@seanmozeik/tripwire 0.1.0 → 0.2.0

package/README.md

@@ -14,11 +14,16 @@ bun install @seanmozeik/tripwire
 tripwire test '<command>'                 # Test a command
 tripwire test --tool=Read --path=.env     # Test Read tool
 tripwire test --post --tool=Bash --stdout='ghp_TOKEN'  # Test PostToolUse
+
+tripwire install claude                   # Install hooks for Claude Code
+tripwire install codex                    # Install hooks for Codex
+tripwire install pi                       # Install hooks for pi-guardrails
+tripwire install all                      # Install hooks for all agents
 ```
 
 ## Hook Configuration
 
-Configure your AI agent to call `tripwire-hook` for hook events:
+Configure your AI agent to call `tripwire-hook` for hook events. You can do this manually, or use the `tripwire install` command to automatically configure hooks for supported agents:
 
 ### Claude Code
 

package/dist/tripwire-cli.js

@@ -1,6 +1,11 @@
 #!/usr/bin/env bun
 // @bun @bytecode @bun-cjs
-(function(exports, require, module, __filename, __dirname) {var L=require("child_process"),M="/Users/sean/dev/tripwire/src/../dist/tripwire.js",O=(f)=>{let j="Bash",z=!1,x,F,G,J,K;for(let q of f){if(q==="--post"){z=!0;continue}if(q.startsWith("--tool=")){j=q.slice(7);continue}if(q.startsWith("--path=")){x=q.slice(7);continue}if(q.startsWith("--stdout=")){G=q.slice(9);continue}if(q.startsWith("--stderr=")){J=q.slice(9);continue}if(q.startsWith("--content=")){K=q.slice(10);continue}F??=q}return{tool:j,post:z,path:x,command:F,stdout:G,stderr:J,content:K}},Q=(f,j)=>{if(f==="Bash")return{command:j.command??""};if(f==="Read")return{file_path:j.path??""};if(f==="Write")return{file_path:j.path??"",content:j.content??""};if(f==="Edit"||f==="MultiEdit")return{file_path:j.path??"",old_string:"",new_string:j.content??""};return},R=(f)=>{let j=f.post?"PostToolUse":"PreToolUse",z=f.tool,x={hook_event_name:j,tool_name:z,cwd:process.cwd(),session_id:"tripwire-cli-test",tool_input:Q(z,f)};if(f.post)x.tool_response=z==="Bash"?{stdout:f.stdout??"",stderr:f.stderr??""}:{content:f.content??""};return x},V=()=>{process.stdout.write(["tripwire CLI \u2014 synthetic-event tester","","Usage:","  tripwire test '<command>'                 # PreToolUse Bash","  tripwire test --tool=Read --path=.env     # PreToolUse Read","  tripwire test --tool=Write --path=foo.ts --content='TODO finish'","  tripwire test --post --tool=Bash --stdout='ghp_REAL_TOKEN'  # PostToolUse",""].join(`
-`))},W=()=>{let f=process.argv.slice(2);if(f.length===0||f[0]!=="test")V(),process.exit(0);let j=O(f.slice(1)),z=R(j),x=L.spawnSync(M,[],{input:JSON.stringify(z),encoding:"utf8",timeout:1e4});if(x.error!==void 0)process.stderr.write(`error: ${String(x.error)}
-`),process.exit(1);let F=x.stdout;try{let G=JSON.parse(F);process.stdout.write(`${JSON.stringify(G,null,2)}
-`)}catch{process.stdout.write(F)}};W();})
+(function(exports, require, module, __filename, __dirname) {var S=require("@effect/platform-bun"),Q=require("effect"),w=require("effect/unstable/cli");var W={name:"@seanmozeik/tripwire",version:"0.2.0",description:"Opinionated hooks dispatcher for AI coding agents with configurable safety rules",license:"MIT",bin:{tripwire:"./dist/tripwire-cli.js","tripwire-hook":"./dist/tripwire.js"},files:["dist","package.json","src","README.md"],type:"module",exports:{".":"./src/index.ts"},publishConfig:{access:"public"},scripts:{build:"bun scripts/build.ts",prepublishOnly:"bun run build",check:"bun run format && bun run lint:fix && bun run typecheck",format:"oxfmt --write .",lint:"oxlint --tsconfig tsconfig.oxlint.json .","lint:fix":"oxlint --format agent --tsconfig tsconfig.oxlint.json --fix .",test:"bun test",typecheck:"tsc --noEmit"},dependencies:{"@effect/platform-bun":"^4.0.0-beta.65",effect:"^4.0.0-beta.65","shell-quote":"^1.8.3"},devDependencies:{"@types/bun":"^1.3.13","@types/shell-quote":"^1.7.5",oxfmt:"^0.48.0",oxlint:"^1.61.0","oxlint-tsgolint":"^0.22.1",typescript:"^6.0.3"},engines:{bun:">=1.0"}};var B=require("os"),N=globalThis.Bun,X="tripwire-hook",Z=(b)=>{if(!b)return[[{hooks:[{type:"command",command:X}]}],!1];let q=!1,x=b.map((L)=>({hooks:L.hooks.map((D)=>{if(D.command===X||D.command.endsWith("/tripwire-hook")){if(D.command!==X)return q=!0,{...D,command:X};return D}return D})}));if(x.some((L)=>L.hooks.some((D)=>D.command===X)))return[x,!q];return[[...x,{hooks:[{type:"command",command:X}]}],!1]},v=async()=>{let b=`${B.homedir()}/.claude/settings.json`,q=N.file(b);try{let x=await q.text(),y=JSON.parse(x);y.hooks??={};let[G,L]=Z(y.hooks.PreToolUse),[D,j]=Z(y.hooks.PostToolUse);if(y.hooks.PreToolUse=G,y.hooks.PostToolUse=D,L&&j)return{success:!0,message:`Already configured: ${b}`};return await q.write(`${JSON.stringify(y,null,2)}
+`),{success:!0,message:`Updated ${b}`}}catch(x){let y=x instanceof Error?x.message:String(x);if(y.includes("No such file"))return{success:!1,message:`Config file not found: ${b}`};return{success:!1,message:`Failed to update Claude config: ${y}`}}},A=async()=>{let b=`${B.homedir()}/.pi/agent/settings.json`,q=N.file(b);try{let x=await q.text(),y=JSON.parse(x);y.hooks??={};let[G,L]=Z(y.hooks.PreToolUse),[D,j]=Z(y.hooks.PostToolUse);if(y.hooks.PreToolUse=G,y.hooks.PostToolUse=D,L&&j)return{success:!0,message:`Already configured: ${b}`};return await q.write(`${JSON.stringify(y,null,2)}
+`),{success:!0,message:`Updated ${b}`}}catch(x){let y=x instanceof Error?x.message:String(x);if(y.includes("No such file"))return{success:!1,message:`Config file not found: ${b}`};return{success:!1,message:`Failed to update pi config: ${y}`}}},J=async()=>{let b=`${B.homedir()}/.codex/config.toml`,q=`${B.homedir()}/.codex/hooks.json`,x=N.file(q),y=N.file(b),G=!1,L=!1;try{let D=await x.text(),j=JSON.parse(D);j.hooks??={};let[Y,V]=Z(j.hooks.PreToolUse),[z,$]=Z(j.hooks.PostToolUse);if(j.hooks.PreToolUse=Y,j.hooks.PostToolUse=z,!V||!$)G=!0;let K=(U)=>{return U?.map((E)=>({hooks:E.hooks.map((M)=>{if(M.command===X&&M.timeout===void 0)return{...M,timeout:10};return M})}))??[]};if(j.hooks.PreToolUse=K(j.hooks.PreToolUse),j.hooks.PostToolUse=K(j.hooks.PostToolUse),G)await x.write(`${JSON.stringify(j,null,2)}
+`)}catch(D){let j=D instanceof Error?D.message:String(D);if(j.includes("No such file"))return{success:!1,message:`Config file not found: ${q}`};return{success:!1,message:`Failed to update Codex hooks.json: ${j}`}}try{let j=await y.text();if(j.includes("hooks = true"));else if(L=!0,j.includes("[features]")){let Y=j.indexOf("[features]"),V=j.indexOf(`
+[`,Y+1);if(V===-1)j+=`
+hooks = true`;else j=`${j.slice(0,V)}
+hooks = true${j.slice(V)}`}else j+=`
+[features]
+hooks = true`;if(L)await y.write(j)}catch(D){let j=D instanceof Error?D.message:String(D);if(j.includes("No such file"))return{success:!1,message:`Config file not found: ${b}`};return{success:!1,message:`Failed to update Codex config.toml: ${j}`}}if(!G&&!L)return{success:!0,message:`Already configured: ${b} and ${q}`};return{success:!0,message:`Updated ${b} and ${q}`}},_=async()=>{return[{target:"claude",...await v()},{target:"codex",...await J()},{target:"pi",...await A()}]};var C="/Users/sean/dev/tripwire/src/../dist/tripwire.js",H=(b,q,x,y)=>{if(b==="Bash")return{command:q??""};if(b==="Read")return{file_path:x??""};if(b==="Write")return{file_path:x??"",content:y??""