Release v0.18.0

permissions-hook.ts

@@ -0,0 +1,40 @@
+import type { HookAPI } from "./packages/coding-agent/src/index.js";
+
+const dangerousPatterns = [
+	{ pattern: /\brm\s+(-[rf]+\s+)*\//, reason: "Deleting from root" },
+	{ pattern: /\brm\s+-rf?\s/, reason: "Recursive delete" },
+	{ pattern: /\bsudo\b/, reason: "Elevated privileges" },
+	{ pattern: /\bchmod\s+777\b/, reason: "World-writable permissions" },
+	{ pattern: /\b(mkfs|dd\s+if=)/, reason: "Disk operations" },
+	{ pattern: />\s*\/dev\//, reason: "Writing to device" },
+	{ pattern: /\bcurl\b.*\|\s*(ba)?sh/, reason: "Pipe to shell" },
+	{ pattern: /\bwget\b.*\|\s*(ba)?sh/, reason: "Pipe to shell" },
+];
+
+const alwaysAllow = [
+	/^(ls|cat|head|tail|grep|find|pwd|echo|date|whoami)\b/,
+	/^git\s+(status|log|diff|branch|show)\b/,
+	/^npm\s+(run|test|install|ci)\b/,
+];
+
+export default function (pi: HookAPI) {
+	pi.on("tool_call", async (event, ctx) => {
+		if (event.toolName !== "bash") return;
+
+		const cmd = (event.input.command as string).trim();
+
+		// Always allow safe commands
+		if (alwaysAllow.some((p) => p.test(cmd))) return;
+
+		// Check for dangerous patterns
+		for (const { pattern, reason } of dangerousPatterns) {
+			if (pattern.test(cmd)) {
+				const ok = await ctx.ui.confirm(`⚠️ ${reason}`, cmd);
+				if (!ok) return { block: true, reason: `Blocked: ${reason}` };
+				return; // User approved
+			}
+		}
+
+		return;
+	});
+}