@seanmozeik/tripwire 0.6.1 → 0.6.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {

package/src/dispatch.ts

@@ -3,8 +3,7 @@
 //
 // Reads a hook event JSON payload on stdin, routes by hook_event_name +
 // Tool_name, runs rules with per-rule timeouts, merges decisions
-// (most-restrictive wins), wraps allowed Bash commands through rtk for
-// Token-saver rewriting, scans PostToolUse output for secrets via
+// (most-restrictive wins), scans PostToolUse output for secrets via
 // Betterleaks, and writes Claude Code's expected JSON response on stdout.
 //
 // Design rules:
@@ -34,7 +33,6 @@ import {
   isWriteInput,
 } from './lib/event.ts';
 import { logError } from './lib/log';
-import { runRtkRewrite } from './lib/rtk';
 import { bashDeny } from './rules/bash-deny';
 import { bashGit } from './rules/bash-git';
 import { bashNetworkInstall } from './rules/bash-network-install';
@@ -61,50 +59,26 @@ const writeAllow = (): void => {
 };
 
 // Codex's PreToolUse hook rejects `hookSpecificOutput.additionalContext`
-// (openai/codex issue #19385) and `updatedInput` (#18491). Detect Codex
-// Via its `turn_id` extension and downgrade output accordingly. Claude
-// Code accepts both, so we only narrow when we can confirm we're on Codex.
+// (openai/codex issue #19385). Detect Codex via its `turn_id` extension
+// And downgrade output accordingly. Claude Code accepts it, so we only
+// Narrow when we can confirm we're on Codex.
 const isCodex = (event: HookEvent): boolean => event.turn_id !== undefined;
 
-const writeRewriteAllow = (event: HookEvent, command: string, _reason?: string): void => {
-  // Codex's PreToolUse parser strict-rejects `updatedInput` (openai/codex
-  // #18491 — parsed but unimplemented as of codex-cli 0.12x). On Codex we
-  // Can't transparently rewrite, so pass the original command through
-  // Silently. Until #18491 lands, RTK savings are Claude-only.
-  if (isCodex(event)) {
-    writeAllow();
-    return;
-  }
-  // Claude Code: rewrite silently. We deliberately omit
-  // `permissionDecisionReason` so the model's context isn't polluted with
-  // "rtk rewrote your command" chatter every Bash call.
-  const out = {
-    continue: true,
-    hookSpecificOutput: { hookEventName: event.hook_event_name, updatedInput: { command } },
-  };
-  process.stdout.write(`${JSON.stringify(out)}\n`);
-};
-
 interface WarnOutput {
   hookEventName: string;
   additionalContext?: string;
-  updatedInput?: { command: string };
 }
 
 const writeWarn = (event: HookEvent, decision: Decision): void => {
   const eventName = event.hook_event_name;
   const reason = `[tripwire:${decision.rule}] ${decision.message}`;
   if (isCodex(event)) {
-    // Codex rejects both `additionalContext` and `updatedInput` on
-    // PreToolUse. Send only `systemMessage`; the rewrite (if any) is
-    // Dropped and the original command runs.
+    // Codex rejects `additionalContext` on PreToolUse. Send only
+    // `systemMessage`.
     process.stdout.write(`${JSON.stringify({ continue: true, systemMessage: reason })}\n`);
     return;
   }
   const hookSpecificOutput: WarnOutput = { hookEventName: eventName, additionalContext: reason };
-  if (decision.rewriteCommand !== undefined) {
-    hookSpecificOutput.updatedInput = { command: decision.rewriteCommand };
-  }
   process.stdout.write(`${JSON.stringify({ continue: true, hookSpecificOutput })}\n`);
 };
 
@@ -259,26 +233,11 @@ const decide = (event: HookEvent, config: Config = getDefaultConfig()): Decision
   return allow('no-rules');
 };
 
