@garethdaine/agentops 0.9.0 → 0.9.1

package/hooks/auto-delegate.sh

@@ -3,7 +3,7 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/feature-flags.sh"
 
-[ "$(agentops_flag 'auto_delegate_enabled')" != "true" ] && exit 0
+agentops_automation_enabled 'auto_delegate_enabled' || exit 0
 
 INPUT=$(cat) || exit 0
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) || exit 0
@@ -33,8 +33,8 @@ CODE_TRACKER="${STATE_DIR}/modified-files.txt"
 # Count source code files only
 CODE_COUNT=$(sort -u "$CODE_TRACKER" 2>/dev/null | grep -cE "$SOURCE_CODE_EXTENSIONS" || echo 0)
 
-# After 5+ source code files modified, trigger delegation
-if [ "$CODE_COUNT" -ge 5 ]; then
+# After threshold source code files modified, trigger delegation
+if [ "$CODE_COUNT" -ge "$AGENTOPS_DELEGATE_THRESHOLD" ]; then
   date -u +%FT%TZ > "$DELEGATE_SENT" 2>/dev/null
 
   # Collect the modified source files for review context

package/hooks/auto-evolve.sh

@@ -3,7 +3,7 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/feature-flags.sh"
 
-[ "$(agentops_flag 'auto_evolve_enabled')" != "true" ] && exit 0
+agentops_automation_enabled 'auto_evolve_enabled' || exit 0
 
 INPUT=$(cat) || exit 0
 CWD=$(echo "$INPUT" | jq -r '.cwd // "."' 2>/dev/null) || CWD="."

package/hooks/auto-verify.sh

@@ -3,7 +3,7 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/feature-flags.sh"
 
-[ "$(agentops_flag 'auto_verify_enabled')" != "true" ] && exit 0
+agentops_automation_enabled 'auto_verify_enabled' || exit 0
 
 INPUT=$(cat) || exit 0
 CWD=$(echo "$INPUT" | jq -r '.cwd // "."' 2>/dev/null) || CWD="."

package/hooks/content-trust.sh

@@ -13,6 +13,7 @@ TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) || exit 0
 TRUST="contextual"
 case "$TOOL" in
   WebFetch|WebSearch) TRUST="untrusted" ;;
+  Agent) TRUST="untrusted" ;;
   mcp__*) TRUST="untrusted" ;;
 esac
 

package/hooks/credential-redact.sh

@@ -7,12 +7,33 @@ source "${SCRIPT_DIR}/feature-flags.sh"
 
 INPUT=$(cat) || exit 0
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) || exit 0
+
+SENSITIVE_EXTENSIONS='\.(env|pem|key|crt|secret|p12|pfx|credential|token|password|ssh)'
+SENSITIVE_CONFIG='\.(json|yaml|yml|toml|cfg|ini)$'
+
+# Handle Read tool — warn when reading sensitive files
+if [ "$TOOL" = "Read" ]; then
+  FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) || exit 0
+  if echo "$FILE_PATH" | grep -qiE "$SENSITIVE_EXTENSIONS"; then
+    LOG_DIR="${CLAUDE_PROJECT_DIR:-.}/.agentops"
+    mkdir -p "$LOG_DIR" 2>/dev/null
+    jq -nc --arg ts "$(date -u +%FT%TZ)" --arg fp "$FILE_PATH" \
+      '{ts:$ts, event:"CREDENTIAL_ACCESS", tool:"Read", file:$fp}' >> "$LOG_DIR/audit.jsonl" 2>/dev/null
+
+    jq -nc '{hookSpecificOutput:{hookEventName:"PostToolUse",additionalContext:"WARNING: This file may contain credentials. Do NOT include any secrets, API keys, tokens, or passwords in your response. Redact any sensitive values with [REDACTED]."}}'
+    exit 0
+  fi
+  exit 0
+fi
+
+# Handle Bash tool — warn when commands read credential files
 [ "$TOOL" != "Bash" ] && exit 0
 
