@seanmozeik/tripwire 0.6.2 → 0.6.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {

package/src/dispatch.ts

@@ -3,8 +3,7 @@
 //
 // Reads a hook event JSON payload on stdin, routes by hook_event_name +
 // Tool_name, runs rules with per-rule timeouts, merges decisions
-// (most-restrictive wins), wraps allowed Bash commands through rtk for
-// Token-saver rewriting, scans PostToolUse output for secrets via
+// (most-restrictive wins), scans PostToolUse output for secrets via
 // Betterleaks, and writes Claude Code's expected JSON response on stdout.
 //
 // Design rules:
@@ -19,8 +18,14 @@ import { BunRuntime } from '@effect/platform-bun';
 import { Cause, Effect, Exit, Schema } from 'effect';
 
 import { parseCommand } from './lib/bash';
-import { getDefaultConfig, loadConfig, mergeWithDefaults, type Config } from './lib/config';
-import { type Decision, allow, merge } from './lib/decision';
+import {
+  CONFIG_PATH,
+  getDefaultConfig,
+  loadConfigResult,
+  mergeWithDefaults,
+  type Config,
+} from './lib/config';
+import { type Decision, allow, deny, merge } from './lib/decision';
 import {
   type BashInput,
   type EditInput,
@@ -34,7 +39,6 @@ import {
   isWriteInput,
 } from './lib/event.ts';
 import { logError } from './lib/log';
-import { runRtkRewrite } from './lib/rtk';
 import { bashDeny } from './rules/bash-deny';
 import { bashGit } from './rules/bash-git';
 import { bashNetworkInstall } from './rules/bash-network-install';
@@ -61,50 +65,26 @@ const writeAllow = (): void => {
 };
 
 // Codex's PreToolUse hook rejects `hookSpecificOutput.additionalContext`
-// (openai/codex issue #19385) and `updatedInput` (#18491). Detect Codex
-// Via its `turn_id` extension and downgrade output accordingly. Claude
-// Code accepts both, so we only narrow when we can confirm we're on Codex.
+// (openai/codex issue #19385). Detect Codex via its `turn_id` extension
+// And downgrade output accordingly. Claude Code accepts it, so we only
+// Narrow when we can confirm we're on Codex.
 const isCodex = (event: HookEvent): boolean => event.turn_id !== undefined;
 
-const writeRewriteAllow = (event: HookEvent, command: string, _reason?: string): void => {
-  // Codex's PreToolUse parser strict-rejects `updatedInput` (openai/codex
-  // #18491 — parsed but unimplemented as of codex-cli 0.12x). On Codex we
-  // Can't transparently rewrite, so pass the original command through
-  // Silently. Until #18491 lands, RTK savings are Claude-only.
-  if (isCodex(event)) {
-    writeAllow();
-    return;
-  }
-  // Claude Code: rewrite silently. We deliberately omit
-  // `permissionDecisionReason` so the model's context isn't polluted with
-  // "rtk rewrote your command" chatter every Bash call.
-  const out = {
-    continue: true,
-    hookSpecificOutput: { hookEventName: event.hook_event_name, updatedInput: { command } },
-  };
-  process.stdout.write(`${JSON.stringify(out)}\n`);
-};
-
 interface WarnOutput {
   hookEventName: string;
   additionalContext?: string;
-  updatedInput?: { command: string };
 }
 
 const writeWarn = (event: HookEvent, decision: Decision): void => {
   const eventName = event.hook_event_name;
   const reason = `[tripwire:${decision.rule}] ${decision.message}`;
   if (isCodex(event)) {
-    // Codex rejects both `additionalContext` and `updatedInput` on
-    // PreToolUse. Send only `systemMessage`; the rewrite (if any) is
-    // Dropped and the original command runs.
+    // Codex rejects `additionalContext` on PreToolUse. Send only
+    // `systemMessage`.
     process.stdout.write(`${JSON.stringify({ continue: true, systemMessage: reason })}\n`);
     return;
   }
   const hookSpecificOutput: WarnOutput = { hookEventName: eventName, additionalContext: reason };
-  if (decision.rewriteCommand !== undefined) {
-    hookSpecificOutput.updatedInput = { command: decision.rewriteCommand };
-  }
   process.stdout.write(`${JSON.stringify({ continue: true, hookSpecificOutput })}\n`);
 };
 
