autocoder

ros/autocoder

Fork 0

mirror of https://github.com/leonvanzyl/autocoder.git synced 2026-01-30 06:12:06 +00:00

Commit Graph

Author	SHA1	Message	Date
Marian Paul	996ac0065c	fix: improve path matching and org config validation Changes: - Support path patterns without ./ prefix (e.g., 'scripts/test.sh') - Reject non-string or empty command names in org config - Add 8 new test cases (5 for path patterns, 3 for validation) Details: - matches_pattern() now treats any pattern with '/' as a path pattern - load_org_config() validates that cmd['name'] is a non-empty string - All 148 unit tests + 9 integration tests passing Security hardening: Prevents invalid command names from reaching pattern matching logic, reducing attack surface.	2026-01-22 15:35:00 +01:00
Marian Paul	f1b48be10e	feat: increase command limit to 100 and add optimization guide Changes: - Increase command limit from 50 to 100 per project - Add examples/OPTIMIZE_CONFIG.md with optimization strategies - Update all documentation references (50 → 100) - Update tests for new limit Rationale: - 50 was too restrictive for projects with many tools (Flutter, etc.) - Users were unknowingly exceeding limit by listing subcommands - 100 provides headroom while maintaining security - New guide teaches wildcard optimization (flutter* vs listing each subcommand) UI feedback idea: Show command count and optimization suggestions (tracked for Phase 3 or future enhancement)	2026-01-22 13:29:33 +01:00
Marian Paul	a9a0fcd865	feat: add per-project bash command allowlist system Implement hierarchical command security with project and org-level configs: WHAT'S NEW: - Project-level YAML config (.autocoder/allowed_commands.yaml) - Organization-level config (~/.autocoder/config.yaml) - Pattern matching (exact, wildcards, local scripts) - Hardcoded blocklist (sudo, dd, shutdown - never allowed) - Org blocklist (terraform, kubectl - configurable) - Helpful error messages with config hints - Comprehensive documentation and examples ARCHITECTURE: - Hierarchical resolution: Hardcoded → Org Block → Org Allow → Global → Project - YAML validation with 50 command limit per project - Pattern matching: exact ("swift"), wildcards ("swift"), scripts ("./build.sh") - Secure by default: all examples commented out TESTING: - 136 unit tests (pattern matching, YAML, hierarchy, validation) - 9 integration tests (real security hook flows) - All tests passing, 100% backward compatible DOCUMENTATION: - examples/README.md - comprehensive guide with use cases - examples/project_allowed_commands.yaml - template (all commented) - examples/org_config.yaml - org config template (all commented) - PHASE3_SPEC.md - mid-session approval spec (future enhancement) - Updated CLAUDE.md with security model documentation USE CASES: - iOS projects: Add Swift toolchain (xcodebuild, swift, etc.) - Rust projects: Add cargo, rustc, clippy - Enterprise: Block aws, kubectl, terraform org-wide - Custom scripts: Allow ./scripts/build.sh PHASES: ✅ Phase 1: Project YAML + blocklist (implemented) ✅ Phase 2: Org config + hierarchy (implemented) 📋 Phase 3: Mid-session approval (spec ready, not implemented) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-22 12:29:20 +01:00

Author

SHA1

Message

Date

Marian Paul

996ac0065c

fix: improve path matching and org config validation

Changes:
- Support path patterns without ./ prefix (e.g., 'scripts/test.sh')
- Reject non-string or empty command names in org config
- Add 8 new test cases (5 for path patterns, 3 for validation)

Details:
- matches_pattern() now treats any pattern with '/' as a path pattern
- load_org_config() validates that cmd['name'] is a non-empty string
- All 148 unit tests + 9 integration tests passing

Security hardening: Prevents invalid command names from reaching
pattern matching logic, reducing attack surface.

2026-01-22 15:35:00 +01:00

Marian Paul

f1b48be10e

feat: increase command limit to 100 and add optimization guide

Changes:
- Increase command limit from 50 to 100 per project
- Add examples/OPTIMIZE_CONFIG.md with optimization strategies
- Update all documentation references (50 → 100)
- Update tests for new limit

Rationale:
- 50 was too restrictive for projects with many tools (Flutter, etc.)
- Users were unknowingly exceeding limit by listing subcommands
- 100 provides headroom while maintaining security
- New guide teaches wildcard optimization (flutter* vs listing each subcommand)

UI feedback idea: Show command count and optimization suggestions
(tracked for Phase 3 or future enhancement)

2026-01-22 13:29:33 +01:00

Marian Paul

a9a0fcd865

feat: add per-project bash command allowlist system

Implement hierarchical command security with project and org-level configs:

WHAT'S NEW:
- Project-level YAML config (.autocoder/allowed_commands.yaml)
- Organization-level config (~/.autocoder/config.yaml)
- Pattern matching (exact, wildcards, local scripts)
- Hardcoded blocklist (sudo, dd, shutdown - never allowed)
- Org blocklist (terraform, kubectl - configurable)
- Helpful error messages with config hints
- Comprehensive documentation and examples

ARCHITECTURE:
- Hierarchical resolution: Hardcoded → Org Block → Org Allow → Global → Project
- YAML validation with 50 command limit per project
- Pattern matching: exact ("swift"), wildcards ("swift*"), scripts ("./build.sh")
- Secure by default: all examples commented out

TESTING:
- 136 unit tests (pattern matching, YAML, hierarchy, validation)
- 9 integration tests (real security hook flows)
- All tests passing, 100% backward compatible

DOCUMENTATION:
- examples/README.md - comprehensive guide with use cases
- examples/project_allowed_commands.yaml - template (all commented)
- examples/org_config.yaml - org config template (all commented)
- PHASE3_SPEC.md - mid-session approval spec (future enhancement)
- Updated CLAUDE.md with security model documentation

USE CASES:
- iOS projects: Add Swift toolchain (xcodebuild, swift*, etc.)
- Rust projects: Add cargo, rustc, clippy
- Enterprise: Block aws, kubectl, terraform org-wide
- Custom scripts: Allow ./scripts/build.sh

PHASES:
✅ Phase 1: Project YAML + blocklist (implemented)
✅ Phase 2: Org config + hierarchy (implemented)
📋 Phase 3: Mid-session approval (spec ready, not implemented)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-01-22 12:29:20 +01:00

3 Commits