@seanmozeik/tripwire 0.1.0

package/src/lib/event.ts

@@ -0,0 +1,106 @@
+import { Schema } from 'effect';
+
+const HookEvent = Schema.Struct({
+  hook_event_name: Schema.String,
+  tool_name: Schema.optional(Schema.String),
+  tool_input: Schema.optional(Schema.Unknown),
+  tool_response: Schema.optional(Schema.Unknown),
+  cwd: Schema.optional(Schema.String),
+  session_id: Schema.optional(Schema.String),
+  // Codex extension: present on every PreToolUse / PostToolUse event.
+  turn_id: Schema.optional(Schema.String),
+  tool_use_id: Schema.optional(Schema.String),
+});
+type HookEventType = typeof HookEvent.Type;
+
+interface BashInput {
+  readonly command: string;
+}
+
+interface EditInput {
+  readonly file_path: string;
+  readonly old_string: string;
+  readonly new_string: string;
+}
+
+interface WriteInput {
+  readonly file_path: string;
+  readonly content: string;
+}
+
+interface ReadInput {
+  readonly file_path: string;
+}
+
+// PostToolUse `tool_response` shape varies by tool. Bash returns
+// Stdout/stderr/interrupted; Read returns content; others vary. We extract
+// Any string-ish payload we can find for scanning purposes.
+interface BashResponse {
+  readonly stdout?: string;
+  readonly stderr?: string;
+  readonly interrupted?: boolean;
+}
+
+interface ReadResponse {
+  readonly content?: string;
+  readonly file?: { readonly content?: string };
+}
+
+const isBashInput = (x: unknown): x is BashInput =>
+  typeof x === 'object' && x !== null && typeof (x as BashInput).command === 'string';
+
+const isEditInput = (x: unknown): x is EditInput =>
+  typeof x === 'object' &&
+  x !== null &&
+  typeof (x as EditInput).file_path === 'string' &&
+  typeof (x as EditInput).old_string === 'string' &&
+  typeof (x as EditInput).new_string === 'string';
+
+const isWriteInput = (x: unknown): x is WriteInput =>
+  typeof x === 'object' &&
+  x !== null &&
+  typeof (x as WriteInput).file_path === 'string' &&
+  typeof (x as WriteInput).content === 'string';
+
+const isReadInput = (x: unknown): x is ReadInput =>
+  typeof x === 'object' && x !== null && typeof (x as ReadInput).file_path === 'string';
+
+// Extract any string payload from a tool_response we can scan for secrets.
+// Returns concatenated stdout/stderr for Bash, content for Read, or '' if
+// Nothing is recognizable.
+const extractResponseText = (toolName: string, response: unknown): string => {
+  if (typeof response !== 'object' || response === null) {
+    return '';
+  }
+  if (toolName === 'Bash') {
+    const r = response as BashResponse;
+    return [r.stdout ?? '', r.stderr ?? ''].filter((s) => s.length > 0).join('\n');
+  }
+  if (toolName === 'Read') {
+    const r = response as ReadResponse;
+    return r.content ?? r.file?.content ?? '';
+  }
+  // Best-effort fallback: stringify and let the scanner do its thing.
+  if (typeof (response as { content?: string }).content === 'string') {
+    return (response as { content?: string }).content ?? '';
+  }
+  return '';
+};
+
+export type {
+  BashInput,
+  BashResponse,
+  EditInput,
+  HookEventType as HookEvent,
+  ReadInput,
+  ReadResponse,
+  WriteInput,
+};
+export {
+  HookEvent as HookEventSchema,
+  extractResponseText,
+  isBashInput,
+  isEditInput,
+  isReadInput,
+  isWriteInput,
+};

package/src/lib/log.ts

@@ -0,0 +1,23 @@
+import { appendFileSync, mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { dirname } from 'node:path';
+
+const LOG_PATH = `${homedir()}/.claude/tripwire.log`;
+
+try {
+  mkdirSync(dirname(LOG_PATH), { recursive: true });
+} catch {
+  // Directory creation failure is non-fatal — logging is best-effort.
+}
+
+const logError = (rule: string, err: unknown): void => {
+  const stamp = new Date().toISOString();
+  const msg = err instanceof Error ? (err.stack ?? err.message) : String(err);
+  try {
+    appendFileSync(LOG_PATH, `[${stamp}] [${rule}] ${msg}\n`);
+  } catch {
+    // Never block the agent on a logging failure.
