@seanmozeik/tripwire 0.4.0 → 0.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {
@@ -31,15 +31,15 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@effect/platform-bun": "^4.0.0-beta.65",
-    "effect": "^4.0.0-beta.65",
+    "@effect/platform-bun": "^4.0.0-beta.66",
+    "effect": "^4.0.0-beta.66",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {
-    "@types/bun": "^1.3.13",
+    "@types/bun": "^1.3.14",
     "@types/shell-quote": "^1.7.5",
-    "oxfmt": "^0.48.0",
-    "oxlint": "^1.61.0",
+    "oxfmt": "^0.50.0",
+    "oxlint": "^1.65.0",
     "oxlint-tsgolint": "^0.22.1",
     "typescript": "^6.0.3"
   },

package/src/lib/bash.ts

@@ -256,6 +256,60 @@ const countFdPrefixRedirects = (cmd: string): number => {
   return matches?.length ?? 0;
 };
 
+const heredocDelimiterFromLine = (line: string): string | null => {
+  const match = /<<-?\s*(?:"([^"]+)"|'([^']+)'|([A-Za-z_][A-Za-z0-9_]*))/u.exec(line);
+  return match?.[1] ?? match?.[2] ?? match?.[3] ?? null;
+};
+
+const SHELL_STDIN_HEAD_RE =
+  /(?:^|[|;&]\s*)(?:\/(?:usr\/bin|bin|usr\/local\/bin|opt\/homebrew\/bin)\/)?(?:sh|bash|zsh|dash|ksh|ash)(?:\s|$)/u;
+
+const heredocFeedsShell = (line: string): boolean => SHELL_STDIN_HEAD_RE.test(line);
+
+const maskLiteralHeredocBodies = (cmd: string): string => {
+  const lines = cmd.split('\n');
+  const out: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    out.push(line);
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || heredocFeedsShell(line)) {
+      continue;
+    }
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      i++;
+    }
+    if (i < lines.length) {
+      out.push('__HEREDOC_BODY__');
+      out.push(lines[i]!);
+    }
+  }
+  return out.join('\n');
+};
+
+const extractShellHeredocCommands = (cmd: string): string[] => {
+  const lines = cmd.split('\n');
+  const out: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || !heredocFeedsShell(line)) {
+      continue;
+    }
+    const body: string[] = [];
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      body.push(lines[i]!);
+      i++;
+    }
+    if (body.length > 0) {
+      out.push(body.join('\n'));
+    }
+  }
+  return out;
+};
+
 // Extract inner commands from `$(...)`, `<(...)`, `>(...)`, and `` `...` ``.
 // Shell-quote collapses these into opaque sentinel tokens (which is correct
 // For safe-path checks — substituted output is unknown), but it also hides
@@ -266,53 +320,502 @@ const countFdPrefixRedirects = (cmd: string): number => {
 // Backticks don't nest (bash needs `\` escaping for that, which we treat as
 // A literal). Process/command substitutions can nest arbitrarily — a depth
 // Counter handles the balanced parens.
-const extractInnerCommands = (cmd: string): string[] => {
-  const inner: string[] = [];
-  // Backticks: simple, non-nesting.
-  const bt = cmd.match(/`([^`]+)`/g);
-  if (bt !== null) {
-    for (const m of bt) {
-      inner.push(m.slice(1, -1));
+const findBacktickEnd = (cmd: string, start: number): number | null => {
+  for (let i = start; i < cmd.length; i++) {
+    const ch = cmd[i]!;
+    if (ch === '\\') {
+      i++;
+      continue;
+    }
+    if (ch === '`') {
+      return i;
     }
   }
-  // $( ), <( ), >( ) with balanced parens.
