omp-defender
v1.0.2
Operation protection for oh-my-pi coding agent. Blocks dangerous commands and protects sensitive files.
OMP Defender
Operation protection for the oh-my-pi coding agent. Blocks dangerous commands and protects sensitive files via OMP extensions.
Install
```bash
cd ~/.omp/plugins
npm install omp-defender
```

Restart OMP. The defender protection-level selector appears on session start.

For local development:

```bash
cd ~/.omp/plugins
npm install omp-defender@link:../extensions/omp-defender
ln -s ~/.omp/extensions/omp-defender ~/.omp/plugins/node_modules/omp-defender
omp plugin link ~/.omp/extensions/omp-defender
```

Uninstall

```bash
cd ~/.omp/plugins
npm uninstall omp-defender
rm ~/.omp/defender/patterns.yaml
rm ~/.omp/agent/instructions/defender.md
```

How It Works
```
Agent tool call
       │
       ▼
Forbidden path? ──── yes ──► BLOCK (always, even when disabled)
       │ no
       ▼
Disabled? ────────── yes ──► ALLOW
       │ no
       ▼
Aborted? ─────────── yes ──► BLOCK
       │ no
       ▼
┌─── bash only ───────────────────────────────┐
│                                             │
│ Pattern match? ── yes ──► prompt (allow/deny)
│      │ no                                   │
│      ▼                                      │
│ Strict mode? ──── no ───► ALLOW             │
│      │ yes                                  │
│      ▼                                      │
│ Whitelisted? ──── yes ──► ALLOW             │
│      │ no                                   │
│      ▼                                      │
│ Prompt: approve / whitelist / deny / abort  │
│                                             │
└─────────────────────────────────────────────┘
       │
       ▼
     ALLOW
```

Protection Modes
| Mode | Behavior |
|------|----------|
| Patterns only (default) | Dangerous commands blocked by regex, everything else runs silently |
| Strict | Every bash command requires your approval |
| Disabled | All checks off — except forbidden path checks, which are always enforced |
Path Protection
Three tiers, configured in patterns.yaml:
| Tier | Read | Write/Edit | Delete | Examples |
|------|------|------------|--------|----------|
| Forbidden | Blocked | Blocked | Blocked | ~/.ssh/, ~/.aws/, *.pem, id_rsa |
| Read-only | Allowed | Blocked | Blocked | /etc/, ~/.bashrc, *.lock, .env |
| No-delete | Allowed | Allowed | Blocked | LICENSE, README.md, .omp/ |
Forbidden checks are enforced across all 9 tools: bash, write, edit, read, search, find, ast_grep, ast_edit, debug.
See src/patterns.yaml for the full default lists.
Bash Patterns
Dangerous commands blocked by regex (user prompted to allow or deny):
| Category | Examples |
|----------|----------|
| Destructive ops | rm -rf, find -delete, xargs rm |
| Privilege escalation | sudo, su - |
| Database destruction | DROP TABLE, DELETE FROM x;, TRUNCATE |
| Git destructive | git push --force, git reset --hard, git stash drop |
| Network attacks | curl \| bash, wget \| sh |
| System danger | dd if=, mkfs, chmod 777, shutdown, eval |
See src/patterns.yaml for the full pattern list.
Commands
| Command | Effect |
|---------|--------|
| /defender:status | Show blocked/allowed counts and active config |
| /defender:reload | Reload patterns.yaml from disk |
| /defender:strict on\|off | Enable/disable strict mode (or toggle) |
| /defender:log [N] | Show last N audit log entries (default 20) |
Audit Log
All decisions are logged to ~/.omp/defender/audit.log as JSONL — one line per block/allow/deny/abort/whitelist/approve event with timestamp, tool, reason, command/path, and cwd.
Configuration
Config merges from three paths (all merged, deduped):
| Priority | Path | Scope |
|----------|------|-------|
| 1 | .omp/patterns.yaml | Project |
| 2 | ~/.omp/defender/patterns.yaml | Global |
| 3 | Bundled src/patterns.yaml | Defaults |
```yaml
bashToolPatterns:
  - pattern: '\brm\s+-[rRf]'
    reason: rm with recursive or force flags
forbiddenPaths:
  - ~/.ssh/
  - "*.pem"
readOnlyPaths:
  - /etc/
  - .env
noDeletePaths:
  - LICENSE
strictModeWhiteList:
  - ^git status\b
```

Safety Guarantees
- Forbidden paths are always enforced, even with defender disabled
- Whitelists never override bashToolPatterns blocks
- Abort persists until /defender:strict off
- Regex patterns validated at load time (ReDoS-safe)
- Relative paths resolved to absolute before matching
- Fail-closed: UI failure defaults to patterns-only, no-UI defaults to deny
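
The decision order from How It Works, together with the guarantees on forbidden paths, whitelists and relative paths, modelled as an added example (not omp-defender's own code). The `decide()` function, the `call`/`state` shapes, the caller-supplied `paths` list and the simplified matching rules are assumptions; only the forbidden tier is modelled.

```javascript
// Simplified model of the defender decision order; not omp-defender's code.
const path = require('node:path');

// Constructed config using the keys shown under Configuration.
const config = {
  forbiddenPaths: ['~/.ssh/', '*.pem'],
  bashToolPatterns: [{ pattern: '\\brm\\s+-[rRf]', reason: 'rm with recursive or force flags' }],
  strictModeWhiteList: ['^git status\\b'],
};

// Expand ~ and resolve relative paths first, so "../.ssh/key" is matched as an absolute path.
function toAbsolute(p, cwd, home) {
  const expanded = p === '~' || p.startsWith('~/') ? path.posix.join(home, p.slice(1)) : p;
  return path.posix.resolve(cwd, expanded);
}

// Assumed matching rules: "*.ext" is a suffix match, anything else is a directory prefix.
function isForbidden(target, cfg, cwd, home) {
  const abs = toAbsolute(target, cwd, home);
  return cfg.forbiddenPaths.some((entry) => {
    if (entry.startsWith('*')) return abs.endsWith(entry.slice(1));
    const dir = toAbsolute(entry, cwd, home);
    return abs === dir || abs.startsWith(dir + '/');
  });
}

// call: { tool, command, paths } (paths = files the call touches, supplied by the caller).
// state: { disabled, aborted, strict }.
function decide(call, state, cfg, cwd, home) {
  const paths = call.paths || [];
  if (paths.some((p) => isForbidden(p, cfg, cwd, home))) return 'BLOCK'; // even when disabled
  if (state.disabled) return 'ALLOW';
  if (state.aborted) return 'BLOCK';
  if (call.tool !== 'bash') return 'ALLOW';
  // Patterns run before the whitelist, so a broad whitelist entry cannot hide a match.
  const hit = cfg.bashToolPatterns.find((r) => new RegExp(r.pattern).test(call.command));
  if (hit) return 'PROMPT_PATTERN'; // allow / deny
  if (!state.strict) return 'ALLOW';
  const listed = cfg.strictModeWhiteList.some((w) => new RegExp(w).test(call.command));
  return listed ? 'ALLOW' : 'PROMPT_STRICT'; // approve / whitelist / deny / abort
}
```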
License
MIT