};if(b==="Edit"||b==="MultiEdit")return{file_path:x??"",old_string:"",new_string:y??""};return},O=(b)=>{let{tool:q,post:x,command:y,path:G,stdout:L,stderr:D,content:j}=b,V={hook_event_name:x?"PostToolUse":"PreToolUse",tool_name:q,cwd:process.cwd(),session_id:"tripwire-cli-test",tool_input:H(q,y,G,j)};if(x)V.tool_response=q==="Bash"?{stdout:L??"",stderr:D??""}:{content:j??""};return V},u=(b)=>Q.Effect.sync(()=>{let{command:q,content:x,path:y,post:G,stderr:L,stdout:D,tool:j}=b,Y=O({tool:j,post:G,command:q,path:y,stdout:D,stderr:L,content:x}),V=Bun.spawnSync([C],{stdin:new TextEncoder().encode(JSON.stringify(Y)),timeout:1e4,stdout:"pipe",stderr:"pipe"});if(V.exitCode!==0){let $=new TextDecoder().decode(V.stderr);console.error(`error: ${$}`),process.exit(1)}let z=new TextDecoder().decode(V.stdout);try{let $=JSON.parse(z);console.log(JSON.stringify($,null,2))}catch{console.log(z)}}),T=w.Command.make("test",{command:w.Argument.string("command").pipe(w.Argument.optional,w.Argument.withDescription("Command to test (for Bash tool)")),content:w.Flag.string("content").pipe(w.Flag.optional,w.Flag.withDescription("Content for Write/Edit tools")),path:w.Flag.string("path").pipe(w.Flag.optional,w.Flag.withDescription("File path for Read/Write/Edit tools")),post:w.Flag.boolean("post").pipe(w.Flag.withDescription("Test PostToolUse instead of PreToolUse")),stderr:w.Flag.string("stderr").pipe(w.Flag.optional,w.Flag.withDescription("Stderr for PostToolUse Bash")),stdout:w.Flag.string("stdout").pipe(w.Flag.optional,w.Flag.withDescription("Stdout for PostToolUse Bash")),tool:w.Flag.string("tool").pipe(w.Flag.withDefault("Bash"),w.Flag.withDescription("Tool name (Bash, Read, Write, Edit, MultiEdit)"))},({command:b,content:q,path:x,post:y,stderr:G,stdout:L,tool:D})=>u({command:Q.Option.getOrUndefined(b),content:Q.Option.getOrUndefined(q),path:Q.Option.getOrUndefined(x),post:y,stderr:Q.Option.getOrUndefined(G),stdout:Q.Option.getOrUndefined(L),tool:D})).pipe(w.Command.withDescription("Test a synthetic hook event")),I=(b)=>Q.Effect.gen(function*(){if(!["claude","codex","pi","all"].includes(b))console.error(`error: unknown target "${b}"`),console.error("Valid targets: claude, codex, pi, all"),process.exit(1);let q;switch(b){case"claude":{q=[{target:"claude",result:yield*Q.Effect.promise(()=>v())}];break}case"codex":{q=[{target:"codex",result:yield*Q.Effect.promise(()=>J())}];break}case"pi":{q=[{target:"pi",result:yield*Q.Effect.promise(()=>A())}];break}case"all":{q=(yield*Q.Effect.promise(()=>_())).map((G)=>({target:G.target,result:G}));break}default:{q=[];break}}let x=!1;for(let{target:y,result:G}of q)if(G.success){let L=G.message.startsWith("Already configured")?"\u2299":"\u2713";console.log(`${L} [${y}] ${G.message}`)}else console.error(`\u2717 [${y}] ${G.message}`),x=!0;if(x)process.exit(1)}),P=w.Command.make("install",{target:w.Argument.string("target").pipe(w.Argument.withDescription("Target agent (claude, codex, pi, or all)"))},({target:b})=>I(b)).pipe(w.Command.withDescription("Install tripwire hooks for AI agents")),F=w.Command.make("tripwire").pipe(w.Command.withDescription("Opinionated hooks dispatcher for AI coding agents"),w.Command.withSubcommands([T,P])),p=w.Command.run(F,{version:W.version}),c=async()=>{try{await Q.Effect.runPromise(p.pipe(Q.Effect.provide(S.BunServices.layer)))}catch(b){let q=b instanceof Error?b.message:String(b);console.error(q),process.exitCode=1}};c();})

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {

package/src/cli.ts

@@ -3,62 +3,25 @@
 // Dispatcher and pretty-print the decision. Indispensable for tuning
 // Rules without going through Claude Code.
