@wazir-dev/cli 1.3.0 → 1.4.0

package/tooling/src/hooks/pretooluse-dispatcher.js

@@ -0,0 +1,300 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+import { readPipelineState } from '../state/pipeline-state.js';
+import { readYamlFile } from '../loaders.js';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const ALWAYS_ALLOWED_TOOLS = new Set([
+  'Read', 'Grep', 'Glob', 'Agent', 'Skill',
+  'TaskCreate', 'TaskUpdate', 'TaskList', 'TaskGet',
+]);
+
+const WRITE_BLOCKED_PHASES = new Set(['clarify', 'verify', 'review']);
+const GIT_BLOCKED_PHASES = new Set(['init', 'clarify', 'verify', 'review']);
+const UNRESTRICTED_PHASES = new Set(['init', 'execute', 'complete']);
+
+const GIT_MUTATING_PATTERNS = [
+  /^git\s+commit/,
+  /^git\s+push/,
+  /^git\s+merge/,
+  /^git\s+rebase/,
+  /^git\s+reset/,
+  /^git\s+checkout\s+--/,
+];
+
+const DEFAULT_ROUTING_MATRIX = {
+  large: ['npm test', 'vitest', 'jest', 'pytest', 'npm run build', 'tsc --noEmit', 'npm ls', 'pip list', 'eslint .', 'prettier --check .', 'tail -f'],
+  small: ['git status', 'git log', 'git branch', 'git rev-parse', 'ls', 'pwd', 'mkdir', 'cp', 'mv', 'rm', 'wazir doctor', 'wazir index', 'wazir capture', 'wazir validate', 'which', 'echo'],
+  ambiguous_heuristic: { pipe_detected: true, redirect_detected: true, verbose_binaries: ['find', 'rg', 'grep', 'awk', 'sed', 'curl'] },
+};
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function isWazirPath(filePath) {
+  if (!filePath) return false;
+  return filePath.includes('.wazir/') || filePath.includes('/.wazir');
+}
+
+function isWazirCommand(command) {
+  if (!command) return false;
+  const trimmed = command.trim();
+  return trimmed.startsWith('wazir ') || trimmed === 'wazir';
+}
+
+function isGitMutating(command) {
+  if (!command) return false;
+  const trimmed = command.trim();
+  return GIT_MUTATING_PATTERNS.some(pattern => pattern.test(trimmed));
+}
+
+// ---------------------------------------------------------------------------
+// Protected path check
+// ---------------------------------------------------------------------------
+
+const APPROVED_FLOWS = new Set([
+  'host_export_regeneration',
+  'pipeline_integration',
+]);
+
+function checkProtectedPath(projectRoot, filePath, approvedFlow) {
+  if (!filePath || !projectRoot) return null;
+
+  let manifest;
+  try {
+    manifest = readYamlFile(path.join(projectRoot, 'wazir.manifest.yaml'));
+  } catch {
+    // If manifest can't be read, block writes defensively
+    return { decision: 'deny', reason: 'Cannot read manifest to check protected paths.' };
+  }
+
+  if (!manifest?.protected_paths) return null;
+
+  const absoluteTarget = path.isAbsolute(filePath)
+    ? path.resolve(filePath)
+    : path.resolve(projectRoot, filePath);
+  const relTarget = path.relative(projectRoot, absoluteTarget);
+
+  // Outside project = not protected
+  if (relTarget === '..' || relTarget.startsWith(`..${path.sep}`) || path.isAbsolute(relTarget)) {
+    return null;
+  }
+
+  const blocked = manifest.protected_paths.find(
+    (pp) => relTarget === pp || relTarget.startsWith(`${pp}${path.sep}`),
+  );
+
+  if (blocked) {
+    // Check approved flow override
+    if (APPROVED_FLOWS.has(approvedFlow)) {
+      return null; // approved flow may write protected paths
+    }
+    return { decision: 'deny', reason: `Protected path blocked: ${relTarget}` };
+  }
+
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Context-mode classification
+// ---------------------------------------------------------------------------
+
+function classifyCommand(cmd, matrix) {
+  if (!cmd) return { category: 'small', reason: 'empty command' };
+
+  if (cmd.includes('# wazir:context-mode')) return { category: 'large', reason: 'explicit marker' };
+
+  for (const pattern of matrix.large) {
+    if (cmd === pattern || cmd.startsWith(pattern + ' ') || cmd.startsWith(pattern + '\t')) {
