@ictechgy/context-guard 0.4.10 → 0.4.12

package/plugins/context-guard/bin/context-guard-read-symbol

@@ -11,6 +11,7 @@ import argparse
 import ast
 import errno
 import hashlib
+import importlib.machinery
 import importlib.util
 import json
 import os
@@ -39,8 +40,27 @@ def _load_hook_secret_patterns():
     raise ImportError("hook_secret_patterns.py not found in " + ", ".join(searched))
 
 
+def _load_sanitize_output():
+    searched = []
+    for helper_path in (SCRIPT_DIR / "sanitize_output.py", SCRIPT_DIR / "context-guard-sanitize-output"):
+        searched.append(str(helper_path))
+        if not helper_path.is_file():
+            continue
+        loader = importlib.machinery.SourceFileLoader("_claude_token_sanitize_output", str(helper_path))
+        spec = importlib.util.spec_from_loader(loader.name, loader)
+        if spec is None:
+            continue
+        module = importlib.util.module_from_spec(spec)
+        loader.exec_module(module)
+        return module
+    raise ImportError("sanitize_output helper not found in " + ", ".join(searched))
+
+
 _hook_secret_patterns = _load_hook_secret_patterns()
+_sanitize_output = _load_sanitize_output()
 hook_label_has_sensitive_evidence = _hook_secret_patterns.hook_label_has_sensitive_evidence
+redact_sensitive_hook_text = _hook_secret_patterns.redact_sensitive_hook_text
+LineSanitizer = _sanitize_output.LineSanitizer
 
 DEFAULT_CONTEXT_LINES = 3
 DEFAULT_MAX_CHARS = 16_000
@@ -391,6 +411,11 @@ def strip_line_for_brace_count(line: str, in_block_comment: bool = False) -> tup
     return "".join(output), in_block_comment
 
 
+def redact_symbol_content(content: str) -> str:
+    sanitizer = LineSanitizer(show_paths=True)
+    return "".join(sanitizer.sanitize(line)[0] for line in content.splitlines(keepends=True))
+
+
 def find_symbol_slice(path: Path, symbol: str, context: int, max_chars: int, show_paths: bool) -> SymbolSlice | None:
     text, scan_truncated = read_text_bounded(path)
     lines = text.splitlines(keepends=True)
@@ -409,6 +434,8 @@ def find_symbol_slice(path: Path, symbol: str, context: int, max_chars: int, sho
     start_with_context = max(0, start - max(0, context))
     end_with_context = min(len(lines), end + max(0, context))
     content = "".join(lines[start_with_context:end_with_context])
+    content = redact_symbol_content(content)
+    content = redact_sensitive_hook_text(content, "[REDACTED]")
     capped = False
     if max_chars > 0 and len(content) > max_chars:
         marker = f"\n[context-guard-kit] symbol slice capped: {len(content)} chars total\n"

package/plugins/context-guard/bin/context-guard-sanitize-output

@@ -8,6 +8,7 @@ keeps only bounded head/anchor/tail context when output is too large.
 from __future__ import annotations
 
 import argparse
+import codecs
 import collections
 import hashlib
 import os
@@ -19,7 +20,7 @@ import subprocess
 import sys
 import threading
 import time
-from typing import Iterable, Iterator, TextIO
+from typing import BinaryIO, Iterable, Iterator, TextIO
 
