_checksums",
+    ".sandbox_file_hashes",
+    "sandbox_hook.py",
+    "enforce_check.py",
+    "state_manager.py",
+    "enforcement_unlock.py",
+    "bash_gate.py",
+    "record_read.py",
+    "record_edit.py",
+    "post_edit_validate.py",
+    "check_dismissal.py",
+    "session_init.py",
+    "session_end.py",
+    "stop_check.py",
+    "flush_reads.py",
+    "cascade_manager.py",
+    "project_integrity.py",
+    "post_bash_check.py",
+    "integrity_check.py",
+    "enforcement_cli.py",
+    "workflow_server.py",
+    "settings.json",
+    "project_config.yaml",
+]
+
+# Protected DIRECTORIES - any write targeting these dirs is blocked
+# even without naming a specific file (prevents rm -rf .claude/mcp/)
+# ORDER MATTERS: most specific first, most general last.
+# ".claude" last = catches glob/expansion attacks on .claude/ root files
+# (e.g., rm .claude/.u* which bypasses PROTECTED_PATTERNS substring matching)
+PROTECTED_DIRS = [
+    ".claude/mcp",
+    ".claude/config",
+    ".claude/skills",
+    ".claude",
+]
+
+# Commands that DIRECTLY WRITE to a file (must be followed by the protected pattern)
+# These are checked with "indicator.*protected_pattern" regex, not simple substring
+DIRECT_WRITE_COMMANDS = [
+    r"rm\s+(-\w+\s+)*",       # rm [-flags] <protected>
+    r"rm\s+-",                  # rm -rf <protected>
+    r"mv\s+\S+\s+",            # mv <source> <protected>
+    r"cp\s+\S+\s+",            # cp <source> <protected>
+    r"cp\s+(-\w+\s+)+",        # cp [-flags] ... <protected>
+    r"install\s+",              # install <source> <protected>
+    r"rsync\s+",                # rsync ... <protected>
+    r"sed\s+-i",                # sed -i <protected>
+    r"tee\s+(-\w+\s+)*",       # tee [-flags] <protected>
+    r"chmod\s+\S+\s+",         # chmod mode <protected>
+    r"chown\s+\S+\s+",         # chown owner <protected>
+    r"truncate\s+",             # truncate <protected>
+    r"unlink\s+",               # unlink <protected>
+    r"dd\s+.*of=",              # dd of=<protected>
+    r"ln\s+(-\w+\s+)*",        # ln [-sf] <target> <protected>
+    r"patch\s+",                # patch <protected>
+    r"wget\s+.*-O\s*",         # wget -O <protected>
+    r"curl\s+.*-o\s*",         # curl -o <protected>
+    r"shred\s+",                # shred <protected>
+    r"git\s+checkout\s+.*--\s*", # git checkout -- <protected>
+    r"git\s+restore\s+",       # git restore <protected>
+    r"tar\s+.*x",              # tar extract (may overwrite <protected>)
+    r"unzip\s+",                # unzip (may overwrite <protected>)
+    r"cpio\s+",                 # cpio extract
+    r"vi\s+",                   # vi <protected>
+    r"vim\s+",                  # vim <protected>
+    r"nano\s+",                 # nano <protected>
+    r"ed\s+",                   # ed <protected>
+    r"ex\s+",                   # ex <protected>
+    r"find\s+.*-delete",        # find -delete
+    r"find\s+.*-exec\s+rm",    # find -exec rm
+    r"xargs\s+.*rm",           # xargs rm
+    r"sort\s+.*-o\s*",         # sort -o <protected>
+    r"touch\s+",                # touch <protected> (changes mtime)
+]
+
+# Redirect patterns: check if output redirects TO a protected file
+# These use ">" or ">>" followed by the protected pattern
+REDIRECT_PATTERN = r"[12]?\s*>{1,2}\s*"
+
+# Inline code execution that can write anything
+INLINE_CODE_INDICATORS = [
+    "python3 -c",
+    "python -c",
+    "python3 <<",
+    "python <<",
+    # Removed "python3 -" (M2 fix): was too broad, matched python3 -m, python3 --version
+    "bash -c",
+    "sh -c",
+    "perl -e",
+    "perl -p",
+    "ruby -e",
+    "node -e",
+    "php -r",
+    "lua -e",
+    "awk -f",
+]
+
+
+def sanitize_command(command):
+    """Sanitize dangerous flags from commands instead of hard blocking.
