codeforge-dev 1.13.0 → 1.14.1

package/.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/README.md

@@ -1,33 +1,49 @@
 # workspace-scope-guard
 
-Claude Code plugin that enforces working directory scope for all file operations. Blocks writes outside the current project directory and warns on reads outside it. Prevents accidental cross-project modifications in multi-project workspaces.
+Nuclear workspace scope enforcement for Claude Code. Blocks ALL operations (read, write, bash) outside the current working directory. Permanently blacklists `/workspaces/.devcontainer/` — no exceptions, no bypass, even from workspace root.
 
 ## What It Does
 
-Intercepts file operations (Read, Write, Edit, NotebookEdit, Glob, Grep) and checks whether the target path is within the current working directory:
+Intercepts all file and bash operations and enforces strict scope boundaries:
 
 | Operation | Out-of-scope behavior |
 |-----------|-----------------------|
-| Write, Edit, NotebookEdit | **Blocked** (exit 2) with error message |
-| Read, Glob, Grep | **Warned** (exit 0) with advisory context |
+| Write, Edit, NotebookEdit | **Blocked** (exit 2) |
+| Read, Glob, Grep | **Blocked** (exit 2) |
+| Bash | **Blocked** (exit 2) — two-layer detection |
+| Unknown tools | **Blocked** (exit 2) |
 
-When the current working directory is `/workspaces` (the workspace root), all operations are unrestricted.
+### Blacklisted Paths
 
-### Allowed Prefixes
+`/workspaces/.devcontainer/` is permanently blocked for ALL operations — reads, writes, and bash commands. This blacklist:
+
+- Runs BEFORE all other checks (scope, allowlist, cwd bypass)
+- Cannot be overridden, even when cwd is `/workspaces`
+- Prevents the most common scope escape: writing to the workspace-root devcontainer instead of the project's
+
+### Allowlisted Paths
 
 These paths are always permitted regardless of working directory:
 
 | Path | Reason |
 |------|--------|
-| `/workspaces/.claude/` | Claude Code configuration |
-| `/workspaces/.tmp/` | Temporary files |
-| `/workspaces/.devcontainer/` | Container configuration |
+| `/workspaces/.claude/` | Claude config, plans, rules |
 | `/tmp/` | System temp directory |
-| `/home/vscode/` | User home directory |
+
+### CWD Context Injection
+
+The plugin injects working directory awareness on four hook events:
+
+| Hook Event | Purpose |
+|-----------|---------|
+| SessionStart | Set scope context at session begin |
+| UserPromptSubmit | Remind scope on every prompt |
+| PreToolUse | Context alongside scope enforcement |
+| SubagentStart | Ensure subagents know their scope |
 
 ## How It Works
 
-### Hook Lifecycle
+### Hook Lifecycle (File Tools)
 
 ```
 Claude calls Read, Write, Edit, NotebookEdit, Glob, or Grep
@@ -36,24 +52,43 @@ Claude calls Read, Write, Edit, NotebookEdit, Glob, or Grep
        │
        └─→ guard-workspace-scope.py
             │
-            ├─→ cwd is /workspaces? → allow (unrestricted)
-            ├─→ No target path? → allow (tool defaults to cwd)
-            ├─→ Resolve path via os.path.realpath() (handles symlinks/worktrees)
-            ├─→ Path is within cwd? → allow
-            ├─→ Path matches allowed prefix? → allow
-            ├─→ Write tool + out of scope → exit 2 (block)
-            └─→ Read tool + out of scope → exit 0 (warn via additionalContext)
+            ├─→ Extract target path from tool input
+            ├─→ Resolve via os.path.realpath() (handles symlinks)
+            ├─→ BLACKLIST check (first!) → exit 2 if blacklisted
+            ├─→ cwd is /workspaces? → allow (bypass, blacklist already checked)
+            ├─→ Path within cwd? → allow
+            ├─→ Path on allowlist? → allow
+            └─→ Out of scope → exit 2 (block)
 ```
 
-### Symlink and Worktree Handling
+### Hook Lifecycle (Bash)
+
+```
+Claude calls Bash
+  │
+  └─→ PreToolUse hook fires
+       │
+       └─→ guard-workspace-scope.py
+            │
+            ├─→ Extract write targets (Layer 1) + workspace paths (Layer 2)
+            ├─→ BLACKLIST check on ALL extracted paths → exit 2 if any blacklisted
+            ├─→ cwd is /workspaces? → allow (bypass, blacklist already checked)
+            ├─→ Layer 1: Check write targets against scope
+            │    ├─→ System command exemption (only if ALL targets are system paths)
+            │    └─→ exit 2 if any write target out of scope
+            └─→ Layer 2: Scan ALL /workspaces/ paths in command (ALWAYS runs)
+                 └─→ exit 2 if any workspace path out of scope
+```
 
