@seanmozeik/tripwire 0.4.1 → 0.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {
@@ -31,15 +31,15 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@effect/platform-bun": "^4.0.0-beta.65",
-    "effect": "^4.0.0-beta.65",
+    "@effect/platform-bun": "^4.0.0-beta.66",
+    "effect": "^4.0.0-beta.66",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {
-    "@types/bun": "^1.3.13",
+    "@types/bun": "^1.3.14",
     "@types/shell-quote": "^1.7.5",
-    "oxfmt": "^0.48.0",
-    "oxlint": "^1.61.0",
+    "oxfmt": "^0.50.0",
+    "oxlint": "^1.65.0",
     "oxlint-tsgolint": "^0.22.1",
     "typescript": "^6.0.3"
   },

package/src/lib/bash.ts

@@ -256,6 +256,89 @@ const countFdPrefixRedirects = (cmd: string): number => {
   return matches?.length ?? 0;
 };
 
+const heredocDelimiterFromLine = (line: string): string | null => {
+  const match = /<<-?\s*(?:"([^"]+)"|'([^']+)'|([A-Za-z_][A-Za-z0-9_]*))/u.exec(line);
+  return match?.[1] ?? match?.[2] ?? match?.[3] ?? null;
+};
+
+const SHELL_STDIN_HEAD_RE =
+  /(?:^|[|;&]\s*)(?:\/(?:usr\/bin|bin|usr\/local\/bin|opt\/homebrew\/bin)\/)?(?:sh|bash|zsh|dash|ksh|ash)(?:\s|$)/u;
+
+const heredocFeedsShell = (line: string): boolean => SHELL_STDIN_HEAD_RE.test(line);
+
+const maskLiteralHeredocBodies = (cmd: string): string => {
+  const lines = cmd.split('\n');
+  const out: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    out.push(line);
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || heredocFeedsShell(line)) {
+      continue;
+    }
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      i++;
+    }
+    if (i < lines.length) {
+      out.push('__HEREDOC_BODY__');
+      out.push(lines[i]!);
+    }
+  }
+  return out.join('\n');
+};
+
+// Side-channel for static-string lookup. Mask-protected rules (hasBypass,
+// Bash-deny scanning) must never see heredoc body characters — a body
+// Containing `# tripwire-allow` or `rm -rf /` would slip past them.
+// `unwrapStaticString` still needs the original body of `$(cat <<EOF ... EOF)`
+// To validate the wrapped commit message. Keep masking universal, and pass
+// The original-body lookup through a separate channel only the static-string
+// Extractor consults.
+const collectHeredocBodies = (cmd: string): ReadonlyMap<string, string> => {
+  const map = new Map<string, string>();
+  const lines = cmd.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || heredocFeedsShell(line)) {
+      continue;
+    }
+    const body: string[] = [];
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      body.push(lines[i]!);
+      i++;
+    }
+    if (!map.has(delimiter)) {
+      map.set(delimiter, body.join('\n'));
+    }
+  }
+  return map;
+};
+
+const extractShellHeredocCommands = (cmd: string): string[] => {
+  const lines = cmd.split('\n');
+  const out: string[] = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    const delimiter = heredocDelimiterFromLine(line);
+    if (delimiter === null || !heredocFeedsShell(line)) {
+      continue;
+    }
+    const body: string[] = [];
+    i++;
+    while (i < lines.length && lines[i]!.trim() !== delimiter) {
+      body.push(lines[i]!);
+      i++;
+    }
+    if (body.length > 0) {
+      out.push(body.join('\n'));
+    }
+  }
+  return out;
+};
+
 // Extract inner commands from `$(...)`, `<(...)`, `>(...)`, and `` `...` ``.
 // Shell-quote collapses these into opaque sentinel tokens (which is correct
 // For safe-path checks — substituted output is unknown), but it also hides
@@ -266,39 +349,98 @@ const countFdPrefixRedirects = (cmd: string): number => {
 // Backticks don't nest (bash needs `\` escaping for that, which we treat as
