@trac3er/oh-my-god 1.0.2

package/hooks/intentgate-keyword-detector.py

@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+"""
+IntentGate Keyword Detection Hook — OMG v1.2
+
+UserPromptSubmit hook that detects magic keywords in user prompts,
+maps them to intents with confidence scoring, and injects a LEADER_HINT
+into the hook output for downstream routing. Detection only — no execution.
+
+Classification v1.2:
+  - Each detected intent includes a confidence score (0.0–1.0)
+  - Compound intent parsing: multiple keywords → multiple intents
+
+Confidence rules:
+  - Exact keyword match (standalone): 0.95
+  - Keyword embedded in context: 0.90
+  - Keyword in compound phrase (multi-intent): 0.85
+  - Multiple occurrences of same keyword: 0.98 (cap)
+
+Magic keywords:
+  - ultrawork, autopilot, ralph → execution modes
+  - plan this, tdd, search → task types
+  - stop, crazy → special directives
+"""
+import json
+import sys
+import os
+import re
+import time
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+try:
+    from hooks._common import (
+        setup_crash_handler,
+        json_input,
+        get_feature_flag,
+        _resolve_project_dir,
+        check_performance_budget,
+        PRE_TOOL_INJECT_MAX_MS,
+    )
+except ImportError:
+    import importlib
+    _common = importlib.import_module("_common")
+    setup_crash_handler = _common.setup_crash_handler
+    json_input = _common.json_input
+    get_feature_flag = _common.get_feature_flag
+    _resolve_project_dir = _common._resolve_project_dir
+    check_performance_budget = _common.check_performance_budget
+    PRE_TOOL_INJECT_MAX_MS = _common.PRE_TOOL_INJECT_MAX_MS
+
+setup_crash_handler("intentgate-keyword-detector", fail_closed=False)
+
+# ═══════════════════════════════════════════════════════════
+# KEYWORD → INTENT MAPPING
+# ═══════════════════════════════════════════════════════════
+KEYWORD_INTENT_MAP = {
+    "ultrawork": "INTENT_MAX_EFFORT",
+    "autopilot": "INTENT_AUTONOMOUS",
+    "ralph": "INTENT_LOOP",
+    "plan this": "INTENT_PLAN",
+    "tdd": "INTENT_TEST_DRIVEN",
+    "search": "INTENT_SEARCH",
+    "stop": "INTENT_STOP",
+    "crazy": "INTENT_CRAZY",
+}
+
+
+# ═══════════════════════════════════════════════════════════
+# CONFIDENCE SCORING ENGINE
+# ═══════════════════════════════════════════════════════════
+
+def _count_keyword_occurrences(keyword, prompt_lower):
+    """Count occurrences of keyword in prompt (respecting matching rules)."""
+    if " " in keyword:
+        # Multi-word: non-overlapping substring count
+        count = 0
+        start = 0
+        while True:
+            idx = prompt_lower.find(keyword, start)
+            if idx == -1:
+                break
+            count += 1
+            start = idx + len(keyword)
+        return count
+    else:
+        # Single-word: word boundary count
+        pattern = r'\b' + re.escape(keyword) + r'\b'
+        return len(re.findall(pattern, prompt_lower))
+
+
+def _compute_confidence(keyword, prompt_lower, occurrence_count, total_intents):
+    """Compute confidence score for a detected intent.
