fix: block bash commands in Prometheus mode to respect permission config (#1449)

kaizen403 · web-flow · commit 6151d1cb5ea8 · 2026-02-04T11:06:54.000+09:00
Fixes #1428 - Prometheus bash bypass security issue
diff --git a/src/hooks/prometheus-md-only/constants.ts b/src/hooks/prometheus-md-only/constants.ts
@@ -9,7 +9,7 @@ export const ALLOWED_EXTENSIONS = [".md"]
 
 export const ALLOWED_PATH_PREFIX = ".sisyphus"
 
-export const BLOCKED_TOOLS = ["Write", "Edit", "write", "edit"]
+export const BLOCKED_TOOLS = ["Write", "Edit", "write", "edit", "bash"]
 
 export const PLANNING_CONSULT_WARNING = `
 
diff --git a/src/hooks/prometheus-md-only/index.test.ts b/src/hooks/prometheus-md-only/index.test.ts
@@ -173,7 +173,25 @@ describe("prometheus-md-only", () => {
       ).rejects.toThrow("can only write/edit .md files")
     })
 
-    test("should not affect non-Write/Edit tools", async () => {
+    test("should block bash commands from Prometheus", async () => {
+      // given
+      const hook = createPrometheusMdOnlyHook(createMockPluginInput())
+      const input = {
+        tool: "bash",
+        sessionID: TEST_SESSION_ID,
+        callID: "call-1",
+      }
+      const output = {
+        args: { command: "echo test" },
+      }
+
+      // when / #then
+      await expect(
+        hook["tool.execute.before"](input, output)
+      ).rejects.toThrow("cannot execute bash commands")
+    })
+
+    test("should not affect non-blocked tools", async () => {
       // given
       const hook = createPrometheusMdOnlyHook(createMockPluginInput())
       const input = {
diff --git a/src/hooks/prometheus-md-only/index.ts b/src/hooks/prometheus-md-only/index.ts
@@ -106,6 +106,20 @@ export function createPrometheusMdOnlyHook(ctx: PluginInput) {
         return
       }
 
+      // Block bash commands completely - Prometheus is read-only
+      if (toolName === "bash") {
+        log(`[${HOOK_NAME}] Blocked: Prometheus cannot execute bash commands`, {
+          sessionID: input.sessionID,
+          tool: toolName,
+          agent: agentName,
+        })
+        throw new Error(
+          `[${HOOK_NAME}] ${getAgentDisplayName("prometheus")} cannot execute bash commands. ` +
+          `${getAgentDisplayName("prometheus")} is a READ-ONLY planner. Use /start-work to execute the plan. ` +
+          `APOLOGIZE TO THE USER, REMIND OF YOUR PLAN WRITING PROCESSES, TELL USER WHAT YOU WILL GOING TO DO AS THE PROCESS, WRITE THE PLAN`
+        )
+      }
+
       const filePath = (output.args.filePath ?? output.args.path ?? output.args.file) as string | undefined
       if (!filePath) {
         return
