npm - @seanmozeik/tripwire - Versions diffs - 0.4.1 → 0.5.0 - Mend

@seanmozeik/tripwire 0.4.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/tripwire.js.jsc CHANGED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {
@@ -31,15 +31,15 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@effect/platform-bun": "^4.0.0-beta.65",
-    "effect": "^4.0.0-beta.65",
+    "@effect/platform-bun": "^4.0.0-beta.66",
+    "effect": "^4.0.0-beta.66",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {
-    "@types/bun": "^1.3.13",
+    "@types/bun": "^1.3.14",
     "@types/shell-quote": "^1.7.5",
-    "oxfmt": "^0.48.0",
-    "oxlint": "^1.61.0",
+    "oxfmt": "^0.50.0",
+    "oxlint": "^1.65.0",
     "oxlint-tsgolint": "^0.22.1",
     "typescript": "^6.0.3"
   },

package/src/lib/bash.ts CHANGED Viewed

@@ -256,6 +256,60 @@ const countFdPrefixRedirects = (cmd: string): number => {
   return matches?.length ?? 0;
 };
+const heredocDelimiterFromLine = (line: string): string | null => {
+  const match = /<<-?\s*(?:"([^"]+)"|'([^']+)'|([A-Za-z_][A-Za-z0-9_]*))/u.exec(line);
+  return match?.[1] ?? match?.[2] ?? match?.[3] ?? null;
+};
+const SHELL_STDIN_HEAD_RE =
+  /(?:^|[|;&]\s*)(?:\/(?:usr\/bin|bin|usr\/local\/bin|opt\/homebrew\/bin)\/)?(?:sh|bash|zsh|dash|ksh|ash)(?:\s|$)/u;
+const heredocFeedsShell = (line: string): boolean => SHELL_STDIN_HEAD_RE.test(line);
+const maskLiteralHeredocBodies = (cmd: string): string => {
+  const lines = cmd.split('\n');
+  const out: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    out.push(line);
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || heredocFeedsShell(line)) {
+      continue;
+    }
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      i++;
+    }
+    if (i < lines.length) {
+      out.push('__HEREDOC_BODY__');
+      out.push(lines[i]!);
+    }
+  }
+  return out.join('\n');
+};
+const extractShellHeredocCommands = (cmd: string): string[] => {
+  const lines = cmd.split('\n');
+  const out: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || !heredocFeedsShell(line)) {
+      continue;
+    }
+    const body: string[] = [];
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      body.push(lines[i]!);
+      i++;
+    }
+    if (body.length > 0) {
+      out.push(body.join('\n'));
+    }
+  }
+  return out;
+};
 // Extract inner commands from `$(...)`, `<(...)`, `>(...)`, and `` `...` ``.
 // Shell-quote collapses these into opaque sentinel tokens (which is correct
 // For safe-path checks — substituted output is unknown), but it also hides
@@ -266,39 +320,98 @@ const countFdPrefixRedirects = (cmd: string): number => {
 // Backticks don't nest (bash needs `\` escaping for that, which we treat as
 // A literal). Process/command substitutions can nest arbitrarily — a depth
 // Counter handles the balanced parens.
-const extractInnerCommands = (cmd: string): string[] => {
-  const inner: string[] = [];
-  // Backticks: simple, non-nesting.
-  const bt = cmd.match(/`([^`]+)`/g);
-  if (bt !== null) {
-    for (const m of bt) {
-      inner.push(m.slice(1, -1));
+const findBacktickEnd = (cmd: string, start: number): number | null => {
+  for (let i = start; i < cmd.length; i++) {
+    const ch = cmd[i]!;
+    if (ch === '\\') {
+      i++;
+      continue;
+    }
+    if (ch === '`') {
+      return i;
     }
   }
-  // $( ), <( ), >( ) with balanced parens.