@@ -259,26 +239,11 @@ const decide = (event: HookEvent, config: Config = getDefaultConfig()): Decision
   return allow('no-rules');
 };
 
-const handleBashAllow = (event: HookEvent, decision: Decision, config: Config): void => {
-  // After the gate passes (allow or warn), apply rtk command-rewrite. If
-  // Rtk doesn't change the command, fall through to normal allow / warn.
-  const rtk = runRtkRewrite(event, config.rtk ?? { enabled: false });
-  const original = (event.tool_input as { command?: string } | undefined)?.command ?? '';
-  const rewritten =
-    rtk.updatedCommand !== undefined && rtk.updatedCommand !== original ? rtk.updatedCommand : null;
-
+const handleBashAllow = (event: HookEvent, decision: Decision, _config: Config): void => {
   if (decision.kind === 'warn') {
-    if (rewritten !== null) {
-      writeWarn(event, { ...decision, rewriteCommand: rewritten });
-      return;
-    }
     writeWarn(event, decision);
     return;
   }
-  if (rewritten !== null) {
-    writeRewriteAllow(event, rewritten, rtk.reason);
-    return;
-  }
   writeAllow();
 };
 
@@ -296,8 +261,17 @@ const handleAllow = (event: HookEvent, decision: Decision, config: Config): void
   writeAllow();
 };
 
+// A broken config (bad JSON / unknown field / decode failure) silently dropping
+// All custom policy is the dangerous case this guards. Fail closed: deny the
+// Pending PreToolUse call with the decode error inline so the agent halts and
+// The user sees it, rather than running on bare defaults unannounced.
+const configErrorMessage = (error: string): string =>
+  `tripwire config at ${CONFIG_PATH} failed to load, so ALL custom safety policy is ` +
+  `inactive. Failing closed until it is fixed. Fix the JSON, then this clears on the next ` +
+  `call (the shim daemon caches config at warm — restart it there). Error: ${error}`;
+
 const program = Effect.gen(function* () {
-  const config = yield* loadConfig();
+  const configLoad = yield* loadConfigResult();
   const raw = yield* Effect.promise(readStdin);
 
   const parseExit = yield* Effect.exit(
@@ -319,6 +293,22 @@ const program = Effect.gen(function* () {
   }
   const event = decodeExit.value;
 
+  if (!configLoad.ok) {
+    if (event.hook_event_name === 'PreToolUse') {
+      writePreToolGate(
+        event.hook_event_name,
+        deny('config-error', configErrorMessage(configLoad.error)),
+      );
+      return;
+    }
+    // Config governs PreToolUse gating; PostToolUse secret-scrub is config-
+    // Independent and there is always an imminent next PreToolUse to surface the
+    // Deny, so don't block already-run output here.
+    writeAllow();
+    return;
+  }
+  const config = configLoad.config;
+
   if (event.hook_event_name === 'PreToolUse') {
     const decision = decide(event, config);
     if (decision.kind === 'deny' || decision.kind === 'ask') {

package/src/index.ts

@@ -1,6 +1,6 @@
 export type { Decision } from './lib/decision.ts';
 export type { HookEvent } from './lib/event.ts';
-export type { Config } from './lib/config.ts';
+export type { Config, ConfigLoad } from './lib/config.ts';
 export { allow, deny, ask, warn } from './lib/decision.ts';
 export { decide } from './dispatch.ts';
-export { getDefaultConfig, loadConfig, mergeWithDefaults } from './lib/config.ts';
+export { getDefaultConfig, loadConfig, loadConfigResult, mergeWithDefaults } from './lib/config.ts';

package/src/lib/bash.ts

@@ -14,7 +14,7 @@
 //     Token (`__tripwire_cmd_sub__`) so safe-path checks fail safely.
 //   - Glob expansion is not performed.
 