 TERMINAL_CONTROL_RE = re.compile(
     r"(?:"
@@ -48,9 +49,17 @@ PRIVATE_KEY_END_RE = re.compile(
 AUTH_HEADER_RE = re.compile(
     r"(?i)^(?P<prefix>\s*(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:Proxy-)?Authorization\s*:\s*).+$"
 )
+COOKIE_HEADER_RE = re.compile(
+    r"(?i)^(?P<prefix>\s*(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:Set-)?Cookie\s*:\s*).+$"
+)
+SESSION_SECRET_KEY = (
+    r"(?:session(?:[_-]?(?:id|token))?|sessionid|sid|jsessionid|"
+    r"csrf(?:[_-]?token)?|xsrf(?:[_-]?token)?)"
+)
 SECRET_KEY = (
     r"[A-Za-z0-9_.-]*(?:api[_-]?key|apikey|token|secret|password|passwd|pwd|"
     r"private[_-]?key|access[_-]?key|client[_-]?secret)[A-Za-z0-9_.-]*"
+    rf"|{SESSION_SECRET_KEY}"
     r"|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|"
     r"GOOGLE_APPLICATION_CREDENTIALS|AZURE_CLIENT_SECRET"
 )
@@ -60,11 +69,48 @@ INLINE_QUOTED_SECRET_ASSIGNMENT_RE = re.compile(
     rf"[\"']?(?:{SECRET_KEY})[\"']?\s*[:=]\s*)"
     rf"(?P<quote>[\"'])(?P<value>(?:\\.|(?!(?P=quote)).)*)(?P=quote)(?P<tail>[^\s,;}}\]]*)"
 )
+CODE_IDENTIFIER = r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*"
+CALL_ARGUMENT_CHUNK = r"(?:[^()\"'\n;]+|\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'|\([^()]*\))*"
+INLINE_UNQUOTED_CALL_SECRET_ASSIGNMENT_RE = re.compile(
+    rf"(?i)(?P<lead>^|[\s;{{\[,])"
+    rf"(?P<prefix>(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:export\s+)?"
+    rf"[\"']?(?:{SECRET_KEY})[\"']?\s*[:=]\s*)"
+    rf"(?P<value>(?![\"']){CODE_IDENTIFIER}\({CALL_ARGUMENT_CHUNK}\))"
+)
+SECRET_IDENTIFIER_PART = (
+    r"(?:[A-Za-z_$][A-Za-z0-9_$]*(?:api_?key|apikey|token|secret|password|passwd|pwd|"
+    r"private_?key|access_?key|client_?secret|sessionid|session_id|session_token|"
+    r"csrf_token|xsrf_token)[A-Za-z0-9_$]*|session|sid|csrf|xsrf)"
+)
+FALLBACK_SECRET_OPERAND = rf"(?:[A-Za-z_$][A-Za-z0-9_$]*\.)*{SECRET_IDENTIFIER_PART}"
+INLINE_UNQUOTED_FALLBACK_SECRET_ASSIGNMENT_RE = re.compile(
+    rf"(?i)(?P<lead>^|[\s;{{\[,])"
+    rf"(?P<prefix>(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:export\s+)?"
+    rf"[\"']?(?:{SECRET_KEY})[\"']?\s*[:=]\s*)"
+    rf"(?P<value>(?![\"']|\[REDACTED\])"
+    rf"[^;\n]*?(?:\bor\b|\|\||\?\?|\belse\b|\?[^:\n;]*:)\s*"
+    rf"(?:[\"'](?:\\.|[^\"'\\])*[\"']|{FALLBACK_SECRET_OPERAND})[^;\n]*)"
+)
+INLINE_UNQUOTED_BRACKETED_SECRET_ASSIGNMENT_RE = re.compile(
+    rf"(?i)(?P<lead>^|[\s;{{\[,])"
+    rf"(?P<prefix>(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:export\s+)?"
+    rf"[\"']?(?:{SECRET_KEY})[\"']?\s*[:=]\s*)"
+    rf"(?P<value>(?![\"']|\[REDACTED\])"
+    rf"[^\s,;}}\]]*(?:\([^;\n]*?\)|\{{[^;\n]*?\}}|\[[^;\n]*?\])[^\s,;}}\]]*)"
