From c9f89bdc855a12d224df197f994bc24519108df3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 28 Feb 2026 13:47:00 +0000 Subject: [PATCH 1/3] deps: update rust crate tree-sitter to v0.26.5 --- Cargo.lock | 4 ++-- Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index cc6f216..70826e2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1220,9 +1220,9 @@ dependencies = [ [[package]] name = "tree-sitter" -version = "0.25.10" +version = "0.26.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78f873475d258561b06f1c595d93308a7ed124d9977cb26b148c2084a4a3cc87" +checksum = "12987371f54efc9b9306a20dc87ed5aaee9f320c8a8b115e28515c412b2efe39" dependencies = [ "cc", "regex", diff --git a/Cargo.toml b/Cargo.toml index 80e13b9..103cde9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,7 +25,7 @@ serde_json = "=1.0.149" sha2 = "=0.10.9" shlex = "=1.3.0" thiserror = "=2.0.18" -tree-sitter = "=0.25.10" +tree-sitter = "=0.26.5" tree-sitter-bash = "=0.25.1" [features] From cfe782de1e6f86e85980148047474c82f5d81bab Mon Sep 17 00:00:00 2001 From: "fohte-bot[bot]" <139195068+fohte-bot[bot]@users.noreply.github.com> Date: Sat, 28 Feb 2026 13:47:44 +0000 Subject: [PATCH 2/3] style: auto-format --- schema/runok.schema.json | 322 --------------------------------------- 1 file changed, 322 deletions(-) diff --git a/schema/runok.schema.json b/schema/runok.schema.json index 360c158..e69de29 100644 --- a/schema/runok.schema.json +++ b/schema/runok.schema.json 
@@ -1,322 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "title": "Config", - "description": "Top-level runok configuration.", - "type": "object", - "properties": { - "defaults": { - "description": "Default settings applied when no rule matches.", - "anyOf": [ - { - "$ref": "#/$defs/Defaults" - }, - { - "type": "null" - } - ] - }, - "definitions": { - "description": "Reusable definitions for paths, sandbox presets, wrappers, and commands.", - "anyOf": [ - { - "$ref": "#/$defs/Definitions" - }, - { - "type": "null" - } - ] - }, - "extends": { - "description": "List of configuration files to inherit from. Supports local paths and\nremote Git repositories (`github:/@`).", - "type": [ - "array", - "null" - ], - "items": { - "type": "string" - } - }, - "rules": { - "description": "Ordered list of permission rules evaluated against each command.", - "type": [ - "array", - "null" - ], - "items": { - "$ref": "#/$defs/RuleEntry" - } - } - }, - "$defs": { - "ActionKind": { - "description": "Permission action kind.", - "type": "string", - "enum": [ - "allow", - "ask", - "deny" - ] - }, - "Defaults": { - "description": "Default settings applied when no rule matches a command.", - "type": "object", - "properties": { - "action": { - "description": "Default action when no rule matches: `allow`, `deny`, or `ask`.", - "anyOf": [ - { - "$ref": "#/$defs/ActionKind" - }, - { - "type": "null" - } - ] - }, - "sandbox": { - "description": "Default sandbox preset name to apply.", - "type": [ - "string", - "null" - ] - } - } - }, - "Definitions": { - "description": "Reusable definitions for paths, sandbox presets, wrappers, and commands.", - "type": "object", - "properties": { - "commands": { - "description": "Additional command patterns to recognize.", - "type": [ - "array", - "null" - ], - "items": { - "type": "string" - } - }, - "paths": { - "description": "Named path lists referenced by `` in sandbox deny rules.", - "type": [ - "object", - "null" - ], - 
"additionalProperties": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "sandbox": { - "description": "Named sandbox presets that can be referenced by rules.", - "type": [ - "object", - "null" - ], - "additionalProperties": { - "$ref": "#/$defs/SandboxPreset" - } - }, - "wrappers": { - "description": "Wrapper command patterns for recursive evaluation (e.g., `sudo `).", - "type": [ - "array", - "null" - ], - "items": { - "type": "string" - } - } - } - }, - "FsPolicy": { - "description": "Filesystem access policy within a sandbox preset.", - "type": "object", - "properties": { - "deny": { - "description": "Paths the sandboxed process is denied access to. Supports `` references.", - "type": [ - "array", - "null" - ], - "items": { - "type": "string" - } - }, - "writable": { - "description": "Directories the sandboxed process is allowed to write to.", - "type": [ - "array", - "null" - ], - "items": { - "type": "string" - } - } - } - }, - "NetworkPolicy": { - "description": "Network access policy within a sandbox preset.", - "type": "object", - "properties": { - "allow": { - "description": "Whether network access is allowed.", - "type": [ - "boolean", - "null" - ] - } - } - }, - "RuleEntry": { - "description": "A permission rule entry. Exactly one of `deny`, `allow`, or `ask` must be set.", - "oneOf": [ - { - "type": "object", - "properties": { - "deny": { - "description": "Command pattern to deny. 
Matched commands are rejected.", - "type": "string" - }, - "fix_suggestion": { - "description": "Suggested fix command shown when a deny rule matches.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message shown when the rule matches (primarily for deny rules).", - "type": [ - "string", - "null" - ] - }, - "when": { - "description": "CEL expression that must evaluate to true for this rule to apply.", - "type": [ - "string", - "null" - ] - } - }, - "additionalProperties": false, - "required": [ - "deny" - ] - }, - { - "type": "object", - "properties": { - "allow": { - "description": "Command pattern to allow. Matched commands are permitted.", - "type": "string" - }, - "fix_suggestion": { - "description": "Suggested fix command shown when a deny rule matches.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message shown when the rule matches (primarily for deny rules).", - "type": [ - "string", - "null" - ] - }, - "sandbox": { - "description": "Sandbox preset name to apply when this rule matches (not allowed for deny rules).", - "type": [ - "string", - "null" - ] - }, - "when": { - "description": "CEL expression that must evaluate to true for this rule to apply.", - "type": [ - "string", - "null" - ] - } - }, - "additionalProperties": false, - "required": [ - "allow" - ] - }, - { - "type": "object", - "properties": { - "ask": { - "description": "Command pattern to ask about. 
Matched commands prompt for confirmation.", - "type": "string" - }, - "fix_suggestion": { - "description": "Suggested fix command shown when a deny rule matches.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message shown when the rule matches (primarily for deny rules).", - "type": [ - "string", - "null" - ] - }, - "sandbox": { - "description": "Sandbox preset name to apply when this rule matches (not allowed for deny rules).", - "type": [ - "string", - "null" - ] - }, - "when": { - "description": "CEL expression that must evaluate to true for this rule to apply.", - "type": [ - "string", - "null" - ] - } - }, - "additionalProperties": false, - "required": [ - "ask" - ] - } - ] - }, - "SandboxPreset": { - "description": "Sandbox preset defining filesystem and network restrictions.", - "type": "object", - "properties": { - "fs": { - "description": "Filesystem access policy.", - "anyOf": [ - { - "$ref": "#/$defs/FsPolicy" - }, - { - "type": "null" - } - ] - }, - "network": { - "description": "Network access policy.", - "anyOf": [ - { - "$ref": "#/$defs/NetworkPolicy" - }, - { - "type": "null" - } - ] - } - } - } - } -} From 17dce36464f7cac01fda390a3bdbb420f90d5149 Mon Sep 17 00:00:00 2001 From: Hayato Kawai Date: Tue, 3 Mar 2026 01:45:07 +0900 Subject: [PATCH 3/3] fix: adapt to tree-sitter v0.26.5 API changes tree-sitter v0.26.5 changed `Node::child()` parameter type from `usize` to `u32`. Cast the loop index with `as u32` at each call site to match the new signature. Also regenerate the JSON schema file which was accidentally emptied by the auto-format commit. --- schema/runok.schema.json | 322 ++++++++++++++++++++++++++++++++++++ src/rules/command_parser.rs | 8 +- 2 files changed, 326 insertions(+), 4 deletions(-) diff --git a/schema/runok.schema.json b/schema/runok.schema.json index e69de29..360c158 100644 --- a/schema/runok.schema.json +++ b/schema/runok.schema.json 
@@ -0,0 +1,322 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "title": "Config", + "description": "Top-level runok configuration.", + "type": "object", + "properties": { + "defaults": { + "description": "Default settings applied when no rule matches.", + "anyOf": [ + { + "$ref": "#/$defs/Defaults" + }, + { + "type": "null" + } + ] + }, + "definitions": { + "description": "Reusable definitions for paths, sandbox presets, wrappers, and commands.", + "anyOf": [ + { + "$ref": "#/$defs/Definitions" + }, + { + "type": "null" + } + ] + }, + "extends": { + "description": "List of configuration files to inherit from. Supports local paths and\nremote Git repositories (`github:/@`).", + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + } + }, + "rules": { + "description": "Ordered list of permission rules evaluated against each command.", + "type": [ + "array", + "null" + ], + "items": { + "$ref": "#/$defs/RuleEntry" + } + } + }, + "$defs": { + "ActionKind": { + "description": "Permission action kind.", + "type": "string", + "enum": [ + "allow", + "ask", + "deny" + ] + }, + "Defaults": { + "description": "Default settings applied when no rule matches a command.", + "type": "object", + "properties": { + "action": { + "description": "Default action when no rule matches: `allow`, `deny`, or `ask`.", + "anyOf": [ + { + "$ref": "#/$defs/ActionKind" + }, + { + "type": "null" + } + ] + }, + "sandbox": { + "description": "Default sandbox preset name to apply.", + "type": [ + "string", + "null" + ] + } + } + }, + "Definitions": { + "description": "Reusable definitions for paths, sandbox presets, wrappers, and commands.", + "type": "object", + "properties": { + "commands": { + "description": "Additional command patterns to recognize.", + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + } + }, + "paths": { + "description": "Named path lists referenced by `` in sandbox deny rules.", + "type": [ + "object", + "null" + ], + 
"additionalProperties": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "sandbox": { + "description": "Named sandbox presets that can be referenced by rules.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "$ref": "#/$defs/SandboxPreset" + } + }, + "wrappers": { + "description": "Wrapper command patterns for recursive evaluation (e.g., `sudo `).", + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + } + } + } + }, + "FsPolicy": { + "description": "Filesystem access policy within a sandbox preset.", + "type": "object", + "properties": { + "deny": { + "description": "Paths the sandboxed process is denied access to. Supports `` references.", + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + } + }, + "writable": { + "description": "Directories the sandboxed process is allowed to write to.", + "type": [ + "array", + "null" + ], + "items": { + "type": "string" + } + } + } + }, + "NetworkPolicy": { + "description": "Network access policy within a sandbox preset.", + "type": "object", + "properties": { + "allow": { + "description": "Whether network access is allowed.", + "type": [ + "boolean", + "null" + ] + } + } + }, + "RuleEntry": { + "description": "A permission rule entry. Exactly one of `deny`, `allow`, or `ask` must be set.", + "oneOf": [ + { + "type": "object", + "properties": { + "deny": { + "description": "Command pattern to deny. 
Matched commands are rejected.", + "type": "string" + }, + "fix_suggestion": { + "description": "Suggested fix command shown when a deny rule matches.", + "type": [ + "string", + "null" + ] + }, + "message": { + "description": "Message shown when the rule matches (primarily for deny rules).", + "type": [ + "string", + "null" + ] + }, + "when": { + "description": "CEL expression that must evaluate to true for this rule to apply.", + "type": [ + "string", + "null" + ] + } + }, + "additionalProperties": false, + "required": [ + "deny" + ] + }, + { + "type": "object", + "properties": { + "allow": { + "description": "Command pattern to allow. Matched commands are permitted.", + "type": "string" + }, + "fix_suggestion": { + "description": "Suggested fix command shown when a deny rule matches.", + "type": [ + "string", + "null" + ] + }, + "message": { + "description": "Message shown when the rule matches (primarily for deny rules).", + "type": [ + "string", + "null" + ] + }, + "sandbox": { + "description": "Sandbox preset name to apply when this rule matches (not allowed for deny rules).", + "type": [ + "string", + "null" + ] + }, + "when": { + "description": "CEL expression that must evaluate to true for this rule to apply.", + "type": [ + "string", + "null" + ] + } + }, + "additionalProperties": false, + "required": [ + "allow" + ] + }, + { + "type": "object", + "properties": { + "ask": { + "description": "Command pattern to ask about. 
Matched commands prompt for confirmation.", + "type": "string" + }, + "fix_suggestion": { + "description": "Suggested fix command shown when a deny rule matches.", + "type": [ + "string", + "null" + ] + }, + "message": { + "description": "Message shown when the rule matches (primarily for deny rules).", + "type": [ + "string", + "null" + ] + }, + "sandbox": { + "description": "Sandbox preset name to apply when this rule matches (not allowed for deny rules).", + "type": [ + "string", + "null" + ] + }, + "when": { + "description": "CEL expression that must evaluate to true for this rule to apply.", + "type": [ + "string", + "null" + ] + } + }, + "additionalProperties": false, + "required": [ + "ask" + ] + } + ] + }, + "SandboxPreset": { + "description": "Sandbox preset defining filesystem and network restrictions.", + "type": "object", + "properties": { + "fs": { + "description": "Filesystem access policy.", + "anyOf": [ + { + "$ref": "#/$defs/FsPolicy" + }, + { + "type": "null" + } + ] + }, + "network": { + "description": "Network access policy.", + "anyOf": [ + { + "$ref": "#/$defs/NetworkPolicy" + }, + { + "type": "null" + } + ] + } + } + } + } +} diff --git a/src/rules/command_parser.rs b/src/rules/command_parser.rs index 7dbef72..5f07a57 100644 --- a/src/rules/command_parser.rs +++ b/src/rules/command_parser.rs @@ -272,7 +272,7 @@ fn collect_commands(node: tree_sitter::Node, source: &[u8], commands: &mut Vec { for i in 0..node.child_count() { - let Some(child) = node.child(i) else { + let Some(child) = node.child(i as u32) else { continue; }; if !child.is_named() { @@ -345,7 +345,7 @@ fn collect_commands(node: tree_sitter::Node, source: &[u8], commands: &mut Vec = (0..node.child_count()) .filter_map(|i| { - let child = node.child(i)?; + let child = node.child(i as u32)?; if !child.is_named() { return None; }
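Review bot: Both `node.child(i as u32)` call sites in `collect_commands` narrow the `usize` loop index with `as`, which truncates silently rather than failing if the index ever exceeded `u32::MAX`. That is presumably unreachable for real syntax trees, but this walk appears to decide which commands are collected for rule evaluation, so a checked conversion makes the assumption explicit: `let Some(child) = u32::try_from(i).ok().and_then(|i| node.child(i)) else {` in the first hunk and `let child = node.child(u32::try_from(i).ok()?)?;` in the second. If the cast is kept, a one-line comment such as `// child_count() fits in u32 in tree-sitter, so this cast cannot truncate` would record why it is safe, once that has been confirmed against the crate. The function body starts and ends outside both hunks, so the rest of the traversal is not covered by this note.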