KjdZddlmZddlZddlZddlZddlmZmZm Z m Z  ddl m Z m Z mZmZmZmZmZed e DZej,d Zej,d Zej,dZej,dZej,dZej,dZddZddZddZddZ ddZ!ddZ" d dZ#y#e$rdZ dZdZd Z d Zd Zdd ZYwxYw)!zAxis 3 restricted canary - tool call classifier (canonical, PYTHONPATH-agnostic). chair_authorization_id = CHAIR-AUTH-AXIS-3-CANARY-20260524-JJONGS-RESTRICTED-001 Pure function classifier. No I/O, no side effects, no globals mutated. ) annotationsN)IterableMappingOptionalTuple)CREDENTIAL_PATTERNSDECISION_AUDIT_ONLYDECISION_BLOCK DECISION_WARNFORBIDDEN_PATH_GLOB_SUFFIXESFORBIDDEN_PATH_PREFIXESinitial_decision_for_category AUDIT_ONLYWARNBLOCKc8|dk(rtS|dvrtStS)N destructive)forbidden_pathcredential_pattern)r r r )categorys 5/home/jay/workspace/utils/runtime_guard_classifier.pyrr#s% } $! ! ? ? ""c#FK|]}tj|ywN)recompile).0ps r r +sGaBJJqMGs!zv(?:^|\s|;|&&|\|\|)rm\s+(?:-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*|-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*|-rf|-fr)\s+/(?:\s|$|;|&&|\|\|)zbgit\s+push\s+(?:.*\s)?--force(?:[^-]|-with-lease)?[^\n;|&]*?\s(?:origin\s+main|origin/main|main)\bzHgit\s+push\s+(?:.*\s)?-f\s+(?:.*\s)?(?:origin\s+main|origin/main|main)\bz#git\s+branch\s+-D\s+(?:.*\s)?main\bz%cokacdir(?:\s+\S+)*\s+--cron-remove\bzgit\s+reset\s+--hard\s+(\S+)ctj|D]0}|jd}|dvrtjd|r0yy)zBlock git reset --hard with explicit non-current ref. Conservative heuristic: allow HEAD / HEAD~N / @{u} / origin/ via classifier WARN list, only BLOCK when an explicit other branch/sha is given. )HEADz@{u} ORIG_HEAD FETCH_HEADzHEAD~\d+TF)_GIT_RESET_HARD_REfinditergroupr fullmatch)commandmatchrefs r_is_destructive_git_resetr-=sP $,,W5kk!n = =  << S )  rctj|rytj|stj|ryt |ryt j|ryt j|ryy)N)zdestructive.rm_rf_rootzrm -rf / detected)zdestructive.git_push_force_mainz%git push --force origin/main detected)z'destructive.git_reset_hard_other_branchz.git reset --hard detected)z"destructive.git_branch_delete_mainzgit branch -D main detected)z destructive.cokacdir_cron_removezcokacdir --cron-remove detected)_RM_RF_ROOT_REsearch_GIT_PUSH_FORCE_MAIN_RE_GIT_PUSH_FORCE_F_MAIN_REr-_GIT_BRANCH_DELETE_MAIN_RE_COKACDIR_CRON_REMOVE_RE)r*s r_scan_destructiver5NssW%>%%g.2K2R2RSZ2[ !) "((1  &&w/  rcl|sytD](}|j|}|sdd|jfcSy)Nzcredential_pattern.matchzcredential pattern matched: )_CREDENTIAL_REGEXESr0pattern)textrxms r_scan_credentialsr<hsE !] IIdO .2Nrzzl0[\ \] rcd tjj|S#t$r|cYSwxYwr)ospathabspath Exception)rs r _norm_pathrBrs.wwq!! s ! //c |syt|}tD]$}||k(s|j|dzsdd|fcS|j}tD]:}|j d|zs|j d|zsd|z|vs3dd|fcSy)N/zforbidden_path.prefixzforbidden path prefix: .zforbidden_path.suffixzforbidden path suffix: )rBr startswithlowerr endswith)r?normprefixloweredsuffixs r_scan_forbidden_pathrMys  d D)Q 6>T__Vc\:+/Fvh-OP PQjjlG.Q   C&L )W-=-=cFl-KsU[|_fOf+/Fvh-OP PQ rc#KdD]+}|j|}t|ts%|s(|-|dk(rm|jdd}t|trJ|rG tj|d}|D])}|j ds|j ds&|+yyyy#t $r|j }YMwxYww) N) file_pathr? notebook_pathBashr*T)posixrDz~/)get isinstancestrshlexsplitrArF) tool_name tool_inputkeyvcmdtokensts r_extract_tool_pathsr`s5 NN3  a !GFnnY+ c3 C %S5 <<$ T(:G  %(   % %s9'CC/CB&4'C C&C?CCCc|i}|dk(rD|jdd}t|tr"t|}|r|\}}t d||ddSt ||D]&}t |}|s|\}}t d||ddcSdD]H}|j|}t|ts%t|}|s3|\}}t d||ddcStd d d dS) zReturn decision dict {decision, rule_id, reason, category}. Pure function. AUDIT_ONLY when no rule fires. tool_input may be None when the hook fails to parse the upstream event payload. rQr*rRr)decisionrule_idreasonrr)content new_stringr*promptrz audit.noopz no rule fired audit_only) rTrUrVr5rr`rMr<r ) rYrZr]hitrcrdrr[r\s rclassifyrjs! FnnY+ c3 #C(C"% =m L&$ - !J 7 "1% !OGV9:JK" ,   >  NN3  a #A&C"% =>R S&$ 4  (!  r)rrVreturnrV)r*rVrkbool)r*rVrkOptional[Tuple[str, str]])r9rVrkrm)rrVrkrV)r?rVrkrm)rYrVrZzMapping[str, object]rkz Iterable[str])rYrVrZzOptional[Mapping[str, object]]rkdict)$__doc__ __future__rr>rrWtypingrrrrutils.runtime_guard_policy_maprr r r r r rrAtupler7rr/r1r2r3r4r&r-r5r<rBrMr`rjrrrrts5 # 55#4G3FGG}%"**i'BJJO(RZZ(NO%2::&NORZZ ?@"4 "99.9 9}#&MN#%  ##sCC*)C*