+)
 INLINE_UNQUOTED_SECRET_ASSIGNMENT_RE = re.compile(
     rf"(?i)(?P<lead>^|[\s;{{\[,])"
     rf"(?P<prefix>(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:export\s+)?"
     rf"[\"']?(?:{SECRET_KEY})[\"']?\s*[:=]\s*)"
-    rf"(?P<value>[^\s,;}}\]]+)"
+    rf"(?P<value>(?![\"']|\[REDACTED\])[^\s,;}}\]]+)"
+)
+UNQUOTED_MULTILINE_SECRET_ASSIGNMENT_RE = re.compile(
+    rf"(?i)(?:^|[\s;{{\[,])"
+    rf"(?:(?:[^:\n]+):\d+(?::\d+)?:)?\s*(?:[+-]\s*)?(?:export\s+)?"
+    rf"[\"']?(?:{SECRET_KEY})[\"']?\s*[:=]\s*(?P<value>(?![\"']).*)$"
+)
+CONTINUATION_OPERATOR_RE = re.compile(
+    r"(?i)(?:\\|\|\||&&|\?\?|[+*/%&|^?,]|\?|:|\bor\b|\band\b|\belse\b)\s*(?://.*|#.*)?$"
 )
 URL_LIKE_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9+.-]*://[^\s]+")
 URL_SECRET_PARAM_RE = re.compile(rf"(?i)([?&#;](?:{SECRET_KEY})=)[^\s?&#;]+")
@@ -79,6 +125,43 @@ SAFE_UNQUOTED_VALUES = {
     "undefined",
 }
 IDENTIFIER_CHAIN_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)+$")
+SAFE_ENV_LOOKUP_CALL_RE = re.compile(r"^(?:os\.getenv|os\.environ\.get)\(\s*[\"'][A-Za-z0-9_.-]{1,80}[\"']\s*\)$")
+SAFE_RE_COMPILE_CALL_RE = re.compile(r"^re\.compile\([^;\n]*\)$")
+SAFE_CODE_EXPRESSION_CALL_RE = re.compile(rf"^{CODE_IDENTIFIER}\(\s*(?:{CODE_IDENTIFIER}(?:\s*,\s*{CODE_IDENTIFIER})*)?\s*\)$")
+GETTER_CALL_RE = re.compile(rf"^{CODE_IDENTIFIER}\.get\(\s*[\"'](?P<key>[A-Za-z0-9_.-]{{1,80}})[\"']\s*\)$")
+CAMEL_ACRONYM_BOUNDARY_RE = re.compile(r"(?<=[A-Z])(?=[A-Z][a-z])")
+CAMEL_WORD_BOUNDARY_RE = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")
+SAFE_GETTER_KEY_NAMES = {
+    "access_key",
+    "access_token",
+    "api_key",
+    "apikey",
+    "auth",
+    "authorization",
+    "aws_access_key_id",
+    "aws_secret_access_key",
+    "aws_session_token",
+    "azure_client_secret",
+    "client_id",
+    "client_secret",
+    "cookie",
+    "credential",
+    "credentials",
+    "csrf",
+    "google_application_credentials",
+    "jwt",
+    "password",
+    "passwd",
+    "private_key",
+    "pwd",
+    "refresh_token",
+    "secret",
+    "session",
+    "session_id",
+    "sessionid",
+    "sid",
+    "token",
+}
 INLINE_PATTERNS: tuple[tuple[re.Pattern[str], str], ...] = (
     (re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+"), "[REDACTED]"),
     (re.compile(r"(?i)\bBasic\s+[A-Za-z0-9._~+/=-]+"), "[REDACTED]"),
@@ -112,6 +195,9 @@ MAX_SECTION_LINES_LIMIT = 2_000
 DEFAULT_TIMEOUT_SECONDS = 600
 MAX_TIMEOUT_SECONDS = 86_400
 TIMEOUT_EXIT_CODE = 124
+COMMAND_READ_CHUNK_BYTES = 64 * 1024
+COMMAND_MAX_UNTERMINATED_LINE_CHARS = 4_096
+RAW_TRUNCATION_REDACTION_HOLDBACK_CHARS = 1_024
 
