@staff0rd/assist 0.166.0 → 0.167.0

package/README.md

@@ -119,7 +119,7 @@ After installation, the `assist` command will be available globally. You can als
 - `assist devlog repos` - Show which github.com/staff0rd repos are missing devlog entries
 - `assist devlog skip <date>` - Add a date to the skip list
 - `assist devlog version` - Show current repo name and version info
-- `assist cli-hook` - PreToolUse hook for auto-approving read-only CLI commands (reads from `assist.cli-reads`, also auto-approves read-only `gh api` calls). Supports compound commands (`|`, `&&`, `||`, `;`) by checking each sub-command independently
+- `assist cli-hook` - PreToolUse hook for auto-approving CLI commands (reads from `allowed.cli-reads` and `allowed.cli-writes`, also auto-approves read-only `gh api` calls). Supports compound commands (`|`, `&&`, `||`, `;`) by checking each sub-command independently
 - `assist cli-hook add <cli>` - Discover a CLI's commands and auto-permit read-only ones
 - `assist cli-hook check <command> [--tool <tool>]` - Check whether a command would be auto-approved by `cli-hook` (tool defaults to `Bash`)
 - `assist cli-hook deny` - List all deny rules

package/{assist.cli-reads → allowed.cli-reads}

@@ -19,27 +19,18 @@ acli jira workitem link list
 acli jira workitem search
 acli jira workitem view
 acli jira workitem watcher list
-assist backlog add
-assist backlog comment
 assist backlog comments
-assist backlog done
 assist backlog list
-assist backlog phase-done
-assist backlog plan
 assist backlog show
-assist backlog start
 assist backlog view
 assist cli-hook
-assist commit
 assist complexity
 assist coverage
-assist devlog
 assist dotnet
 assist jira ac
 assist jira auth
 assist jira view
 assist news
-assist notify
 assist prs list-comments
 assist ravendb auth list
 assist ravendb collections
@@ -49,11 +40,7 @@ assist roam show-claude-code-icon
 assist screenshot
 assist seq auth list
 assist seq query
-assist signal next
 assist status-line
-assist sync
-assist transcript format
-assist transcript summarise
 assist verify
 assist voice
 az account list

package/allowed.cli-writes

@@ -0,0 +1,15 @@
+assist backlog add
+assist backlog comment
+assist backlog done
+assist backlog link
+assist backlog phase-done
+assist backlog plan
+assist backlog unlink
+assist backlog start
+assist commit
+assist devlog
+assist notify
+assist signal next
+assist sync
+assist transcript format
+assist transcript summarise

package/dist/index.js

@@ -6,7 +6,7 @@ import { Command } from "commander";
 // package.json
 var package_default = {
   name: "@staff0rd/assist",
-  version: "0.166.0",
+  version: "0.167.0",
   type: "module",
   main: "dist/index.js",
   bin: {
@@ -17,7 +17,8 @@ var package_default = {
   files: [
     "dist",
     "claude",
-    "assist.cli-reads"
+    "allowed.cli-reads",
+    "allowed.cli-writes"
   ],
   publishConfig: {
     access: "public"
@@ -3721,32 +3722,41 @@ import { dirname as dirname14, resolve as resolve2 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 var __filename2 = fileURLToPath4(import.meta.url);
 var __dirname4 = dirname14(__filename2);
-function getCliReadsPath() {
-  return resolve2(__dirname4, "..", "assist.cli-reads");
+function packageRoot() {
+  return resolve2(__dirname4, "..");
 }
-var cachedLines;
+function readLines(path50) {
+  if (!existsSync21(path50)) return [];
+  return readFileSync16(path50, "utf-8").split("\n").filter((line) => line.trim() !== "");
+}
+var cachedReads;
+var cachedWrites;
 function getCliReadsLines() {
-  if (cachedLines) return cachedLines;
-  const path50 = getCliReadsPath();
-  if (!existsSync21(path50)) {
-    cachedLines = [];
-    return cachedLines;
+  if (!cachedReads) {
+    cachedReads = readLines(resolve2(packageRoot(), "allowed.cli-reads"));
+  }
+  return cachedReads;
+}
+function getCliWritesLines() {
+  if (!cachedWrites) {
+    cachedWrites = readLines(resolve2(packageRoot(), "allowed.cli-writes"));
   }
-  cachedLines = readFileSync16(path50, "utf-8").split("\n").filter((line) => line.trim() !== "");
-  return cachedLines;
+  return cachedWrites;
 }
 function loadCliReads() {
   return getCliReadsLines();
 }
 function saveCliReads(commands) {
-  writeFileSync15(getCliReadsPath(), `${commands.join("\n")}
-`);
-  cachedLines = void 0;
+  writeFileSync15(
+    resolve2(packageRoot(), "allowed.cli-reads"),
+    `${commands.join("\n")}
+`
+  );
+  cachedReads = void 0;
 }
-function findCliRead(command) {
+function findMatch(command, lines) {
   const words = command.split(/\s+/);
   if (words.length === 0) return void 0;
-  const lines = getCliReadsLines();
   if (lines.includes(words[0])) return words[0];
   if (words.length < 2) return void 0;
   const prefix2 = `${words[0]} ${words[1]}`;
@@ -3755,6 +3765,12 @@ function findCliRead(command) {
   );
   return candidates.sort((a, b) => b.length - a.length).find((rc) => command === rc || command.startsWith(`${rc} `));
 }
+function findCliRead(command) {
+  return findMatch(command, getCliReadsLines());
+}
+function findCliWrite(command) {
+  return findMatch(command, getCliWritesLines());
+}
 
