@seanmozeik/tripwire 0.5.3 → 0.6.0

package/src/rules/bash-tool-policy.ts

@@ -2,10 +2,10 @@ import { type Segment, hasBypass } from '../lib/bash';
 import { type Decision, allow, deny, warn } from '../lib/decision';
 
 // Opinionated tooling enforcement. Hard-deny on the package managers and
-// Tools Sean has explicitly replaced (npm/pip/patch-package); soft-warn
+// Tools the user has explicitly replaced (npm/pip/patch-package); soft-warn
 // Suggesting modern equivalents (find→fd, grep→rg).
 //
-// Hard-deny rationale (from Sean's CLAUDE.md): TypeScript is bun-only,
+// Hard-deny rationale (from the user's CLAUDE.md): TypeScript is bun-only,
 // Python is uv-only. Slipping into npm or pip mid-session means the
 // Agent forgot the toolchain and is about to install into the wrong
 // Directory or make a lockfile bun can't read.
@@ -23,7 +23,7 @@ const POLICIES: readonly Policy[] = [
     rule: 'use-bun-not-npm',
     action: 'deny',
     message:
-      'Use `bun` instead of `npm`. Translations: `npm install` → `bun install`, `npm install <pkg>` → `bun add <pkg>`, `npm install -D <pkg>` → `bun add -d <pkg>`, `npm run X` → `bun run X` (or `bun X` for bin scripts), `npm test` → `bun test`. If you genuinely need npm (publishing to a registry that requires it, working in a non-Sean repo), append ` # tripwire-allow: <reason>` to the command.',
+      'Use `bun` instead of `npm`. Translations: `npm install` → `bun install`, `npm install <pkg>` → `bun add <pkg>`, `npm install -D <pkg>` → `bun add -d <pkg>`, `npm run X` → `bun run X` (or `bun X` for bin scripts), `npm test` → `bun test`. If you genuinely need npm (publishing to a registry that requires it, working in a different repo), append ` # tripwire-allow: <reason>` to the command.',
     fires: (seg) => seg.head === 'npm',
   },
   {
@@ -35,20 +35,20 @@ const POLICIES: readonly Policy[] = [
   {
     rule: 'use-bun-not-pnpm',
     action: 'deny',
-    message: 'Use `bun` instead of `pnpm`. Sean is bun-only across his repos.',
+    message: 'Use `bun` instead of `pnpm`. The user is bun-only across their repos.',
     fires: (seg) => seg.head === 'pnpm',
   },
   {
     rule: 'use-bun-not-yarn',
     action: 'deny',
-    message: 'Use `bun` instead of `yarn`. Sean is bun-only.',
+    message: 'Use `bun` instead of `yarn`. The user is bun-only.',
     fires: (seg) => seg.head === 'yarn',
   },
   {
     rule: 'use-uv-not-pip',
     action: 'deny',
     message:
-      'Use `uv` instead of `pip`. Translations: `pip install <pkg>` → `uv add <pkg>` (project dependency) or `uv pip install <pkg>` (env-only escape hatch). `pip freeze` → `uv pip freeze`. `pip list` → `uv pip list`. Sean is uv-only across Python repos.',
+      'Use `uv` instead of `pip`. Translations: `pip install <pkg>` → `uv add <pkg>` (project dependency) or `uv pip install <pkg>` (env-only escape hatch). `pip freeze` → `uv pip freeze`. `pip list` → `uv pip list`. The user is uv-only across Python repos.',
     fires: (seg) => seg.head === 'pip' || seg.head === 'pip3',
   },
   {
@@ -76,12 +76,12 @@ const POLICIES: readonly Policy[] = [
     fires: (seg) => seg.head === 'patch-package',
   },
 
