oklahomer / go-risa
78%

DEFAULT BRANCH: main
Repo Added
Files 3
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH main
branch: SELECT
CHANGE BRANCH
x

coverage: 78.09% (+7.4%) from 70.667%
23707817393

push

github

web-flow 
feat: Enforce tool patterns via two-layer strategy (--tools + PreToolUse hooks) (#4)

* feat: Enforce tool patterns via two-layer strategy (--tools + PreToolUse hooks)

The --tools flag only accepts bare tool names, not pattern syntax like
"Bash(date *)". Replace the single-layer approach with a two-layer strategy:

- Layer 1: Pass only bare tool names to --tools (e.g., Bash, WebSearch)
- Layer 2: Dynamically generate PreToolUse hook scripts that validate
  tool input against allowed patterns using bash glob matching

Key changes:
- Add parseToolEntry, BareToolNames, groupedToolPatterns for parsing
  allowed-tools entries into bare names and pattern groups
- Add generatePatternHookScript with Go text/template for hook generation
- Add expandPatterns to handle bare command invocations (e.g., "date"
  matching "date *")
- Merge multiple patterns per tool into a single script with OR logic
- Update buildCmd and prepareTempDir signatures to accept *SkillMeta
- Update README security documentation

* feat: Add Skill tool to two-layer pattern validation strategy

Extend the PreToolUse hook system to restrict Skill tool invocations.
Each skill now automatically allows its own name plus any explicitly
declared Skill(...) patterns, blocking undeclared sub-skill calls.
Bare "Skill" in allowed-tools opts out of restriction. Includes an
example SKILL.md for stock-analysis demonstrating Skill(fundamental-analysis).

* feat: Add PowerShell compound guard hook and pattern validation support

Extend the two-layer pattern validation strategy to the PowerShell tool,
mirroring the existing Bash compound command guard. This enables entries
like PowerShell(Get-Date *) in SKILL.md allowed-tools.

* feat: Add WebFetch SSRF guard hook to block requests to internal addresses

Add a PreToolUse hook that blocks WebFetch requests to localhost,
loopback (127.0.0.0/8), private IP ranges (10/8, 172.16/12, 192.168/16),
link-local (169.254/16, fe80::), and non-http(s) schemes (file:/... (continued)

128 of 145 new or added lines in 1 file covered. (88.28%)

278 of 356 relevant lines covered (78.09%)

9.53 hits per line

Relevant lines Covered
356 RELEVANT LINES 278 COVERED LINES
9.53 HITS PER LINE
Source Files on main

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
23707817393 main feat: Enforce tool patterns via two-layer strategy (--tools + PreToolUse hooks) (#4) * feat: Enforce tool patterns via two-layer strategy (--tools + PreToolUse hooks) The --tools flag only accepts bare tool names, not pattern syntax like "Bash(d... push web-flow github
78.09
23685265270 feat/two-layer-tool-whitelist Merge d91519dea into 9a4ae923e Pull #4 web-flow github
78.09
23402412516 main feat: Add file-write guard hook to restrict writes to cwd and protect control files Add a PreToolUse hook (pre-tool-use-file-write.sh) that restricts Edit, Write, and NotebookEdit tools to only write within the working directory. The hook derives... push oklahomer github
70.67
22928717094 main docs: Add comprehensive README with architecture and security documentation (#3) Add project overview, core architecture docs, six-layer security measures, getting started guide, and Discord bot example reference. push web-flow github
75.24
22906888072 docs/update-readme Merge 90cc1cb91 into 0d6e31eef Pull #3 web-flow github
75.24
22854124565 main feat: Add system prompt directive for prompt injection defense (#2) * feat: Add system prompt directive for prompt injection defense Write a system-prompt.md file per invocation in prepareTempDir and pass it via --append-system-prompt-file so th... push web-flow github
75.24
22853974137 feat/system-prompt-injection-defense Merge 640e348a9 into cd6b0427a Pull #2 web-flow github
75.24
22853561548 feat/system-prompt-injection-defense Merge f54506165 into cd6b0427a Pull #2 web-flow github
75.24
22798539789 main Add CI workflow with Coveralls integration (#1) * ci: Add CI workflow with Coveralls integration Add GitHub Actions CI workflow that runs build, vet, and tests across Go 1.25, 1.26, and tip with 80% coverage threshold. Report coverage to Coveral... push web-flow github
74.87
22798452679 add-ci-workflow Merge d69d1e9d2 into 06cfbc3dd Pull #1 web-flow github
74.87
See All Builds (11)