+
+    Rules (applied in priority order):
+      - Multiple occurrences of same keyword: 0.98 (capped)
+      - Keyword in compound phrase (multiple intents): 0.85
+      - Exact keyword match (standalone prompt): 0.95
+      - Keyword embedded in context signals: 0.90
+    """
+    # Multiple occurrences of same keyword → highest confidence (cap)
+    if occurrence_count > 1:
+        return 0.98
+
+    # Compound intent (multiple different keywords detected)
+    if total_intents > 1:
+        return 0.85
+
+    # Single intent, single occurrence
+    stripped = prompt_lower.strip()
+
+    # Exact/standalone match → high confidence
+    if stripped == keyword:
+        return 0.95
+
+    # Keyword embedded in surrounding context → slightly lower
+    return 0.90
+# ═══════════════════════════════════════════════════════════
+# FEATURE FLAG CHECK
+# ═══════════════════════════════════════════════════════════
+start_time = time.time()
+
+if not get_feature_flag("INTENTGATE", default=False):
+    # Feature disabled — return no-op JSON
+    json.dump({}, sys.stdout)
+    sys.exit(0)
+
+# ═══════════════════════════════════════════════════════════
+# INPUT PARSING
+# ═══════════════════════════════════════════════════════════
+data = json_input()
+
+prompt = data.get("tool_input", {}).get("user_message", "") or data.get("user_message", "")
+if not prompt:
+    json.dump({}, sys.stdout)
+    sys.exit(0)
+
+prompt_lower = prompt.lower().strip()
+
+# ═══════════════════════════════════════════════════════════
+# KEYWORD DETECTION (case-insensitive, multi-keyword, confidence scoring)
+# ═══════════════════════════════════════════════════════════
+
+# First pass: detect keywords with occurrence counts
+detected_raw = []
+
+for keyword, intent in KEYWORD_INTENT_MAP.items():
+    occurrences = _count_keyword_occurrences(keyword, prompt_lower)
+    if occurrences > 0:
+        detected_raw.append((keyword, intent, occurrences))
+
+# Second pass: compute confidence scores
+num_intents = len(detected_raw)
+detected_intents = []
+
+for keyword, intent, occurrences in detected_raw:
+    confidence = _compute_confidence(keyword, prompt_lower, occurrences, num_intents)
+    detected_intents.append({
+        "intent": intent,
+        "confidence": confidence,
+        "keyword": keyword,
+    })
+# ═══════════════════════════════════════════════════════════
+# OUTPUT CONSTRUCTION
+# ═══════════════════════════════════════════════════════════
+output = {}
+
+if detected_intents:
+    # Inject LEADER_HINT with detected intents and confidence scores
+    output["LEADER_HINT"] = {
+        "detected_intents": detected_intents,
+        "keyword_count": len(detected_intents),
+        "routing_enabled": True,
+        "classification_version": "1.2",
+    }
+
+# ═══════════════════════════════════════════════════════════
+# PERFORMANCE BUDGET CHECK
+# ═══════════════════════════════════════════════════════════
+elapsed_ms = (time.time() - start_time) * 1000
+check_performance_budget("intentgate-keyword-detector", elapsed_ms, PRE_TOOL_INJECT_MAX_MS)
+
+# ═══════════════════════════════════════════════════════════
+# OUTPUT
+# ═══════════════════════════════════════════════════════════
+json.dump(output, sys.stdout)
+sys.exit(0)

package/hooks/magic-keyword-router.py

@@ -0,0 +1,195 @@
+#!/usr/bin/env python3
+"""
+Magic Keyword Router — OMG v1.2
+
+PostToolUse hook that reads the LEADER_HINT produced by
+intentgate-keyword-detector, selects the appropriate agent based on intent,
+and writes a routing result to `.omg/state/routing_result.json`.
+
+Decision only — no subprocess calls or agent execution.
