oklahomer / go-risa / 23707817393
78%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 3
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 78.09% (+7.4%) from 70.667%
23707817393

push

github

web-flow 
feat: Enforce tool patterns via two-layer strategy (--tools + PreToolUse hooks) (#4)

* feat: Enforce tool patterns via two-layer strategy (--tools + PreToolUse hooks)

The --tools flag only accepts bare tool names, not pattern syntax like
"Bash(date *)". Replace the single-layer approach with a two-layer strategy:

- Layer 1: Pass only bare tool names to --tools (e.g., Bash, WebSearch)
- Layer 2: Dynamically generate PreToolUse hook scripts that validate
  tool input against allowed patterns using bash glob matching

Key changes:
- Add parseToolEntry, BareToolNames, groupedToolPatterns for parsing
  allowed-tools entries into bare names and pattern groups
- Add generatePatternHookScript with Go text/template for hook generation
- Add expandPatterns to handle bare command invocations (e.g., "date"
  matching "date *")
- Merge multiple patterns per tool into a single script with OR logic
- Update buildCmd and prepareTempDir signatures to accept *SkillMeta
- Update README security documentation

* feat: Add Skill tool to two-layer pattern validation strategy

Extend the PreToolUse hook system to restrict Skill tool invocations.
Each skill now automatically allows its own name plus any explicitly
declared Skill(...) patterns, blocking undeclared sub-skill calls.
Bare "Skill" in allowed-tools opts out of restriction. Includes an
example SKILL.md for stock-analysis demonstrating Skill(fundamental-analysis).

* feat: Add PowerShell compound guard hook and pattern validation support

Extend the two-layer pattern validation strategy to the PowerShell tool,
mirroring the existing Bash compound command guard. This enables entries
like PowerShell(Get-Date *) in SKILL.md allowed-tools.

* feat: Add WebFetch SSRF guard hook to block requests to internal addresses

Add a PreToolUse hook that blocks WebFetch requests to localhost,
loopback (127.0.0.0/8), private IP ranges (10/8, 172.16/12, 192.168/16),
link-local (169.254/16, fe80::), and non-http(s) schemes (file:/... (continued)

128 of 145 new or added lines in 1 file covered. (88.28%)

278 of 356 relevant lines covered (78.09%)

9.53 hits per line

Uncovered Changes

Lines Coverage File
17
74.92
 10.15% claude.go
Jobs
ID Job ID Ran Files Coverage
1 23707817393.1 3
78.09
 GitHub Action Run
Source Files on build 23707817393