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) || exit 0
 
-# Log to audit if command reads credential files (redact the command before logging)
-if echo "$COMMAND" | grep -qiE "(cat|less|head|more|tail|grep).*\.(env|pem|key|crt|secret)"; then
+# Match: reading credential files via common tools or scripting languages
+if echo "$COMMAND" | grep -qiE "(cat|less|head|more|tail|grep|jq|python3?|ruby|node|source|base64|xxd)\s.*${SENSITIVE_EXTENSIONS}" || \
+   echo "$COMMAND" | grep -qiE "source\s+.*\.env\b"; then
   LOG_DIR="${CLAUDE_PROJECT_DIR:-.}/.agentops"
   mkdir -p "$LOG_DIR" 2>/dev/null
   REDACTED_CMD=$(echo "$COMMAND" | agentops_redact)

package/hooks/exfiltration-check.sh

@@ -12,14 +12,20 @@ TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null) || agentops_fail
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) || agentops_fail_closed
 [ -z "$COMMAND" ] && exit 0
 
+# Normalize command: strip path prefixes so /usr/bin/curl matches as curl
+NORM_CMD=$(echo "$COMMAND" | sed -E 's|/[^ ]*/([^ /]+)|\1|g')
+
 HARD_DENY=$(agentops_hard_deny)
 SENSITIVE_FILES='\.(env|pem|key|crt|p12|pfx|secret|credential|token|password|ssh)'
 
+# Network tool pattern — covers common and uncommon transfer utilities
+NET_TOOLS='(curl|wget|nc|ncat|socat|scp|rsync|sftp|ssh|http|httpie|aria2c|openssl\s+s_client|telnet|lwp-request|fetch)'
+
 # Hard-deny rules — always enforce, even in bypass/unrestricted mode
 
 # 1. Network transfer of sensitive files (including -F for curl form uploads)
-if echo "$COMMAND" | grep -qE "curl.*(-d|--data|--upload-file|-F)|wget.*--post|nc\s|ncat\s|socat\s"; then
-  if echo "$COMMAND" | grep -qiE "$SENSITIVE_FILES"; then
+if echo "$NORM_CMD" | grep -qE "curl.*(-d|--data|--upload-file|-F)|wget.*--post|nc\s|ncat\s|socat\s|http\s+(POST|PUT|PATCH)|aria2c\s|openssl\s+s_client"; then
+  if echo "$NORM_CMD" | grep -qiE "$SENSITIVE_FILES"; then
     jq -nc --arg action "$HARD_DENY" \
       '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: network transfer of sensitive file type (hard deny)"}}'
     exit 0
@@ -27,15 +33,15 @@ if echo "$COMMAND" | grep -qE "curl.*(-d|--data|--upload-file|-F)|wget.*--post|n
 fi
 
 # 2. Piping secrets to network (including command substitution: curl -d "$(cat .env)")
-if echo "$COMMAND" | grep -qE "(cat|less|head|tail|base64|xxd).*${SENSITIVE_FILES}.*\|.*(curl|wget|nc|ssh|scp|rsync|sftp)" || \
-   echo "$COMMAND" | grep -qE "(curl|wget|nc|ssh|scp|rsync|sftp).*\\$\(.*${SENSITIVE_FILES}"; then
+if echo "$NORM_CMD" | grep -qE "(cat|less|head|tail|base64|xxd).*${SENSITIVE_FILES}.*\|.*${NET_TOOLS}" || \
+   echo "$NORM_CMD" | grep -qE "${NET_TOOLS}.*\\$\(.*${SENSITIVE_FILES}"; then
   jq -nc --arg action "$HARD_DENY" \
     '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: piping sensitive file to network command (hard deny)"}}'
   exit 0
 fi
 
 # 3. Direct file transfer tools with sensitive files
-if echo "$COMMAND" | grep -qE "(scp|rsync|sftp)\s" && echo "$COMMAND" | grep -qiE "$SENSITIVE_FILES"; then
+if echo "$NORM_CMD" | grep -qE "(scp|rsync|sftp)\s" && echo "$NORM_CMD" | grep -qiE "$SENSITIVE_FILES"; then
   jq -nc --arg action "$HARD_DENY" \
     '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: file transfer of sensitive file type (hard deny)"}}'
   exit 0
@@ -46,22 +52,30 @@ agentops_is_bypass "$INPUT" && agentops_bypass_advisory "exfiltration-check"
 ACTION=$(agentops_enforcement_action)
 
