f77c1b7fdc
Security hotfix — v0.15.1 Wave 1 fixes from 4-parallel audit. RED-1 (CVE): KEI_DISABLED_HOOKS tokenized match — was `*all*` substring-glob (trivially bypassable via "install", "wall-clock", etc.), now exact-token split on comma/space. Patched in all 9 hooks: no-hand-edit-agents, assemble-agents, assemble-validate, tomd-preread, agent-fork-logger, site-wysiwyd-check, error-spike-detector, milestone-commit-hook, session-end-dump. RED-2 (observability): minimal profile whitelist now includes agent-fork-logger and session-end-dump (ledger + trace paths) so observability is not silently lost on minimal installs. HIGH: review.json schema minItems:1 on findings — rejects empty reviews; new Rust test review_schema_rejects_empty_findings. HIGH: typed-handoff wire-up — produces_artifact declared at top level on 5 manifests (kei-security-auditor, kei-validator, kei-architect, kei-code-implementer, kei-critic); duplicate per-handoff declarations removed. MED: kei-artifact validate.rs gains warn_unsupported_keywords — non-fatal stderr warning when schema uses keywords outside the hand-rolled 2020-12 subset. LOW: CI Node matrix dropped 18, now ['20','22']. Doc drift: skills/hooks-control/SKILL.md reflects tokenized-match semantics and updated minimal-profile hook list. Tests: 191 Rust workspace + 30 assembler (both pass). RED-1 reproducer 10/10 (4 former-CVE vectors blocked, 5 legit vectors accepted, empty passes). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
69 lines
2.1 KiB
Bash
Executable file
69 lines
2.1 KiB
Bash
Executable file
#!/bin/sh
|
|
# PreToolUse(Bash) — validate all agent manifests before `git commit` in ~/.claude.
|
|
#
|
|
# Trigger: Bash command contains "git commit" AND current directory is under ~/.claude.
|
|
# On validation failure: print FAIL list to stderr, exit 1 → Claude Code blocks the commit.
|
|
#
|
|
# Stdin: JSON with tool_input.command
|
|
|
|
# Silent fall-through if jq is absent; otherwise `set -eu` would abort and
|
|
# Claude Code would refuse the tool call system-wide.
|
|
command -v jq >/dev/null 2>&1 || exit 0
|
|
|
|
# --- RUNTIME CONTROLS (v0.15.1) ---
|
|
# KEI_DISABLED_HOOKS: tokenized exact-match list (comma- or space-separated).
|
|
# Repro of pre-v0.15.1 substring bypass (CVE-class): KEI_DISABLED_HOOKS="foo-all-bar"
|
|
# previously disabled every hook via `*all*`. v0.15.1 requires token equality.
|
|
_hook_name="$(basename "$0" .sh)"
|
|
_disabled=" $(printf '%s' "${KEI_DISABLED_HOOKS:-}" | tr ',' ' ') "
|
|
case "$_disabled" in
|
|
*" $_hook_name "*|*" all "*) unset _disabled; exit 0 ;;
|
|
esac
|
|
unset _disabled
|
|
case "${KEI_HOOK_PROFILE:-full}" in
|
|
off) exit 0 ;;
|
|
minimal)
|
|
case "$_hook_name" in
|
|
no-hand-edit-agents|assemble-validate|agent-fork-logger|session-end-dump) ;;
|
|
*) exit 0 ;;
|
|
esac
|
|
;;
|
|
advisory-off)
|
|
case "$_hook_name" in
|
|
recurrence-suggest|citation-verify|error-spike-detector|milestone-commit-hook) exit 0 ;;
|
|
esac
|
|
;;
|
|
full|*) ;;
|
|
esac
|
|
# --- end runtime controls ---
|
|
|
|
set -eu
|
|
|
|
ASSEMBLER="$HOME/.claude/agents/_assembler/target/release/assemble"
|
|
[ -x "$ASSEMBLER" ] || exit 0
|
|
|
|
CMD=$(jq -r '.tool_input.command // empty')
|
|
|
|
# Only act on git commit inside ~/.claude
|
|
case "$CMD" in
|
|
*"git commit"*) ;;
|
|
*) exit 0 ;;
|
|
esac
|
|
|
|
# Check cwd is under ~/.claude
|
|
case "$PWD" in
|
|
"$HOME/.claude"*) ;;
|
|
*) exit 0 ;;
|
|
esac
|
|
|
|
OUTPUT=$("$ASSEMBLER" --validate 2>&1 || true)
|
|
if echo "$OUTPUT" | grep -q '^FAIL'; then
|
|
echo "[assemble-validate] agent manifest validation FAILED:" >&2
|
|
echo "$OUTPUT" | grep -E '^(FAIL|OK)' | grep '^FAIL' >&2
|
|
echo "" >&2
|
|
echo "Fix manifests in ~/.claude/agents/_manifests/ before committing." >&2
|
|
echo "Run: $ASSEMBLER --validate" >&2
|
|
exit 1
|
|
fi
|
|
|
|
exit 0
|