@seanmozeik/tripwire 0.5.3 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.5.3",
+  "version": "0.6.0",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {
@@ -33,14 +33,14 @@
   "dependencies": {
     "@effect/platform-bun": "^4.0.0-beta.66",
     "effect": "^4.0.0-beta.66",
-    "shell-quote": "^1.8.3"
+    "shell-quote": "^1.8.4"
   },
   "devDependencies": {
     "@types/bun": "^1.3.14",
     "@types/shell-quote": "^1.7.5",
-    "oxfmt": "^0.50.0",
-    "oxlint": "^1.65.0",
-    "oxlint-tsgolint": "^0.22.1",
+    "oxfmt": "^0.53.0",
+    "oxlint": "^1.68.0",
+    "oxlint-tsgolint": "^0.23.0",
     "typescript": "^6.0.3"
   },
   "engines": {

package/src/cli.ts

@@ -14,6 +14,7 @@
 //   Bun src/cli.ts install pi
 //   Bun src/cli.ts install all
 
+// oxlint-disable-next-line unicorn/import-style
 import { dirname } from 'node:path';
 
 import { BunServices } from '@effect/platform-bun';
@@ -27,7 +28,7 @@ import { installAll, installClaude, installCodex, installPi } from './lib/instal
 // Resolve tripwire-hook path at runtime using process.argv
 // This works in both script mode (bun run) and compiled/bundled mode
 const runtimeSelf = (): string => {
-  const isBunCli = /\/bun(\.exe)?$/.test(process.argv[0] ?? '');
+  const isBunCli = /\/bun(?<ext>\.exe)?$/.test(process.argv[0] ?? '');
   return isBunCli ? process.argv[1]! : process.argv[0]!;
 };
 

package/src/lib/bash.ts

@@ -257,8 +257,13 @@ const countFdPrefixRedirects = (cmd: string): number => {
 };
 
 const heredocDelimiterFromLine = (line: string): string | null => {
-  const match = /<<-?\s*(?:"([^"]+)"|'([^']+)'|([A-Za-z_][A-Za-z0-9_]*))/u.exec(line);
-  return match?.[1] ?? match?.[2] ?? match?.[3] ?? null;
+  const match =
+    /<<-?\s*(?:"(?<quoted>[^"]+)"|'(?<single>[^']+)'|(?<unquoted>[A-Za-z_][A-Za-z0-9_]*))/u.exec(
+      line,
+    );
+  return (
+    match?.groups?.['quoted'] ?? match?.groups?.['single'] ?? match?.groups?.['unquoted'] ?? null
+  );
 };
 
 const SHELL_STDIN_HEAD_RE =
@@ -483,7 +488,7 @@ const pathDangerScore = (t: string): number => {
   if (t === '~' || HOME_VAR_RE.test(t)) {
     return 90;
   }
-  if (/^\/(etc|usr|bin|sbin|System|Library|var|boot|root|home)(\/|$)/.test(t)) {
+  if (/^\/(?<dir>etc|usr|bin|sbin|System|Library|var|boot|root|home)(?<suffix>\/|$)/.test(t)) {
     return 80;
   }
   if (t.startsWith('/Users/')) {
@@ -679,15 +684,16 @@ const extractExecCommands = (seg: Segment): string[] => {
 // Treats substitutions as opaque sentinels — and any rule that touches
 // Agent-controlled content should route through one of them.
 
-const HEREDOC_SUBST_RE = /\$\(\s*cat\s+<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1\s*\)/u;
-const ECHO_PRINTF_SUBST_RE = /\$\(\s*(?:printf|echo)\s+(?:-[a-zA-Z]+\s+)*'([^']*)'/u;
+const HEREDOC_SUBST_RE =
+  /\$\(\s*cat\s+<<-?\s*['"]?(?<delimiter>\w+)['"]?\s*\n(?<body>[\s\S]*?)\n\s*\k<delimiter>\s*\)/u;
+const ECHO_PRINTF_SUBST_RE = /\$\(\s*(?:printf|echo)\s+(?:-[a-zA-Z]+\s+)*'(?<content>[^']*)'/u;
 