 # 4. Base64 encoding + network (obfuscation attempt)
-if echo "$COMMAND" | grep -qE "base64.*\|.*(curl|wget|nc)" || echo "$COMMAND" | grep -qE "(curl|wget).*base64"; then
+if echo "$NORM_CMD" | grep -qE "base64.*\|.*${NET_TOOLS}" || echo "$NORM_CMD" | grep -qE "${NET_TOOLS}.*base64"; then
   jq -nc --arg action "$ACTION" \
     '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: base64 encoding with network transfer detected"}}'
   exit 0
 fi
 
 # 5. DNS exfiltration via command substitution (including backticks)
-if echo "$COMMAND" | grep -qE "(dig|nslookup|host)\s.*(\\$\(|\`)" ; then
+if echo "$NORM_CMD" | grep -qE "(dig|nslookup|host)\s.*(\\$\(|\`)" ; then
   jq -nc --arg action "$ACTION" \
     '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: possible DNS exfiltration via command substitution"}}'
   exit 0
 fi
 
 # 6. Scripting language network calls with sensitive file references
-if echo "$COMMAND" | grep -qE "(python|ruby|node|perl)\s" && echo "$COMMAND" | grep -qiE "(requests\.post|urllib|http\.request|Net::HTTP|fetch|open\()" && echo "$COMMAND" | grep -qiE "$SENSITIVE_FILES"; then
+if echo "$NORM_CMD" | grep -qE "(python3?|ruby|node|perl)\s" && echo "$NORM_CMD" | grep -qiE "(requests\.(post|put|patch)|urllib|http\.request|Net::HTTP|fetch|open\()" && echo "$NORM_CMD" | grep -qiE "$SENSITIVE_FILES"; then
   jq -nc --arg action "$ACTION" \
     '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: scripting language network call with sensitive file reference"}}'
   exit 0
 fi
+
+# 7. Script-write-then-execute pattern (write a script and immediately run it)
+if echo "$NORM_CMD" | grep -qE "(echo|cat|printf|tee).*>.*\.(sh|py|rb|pl|js)\s*[;&|]" && \
+   echo "$NORM_CMD" | grep -qE "(bash|sh|python3?|ruby|perl|node)\s"; then
+  jq -nc --arg action "$ACTION" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"ExfiltrationDetector: script-write-then-execute pattern detected — review for exfiltration"}}'
+  exit 0
+fi

package/hooks/flag-utils.sh

@@ -4,13 +4,24 @@
 
 FLAGS_FILE="${CLAUDE_PROJECT_DIR:-.}/.agentops/flags.json"
 
-# Read a single flag value from flags.json.
+# Internal cache — avoids re-reading flags.json on every agentops_flag call.
+_AGENTOPS_FLAGS_CACHE=""
+_AGENTOPS_FLAGS_LOADED=false
+
+# Read a single flag value from flags.json (cached after first read).
 # Usage: VALUE=$(agentops_flag "flag_name" "default")
 agentops_flag() {
   local FLAG="$1"
   local DEFAULT="${2:-true}"
-  if [ -f "$FLAGS_FILE" ]; then
-    jq -r --arg key "$FLAG" --arg def "$DEFAULT" 'if .[$key] == null then $def else (.[$key] | tostring) end' "$FLAGS_FILE" 2>/dev/null || echo "$DEFAULT"
+  if [ "$_AGENTOPS_FLAGS_LOADED" = false ]; then
+    if [ -f "$FLAGS_FILE" ]; then
+      _AGENTOPS_FLAGS_CACHE=$(cat "$FLAGS_FILE" 2>/dev/null) || true
+    fi
+    _AGENTOPS_FLAGS_LOADED=true
+  fi
+  if [ -n "$_AGENTOPS_FLAGS_CACHE" ]; then
+    echo "$_AGENTOPS_FLAGS_CACHE" | jq -r --arg key "$FLAG" --arg def "$DEFAULT" \
+      'if .[$key] == null then $def else (.[$key] | tostring) end' 2>/dev/null || echo "$DEFAULT"
   else
     echo "$DEFAULT"
   fi

