428 regex patterns for detecting dangerous shell commands and credential file access. Use as a standalone library or as part of the HardStop plugin.
Install hardstop-patterns as an npm dependency and verify pattern matching works for both dangerous command detection and safe command recognition.
- `checkBashDangerous('rm -rf /')` returns `{ matched: true }` with pattern details
- `checkBashSafe('git status')` returns `{ matched: true }`
- Import/require works without errors
- Install via npm
- Import the library
- Verify dangerous command detection
- Verify safe command passthrough
```bash
npm install hardstop-patterns
```

```javascript
const {
  checkBashDangerous,
  checkBashSafe,
  checkReadDangerous,
  checkReadSafe
} = require('hardstop-patterns');

// Should detect as dangerous
const dangerous = checkBashDangerous('rm -rf /');
console.assert(dangerous.matched === true, 'FAIL: rm -rf / not detected');
console.log('Dangerous:', dangerous);

// Should recognize as safe
const safe = checkBashSafe('git status');
console.assert(safe.matched === true, 'FAIL: git status not recognized');
console.log('Safe:', safe);

// Should detect credential file as dangerous
const cred = checkReadDangerous('/home/user/.ssh/id_rsa');
console.assert(cred.matched === true, 'FAIL: SSH key not detected');
console.log('Credential:', cred);

// Should recognize source code as safe to read
const src = checkReadSafe('src/index.js');
console.assert(src.matched === true, 'FAIL: source file not recognized');
console.log('Source:', src);

console.log('hardstop-patterns verified');
```

Main functions:
- `checkBashDangerous(command)` — returns `{ matched, pattern }` if command matches a dangerous pattern
- `checkBashSafe(command)` — returns `{ matched, pattern }` if command matches a known-safe pattern
- `checkReadDangerous(filePath)` — returns `{ matched, pattern }` if filepath is a sensitive credential file
- `checkReadSensitive(filePath)` — returns `{ matched, pattern }` if filepath is suspicious (warrants warning)
- `checkReadSafe(filePath)` — returns `{ matched, pattern }` if filepath is known-safe to read
All functions return { matched: false } if no pattern matches. All accept an optional { platform } option ('auto' | 'linux' | 'macos' | 'windows' | null).
Consumers MUST check dangerous patterns before safe patterns:
1. checkBashDangerous(command) → if matched, BLOCK
2. checkBashSafe(command) → if matched, ALLOW
3. (unknown) → escalate to human or LLM review
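
One way to wire this ordering into a single decision function, as an added example rather than code from the hardstop-patterns project. The checkers are injected so `checkBashDangerous` and `checkBashSafe` can be passed in; the two demo checkers, their regexes, the `pattern` object shape, and passing the options object as a second argument are assumptions made for the demo.

```javascript
// Gate that enforces the required order: dangerous first, then safe, else escalate.
// checkDangerous / checkSafe are injected so hardstop-patterns' checkBashDangerous
// and checkBashSafe can be passed in directly.
function makeBashGate({ checkDangerous, checkSafe }) {
  return function decide(command, options) {
    try {
      const danger = checkDangerous(command, options);
      if (danger && danger.matched) {
        return { action: 'BLOCK', pattern: danger.pattern };
      }
      const safe = checkSafe(command, options);
      if (safe && safe.matched) {
        return { action: 'ALLOW', pattern: safe.pattern };
      }
    } catch (err) {
      // Fail closed: a checker error must never become an ALLOW.
      return { action: 'ESCALATE', reason: 'checker error: ' + err.message };
    }
    return { action: 'ESCALATE', reason: 'no pattern matched' };
  };
}

// Constructed stand-ins, NOT the library's patterns. The safe pattern is
// deliberately prefix-only so a chained command matches both lists.
const demoDangerous = (cmd) =>
  /\brm\s+-rf\s+\/(\s|$)/.test(cmd)
    ? { matched: true, pattern: { id: 'demo-rm-rf-root' } }
    : { matched: false };
const demoSafe = (cmd) =>
  /^git status\b/.test(cmd)
    ? { matched: true, pattern: { id: 'demo-git-status' } }
    : { matched: false };

const decide = makeBashGate({ checkDangerous: demoDangerous, checkSafe: demoSafe });

// Constructed sample commands.
for (const cmd of ['git status', 'git status && rm -rf /', 'make deploy']) {
  console.log(JSON.stringify(cmd), '->', decide(cmd).action);
}
```

The chained command matches both demo lists, so only the dangerous-first order yields BLOCK for it; a safe-first gate would have returned ALLOW.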
- Repository: https://github.com/frmoretto/hardstop-patterns
- Full documentation: https://github.com/frmoretto/hardstop-patterns#readme
- Schema specification: https://github.com/frmoretto/hardstop-patterns/blob/main/SCHEMA.md
- Parent project: hardstop (GitHub)