-import { parse, type ParseEntry } from 'shell-quote';
+import { parse, quote, type ParseEntry } from 'shell-quote';
 
 interface Segment {
   readonly head: string; // First non-flag token, e.g. `rm`, `npm`
@@ -667,7 +667,7 @@ const extractExecCommands = (seg: Segment): string[] => {
       continue;
     }
     const root = spec.pickRoot(tokens, i);
-    out.push(substitutePlaceholders(inner, spec, root).join(' '));
+    out.push(quote(substitutePlaceholders(inner, spec, root)));
     i = j;
   }
   return out;
@@ -894,7 +894,7 @@ const extractHeadRenamingCommands = (seg: Segment): string[] => {
     }
   }
   const start = skipHeadRenamingPrefix(seg.tokens);
-  const inner = seg.tokens.slice(start).join(' ');
+  const inner = quote(seg.tokens.slice(start));
   return inner === '' ? [] : [inner];
 };
 
@@ -904,7 +904,10 @@ const extractEvalCommands = (seg: Segment): string[] => {
   if (!EVAL_HEADS.has(seg.head)) {
     return [];
   }
-  const sub = seg.tokens.slice(1).join(' ');
+  if (seg.tokens.length === 2) {
+    return [seg.tokens[1]!];
+  }
+  const sub = quote(seg.tokens.slice(1));
   return sub === '' ? [] : [sub];
 };
 
@@ -995,11 +998,11 @@ const extractRtkCommands = (seg: Segment): string[] => {
       }
       break;
     }
-    const inner = seg.tokens.slice(j).join(' ');
+    const inner = quote(seg.tokens.slice(j));
     return inner === '' ? [] : [inner];
   }
   // Tool-proxy subcommand: the subcommand token is the real binary name.
-  const inner = seg.tokens.slice(subIdx).join(' ');
+  const inner = quote(seg.tokens.slice(subIdx));
   return inner === '' ? [] : [inner];
 };
 
@@ -1074,7 +1077,7 @@ const extractPrefixWrapperCommands = (seg: Segment): string[] => {
     break;
   }
   i += spec.skipPositionals;
-  const inner = seg.tokens.slice(i).join(' ');
+  const inner = quote(seg.tokens.slice(i));
   return inner === '' ? [] : [inner];
 };
 
@@ -1090,9 +1093,41 @@ const SEGMENT_EXTRACTORS: readonly ((seg: Segment) => string[])[] = [
   extractPrefixWrapperCommands,
 ];
 
+const normalizeTopLevelNewlines = (cmd: string): string => {
+  let out = '';
+  let inSingle = false;
+  let inDouble = false;
+  let escaped = false;
+
+  for (const ch of cmd) {
+    if (escaped) {
+      out += ch;
+      escaped = false;
+      continue;
+    }
+    if (ch === '\\') {
+      out += ch;
+      escaped = true;
+      continue;
+    }
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      out += ch;
+      continue;
+    }
+    if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      out += ch;
+      continue;
+    }
+    out += ch === '\n' && !inSingle && !inDouble ? ' ; ' : ch;
+  }
+  return out;
+};
+
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
-  const cmdForParsing = maskLiteralHeredocBodies(cmd);
+  const cmdForParsing = normalizeTopLevelNewlines(maskLiteralHeredocBodies(cmd));
   try {
     entries = parse(cmdForParsing, PRESERVE_ENV);
   } catch {
@@ -1214,7 +1249,7 @@ const safeScopesSummary = (
       '.bundle',
       '.cargo-target',
     ],
-    'tmp / state': ['tmp', '.tmp', '.state', '/tmp', '/var/tmp', '/var/folders'],
+    'tmp / state': ['tmp', '.tmp', '.state', ...SAFE_ABSOLUTE],
     iac: ['.terraform'],
     'bundler dev': ['.yarn/cache', '.yarn/install-state.gz', '.pnpm-store', '.bun'],
   };

package/src/lib/config.ts

@@ -5,7 +5,7 @@
 import { accessSync, constants, readFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 
-import { Effect, Schema } from 'effect';
+import { Cause, Effect, Schema } from 'effect';
 
 const BlockRuleSchema = Schema.Struct({
   pattern: Schema.String,
@@ -17,11 +17,6 @@ const BlockRuleSchema = Schema.Struct({
   ),
 });
 