 //
+// `tripwire install <target>` — install tripwire hooks for AI agents.
+//
 // Usage:
 //   Bun src/cli.ts test 'rm -rf /etc'
 //   Bun src/cli.ts test --tool=Read --path=.env
 //   Bun src/cli.ts test --post --tool=Bash --stdout='ghp_<token>'
+//   Bun src/cli.ts install claude
+//   Bun src/cli.ts install codex
+//   Bun src/cli.ts install pi
+//   Bun src/cli.ts install all
 
-import { spawnSync } from 'node:child_process';
-
-const DISPATCH_BIN = `${import.meta.dir}/../dist/tripwire.js`;
+import { BunServices } from '@effect/platform-bun';
+import { Effect, Option } from 'effect';
+import { Argument, Command, Flag } from 'effect/unstable/cli';
 
-interface CliArgs {
-  readonly tool: string;
-  readonly post: boolean;
-  readonly path: string | undefined;
-  readonly command: string | undefined;
-  readonly stdout: string | undefined;
-  readonly stderr: string | undefined;
-  readonly content: string | undefined;
-}
+import pkg from '../package.json' with { type: 'json' };
+import { installAll, installClaude, installCodex, installPi } from './lib/install';
 
-const parseArgs = (argv: readonly string[]): CliArgs => {
-  let tool = 'Bash';
-  let post = false;
-  let path: string | undefined;
-  let command: string | undefined;
-  let stdout: string | undefined;
-  let stderr: string | undefined;
-  let content: string | undefined;
-  for (const a of argv) {
-    if (a === '--post') {
-      post = true;
-      continue;
-    }
-    if (a.startsWith('--tool=')) {
-      tool = a.slice('--tool='.length);
-      continue;
-    }
-    if (a.startsWith('--path=')) {
-      path = a.slice('--path='.length);
-      continue;
-    }
-    if (a.startsWith('--stdout=')) {
-      stdout = a.slice('--stdout='.length);
-      continue;
-    }
-    if (a.startsWith('--stderr=')) {
-      stderr = a.slice('--stderr='.length);
-      continue;
-    }
-    if (a.startsWith('--content=')) {
-      content = a.slice('--content='.length);
-      continue;
-    }
-    command ??= a;
-  }
-  return { tool, post, path, command, stdout, stderr, content };
-};
+const DISPATCH_BIN = `${import.meta.dir}/../dist/tripwire.js`;
 
 interface BuiltEvent {
   hook_event_name: string;
@@ -69,80 +32,209 @@ interface BuiltEvent {
   tool_response?: unknown;
 }
 
-const buildToolInput = (tool: string, args: CliArgs): unknown => {
+const buildToolInput = (
+  tool: string,
+  command: string | undefined,
+  path: string | undefined,
+  content: string | undefined,
+): unknown => {
   if (tool === 'Bash') {
-    return { command: args.command ?? '' };
+    return { command: command ?? '' };
   }
   if (tool === 'Read') {
-    return { file_path: args.path ?? '' };
+    return { file_path: path ?? '' };
   }
   if (tool === 'Write') {
-    return { file_path: args.path ?? '', content: args.content ?? '' };
+    return { file_path: path ?? '', content: content ?? '' };
   }
   if (tool === 'Edit' || tool === 'MultiEdit') {
-    return { file_path: args.path ?? '', old_string: '', new_string: args.content ?? '' };
+    return { file_path: path ?? '', old_string: '', new_string: content ?? '' };
   }
   return undefined;
 };
 
-const buildEvent = (args: CliArgs): BuiltEvent => {
-  const eventName = args.post ? 'PostToolUse' : 'PreToolUse';
-  const tool = args.tool;
+interface EventParams {
+  readonly tool: string;
+  readonly post: boolean;
+  readonly command: string | undefined;
+  readonly path: string | undefined;
+  readonly stdout: string | undefined;
+  readonly stderr: string | undefined;
+  readonly content: string | undefined;
+}
+
+const buildEvent = (params: EventParams): BuiltEvent => {
+  const { tool, post, command, path, stdout, stderr, content } = params;