 const unwrapStaticString = (value: string, heredocBodies?: ReadonlyMap<string, string>): string => {
   const heredoc = HEREDOC_SUBST_RE.exec(value);
   if (heredoc !== null) {
-    const captured = heredoc[2] ?? value;
+    const captured = heredoc.groups?.['body'] ?? value;
     if (heredocBodies !== undefined && captured.trim() === '__HEREDOC_BODY__') {
-      const delimiter = heredoc[1];
+      const delimiter = heredoc.groups?.['delimiter'];
       const real = delimiter === undefined ? undefined : heredocBodies.get(delimiter);
       if (real !== undefined) {
         return real;
@@ -697,7 +703,7 @@ const unwrapStaticString = (value: string, heredocBodies?: ReadonlyMap<string, s
   }
   const printf = ECHO_PRINTF_SUBST_RE.exec(value);
   if (printf !== null) {
-    return printf[1] ?? value;
+    return printf.groups?.['content'] ?? value;
   }
   return value;
 };
@@ -752,6 +758,13 @@ const extractShellWrappedCommands = (seg: Segment): string[] => {
   return [];
 };
 
+// Heads that take `[flags] <command> [args]` on the same arg vector: the
+// First non-flag token after the prefix is the real command. `sudo`/`doas`
+// (privilege escalation), `xargs` (stdin-driven exec), and `watch` (repeated
+// Exec) all hide a sibling command this way, so the same unwrap that handles
+// `command`/`env`/`nohup` applies. `sudo` is also matched by bash-deny's
+// `ask` rule on the outer segment — both fire, and the more-restrictive
+// Interior decision (e.g. `sudo rm -rf /` → deny) wins on merge.
 const HEAD_RENAMING_HEADS: ReadonlySet<string> = new Set([
   'command',
   'exec',
@@ -766,6 +779,10 @@ const HEAD_RENAMING_HEADS: ReadonlySet<string> = new Set([
   'unbuffer',
   'script',
   'taskset',
+  'sudo',
+  'doas',
+  'xargs',
+  'watch',
 ]);
 
 const HEAD_RENAMING_VALUE_FLAGS: Readonly<Record<string, ReadonlySet<string>>> = {
@@ -777,6 +794,52 @@ const HEAD_RENAMING_VALUE_FLAGS: Readonly<Record<string, ReadonlySet<string>>> =
   stdbuf: new Set(['-i', '--input', '-o', '--output', '-e', '--error']),
   script: new Set(['-c', '--command']),
   taskset: new Set(),
+  sudo: new Set([
+    '-u',
+    '--user',
+    '-g',
+    '--group',
+    '-C',
+    '--close-from',
+    '-D',
+    '--chdir',
+    '-h',
+    '--host',
+    '-p',
+    '--prompt',
+    '-r',
+    '--role',
+    '-t',
+    '--type',
+    '-U',
+    '--other-user',
+    '-R',
+    '--chroot',
+    '-T',
+    '--command-timeout',
+  ]),
+  doas: new Set(['-a', '-C', '-u']),
+  xargs: new Set([
+    '-I',
+    '-i',
+    '-J',
+    '-n',
+    '--max-args',
+    '-P',
+    '--max-procs',
+    '-s',
+    '--max-chars',
+    '-L',
+    '--max-lines',
+    '-E',
+    '--eof',
+    '-d',
+    '--delimiter',
+    '-a',
+    '--arg-file',
+    '--replace',
+  ]),
+  watch: new Set(['-n', '--interval']),
 };
 
 const tokenLooksLikeEnvAssignment = (token: string): boolean =>
@@ -843,6 +906,186 @@ const extractEvalCommands = (seg: Segment): string[] => {
   return sub === '' ? [] : [sub];
 };
 