-  for (let i = 0; i < cmd.length - 1; i++) {
+  return null;
+};
+
+const findSubstitutionEnd = (cmd: string, start: number): number | null => {
+  let depth = 1;
+  let quote: 'single' | 'double' | null = null;
+  for (let j = start; j < cmd.length; j++) {
+    const cj = cmd[j]!;
+    if (cj === '\\') {
+      j++;
+      continue;
+    }
+    if (quote === 'single') {
+      if (cj === "'") {
+        quote = null;
+      }
+      continue;
+    }
+    if (cj === "'") {
+      quote ??= 'single';
+      continue;
+    }
+    if (cj === '"') {
+      quote = quote === 'double' ? null : 'double';
+      continue;
+    }
+    if (cj === '(') {
+      depth++;
+      continue;
+    }
+    if (cj === ')') {
+      depth--;
+      if (depth === 0) {
+        return j;
+      }
+    }
+  }
+  return null;
+};
+
+const extractInnerCommands = (cmd: string): string[] => {
+  const inner: string[] = [];
+  let quote: 'single' | 'double' | null = null;
+  for (let i = 0; i < cmd.length; i++) {
     const ch = cmd[i]!;
-    const next = cmd[i + 1]!;
-    const isSubStart = (ch === '$' || ch === '<' || ch === '>') && next === '(';
-    if (!isSubStart) {
+    if (ch === '\\') {
+      i++;
       continue;
     }
-    let depth = 1;
-    let j = i + 2;
-    while (j < cmd.length && depth > 0) {
-      const cj = cmd[j]!;
-      if (cj === '(') {
-        depth++;
-      } else if (cj === ')') {
-        depth--;
+    if (quote === 'single') {
+      if (ch === "'") {
+        quote = null;
       }
-      if (depth > 0) {
-        j++;
+      continue;
+    }
+    if (ch === "'") {
+      quote ??= 'single';
+      continue;
+    }
+    if (ch === '"') {
+      quote = quote === 'double' ? null : 'double';
+      continue;
+    }
+    if (ch === '`') {
+      const end = findBacktickEnd(cmd, i + 1);
+      if (end !== null) {
+        inner.push(cmd.slice(i + 1, end));
+        i = end;
       }
+      continue;
     }
-    if (depth === 0) {
-      inner.push(cmd.slice(i + 2, j));
-      i = j;
+    const next = cmd[i + 1];
+    const isCommandSubStart = ch === '$' && next === '(';
+    const isProcessSubStart = quote === null && (ch === '<' || ch === '>') && next === '(';
+    if (!isCommandSubStart && !isProcessSubStart) {
+      continue;
+    }
+    const end = findSubstitutionEnd(cmd, i + 2);
+    if (end !== null) {
+      inner.push(cmd.slice(i + 2, end));
+      i = end;
     }
   }
   return inner;
 };
 
+// ── Exec-flag extraction (fd -x, find -exec, etc.) ───────────────────
+// Tools that take a subcommand on the same arg vector hide that
+// Subcommand from rule analysis. Pull it out, substitute the user-
+// Provided search root into the placeholder(s), and feed the
+// Reconstructed command back through parseCommand so every existing
+// Bash rule (deny / scoped-rm / redirect / etc.) sees it.
+
+const HOME_VAR_RE = /^\$\{?HOME\}?(?:\/|$)/;
+
+const pathLikeToken = (t: string): boolean => {
+  if (t === '' || t === '-') {
+    return false;
+  }
+  if (t === '/' || t === '~' || t === '.' || t === '..') {
+    return true;
+  }
+  if (
+    t.startsWith('/') ||
+    t.startsWith('~') ||
+    t.startsWith('./') ||
+    t.startsWith('../') ||
+    HOME_VAR_RE.test(t)
+  ) {
+    return true;
+  }
+  return false;
+};
+
+// Rank candidate search roots by how dangerous a `cmd <root>` invocation
+// Would be. Higher wins.
+const pathDangerScore = (t: string): number => {
+  if (t === '/') {
+    return 100;
+  }
+  if (t === '~' || HOME_VAR_RE.test(t)) {
+    return 90;
+  }
+  if (/^\/(etc|usr|bin|sbin|System|Library|var|boot|root|home)(\/|$)/.test(t)) {
+    return 80;
+  }
+  if (t.startsWith('/Users/')) {
+    return 70;
+  }
+  if (t.startsWith('/') || t.startsWith('~')) {
+    return 60;
+  }
+  if (t.startsWith('../')) {
+    return 40;
+  }
+  if (t === '..' || t === '.' || t.startsWith('./')) {
+    return 10;
+  }
+  return 50;
+};
+
+interface ExecSpec {
+  // Flag tokens that introduce a nested command, e.g. `-x` / `-exec`.
+  readonly execFlags: ReadonlySet<string>;
+  // Placeholder tokens the tool substitutes with each match path.
+  readonly placeholders: ReadonlySet<string>;
+  // Walk tokens[1..execFlagIdx) and return the most-suspicious search root
+  // The tool would feed into placeholders, or `.` if nothing path-shaped
+  // Is present.
+  readonly pickRoot: (tokens: readonly string[], execFlagIdx: number) => string;
+}
+
+// Fd's flag layout: flags can appear before or after the pattern/path
+// Positionals, and some flags consume a value (-e ts, -t f, -d 3). We
+// Need to skip those value tokens, otherwise `ts` is misread as a path.