+  const eventName = post ? 'PostToolUse' : 'PreToolUse';
   const event: BuiltEvent = {
     hook_event_name: eventName,
     tool_name: tool,
     cwd: process.cwd(),
     session_id: 'tripwire-cli-test',
-    tool_input: buildToolInput(tool, args),
+    tool_input: buildToolInput(tool, command, path, content),
   };
-  if (args.post) {
+  if (post) {
     event.tool_response =
-      tool === 'Bash'
-        ? { stdout: args.stdout ?? '', stderr: args.stderr ?? '' }
-        : { content: args.content ?? '' };
+      tool === 'Bash' ? { stdout: stdout ?? '', stderr: stderr ?? '' } : { content: content ?? '' };
   }
   return event;
 };
 
-const printUsage = (): void => {
-  process.stdout.write(
-    [
-      'tripwire CLI — synthetic-event tester',
-      '',
-      'Usage:',
-      "  tripwire test '<command>'                 # PreToolUse Bash",
-      '  tripwire test --tool=Read --path=.env     # PreToolUse Read',
-      "  tripwire test --tool=Write --path=foo.ts --content='TODO finish'",
-      "  tripwire test --post --tool=Bash --stdout='ghp_REAL_TOKEN'  # PostToolUse",
-      '',
-    ].join('\n'),
-  );
-};
+const runTest = (config: {
+  readonly command: string | undefined;
+  readonly content: string | undefined;
+  readonly path: string | undefined;
+  readonly post: boolean;
+  readonly stderr: string | undefined;
+  readonly stdout: string | undefined;
+  readonly tool: string;
+}): Effect.Effect<void> =>
+  Effect.sync(() => {
+    const { command, content, path, post, stderr, stdout, tool } = config;
+    const event = buildEvent({ tool, post, command, path, stdout, stderr, content });
+    const result = Bun.spawnSync([DISPATCH_BIN], {
+      stdin: new TextEncoder().encode(JSON.stringify(event)),
+      timeout: 10_000,
+      stdout: 'pipe',
+      stderr: 'pipe',
+    });
+    if (result.exitCode !== 0) {
+      const errorOutput = new TextDecoder().decode(result.stderr);
+      console.error(`error: ${errorOutput}`);
+      process.exit(1);
+    }
+    const output = new TextDecoder().decode(result.stdout);
+    try {
+      const parsed = JSON.parse(output) as unknown;
+      console.log(JSON.stringify(parsed, null, 2));
+    } catch {
+      console.log(output);
+    }
+  });
 
-const main = (): void => {
-  const argv = process.argv.slice(2);
-  if (argv.length === 0 || argv[0] !== 'test') {
-    printUsage();
-    process.exit(0);
-  }
-  const args = parseArgs(argv.slice(1));
-  const event = buildEvent(args);
-  const result = spawnSync(DISPATCH_BIN, [], {
-    input: JSON.stringify(event),
-    encoding: 'utf8',
-    timeout: 10_000,
+const testCommand = Command.make(
+  'test',
+  {
+    command: Argument.string('command').pipe(
+      Argument.optional,
+      Argument.withDescription('Command to test (for Bash tool)'),
+    ),
+    content: Flag.string('content').pipe(
+      Flag.optional,
+      Flag.withDescription('Content for Write/Edit tools'),
+    ),
+    path: Flag.string('path').pipe(
+      Flag.optional,
+      Flag.withDescription('File path for Read/Write/Edit tools'),
+    ),
+    post: Flag.boolean('post').pipe(Flag.withDescription('Test PostToolUse instead of PreToolUse')),
+    stderr: Flag.string('stderr').pipe(
+      Flag.optional,
+      Flag.withDescription('Stderr for PostToolUse Bash'),
+    ),
+    stdout: Flag.string('stdout').pipe(
+      Flag.optional,
+      Flag.withDescription('Stdout for PostToolUse Bash'),
+    ),
+    tool: Flag.string('tool').pipe(
+      Flag.withDefault('Bash'),
+      Flag.withDescription('Tool name (Bash, Read, Write, Edit, MultiEdit)'),
+    ),
+  },
+  ({ command, content, path, post, stderr, stdout, tool }) =>
+    runTest({
+      command: Option.getOrUndefined(command),