-  for (let i = 0; i < cmd.length - 1; i++) {
+  return null;
+};
+const findSubstitutionEnd = (cmd: string, start: number): number | null => {
+  let depth = 1;
+  let quote: 'single' | 'double' | null = null;
+  for (let j = start; j < cmd.length; j++) {
+    const cj = cmd[j]!;
+    if (cj === '\\') {
+      j++;
+      continue;
+    }
+    if (quote === 'single') {
+      if (cj === "'") {
+        quote = null;
+      }
+      continue;
+    }
+    if (cj === "'") {
+      quote ??= 'single';
+      continue;
+    }
+    if (cj === '"') {
+      quote = quote === 'double' ? null : 'double';
+      continue;
+    }
+    if (cj === '(') {
+      depth++;
+      continue;
+    }
+    if (cj === ')') {
+      depth--;
+      if (depth === 0) {
+        return j;
+      }
+    }
+  }
+  return null;
+};
+const extractInnerCommands = (cmd: string): string[] => {
+  const inner: string[] = [];
+  let quote: 'single' | 'double' | null = null;
+  for (let i = 0; i < cmd.length; i++) {
     const ch = cmd[i]!;
-    const next = cmd[i + 1]!;
-    const isSubStart = (ch === '$' || ch === '<' || ch === '>') && next === '(';
-    if (!isSubStart) {
+    if (ch === '\\') {
+      i++;
       continue;
     }
-    let depth = 1;
-    let j = i + 2;
-    while (j < cmd.length && depth > 0) {
-      const cj = cmd[j]!;
-      if (cj === '(') {
-        depth++;
-      } else if (cj === ')') {
-        depth--;
+    if (quote === 'single') {
+      if (ch === "'") {
+        quote = null;
       }
-      if (depth > 0) {
-        j++;
+      continue;
+    }
+    if (ch === "'") {
+      quote ??= 'single';
+      continue;
+    }
+    if (ch === '"') {
+      quote = quote === 'double' ? null : 'double';
+      continue;
+    }
+    if (ch === '`') {
+      const end = findBacktickEnd(cmd, i + 1);
+      if (end !== null) {
+        inner.push(cmd.slice(i + 1, end));
+        i = end;
       }
+      continue;
+    }
+    const next = cmd[i + 1];
+    const isCommandSubStart = ch === '$' && next === '(';
+    const isProcessSubStart = quote === null && (ch === '<' || ch === '>') && next === '(';
+    if (!isCommandSubStart && !isProcessSubStart) {
+      continue;
     }
-    if (depth === 0) {
-      inner.push(cmd.slice(i + 2, j));
-      i = j;
+    const end = findSubstitutionEnd(cmd, i + 2);
+    if (end !== null) {
+      inner.push(cmd.slice(i + 2, end));
+      i = end;
     }
   }
   return inner;
@@ -467,12 +580,10 @@ const FIND_SPEC: ExecSpec = {
   pickRoot: pickFindSearchRoot,
 };
-const EXEC_SPECS: Readonly<Record<string, ExecSpec>> = {
-  fd: FD_SPEC,
-  fdfind: FD_SPEC,
-  find: FIND_SPEC,
-  gfind: FIND_SPEC,
-};
+const EXEC_SPECS: Readonly<Record<string, ExecSpec>> = Object.assign(
+  Object.create(null) as Record<string, ExecSpec>,
+  { fd: FD_SPEC, fdfind: FD_SPEC, find: FIND_SPEC, gfind: FIND_SPEC },
+);
 const substitutePlaceholders = (
   tokens: readonly string[],
@@ -518,15 +629,193 @@ const extractExecCommands = (seg: Segment): string[] => {
   return out;
 };
+// ── Substitution unwrappers ──────────────────────────────────────────
+//
+// Bash hides agent-controlled content inside command substitutions and
+// Shell wrappers two different ways, and rules need two different shapes
+// Of unwrap:
+//
+//   1. `sh -c '<script>'` and `bash -c '<script>'` carry a script the
+//      Outer parser can't see into. Extracted with
+//      `extractShellWrappedCommands(seg)` and re-parsed as bash segments
+//      So every existing rule applies. Used by `parseCommand`.