+  }
+};
+
+export { logError };

package/src/lib/rtk.ts

@@ -0,0 +1,96 @@
+// Wrap the `rtk hook claude` subprocess. After tripwire's gate passes on a
+// Bash tool call, we hand the original event to rtk to apply its
+// Command-rewrite logic (token-saver). If rtk returns an updatedInput, we
+// Merge that into our hook response.
+
+import { spawnSync } from 'node:child_process';
+
+import type { RtkConfig } from './config';
+
+interface RtkOutput {
+  readonly updatedCommand?: string;
+  readonly reason?: string;
+}
+
+const findRtkBin = (config: RtkConfig): string | null => {
+  // If config specifies a path, try it first
+  if (config.path !== undefined) {
+    return config.path;
+  }
+
+  // Try common locations
+  const home = process.env['HOME'] ?? '';
+  const commonPaths = ['/opt/homebrew/bin/rtk', '/usr/local/bin/rtk', `${home}/.local/bin/rtk`];
+
+  for (const path of commonPaths) {
+    try {
+      spawnSync('test', ['-x', path], { stdio: 'ignore' });
+      return path;
+    } catch {
+      continue;
+    }
+  }
+
+  // Try searching PATH
+  try {
+    const whichResult = spawnSync('which', ['rtk'], { stdio: 'pipe' });
+    if (whichResult.status === 0) {
+      const stdout = whichResult.stdout as string | Buffer | null;
+      if (stdout !== null) {
+        const path = String(stdout).trim();
+        if (path.length > 0) {
+          return path;
+        }
+      }
+    }
+  } catch {
+    // Ignore errors
+  }
+
+  return null;
+};
+
+const runRtkRewrite = (event: unknown, config: RtkConfig, timeoutMs = 2000): RtkOutput => {
+  // If rtk is disabled, skip it
+  if (!config.enabled) {
+    return {};
+  }
+
+  const rtkBin = findRtkBin(config);
+  if (rtkBin === null) {
+    // Rtk not found, silently continue
+    return {};
+  }
+
+  const payload = JSON.stringify(event);
+  const result = spawnSync(rtkBin, ['hook', 'claude'], {
+    input: payload,
+    encoding: 'utf8',
+    timeout: timeoutMs,
+    maxBuffer: 1024 * 1024,
+  });
+  if (result.error !== undefined || typeof result.stdout !== 'string') {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(result.stdout) as {
+      hookSpecificOutput?: {
+        permissionDecisionReason?: string;
+        updatedInput?: { command?: string };
+      };
+    };
+    const cmd = parsed.hookSpecificOutput?.updatedInput?.command;
+    const reason = parsed.hookSpecificOutput?.permissionDecisionReason;
+    if (typeof cmd !== 'string') {
+      return {};
+    }
+    if (typeof reason === 'string') {
+      return { updatedCommand: cmd, reason };
+    }
+    return { updatedCommand: cmd };
+  } catch {
+    return {};
+  }
+};
+
+export { runRtkRewrite };

package/src/lib/secrets.ts

@@ -0,0 +1,120 @@
+// Secret scanning via the `betterleaks` binary (Zach Rice's gitleaks
+// Successor, MIT). We spawn it once per PostToolUse, write the tool
+// Output to a temp file, scan the file, parse JSON findings, redact
+// Matches in-place, and delete the temp file.
+//
+// Why subprocess vs. inline regex: betterleaks ships the curated
+// 100+-rule pack the gitleaks ecosystem has tuned over years (AWS, GH,
+// Stripe, OpenAI, Anthropic, mongo URLs, JWTs, private keys, plus ~70
+// Long-tail vendors). We get all of it for one fork+exec, ~250–300ms.
+//
+// Why a temp file vs. `--pipe`: betterleaks `--pipe` *adds* stdin to its
+// Scan but does not replace the directory walk, so it scans the cwd as
+// Well. Writing to a tempfile in /tmp and using `--source <file>` is
+// Scoped, deterministic, and only ~5ms slower.