-const RtkConfigSchema = Schema.Struct({
-  enabled: Schema.optional(Schema.Boolean),
-  path: Schema.optional(Schema.String),
-});
-
 const GitConfigSchema = Schema.Struct({
   protectedBranches: Schema.optional(Schema.Array(Schema.String)),
   enforceConventionalCommits: Schema.optional(Schema.Boolean),
@@ -33,7 +28,6 @@ const SafePathsConfigSchema = Schema.Struct({
 });
 
 const ConfigSchema = Schema.Struct({
-  rtk: Schema.optional(RtkConfigSchema),
   git: Schema.optional(GitConfigSchema),
   safePaths: Schema.optional(SafePathsConfigSchema),
   blockedCommands: Schema.optional(Schema.Array(BlockRuleSchema)),
@@ -42,27 +36,30 @@ const ConfigSchema = Schema.Struct({
 
 const CONFIG_PATH = `${homedir()}/.config/tripwire/config.json`;
 
-const configExists = (): Effect.Effect<boolean> =>
+const configExists = (path: string): Effect.Effect<boolean> =>
   Effect.sync(() => {
     try {
-      accessSync(CONFIG_PATH, constants.R_OK);
+      accessSync(path, constants.R_OK);
       return true;
     } catch {
       return false;
     }
   });
 
-const readConfigFile = (): Effect.Effect<string, Error> =>
-  Effect.try({ try: () => readFileSync(CONFIG_PATH, 'utf8'), catch: (error) => error as Error });
+const readConfigFile = (path: string): Effect.Effect<string, Error> =>
+  Effect.try({ try: () => readFileSync(path, 'utf8'), catch: (error) => error as Error });
 
 const parseConfigJson = (raw: string): Effect.Effect<unknown, Error> =>
   Effect.try({ try: () => JSON.parse(raw) as unknown, catch: (error) => error as Error });
 
+// `onExcessProperty: 'error'` rejects unknown keys (the default 'ignore' would
+// Silently strip them — a typo'd `blockedComands` would vanish unnoticed, the
+// Same silent-policy-drop class this whole change exists to kill). A stray key
+// Now fails loud, e.g. the `rtk` block that triggered MTA-137.
 const decodeConfig = (unknown: unknown): Effect.Effect<Config, Error> =>
-  Schema.decodeUnknownEffect(ConfigSchema)(unknown);
+  Schema.decodeUnknownEffect(ConfigSchema)(unknown, { onExcessProperty: 'error' });
 
 const getDefaultConfig = (): Config => ({
-  rtk: { enabled: false },
   git: {
     protectedBranches: ['main', 'master', 'develop', 'production', 'release'],
     enforceConventionalCommits: true,
@@ -73,38 +70,58 @@ const getDefaultConfig = (): Config => ({
 });
 
 const mergeWithDefaults = (partial: Config): Config => ({
-  rtk: partial.rtk ?? getDefaultConfig().rtk,
   git: partial.git ?? getDefaultConfig().git,
   safePaths: partial.safePaths ?? getDefaultConfig().safePaths,
   blockedCommands: partial.blockedCommands ?? getDefaultConfig().blockedCommands,
   allowedCommands: partial.allowedCommands ?? getDefaultConfig().allowedCommands,
 });
 
-export const loadConfig = (): Effect.Effect<Config> =>
+// A present-but-broken config (bad JSON, schema decode failure, timeout) must
+// Never be papered over with defaults — that silently drops all custom safety
+// Policy. `loadConfigResult` reports the failure as data so callers can fail
+// Closed loudly (see `loadConfig` and the dispatcher). A *missing* file is the
+// One legitimate defaults case.
+type ConfigLoad =
+  | { readonly ok: true; readonly config: Config }
+  | { readonly ok: false; readonly error: string };
+
+export const loadConfigResult = (path: string = CONFIG_PATH): Effect.Effect<ConfigLoad> =>
   Effect.gen(function* () {
-    const exists = yield* configExists();
+    const exists = yield* configExists(path);
     if (!exists) {
-      return getDefaultConfig();
+      const result: ConfigLoad = { ok: true, config: getDefaultConfig() };
+      return result;
     }
 