+// ── rtk (token-optimizing CLI proxy) ─────────────────────────────────
+// Rtk wraps real commands so their output is filtered before reaching the
+// Agent's context, and Codex auto-prepends it. The wrapper hides the real
+// Command from every rule: `rtk proxy rm -rf /` parses with head `rtk` and
+// The destructive `rm` buried in opaque positional args. Strip the `rtk`
+// Prefix and reconstruct the interior command so the existing rules decide
+// On what actually runs.
+//
+// Grammar: `rtk [global-opts] <subcommand> [args]`. Two subcommand classes
+// Exec a sibling command:
+//   • wrapper subs — the keyword is dropped, the remainder is an arbitrary
+//     Command: `run` (also `-c <string>`), `proxy`, `err`, `test`, `summary`.
+//   • tool-proxy subs — the keyword *is* the binary: `git`, `find`, `npm`,
+//     `docker`, … Reconstructing from the subcommand onward yields the real
+//     Invocation (`git push …`, `find … -delete`). rtk-internal filters that
+//     Aren't real binaries (`gain`, `config`, `diff`, …) reconstruct to inert
+//     Heads no rule matches, so no allowlist is needed.
+const RTK_WRAPPER_SUBCOMMANDS: ReadonlySet<string> = new Set([
+  'run',
+  'proxy',
+  'err',
+  'test',
+  'summary',
+]);
+
+const isRtkHead = (head: string): boolean => head === 'rtk' || head.endsWith('/rtk');
+
+const skipRtkGlobalFlags = (tokens: readonly string[]): number => {
+  // Rtk's global options (`-v`/`-vv`/`--verbose`, `--ultra-compact`,
+  // `--skip-env`) are all boolean, so any leading flag token can be skipped.
+  let i = 1;
+  while (i < tokens.length) {
+    const t = tokens[i]!;
+    if (t.startsWith('-') && t !== '-' && t !== '--') {
+      i++;
+      continue;
+    }
+    break;
+  }
+  return i;
+};
+
+const dashCommandArg = (tokens: readonly string[], start: number): string | null => {
+  for (let k = start; k < tokens.length; k++) {
+    const t = tokens[k]!;
+    if ((t === '-c' || t === '--command') && k + 1 < tokens.length) {
+      return tokens[k + 1]!;
+    }
+    if (t.startsWith('--command=')) {
+      return t.slice('--command='.length);
+    }
+  }
+  return null;
+};
+
+const extractRtkCommands = (seg: Segment): string[] => {
+  if (!isRtkHead(seg.head)) {
+    return [];
+  }
+  const subIdx = skipRtkGlobalFlags(seg.tokens);
+  const sub = seg.tokens[subIdx];
+  if (sub === undefined) {
+    return [];
+  }
+  if (RTK_WRAPPER_SUBCOMMANDS.has(sub)) {
+    // `rtk run -c '<cmd>'` carries the command in a flag value.
+    const viaFlag = dashCommandArg(seg.tokens, subIdx + 1);
+    if (viaFlag !== null) {
+      return viaFlag === '' ? [] : [viaFlag];
+    }
+    // Otherwise the command is the positional remainder after the keyword,
+    // Skipping any wrapper-local boolean flags.
+    let j = subIdx + 1;
+    while (j < seg.tokens.length) {
+      const t = seg.tokens[j]!;
+      if (t === '--') {
+        j++;
+        break;
+      }
+      if (t.startsWith('-') && t !== '-') {
+        j++;
+        continue;
+      }
+      break;
+    }
+    const inner = seg.tokens.slice(j).join(' ');
+    return inner === '' ? [] : [inner];
+  }
+  // Tool-proxy subcommand: the subcommand token is the real binary name.
+  const inner = seg.tokens.slice(subIdx).join(' ');
+  return inner === '' ? [] : [inner];
+};
+
+// ── Positional-prefix wrappers ───────────────────────────────────────
+// Heads where the real command follows one or more positional arguments
+// The wrapper consumes itself: `timeout <duration> <cmd>`, `chroot <newroot>
+// <cmd>`, `flock <lockfile> <cmd>` (or `flock <lockfile> -c '<cmd>'`), and
+// `su [user] -c '<cmd>'`. Skip the flag region, drop the wrapper's own
+// Positionals, and the remainder is the command.
+interface PrefixWrapperSpec {