+
+    Returns (sanitized_command, list_of_modifications).
+    If no modifications needed, returns (command, []).
+    """
+    import re
+    sanitized = command
+    modifications = []
+
+    # Strip --force from git push
+    if re.search(r'git\s+push.*--force', command):
+        sanitized = re.sub(r'\s*--force\b', '', sanitized)
+        modifications.append("Removed --force from git push")
+
+    # Strip --hard from git reset
+    if re.search(r'git\s+reset.*--hard', command):
+        sanitized = re.sub(r'\s*--hard\b', '', sanitized)
+        modifications.append("Removed --hard from git reset")
+
+    # Strip -f from rm (but not rm -rf / which stays blocked)
+    if re.search(r'\brm\s+-[^/]*f', command) and not re.search(r'rm\s+-rf\s+/', command):
+        sanitized = re.sub(r'(\brm\s+)-([a-zA-Z]*)f([a-zA-Z]*)', r'\1-\2\3', sanitized)
+        modifications.append("Removed -f flag from rm")
+
+    return sanitized, modifications
+
+
+def deny(reason):
+    """BLOCK the bash command via exit 0 + JSON deny.
+
+    FIX API-C2: Exit 2 causes Claude Code to IGNORE all JSON output.
+    Must use exit 0 + JSON deny so Claude sees the structured reason.
+    """
+    if elog:
+        elog.log_decision("bash_gate", False, reason)
+    output = {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": "deny",
+            "permissionDecisionReason": reason
+        }
+    }
+    print(json.dumps(output))
+    print(reason, file=sys.stderr)
+    sys.exit(0)
+
+
+def allow():
+    """ALLOW the bash command."""
+    if elog:
+        elog.log_decision("bash_gate", True, "safe_command")
+    output = {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": "allow"
+        }
+    }
+    print(json.dumps(output))
+    sys.exit(0)
+
+
+def allow_sanitized(sanitized_command, modifications):
+    """ALLOW the bash command with a sanitized version via updatedInput."""
+    if elog:
+        elog.log_decision("bash_gate", True, "sanitized: " + "; ".join(modifications))
+    output = {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": "allow",
+            "permissionDecisionReason": "Command sanitized: " + "; ".join(modifications),
+            "updatedInput": {"command": sanitized_command},
+            "additionalContext": "WARNING: Your command was modified for safety: " + "; ".join(modifications)
+        }
+    }
+    print(json.dumps(output))
+    print("Command sanitized: " + "; ".join(modifications), file=sys.stderr)
+    sys.exit(0)
+
+
+def main():
+    """Gate Bash commands that target enforcement files."""
+    # Read hook JSON from stdin with FIX #3: Size limit + error context
+    try:
+        raw = sys.stdin.read()
+        if not raw:
+            deny("BLOCKED: bash_gate.py received empty stdin (pipe broken?)")
+        # FIX #3: CRITICAL - Prevent JSON DoS with size limit
+        if len(raw) > 100000:  # 100KB limit
+            deny("BLOCKED: bash_gate.py input exceeded 100KB limit (command too long?)")
+        hook_input = json.loads(raw)
+    except json.JSONDecodeError as e:
+        deny(f"BLOCKED: bash_gate.py JSON parse error at position {e.pos}: {e.msg}")
+    except (IOError, OSError) as e:
+        deny(f"BLOCKED: bash_gate.py stdin read failed: {e}")
+
+    # Extract the command
+    tool_input = hook_input.get("tool_input", {})
+    if isinstance(tool_input, dict):
+        command = tool_input.get("command", "")
+    else:
+        command = str(tool_input)
+
+    if not command:
+        allow()
+
+    import re
+
+    # ANTI-SELF-HEALING: Block the AI from running recovery commands.
+    # Only the USER can recover points or reset enforcement (via user prompt).
+    # The AI running these would defeat the entire purpose of enforcement.