+const FD_VALUE_FLAGS: ReadonlySet<string> = new Set([
+  '-e',
+  '--extension',
+  '-t',
+  '--type',
+  '-E',
+  '--exclude',
+  '-d',
+  '--max-depth',
+  '--min-depth',
+  '--exact-depth',
+  '-c',
+  '--color',
+  '--changed-within',
+  '--changed-before',
+  '-S',
+  '--size',
+  '-o',
+  '--owner',
+  '-j',
+  '--threads',
+  '-g',
+  '--glob',
+  '--format',
+  '--max-results',
+  '--ignore-file',
+  '--search-path',
+  '--base-directory',
+  '--path-separator',
+  '--and',
+]);
+
+const pickFdSearchRoot = (tokens: readonly string[], execFlagIdx: number): string => {
+  const candidates: string[] = [];
+  let i = 1;
+  while (i < execFlagIdx) {
+    const t = tokens[i]!;
+    if (FD_VALUE_FLAGS.has(t)) {
+      i += 2;
+      continue;
+    }
+    if (t.startsWith('-')) {
+      i++;
+      continue;
+    }
+    if (pathLikeToken(t)) {
+      candidates.push(t);
+    }
+    i++;
+  }
+  if (candidates.length === 0) {
+    return '.';
+  }
+  candidates.sort((a, b) => pathDangerScore(b) - pathDangerScore(a));
+  return candidates[0]!;
+};
+
+// Find's grammar: PATHs come first, before any flag-shaped token. Once we
+// Hit a `-`-prefixed token (a test predicate or action), no more paths.
+// `find` defaults to cwd if no path is given. We collect everything
+// Path-shaped in the prefix region as candidates.
+const pickFindSearchRoot = (tokens: readonly string[], execFlagIdx: number): string => {
+  const candidates: string[] = [];
+  for (let i = 1; i < execFlagIdx; i++) {
+    const t = tokens[i]!;
+    if (t.startsWith('-')) {
+      break;
+    }
+    if (pathLikeToken(t)) {
+      candidates.push(t);
+    }
+  }
+  if (candidates.length === 0) {
+    return '.';
+  }
+  candidates.sort((a, b) => pathDangerScore(b) - pathDangerScore(a));
+  return candidates[0]!;
+};
+
+const FD_SPEC: ExecSpec = {
+  execFlags: new Set(['-x', '-X', '--exec', '--exec-batch']),
+  placeholders: new Set(['{}', '{/}', '{//}', '{.}', '{/.}']),
+  pickRoot: pickFdSearchRoot,
+};
+
+const FIND_SPEC: ExecSpec = {
+  // `-ok` / `-okdir` prompt interactively per-match, but the executed
+  // Command is still constructed from agent-controlled input, so treat
+  // It the same as `-exec`.
+  execFlags: new Set(['-exec', '-execdir', '-ok', '-okdir']),
+  placeholders: new Set(['{}']),
+  pickRoot: pickFindSearchRoot,
+};
+
+const EXEC_SPECS: Readonly<Record<string, ExecSpec>> = Object.assign(
+  Object.create(null) as Record<string, ExecSpec>,
+  { fd: FD_SPEC, fdfind: FD_SPEC, find: FIND_SPEC, gfind: FIND_SPEC },
+);
+
+const substitutePlaceholders = (
+  tokens: readonly string[],
+  spec: ExecSpec,
+  root: string,
+): string[] => tokens.map((t) => (spec.placeholders.has(t) ? root : t));
+
+const extractExecCommands = (seg: Segment): string[] => {
+  const spec = EXEC_SPECS[seg.head];
+  if (spec === undefined) {
+    return [];
+  }
+  const out: string[] = [];
+  const tokens = seg.tokens;
+  for (let i = 1; i < tokens.length; i++) {
+    if (!spec.execFlags.has(tokens[i]!)) {
+      continue;
+    }
+    // Collect tokens until the exec terminator (`;` or `+`, both shared
+    // By fd and find) or end of segment. shell-quote turns `\;` into the
+    // Literal string token `;`.
+    const inner: string[] = [];
+    let j = i + 1;
+    while (j < tokens.length) {
+      const t = tokens[j]!;
+      if (t === ';' || t === '+') {
+        break;
+      }
+      inner.push(t);
+      j++;
+    }
+    if (inner.length === 0) {
+      continue;
+    }
+    const head = inner[0]!;
+    if (spec.placeholders.has(head)) {
+      continue;
+    }
+    const root = spec.pickRoot(tokens, i);
+    out.push(substitutePlaceholders(inner, spec, root).join(' '));
+    i = j;
+  }
+  return out;
+};
+
+// ── Substitution unwrappers ──────────────────────────────────────────
+//
+// Bash hides agent-controlled content inside command substitutions and
+// Shell wrappers two different ways, and rules need two different shapes
+// Of unwrap:
+//
+//   1. `sh -c '<script>'` and `bash -c '<script>'` carry a script the
+//      Outer parser can't see into. Extracted with
+//      `extractShellWrappedCommands(seg)` and re-parsed as bash segments
+//      So every existing rule applies. Used by `parseCommand`.