+//
+//   2. `$(cat <<'TAG' ... TAG)` and `$(echo '...')` / `$(printf '...')`
+//      Compute a static string value at runtime. Rules that inspect arg
+//      Values (commit-message convention, redirect targets, etc.) need
+//      The string, not a re-parse. `unwrapStaticString(token)` returns
+//      It; pass-through if the token isn't a recognised substitution.
+//
+// Both layers cover the same underlying gap — the shell-quote parser
+// Treats substitutions as opaque sentinels — and any rule that touches
+// Agent-controlled content should route through one of them.
+const HEREDOC_SUBST_RE = /\$\(\s*cat\s+<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1\s*\)/u;
+const ECHO_PRINTF_SUBST_RE = /\$\(\s*(?:printf|echo)\s+(?:-[a-zA-Z]+\s+)*'([^']*)'/u;
+const unwrapStaticString = (value: string): string => {
+  const heredoc = HEREDOC_SUBST_RE.exec(value);
+  if (heredoc !== null) {
+    return heredoc[2] ?? value;
+  }
+  const printf = ECHO_PRINTF_SUBST_RE.exec(value);
+  if (printf !== null) {
+    return printf[1] ?? value;
+  }
+  return value;
+};
+// Recover commands hidden inside a `sh -c '...'` / `bash -c '...'` wrapper.
+// Without this, every redirect / deny / scoped-rm rule can be trivially
+// Bypassed by wrapping the offending command in `sh -c`. The shell parser
+// Otherwise sees `sh` as the head and the script as an opaque positional
+// Arg. We pull the script out and feed it back through `parseCommand` so
+// All existing rules apply.
+const SHELL_WRAPPER_HEADS: ReadonlySet<string> = new Set([
+  'sh',
+  'bash',
+  'zsh',
+  'dash',
+  'ksh',
+  'ash',
+  '/bin/sh',
+  '/bin/bash',
+  '/bin/zsh',
+  '/bin/dash',
+  '/bin/ksh',
+  '/usr/bin/sh',
+  '/usr/bin/bash',
+  '/usr/bin/zsh',
+  '/usr/local/bin/bash',
+  '/opt/homebrew/bin/bash',
+]);
+const extractShellWrappedCommands = (seg: Segment): string[] => {
+  if (!SHELL_WRAPPER_HEADS.has(seg.head)) {
+    return [];
+  }
+  const tokens = seg.tokens;
+  for (let i = 1; i < tokens.length; i++) {
+    const t = tokens[i]!;
+    if (t === '-c' && i + 1 < tokens.length) {
+      return [tokens[i + 1]!];
+    }
+    // Combined short flags that include `c`: `-ec`, `-xc`, `-eu c` won't —
+    // Only treat `c` as the last char so the next token is the script.
