@seanmozeik/tripwire 0.1.0

package/src/rules/bash-redirect.ts

@@ -0,0 +1,91 @@
+import { type Segment, hasBypass } from '../lib/bash';
+import { type Decision, allow, deny } from '../lib/decision';
+
+// Block writes (via shell redirect, tee, cp, mv) that target sensitive
+// Files. Catches the exfil-via-redirect gap that path-protect can't see
+// Because it only watches Edit/Write tool calls.
+
+const PROTECTED_TARGET_RE: readonly { rule: string; pattern: RegExp; message: string }[] = [
+  {
+    rule: 'redirect-env',
+    pattern: /(^|\/)\.env(\.[^/]+)?$/,
+    message:
+      'Refusing to write into a .env file via shell redirect / tee / cp / mv. .env files hold secrets — never overwrite from a tool call.',
+  },
+  {
+    rule: 'redirect-dev-vars',
+    pattern: /(^|\/)\.dev\.vars(\.[^/]+)?$/,
+    message: 'Refusing to write into .dev.vars (Cloudflare/Wrangler secrets).',
+  },
+  {
+    rule: 'redirect-ssh',
+    pattern: /(^|\/)\.ssh\//,
+    message: 'Refusing to write into ~/.ssh/ via shell.',
+  },
+  {
+    rule: 'redirect-key',
+    pattern: /\.(pem|key|p12|pfx)$/i,
+    message: 'Refusing to overwrite a private-key-shaped file via shell.',
+  },
+  {
+    rule: 'redirect-aws-credentials',
+    pattern: /(^|\/)\.aws\/credentials$/,
+    message: 'Refusing to write into ~/.aws/credentials via shell.',
+  },
+  {
+    rule: 'redirect-netrc',
+    pattern: /(^|\/)\.netrc$/,
+    message: 'Refusing to write into ~/.netrc via shell.',
+  },
+  {
+    rule: 'redirect-block-device',
+    pattern: /^\/dev\/(sd|disk|nvme|rdisk)/i,
+    message: 'Redirecting into a raw block device wipes the disk. Refuse.',
+  },
+];
+
+const checkPath = (path: string): Decision | null => {
+  for (const p of PROTECTED_TARGET_RE) {
+    if (p.pattern.test(path)) {
+      return deny(p.rule, p.message);
+    }
+  }
+  return null;
+};
+
+const bashRedirect = (segments: readonly Segment[], cmd: string): Decision => {
+  if (hasBypass(cmd)) {
+    return allow('bash-redirect');
+  }
+  for (const seg of segments) {
+    for (const r of seg.redirects) {
+      if (r.op === '>' || r.op === '>>') {
+        const d = checkPath(r.target);
+        if (d !== null) {
+          return d;
+        }
+      }
+    }
+    if (seg.head === 'tee') {
+      for (const t of seg.args) {
+        const d = checkPath(t);
+        if (d !== null) {
+          return d;
+        }
+      }
+    }
+    if (seg.head === 'cp' || seg.head === 'mv') {
+      // The destination is the last positional arg.
+      const dst = seg.args.at(-1);
+      if (dst !== undefined) {
+        const d = checkPath(dst);
+        if (d !== null) {
+          return d;
+        }
+      }
+    }
+  }
+  return allow('bash-redirect');
+};
+
+export { bashRedirect };