+      return { category: 'large', reason: `matched pattern: ${pattern}` };
+    }
+  }
+
+  if (cmd.includes('# wazir:passthrough')) return { category: 'small', reason: 'passthrough marker' };
+
+  for (const pattern of matrix.small) {
+    if (cmd === pattern || cmd.startsWith(pattern + ' ') || cmd.startsWith(pattern + '\t')) {
+      return { category: 'small', reason: `matched pattern: ${pattern}` };
+    }
+  }
+
+  const heuristic = matrix.ambiguous_heuristic || {};
+  if (heuristic.pipe_detected && /(?<![\\])\|/.test(cmd)) {
+    return { category: 'ambiguous', reason: 'pipe detected' };
+  }
+  if (heuristic.redirect_detected && /(?<![\\])>/.test(cmd)) {
+    return { category: 'ambiguous', reason: 'redirect detected' };
+  }
+
+  const bin = cmd.split(/\s+/)[0] || '';
+  if (Array.isArray(heuristic.verbose_binaries) && heuristic.verbose_binaries.includes(bin)) {
+    return { category: 'ambiguous', reason: `verbose binary: ${bin}` };
+  }
+
+  return { category: 'small', reason: 'no pattern matched' };
+}
+
+// ---------------------------------------------------------------------------
+// Load routing matrix
+// ---------------------------------------------------------------------------
+
+function loadRoutingMatrix(projectRoot) {
+  try {
+    const matrixPath = path.join(projectRoot, 'hooks', 'routing-matrix.json');
+    return JSON.parse(fs.readFileSync(matrixPath, 'utf8'));
+  } catch {
+    return DEFAULT_ROUTING_MATRIX;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Main evaluation — consolidates all three PreToolUse concerns
+// ---------------------------------------------------------------------------
+
+/**
+ * Consolidated PreToolUse dispatcher.
+ *
+ * Evaluation order:
+ * 1. Always-allowed tools (reads, task tools)
+ * 2. .wazir/ path writes (pipeline state)
+ * 3. wazir CLI commands
+ * 4. No state = allow all
+ * 5. Protected path check (manifest protected_paths)
+ * 6. Phase restriction check (write/git blocks)
+ * 7. Context-mode routing (Bash classification)
+ *
+ * @param {string} stateRoot   — pipeline state directory
+ * @param {string} projectRoot — project root directory
+ * @param {object} hookInput   — { tool, input }
+ * @returns {{ decision: 'allow'|'deny', reason?: string, routing_decision?: object }}
+ */
+export function evaluateDispatch(stateRoot, projectRoot, hookInput) {
+  const { tool, input = {} } = hookInput;
+
+  // 1. Always-allowed tools
+  if (ALWAYS_ALLOWED_TOOLS.has(tool)) {
+    return { decision: 'allow' };
+  }
+
+  // 2. .wazir/ path writes always allowed
+  if ((tool === 'Write' || tool === 'Edit') && isWazirPath(input.file_path)) {
+    return { decision: 'allow' };
+  }
+
+  // 3. wazir CLI commands always allowed
+  if (tool === 'Bash' && isWazirCommand(input.command)) {
+    return { decision: 'allow' };
+  }
+
+  // 4. Protected path check (Write/Edit only — always enforced regardless of phase)
+  if (tool === 'Write' || tool === 'Edit') {
+    const protectedResult = checkProtectedPath(projectRoot, input.file_path, input.approved_flow);
+    if (protectedResult) return protectedResult;
+  }
+
+  // 5. No state file = not a pipeline session = allow
+  let state;
+  try {
+    state = readPipelineState(stateRoot);
+  } catch {
+    return { decision: 'allow' };
+  }
+  if (!state || !state.current_phase) {
+    return { decision: 'allow' };
+  }
+
+  const phase = state.current_phase;
+
+  // 6. Unrestricted phases
+  if (UNRESTRICTED_PHASES.has(phase)) {
+    return addRoutingIfBash(tool, input, projectRoot);
+  }
+
+  // 7. Phase-based Write/Edit restriction
+  if ((tool === 'Write' || tool === 'Edit') && WRITE_BLOCKED_PHASES.has(phase)) {
+    return {
+      decision: 'deny',
+      reason: `Write/Edit blocked during "${phase}" phase. This phase is read-only for project files. Only .wazir/ writes are allowed.`,
+    };
+  }
+
+  // 8. Phase-based git mutation restriction