+
+Input sources (checked in priority order):
+  1. LEADER_HINT in stdin JSON (from hook pipeline)
+  2. `.omg/state/leader_hint.json` (persisted by future integrations)
+
+Feature flag: OMG_MAGIC_ROUTER_ENABLED (default off)
+"""
+import json
+import os
+import sys
+import time
+
+HOOKS_DIR = os.path.dirname(__file__)
+if HOOKS_DIR not in sys.path:
+    sys.path.insert(0, HOOKS_DIR)
+
+try:
+    from hooks._common import (
+        setup_crash_handler,
+        json_input,
+        get_feature_flag,
+        atomic_json_write,
+        get_project_dir,
+        check_performance_budget,
+        PRE_TOOL_INJECT_MAX_MS,
+    )
+except ImportError:
+    import importlib
+    _common = importlib.import_module("_common")
+    setup_crash_handler = _common.setup_crash_handler
+    json_input = _common.json_input
+    get_feature_flag = _common.get_feature_flag
+    atomic_json_write = _common.atomic_json_write
+    get_project_dir = _common.get_project_dir
+    check_performance_budget = _common.check_performance_budget
+    PRE_TOOL_INJECT_MAX_MS = _common.PRE_TOOL_INJECT_MAX_MS
+
+try:
+    from hooks._agent_registry import INTENT_ROUTING
+except ImportError:
+    _registry = importlib.import_module("_agent_registry")
+    INTENT_ROUTING = _registry.INTENT_ROUTING
+
+setup_crash_handler("magic-keyword-router", fail_closed=False)
+
+# ═══════════════════════════════════════════════════════════
+# CONSTANTS
+# ═══════════════════════════════════════════════════════════
+ROUTING_RESULT_PATH = ".omg/state/routing_result.json"
+LEADER_HINT_PATH = ".omg/state/leader_hint.json"
+
+
+# ═══════════════════════════════════════════════════════════
+# FEATURE FLAG CHECK
+# ═══════════════════════════════════════════════════════════
+start_time = time.time()
+
+if not get_feature_flag("MAGIC_ROUTER", default=False):
+    # Feature disabled — no-op
+    json.dump({}, sys.stdout)
+    sys.exit(0)
+
+# ═══════════════════════════════════════════════════════════
+# INPUT PARSING
+# ═══════════════════════════════════════════════════════════
+data = json_input()
+
+
+def _extract_leader_hint(hook_data):
+    """Extract LEADER_HINT from hook stdin data.
+
+    Checks multiple locations where the hint may appear:
+      - Top-level "LEADER_HINT" key
+      - Nested under "tool_output"
+      - Nested under "hookSpecificOutput"
+    """
+    if not isinstance(hook_data, dict):
+        return None
+    # Direct top-level
+    hint = hook_data.get("LEADER_HINT")
+    if hint:
+        return hint
+    # Nested in tool_output
+    tool_output = hook_data.get("tool_output", {})
+    if isinstance(tool_output, dict):
+        hint = tool_output.get("LEADER_HINT")
+        if hint:
+            return hint
+    # Nested in hookSpecificOutput
+    hso = hook_data.get("hookSpecificOutput", {})
+    if isinstance(hso, dict):
+        hint = hso.get("LEADER_HINT")
+        if hint:
+            return hint
+    return None
+
+
+def _read_leader_hint_file(project_dir):
+    """Read LEADER_HINT from persisted file (secondary source)."""
+    path = os.path.join(project_dir, LEADER_HINT_PATH)
+    if not os.path.exists(path):
+        return None
+    try:
+        with open(path, "r", encoding="utf-8") as f:
+            data = json.load(f)
+        # File may contain {"LEADER_HINT": {...}} or the hint directly
+        if isinstance(data, dict):
+            return data.get("LEADER_HINT", data) if "detected_intents" not in data else data
+        return None
+    except (json.JSONDecodeError, OSError):
+        return None
+
+
+def _resolve_routing(leader_hint):
+    """Given a LEADER_HINT dict, resolve the target agent.
+
+    Returns (target_agent, intent, confidence) tuple.
+    target_agent may be None (e.g., INTENT_STOP → halt).