package/hooks/hooks.json

@@ -48,6 +48,12 @@
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/injection-scan.sh", "timeout": 5 },
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/runtime-mode.sh", "timeout": 5 }
         ]
+      },
+      {
+        "matcher": "Bash|Write|Edit",
+        "hooks": [
+          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/unicode-firewall.sh", "timeout": 5 }
+        ]
       }
     ],
     "PostToolUse": [
@@ -75,10 +81,15 @@
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/integrity-verify.sh", "timeout": 5 }
         ]
       },
+      {
+        "matcher": "Bash|Read",
+        "hooks": [
+          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/credential-redact.sh", "timeout": 5 }
+        ]
+      },
       {
         "matcher": "Bash",
         "hooks": [
-          { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/credential-redact.sh", "timeout": 5 },
           { "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/detect-test-run.sh", "timeout": 5 }
         ]
       },

package/hooks/patterns-lib.sh

@@ -19,4 +19,7 @@ AGENTOPS_PROTECTED_PATHS='(\.agentops/|tasks/lessons\.md$)'
 
 # Writable state files — whitelisted from protected path enforcement
 # so that plugin commands (e.g. /agentops:flags) can manage them via Write/Edit.
-AGENTOPS_WRITABLE_STATE='(\.agentops/flags\.json$|\.agentops/integrity\.jsonl$|\.agentops/build-state\.json$|\.agentops/build-execution\.jsonl$|tasks/lessons\.md$)'
+AGENTOPS_WRITABLE_STATE='(\.agentops/flags\.json$|\.agentops/build-state\.json$|\.agentops/build-execution\.jsonl$|tasks/lessons\.md$)'
+
+# Delegation threshold — number of modified source files before auto-delegate triggers
+AGENTOPS_DELEGATE_THRESHOLD=5

package/hooks/redact-lib.sh

@@ -8,8 +8,16 @@ agentops_redact() {
     -e 's/(PASSWORD|PASS|SECRET|TOKEN|API_KEY|PRIVATE_KEY|AUTH|CREDENTIAL)=[^ "'\''&]*/\1=[REDACTED]/gi' \
     -e 's/(sk|pk|api|key|token|secret|auth)[-_][A-Za-z0-9]{16,}/[REDACTED]/g' \
     -e 's/Bearer [A-Za-z0-9._~+\/=-]{20,}/Bearer [REDACTED]/g' \
+    -e 's/Basic [A-Za-z0-9+\/=]{20,}/Basic [REDACTED]/g' \
     -e 's/AKIA[A-Z0-9]{16}/[REDACTED]/g' \
     -e 's/gh[pousr]_[A-Za-z0-9]{36,}/[REDACTED]/g' \
+    -e 's/xox[bpas]-[A-Za-z0-9-]{10,}/[REDACTED]/g' \
+    -e 's/sk_(live|test)_[A-Za-z0-9]{10,}/[REDACTED]/g' \
+    -e 's/pk_(live|test)_[A-Za-z0-9]{10,}/[REDACTED]/g' \
+    -e 's/sk-ant-[A-Za-z0-9_-]{10,}/[REDACTED]/g' \
+    -e 's|hooks\.slack\.com/services/[A-Za-z0-9/]+|hooks.slack.com/services/[REDACTED]|g' \
+    -e 's|discord(app)?\.com/api/webhooks/[A-Za-z0-9/]+|discord.com/api/webhooks/[REDACTED]|g' \
     -e 's|[a-zA-Z]+://[^:@/]+:[^@/]+@|[REDACTED_CONN]@|g' \
-    -e 's/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/[REDACTED_JWT]/g'
+    -e 's/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/[REDACTED_JWT]/g' \
+    -e 's/-----BEGIN[A-Z ]*PRIVATE KEY-----/[REDACTED_PEM]/g'
 }

package/hooks/telemetry.sh

@@ -10,24 +10,56 @@ TS=$(date -u +%FT%TZ)
 EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // "unknown"' 2>/dev/null) || EVENT="unknown"
 SESSION=$(echo "$INPUT" | jq -r '.session_id // "unknown"' 2>/dev/null) || SESSION="unknown"
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // ""' 2>/dev/null) || TOOL=""
-CWD=$(echo "$INPUT" | jq -r '.cwd // ""' 2>/dev/null) || CWD=""
 
