@seanmozeik/tripwire 0.6.0 → 0.6.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {
@@ -31,8 +31,8 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@effect/platform-bun": "^4.0.0-beta.66",
-    "effect": "^4.0.0-beta.66",
+    "@effect/platform-bun": "^4.0.0-beta.78",
+    "effect": "^4.0.0-beta.78",
     "shell-quote": "^1.8.4"
   },
   "devDependencies": {

package/src/lib/bash.ts

@@ -209,7 +209,17 @@ const parseSegment = (entries: readonly ParseEntry[], fdBudget: FdBudget): Segme
       args.push(t);
     }
   }
-  return { head: tokens[0]!, tokens, args, flags, redirects, raw: tokens.join(' ') };
+  // Normalise the head to its basename so command-name rules match regardless
+  // Of whether the command was invoked via absolute path (/bin/rm), a
+  // Homebrew-prefixed path (/opt/homebrew/bin/gog), or a relative ./rm form.
+  // This fixes the containment hole where `/bin/rm <unsafe>` bypassed every
+  // Rule that compared `seg.head === 'rm'`.  The `tokens` array is left
+  // Unchanged (raw reconstruction stays accurate); only the canonical `head`
+  // Used for matching is normalised.
+  const rawHead = tokens[0]!;
+  const slashIdx = rawHead.lastIndexOf('/');
+  const head = slashIdx === -1 ? rawHead : rawHead.slice(slashIdx + 1);
+  return { head, tokens, args, flags, redirects, raw: tokens.join(' ') };
 };
 
 // Pass an env function that preserves variable references as literals,
@@ -714,6 +724,8 @@ const unwrapStaticString = (value: string, heredocBodies?: ReadonlyMap<string, s
 // Otherwise sees `sh` as the head and the script as an opaque positional
 // Arg. We pull the script out and feed it back through `parseCommand` so
 // All existing rules apply.
+// Head normalisation in `parseSegment` strips directory prefixes, so this set
+// Only needs bare basenames — `/bin/bash` etc. are now unreachable as heads.
 const SHELL_WRAPPER_HEADS: ReadonlySet<string> = new Set([
   'sh',
   'bash',
@@ -721,16 +733,6 @@ const SHELL_WRAPPER_HEADS: ReadonlySet<string> = new Set([
   'dash',
   'ksh',
   'ash',
-  '/bin/sh',
-  '/bin/bash',
-  '/bin/zsh',
-  '/bin/dash',
-  '/bin/ksh',
-  '/usr/bin/sh',
-  '/usr/bin/bash',
-  '/usr/bin/zsh',
-  '/usr/local/bin/bash',
-  '/opt/homebrew/bin/bash',
 ]);
 
 const extractShellWrappedCommands = (seg: Segment): string[] => {
@@ -931,7 +933,9 @@ const RTK_WRAPPER_SUBCOMMANDS: ReadonlySet<string> = new Set([
   'summary',
 ]);
 
-const isRtkHead = (head: string): boolean => head === 'rtk' || head.endsWith('/rtk');
+// Head normalisation in `parseSegment` strips directory prefixes, so only the
+// Bare basename is needed — the `endsWith` fallbacks are now unreachable.
+const isRtkHead = (head: string): boolean => head === 'rtk';
 
 const skipRtkGlobalFlags = (tokens: readonly string[]): number => {
   // Rtk's global options (`-v`/`-vv`/`--verbose`, `--ultra-compact`,