package/src/rules/bash-scoped-rm.ts

@@ -0,0 +1,84 @@
+import { type Segment, hasBypass, isSafePathTarget, safeScopesSummary } from '../lib/bash';
+import type { SafePathsConfig } from '../lib/config';
+import { type Decision, allow, deny } from '../lib/decision';
+
+interface Issue {
+  readonly kind: 'rm' | 'find -delete';
+  readonly targets: readonly string[];
+}
+
+const analyzeRm = (seg: Segment, config: SafePathsConfig): readonly string[] => {
+  // `rm -- foo` ends flag parsing. Treat -- as flag-like and stop after it.
+  let endOfFlags = false;
+  const targets: string[] = [];
+  for (const t of seg.tokens.slice(1)) {
+    if (!endOfFlags && t === '--') {
+      endOfFlags = true;
+      continue;
+    }
+    if (!endOfFlags && t.startsWith('-') && t !== '-') {
+      continue;
+    }
+    targets.push(t);
+  }
+  const extraRelative = config.relative ?? [];
+  const extraAbsolute = config.absolute ?? [];
+  return targets.filter((t) => !isSafePathTarget(t, extraRelative, extraAbsolute));
+};
+
+const analyzeFindDelete = (seg: Segment, config: SafePathsConfig): readonly string[] | null => {
+  if (!seg.tokens.includes('-delete')) {
+    return null;
+  }
+  const paths: string[] = [];
+  for (const t of seg.tokens.slice(1)) {
+    if (t.startsWith('-')) {
+      break;
+    }
+    paths.push(t);
+  }
+  const checked = paths.length === 0 ? ['.'] : paths;
+  const extraRelative = config.relative ?? [];
+  const extraAbsolute = config.absolute ?? [];
+  return checked.filter((p) => !isSafePathTarget(p, extraRelative, extraAbsolute));
+};
+
+const bashScopedRm = (
+  segments: readonly Segment[],
+  cmd: string,
+  config: SafePathsConfig,
+): Decision => {
+  if (hasBypass(cmd)) {
+    return allow('bash-scoped-rm');
+  }
+  const issues: Issue[] = [];
+  for (const seg of segments) {
+    if (seg.head === 'rm') {
+      const unsafe = analyzeRm(seg, config);
+      if (unsafe.length > 0) {
+        issues.push({ kind: 'rm', targets: unsafe });
+      }
+      continue;
+    }
+    if (seg.head === 'find') {
+      const unsafe = analyzeFindDelete(seg, config);
+      if (unsafe !== null && unsafe.length > 0) {
+        issues.push({ kind: 'find -delete', targets: unsafe });
+      }
+    }
+  }
+  if (issues.length === 0) {
+    return allow('bash-scoped-rm');
+  }
+  const extraRelative = config.relative ?? [];
+  const extraAbsolute = config.absolute ?? [];
+  const detail = issues
+    .map((i) => `  • ${i.kind} on: ${i.targets.map((t) => JSON.stringify(t)).join(', ')}`)
+    .join('\n');
+  return deny(
+    'destructive-outside-safe-paths',
+    `Destructive deletion outside known-safe scopes is blocked. Use \`trash\` (macOS Trash, recoverable) or \`rip\` (graveyard at ~/.local/share/graveyard, recoverable) instead. Real \`rm\` and \`find -delete\` are allowed only inside ephemeral build / cache / state directories:\n${safeScopesSummary(extraRelative, extraAbsolute)}\n\nFlagged targets:\n${detail}\n\nIf raw \`rm\` is genuinely needed, append \` # tripwire-allow: <reason>\` to the command.`,
+  );
+};
+
+export { bashScopedRm };

package/src/rules/bash-tar-explosion.ts

@@ -0,0 +1,76 @@
+import { type Segment, hasBypass } from '../lib/bash';
+import { type Decision, allow, deny } from '../lib/decision';
+
+// Block tar/zip/unzip extractions that would write into / or $HOME
+// (`tar -xf foo.tar.gz -C /` style explosions).
+
+const isExtractFlag = (f: string): boolean =>
+  f === '-x' ||
+  f === '-xf' ||
+  f === '-xzf' ||
+  f === '-xjf' ||
+  f === '-xJf' ||
+  f === '-xvf' ||
+  f === '-xvzf' ||
+  f === '-xvjf' ||
+  f === '--extract' ||
+  /^-[xvzjJtf]+$/.test(f);
+
+const findChangeDir = (seg: Segment): string | null => {
+  for (let i = 0; i < seg.tokens.length; i++) {
+    const t = seg.tokens[i]!;
+    if (t === '-C' || t === '--directory') {
+      return seg.tokens[i + 1] ?? null;
+    }
+    if (t.startsWith('--directory=')) {
+      return t.slice('--directory='.length);
+    }
+  }
+  return null;
+};
+
+const isUnsafeExtractDest = (dest: string): boolean => {
+  return dest === '/' || /^(~|\$HOME|\$\{HOME\})$/.test(dest);
+};
+
+const bashTarExplosion = (segments: readonly Segment[], cmd: string): Decision => {
+  if (hasBypass(cmd)) {
+    return allow('bash-tar-explosion');
+  }
+  for (const seg of segments) {
+    if (seg.head !== 'tar') {
+      continue;
+    }
+    const extracting = seg.flags.some(isExtractFlag) || seg.tokens.includes('--extract');
+    if (!extracting) {
+      continue;
+    }
+    const dest = findChangeDir(seg);
+    if (dest !== null && isUnsafeExtractDest(dest)) {
+      return deny(
+        'tar-extract-to-root',
+        `tar -x with -C ${dest} can overwrite arbitrary system files. Refuse — extract to a contained directory (e.g. ./tmp/extract) and inspect before moving anything elsewhere.`,
+      );
+    }
+  }
+  // Unzip with -d destination
+  for (const seg of segments) {
+    if (seg.head !== 'unzip') {
+      continue;
+    }
+    for (let i = 0; i < seg.tokens.length; i++) {
+      if (seg.tokens[i] === '-d') {
+        const dest = seg.tokens[i + 1];
+        if (dest !== undefined && isUnsafeExtractDest(dest)) {
+          return deny(
+            'unzip-to-root',
+            `unzip -d ${dest} can overwrite arbitrary system files. Refuse — extract to a contained directory.`,
+          );
+        }
+      }
+    }
+  }
+  return allow('bash-tar-explosion');
+};
+
+export { bashTarExplosion };