+  readonly valueFlags: ReadonlySet<string>;
+  // Positional args the wrapper consumes before the command (duration, newroot…).
+  readonly skipPositionals: number;
+  // Whether the command can also arrive via `-c <string>` (su, flock).
+  readonly dashCommand: boolean;
+}
+
+const PREFIX_WRAPPER_SPECS: Readonly<Record<string, PrefixWrapperSpec>> = {
+  timeout: {
+    valueFlags: new Set(['-s', '--signal', '-k', '--kill-after']),
+    skipPositionals: 1,
+    dashCommand: false,
+  },
+  gtimeout: {
+    valueFlags: new Set(['-s', '--signal', '-k', '--kill-after']),
+    skipPositionals: 1,
+    dashCommand: false,
+  },
+  chroot: {
+    valueFlags: new Set(['--userspec', '--groups']),
+    skipPositionals: 1,
+    dashCommand: false,
+  },
+  flock: {
+    valueFlags: new Set(['-w', '--wait', '--timeout', '-E', '--conflict-exit-code']),
+    skipPositionals: 1,
+    dashCommand: true,
+  },
+  su: { valueFlags: new Set(), skipPositionals: 0, dashCommand: true },
+};
+
+const extractPrefixWrapperCommands = (seg: Segment): string[] => {
+  const spec = PREFIX_WRAPPER_SPECS[seg.head];
+  if (spec === undefined) {
+    return [];
+  }
+  if (spec.dashCommand) {
+    const viaFlag = dashCommandArg(seg.tokens, 1);
+    if (viaFlag !== null) {
+      return viaFlag === '' ? [] : [viaFlag];
+    }
+  }
+  let i = 1;
+  while (i < seg.tokens.length) {
+    const t = seg.tokens[i]!;
+    if (spec.valueFlags.has(t)) {
+      i += 2;
+      continue;
+    }
+    if (t.includes('=') && spec.valueFlags.has(t.slice(0, t.indexOf('=')))) {
+      i++;
+      continue;
+    }
+    if (t === '--') {
+      i++;
+      break;
+    }
+    if (t.startsWith('-') && t !== '-') {
+      i++;
+      continue;
+    }
+    break;
+  }
+  i += spec.skipPositionals;
+  const inner = seg.tokens.slice(i).join(' ');
+  return inner === '' ? [] : [inner];
+};
+
+// Each extractor pulls the inner command(s) a wrapper hides on its own arg
+// Vector, to be re-parsed as additional segments so every rule sees what
+// Actually runs. Order is irrelevant — all results are unioned into `out`.
+const SEGMENT_EXTRACTORS: readonly ((seg: Segment) => string[])[] = [
+  extractExecCommands,
+  extractShellWrappedCommands,
+  extractHeadRenamingCommands,
+  extractEvalCommands,
+  extractRtkCommands,
+  extractPrefixWrapperCommands,
+];
+
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
   const cmdForParsing = maskLiteralHeredocBodies(cmd);
@@ -894,24 +1137,11 @@ const parseCommand = (cmd: string): Segment[] => {
   const preExtractLen = out.length;
   for (let k = 0; k < preExtractLen; k++) {
     const seg = out[k]!;
-    for (const sub of extractExecCommands(seg)) {
-      for (const innerSeg of parseCommand(sub)) {
-        out.push(innerSeg);
-      }
-    }
-    for (const sub of extractShellWrappedCommands(seg)) {
-      for (const innerSeg of parseCommand(sub)) {
-        out.push(innerSeg);
-      }
-    }
-    for (const sub of extractHeadRenamingCommands(seg)) {
-      for (const innerSeg of parseCommand(sub)) {
-        out.push(innerSeg);
-      }
-    }
-    for (const sub of extractEvalCommands(seg)) {
-      for (const innerSeg of parseCommand(sub)) {
-        out.push(innerSeg);
+    for (const extract of SEGMENT_EXTRACTORS) {
+      for (const sub of extract(seg)) {
+        for (const innerSeg of parseCommand(sub)) {
+          out.push(innerSeg);
+        }
       }
     }
   }
@@ -1001,7 +1231,7 @@ const safeScopesSummary = (
 // A legitimate bypass marker sits on the actual command line, which the
 // Mask leaves intact.
 const hasBypass = (cmd: string): boolean =>
-  /(^|\s)#\s*tripwire-allow\b/.test(maskLiteralHeredocBodies(cmd));
+  /(?<prefix>^|\s)#\s*tripwire-allow\b/.test(maskLiteralHeredocBodies(cmd));
 