 // A literal). Process/command substitutions can nest arbitrarily — a depth
 // Counter handles the balanced parens.
-const extractInnerCommands = (cmd: string): string[] => {
-  const inner: string[] = [];
-  // Backticks: simple, non-nesting.
-  const bt = cmd.match(/`([^`]+)`/g);
-  if (bt !== null) {
-    for (const m of bt) {
-      inner.push(m.slice(1, -1));
+const findBacktickEnd = (cmd: string, start: number): number | null => {
+  for (let i = start; i < cmd.length; i++) {
+    const ch = cmd[i]!;
+    if (ch === '\\') {
+      i++;
+      continue;
+    }
+    if (ch === '`') {
+      return i;
+    }
+  }
+  return null;
+};
+
+const findSubstitutionEnd = (cmd: string, start: number): number | null => {
+  let depth = 1;
+  let quote: 'single' | 'double' | null = null;
+  for (let j = start; j < cmd.length; j++) {
+    const cj = cmd[j]!;
+    if (cj === '\\') {
+      j++;
+      continue;
+    }
+    if (quote === 'single') {
+      if (cj === "'") {
+        quote = null;
+      }
+      continue;
+    }
+    if (cj === "'") {
+      quote ??= 'single';
+      continue;
+    }
+    if (cj === '"') {
+      quote = quote === 'double' ? null : 'double';
+      continue;
+    }
+    if (cj === '(') {
+      depth++;
+      continue;
+    }
+    if (cj === ')') {
+      depth--;
+      if (depth === 0) {
+        return j;
+      }
     }
   }
-  // $( ), <( ), >( ) with balanced parens.
-  for (let i = 0; i < cmd.length - 1; i++) {
+  return null;
+};
+
+const extractInnerCommands = (cmd: string): string[] => {
+  const inner: string[] = [];
+  let quote: 'single' | 'double' | null = null;
+  for (let i = 0; i < cmd.length; i++) {
     const ch = cmd[i]!;
-    const next = cmd[i + 1]!;
-    const isSubStart = (ch === '$' || ch === '<' || ch === '>') && next === '(';
-    if (!isSubStart) {
+    if (ch === '\\') {
+      i++;
       continue;
     }
-    let depth = 1;
-    let j = i + 2;
-    while (j < cmd.length && depth > 0) {
-      const cj = cmd[j]!;
-      if (cj === '(') {
-        depth++;
-      } else if (cj === ')') {
-        depth--;
+    if (quote === 'single') {
+      if (ch === "'") {
+        quote = null;
       }
-      if (depth > 0) {
-        j++;
+      continue;
+    }
+    if (ch === "'") {
+      quote ??= 'single';
+      continue;
+    }
+    if (ch === '"') {
+      quote = quote === 'double' ? null : 'double';
+      continue;
+    }
+    if (ch === '`') {
+      const end = findBacktickEnd(cmd, i + 1);
+      if (end !== null) {
+        inner.push(cmd.slice(i + 1, end));
+        i = end;
       }
+      continue;
+    }
+    const next = cmd[i + 1];
+    const isCommandSubStart = ch === '$' && next === '(';
+    const isProcessSubStart = quote === null && (ch === '<' || ch === '>') && next === '(';
+    if (!isCommandSubStart && !isProcessSubStart) {
+      continue;
     }
-    if (depth === 0) {
-      inner.push(cmd.slice(i + 2, j));
-      i = j;
+    const end = findSubstitutionEnd(cmd, i + 2);
+    if (end !== null) {
+      inner.push(cmd.slice(i + 2, end));
+      i = end;
     }
   }
   return inner;
@@ -467,12 +609,10 @@ const FIND_SPEC: ExecSpec = {
   pickRoot: pickFindSearchRoot,
 };
 
-const EXEC_SPECS: Readonly<Record<string, ExecSpec>> = {
-  fd: FD_SPEC,
-  fdfind: FD_SPEC,
-  find: FIND_SPEC,
-  gfind: FIND_SPEC,
-};
+const EXEC_SPECS: Readonly<Record<string, ExecSpec>> = Object.assign(
+  Object.create(null) as Record<string, ExecSpec>,
+  { fd: FD_SPEC, fdfind: FD_SPEC, find: FIND_SPEC, gfind: FIND_SPEC },
+);
 
 const substitutePlaceholders = (
   tokens: readonly string[],
@@ -518,15 +658,201 @@ const extractExecCommands = (seg: Segment): string[] => {
   return out;
 };
 