package/src/lib/grep-sanitize.ts

@@ -0,0 +1,254 @@
+interface Token {
+  readonly raw: string;
+  readonly value: string;
+  readonly start: number;
+  readonly end: number;
+}
+
+interface SegmentPart {
+  readonly kind: 'segment';
+  readonly text: string;
+}
+
+interface SeparatorPart {
+  readonly kind: 'separator';
+  readonly text: string;
+}
+
+type Part = SegmentPart | SeparatorPart;
+
+const GREP_HEADS: ReadonlySet<string> = new Set(['grep', 'rg', 'egrep', 'fgrep']);
+const COLLISION_SHORT: ReadonlySet<string> = new Set(['r', 'R', 'E']);
+const COLLISION_LONG: ReadonlySet<string> = new Set([
+  '--recursive',
+  '--dereference-recursive',
+  '--extended-regexp',
+]);
+const VALUE_SHORT: ReadonlySet<string> = new Set(['A', 'B', 'C', 'm', 'd', 'D', 'e', 'f']);
+
+const basename = (head: string): string => {
+  const slashIdx = head.lastIndexOf('/');
+  return slashIdx === -1 ? head : head.slice(slashIdx + 1);
+};
+
+const splitShellSegments = (command: string): Part[] => {
+  const parts: Part[] = [];
+  let quote: "'" | '"' | null = null;
+  let segmentStart = 0;
+  let i = 0;
+
+  while (i < command.length) {
+    const ch = command[i]!;
+    if (ch === '\\') {
+      i += 2;
+      continue;
+    }
+    if (quote === "'") {
+      if (ch === "'") {
+        quote = null;
+      }
+      i++;
+      continue;
+    }
+    if (quote === '"') {
+      if (ch === '"') {
+        quote = null;
+      }
+      i++;
+      continue;
+    }
+    if (ch === "'" || ch === '"') {
+      quote = ch;
+      i++;
+      continue;
+    }
+
+    const two = command.slice(i, i + 2);
+    const op = two === '&&' || two === '||' || two === '|&' ? two : ch;
+    if (op === ';' || op === '&' || op === '|' || op === '&&' || op === '||' || op === '|&') {
+      if (i > segmentStart) {
+        parts.push({ kind: 'segment', text: command.slice(segmentStart, i) });
+      }
+      parts.push({ kind: 'separator', text: op });
+      i += op.length;
+      segmentStart = i;
+      continue;
+    }
+    i++;
+  }
+
+  if (segmentStart < command.length) {
+    parts.push({ kind: 'segment', text: command.slice(segmentStart) });
+  }
+  return parts;
+};
+
+const tokenizeSegment = (segment: string): Token[] => {
+  const tokens: Token[] = [];
+  let quote: "'" | '"' | null = null;
+  let raw = '';
+  let value = '';
+  let start = 0;
+
+  const flush = (end: number): void => {
+    if (raw.length === 0) {
+      return;
+    }
+    tokens.push({ raw, value, start, end });
+    raw = '';
+    value = '';
+  };
+
+  for (let i = 0; i < segment.length; i++) {
+    const ch = segment[i]!;
+    if (raw.length === 0 && !/\s/u.test(ch)) {
+      start = i;
+    }
+    if (ch === '\\') {
+      raw += ch;
+      const next = segment[i + 1];
+      if (next !== undefined) {
+        raw += next;
+        value += next;
+        i++;
+      }
+      continue;
+    }
+    if (quote === "'") {
+      raw += ch;
+      if (ch === "'") {
+        quote = null;
+      } else {
+        value += ch;
+      }
+      continue;
+    }
+    if (quote === '"') {
+      raw += ch;
+      if (ch === '"') {
+        quote = null;
+      } else {
+        value += ch;
+      }
+      continue;
+    }
+    if (ch === "'" || ch === '"') {
+      raw += ch;
+      quote = ch;
+      continue;
+    }
+    if (/\s/u.test(ch)) {
+      flush(i);
+      continue;
+    }
+    raw += ch;
+    value += ch;
+  }
+  flush(segment.length);
+  return tokens;
+};
+
+const sanitizeShortFlag = (flag: string): string | null => {
+  let out = '-';
+  for (let i = 1; i < flag.length; i++) {
+    const letter = flag[i]!;
+    if (VALUE_SHORT.has(letter)) {
+      out += flag.slice(i);
+      return out.length === 1 ? null : out;
+    }
+    if (!COLLISION_SHORT.has(letter)) {
+      out += letter;
+    }
+  }
+  return out.length === 1 ? null : out;
+};
+
+const sanitizedTokenValues = (tokens: readonly Token[]): ReadonlyMap<Token, string | null> => {
+  const changed = new Map<Token, string | null>();
+  let optionsEnded = false;
+  let skipValueFor: string | null = null;
+
+  for (const token of tokens) {
+    if (skipValueFor !== null) {
+      skipValueFor = null;
+      continue;
+    }
+    if (optionsEnded) {
+      continue;
+    }
+    if (token.value === '--') {
+      optionsEnded = true;
+      continue;
+    }
+    if (COLLISION_LONG.has(token.value)) {
+      changed.set(token, null);
+      continue;
+    }
+    if (token.value.startsWith('--')) {
+      continue;
+    }
+    if (token.value.startsWith('-') && token.value !== '-') {
+      const clean = sanitizeShortFlag(token.value);
+      if (clean !== token.value) {
+        changed.set(token, clean);
+      }
+      if (clean?.length === 2 && VALUE_SHORT.has(clean.at(-1)!)) {
+        skipValueFor = clean.at(-1)!;
+      }
+    }
+  }
+  return changed;
+};
+
+const applyTokenChanges = (
+  body: string,
+  tokens: readonly Token[],
+  changes: ReadonlyMap<Token, string | null>,
+): string => {
+  let out = '';
+  let cursor = 0;
+
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i]!;
+    if (!changes.has(token)) {
+      out += body.slice(cursor, token.end);
+      cursor = token.end;
+      continue;
+    }
+    const replacement = changes.get(token) ?? null;
+    out += body.slice(cursor, token.start);
+    if (replacement === null) {
+      cursor = token.end;
+      const next = tokens[i + 1];
+      if (next === undefined) {
+        out = out.trimEnd();
+      } else if (/\s$/u.test(out)) {
+        cursor = next.start;
+      }
+      continue;
+    }
+    out += replacement;
+    cursor = token.end;
+  }
+
+  return out + body.slice(cursor);
+};
+
+const sanitizeSegment = (segment: string): string => {
+  const leading = /^\s*/u.exec(segment)?.[0] ?? '';
+  const trailing = /\s*$/u.exec(segment)?.[0] ?? '';
+  const body = segment.slice(leading.length, segment.length - trailing.length);
+  const tokens = tokenizeSegment(body);
+  const head = tokens[0];
+  if (head === undefined || !GREP_HEADS.has(basename(head.value))) {
+    return segment;
+  }
+  return `${leading}${applyTokenChanges(body, tokens, sanitizedTokenValues(tokens))}${trailing}`;
+};
+
+const sanitizeGrepFlags = (command: string): string =>
+  splitShellSegments(command)
+    .map((part) => (part.kind === 'segment' ? sanitizeSegment(part.text) : part.text))
+    .join('');
+
+export { sanitizeGrepFlags };