package/src/rules/bash-tool-policy.ts

@@ -0,0 +1,134 @@
+import { type Segment, hasBypass } from '../lib/bash';
+import { type Decision, allow, deny, warn } from '../lib/decision';
+
+// Opinionated tooling enforcement. Hard-deny on the package managers and
+// Tools Sean has explicitly replaced (npm/pip/patch-package); soft-warn
+// Suggesting modern equivalents (find→fd, grep→rg).
+//
+// Hard-deny rationale (from Sean's CLAUDE.md): TypeScript is bun-only,
+// Python is uv-only. Slipping into npm or pip mid-session means the
+// Agent forgot the toolchain and is about to install into the wrong
+// Directory or make a lockfile bun can't read.
+
+interface Policy {
+  readonly rule: string;
+  readonly action: 'deny' | 'warn';
+  readonly message: string;
+  readonly fires: (seg: Segment) => boolean;
+}
+
+const POLICIES: readonly Policy[] = [
+  // ── HARD DENIES: wrong package manager ───────────────────────────────
+  {
+    rule: 'use-bun-not-npm',
+    action: 'deny',
+    message:
+      'Use `bun` instead of `npm`. Translations: `npm install` → `bun install`, `npm install <pkg>` → `bun add <pkg>`, `npm install -D <pkg>` → `bun add -d <pkg>`, `npm run X` → `bun run X` (or `bun X` for bin scripts), `npm test` → `bun test`. If you genuinely need npm (publishing to a registry that requires it, working in a non-Sean repo), append ` # tripwire-allow: <reason>` to the command.',
+    fires: (seg) => seg.head === 'npm',
+  },
+  {
+    rule: 'use-bunx-not-npx',
+    action: 'deny',
+    message: 'Use `bunx` instead of `npx`. Same usage shape, faster, no implicit npm cache.',
+    fires: (seg) => seg.head === 'npx',
+  },
+  {
+    rule: 'use-bun-not-pnpm',
+    action: 'deny',
+    message: 'Use `bun` instead of `pnpm`. Sean is bun-only across his repos.',
+    fires: (seg) => seg.head === 'pnpm',
+  },
+  {
+    rule: 'use-bun-not-yarn',
+    action: 'deny',
+    message: 'Use `bun` instead of `yarn`. Sean is bun-only.',
+    fires: (seg) => seg.head === 'yarn',
+  },
+  {
+    rule: 'use-uv-not-pip',
+    action: 'deny',
+    message:
+      'Use `uv` instead of `pip`. Translations: `pip install <pkg>` → `uv add <pkg>` (project dependency) or `uv pip install <pkg>` (env-only escape hatch). `pip freeze` → `uv pip freeze`. `pip list` → `uv pip list`. Sean is uv-only across Python repos.',
+    fires: (seg) => seg.head === 'pip' || seg.head === 'pip3',
+  },
+  {
+    rule: 'use-uv-sync-not-venv',
+    action: 'deny',
+    message:
+      '`python -m venv` creates a bare venv; use `uv sync` instead. uv sync creates the venv AND installs from pyproject.toml + uv.lock in one atomic step. To activate: `source .venv/bin/activate` after.',
+    fires: (seg) =>
+      (seg.head === 'python' || seg.head === 'python3') &&
+      seg.tokens.includes('-m') &&
+      seg.tokens.includes('venv'),
+  },
+  {
+    rule: 'uv-sync-over-uv-venv',
+    action: 'deny',
+    message:
+      'Use `uv sync` instead of `uv venv`. `uv venv` creates an empty venv that you then have to populate; `uv sync` creates the venv AND resolves+installs from pyproject.toml + uv.lock in one step. The only reason to use `uv venv` standalone is when there is no pyproject.toml — and in that case, `uv init` first.',
+    fires: (seg) => seg.head === 'uv' && seg.tokens[1] === 'venv',
+  },
+  {
+    rule: 'use-bun-patch-not-patch-package',
+    action: 'deny',
+    message:
+      'Use `bun patch` instead of `patch-package`. Bun has built-in patch support that integrates with bun.lock; patch-package is npm-era and produces patches in a different format.',
+    fires: (seg) => seg.head === 'patch-package',
+  },
+
+  // ── SOFT WARNS: modern equivalents Sean has installed ────────────────
+  {
+    rule: 'consider-fd',
+    action: 'warn',
+    message:
+      'Consider `fd` instead of `find`. Faster, simpler syntax, respects .gitignore by default. Examples: `find . -name "*.ts"` → `fd -e ts`, `find . -type f -name "X"` → `fd -t f X`, `find PATH ...` → `fd ... PATH`. Sean has both installed; either works.',
+    fires: (seg) => seg.head === 'find',
+  },
+  {
+    rule: 'consider-rg',
+    action: 'warn',
+    message:
+      'Consider `rg` (ripgrep) instead of `grep`. Faster, recursive by default, respects .gitignore, sane defaults. Most flags carry over: `-i`, `-n`, `-v`, `-l`, `-c`. `grep -r PATTERN .` → `rg PATTERN`.',
+    fires: (seg) => seg.head === 'grep' || seg.head === 'egrep' || seg.head === 'fgrep',
+  },
+  {
+    rule: 'consider-btop',
+    action: 'warn',
+    message: 'Consider `btop` instead of `top`. Better UI, more info, modern.',
+    fires: (seg) => seg.head === 'top',
+  },
+  {
+    rule: 'consider-dust',
+    action: 'warn',
+    message: 'Consider `dust` instead of `du -sh`. Sorted, colorful, faster.',
+    fires: (seg) => seg.head === 'du',
+  },
+  {
+    rule: 'consider-duf',
+    action: 'warn',
+    message: 'Consider `duf` instead of `df -h`. Better formatting, more readable.',
+    fires: (seg) => seg.head === 'df',
+  },
+  {
+    rule: 'consider-procs',
+    action: 'warn',
+    message: 'Consider `procs` instead of `ps aux`. Better filtering and output.',
+    fires: (seg) => seg.head === 'ps',
+  },
+];
+
+const bashToolPolicy = (segments: readonly Segment[], cmd: string): Decision => {
+  if (hasBypass(cmd)) {
+    return allow('bash-tool-policy');
+  }
+  for (const seg of segments) {
+    for (const p of POLICIES) {
+      if (p.fires(seg)) {
+        return p.action === 'deny' ? deny(p.rule, p.message) : warn(p.rule, p.message);
+      }
+    }
+  }
+  return allow('bash-tool-policy');
+};
+
+export { bashToolPolicy };