+    if (
+      t.startsWith('-') &&
+      !t.startsWith('--') &&
+      t.endsWith('c') &&
+      t.length > 2 &&
+      i + 1 < tokens.length
+    ) {
+      return [tokens[i + 1]!];
+    }
+  }
+  return [];
+};
+const HEAD_RENAMING_HEADS: ReadonlySet<string> = new Set([
+  'command',
+  'exec',
+  'env',
+  'time',
+  'nohup',
+  'setsid',
+  'nice',
+  'ionice',
+  'chronic',
+  'stdbuf',
+  'unbuffer',
+  'script',
+  'taskset',
+]);
+const HEAD_RENAMING_VALUE_FLAGS: Readonly<Record<string, ReadonlySet<string>>> = {
+  command: new Set(),
+  env: new Set(['-u', '--unset', '-C', '--chdir', '-S', '--split-string', '--block-signal']),
+  time: new Set(['-f', '--format', '-o', '--output']),
+  nice: new Set(['-n', '--adjustment']),
+  ionice: new Set(['-c', '--class', '-n', '--classdata', '-p', '--pid']),
+  stdbuf: new Set(['-i', '--input', '-o', '--output', '-e', '--error']),
+  script: new Set(['-c', '--command']),
+  taskset: new Set(),
+};
+const tokenLooksLikeEnvAssignment = (token: string): boolean =>
+  /^[A-Za-z_][A-Za-z0-9_]*=.*/u.test(token);
+const skipHeadRenamingPrefix = (tokens: readonly string[]): number => {
+  const head = tokens[0]!;
+  const valueFlags = HEAD_RENAMING_VALUE_FLAGS[head] ?? new Set<string>();
+  let i = 1;
+  while (i < tokens.length) {
+    const token = tokens[i]!;
+    if (head === 'env' && tokenLooksLikeEnvAssignment(token)) {
+      i++;
+      continue;
+    }
+    if (valueFlags.has(token)) {
+      i += 2;
+      continue;
+    }
+    if (token.includes('=') && valueFlags.has(token.slice(0, token.indexOf('=')))) {
+      i++;
+      continue;
+    }
+    if (token.startsWith('--') && token !== '--') {
+      i++;
+      continue;
+    }
+    if (token.startsWith('-') && token !== '-') {
+      i++;
+      continue;
+    }
+    break;
+  }
+  return i;
+};
+const extractHeadRenamingCommands = (seg: Segment): string[] => {
+  if (!HEAD_RENAMING_HEADS.has(seg.head)) {
+    return [];
+  }
+  if (seg.head === 'script') {
+    for (let i = 1; i < seg.tokens.length - 1; i++) {
+      const token = seg.tokens[i]!;
+      if (token === '-c' || token === '--command') {
+        return [seg.tokens[i + 1]!];
+      }
+      if (token.startsWith('--command=')) {
+        return [token.slice('--command='.length)];
+      }
+    }
+  }
+  const start = skipHeadRenamingPrefix(seg.tokens);
+  const inner = seg.tokens.slice(start).join(' ');
+  return inner === '' ? [] : [inner];
+};
+const EVAL_HEADS: ReadonlySet<string> = new Set(['eval']);
+const extractEvalCommands = (seg: Segment): string[] => {
+  if (!EVAL_HEADS.has(seg.head)) {
+    return [];
+  }
+  const sub = seg.tokens.slice(1).join(' ');
+  return sub === '' ? [] : [sub];
+};
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
+  const cmdForParsing = maskLiteralHeredocBodies(cmd);
   try {
-    entries = parse(cmd, PRESERVE_ENV);
+    entries = parse(cmdForParsing, PRESERVE_ENV);
   } catch {
     return [];
   }
   entries = mergeAmpRedirects(entries);
-  const fdBudget: FdBudget = { remaining: countFdPrefixRedirects(cmd) };
+  const fdBudget: FdBudget = { remaining: countFdPrefixRedirects(cmdForParsing) };
   const out: Segment[] = [];
   let buf: ParseEntry[] = [];
@@ -551,7 +840,7 @@ const parseCommand = (cmd: string): Segment[] => {
   // Outer segment's args are already opaque sentinels (safe-path-failing);
   // This catches dangerous inner commands the outer call would otherwise
   // Hide.