 
 def bounded_int(value: object, default: int, minimum: int, maximum: int) -> int:
@@ -167,20 +253,33 @@ def cap_line(line: str, max_line_chars: int) -> tuple[str, bool]:
     return body[:keep] + marker + newline, True
 
 
+def normalize_getter_key(key: str) -> str:
+    key = CAMEL_ACRONYM_BOUNDARY_RE.sub("_", key)
+    key = CAMEL_WORD_BOUNDARY_RE.sub("_", key)
+    key = re.sub(r"[_.-]+", "_", key)
+    return re.sub(r"_+", "_", key).strip("_").lower()
+
+
+def is_safe_getter_key(key: str) -> bool:
+    return normalize_getter_key(key) in SAFE_GETTER_KEY_NAMES
+
+
 def should_redact_unquoted_secret_value(line: str, match: re.Match[str]) -> bool:
     value = match.group("value").strip()
+    prefix = match.group("prefix")
     if not value:
         return False
     if value.lower() in SAFE_UNQUOTED_VALUES:
         return False
     if IDENTIFIER_CHAIN_RE.match(value):
         return False
-    end = match.end("value")
-    if end < len(line) and line[end] in "([{":
-        # Likely a function call or expression (`api_key = os.getenv(...)`);
-        # preserve it so Claude can still reason about code flow.
+    if SAFE_ENV_LOOKUP_CALL_RE.match(value) or SAFE_RE_COMPILE_CALL_RE.match(value):
         return False
-    if any(ch in value for ch in "()[]{}"):
+    getter_match = GETTER_CALL_RE.match(value)
+    if re.search(r"\s[:=]\s*$", prefix) and (
+        SAFE_CODE_EXPRESSION_CALL_RE.match(value)
+        or (getter_match is not None and is_safe_getter_key(getter_match.group("key")))
+    ):
         return False
     return True
 
@@ -214,6 +313,9 @@ def redact_secret_assignments(line: str) -> tuple[str, bool]:
         return f"{match.group('lead')}{match.group('prefix')}[REDACTED]"
 
     line = INLINE_QUOTED_SECRET_ASSIGNMENT_RE.sub(quoted_repl, line)
+    line = INLINE_UNQUOTED_FALLBACK_SECRET_ASSIGNMENT_RE.sub(unquoted_repl, line)
+    line = INLINE_UNQUOTED_CALL_SECRET_ASSIGNMENT_RE.sub(unquoted_repl, line)
+    line = INLINE_UNQUOTED_BRACKETED_SECRET_ASSIGNMENT_RE.sub(unquoted_repl, line)
     line = INLINE_UNQUOTED_SECRET_ASSIGNMENT_RE.sub(unquoted_repl, line)
     return line, redacted
 
@@ -253,6 +355,54 @@ def detect_multiline_secret_assignment(line: str) -> str | None:
     return None
 
 
+def expression_bracket_delta(text: str) -> int:
+    delta = 0
+    quote: str | None = None
+    escaped = False
+    for char in text:
+        if quote is not None:
+            if escaped:
+                escaped = False
+            elif char == "\\":
+                escaped = True
+            elif char == quote:
+                quote = None
+            continue
+        if char in {"'", '"'}:
+            quote = char
+        elif char in "([{":
+            delta += 1
+        elif char in ")}]":
+            delta -= 1
+    return delta
+
+
+def ends_with_continuation_operator(text: str) -> bool:
+    return bool(CONTINUATION_OPERATOR_RE.search(text.rstrip()))
+
+
+def detect_multiline_secret_expression(line: str) -> int | None:
+    marker = UNQUOTED_MULTILINE_SECRET_ASSIGNMENT_RE.search(line)
+    if marker is None:
+        return None
+    value = marker.group("value").strip()
+    if not value:
+        return 0
+    delta = expression_bracket_delta(value)
+    if delta > 0:
+        return delta
+    if ends_with_continuation_operator(value):
+        return max(delta, 0)
+    return None
+
+
+def update_multiline_secret_expression_state(line: str, depth: int) -> int | None:
+    next_depth = max(0, depth + expression_bracket_delta(line))
+    if next_depth == 0 and not ends_with_continuation_operator(line):
+        return None
+    return next_depth
+
+
 def private_key_state_after_line(line: str) -> bool | None:
     """Return updated private-key state for a line, or None when no marker appears."""
     if PRIVATE_KEY_BEGIN_RE.search(line):
@@ -273,6 +423,7 @@ class LineSanitizer:
         self.show_paths = show_paths
         self.in_private_key_block = False
         self.multiline_secret_quote: str | None = None
+        self.multiline_secret_expression_depth: int | None = None
         self.redactions = 0
 
     def sanitize(self, raw_line: str) -> tuple[str, bool]:
@@ -305,6 +456,12 @@ class LineSanitizer:
                 self.in_private_key_block = False
             return self._finish(diff_prefix + "[REDACTED PRIVATE KEY BLOCK]\n", redacted)
 