-  // ── SOFT WARNS: modern equivalents Sean has installed ────────────────
+  // ── SOFT WARNS: modern equivalents the user has installed ────────────────
   {
     rule: 'consider-fd',
     action: 'warn',
     message:
-      'Consider `fd` instead of `find`. Faster, simpler syntax, respects .gitignore by default. Examples: `find . -name "*.ts"` → `fd -e ts`, `find . -type f -name "X"` → `fd -t f X`, `find PATH ...` → `fd ... PATH`. Sean has both installed; either works.',
+      'Consider `fd` instead of `find`. Faster, simpler syntax, respects .gitignore by default. Examples: `find . -name "*.ts"` → `fd -e ts`, `find . -type f -name "X"` → `fd -t f X`, `find PATH ...` → `fd ... PATH`. The user has both installed; either works.',
     fires: (seg) => seg.head === 'find',
   },
   {

package/src/rules/lazy-code.ts

@@ -20,21 +20,21 @@ const STUB_RE: readonly RegExp[] = [
   /\btemp fix\b/i,
   /\bfallback\b/i,
   /\bplaceholder\b/i,
-  /\bbackwards?[ -]?compat(ibility)?\b/i,
+  /\bbackwards?[ -]?compat(?<ibility>ibility)?\b/i,
   /\bfor later\b/i,
   /\blater on\b/i,
   /\bget back to\b/i,
   /\bI'?ll fix\b/i,
   /\bto be implemented\b/i,
-  /\bnot yet (implemented|done)\b/i,
+  /\bnot yet (?<state>implemented|done)\b/i,
   /\bstubbed\b/i,
 ];
 
 const CODE_EXT_RE =
-  /\.(ts|tsx|js|jsx|mjs|cjs|py|rs|go|rb|java|kt|swift|c|cc|cpp|h|hpp|cs|php|sh|zsh|bash|lua|ex|exs|clj|scala|dart)$/i;
+  /\.(?<ext>ts|tsx|js|jsx|mjs|cjs|py|rs|go|rb|java|kt|swift|c|cc|cpp|h|hpp|cs|php|sh|zsh|bash|lua|ex|exs|clj|scala|dart)$/i;
 
 const TEST_PATH_RE =
-  /(^|\/)(__tests__|tests?|spec|fixtures?|mocks?|__mocks__|stories)(\/|$)|\.(test|spec|fixture|mock|stories)\.[^/]+$/i;
+  /(?<prefix>^|\/)(?<dir>__tests__|tests?|spec|fixtures?|mocks?|__mocks__|stories)(?<suffix>\/|$)|\.(?<ext>test|spec|fixture|mock|stories)\.[^/]+$/i;
 
 // Comment-syntax-agnostic. Works in `//`, `#`, `--`, `/* */`, `<!-- -->`,
 // `;`, `%`, etc.

package/src/rules/path-protect.ts

@@ -1,3 +1,4 @@
+// oxlint-disable-next-line unicorn/import-style
 import { resolve } from 'node:path';
 
 import { type Decision, allow, deny } from '../lib/decision';
@@ -11,39 +12,47 @@ interface Spec {
 
 const protections: readonly Spec[] = [
   {
-    pattern: /(^|\/)\.env(\.[^/]+)?$/,
+    pattern: /(?<prefix>^|\/)\.env(?<ext>\.[^/]+)?$/,
     rule: 'env-file',
     message:
       '.env files hold secrets that should never be sent to the model. Refuse to write or edit. If an example is needed, create .env.example with redacted placeholders.',
   },
   {
-    pattern: /(^|\/)\.dev\.vars(\.[^/]+)?$/,
+    pattern: /(?<prefix>^|\/)\.dev\.vars(?<ext>\.[^/]+)?$/,
     rule: 'dev-vars',
     message: '.dev.vars holds Cloudflare/Wrangler secrets. Do not modify.',
   },
-  { pattern: /(^|\/)\.ssh\//, rule: 'ssh-dir', message: 'Never write into ~/.ssh/. Refuse.' },
   {
-    pattern: /(^|\/)(id_rsa|id_ed25519|id_ecdsa|id_dsa)(\.pub)?$/,
+    pattern: /(?<prefix>^|\/)\.ssh\//,
+    rule: 'ssh-dir',
+    message: 'Never write into ~/.ssh/. Refuse.',
+  },
+  {
+    pattern: /(?<prefix>^|\/)(?<key>id_rsa|id_ed25519|id_ecdsa|id_dsa)(?<pub>\.pub)?$/,
     rule: 'ssh-key',
     message: 'SSH key file. Refuse.',
   },
   {
-    pattern: /\.(pem|key|p12|pfx)$/i,
+    pattern: /\.(?<ext>pem|key|p12|pfx)$/i,
     rule: 'private-key',
     message:
-      'Private key file. Refuse to overwrite. If generating a new key, use a different filename and let Sean review.',
+      'Private key file. Refuse to overwrite. If generating a new key, use a different filename and let the user review.',
   },
   {
-    pattern: /(^|\/)secrets?\.(json|ya?ml|toml|env)$/i,
+    pattern: /(?<prefix>^|\/)secrets?\.(?<ext>json|ya?ml|toml|env)$/i,
     rule: 'secrets-file',
     message: 'Secrets file. Refuse.',
   },
   {
-    pattern: /(^|\/)\.aws\/credentials$/,
+    pattern: /(?<prefix>^|\/)\.aws\/credentials$/,
     rule: 'aws-credentials',
     message: 'AWS credentials file. Refuse.',
   },
-  { pattern: /(^|\/)\.netrc$/, rule: 'netrc', message: '.netrc holds host credentials. Refuse.' },
+  {
+    pattern: /(?<prefix>^|\/)\.netrc$/,
+    rule: 'netrc',
+    message: '.netrc holds host credentials. Refuse.',
+  },
 ];
 