-Target paths are resolved with `os.path.realpath()` before scope checking. This correctly handles:
-- Symbolic links that point outside the working directory
-- Git worktree paths (`.git` file containing `gitdir:`)
+### Bash Two-Layer Detection
 
-### Path Field Mapping
+**Layer 1 — Write target extraction:** 20+ regex patterns extract file paths from write operations (redirects, cp, mv, touch, mkdir, rm, ln, rsync, chmod, chown, dd, wget, curl, tar, unzip, gcc, sqlite3, etc.). Each target is resolved and scope-checked.
 
-The script extracts the target path from different tool input fields:
+System commands (git, pip, npm, etc.) get a Layer 1 exemption ONLY when ALL write targets resolve to system paths (`/usr/`, `/bin/`, `/sbin/`, `/lib/`, `/opt/`, `/proc/`, `/sys/`, `/dev/`, `/var/`, `/etc/`). Any `/workspaces/` write target outside cwd cancels the exemption.
+
+**Layer 2 — Workspace path scan (ALWAYS runs):** Regex scans the entire command for any `/workspaces/` path string. Catches paths in inline scripts (`python3 -c`), variable assignments, quoted strings, and anything Layer 1 misses. No exemptions, no bypass.
+
+### Path Field Mapping
 
 | Tool | Input Field |
 |------|-------------|
@@ -63,29 +98,66 @@ The script extracts the target path from different tool input fields:
 | NotebookEdit | `notebook_path` |
 | Glob | `path` |
 | Grep | `path` |
+| Bash | `command` (multi-path extraction) |
 
 ### Error Handling
 
 | Scenario | Behavior |
 |----------|----------|
-| JSON parse failure | Fails open (exit 0) |
-| Other exceptions | Fails open (exit 0) — logs error to stderr |
+| JSON parse failure | **Blocked** (exit 2) — fail closed |
+| Any exception | **Blocked** (exit 2) — fail closed |
+| Hook timeout | Fails open (Claude Code runtime limitation) — mitigated by 10s timeout and pure computation (no I/O) |
+
+## Known Limitations
+
+| Limitation | Why It's Accepted |
+|-----------|-------------------|
+| Pre-set env vars (`$OUTDIR/file` from prior command) | Layer 2 only catches literal `/workspaces/` strings. Variable set in same command IS caught. |
+| Base64-encoded paths | Not an accidental misuse pattern |
+| Bash brace expansion | Not an accidental directory construction pattern |
+| Variable concatenation across statements | No single literal path exists to match |
+| Hook timeout fails open | Mitigated: 10s timeout, pure computation, no I/O |
+
+## Installation
+
+### CodeForge DevContainer
+
+Pre-installed and activated automatically — no setup needed.
+
+### From GitHub
+
+Use this plugin in any Claude Code setup:
+
+1. Clone the [CodeForge](https://github.com/AnExiledDev/CodeForge) repository:
+
+   ```bash
+   git clone https://github.com/AnExiledDev/CodeForge.git
+   ```
+
+2. Enable the plugin in your `.claude/settings.json`:
 
-### Timeout
+   ```json
+   {
+     "enabledPlugins": {
+       "workspace-scope-guard@<clone-path>/.devcontainer/plugins/devs-marketplace": true
+     }
+   }
+   ```
 
-The hook has a 5-second timeout.
+   Replace `<clone-path>` with the absolute path to your CodeForge clone.
 
 ## Plugin Structure
 
 ```
 workspace-scope-guard/
 ├── .claude-plugin/
-│   └── plugin.json                # Plugin metadata
+│   └── plugin.json                  # Plugin metadata
 ├── hooks/
-│   └── hooks.json                 # PreToolUse hook registration
+│   └── hooks.json                   # Hook registrations (6 events)
 ├── scripts/
-│   └── guard-workspace-scope.py   # Scope enforcement (PreToolUse)
-└── README.md                      # This file
+│   ├── guard-workspace-scope.py     # Scope enforcement (PreToolUse)
+│   └── inject-workspace-cwd.py      # CWD context injection (4 events)
+└── README.md                        # This file
 ```
 