+    SELF_HEALING_PATTERNS = [
+        (r"enforcement_cli\.py\s+points\s+recover", "points recovery"),
+        (r"enforcement_cli\.py\s+reset", "hard_stop reset"),
+        (r"integrity_check\.py\s+rebaseline", "checksum rebaseline"),
+    ]
+
+    # PERSISTENCE ATTACKS: Block commands that install persistent backdoors
+    PERSISTENCE_PATTERNS = [
+        (r"crontab", "cron job installation"),
+        (r"\bat\s+", "at job scheduling"),
+        (r"systemctl\s+(enable|start|restart)", "systemd service manipulation"),
+        (r"nohup\s+.*&", "background process persistence"),
+    ]
+    for pattern, description in PERSISTENCE_PATTERNS:
+        if re.search(pattern, command):
+            deny("BLOCKED: " + description + " not allowed in sandbox.")
+    for pattern, description in SELF_HEALING_PATTERNS:
+        if re.search(pattern, command):
+            # Check if user explicitly unlocked enforcement
+            mgr = get_manager()
+            state = mgr.load()
+            unlock = state.get("enforcement_unlocked", {})
+            if unlock.get("active") and time.time() < unlock.get("expires_at", 0):
+                break  # User unlocked - allow
+            deny(
+                "BLOCKED: AI cannot self-heal (" + description + "). "
+                "Only the user can recover points or reset enforcement. "
+                "Ask the user to type 'recover points' or 'unlock enforcement'."
+            )
+
+    # Check 0: DIRECTORY-LEVEL PROTECTION
+    # Block destructive commands targeting enforcement directories
+    # even without naming a specific file (prevents rm -rf .claude/mcp/)
+    for protected_dir in PROTECTED_DIRS:
+        if protected_dir in command:
+            # Check if this is a destructive operation on the directory
+            esc_dir = re.escape(protected_dir)
+            dir_write_patterns = [
+                r"rm\s+(-\w+\s+)*.*" + esc_dir,
+                r"rm\s+-\w*r\w*\s+.*" + esc_dir,
+                r"mv\s+.*" + esc_dir,
+                r"chmod\s+-\w*R\w*\s+.*" + esc_dir,
+                r"chown\s+-\w*R\w*\s+.*" + esc_dir,
+                r"rsync\s+.*--delete.*" + esc_dir,
+                # find-based destruction (dir appears BEFORE -delete/-exec)
+                r"find\s+" + esc_dir + r".*-delete",
+                r"find\s+" + esc_dir + r".*-exec\s+rm",
+                r"find\s+.*" + esc_dir + r".*-delete",
+                r"find\s+.*" + esc_dir + r".*-exec\s+rm",
+                # Pipe chains: dir referenced then piped to destructive command
+                esc_dir + r".*\|\s*xargs\s+.*rm",
+                esc_dir + r".*\|\s*xargs\s+.*\brm\b",
+                # Pipe to shell execution (echo "rm ..." | bash)
+                esc_dir + r".*\|\s*(?:bash|sh|zsh)\b",
+                # Loop-based destruction
+                r"for\s+.*" + esc_dir + r".*\brm\b",
+                r"while\s+.*" + esc_dir + r".*\brm\b",
+            ]
+            for dp in dir_write_patterns:
+                if re.search(dp, command):
+                    # Check unlock
+                    mgr = get_manager()
+                    state = mgr.load()
+                    unlock = state.get("enforcement_unlocked", {})
+                    if unlock.get("active") and time.time() < unlock.get("expires_at", 0):
+                        break  # Unlocked - allow
+                    deny(
+                        "BLOCKED: Destructive command targets enforcement directory '"
+                        + protected_dir + "'. Say 'unlock enforcement' to allow."
+                    )
+
+    # Check 0.5: REDIRECT/WRITE into protected directories
+    # Catches: echo x > .claude/mcp/evil.py, cp x .claude/skills/y
+    for protected_dir in PROTECTED_DIRS:
+        # Redirect into protected dir
+        if re.search(REDIRECT_PATTERN + r"\S*" + re.escape(protected_dir), command):
+            mgr = get_manager()
+            state = mgr.load()
+            unlock = state.get("enforcement_unlocked", {})
+            if not (unlock.get("active") and time.time() < unlock.get("expires_at", 0)):
+                deny(
+                    "BLOCKED: Redirect writes into enforcement directory '"
+                    + protected_dir + "'. Say 'unlock enforcement' to allow."
