Add Team features: approval workflows, webhooks, sessions, custom rules, DLP, audit #49

Merged: sheeki03 merged 11 commits into main from feat/part9-team-features on Feb 24, 2026

@sheeki03 (Owner) commented Feb 24, 2026

Summary

  • Add approval workflow system (Team tier)
  • Add webhook dispatch for findings (Slack/HTTP)
  • Add session tracking
  • Add MITRE ATT&CK mapping
  • Add custom YAML detection rules
  • Add DLP redaction for sensitive data in logs
  • Add audit aggregation and remote upload
  • Add Pro enrichments, rendered scanning, cloaking, checkpoints, paranoia tiers (Part 8)
  • Fix review findings: time_range correctness, PowerShell catch block, error handling, clippy lints
  • Includes Parts 1-8 and bug fixes

Test plan

  • All existing tests pass

🤖 Generated with Claude Code

Note

Adjust blank line formatting across Team features code related to approval workflows, webhooks, sessions, custom rules, DLP, and audit

Normalize whitespace by modifying blank lines; no functional code changes are introduced.

📍Where to Start

Start with the root-level formatting changes in README.md or the primary Team module entry file, if present, to see whitespace adjustments.

Macroscope summarized 1ae729f.

sheeki03 and others added 7 commits February 21, 2026 12:40
…error handling, clippy lints

- Fix audit_aggregator compute_stats time_range to use min_by/max_by instead of first/last
- Fix PowerShell approval catch block: log error, fail closed, reset validKeys
- Sync powershell-hook.ps1 to embedded assets
- Improve error handling in audit.rs, checkpoint.rs, mcp/dispatcher.rs, webhook.rs
- Improve error reporting in check.rs, run.rs, scan.rs, score.rs
- Fix uninlined_format_args clippy lints in dispatcher.rs, redact.rs, webhook.rs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

push_segment() incorrectly treated VAR=VALUE as the command token. Now
skips leading environment variable assignments to find the real command.
Adds pub is_env_assignment() helper for use by engine bypass detection.

Fixes: TIRITH=0 curl evil.com now correctly identifies curl as command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Bypass detection now finds TIRITH=0 in inline env prefixes and env
wrappers (env -i TIRITH=0, /usr/bin/env TIRITH=0), not just process
env. Handles -u value-taking flag and -- option terminator.

Self-invocation guard allows tirith's own commands (tirith diff, etc.)
in single-segment inputs. Resolves through env/command/time wrappers.
Uses canonicalized path comparison for path-form invocations with
fallback to literal-only matching when canonicalization fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add command-aware output-flag skipping for curl (-o/--output) and wget
(-O/-OFILE/--output-document). Extract URLs from command+args instead
of raw segment text to avoid matching URLs in env-prefix values.

Add conservative non-TLD file extensions (.png, .jpg, .mp4, etc.) to
schemeless host exclusion list. Fixes issue #33.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…paths

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…09 ignore

- Run cargo fmt --all
- Fix clippy lints: redundant closures, uninlined_format_args, approx_constant
- Pin time crate to 0.3.37 (0.3.47 uses edition2024, incompatible with MSRV 1.83)
- Add .cargo/audit.toml ignoring RUSTSEC-2026-0009 (time crate DoS,
  not exploitable in our usage, fix requires Rust 1.88)
- Add same ignore to deny.toml

sheeki03 and others added 2 commits February 24, 2026 22:57
- Merge origin/main (glibc build fix)
- Fix single & segment boundary in split_raw_words (security)
- Use exact match == TIRITH=0 (prevents false bypass)
- Skip flags in resolve_command_wrapper
- Remove dead code in is_tirith_command
- Remove quote-stripping from is_env_assignment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Resolved 18 conflicts by keeping main's improved code. Replaced
engine.rs with main's version to fix duplicate function definitions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@sheeki03 sheeki03 merged commit 5d6432c into main Feb 24, 2026
9 checks passed
@sheeki03 sheeki03 deleted the feat/part9-team-features branch February 24, 2026 21:58
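
The env-prefix and env-wrapper handling described in the commit messages above, sketched as an added Rust example that is not code from this pull request or from tirith. The names `is_assignment` and `analyse` are hypothetical, and recognising the wrapper as `env` or any path ending in `/env` is an assumption. It shows why the command token and the `TIRITH=0` check must both be resolved past leading assignments, `-u NAME` and `--`.

```rust
// Added illustration, not tirith's source. Input is assumed to be one command
// segment already split into words; quoting is out of scope.

/// True for NAME=VALUE where NAME is a valid shell variable name.
fn is_assignment(tok: &str) -> bool {
    let Some((name, _)) = tok.split_once('=') else { return false };
    let mut chars = name.chars();
    matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_')
        && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Returns (real command token, whether TIRITH=0 was set for it).
fn analyse<'a>(tokens: &[&'a str]) -> (Option<&'a str>, bool) {
    let mut bypass = false;
    let mut i = 0;
    loop {
        // Inline prefix: VAR=VALUE ... cmd
        while i < tokens.len() && is_assignment(tokens[i]) {
            bypass |= tokens[i] == "TIRITH=0"; // exact match, so TIRITH=01 does not count
            i += 1;
        }
        // Wrapper: env [-i] [-u NAME] [--] [VAR=VALUE ...] cmd
        let is_env = tokens.get(i).is_some_and(|t| *t == "env" || t.ends_with("/env"));
        if !is_env {
            break;
        }
        i += 1;
        while i < tokens.len() && tokens[i].starts_with('-') {
            let flag = tokens[i];
            i += 1;
            if flag == "--" {
                break;
            }
            if flag == "-u" {
                i += 1; // -u consumes the next word as the variable name
            }
        }
    }
    (tokens.get(i).copied(), bypass)
}

fn main() {
    // Constructed sample inputs.
    for line in ["TIRITH=0 curl evil.com", "/usr/bin/env -u HOME TIRITH=0 curl evil.com"] {
        let words: Vec<&str> = line.split_whitespace().collect();
        println!("{line:?} -> {:?}", analyse(&words));
    }
}
```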