v1.11.7: secret-file deny list for codebase tools

Ports continue.dev's DEFAULT_SECURITY_IGNORE_FILETYPES + ignored-dir lists into apps/server/src/services/secret_guard.ts plus a small BooCode additions block (id_rsa*, *credentials*, .netrc, *.kdbx). Tiny glob-to- regex matcher; no new prod dep. view_file hard-refuses via SecretBlockedError. list_dir / grep / find_files filter their results and surface a pathguard_note string field with the hidden count — never list the offending paths back. Named secret_guard.ts (not safety/pathGuard.ts) to avoid collision with the existing path_guard.ts which already exports a pathGuard() function. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 20:55:50 +00:00
parent 85037f000d
commit 863452ae07
3 changed files with 467 additions and 11 deletions
--- a/apps/server/src/services/tools.ts
+++ b/apps/server/src/services/tools.ts
@@ -2,6 +2,7 @@ import { readFile, readdir, stat } from 'node:fs/promises';
 import { resolve, basename, relative } from 'node:path';
 import { z } from 'zod';
 import { pathGuard, PathScopeError } from './path_guard.js';
+import { isSecretPath, SecretBlockedError, filterSecretEntries } from './secret_guard.js';
 import { grep as fileOpsGrep, findFiles as fileOpsFindFiles } from './file_ops.js';
 import { getGitMeta } from './git_meta.js';
 import { findSkills, getSkillBody, getSkillResource } from './skills.js';
@@ -63,6 +64,15 @@ export const viewFile: ToolDef<ViewFileInputT> = {
  },
  async execute(input, projectRoot) {
    const real = await pathGuard(projectRoot, input.path);
+    // v1.11.7: secret-file deny check. Test the project-relative path
+    // (matches the form continue.dev's patterns expect: basenames + dir
+    // segments). Throw a typed error so executeToolCall in inference.ts
+    // surfaces a clear "blocked" message to the LLM instead of silently
+    // returning content the user wanted hidden.
+    const relPath = relative(projectRoot, real) || basename(real);
+    if (isSecretPath(relPath)) {
+      throw new SecretBlockedError(relPath);
+    }
    const s = await stat(real);
    if (!s.isFile()) {
      throw new PathScopeError(`not a file: ${input.path}`);
@@ -152,11 +162,21 @@ export const listDir: ToolDef<ListDirInputT> = {
        };
      })
    );
+    // v1.11.7: filter entries whose project-relative path matches a secret
+    // pattern. Each entry is tested using the project-rel dir + its name
+    // so the pattern's path/segment semantics work for nested dirs like
+    // `.aws/`. The count is surfaced via `pathguard_note` — we never list
+    // the hidden paths (defeats the purpose).
+    const relDir = relative(projectRoot, real) || '.';
+    const secretFilter = filterSecretEntries(out, (e) =>
+      relDir === '.' ? e.name : `${relDir}/${e.name}`,
+    );
    return {
-      path: relative(projectRoot, real) || '.',
-      entries: out,
-      total,
+      path: relDir,
+      entries: secretFilter.kept,
+      total: secretFilter.kept.length,
      truncated: total > MAX_DIR_ENTRIES,
+      ...(secretFilter.note ? { pathguard_note: secretFilter.note } : {}),
    };
  },
 };
@@ -208,14 +228,21 @@ export const grep: ToolDef<GrepInputT> = {
      case_sensitive: input.case_sensitive,
      hidden: input.hidden,
    });
+    const reshaped = result.matches.map((m) => ({
+      path: m.path,
+      line: m.line,
+      content: m.text,
+    }));
+    // v1.11.7: drop matches whose source file is a known-secret pattern.
+    // file_ops.grep returns project-relative paths, so we feed them straight
+    // into isSecretPath. Multiple matches in the same secret file each get
+    // dropped individually — they all count in the hidden tally.
+    const secretFilter = filterSecretEntries(reshaped, (m) => m.path);
    return {
-      matches: result.matches.map((m) => ({
-        path: m.path,
-        line: m.line,
-        content: m.text,
-      })),
-      total: result.matches.length,
+      matches: secretFilter.kept,
+      total: secretFilter.kept.length,
      truncated: result.truncated,
+      ...(secretFilter.note ? { pathguard_note: secretFilter.note } : {}),
    };
  },
 };
@@ -260,10 +287,15 @@ export const findFiles: ToolDef<FindFilesInputT> = {
      path: input.path,
      max_results: limit,
    });
+    // v1.11.7: drop paths matching secret patterns. The original `total`
+    // from file_ops includes pre-truncation count; we report the visible
+    // count post-filter so the LLM can't infer hidden-count by subtraction.
+    const secretFilter = filterSecretEntries(result.files, (p) => p);
    return {
-      paths: result.files,
-      total: result.total,
+      paths: secretFilter.kept,
+      total: secretFilter.kept.length,
      truncated: result.truncated,
+      ...(secretFilter.note ? { pathguard_note: secretFilter.note } : {}),
    };
  },
 };