claude-dev-env 1.29.2 → 1.30.0

package/hooks/blocking/destructive_command_blocker.py

@@ -3,6 +3,7 @@ import datetime
 import json
 import os
 import re
+import shlex
 import subprocess
 import sys
 import tempfile
@@ -139,6 +140,132 @@ def _build_silent_gh_deny_response(matched_description: str) -> dict:
     }
 
 
+def _path_is_bare_ephemeral_root(resolved_path: str) -> bool:
+    leading_repeated_slash_pattern = re.compile(r"^/{2,}")
+    forward_slash_normalized_path = leading_repeated_slash_pattern.sub(
+        "/",
+        resolved_path.replace("\\", "/").lower().rstrip("/"),
+    )
+    system_temporary_root = leading_repeated_slash_pattern.sub(
+        "/",
+        os.path.normpath(tempfile.gettempdir()).replace("\\", "/").lower().rstrip("/"),
+    )
+    forbidden_bare_ephemeral_roots = {"/tmp", "/temp", "/worktrees", "/worktree", system_temporary_root}
+    return forward_slash_normalized_path in forbidden_bare_ephemeral_roots
+
+
+def _path_is_bare_named_worktrees_container(resolved_path: str) -> bool:
+    return Path(resolved_path).name.lower() in ("worktrees", "worktree")
+
+
+def _path_basename_is_shell_glob_wildcard(resolved_path: str) -> bool:
+    bracket_class_empty_length = len("[]")
+    basename = Path(resolved_path).name
+    if not basename:
+        return False
+    if basename in ("*", "?"):
+        return True
+    if basename.startswith("[") and basename.endswith("]") and len(basename) > bracket_class_empty_length:
+        return True
+    if "*" in basename or "?" in basename:
+        return True
+    return False
+
+
+def _command_contains_windows_style_path(command: str) -> bool:
+    windows_drive_path_pattern = re.compile(r"(?<![A-Za-z0-9_])[A-Za-z]:\\")
+    windows_unc_path_pattern = re.compile(r"(?<!\S)\\\\[^\s\\]+\\[^\s\\]+")
+    return bool(
+        windows_drive_path_pattern.search(command)
+        or windows_unc_path_pattern.search(command)
+    )
+
+
+def _split_command_preserving_windows_backslashes(command: str) -> list[str]:
+    if "\\" in command and (
+        os.name == "nt" or _command_contains_windows_style_path(command)
+    ):
+        forward_slash_normalized_command = command.replace("\\", "/")
+        return shlex.split(forward_slash_normalized_command)
+    return shlex.split(command)
+
+
+def _rm_flags_before_double_dash_are_unsafe(tokens_after_rm: list[str]) -> bool:
+    safe_long_options = frozenset({
+        "--recursive",
+        "--force",
+        "--verbose",
+        "--interactive",
+        "--dir",
+    })
+    for each_token in tokens_after_rm:
+        if each_token == "--":
+            return False
+        if not each_token.startswith("-"):
+            continue
+        if "=" in each_token:
+            return True
+        if each_token.startswith("--"):
+            if each_token not in safe_long_options:
+                return True
+            continue
+        short_rest = each_token[1:]
+        if not short_rest or not all(c in "rfRvidI" for c in short_rest):
+            return True
+    return False
+
+
+def _collect_rm_target_tokens(tokens_after_rm: list[str]) -> list[str]:
+    targets: list[str] = []
+    has_seen_end_of_options = False
+    for each_token in tokens_after_rm:
+        if not has_seen_end_of_options and each_token == "--":
+            has_seen_end_of_options = True
+            continue
+        if not has_seen_end_of_options and each_token.startswith("-"):
+            continue
+        targets.append(each_token)
+    return targets
+
+
+def rm_targets_only_ephemeral_paths(command: str) -> bool:
+    """Return True when command is a single rm invocation whose every target is inside an ephemeral directory.
+
+    Refuses compound commands so operators like && / || / ; / | / backticks /
+    $(...) cannot piggy-back non-rm work on the ephemeral auto-allow. Rejects
+    bare ephemeral roots (/tmp, system temp dir) and bare directories named
+    worktrees/worktree so we never auto-approve wiping those roots. Only
+    allows common short flags and a small set of long options before ``--``;
+    tokens with ``=`` or unknown long options disable auto-allow.
+    """
+    compound_shell_operator_pattern = re.compile(r'(?:&&|\|\||;|\||`|\$\()')
+    if compound_shell_operator_pattern.search(command):
+        return False
+    try:
+        all_command_tokens = _split_command_preserving_windows_backslashes(command)
+    except ValueError:
+        return False
+    if len(all_command_tokens) < 2 or all_command_tokens[0] != "rm":
+        return False
+    tokens_after_rm = all_command_tokens[1:]
+    if _rm_flags_before_double_dash_are_unsafe(tokens_after_rm):
+        return False
+    all_target_tokens = _collect_rm_target_tokens(tokens_after_rm)
+    if not all_target_tokens:
+        return False
+    for each_target_token in all_target_tokens:
+        each_resolved_path = os.path.normpath(os.path.expanduser(each_target_token))
+        if _path_basename_is_shell_glob_wildcard(each_resolved_path):
+            return False
+        if _path_is_bare_ephemeral_root(each_resolved_path):
+            return False
+        if _path_is_bare_named_worktrees_container(each_resolved_path):
+            return False
+        if not directory_is_ephemeral(each_resolved_path):
+            return False
+    return True
+
+
 def targets_only_claude_directory(command: str) -> bool:
     """Check if rm command targets only paths under ~/.claude/."""
     all_rm_target_paths = re.findall(
@@ -160,6 +287,24 @@ def targets_only_claude_directory(command: str) -> bool:
     return True
 