 jq -nc \
   --arg ts "$TS" --arg event "$EVENT" --arg session "$SESSION" \
-  --arg tool "$TOOL" --arg cwd "$CWD" \
-  '{ts:$ts, event:$event, session:$session, tool:$tool, cwd:$cwd}' >> "$LOG_FILE" 2>/dev/null || true
+  --arg tool "$TOOL" \
+  '{ts:$ts, event:$event, session:$session, tool:$tool}' >> "$LOG_FILE" 2>/dev/null || true
 
-# Forward to OTLP if configured — validate endpoint and add timeout
+# Forward to OTLP if configured — validate endpoint with hostname allowlist
 if [ -n "${OTLP_ENDPOINT:-}" ]; then
-  # Only allow https:// endpoints; reject localhost, private IPs, metadata endpoints
-  if echo "$OTLP_ENDPOINT" | grep -qE '^https://[^/]+\.[^/]+' && \
-     ! echo "$OTLP_ENDPOINT" | grep -qiE '(localhost|127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.|metadata\.google|\.internal[:/])'; then
-    PAYLOAD=$(tail -1 "$LOG_FILE" 2>/dev/null) || true
-    if [ -n "$PAYLOAD" ]; then
-      curl -sf --max-time 10 --connect-timeout 5 \
-        -X POST "$OTLP_ENDPOINT/v1/logs" \
-        -H "Content-Type: application/json" \
-        -d "$PAYLOAD" &>/dev/null &
+  # Require explicit hostname allowlist — reject if not configured
+  OTLP_ALLOWLIST="${OTLP_HOSTNAME_ALLOWLIST:-}"
+  if [ -z "$OTLP_ALLOWLIST" ]; then
+    exit 0
+  fi
+
+  # Extract hostname from endpoint URL
+  OTLP_HOST=$(echo "$OTLP_ENDPOINT" | sed -E 's|^https?://([^:/]+).*|\1|')
+
+  # Must be HTTPS
+  if ! echo "$OTLP_ENDPOINT" | grep -qE '^https://'; then
+    exit 0
+  fi
+
+  # Check hostname against allowlist (comma-separated)
+  ALLOWED=false
+  IFS=',' read -ra HOSTS <<< "$OTLP_ALLOWLIST"
+  for ALLOWED_HOST in "${HOSTS[@]}"; do
+    ALLOWED_HOST=$(echo "$ALLOWED_HOST" | tr -d ' ')
+    if [ "$OTLP_HOST" = "$ALLOWED_HOST" ]; then
+      ALLOWED=true
+      break
+    fi
+  done
+  [ "$ALLOWED" = false ] && exit 0
+
+  # Resolve hostname and reject private/loopback IPs (DNS rebinding defense)
+  RESOLVED_IP=$(dig +short "$OTLP_HOST" 2>/dev/null | head -1)
+  if echo "$RESOLVED_IP" | grep -qE '^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.|::1|0\.0\.0\.0|fe80:)'; then
+    exit 0
+  fi
+
+  PAYLOAD=$(tail -1 "$LOG_FILE" 2>/dev/null) || true
+  if [ -n "$PAYLOAD" ]; then
+    AUTH_HEADER=""
+    if [ -n "${OTLP_AUTH_TOKEN:-}" ]; then
+      AUTH_HEADER="-H \"Authorization: Bearer ${OTLP_AUTH_TOKEN}\""
     fi
+    eval curl -sf --max-time 10 --connect-timeout 5 --no-location \
+      -X POST "$OTLP_ENDPOINT/v1/logs" \
+      -H "Content-Type: application/json" \
+      $AUTH_HEADER \
+      -d "'$PAYLOAD'" '&>/dev/null &'
   fi
 fi

package/hooks/todo-prune.sh

@@ -19,7 +19,8 @@ TODO="${CWD}/tasks/todo.md"
 