+      content: Option.getOrUndefined(content),
+      path: Option.getOrUndefined(path),
+      post,
+      stderr: Option.getOrUndefined(stderr),
+      stdout: Option.getOrUndefined(stdout),
+      tool,
+    }),
+).pipe(Command.withDescription('Test a synthetic hook event'));
+
+const runInstall = (target: string): Effect.Effect<void> =>
+  Effect.gen(function* () {
+    if (!['claude', 'codex', 'pi', 'all'].includes(target)) {
+      console.error(`error: unknown target "${target}"`);
+      console.error('Valid targets: claude, codex, pi, all');
+      process.exit(1);
+    }
+
+    let results: {
+      readonly target: string;
+      readonly result: { readonly success: boolean; readonly message: string };
+    }[];
+
+    switch (target) {
+      case 'claude': {
+        const result = yield* Effect.promise(() => installClaude());
+        results = [{ target: 'claude', result }];
+        break;
+      }
+      case 'codex': {
+        const result = yield* Effect.promise(() => installCodex());
+        results = [{ target: 'codex', result }];
+        break;
+      }
+      case 'pi': {
+        const result = yield* Effect.promise(() => installPi());
+        results = [{ target: 'pi', result }];
+        break;
+      }
+      case 'all': {
+        const installResults = yield* Effect.promise(() => installAll());
+        results = installResults.map((r) => ({ target: r.target, result: r }));
+        break;
+      }
+      default: {
+        results = [];
+        break;
+      }
+    }
+
+    let hasFailure = false;
+    for (const { target: t, result: r } of results) {
+      if (r.success) {
+        const symbol = r.message.startsWith('Already configured') ? '⊙' : '✓';
+        console.log(`${symbol} [${t}] ${r.message}`);
+      } else {
+        console.error(`✗ [${t}] ${r.message}`);
+        hasFailure = true;
+      }
+    }
+
+    if (hasFailure) {
+      process.exit(1);
+    }
   });
-  if (result.error !== undefined) {
-    process.stderr.write(`error: ${String(result.error)}\n`);
-    process.exit(1);
-  }
-  const stdout: string = result.stdout;
+
+const installCommand = Command.make(
+  'install',
+  {
+    target: Argument.string('target').pipe(
+      Argument.withDescription('Target agent (claude, codex, pi, or all)'),
+    ),
+  },
+  ({ target }) => runInstall(target),
+).pipe(Command.withDescription('Install tripwire hooks for AI agents'));
+
+const app = Command.make('tripwire').pipe(
+  Command.withDescription('Opinionated hooks dispatcher for AI coding agents'),
+  Command.withSubcommands([testCommand, installCommand]),
+);
+
+const program = Command.run(app, { version: pkg.version });
+
+const main = async (): Promise<void> => {
   try {
-    const parsed = JSON.parse(stdout) as unknown;
-    process.stdout.write(`${JSON.stringify(parsed, null, 2)}\n`);
-  } catch {
-    process.stdout.write(stdout);
+    await Effect.runPromise(program.pipe(Effect.provide(BunServices.layer)));
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(message);
+    process.exitCode = 1;
   }
 };
 
-main();
+// oxlint-disable-next-line no-void, unicorn/prefer-top-level-await
+void main();

package/src/lib/config.ts

@@ -89,7 +89,7 @@ export const loadConfig = (): Effect.Effect<Config> =>
     return mergeWithDefaults(config);
   }).pipe(
     Effect.timeout(1000),
-    // eslint-disable-next-line promise/prefer-await-to-then
+    // oxlint-disable-next-line promise/prefer-await-to-then
     Effect.catch(() => {
       // Log error but return defaults to never block the agent
       console.error('[tripwire] Config loading failed, using defaults');

package/src/lib/install.ts

@@ -0,0 +1,238 @@
+// Config installation module for tripwire hooks.