package/src/lib/rtk.ts

@@ -6,6 +6,7 @@
 import { spawnSync } from 'node:child_process';
 
 import type { RtkConfig } from './config';
+import { sanitizeGrepFlags } from './grep-sanitize';
 
 interface RtkOutput {
   readonly updatedCommand?: string;
@@ -50,6 +51,21 @@ const findRtkBin = (config: RtkConfig): string | null => {
   return null;
 };
 
+const sanitizeRtkEvent = (event: unknown): unknown => {
+  if (typeof event !== 'object' || event === null) {
+    return event;
+  }
+  const toolInput = (event as { readonly tool_input?: unknown }).tool_input;
+  if (typeof toolInput !== 'object' || toolInput === null) {
+    return event;
+  }
+  const command = (toolInput as { readonly command?: unknown }).command;
+  if (typeof command !== 'string') {
+    return event;
+  }
+  return { ...event, tool_input: { ...toolInput, command: sanitizeGrepFlags(command) } };
+};
+
 const runRtkRewrite = (event: unknown, config: RtkConfig, timeoutMs = 2000): RtkOutput => {
   // If rtk is disabled, skip it
   if (!config.enabled) {
@@ -62,7 +78,7 @@ const runRtkRewrite = (event: unknown, config: RtkConfig, timeoutMs = 2000): Rtk
     return {};
   }
 
-  const payload = JSON.stringify(event);
+  const payload = JSON.stringify(sanitizeRtkEvent(event));
   const result = spawnSync(rtkBin, ['hook', 'claude'], {
     input: payload,
     encoding: 'utf8',