 export type { Redirect, Segment };
 export {

package/src/lib/log.ts

@@ -1,5 +1,6 @@
 import { appendFileSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
+// oxlint-disable-next-line unicorn/import-style
 import { dirname } from 'node:path';
 
 const LOG_PATH = `${homedir()}/.claude/tripwire.log`;

package/src/lib/secrets.ts

@@ -16,6 +16,7 @@
 import { spawnSync } from 'node:child_process';
 import { mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
+// oxlint-disable-next-line unicorn/import-style
 import { join } from 'node:path';
 
 interface BetterleaksFinding {

package/src/rules/bash-deny.ts

@@ -1,5 +1,5 @@
 import { type Segment, hasBypass } from '../lib/bash';
-import { type Decision, allow, ask, deny } from '../lib/decision';
+import { type Decision, allow, ask, deny, merge } from '../lib/decision';
 
 interface Spec {
   readonly rule: string;
@@ -32,7 +32,7 @@ const SPECS: readonly Spec[] = [
     match: (seg) =>
       seg.head === 'rm' &&
       flagPresent(seg, '-rf', '-fr', '-Rf', '-fR') &&
-      seg.tokens.some((t) => /^(~|\$HOME|\$\{HOME\})$/.test(t)),
+      seg.tokens.some((t) => /^(?<home>~|\$HOME|\$\{HOME\})$/.test(t)),
   },
   {
     rule: 'fork-bomb',
@@ -51,13 +51,14 @@ const SPECS: readonly Spec[] = [
     rule: 'dd-raw-device',
     action: 'deny',
     message: 'dd writing to a raw block device wipes the disk. Refuse.',
-    match: (seg) => seg.head === 'dd' && /\bof=\/dev\/(disk|sd|nvme|rdisk)/i.test(argsJoined(seg)),
+    match: (seg) =>
+      seg.head === 'dd' && /\bof=\/dev\/(?<type>disk|sd|nvme|rdisk)/i.test(argsJoined(seg)),
   },
   {
     rule: 'mkfs',
     action: 'deny',
     message: 'mkfs formats a filesystem. Refuse.',
-    match: (seg) => /^mkfs(\.[a-z0-9]+)?$/i.test(seg.head),
+    match: (seg) => /^mkfs(?<ext>\.[a-z0-9]+)?$/i.test(seg.head),
   },
   {
     rule: 'kill-all',
@@ -162,7 +163,7 @@ const SPECS: readonly Spec[] = [
     rule: 'osascript',
     action: 'ask',
     message:
-      'osascript runs arbitrary AppleScript and can do almost anything (move files, send emails, drive apps). Confirm with Sean what you want done before running it.',
+      'osascript runs arbitrary AppleScript and can do almost anything (move files, send emails, drive apps). Confirm with the user what you want done before running it.',
     match: (seg) => seg.head === 'osascript',
   },
   {
@@ -194,7 +195,7 @@ const SPECS: readonly Spec[] = [
     rule: 'pmset-write',
     action: 'deny',
     message:
-      '`pmset` (with arguments) writes power-management settings. Read-only `pmset -g` is fine; mutations need Sean.',
+      '`pmset` (with arguments) writes power-management settings. Read-only `pmset -g` is fine; mutations need the user.',
     match: (seg) =>
       seg.head === 'pmset' &&
       seg.tokens.length > 1 &&
@@ -237,7 +238,7 @@ const SPECS: readonly Spec[] = [
     rule: 'kextload',
     action: 'deny',
     message:
-      'Loading a kernel extension (`kextload`, `kmutil load`) is a system-level mutation. Refuse — Sean handles this manually.',
+      'Loading a kernel extension (`kextload`, `kmutil load`) is a system-level mutation. Refuse — the user handles this manually.',
     match: (seg) =>
       seg.head === 'kextload' ||
       seg.head === 'kextunload' ||
@@ -369,6 +370,11 @@ const UNBYPASSABLE_RULES: ReadonlySet<string> = new Set([
 