 
+def _ephemeral_recursive_rm_auto_allow_granted(command: str, matched_description: str) -> bool:
+    return matched_description.startswith(("rm -rf", "rm --recursive")) and rm_targets_only_ephemeral_paths(command)
+
+
+def _git_reset_hard_allowed_for_command(command: str, current_working_directory: str) -> bool:
+    if directory_is_ephemeral(current_working_directory):
+        return True
+    current_working_directory_lowercased = os.path.normpath(current_working_directory).lower()
+    for allowed_project in load_allow_git_reset_hard_projects():
+        allowed_project_lowercased = os.path.normpath(allowed_project).lower()
+        if current_working_directory_lowercased.startswith(allowed_project_lowercased):
+            return True
+        for path_match in re.findall(r'cd\s+"([^"]+)"', command):
+            if os.path.normpath(path_match).lower().startswith(allowed_project_lowercased):
+                return True
+    return False
+
+
 def main() -> None:
     try:
         hook_input = json.load(sys.stdin)
@@ -185,20 +330,12 @@ def main() -> None:
     if matched_description is not None and targets_only_claude_directory(command):
         sys.exit(0)
 
-    # Allow git reset --hard in explicitly approved projects (case-insensitive for Windows drive letters)
+    if matched_description is not None and _ephemeral_recursive_rm_auto_allow_granted(command, matched_description):
+        sys.exit(0)
+
     if matched_description is not None and "git reset --hard" in matched_description:
-        current_working_directory = os.getcwd()
-        if directory_is_ephemeral(current_working_directory):
+        if _git_reset_hard_allowed_for_command(command, os.getcwd()):
             sys.exit(0)
-        current_working_directory_lowercased = os.path.normpath(current_working_directory).lower()
-        for allowed_project in load_allow_git_reset_hard_projects():
-            allowed_project_lowercased = os.path.normpath(allowed_project).lower()
-            if current_working_directory_lowercased.startswith(allowed_project_lowercased):
-                sys.exit(0)
-            # Also check the cd target in the command itself
-            for path_match in re.findall(r'cd\s+"([^"]+)"', command):
-                if os.path.normpath(path_match).lower().startswith(allowed_project_lowercased):
-                    sys.exit(0)
 
     if matched_description is not None:
         ask_response = {