+    """
+    detected = leader_hint.get("detected_intents", [])
+    if not detected:
+        return None, None, 0.0
+
+    # Pick first non-None routable intent (highest priority = first in list)
+    for intent_entry in detected:
+        intent_name = intent_entry.get("intent", "")
+        confidence = intent_entry.get("confidence", 0.0)
+        target = INTENT_ROUTING.get(intent_name)
+
+        # INTENT_STOP maps to None explicitly — that IS a valid routing result
+        if intent_name in INTENT_ROUTING:
+            return target, intent_name, confidence
+
+    # No known intent found
+    return None, None, 0.0
+
+
+# ═══════════════════════════════════════════════════════════
+# LEADER_HINT RESOLUTION (stdin preferred, file fallback)
+# ═══════════════════════════════════════════════════════════
+project_dir = get_project_dir()
+leader_hint = _extract_leader_hint(data)
+
+if leader_hint is None:
+    leader_hint = _read_leader_hint_file(project_dir)
+
+# ═══════════════════════════════════════════════════════════
+# ROUTING DECISION
+# ═══════════════════════════════════════════════════════════
+from datetime import datetime, timezone
+
+routing_result_path = os.path.join(project_dir, ROUTING_RESULT_PATH)
+ts = datetime.now(timezone.utc).isoformat()
+
+if leader_hint and leader_hint.get("detected_intents"):
+    target_agent, intent, confidence = _resolve_routing(leader_hint)
+    routing_result = {
+        "target_agent": target_agent,
+        "intent": intent,
+        "confidence": confidence,
+        "fallback": False,
+        "timestamp": ts,
+    }
+else:
+    # No LEADER_HINT → fallback
+    routing_result = {
+        "target_agent": None,
+        "intent": None,
+        "confidence": 0.0,
+        "fallback": True,
+        "timestamp": ts,
+    }
+
+atomic_json_write(routing_result_path, routing_result)
+
+# ═══════════════════════════════════════════════════════════
+# PERFORMANCE BUDGET CHECK
+# ═══════════════════════════════════════════════════════════
+elapsed_ms = (time.time() - start_time) * 1000
+check_performance_budget("magic-keyword-router", elapsed_ms, PRE_TOOL_INJECT_MAX_MS)
+
+# ═══════════════════════════════════════════════════════════
+# OUTPUT (no-op for PostToolUse — just exit clean)
+# ═══════════════════════════════════════════════════════════
+json.dump({}, sys.stdout)
+sys.exit(0)

package/hooks/policy_engine.py

@@ -0,0 +1,310 @@
+#!/usr/bin/env python3
+"""OMG v1 Policy Engine
+
+Centralized policy decision layer for tool access, file access, and supply-chain
+artifact verification.
+"""
+from __future__ import annotations
+
+from dataclasses import dataclass, asdict
+import os
+import re
+from typing import Any
+
+
+Action = str
+RiskLevel = str
+
+
+@dataclass
+class PolicyDecision:
+    action: Action  # allow | ask | deny
+    risk_level: RiskLevel  # low | med | high | critical
+    reason: str = ""
+    controls: list[str] | None = None
+
+    def to_dict(self) -> dict[str, Any]:
+        data = asdict(self)
+        if data.get("controls") is None:
+            data["controls"] = []
+        return data
+
+
+def allow(reason: str = "", controls: list[str] | None = None) -> PolicyDecision:
