enforce command safety rules generically in BaseCommand and fix compound operations

- Evaluate command rules in BaseCommand.init() so every command is checked
  against safety rules automatically (e.g., { command: "code:deploy", action: "block" })
- Add temporary DELETE allow rules for code:deploy and code:watch to prevent
  internal WebDAV cleanup from being blocked by safety middleware
- Simplify job commands to only evaluate job-specific rules (command rules
  now handled generically)
- Update safety guide to document automatic command rule enforcement

Author: clavery

docs/guide/safety.md

@@ -112,11 +112,12 @@ Matches OCAPI job execution by job ID. This catches both direct job commands and
 
 #### CLI Command ID
 
-Matches CLI commands by their oclif command ID:
+Matches CLI commands by their oclif command ID. Command rules are enforced automatically for **every** command before `run()` executes -- no per-command opt-in is needed:
 
 ```json
 { "command": "sandbox:delete", "action": "confirm" }
 { "command": "sandbox:*", "action": "block" }
+{ "command": "code:deploy", "action": "block" }
 ```
 
 ### Evaluation Order

packages/b2c-cli/src/commands/code/deploy.ts

@@ -161,6 +161,14 @@ export default class CodeDeploy extends CartridgeCommand<typeof CodeDeploy> {
       this.log(`  ${c.name} (${c.src})`);
     }
 
+    // After safety evaluation passes, temporarily allow WebDAV DELETE operations
+    // that are part of the deploy flow (cleanup of temp zip, --delete cartridge removal).
+    const cleanupSafetyRule = this.safetyGuard.temporarilyAddRule({
+      method: 'DELETE',
+      path: '**/Cartridges/**',
+      action: 'allow',
+    });
+
     try {
       // Optionally delete existing cartridges first
       if (this.flags.delete) {
@@ -240,6 +248,8 @@ export default class CodeDeploy extends CartridgeCommand<typeof CodeDeploy> {
         this.error(t('commands.code.deploy.failed', 'Deployment failed: {{message}}', {message: error.message}));
       }
       throw error;
+    } finally {
+      cleanupSafetyRule();
     }
   }
 }

packages/b2c-cli/src/commands/code/watch.ts

@@ -56,6 +56,14 @@ export default class CodeWatch extends CartridgeCommand<typeof CodeWatch> {
       this.log(t('commands.code.watch.codeVersion', 'Code Version: {{version}}', {version}));
     }
 
+    // Temporarily allow WebDAV DELETE on Cartridges paths for the watch lifecycle.
+    // The watcher DELETEs temp zip files after upload and syncs local file deletions.
+    const cleanupSafetyRule = this.safetyGuard.temporarilyAddRule({
+      method: 'DELETE',
+      path: '**/Cartridges/**',
+      action: 'allow',
+    });
+
     try {
       const result = await this.operations.watchCartridges(this.instance, this.cartridgePath, {
         ...this.cartridgeOptions,
@@ -92,6 +100,8 @@ export default class CodeWatch extends CartridgeCommand<typeof CodeWatch> {
         this.error(t('commands.code.watch.failed', 'Watch failed: {{message}}', {message: error.message}));
       }
       throw error;
+    } finally {
+      cleanupSafetyRule();
     }
   }
 }

packages/b2c-cli/src/commands/job/export.ts

@@ -129,15 +129,14 @@ export default class JobExport extends JobCommand<typeof JobExport> {
 
     const hostname = this.resolvedConfig.values.hostname!;
 
-    // Safety evaluation — check rules for export job before executing
+    // Safety evaluation — check rules for export job before executing.
+    // Command-level rules are already evaluated generically in BaseCommand.init().
     const jobEvaluation = this.safetyGuard.evaluate({type: 'job', jobId: 'sfcc-site-archive-export'});
-    const cmdEvaluation = this.safetyGuard.evaluate({type: 'command', commandId: this.id});
-    const evaluation = jobEvaluation.action === 'allow' ? cmdEvaluation : jobEvaluation;
-    if (evaluation.action === 'block') {
-      this.error(evaluation.reason, {exit: 1});
+    if (jobEvaluation.action === 'block') {
+      this.error(jobEvaluation.reason, {exit: 1});
     }
-    if (evaluation.action === 'confirm') {
-      await this.confirmOrBlock(evaluation);
+    if (jobEvaluation.action === 'confirm') {
+      await this.confirmOrBlock(jobEvaluation);
     }
 