 ## Requirements

package/.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/hooks/hooks.json

@@ -1,14 +1,60 @@
 {
-	"description": "Enforce workspace scope for file operations",
+	"description": "Nuclear workspace scope enforcement — blocks all operations outside cwd, permanently blacklists /workspaces/.devcontainer/",
 	"hooks": {
 		"PreToolUse": [
 			{
-				"matcher": "Read|Write|Edit|NotebookEdit|Glob|Grep",
+				"matcher": "Read|Write|Edit|NotebookEdit|Glob|Grep|Bash",
 				"hooks": [
 					{
 						"type": "command",
 						"command": "python3 ${CLAUDE_PLUGIN_ROOT}/scripts/guard-workspace-scope.py",
-						"timeout": 5
+						"timeout": 10
+					}
+				]
+			},
+			{
+				"matcher": "",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python3 ${CLAUDE_PLUGIN_ROOT}/scripts/inject-workspace-cwd.py",
+						"timeout": 3
+					}
+				]
+			}
+		],
+		"SessionStart": [
+			{
+				"matcher": "",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python3 ${CLAUDE_PLUGIN_ROOT}/scripts/inject-workspace-cwd.py",
+						"timeout": 3
+					}
+				]
+			}
+		],
+		"UserPromptSubmit": [
+			{
+				"matcher": "",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python3 ${CLAUDE_PLUGIN_ROOT}/scripts/inject-workspace-cwd.py",
+						"timeout": 3
+					}
+				]
+			}
+		],
+		"SubagentStart": [
+			{
+				"matcher": "",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python3 ${CLAUDE_PLUGIN_ROOT}/scripts/inject-workspace-cwd.py",
+						"timeout": 3
 					}
 				]
 			}

package/.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/scripts/guard-workspace-scope.py

@@ -1,29 +1,41 @@
 #!/usr/bin/env python3
 """
-Enforce workspace scope for file operations.
+Nuclear workspace scope enforcement.
 
-Blocks write operations (Write, Edit, NotebookEdit) to files outside the
-current working directory. Warns on read operations (Read, Glob, Grep)
-outside the working directory. Allows unrestricted access when cwd is
-/workspaces (the workspace root).
+Blocks ALL operations (read, write, bash) outside the current working directory.
+Permanently blacklists /workspaces/.devcontainer/ — no exceptions, no bypass.
+Bash enforcement via two-layer detection: write target extraction + workspace path scan.
+Fails closed on any error.
 
 Exit code 2 blocks the operation with an error message.
-Exit code 0 allows the operation to proceed (with optional warning context).
+Exit code 0 allows the operation to proceed.
 """
 
 import json
 import os
+import re
+import shlex
 import sys
 
-# Paths that are always allowed regardless of working directory
+# ---------------------------------------------------------------------------
+# BLACKLIST — checked FIRST, overrides everything.
+# Nothing touches these paths. Ever. No exceptions.
+# Checked before allowlist, before scope check, before cwd bypass.
+# ---------------------------------------------------------------------------
+BLACKLISTED_PREFIXES = [
+    "/workspaces/.devcontainer/",
+    "/workspaces/.devcontainer",  # exact match (no trailing slash)
+]
+
+# Paths always allowed regardless of working directory
 ALLOWED_PREFIXES = [
-    "/workspaces/.tmp/",
-    "/tmp/",
-    "/home/vscode/",
+    "/workspaces/.claude/",  # Claude config, plans, rules
+    "/tmp/",                 # System scratch
 ]
 
 WRITE_TOOLS = {"Write", "Edit", "NotebookEdit"}
 READ_TOOLS = {"Read", "Glob", "Grep"}
+ALL_FILE_TOOLS = WRITE_TOOLS | READ_TOOLS
 
 # Tool input field that contains the target path
 PATH_FIELDS = {
@@ -35,6 +47,76 @@ PATH_FIELDS = {
     "Grep": "path",
 }
 