+
+import { spawnSync } from 'node:child_process';
+import { mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+interface BetterleaksFinding {
+  readonly RuleID: string;
+  readonly Description: string;
+  readonly StartLine: number;
+  readonly EndLine: number;
+  readonly Secret: string;
+  readonly Match: string;
+}
+
+interface ScanResult {
+  readonly hits: readonly { readonly rule: string; readonly count: number }[];
+  readonly redacted: string;
+}
+
+const BETTERLEAKS_BIN = '/opt/homebrew/bin/betterleaks';
+
+const summarizeHits = (
+  findings: readonly BetterleaksFinding[],
+): readonly { rule: string; count: number }[] => {
+  const counts = new Map<string, number>();
+  for (const f of findings) {
+    counts.set(f.RuleID, (counts.get(f.RuleID) ?? 0) + 1);
+  }
+  return [...counts.entries()].map(([rule, count]) => ({ rule, count }));
+};
+
+const escapeRegExp = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, String.raw`\$&`);
+
+// Replace every found secret in the original input with a tagged redaction.
+const redactWith = (input: string, findings: readonly BetterleaksFinding[]): string => {
+  let out = input;
+  // Sort by length descending so shorter matches that are substrings of
+  // Longer ones don't fire first and break the longer match.
+  const sorted = [...findings].toSorted((a, b) => b.Secret.length - a.Secret.length);
+  for (const f of sorted) {
+    if (f.Secret === '') {
+      continue;
+    }
+    out = out.replaceAll(f.Secret, `[REDACTED:${f.RuleID}]`);
+  }
+  return out;
+};
+
+const scanAndRedact = (input: string, timeoutMs = 5000): ScanResult => {
+  if (input.length === 0) {
+    return { hits: [], redacted: input };
+  }
+  const dir = mkdtempSync(join(tmpdir(), 'tripwire-scan-'));
+  const inPath = join(dir, 'input');
+  const reportPath = join(dir, 'report.json');
+  try {
+    writeFileSync(inPath, input);
+    const result = spawnSync(
+      BETTERLEAKS_BIN,
+      [
+        'detect',
+        '--no-git',
+        '--no-banner',
+        '--no-color',
+        '--report-format',
+        'json',
+        '--report-path',
+        reportPath,
+        '--source',
+        inPath,
+        '--exit-code',
+        '0',
+        '--log-level',
+        'error',
+      ],
+      { encoding: 'utf8', timeout: timeoutMs, maxBuffer: 64 * 1024 * 1024 },
+    );
+    if (result.error !== undefined) {
+      return { hits: [], redacted: input };
+    }
+    let findings: BetterleaksFinding[];
+    try {
+      const raw = readFileSync(reportPath, 'utf8');
+      const parsed = JSON.parse(raw || '[]') as unknown;
+      findings = Array.isArray(parsed) ? (parsed as BetterleaksFinding[]) : [];
+    } catch {
+      return { hits: [], redacted: input };
+    }
+    if (findings.length === 0) {
+      return { hits: [], redacted: input };
+    }
+    return { hits: summarizeHits(findings), redacted: redactWith(input, findings) };
+  } finally {
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      // Best-effort cleanup.
+    }
+  }
+};
+
+// `escapeRegExp` is exported so tests / callers can build patterns over the
+// Redacted output without re-implementing escaping.
+export type { BetterleaksFinding, ScanResult };
+export { escapeRegExp, scanAndRedact };

package/src/rules/bash-deny.ts

@@ -0,0 +1,346 @@
+import { type Segment, hasBypass } from '../lib/bash';
+import { type Decision, allow, ask, deny } from '../lib/decision';
+
+interface Spec {
+  readonly rule: string;
+  readonly action: 'deny' | 'ask';
+  readonly message: string;
+  // Match function evaluated against the parsed segment. Returns true when
+  // The rule fires.