+        if self.multiline_secret_expression_depth is not None:
+            self.multiline_secret_expression_depth = update_multiline_secret_expression_state(
+                line, self.multiline_secret_expression_depth
+            )
+            return self._finish(diff_prefix + "[REDACTED MULTILINE SECRET]\n", True)
+
         multiline_quote = detect_multiline_secret_assignment(line)
         if multiline_quote is not None:
             self.multiline_secret_quote = multiline_quote
@@ -319,11 +476,21 @@ class LineSanitizer:
                 self.in_private_key_block = True
             return self._finish(diff_prefix + "[REDACTED PRIVATE KEY BLOCK]\n", redacted)
 
+        expression_depth = detect_multiline_secret_expression(line)
+        if expression_depth is not None:
+            self.multiline_secret_expression_depth = expression_depth
+            return self._finish(diff_prefix + "[REDACTED MULTILINE SECRET]\n", True)
+
         new_line, count = AUTH_HEADER_RE.subn(r"\g<prefix>[REDACTED]", line)
         if count:
             redacted = True
             line = new_line
 
+        new_line, count = COOKIE_HEADER_RE.subn(r"\g<prefix>[REDACTED]", line)
+        if count:
+            redacted = True
+            line = new_line
+
         line, assignment_redacted = redact_secret_assignments(line)
         if assignment_redacted:
             redacted = True
@@ -520,14 +687,16 @@ def terminate_process_tree(
 class TimedCommandStream:
     def __init__(
         self,
-        proc: subprocess.Popen[str],
-        stdout: TextIO,
+        proc: subprocess.Popen[bytes],
+        stdout: BinaryIO,
         *,
         timeout_seconds: int,
+        max_line_chars: int = MAX_LINE_CHARS_LIMIT,
         process_group_id: int | None = None,
     ) -> None:
         self.proc = proc
         self.timeout_seconds = timeout_seconds
+        self.max_unterminated_line_chars = max(1, max_line_chars)
         self.process_group_id = process_group_id
         self.deadline = time.monotonic() + timeout_seconds
         self.timed_out = False
@@ -537,10 +706,62 @@ class TimedCommandStream:
         self._thread = threading.Thread(target=self._read_stdout, args=(stdout,), daemon=True)
         self._thread.start()
 