+//
+//   2. `$(cat <<'TAG' ... TAG)` and `$(echo '...')` / `$(printf '...')`
+//      Compute a static string value at runtime. Rules that inspect arg
+//      Values (commit-message convention, redirect targets, etc.) need
+//      The string, not a re-parse. `unwrapStaticString(token)` returns
+//      It; pass-through if the token isn't a recognised substitution.
+//
+// Both layers cover the same underlying gap — the shell-quote parser
+// Treats substitutions as opaque sentinels — and any rule that touches
+// Agent-controlled content should route through one of them.
+
+const HEREDOC_SUBST_RE = /\$\(\s*cat\s+<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1\s*\)/u;
+const ECHO_PRINTF_SUBST_RE = /\$\(\s*(?:printf|echo)\s+(?:-[a-zA-Z]+\s+)*'([^']*)'/u;
+
+const unwrapStaticString = (value: string): string => {
+  const heredoc = HEREDOC_SUBST_RE.exec(value);
+  if (heredoc !== null) {
+    return heredoc[2] ?? value;
+  }
+  const printf = ECHO_PRINTF_SUBST_RE.exec(value);
+  if (printf !== null) {
+    return printf[1] ?? value;
+  }
+  return value;
+};
+
+// Recover commands hidden inside a `sh -c '...'` / `bash -c '...'` wrapper.
+// Without this, every redirect / deny / scoped-rm rule can be trivially
+// Bypassed by wrapping the offending command in `sh -c`. The shell parser
+// Otherwise sees `sh` as the head and the script as an opaque positional
+// Arg. We pull the script out and feed it back through `parseCommand` so
+// All existing rules apply.
+const SHELL_WRAPPER_HEADS: ReadonlySet<string> = new Set([
+  'sh',
+  'bash',
+  'zsh',
+  'dash',
+  'ksh',
+  'ash',
+  '/bin/sh',
+  '/bin/bash',
+  '/bin/zsh',
+  '/bin/dash',
+  '/bin/ksh',
+  '/usr/bin/sh',
+  '/usr/bin/bash',
+  '/usr/bin/zsh',
+  '/usr/local/bin/bash',
+  '/opt/homebrew/bin/bash',
+]);
+
+const extractShellWrappedCommands = (seg: Segment): string[] => {
+  if (!SHELL_WRAPPER_HEADS.has(seg.head)) {
+    return [];
+  }
+  const tokens = seg.tokens;
+  for (let i = 1; i < tokens.length; i++) {
+    const t = tokens[i]!;
+    if (t === '-c' && i + 1 < tokens.length) {
+      return [tokens[i + 1]!];
+    }
+    // Combined short flags that include `c`: `-ec`, `-xc`, `-eu c` won't —
+    // Only treat `c` as the last char so the next token is the script.
