{"id":32789539,"url":"https://github.com/knoopx/opencode-plugin-command-blocker","last_synced_at":"2025-11-05T11:01:39.362Z","repository":{"id":312103931,"uuid":"1046306881","full_name":"knoopx/opencode-plugin-command-blocker","owner":"knoopx","description":null,"archived":false,"fork":false,"pushed_at":"2025-10-25T06:37:14.000Z","size":205,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-25T08:25:55.704Z","etag":null,"topics":["opencode","opencode-ai"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/knoopx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-28T13:48:49.000Z","updated_at":"2025-10-25T06:37:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"500034e6-0fbc-48b1-9daa-68f368e36c03","html_url":"https://github.com/knoopx/opencode-plugin-command-blocker","commit_stats":null,"previous_names":["knoopx/opencode-plugin-command-blocker"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/knoopx/opencode-plugin-command-blocker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knoopx%2Fopencode-plugin-command-blocker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knoopx%2Fopencode-plugin-command-blocker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knoopx%2Fopencode-plugin-command-blocker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knoopx%2Fopencode-plugin-command-blocker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/knoopx","download_url":"https://codeload.github.com/knoopx/opencode-plugin-command-blocker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knoopx%2Fopencode-plugin-command-blocker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":282807270,"owners_count":26730414,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-05T02:00:05.946Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["opencode","opencode-ai"],"created_at":"2025-11-05T11:00:36.554Z","updated_at":"2025-11-05T11:01:39.356Z","avatar_url":"https://github.com/knoopx.png","language":"TypeScript","readme":"# Command Blocker Plugin\n\nA comprehensive opencode plugin that enforces best practices by blocking potentially harmful or non-reproducible commands and file edits.\n\n![Demo](screenshot.png)\n\n## Features\n\n### Command Blocking\n\nThe plugin blocks various commands to promote better development practices:\n\n#### JavaScript/Node.js Commands\n\n- **`node`** - Blocked in favor of `bun` or `bunx`\n- **`npm`** - Blocked in favor of `bun` or `bunx`\n\n#### Python Commands\n\n- **`pip`** - Blocked in favor of `uv` or `uvx`\n- **`python`**, **`python2`**, **`python3`** - Blocked in favor of `uv` or `uvx`\n  - **Exception**: Virtual environment python commands are allowed:\n    - ✅ `.venv/bin/python`, `.venv/bin/python3`\n    - ✅ `venv/bin/python`, `venv/bin/python3`\n    - ✅ `env/bin/python`, `env/bin/python3`\n\n#### Git Commands\n\n- **Write operations** - Only read-only git commands are allowed:\n  - ✅ `git status`\n  - ✅ `git diff`\n  - ✅ `git show`\n  - ❌ `git add`, `git commit`, `git push`, `git checkout`, etc.\n\n#### Nix Commands\n\n- **Local flake references** - Must use proper prefixes:\n  - ✅ `nix run path:./my-flake#output`\n  - ✅ `nix run github:user/repo#output`\n  - ✅ `nix run git+https://github.com/user/repo#output`\n  - ❌ `nix run ./my-flake#output`\n\n#### Privilege Escalation Commands\n\n- **`sudo`** and **`su`** - Blocked to prevent privilege escalation:\n  - ❌ `sudo apt update`\n  - ❌ `su root`\n  - **Rationale**: Agents should instruct system administrators to perform privileged operations\n\n### File Edit Blocking\n\n#### Lock Files\n\nPrevents editing of auto-generated lock files:\n\n- `package-lock.json` - Use `bun install` or `bun update` instead\n- `bun.lockb` - Use `bun install` or `bun update` instead\n- `yarn.lock` - Use `yarn install` or `yarn upgrade` instead\n- `pnpm-lock.yaml` - Use `pnpm install` or `pnpm update` instead\n- `poetry.lock` - Use `poetry install` or `poetry update` instead\n- `uv.lock` - Use `uv sync` or `uv lock` instead\n- `Cargo.lock` - Use `cargo update` instead\n- `Gemfile.lock` - Use `bundle install` or `bundle update` instead\n- `flake.lock` - Use `nix flake update` instead\n\n## Installation\n\n```bash\n# Add to your opencode plugins\n```\n\n## Configuration\n\nThe plugin works out of the box with sensible defaults. All blocking rules are hardcoded for consistency and reliability.\n\n## Usage Examples\n\n### Allowed Commands\n\n```bash\n# JavaScript with Bun\nbun install\nbunx create-react-app my-app\n\n# Python with uv\nuv sync\nuvx ruff check .\n\n# Virtual environment python (allowed)\n.venv/bin/python script.py\nvenv/bin/python3 -c \"print('hello')\"\n\n# Git read operations\ngit status\ngit diff HEAD~1\ngit show HEAD\n\n# Nix with proper prefixes\nnix run path:./my-flake#hello\nnix run github:nix-community/nixpkgs-fmt#nixpkgs-fmt\n```\n\n### Blocked Commands\n\n```bash\n# These will be blocked with helpful error messages\nnode --version\nnpm install\npip install requests\npython script.py  # (but .venv/bin/python is allowed)\ngit add .\nnix run ./my-flake#hello\nsudo apt update\nsu root\n```\n\n## Advanced Features\n\n### Escape Method Detection\n\nThe plugin detects and blocks various command injection techniques:\n\n- **Piping**: `echo \"node --version\" | bash`\n- **Command substitution**: `echo $(node --version)`\n- **Backticks**: `echo \\`node --version\\``\n- **Semicolons**: `ls; node --version`\n- **Logical operators**: `ls \u0026\u0026 node --version`\n- **Background execution**: `node --version \u0026`\n- **Redirection**: `node --version \u003e output.txt`\n- **Environment variables**: `NODE_ENV=prod node app.js`\n- **Eval/Exec**: `eval \"node --version\"`\n- **Quoted strings**: `bash -c \"node --version\"`\n\n### Complex Pattern Matching\n\nThe plugin uses sophisticated regex patterns to detect blocked commands in:\n\n- Complex command structures\n- Multi-line commands\n- Nested command substitutions\n- Various quoting styles\n\n## Testing\n\nRun the test suite:\n\n```bash\nnpm test\n# or\nbun test\n```\n\nThe plugin includes comprehensive tests covering:\n\n- All blocked commands and allowed alternatives\n- File edit restrictions\n- Various escape methods and edge cases\n- Integration scenarios\n\n## Rationale\n\nThis plugin enforces several development best practices:\n\n1. **Reproducibility**: Blocks direct package manager usage in favor of modern alternatives\n2. **Lock File Integrity**: Prevents manual editing of auto-generated lock files\n3. **Git Workflow**: Encourages proper git workflows by limiting write operations\n4. **Nix Best Practices**: Ensures proper flake referencing for reproducibility\n5. **Security**: Blocks potentially harmful command injection techniques and privilege escalation attempts\n\n## Contributing\n\nWhen adding new blocking rules:\n\n1. Add the rule to the appropriate constant (e.g., `BLOCKED_COMMAND_MESSAGES`)\n2. Implement the validation logic in the corresponding function\n3. Add comprehensive tests covering various usage patterns\n4. Update this README with the new functionality\n\n## License\n\nThis plugin is part of the opencode ecosystem.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknoopx%2Fopencode-plugin-command-blocker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fknoopx%2Fopencode-plugin-command-blocker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknoopx%2Fopencode-plugin-command-blocker/lists"}