 const bashDeny = (segments: readonly Segment[], cmd: string): Decision => {
   const bypass = hasBypass(cmd);
+  // Collect the first matching spec per segment, then return the most
+  // Restrictive across all of them. Returning the first match outright lets
+  // A weaker `ask` on an early segment (e.g. the outer `sudo`) shadow a
+  // `deny` on a later unwrapped segment (e.g. the interior `shutdown`).
+  const hits: Decision[] = [];
   for (const seg of segments) {
     for (const s of SPECS) {
       if (!s.match(seg, cmd)) {
@@ -378,10 +384,11 @@ const bashDeny = (segments: readonly Segment[], cmd: string): Decision => {
         // Caller asserted in-turn approval; honor it for this rule.
         continue;
       }
-      return s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message);
+      hits.push(s.action === 'deny' ? deny(s.rule, s.message) : ask(s.rule, s.message));
+      break;
     }
   }
-  return allow('bash-deny');
+  return hits.length === 0 ? allow('bash-deny') : merge(hits);
 };
 
 export { bashDeny, UNBYPASSABLE_RULES };

package/src/rules/bash-git.ts

@@ -19,7 +19,7 @@ import { type Decision, allow, ask, deny, warn } from '../lib/decision';
 //     And no -F) — deny (would hang the agent).
 //   - Rebase / cherry-pick / merge — ask (creates conflicts).
 //   - Config — allow read; deny write to --global / --system; deny local
-//     Write (Sean's identity / workflow).
+//     Write (the user's identity / workflow).
 //
 // `git -C <dir>`, `git --git-dir=<path>`, `git --work-tree=<path>`,
 // `git -c key=value` are stripped before subcommand dispatch — `git -C ../foo
@@ -38,7 +38,7 @@ const getProtectedBranches = (config: GitConfig): readonly string[] =>
 
 // Conventional Commits 1.0.0 — type(scope)?(!)?: description
 const CONVENTIONAL_RE =
-  /^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\([\w./\- ]+\))?!?:\s+\S/;
+  /^(?<type>feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(?<scope>\([\w./\- ]+\))?!?:\s+\S/;
 
 const PRE_SUB_FLAG_TAKES_VALUE: ReadonlySet<string> = new Set([
   '-C',
@@ -502,7 +502,7 @@ const HANDLERS: ReadonlyMap<string, Handler> = new Map<string, Handler>([
     ({ subcommand }) =>
       warn(
         `git-${subcommand}`,
-        `\`git ${subcommand}\` is allowed but unusual mid-session. Make sure this is what Sean asked for.`,
+        `\`git ${subcommand}\` is allowed but unusual mid-session. Make sure this is what the user asked for.`,
       ),
   ],
   [
@@ -510,7 +510,7 @@ const HANDLERS: ReadonlyMap<string, Handler> = new Map<string, Handler>([
     ({ subcommand }) =>
       warn(
         `git-${subcommand}`,
-        `\`git ${subcommand}\` is allowed but unusual mid-session. Make sure this is what Sean asked for.`,
+        `\`git ${subcommand}\` is allowed but unusual mid-session. Make sure this is what the user asked for.`,
       ),
   ],
 ]);

package/src/rules/bash-network-install.ts

@@ -56,7 +56,7 @@ const bashNetworkInstall = (segments: readonly Segment[], cmd: string): Decision
   if (isFetchPipedToShell(segments)) {
     return deny(
       'curl-pipe-shell',
-      "Piping `curl` / `wget` directly into a shell runs whatever the remote URL serves. Refuse — download to a file, inspect, then run if appropriate. If you genuinely need this, append ` # tripwire-allow: <reason>` (and explain to Sean what you're running).",
+      "Piping `curl` / `wget` directly into a shell runs whatever the remote URL serves. Refuse — download to a file, inspect, then run if appropriate. If you genuinely need this, append ` # tripwire-allow: <reason>` (and explain to the user what you're running).",
     );
   }
   for (const seg of segments) {