+// ── Substitution unwrappers ──────────────────────────────────────────
+//
+// Bash hides agent-controlled content inside command substitutions and
+// Shell wrappers two different ways, and rules need two different shapes
+// Of unwrap:
+//
+//   1. `sh -c '<script>'` and `bash -c '<script>'` carry a script the
+//      Outer parser can't see into. Extracted with
+//      `extractShellWrappedCommands(seg)` and re-parsed as bash segments
+//      So every existing rule applies. Used by `parseCommand`.
+//
+//   2. `$(cat <<'TAG' ... TAG)` and `$(echo '...')` / `$(printf '...')`
+//      Compute a static string value at runtime. Rules that inspect arg
+//      Values (commit-message convention, redirect targets, etc.) need
+//      The string, not a re-parse. `unwrapStaticString(token)` returns
+//      It; pass-through if the token isn't a recognised substitution.
+//
+// Both layers cover the same underlying gap — the shell-quote parser
+// Treats substitutions as opaque sentinels — and any rule that touches
+// Agent-controlled content should route through one of them.
+
+const HEREDOC_SUBST_RE = /\$\(\s*cat\s+<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1\s*\)/u;
+const ECHO_PRINTF_SUBST_RE = /\$\(\s*(?:printf|echo)\s+(?:-[a-zA-Z]+\s+)*'([^']*)'/u;
+
+const unwrapStaticString = (value: string, heredocBodies?: ReadonlyMap<string, string>): string => {
+  const heredoc = HEREDOC_SUBST_RE.exec(value);
+  if (heredoc !== null) {
+    const captured = heredoc[2] ?? value;
+    if (heredocBodies !== undefined && captured.trim() === '__HEREDOC_BODY__') {
+      const delimiter = heredoc[1];
+      const real = delimiter === undefined ? undefined : heredocBodies.get(delimiter);
+      if (real !== undefined) {
+        return real;
+      }
+    }
+    return captured;
+  }
+  const printf = ECHO_PRINTF_SUBST_RE.exec(value);
+  if (printf !== null) {
+    return printf[1] ?? value;
+  }
+  return value;
+};
+
+// Recover commands hidden inside a `sh -c '...'` / `bash -c '...'` wrapper.
+// Without this, every redirect / deny / scoped-rm rule can be trivially
+// Bypassed by wrapping the offending command in `sh -c`. The shell parser
+// Otherwise sees `sh` as the head and the script as an opaque positional
+// Arg. We pull the script out and feed it back through `parseCommand` so
+// All existing rules apply.
+const SHELL_WRAPPER_HEADS: ReadonlySet<string> = new Set([
+  'sh',
+  'bash',
+  'zsh',
+  'dash',
+  'ksh',
+  'ash',
+  '/bin/sh',
+  '/bin/bash',
+  '/bin/zsh',
+  '/bin/dash',
+  '/bin/ksh',
+  '/usr/bin/sh',
+  '/usr/bin/bash',
+  '/usr/bin/zsh',
+  '/usr/local/bin/bash',
+  '/opt/homebrew/bin/bash',
+]);
+
+const extractShellWrappedCommands = (seg: Segment): string[] => {
+  if (!SHELL_WRAPPER_HEADS.has(seg.head)) {
+    return [];
+  }
+  const tokens = seg.tokens;
+  for (let i = 1; i < tokens.length; i++) {
+    const t = tokens[i]!;
+    if (t === '-c' && i + 1 < tokens.length) {
+      return [tokens[i + 1]!];
+    }
+    // Combined short flags that include `c`: `-ec`, `-xc`, `-eu c` won't —
+    // Only treat `c` as the last char so the next token is the script.
+    if (