+  if (tool === 'Bash' && GIT_BLOCKED_PHASES.has(phase) && isGitMutating(input.command)) {
+    return {
+      decision: 'deny',
+      reason: `Git mutations (commit/push) blocked during "${phase}" phase. Git commits are only allowed during the execute phase.`,
+    };
+  }
+
+  // 9. Context-mode routing for Bash
+  return addRoutingIfBash(tool, input, projectRoot);
+}
+
+function isContextModeEnabled(projectRoot) {
+  const envVal = process.env.WAZIR_CONTEXT_MODE;
+  if (envVal !== undefined) return envVal === '1' || envVal === 'true';
+
+  try {
+    const manifestPath = path.join(projectRoot, 'wazir.manifest.yaml');
+    const manifestText = fs.readFileSync(manifestPath, 'utf8');
+    const match = manifestText.match(/context_mode:[\s\S]*?enabled_by_default:\s*(true|false)/);
+    if (match) return match[1] === 'true';
+  } catch { /* ignore */ }
+
+  return false;
+}
+
+function addRoutingIfBash(tool, input, projectRoot) {
+  if (tool === 'Bash') {
+    const matrix = loadRoutingMatrix(projectRoot);
+    const cmd = (input.command || '').trim();
+    const classification = classifyCommand(cmd, matrix);
+    const contextModeEnabled = isContextModeEnabled(projectRoot);
+
+    let route = 'passthrough';
+    if (contextModeEnabled && (classification.category === 'large' || classification.category === 'ambiguous')) {
+      route = 'context-mode';
+    }
+
+    const routing_decision = {
+      command: cmd,
+      category: classification.category,
+      reason: classification.reason,
+      route,
+      context_mode_enabled: contextModeEnabled,
+    };
+    return { decision: 'allow', routing_decision };
+  }
+  return { decision: 'allow' };
+}
+
+// ---------------------------------------------------------------------------
+// CLI entry point
+// ---------------------------------------------------------------------------
+
+const isDirectRun = process.argv[1] && import.meta.url.endsWith(process.argv[1].replace(/\\/g, '/'));
+
+if (isDirectRun) {
+  const stateRoot = process.argv[2] || process.env.WAZIR_STATE_ROOT;
+  const projectRoot = process.argv[3] || process.env.WAZIR_PROJECT_ROOT || process.cwd();
+
+  let hookInput = {};
+  try {
+    const stdin = fs.readFileSync(0, 'utf8').trim();
+    if (stdin) hookInput = JSON.parse(stdin);
+  } catch { /* no stdin */ }
+
+  if (!stateRoot) {
+    console.log(JSON.stringify({ decision: 'allow' }));
+    process.exit(0);
+  }
+
+  const result = evaluateDispatch(stateRoot, projectRoot, hookInput);
+  console.log(JSON.stringify(result));
+  process.exit(0);
+}

package/tooling/src/hooks/pretooluse-pipeline-guard.js

@@ -0,0 +1,141 @@
+import fs from 'node:fs';
+import { readPipelineState } from '../state/pipeline-state.js';
+
+// ---------------------------------------------------------------------------
+// Phase → tool restriction rules
+// ---------------------------------------------------------------------------
+
+// Phases where Write/Edit to project files are blocked
+const WRITE_BLOCKED_PHASES = new Set(['clarify', 'verify', 'review']);
+
+// Phases where git commit/push are blocked
+const GIT_BLOCKED_PHASES = new Set(['init', 'clarify', 'verify', 'review']);
+
+// Phases where all tools are unrestricted
+const UNRESTRICTED_PHASES = new Set(['init', 'execute', 'complete']);
+
+// Tools that are always allowed (read-only operations)
+const ALWAYS_ALLOWED_TOOLS = new Set(['Read', 'Grep', 'Glob', 'Agent', 'Skill', 'TaskCreate', 'TaskUpdate', 'TaskList', 'TaskGet']);
+
+// Git commands that modify state
+const GIT_MUTATING_PATTERNS = [
+  /^git\s+commit/,
+  /^git\s+push/,
+  /^git\s+merge/,
+  /^git\s+rebase/,
+  /^git\s+reset/,
+  /^git\s+checkout\s+--/,
+];
+
+// ---------------------------------------------------------------------------
+// Evaluation
+// ---------------------------------------------------------------------------
+
+/**
+ * Evaluate whether a tool call should be allowed in the current pipeline phase.