package/src/rules/config-custom.ts

@@ -0,0 +1,51 @@
+// Config-based custom blocking/allowing rules.
+// Uses shell parsing utilities to match command patterns from config.
+
+import { parseCommand, type Segment } from '../lib/bash';
+import type { BlockRule } from '../lib/config';
+import { type Decision, allow, deny, ask } from '../lib/decision';
+
+// Match a pattern against parsed segments using shell parsing.
+// This is more powerful than simple regex because it uses the same
+// Parsing logic as the rest of tripwire.
+const matchPattern = (segments: readonly Segment[], pattern: string): boolean => {
+  const patternSegs = parseCommand(pattern);
+  if (patternSegs.length === 0) {
+    return false;
+  }
+
+  const patternHead = patternSegs[0]!.head;
+
+  // Simple head match for now - can be extended to match flags, args, etc.
+  for (const seg of segments) {
+    if (seg.head === patternHead) {
+      return true;
+    }
+  }
+  return false;
+};
+
+export const configCustom = (
+  segments: readonly Segment[],
+  _cmd: string,
+  blockedCommands: readonly BlockRule[],
+  allowedCommands: readonly BlockRule[],
+): Decision => {
+  // Check allowed first (overrides blocks)
+  for (const allowRule of allowedCommands) {
+    if (matchPattern(segments, allowRule.pattern)) {
+      return allow('config-custom');
+    }
+  }
+
+  // Then check blocked
+  for (const blockRule of blockedCommands) {
+    if (matchPattern(segments, blockRule.pattern)) {
+      return blockRule.action === 'deny'
+        ? deny('config-custom', blockRule.message)
+        : ask('config-custom', blockRule.message);
+    }
+  }
+
+  return allow('config-custom');
+};

