UNPKG

@hugsylabs/plugin-security

Version:

Security restrictions for Hugsy - protect sensitive files and operations

github.com/HugsyLabs/hugsy-plugins/tree/main/packages/plugins/security

HugsyLabs/hugsy-plugins

121 lines (84 loc) 2.63 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# @hugsylabs/plugin-security Security restrictions plugin for Hugsy that focuses solely on protecting sensitive files and operations. ## Features - 🔒 Deny access to sensitive files (env, keys, secrets) - 🛡️ Block dangerous system commands - ⚠️ Require confirmation for risky operations - 🚨 Security warnings via hooks - 🔐 Protect credentials and API keys - 🚫 Prevent accidental data loss ## Installation ```bash npm install @hugsylabs/plugin-security ``` ## Usage Add to your `.hugsyrc.json`: ```json { "plugins": ["@hugsylabs/plugin-security"] } ``` ## What It Adds ### Denied Operations The plugin **completely blocks** these dangerous operations: **Sensitive Files:** - Environment files (`.env`, `.env.*`) - SSH keys and certificates - Credentials and secrets - API keys and tokens - AWS/GCloud credentials - Database files **System Operations:** - System file modifications (`/etc/passwd`, `/etc/shadow`) - Dangerous deletions (`rm -rf /`) - Unsafe script execution (`curl | bash`) - Global package installations - Network scanning tools - Process termination commands - System service management ### Ask Before Operations The plugin **requires confirmation** for these operations: - File/directory deletions (`rm -rf`, `rm -r`) - Permission changes (`chmod`, `chown`) - Archive extraction (`tar`, `unzip`) - File downloads (`curl`, `wget`) - Docker operations - Database connections - Force Git operations ### Security Hooks **Pre-operation warnings:** - Sudo command detection - File deletion warnings - Permission change alerts **Post-operation notifications:** - Download completion alerts - Source verification reminders ## Security Philosophy This plugin follows the principle of **least privilege**: 1. **Deny by default** - Block access to known sensitive files 2. **Ask when uncertain** - Require confirmation for risky operations 3. **Warn proactively** - Alert users before dangerous actions 4. **Protect data** - Prevent accidental data loss or exposure ## Single Responsibility This plugin focuses **solely** on security restrictions: - Protecting sensitive files - Blocking dangerous commands - Requiring confirmations - Adding security warnings It does NOT handle: - General permissions (use presets) - Development workflows (use other plugins) - Git operations (use `@hugsylabs/plugin-git`) - Testing (use `@hugsylabs/plugin-test`) ## Customization You can override specific restrictions in your `.hugsyrc.json`: ```json { "plugins": ["@hugsylabs/plugin-security"], "permissions": { "allow": ["Read(**/.env.example)"] } } ``` ## License MIT