+ *
+ * @param {string} stateRoot  — path to the pipeline state directory
+ * @param {object} hookInput  — { tool: string, input: object }
+ * @returns {{ decision: 'allow'|'deny', reason?: string }}
+ */
+export function evaluatePreToolUse(stateRoot, hookInput) {
+  const { tool, input = {} } = hookInput;
+
+  // 1. Always-allowed tools (reads are never blocked)
+  if (ALWAYS_ALLOWED_TOOLS.has(tool)) {
+    return { decision: 'allow' };
+  }
+
+  // 2. No state file → not a pipeline session → allow everything
+  let state;
+  try {
+    state = readPipelineState(stateRoot);
+  } catch {
+    return { decision: 'allow' };
+  }
+
+  if (!state || !state.current_phase) {
+    return { decision: 'allow' };
+  }
+
+  const phase = state.current_phase;
+
+  // 3. Unrestricted phases
+  if (UNRESTRICTED_PHASES.has(phase)) {
+    return { decision: 'allow' };
+  }
+
+  // 4. Always-allow: .wazir/ path writes (pipeline state management)
+  if ((tool === 'Write' || tool === 'Edit') && isWazirPath(input.file_path)) {
+    return { decision: 'allow' };
+  }
+
+  // 5. Always-allow: wazir CLI commands
+  if (tool === 'Bash' && isWazirCommand(input.command)) {
+    return { decision: 'allow' };
+  }
+
+  // 6. Check Write/Edit restrictions
+  if ((tool === 'Write' || tool === 'Edit') && WRITE_BLOCKED_PHASES.has(phase)) {
+    return {
+      decision: 'deny',
+      reason: `Write/Edit blocked during "${phase}" phase. This phase is read-only for project files. Only .wazir/ writes are allowed.`,
+    };
+  }
+
+  // 7. Check git mutation restrictions in Bash
+  if (tool === 'Bash' && GIT_BLOCKED_PHASES.has(phase) && isGitMutating(input.command)) {
+    return {
+      decision: 'deny',
+      reason: `Git mutations (commit/push) blocked during "${phase}" phase. Git commits are only allowed during the execute phase.`,
+    };
+  }
+
+  // 8. Default: allow
+  return { decision: 'allow' };
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function isWazirPath(filePath) {
+  if (!filePath) return false;
+  return filePath.includes('.wazir/') || filePath.includes('/.wazir');
+}
+
+function isWazirCommand(command) {
+  if (!command) return false;
+  const trimmed = command.trim();
+  return trimmed.startsWith('wazir ') || trimmed === 'wazir';
+}
+
+function isGitMutating(command) {
+  if (!command) return false;
+  const trimmed = command.trim();
+  return GIT_MUTATING_PATTERNS.some(pattern => pattern.test(trimmed));
+}
+
+// ---------------------------------------------------------------------------
+// CLI entry point
+// ---------------------------------------------------------------------------
+
+const isDirectRun = process.argv[1] && import.meta.url.endsWith(process.argv[1].replace(/\\/g, '/'));
+
+if (isDirectRun) {
+  const stateRoot = process.argv[2] || process.env.WAZIR_STATE_ROOT;
+  if (!stateRoot) {
+    console.log(JSON.stringify({ decision: 'allow' }));
+    process.exit(0);
+  }
+
+  let hookInput = {};
+  try {
+    const input = fs.readFileSync(0, 'utf8').trim();
+    if (input) hookInput = JSON.parse(input);
+  } catch { /* no stdin */ }
+
+  const result = evaluatePreToolUse(stateRoot, hookInput);
+  console.log(JSON.stringify(result));
+  process.exit(0);
+}

package/tooling/src/hooks/stop-pipeline-gate.js

@@ -0,0 +1,92 @@
+import fs from 'node:fs';
+import { readPipelineState, setStopHookActive } from '../state/pipeline-state.js';
+
+const SAFETY_VALVE_REASONS = new Set(['context-limit', 'user-abort']);
+
+/**
+ * Evaluate whether the Stop hook should block or allow conversation end.