package/src/rules/lazy-code.ts

@@ -0,0 +1,95 @@
+import { type Decision, allow, warn } from '../lib/decision';
+import { addedLines, readFileOrEmpty } from '../lib/diff';
+import type { EditInput, WriteInput } from '../lib/event';
+
+// Phrases that frequently signal incomplete or deferred work. Some — like
+// "fallback" or "placeholder" — are also legitimate product terms (an auth
+// Fallback flow, an HTML input placeholder). Rather than try to disambiguate
+// Statically, we accept the false-positive rate and keep this as a non-
+// Blocking warn. The advisory is written to make the intent unmistakable
+// So the agent treats real-product uses as no-action and treats actual
+// Stub work as a prompt to finish the job before returning to the user.
+const STUB_RE: readonly RegExp[] = [
+  /\bTODO\s*:/i,
+  /\bFIXME\s*:/i,
+  /\bXXX\s*:/i,
+  /\bHACK\s*:/i,
+  /\bfor now\b/i,
+  /\bnot implemented\b/i,
+  /\bNotImplementedError\b/,
+  /\btemp fix\b/i,
+  /\bfallback\b/i,
+  /\bplaceholder\b/i,
+  /\bbackwards?[ -]?compat(ibility)?\b/i,
+  /\bfor later\b/i,
+  /\blater on\b/i,
+  /\bget back to\b/i,
+  /\bI'?ll fix\b/i,
+  /\bto be implemented\b/i,
+  /\bnot yet (implemented|done)\b/i,
+  /\bstubbed\b/i,
+];
+
+const CODE_EXT_RE =
+  /\.(ts|tsx|js|jsx|mjs|cjs|py|rs|go|rb|java|kt|swift|c|cc|cpp|h|hpp|cs|php|sh|zsh|bash|lua|ex|exs|clj|scala|dart)$/i;
+
+const TEST_PATH_RE =
+  /(^|\/)(__tests__|tests?|spec|fixtures?|mocks?|__mocks__|stories)(\/|$)|\.(test|spec|fixture|mock|stories)\.[^/]+$/i;
+
+// Comment-syntax-agnostic. Works in `//`, `#`, `--`, `/* */`, `<!-- -->`,
+// `;`, `%`, etc.
+const BYPASS_RE = /tripwire-allow\b/;
+
+const matches = (line: string): boolean => {
+  if (BYPASS_RE.test(line)) {
+    return false;
+  }
+  for (const re of STUB_RE) {
+    if (re.test(line)) {
+      return true;
+    }
+  }
+  return false;
+};
+
+const lazyCode = (input: EditInput | WriteInput): Decision => {
+  const path = input.file_path;
+  if (!CODE_EXT_RE.test(path) || TEST_PATH_RE.test(path)) {
+    return allow('lazy-code');
+  }
+
+  const next = 'content' in input ? input.content : input.new_string;
+  const prev = 'content' in input ? readFileOrEmpty(path) : input.old_string;
+
+  const offenders: string[] = [];
+  for (const line of addedLines(prev, next)) {
+    if (matches(line)) {
+      offenders.push(line.slice(0, 200));
+    }
+  }
+  if (offenders.length === 0) {
+    return allow('lazy-code');
+  }
+
+  const sample = offenders
+    .slice(0, 3)
+    .map((l) => `  • ${l}`)
+    .join('\n');
+  const more = offenders.length > 3 ? `\n  …and ${offenders.length - 3} more` : '';
+
+  return warn(
+    'lazy-code-marker',
+    [
+      `Heads up: line(s) you just added contain words that often signal incomplete or deferred work. The write went through — this is a flag, not a block.`,
+      ``,
+      `Why this exists: AI coding agents have a strong pull toward stubbing things, deferring "for now," and shipping half-built fallbacks instead of finishing the work in the same turn. The point of this warning is to push back on that pull on every iteration. If you stubbed something out for time, finish it this turn rather than leaving deferred work for later.`,
+      ``,
+      `If the marker is genuinely permanent — a real product term ("auth fallback flow", "retry fallback chain", an HTML input placeholder, a public API field literally named "placeholder"), a logging tag, or a comment intentionally left for a human reader — no action needed. To silence the flag on subsequent edits of that line, append \`tripwire-allow: <one-line reason>\` (any comment syntax: \`//\`, \`#\`, \`--\`, etc.).`,
+      ``,
+      `Flagged additions:`,
+      sample + more,
+    ].join('\n'),
+  );
+};
+
+export { lazyCode };