-const handleBashAllow = (event: HookEvent, decision: Decision, config: Config): void => {
-  // After the gate passes (allow or warn), apply rtk command-rewrite. If
-  // Rtk doesn't change the command, fall through to normal allow / warn.
-  const rtk = runRtkRewrite(event, config.rtk ?? { enabled: false });
-  const original = (event.tool_input as { command?: string } | undefined)?.command ?? '';
-  const rewritten =
-    rtk.updatedCommand !== undefined && rtk.updatedCommand !== original ? rtk.updatedCommand : null;
-
+const handleBashAllow = (event: HookEvent, decision: Decision, _config: Config): void => {
   if (decision.kind === 'warn') {
-    if (rewritten !== null) {
-      writeWarn(event, { ...decision, rewriteCommand: rewritten });
-      return;
-    }
     writeWarn(event, decision);
     return;
   }
-  if (rewritten !== null) {
-    writeRewriteAllow(event, rewritten, rtk.reason);
-    return;
-  }
   writeAllow();
 };
 

package/src/lib/bash.ts

@@ -14,7 +14,7 @@
 //     Token (`__tripwire_cmd_sub__`) so safe-path checks fail safely.
 //   - Glob expansion is not performed.
 
-import { parse, type ParseEntry } from 'shell-quote';
+import { parse, quote, type ParseEntry } from 'shell-quote';
 
 interface Segment {
   readonly head: string; // First non-flag token, e.g. `rm`, `npm`
@@ -667,7 +667,7 @@ const extractExecCommands = (seg: Segment): string[] => {
       continue;
     }
     const root = spec.pickRoot(tokens, i);
-    out.push(substitutePlaceholders(inner, spec, root).join(' '));
+    out.push(quote(substitutePlaceholders(inner, spec, root)));
     i = j;
   }
   return out;
@@ -894,7 +894,7 @@ const extractHeadRenamingCommands = (seg: Segment): string[] => {
     }
   }
   const start = skipHeadRenamingPrefix(seg.tokens);
-  const inner = seg.tokens.slice(start).join(' ');
+  const inner = quote(seg.tokens.slice(start));
   return inner === '' ? [] : [inner];
 };
 
@@ -904,7 +904,10 @@ const extractEvalCommands = (seg: Segment): string[] => {
   if (!EVAL_HEADS.has(seg.head)) {
     return [];
   }
-  const sub = seg.tokens.slice(1).join(' ');
+  if (seg.tokens.length === 2) {
+    return [seg.tokens[1]!];
+  }
+  const sub = quote(seg.tokens.slice(1));
   return sub === '' ? [] : [sub];
 };
 
@@ -995,11 +998,11 @@ const extractRtkCommands = (seg: Segment): string[] => {
       }
       break;
     }
-    const inner = seg.tokens.slice(j).join(' ');
+    const inner = quote(seg.tokens.slice(j));
     return inner === '' ? [] : [inner];
   }
   // Tool-proxy subcommand: the subcommand token is the real binary name.
-  const inner = seg.tokens.slice(subIdx).join(' ');
+  const inner = quote(seg.tokens.slice(subIdx));
   return inner === '' ? [] : [inner];
 };
 
@@ -1074,7 +1077,7 @@ const extractPrefixWrapperCommands = (seg: Segment): string[] => {
     break;
   }
   i += spec.skipPositionals;
-  const inner = seg.tokens.slice(i).join(' ');
+  const inner = quote(seg.tokens.slice(i));
   return inner === '' ? [] : [inner];
 };
 
@@ -1090,9 +1093,41 @@ const SEGMENT_EXTRACTORS: readonly ((seg: Segment) => string[])[] = [
   extractPrefixWrapperCommands,
 ];
 