+  readonly match: (seg: Segment, raw: string) => boolean;
+}
+
+const argsJoined = (seg: Segment): string => seg.tokens.slice(1).join(' ');
+
+const flagPresent = (seg: Segment, ...flags: readonly string[]): boolean =>
+  seg.flags.some((f) => flags.includes(f));
+
+const SPECS: readonly Spec[] = [
+  // ── catastrophic deletions ────────────────────────────────────────────
+  {
+    rule: 'rm-rf-root',
+    action: 'deny',
+    message:
+      'rm -rf / is catastrophic. If the goal is cleaning a subdirectory, scope the path inside the project (e.g. ./dist).',
+    match: (seg) =>
+      seg.head === 'rm' && flagPresent(seg, '-rf', '-fr', '-Rf', '-fR') && seg.tokens.includes('/'),
+  },
+  {
+    rule: 'rm-rf-home',
+    action: 'deny',
+    message: 'rm -rf on $HOME / ~ would erase the home directory. Refuse.',
+    match: (seg) =>
+      seg.head === 'rm' &&
+      flagPresent(seg, '-rf', '-fr', '-Rf', '-fR') &&
+      seg.tokens.some((t) => /^(~|\$HOME|\$\{HOME\})$/.test(t)),
+  },
+  {
+    rule: 'fork-bomb',
+    action: 'deny',
+    message: 'Fork bomb pattern detected. Refuse.',
+    match: (_seg, raw) => /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;/.test(raw),
+  },
+  {
+    rule: 'dd-raw-device',
+    action: 'deny',
+    message: 'dd writing to a raw block device wipes the disk. Refuse.',
+    match: (seg) => seg.head === 'dd' && /\bof=\/dev\/(disk|sd|nvme|rdisk)/i.test(argsJoined(seg)),
+  },
+  {
+    rule: 'mkfs',
+    action: 'deny',
+    message: 'mkfs formats a filesystem. Refuse.',
+    match: (seg) => /^mkfs(\.[a-z0-9]+)?$/i.test(seg.head),
+  },
+  {
+    rule: 'kill-all',
+    action: 'deny',
+    message: 'kill -9 -1 kills every process you own. Refuse.',
+    match: (seg) => seg.head === 'kill' && seg.tokens.includes('-9') && seg.tokens.includes('-1'),
+  },
+  {
+    rule: 'chmod-777-recursive',
+    action: 'deny',
+    message:
+      'Recursive chmod 777 makes everything world-writable. Use 755 for directories, 644 for files, scoped narrowly.',
+    match: (seg) =>
+      seg.head === 'chmod' && seg.flags.some((f) => f.includes('R')) && seg.tokens.includes('777'),
+  },
+
+  // ── git: detailed policy lives in bash-git.ts (smarter, supports
+  // ── `git -C <dir>`, conventional-commit enforcement, etc.) ──────────
+
+  // ── verify-skipping & signing-bypass ──────────────────────────────────
+  {
+    rule: 'no-verify',
+    action: 'deny',
+    message: '--no-verify skips git hooks. Per policy: never skip hooks. Fix the underlying issue.',
+    match: (seg) => seg.tokens.includes('--no-verify'),
+  },
+  {
+    rule: 'no-gpg-sign',
+    action: 'deny',
+    message: 'Bypassing GPG signing is off-limits unless explicitly requested.',
+    match: (_seg, raw) => /--no-gpg-sign\b|-c\s+commit\.gpgsign=false/.test(raw),
+  },
+
+  // ── sudo: ask ─────────────────────────────────────────────────────────
+  {
+    rule: 'sudo',
+    action: 'ask',
+    message:
+      'sudo escalates privileges and is almost never needed in a coding session. If genuinely required, explain why; otherwise find a non-sudo path.',
+    match: (seg) => seg.head === 'sudo',
+  },
+
+  // ── macOS / system destructive ────────────────────────────────────────
+  {
+    rule: 'shutdown',
+    action: 'deny',
+    message:
+      'shutdown / reboot / halt control the machine. Refuse — system control should be done manually.',
+    match: (seg) => ['shutdown', 'reboot', 'halt', 'poweroff'].includes(seg.head),
+  },
+  {
+    rule: 'launchctl-mutation',
+    action: 'deny',
+    message:
+      'launchctl load/unload/bootstrap/bootout/kickstart mutates system services. Refuse — surface the intent instead.',
+    match: (seg) =>
+      seg.head === 'launchctl' &&
+      typeof seg.tokens[1] === 'string' &&
+      ['load', 'unload', 'bootstrap', 'bootout', 'kickstart', 'enable', 'disable'].includes(
+        seg.tokens[1],
+      ),
+  },
+  {
+    rule: 'defaults-write',
+    action: 'deny',
+    message: '`defaults write` mutates macOS preferences. Refuse — surface the intent.',