+    return PolicyDecision("allow", "low", reason, controls or [])
+
+
+def ask(reason: str, risk_level: RiskLevel = "med", controls: list[str] | None = None) -> PolicyDecision:
+    return PolicyDecision("ask", risk_level, reason, controls or [])
+
+
+def deny(reason: str, risk_level: RiskLevel = "high", controls: list[str] | None = None) -> PolicyDecision:
+    return PolicyDecision("deny", risk_level, reason, controls or [])
+
+
+# === BASH POLICY ============================================================
+
+DESTRUCT_PATTERNS = [
+    (r"rm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+/(\s|$|\*)", "rm -rf /"),
+    (r"rm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+~/?(\s|$|\*)", "rm -rf ~"),
+    (r"rm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+\$HOME", "rm -rf $HOME"),
+    (r"rm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+\$\{?HOME\}?", "rm -rf ${HOME}"),
+    (r"rm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+\.\.\s", "rm -rf .."),
+    (r":\(\)\s*\{\s*:\|:&\s*\}\s*;:", "fork bomb"),
+    (r"function\s+\w+\(\)\s*\{\s*\w+\s*\|\s*\w+\s*&", "potential fork bomb"),
+    (r">\s*/dev/sd[a-z]", "overwrite disk"),
+    (r"dd\s+.*of=/dev/sd[a-z]", "dd to disk device"),
+    (r"sudo\s+(dd|mkfs|fdisk|parted|wipefs)\b", "destructive disk op"),
+    (r"sudo\s+rm\b", "sudo rm"),
+    (r"echo\s+.*>\s*/proc/", "write to /proc"),
+    (r"echo\s+.*>\s*/sys/", "write to /sys"),
+]
+
+PIPE_SHELL_PATTERNS = [
+    r"(curl|wget)\s+.*\|\s*(sudo\s+)?(ba)?sh",
+    r"(curl|wget)\s+.*\|\s*python[23]?",
+    r"(curl|wget)\s+.*\|\s*perl",
+    r"(curl|wget)\s+.*\|\s*ruby",
+    r"base64\s+.*\|\s*(ba)?sh",
+    r"echo\s+.*\|\s*base64\s+-d\s*\|\s*(ba)?sh",
+]
+
+EVAL_PATTERNS = [
+    r"\beval\s+\"\$",
+    r"\beval\s+\$\(",
+    r"\beval\s+`",
+]
+
+SAFE_ENV_REFERENCE = re.compile(r"\.env\.(example|sample|template)\b", re.IGNORECASE)
+
+SECRET_FILE_PATTERNS = [
+    r"\.(env|pem|key|p12|pfx|jks|keystore|netrc|npmrc|pypirc)\b",
+    r"/\.aws/(credentials|config)\b",
+    r"/\.kube/config\b",
+    r"/id_(rsa|ed25519|ecdsa)\b",
+    r"/\.ssh/",
+    r"\bsecrets?/",
+    r"\bcredentials?\.",
+    r"\bpasswords?\.",
+    r"\btokens?\.",
+]
+
+READ_COMMANDS = [
+    "cat", "less", "more", "head", "tail", "strings", "xxd", "od",
+    "hexdump", "base64", "vim", "vi", "nano", "emacs", "view",
+    "bat", "pygmentize", "highlight", "source", "\\.",
+    "awk", "gawk", "mawk", "perl", "ruby", "python", "python3", "node",
+]
+READ_PATTERN = r"(?:^|\s|;|&&|\|\|)(?:" + "|".join(re.escape(c) for c in READ_COMMANDS) + r")\s+"
+
+EXFIL_COMMANDS = [
+    r"\b(cp|mv|ln\s+-s)\s+",
+    r"\btar\s+.*-?c",
+    r"\bzip\s+",
+]
+
+ASK_PATTERNS = [
+    (r"(^|\s)(curl|wget)(\s|$)", "Network egress"),
+    (r"(^|\s)(ssh|scp|rsync)(\s|$)", "Remote connection"),
+    (r"git\s+push\s+.*(-f|--force)", "Force push"),
+    (r"git\s+push\s+.*(main|master|production|release)", "Push to protected branch"),
+    (r"chmod\s+(777|666|a\+[rwx])", "Overly permissive chmod"),
+    (r"docker\s+run\s+.*--privileged", "Privileged container"),
+    (r"python[23]?\s+-c\s+", "Inline Python execution"),