+    if (
+      t.startsWith('-') &&
+      !t.startsWith('--') &&
+      t.endsWith('c') &&
+      t.length > 2 &&
+      i + 1 < tokens.length
+    ) {
+      return [tokens[i + 1]!];
+    }
+  }
+  return [];
+};
+
+const HEAD_RENAMING_HEADS: ReadonlySet<string> = new Set([
+  'command',
+  'exec',
+  'env',
+  'time',
+  'nohup',
+  'setsid',
+  'nice',
+  'ionice',
+  'chronic',
+  'stdbuf',
+  'unbuffer',
+  'script',
+  'taskset',
+]);
+
+const HEAD_RENAMING_VALUE_FLAGS: Readonly<Record<string, ReadonlySet<string>>> = {
+  command: new Set(),
+  env: new Set(['-u', '--unset', '-C', '--chdir', '-S', '--split-string', '--block-signal']),
+  time: new Set(['-f', '--format', '-o', '--output']),
+  nice: new Set(['-n', '--adjustment']),
+  ionice: new Set(['-c', '--class', '-n', '--classdata', '-p', '--pid']),
+  stdbuf: new Set(['-i', '--input', '-o', '--output', '-e', '--error']),
+  script: new Set(['-c', '--command']),
+  taskset: new Set(),
+};
+
+const tokenLooksLikeEnvAssignment = (token: string): boolean =>
+  /^[A-Za-z_][A-Za-z0-9_]*=.*/u.test(token);
+
+const skipHeadRenamingPrefix = (tokens: readonly string[]): number => {
+  const head = tokens[0]!;
+  const valueFlags = HEAD_RENAMING_VALUE_FLAGS[head] ?? new Set<string>();
+  let i = 1;
+  while (i < tokens.length) {
+    const token = tokens[i]!;
+    if (head === 'env' && tokenLooksLikeEnvAssignment(token)) {
+      i++;
+      continue;
+    }
+    if (valueFlags.has(token)) {
+      i += 2;
+      continue;
+    }
+    if (token.includes('=') && valueFlags.has(token.slice(0, token.indexOf('=')))) {
+      i++;
+      continue;
+    }
+    if (token.startsWith('--') && token !== '--') {
+      i++;
+      continue;
+    }
+    if (token.startsWith('-') && token !== '-') {
+      i++;
+      continue;
+    }
+    break;
+  }
+  return i;
+};
+
+const extractHeadRenamingCommands = (seg: Segment): string[] => {
+  if (!HEAD_RENAMING_HEADS.has(seg.head)) {
+    return [];
+  }
+  if (seg.head === 'script') {
+    for (let i = 1; i < seg.tokens.length - 1; i++) {
+      const token = seg.tokens[i]!;
+      if (token === '-c' || token === '--command') {
+        return [seg.tokens[i + 1]!];
+      }
+      if (token.startsWith('--command=')) {
+        return [token.slice('--command='.length)];
+      }
+    }
+  }
+  const start = skipHeadRenamingPrefix(seg.tokens);
+  const inner = seg.tokens.slice(start).join(' ');
+  return inner === '' ? [] : [inner];
+};
+
+const EVAL_HEADS: ReadonlySet<string> = new Set(['eval']);
+
+const extractEvalCommands = (seg: Segment): string[] => {
+  if (!EVAL_HEADS.has(seg.head)) {
+    return [];
+  }
+  const sub = seg.tokens.slice(1).join(' ');
+  return sub === '' ? [] : [sub];
+};
+
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
+  const cmdForParsing = maskLiteralHeredocBodies(cmd);
   try {
-    entries = parse(cmd, PRESERVE_ENV);
+    entries = parse(cmdForParsing, PRESERVE_ENV);
   } catch {
     return [];
   }
   entries = mergeAmpRedirects(entries);
-  const fdBudget: FdBudget = { remaining: countFdPrefixRedirects(cmd) };
+  const fdBudget: FdBudget = { remaining: countFdPrefixRedirects(cmdForParsing) };
 
   const out: Segment[] = [];
   let buf: ParseEntry[] = [];
@@ -337,12 +840,45 @@ const parseCommand = (cmd: string): Segment[] => {
   // Outer segment's args are already opaque sentinels (safe-path-failing);
   // This catches dangerous inner commands the outer call would otherwise
   // Hide.
-  for (const sub of extractInnerCommands(cmd)) {
+  for (const sub of [...extractInnerCommands(cmd), ...extractShellHeredocCommands(cmd)]) {
     for (const innerSeg of parseCommand(sub)) {
       out.push(innerSeg);
     }
   }
 
+  // Tools like `fd -x …` and `find -exec …` carry an inner subcommand
+  // On the same arg vector. Without extraction the executed command is
+  // Hidden and slips past every rule. Pull it out (with the user's
+  // Search root substituted into placeholders) and parse it as its own
+  // Segments so bash-deny et al. see it.
+  // Snapshot length: we push new segments into `out` from within the
+  // Loop, but should only scan the segments that existed pre-extraction
+  // To avoid re-processing extracted ones.
+  const preExtractLen = out.length;
+  for (let k = 0; k < preExtractLen; k++) {
+    const seg = out[k]!;
+    for (const sub of extractExecCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractShellWrappedCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractHeadRenamingCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractEvalCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+  }
+
   return out;
 };
 
@@ -425,4 +961,11 @@ const safeScopesSummary = (
 const hasBypass = (cmd: string): boolean => /(^|\s)#\s*tripwire-allow\b/.test(cmd);
 
 export type { Redirect, Segment };
-export { hasBypass, isSafePathTarget, parseCommand, safeScopesSummary };
+export {
+  EXEC_SPECS,
+  hasBypass,
+  isSafePathTarget,
+  parseCommand,
+  safeScopesSummary,
+  unwrapStaticString,
+};