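/**
 * Bash tool safety layers.
 *
 * Seven layers of defense-in-depth for shell command execution, plus a
 * UX gate that runs between layers 6 and 7:
 *   1. Environment variable stripping
 *   2. Critical path protection
 *   3. Command classification
 *   4. Path validation for write commands
 *   5. Obfuscation and injection detection
 *   6. Script preflight
 *   6.5. Interactive command detection (UX gate — prevents silent timeouts
 *        on editors, pagers, REPLs, and interactive DB clients)
 *   7. Auto-mode classifier (utility model LLM call)
 *
 * Reference: docs/cortex/tools/bash.md (Safety Architecture)
 *
 * NOTE(review): in the reviewed copy of this declaration file every generic
 * type-argument list (`Record<…>`, `Promise<…>`) had been stripped, which is
 * not valid TypeScript, and one span of declarations was lost entirely (see
 * the heredoc note below). The type arguments written here are conservative
 * reconstructions; regenerate this file from safety.ts to get the real ones.
 */

/** Impact category assigned to a command by {@link classifyCommand}. */
export type CommandClassification =
  | 'read'
  | 'write'
  | 'create'
  | 'network'
  | 'safe-stdin'
  | 'unknown';

/** Outcome of a single safety layer, or of the whole pipeline. */
export interface SafetyCheckResult {
  /** `true` when the command may proceed past this check. */
  allowed: boolean;
  /** Explanation of the decision; optional. */
  reason?: string | undefined;
  /** Classification of the command, when the check produced one. */
  classification?: CommandClassification | undefined;
}

/**
 * Build a safe environment for child processes by stripping dangerous variables.
 * Adds CORTEX_SHELL=exec as a context marker.
 *
 * Delegates to the shared buildSafeEnv utility so that both the Bash tool
 * and the MCP client use the same blocklist.
 *
 * `overrides` are applied without passing through the blocklist, so they
 * should be built from trusted configuration only and never from command
 * text or other model- or user-controlled input.
 *
 * @param parentEnv - The source environment (typically process.env)
 * @param overrides - Optional env var overrides that bypass the blocklist
 * @returns The filtered environment to hand to the child process.
 */
// NOTE(review): `Record<string, string>` is assumed for both the parameter and
// the return value — confirm against the implementation.
export declare function buildSafeEnv(
  parentEnv: NodeJS.ProcessEnv,
  overrides?: Record<string, string>,
): Record<string, string>;

/**
 * Report whether `targetPath` is treated as a critical path (layer 2).
 *
 * NOTE(review): the set of critical paths and any normalization applied
 * (relative segments, symlinks) are not visible in this declaration file;
 * confirm whether callers must pass an already-resolved absolute path.
 *
 * @param targetPath - Path to test.
 */
export declare function isCriticalPath(targetPath: string): boolean;

/**
 * Variant of {@link isCriticalPath} that, judging by its name, also matches
 * paths located beneath a critical path — confirm against the implementation.
 *
 * @param targetPath - Path to test.
 */
export declare function isCriticalPathOrDescendant(targetPath: string): boolean;

/**
 * Split a command string on shell operators (; && || |) while respecting
 * quoted strings. Returns the individual sub-commands.
 *
 * NOTE(review): only the four operators above are documented. Confirm how
 * newlines, a lone `&`, subshells and command substitution are treated,
 * because classification and path extraction operate on the sub-commands
 * this function returns.
 *
 * @param command - Full command line as submitted to the Bash tool.
 */
export declare function splitOnShellOperators(command: string): string[];

/**
 * Classify a command (potentially compound) by its potential impact.
 * For compound commands, returns the highest-risk classification
 * among all sub-commands.
 *
 * The risk ordering of the {@link CommandClassification} values is defined
 * by the implementation and is not visible here.
 *
 * @param command - Full command line, possibly compound.
 */
export declare function classifyCommand(command: string): CommandClassification;

/**
 * Extract target paths from write/create commands.
 * Returns the paths that would be modified by the command.
 * Handles compound commands by extracting paths from all sub-commands.
 *
 * @param command - Full command line, possibly compound.
 */
export declare function extractWritePaths(command: string): string[];

/**
 * Validate that write paths are within the allowed working directory.
 *
 * @param command - Full command line whose write targets are checked.
 * @param workingDirectory - The allowed working directory.
 * @param currentCwd - Presumably the shell's current directory, used to
 *   resolve relative targets — TODO confirm against the implementation.
 * @returns A result with `allowed: false` when a target falls outside the
 *   allowed directory.
 */
export declare function validateWritePaths(
  command: string,
  workingDirectory: string,
  currentCwd: string,
): SafetyCheckResult;

/**
 * Strip invisible Unicode characters that could be used for obfuscation.
 *
 * @param command - Raw command text.
 * @returns The command with those characters removed.
 */
export declare function stripInvisibleChars(command: string): string;

/**
 * Per-character quote context. Describes the quoting state at a given position.
 */
export type QuoteContext = 'none' | 'single' | 'double' | 'backtick' | 'escaped';

/**
 * Analyze the quoting context of each character in a shell command.
 * Returns an array of QuoteContext values, one per character, indicating
 * whether that position is inside single quotes, double quotes, backticks,
 * escaped, or unquoted. Handles nested escapes correctly (e.g., `\"` inside
 * double quotes keeps the next character as "double", not "escaped").
 *
 * @param command - Command text to analyze.
 */
export declare function analyzeQuoteState(command: string): QuoteContext[];

/**
 * Detect IFS variable manipulation in unquoted context.
 * `IFS=` inside quotes is harmless (just a string literal).
 * Unquoted `IFS=` is a shell variable assignment that can enable attacks.
 *
 * @param command - Command text to inspect.
 * @param states - Per-character quote contexts; presumably the output of
 *   {@link analyzeQuoteState} for the same `command`, index for index.
 */
export declare function checkIfsInjection(
  command: string,
  states: QuoteContext[],
): SafetyCheckResult;

/**
 * Detect access to sensitive /proc and /sys paths in unquoted context.
 * Quoted references (e.g., `echo "/proc/self/environ"`) are harmless string
 * literals. Unquoted references indicate actual filesystem access attempts.
 *
 * @param command - Command text to inspect.
 * @param states - Per-character quote contexts; presumably the output of
 *   {@link analyzeQuoteState} for the same `command`, index for index.
 */
export declare function checkProcSysAccess(
  command: string,
  states: QuoteContext[],
): SafetyCheckResult;

/**
 * Detect jq command abuse: system() calls, @sh filter for shell injection,
 * and -n with module imports that could load malicious jq modules.
 *
 * @param command - Command text to inspect.
 */
export declare function checkJqAbuse(command: string): SafetyCheckResult;

/**
 * Detect ANSI-C quoting ($'...') with hex or octal escape sequences that
 * encode potentially dangerous content. Simple escapes like $'\n' and $'\t'
 * are legitimate and allowed.
 *
 * @param command - Command text to inspect.
 */
export declare function checkAnsiCQuoting(command: string): SafetyCheckResult;

/*
 * Detect heredoc patterns and validate their content. Unquoted heredoc
 * delimiters (…)
 *
 * NOTE(review): this comment is cut off in the reviewed text, and the
 * declaration it documented — together with any declarations that followed
 * it up to the auto-mode classifier — is missing. The file header lists
 * obfuscation detection, script preflight and interactive-command detection,
 * none of which has a declaration below. Restore the lost declarations from
 * the compiler output rather than by hand.
 */

/**
 * Auto-mode classifier that uses the utility model to classify whether
 * a command should be blocked in autonomous mode.
 *
 * The full implementation will:
 *   1. Fast check (256 max tokens): quick classification
 *   2. Full analysis (4096 max tokens): if fast check is uncertain
 *
 * Fail-safe behavior: when auto-approve mode is active (isAutoApprove=true)
 * but no classifier function is available, this layer BLOCKS the command.
 * When auto-approve is not active, the consumer's permission resolver
 * (beforeToolCall) has already approved, so this layer passes through.
 *
 * @param command - Command text to classify.
 * @param description - Optional description accompanying the command.
 * @param utilityComplete - Utility-model completion function; when absent the
 *   fail-safe rule above applies.
 * @param isAutoApprove - Whether the consumer is in auto-approve mode.
 */
// NOTE(review): `Promise<unknown>` for the callback and
// `Promise<SafetyCheckResult>` for the return value are assumed — confirm.
export declare function checkAutoModeClassifier(
  command: string,
  description: string | undefined,
  utilityComplete?: ((context: unknown) => Promise<unknown>) | undefined,
  isAutoApprove?: boolean,
): Promise<SafetyCheckResult>;

/**
 * Run all safety layers on a command.
 * Returns the first failure or { allowed: true } if all pass.
 *
 * Callers that execute commands without a human approval step must pass
 * `isAutoApprove: true`; per the classifier's documented fail-safe rule,
 * layer 7 otherwise passes through when no classifier is available.
 *
 * @param command - Command text to check.
 * @param workingDirectory - The allowed working directory for writes.
 * @param currentCwd - Current directory passed on to path validation.
 * @param options - Classifier callback, command description and approval mode.
 */
export declare function runSafetyChecks(
  command: string,
  workingDirectory: string,
  currentCwd: string,
  options?: {
    // NOTE(review): `Promise<unknown>` is assumed for the callback — confirm.
    utilityComplete?: ((context: unknown) => Promise<unknown>) | undefined;
    description?: string | undefined;
    /** Whether the consumer is in auto-approve mode. When true and no classifier is available, Layer 7 blocks. */
    isAutoApprove?: boolean | undefined;
  },
): Promise<SafetyCheckResult>;
//# sourceMappingURL=safety.d.ts.map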