 1  /**
 2   * Pattern lists for dangerous shell-tool allow-rule prefixes.
 3   *
 4   * An allow rule like `Bash(python:*)` or `PowerShell(node:*)` lets the model
 5   * run arbitrary code via that interpreter, bypassing the auto-mode classifier.
 6   * These lists feed the isDangerous{Bash,PowerShell}Permission predicates in
 7   * permissionSetup.ts, which strip such rules at auto-mode entry.
 8   *
 9   * The matcher in each predicate handles the rule-shape variants (exact, `:*`,
10   * trailing `*`, ` *`, ` -…*`). PS-specific cmdlet strings live in
11   * isDangerousPowerShellPermission (permissionSetup.ts).
12   */
13  
/**
 * Cross-platform code-execution entry points present on both Unix and Windows.
 * Shared to prevent the two lists drifting apart on interpreter additions.
 *
 * Each entry is the command prefix as it appears inside a shell-tool allow
 * rule (e.g. `Bash(<entry>:*)`). Allowing any of these as a broad prefix
 * hands the model arbitrary code execution through that program, so the
 * consuming predicates treat such rules as dangerous and strip them.
 *
 * Declared `as const` so the exported type is the exact readonly tuple of
 * string literals; element order is therefore part of the type — append new
 * entries rather than reordering existing ones.
 *
 * Multi-word entries ('npm run', 'yarn run', …) are listed separately from
 * the bare tool name because the rule matcher is exact-shape rather than
 * prefix-based (see the `gh` / `gh api` note in DANGEROUS_BASH_PATTERNS), so
 * a bare 'npm' entry would not catch a `npm run:*` rule.
 */
export const CROSS_PLATFORM_CODE_EXEC = [
  // Interpreters — each executes arbitrary source, so `<name>:*` is
  // equivalent to an unrestricted execute permission.
  'python',
  'python3',
  'python2',
  'node',
  'deno',
  // NOTE(review): presumably the `tsx` TypeScript runner package — confirm
  'tsx',
  'ruby',
  'perl',
  'php',
  'lua',
  // Package runners — `npx`/`bunx` fetch and execute a package; the
  // `<pm> run` forms execute project-defined scripts.
  'npx',
  'bunx',
  'npm run',
  'yarn run',
  'pnpm run',
  'bun run',
  // Shells reachable from both (Git Bash / WSL on Windows, native on Unix)
  'bash',
  'sh',
  // Remote arbitrary-command wrapper (native OpenSSH on Win10+)
  'ssh',
] as const
43  
/**
 * Anthropic-internal additions to DANGEROUS_BASH_PATTERNS, active only when
 * `USER_TYPE` is 'ant' (read once, at module load). Covers ant-only tools plus
 * general tools that ant sandbox dotfile data shows are commonly
 * over-allowlisted as broad prefixes. These stay ant-only — external users
 * don't have coo, and the rest are an empirical-risk call grounded in ant
 * sandbox data, not a universal "this tool is unsafe" judgment. PS may want
 * these once it has usage data.
 */
const ANT_ONLY_BASH_PATTERNS: readonly string[] =
  process.env.USER_TYPE === 'ant'
    ? [
        'fa run',
        // Cluster code launcher — arbitrary code on the cluster
        'coo',
        // Network/exfil: gh gist create --public, gh api arbitrary HTTP,
        // curl/wget POST. gh api needs its own entry — the matcher is
        // exact-shape, not prefix, so pattern 'gh' alone does not catch
        // rule 'gh api:*' (same reason 'npm run' is separate from 'npm').
        'gh',
        'gh api',
        'curl',
        'wget',
        // git config core.sshCommand / hooks install = arbitrary code
        'git',
        // Cloud resource writes (s3 public buckets, k8s mutations)
        'kubectl',
        'aws',
        'gcloud',
        'gsutil',
      ]
    : []

/**
 * Command prefixes whose `Bash(...)` allow rules are stripped at auto-mode
 * entry (consumed by isDangerousBashPermission in permissionSetup.ts).
 *
 * Builds on CROSS_PLATFORM_CODE_EXEC with Bash-list-only additions: further
 * shells, the builtins that evaluate their arguments as a command, and
 * wrappers whose real command is whatever follows the prefix. The ant-only
 * tail is appended last so order matches the historical flat list.
 */
export const DANGEROUS_BASH_PATTERNS: readonly string[] = [
  ...CROSS_PLATFORM_CODE_EXEC,
  // Additional shells
  'zsh',
  'fish',
  // Builtins that run their arguments as a command
  'eval',
  'exec',
  // Wrappers — `env X`, `xargs X`, `sudo X` all execute an arbitrary X
  'env',
  'xargs',
  'sudo',
  ...ANT_ONLY_BASH_PATTERNS,
]