+    match: (seg) => seg.head === 'defaults' && seg.tokens[1] === 'write',
+  },
+  {
+    rule: 'csrutil',
+    action: 'deny',
+    message: 'csrutil controls System Integrity Protection. Refuse.',
+    match: (seg) => seg.head === 'csrutil',
+  },
+  {
+    rule: 'nvram',
+    action: 'deny',
+    message: 'nvram modifies firmware variables. Refuse.',
+    match: (seg) => seg.head === 'nvram',
+  },
+  {
+    rule: 'diskutil-destructive',
+    action: 'deny',
+    message: 'diskutil eraseDisk / reformat / partitionDisk wipes disks. Refuse.',
+    match: (seg) =>
+      seg.head === 'diskutil' &&
+      typeof seg.tokens[1] === 'string' &&
+      ['eraseDisk', 'reformat', 'partitionDisk', 'eraseVolume', 'secureErase'].includes(
+        seg.tokens[1],
+      ),
+  },
+  {
+    rule: 'tmutil-destructive',
+    action: 'deny',
+    message: 'tmutil delete / disablelocal touches Time Machine. Refuse.',
+    match: (seg) =>
+      seg.head === 'tmutil' &&
+      typeof seg.tokens[1] === 'string' &&
+      ['delete', 'disablelocal'].includes(seg.tokens[1]),
+  },
+  {
+    rule: 'osascript',
+    action: 'ask',
+    message:
+      'osascript runs arbitrary AppleScript and can do almost anything (move files, send emails, drive apps). Confirm with Sean what you want done before running it.',
+    match: (seg) => seg.head === 'osascript',
+  },
+  {
+    rule: 'topgrade',
+    action: 'deny',
+    message:
+      'topgrade upgrades everything (brew, mas, npm globals, rust, mise). System upgrades should be done manually.',
+    match: (seg) => seg.head === 'topgrade',
+  },
+  {
+    rule: 'rsync-delete',
+    action: 'deny',
+    message:
+      'rsync --delete removes files at the destination. High blast radius — surface the intent instead.',
+    match: (seg) => seg.head === 'rsync' && seg.flags.includes('--delete'),
+  },
+  {
+    rule: 'softwareupdate-install',
+    action: 'deny',
+    message:
+      '`softwareupdate --install / -i / -d` triggers macOS system updates. Refuse — system updates should be done manually.',
+    match: (seg) =>
+      seg.head === 'softwareupdate' &&
+      seg.flags.some(
+        (f) => f === '--install' || f === '-i' || f === '-d' || f.startsWith('--download'),
+      ),
+  },
+  {
+    rule: 'pmset-write',
+    action: 'deny',
+    message:
+      '`pmset` (with arguments) writes power-management settings. Read-only `pmset -g` is fine; mutations need Sean.',
+    match: (seg) =>
+      seg.head === 'pmset' &&
+      seg.tokens.length > 1 &&
+      !seg.tokens.includes('-g') &&
+      !seg.tokens.includes('-G'),
+  },
+  {
+    rule: 'dscl-mutate',
+    action: 'deny',
+    message:
+      '`dscl . -create / -delete / -append / -change / -merge` modifies the local directory service (your user account, groups, etc.). Refuse.',
+    match: (seg) =>
+      seg.head === 'dscl' &&
+      seg.tokens.some((t) =>
+        ['-create', '-delete', '-append', '-change', '-merge', '-passwd'].includes(t),
+      ),
+  },
+  {
+    rule: 'xattr-quarantine-bypass',
+    action: 'deny',
+    message:
+      "`xattr -d com.apple.quarantine` removes Gatekeeper's quarantine bit — the macOS protection against running untrusted binaries. Refuse.",
+    match: (seg) =>
+      seg.head === 'xattr' &&
+      seg.tokens.includes('-d') &&
+      seg.tokens.some((t) => t.includes('com.apple.quarantine')),
+  },
+  {
+    rule: 'spctl-disable',
+    action: 'deny',
+    message:
+      '`spctl --master-disable` / `--global-disable` disables Gatekeeper system-wide. Refuse.',
+    match: (seg) =>
+      seg.head === 'spctl' &&
+      seg.flags.some(
+        (f) => f === '--master-disable' || f === '--global-disable' || f === '--disable',
+      ),
+  },
+  {
+    rule: 'kextload',
+    action: 'deny',
+    message:
+      'Loading a kernel extension (`kextload`, `kmutil load`) is a system-level mutation. Refuse — Sean handles this manually.',
+    match: (seg) =>
+      seg.head === 'kextload' ||
+      seg.head === 'kextunload' ||