+const normalizeTopLevelNewlines = (cmd: string): string => {
+  let out = '';
+  let inSingle = false;
+  let inDouble = false;
+  let escaped = false;
+
+  for (const ch of cmd) {
+    if (escaped) {
+      out += ch;
+      escaped = false;
+      continue;
+    }
+    if (ch === '\\') {
+      out += ch;
+      escaped = true;
+      continue;
+    }
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      out += ch;
+      continue;
+    }
+    if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      out += ch;
+      continue;
+    }
+    out += ch === '\n' && !inSingle && !inDouble ? ' ; ' : ch;
+  }
+  return out;
+};
+
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
-  const cmdForParsing = maskLiteralHeredocBodies(cmd);
+  const cmdForParsing = normalizeTopLevelNewlines(maskLiteralHeredocBodies(cmd));
   try {
     entries = parse(cmdForParsing, PRESERVE_ENV);
   } catch {
@@ -1214,7 +1249,7 @@ const safeScopesSummary = (
       '.bundle',
       '.cargo-target',
     ],
-    'tmp / state': ['tmp', '.tmp', '.state', '/tmp', '/var/tmp', '/var/folders'],
+    'tmp / state': ['tmp', '.tmp', '.state', ...SAFE_ABSOLUTE],
     iac: ['.terraform'],
     'bundler dev': ['.yarn/cache', '.yarn/install-state.gz', '.pnpm-store', '.bun'],
   };

package/src/lib/config.ts

@@ -17,11 +17,6 @@ const BlockRuleSchema = Schema.Struct({
   ),
 });
 
-const RtkConfigSchema = Schema.Struct({
-  enabled: Schema.optional(Schema.Boolean),
-  path: Schema.optional(Schema.String),
-});
-
 const GitConfigSchema = Schema.Struct({
   protectedBranches: Schema.optional(Schema.Array(Schema.String)),
   enforceConventionalCommits: Schema.optional(Schema.Boolean),
@@ -33,7 +28,6 @@ const SafePathsConfigSchema = Schema.Struct({
 });
 
 const ConfigSchema = Schema.Struct({
-  rtk: Schema.optional(RtkConfigSchema),
   git: Schema.optional(GitConfigSchema),
   safePaths: Schema.optional(SafePathsConfigSchema),
   blockedCommands: Schema.optional(Schema.Array(BlockRuleSchema)),
@@ -62,7 +56,6 @@ const decodeConfig = (unknown: unknown): Effect.Effect<Config, Error> =>
   Schema.decodeUnknownEffect(ConfigSchema)(unknown);
 
 const getDefaultConfig = (): Config => ({
-  rtk: { enabled: false },
   git: {
     protectedBranches: ['main', 'master', 'develop', 'production', 'release'],
     enforceConventionalCommits: true,
@@ -73,7 +66,6 @@ const getDefaultConfig = (): Config => ({
 });
 
 const mergeWithDefaults = (partial: Config): Config => ({
-  rtk: partial.rtk ?? getDefaultConfig().rtk,
   git: partial.git ?? getDefaultConfig().git,
   safePaths: partial.safePaths ?? getDefaultConfig().safePaths,
   blockedCommands: partial.blockedCommands ?? getDefaultConfig().blockedCommands,
@@ -102,7 +94,6 @@ export const loadConfig = (): Effect.Effect<Config> =>
   );
 
 export type BlockRule = typeof BlockRuleSchema.Type;
-export type RtkConfig = typeof RtkConfigSchema.Type;
 export type GitConfig = typeof GitConfigSchema.Type;
 export type SafePathsConfig = typeof SafePathsConfigSchema.Type;
 export type Config = typeof ConfigSchema.Type;

package/src/lib/decision.ts

@@ -6,16 +6,12 @@
 //   Deny  — block the tool call (PreToolUse) or refuse to surface its
 //           Output to the model (PostToolUse)
 //
-// Rewrites are a separate axis: a rule may attach a rewriteCommand even on
-// `allow` or `warn` to substitute a different command before execution.
-
 type DecisionKind = 'allow' | 'warn' | 'ask' | 'deny';
 
 interface Decision {
   readonly kind: DecisionKind;
   readonly rule: string;
   readonly message: string;
-  readonly rewriteCommand?: string;
 }
 
 const order: Record<DecisionKind, number> = { allow: 0, warn: 1, ask: 2, deny: 3 };
@@ -25,22 +21,13 @@ const warn = (rule: string, message: string): Decision => ({ kind: 'warn', rule,
 const ask = (rule: string, message: string): Decision => ({ kind: 'ask', rule, message });
 const deny = (rule: string, message: string): Decision => ({ kind: 'deny', rule, message });
 