 # Build a pruned version: keep unchecked items and their nearest heading
 # Remove checked items (- [x]) and blank lines that result from removal
-TEMP=$(mktemp)
+# Create temp file in same directory as target for atomic mv (same filesystem)
+TEMP=$(mktemp "${TODO}.XXXXXX")
 trap 'rm -f "$TEMP"' EXIT
 
 HAS_UNCHECKED=false
@@ -67,9 +68,9 @@ if [ "$SECTION_HAS_UNCHECKED" = true ] && [ -n "$SECTION_BUFFER" ]; then
 fi
 
 if [ "$HAS_UNCHECKED" = true ]; then
-  # Replace with pruned version containing only incomplete items
-  mv "$TEMP" "$TODO"
+  # Replace with pruned version containing only incomplete items (atomic rename)
   trap - EXIT
+  mv "$TEMP" "$TODO"
   REMAINING=$(grep -cE '^\s*- \[ \]' "$TODO" 2>/dev/null || echo 0)
   jq -nc --arg remaining "$REMAINING" \
     '{systemMessage: ("AgentOps: Pruned completed todos from previous session. " + $remaining + " incomplete item(s) remain in tasks/todo.md — review them before planning new work.")}'

package/hooks/unicode-firewall.sh

@@ -21,6 +21,26 @@ audit() {
     '{ts:$ts, event:$ev} + $ARGS.named' >> "$LOG_DIR/audit.jsonl" 2>/dev/null
 }
 
+# ── PreToolUse: Scan inputs for dangerous Unicode before execution ────────
+if [ "$EVENT" = "PreToolUse" ]; then
+  CONTENT=""
+  case "$TOOL" in
+    Bash)   CONTENT=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) ;;
+    Write)  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null) ;;
+    Edit)   CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null) ;;
+  esac
+
+  if [ -n "$CONTENT" ] && echo "$CONTENT" | unicode_detect; then
+    CATEGORIES=$(echo "$CONTENT" | unicode_classify)
+    audit "UNICODE_PRETOOL_WARNING" --arg tool "$TOOL" --arg cats "$CATEGORIES"
+
+    jq -nc --arg cats "$CATEGORIES" --arg tool "$TOOL" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"ask",permissionDecisionReason:("UNICODE FIREWALL: " + $tool + " input contains dangerous invisible Unicode (" + $cats + "). This may be a Trojan Source attack. Review the content carefully before allowing.")}}'
+    exit 0
+  fi
+  exit 0
+fi
+
 # ── PostToolUse: Auto-strip on Write/Edit ───────────────────────────────────
 # Instead of blocking the write, we let it through and immediately sanitise
 # the file, emitting a warning so the agent knows what happened.

package/hooks/unicode-lib.sh

@@ -10,19 +10,22 @@
 #   Cat 5: Variation sel. supp.    U+E0100-E01EF
 UNICODE_PATTERN='[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}\x{202A}-\x{202E}\x{2066}-\x{2069}\x{FE00}-\x{FE0F}\x{E0001}-\x{E007F}\x{E0100}-\x{E01EF}]'
 
-# Returns 0 (match) if dangerous invisible Unicode is found in stdin.
+# Returns 0 (match) if dangerous invisible Unicode is found.
+# Usage: unicode_detect < file    OR    echo "$text" | unicode_detect
+#        unicode_detect "filepath"
 unicode_detect() {
-  perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" 2>/dev/null
+  if [ $# -gt 0 ]; then
+    perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" "$1" 2>/dev/null
+  else
+    perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" 2>/dev/null
+  fi
 }
 