+# ---------------------------------------------------------------------------
+# Bash Layer 1: Write target patterns
+# Ported from guard-protected-bash.py + new patterns
+# ---------------------------------------------------------------------------
+WRITE_PATTERNS = [
+    # --- Ported from guard-protected-bash.py ---
+    r"(?:>|>>)\s*([^\s;&|]+)",                                              # > file, >> file
+    r"\btee\s+(?:-a\s+)?([^\s;&|]+)",                                       # tee file
+    r"\b(?:cp|mv)\s+(?:-[^\s]+\s+)*[^\s]+\s+([^\s;&|]+)",                  # cp/mv src dest
+    r'\bsed\s+-i[^\s]*\s+(?:\'[^\']*\'\s+|"[^"]*"\s+|[^\s]+\s+)*([^\s;&|]+)',  # sed -i
+    r"\bcat\s+(?:<<[^\s]*\s+)?>\s*([^\s;&|]+)",                            # cat > file
+    # --- New patterns ---
+    r"\btouch\s+(?:-[^\s]+\s+)*([^\s;&|]+)",                               # touch file
+    r"\bmkdir\s+(?:-[^\s]+\s+)*([^\s;&|]+)",                               # mkdir [-p] dir
+    r"\brm\s+(?:-[^\s]+\s+)*([^\s;&|]+)",                                  # rm [-rf] path
+    r"\bln\s+(?:-[^\s]+\s+)*[^\s]+\s+([^\s;&|]+)",                         # ln [-s] src dest
+    r"\binstall\s+(?:-[^\s]+\s+)*[^\s]+\s+([^\s;&|]+)",                    # install src dest
+    r"\brsync\s+(?:-[^\s]+\s+)*[^\s]+\s+([^\s;&|]+)",                      # rsync src dest
+    r"\bchmod\s+(?:-[^\s]+\s+)*[^\s]+\s+([^\s;&|]+)",                      # chmod mode path
+    r"\bchown\s+(?:-[^\s]+\s+)*[^\s:]+(?::[^\s]+)?\s+([^\s;&|]+)",         # chown owner[:group] path
+    r"\bdd\b[^;|&]*\bof=([^\s;&|]+)",                                      # dd of=path
+    r"\bwget\s+(?:-[^\s]+\s+)*-O\s+([^\s;&|]+)",                           # wget -O path
+    r"\bcurl\s+(?:-[^\s]+\s+)*-o\s+([^\s;&|]+)",                           # curl -o path
+    r"\btar\s+(?:-[^\s]+\s+)*-C\s+([^\s;&|]+)",                            # tar -C dir
+    r"\bunzip\s+(?:-[^\s]+\s+)*-d\s+([^\s;&|]+)",                          # unzip -d dir
+    r"\b(?:gcc|g\+\+|cc|c\+\+|clang)\s+(?:-[^\s]+\s+)*-o\s+([^\s;&|]+)",  # gcc -o out
+    r"\bsqlite3\s+([^\s;&|]+)",                                            # sqlite3 dbpath
+]
+
+# ---------------------------------------------------------------------------
+# Bash Layer 2: Workspace path scan (ALWAYS runs, never exempt)
+# Stops at: whitespace, ;, |, &, >, ), <, ', "
+# ---------------------------------------------------------------------------
+WORKSPACE_PATH_RE = re.compile(r'/workspaces/[^\s;|&>)<\'"]+')
+
+# ---------------------------------------------------------------------------
+# System command exemption (Layer 1 only)
+# ---------------------------------------------------------------------------
+SYSTEM_COMMANDS = frozenset({
+    "git", "pip", "pip3", "npm", "npx", "yarn", "pnpm",
+    "apt-get", "apt", "cargo", "go", "docker", "make", "cmake",
+    "node", "python3", "python", "ruby", "gem", "bundle",
+})
+
+SYSTEM_PATH_PREFIXES = (
+    "/usr/", "/bin/", "/sbin/", "/lib/", "/opt/",
+    "/proc/", "/sys/", "/dev/", "/var/", "/etc/",
+)
+
+
+# ---------------------------------------------------------------------------
+# Core check functions
+# ---------------------------------------------------------------------------
+
+def is_blacklisted(resolved_path: str) -> bool:
+    """Check if resolved_path is under a permanently blocked directory."""
+    return (resolved_path == "/workspaces/.devcontainer"
+            or resolved_path.startswith("/workspaces/.devcontainer/"))
+
+
+def is_in_scope(resolved_path: str, cwd: str) -> bool:
+    """Check if resolved_path is within the working directory."""
+    cwd_prefix = cwd if cwd.endswith("/") else cwd + "/"
+    return resolved_path == cwd or resolved_path.startswith(cwd_prefix)
+
+
+def is_allowlisted(resolved_path: str) -> bool:
+    """Check if resolved_path falls under an allowed prefix."""
+    return any(resolved_path.startswith(prefix) for prefix in ALLOWED_PREFIXES)
+
 
 def get_target_path(tool_name: str, tool_input: dict) -> str | None:
     """Extract the target path from tool input.
@@ -48,16 +130,147 @@ def get_target_path(tool_name: str, tool_input: dict) -> str | None:
     return tool_input.get(field) or None
 