package/src/rules/path-protect.ts

@@ -0,0 +1,59 @@
+import { resolve } from 'node:path';
+
+import { type Decision, allow, deny } from '../lib/decision';
+import type { EditInput, WriteInput } from '../lib/event';
+
+interface Spec {
+  readonly pattern: RegExp;
+  readonly rule: string;
+  readonly message: string;
+}
+
+const protections: readonly Spec[] = [
+  {
+    pattern: /(^|\/)\.env(\.[^/]+)?$/,
+    rule: 'env-file',
+    message:
+      '.env files hold secrets that should never be sent to the model. Refuse to write or edit. If an example is needed, create .env.example with redacted placeholders.',
+  },
+  {
+    pattern: /(^|\/)\.dev\.vars(\.[^/]+)?$/,
+    rule: 'dev-vars',
+    message: '.dev.vars holds Cloudflare/Wrangler secrets. Do not modify.',
+  },
+  { pattern: /(^|\/)\.ssh\//, rule: 'ssh-dir', message: 'Never write into ~/.ssh/. Refuse.' },
+  {
+    pattern: /(^|\/)(id_rsa|id_ed25519|id_ecdsa|id_dsa)(\.pub)?$/,
+    rule: 'ssh-key',
+    message: 'SSH key file. Refuse.',
+  },
+  {
+    pattern: /\.(pem|key|p12|pfx)$/i,
+    rule: 'private-key',
+    message:
+      'Private key file. Refuse to overwrite. If generating a new key, use a different filename and let Sean review.',
+  },
+  {
+    pattern: /(^|\/)secrets?\.(json|ya?ml|toml|env)$/i,
+    rule: 'secrets-file',
+    message: 'Secrets file. Refuse.',
+  },
+  {
+    pattern: /(^|\/)\.aws\/credentials$/,
+    rule: 'aws-credentials',
+    message: 'AWS credentials file. Refuse.',
+  },
+  { pattern: /(^|\/)\.netrc$/, rule: 'netrc', message: '.netrc holds host credentials. Refuse.' },
+];
+
+const pathProtect = (input: EditInput | WriteInput): Decision => {
+  const path = resolve(input.file_path);
+  for (const p of protections) {
+    if (p.pattern.test(path)) {
+      return deny(p.rule, p.message);
+    }
+  }
+  return allow('path-protect');
+};
+
+export { pathProtect };

package/src/rules/post-secret-scrub.ts

@@ -0,0 +1,38 @@
+import { type Decision, allow, deny } from '../lib/decision';
+import { extractResponseText } from '../lib/event';
+import { scanAndRedact } from '../lib/secrets';
+
+// PostToolUse: scan whatever string content a tool returned (Bash stdout,
+// Read content) for known secret patterns via betterleaks. If anything
+// Fires, block the result (so the original output never reaches the
+// Model) and surface a redacted version in the block reason — that lets
+// The agent see what was returned without leaking the secret itself.
+
+interface PostInput {
+  readonly toolName: string;
+  readonly response: unknown;
+}
+
+const postSecretScrub = (input: PostInput): Decision => {
+  const text = extractResponseText(input.toolName, input.response);
+  if (text.length === 0) {
+    return allow('post-secret-scrub');
+  }
+  const { hits, redacted } = scanAndRedact(text);
+  if (hits.length === 0) {
+    return allow('post-secret-scrub');
+  }
+  const summary = hits.map((h) => `${h.rule}×${h.count}`).join(', ');
+  return deny(
+    'secrets-in-output',
+    [
+      `tripwire intercepted ${hits.length} secret pattern(s) in this tool's output (${summary}). The original output was withheld so the secret never enters the model context. A redacted form is below — work from this, do not re-run the same command in a way that re-fetches the underlying secret.`,
+      ``,
+      `Redacted output:`,
+      redacted.slice(0, 16_000) + (redacted.length > 16_000 ? '\n…[truncated]' : ''),
+    ].join('\n'),
+  );
+};
+
+export type { PostInput };
+export { postSecretScrub };