-# Returns 0 (match) if dangerous invisible Unicode is found in a file.
-unicode_detect_file() {
-  local FILE="$1"
-  perl -CSD -ne "if (/$UNICODE_PATTERN/) { exit 0 } END { exit 1 }" "$FILE" 2>/dev/null
-}
-
-# Returns human-readable category summary from stdin.
+# Returns human-readable category summary.
+# Usage: unicode_classify < file    OR    echo "$text" | unicode_classify
+#        unicode_classify "filepath"
 unicode_classify() {
+  local _ARGS=("$@")
   perl -CSD -ne '
     BEGIN { %c = () }
     $c{"zero-width chars"}++            if /[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}]/;
@@ -31,32 +34,18 @@ unicode_classify() {
     $c{"tag characters"}++              if /[\x{E0001}-\x{E007F}]/;
     $c{"variation sel. supplement"}++   if /[\x{E0100}-\x{E01EF}]/;
     END { print join(", ", sort keys %c) if %c }
-  ' 2>/dev/null
-}
-
-# Returns human-readable category summary from a file.
-unicode_classify_file() {
-  local FILE="$1"
-  perl -CSD -ne '
-    BEGIN { %c = () }
-    $c{"zero-width chars"}++            if /[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}]/;
-    $c{"bidi overrides"}++              if /[\x{202A}-\x{202E}\x{2066}-\x{2069}]/;
-    $c{"variation selectors"}++         if /[\x{FE00}-\x{FE0F}]/;
-    $c{"tag characters"}++              if /[\x{E0001}-\x{E007F}]/;
-    $c{"variation sel. supplement"}++   if /[\x{E0100}-\x{E01EF}]/;
-    END { print join(", ", sort keys %c) if %c }
-  ' "$FILE" 2>/dev/null
+  ' "${_ARGS[@]}" 2>/dev/null
 }
 
-# Count affected lines from stdin.
+# Count affected lines.
+# Usage: unicode_count_lines < file    OR    echo "$text" | unicode_count_lines
+#        unicode_count_lines "filepath"
 unicode_count_lines() {
-  perl -CSD -ne "print if /$UNICODE_PATTERN/" 2>/dev/null | wc -l | tr -d ' '
-}
-
-# Count affected lines in a file.
-unicode_count_lines_file() {
-  local FILE="$1"
-  perl -CSD -ne "print if /$UNICODE_PATTERN/" "$FILE" 2>/dev/null | wc -l | tr -d ' '
+  if [ $# -gt 0 ]; then
+    perl -CSD -ne "print if /$UNICODE_PATTERN/" "$1" 2>/dev/null | wc -l | tr -d ' '
+  else
+    perl -CSD -ne "print if /$UNICODE_PATTERN/" 2>/dev/null | wc -l | tr -d ' '
+  fi
 }
 
 # Strip dangerous Unicode from a file in-place.
@@ -64,3 +53,8 @@ unicode_strip_file() {
   local FILE="$1"
   perl -CSD -pi -e "s/$UNICODE_PATTERN//g" "$FILE" 2>/dev/null
 }
+
+# Legacy aliases for backward compatibility with unicode-scan-session.sh
+unicode_detect_file() { unicode_detect "$1"; }
+unicode_classify_file() { unicode_classify "$1"; }
+unicode_count_lines_file() { unicode_count_lines "$1"; }

package/hooks/validate-command.sh

@@ -13,7 +13,7 @@ COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) || a
 HARD_DENY=$(agentops_hard_deny)
 
 # 1. Destructive system commands (always deny, even in bypass/unrestricted)
-if echo "$COMMAND" | grep -qE "(rm\s+-rf\s+/[^t]|mkfs\s|dd\s+if=|shutdown|reboot|init\s+[06])"; then
+if echo "$COMMAND" | grep -qE "(rm\s+-rf\s+/([^t]|t[^m]|tm[^p]|tmp[^/])|mkfs\s|dd\s+if=|shutdown|reboot|init\s+[06])"; then
   jq -nc --arg action "$HARD_DENY" \
     '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Destructive system command blocked by AgentOps CommandPolicy (hard deny)"}}'
   exit 0
@@ -51,7 +51,7 @@ if echo "$COMMAND" | grep -qE '>\s*[^ ]*\.agentops/' \
   fi
 fi
 
-# 4b. Tampering with hooks/ directory via Bash (always deny — prevent hook tampering)
+# 4b. Tampering with hooks/ directory via Bash write operations (always deny — prevent hook tampering)
 if echo "$COMMAND" | grep -qE '>\s*[^ ]*hooks/' \
    || echo "$COMMAND" | grep -qE '(tee|cp|mv|install)\s+[^ ]*\s+[^ ]*hooks/' \
    || echo "$COMMAND" | grep -qE 'sed\s+-i[^ ]*\s+[^ ]*hooks/' \
@@ -63,6 +63,14 @@ if echo "$COMMAND" | grep -qE '>\s*[^ ]*hooks/' \
   exit 0
 fi
 