 const pathProtect = (input: EditInput | WriteInput): Decision => {

package/src/rules/read-protect.ts

@@ -1,3 +1,4 @@
+// oxlint-disable-next-line unicorn/import-style
 import { resolve } from 'node:path';
 
 import { type Decision, allow, deny } from '../lib/decision';
@@ -12,39 +13,43 @@ interface Spec {
 const PROTECTIONS: readonly Spec[] = [
   {
     rule: 'read-env',
-    pattern: /(^|\/)\.env(\.[^/]+)?$/,
+    pattern: /(?<prefix>^|\/)\.env(?<ext>\.[^/]+)?$/,
     message:
       '.env files hold secrets that should never enter the model context. Refuse to read. If the goal is documenting required env vars, look at .env.example or describe the schema from memory.',
   },
   {
     rule: 'read-dev-vars',
-    pattern: /(^|\/)\.dev\.vars(\.[^/]+)?$/,
+    pattern: /(?<prefix>^|\/)\.dev\.vars(?<ext>\.[^/]+)?$/,
     message: 'Refuse to read .dev.vars (Cloudflare/Wrangler secrets).',
   },
-  { rule: 'read-ssh', pattern: /(^|\/)\.ssh\//, message: 'Refuse to read files inside ~/.ssh/.' },
+  {
+    rule: 'read-ssh',
+    pattern: /(?<prefix>^|\/)\.ssh\//,
+    message: 'Refuse to read files inside ~/.ssh/.',
+  },
   {
     rule: 'read-ssh-key',
-    pattern: /(^|\/)(id_rsa|id_ed25519|id_ecdsa|id_dsa)$/,
+    pattern: /(?<prefix>^|\/)(?<key>id_rsa|id_ed25519|id_ecdsa|id_dsa)$/,
     message: 'Refuse to read SSH private key files.',
   },
   {
     rule: 'read-private-key',
-    pattern: /\.(pem|key|p12|pfx)$/i,
+    pattern: /\.(?<ext>pem|key|p12|pfx)$/i,
     message: 'Refuse to read private-key-shaped files.',
   },
   {
     rule: 'read-aws-credentials',
-    pattern: /(^|\/)\.aws\/credentials$/,
+    pattern: /(?<prefix>^|\/)\.aws\/credentials$/,
     message: 'Refuse to read ~/.aws/credentials.',
   },
   {
     rule: 'read-netrc',
-    pattern: /(^|\/)\.netrc$/,
+    pattern: /(?<prefix>^|\/)\.netrc$/,
     message: 'Refuse to read ~/.netrc (host credentials).',
   },
   {
     rule: 'read-secrets-file',
-    pattern: /(^|\/)secrets?\.(json|ya?ml|toml|env)$/i,
+    pattern: /(?<prefix>^|\/)secrets?\.(?<ext>json|ya?ml|toml|env)$/i,
     message: 'Refuse to read a file named secrets.{json,yaml,toml,env}.',
   },
 ];