+                )
+        # cp/install/rsync INTO protected dir
+        write_into_patterns = [
+            r"cp\s+\S+\s+\S*" + re.escape(protected_dir),
+            r"install\s+\S+\s+\S*" + re.escape(protected_dir),
+            r"rsync\s+.*\s+" + re.escape(protected_dir),
+            r"tee\s+\S*" + re.escape(protected_dir),
+        ]
+        for wip in write_into_patterns:
+            if re.search(wip, command):
+                mgr = get_manager()
+                state = mgr.load()
+                unlock = state.get("enforcement_unlocked", {})
+                if not (unlock.get("active") and time.time() < unlock.get("expires_at", 0)):
+                    deny(
+                        "BLOCKED: Write into enforcement directory '"
+                        + protected_dir + "'. Say 'unlock enforcement' to allow."
+                    )
+
+    # Check if command references any protected file
+    matched_pattern = None
+    for pattern in PROTECTED_PATTERNS:
+        if pattern in command:
+            matched_pattern = pattern
+            break
+
+    if matched_pattern is None:
+        # Not touching enforcement files — check if command needs sanitization
+        sanitized, mods = sanitize_command(command)
+        if mods:
+            allow_sanitized(sanitized, mods)
+        allow()  # Not touching enforcement files, no sanitization needed
+
+    is_write = False
+    matched_write = None
+
+    # Check 1: Direct write commands targeting a protected file
+    for cmd_pattern in DIRECT_WRITE_COMMANDS:
+        if re.search(cmd_pattern + r".*" + re.escape(matched_pattern), command):
+            is_write = True
+            matched_write = cmd_pattern.split(r"\s")[0]
+            break
+
+    # Check 2: Redirect output TO a protected file (> or >> before protected name)
+    if not is_write:
+        if re.search(REDIRECT_PATTERN + r"\S*" + re.escape(matched_pattern), command):
+            is_write = True
+            matched_write = "redirect >"
+
+    # Check 3: Inline python code + protected file (can write anything)
+    if not is_write:
+        for indicator in INLINE_CODE_INDICATORS:
+            if indicator in command:
+                is_write = True
+                matched_write = indicator
+                break
+
+    # Check 4: READ commands on enforcement files (exfiltration protection)
+    # Agent shouldn't read enforcement state via bash — gives knowledge to game the system
+    if not is_write:
+        READ_PATTERNS = [
+            r"cat\s+",
+            r"less\s+",
+            r"more\s+",
+            r"head\s+",
+            r"tail\s+",
+            r"xxd\s+",
+            r"hexdump\s+",
+            r"strings\s+",
+            r"file\s+",
+            r"wc\s+",
+            r"md5sum\s+",
+            r"sha\d+sum\s+",
+            r"stat\s+",
+            r"cp\s+",
+        ]
+        for rp in READ_PATTERNS:
+            if re.search(rp + r".*" + re.escape(matched_pattern), command):
+                is_write = True  # Treat as write for blocking purposes
+                matched_write = rp.split(r"\s")[0] + " (exfiltration)"
+                break
+
+    if not is_write:
+        # Benign reference — check if command needs sanitization before allowing
+        sanitized, mods = sanitize_command(command)
+        if mods:
+            allow_sanitized(sanitized, mods)
+        allow()  # Truly benign reference to enforcement file name
+
+    # WRITE to protected file detected - check unlock flag
+    mgr = get_manager()
+    state = mgr.load()
+    unlock = state.get("enforcement_unlocked", {})
+
+    if unlock.get("active") and time.time() < unlock.get("expires_at", 0):
+        # Unlocked — still check if command needs sanitization
+        sanitized, mods = sanitize_command(command)
+        if mods:
+            allow_sanitized(sanitized, mods)
+        allow()  # User unlocked enforcement - allow
+
+    # BLOCKED: Write to enforcement file without unlock
+    deny(
+        "BLOCKED: Bash command writes to enforcement file '"
+        + matched_pattern
+        + "' (via: '"
+        + str(matched_write)
+        + "'). Say 'unlock enforcement' to allow."
+    )
+
+
+if __name__ == "__main__":
+    main()