@miller-tech/uap 1.26.1 → 1.26.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@miller-tech/uap",
-  "version": "1.26.1",
+  "version": "1.26.3",
   "description": "Autonomous AI agent memory system with CLAUDE.md protocol enforcement",
   "type": "module",
   "main": "dist/index.js",

package/templates/hooks/pre-tool-use-edit-write.sh

@@ -32,10 +32,17 @@ fi
 # (common for Write to a new file).
 ABS_PATH="$(realpath -m "$FILE_PATH" 2>/dev/null || printf '%s' "$FILE_PATH")"
 
-# Resolve repo root from current working directory. If cwd is not inside a
-# git repo at all, allow — there's no worktree policy to enforce.
+# Resolve repo root from current working directory. In a BARE repo (this
+# project's layout) `git rev-parse --show-toplevel` returns empty even from the
+# project root — so fall back to the root derived from the hook's own location
+# (<root>/.factory/hooks/) and FAIL CLOSED. A missing repo root must not silently
+# disable the worktree guard, which previously let root-dir edits through.
 REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || true)"
 if [ -z "$REPO_ROOT" ]; then
+  REPO_ROOT="$(cd "$HOOK_DIR/../.." 2>/dev/null && pwd || true)"
+fi
+if [ -z "$REPO_ROOT" ]; then
+  # Genuinely cannot locate a project root — nothing to enforce against.
   exit 0
 fi
 

package/templates/hooks/uap-policy-gate.sh

@@ -4,21 +4,42 @@
 set -euo pipefail
 
 PAYLOAD="$(cat)"
-REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
-cd "$REPO_ROOT"
+HOOK_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Resolve two roots:
+#   CHECKOUT_ROOT — the current working tree (a worktree under .worktrees/, or the
+#                   main checkout). git-based enforcers run their `git diff` here.
+#   MAIN_ROOT     — the main checkout that holds RUNTIME data. policies.db and the
+#                   .policy-tools/ enforcers live ONLY here (policies.db is gitignored
+#                   and is never copied into worktrees).
+# Previously the DB path was resolved against the checkout root, so when a tool ran
+# from inside a worktree the gate found no policies.db and silently skipped ALL
+# policy enforcement. Anchor DB + enforcer paths to MAIN_ROOT to fix that, while
+# keeping the enforcer working directory on the actual working tree.
+CHECKOUT_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || true)"
+[[ -z "$CHECKOUT_ROOT" ]] && CHECKOUT_ROOT="$(cd "$HOOK_DIR/../.." 2>/dev/null && pwd || pwd)"
+MAIN_ROOT="${CHECKOUT_ROOT%%/.worktrees/*}"
+
+# Anchor enforcers to MAIN_ROOT via _common.repo_root(). This is the project root
+# that *contains* the worktrees, so path-relative enforcers reason correctly from
+# any cwd — e.g. worktree-required sees an edit as ".worktrees/NNN/..." (allow)
+# instead of, when run from inside a worktree, resolving repo_root to the worktree
+# itself and mis-flagging a legitimate worktree edit as a root edit (false block).
+export UAP_REPO_ROOT="$MAIN_ROOT"
+cd "$MAIN_ROOT"
 
 TOOL="$(printf '%s' "$PAYLOAD" | python3 -c 'import json,sys; d=json.load(sys.stdin); print(d.get("tool_name") or d.get("tool") or "")' 2>/dev/null || true)"
 ARGS="$(printf '%s' "$PAYLOAD" | python3 -c 'import json,sys; d=json.load(sys.stdin); print(json.dumps(d.get("tool_input") or d.get("args") or {}))' 2>/dev/null || echo '{}')"
 
 [[ -z "$TOOL" ]] && exit 0
 
-DB="agents/data/memory/policies.db"
+DB="$MAIN_ROOT/agents/data/memory/policies.db"
 [[ ! -f "$DB" ]] && exit 0
 
 # Iterate active policies with attached executable tools
 while IFS='|' read -r pid pname tool; do
   [[ -z "$pid" ]] && continue
-  enforcer=".policy-tools/${pid}_${tool}.py"
+  enforcer="$MAIN_ROOT/.policy-tools/${pid}_${tool}.py"
   [[ ! -f "$enforcer" ]] && continue
   out="$(python3 "$enforcer" --operation "$TOOL" --args "$ARGS" 2>/dev/null || true)"
   allowed="$(printf '%s' "$out" | python3 -c 'import json,sys;