+// Parses and upserts hook configurations for Claude Code, Codex, and pi-guardrails.
+
+import { homedir } from 'node:os';
+
+import { file } from 'bun';
+
+interface ClaudeConfig {
+  hooks?: {
+    PreToolUse?: { hooks: { type: string; command: string }[] }[];
+    PostToolUse?: { hooks: { type: string; command: string }[] }[];
+  };
+}
+
+interface PiConfig {
+  hooks?: {
+    PreToolUse?: { hooks: { type: string; command: string }[] }[];
+    PostToolUse?: { hooks: { type: string; command: string }[] }[];
+  };
+}
+
+interface CodexHooksConfig {
+  hooks?: {
+    PreToolUse?: { hooks: { type: string; command: string; timeout?: number }[] }[];
+    PostToolUse?: { hooks: { type: string; command: string; timeout?: number }[] }[];
+  };
+}
+
+const TRIPWIRE_HOOK = 'tripwire-hook';
+
+const addHookIfMissing = (
+  hooks: { hooks: { type: string; command: string; timeout?: number }[] }[] | undefined,
+): [{ hooks: { type: string; command: string; timeout?: number }[] }[], boolean] => {
+  if (!hooks) {
+    const newHooks: { hooks: { type: string; command: string; timeout?: number }[] }[] = [
+      { hooks: [{ type: 'command', command: TRIPWIRE_HOOK }] },
+    ];
+    return [newHooks, false];
+  }
+
+  let needsNormalization = false;
+
+  const normalizedHooks = hooks.map((h) => ({
+    hooks: h.hooks.map((hook) => {
+      if (hook.command === TRIPWIRE_HOOK || hook.command.endsWith('/tripwire-hook')) {
+        if (hook.command !== TRIPWIRE_HOOK) {
+          needsNormalization = true;
+          return { ...hook, command: TRIPWIRE_HOOK };
+        }
+        return hook;
+      }
+      return hook;
+    }),
+  }));
+
+  const hasTripwire = normalizedHooks.some((h) =>
+    h.hooks.some((hook) => hook.command === TRIPWIRE_HOOK),
+  );
+
+  if (hasTripwire) {
+    return [normalizedHooks, !needsNormalization];
+  }
+
+  const newHooks: { hooks: { type: string; command: string; timeout?: number }[] }[] = [
+    ...normalizedHooks,
+    { hooks: [{ type: 'command', command: TRIPWIRE_HOOK }] },
+  ];
+  return [newHooks, false];
+};
+
+export const installClaude = async (): Promise<{ success: boolean; message: string }> => {
+  const configPath = `${homedir()}/.claude/settings.json`;
+  const configFile = file(configPath);
+
+  try {
+    const raw = await configFile.text();
+    const config = JSON.parse(raw) as ClaudeConfig;
+
+    config.hooks ??= {};
+    const [preToolUse, preSkipped] = addHookIfMissing(config.hooks.PreToolUse);
+    const [postToolUse, postSkipped] = addHookIfMissing(config.hooks.PostToolUse);
+
+    config.hooks.PreToolUse = preToolUse;
+    config.hooks.PostToolUse = postToolUse;
+
+    if (preSkipped && postSkipped) {
+      return { success: true, message: `Already configured: ${configPath}` };
+    }
+
+    await configFile.write(`${JSON.stringify(config, null, 2)}\n`);
+
+    return { success: true, message: `Updated ${configPath}` };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('No such file')) {
+      return { success: false, message: `Config file not found: ${configPath}` };
+    }
+    return { success: false, message: `Failed to update Claude config: ${message}` };
+  }
+};
+
+export const installPi = async (): Promise<{ success: boolean; message: string }> => {
+  const configPath = `${homedir()}/.pi/agent/settings.json`;
+  const configFile = file(configPath);
+
+  try {
+    const raw = await configFile.text();
+    const config = JSON.parse(raw) as PiConfig;
+
+    config.hooks ??= {};
+    const [preToolUse, preSkipped] = addHookIfMissing(config.hooks.PreToolUse);
+    const [postToolUse, postSkipped] = addHookIfMissing(config.hooks.PostToolUse);
+
+    config.hooks.PreToolUse = preToolUse;
+    config.hooks.PostToolUse = postToolUse;
+
+    if (preSkipped && postSkipped) {
+      return { success: true, message: `Already configured: ${configPath}` };
+    }
+
+    await configFile.write(`${JSON.stringify(config, null, 2)}\n`);
