fix: block bash commands in Prometheus mode to respect permission config (#1449)

Fixes #1428 - Prometheus bash bypass security issue
2026-02-04 07:36:54 +05:30 · 2026-02-04 07:36:54 +05:30 · 6151d1cb5e
commit 6151d1cb5e
parent 13e1d7cbd7
3 changed files with 34 additions and 2 deletions
--- a/src/hooks/prometheus-md-only/constants.ts
+++ b/src/hooks/prometheus-md-only/constants.ts
@ -9,7 +9,7 @@ export const ALLOWED_EXTENSIONS = [".md"]

 export const ALLOWED_PATH_PREFIX = ".sisyphus"

-export const BLOCKED_TOOLS = ["Write", "Edit", "write", "edit"]
+export const BLOCKED_TOOLS = ["Write", "Edit", "write", "edit", "bash"]

 export const PLANNING_CONSULT_WARNING = `

--- a/src/hooks/prometheus-md-only/index.test.ts
+++ b/src/hooks/prometheus-md-only/index.test.ts
@ -173,7 +173,25 @@ describe("prometheus-md-only", () => {
      ).rejects.toThrow("can only write/edit .md files")
    })

-    test("should not affect non-Write/Edit tools", async () => {
+    test("should block bash commands from Prometheus", async () => {
+      // given
+      const hook = createPrometheusMdOnlyHook(createMockPluginInput())
+      const input = {
+        tool: "bash",
+        sessionID: TEST_SESSION_ID,
+        callID: "call-1",
+      }
+      const output = {
+        args: { command: "echo test" },
+      }
+
+      // when / #then
+      await expect(
+        hook["tool.execute.before"](input, output)
+      ).rejects.toThrow("cannot execute bash commands")
+    })
+
+    test("should not affect non-blocked tools", async () => {
      // given
      const hook = createPrometheusMdOnlyHook(createMockPluginInput())
      const input = {
--- a/src/hooks/prometheus-md-only/index.ts
+++ b/src/hooks/prometheus-md-only/index.ts
@ -106,6 +106,20 @@ export function createPrometheusMdOnlyHook(ctx: PluginInput) {
        return
      }

+      // Block bash commands completely - Prometheus is read-only
+      if (toolName === "bash") {
+        log(`[${HOOK_NAME}] Blocked: Prometheus cannot execute bash commands`, {
+          sessionID: input.sessionID,
+          tool: toolName,
+          agent: agentName,
+        })
+        throw new Error(
+          `[${HOOK_NAME}] ${getAgentDisplayName("prometheus")} cannot execute bash commands. ` +
+          `${getAgentDisplayName("prometheus")} is a READ-ONLY planner. Use /start-work to execute the plan. ` +
+          `APOLOGIZE TO THE USER, REMIND OF YOUR PLAN WRITING PROCESSES, TELL USER WHAT YOU WILL GOING TO DO AS THE PROCESS, WRITE THE PLAN`
+        )
+      }
+
      const filePath = (output.args.filePath ?? output.args.path ?? output.args.file) as string | undefined
      if (!filePath) {
        return