+ *
+ * @param {string} stateRoot  — path to the pipeline state directory
+ * @param {object} context    — stop context (may include stop_reason)
+ * @returns {{ decision: 'approve'|'block', reason: string }}
+ */
+export function evaluateStopGate(stateRoot, context = {}) {
+  // 1. No state file → not a pipeline session → allow
+  let state;
+  try {
+    state = readPipelineState(stateRoot);
+  } catch {
+    return { decision: 'approve', reason: 'State read error — allowing stop.' };
+  }
+
+  if (!state) {
+    return { decision: 'approve', reason: 'No pipeline state — no pipeline active, allowing stop.' };
+  }
+
+  // 2. Malformed state (no current_phase)
+  if (!state.current_phase) {
+    return { decision: 'approve', reason: 'Pipeline state malformed — allowing stop.' };
+  }
+
+  // 3. Safety valve: stop_hook_active flag (infinite loop guard)
+  if (state.stop_hook_active) {
+    try { setStopHookActive(stateRoot, false); } catch { /* best effort */ }
+    return { decision: 'approve', reason: 'Stop hook loop guard active — allowing stop to break loop.' };
+  }
+
+  // 4. Safety valve: context-limit or user-abort
+  if (context.stop_reason && SAFETY_VALVE_REASONS.has(context.stop_reason)) {
+    return { decision: 'approve', reason: `Safety valve: ${context.stop_reason} — allowing stop.` };
+  }
+
+  // 5. Init phase — pipeline hasn't started real work yet
+  if (state.current_phase === 'init') {
+    return { decision: 'approve', reason: 'Pipeline at init — no work in progress, allowing stop.' };
+  }
+
+  // 6. Complete phase — all done
+  if (state.current_phase === 'complete') {
+    return { decision: 'approve', reason: 'Pipeline complete — all phases done.' };
+  }
+
+  // 7. Pipeline is in progress — block
+  try { setStopHookActive(stateRoot, true); } catch { /* best effort */ }
+
+  const remaining = getRemainingPhases(state.current_phase);
+  return {
+    decision: 'block',
+    reason: `Pipeline incomplete: currently in "${state.current_phase}" phase. Remaining: ${remaining.join(', ')}. Complete all phases before stopping.`,
+  };
+}
+
+function getRemainingPhases(currentPhase) {
+  const phases = ['clarify', 'execute', 'verify', 'review', 'complete'];
+  const idx = phases.indexOf(currentPhase);
+  if (idx === -1) return phases;
+  return phases.slice(idx);
+}
+
+// ---------------------------------------------------------------------------
+// CLI entry point — reads stateRoot from argv, prints JSON to stdout
+// ---------------------------------------------------------------------------
+
+const isDirectRun = process.argv[1] && import.meta.url.endsWith(process.argv[1].replace(/\\/g, '/'));
+
+if (isDirectRun) {
+  const stateRoot = process.argv[2] || process.env.WAZIR_STATE_ROOT;
+  if (!stateRoot) {
+    console.log(JSON.stringify({ decision: 'approve', reason: 'No state root provided.' }));
+    process.exit(0);
+  }
+
+  // Read context from stdin if available
+  let context = {};
+  try {
+    const input = fs.readFileSync(0, 'utf8').trim();
+    if (input) context = JSON.parse(input);
+  } catch { /* no stdin or invalid JSON */ }
+
+  const result = evaluateStopGate(stateRoot, context);
+  console.log(JSON.stringify(result));
+  process.exit(0);
+}