+# 4c. Scripting language file I/O to protected paths (always deny — prevent bypass via python/ruby/node)
+if echo "$COMMAND" | grep -qE "(python3?|ruby|node|perl)\s+(-c|(-e\s))" && \
+   echo "$COMMAND" | grep -qE '(\.agentops/|hooks/)'; then
+  jq -nc --arg action "$HARD_DENY" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:"Scripting language referencing protected paths blocked by AgentOps CommandPolicy (hard deny)"}}'
+  exit 0
+fi
+
 # Soft rules below — bypass/unrestricted can downgrade these
 agentops_is_bypass "$INPUT" && agentops_bypass_advisory "validate-command"
 ACTION=$(agentops_enforcement_action)

package/hooks/validate-env.sh

@@ -22,7 +22,8 @@ for VAR in $VARS; do
   VAR_UPPER=$(echo "$VAR" | tr '[:lower:]' '[:upper:]')
 
   # Forbidden keys — LD_PRELOAD, PATH, HOME etc. are always dangerous
-  if echo "$VAR_UPPER" | grep -qE "^(PATH|HOME|SHELL|USER|LD_PRELOAD|LD_LIBRARY_PATH|DYLD_)"; then
+  if echo "$VAR_UPPER" | grep -qE "^(PATH|HOME|SHELL|USER|LD_PRELOAD|LD_LIBRARY_PATH|NODE_OPTIONS|NODE_PATH|PYTHONPATH|PYTHONSTARTUP|RUBYOPT|PERL5OPT|CLASSPATH)$" || \
+     echo "$VAR_UPPER" | grep -qE "^DYLD_"; then
     jq -nc --arg var "$VAR" --arg action "$HARD_DENY" \
       '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:$action,permissionDecisionReason:("EnvPolicy: forbidden env var " + $var + " (hard deny)")}}'
     exit 0

package/hooks/validate-path.sh

@@ -38,14 +38,12 @@ if [ ${#FILE_PATH} -gt 1024 ]; then
   exit 0
 fi
 
-# Canonicalize for symlink resolution (for Write/Edit, resolve existing paths)
+# Canonicalize for symlink resolution (resolve existing paths for all tools)
 CANONICAL="$FILE_PATH"
-if [ "$TOOL" = "Write" ] || [ "$TOOL" = "Edit" ]; then
-  PARENT_DIR=$(dirname "$FILE_PATH")
-  if [ -d "$PARENT_DIR" ]; then
-    RESOLVED=$(realpath -m "$FILE_PATH" 2>/dev/null) || RESOLVED="$FILE_PATH"
-    CANONICAL="$RESOLVED"
-  fi
+PARENT_DIR=$(dirname "$FILE_PATH")
+if [ -d "$PARENT_DIR" ]; then
+  RESOLVED=$(realpath -m "$FILE_PATH" 2>/dev/null) || RESOLVED="$FILE_PATH"
+  CANONICAL="$RESOLVED"
 fi
 
 # 4. Protect plugin state files from agent writes (hard deny)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@garethdaine/agentops",
-  "version": "0.9.0",
+  "version": "0.9.1",
   "description": "Enterprise guardrails, delivery lifecycle, and self-evolution for Claude Code CLI",
   "author": {
     "name": "Gareth Daine",
@@ -27,6 +27,10 @@
     "compliance",
     "audit"
   ],
+  "scripts": {
+    "test": "bats tests/",
+    "lint": "shellcheck hooks/*.sh"
+  },
   "files": [
     ".claude-plugin/",
     "agents/",

package/settings.json

@@ -1,6 +1,17 @@
 {
   "permissions": {
     "allow": [],
-    "deny": []
+    "deny": [
+      "Bash(rm -rf /*)",
+      "Bash(curl*|*bash)",
+      "Bash(curl*|*sh)",
+      "Bash(wget*|*bash)",
+      "Bash(wget*|*sh)",
+      "Write(/etc/*)",
+      "Write(/sys/*)",
+      "Write(/proc/*)",
+      "Write(/dev/*)",
+      "Write(/boot/*)"
+    ]
   }
 }