-// Merge picks the most restrictive kind. Rewrite commands are preserved
-// From the most restrictive decision that carries one, falling back to the
-// First non-empty rewrite if no restrictive rule has one.
+// Merge picks the most restrictive kind.
 const merge = (decisions: readonly Decision[]): Decision => {
   let best: Decision = allow('none');
-  let rewriteCommand: string | undefined;
   for (const d of decisions) {
     if (order[d.kind] > order[best.kind]) {
       best = d;
     }
-    if (rewriteCommand === undefined && d.rewriteCommand !== undefined) {
-      rewriteCommand = d.rewriteCommand;
-    }
-  }
-  if (rewriteCommand !== undefined && best.rewriteCommand === undefined) {
-    return { ...best, rewriteCommand };
   }
   return best;
 };

package/src/lib/rtk.ts

@@ -1,96 +0,0 @@
-// Wrap the `rtk hook claude` subprocess. After tripwire's gate passes on a
-// Bash tool call, we hand the original event to rtk to apply its
-// Command-rewrite logic (token-saver). If rtk returns an updatedInput, we
-// Merge that into our hook response.
-
-import { spawnSync } from 'node:child_process';
-
-import type { RtkConfig } from './config';
-
-interface RtkOutput {
-  readonly updatedCommand?: string;
-  readonly reason?: string;
-}
-
-const findRtkBin = (config: RtkConfig): string | null => {
-  // If config specifies a path, try it first
-  if (config.path !== undefined) {
-    return config.path;
-  }
-
-  // Try common locations
-  const home = process.env['HOME'] ?? '';
-  const commonPaths = ['/opt/homebrew/bin/rtk', '/usr/local/bin/rtk', `${home}/.local/bin/rtk`];
-
-  for (const path of commonPaths) {
-    try {
-      spawnSync('test', ['-x', path], { stdio: 'ignore' });
-      return path;
-    } catch {
-      continue;
-    }
-  }
-
-  // Try searching PATH
-  try {
-    const whichResult = spawnSync('which', ['rtk'], { stdio: 'pipe' });
-    if (whichResult.status === 0) {
-      const stdout = whichResult.stdout as string | Buffer | null;
-      if (stdout !== null) {
-        const path = String(stdout).trim();
-        if (path.length > 0) {
-          return path;
-        }
-      }
-    }
-  } catch {
-    // Ignore errors
-  }
-
-  return null;
-};
-
-const runRtkRewrite = (event: unknown, config: RtkConfig, timeoutMs = 2000): RtkOutput => {
-  // If rtk is disabled, skip it
-  if (!config.enabled) {
-    return {};
-  }
-
-  const rtkBin = findRtkBin(config);
-  if (rtkBin === null) {
-    // Rtk not found, silently continue
-    return {};
-  }
-
-  const payload = JSON.stringify(event);
-  const result = spawnSync(rtkBin, ['hook', 'claude'], {
-    input: payload,
-    encoding: 'utf8',
-    timeout: timeoutMs,
-    maxBuffer: 1024 * 1024,
-  });
-  if (result.error !== undefined || typeof result.stdout !== 'string') {
-    return {};
-  }
-  try {
-    const parsed = JSON.parse(result.stdout) as {
-      hookSpecificOutput?: {
-        permissionDecisionReason?: string;
-        updatedInput?: { command?: string };
-      };
-    };
-    const cmd = parsed.hookSpecificOutput?.updatedInput?.command;
-    const reason = parsed.hookSpecificOutput?.permissionDecisionReason;
-    if (typeof cmd !== 'string') {
-      return {};
-    }
-    if (typeof reason === 'string') {
-      return { updatedCommand: cmd, reason };
-    }
-    return { updatedCommand: cmd };
-  } catch {
-    return {};
-  }
-};
-
-export { runRtkRewrite };