+    (r"node\s+-e\s+", "Inline Node execution"),
+]
+
+
+def evaluate_bash_command(cmd: str) -> PolicyDecision:
+    if not cmd:
+        return allow("empty command")
+
+    for pat, label in DESTRUCT_PATTERNS:
+        if re.search(pat, cmd):
+            return deny(f"Blocked: {label}", "critical", ["destructive-op"])
+
+    for pat in PIPE_SHELL_PATTERNS:
+        if re.search(pat, cmd):
+            return deny("Blocked: pipe-to-shell", "critical", ["remote-code-exec"])
+
+    for pat in EVAL_PATTERNS:
+        if re.search(pat, cmd):
+            return deny("Blocked: dynamic eval", "high", ["dynamic-eval"])
+
+    for secret_pat in SECRET_FILE_PATTERNS:
+        if not re.search(secret_pat, cmd, re.IGNORECASE):
+            continue
+
+        if SAFE_ENV_REFERENCE.search(cmd):
+            cleaned = SAFE_ENV_REFERENCE.sub("__SAFE_REF__", cmd)
+            if not re.search(secret_pat, cleaned, re.IGNORECASE):
+                continue
+
+        if re.search(READ_PATTERN, cmd, re.IGNORECASE):
+            return deny("Blocked: reading secret file", "critical", ["secret-access"])
+
+        if re.search(r"<\s*\S*(" + secret_pat + r")", cmd, re.IGNORECASE):
+            return deny("Blocked: reading secret file via redirect", "critical", ["secret-access"])
+
+        for exfil in EXFIL_COMMANDS:
+            if re.search(exfil, cmd):
+                return deny("Blocked: copying secret file", "critical", ["secret-exfiltration"])
+
+        if re.search(r"\bgrep\b", cmd):
+            return ask("Searching inside potential secret file — confirm this is safe", "high", ["secret-search"])
+
+    for pat, label in ASK_PATTERNS:
+        if re.search(pat, cmd):
+            return ask(f"{label}: {cmd[:120]}", "med", ["human-approval"])
+
+    return allow("command allowed")
+
+
+# === FILE POLICY ============================================================
+
+BLOCKED_FILES = {
+    ".env", ".env.local", ".env.development", ".env.production",
+    ".env.staging", ".env.test", ".npmrc", ".pypirc", ".netrc",
+    "id_rsa", "id_ed25519", "id_ecdsa", "id_rsa.pub", "id_ed25519.pub", "id_ecdsa.pub",
+}
+
+EXAMPLE_FILES = {".env.example", ".env.sample", ".env.template"}
+
+BLOCKED_PATH_PATTERNS = [
+    r"/\.aws/(credentials|config)$",
+    r"/\.kube/config$",
+    r"/\.ssh/",
+    r"/\.gnupg/",
+    r"/secrets?/",
+    r"\.(pem|key|p12|pfx|jks|keystore)$",
+    r"(^|/)secret[s]?\.",
+    r"(^|/)credential[s]?\.",
+    r"(^|/)password[s]?\.",
+    r"(^|/)token[s]?\.",
+    r"(^|/)\.docker/config\.json$",
+    r"(^|/)\.git-credentials$",
+]
+
+
+# OMG internal credential store paths (exempted from secret-file blocking)
+# Only these exact filenames inside .omg/state/ are allowed.
+_OMG_CREDENTIAL_STORE_ALLOWLIST = frozenset({
+    "credentials.enc",
+    "credentials.meta",
+})
+
+
+def _is_omg_credential_path(normalized_path: str) -> bool:
+    """Return True if the path is an OMG credential store file.
+
+    Only exempts files that are:
+    1. Inside .omg/state/ directory
+    2. Named exactly 'credentials.enc' or 'credentials.meta'
+    3. Feature flag MULTI_CREDENTIAL is enabled
+
+    This is deliberately narrow to prevent path traversal attacks.