-  for (const sub of extractInnerCommands(cmd)) {
+  for (const sub of [...extractInnerCommands(cmd), ...extractShellHeredocCommands(cmd)]) {
     for (const innerSeg of parseCommand(sub)) {
       out.push(innerSeg);
     }
@@ -573,6 +862,21 @@ const parseCommand = (cmd: string): Segment[] => {
         out.push(innerSeg);
       }
     }
+    for (const sub of extractShellWrappedCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractHeadRenamingCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractEvalCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
   }
   return out;
@@ -657,4 +961,11 @@ const safeScopesSummary = (
 const hasBypass = (cmd: string): boolean => /(^|\s)#\s*tripwire-allow\b/.test(cmd);
 export type { Redirect, Segment };
-export { hasBypass, isSafePathTarget, parseCommand, safeScopesSummary };
+export {
+  EXEC_SPECS,
+  hasBypass,
+  isSafePathTarget,
+  parseCommand,
+  safeScopesSummary,
+  unwrapStaticString,
+};

package/src/rules/bash-deny.ts CHANGED Viewed

@@ -40,6 +40,13 @@ const SPECS: readonly Spec[] = [
     message: 'Fork bomb pattern detected. Refuse.',
     match: (_seg, raw) => /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;/.test(raw),
   },
+  {
+    rule: 'source-script',
+    action: 'deny',
+    message:
+      '`source` / `.` executes a file in the current shell. Refuse arbitrary sourced scripts.',
+    match: (seg) => (seg.head === 'source' || seg.head === '.') && seg.tokens.length > 1,
+  },
   {
     rule: 'dd-raw-device',
     action: 'deny',
@@ -329,18 +336,52 @@ const SPECS: readonly Spec[] = [
   },
 ];
+// Rules in this set ignore `# tripwire-allow` on the command line. They
+// Are catastrophic / irreversible operations and hard policy rules that
+// Have no legitimate prompt-line override. If the user genuinely needs
+// One of these to run, they should do it in a terminal themselves.
+const UNBYPASSABLE_RULES: ReadonlySet<string> = new Set([
+  // Catastrophic / irreversible
+  'rm-rf-root',
+  'rm-rf-home',
+  'fork-bomb',
+  'dd-raw-device',
+  'mkfs',
+  'kill-all',
+  'diskutil-destructive',
+  'tmutil-destructive',
+  // System control
+  'shutdown',
+  'csrutil',
+  'nvram',
+  'kextload',
+  'spctl-disable',
+  'xattr-quarantine-bypass',
+  'topgrade',
+  'softwareupdate-install',
+  'systemsetup',
+  'scutil-set',
+  'security-keychain-destructive',
+  // Hard policy rules
+  'no-verify',
+  'no-gpg-sign',
+]);
 const bashDeny = (segments: readonly Segment[], cmd: string): Decision => {
-  if (hasBypass(cmd)) {
-    return allow('bash-deny');
-  }
+  const bypass = hasBypass(cmd);
   for (const seg of segments) {
     for (const s of SPECS) {
-      if (s.match(seg, cmd)) {
-        return s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message);
+      if (!s.match(seg, cmd)) {
+        continue;
+      }
+      if (bypass && !UNBYPASSABLE_RULES.has(s.rule)) {
+        // Caller asserted in-turn approval; honor it for this rule.
+        continue;
       }
+      return s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message);
     }
   }
   return allow('bash-deny');
 };
-export { bashDeny };
+export { bashDeny, UNBYPASSABLE_RULES };

package/src/rules/bash-git.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { type Segment, hasBypass } from '../lib/bash';
+import { type Segment, hasBypass, unwrapStaticString } from '../lib/bash';
 import type { GitConfig } from '../lib/config';
 import { type Decision, allow, ask, deny, warn } from '../lib/decision';
@@ -111,15 +111,17 @@ const messageOf = (subArgs: readonly string[]): string | null => {
   for (let i = 0; i < subArgs.length; i++) {
     const t = subArgs[i]!;
     if (t === '-m' || t === '--message') {
-      return subArgs[i + 1] ?? null;
+      const raw = subArgs[i + 1];
+      return raw === undefined ? null : unwrapStaticString(raw);
     }
     if (t.startsWith('--message=')) {
-      return t.slice('--message='.length);
+      return unwrapStaticString(t.slice('--message='.length));
     }
     // Combined short flags like `-am`, `-ma`, `-amS` carry the message
     // In the next positional arg — same as `-m` alone.
     if (/^-[a-zA-Z]*m[a-zA-Z]*$/.test(t)) {
-      return subArgs[i + 1] ?? null;
+      const raw = subArgs[i + 1];
+      return raw === undefined ? null : unwrapStaticString(raw);
     }
   }
   return null;