Compare commits


No commits in common. "main" and "fix/pycache-gitignore" have entirely different histories.

6 changed files with 6 additions and 50 deletions


@ -1,5 +0,0 @@
name: CI
on: [push, pull_request]
jobs:
validate:
uses: molecule-ai/molecule-ci/.gitea/workflows/validate-plugin.yml@main

5
.github/workflows/ci.yml vendored Normal file

@ -0,0 +1,5 @@
name: CI
on: [push, pull_request]
jobs:
validate:
uses: molecule-ai/molecule-ci/.github/workflows/validate-plugin.yml@main
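Review bot: the `uses:` line pins the reusable workflow to `@main`, a mutable ref, so any later push to main in molecule-ai/molecule-ci changes what this repository's CI executes on every push and pull request. Pin the reference to a full commit SHA or a release tag instead. The path also moves from `.gitea/workflows/` to `.github/workflows/` relative to the deleted workflow above; confirm that `validate-plugin.yml` exists at that path in molecule-ci, otherwise the `validate` job will fail to resolve.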

17
.gitignore vendored

@ -19,20 +19,3 @@
# Workspace auth tokens
.auth-token
.auth_token
# Python bytecode (append only — do not remove entries above)
__pycache__/
*.pyc
.pytest_cache/
# Python bytecode (append only — do not remove entries above)
__pycache__/
*.pyc
*.py[cod]
*$py.class
.Python
*.egg-info/
*.egg
.pytest_cache/
build/
dist/
.eggs/
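Review bot: with the header `-19,20 +19,3` only the three auth-token lines survive, so every Python entry (`__pycache__/`, `*.pyc`, `.pytest_cache/`, `build/`, `dist/` and the rest) is dropped, which contradicts both the in-file "append only" comment and a branch named fix/pycache-gitignore. The repository carries a Python hook and a pytest suite, so bytecode and cache directories will appear as untracked files and can be committed by accident. If the goal was to remove the duplicated block, keep one copy of the list rather than deleting both, and leave the `.auth-token` / `.auth_token` entries where they are.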


@ -1,5 +1,5 @@
name: molecule-careful-bash
version: 1.0.1
version: 1.0.0
description: Refuse destructive bash commands (git push --force to main, rm -rf at root, DROP TABLE prod). PreToolUse:Bash hook.
author: Molecule AI
tags: [molecule, guardrails]
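Review bot: the two `version:` lines appear as 1.0.1 followed by 1.0.0, which in a one-for-one `-1,5 +1,5` hunk means the plugin version moves backwards from 1.0.1 to 1.0.0. A version that goes down makes it unclear which build of the guardrail hook is the newer one. Confirm the compare direction is the intended one, and if this is a real change to the plugin, bump forward rather than reusing 1.0.0.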


@ -1,27 +0,0 @@
# Test Coverage — molecule-careful-bash
## What We Test
This plugin has **executable hooks** (Python), so it warrants real unit tests.
| File | Tests | Coverage |
|------|-------|---------|
| `hooks/pre-bash-careful.py` | 35 pytest tests | Destructive command blocking, token exfiltration prevention |
## Test Categories
| Class | Count | What |
|-------|-------|------|
| `TestRefuseForcePush` | 5 | `git push --force` to main/master blocked; feature branches allowed |
| `TestRefuseGitResetHard` | 3 | `git reset --hard` on main blocked; feature branches allowed |
| `TestRefuseSQLDestructive` | 4 | `DROP TABLE/DATABASE prod` blocked; test/sandbox allowed |
| `TestRefuseRmRf` | 5 | `rm -rf /`, home, `.git` blocked; safe paths allowed |
| `TestTokenExfiltrationBlocking` | 13 | Token file reads, `env \| grep` secrets, credential path exfil blocked |
| `TestWarnList` | 2 | Warning-only patterns: `--force-with-lease`, `close` PR |
| Safe-prompt passthrough | 3 | Legitimate commands (normal push, grep for non-secret, non-token files) pass through |
## Running Tests
```bash
python -m pytest tests/ -v
```
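
Review bot: deleting this file removes the only description on the page of what the 35 pytest tests for `hooks/pre-bash-careful.py` cover, including the 13 `TestTokenExfiltrationBlocking` cases, and the visible hunks do not show whether `tests/` itself is still present. The added CI workflow only calls `validate-plugin.yml`, so state in the change description whether `python -m pytest tests/ -v` still runs anywhere. If the tests remain, keep this document alongside them so the blocked and allowed command classes stay recorded.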