+    """
+    # Import here to avoid circular dependency at module level
+    from _common import get_feature_flag
+
+    # Only exempt if feature is enabled
+    if not get_feature_flag("MULTI_CREDENTIAL", default=False):
+        return False
+
+    basename = os.path.basename(normalized_path).lower()
+    if basename not in _OMG_CREDENTIAL_STORE_ALLOWLIST:
+        return False
+
+    # Verify it's actually inside .omg/state/
+    parent = os.path.dirname(normalized_path)
+    return parent.endswith(os.sep + ".omg" + os.sep + "state") or \
+           parent.endswith("/.omg/state")
+
+
+def evaluate_file_access(tool: str, file_path: str) -> PolicyDecision:
+    if not file_path:
+        return allow("no file")
+
+    normalized = os.path.normpath(file_path)
+    # Resolve symlinks to prevent bypass via symlink to secret file
+    try:
+        normalized = os.path.realpath(normalized)
+    except (OSError, ValueError):
+        pass
+    basename = os.path.basename(normalized).lower()
+    lowpath = normalized.lower()
+
+    if basename in EXAMPLE_FILES and tool in ("Write", "Edit", "MultiEdit"):
+        return deny(
+            f"Modifying example env file blocked (Read is allowed): {file_path}",
+            "high",
+            ["immutable-env-template"],
+        )
+
+    if basename in BLOCKED_FILES:
+        return deny(f"Secret file blocked: {file_path}", "critical", ["secret-access"])
+
+    if re.match(r"^\.env(\..+)?$", basename) and basename not in EXAMPLE_FILES:
+        return deny(f"Environment file blocked: {file_path}", "critical", ["secret-access"])
+
+    # EXEMPTION: OMG credential store files within .omg/state/
+    # These are managed by hooks/credential_store.py and must be accessible
+    if _is_omg_credential_path(normalized):
+        return allow("OMG credential store (managed path)")
+
+    for pat in BLOCKED_PATH_PATTERNS:
+        if re.search(pat, lowpath):
+            return deny(f"Sensitive path blocked: {file_path}", "critical", ["secret-access"])
+
+    return allow("file allowed")
+
+
+# === SUPPLY CHAIN POLICY ====================================================
+
+
+def evaluate_supply_artifact(artifact: dict[str, Any], mode: str = "warn_and_run") -> PolicyDecision:
+    """Verify artifact trust with Warn-And-Run semantics.
+
+    mode=warn_and_run: missing trust metadata returns ASK
+    critical findings always DENY
+    """
+    findings = artifact.get("static_scan") or []
+    permissions = artifact.get("permissions") or []
+    signer = artifact.get("signer")
+    checksum = artifact.get("checksum")
+
+    for finding in findings:
+        sev = str((finding or {}).get("severity", "")).lower()
+        if sev == "critical":
+            return deny("Critical static-scan finding detected", "critical", ["supply-critical-block"])
+
+    joined_perms = " ".join(str(p) for p in permissions)
+    if any(token in joined_perms for token in ["sudo", "rm -rf", "--privileged", "curl |", "wget |"]):
+        return deny("Critical permission profile detected in artifact", "critical", ["dangerous-permissions"])
+
+    if not signer or not checksum:
+        if mode == "warn_and_run":
+            return ask(
+                "Artifact missing signer/checksum metadata (untrusted). Continue with isolation.",
+                "high",
+                ["isolate-network", "read-only-fs", "manual-approval"],
+            )
+        return deny("Artifact missing signer/checksum metadata", "high", ["unsigned-artifact"])
+
+    has_high = any(str((finding or {}).get("severity", "")).lower() == "high" for finding in findings)
+    if has_high:
+        return ask("High-risk findings present. Explicit approval required.", "high", ["manual-approval"])
+
+    return allow("artifact trusted")
+
+
+def to_pretool_hook_output(decision: PolicyDecision) -> dict[str, Any] | None:
+    if decision.action == "allow":
+        return None
+    return {
+        "hookSpecificOutput": {
+            "hookEventName": "PreToolUse",
+            "permissionDecision": decision.action,
+            "permissionDecisionReason": decision.reason,
+        }
+    }