+      t.startsWith('-') &&
+      !t.startsWith('--') &&
+      t.endsWith('c') &&
+      t.length > 2 &&
+      i + 1 < tokens.length
+    ) {
+      return [tokens[i + 1]!];
+    }
+  }
+  return [];
+};
+
+const HEAD_RENAMING_HEADS: ReadonlySet<string> = new Set([
+  'command',
+  'exec',
+  'env',
+  'time',
+  'nohup',
+  'setsid',
+  'nice',
+  'ionice',
+  'chronic',
+  'stdbuf',
+  'unbuffer',
+  'script',
+  'taskset',
+]);
+
+const HEAD_RENAMING_VALUE_FLAGS: Readonly<Record<string, ReadonlySet<string>>> = {
+  command: new Set(),
+  env: new Set(['-u', '--unset', '-C', '--chdir', '-S', '--split-string', '--block-signal']),
+  time: new Set(['-f', '--format', '-o', '--output']),
+  nice: new Set(['-n', '--adjustment']),
+  ionice: new Set(['-c', '--class', '-n', '--classdata', '-p', '--pid']),
+  stdbuf: new Set(['-i', '--input', '-o', '--output', '-e', '--error']),
+  script: new Set(['-c', '--command']),
+  taskset: new Set(),
+};
+
+const tokenLooksLikeEnvAssignment = (token: string): boolean =>
+  /^[A-Za-z_][A-Za-z0-9_]*=.*/u.test(token);
+
+const skipHeadRenamingPrefix = (tokens: readonly string[]): number => {
+  const head = tokens[0]!;
+  const valueFlags = HEAD_RENAMING_VALUE_FLAGS[head] ?? new Set<string>();
+  let i = 1;
+  while (i < tokens.length) {
+    const token = tokens[i]!;
+    if (head === 'env' && tokenLooksLikeEnvAssignment(token)) {
+      i++;
+      continue;
+    }
+    if (valueFlags.has(token)) {
+      i += 2;
+      continue;
+    }
+    if (token.includes('=') && valueFlags.has(token.slice(0, token.indexOf('=')))) {
+      i++;
+      continue;
+    }
+    if (token.startsWith('--') && token !== '--') {
+      i++;
+      continue;
+    }
+    if (token.startsWith('-') && token !== '-') {
+      i++;
+      continue;
+    }
+    break;
+  }
+  return i;
+};
+
+const extractHeadRenamingCommands = (seg: Segment): string[] => {
+  if (!HEAD_RENAMING_HEADS.has(seg.head)) {
+    return [];
+  }
+  if (seg.head === 'script') {
+    for (let i = 1; i < seg.tokens.length - 1; i++) {
+      const token = seg.tokens[i]!;
+      if (token === '-c' || token === '--command') {
+        return [seg.tokens[i + 1]!];
+      }
+      if (token.startsWith('--command=')) {
+        return [token.slice('--command='.length)];
+      }
+    }
+  }
+  const start = skipHeadRenamingPrefix(seg.tokens);
+  const inner = seg.tokens.slice(start).join(' ');
+  return inner === '' ? [] : [inner];
+};
+
+const EVAL_HEADS: ReadonlySet<string> = new Set(['eval']);
+
+const extractEvalCommands = (seg: Segment): string[] => {
+  if (!EVAL_HEADS.has(seg.head)) {
+    return [];
+  }
+  const sub = seg.tokens.slice(1).join(' ');
+  return sub === '' ? [] : [sub];
+};
+
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
+  const cmdForParsing = maskLiteralHeredocBodies(cmd);
   try {
-    entries = parse(cmd, PRESERVE_ENV);
+    entries = parse(cmdForParsing, PRESERVE_ENV);
   } catch {
     return [];
   }
   entries = mergeAmpRedirects(entries);
-  const fdBudget: FdBudget = { remaining: countFdPrefixRedirects(cmd) };
+  const fdBudget: FdBudget = { remaining: countFdPrefixRedirects(cmdForParsing) };
 
