claude-quality-gate/guard_safety.py at main · nardovibecoding/claude-quality-gate · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
#!/usr/bin/env python3
# Copyright (c) 2026 Nardo (nardovibecoding). AGPL-3.0 — see LICENSE
"""PreToolUse hook: block destructive ops, VPS direct access, hook tampering, credential reads, git hook bypass, branch creation."""
import re
import sys
from pathlib import Path
sys.path.insert(0, str(Path(__file__).parent))
from hook_base import run_hook

# --- Resolved credential directories (P0 #2) ---
_HOME = str(Path.home())
_CREDENTIAL_DIRS = [
    f"{_HOME}/.ssh/",
    f"{_HOME}/.aws/",
    f"{_HOME}/.gnupg/",
    f"{_HOME}/.kube/",
    f"{_HOME}/.config/gcloud/",
]

# --- Bash deny pattern (compiled once) ---
_BASH_DENY = re.compile(
    # Destructive ops (#1, #2)
    r"rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+|--force)|rm\s+-rf|"
    r"git\s+push\s+(-[a-zA-Z]*f|--force)|git\s+reset\s+--hard|"
    r"git\s+checkout\s+\.|git\s+clean\s+-[a-zA-Z]*f|"
    # VPS direct access — scp/rsync (#3, #4)
    r"(scp|rsync)\s+.*157\.180|"
    # VPS direct access — ssh write (#5)
    r"ssh\s+.*cat\s*>|ssh\s+.*sed\s+-i|ssh\s+.*tee\s|"
    # Manual bot start (#6)
    r"ssh\s+.*python.*bot|python\s+(admin_bot|run_bot)|"
    # Kill start_all (#7)
    r"kill.*start_all|pkill.*start_all|"
    # sed in-place (#8)
    r"sed\s+(-[a-zA-Z]*i|--in-place)|"
    # pip/npm/curl install (#9)
    r"pip3?\s+install|npm\s+install|curl\s+.*\|\s*(ba)?sh|"
    # Log overwrite (#10)
    r">\s*/tmp/.*\.log\s|"
    # Bad subprocess $$ (#11)
    r"grep\s+-v\s+\$\$|pgrep.*grep.*\$\$|"
    # Agent git push (#13)
    r"Agent.*git\s+push|agent.*push.*origin|"
    # Branch creation (#14) — force all commits to main
    r"git\s+(checkout\s+-b|switch\s+-c|branch\s+(?!-[dD]))|"
    # P1 #5 — block --no-verify / --no-gpg-sign on git commands
    r"git\s+(commit|push)\s+.*--no-verify|--no-verify\s+.*git\s+(commit|push)|"
    r"git\s+(commit|push)\s+.*--no-gpg-sign|--no-gpg-sign\s+.*git\s+(commit|push)"
)

# prediction-markets + on-chain-bots are permanently private — block all GitHub exposure
_PM_BLOCK = re.compile(r"prediction.markets|on.chain.bots", re.IGNORECASE)
_PM_GIT_OPS = re.compile(r"git\s+(push|remote\s+set.url|remote\s+add)|gh\s+repo\s+(create|delete|view|clone)")

# Private data — block git add on sensitive paths
_PRIVATE_ADD = re.compile(
    r"git\s+add\s+.*("
    r"\.env|portfolio\.json|trades\.jsonl|calibration_curve\.json|"
    r"memory/|/memory\b|wiki/|nardoworld|"
    r"scanner\.log|llm_calibration\.jsonl|positions\.json|"
    r"cookie|token|credential|secret|password|passwd|auth\.json|access\.json|"
    r"\.key|\.pem|\.p8|\.p12|\.pfx|id_rsa|id_ed25519|"
    r"config\.yaml|config\.json|settings\.json|\.netrc|\.htpasswd|"
    r"wallet|keystore|mnemonic|seed_phrase|private_key|privkey|"
    r"bot_token|\.db|\.sqlite|backup|dump\."
    r")",
    re.IGNORECASE
)