-    def _read_stdout(self, stdout: TextIO) -> None:
+    def _truncated_raw_line(self, text: str) -> str:
+        holdback = min(RAW_TRUNCATION_REDACTION_HOLDBACK_CHARS, self.max_unterminated_line_chars)
+        safe_keep = max(0, self.max_unterminated_line_chars - holdback)
+        return (
+            text[:safe_keep]
+            + (
+                "...[context-guard-kit: raw line truncated before newline "
+                f"after {self.max_unterminated_line_chars} chars; "
+                f"withheld {holdback} boundary chars for redaction safety]\n"
+            )
+        )
+
+    def _read_stdout(self, stdout: BinaryIO) -> None:
+        decoder = codecs.getincrementaldecoder("utf-8")("replace")
+        pending = ""
+        discarding_oversized_line = False
+
+        def feed(text: str) -> None:
+            nonlocal pending, discarding_oversized_line
+            if not text:
+                return
+            pending += text
+            while pending:
+                if discarding_oversized_line:
+                    newline_index = pending.find("\n")
+                    if newline_index == -1:
+                        pending = ""
+                        return
+                    pending = pending[newline_index + 1 :]
+                    discarding_oversized_line = False
+                    continue
+
+                newline_index = pending.find("\n")
+                if newline_index != -1:
+                    if newline_index > self.max_unterminated_line_chars:
+                        self._queue.put(self._truncated_raw_line(pending))
+                    else:
+                        self._queue.put(pending[: newline_index + 1])
+                    pending = pending[newline_index + 1 :]
+                    continue
+
+                if len(pending) > self.max_unterminated_line_chars:
+                    self._queue.put(self._truncated_raw_line(pending))
+                    pending = ""
+                    discarding_oversized_line = True
+                return
+
         try:
-            for line in stdout:
-                self._queue.put(line)
+            while True:
+                chunk = stdout.read(COMMAND_READ_CHUNK_BYTES)
+                if not chunk:
+                    break
+                feed(decoder.decode(chunk, final=False))
+            feed(decoder.decode(b"", final=True))
+            if pending and not discarding_oversized_line:
+                self._queue.put(pending)
         finally:
             self._stream_closed = True
             self._queue.put(_STREAM_END)
@@ -613,7 +834,9 @@ def process_group_id_for(proc: subprocess.Popen[str]) -> int | None:
 def run_command(
     command: list[str],
     timeout_seconds: int,
-) -> tuple[Iterable[str], subprocess.Popen[str] | None, int | None]:
+    *,
+    max_line_chars: int = MAX_LINE_CHARS_LIMIT,
+) -> tuple[Iterable[str], subprocess.Popen[bytes] | None, int | None]:
     popen_kwargs: dict[str, object] = {}
     if os.name != "nt":
         popen_kwargs["start_new_session"] = True
@@ -622,9 +845,8 @@ def run_command(
             command,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
-            text=True,
-            bufsize=1,
-            errors="replace",
+            text=False,
+            bufsize=0,
             **popen_kwargs,
         )
     except OSError as exc:
@@ -638,6 +860,7 @@ def run_command(
             proc,
             proc.stdout,
             timeout_seconds=timeout_seconds,
+            max_line_chars=max_line_chars,
             process_group_id=process_group_id_for(proc),
         ),
         proc,
@@ -685,11 +908,15 @@ def main() -> int:
     if command and command[0] == "--":
         command = command[1:]
 
-    proc: subprocess.Popen[str] | None = None
+    proc: subprocess.Popen[bytes] | None = None
     command_stream: TimedCommandStream | None = None
     early_rc: int | None = None
     if command:
-        stream, proc, early_rc = run_command(command, args.timeout_seconds)
+        stream, proc, early_rc = run_command(
+            command,
+            args.timeout_seconds,
+            max_line_chars=COMMAND_MAX_UNTERMINATED_LINE_CHARS,
+        )
         if isinstance(stream, TimedCommandStream):
             command_stream = stream
         if early_rc is not None and proc is None:

package/plugins/context-guard/bin/context-guard-setup

@@ -2210,6 +2210,25 @@ def backup_existing(path: Path) -> Path | None:
     return backup
 
 
+def rollback_restore_guidance(settings_path: Path, backup_path: Path | None, original_existed: bool) -> str:
+    if backup_path is not None:
+        return (
+            "Restore only with a no-follow, symlink-safe copy that opens the backup and target parent "
+            "without following links, then atomically replaces the target; do not use generic shell "
+            f"copy/delete commands on this mutable target. Backup: {backup_path}. Target: {settings_path}."
+        )
+    if original_existed:
+        return (
+            "No backup path was recorded; inspect the target with no-follow file operations before any "
+            f"manual recovery. Do not use generic shell copy/delete commands on this mutable target: {settings_path}."
+        )
+    return (
+        "The target did not exist before setup. If cleanup is required, verify the target and every parent "
+        "without following symlinks and remove only the verified regular file; do not use generic shell "
+        f"delete commands on this mutable target: {settings_path}."
+    )
+
+
 def write_rollback_record(
     *,
     root: Path,
@@ -2237,11 +2256,8 @@ def write_rollback_record(
         "target_path": str(settings_path),
         "backup_path": str(backup_path) if backup_path else None,
         "original_existed": original_existed,
-        "restore": (
-            f"cp {shlex.quote(str(backup_path))} {shlex.quote(str(settings_path))}"
-            if backup_path
-            else f"rm -f {shlex.quote(str(settings_path))}"
-        ),
+        "restore": rollback_restore_guidance(settings_path, backup_path, original_existed),
+        "restore_requires_no_follow": True,
     }
     atomic_write(rollback_path, json.dumps(record, indent=2, sort_keys=True) + "\n", 0o600)
     return rollback_id, rollback_path