     // Build data units configuration

packages/b2c-cli/src/commands/job/import.ts

@@ -72,15 +72,14 @@ export default class JobImport extends JobCommand<typeof JobImport> {
 
     const hostname = this.resolvedConfig.values.hostname!;
 
-    // Safety evaluation — check rules for import job before executing
+    // Safety evaluation — check rules for import job before executing.
+    // Command-level rules are already evaluated generically in BaseCommand.init().
     const jobEvaluation = this.safetyGuard.evaluate({type: 'job', jobId: 'sfcc-site-archive-import'});
-    const cmdEvaluation = this.safetyGuard.evaluate({type: 'command', commandId: this.id});
-    const evaluation = jobEvaluation.action === 'allow' ? cmdEvaluation : jobEvaluation;
-    if (evaluation.action === 'block') {
-      this.error(evaluation.reason, {exit: 1});
+    if (jobEvaluation.action === 'block') {
+      this.error(jobEvaluation.reason, {exit: 1});
     }
-    if (evaluation.action === 'confirm') {
-      await this.confirmOrBlock(evaluation);
+    if (jobEvaluation.action === 'confirm') {
+      await this.confirmOrBlock(jobEvaluation);
     }
 
     // Create lifecycle context

packages/b2c-cli/src/commands/job/run.ts

@@ -95,16 +95,14 @@ export default class JobRun extends JobCommand<typeof JobRun> {
       'show-log': showLog,
     } = this.flags;
 
-    // Safety evaluation — check rules for this job before executing
+    // Safety evaluation — check rules for this job before executing.
+    // Command-level rules are already evaluated generically in BaseCommand.init().
     const jobEvaluation = this.safetyGuard.evaluate({type: 'job', jobId});
-    const cmdEvaluation = this.safetyGuard.evaluate({type: 'command', commandId: this.id});
-    // Use the more restrictive evaluation
-    const evaluation = jobEvaluation.action === 'allow' ? cmdEvaluation : jobEvaluation;
-    if (evaluation.action === 'block') {
-      this.error(evaluation.reason, {exit: 1});
+    if (jobEvaluation.action === 'block') {
+      this.error(jobEvaluation.reason, {exit: 1});
     }
-    if (evaluation.action === 'confirm') {
-      await this.confirmOrBlock(evaluation);
+    if (jobEvaluation.action === 'confirm') {
+      await this.confirmOrBlock(jobEvaluation);
     }
 
     // Parse parameters or body

packages/b2c-tooling-sdk/src/cli/base-command.ts

@@ -203,6 +203,10 @@ export abstract class BaseCommand<T extends typeof Command> extends Command {
     // Update safety guard with config-provided safety settings (merges env + config)
     this.initializeSafetyGuard();
 
+    // Evaluate command-level safety rules for every command.
+    // This enforces rules like { command: "code:deploy", action: "block" } generically.
+    await this.evaluateCommandSafety();
+
     this.addTelemetryContext();
   }
 
@@ -753,6 +757,28 @@ export abstract class BaseCommand<T extends typeof Command> extends Command {
     }
   }
 
+  /**
+   * Evaluate command-level safety rules for the current command.
+   *
+   * This runs at the end of init() so every command is evaluated against
+   * command rules (e.g., `{ command: "code:deploy", action: "block" }`).
+   * If no command rule matches, this is a no-op — level-based blocking
+   * is handled by the HTTP middleware and assertDestructiveOperationAllowed().
+   */
+  private async evaluateCommandSafety(): Promise<void> {
+    const evaluation = this.safetyGuard.evaluate({
+      type: 'command',
+      commandId: this.id,
+    });
+
+    if (evaluation.action === 'block' && evaluation.rule) {
+      this.error(evaluation.reason, {exit: 1});
+    }
+    if (evaluation.action === 'confirm' && evaluation.rule) {
+      await this.confirmOrBlock(evaluation);
+    }
+  }
+
   /**
    * Require interactive confirmation for a safety-guarded operation.
    *