   const out: Segment[] = [];
   let buf: ParseEntry[] = [];
@@ -551,7 +877,7 @@ const parseCommand = (cmd: string): Segment[] => {
   // Outer segment's args are already opaque sentinels (safe-path-failing);
   // This catches dangerous inner commands the outer call would otherwise
   // Hide.
-  for (const sub of extractInnerCommands(cmd)) {
+  for (const sub of [...extractInnerCommands(cmd), ...extractShellHeredocCommands(cmd)]) {
     for (const innerSeg of parseCommand(sub)) {
       out.push(innerSeg);
     }
@@ -573,6 +899,21 @@ const parseCommand = (cmd: string): Segment[] => {
         out.push(innerSeg);
       }
     }
+    for (const sub of extractShellWrappedCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractHeadRenamingCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+    for (const sub of extractEvalCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
   }
 
   return out;
@@ -654,7 +995,21 @@ const safeScopesSummary = (
     .join('\n');
 };
 
-const hasBypass = (cmd: string): boolean => /(^|\s)#\s*tripwire-allow\b/.test(cmd);
+// Mask heredoc bodies before scanning, otherwise a `# tripwire-allow`
+// Smuggled inside a heredoc body (e.g. a commit message piped via
+// `$(cat <<EOF ... EOF)`) disarms every rule for the surrounding command.
+// A legitimate bypass marker sits on the actual command line, which the
+// Mask leaves intact.
+const hasBypass = (cmd: string): boolean =>
+  /(^|\s)#\s*tripwire-allow\b/.test(maskLiteralHeredocBodies(cmd));
 
 export type { Redirect, Segment };
-export { hasBypass, isSafePathTarget, parseCommand, safeScopesSummary };
+export {
+  EXEC_SPECS,
+  collectHeredocBodies,
+  hasBypass,
+  isSafePathTarget,
+  parseCommand,
+  safeScopesSummary,
+  unwrapStaticString,
+};

package/src/rules/bash-deny.ts

@@ -40,6 +40,13 @@ const SPECS: readonly Spec[] = [
     message: 'Fork bomb pattern detected. Refuse.',
     match: (_seg, raw) => /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;/.test(raw),
   },
+  {
+    rule: 'source-script',
+    action: 'deny',
+    message:
+      '`source` / `.` executes a file in the current shell. Refuse arbitrary sourced scripts.',
+    match: (seg) => (seg.head === 'source' || seg.head === '.') && seg.tokens.length > 1,
+  },
   {
     rule: 'dd-raw-device',
     action: 'deny',
@@ -329,18 +336,52 @@ const SPECS: readonly Spec[] = [
   },
 ];
 
+// Rules in this set ignore `# tripwire-allow` on the command line. They
+// Are catastrophic / irreversible operations and hard policy rules that
+// Have no legitimate prompt-line override. If the user genuinely needs
+// One of these to run, they should do it in a terminal themselves.
+const UNBYPASSABLE_RULES: ReadonlySet<string> = new Set([
+  // Catastrophic / irreversible
+  'rm-rf-root',
+  'rm-rf-home',
+  'fork-bomb',
+  'dd-raw-device',
+  'mkfs',
+  'kill-all',
+  'diskutil-destructive',
+  'tmutil-destructive',
+  // System control
+  'shutdown',
+  'csrutil',
+  'nvram',
+  'kextload',
+  'spctl-disable',
+  'xattr-quarantine-bypass',
+  'topgrade',
+  'softwareupdate-install',
+  'systemsetup',
+  'scutil-set',
+  'security-keychain-destructive',
+  // Hard policy rules
+  'no-verify',
+  'no-gpg-sign',
+]);
+
 const bashDeny = (segments: readonly Segment[], cmd: string): Decision => {
-  if (hasBypass(cmd)) {
-    return allow('bash-deny');
-  }
+  const bypass = hasBypass(cmd);
   for (const seg of segments) {
     for (const s of SPECS) {
-      if (s.match(seg, cmd)) {
-        return s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message);
+      if (!s.match(seg, cmd)) {
+        continue;
+      }
+      if (bypass && !UNBYPASSABLE_RULES.has(s.rule)) {
+        // Caller asserted in-turn approval; honor it for this rule.
+        continue;
       }
+      return s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message);
     }
   }
   return allow('bash-deny');
 };
 
-export { bashDeny };
+export { bashDeny, UNBYPASSABLE_RULES };

package/src/rules/bash-git.ts

@@ -1,4 +1,4 @@
-import { type Segment, hasBypass } from '../lib/bash';
+import { type Segment, collectHeredocBodies, hasBypass, unwrapStaticString } from '../lib/bash';
 import type { GitConfig } from '../lib/config';
 import { type Decision, allow, ask, deny, warn } from '../lib/decision';
 