+      (seg.head === 'kmutil' && (seg.tokens[1] === 'load' || seg.tokens[1] === 'unload')),
+  },
+  {
+    rule: 'security-keychain-destructive',
+    action: 'deny',
+    message:
+      '`security delete-keychain / delete-generic-password / delete-internet-password / set-keychain-settings` mutates your Keychain (where CLIs store their secrets). Refuse — Keychain should be managed manually.',
+    match: (seg) =>
+      seg.head === 'security' &&
+      typeof seg.tokens[1] === 'string' &&
+      [
+        'delete-keychain',
+        'delete-generic-password',
+        'delete-internet-password',
+        'delete-certificate',
+        'delete-identity',
+        'set-keychain-settings',
+        'unlock-keychain',
+        'lock-keychain',
+        'create-keychain',
+      ].includes(seg.tokens[1]),
+  },
+  {
+    rule: 'security-keychain-add-write',
+    action: 'ask',
+    message:
+      '`security add-generic-password / add-internet-password / add-certificate` writes to your Keychain. Other tools manage their own entries — confirm this is the right path before adding anything else manually.',
+    match: (seg) =>
+      seg.head === 'security' &&
+      typeof seg.tokens[1] === 'string' &&
+      ['add-generic-password', 'add-internet-password', 'add-certificate'].includes(seg.tokens[1]),
+  },
+  {
+    rule: 'systemsetup',
+    action: 'deny',
+    message:
+      '`systemsetup -set...` writes machine-wide settings (timezone, sleep, network time, restart-on-power-failure). Refuse.',
+    match: (seg) => seg.head === 'systemsetup' && seg.tokens.some((t) => t.startsWith('-set')),
+  },
+  {
+    rule: 'scutil-set',
+    action: 'deny',
+    message:
+      '`scutil --set` writes system configuration (computer name, hostname, LocalHostName). Refuse — read-only `scutil --get` is fine.',
+    match: (seg) => seg.head === 'scutil' && seg.tokens.includes('--set'),
+  },
+
+  // ── package mutation: ask before installing/removing ──────────────────
+  {
+    rule: 'brew-mutation',
+    action: 'ask',
+    message:
+      '`brew install/uninstall/upgrade/untap` modifies the machine globally. Confirm before running.',
+    match: (seg) =>
+      seg.head === 'brew' &&
+      typeof seg.tokens[1] === 'string' &&
+      ['install', 'uninstall', 'upgrade', 'reinstall', 'untap', 'tap'].includes(seg.tokens[1]),
+  },
+  {
+    rule: 'mas-mutation',
+    action: 'ask',
+    message: '`mas install/uninstall` changes installed Mac App Store apps. Confirm.',
+    match: (seg) =>
+      seg.head === 'mas' &&
+      typeof seg.tokens[1] === 'string' &&
+      ['install', 'uninstall', 'purchase'].includes(seg.tokens[1]),
+  },
+
+  // ── cloud destructive ────────────────────────────────────────────────
+  {
+    rule: 'gh-destructive',
+    action: 'deny',
+    message: 'gh repo/release/issue delete is destructive on shared state. Refuse.',
+    match: (seg) =>
+      seg.head === 'gh' &&
+      typeof seg.tokens[1] === 'string' &&
+      typeof seg.tokens[2] === 'string' &&
+      ['repo', 'release', 'issue', 'pr'].includes(seg.tokens[1]) &&
+      ['delete', 'destroy', 'remove'].includes(seg.tokens[2]),
+  },
+  {
+    rule: 'flyctl-destroy',
+    action: 'deny',
+    message: 'flyctl apps destroy / volumes destroy nukes deployed infra. Refuse.',
+    match: (seg) =>
+      seg.head === 'flyctl' && seg.tokens.some((t) => t === 'destroy' || t === 'delete'),
+  },
+  {
+    rule: 'gcloud-delete',
+    action: 'deny',
+    message: '`gcloud ... delete` affects cloud resources. Refuse.',
+    match: (seg) => seg.head === 'gcloud' && seg.tokens.includes('delete'),
+  },
+];
+
+const bashDeny = (segments: readonly Segment[], cmd: string): Decision => {
+  if (hasBypass(cmd)) {
+    return allow('bash-deny');
+  }
+  for (const seg of segments) {
+    for (const s of SPECS) {
+      if (s.match(seg, cmd)) {
+        return s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message);
+      }
+    }
+  }
+  return allow('bash-deny');
+};
+
+export { bashDeny };