package/src/rules/bash-redirect.ts

@@ -8,38 +8,38 @@ import { type Decision, allow, deny } from '../lib/decision';
 const PROTECTED_TARGET_RE: readonly { rule: string; pattern: RegExp; message: string }[] = [
   {
     rule: 'redirect-env',
-    pattern: /(^|\/)\.env(\.[^/]+)?$/,
+    pattern: /(?<prefix>^|\/)\.env(?<ext>\.[^/]+)?$/,
     message:
       'Refusing to write into a .env file via shell redirect / tee / cp / mv. .env files hold secrets — never overwrite from a tool call.',
   },
   {
     rule: 'redirect-dev-vars',
-    pattern: /(^|\/)\.dev\.vars(\.[^/]+)?$/,
+    pattern: /(?<prefix>^|\/)\.dev\.vars(?<ext>\.[^/]+)?$/,
     message: 'Refusing to write into .dev.vars (Cloudflare/Wrangler secrets).',
   },
   {
     rule: 'redirect-ssh',
-    pattern: /(^|\/)\.ssh\//,
+    pattern: /(?<prefix>^|\/)\.ssh\//,
     message: 'Refusing to write into ~/.ssh/ via shell.',
   },
   {
     rule: 'redirect-key',
-    pattern: /\.(pem|key|p12|pfx)$/i,
+    pattern: /\.(?<ext>pem|key|p12|pfx)$/i,
     message: 'Refusing to overwrite a private-key-shaped file via shell.',
   },
   {
     rule: 'redirect-aws-credentials',
-    pattern: /(^|\/)\.aws\/credentials$/,
+    pattern: /(?<prefix>^|\/)\.aws\/credentials$/,
     message: 'Refusing to write into ~/.aws/credentials via shell.',
   },
   {
     rule: 'redirect-netrc',
-    pattern: /(^|\/)\.netrc$/,
+    pattern: /(?<prefix>^|\/)\.netrc$/,
     message: 'Refusing to write into ~/.netrc via shell.',
   },
   {
     rule: 'redirect-block-device',
-    pattern: /^\/dev\/(sd|disk|nvme|rdisk)/i,
+    pattern: /^\/dev\/(?<type>sd|disk|nvme|rdisk)/i,
     message: 'Redirecting into a raw block device wipes the disk. Refuse.',
   },
 ];

package/src/rules/bash-scoped-rm.ts

@@ -77,7 +77,7 @@ const bashScopedRm = (
     .join('\n');
   return deny(
     'destructive-outside-safe-paths',
-    `Destructive deletion outside known-safe scopes is blocked. Use \`trash\` (macOS Trash, recoverable) or \`rip\` (graveyard at ~/.local/share/graveyard, recoverable) instead. Real \`rm\` and \`find -delete\` are allowed only inside ephemeral build / cache / state directories:\n${safeScopesSummary(extraRelative, extraAbsolute)}\n\nFlagged targets:\n${detail}\n\nIf raw \`rm\` is genuinely needed, append \` # tripwire-allow: <reason>\` to the command.`,
+    `Destructive deletion outside known-safe scopes is blocked. Use \`trash\` (macOS Trash, recoverable) or \`rip\` (graveyard at /tmp/graveyard-$USER, recoverable until reboot) instead. Real \`rm\` and \`find -delete\` are allowed only inside ephemeral build / cache / state directories:\n${safeScopesSummary(extraRelative, extraAbsolute)}\n\nFlagged targets:\n${detail}\n\nIf raw \`rm\` is genuinely needed, append \` # tripwire-allow: <reason>\` to the command.`,
   );
 };
 

package/src/rules/bash-tar-explosion.ts

@@ -30,7 +30,7 @@ const findChangeDir = (seg: Segment): string | null => {
 };
 
 const isUnsafeExtractDest = (dest: string): boolean => {
-  return dest === '/' || /^(~|\$HOME|\$\{HOME\})$/.test(dest);
+  return dest === '/' || /^(?<home>~|\$HOME|\$\{HOME\})$/.test(dest);
 };
 
 const bashTarExplosion = (segments: readonly Segment[], cmd: string): Decision => {