 
-def is_in_scope(resolved_path: str, cwd: str) -> bool:
-    """Check if resolved_path is within the working directory."""
-    cwd_prefix = cwd if cwd.endswith("/") else cwd + "/"
-    return resolved_path == cwd or resolved_path.startswith(cwd_prefix)
+# ---------------------------------------------------------------------------
+# Bash enforcement
+# ---------------------------------------------------------------------------
 
+def extract_write_targets(command: str) -> list[str]:
+    """Extract file paths that the command writes to (Layer 1)."""
+    targets = []
+    for pattern in WRITE_PATTERNS:
+        for match in re.finditer(pattern, command):
+            target = match.group(1).strip("'\"")
+            if target:
+                targets.append(target)
+    return targets
 
-def is_allowlisted(resolved_path: str) -> bool:
-    """Check if resolved_path falls under an allowed prefix."""
-    return any(resolved_path.startswith(prefix) for prefix in ALLOWED_PREFIXES)
 
+def extract_primary_command(command: str) -> str:
+    """Extract the primary command, stripping sudo/env/variable prefixes."""
+    try:
+        tokens = shlex.split(command)
+    except ValueError:
+        # Unclosed quotes or other parse errors — no exemption
+        return ""
+    i = 0
+    while i < len(tokens):
+        tok = tokens[i]
+        # Skip inline variable assignments: VAR=value
+        if "=" in tok and not tok.startswith("-") and tok.split("=")[0].isidentifier():
+            i += 1
+            continue
+        # Skip sudo and its flags
+        if tok == "sudo":
+            i += 1
+            while i < len(tokens) and tokens[i].startswith("-"):
+                flag = tokens[i]
+                i += 1
+                # Flags that consume the next token as an argument
+                if flag in ("-u", "-g", "-C", "-D", "-R", "-T"):
+                    i += 1  # skip the argument too
+            continue
+        # Skip env and its variable assignments
+        if tok == "env":
+            i += 1
+            while i < len(tokens):
+                if "=" in tokens[i] and not tokens[i].startswith("-"):
+                    i += 1  # skip VAR=val
+                elif tokens[i].startswith("-"):
+                    i += 1  # skip env flags (-i, etc.)
+                else:
+                    break
+            continue
+        # Skip nohup, nice, time
+        if tok in ("nohup", "nice", "time"):
+            i += 1
+            continue
+        return tok
+    return ""
+
+
+def check_bash_scope(command: str, cwd: str) -> None:
+    """Enforce scope on Bash commands. Calls sys.exit(2) on violation."""
+    if not command:
+        return
+
+    # --- Extract paths from command ---
+    write_targets = extract_write_targets(command)
+    workspace_paths = WORKSPACE_PATH_RE.findall(command)
+
+    # --- BLACKLIST check (FIRST — before cwd bypass, before everything) ---
+    # Early exit on first blacklisted path found
+    for target in write_targets:
+        resolved = os.path.realpath(target.strip("'\""))
+        if is_blacklisted(resolved):
+            print(
+                f"Blocked: Bash command writes to blacklisted path '{target}'. "
+                f"/workspaces/.devcontainer/ is permanently blocked.",
+                file=sys.stderr,
+            )
+            sys.exit(2)
+
+    for path_str in workspace_paths:
+        resolved = os.path.realpath(path_str)
+        if is_blacklisted(resolved):
+            print(
+                f"Blocked: Bash command references blacklisted path '{path_str}'. "
+                f"/workspaces/.devcontainer/ is permanently blocked.",
+                file=sys.stderr,
+            )
+            sys.exit(2)
+
+    # --- cwd=/workspaces bypass (blacklist already checked above) ---
+    if cwd == "/workspaces":
+        return
+
+    # --- Layer 1: Write target scope check ---
+    if write_targets:
+        primary_cmd = extract_primary_command(command)
+        is_system_cmd = primary_cmd in SYSTEM_COMMANDS
+
+        resolved_targets = [
+            (t, os.path.realpath(t.strip("'\""))) for t in write_targets
+        ]
+
+        # System command exemption: skip Layer 1 ONLY if ALL targets are system paths
+        skip_layer1 = False
+        if is_system_cmd:
+            skip_layer1 = all(
+                any(r.startswith(sp) for sp in SYSTEM_PATH_PREFIXES)
+                for _, r in resolved_targets
+            )
+            # Override: if ANY target is under /workspaces/ outside cwd → NOT exempt
+            if skip_layer1:
+                for _, resolved in resolved_targets:
+                    if resolved.startswith("/workspaces/") and not is_in_scope(resolved, cwd):
+                        skip_layer1 = False
+                        break
+
+        if not skip_layer1:
+            for target, resolved in resolved_targets:
+                if not is_in_scope(resolved, cwd) and not is_allowlisted(resolved):
+                    print(
+                        f"Blocked: Bash command writes to '{target}' which is "
+                        f"outside the working directory ({cwd}).",
+                        file=sys.stderr,
+                    )
+                    sys.exit(2)
+
+    # --- Layer 2: Workspace path scan (ALWAYS runs, never exempt) ---
+    for path_str in workspace_paths:
+        resolved = os.path.realpath(path_str)
+        if not is_in_scope(resolved, cwd) and not is_allowlisted(resolved):
+            print(
+                f"Blocked: Bash command references '{path_str}' which is "
+                f"outside the working directory ({cwd}).",
+                file=sys.stderr,
+            )
+            sys.exit(2)
+
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
 