 // src/shared/readSettingsPerms.ts
 import { existsSync as existsSync22, readFileSync as readFileSync17 } from "fs";
@@ -3788,6 +3804,7 @@ var allowCache;
 var denyCache;
 var TOOL_RE = /^(Bash|PowerShell)\((.+?)(:.*)?\)$/;
 var SHELL_TOOLS = ["Bash", "PowerShell"];
+var DOTSLASH_RE = /^\.[\\/]/;
 function loadPerms(key) {
   return parsePerms(readSettingsPerms(key));
 }
@@ -3797,18 +3814,22 @@ function shellEntries(map, toolName) {
   }
   return map.get(toolName) ?? [];
 }
-function findMatch(entries, command) {
+function normCmd(cmd) {
+  return cmd.replace(DOTSLASH_RE, "");
+}
+function findMatch2(entries, command) {
+  const norm = normCmd(command);
   return entries.find(
-    (e) => e.wildcard ? command === e.command || command.startsWith(`${e.command} `) : command === e.command
+    (e) => e.wildcard ? norm === e.command || norm.startsWith(`${e.command} `) : norm === e.command
   )?.command;
 }
 function matchesAllow(toolName, command) {
   if (!allowCache) allowCache = loadPerms("allow");
-  return findMatch(shellEntries(allowCache, toolName), command);
+  return findMatch2(shellEntries(allowCache, toolName), command);
 }
 function matchesDeny(toolName, command) {
   if (!denyCache) denyCache = loadPerms("deny");
-  return findMatch(shellEntries(denyCache, toolName), command);
+  return findMatch2(shellEntries(denyCache, toolName), command);
 }
 function parsePerms(entries) {
   const map = /* @__PURE__ */ new Map();
@@ -3816,7 +3837,7 @@ function parsePerms(entries) {
     const m = entry.match(TOOL_RE);
     if (m) {
       const tool = m[1];
-      const command = m[2];
+      const command = normCmd(m[2]);
       const wildcard = m[3] !== void 0;
       const list4 = map.get(tool) ?? [];
       list4.push({ command, wildcard });
@@ -3829,8 +3850,10 @@ function parsePerms(entries) {
 // src/shared/isApprovedRead.ts
 function isApprovedRead(command, toolName = "Bash") {
   if (isCdToCwd(command)) return "cd to current directory";
-  const matched = findCliRead(command);
-  if (matched) return `Read-only CLI command: ${matched}`;
+  const matchedRead = findCliRead(command);
+  if (matchedRead) return `Read-only CLI command: ${matchedRead}`;
+  const matchedWrite = findCliWrite(command);
+  if (matchedWrite) return `Allowed CLI write: ${matchedWrite}`;
   if (isGhApiRead(command)) return "Read-only gh api command";
   const allowMatch = matchesAllow(toolName, command);
   if (allowMatch) return `Allowed by settings: ${allowMatch}`;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@staff0rd/assist",
-	"version": "0.166.0",
+	"version": "0.167.0",
 	"type": "module",
 	"main": "dist/index.js",
 	"bin": {
@@ -11,7 +11,8 @@
 	"files": [
 		"dist",
 		"claude",
-		"assist.cli-reads"
+		"allowed.cli-reads",
+		"allowed.cli-writes"
 	],
 	"publishConfig": {
 		"access": "public"