# --- Splitter for compound commands (P0 #3) ---
_CMD_SPLIT = re.compile(r'\s*(?:&&|\|\||;|\||\$\(|`)\s*')


def _check_hook_path(path_str):
    """P0 #1: Return True if path targets security hooks directory."""
    if not path_str:
        return False
    expanded = path_str.replace("~", _HOME)
    return "/.claude/hooks/" in expanded or ".claude/hooks/" in expanded


def _check_credential_read(path_str):
    """P0 #2: Return True if path targets a credential directory."""
    if not path_str:
        return False
    expanded = path_str.replace("~", _HOME)
    try:
        resolved = str(Path(expanded).resolve())
    except Exception:
        resolved = expanded
    for cred_dir in _CREDENTIAL_DIRS:
        if resolved.startswith(cred_dir) or expanded.startswith(cred_dir):
            return True
    return False


def _check_bash_cmd(cmd):
    """P0 #3: Decompose compound bash commands and check each sub-command."""
    sub_commands = _CMD_SPLIT.split(cmd)
    for sub in sub_commands:
        sub = sub.strip()
        if sub and _BASH_DENY.search(sub):
            return True
    return False


def check(tool_name, tool_input, input_data):
    # P0 #1 — Block Write/Edit on hook files
    if tool_name in ("Write", "Edit"):
        path = tool_input.get("file_path", "") or tool_input.get("path", "")
        if _check_hook_path(path):
            return "hook_protect"

    # P0 #2 — Block Read on credential directories
    if tool_name == "Read":
        path = tool_input.get("file_path", "") or tool_input.get("path", "")
        if _check_credential_read(path):
            return "credential_read"

    # prediction-markets hard block — never expose to GitHub or any remote
    if tool_name == "Bash":
        cmd = tool_input.get("command", "")
        if _PM_BLOCK.search(cmd) and _PM_GIT_OPS.search(cmd):
            return "pm_private"
        if _PRIVATE_ADD.search(cmd):
            return "private_data"

    # Bash checks (P0 #3 compound decomposition + P1 #5 --no-verify + #14 branch)
    if tool_name == "Bash":
        cmd = tool_input.get("command", "")
        if _check_bash_cmd(cmd):
            return "bash_deny"

    return False


def action(tool_name, tool_input, input_data):
    return None


_REASONS = {
    "hook_protect": "Blocked: cannot modify security hooks. This protects against prompt injection disabling the security layer.",
    "credential_read": "Blocked: reading credential directories is restricted.",
    "bash_deny": None,
    "pm_private": "BLOCKED: prediction-markets / on-chain-bots are permanently private. Never push to GitHub or any remote.",
    "private_data": "BLOCKED: this path contains private data (portfolio, memory, wiki, .env). Cannot stage for git.",
}


def check_and_deny(tool_name, tool_input, input_data):
    """Return deny decision for PreToolUse."""
    result = check(tool_name, tool_input, input_data)
    if not result:
        return None

    reason = _REASONS.get(result)

    if result == "bash_deny":
        cmd = tool_input.get("command", "")
        if re.search(r"--no-verify|--no-gpg-sign", cmd):
            reason = "Blocked: skipping git hooks/signing is not allowed."
        else:
            reason = f"**BLOCKED: Destructive operation.** `{cmd[:80]}` — requires user confirmation."

    return {
        "hookSpecificOutput": {
            "hookEventName": "PreToolUse",
            "permissionDecision": "deny"
        },
        "systemMessage": reason
    }


if __name__ == "__main__":
    import json
    try:
        input_data = json.load(sys.stdin)
    except (json.JSONDecodeError, EOFError):
        print("{}")
        sys.exit()
    result = check_and_deny(
        input_data.get("tool_name", ""),
        input_data.get("tool_input", {}),
        input_data
    )
    print(json.dumps(result or {}))