 def main():
     try:
@@ -67,63 +280,63 @@ def main():
 
         cwd = os.getcwd()
 
-        # Unrestricted when working from the workspace root
-        if cwd == "/workspaces":
+        # --- Bash tool: separate code path ---
+        if tool_name == "Bash":
+            check_bash_scope(tool_input.get("command", ""), cwd)
             sys.exit(0)
 
+        # --- File tools ---
         target_path = get_target_path(tool_name, tool_input)
 
-        # No path specified — tool defaults to cwd, which is in scope
+        # No path → tool defaults to cwd, always in scope (for known file tools)
         if target_path is None:
-            sys.exit(0)
+            if tool_name in ALL_FILE_TOOLS:
+                sys.exit(0)
+            # Unknown tool with no recognizable path → block
+            print(
+                f"Blocked: Unknown tool '{tool_name}' — not in scope guard allowlist.",
+                file=sys.stderr,
+            )
+            sys.exit(2)
 
         resolved = os.path.realpath(target_path)
 
-        if is_in_scope(resolved, cwd):
-            sys.exit(0)
-
-        if is_allowlisted(resolved):
-            sys.exit(0)
-
-        # Out of scope
-        if tool_name in WRITE_TOOLS:
+        # BLACKLIST — checked FIRST, before cwd bypass
+        if is_blacklisted(resolved):
             print(
-                json.dumps(
-                    {
-                        "error": (
-                            f"Blocked: {tool_name} targets '{target_path}' which is "
-                            f"outside the working directory ({cwd}). Move to that "
-                            f"project's directory first or work from /workspaces."
-                        )
-                    }
-                )
+                f"Blocked: {tool_name} targets '{target_path}' which is under "
+                f"blacklisted path /workspaces/.devcontainer/. This path is "
+                f"permanently blocked for all operations.",
+                file=sys.stderr,
             )
             sys.exit(2)
 
-        if tool_name in READ_TOOLS:
-            print(
-                json.dumps(
-                    {
-                        "additionalContext": (
-                            f"Warning: {tool_name} targets '{target_path}' which is "
-                            f"outside the working directory ({cwd}). This read is "
-                            f"allowed but may indicate unintended cross-project access."
-                        )
-                    }
-                )
-            )
+        # cwd=/workspaces bypass (blacklist already checked)
+        if cwd == "/workspaces":
+            sys.exit(0)
+
+        # In-scope check
+        if is_in_scope(resolved, cwd):
+            sys.exit(0)
+
+        # Allowlist check
+        if is_allowlisted(resolved):
             sys.exit(0)
 
-        # Unknown tool — allow by default
-        sys.exit(0)
+        # Out of scope — BLOCK for ALL tools
+        print(
+            f"Blocked: {tool_name} targets '{target_path}' which is outside "
+            f"the working directory ({cwd}). Move to that project's directory "
+            f"first or work from /workspaces.",
+            file=sys.stderr,
+        )
+        sys.exit(2)
 
     except json.JSONDecodeError:
-        # Can't parse input — allow by default
-        sys.exit(0)
+        sys.exit(2)
     except Exception as e:
-        # Don't block on hook failure
         print(f"Hook error: {e}", file=sys.stderr)
-        sys.exit(0)
+        sys.exit(2)
 
 
 if __name__ == "__main__":