-    const raw = yield* readConfigFile();
+    const raw = yield* readConfigFile(path);
     const parsed = yield* parseConfigJson(raw);
     const config = yield* decodeConfig(parsed);
-    return mergeWithDefaults(config);
+    const result: ConfigLoad = { ok: true, config: mergeWithDefaults(config) };
+    return result;
   }).pipe(
     Effect.timeout(1000),
-    // oxlint-disable-next-line promise/prefer-await-to-then
-    Effect.catch(() => {
-      // Log error but return defaults to never block the agent
-      console.error('[tripwire] Config loading failed, using defaults');
-      return Effect.succeed(getDefaultConfig());
+    Effect.catchCause((cause) => {
+      const result: ConfigLoad = { ok: false, error: Cause.pretty(cause) };
+      return Effect.succeed(result);
     }),
   );
 
+// Loud loader for library consumers (e.g. the shim daemon) that expect a
+// `Config`. A broken config dies rather than silently defaulting, so the
+// Consumer fails closed visibly until the file is fixed.
+export const loadConfig = (path: string = CONFIG_PATH): Effect.Effect<Config> =>
+  loadConfigResult(path).pipe(
+    Effect.flatMap((result) =>
+      result.ok
+        ? Effect.succeed(result.config)
+        : Effect.die(new Error(`[tripwire] config load failed (${path}): ${result.error}`)),
+    ),
+  );
+
 export type BlockRule = typeof BlockRuleSchema.Type;
-export type RtkConfig = typeof RtkConfigSchema.Type;
 export type GitConfig = typeof GitConfigSchema.Type;
 export type SafePathsConfig = typeof SafePathsConfigSchema.Type;
 export type Config = typeof ConfigSchema.Type;
 
+export type { ConfigLoad };
 export { CONFIG_PATH, ConfigSchema, getDefaultConfig, mergeWithDefaults };

package/src/lib/decision.ts

@@ -6,16 +6,12 @@
 //   Deny  — block the tool call (PreToolUse) or refuse to surface its
 //           Output to the model (PostToolUse)
 //
-// Rewrites are a separate axis: a rule may attach a rewriteCommand even on
-// `allow` or `warn` to substitute a different command before execution.
-
 type DecisionKind = 'allow' | 'warn' | 'ask' | 'deny';
 
 interface Decision {
   readonly kind: DecisionKind;
   readonly rule: string;
   readonly message: string;
-  readonly rewriteCommand?: string;
 }
 
 const order: Record<DecisionKind, number> = { allow: 0, warn: 1, ask: 2, deny: 3 };
@@ -25,22 +21,13 @@ const warn = (rule: string, message: string): Decision => ({ kind: 'warn', rule,
 const ask = (rule: string, message: string): Decision => ({ kind: 'ask', rule, message });
 const deny = (rule: string, message: string): Decision => ({ kind: 'deny', rule, message });
 
-// Merge picks the most restrictive kind. Rewrite commands are preserved
-// From the most restrictive decision that carries one, falling back to the
-// First non-empty rewrite if no restrictive rule has one.
+// Merge picks the most restrictive kind.
 const merge = (decisions: readonly Decision[]): Decision => {
   let best: Decision = allow('none');
-  let rewriteCommand: string | undefined;
   for (const d of decisions) {
     if (order[d.kind] > order[best.kind]) {
       best = d;
     }
-    if (rewriteCommand === undefined && d.rewriteCommand !== undefined) {
-      rewriteCommand = d.rewriteCommand;
-    }
-  }
-  if (rewriteCommand !== undefined && best.rewriteCommand === undefined) {
-    return { ...best, rewriteCommand };
   }
   return best;
 };