@@ -107,19 +107,24 @@ const parseGit = (seg: Segment): GitInvocation | null => {
   return null;
 };
 
-const messageOf = (subArgs: readonly string[]): string | null => {
+const messageOf = (
+  subArgs: readonly string[],
+  heredocBodies?: ReadonlyMap<string, string>,
+): string | null => {
   for (let i = 0; i < subArgs.length; i++) {
     const t = subArgs[i]!;
     if (t === '-m' || t === '--message') {
-      return subArgs[i + 1] ?? null;
+      const raw = subArgs[i + 1];
+      return raw === undefined ? null : unwrapStaticString(raw, heredocBodies);
     }
     if (t.startsWith('--message=')) {
-      return t.slice('--message='.length);
+      return unwrapStaticString(t.slice('--message='.length), heredocBodies);
     }
     // Combined short flags like `-am`, `-ma`, `-amS` carry the message
     // In the next positional arg — same as `-m` alone.
     if (/^-[a-zA-Z]*m[a-zA-Z]*$/.test(t)) {
-      return subArgs[i + 1] ?? null;
+      const raw = subArgs[i + 1];
+      return raw === undefined ? null : unwrapStaticString(raw, heredocBodies);
     }
   }
   return null;
@@ -151,6 +156,7 @@ interface HandlerCtx {
   readonly flags: readonly string[];
   readonly positional: readonly string[];
   readonly config: GitConfig;
+  readonly heredocBodies: ReadonlyMap<string, string>;
 }
 
 type Handler = (ctx: HandlerCtx) => Decision;
@@ -304,14 +310,14 @@ const handleMerge: Handler = ({ subArgs }) => {
   return ask('git-merge', '`git merge <branch>` may create merge conflicts. Confirm intent.');
 };
 
-const handleCommit: Handler = ({ subArgs, config }) => {
+const handleCommit: Handler = ({ subArgs, config, heredocBodies }) => {
   if (has(subArgs, '--amend')) {
     return deny(
       'git-commit-amend',
       '`git commit --amend` rewrites the last commit. If it has been pushed, this causes upstream divergence. Refuse — surface the intent.',
     );
   }
-  const msg = messageOf(subArgs);
+  const msg = messageOf(subArgs, heredocBodies);
   const hasFile = has(subArgs, '-F', '--file', '-c', '-C', '--reuse-message', '--reedit-message');
   const hasNoEdit = has(subArgs, '--no-edit');
   if (msg === null && !hasFile && !hasNoEdit) {
@@ -509,7 +515,11 @@ const HANDLERS: ReadonlyMap<string, Handler> = new Map<string, Handler>([
   ],
 ]);
 
-const evalGit = (inv: GitInvocation, config: GitConfig): Decision | null => {
+const evalGit = (
+  inv: GitInvocation,
+  config: GitConfig,
+  heredocBodies: ReadonlyMap<string, string>,
+): Decision | null => {
   const { subcommand, subArgs } = inv;
   const flags = flagsOf(subArgs);
   const positional = positionalOf(subArgs);
@@ -564,7 +574,7 @@ const evalGit = (inv: GitInvocation, config: GitConfig): Decision | null => {
 
   const handler = HANDLERS.get(subcommand);
   if (handler !== undefined) {
-    return handler({ subcommand, subArgs, flags, positional, config });
+    return handler({ subcommand, subArgs, flags, positional, config, heredocBodies });
   }
   return warn(
     'git-unknown-subcommand',
@@ -576,12 +586,13 @@ const bashGit = (segments: readonly Segment[], cmd: string, config: GitConfig):
   if (hasBypass(cmd)) {
     return allow('bash-git');
   }
+  const heredocBodies = collectHeredocBodies(cmd);
   for (const seg of segments) {
     const inv = parseGit(seg);
     if (inv === null) {
       continue;
     }
-    const d = evalGit(inv, config);
+    const d = evalGit(inv, config, heredocBodies);
     if (d !== null && d.kind !== 'allow') {
       return d;
     }