+
+    return { success: true, message: `Updated ${configPath}` };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('No such file')) {
+      return { success: false, message: `Config file not found: ${configPath}` };
+    }
+    return { success: false, message: `Failed to update pi config: ${message}` };
+  }
+};
+
+export const installCodex = async (): Promise<{ success: boolean; message: string }> => {
+  const configTomlPath = `${homedir()}/.codex/config.toml`;
+  const hooksJsonPath = `${homedir()}/.codex/hooks.json`;
+  const hooksJsonFile = file(hooksJsonPath);
+  const configTomlFile = file(configTomlPath);
+
+  let hooksUpdated = false;
+  let tomlUpdated = false;
+
+  // First, update hooks.json
+  try {
+    const raw = await hooksJsonFile.text();
+    const config = JSON.parse(raw) as CodexHooksConfig;
+
+    config.hooks ??= {};
+    const [preToolUse, preSkipped] = addHookIfMissing(config.hooks.PreToolUse);
+    const [postToolUse, postSkipped] = addHookIfMissing(config.hooks.PostToolUse);
+
+    config.hooks.PreToolUse = preToolUse;
+    config.hooks.PostToolUse = postToolUse;
+
+    if (!preSkipped || !postSkipped) {
+      hooksUpdated = true;
+    }
+
+    // Add timeout to tripwire-hook if not present
+    const addTimeout = (
+      hooks: { hooks: { type: string; command: string; timeout?: number }[] }[] | undefined,
+    ): { hooks: { type: string; command: string; timeout?: number }[] }[] => {
+      return (
+        hooks?.map((h) => ({
+          hooks: h.hooks.map((hook) => {
+            if (hook.command === TRIPWIRE_HOOK && hook.timeout === undefined) {
+              return { ...hook, timeout: 10 };
+            }
+            return hook;
+          }),
+        })) ?? []
+      );
+    };
+
+    config.hooks.PreToolUse = addTimeout(config.hooks.PreToolUse);
+    config.hooks.PostToolUse = addTimeout(config.hooks.PostToolUse);
+
+    if (hooksUpdated) {
+      await hooksJsonFile.write(`${JSON.stringify(config, null, 2)}\n`);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('No such file')) {
+      return { success: false, message: `Config file not found: ${hooksJsonPath}` };
+    }
+    return { success: false, message: `Failed to update Codex hooks.json: ${message}` };
+  }
+
+  // Then, update config.toml to enable hooks
+  try {
+    const raw = await configTomlFile.text();
+    let toml = raw;
+
+    // Enable hooks in [features] section
+    if (toml.includes('hooks = true')) {
+      // Already enabled, nothing to do
+    } else {
+      tomlUpdated = true;
+      if (toml.includes('[features]')) {
+        // Find [features] section and add hooks = true
+        const featuresIndex = toml.indexOf('[features]');
+        const nextSectionIndex = toml.indexOf('\n[', featuresIndex + 1);
+        if (nextSectionIndex === -1) {
+          toml += '\nhooks = true';
+        } else {
+          toml = `${toml.slice(0, nextSectionIndex)}\nhooks = true${toml.slice(nextSectionIndex)}`;
+        }
+      } else {
+        toml += '\n[features]\nhooks = true';
+      }
+    }
+
+    if (tomlUpdated) {
+      await configTomlFile.write(toml);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('No such file')) {
+      return { success: false, message: `Config file not found: ${configTomlPath}` };
+    }
+    return { success: false, message: `Failed to update Codex config.toml: ${message}` };
+  }
+
+  if (!hooksUpdated && !tomlUpdated) {
+    return { success: true, message: `Already configured: ${configTomlPath} and ${hooksJsonPath}` };
+  }
+
+  return { success: true, message: `Updated ${configTomlPath} and ${hooksJsonPath}` };
+};
+
+export const installAll = async (): Promise<
+  { target: string; success: boolean; message: string }[]
+> => {
+  return [
+    { target: 'claude', ...(await installClaude()) },
+    { target: 'codex', ...(await installCodex()) },
+    { target: 'pi', ...(await installPi()) },
+  ];
+};